TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / hafnium / third_party / linux / 3a0ad55d848b50499b68d7141d4eca997fce28ef / . / security / selinux / hooks.c
blob: fe251c6f09f104dcfdd70ee83c72c295f37b390a [file] [log] [blame]
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame]1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
25 */
26
27#include <linux/init.h>
28#include <linux/kd.h>
29#include <linux/kernel.h>
30#include <linux/tracehook.h>
31#include <linux/errno.h>
32#include <linux/sched/signal.h>
33#include <linux/sched/task.h>
34#include <linux/lsm_hooks.h>
35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
42#include <linux/proc_fs.h>
43#include <linux/swap.h>
44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
46#include <linux/dcache.h>
47#include <linux/file.h>
48#include <linux/fdtable.h>
49#include <linux/namei.h>
50#include <linux/mount.h>
51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
55#include <net/ip.h> /* for local_port_range[] */
56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57#include <net/inet_connection_sock.h>
58#include <net/net_namespace.h>
59#include <net/netlabel.h>
60#include <linux/uaccess.h>
61#include <asm/ioctls.h>
62#include <linux/atomic.h>
63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
66#include <net/netlink.h>
67#include <linux/tcp.h>
68#include <linux/udp.h>
69#include <linux/dccp.h>
70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
72#include <linux/quota.h>
73#include <linux/un.h> /* for Unix socket types */
74#include <net/af_unix.h> /* for Unix socket types */
75#include <linux/parser.h>
76#include <linux/nfs_mount.h>
77#include <net/ipv6.h>
78#include <linux/hugetlb.h>
79#include <linux/personality.h>
80#include <linux/audit.h>
81#include <linux/string.h>
82#include <linux/selinux.h>
83#include <linux/mutex.h>
84#include <linux/posix-timers.h>
85#include <linux/syslog.h>
86#include <linux/user_namespace.h>
87#include <linux/export.h>
88#include <linux/msg.h>
89#include <linux/shm.h>
90#include <linux/bpf.h>
91
92#include "avc.h"
93#include "objsec.h"
94#include "netif.h"
95#include "netnode.h"
96#include "netport.h"
97#include "ibpkey.h"
98#include "xfrm.h"
99#include "netlabel.h"
100#include "audit.h"
101#include "avc_ss.h"
102
103struct selinux_state selinux_state;
104
105/* SECMARK reference count */
106static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
107
108#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109static int selinux_enforcing_boot;
110
111static int __init enforcing_setup(char *str)
112{
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
116 return 1;
117}
118__setup("enforcing=", enforcing_setup);
119#else
120#define selinux_enforcing_boot 1
121#endif
122
123#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125
126static int __init selinux_enabled_setup(char *str)
127{
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
131 return 1;
132}
133__setup("selinux=", selinux_enabled_setup);
134#else
135int selinux_enabled = 1;
136#endif
137
138static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141static int __init checkreqprot_setup(char *str)
142{
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148}
149__setup("checkreqprot=", checkreqprot_setup);
150
151static struct kmem_cache *sel_inode_cache;
152static struct kmem_cache *file_security_cache;
153
154/**
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156 *
157 * Description:
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
163 *
164 */
165static int selinux_secmark_enabled(void)
166{
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
169}
170
171/**
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173 *
174 * Description:
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
179 *
180 */
181static int selinux_peerlbl_enabled(void)
182{
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
185}
186
187static int selinux_netcache_avc_callback(u32 event)
188{
189 if (event == AVC_CALLBACK_RESET) {
190 sel_netif_flush();
191 sel_netnode_flush();
192 sel_netport_flush();
193 synchronize_net();
194 }
195 return 0;
196}
197
198static int selinux_lsm_notifier_avc_callback(u32 event)
199{
200 if (event == AVC_CALLBACK_RESET) {
201 sel_ib_pkey_flush();
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 }
204
205 return 0;
206}
207
208/*
209 * initialise the security for the init task
210 */
211static void cred_init_security(void)
212{
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
215
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
217 if (!tsec)
218 panic("SELinux: Failed to initialize initial task.\n");
219
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
222}
223
224/*
225 * get the security ID of a set of credentials
226 */
227static inline u32 cred_sid(const struct cred *cred)
228{
229 const struct task_security_struct *tsec;
230
231 tsec = cred->security;
232 return tsec->sid;
233}
234
235/*
236 * get the objective security ID of a task
237 */
238static inline u32 task_sid(const struct task_struct *task)
239{
240 u32 sid;
241
242 rcu_read_lock();
243 sid = cred_sid(__task_cred(task));
244 rcu_read_unlock();
245 return sid;
246}
247
248/* Allocate and free functions for each kind of security blob. */
249
250static int inode_alloc_security(struct inode *inode)
251{
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
254
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
256 if (!isec)
257 return -ENOMEM;
258
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
261 isec->inode = inode;
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
267
268 return 0;
269}
270
271static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
272
273/*
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @dentry parameter should be set to a dentry of the inode.
278 */
279static int __inode_security_revalidate(struct inode *inode,
280 struct dentry *dentry,
281 bool may_sleep)
282{
283 struct inode_security_struct *isec = inode->i_security;
284
285 might_sleep_if(may_sleep);
286
287 if (selinux_state.initialized &&
288 isec->initialized != LABEL_INITIALIZED) {
289 if (!may_sleep)
290 return -ECHILD;
291
292 /*
293 * Try reloading the inode security label. This will fail if
294 * @opt_dentry is NULL and no dentry for this inode can be
295 * found; in that case, continue using the old label.
296 */
297 inode_doinit_with_dentry(inode, dentry);
298 }
299 return 0;
300}
301
302static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
303{
304 return inode->i_security;
305}
306
307static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
308{
309 int error;
310
311 error = __inode_security_revalidate(inode, NULL, !rcu);
312 if (error)
313 return ERR_PTR(error);
314 return inode->i_security;
315}
316
317/*
318 * Get the security label of an inode.
319 */
320static struct inode_security_struct *inode_security(struct inode *inode)
321{
322 __inode_security_revalidate(inode, NULL, true);
323 return inode->i_security;
324}
325
326static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
327{
328 struct inode *inode = d_backing_inode(dentry);
329
330 return inode->i_security;
331}
332
333/*
334 * Get the security label of a dentry's backing inode.
335 */
336static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
337{
338 struct inode *inode = d_backing_inode(dentry);
339
340 __inode_security_revalidate(inode, dentry, true);
341 return inode->i_security;
342}
343
344static void inode_free_rcu(struct rcu_head *head)
345{
346 struct inode_security_struct *isec;
347
348 isec = container_of(head, struct inode_security_struct, rcu);
349 kmem_cache_free(sel_inode_cache, isec);
350}
351
352static void inode_free_security(struct inode *inode)
353{
354 struct inode_security_struct *isec = inode->i_security;
355 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
356
357 /*
358 * As not all inode security structures are in a list, we check for
359 * empty list outside of the lock to make sure that we won't waste
360 * time taking a lock doing nothing.
361 *
362 * The list_del_init() function can be safely called more than once.
363 * It should not be possible for this function to be called with
364 * concurrent list_add(), but for better safety against future changes
365 * in the code, we use list_empty_careful() here.
366 */
367 if (!list_empty_careful(&isec->list)) {
368 spin_lock(&sbsec->isec_lock);
369 list_del_init(&isec->list);
370 spin_unlock(&sbsec->isec_lock);
371 }
372
373 /*
374 * The inode may still be referenced in a path walk and
375 * a call to selinux_inode_permission() can be made
376 * after inode_free_security() is called. Ideally, the VFS
377 * wouldn't do this, but fixing that is a much harder
378 * job. For now, simply free the i_security via RCU, and
379 * leave the current inode->i_security pointer intact.
380 * The inode will be freed after the RCU grace period too.
381 */
382 call_rcu(&isec->rcu, inode_free_rcu);
383}
384
385static int file_alloc_security(struct file *file)
386{
387 struct file_security_struct *fsec;
388 u32 sid = current_sid();
389
390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
391 if (!fsec)
392 return -ENOMEM;
393
394 fsec->sid = sid;
395 fsec->fown_sid = sid;
396 file->f_security = fsec;
397
398 return 0;
399}
400
401static void file_free_security(struct file *file)
402{
403 struct file_security_struct *fsec = file->f_security;
404 file->f_security = NULL;
405 kmem_cache_free(file_security_cache, fsec);
406}
407
408static int superblock_alloc_security(struct super_block *sb)
409{
410 struct superblock_security_struct *sbsec;
411
412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
413 if (!sbsec)
414 return -ENOMEM;
415
416 mutex_init(&sbsec->lock);
417 INIT_LIST_HEAD(&sbsec->isec_head);
418 spin_lock_init(&sbsec->isec_lock);
419 sbsec->sb = sb;
420 sbsec->sid = SECINITSID_UNLABELED;
421 sbsec->def_sid = SECINITSID_FILE;
422 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423 sb->s_security = sbsec;
424
425 return 0;
426}
427
428static void superblock_free_security(struct super_block *sb)
429{
430 struct superblock_security_struct *sbsec = sb->s_security;
431 sb->s_security = NULL;
432 kfree(sbsec);
433}
434
435static inline int inode_doinit(struct inode *inode)
436{
437 return inode_doinit_with_dentry(inode, NULL);
438}
439
440enum {
441 Opt_error = -1,
442 Opt_context = 1,
443 Opt_fscontext = 2,
444 Opt_defcontext = 3,
445 Opt_rootcontext = 4,
446 Opt_labelsupport = 5,
447 Opt_nextmntopt = 6,
448};
449
450#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
451
452static const match_table_t tokens = {
453 {Opt_context, CONTEXT_STR "%s"},
454 {Opt_fscontext, FSCONTEXT_STR "%s"},
455 {Opt_defcontext, DEFCONTEXT_STR "%s"},
456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457 {Opt_labelsupport, LABELSUPP_STR},
458 {Opt_error, NULL},
459};
460
461#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
462
463static int may_context_mount_sb_relabel(u32 sid,
464 struct superblock_security_struct *sbsec,
465 const struct cred *cred)
466{
467 const struct task_security_struct *tsec = cred->security;
468 int rc;
469
470 rc = avc_has_perm(&selinux_state,
471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 FILESYSTEM__RELABELFROM, NULL);
473 if (rc)
474 return rc;
475
476 rc = avc_has_perm(&selinux_state,
477 tsec->sid, sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__RELABELTO, NULL);
479 return rc;
480}
481
482static int may_context_mount_inode_relabel(u32 sid,
483 struct superblock_security_struct *sbsec,
484 const struct cred *cred)
485{
486 const struct task_security_struct *tsec = cred->security;
487 int rc;
488 rc = avc_has_perm(&selinux_state,
489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 FILESYSTEM__RELABELFROM, NULL);
491 if (rc)
492 return rc;
493
494 rc = avc_has_perm(&selinux_state,
495 sid, sbsec->sid, SECCLASS_FILESYSTEM,
496 FILESYSTEM__ASSOCIATE, NULL);
497 return rc;
498}
499
500static int selinux_is_sblabel_mnt(struct super_block *sb)
501{
502 struct superblock_security_struct *sbsec = sb->s_security;
503
504 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
505 sbsec->behavior == SECURITY_FS_USE_TRANS ||
506 sbsec->behavior == SECURITY_FS_USE_TASK ||
507 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
508 /* Special handling. Genfs but also in-core setxattr handler */
509 !strcmp(sb->s_type->name, "sysfs") ||
510 !strcmp(sb->s_type->name, "pstore") ||
511 !strcmp(sb->s_type->name, "debugfs") ||
512 !strcmp(sb->s_type->name, "tracefs") ||
513 !strcmp(sb->s_type->name, "rootfs") ||
514 (selinux_policycap_cgroupseclabel() &&
515 (!strcmp(sb->s_type->name, "cgroup") ||
516 !strcmp(sb->s_type->name, "cgroup2")));
517}
518
519static int sb_finish_set_opts(struct super_block *sb)
520{
521 struct superblock_security_struct *sbsec = sb->s_security;
522 struct dentry *root = sb->s_root;
523 struct inode *root_inode = d_backing_inode(root);
524 int rc = 0;
525
526 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
527 /* Make sure that the xattr handler exists and that no
528 error other than -ENODATA is returned by getxattr on
529 the root directory. -ENODATA is ok, as this may be
530 the first boot of the SELinux kernel before we have
531 assigned xattr values to the filesystem. */
532 if (!(root_inode->i_opflags & IOP_XATTR)) {
533 pr_warn("SELinux: (dev %s, type %s) has no "
534 "xattr support\n", sb->s_id, sb->s_type->name);
535 rc = -EOPNOTSUPP;
536 goto out;
537 }
538
539 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
540 if (rc < 0 && rc != -ENODATA) {
541 if (rc == -EOPNOTSUPP)
542 pr_warn("SELinux: (dev %s, type "
543 "%s) has no security xattr handler\n",
544 sb->s_id, sb->s_type->name);
545 else
546 pr_warn("SELinux: (dev %s, type "
547 "%s) getxattr errno %d\n", sb->s_id,
548 sb->s_type->name, -rc);
549 goto out;
550 }
551 }
552
553 sbsec->flags |= SE_SBINITIALIZED;
554
555 /*
556 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
557 * leave the flag untouched because sb_clone_mnt_opts might be handing
558 * us a superblock that needs the flag to be cleared.
559 */
560 if (selinux_is_sblabel_mnt(sb))
561 sbsec->flags |= SBLABEL_MNT;
562 else
563 sbsec->flags &= ~SBLABEL_MNT;
564
565 /* Initialize the root inode. */
566 rc = inode_doinit_with_dentry(root_inode, root);
567
568 /* Initialize any other inodes associated with the superblock, e.g.
569 inodes created prior to initial policy load or inodes created
570 during get_sb by a pseudo filesystem that directly
571 populates itself. */
572 spin_lock(&sbsec->isec_lock);
573next_inode:
574 if (!list_empty(&sbsec->isec_head)) {
575 struct inode_security_struct *isec =
576 list_entry(sbsec->isec_head.next,
577 struct inode_security_struct, list);
578 struct inode *inode = isec->inode;
579 list_del_init(&isec->list);
580 spin_unlock(&sbsec->isec_lock);
581 inode = igrab(inode);
582 if (inode) {
583 if (!IS_PRIVATE(inode))
584 inode_doinit(inode);
585 iput(inode);
586 }
587 spin_lock(&sbsec->isec_lock);
588 goto next_inode;
589 }
590 spin_unlock(&sbsec->isec_lock);
591out:
592 return rc;
593}
594
595/*
596 * This function should allow an FS to ask what it's mount security
597 * options were so it can use those later for submounts, displaying
598 * mount options, or whatever.
599 */
600static int selinux_get_mnt_opts(const struct super_block *sb,
601 struct security_mnt_opts *opts)
602{
603 int rc = 0, i;
604 struct superblock_security_struct *sbsec = sb->s_security;
605 char *context = NULL;
606 u32 len;
607 char tmp;
608
609 security_init_mnt_opts(opts);
610
611 if (!(sbsec->flags & SE_SBINITIALIZED))
612 return -EINVAL;
613
614 if (!selinux_state.initialized)
615 return -EINVAL;
616
617 /* make sure we always check enough bits to cover the mask */
618 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
619
620 tmp = sbsec->flags & SE_MNTMASK;
621 /* count the number of mount options for this sb */
622 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
623 if (tmp & 0x01)
624 opts->num_mnt_opts++;
625 tmp >>= 1;
626 }
627 /* Check if the Label support flag is set */
628 if (sbsec->flags & SBLABEL_MNT)
629 opts->num_mnt_opts++;
630
631 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
632 if (!opts->mnt_opts) {
633 rc = -ENOMEM;
634 goto out_free;
635 }
636
637 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
638 if (!opts->mnt_opts_flags) {
639 rc = -ENOMEM;
640 goto out_free;
641 }
642
643 i = 0;
644 if (sbsec->flags & FSCONTEXT_MNT) {
645 rc = security_sid_to_context(&selinux_state, sbsec->sid,
646 &context, &len);
647 if (rc)
648 goto out_free;
649 opts->mnt_opts[i] = context;
650 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
651 }
652 if (sbsec->flags & CONTEXT_MNT) {
653 rc = security_sid_to_context(&selinux_state,
654 sbsec->mntpoint_sid,
655 &context, &len);
656 if (rc)
657 goto out_free;
658 opts->mnt_opts[i] = context;
659 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
660 }
661 if (sbsec->flags & DEFCONTEXT_MNT) {
662 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
663 &context, &len);
664 if (rc)
665 goto out_free;
666 opts->mnt_opts[i] = context;
667 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
668 }
669 if (sbsec->flags & ROOTCONTEXT_MNT) {
670 struct dentry *root = sbsec->sb->s_root;
671 struct inode_security_struct *isec = backing_inode_security(root);
672
673 rc = security_sid_to_context(&selinux_state, isec->sid,
674 &context, &len);
675 if (rc)
676 goto out_free;
677 opts->mnt_opts[i] = context;
678 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
679 }
680 if (sbsec->flags & SBLABEL_MNT) {
681 opts->mnt_opts[i] = NULL;
682 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
683 }
684
685 BUG_ON(i != opts->num_mnt_opts);
686
687 return 0;
688
689out_free:
690 security_free_mnt_opts(opts);
691 return rc;
692}
693
694static int bad_option(struct superblock_security_struct *sbsec, char flag,
695 u32 old_sid, u32 new_sid)
696{
697 char mnt_flags = sbsec->flags & SE_MNTMASK;
698
699 /* check if the old mount command had the same options */
700 if (sbsec->flags & SE_SBINITIALIZED)
701 if (!(sbsec->flags & flag) ||
702 (old_sid != new_sid))
703 return 1;
704
705 /* check if we were passed the same options twice,
706 * aka someone passed context=a,context=b
707 */
708 if (!(sbsec->flags & SE_SBINITIALIZED))
709 if (mnt_flags & flag)
710 return 1;
711 return 0;
712}
713
714/*
715 * Allow filesystems with binary mount data to explicitly set mount point
716 * labeling information.
717 */
718static int selinux_set_mnt_opts(struct super_block *sb,
719 struct security_mnt_opts *opts,
720 unsigned long kern_flags,
721 unsigned long *set_kern_flags)
722{
723 const struct cred *cred = current_cred();
724 int rc = 0, i;
725 struct superblock_security_struct *sbsec = sb->s_security;
726 const char *name = sb->s_type->name;
727 struct dentry *root = sbsec->sb->s_root;
728 struct inode_security_struct *root_isec;
729 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
730 u32 defcontext_sid = 0;
731 char **mount_options = opts->mnt_opts;
732 int *flags = opts->mnt_opts_flags;
733 int num_opts = opts->num_mnt_opts;
734
735 mutex_lock(&sbsec->lock);
736
737 if (!selinux_state.initialized) {
738 if (!num_opts) {
739 /* Defer initialization until selinux_complete_init,
740 after the initial policy is loaded and the security
741 server is ready to handle calls. */
742 goto out;
743 }
744 rc = -EINVAL;
745 pr_warn("SELinux: Unable to set superblock options "
746 "before the security server is initialized\n");
747 goto out;
748 }
749 if (kern_flags && !set_kern_flags) {
750 /* Specifying internal flags without providing a place to
751 * place the results is not allowed */
752 rc = -EINVAL;
753 goto out;
754 }
755
756 /*
757 * Binary mount data FS will come through this function twice. Once
758 * from an explicit call and once from the generic calls from the vfs.
759 * Since the generic VFS calls will not contain any security mount data
760 * we need to skip the double mount verification.
761 *
762 * This does open a hole in which we will not notice if the first
763 * mount using this sb set explict options and a second mount using
764 * this sb does not set any security options. (The first options
765 * will be used for both mounts)
766 */
767 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
768 && (num_opts == 0))
769 goto out;
770
771 root_isec = backing_inode_security_novalidate(root);
772
773 /*
774 * parse the mount options, check if they are valid sids.
775 * also check if someone is trying to mount the same sb more
776 * than once with different security options.
777 */
778 for (i = 0; i < num_opts; i++) {
779 u32 sid;
780
781 if (flags[i] == SBLABEL_MNT)
782 continue;
783 rc = security_context_str_to_sid(&selinux_state,
784 mount_options[i], &sid,
785 GFP_KERNEL);
786 if (rc) {
787 pr_warn("SELinux: security_context_str_to_sid"
788 "(%s) failed for (dev %s, type %s) errno=%d\n",
789 mount_options[i], sb->s_id, name, rc);
790 goto out;
791 }
792 switch (flags[i]) {
793 case FSCONTEXT_MNT:
794 fscontext_sid = sid;
795
796 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
797 fscontext_sid))
798 goto out_double_mount;
799
800 sbsec->flags |= FSCONTEXT_MNT;
801 break;
802 case CONTEXT_MNT:
803 context_sid = sid;
804
805 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
806 context_sid))
807 goto out_double_mount;
808
809 sbsec->flags |= CONTEXT_MNT;
810 break;
811 case ROOTCONTEXT_MNT:
812 rootcontext_sid = sid;
813
814 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
815 rootcontext_sid))
816 goto out_double_mount;
817
818 sbsec->flags |= ROOTCONTEXT_MNT;
819
820 break;
821 case DEFCONTEXT_MNT:
822 defcontext_sid = sid;
823
824 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
825 defcontext_sid))
826 goto out_double_mount;
827
828 sbsec->flags |= DEFCONTEXT_MNT;
829
830 break;
831 default:
832 rc = -EINVAL;
833 goto out;
834 }
835 }
836
837 if (sbsec->flags & SE_SBINITIALIZED) {
838 /* previously mounted with options, but not on this attempt? */
839 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
840 goto out_double_mount;
841 rc = 0;
842 goto out;
843 }
844
845 if (strcmp(sb->s_type->name, "proc") == 0)
846 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
847
848 if (!strcmp(sb->s_type->name, "debugfs") ||
849 !strcmp(sb->s_type->name, "tracefs") ||
850 !strcmp(sb->s_type->name, "sysfs") ||
851 !strcmp(sb->s_type->name, "pstore") ||
852 !strcmp(sb->s_type->name, "cgroup") ||
853 !strcmp(sb->s_type->name, "cgroup2"))
854 sbsec->flags |= SE_SBGENFS;
855
856 if (!sbsec->behavior) {
857 /*
858 * Determine the labeling behavior to use for this
859 * filesystem type.
860 */
861 rc = security_fs_use(&selinux_state, sb);
862 if (rc) {
863 pr_warn("%s: security_fs_use(%s) returned %d\n",
864 __func__, sb->s_type->name, rc);
865 goto out;
866 }
867 }
868
869 /*
870 * If this is a user namespace mount and the filesystem type is not
871 * explicitly whitelisted, then no contexts are allowed on the command
872 * line and security labels must be ignored.
873 */
874 if (sb->s_user_ns != &init_user_ns &&
875 strcmp(sb->s_type->name, "tmpfs") &&
876 strcmp(sb->s_type->name, "ramfs") &&
877 strcmp(sb->s_type->name, "devpts")) {
878 if (context_sid || fscontext_sid || rootcontext_sid ||
879 defcontext_sid) {
880 rc = -EACCES;
881 goto out;
882 }
883 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
884 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
885 rc = security_transition_sid(&selinux_state,
886 current_sid(),
887 current_sid(),
888 SECCLASS_FILE, NULL,
889 &sbsec->mntpoint_sid);
890 if (rc)
891 goto out;
892 }
893 goto out_set_opts;
894 }
895
896 /* sets the context of the superblock for the fs being mounted. */
897 if (fscontext_sid) {
898 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
899 if (rc)
900 goto out;
901
902 sbsec->sid = fscontext_sid;
903 }
904
905 /*
906 * Switch to using mount point labeling behavior.
907 * sets the label used on all file below the mountpoint, and will set
908 * the superblock context if not already set.
909 */
910 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
911 sbsec->behavior = SECURITY_FS_USE_NATIVE;
912 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
913 }
914
915 if (context_sid) {
916 if (!fscontext_sid) {
917 rc = may_context_mount_sb_relabel(context_sid, sbsec,
918 cred);
919 if (rc)
920 goto out;
921 sbsec->sid = context_sid;
922 } else {
923 rc = may_context_mount_inode_relabel(context_sid, sbsec,
924 cred);
925 if (rc)
926 goto out;
927 }
928 if (!rootcontext_sid)
929 rootcontext_sid = context_sid;
930
931 sbsec->mntpoint_sid = context_sid;
932 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
933 }
934
935 if (rootcontext_sid) {
936 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
937 cred);
938 if (rc)
939 goto out;
940
941 root_isec->sid = rootcontext_sid;
942 root_isec->initialized = LABEL_INITIALIZED;
943 }
944
945 if (defcontext_sid) {
946 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
947 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
948 rc = -EINVAL;
949 pr_warn("SELinux: defcontext option is "
950 "invalid for this filesystem type\n");
951 goto out;
952 }
953
954 if (defcontext_sid != sbsec->def_sid) {
955 rc = may_context_mount_inode_relabel(defcontext_sid,
956 sbsec, cred);
957 if (rc)
958 goto out;
959 }
960
961 sbsec->def_sid = defcontext_sid;
962 }
963
964out_set_opts:
965 rc = sb_finish_set_opts(sb);
966out:
967 mutex_unlock(&sbsec->lock);
968 return rc;
969out_double_mount:
970 rc = -EINVAL;
971 pr_warn("SELinux: mount invalid. Same superblock, different "
972 "security settings for (dev %s, type %s)\n", sb->s_id, name);
973 goto out;
974}
975
976static int selinux_cmp_sb_context(const struct super_block *oldsb,
977 const struct super_block *newsb)
978{
979 struct superblock_security_struct *old = oldsb->s_security;
980 struct superblock_security_struct *new = newsb->s_security;
981 char oldflags = old->flags & SE_MNTMASK;
982 char newflags = new->flags & SE_MNTMASK;
983
984 if (oldflags != newflags)
985 goto mismatch;
986 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
987 goto mismatch;
988 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
989 goto mismatch;
990 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
991 goto mismatch;
992 if (oldflags & ROOTCONTEXT_MNT) {
993 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
994 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
995 if (oldroot->sid != newroot->sid)
996 goto mismatch;
997 }
998 return 0;
999mismatch:
1000 pr_warn("SELinux: mount invalid. Same superblock, "
1001 "different security settings for (dev %s, "
1002 "type %s)\n", newsb->s_id, newsb->s_type->name);
1003 return -EBUSY;
1004}
1005
1006static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1007 struct super_block *newsb,
1008 unsigned long kern_flags,
1009 unsigned long *set_kern_flags)
1010{
1011 int rc = 0;
1012 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1013 struct superblock_security_struct *newsbsec = newsb->s_security;
1014
1015 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1016 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1017 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1018
1019 /*
1020 * if the parent was able to be mounted it clearly had no special lsm
1021 * mount options. thus we can safely deal with this superblock later
1022 */
1023 if (!selinux_state.initialized)
1024 return 0;
1025
1026 /*
1027 * Specifying internal flags without providing a place to
1028 * place the results is not allowed.
