projects / linux-2.6-block.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Infrastructure management of the cred security blob
[linux-2.6-block.git] / security / selinux / hooks.c
... / ...
CommitLineData
1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
25 */
26
27#include <linux/init.h>
28#include <linux/kd.h>
29#include <linux/kernel.h>
30#include <linux/tracehook.h>
31#include <linux/errno.h>
32#include <linux/sched/signal.h>
33#include <linux/sched/task.h>
34#include <linux/lsm_hooks.h>
35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
42#include <linux/proc_fs.h>
43#include <linux/swap.h>
44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
46#include <linux/dcache.h>
47#include <linux/file.h>
48#include <linux/fdtable.h>
49#include <linux/namei.h>
50#include <linux/mount.h>
51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
55#include <net/ip.h> /* for local_port_range[] */
56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57#include <net/inet_connection_sock.h>
58#include <net/net_namespace.h>
59#include <net/netlabel.h>
60#include <linux/uaccess.h>
61#include <asm/ioctls.h>
62#include <linux/atomic.h>
63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
66#include <net/netlink.h>
67#include <linux/tcp.h>
68#include <linux/udp.h>
69#include <linux/dccp.h>
70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
72#include <linux/quota.h>
73#include <linux/un.h> /* for Unix socket types */
74#include <net/af_unix.h> /* for Unix socket types */
75#include <linux/parser.h>
76#include <linux/nfs_mount.h>
77#include <net/ipv6.h>
78#include <linux/hugetlb.h>
79#include <linux/personality.h>
80#include <linux/audit.h>
81#include <linux/string.h>
82#include <linux/mutex.h>
83#include <linux/posix-timers.h>
84#include <linux/syslog.h>
85#include <linux/user_namespace.h>
86#include <linux/export.h>
87#include <linux/msg.h>
88#include <linux/shm.h>
89#include <linux/bpf.h>
90#include <uapi/linux/mount.h>
91
92#include "avc.h"
93#include "objsec.h"
94#include "netif.h"
95#include "netnode.h"
96#include "netport.h"
97#include "ibpkey.h"
98#include "xfrm.h"
99#include "netlabel.h"
100#include "audit.h"
101#include "avc_ss.h"
102
103struct selinux_state selinux_state;
104
105/* SECMARK reference count */
106static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
107
108#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109static int selinux_enforcing_boot;
110
111static int __init enforcing_setup(char *str)
112{
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
116 return 1;
117}
118__setup("enforcing=", enforcing_setup);
119#else
120#define selinux_enforcing_boot 1
121#endif
122
123int selinux_enabled __lsm_ro_after_init = 1;
124#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
125static int __init selinux_enabled_setup(char *str)
126{
127 unsigned long enabled;
128 if (!kstrtoul(str, 0, &enabled))
129 selinux_enabled = enabled ? 1 : 0;
130 return 1;
131}
132__setup("selinux=", selinux_enabled_setup);
133#endif
134
135static unsigned int selinux_checkreqprot_boot =
136 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
137
138static int __init checkreqprot_setup(char *str)
139{
140 unsigned long checkreqprot;
141
142 if (!kstrtoul(str, 0, &checkreqprot))
143 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
144 return 1;
145}
146__setup("checkreqprot=", checkreqprot_setup);
147
148static struct kmem_cache *sel_inode_cache;
149static struct kmem_cache *file_security_cache;
150
151/**
152 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
153 *
154 * Description:
155 * This function checks the SECMARK reference counter to see if any SECMARK
156 * targets are currently configured, if the reference counter is greater than
157 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
158 * enabled, false (0) if SECMARK is disabled. If the always_check_network
159 * policy capability is enabled, SECMARK is always considered enabled.
160 *
161 */
162static int selinux_secmark_enabled(void)
163{
164 return (selinux_policycap_alwaysnetwork() ||
165 atomic_read(&selinux_secmark_refcount));
166}
167
168/**
169 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
170 *
171 * Description:
172 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
173 * (1) if any are enabled or false (0) if neither are enabled. If the
174 * always_check_network policy capability is enabled, peer labeling
175 * is always considered enabled.
176 *
177 */
178static int selinux_peerlbl_enabled(void)
179{
180 return (selinux_policycap_alwaysnetwork() ||
181 netlbl_enabled() || selinux_xfrm_enabled());
182}
183
184static int selinux_netcache_avc_callback(u32 event)
185{
186 if (event == AVC_CALLBACK_RESET) {
187 sel_netif_flush();
188 sel_netnode_flush();
189 sel_netport_flush();
190 synchronize_net();
191 }
192 return 0;
193}
194
195static int selinux_lsm_notifier_avc_callback(u32 event)
196{
197 if (event == AVC_CALLBACK_RESET) {
198 sel_ib_pkey_flush();
199 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
200 }
201
202 return 0;
203}
204
205/*
206 * initialise the security for the init task
207 */
208static void cred_init_security(void)
209{
210 struct cred *cred = (struct cred *) current->real_cred;
211 struct task_security_struct *tsec;
212
213 lsm_early_cred(cred);
214 tsec = selinux_cred(cred);
215 tsec->osid = tsec->sid = SECINITSID_KERNEL;
216}
217
218/*
219 * get the security ID of a set of credentials
220 */
221static inline u32 cred_sid(const struct cred *cred)
222{
223 const struct task_security_struct *tsec;
224
225 tsec = selinux_cred(cred);
226 return tsec->sid;
227}
228
229/*
230 * get the objective security ID of a task
231 */
232static inline u32 task_sid(const struct task_struct *task)
233{
234 u32 sid;
235
236 