1029 */
1030 if (kern_flags && !set_kern_flags)
1031 return -EINVAL;
1032
1033 /* how can we clone if the old one wasn't set up?? */
1034 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1035
1036 /* if fs is reusing a sb, make sure that the contexts match */
1037 if (newsbsec->flags & SE_SBINITIALIZED)
1038 return selinux_cmp_sb_context(oldsb, newsb);
1039
1040 mutex_lock(&newsbsec->lock);
1041
1042 newsbsec->flags = oldsbsec->flags;
1043
1044 newsbsec->sid = oldsbsec->sid;
1045 newsbsec->def_sid = oldsbsec->def_sid;
1046 newsbsec->behavior = oldsbsec->behavior;
1047
1048 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1049 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1050 rc = security_fs_use(&selinux_state, newsb);
1051 if (rc)
1052 goto out;
1053 }
1054
1055 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1056 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1057 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1058 }
1059
1060 if (set_context) {
1061 u32 sid = oldsbsec->mntpoint_sid;
1062
1063 if (!set_fscontext)
1064 newsbsec->sid = sid;
1065 if (!set_rootcontext) {
1066 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1067 newisec->sid = sid;
1068 }
1069 newsbsec->mntpoint_sid = sid;
1070 }
1071 if (set_rootcontext) {
1072 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1073 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1074
1075 newisec->sid = oldisec->sid;
1076 }
1077
1078 sb_finish_set_opts(newsb);
1079out:
1080 mutex_unlock(&newsbsec->lock);
1081 return rc;
1082}
1083
1084static int selinux_parse_opts_str(char *options,
1085 struct security_mnt_opts *opts)
1086{
1087 char *p;
1088 char *context = NULL, *defcontext = NULL;
1089 char *fscontext = NULL, *rootcontext = NULL;
1090 int rc, num_mnt_opts = 0;
1091
1092 opts->num_mnt_opts = 0;
1093
1094 /* Standard string-based options. */
1095 while ((p = strsep(&options, "|")) != NULL) {
1096 int token;
1097 substring_t args[MAX_OPT_ARGS];
1098
1099 if (!*p)
1100 continue;
1101
1102 token = match_token(p, tokens, args);
1103
1104 switch (token) {
1105 case Opt_context:
1106 if (context || defcontext) {
1107 rc = -EINVAL;
1108 pr_warn(SEL_MOUNT_FAIL_MSG);
1109 goto out_err;
1110 }
1111 context = match_strdup(&args[0]);
1112 if (!context) {
1113 rc = -ENOMEM;
1114 goto out_err;
1115 }
1116 break;
1117
1118 case Opt_fscontext:
1119 if (fscontext) {
1120 rc = -EINVAL;
1121 pr_warn(SEL_MOUNT_FAIL_MSG);
1122 goto out_err;
1123 }
1124 fscontext = match_strdup(&args[0]);
1125 if (!fscontext) {
1126 rc = -ENOMEM;
1127 goto out_err;
1128 }
1129 break;
1130
1131 case Opt_rootcontext:
1132 if (rootcontext) {
1133 rc = -EINVAL;
1134 pr_warn(SEL_MOUNT_FAIL_MSG);
1135 goto out_err;
1136 }
1137 rootcontext = match_strdup(&args[0]);
1138 if (!rootcontext) {
1139 rc = -ENOMEM;
1140 goto out_err;
1141 }
1142 break;
1143
1144 case Opt_defcontext:
1145 if (context || defcontext) {
1146 rc = -EINVAL;
1147 pr_warn(SEL_MOUNT_FAIL_MSG);
1148 goto out_err;
1149 }
1150 defcontext = match_strdup(&args[0]);
1151 if (!defcontext) {
1152 rc = -ENOMEM;
1153 goto out_err;
1154 }
1155 break;
1156 case Opt_labelsupport:
1157 break;
1158 default:
1159 rc = -EINVAL;
1160 pr_warn("SELinux: unknown mount option\n");
1161 goto out_err;
1162
1163 }
1164 }
1165
1166 rc = -ENOMEM;
1167 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1168 if (!opts->mnt_opts)
1169 goto out_err;
1170
1171 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1172 GFP_KERNEL);
1173 if (!opts->mnt_opts_flags)
1174 goto out_err;
1175
1176 if (fscontext) {
1177 opts->mnt_opts[num_mnt_opts] = fscontext;
1178 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1179 }
1180 if (context) {
1181 opts->mnt_opts[num_mnt_opts] = context;
1182 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1183 }
1184 if (rootcontext) {
1185 opts->mnt_opts[num_mnt_opts] = rootcontext;
1186 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1187 }
1188 if (defcontext) {
1189 opts->mnt_opts[num_mnt_opts] = defcontext;
1190 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1191 }
1192
1193 opts->num_mnt_opts = num_mnt_opts;
1194 return 0;
1195
1196out_err:
1197 security_free_mnt_opts(opts);
1198 kfree(context);
1199 kfree(defcontext);
1200 kfree(fscontext);
1201 kfree(rootcontext);
1202 return rc;
1203}
1204/*
1205 * string mount options parsing and call set the sbsec
1206 */
1207static int superblock_doinit(struct super_block *sb, void *data)
1208{
1209 int rc = 0;
1210 char *options = data;
1211 struct security_mnt_opts opts;
1212
1213 security_init_mnt_opts(&opts);
1214
1215 if (!data)
1216 goto out;
1217
1218 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1219
1220 rc = selinux_parse_opts_str(options, &opts);
1221 if (rc)
1222 goto out_err;
1223
1224out:
1225 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1226
1227out_err:
1228 security_free_mnt_opts(&opts);
1229 return rc;
1230}
1231
1232static void selinux_write_opts(struct seq_file *m,
1233 struct security_mnt_opts *opts)
1234{
1235 int i;
1236 char *prefix;
1237
1238 for (i = 0; i < opts->num_mnt_opts; i++) {
1239 char *has_comma;
1240
1241 if (opts->mnt_opts[i])
1242 has_comma = strchr(opts->mnt_opts[i], ',');
1243 else
1244 has_comma = NULL;
1245
1246 switch (opts->mnt_opts_flags[i]) {
1247 case CONTEXT_MNT:
1248 prefix = CONTEXT_STR;
1249 break;
1250 case FSCONTEXT_MNT:
1251 prefix = FSCONTEXT_STR;
1252 break;
1253 case ROOTCONTEXT_MNT:
1254 prefix = ROOTCONTEXT_STR;
1255 break;
1256 case DEFCONTEXT_MNT:
1257 prefix = DEFCONTEXT_STR;
1258 break;
1259 case SBLABEL_MNT:
1260 seq_putc(m, ',');
1261 seq_puts(m, LABELSUPP_STR);
1262 continue;
1263 default:
1264 BUG();
1265 return;
1266 };
1267 /* we need a comma before each option */
1268 seq_putc(m, ',');
1269 seq_puts(m, prefix);
1270 if (has_comma)
1271 seq_putc(m, '\"');
1272 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1273 if (has_comma)
1274 seq_putc(m, '\"');
1275 }
1276}
1277
1278static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1279{
1280 struct security_mnt_opts opts;
1281 int rc;
1282
1283 rc = selinux_get_mnt_opts(sb, &opts);
1284 if (rc) {
1285 /* before policy load we may get EINVAL, don't show anything */
1286 if (rc == -EINVAL)
1287 rc = 0;
1288 return rc;
1289 }
1290
1291 selinux_write_opts(m, &opts);
1292
1293 security_free_mnt_opts(&opts);
1294
1295 return rc;
1296}
1297
1298static inline u16 inode_mode_to_security_class(umode_t mode)
1299{
1300 switch (mode & S_IFMT) {
1301 case S_IFSOCK:
1302 return SECCLASS_SOCK_FILE;
1303 case S_IFLNK:
1304 return SECCLASS_LNK_FILE;
1305 case S_IFREG:
1306 return SECCLASS_FILE;
1307 case S_IFBLK:
1308 return SECCLASS_BLK_FILE;
1309 case S_IFDIR:
1310 return SECCLASS_DIR;
1311 case S_IFCHR:
1312 return SECCLASS_CHR_FILE;
1313 case S_IFIFO:
1314 return SECCLASS_FIFO_FILE;
1315
1316 }
1317
1318 return SECCLASS_FILE;
1319}
1320
1321static inline int default_protocol_stream(int protocol)
1322{
1323 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1324}
1325
1326static inline int default_protocol_dgram(int protocol)
1327{
1328 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1329}
1330
1331static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1332{
1333 int extsockclass = selinux_policycap_extsockclass();
1334
1335 switch (family) {
1336 case PF_UNIX:
1337 switch (type) {
1338 case SOCK_STREAM:
1339 case SOCK_SEQPACKET:
1340 return SECCLASS_UNIX_STREAM_SOCKET;
1341 case SOCK_DGRAM:
1342 case SOCK_RAW:
1343 return SECCLASS_UNIX_DGRAM_SOCKET;
1344 }
1345 break;
1346 case PF_INET:
1347 case PF_INET6:
1348 switch (type) {
1349 case SOCK_STREAM:
1350 case SOCK_SEQPACKET:
1351 if (default_protocol_stream(protocol))
1352 return SECCLASS_TCP_SOCKET;
1353 else if (extsockclass && protocol == IPPROTO_SCTP)
1354 return SECCLASS_SCTP_SOCKET;
1355 else
1356 return SECCLASS_RAWIP_SOCKET;
1357 case SOCK_DGRAM:
1358 if (default_protocol_dgram(protocol))
1359 return SECCLASS_UDP_SOCKET;
1360 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1361 protocol == IPPROTO_ICMPV6))
1362 return SECCLASS_ICMP_SOCKET;
1363 else
1364 return SECCLASS_RAWIP_SOCKET;
1365 case SOCK_DCCP:
1366 return SECCLASS_DCCP_SOCKET;
1367 default:
1368 return SECCLASS_RAWIP_SOCKET;
1369 }
1370 break;
1371 case PF_NETLINK:
1372 switch (protocol) {
1373 case NETLINK_ROUTE:
1374 return SECCLASS_NETLINK_ROUTE_SOCKET;
1375 case NETLINK_SOCK_DIAG:
1376 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1377 case NETLINK_NFLOG:
1378 return SECCLASS_NETLINK_NFLOG_SOCKET;
1379 case NETLINK_XFRM:
1380 return SECCLASS_NETLINK_XFRM_SOCKET;
1381 case NETLINK_SELINUX:
1382 return SECCLASS_NETLINK_SELINUX_SOCKET;
1383 case NETLINK_ISCSI:
1384 return SECCLASS_NETLINK_ISCSI_SOCKET;
1385 case NETLINK_AUDIT:
1386 return SECCLASS_NETLINK_AUDIT_SOCKET;
1387 case NETLINK_FIB_LOOKUP:
1388 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1389 case NETLINK_CONNECTOR:
1390 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1391 case NETLINK_NETFILTER:
1392 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1393 case NETLINK_DNRTMSG:
1394 return SECCLASS_NETLINK_DNRT_SOCKET;
1395 case NETLINK_KOBJECT_UEVENT:
1396 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1397 case NETLINK_GENERIC:
1398 return SECCLASS_NETLINK_GENERIC_SOCKET;
1399 case NETLINK_SCSITRANSPORT:
1400 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1401 case NETLINK_RDMA:
1402 return SECCLASS_NETLINK_RDMA_SOCKET;
1403 case NETLINK_CRYPTO:
1404 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1405 default:
1406 return SECCLASS_NETLINK_SOCKET;
1407 }
1408 case PF_PACKET:
1409 return SECCLASS_PACKET_SOCKET;
1410 case PF_KEY:
1411 return SECCLASS_KEY_SOCKET;
1412 case PF_APPLETALK:
1413 return SECCLASS_APPLETALK_SOCKET;
1414 }
1415
1416 if (extsockclass) {
1417 switch (family) {
1418 case PF_AX25:
1419 return SECCLASS_AX25_SOCKET;
1420 case PF_IPX:
1421 return SECCLASS_IPX_SOCKET;
1422 case PF_NETROM:
1423 return SECCLASS_NETROM_SOCKET;
1424 case PF_ATMPVC:
1425 return SECCLASS_ATMPVC_SOCKET;
1426 case PF_X25:
1427 return SECCLASS_X25_SOCKET;
1428 case PF_ROSE:
1429 return SECCLASS_ROSE_SOCKET;
1430 case PF_DECnet:
1431 return SECCLASS_DECNET_SOCKET;
1432 case PF_ATMSVC:
1433 return SECCLASS_ATMSVC_SOCKET;
1434 case PF_RDS:
1435 return SECCLASS_RDS_SOCKET;
1436 case PF_IRDA:
1437 return SECCLASS_IRDA_SOCKET;
1438 case PF_PPPOX:
1439 return SECCLASS_PPPOX_SOCKET;
1440 case PF_LLC:
1441 return SECCLASS_LLC_SOCKET;
1442 case PF_CAN:
1443 return SECCLASS_CAN_SOCKET;
1444 case PF_TIPC:
1445 return SECCLASS_TIPC_SOCKET;
1446 case PF_BLUETOOTH:
1447 return SECCLASS_BLUETOOTH_SOCKET;
1448 case PF_IUCV:
1449 return SECCLASS_IUCV_SOCKET;
1450 case PF_RXRPC:
1451 return SECCLASS_RXRPC_SOCKET;
1452 case PF_ISDN:
1453 return SECCLASS_ISDN_SOCKET;
1454 case PF_PHONET:
1455 return SECCLASS_PHONET_SOCKET;
1456 case PF_IEEE802154:
1457 return SECCLASS_IEEE802154_SOCKET;
1458 case PF_CAIF:
1459 return SECCLASS_CAIF_SOCKET;
1460 case PF_ALG:
1461 return SECCLASS_ALG_SOCKET;
1462 case PF_NFC:
1463 return SECCLASS_NFC_SOCKET;
1464 case PF_VSOCK:
1465 return SECCLASS_VSOCK_SOCKET;
1466 case PF_KCM:
1467 return SECCLASS_KCM_SOCKET;
1468 case PF_QIPCRTR:
1469 return SECCLASS_QIPCRTR_SOCKET;
1470 case PF_SMC:
1471 return SECCLASS_SMC_SOCKET;
1472 case PF_XDP:
1473 return SECCLASS_XDP_SOCKET;
1474#if PF_MAX > 45
1475#error New address family defined, please update this function.
1476#endif
1477 }
1478 }
1479
1480 return SECCLASS_SOCKET;
1481}
1482
1483static int selinux_genfs_get_sid(struct dentry *dentry,
1484 u16 tclass,
1485 u16 flags,
1486 u32 *sid)
1487{
1488 int rc;
1489 struct super_block *sb = dentry->d_sb;
1490 char *buffer, *path;
1491
1492 buffer = (char *)__get_free_page(GFP_KERNEL);
1493 if (!buffer)
1494 return -ENOMEM;
1495
1496 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1497 if (IS_ERR(path))
1498 rc = PTR_ERR(path);
1499 else {
1500 if (flags & SE_SBPROC) {
1501 /* each process gets a /proc/PID/ entry. Strip off the
1502 * PID part to get a valid selinux labeling.
1503 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1504 while (path[1] >= '0' && path[1] <= '9') {
1505 path[1] = '/';
1506 path++;
1507 }
1508 }
1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510 path, tclass, sid);
1511 if (rc == -ENOENT) {
1512 /* No match in policy, mark as unlabeled. */
1513 *sid = SECINITSID_UNLABELED;
1514 rc = 0;
1515 }
1516 }
1517 free_page((unsigned long)buffer);
1518 return rc;
1519}
1520
1521/* The inode's security attributes must be initialized before first use. */
1522static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1523{
1524 struct superblock_security_struct *sbsec = NULL;
1525 struct inode_security_struct *isec = inode->i_security;
1526 u32 task_sid, sid = 0;
1527 u16 sclass;
1528 struct dentry *dentry;
1529#define INITCONTEXTLEN 255
1530 char *context = NULL;
1531 unsigned len = 0;
1532 int rc = 0;
1533
1534 if (isec->initialized == LABEL_INITIALIZED)
1535 return 0;
1536
1537 spin_lock(&isec->lock);
1538 if (isec->initialized == LABEL_INITIALIZED)
1539 goto out_unlock;
1540
1541 if (isec->sclass == SECCLASS_FILE)
1542 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1543
1544 sbsec = inode->i_sb->s_security;
1545 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1546 /* Defer initialization until selinux_complete_init,
1547 after the initial policy is loaded and the security
1548 server is ready to handle calls. */
1549 spin_lock(&sbsec->isec_lock);
1550 if (list_empty(&isec->list))
1551 list_add(&isec->list, &sbsec->isec_head);
1552 spin_unlock(&sbsec->isec_lock);
1553 goto out_unlock;
1554 }
1555
1556 sclass = isec->sclass;
1557 task_sid = isec->task_sid;
1558 sid = isec->sid;
1559 isec->initialized = LABEL_PENDING;
1560 spin_unlock(&isec->lock);
1561
1562 switch (sbsec->behavior) {
1563 case SECURITY_FS_USE_NATIVE:
1564 break;
1565 case SECURITY_FS_USE_XATTR:
1566 if (!(inode->i_opflags & IOP_XATTR)) {
1567 sid = sbsec->def_sid;
1568 break;
1569 }
1570 /* Need a dentry, since the xattr API requires one.
1571 Life would be simpler if we could just pass the inode. */
1572 if (opt_dentry) {
1573 /* Called from d_instantiate or d_splice_alias. */
1574 dentry = dget(opt_dentry);
1575 } else {
1576 /*
1577 * Called from selinux_complete_init, try to find a dentry.
1578 * Some filesystems really want a connected one, so try
1579 * that first. We could split SECURITY_FS_USE_XATTR in
1580 * two, depending upon that...
1581 */
1582 dentry = d_find_alias(inode);
1583 if (!dentry)
1584 dentry = d_find_any_alias(inode);
1585 }
1586 if (!dentry) {
1587 /*
1588 * this is can be hit on boot when a file is accessed
1589 * before the policy is loaded. When we load policy we
1590 * may find inodes that have no dentry on the
1591 * sbsec->isec_head list. No reason to complain as these
1592 * will get fixed up the next time we go through
1593 * inode_doinit with a dentry, before these inodes could
1594 * be used again by userspace.
1595 */
1596 goto out;
1597 }
1598
1599 len = INITCONTEXTLEN;
1600 context = kmalloc(len+1, GFP_NOFS);
1601 if (!context) {
1602 rc = -ENOMEM;
1603 dput(dentry);
1604 goto out;
1605 }
1606 context[len] = '\0';
1607 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1608 if (rc == -ERANGE) {
1609 kfree(context);
1610
1611 /* Need a larger buffer. Query for the right size. */
1612 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1613 if (rc < 0) {
1614 dput(dentry);
1615 goto out;
1616 }
1617 len = rc;
1618 context = kmalloc(len+1, GFP_NOFS);
1619 if (!context) {
1620 rc = -ENOMEM;
1621 dput(dentry);
1622 goto out;
1623 }
1624 context[len] = '\0';
1625 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1626 }
1627 dput(dentry);
1628 if (rc < 0) {
1629 if (rc != -ENODATA) {
1630 pr_warn("SELinux: %s: getxattr returned "
1631 "%d for dev=%s ino=%ld\n", __func__,
1632 -rc, inode->i_sb->s_id, inode->i_ino);
1633 kfree(context);
1634 goto out;
1635 }
1636 /* Map ENODATA to the default file SID */
1637 sid = sbsec->def_sid;
1638 rc = 0;
1639 } else {
1640 rc = security_context_to_sid_default(&selinux_state,
1641 context, rc, &sid,
1642 sbsec->def_sid,
1643 GFP_NOFS);
1644 if (rc) {
1645 char *dev = inode->i_sb->s_id;
1646 unsigned long ino = inode->i_ino;
1647
1648 if (rc == -EINVAL) {
1649 if (printk_ratelimit())
1650 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1651 "context=%s. This indicates you may need to relabel the inode or the "
1652 "filesystem in question.\n", ino, dev, context);
1653 } else {
1654 pr_warn("SELinux: %s: context_to_sid(%s) "
1655 "returned %d for dev=%s ino=%ld\n",
1656 __func__, context, -rc, dev, ino);
1657 }
1658 kfree(context);
1659 /* Leave with the unlabeled SID */
1660 rc = 0;
1661 break;
1662 }
1663 }
1664 kfree(context);
1665 break;
1666 case SECURITY_FS_USE_TASK:
1667 sid = task_sid;
1668 break;
1669 case SECURITY_FS_USE_TRANS:
1670 /* Default to the fs SID. */
1671 sid = sbsec->sid;
1672
1673 /* Try to obtain a transition SID. */
1674 rc = security_transition_sid(&selinux_state, task_sid, sid,
1675 sclass, NULL, &sid);
1676 if (rc)
1677 goto out;
1678 break;
1679 case SECURITY_FS_USE_MNTPOINT:
1680 sid = sbsec->mntpoint_sid;
1681 break;
1682 default:
1683 /* Default to the fs superblock SID. */
1684 sid = sbsec->sid;
1685
1686 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1687 /* We must have a dentry to determine the label on
1688 * procfs inodes */
1689 if (opt_dentry) {
1690 /* Called from d_instantiate or
1691 * d_splice_alias. */
1692 dentry = dget(opt_dentry);
1693 } else {
1694 /* Called from selinux_complete_init, try to
1695 * find a dentry. Some filesystems really want
1696 * a connected one, so try that first.
1697 */
1698 dentry = d_find_alias(inode);
1699 if (!dentry)
1700 dentry = d_find_any_alias(inode);
1701 }
1702 /*
1703 * This can be hit on boot when a file is accessed
1704 * before the policy is loaded. When we load policy we
1705 * may find inodes that have no dentry on the
1706 * sbsec->isec_head list. No reason to complain as
1707 * these will get fixed up the next time we go through
1708 * inode_doinit() with a dentry, before these inodes
1709 * could be used again by userspace.
1710 */
1711 if (!dentry)
1712 goto out;
1713 rc = selinux_genfs_get_sid(dentry, sclass,
1714 sbsec->flags, &sid);
1715 dput(dentry);
1716 if (rc)
1717 goto out;
1718 }
1719 break;
1720 }
1721
1722out:
1723 spin_lock(&isec->lock);
1724 if (isec->initialized == LABEL_PENDING) {
1725 if (!sid || rc) {
1726 isec->initialized = LABEL_INVALID;
1727 goto out_unlock;
1728 }
1729
1730 isec->initialized = LABEL_INITIALIZED;
1731 isec->sid = sid;
1732 }
1733
1734out_unlock:
1735 spin_unlock(&isec->lock);
1736 return rc;
1737}
1738
1739/* Convert a Linux signal to an access vector. */
1740static inline u32 signal_to_av(int sig)
1741{
1742 u32 perm = 0;
1743
1744 switch (sig) {
1745 case SIGCHLD:
1746 /* Commonly granted from child to parent. */
1747 perm = PROCESS__SIGCHLD;
1748 break;
1749 case SIGKILL:
1750 /* Cannot be caught or ignored */
1751 perm = PROCESS__SIGKILL;
1752 break;
1753 case SIGSTOP:
1754 /* Cannot be caught or ignored */
1755 perm = PROCESS__SIGSTOP;
1756 break;
1757 default:
1758 /* All other signals. */
1759 perm = PROCESS__SIGNAL;
1760 break;
1761 }
1762
1763 return perm;
1764}
1765
1766#if CAP_LAST_CAP > 63
1767#error Fix SELinux to handle capabilities > 63.
1768#endif
1769
1770/* Check whether a task is allowed to use a capability. */
1771static int cred_has_capability(const struct cred *cred,
1772 int cap, int audit, bool initns)
1773{
1774 struct common_audit_data ad;
1775 struct av_decision avd;
1776 u16 sclass;
1777 u32 sid = cred_sid(cred);
1778 u32 av = CAP_TO_MASK(cap);
1779 int rc;
1780
1781 ad.type = LSM_AUDIT_DATA_CAP;
1782 ad.u.cap = cap;
1783
1784 switch (CAP_TO_INDEX(cap)) {
1785 case 0:
1786 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1787 break;
1788 case 1:
1789 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1790 break;
1791 default:
1792 pr_err("SELinux: out of range capability %d\n", cap);
1793 BUG();
1794 return -EINVAL;
1795 }
1796
1797 rc = avc_has_perm_noaudit(&selinux_state,
1798 sid, sid, sclass, av, 0, &avd);
1799 if (audit == SECURITY_CAP_AUDIT) {
1800 int rc2 = avc_audit(&selinux_state,
1801 sid, sid, sclass, av, &avd, rc, &ad, 0);
1802 if (rc2)
1803 return rc2;
1804 }
1805 return rc;
1806}
1807
1808/* Check whether a task has a particular permission to an inode.
1809 The 'adp' parameter is optional and allows other audit
1810 data to be passed (e.g. the dentry). */
1811static int inode_has_perm(const struct cred *cred,
1812 struct inode *inode,
1813 u32 perms,
1814 struct common_audit_data *adp)
1815{
1816 struct inode_security_struct *isec;
1817 u32 sid;
1818
1819 validate_creds(cred);
1820
1821 if (unlikely(IS_PRIVATE(inode)))
1822 return 0;
1823
1824 sid = cred_sid(cred);
1825 isec = inode->i_security;
1826
1827 return avc_has_perm(&selinux_state,
1828 sid, isec->sid, isec->sclass, perms, adp);
1829}
1830
1831/* Same as inode_has_perm, but pass explicit audit data containing
1832 the dentry to help the auditing code to more easily generate the
1833 pathname if needed. */
1834static inline int dentry_has_perm(const struct cred *cred,
1835 struct dentry *dentry,
1836 u32 av)
1837{
1838 struct inode *inode = d_backing_inode(dentry);
1839 struct common_audit_data ad;
1840
1841 ad.type = LSM_AUDIT_DATA_DENTRY;
1842 ad.u.dentry = dentry;
1843 __inode_security_revalidate(inode, dentry, true);
1844 return inode_has_perm(cred, inode, av, &ad);
1845}
1846
1847/* Same as inode_has_perm, but pass explicit audit data containing
1848 the path to help the auditing code to more easily generate the
1849 pathname if needed. */
1850static inline int path_has_perm(const struct cred *cred,
1851 const struct path *path,
1852 u32 av)
1853{
1854 struct inode *inode = d_backing_inode(path->dentry);
1855 struct common_audit_data ad;
1856
1857 ad.type = LSM_AUDIT_DATA_PATH;
1858 ad.u.path = *path;
1859 __inode_security_revalidate(inode, path->dentry, true);
1860 return inode_has_perm(cred, inode, av, &ad);
1861}
1862
1863/* Same as path_has_perm, but uses the inode from the file struct. */
1864static inline int file_path_has_perm(const struct cred *cred,
1865 struct file *file,
1866 u32 av)
1867{
1868 struct common_audit_data ad;
1869
1870 ad.type = LSM_AUDIT_DATA_FILE;
1871 ad.u.file = file;
1872 return inode_has_perm(cred, file_inode(file), av, &ad);
1873}
1874
1875#ifdef CONFIG_BPF_SYSCALL
1876static int bpf_fd_pass(struct file *file, u32 sid);
1877#endif
1878
1879/* Check whether a task can use an open file descriptor to
1880 access an inode in a given way. Check access to the
1881 descriptor itself, and then use dentry_has_perm to
1882 check a particular permission to the file.
1883 Access to the descriptor is implicitly granted if it
1884 has the same SID as the process. If av is zero, then
1885 access to the file is not checked, e.g. for cases
1886 where only the descriptor is affected like seek. */
1887static int file_has_perm(const struct cred *cred,
1888 struct file *file,
1889 u32 av)
1890{
1891 struct file_security_struct *fsec = file->f_security;
1892 struct inode *inode = file_inode(file);
1893 struct common_audit_data ad;
1894 u32 sid = cred_sid(cred);
1895 int rc;
1896
1897 ad.type = LSM_AUDIT_DATA_FILE;
1898 ad.u.file = file;
1899
1900 if (sid != fsec->sid) {
1901 rc = avc_has_perm(&selinux_state,
1902 sid, fsec->sid,
1903 SECCLASS_FD,
1904 FD__USE,
1905 &ad);
1906 if (rc)
1907 goto out;
1908 }
1909
1910#ifdef CONFIG_BPF_SYSCALL
1911 rc = bpf_fd_pass(file, cred_sid(cred));
1912 if (rc)
1913 return rc;
1914#endif
1915
1916 /* av is zero if only checking access to the descriptor. */
1917 rc = 0;
1918 if (av)
1919 rc = inode_has_perm(cred, inode, av, &ad);
1920
1921out:
1922 return rc;
1923}
1924
1925/*
1926 * Determine the label for an inode that might be unioned.
1927 */
1928static int
1929selinux_determine_inode_label(const struct task_security_struct *tsec,
1930 struct inode *dir,
1931 const struct qstr *name, u16 tclass,
1932 u32 *_new_isid)
1933{
1934 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1935
1936 if ((sbsec->flags & SE_SBINITIALIZED) &&
1937 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1938 *_new_isid = sbsec->mntpoint_sid;
1939 } else if ((sbsec->flags & SBLABEL_MNT) &&
1940 tsec->create_sid) {
1941 *_new_isid = tsec->create_sid;
1942 } else {
1943 const struct inode_security_struct *dsec = inode_security(dir);
1944 return security_transition_sid(&selinux_state, tsec->sid,
1945 dsec->sid, tclass,
1946 name, _new_isid);
1947 }
1948
1949 return 0;
1950}
1951
1952/* Check whether a task can create a file. */
1953static int may_create(struct inode *dir,
1954 struct dentry *dentry,
1955 u16 tclass)
1956{
1957 const struct task_security_struct *tsec = current_security();
1958 struct inode_security_struct *dsec;
1959 struct superblock_security_struct *sbsec;
1960 u32 sid, newsid;
1961 struct common_audit_data ad;
1962 int rc;
1963
1964 dsec = inode_security(dir);
1965 sbsec = dir->i_sb->s_security;
1966
1967 sid = tsec->sid;
1968
1969 ad.type = LSM_AUDIT_DATA_DENTRY;
1970 ad.u.dentry = dentry;
1971
1972 rc = avc_has_perm(&selinux_state,
1973 sid, dsec->sid, SECCLASS_DIR,
1974 DIR__ADD_NAME | DIR__SEARCH,
1975 &ad);
1976 if (rc)
1977 return rc;
1978
1979 rc = selinux_determine_inode_label(current_security(), dir,
1980 &dentry->d_name, tclass, &newsid);
1981 if (rc)
1982 return rc;
1983
1984 rc = avc_has_perm(&selinux_state,
1985 sid, newsid, tclass, FILE__CREATE, &ad);
1986 if (rc)
1987 return rc;
1988
1989 return avc_has_perm(&selinux_state,
1990 newsid, sbsec->sid,
1991 SECCLASS_FILESYSTEM,
1992 FILESYSTEM__ASSOCIATE, &ad);
1993}
1994
1995#define MAY_LINK 0
1996#define MAY_UNLINK 1
1997#define MAY_RMDIR 2
1998
1999/* Check whether a task can link, unlink, or rmdir a file/directory. */
2000static int may_link(struct inode *dir,
2001 struct dentry *dentry,
2002 int kind)
2003
2004{
2005 struct inode_security_struct *dsec, *isec;
2006 struct common_audit_data ad;
2007 u32 sid = current_sid();
2008 u32 av;
2009 int rc;
2010
2011 dsec = inode_security(dir);
2012 isec = backing_inode_security(dentry);
2013
2014 ad.type = LSM_AUDIT_DATA_DENTRY;
2015 ad.u.dentry = dentry;
2016
2017 av = DIR__SEARCH;
2018 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2019 rc = avc_has_perm(&selinux_state,
2020 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2021 if (rc)
2022 return rc;
2023
2024 switch (kind) {
2025 case MAY_LINK:
2026 av = FILE__LINK;
2027 break;
2028 case MAY_UNLINK:
2029 av = FILE__UNLINK;
2030 break;
2031 case MAY_RMDIR:
2032 av = DIR__RMDIR;
2033 break;
2034 default:
2035 pr_warn("SELinux: %s: unrecognized kind %d\n",
2036 __func__, kind);
2037 return 0;
2038 }
2039
2040 rc = avc_has_perm(&selinux_state,
2041 sid, isec->sid, isec->sclass, av, &ad);
2042 return rc;
2043}
2044
2045static inline int may_rename(struct inode *old_dir,
2046 struct dentry *old_dentry,
2047 struct inode *new_dir,
2048 struct dentry *new_dentry)
2049{
2050 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2051 struct common_audit_data ad;
2052 u32 sid = current_sid();
2053 u32 av;
2054 int old_is_dir, new_is_dir;
2055 int rc;
2056
2057 old_dsec = inode_security(old_dir);
2058 old_isec = backing_inode_security(old_dentry);
2059 old_is_dir = d_is_dir(old_dentry);
2060 new_dsec = inode_security(new_dir);
2061
2062 ad.type = LSM_AUDIT_DATA_DENTRY;
2063
2064 ad.u.dentry = old_dentry;
2065 rc = avc_has_perm(&selinux_state,
2066 sid, old_dsec->sid, SECCLASS_DIR,
2067 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2068 if (rc)
2069 return rc;
2070 rc = avc_has_perm(&selinux_state,
2071 sid, old_isec->sid,
2072 old_isec->sclass, FILE__RENAME, &ad);
2073 if (rc)
2074 return rc;
2075 if (old_is_dir && new_dir != old_dir) {
2076 rc = avc_has_perm(&selinux_state,
2077 sid, old_isec->sid,
2078 old_isec->sclass, DIR__REPARENT, &ad);
2079 if (rc)
2080 return rc;
2081 }
2082
2083 ad.u.dentry = new_dentry;
2084 av = DIR__ADD_NAME | DIR__SEARCH;
2085 if (d_is_positive(new_dentry))
2086 av |= DIR__REMOVE_NAME;
2087 rc = avc_has_perm(&selinux_state,
2088 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2089 if (rc)
2090 return rc;
2091 if (d_is_positive(new_dentry)) {
2092 new_isec = backing_inode_security(new_dentry);
2093 new_is_dir = d_is_dir(new_dentry);
2094 rc = avc_has_perm(&selinux_state,
2095 sid, new_isec->sid,
2096 new_isec->sclass,
2097 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2098 if (rc)
2099 return rc;
2100 }
2101
2102 return 0;
2103}
2104
2105/* Check whether a task can perform a filesystem operation. */
2106static int superblock_has_perm(const struct cred *cred,
2107 struct super_block *sb,
2108 u32 perms,
2109 struct common_audit_data *ad)
2110{
2111 struct superblock_security_struct *sbsec;
2112 u32 sid = cred_sid(cred);
2113
2114 sbsec = sb->s_security;
2115 return avc_has_perm(&selinux_state,
2116 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2117}
2118
2119/* Convert a Linux mode and permission mask to an access vector. */
2120static inline u32 file_mask_to_av(int mode, int mask)
2121{
2122 u32 av = 0;
2123
2124 if (!S_ISDIR(mode)) {
2125 if (mask & MAY_EXEC)
2126 av |= FILE__EXECUTE;
2127 if (mask & MAY_READ)
2128 av |= FILE__READ;
2129
2130 if (mask & MAY_APPEND)
2131 av |= FILE__APPEND;
2132 else if (mask & MAY_WRITE)
2133 av |= FILE__WRITE;
2134
2135 } else {
2136 if (mask & MAY_EXEC)
2137 av |= DIR__SEARCH;
2138 if (mask & MAY_WRITE)
2139 av |= DIR__WRITE;
2140 if (mask & MAY_READ)
2141 av |= DIR__READ;
2142 }
2143
2144 return av;
2145}
2146
2147/* Convert a Linux file to an access vector. */
2148static inline u32 file_to_av(struct file *file)
2149{
2150 u32 av = 0;
2151
2152 if (file->f_mode & FMODE_READ)
2153 av |= FILE__READ;
2154 if (file->f_mode & FMODE_WRITE) {
2155 if (file->f_flags & O_APPEND)
2156 av |= FILE__APPEND;
2157 else
2158 av |= FILE__WRITE;
2159 }
2160 if (!av) {
2161 /*
2162 * Special file opened with flags 3 for ioctl-only use.
2163 */
2164 av = FILE__IOCTL;
2165 }
2166
2167 return av;
2168}
2169
2170/*
2171 * Convert a file to an access vector and include the correct open
2172 * open permission.
2173 */
2174static inline u32 open_file_to_av(struct file *file)
2175{
2176 u32 av = file_to_av(file);
2177 struct inode *inode = file_inode(file);
2178
2179 if (selinux_policycap_openperm() &&
2180 inode->i_sb->s_magic != SOCKFS_MAGIC)
2181 av |= FILE__OPEN;
2182
2183 return av;
2184}
2185
2186/* Hook functions begin here. */
2187
2188static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2189{
2190 u32 mysid = current_sid();
2191 u32 mgrsid = task_sid(mgr);
2192
2193 return avc_has_perm(&selinux_state,
2194 mysid, mgrsid, SECCLASS_BINDER,
2195 BINDER__SET_CONTEXT_MGR, NULL);
2196}
2197
2198static int selinux_binder_transaction(struct task_struct *from,
2199 struct task_struct *to)
2200{
2201 u32 mysid = current_sid();
2202 u32 fromsid = task_sid(from);
2203 u32 tosid = task_sid(to);
2204 int rc;
2205
2206 if (mysid != fromsid) {
2207 rc = avc_has_perm(&selinux_state,
2208 mysid, fromsid, SECCLASS_BINDER,
2209 BINDER__IMPERSONATE, NULL);
2210 if (rc)
2211 return rc;
2212 }
2213
2214 return avc_has_perm(&selinux_state,
2215 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2216 NULL);
2217}
2218
2219static int selinux_binder_transfer_binder(struct task_struct *from,
2220 struct task_struct *to)
2221{
2222 u32 fromsid = task_sid(from);
2223 u32 tosid = task_sid(to);
2224
2225 return avc_has_perm(&selinux_state,
2226 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2227 NULL);
2228}
2229
2230static int selinux_binder_transfer_file(struct task_struct *from,
2231 struct task_struct *to,
2232 struct file *file)
2233{
2234 u32 sid = task_sid(to);
2235 struct file_security_struct *fsec = file->f_security;
2236 struct dentry *dentry = file->f_path.dentry;
2237 struct inode_security_struct *isec;
2238 struct common_audit_data ad;
2239 int rc;
2240
2241 ad.type = LSM_AUDIT_DATA_PATH;
2242 ad.u.path = file->f_path;
2243
2244 if (sid != fsec->sid) {
2245 rc = avc_has_perm(&selinux_state,
2246 sid, fsec->sid,
2247 SECCLASS_FD,
2248 FD__USE,
2249 &ad);
2250 if (rc)
2251 return rc;
2252 }
2253
2254#ifdef CONFIG_BPF_SYSCALL
2255 rc = bpf_fd_pass(file, sid);
2256 if (rc)
2257 return rc;
2258#endif
2259
2260 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2261 return 0;
2262
2263 isec = backing_inode_security(dentry);
2264 return avc_has_perm(&selinux_state,
2265 sid, isec->sid, isec->sclass, file_to_av(file),
2266 &ad);
2267}
2268
2269static int selinux_ptrace_access_check(struct task_struct *child,
2270 unsigned int mode)
2271{
2272 u32 sid = current_sid();
2273 u32 csid = task_sid(child);
2274
2275 if (mode & PTRACE_MODE_READ)
2276 return avc_has_perm(&selinux_state,
2277 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2278
2279 return avc_has_perm(&selinux_state,
2280 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2281}
2282
2283static int selinux_ptrace_traceme(struct task_struct *parent)
2284{
2285 return avc_has_perm(&selinux_state,
2286 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2287 PROCESS__PTRACE, NULL);
2288}
2289
2290static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2291 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2292{
2293 return avc_has_perm(&selinux_state,
2294 current_sid(), task_sid(target), SECCLASS_PROCESS,
2295 PROCESS__GETCAP, NULL);
2296}
2297
2298static int selinux_capset(struct cred *new, const struct cred *old,
2299 const kernel_cap_t *effective,
2300 const kernel_cap_t *inheritable,
2301 const kernel_cap_t *permitted)
2302{
2303 return avc_has_perm(&selinux_state,
2304 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2305 PROCESS__SETCAP, NULL);
2306}
2307
2308/*
2309 * (This comment used to live with the selinux_task_setuid hook,
2310 * which was removed).
2311 *
2312 * Since setuid only affects the current process, and since the SELinux
2313 * controls are not based on the Linux identity attributes, SELinux does not
2314 * need to control this operation. However, SELinux does control the use of
2315 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2316 */
2317
2318static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2319 int cap, int audit)
2320{
2321 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2322}
2323
2324static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2325{
2326 const struct cred *cred = current_cred();
2327 int rc = 0;
2328
2329 if (!sb)
2330 return 0;
2331
2332 switch (cmds) {
2333 case Q_SYNC:
2334 case Q_QUOTAON:
2335 case Q_QUOTAOFF:
2336 case Q_SETINFO:
2337 case Q_SETQUOTA:
2338 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2339 break;
2340 case Q_GETFMT:
2341 case Q_GETINFO:
2342 case Q_GETQUOTA:
2343 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2344 break;
2345 default:
2346 rc = 0; /* let the kernel handle invalid cmds */
2347 break;
2348 }
2349 return rc;
2350}
2351
2352static int selinux_quota_on(struct dentry *dentry)
2353{
2354 const struct cred *cred = current_cred();
2355
2356 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2357}
2358
2359static int selinux_syslog(int type)
2360{
2361 switch (type) {
2362 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2363 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2364 return avc_has_perm(&selinux_state,
2365 current_sid(), SECINITSID_KERNEL,
2366 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2367 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2368 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2369 /* Set level of messages printed to console */
2370 case SYSLOG_ACTION_CONSOLE_LEVEL:
2371 return avc_has_perm(&selinux_state,
2372 current_sid(), SECINITSID_KERNEL,
2373 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2374 NULL);
2375 }
2376 /* All other syslog types */
2377 return avc_has_perm(&selinux_state,
2378 current_sid(), SECINITSID_KERNEL,
2379 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2380}
2381
2382/*
2383 * Check that a process has enough memory to allocate a new virtual
2384 * mapping. 0 means there is enough memory for the allocation to
2385 * succeed and -ENOMEM implies there is not.
2386 *
2387 * Do not audit the selinux permission check, as this is applied to all
2388 * processes that allocate mappings.
2389 */
2390static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2391{
2392 int rc, cap_sys_admin = 0;
2393
2394 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2395 SECURITY_CAP_NOAUDIT, true);
2396 if (rc == 0)
2397 cap_sys_admin = 1;
2398
2399 return cap_sys_admin;
2400}
2401
2402/* binprm security operations */
2403
2404static u32 ptrace_parent_sid(void)
2405{
2406 u32 sid = 0;
2407 struct task_struct *tracer;
2408
2409 rcu_read_lock();
2410 tracer = ptrace_parent(current);
2411 if (tracer)
2412 sid = task_sid(tracer);
2413 rcu_read_unlock();
2414
2415 return sid;
2416}
2417
2418static int check_nnp_nosuid(const struct linux_binprm *bprm,
2419 const struct task_security_struct *old_tsec,
2420 const struct task_security_struct *new_tsec)
2421{
2422 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2423 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2424 int rc;
2425 u32 av;
2426
2427 if (!nnp && !nosuid)
2428 return 0; /* neither NNP nor nosuid */
2429
2430 if (new_tsec->sid == old_tsec->sid)
2431 return 0; /* No change in credentials */
2432
2433 /*
2434 * If the policy enables the nnp_nosuid_transition policy capability,
2435 * then we permit transitions under NNP or nosuid if the
2436 * policy allows the corresponding permission between
2437 * the old and new contexts.
2438 */
2439 if (selinux_policycap_nnp_nosuid_transition()) {
2440 av = 0;
2441 if (nnp)
2442 av |= PROCESS2__NNP_TRANSITION;
2443 if (nosuid)
2444 av |= PROCESS2__NOSUID_TRANSITION;
2445 rc = avc_has_perm(&selinux_state,
2446 old_tsec->sid, new_tsec->sid,
2447 SECCLASS_PROCESS2, av, NULL);
2448 if (!rc)
2449 return 0;
2450 }
2451
2452 /*
2453 * We also permit NNP or nosuid transitions to bounded SIDs,
2454 * i.e. SIDs that are guaranteed to only be allowed a subset
2455 * of the permissions of the current SID.
2456 */
2457 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2458 new_tsec->sid);
2459 if (!rc)
2460 return 0;
2461
2462 /*
2463 * On failure, preserve the errno values for NNP vs nosuid.
2464 * NNP: Operation not permitted for caller.
2465 * nosuid: Permission denied to file.
2466 */
2467 if (nnp)
2468 return -EPERM;
2469 return -EACCES;
2470}
2471
2472static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2473{
2474 const struct task_security_struct *old_tsec;
2475 struct task_security_struct *new_tsec;
2476 struct inode_security_struct *isec;
2477 struct common_audit_data ad;
2478 struct inode *inode = file_inode(bprm->file);
2479 int rc;
2480
2481 /* SELinux context only depends on initial program or script and not
2482 * the script interpreter */
2483 if (bprm->called_set_creds)
2484 return 0;
2485
2486 old_tsec = current_security();
2487 new_tsec = bprm->cred->security;
2488 isec = inode_security(inode);
2489
2490 /* Default to the current task SID. */
2491 new_tsec->sid = old_tsec->sid;
2492 new_tsec->osid = old_tsec->sid;
2493
2494 /* Reset fs, key, and sock SIDs on execve. */
2495 new_tsec->create_sid = 0;
2496 new_tsec->keycreate_sid = 0;
2497 new_tsec->sockcreate_sid = 0;
2498
2499 if (old_tsec->exec_sid) {
2500 new_tsec->sid = old_tsec->exec_sid;
2501 /* Reset exec SID on execve. */
2502 new_tsec->exec_sid = 0;
2503
2504 /* Fail on NNP or nosuid if not an allowed transition. */
2505 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2506 if (rc)
2507 return rc;
2508 } else {
2509 /* Check for a default transition on this program. */
2510 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2511 isec->sid, SECCLASS_PROCESS, NULL,
2512 &new_tsec->sid);
2513 if (rc)
2514 return rc;
2515
2516 /*
2517 * Fallback to old SID on NNP or nosuid if not an allowed
2518 * transition.
2519 */
2520 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2521 if (rc)
2522 new_tsec->sid = old_tsec->sid;
2523 }
2524
2525 ad.type = LSM_AUDIT_DATA_FILE;
2526 ad.u.file = bprm->file;
2527
2528 if (new_tsec->sid == old_tsec->sid) {
2529 rc = avc_has_perm(&selinux_state,
2530 old_tsec->sid, isec->sid,
2531 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2532 if (rc)
2533 return rc;
2534 } else {
2535 /* Check permissions for the transition. */
2536 rc = avc_has_perm(&selinux_state,
2537 old_tsec->sid, new_tsec->sid,
2538 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2539 if (rc)
2540 return rc;
2541
2542 rc = avc_has_perm(&selinux_state,
2543 new_tsec->sid, isec->sid,
2544 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2545 if (rc)
2546 return rc;
2547
2548 /* Check for shared state */
2549 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2550 rc = avc_has_perm(&selinux_state,
2551 old_tsec->sid, new_tsec->sid,
2552 SECCLASS_PROCESS, PROCESS__SHARE,
2553 NULL);
2554 if (rc)
2555 return -EPERM;
2556 }
2557
2558 /* Make sure that anyone attempting to ptrace over a task that
2559 * changes its SID has the appropriate permit */
2560 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2561 u32 ptsid = ptrace_parent_sid();
2562 if (ptsid != 0) {
2563 rc = avc_has_perm(&selinux_state,
2564 ptsid, new_tsec->sid,
2565 SECCLASS_PROCESS,
2566 PROCESS__PTRACE, NULL);
2567 if (rc)
2568 return -EPERM;
2569 }
2570 }
2571
2572 /* Clear any possibly unsafe personality bits on exec: */
2573 bprm->per_clear |= PER_CLEAR_ON_SETID;
2574
2575 /* Enable secure mode for SIDs transitions unless
2576 the noatsecure permission is granted between
2577 the two SIDs, i.e. ahp returns 0. */
2578 rc = avc_has_perm(&selinux_state,
2579 old_tsec->sid, new_tsec->sid,
2580 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2581 NULL);
2582 bprm->secureexec |= !!rc;
2583 }
2584
2585 return 0;
2586}
2587
2588static int match_file(const void *p, struct file *file, unsigned fd)
2589{
2590 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2591}
2592
2593/* Derived from fs/exec.c:flush_old_files. */
2594static inline void flush_unauthorized_files(const struct cred *cred,
2595 struct files_struct *files)
2596{
2597 struct file *file, *devnull = NULL;
2598 struct tty_struct *tty;
2599 int drop_tty = 0;
2600 unsigned n;
2601
2602 tty = get_current_tty();
2603 if (tty) {
2604 spin_lock(&tty->files_lock);
2605 if (!list_empty(&tty->tty_files)) {
2606 struct tty_file_private *file_priv;
2607
2608 /* Revalidate access to controlling tty.
2609 Use file_path_has_perm on the tty path directly
2610 rather than using file_has_perm, as this particular
2611 open file may belong to another process and we are
2612 only interested in the inode-based check here. */
2613 file_priv = list_first_entry(&tty->tty_files,
2614 struct tty_file_private, list);
2615 file = file_priv->file;
2616 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2617 drop_tty = 1;
2618 }
2619 spin_unlock(&tty->files_lock);
2620 tty_kref_put(tty);
2621 }
2622 /* Reset controlling tty. */
2623 if (drop_tty)
2624 no_tty();
2625
2626 /* Revalidate access to inherited open files. */
2627 n = iterate_fd(files, 0, match_file, cred);
2628 if (!n) /* none found? */
2629 return;
2630
2631 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2632 if (IS_ERR(devnull))
2633 devnull = NULL;
2634 /* replace all the matching ones with this */
2635 do {
2636 replace_fd(n - 1, devnull, 0);
2637 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2638 if (devnull)
2639 fput(devnull);
2640}
2641
2642/*
2643 * Prepare a process for imminent new credential changes due to exec
2644 */
2645static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2646{
2647 struct task_security_struct *new_tsec;
2648 struct rlimit *rlim, *initrlim;
2649 int rc, i;
2650
2651 new_tsec = bprm->cred->security;
2652 if (new_tsec->sid == new_tsec->osid)
2653 return;
2654
2655 /* Close files for which the new task SID is not authorized. */
2656 flush_unauthorized_files(bprm->cred, current->files);
2657
2658 /* Always clear parent death signal on SID transitions. */
2659 current->pdeath_signal = 0;
2660
2661 /* Check whether the new SID can inherit resource limits from the old
2662 * SID. If not, reset all soft limits to the lower of the current
2663 * task's hard limit and the init task's soft limit.
2664 *
2665 * Note that the setting of hard limits (even to lower them) can be
2666 * controlled by the setrlimit check. The inclusion of the init task's
2667 * soft limit into the computation is to avoid resetting soft limits
2668 * higher than the default soft limit for cases where the default is
2669 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2670 */
2671 rc = avc_has_perm(&selinux_state,
2672 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2673 PROCESS__RLIMITINH, NULL);
2674 if (rc) {
2675 /* protect against do_prlimit() */
2676 task_lock(current);
2677 for (i = 0; i < RLIM_NLIMITS; i++) {
2678 rlim = current->signal->rlim + i;
2679 initrlim = init_task.signal->rlim + i;
2680 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2681 }
2682 task_unlock(current);
2683 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2684 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2685 }
2686}
2687
2688/*
2689 * Clean up the process immediately after the installation of new credentials
2690 * due to exec
2691 */
2692static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2693{
2694 const struct task_security_struct *tsec = current_security();
2695 struct itimerval itimer;
2696 u32 osid, sid;
2697 int rc, i;
2698
2699 osid = tsec->osid;
2700 sid = tsec->sid;
2701
2702 if (sid == osid)
2703 return;
2704
2705 /* Check whether the new SID can inherit signal state from the old SID.
2706 * If not, clear itimers to avoid subsequent signal generation and
2707 * flush and unblock signals.
2708 *
2709 * This must occur _after_ the task SID has been updated so that any
2710 * kill done after the flush will be checked against the new SID.
2711 */
2712 rc = avc_has_perm(&selinux_state,
2713 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2714 if (rc) {
2715 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2716 memset(&itimer, 0, sizeof itimer);
2717 for (i = 0; i < 3; i++)
2718 do_setitimer(i, &itimer, NULL);
2719 }
2720 spin_lock_irq(&current->sighand->siglock);
2721 if (!fatal_signal_pending(current)) {
2722 flush_sigqueue(&current->pending);
2723 flush_sigqueue(&current->signal->shared_pending);
2724 flush_signal_handlers(current, 1);
2725 sigemptyset(&current->blocked);
2726 recalc_sigpending();
2727 }
2728 spin_unlock_irq(&current->sighand->siglock);
2729 }
2730
2731 /* Wake up the parent if it is waiting so that it can recheck
2732 * wait permission to the new task SID. */
2733 read_lock(&tasklist_lock);
2734 __wake_up_parent(current, current->real_parent);
2735 read_unlock(&tasklist_lock);
2736}
2737
2738/* superblock security operations */
2739
2740static int selinux_sb_alloc_security(struct super_block *sb)
2741{
2742 return superblock_alloc_security(sb);
2743}
2744
2745static void selinux_sb_free_security(struct super_block *sb)
2746{
2747 superblock_free_security(sb);
2748}
2749
2750static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2751{
2752 if (plen > olen)
2753 return 0;
2754
2755 return !memcmp(prefix, option, plen);
2756}
2757
2758static inline int selinux_option(char *option, int len)
2759{
2760 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2761 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2762 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2763 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2764 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2765}
2766
2767static inline void take_option(char **to, char *from, int *first, int len)
2768{
2769 if (!*first) {
2770 **to = ',';
2771 *to += 1;
2772 } else
2773 *first = 0;
2774 memcpy(*to, from, len);
2775 *to += len;
2776}
2777
2778static inline void take_selinux_option(char **to, char *from, int *first,
2779 int len)
2780{
2781 int current_size = 0;
2782
2783 if (!*first) {
2784 **to = '|';
2785 *to += 1;
2786 } else
2787 *first = 0;
2788
2789 while (current_size < len) {
2790 if (*from != '"') {
2791 **to = *from;
2792 *to += 1;
2793 }
2794 from += 1;
2795 current_size += 1;
2796 }
2797}
2798
2799static int selinux_sb_copy_data(char *orig, char *copy)
2800{
2801 int fnosec, fsec, rc = 0;
2802 char *in_save, *in_curr, *in_end;
2803 char *sec_curr, *nosec_save, *nosec;
2804 int open_quote = 0;
2805
2806 in_curr = orig;
2807 sec_curr = copy;
2808
2809 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2810 if (!nosec) {
2811 rc = -ENOMEM;
2812 goto out;
2813 }
2814
2815 nosec_save = nosec;
2816 fnosec = fsec = 1;
2817 in_save = in_end = orig;
2818
2819 do {
2820 if (*in_end == '"')
2821 open_quote = !open_quote;
2822 if ((*in_end == ',' && open_quote == 0) ||
2823 *in_end == '\0') {
2824 int len = in_end - in_curr;
2825
2826 if (selinux_option(in_curr, len))
2827 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2828 else
2829 take_option(&nosec, in_curr, &fnosec, len);
2830
2831 in_curr = in_end + 1;
2832 }
2833 } while (*in_end++);
2834
2835 strcpy(in_save, nosec_save);
2836 free_page((unsigned long)nosec_save);
2837out:
2838 return rc;
2839}
2840
2841static int selinux_sb_remount(struct super_block *sb, void *data)
2842{
2843 int rc, i, *flags;
2844 struct security_mnt_opts opts;
2845 char *secdata, **mount_options;
2846 struct superblock_security_struct *sbsec = sb->s_security;
2847
2848 if (!(sbsec->flags & SE_SBINITIALIZED))
2849 return 0;
2850
2851 if (!data)
2852 return 0;
2853
2854 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2855 return 0;
2856
2857 security_init_mnt_opts(&opts);
2858 secdata = alloc_secdata();
2859 if (!secdata)
2860 return -ENOMEM;
2861 rc = selinux_sb_copy_data(data, secdata);
2862 if (rc)
2863 goto out_free_secdata;
2864
2865 rc = selinux_parse_opts_str(secdata, &opts);
2866 if (rc)
2867 goto out_free_secdata;
2868
2869 mount_options = opts.mnt_opts;
2870 flags = opts.mnt_opts_flags;
2871
2872 for (i = 0; i < opts.num_mnt_opts; i++) {
2873 u32 sid;
2874
2875 if (flags[i] == SBLABEL_MNT)
2876 continue;
2877 rc = security_context_str_to_sid(&selinux_state,
2878 mount_options[i], &sid,
2879 GFP_KERNEL);
2880 if (rc) {
2881 pr_warn("SELinux: security_context_str_to_sid"
2882 "(%s) failed for (dev %s, type %s) errno=%d\n",
2883 mount_options[i], sb->s_id, sb->s_type->name, rc);
2884 goto out_free_opts;
2885 }
2886 rc = -EINVAL;
2887 switch (flags[i]) {
2888 case FSCONTEXT_MNT:
2889 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2890 goto out_bad_option;
2891 break;
2892 case CONTEXT_MNT:
2893 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2894 goto out_bad_option;
2895 break;
2896 case ROOTCONTEXT_MNT: {
2897 struct inode_security_struct *root_isec;
2898 root_isec = backing_inode_security(sb->s_root);
2899
2900 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2901 goto out_bad_option;
2902 break;
2903 }
2904 case DEFCONTEXT_MNT:
2905 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2906 goto out_bad_option;
2907 break;
2908 default:
2909 goto out_free_opts;
2910 }
2911 }
2912
2913 rc = 0;
2914out_free_opts:
2915 security_free_mnt_opts(&opts);
2916out_free_secdata:
2917 free_secdata(secdata);
2918 return rc;
2919out_bad_option:
2920 pr_warn("SELinux: unable to change security options "
2921 "during remount (dev %s, type=%s)\n", sb->s_id,
2922 sb->s_type->name);
2923 goto out_free_opts;
2924}
2925
2926static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2927{
2928 const struct cred *cred = current_cred();
2929 struct common_audit_data ad;
2930 int rc;
2931
2932 rc = superblock_doinit(sb, data);
2933 if (rc)
2934 return rc;
2935
2936 /* Allow all mounts performed by the kernel */
2937 if (flags & MS_KERNMOUNT)
2938 return 0;
2939
2940 ad.type = LSM_AUDIT_DATA_DENTRY;
2941 ad.u.dentry = sb->s_root;
2942 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2943}
2944
2945static int selinux_sb_statfs(struct dentry *dentry)
2946{
2947 const struct cred *cred = current_cred();
2948 struct common_audit_data ad;
2949
2950 ad.type = LSM_AUDIT_DATA_DENTRY;
2951 ad.u.dentry = dentry->d_sb->s_root;
2952 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2953}
2954
2955static int selinux_mount(const char *dev_name,
2956 const struct path *path,
2957 const char *type,
2958 unsigned long flags,
2959 void *data)
2960{
2961 const struct cred *cred = current_cred();
2962
2963 if (flags & MS_REMOUNT)
2964 return superblock_has_perm(cred, path->dentry->d_sb,
2965 FILESYSTEM__REMOUNT, NULL);
2966 else
2967 return path_has_perm(cred, path, FILE__MOUNTON);
2968}
2969
2970static int selinux_umount(struct vfsmount *mnt, int flags)
2971{
2972 const struct cred *cred = current_cred();
2973
2974 return superblock_has_perm(cred, mnt->mnt_sb,
2975 FILESYSTEM__UNMOUNT, NULL);
2976}
2977
2978/* inode security operations */
2979
2980static int selinux_inode_alloc_security(struct inode *inode)
2981{
2982 return inode_alloc_security(inode);
2983}
2984
2985static void selinux_inode_free_security(struct inode *inode)
2986{
2987 inode_free_security(inode);
2988}
2989
2990static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2991 const struct qstr *name, void **ctx,
2992 u32 *ctxlen)
2993{
2994 u32 newsid;
2995 int rc;
2996
2997 rc = selinux_determine_inode_label(current_security(),
2998 d_inode(dentry->d_parent), name,
2999 inode_mode_to_security_class(mode),
3000 &newsid);
3001 if (rc)
3002 return rc;
3003
3004 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3005 ctxlen);
3006}
3007
3008static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3009 struct qstr *name,
3010 const struct cred *old,
3011 struct cred *new)
3012{
3013 u32 newsid;
3014 int rc;
3015 struct task_security_struct *tsec;
3016
3017 rc = selinux_determine_inode_label(old->security,
3018 d_inode(dentry->d_parent), name,
3019 inode_mode_to_security_class(mode),
3020 &newsid);
3021 if (rc)
3022 return rc;
3023
3024 tsec = new->security;
3025 tsec->create_sid = newsid;
3026 return 0;
3027}
3028
3029static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3030 const struct qstr *qstr,
3031 const char **name,
3032 void **value, size_t *len)
3033{
3034 const struct task_security_struct *tsec = current_security();
3035 struct superblock_security_struct *sbsec;
3036 u32 newsid, clen;
3037 int rc;
3038 char *context;
3039
3040 sbsec = dir->i_sb->s_security;
3041
3042 newsid = tsec->create_sid;
3043
3044 rc = selinux_determine_inode_label(current_security(),
3045 dir, qstr,
3046 inode_mode_to_security_class(inode->i_mode),
3047 &newsid);
3048 if (rc)
3049 return rc;
3050
3051 /* Possibly defer initialization to selinux_complete_init. */
3052 if (sbsec->flags & SE_SBINITIALIZED) {
3053 struct inode_security_struct *isec = inode->i_security;
3054 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3055 isec->sid = newsid;
3056 isec->initialized = LABEL_INITIALIZED;
3057 }
3058
3059 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3060 return -EOPNOTSUPP;
3061
3062 if (name)
3063 *name = XATTR_SELINUX_SUFFIX;
3064
3065 if (value && len) {
3066 rc = security_sid_to_context_force(&selinux_state, newsid,
3067 &context, &clen);
3068 if (rc)
3069 return rc;
3070 *value = context;
3071 *len = clen;
3072 }
3073
3074 return 0;
3075}
3076
3077static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3078{
3079 return may_create(dir, dentry, SECCLASS_FILE);
3080}
3081
3082static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3083{
3084 return may_link(dir, old_dentry, MAY_LINK);
3085}
3086
3087static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3088{
3089 return may_link(dir, dentry, MAY_UNLINK);
3090}
3091
3092static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3093{
3094 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3095}
3096
3097static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3098{
3099 return may_create(dir, dentry, SECCLASS_DIR);
3100}
3101
3102static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3103{
3104 return may_link(dir, dentry, MAY_RMDIR);
3105}
3106
3107static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3108{
3109 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3110}
3111
3112static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3113 struct inode *new_inode, struct dentry *new_dentry)
3114{
3115 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3116}
3117
3118static int selinux_inode_readlink(struct dentry *dentry)
3119{
3120 const struct cred *cred = current_cred();
3121
3122 return dentry_has_perm(cred, dentry, FILE__READ);
3123}
3124
3125static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3126 bool rcu)
3127{
3128 const struct cred *cred = current_cred();
3129 struct common_audit_data ad;
3130 struct inode_security_struct *isec;
3131 u32 sid;
3132
3133 validate_creds(cred);
3134
3135 ad.type = LSM_AUDIT_DATA_DENTRY;
3136 ad.u.dentry = dentry;
3137 sid = cred_sid(cred);
3138 isec = inode_security_rcu(inode, rcu);
3139 if (IS_ERR(isec))
3140 return PTR_ERR(isec);
3141
3142 return avc_has_perm_flags(&selinux_state,
3143 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3144 rcu ? MAY_NOT_BLOCK : 0);
3145}
3146
3147static noinline int audit_inode_permission(struct inode *inode,
3148 u32 perms, u32 audited, u32 denied,
3149 int result,
3150 unsigned flags)
3151{
3152 struct common_audit_data ad;
3153 struct inode_security_struct *isec = inode->i_security;
3154 int rc;
3155
3156 ad.type = LSM_AUDIT_DATA_INODE;
3157 ad.u.inode = inode;
3158
3159 rc = slow_avc_audit(&selinux_state,
3160 current_sid(), isec->sid, isec->sclass, perms,
3161 audited, denied, result, &ad, flags);
3162 if (rc)
3163 return rc;
3164 return 0;
3165}
3166
3167static int selinux_inode_permission(struct inode *inode, int mask)
3168{
3169 const struct cred *cred = current_cred();
3170 u32 perms;
3171 bool from_access;
3172 unsigned flags = mask & MAY_NOT_BLOCK;
3173 struct inode_security_struct *isec;
3174 u32 sid;
3175 struct av_decision avd;
3176 int rc, rc2;
3177 u32 audited, denied;
3178
3179 from_access = mask & MAY_ACCESS;
3180 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3181
3182 /* No permission to check. Existence test. */
3183 if (!mask)
3184 return 0;
3185
3186 validate_creds(cred);
3187
3188 if (unlikely(IS_PRIVATE(inode)))
3189 return 0;
3190
3191 perms = file_mask_to_av(inode->i_mode, mask);
3192
3193 sid = cred_sid(cred);
3194 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3195 if (IS_ERR(isec))
3196 return PTR_ERR(isec);
3197
3198 rc = avc_has_perm_noaudit(&selinux_state,
3199 sid, isec->sid, isec->sclass, perms, 0, &avd);
3200 audited = avc_audit_required(perms, &avd, rc,
3201 from_access ? FILE__AUDIT_ACCESS : 0,
3202 &denied);
3203 if (likely(!audited))
3204 return rc;
3205
3206 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3207 if (rc2)
3208 return rc2;
3209 return rc;
3210}
3211
3212static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3213{
3214 const struct cred *cred = current_cred();
3215 struct inode *inode = d_backing_inode(dentry);
3216 unsigned int ia_valid = iattr->ia_valid;
3217 __u32 av = FILE__WRITE;
3218
3219 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3220 if (ia_valid & ATTR_FORCE) {
3221 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3222 ATTR_FORCE);
3223 if (!ia_valid)
3224 return 0;
3225 }
3226
3227 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3228 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3229 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3230
3231 if (selinux_policycap_openperm() &&
3232 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3233 (ia_valid & ATTR_SIZE) &&
3234 !(ia_valid & ATTR_FILE))
3235 av |= FILE__OPEN;
3236
3237 return dentry_has_perm(cred, dentry, av);
3238}
3239
3240static int selinux_inode_getattr(const struct path *path)
3241{
3242 return path_has_perm(current_cred(), path, FILE__GETATTR);
3243}
3244
3245static bool has_cap_mac_admin(bool audit)
3246{
3247 const struct cred *cred = current_cred();
3248 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3249
3250 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3251 return false;
3252 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3253 return false;
3254 return true;
3255}
3256
3257static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3258 const void *value, size_t size, int flags)
3259{
3260 struct inode *inode = d_backing_inode(dentry);
3261 struct inode_security_struct *isec;
3262 struct superblock_security_struct *sbsec;
3263 struct common_audit_data ad;
3264 u32 newsid, sid = current_sid();
3265 int rc = 0;
3266
3267 if (strcmp(name, XATTR_NAME_SELINUX)) {
3268 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3269 if (rc)
3270 return rc;
3271
3272 /* Not an attribute we recognize, so just check the
3273 ordinary setattr permission. */
3274 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3275 }
3276
3277 sbsec = inode->i_sb->s_security;
3278 if (!(sbsec->flags & SBLABEL_MNT))
3279 return -EOPNOTSUPP;
3280
3281 if (!inode_owner_or_capable(inode))
3282 return -EPERM;
3283
3284 ad.type = LSM_AUDIT_DATA_DENTRY;
3285 ad.u.dentry = dentry;
3286
3287 isec = backing_inode_security(dentry);
3288 rc = avc_has_perm(&selinux_state,
3289 sid, isec->sid, isec->sclass,
3290 FILE__RELABELFROM, &ad);
3291 if (rc)
3292 return rc;
3293
3294 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3295 GFP_KERNEL);
3296 if (rc == -EINVAL) {
3297 if (!has_cap_mac_admin(true)) {
3298 struct audit_buffer *ab;
3299 size_t audit_size;
3300
3301 /* We strip a nul only if it is at the end, otherwise the
3302 * context contains a nul and we should audit that */
3303 if (value) {
3304 const char *str = value;
3305
3306 if (str[size - 1] == '\0')
3307 audit_size = size - 1;
3308 else
3309 audit_size = size;
3310 } else {
3311 audit_size = 0;
3312 }
3313 ab = audit_log_start(audit_context(),
3314 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3315 audit_log_format(ab, "op=setxattr invalid_context=");
3316 audit_log_n_untrustedstring(ab, value, audit_size);
3317 audit_log_end(ab);
3318
3319 return rc;
3320 }
3321 rc = security_context_to_sid_force(&selinux_state, value,
3322 size, &newsid);
3323 }
3324 if (rc)
3325 return rc;
3326
3327 rc = avc_has_perm(&selinux_state,
3328 sid, newsid, isec->sclass,
3329 FILE__RELABELTO, &ad);
3330 if (rc)
3331 return rc;
3332
3333 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3334 sid, isec->sclass);
3335 if (rc)
3336 return rc;
3337
3338 return avc_has_perm(&selinux_state,
3339 newsid,
3340 sbsec->sid,
3341 SECCLASS_FILESYSTEM,
3342 FILESYSTEM__ASSOCIATE,
3343 &ad);
3344}
3345
3346static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3347 const void *value, size_t size,
3348 int flags)
3349{
3350 struct inode *inode = d_backing_inode(dentry);
3351 struct inode_security_struct *isec;
3352 u32 newsid;
3353 int rc;
3354
3355 if (strcmp(name, XATTR_NAME_SELINUX)) {
3356 /* Not an attribute we recognize, so nothing to do. */
3357 return;
3358 }
3359
3360 rc = security_context_to_sid_force(&selinux_state, value, size,
3361 &newsid);
3362 if (rc) {
3363 pr_err("SELinux: unable to map context to SID"
3364 "for (%s, %lu), rc=%d\n",
3365 inode->i_sb->s_id, inode->i_ino, -rc);
3366 return;
3367 }
3368
3369 isec = backing_inode_security(dentry);
3370 spin_lock(&isec->lock);
3371 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3372 isec->sid = newsid;
3373 isec->initialized = LABEL_INITIALIZED;
3374 spin_unlock(&isec->lock);
3375
3376 return;
3377}
3378
3379static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3380{
3381 const struct cred *cred = current_cred();
3382
3383 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3384}
3385
3386static int selinux_inode_listxattr(struct dentry *dentry)
3387{
3388 const struct cred *cred = current_cred();
3389
3390 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3391}
3392
3393static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3394{
3395 if (strcmp(name, XATTR_NAME_SELINUX)) {
3396 int rc = cap_inode_removexattr(dentry, name);
3397 if (rc)
3398 return rc;
3399
3400 /* Not an attribute we recognize, so just check the
3401 ordinary setattr permission. */
3402 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3403 }
3404
3405 /* No one is allowed to remove a SELinux security label.
3406 You can change the label, but all data must be labeled. */
3407 return -EACCES;
3408}
3409
3410/*
3411 * Copy the inode security context value to the user.
3412 *
3413 * Permission check is handled by selinux_inode_getxattr hook.
3414 */
3415static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3416{
3417 u32 size;
3418 int error;
3419 char *context = NULL;
3420 struct inode_security_struct *isec;
3421
3422 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3423 return -EOPNOTSUPP;
3424
3425 /*
3426 * If the caller has CAP_MAC_ADMIN, then get the raw context
3427 * value even if it is not defined by current policy; otherwise,
3428 * use the in-core value under current policy.
3429 * Use the non-auditing forms of the permission checks since
3430 * getxattr may be called by unprivileged processes commonly
3431 * and lack of permission just means that we fall back to the
3432 * in-core context value, not a denial.
3433 */
3434 isec = inode_security(inode);
3435 if (has_cap_mac_admin(false))
3436 error = security_sid_to_context_force(&selinux_state,
3437 isec->sid, &context,
3438 &size);
3439 else
3440 error = security_sid_to_context(&selinux_state, isec->sid,
3441 &context, &size);
3442 if (error)
3443 return error;
3444 error = size;
3445 if (alloc) {
3446 *buffer = context;
3447 goto out_nofree;
3448 }
3449 kfree(context);
3450out_nofree:
3451 return error;
3452}
3453
3454static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3455 const void *value, size_t size, int flags)
3456{
3457 struct inode_security_struct *isec = inode_security_novalidate(inode);
3458 u32 newsid;
3459 int rc;
3460
3461 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3462 return -EOPNOTSUPP;
3463
3464 if (!value || !size)
3465 return -EACCES;
3466
3467 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3468 GFP_KERNEL);
3469 if (rc)
3470 return rc;
3471
3472 spin_lock(&isec->lock);
3473 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3474 isec->sid = newsid;
3475 isec->initialized = LABEL_INITIALIZED;
3476 spin_unlock(&isec->lock);
3477 return 0;
3478}
3479
3480static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3481{
3482 const int len = sizeof(XATTR_NAME_SELINUX);
3483 if (buffer && len <= buffer_size)
3484 memcpy(buffer, XATTR_NAME_SELINUX, len);
3485 return len;
3486}
3487
3488static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3489{
3490 struct inode_security_struct *isec = inode_security_novalidate(inode);
3491 *secid = isec->sid;
3492}
3493
3494static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3495{
3496 u32 sid;
3497 struct task_security_struct *tsec;
3498 struct cred *new_creds = *new;
3499
3500 if (new_creds == NULL) {
3501 new_creds = prepare_creds();
3502 if (!new_creds)
3503 return -ENOMEM;
3504 }
3505
3506 tsec = new_creds->security;
3507 /* Get label from overlay inode and set it in create_sid */
3508 selinux_inode_getsecid(d_inode(src), &sid);
3509 tsec->create_sid = sid;
3510 *new = new_creds;
3511 return 0;
3512}
3513
3514static int selinux_inode_copy_up_xattr(const char *name)
3515{
3516 /* The copy_up hook above sets the initial context on an inode, but we
3517 * don't then want to overwrite it by blindly copying all the lower
3518 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3519 */
3520 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3521 return 1; /* Discard */
3522 /*
3523 * Any other attribute apart from SELINUX is not claimed, supported
3524 * by selinux.
3525 */
3526 return -EOPNOTSUPP;
3527}
3528
3529/* file security operations */
3530
3531static int selinux_revalidate_file_permission(struct file *file, int mask)
3532{
3533 const struct cred *cred = current_cred();
3534 struct inode *inode = file_inode(file);
3535
3536 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3537 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3538 mask |= MAY_APPEND;
3539
3540 return file_has_perm(cred, file,
3541 file_mask_to_av(inode->i_mode, mask));
3542}
3543
3544static int selinux_file_permission(struct file *file, int mask)
3545{
3546 struct inode *inode = file_inode(file);
3547 struct file_security_struct *fsec = file->f_security;
3548 struct inode_security_struct *isec;
3549 u32 sid = current_sid();
3550
3551 if (!mask)
3552 /* No permission to check. Existence test. */
3553 return 0;
3554
3555 isec = inode_security(inode);
3556 if (sid == fsec->sid && fsec->isid == isec->sid &&
3557 fsec->pseqno == avc_policy_seqno(&selinux_state))
3558 /* No change since file_open check. */
3559 return 0;
3560
3561 return selinux_revalidate_file_permission(file, mask);
3562}
3563
3564static int selinux_file_alloc_security(struct file *file)
3565{
3566 return file_alloc_security(file);
3567}
3568
3569static void selinux_file_free_security(struct file *file)
3570{
3571 file_free_security(file);
3572}
3573
3574/*
3575 * Check whether a task has the ioctl permission and cmd
3576 * operation to an inode.
3577 */
3578static int ioctl_has_perm(const struct cred *cred, struct file *file,
3579 u32 requested, u16 cmd)
3580{
3581 struct common_audit_data ad;
3582 struct file_security_struct *fsec = file->f_security;
3583 struct inode *inode = file_inode(file);
3584 struct inode_security_struct *isec;
3585 struct lsm_ioctlop_audit ioctl;
3586 u32 ssid = cred_sid(cred);
3587 int rc;
3588 u8 driver = cmd >> 8;
3589 u8 xperm = cmd & 0xff;
3590
3591 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3592 ad.u.op = &ioctl;
3593 ad.u.op->cmd = cmd;
3594 ad.u.op->path = file->f_path;
3595
3596 if (ssid != fsec->sid) {
3597 rc = avc_has_perm(&selinux_state,
3598 ssid, fsec->sid,
3599 SECCLASS_FD,
3600 FD__USE,
3601 &ad);
3602 if (rc)
3603 goto out;
3604 }
3605
3606 if (unlikely(IS_PRIVATE(inode)))
3607 return 0;
3608
3609 isec = inode_security(inode);
3610 rc = avc_has_extended_perms(&selinux_state,
3611 ssid, isec->sid, isec->sclass,
3612 requested, driver, xperm, &ad);
3613out:
3614 return rc;
3615}
3616
3617static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3618 unsigned long arg)
3619{
3620 const struct cred *cred = current_cred();
3621 int error = 0;
3622
3623 switch (cmd) {
3624 case FIONREAD:
3625 /* fall through */
3626 case FIBMAP:
3627 /* fall through */
3628 case FIGETBSZ:
3629 /* fall through */
3630 case FS_IOC_GETFLAGS:
3631 /* fall through */
3632 case FS_IOC_GETVERSION:
3633 error = file_has_perm(cred, file, FILE__GETATTR);
3634 break;
3635
3636 case FS_IOC_SETFLAGS:
3637 /* fall through */
3638 case FS_IOC_SETVERSION:
3639 error = file_has_perm(cred, file, FILE__SETATTR);
3640 break;
3641
3642 /* sys_ioctl() checks */
3643 case FIONBIO:
3644 /* fall through */
3645 case FIOASYNC:
3646 error = file_has_perm(cred, file, 0);
3647 break;
3648
3649 case KDSKBENT:
3650 case KDSKBSENT:
3651 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3652 SECURITY_CAP_AUDIT, true);
3653 break;
3654
3655 /* default case assumes that the command will go
3656 * to the file's ioctl() function.
3657 */
3658 default:
3659 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3660 }
3661 return error;
3662}
3663
3664static int default_noexec;
3665
3666static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3667{
3668 const struct cred *cred = current_cred();
3669 u32 sid = cred_sid(cred);
3670 int rc = 0;
3671
3672 if (default_noexec &&
3673 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3674 (!shared && (prot & PROT_WRITE)))) {
3675 /*
3676 * We are making executable an anonymous mapping or a
3677 * private file mapping that will also be writable.
3678 * This has an additional check.
3679 */
3680 rc = avc_has_perm(&selinux_state,
3681 sid, sid, SECCLASS_PROCESS,
3682 PROCESS__EXECMEM, NULL);
3683 if (rc)
3684 goto error;
3685 }
3686
3687 if (file) {
3688 /* read access is always possible with a mapping */
3689 u32 av = FILE__READ;
3690
3691 /* write access only matters if the mapping is shared */
3692 if (shared && (prot & PROT_WRITE))
3693 av |= FILE__WRITE;
3694
3695 if (prot & PROT_EXEC)
3696 av |= FILE__EXECUTE;
3697
3698 return file_has_perm(cred, file, av);
3699 }
3700
3701error:
3702 return rc;
3703}
3704
3705static int selinux_mmap_addr(unsigned long addr)
3706{
3707 int rc = 0;
3708
3709 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3710 u32 sid = current_sid();
3711 rc = avc_has_perm(&selinux_state,
3712 sid, sid, SECCLASS_MEMPROTECT,
3713 MEMPROTECT__MMAP_ZERO, NULL);
3714 }
3715
3716 return rc;
3717}
3718
3719static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3720 unsigned long prot, unsigned long flags)
3721{
3722 struct common_audit_data ad;
3723 int rc;
3724
3725 if (file) {
3726 ad.type = LSM_AUDIT_DATA_FILE;
3727 ad.u.file = file;
3728 rc = inode_has_perm(current_cred(), file_inode(file),
3729 FILE__MAP, &ad);
3730 if (rc)
3731 return rc;
3732 }
3733
3734 if (selinux_state.checkreqprot)
3735 prot = reqprot;
3736
3737 return file_map_prot_check(file, prot,
3738 (flags & MAP_TYPE) == MAP_SHARED);
3739}
3740
3741static int selinux_file_mprotect(struct vm_area_struct *vma,
3742 unsigned long reqprot,
3743 unsigned long prot)
3744{
3745 const struct cred *cred = current_cred();
3746 u32 sid = cred_sid(cred);
3747
3748 if (selinux_state.checkreqprot)
3749 prot = reqprot;
3750
3751 if (default_noexec &&
3752 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3753 int rc = 0;
3754 if (vma->vm_start >= vma->vm_mm->start_brk &&
3755 vma->vm_end <= vma->vm_mm->brk) {
3756 rc = avc_has_perm(&selinux_state,
3757 sid, sid, SECCLASS_PROCESS,
3758 PROCESS__EXECHEAP, NULL);
3759 } else if (!vma->vm_file &&
3760 ((vma->vm_start <= vma->vm_mm->start_stack &&
3761 vma->vm_end >= vma->vm_mm->start_stack) ||
3762 vma_is_stack_for_current(vma))) {
3763 rc = avc_has_perm(&selinux_state,
3764 sid, sid, SECCLASS_PROCESS,
3765 PROCESS__EXECSTACK, NULL);
3766 } else if (vma->vm_file && vma->anon_vma) {
3767 /*
3768 * We are making executable a file mapping that has
3769 * had some COW done. Since pages might have been
3770 * written, check ability to execute the possibly
3771 * modified content. This typically should only
3772 * occur for text relocations.
3773 */
3774 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3775 }
3776 if (rc)
3777 return rc;
3778 }
3779
3780 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3781}
3782
3783static int selinux_file_lock(struct file *file, unsigned int cmd)
3784{
3785 const struct cred *cred = current_cred();
3786
3787 return file_has_perm(cred, file, FILE__LOCK);
3788}
3789
3790static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3791 unsigned long arg)
3792{
3793 const struct cred *cred = current_cred();
3794 int err = 0;
3795
3796 switch (cmd) {
3797 case F_SETFL:
3798 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3799 err = file_has_perm(cred, file, FILE__WRITE);
3800 break;
3801 }
3802 /* fall through */
3803 case F_SETOWN:
3804 case F_SETSIG:
3805 case F_GETFL:
3806 case F_GETOWN:
3807 case F_GETSIG:
3808 case F_GETOWNER_UIDS:
3809 /* Just check FD__USE permission */
3810 err = file_has_perm(cred, file, 0);
3811 break;
3812 case F_GETLK:
3813 case F_SETLK:
3814 case F_SETLKW:
3815 case F_OFD_GETLK:
3816 case F_OFD_SETLK:
3817 case F_OFD_SETLKW:
3818#if BITS_PER_LONG == 32
3819 case F_GETLK64:
3820 case F_SETLK64:
3821 case F_SETLKW64:
3822#endif
3823 err = file_has_perm(cred, file, FILE__LOCK);
3824 break;
3825 }
3826
3827 return err;
3828}
3829
3830static void selinux_file_set_fowner(struct file *file)
3831{
3832 struct file_security_struct *fsec;
3833
3834 fsec = file->f_security;
3835 fsec->fown_sid = current_sid();
3836}
3837
3838static int selinux_file_send_sigiotask(struct task_struct *tsk,
3839 struct fown_struct *fown, int signum)
3840{
3841 struct file *file;
3842 u32 sid = task_sid(tsk);
3843 u32 perm;
3844 struct file_security_struct *fsec;
3845
3846 /* struct fown_struct is never outside the context of a struct file */
3847 file = container_of(fown, struct file, f_owner);
3848
3849 fsec = file->f_security;
3850
3851 if (!signum)
3852 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3853 else
3854 perm = signal_to_av(signum);
3855
3856 return avc_has_perm(&selinux_state,
3857 fsec->fown_sid, sid,
3858 SECCLASS_PROCESS, perm, NULL);
3859}
3860
3861static int selinux_file_receive(struct file *file)
3862{
3863 const struct cred *cred = current_cred();
3864
3865 return file_has_perm(cred, file, file_to_av(file));
3866}
3867
3868static int selinux_file_open(struct file *file)
3869{
3870 struct file_security_struct *fsec;
3871 struct inode_security_struct *isec;
3872
3873 fsec = file->f_security;
3874 isec = inode_security(file_inode(file));
3875 /*
3876 * Save inode label and policy sequence number
3877 * at open-time so that selinux_file_permission
3878 * can determine whether revalidation is necessary.
3879 * Task label is already saved in the file security
3880 * struct as its SID.
3881 */
3882 fsec->isid = isec->sid;
3883 fsec->pseqno = avc_policy_seqno(&selinux_state);
3884 /*
3885 * Since the inode label or policy seqno may have changed
3886 * between the selinux_inode_permission check and the saving
3887 * of state above, recheck that access is still permitted.
3888 * Otherwise, access might never be revalidated against the
3889 * new inode label or new policy.
3890 * This check is not redundant - do not remove.
3891 */
3892 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3893}
3894
3895/* task security operations */
3896
3897static int selinux_task_alloc(struct task_struct *task,
3898 unsigned long clone_flags)
3899{
3900 u32 sid = current_sid();
3901
3902 return avc_has_perm(&selinux_state,
3903 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3904}
3905
3906/*
3907 * allocate the SELinux part of blank credentials
3908 */
3909static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3910{
3911 struct task_security_struct *tsec;
3912
3913 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3914 if (!tsec)
3915 return -ENOMEM;
3916
3917 cred->security = tsec;
3918 return 0;
3919}
3920
3921/*
3922 * detach and free the LSM part of a set of credentials
3923 */
3924static void selinux_cred_free(struct cred *cred)
3925{
3926 struct task_security_struct *tsec = cred->security;
3927
3928 /*
3929 * cred->security == NULL if security_cred_alloc_blank() or
3930 * security_prepare_creds() returned an error.
3931 */
3932 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3933 cred->security = (void *) 0x7UL;
3934 kfree(tsec);
3935}
3936
3937/*
3938 * prepare a new set of credentials for modification
3939 */
3940static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3941 gfp_t gfp)
3942{
3943 const struct task_security_struct *old_tsec;
3944 struct task_security_struct *tsec;
3945
3946 old_tsec = old->security;
3947
3948 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3949 if (!tsec)
3950 return -ENOMEM;
3951
3952 new->security = tsec;
3953 return 0;
3954}
3955
3956/*
3957 * transfer the SELinux data to a blank set of creds
3958 */
3959static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3960{
3961 const struct task_security_struct *old_tsec = old->security;
3962 struct task_security_struct *tsec = new->security;
3963
3964 *tsec = *old_tsec;
3965}
3966
3967static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3968{
3969 *secid = cred_sid(c);
3970}
3971
3972/*
3973 * set the security data for a kernel service
3974 * - all the creation contexts are set to unlabelled
3975 */
3976static int selinux_kernel_act_as(struct cred *new, u32 secid)
3977{
3978 struct task_security_struct *tsec = new->security;
3979 u32 sid = current_sid();
3980 int ret;
3981
3982 ret = avc_has_perm(&selinux_state,
3983 sid, secid,
3984 SECCLASS_KERNEL_SERVICE,
3985 KERNEL_SERVICE__USE_AS_OVERRIDE,
3986 NULL);
3987 if (ret == 0) {
3988 tsec->sid = secid;
3989 tsec->create_sid = 0;
3990 tsec->keycreate_sid = 0;
3991 tsec->sockcreate_sid = 0;
3992 }
3993 return ret;
3994}
3995
3996/*
3997 * set the file creation context in a security record to the same as the
3998 * objective context of the specified inode
3999 */
4000static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4001{
4002 struct inode_security_struct *isec = inode_security(inode);
4003 struct task_security_struct *tsec = new->security;
4004 u32 sid = current_sid();
4005 int ret;
4006
4007 ret = avc_has_perm(&selinux_state,
4008 sid, isec->sid,
4009 SECCLASS_KERNEL_SERVICE,
4010 KERNEL_SERVICE__CREATE_FILES_AS,
4011 NULL);
4012
4013 if (ret == 0)
4014 tsec->create_sid = isec->sid;
4015 return ret;
4016}
4017
4018static int selinux_kernel_module_request(char *kmod_name)
4019{
4020 struct common_audit_data ad;
4021
4022 ad.type = LSM_AUDIT_DATA_KMOD;
4023 ad.u.kmod_name = kmod_name;
4024
4025 return avc_has_perm(&selinux_state,
4026 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4027 SYSTEM__MODULE_REQUEST, &ad);
4028}
4029
4030static int selinux_kernel_module_from_file(struct file *file)
4031{
4032 struct common_audit_data ad;
4033 struct inode_security_struct *isec;
4034 struct file_security_struct *fsec;
4035 u32 sid = current_sid();
4036 int rc;
4037
4038 /* init_module */
4039 if (file == NULL)
4040 return avc_has_perm(&selinux_state,
4041 sid, sid, SECCLASS_SYSTEM,
4042 SYSTEM__MODULE_LOAD, NULL);
4043
4044 /* finit_module */
4045
4046 ad.type = LSM_AUDIT_DATA_FILE;
4047 ad.u.file = file;
4048
4049 fsec = file->f_security;
4050 if (sid != fsec->sid) {
4051 rc = avc_has_perm(&selinux_state,
4052 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4053 if (rc)
4054 return rc;
4055 }
4056
4057 isec = inode_security(file_inode(file));
4058 return avc_has_perm(&selinux_state,
4059 sid, isec->sid, SECCLASS_SYSTEM,
4060 SYSTEM__MODULE_LOAD, &ad);
4061}
4062
4063static int selinux_kernel_read_file(struct file *file,
4064 enum kernel_read_file_id id)
4065{
4066 int rc = 0;
4067
4068 switch (id) {
4069 case READING_MODULE:
4070 rc = selinux_kernel_module_from_file(file);
4071 break;
4072 default:
4073 break;
4074 }
4075
4076 return rc;
4077}
4078
4079static int selinux_kernel_load_data(enum kernel_load_data_id id)
4080{
4081 int rc = 0;
4082
4083 switch (id) {
4084 case LOADING_MODULE:
4085 rc = selinux_kernel_module_from_file(NULL);
4086 default:
4087 break;
4088 }
4089
4090 return rc;
4091}
4092
4093static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4094{
4095 return avc_has_perm(&selinux_state,
4096 current_sid(), task_sid(p), SECCLASS_PROCESS,
4097 PROCESS__SETPGID, NULL);
4098}
4099
4100static int selinux_task_getpgid(struct task_struct *p)
4101{
4102 return avc_has_perm(&selinux_state,
4103 current_sid(), task_sid(p), SECCLASS_PROCESS,
4104 PROCESS__GETPGID, NULL);
4105}
4106
4107static int selinux_task_getsid(struct task_struct *p)
4108{
4109 return avc_has_perm(&selinux_state,
4110 current_sid(), task_sid(p), SECCLASS_PROCESS,
4111 PROCESS__GETSESSION, NULL);
4112}
4113
4114static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4115{
4116 *secid = task_sid(p);
4117}
4118
4119static int selinux_task_setnice(struct task_struct *p, int nice)
4120{
4121 return avc_has_perm(&selinux_state,
4122 current_sid(), task_sid(p), SECCLASS_PROCESS,
4123 PROCESS__SETSCHED, NULL);
4124}
4125
4126static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4127{
4128 return avc_has_perm(&selinux_state,
4129 current_sid(), task_sid(p), SECCLASS_PROCESS,
4130 PROCESS__SETSCHED, NULL);
4131}
4132
4133static int selinux_task_getioprio(struct task_struct *p)
4134{
4135 return avc_has_perm(&selinux_state,
4136 current_sid(), task_sid(p), SECCLASS_PROCESS,
4137 PROCESS__GETSCHED, NULL);
4138}
4139
4140static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4141 unsigned int flags)
4142{
4143 u32 av = 0;
4144
4145 if (!flags)
4146 return 0;
4147 if (flags & LSM_PRLIMIT_WRITE)
4148 av |= PROCESS__SETRLIMIT;
4149 if (flags & LSM_PRLIMIT_READ)
4150 av |= PROCESS__GETRLIMIT;
4151 return avc_has_perm(&selinux_state,
4152 cred_sid(cred), cred_sid(tcred),
4153 SECCLASS_PROCESS, av, NULL);
4154}
4155
4156static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4157 struct rlimit *new_rlim)
4158{
4159 struct rlimit *old_rlim = p->signal->rlim + resource;
4160
4161 /* Control the ability to change the hard limit (whether
4162 lowering or raising it), so that the hard limit can
4163 later be used as a safe reset point for the soft limit
4164 upon context transitions. See selinux_bprm_committing_creds. */
4165 if (old_rlim->rlim_max != new_rlim->rlim_max)
4166 return avc_has_perm(&selinux_state,
4167 current_sid(), task_sid(p),
4168 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4169
4170 return 0;
4171}
4172
4173static int selinux_task_setscheduler(struct task_struct *p)
4174{
4175 return avc_has_perm(&selinux_state,
4176 current_sid(), task_sid(p), SECCLASS_PROCESS,
4177 PROCESS__SETSCHED, NULL);
4178}
4179
4180static int selinux_task_getscheduler(struct task_struct *p)
4181{
4182 return avc_has_perm(&selinux_state,
4183 current_sid(), task_sid(p), SECCLASS_PROCESS,
4184 PROCESS__GETSCHED, NULL);
4185}
4186
4187static int selinux_task_movememory(struct task_struct *p)
4188{
4189 return avc_has_perm(&selinux_state,
4190 current_sid(), task_sid(p), SECCLASS_PROCESS,
4191 PROCESS__SETSCHED, NULL);
4192}
4193
4194static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4195 int sig, const struct cred *cred)
4196{
4197 u32 secid;
4198 u32 perm;
4199
4200 if (!sig)
4201 perm = PROCESS__SIGNULL; /* null signal; existence test */
4202 else
4203 perm = signal_to_av(sig);
4204 if (!cred)
4205 secid = current_sid();
4206 else
4207 secid = cred_sid(cred);
4208 return avc_has_perm(&selinux_state,
4209 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4210}
4211
4212static void selinux_task_to_inode(struct task_struct *p,
4213 struct inode *inode)
4214{
4215 struct inode_security_struct *isec = inode->i_security;
4216 u32 sid = task_sid(p);
4217
4218 spin_lock(&isec->lock);
4219 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4220 isec->sid = sid;
4221 isec->initialized = LABEL_INITIALIZED;
4222 spin_unlock(&isec->lock);
4223}
4224
4225/* Returns error only if unable to parse addresses */
4226static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4227 struct common_audit_data *ad, u8 *proto)
4228{
4229 int offset, ihlen, ret = -EINVAL;
4230 struct iphdr _iph, *ih;
4231
4232 offset = skb_network_offset(skb);
4233 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4234 if (ih == NULL)
4235 goto out;
4236
4237 ihlen = ih->ihl * 4;
4238 if (ihlen < sizeof(_iph))
4239 goto out;
4240
4241 ad->u.net->v4info.saddr = ih->saddr;
4242 ad->u.net->v4info.daddr = ih->daddr;
4243 ret = 0;
4244
4245 if (proto)
4246 *proto = ih->protocol;
4247
4248 switch (ih->protocol) {
4249 case IPPROTO_TCP: {
4250 struct tcphdr _tcph, *th;
4251
4252 if (ntohs(ih->frag_off) & IP_OFFSET)
4253 break;
4254
4255 offset += ihlen;
4256 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4257 if (th == NULL)
4258 break;
4259
4260 ad->u.net->sport = th->source;
4261 ad->u.net->dport = th->dest;
4262 break;
4263 }
4264
4265 case IPPROTO_UDP: {
4266 struct udphdr _udph, *uh;
4267
4268 if (ntohs(ih->frag_off) & IP_OFFSET)
4269 break;
4270
4271 offset += ihlen;
4272 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4273 if (uh == NULL)
4274 break;
4275
4276 ad->u.net->sport = uh->source;
4277 ad->u.net->dport = uh->dest;
4278 break;
4279 }
4280
4281 case IPPROTO_DCCP: {
4282 struct dccp_hdr _dccph, *dh;
4283
4284 if (ntohs(ih->frag_off) & IP_OFFSET)
4285 break;
4286
4287 offset += ihlen;
4288 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4289 if (dh == NULL)
4290 break;
4291
4292 ad->u.net->sport = dh->dccph_sport;
4293 ad->u.net->dport = dh->dccph_dport;
4294 break;
4295 }
4296
4297#if IS_ENABLED(CONFIG_IP_SCTP)
4298 case IPPROTO_SCTP: {
4299 struct sctphdr _sctph, *sh;
4300
4301 if (ntohs(ih->frag_off) & IP_OFFSET)
4302 break;
4303
4304 offset += ihlen;
4305 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4306 if (sh == NULL)
4307 break;
4308
4309 ad->u.net->sport = sh->source;
4310 ad->u.net->dport = sh->dest;
4311 break;
4312 }
4313#endif
4314 default:
4315 break;
4316 }
4317out:
4318 return ret;
4319}
4320
4321#if IS_ENABLED(CONFIG_IPV6)
4322
4323/* Returns error only if unable to parse addresses */
4324static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4325 struct common_audit_data *ad, u8 *proto)
4326{
4327 u8 nexthdr;
4328 int ret = -EINVAL, offset;
4329 struct ipv6hdr _ipv6h, *ip6;
4330 __be16 frag_off;
4331
4332 offset = skb_network_offset(skb);
4333 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4334 if (ip6 == NULL)
4335 goto out;
4336
4337 ad->u.net->v6info.saddr = ip6->saddr;
4338 ad->u.net->v6info.daddr = ip6->daddr;
4339 ret = 0;
4340
4341 nexthdr = ip6->nexthdr;
4342 offset += sizeof(_ipv6h);
4343 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4344 if (offset < 0)
4345 goto out;
4346
4347 if (proto)
4348 *proto = nexthdr;
4349
4350 switch (nexthdr) {
4351 case IPPROTO_TCP: {
4352 struct tcphdr _tcph, *th;
4353
4354 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4355 if (th == NULL)
4356 break;
4357
4358 ad->u.net->sport = th->source;
4359 ad->u.net->dport = th->dest;
4360 break;
4361 }
4362
4363 case IPPROTO_UDP: {
4364 struct udphdr _udph, *uh;
4365
4366 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4367 if (uh == NULL)
4368 break;
4369
4370 ad->u.net->sport = uh->source;
4371 ad->u.net->dport = uh->dest;
4372 break;
4373 }
4374
4375 case IPPROTO_DCCP: {
4376 struct dccp_hdr _dccph, *dh;
4377
4378 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4379 if (dh == NULL)
4380 break;
4381
4382 ad->u.net->sport = dh->dccph_sport;
4383 ad->u.net->dport = dh->dccph_dport;
4384 break;
4385 }
4386
4387#if IS_ENABLED(CONFIG_IP_SCTP)
4388 case IPPROTO_SCTP: {
4389 struct sctphdr _sctph, *sh;
4390
4391 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4392 if (sh == NULL)
4393 break;
4394
4395 ad->u.net->sport = sh->source;
4396 ad->u.net->dport = sh->dest;
4397 break;
4398 }
4399#endif
4400 /* includes fragments */
4401 default:
4402 break;
4403 }
4404out:
4405 return ret;
4406}
4407
4408#endif /* IPV6 */
4409
4410static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4411 char **_addrp, int src, u8 *proto)
4412{
4413 char *addrp;
4414 int ret;
4415
4416 switch (ad->u.net->family) {
4417 case PF_INET:
4418 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4419 if (ret)
4420 goto parse_error;
4421 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4422 &ad->u.net->v4info.daddr);
4423 goto okay;
4424
4425#if IS_ENABLED(CONFIG_IPV6)
4426 case PF_INET6:
4427 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4428 if (ret)
4429 goto parse_error;
4430 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4431 &ad->u.net->v6info.daddr);
4432 goto okay;
4433#endif /* IPV6 */
4434 default:
4435 addrp = NULL;
4436 goto okay;
4437 }
4438
4439parse_error:
4440 pr_warn(
4441 "SELinux: failure in selinux_parse_skb(),"
4442 " unable to parse packet\n");
4443 return ret;
4444
4445okay:
4446 if (_addrp)
4447 *_addrp = addrp;
4448 return 0;
4449}
4450
4451/**
4452 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4453 * @skb: the packet
4454 * @family: protocol family
4455 * @sid: the packet's peer label SID
4456 *
4457 * Description:
4458 * Check the various different forms of network peer labeling and determine
4459 * the peer label/SID for the packet; most of the magic actually occurs in
4460 * the security server function security_net_peersid_cmp(). The function
4461 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4462 * or -EACCES if @sid is invalid due to inconsistencies with the different
4463 * peer labels.
4464 *
4465 */
4466static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4467{
4468 int err;
4469 u32 xfrm_sid;
4470 u32 nlbl_sid;
4471 u32 nlbl_type;
4472
4473 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4474 if (unlikely(err))
4475 return -EACCES;
4476 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4477 if (unlikely(err))
4478 return -EACCES;
4479
4480 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4481 nlbl_type, xfrm_sid, sid);
4482 if (unlikely(err)) {
4483 pr_warn(
4484 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4485 " unable to determine packet's peer label\n");
4486 return -EACCES;
4487 }
4488
4489 return 0;
4490}
4491
4492/**
4493 * selinux_conn_sid - Determine the child socket label for a connection
4494 * @sk_sid: the parent socket's SID
4495 * @skb_sid: the packet's SID
4496 * @conn_sid: the resulting connection SID
4497 *
4498 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4499 * combined with the MLS information from @skb_sid in order to create
4500 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4501 * of @sk_sid. Returns zero on success, negative values on failure.
4502 *
4503 */
4504static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4505{
4506 int err = 0;
4507
4508 if (skb_sid != SECSID_NULL)
4509 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4510 conn_sid);
4511 else
4512 *conn_sid = sk_sid;
4513
4514 return err;
4515}
4516
4517/* socket security operations */
4518
4519static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4520 u16 secclass, u32 *socksid)
4521{
4522 if (tsec->sockcreate_sid > SECSID_NULL) {
4523 *socksid = tsec->sockcreate_sid;
4524 return 0;
4525 }
4526
4527 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4528 secclass, NULL, socksid);
4529}
4530
4531static int sock_has_perm(struct sock *sk, u32 perms)
4532{
4533 struct sk_security_struct *sksec = sk->sk_security;
4534 struct common_audit_data ad;
4535 struct lsm_network_audit net = {0,};
4536
4537 if (sksec->sid == SECINITSID_KERNEL)
4538 return 0;
4539
4540 ad.type = LSM_AUDIT_DATA_NET;
4541 ad.u.net = &net;
4542 ad.u.net->sk = sk;
4543
4544 return avc_has_perm(&selinux_state,
4545 current_sid(), sksec->sid, sksec->sclass, perms,
4546 &ad);
4547}
4548
4549static int selinux_socket_create(int family, int type,
4550 int protocol, int kern)
4551{
4552 const struct task_security_struct *tsec = current_security();
4553 u32 newsid;
4554 u16 secclass;
4555 int rc;
4556
4557 if (kern)
4558 return 0;
4559
4560 secclass = socket_type_to_security_class(family, type, protocol);
4561 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4562 if (rc)
4563 return rc;
4564
4565 return avc_has_perm(&selinux_state,
4566 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4567}
4568
4569static int selinux_socket_post_create(struct socket *sock, int family,
4570 int type, int protocol, int kern)
4571{
4572 const struct task_security_struct *tsec = current_security();
4573 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4574 struct sk_security_struct *sksec;
4575 u16 sclass = socket_type_to_security_class(family, type, protocol);
4576 u32 sid = SECINITSID_KERNEL;
4577 int err = 0;
4578
4579 if (!kern) {
4580 err = socket_sockcreate_sid(tsec, sclass, &sid);
4581 if (err)
4582 return err;
4583 }
4584
4585 isec->sclass = sclass;
4586 isec->sid = sid;
4587 isec->initialized = LABEL_INITIALIZED;
4588
4589 if (sock->sk) {
4590 sksec = sock->sk->sk_security;
4591 sksec->sclass = sclass;
4592 sksec->sid = sid;
4593 /* Allows detection of the first association on this socket */
4594 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4595 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4596
4597 err = selinux_netlbl_socket_post_create(sock->sk, family);
4598 }
4599
4600 return err;
4601}
4602
4603static int selinux_socket_socketpair(struct socket *socka,
4604 struct socket *sockb)
4605{
4606 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4607 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4608
4609 sksec_a->peer_sid = sksec_b->sid;
4610 sksec_b->peer_sid = sksec_a->sid;
4611
4612 return 0;
4613}
4614
4615/* Range of port numbers used to automatically bind.
4616 Need to determine whether we should perform a name_bind
4617 permission check between the socket and the port number. */
4618
4619static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4620{
4621 struct sock *sk = sock->sk;
4622 struct sk_security_struct *sksec = sk->sk_security;
4623 u16 family;
4624 int err;
4625
4626 err = sock_has_perm(sk, SOCKET__BIND);
4627 if (err)
4628 goto out;
4629
4630 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4631 family = sk->sk_family;
4632 if (family == PF_INET || family == PF_INET6) {
4633 char *addrp;
4634 struct common_audit_data ad;
4635 struct lsm_network_audit net = {0,};
4636 struct sockaddr_in *addr4 = NULL;
4637 struct sockaddr_in6 *addr6 = NULL;
4638 u16 family_sa = address->sa_family;
4639 unsigned short snum;
4640 u32 sid, node_perm;
4641
4642 /*
4643 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4644 * that validates multiple binding addresses. Because of this
4645 * need to check address->sa_family as it is possible to have
4646 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4647 */
4648 switch (family_sa) {
4649 case AF_UNSPEC:
4650 case AF_INET:
4651 if (addrlen < sizeof(struct sockaddr_in))
4652 return -EINVAL;
4653 addr4 = (struct sockaddr_in *)address;
4654 if (family_sa == AF_UNSPEC) {
4655 /* see __inet_bind(), we only want to allow
4656 * AF_UNSPEC if the address is INADDR_ANY
4657 */
4658 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4659 goto err_af;
4660 family_sa = AF_INET;
4661 }
4662 snum = ntohs(addr4->sin_port);
4663 addrp = (char *)&addr4->sin_addr.s_addr;
4664 break;
4665 case AF_INET6:
4666 if (addrlen < SIN6_LEN_RFC2133)
4667 return -EINVAL;
4668 addr6 = (struct sockaddr_in6 *)address;
4669 snum = ntohs(addr6->sin6_port);
4670 addrp = (char *)&addr6->sin6_addr.s6_addr;
4671 break;
4672 default:
4673 goto err_af;
4674 }
4675
4676 ad.type = LSM_AUDIT_DATA_NET;
4677 ad.u.net = &net;
4678 ad.u.net->sport = htons(snum);
4679 ad.u.net->family = family_sa;
4680
4681 if (snum) {
4682 int low, high;
4683
4684 inet_get_local_port_range(sock_net(sk), &low, &high);
4685
4686 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4687 snum > high) {
4688 err = sel_netport_sid(sk->sk_protocol,
4689 snum, &sid);
4690 if (err)
4691 goto out;
4692 err = avc_has_perm(&selinux_state,
4693 sksec->sid, sid,
4694 sksec->sclass,
4695 SOCKET__NAME_BIND, &ad);
4696 if (err)
4697 goto out;
4698 }
4699 }
4700
4701 switch (sksec->sclass) {
4702 case SECCLASS_TCP_SOCKET:
4703 node_perm = TCP_SOCKET__NODE_BIND;
4704 break;
4705
4706 case SECCLASS_UDP_SOCKET:
4707 node_perm = UDP_SOCKET__NODE_BIND;
4708 break;
4709
4710 case SECCLASS_DCCP_SOCKET:
4711 node_perm = DCCP_SOCKET__NODE_BIND;
4712 break;
4713
4714 case SECCLASS_SCTP_SOCKET:
4715 node_perm = SCTP_SOCKET__NODE_BIND;
4716 break;
4717
4718 default:
4719 node_perm = RAWIP_SOCKET__NODE_BIND;
4720 break;
4721 }
4722
4723 err = sel_netnode_sid(addrp, family_sa, &sid);
4724 if (err)
4725 goto out;
4726
4727 if (family_sa == AF_INET)
4728 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4729 else
4730 ad.u.net->v6info.saddr = addr6->sin6_addr;
4731
4732 err = avc_has_perm(&selinux_state,
4733 sksec->sid, sid,
4734 sksec->sclass, node_perm, &ad);
4735 if (err)
4736 goto out;
4737 }
4738out:
4739 return err;
4740err_af:
4741 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4742 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4743 return -EINVAL;
4744 return -EAFNOSUPPORT;
4745}
4746
4747/* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4748 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
4749 */
4750static int selinux_socket_connect_helper(struct socket *sock,
4751 struct sockaddr *address, int addrlen)
4752{
4753 struct sock *sk = sock->sk;
4754 struct sk_security_struct *sksec = sk->sk_security;
4755 int err;
4756
4757 err = sock_has_perm(sk, SOCKET__CONNECT);
4758 if (err)
4759 return err;
4760
4761 /*
4762 * If a TCP, DCCP or SCTP socket, check name_connect permission
4763 * for the port.
4764 */
4765 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4766 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4767 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4768 struct common_audit_data ad;
4769 struct lsm_network_audit net = {0,};
4770 struct sockaddr_in *addr4 = NULL;
4771 struct sockaddr_in6 *addr6 = NULL;
4772 unsigned short snum;
4773 u32 sid, perm;
4774
4775 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4776 * that validates multiple connect addresses. Because of this
4777 * need to check address->sa_family as it is possible to have
4778 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4779 */
4780 switch (address->sa_family) {
4781 case AF_INET:
4782 addr4 = (struct sockaddr_in *)address;
4783 if (addrlen < sizeof(struct sockaddr_in))
4784 return -EINVAL;
4785 snum = ntohs(addr4->sin_port);
4786 break;
4787 case AF_INET6:
4788 addr6 = (struct sockaddr_in6 *)address;
4789 if (addrlen < SIN6_LEN_RFC2133)
4790 return -EINVAL;
4791 snum = ntohs(addr6->sin6_port);
4792 break;
4793 default:
4794 /* Note that SCTP services expect -EINVAL, whereas
4795 * others expect -EAFNOSUPPORT.
4796 */
4797 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4798 return -EINVAL;
4799 else
4800 return -EAFNOSUPPORT;
4801 }
4802
4803 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4804 if (err)
4805 return err;
4806
4807 switch (sksec->sclass) {
4808 case SECCLASS_TCP_SOCKET:
4809 perm = TCP_SOCKET__NAME_CONNECT;
4810 break;
4811 case SECCLASS_DCCP_SOCKET:
4812 perm = DCCP_SOCKET__NAME_CONNECT;
4813 break;
4814 case SECCLASS_SCTP_SOCKET:
4815 perm = SCTP_SOCKET__NAME_CONNECT;
4816 break;
4817 }
4818
4819 ad.type = LSM_AUDIT_DATA_NET;
4820 ad.u.net = &net;
4821 ad.u.net->dport = htons(snum);
4822 ad.u.net->family = address->sa_family;
4823 err = avc_has_perm(&selinux_state,
4824 sksec->sid, sid, sksec->sclass, perm, &ad);
4825 if (err)
4826 return err;
4827 }
4828
4829 return 0;
4830}
4831
4832/* Supports connect(2), see comments in selinux_socket_connect_helper() */
4833static int selinux_socket_connect(struct socket *sock,
4834 struct sockaddr *address, int addrlen)
4835{
4836 int err;
4837 struct sock *sk = sock->sk;
4838
4839 err = selinux_socket_connect_helper(sock, address, addrlen);
4840 if (err)
4841 return err;
4842
4843 return selinux_netlbl_socket_connect(sk, address);
4844}
4845
4846static int selinux_socket_listen(struct socket *sock, int backlog)
4847{
4848 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4849}
4850
4851static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4852{
4853 int err;
4854 struct inode_security_struct *isec;
4855 struct inode_security_struct *newisec;
4856 u16 sclass;
4857 u32 sid;
4858
4859 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4860 if (err)
4861 return err;
4862
4863 isec = inode_security_novalidate(SOCK_INODE(sock));
4864 spin_lock(&isec->lock);
4865 sclass = isec->sclass;
4866 sid = isec->sid;
4867 spin_unlock(&isec->lock);
4868
4869 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4870 newisec->sclass = sclass;
4871 newisec->sid = sid;
4872 newisec->initialized = LABEL_INITIALIZED;
4873
4874 return 0;
4875}
4876
4877static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4878 int size)
4879{
4880 return sock_has_perm(sock->sk, SOCKET__WRITE);
4881}
4882
4883static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4884 int size, int flags)
4885{
4886 return sock_has_perm(sock->sk, SOCKET__READ);
4887}
4888
4889static int selinux_socket_getsockname(struct socket *sock)
4890{
4891 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4892}
4893
4894static int selinux_socket_getpeername(struct socket *sock)
4895{
4896 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4897}
4898
4899static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4900{
4901 int err;
4902
4903 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4904 if (err)
4905 return err;
4906
4907 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4908}
4909
4910static int selinux_socket_getsockopt(struct socket *sock, int level,
4911 int optname)
4912{
4913 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4914}
4915
4916static int selinux_socket_shutdown(struct socket *sock, int how)
4917{
4918 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4919}
4920
4921static int selinux_socket_unix_stream_connect(struct sock *sock,
4922 struct sock *other,
4923 struct sock *newsk)
4924{
4925 struct sk_security_struct *sksec_sock = sock->sk_security;
4926 struct sk_security_struct *sksec_other = other->sk_security;
4927 struct sk_security_struct *sksec_new = newsk->sk_security;
4928 struct common_audit_data ad;
4929 struct lsm_network_audit net = {0,};
4930 int err;
4931
4932 ad.type = LSM_AUDIT_DATA_NET;
4933 ad.u.net = &net;
4934 ad.u.net->sk = other;
4935
4936 err = avc_has_perm(&selinux_state,
4937 sksec_sock->sid, sksec_other->sid,
4938 sksec_other->sclass,
4939 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4940 if (err)
4941 return err;
4942
4943 /* server child socket */
4944 sksec_new->peer_sid = sksec_sock->sid;
4945 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4946 sksec_sock->sid, &sksec_new->sid);
4947 if (err)
4948 return err;
4949
4950 /* connecting socket */
4951 sksec_sock->peer_sid = sksec_new->sid;
4952
4953 return 0;
4954}
4955
4956static int selinux_socket_unix_may_send(struct socket *sock,
4957 struct socket *other)
4958{
4959 struct sk_security_struct *ssec = sock->sk->sk_security;
4960 struct sk_security_struct *osec = other->sk->sk_security;
4961 struct common_audit_data ad;
4962 struct lsm_network_audit net = {0,};
4963
4964 ad.type = LSM_AUDIT_DATA_NET;
4965 ad.u.net = &net;
4966 ad.u.net->sk = other->sk;
4967
4968 return avc_has_perm(&selinux_state,
4969 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4970 &ad);
4971}
4972
4973static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4974 char *addrp, u16 family, u32 peer_sid,
4975 struct common_audit_data *ad)
4976{
4977 int err;
4978 u32 if_sid;
4979 u32 node_sid;
4980
4981 err = sel_netif_sid(ns, ifindex, &if_sid);
4982 if (err)
4983 return err;
4984 err = avc_has_perm(&selinux_state,
4985 peer_sid, if_sid,
4986 SECCLASS_NETIF, NETIF__INGRESS, ad);
4987 if (err)
4988 return err;
4989
4990 err = sel_netnode_sid(addrp, family, &node_sid);
4991 if (err)
4992 return err;
4993 return avc_has_perm(&selinux_state,
4994 peer_sid, node_sid,
4995 SECCLASS_NODE, NODE__RECVFROM, ad);
4996}
4997
4998static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4999 u16 family)
5000{
5001 int err = 0;
5002 struct sk_security_struct *sksec = sk->sk_security;
5003 u32 sk_sid = sksec->sid;
5004 struct common_audit_data ad;
5005 struct lsm_network_audit net = {0,};
5006 char *addrp;
5007
5008 ad.type = LSM_AUDIT_DATA_NET;
5009 ad.u.net = &net;
5010 ad.u.net->netif = skb->skb_iif;
5011 ad.u.net->family = family;
5012 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5013 if (err)
5014 return err;
5015
5016 if (selinux_secmark_enabled()) {
5017 err = avc_has_perm(&selinux_state,
5018 sk_sid, skb->secmark, SECCLASS_PACKET,
5019 PACKET__RECV, &ad);
5020 if (err)
5021 return err;
5022 }
5023
5024 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5025 if (err)
5026 return err;
5027 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5028
5029 return err;
5030}
5031
5032static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5033{
5034 int err;
5035 struct sk_security_struct *sksec = sk->sk_security;
5036 u16 family = sk->sk_family;
5037 u32 sk_sid = sksec->sid;
5038 struct common_audit_data ad;
5039 struct lsm_network_audit net = {0,};
5040 char *addrp;
5041 u8 secmark_active;
5042 u8 peerlbl_active;
5043
5044 if (family != PF_INET && family != PF_INET6)
5045 return 0;
5046
5047 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5048 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5049 family = PF_INET;
5050
5051 /* If any sort of compatibility mode is enabled then handoff processing
5052 * to the selinux_sock_rcv_skb_compat() function to deal with the
5053 * special handling. We do this in an attempt to keep this function
5054 * as fast and as clean as possible. */
5055 if (!selinux_policycap_netpeer())
5056 return selinux_sock_rcv_skb_compat(sk, skb, family);
5057
5058 secmark_active = selinux_secmark_enabled();
5059 peerlbl_active = selinux_peerlbl_enabled();
5060 if (!secmark_active && !peerlbl_active)
5061 return 0;
5062
5063 ad.type = LSM_AUDIT_DATA_NET;
5064 ad.u.net = &net;
5065 ad.u.net->netif = skb->skb_iif;
5066 ad.u.net->family = family;
5067 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5068 if (err)
5069 return err;
5070
5071 if (peerlbl_active) {
5072 u32 peer_sid;
5073
5074 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5075 if (err)
5076 return err;
5077 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5078 addrp, family, peer_sid, &ad);
5079 if (err) {
5080 selinux_netlbl_err(skb, family, err, 0);
5081 return err;
5082 }
5083 err = avc_has_perm(&selinux_state,
5084 sk_sid, peer_sid, SECCLASS_PEER,
5085 PEER__RECV, &ad);
5086 if (err) {
5087 selinux_netlbl_err(skb, family, err, 0);
5088 return err;
5089 }
5090 }
5091
5092 if (secmark_active) {
5093 err = avc_has_perm(&selinux_state,
5094 sk_sid, skb->secmark, SECCLASS_PACKET,
5095 PACKET__RECV, &ad);
5096 if (err)
5097 return err;
5098 }
5099
5100 return err;
5101}
5102
5103static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5104 int __user *optlen, unsigned len)
5105{
5106 int err = 0;
5107 char *scontext;
5108 u32 scontext_len;
5109 struct sk_security_struct *sksec = sock->sk->sk_security;
5110 u32 peer_sid = SECSID_NULL;
5111
5112 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5113 sksec->sclass == SECCLASS_TCP_SOCKET ||
5114 sksec->sclass == SECCLASS_SCTP_SOCKET)
5115 peer_sid = sksec->peer_sid;
5116 if (peer_sid == SECSID_NULL)
5117 return -ENOPROTOOPT;
5118
5119 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5120 &scontext_len);
5121 if (err)
5122 return err;
5123
5124 if (scontext_len > len) {
5125 err = -ERANGE;
5126 goto out_len;
5127 }
5128
5129 if (copy_to_user(optval, scontext, scontext_len))
5130 err = -EFAULT;
5131
5132out_len:
5133 if (put_user(scontext_len, optlen))
5134 err = -EFAULT;
5135 kfree(scontext);
5136 return err;
5137}
5138
5139static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5140{
5141 u32 peer_secid = SECSID_NULL;
5142 u16 family;
5143 struct inode_security_struct *isec;
5144
5145 if (skb && skb->protocol == htons(ETH_P_IP))
5146 family = PF_INET;
5147 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5148 family = PF_INET6;
5149 else if (sock)
5150 family = sock->sk->sk_family;
5151 else
5152 goto out;
5153
5154 if (sock && family == PF_UNIX) {
5155 isec = inode_security_novalidate(SOCK_INODE(sock));
5156 peer_secid = isec->sid;
5157 } else if (skb)
5158 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5159
5160out:
5161 *secid = peer_secid;
5162 if (peer_secid == SECSID_NULL)
5163 return -EINVAL;
5164 return 0;
5165}
5166
5167static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5168{
5169 struct sk_security_struct *sksec;
5170
5171 sksec = kzalloc(sizeof(*sksec), priority);
5172 if (!sksec)
5173 return -ENOMEM;
5174
5175 sksec->peer_sid = SECINITSID_UNLABELED;
5176 sksec->sid = SECINITSID_UNLABELED;
5177 sksec->sclass = SECCLASS_SOCKET;
5178 selinux_netlbl_sk_security_reset(sksec);
5179 sk->sk_security = sksec;
5180
5181 return 0;
5182}
5183
5184static void selinux_sk_free_security(struct sock *sk)
5185{
5186 struct sk_security_struct *sksec = sk->sk_security;
5187
5188 sk->sk_security = NULL;
5189 selinux_netlbl_sk_security_free(sksec);
5190 kfree(sksec);
5191}
5192
5193static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5194{
5195 struct sk_security_struct *sksec = sk->sk_security;
5196 struct sk_security_struct *newsksec = newsk->sk_security;
5197
5198 newsksec->sid = sksec->sid;
5199 newsksec->peer_sid = sksec->peer_sid;
5200 newsksec->sclass = sksec->sclass;
5201
5202 selinux_netlbl_sk_security_reset(newsksec);
5203}
5204
5205static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5206{
5207 if (!sk)
5208 *secid = SECINITSID_ANY_SOCKET;
5209 else {
5210 struct sk_security_struct *sksec = sk->sk_security;
5211
5212 *secid = sksec->sid;
5213 }
5214}
5215
5216static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5217{
5218 struct inode_security_struct *isec =
5219 inode_security_novalidate(SOCK_INODE(parent));
5220 struct sk_security_struct *sksec = sk->sk_security;
5221
5222 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5223 sk->sk_family == PF_UNIX)
5224 isec->sid = sksec->sid;
5225 sksec->sclass = isec->sclass;
5226}
5227
5228/* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5229 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5230 * already present).
5231 */
5232static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5233 struct sk_buff *skb)
5234{
5235 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5236 struct common_audit_data ad;
5237 struct lsm_network_audit net = {0,};
5238 u8 peerlbl_active;
5239 u32 peer_sid = SECINITSID_UNLABELED;
5240 u32 conn_sid;
5241 int err = 0;
5242
5243 if (!selinux_policycap_extsockclass())
5244 return 0;
5245
5246 peerlbl_active = selinux_peerlbl_enabled();
5247
5248 if (peerlbl_active) {
5249 /* This will return peer_sid = SECSID_NULL if there are
5250 * no peer labels, see security_net_peersid_resolve().
5251 */
5252 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5253 &peer_sid);
5254 if (err)
5255 return err;
5256
5257 if (peer_sid == SECSID_NULL)
5258 peer_sid = SECINITSID_UNLABELED;
5259 }
5260
5261 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5262 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5263
5264 /* Here as first association on socket. As the peer SID
5265 * was allowed by peer recv (and the netif/node checks),
5266 * then it is approved by policy and used as the primary
5267 * peer SID for getpeercon(3).
5268 */
5269 sksec->peer_sid = peer_sid;
5270 } else if (sksec->peer_sid != peer_sid) {
5271 /* Other association peer SIDs are checked to enforce
5272 * consistency among the peer SIDs.
5273 */
5274 ad.type = LSM_AUDIT_DATA_NET;
5275 ad.u.net = &net;
5276 ad.u.net->sk = ep->base.sk;
5277 err = avc_has_perm(&selinux_state,
5278 sksec->peer_sid, peer_sid, sksec->sclass,
5279 SCTP_SOCKET__ASSOCIATION, &ad);
5280 if (err)
5281 return err;
5282 }
5283
5284 /* Compute the MLS component for the connection and store
5285 * the information in ep. This will be used by SCTP TCP type
5286 * sockets and peeled off connections as they cause a new
5287 * socket to be generated. selinux_sctp_sk_clone() will then
5288 * plug this into the new socket.
5289 */
5290 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5291 if (err)
5292 return err;
5293
5294 ep->secid = conn_sid;
5295 ep->peer_secid = peer_sid;
5296
5297 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5298 return selinux_netlbl_sctp_assoc_request(ep, skb);
5299}
5300
5301/* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5302 * based on their @optname.
5303 */
5304static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5305 struct sockaddr *address,
5306 int addrlen)
5307{
5308 int len, err = 0, walk_size = 0;
5309 void *addr_buf;
5310 struct sockaddr *addr;
5311 struct socket *sock;
5312
5313 if (!selinux_policycap_extsockclass())
5314 return 0;
5315
5316 /* Process one or more addresses that may be IPv4 or IPv6 */
5317 sock = sk->sk_socket;
5318 addr_buf = address;
5319
5320 while (walk_size < addrlen) {
5321 if (walk_size + sizeof(sa_family_t) > addrlen)
5322 return -EINVAL;
5323
5324 addr = addr_buf;
5325 switch (addr->sa_family) {
5326 case AF_UNSPEC:
5327 case AF_INET:
5328 len = sizeof(struct sockaddr_in);
5329 break;
5330 case AF_INET6:
5331 len = sizeof(struct sockaddr_in6);
5332 break;
5333 default:
5334 return -EINVAL;
5335 }
5336
5337 err = -EINVAL;
5338 switch (optname) {
5339 /* Bind checks */
5340 case SCTP_PRIMARY_ADDR:
5341 case SCTP_SET_PEER_PRIMARY_ADDR:
5342 case SCTP_SOCKOPT_BINDX_ADD:
5343 err = selinux_socket_bind(sock, addr, len);
5344 break;
5345 /* Connect checks */
5346 case SCTP_SOCKOPT_CONNECTX:
5347 case SCTP_PARAM_SET_PRIMARY:
5348 case SCTP_PARAM_ADD_IP:
5349 case SCTP_SENDMSG_CONNECT:
5350 err = selinux_socket_connect_helper(sock, addr, len);
5351 if (err)
5352 return err;
5353
5354 /* As selinux_sctp_bind_connect() is called by the
5355 * SCTP protocol layer, the socket is already locked,
5356 * therefore selinux_netlbl_socket_connect_locked() is
5357 * is called here. The situations handled are:
5358 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5359 * whenever a new IP address is added or when a new
5360 * primary address is selected.
5361 * Note that an SCTP connect(2) call happens before
5362 * the SCTP protocol layer and is handled via
5363 * selinux_socket_connect().
5364 */
5365 err = selinux_netlbl_socket_connect_locked(sk, addr);
5366 break;
5367 }
5368
5369 if (err)
5370 return err;
5371
5372 addr_buf += len;
5373 walk_size += len;
5374 }
5375
5376 return 0;
5377}
5378
5379/* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5380static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5381 struct sock *newsk)
5382{
5383 struct sk_security_struct *sksec = sk->sk_security;
5384 struct sk_security_struct *newsksec = newsk->sk_security;
5385
5386 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5387 * the non-sctp clone version.
5388 */
5389 if (!selinux_policycap_extsockclass())
5390 return selinux_sk_clone_security(sk, newsk);
5391
5392 newsksec->sid = ep->secid;
5393 newsksec->peer_sid = ep->peer_secid;
5394 newsksec->sclass = sksec->sclass;
5395 selinux_netlbl_sctp_sk_clone(sk, newsk);
5396}
5397
5398static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5399 struct request_sock *req)
5400{
5401 struct sk_security_struct *sksec = sk->sk_security;
5402 int err;
5403 u16 family = req->rsk_ops->family;
5404 u32 connsid;
5405 u32 peersid;
5406
5407 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5408 if (err)
5409 return err;
5410 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5411 if (err)
5412 return err;
5413 req->secid = connsid;
5414 req->peer_secid = peersid;
5415
5416 return selinux_netlbl_inet_conn_request(req, family);
5417}
5418
5419static void selinux_inet_csk_clone(struct sock *newsk,
5420 const struct request_sock *req)
5421{
5422 struct sk_security_struct *newsksec = newsk->sk_security;
5423
5424 newsksec->sid = req->secid;
5425 newsksec->peer_sid = req->peer_secid;
5426 /* NOTE: Ideally, we should also get the isec->sid for the
5427 new socket in sync, but we don't have the isec available yet.
5428 So we will wait until sock_graft to do it, by which
5429 time it will have been created and available. */
5430
5431 /* We don't need to take any sort of lock here as we are the only
5432 * thread with access to newsksec */
5433 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5434}
5435
5436static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5437{
5438 u16 family = sk->sk_family;
5439 struct sk_security_struct *sksec = sk->sk_security;
5440
5441 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5442 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5443 family = PF_INET;
5444
5445 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5446}
5447
5448static int selinux_secmark_relabel_packet(u32 sid)
5449{
5450 const struct task_security_struct *__tsec;
5451 u32 tsid;
5452
5453 __tsec = current_security();
5454 tsid = __tsec->sid;
5455
5456 return avc_has_perm(&selinux_state,
5457 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5458 NULL);
5459}
5460
5461static void selinux_secmark_refcount_inc(void)
5462{
5463 atomic_inc(&selinux_secmark_refcount);
5464}
5465
5466static void selinux_secmark_refcount_dec(void)
5467{
5468 atomic_dec(&selinux_secmark_refcount);
5469}
5470
5471static void selinux_req_classify_flow(const struct request_sock *req,
5472 struct flowi *fl)
5473{
5474 fl->flowi_secid = req->secid;
5475}
5476
5477static int selinux_tun_dev_alloc_security(void **security)
5478{
5479 struct tun_security_struct *tunsec;
5480
5481 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5482 if (!tunsec)
5483 return -ENOMEM;
5484 tunsec->sid = current_sid();
5485
5486 *security = tunsec;
5487 return 0;
5488}
5489
5490static void selinux_tun_dev_free_security(void *security)
5491{
5492 kfree(security);
5493}
5494
5495static int selinux_tun_dev_create(void)
5496{
5497 u32 sid = current_sid();
5498
5499 /* we aren't taking into account the "sockcreate" SID since the socket
5500 * that is being created here is not a socket in the traditional sense,
5501 * instead it is a private sock, accessible only to the kernel, and
5502 * representing a wide range of network traffic spanning multiple
5503 * connections unlike traditional sockets - check the TUN driver to
5504 * get a better understanding of why this socket is special */
5505
5506 return avc_has_perm(&selinux_state,
5507 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5508 NULL);
5509}
5510
5511static int selinux_tun_dev_attach_queue(void *security)
5512{
5513 struct tun_security_struct *tunsec = security;
5514
5515 return avc_has_perm(&selinux_state,
5516 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5517 TUN_SOCKET__ATTACH_QUEUE, NULL);
5518}
5519
5520static int selinux_tun_dev_attach(struct sock *sk, void *security)
5521{
5522 struct tun_security_struct *tunsec = security;
5523 struct sk_security_struct *sksec = sk->sk_security;
5524
5525 /* we don't currently perform any NetLabel based labeling here and it
5526 * isn't clear that we would want to do so anyway; while we could apply
5527 * labeling without the support of the TUN user the resulting labeled
5528 * traffic from the other end of the connection would almost certainly
5529 * cause confusion to the TUN user that had no idea network labeling
5530 * protocols were being used */
5531
5532 sksec->sid = tunsec->sid;
5533 sksec->sclass = SECCLASS_TUN_SOCKET;
5534
5535 return 0;
5536}
5537
5538static int selinux_tun_dev_open(void *security)
5539{
5540 struct tun_security_struct *tunsec = security;
5541 u32 sid = current_sid();
5542 int err;
5543
5544 err = avc_has_perm(&selinux_state,
5545 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5546 TUN_SOCKET__RELABELFROM, NULL);
5547 if (err)
5548 return err;
5549 err = avc_has_perm(&selinux_state,
5550 sid, sid, SECCLASS_TUN_SOCKET,
5551 TUN_SOCKET__RELABELTO, NULL);
5552 if (err)
5553 return err;
5554 tunsec->sid = sid;
5555
5556 return 0;
5557}
5558
5559static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5560{
5561 int err = 0;
5562 u32 perm;
5563 struct nlmsghdr *nlh;
5564 struct sk_security_struct *sksec = sk->sk_security;
5565
5566 if (skb->len < NLMSG_HDRLEN) {
5567 err = -EINVAL;
5568 goto out;
5569 }
5570 nlh = nlmsg_hdr(skb);
5571
5572 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5573 if (err) {
5574 if (err == -EINVAL) {
5575 pr_warn_ratelimited("SELinux: unrecognized netlink"
5576 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5577 " pig=%d comm=%s\n",
5578 sk->sk_protocol, nlh->nlmsg_type,
5579 secclass_map[sksec->sclass - 1].name,
5580 task_pid_nr(current), current->comm);
5581 if (!enforcing_enabled(&selinux_state) ||
5582 security_get_allow_unknown(&selinux_state))
5583 err = 0;
5584 }
5585
5586 /* Ignore */
5587 if (err == -ENOENT)
5588 err = 0;
5589 goto out;
5590 }
5591
5592 err = sock_has_perm(sk, perm);
5593out:
5594 return err;
5595}
5596
5597#ifdef CONFIG_NETFILTER
5598
5599static unsigned int selinux_ip_forward(struct sk_buff *skb,
5600 const struct net_device *indev,
5601 u16 family)
5602{
5603 int err;
5604 char *addrp;
5605 u32 peer_sid;
5606 struct common_audit_data ad;
5607 struct lsm_network_audit net = {0,};
5608 u8 secmark_active;
5609 u8 netlbl_active;
5610 u8 peerlbl_active;
5611
5612 if (!selinux_policycap_netpeer())
5613 return NF_ACCEPT;
5614
5615 secmark_active = selinux_secmark_enabled();
5616 netlbl_active = netlbl_enabled();
5617 peerlbl_active = selinux_peerlbl_enabled();
5618 if (!secmark_active && !peerlbl_active)
5619 return NF_ACCEPT;
5620
5621 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5622 return NF_DROP;
5623
5624 ad.type = LSM_AUDIT_DATA_NET;
5625 ad.u.net = &net;
5626 ad.u.net->netif = indev->ifindex;
5627 ad.u.net->family = family;
5628 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5629 return NF_DROP;
5630
5631 if (peerlbl_active) {
5632 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5633 addrp, family, peer_sid, &ad);
5634 if (err) {
5635 selinux_netlbl_err(skb, family, err, 1);
5636 return NF_DROP;
5637 }
5638 }
5639
5640 if (secmark_active)
5641 if (avc_has_perm(&selinux_state,
5642 peer_sid, skb->secmark,
5643 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5644 return NF_DROP;
5645
5646 if (netlbl_active)
5647 /* we do this in the FORWARD path and not the POST_ROUTING
5648 * path because we want to make sure we apply the necessary
5649 * labeling before IPsec is applied so we can leverage AH
5650 * protection */
5651 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5652 return NF_DROP;
5653
5654 return NF_ACCEPT;
5655}
5656
5657static unsigned int selinux_ipv4_forward(void *priv,
5658 struct sk_buff *skb,
5659 const struct nf_hook_state *state)
5660{
5661 return selinux_ip_forward(skb, state->in, PF_INET);
5662}
5663
5664#if IS_ENABLED(CONFIG_IPV6)
5665static unsigned int selinux_ipv6_forward(void *priv,
5666 struct sk_buff *skb,
5667 const struct nf_hook_state *state)
5668{
5669 return selinux_ip_forward(skb, state->in, PF_INET6);
5670}
5671#endif /* IPV6 */
5672
5673static unsigned int selinux_ip_output(struct sk_buff *skb,
5674 u16 family)
5675{
5676 struct sock *sk;
5677 u32 sid;
5678
5679 if (!netlbl_enabled())
5680 return NF_ACCEPT;
5681
5682 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5683 * because we want to make sure we apply the necessary labeling
5684 * before IPsec is applied so we can leverage AH protection */
5685 sk = skb->sk;
5686 if (sk) {
5687 struct sk_security_struct *sksec;
5688
5689 if (sk_listener(sk))
5690 /* if the socket is the listening state then this
5691 * packet is a SYN-ACK packet which means it needs to
5692 * be labeled based on the connection/request_sock and
5693 * not the parent socket. unfortunately, we can't
5694 * lookup the request_sock yet as it isn't queued on
5695 * the parent socket until after the SYN-ACK is sent.
5696 * the "solution" is to simply pass the packet as-is
5697 * as any IP option based labeling should be copied
5698 * from the initial connection request (in the IP
5699 * layer). it is far from ideal, but until we get a
5700 * security label in the packet itself this is the
5701 * best we can do. */
5702 return NF_ACCEPT;
5703
5704 /* standard practice, label using the parent socket */
5705 sksec = sk->sk_security;
5706 sid = sksec->sid;
5707 } else
5708 sid = SECINITSID_KERNEL;
5709 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5710 return NF_DROP;
5711
5712 return NF_ACCEPT;
5713}
5714
5715static unsigned int selinux_ipv4_output(void *priv,
5716 struct sk_buff *skb,
5717 const struct nf_hook_state *state)
5718{
5719 return selinux_ip_output(skb, PF_INET);
5720}
5721
5722#if IS_ENABLED(CONFIG_IPV6)
5723static unsigned int selinux_ipv6_output(void *priv,
5724 struct sk_buff *skb,
5725 const struct nf_hook_state *state)
5726{
5727 return selinux_ip_output(skb, PF_INET6);
5728}
5729#endif /* IPV6 */
5730
5731static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5732 int ifindex,
5733 u16 family)
5734{
5735 struct sock *sk = skb_to_full_sk(skb);
5736 struct sk_security_struct *sksec;
5737 struct common_audit_data ad;
5738 struct lsm_network_audit net = {0,};
5739 char *addrp;
5740 u8 proto;
5741
5742 if (sk == NULL)
5743 return NF_ACCEPT;
5744 sksec = sk->sk_security;
5745
5746 ad.type = LSM_AUDIT_DATA_NET;
5747 ad.u.net = &net;
5748 ad.u.net->netif = ifindex;
5749 ad.u.net->family = family;
5750 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5751 return NF_DROP;
5752
5753 if (selinux_secmark_enabled())
5754 if (avc_has_perm(&selinux_state,
5755 sksec->sid, skb->secmark,
5756 SECCLASS_PACKET, PACKET__SEND, &ad))
5757 return NF_DROP_ERR(-ECONNREFUSED);
5758
5759 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5760 return NF_DROP_ERR(-ECONNREFUSED);
5761
5762 return NF_ACCEPT;
5763}
5764
5765static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5766 const struct net_device *outdev,
5767 u16 family)
5768{
5769 u32 secmark_perm;
5770 u32 peer_sid;
5771 int ifindex = outdev->ifindex;
5772 struct sock *sk;
5773 struct common_audit_data ad;
5774 struct lsm_network_audit net = {0,};
5775 char *addrp;
5776 u8 secmark_active;
5777 u8 peerlbl_active;
5778
5779 /* If any sort of compatibility mode is enabled then handoff processing
5780 * to the selinux_ip_postroute_compat() function to deal with the
5781 * special handling. We do this in an attempt to keep this function
5782 * as fast and as clean as possible. */
5783 if (!selinux_policycap_netpeer())
5784 return selinux_ip_postroute_compat(skb, ifindex, family);
5785
5786 secmark_active = selinux_secmark_enabled();
5787 peerlbl_active = selinux_peerlbl_enabled();
5788 if (!secmark_active && !peerlbl_active)
5789 return NF_ACCEPT;
5790
5791 sk = skb_to_full_sk(skb);
5792
5793#ifdef CONFIG_XFRM
5794 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5795 * packet transformation so allow the packet to pass without any checks
5796 * since we'll have another chance to perform access control checks
5797 * when the packet is on it's final way out.
5798 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5799 * is NULL, in this case go ahead and apply access control.
5800 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5801 * TCP listening state we cannot wait until the XFRM processing
5802 * is done as we will miss out on the SA label if we do;
5803 * unfortunately, this means more work, but it is only once per
5804 * connection. */
5805 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5806 !(sk && sk_listener(sk)))
5807 return NF_ACCEPT;
5808#endif
5809
5810 if (sk == NULL) {
5811 /* Without an associated socket the packet is either coming
5812 * from the kernel or it is being forwarded; check the packet
5813 * to determine which and if the packet is being forwarded
5814 * query the packet directly to determine the security label. */
5815 if (skb->skb_iif) {
5816 secmark_perm = PACKET__FORWARD_OUT;
5817 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5818 return NF_DROP;
5819 } else {
5820 secmark_perm = PACKET__SEND;
5821 peer_sid = SECINITSID_KERNEL;
5822 }
5823 } else if (sk_listener(sk)) {
5824 /* Locally generated packet but the associated socket is in the
5825 * listening state which means this is a SYN-ACK packet. In
5826 * this particular case the correct security label is assigned
5827 * to the connection/request_sock but unfortunately we can't
5828 * query the request_sock as it isn't queued on the parent
5829 * socket until after the SYN-ACK packet is sent; the only
5830 * viable choice is to regenerate the label like we do in
5831 * selinux_inet_conn_request(). See also selinux_ip_output()
5832 * for similar problems. */
5833 u32 skb_sid;
5834 struct sk_security_struct *sksec;
5835
5836 sksec = sk->sk_security;
5837 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5838 return NF_DROP;
5839 /* At this point, if the returned skb peerlbl is SECSID_NULL
5840 * and the packet has been through at least one XFRM
5841 * transformation then we must be dealing with the "final"
5842 * form of labeled IPsec packet; since we've already applied
5843 * all of our access controls on this packet we can safely
5844 * pass the packet. */
5845 if (skb_sid == SECSID_NULL) {
5846 switch (family) {
5847 case PF_INET:
5848 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5849 return NF_ACCEPT;
5850 break;
5851 case PF_INET6:
5852 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5853 return NF_ACCEPT;
5854 break;
5855 default:
5856 return NF_DROP_ERR(-ECONNREFUSED);
5857 }
5858 }
5859 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5860 return NF_DROP;
5861 secmark_perm = PACKET__SEND;
5862 } else {
5863 /* Locally generated packet, fetch the security label from the
5864 * associated socket. */
5865 struct sk_security_struct *sksec = sk->sk_security;
5866 peer_sid = sksec->sid;
5867 secmark_perm = PACKET__SEND;
5868 }
5869
5870 ad.type = LSM_AUDIT_DATA_NET;
5871 ad.u.net = &net;
5872 ad.u.net->netif = ifindex;
5873 ad.u.net->family = family;
5874 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5875 return NF_DROP;
5876
5877 if (secmark_active)
5878 if (avc_has_perm(&selinux_state,
5879 peer_sid, skb->secmark,
5880 SECCLASS_PACKET, secmark_perm, &ad))
5881 return NF_DROP_ERR(-ECONNREFUSED);
5882
5883 if (peerlbl_active) {
5884 u32 if_sid;
5885 u32 node_sid;
5886
5887 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5888 return NF_DROP;
5889 if (avc_has_perm(&selinux_state,
5890 peer_sid, if_sid,
5891 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5892 return NF_DROP_ERR(-ECONNREFUSED);
5893
5894 if (sel_netnode_sid(addrp, family, &node_sid))
5895 return NF_DROP;
5896 if (avc_has_perm(&selinux_state,
5897 peer_sid, node_sid,
5898 SECCLASS_NODE, NODE__SENDTO, &ad))
5899 return NF_DROP_ERR(-ECONNREFUSED);
5900 }
5901
5902 return NF_ACCEPT;
5903}
5904
5905static unsigned int selinux_ipv4_postroute(void *priv,
5906 struct sk_buff *skb,
5907 const struct nf_hook_state *state)
5908{
5909 return selinux_ip_postroute(skb, state->out, PF_INET);
5910}
5911
5912#if IS_ENABLED(CONFIG_IPV6)
5913static unsigned int selinux_ipv6_postroute(void *priv,
5914 struct sk_buff *skb,
5915 const struct nf_hook_state *state)
5916{
5917 return selinux_ip_postroute(skb, state->out, PF_INET6);
5918}
5919#endif /* IPV6 */
5920
5921#endif /* CONFIG_NETFILTER */
5922
5923static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5924{
5925 return selinux_nlmsg_perm(sk, skb);
5926}
5927
5928static int ipc_alloc_security(struct kern_ipc_perm *perm,
5929 u16 sclass)
5930{
5931 struct ipc_security_struct *isec;
5932
5933 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5934 if (!isec)
5935 return -ENOMEM;
5936
5937 isec->sclass = sclass;
5938 isec->sid = current_sid();
5939 perm->security = isec;
5940
5941 return 0;
5942}
5943
5944static void ipc_free_security(struct kern_ipc_perm *perm)
5945{
5946 struct ipc_security_struct *isec = perm->security;
5947 perm->security = NULL;
5948 kfree(isec);
5949}
5950
5951static int msg_msg_alloc_security(struct msg_msg *msg)
5952{
5953 struct msg_security_struct *msec;
5954
5955 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5956 if (!msec)
5957 return -ENOMEM;
5958
5959 msec->sid = SECINITSID_UNLABELED;
5960 msg->security = msec;
5961
5962 return 0;
5963}
5964
5965static void msg_msg_free_security(struct msg_msg *msg)
5966{
5967 struct msg_security_struct *msec = msg->security;
5968
5969 msg->security = NULL;
5970 kfree(msec);
5971}
5972
5973static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5974 u32 perms)
5975{
5976 struct ipc_security_struct *isec;
5977 struct common_audit_data ad;
5978 u32 sid = current_sid();
5979
5980 isec = ipc_perms->security;
5981
5982 ad.type = LSM_AUDIT_DATA_IPC;
5983 ad.u.ipc_id = ipc_perms->key;
5984
5985 return avc_has_perm(&selinux_state,
5986 sid, isec->sid, isec->sclass, perms, &ad);
5987}
5988
5989static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5990{
5991 return msg_msg_alloc_security(msg);
5992}
5993
5994static void selinux_msg_msg_free_security(struct msg_msg *msg)
5995{
5996 msg_msg_free_security(msg);
5997}
5998
5999/* message queue security operations */
6000static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6001{
6002 struct ipc_security_struct *isec;
6003 struct common_audit_data ad;
6004 u32 sid = current_sid();
6005 int rc;
6006
6007 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
6008 if (rc)
6009 return rc;
6010
6011 isec = msq->security;
6012
6013 ad.type = LSM_AUDIT_DATA_IPC;
6014 ad.u.ipc_id = msq->key;
6015
6016 rc = avc_has_perm(&selinux_state,
6017 sid, isec->sid, SECCLASS_MSGQ,
6018 MSGQ__CREATE, &ad);
6019 if (rc) {
6020 ipc_free_security(msq);
6021 return rc;
6022 }
6023 return 0;
6024}
6025
6026static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6027{
6028 ipc_free_security(msq);
6029}
6030
6031static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6032{
6033 struct ipc_security_struct *isec;
6034 struct common_audit_data ad;
6035 u32 sid = current_sid();
6036
6037 isec = msq->security;
6038
6039 ad.type = LSM_AUDIT_DATA_IPC;
6040 ad.u.ipc_id = msq->key;
6041
6042 return avc_has_perm(&selinux_state,
6043 sid, isec->sid, SECCLASS_MSGQ,
6044 MSGQ__ASSOCIATE, &ad);
6045}
6046
6047static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6048{
6049 int err;
6050 int perms;
6051
6052 switch (cmd) {
6053 case IPC_INFO:
6054 case MSG_INFO:
6055 /* No specific object, just general system-wide information. */
6056 return avc_has_perm(&selinux_state,
6057 current_sid(), SECINITSID_KERNEL,
6058 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6059 case IPC_STAT:
6060 case MSG_STAT:
6061 case MSG_STAT_ANY:
6062 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6063 break;
6064 case IPC_SET:
6065 perms = MSGQ__SETATTR;
6066 break;
6067 case IPC_RMID:
6068 perms = MSGQ__DESTROY;
6069 break;
6070 default:
6071 return 0;
6072 }
6073
6074 err = ipc_has_perm(msq, perms);
6075 return err;
6076}
6077
6078static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6079{
6080 struct ipc_security_struct *isec;
6081 struct msg_security_struct *msec;
6082 struct common_audit_data ad;
6083 u32 sid = current_sid();
6084 int rc;
6085
6086 isec = msq->security;
6087 msec = msg->security;
6088
6089 /*
6090 * First time through, need to assign label to the message
6091 */
6092 if (msec->sid == SECINITSID_UNLABELED) {
6093 /*
6094 * Compute new sid based on current process and
6095 * message queue this message will be stored in
6096 */
6097 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6098 SECCLASS_MSG, NULL, &msec->sid);
6099 if (rc)
6100 return rc;
6101 }
6102
6103 ad.type = LSM_AUDIT_DATA_IPC;
6104 ad.u.ipc_id = msq->key;
6105
6106 /* Can this process write to the queue? */
6107 rc = avc_has_perm(&selinux_state,
6108 sid, isec->sid, SECCLASS_MSGQ,
6109 MSGQ__WRITE, &ad);
6110 if (!rc)
6111 /* Can this process send the message */
6112 rc = avc_has_perm(&selinux_state,
6113 sid, msec->sid, SECCLASS_MSG,
6114 MSG__SEND, &ad);
6115 if (!rc)
6116 /* Can the message be put in the queue? */
6117 rc = avc_has_perm(&selinux_state,
6118 msec->sid, isec->sid, SECCLASS_MSGQ,
6119 MSGQ__ENQUEUE, &ad);
6120
6121 return rc;
6122}
6123
6124static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6125 struct task_struct *target,
6126 long type, int mode)
6127{
6128 struct ipc_security_struct *isec;
6129 struct msg_security_struct *msec;
6130 struct common_audit_data ad;
6131 u32 sid = task_sid(target);
6132 int rc;
6133
6134 isec = msq->security;
6135 msec = msg->security;
6136
6137 ad.type = LSM_AUDIT_DATA_IPC;
6138 ad.u.ipc_id = msq->key;
6139
6140 rc = avc_has_perm(&selinux_state,
6141 sid, isec->sid,
6142 SECCLASS_MSGQ, MSGQ__READ, &ad);
6143 if (!rc)
6144 rc = avc_has_perm(&selinux_state,
6145 sid, msec->sid,
6146 SECCLASS_MSG, MSG__RECEIVE, &ad);
6147 return rc;
6148}
6149
6150/* Shared Memory security operations */
6151static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6152{
6153 struct ipc_security_struct *isec;
6154 struct common_audit_data ad;
6155 u32 sid = current_sid();
6156 int rc;
6157
6158 rc = ipc_alloc_security(shp, SECCLASS_SHM);
6159 if (rc)
6160 return rc;
6161
6162 isec = shp->security;
6163
6164 ad.type = LSM_AUDIT_DATA_IPC;
6165 ad.u.ipc_id = shp->key;
6166
6167 rc = avc_has_perm(&selinux_state,
6168 sid, isec->sid, SECCLASS_SHM,
6169 SHM__CREATE, &ad);
6170 if (rc) {
6171 ipc_free_security(shp);
6172 return rc;
6173 }
6174 return 0;
6175}
6176
6177static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6178{
6179 ipc_free_security(shp);
6180}
6181
6182static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6183{
6184 struct ipc_security_struct *isec;
6185 struct common_audit_data ad;
6186 u32 sid = current_sid();
6187
6188 isec = shp->security;
6189
6190 ad.type = LSM_AUDIT_DATA_IPC;
6191 ad.u.ipc_id = shp->key;
6192
6193 return avc_has_perm(&selinux_state,
6194 sid, isec->sid, SECCLASS_SHM,
6195 SHM__ASSOCIATE, &ad);
6196}
6197
6198/* Note, at this point, shp is locked down */
6199static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6200{
6201 int perms;
6202 int err;
6203
6204 switch (cmd) {
6205 case IPC_INFO:
6206 case SHM_INFO:
6207 /* No specific object, just general system-wide information. */
6208 return avc_has_perm(&selinux_state,
6209 current_sid(), SECINITSID_KERNEL,
6210 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6211 case IPC_STAT:
6212 case SHM_STAT:
6213 case SHM_STAT_ANY:
6214 perms = SHM__GETATTR | SHM__ASSOCIATE;
6215 break;
6216 case IPC_SET:
6217 perms = SHM__SETATTR;
6218 break;
6219 case SHM_LOCK:
6220 case SHM_UNLOCK:
6221 perms = SHM__LOCK;
6222 break;
6223 case IPC_RMID:
6224 perms = SHM__DESTROY;
6225 break;
6226 default:
6227 return 0;
6228 }
6229
6230 err = ipc_has_perm(shp, perms);
6231 return err;
6232}
6233
6234static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6235 char __user *shmaddr, int shmflg)
6236{
6237 u32 perms;
6238
6239 if (shmflg & SHM_RDONLY)
6240 perms = SHM__READ;
6241 else
6242 perms = SHM__READ | SHM__WRITE;
6243
6244 return ipc_has_perm(shp, perms);
6245}
6246
6247/* Semaphore security operations */
6248static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6249{
6250 struct ipc_security_struct *isec;
6251 struct common_audit_data ad;
6252 u32 sid = current_sid();
6253 int rc;
6254
6255 rc = ipc_alloc_security(sma, SECCLASS_SEM);
6256 if (rc)
6257 return rc;
6258
6259 isec = sma->security;
6260
6261 ad.type = LSM_AUDIT_DATA_IPC;
6262 ad.u.ipc_id = sma->key;
6263
6264 rc = avc_has_perm(&selinux_state,
6265 sid, isec->sid, SECCLASS_SEM,
6266 SEM__CREATE, &ad);
6267 if (rc) {
6268 ipc_free_security(sma);
6269 return rc;
6270 }
6271 return 0;
6272}
6273
6274static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6275{
6276 ipc_free_security(sma);
6277}
6278
6279static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6280{
6281 struct ipc_security_struct *isec;
6282 struct common_audit_data ad;
6283 u32 sid = current_sid();
6284
6285 isec = sma->security;
6286
6287 ad.type = LSM_AUDIT_DATA_IPC;
6288 ad.u.ipc_id = sma->key;
6289
6290 return avc_has_perm(&selinux_state,
6291 sid, isec->sid, SECCLASS_SEM,
6292 SEM__ASSOCIATE, &ad);
6293}
6294
6295/* Note, at this point, sma is locked down */
6296static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6297{
6298 int err;
6299 u32 perms;
6300
6301 switch (cmd) {
6302 case IPC_INFO:
6303 case SEM_INFO:
6304 /* No specific object, just general system-wide information. */
6305 return avc_has_perm(&selinux_state,
6306 current_sid(), SECINITSID_KERNEL,
6307 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6308 case GETPID:
6309 case GETNCNT:
6310 case GETZCNT:
6311 perms = SEM__GETATTR;
6312 break;
6313 case GETVAL:
6314 case GETALL:
6315 perms = SEM__READ;
6316 break;
6317 case SETVAL:
6318 case SETALL:
6319 perms = SEM__WRITE;
6320 break;
6321 case IPC_RMID:
6322 perms = SEM__DESTROY;
6323 break;
6324 case IPC_SET:
6325 perms = SEM__SETATTR;
6326 break;
6327 case IPC_STAT:
6328 case SEM_STAT:
6329 case SEM_STAT_ANY:
6330 perms = SEM__GETATTR | SEM__ASSOCIATE;
6331 break;
6332 default:
6333 return 0;
6334 }
6335
6336 err = ipc_has_perm(sma, perms);
6337 return err;
6338}
6339
6340static int selinux_sem_semop(struct kern_ipc_perm *sma,
6341 struct sembuf *sops, unsigned nsops, int alter)
6342{
6343 u32 perms;
6344
6345 if (alter)
6346 perms = SEM__READ | SEM__WRITE;
6347 else
6348 perms = SEM__READ;
6349
6350 return ipc_has_perm(sma, perms);
6351}
6352
6353static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6354{
6355 u32 av = 0;
6356
6357 av = 0;
6358 if (flag & S_IRUGO)
6359 av |= IPC__UNIX_READ;
6360 if (flag & S_IWUGO)
6361 av |= IPC__UNIX_WRITE;
6362
6363 if (av == 0)
6364 return 0;
6365
6366 return ipc_has_perm(ipcp, av);
6367}
6368
6369static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6370{
6371 struct ipc_security_struct *isec = ipcp->security;
6372 *secid = isec->sid;
6373}
6374
6375static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6376{
6377 if (inode)
6378 inode_doinit_with_dentry(inode, dentry);
6379}
6380
6381static int selinux_getprocattr(struct task_struct *p,
6382 char *name, char **value)
6383{
6384 const struct task_security_struct *__tsec;
6385 u32 sid;
6386 int error;
6387 unsigned len;
6388
6389 rcu_read_lock();
6390 __tsec = __task_cred(p)->security;
6391
6392 if (current != p) {
6393 error = avc_has_perm(&selinux_state,
6394 current_sid(), __tsec->sid,
6395 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6396 if (error)
6397 goto bad;
6398 }
6399
6400 if (!strcmp(name, "current"))
6401 sid = __tsec->sid;
6402 else if (!strcmp(name, "prev"))
6403 sid = __tsec->osid;
6404 else if (!strcmp(name, "exec"))
6405 sid = __tsec->exec_sid;
6406 else if (!strcmp(name, "fscreate"))
6407 sid = __tsec->create_sid;
6408 else if (!strcmp(name, "keycreate"))
6409 sid = __tsec->keycreate_sid;
6410 else if (!strcmp(name, "sockcreate"))
6411 sid = __tsec->sockcreate_sid;
6412 else {
6413 error = -EINVAL;
6414 goto bad;
6415 }
6416 rcu_read_unlock();
6417
6418 if (!sid)
6419 return 0;
6420
6421 error = security_sid_to_context(&selinux_state, sid, value, &len);
6422 if (error)
6423 return error;
6424 return len;
6425
6426bad:
6427 rcu_read_unlock();
6428 return error;
6429}
6430
6431static int selinux_setprocattr(const char *name, void *value, size_t size)
6432{
6433 struct task_security_struct *tsec;
6434 struct cred *new;
6435 u32 mysid = current_sid(), sid = 0, ptsid;
6436 int error;
6437 char *str = value;
6438
6439 /*
6440 * Basic control over ability to set these attributes at all.
6441 */
6442 if (!strcmp(name, "exec"))
6443 error = avc_has_perm(&selinux_state,
6444 mysid, mysid, SECCLASS_PROCESS,
6445 PROCESS__SETEXEC, NULL);
6446 else if (!strcmp(name, "fscreate"))
6447 error = avc_has_perm(&selinux_state,
6448 mysid, mysid, SECCLASS_PROCESS,
6449 PROCESS__SETFSCREATE, NULL);
6450 else if (!strcmp(name, "keycreate"))
6451 error = avc_has_perm(&selinux_state,
6452 mysid, mysid, SECCLASS_PROCESS,
6453 PROCESS__SETKEYCREATE, NULL);
6454 else if (!strcmp(name, "sockcreate"))
6455 error = avc_has_perm(&selinux_state,
6456 mysid, mysid, SECCLASS_PROCESS,
6457 PROCESS__SETSOCKCREATE, NULL);
6458 else if (!strcmp(name, "current"))
6459 error = avc_has_perm(&selinux_state,
6460 mysid, mysid, SECCLASS_PROCESS,
6461 PROCESS__SETCURRENT, NULL);
6462 else
6463 error = -EINVAL;
6464 if (error)
6465 return error;
6466
6467 /* Obtain a SID for the context, if one was specified. */
6468 if (size && str[0] && str[0] != '\n') {
6469 if (str[size-1] == '\n') {
6470 str[size-1] = 0;
6471 size--;
6472 }
6473 error = security_context_to_sid(&selinux_state, value, size,
6474 &sid, GFP_KERNEL);
6475 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6476 if (!has_cap_mac_admin(true)) {
6477 struct audit_buffer *ab;
6478 size_t audit_size;
6479
6480 /* We strip a nul only if it is at the end, otherwise the
6481 * context contains a nul and we should audit that */
6482 if (str[size - 1] == '\0')
6483 audit_size = size - 1;
6484 else
6485 audit_size = size;
6486 ab = audit_log_start(audit_context(),
6487 GFP_ATOMIC,
6488 AUDIT_SELINUX_ERR);
6489 audit_log_format(ab, "op=fscreate invalid_context=");
6490 audit_log_n_untrustedstring(ab, value, audit_size);
6491 audit_log_end(ab);
6492
6493 return error;
6494 }
6495 error = security_context_to_sid_force(
6496 &selinux_state,
6497 value, size, &sid);
6498 }
6499 if (error)
6500 return error;
6501 }
6502
6503 new = prepare_creds();
6504 if (!new)
6505 return -ENOMEM;
6506
6507 /* Permission checking based on the specified context is
6508 performed during the actual operation (execve,
6509 open/mkdir/...), when we know the full context of the
6510 operation. See selinux_bprm_set_creds for the execve
6511 checks and may_create for the file creation checks. The
6512 operation will then fail if the context is not permitted. */
6513 tsec = new->security;
6514 if (!strcmp(name, "exec")) {
6515 tsec->exec_sid = sid;
6516 } else if (!strcmp(name, "fscreate")) {
6517 tsec->create_sid = sid;
6518 } else if (!strcmp(name, "keycreate")) {
6519 error = avc_has_perm(&selinux_state,
6520 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6521 NULL);
6522 if (error)
6523 goto abort_change;
6524 tsec->keycreate_sid = sid;
6525 } else if (!strcmp(name, "sockcreate")) {
6526 tsec->sockcreate_sid = sid;
6527 } else if (!strcmp(name, "current")) {
6528 error = -EINVAL;
6529 if (sid == 0)
6530 goto abort_change;
6531
6532 /* Only allow single threaded processes to change context */
6533 error = -EPERM;
6534 if (!current_is_single_threaded()) {
6535 error = security_bounded_transition(&selinux_state,
6536 tsec->sid, sid);
6537 if (error)
6538 goto abort_change;
6539 }
6540
6541 /* Check permissions for the transition. */
6542 error = avc_has_perm(&selinux_state,
6543 tsec->sid, sid, SECCLASS_PROCESS,
6544 PROCESS__DYNTRANSITION, NULL);
6545 if (error)
6546 goto abort_change;
6547
6548 /* Check for ptracing, and update the task SID if ok.
6549 Otherwise, leave SID unchanged and fail. */
6550 ptsid = ptrace_parent_sid();
6551 if (ptsid != 0) {
6552 error = avc_has_perm(&selinux_state,
6553 ptsid, sid, SECCLASS_PROCESS,
6554 PROCESS__PTRACE, NULL);
6555 if (error)
6556 goto abort_change;
6557 }
6558
6559 tsec->sid = sid;
6560 } else {
6561 error = -EINVAL;
6562 goto abort_change;
6563 }
6564
6565 commit_creds(new);
6566 return size;
6567
6568abort_change:
6569 abort_creds(new);
6570 return error;
6571}
6572
6573static int selinux_ismaclabel(const char *name)
6574{
6575 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6576}
6577
6578static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6579{
6580 return security_sid_to_context(&selinux_state, secid,
6581 secdata, seclen);
6582}
6583
6584static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6585{
6586 return security_context_to_sid(&selinux_state, secdata, seclen,
6587 secid, GFP_KERNEL);
6588}
6589
6590static void selinux_release_secctx(char *secdata, u32 seclen)
6591{
6592 kfree(secdata);
6593}
6594
6595static void selinux_inode_invalidate_secctx(struct inode *inode)
6596{
6597 struct inode_security_struct *isec = inode->i_security;
6598
6599 spin_lock(&isec->lock);
6600 isec->initialized = LABEL_INVALID;
6601 spin_unlock(&isec->lock);
6602}
6603
6604/*
6605 * called with inode->i_mutex locked
6606 */
6607static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6608{
6609 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6610}
6611
6612/*
6613 * called with inode->i_mutex locked
6614 */
6615static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6616{
6617 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6618}
6619
6620static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6621{
6622 int len = 0;
6623 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6624 ctx, true);
6625 if (len < 0)
6626 return len;
6627 *ctxlen = len;
6628 return 0;
6629}
6630#ifdef CONFIG_KEYS
6631
6632static int selinux_key_alloc(struct key *k, const struct cred *cred,
6633 unsigned long flags)
6634{
6635 const struct task_security_struct *tsec;
6636 struct key_security_struct *ksec;
6637
6638 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6639 if (!ksec)
6640 return -ENOMEM;
6641
6642 tsec = cred->security;
6643 if (tsec->keycreate_sid)
6644 ksec->sid = tsec->keycreate_sid;
6645 else
6646 ksec->sid = tsec->sid;
6647
6648 k->security = ksec;
6649 return 0;
6650}
6651
6652static void selinux_key_free(struct key *k)
6653{
6654 struct key_security_struct *ksec = k->security;
6655
6656 k->security = NULL;
6657 kfree(ksec);
6658}
6659
6660static int selinux_key_permission(key_ref_t key_ref,
6661 const struct cred *cred,
6662 unsigned perm)
6663{
6664 struct key *key;
6665 struct key_security_struct *ksec;
6666 u32 sid;
6667
6668 /* if no specific permissions are requested, we skip the
6669 permission check. No serious, additional covert channels
6670 appear to be created. */
6671 if (perm == 0)
6672 return 0;
6673
6674 sid = cred_sid(cred);
6675
6676 key = key_ref_to_ptr(key_ref);
6677 ksec = key->security;
6678
6679 return avc_has_perm(&selinux_state,
6680 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6681}
6682
6683static int selinux_key_getsecurity(struct key *key, char **_buffer)
6684{
6685 struct key_security_struct *ksec = key->security;
6686 char *context = NULL;
6687 unsigned len;
6688 int rc;
6689
6690 rc = security_sid_to_context(&selinux_state, ksec->sid,
6691 &context, &len);
6692 if (!rc)
6693 rc = len;
6694 *_buffer = context;
6695 return rc;
6696}
6697#endif
6698
6699#ifdef CONFIG_SECURITY_INFINIBAND
6700static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6701{
6702 struct common_audit_data ad;
6703 int err;
6704 u32 sid = 0;
6705 struct ib_security_struct *sec = ib_sec;
6706 struct lsm_ibpkey_audit ibpkey;
6707
6708 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6709 if (err)
6710 return err;
6711
6712 ad.type = LSM_AUDIT_DATA_IBPKEY;
6713 ibpkey.subnet_prefix = subnet_prefix;
6714 ibpkey.pkey = pkey_val;
6715 ad.u.ibpkey = &ibpkey;
6716 return avc_has_perm(&selinux_state,
6717 sec->sid, sid,
6718 SECCLASS_INFINIBAND_PKEY,
6719 INFINIBAND_PKEY__ACCESS, &ad);
6720}
6721
6722static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6723 u8 port_num)
6724{
6725 struct common_audit_data ad;
6726 int err;
6727 u32 sid = 0;
6728 struct ib_security_struct *sec = ib_sec;
6729 struct lsm_ibendport_audit ibendport;
6730
6731 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6732 &sid);
6733
6734 if (err)
6735 return err;
6736
6737 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6738 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6739 ibendport.port = port_num;
6740 ad.u.ibendport = &ibendport;
6741 return avc_has_perm(&selinux_state,
6742 sec->sid, sid,
6743 SECCLASS_INFINIBAND_ENDPORT,
6744 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6745}
6746
6747static int selinux_ib_alloc_security(void **ib_sec)
6748{
6749 struct ib_security_struct *sec;
6750
6751 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6752 if (!sec)
6753 return -ENOMEM;
6754 sec->sid = current_sid();
6755
6756 *ib_sec = sec;
6757 return 0;
6758}
6759
6760static void selinux_ib_free_security(void *ib_sec)
6761{
6762 kfree(ib_sec);
6763}
6764#endif
6765
6766#ifdef CONFIG_BPF_SYSCALL
6767static int selinux_bpf(int cmd, union bpf_attr *attr,
6768 unsigned int size)
6769{
6770 u32 sid = current_sid();
6771 int ret;
6772
6773 switch (cmd) {
6774 case BPF_MAP_CREATE:
6775 ret = avc_has_perm(&selinux_state,
6776 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6777 NULL);
6778 break;
6779 case BPF_PROG_LOAD:
6780 ret = avc_has_perm(&selinux_state,
6781 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6782 NULL);
6783 break;
6784 default:
6785 ret = 0;
6786 break;
6787 }
6788
6789 return ret;
6790}
6791
6792static u32 bpf_map_fmode_to_av(fmode_t fmode)
6793{
6794 u32 av = 0;
6795
6796 if (fmode & FMODE_READ)
6797 av |= BPF__MAP_READ;
6798 if (fmode & FMODE_WRITE)
6799 av |= BPF__MAP_WRITE;
6800 return av;
6801}
6802
6803/* This function will check the file pass through unix socket or binder to see
6804 * if it is a bpf related object. And apply correspinding checks on the bpf
6805 * object based on the type. The bpf maps and programs, not like other files and
6806 * socket, are using a shared anonymous inode inside the kernel as their inode.
6807 * So checking that inode cannot identify if the process have privilege to
6808 * access the bpf object and that's why we have to add this additional check in
6809 * selinux_file_receive and selinux_binder_transfer_files.
6810 */
6811static int bpf_fd_pass(struct file *file, u32 sid)
6812{
6813 struct bpf_security_struct *bpfsec;
6814 struct bpf_prog *prog;
6815 struct bpf_map *map;
6816 int ret;
6817
6818 if (file->f_op == &bpf_map_fops) {
6819 map = file->private_data;
6820 bpfsec = map->security;
6821 ret = avc_has_perm(&selinux_state,
6822 sid, bpfsec->sid, SECCLASS_BPF,
6823 bpf_map_fmode_to_av(file->f_mode), NULL);
6824 if (ret)
6825 return ret;
6826 } else if (file->f_op == &bpf_prog_fops) {
6827 prog = file->private_data;
6828 bpfsec = prog->aux->security;
6829 ret = avc_has_perm(&selinux_state,
6830 sid, bpfsec->sid, SECCLASS_BPF,
6831 BPF__PROG_RUN, NULL);
6832 if (ret)
6833 return ret;
6834 }
6835 return 0;
6836}
6837
6838static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6839{
6840 u32 sid = current_sid();
6841 struct bpf_security_struct *bpfsec;
6842
6843 bpfsec = map->security;
6844 return avc_has_perm(&selinux_state,
6845 sid, bpfsec->sid, SECCLASS_BPF,
6846 bpf_map_fmode_to_av(fmode), NULL);
6847}
6848
6849static int selinux_bpf_prog(struct bpf_prog *prog)
6850{
6851 u32 sid = current_sid();
6852 struct bpf_security_struct *bpfsec;
6853
6854 bpfsec = prog->aux->security;
6855 return avc_has_perm(&selinux_state,
6856 sid, bpfsec->sid, SECCLASS_BPF,
6857 BPF__PROG_RUN, NULL);
6858}
6859
6860static int selinux_bpf_map_alloc(struct bpf_map *map)
6861{
6862 struct bpf_security_struct *bpfsec;
6863
6864 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6865 if (!bpfsec)
6866 return -ENOMEM;
6867
6868 bpfsec->sid = current_sid();
6869 map->security = bpfsec;
6870
6871 return 0;
6872}
6873
6874static void selinux_bpf_map_free(struct bpf_map *map)
6875{
6876 struct bpf_security_struct *bpfsec = map->security;
6877
6878 map->security = NULL;
6879 kfree(bpfsec);
6880}
6881
6882static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6883{
6884 struct bpf_security_struct *bpfsec;
6885
6886 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6887 if (!bpfsec)
6888 return -ENOMEM;
6889
6890 bpfsec->sid = current_sid();
6891 aux->security = bpfsec;
6892
6893 return 0;
6894}
6895
6896static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6897{
6898 struct bpf_security_struct *bpfsec = aux->security;
6899
6900 aux->security = NULL;
6901 kfree(bpfsec);
6902}
6903#endif
6904
6905static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6906 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6907 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6908 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6909 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6910
6911 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6912 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6913 LSM_HOOK_INIT(capget, selinux_capget),
6914 LSM_HOOK_INIT(capset, selinux_capset),
6915 LSM_HOOK_INIT(capable, selinux_capable),
6916 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6917 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6918 LSM_HOOK_INIT(syslog, selinux_syslog),
6919 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6920
6921 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6922
6923 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6924 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6925 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6926
6927 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6928 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6929 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6930 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6931 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6932 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6933 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6934 LSM_HOOK_INIT(sb_mount, selinux_mount),
6935 LSM_HOOK_INIT(sb_umount, selinux_umount),
6936 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6937 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6938 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6939
6940 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6941 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6942
6943 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6944 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6945 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6946 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6947 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6948 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6949 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6950 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6951 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6952 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6953 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6954 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6955 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6956 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6957 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6958 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6959 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6960 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6961 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6962 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6963 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6964 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6965 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6966 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6967 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6968 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6969 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6970
6971 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6972 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6973 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6974 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6975 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6976 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6977 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6978 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6979 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6980 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6981 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6982 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6983
6984 LSM_HOOK_INIT(file_open, selinux_file_open),
6985
6986 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6987 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6988 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6989 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6990 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6991 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6992 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6993 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6994 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6995 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6996 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6997 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6998 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6999 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7000 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
7001 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7002 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7003 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7004 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7005 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7006 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7007 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7008 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7009 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7010 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7011
7012 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7013 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7014
7015 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7016 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
7017
7018 LSM_HOOK_INIT(msg_queue_alloc_security,
7019 selinux_msg_queue_alloc_security),
7020 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
7021 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7022 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7023 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7024 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7025
7026 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7027 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7028 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7029 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7030 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7031
7032 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7033 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7034 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7035 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7036 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7037
7038 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7039
7040 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7041 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7042
7043 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7044 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7045 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7046 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7047 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7048 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7049 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7050 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7051
7052 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7053 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7054
7055 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7056 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7057 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7058 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7059 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7060 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7061 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7062 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7063 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7064 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7065 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7066 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7067 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7068 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7069 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7070 LSM_HOOK_INIT(socket_getpeersec_stream,
7071 selinux_socket_getpeersec_stream),
7072 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7073 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7074 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7075 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7076 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7077 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7078 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7079 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7080 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7081 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7082 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7083 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7084 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7085 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7086 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7087 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7088 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7089 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7090 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7091 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7092 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7093 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7094#ifdef CONFIG_SECURITY_INFINIBAND
7095 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7096 LSM_HOOK_INIT(ib_endport_manage_subnet,
7097 selinux_ib_endport_manage_subnet),
7098 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7099 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7100#endif
7101#ifdef CONFIG_SECURITY_NETWORK_XFRM
7102 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7103 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7104 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7105 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7106 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7107 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7108 selinux_xfrm_state_alloc_acquire),
7109 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7110 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7111 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7112 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7113 selinux_xfrm_state_pol_flow_match),
7114 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7115#endif
7116
7117#ifdef CONFIG_KEYS
7118 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7119 LSM_HOOK_INIT(key_free, selinux_key_free),
7120 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7121 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7122#endif
7123
7124#ifdef CONFIG_AUDIT
7125 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7126 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7127 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7128 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7129#endif
7130
7131#ifdef CONFIG_BPF_SYSCALL
7132 LSM_HOOK_INIT(bpf, selinux_bpf),
7133 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7134 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7135 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7136 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7137 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7138 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7139#endif
7140};
7141
7142static __init int selinux_init(void)
7143{
7144 if (!security_module_enable("selinux")) {
7145 selinux_enabled = 0;
7146 return 0;
7147 }
7148
7149 if (!selinux_enabled) {
7150 pr_info("SELinux: Disabled at boot.\n");
7151 return 0;
7152 }
7153
7154 pr_info("SELinux: Initializing.\n");
7155
7156 memset(&selinux_state, 0, sizeof(selinux_state));
7157 enforcing_set(&selinux_state, selinux_enforcing_boot);
7158 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7159 selinux_ss_init(&selinux_state.ss);
7160 selinux_avc_init(&selinux_state.avc);
7161
7162 /* Set the security state for the initial task. */
7163 cred_init_security();
7164
7165 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7166
7167 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7168 sizeof(struct inode_security_struct),
7169 0, SLAB_PANIC, NULL);
7170 file_security_cache = kmem_cache_create("selinux_file_security",
7171 sizeof(struct file_security_struct),
7172 0, SLAB_PANIC, NULL);
7173 avc_init();
7174
7175 avtab_cache_init();
7176
7177 ebitmap_cache_init();
7178
7179 hashtab_cache_init();
7180
7181 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7182
7183 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7184 panic("SELinux: Unable to register AVC netcache callback\n");
7185
7186 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7187 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7188
7189 if (selinux_enforcing_boot)
7190 pr_debug("SELinux: Starting in enforcing mode\n");
7191 else
7192 pr_debug("SELinux: Starting in permissive mode\n");
7193
7194 return 0;
7195}
7196
7197static void delayed_superblock_init(struct super_block *sb, void *unused)
7198{
7199 superblock_doinit(sb, NULL);
7200}
7201
7202void selinux_complete_init(void)
7203{
7204 pr_debug("SELinux: Completing initialization.\n");
7205
7206 /* Set up any superblocks initialized prior to the policy load. */
7207 pr_debug("SELinux: Setting up existing superblocks.\n");
7208 iterate_supers(delayed_superblock_init, NULL);
7209}
7210
7211/* SELinux requires early initialization in order to label
7212 all processes and objects when they are created. */
7213security_initcall(selinux_init);
7214
7215#if defined(CONFIG_NETFILTER)
7216
7217static const struct nf_hook_ops selinux_nf_ops[] = {
7218 {
7219 .hook = selinux_ipv4_postroute,
7220 .pf = NFPROTO_IPV4,
7221 .hooknum = NF_INET_POST_ROUTING,
7222 .priority = NF_IP_PRI_SELINUX_LAST,
7223 },
7224 {
7225 .hook = selinux_ipv4_forward,
7226 .pf = NFPROTO_IPV4,
7227 .hooknum = NF_INET_FORWARD,
7228 .priority = NF_IP_PRI_SELINUX_FIRST,
7229 },
7230 {
7231 .hook = selinux_ipv4_output,
7232 .pf = NFPROTO_IPV4,
7233 .hooknum = NF_INET_LOCAL_OUT,
7234 .priority = NF_IP_PRI_SELINUX_FIRST,
7235 },
7236#if IS_ENABLED(CONFIG_IPV6)
7237 {
7238 .hook = selinux_ipv6_postroute,
7239 .pf = NFPROTO_IPV6,
7240 .hooknum = NF_INET_POST_ROUTING,
7241 .priority = NF_IP6_PRI_SELINUX_LAST,
7242 },
7243 {
7244 .hook = selinux_ipv6_forward,
7245 .pf = NFPROTO_IPV6,
7246 .hooknum = NF_INET_FORWARD,
7247 .priority = NF_IP6_PRI_SELINUX_FIRST,
7248 },
7249 {
7250 .hook = selinux_ipv6_output,
7251 .pf = NFPROTO_IPV6,
7252 .hooknum = NF_INET_LOCAL_OUT,
7253 .priority = NF_IP6_PRI_SELINUX_FIRST,
7254 },
7255#endif /* IPV6 */
7256};
7257
7258static int __net_init selinux_nf_register(struct net *net)
7259{
7260 return nf_register_net_hooks(net, selinux_nf_ops,
7261 ARRAY_SIZE(selinux_nf_ops));
7262}
7263
7264static void __net_exit selinux_nf_unregister(struct net *net)
7265{
7266 nf_unregister_net_hooks(net, selinux_nf_ops,
7267 ARRAY_SIZE(selinux_nf_ops));
7268}
7269
7270static struct pernet_operations selinux_net_ops = {
7271 .init = selinux_nf_register,
7272 .exit = selinux_nf_unregister,
7273};
7274
7275static int __init selinux_nf_ip_init(void)
7276{
7277 int err;
7278
7279 if (!selinux_enabled)
7280 return 0;
7281
7282 pr_debug("SELinux: Registering netfilter hooks\n");
7283
7284 err = register_pernet_subsys(&selinux_net_ops);
7285 if (err)
7286 panic("SELinux: register_pernet_subsys: error %d\n", err);
7287
7288 return 0;
7289}
7290__initcall(selinux_nf_ip_init);
7291
7292#ifdef CONFIG_SECURITY_SELINUX_DISABLE
7293static void selinux_nf_ip_exit(void)
7294{
7295 pr_debug("SELinux: Unregistering netfilter hooks\n");
7296
7297 unregister_pernet_subsys(&selinux_net_ops);
7298}
7299#endif
7300
7301#else /* CONFIG_NETFILTER */
7302
7303#ifdef CONFIG_SECURITY_SELINUX_DISABLE
7304#define selinux_nf_ip_exit()
7305#endif
7306
7307#endif /* CONFIG_NETFILTER */
7308
7309#ifdef CONFIG_SECURITY_SELINUX_DISABLE
7310int selinux_disable(struct selinux_state *state)
7311{
7312 if (state->initialized) {
7313 /* Not permitted after initial policy load. */
7314 return -EINVAL;
7315 }
7316
7317 if (state->disabled) {
7318 /* Only do this once. */
7319 return -EINVAL;
7320 }
7321
7322 state->disabled = 1;
7323
7324 pr_info("SELinux: Disabled at runtime.\n");
7325
7326 selinux_enabled = 0;
7327
7328 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7329
7330 /* Try to destroy the avc node cache */
7331 avc_disable();
7332
7333 /* Unregister netfilter hooks. */
7334 selinux_nf_ip_exit();
7335
7336 /* Unregister selinuxfs. */
7337 exit_sel_fs();
7338
7339 return 0;
7340}
7341#endif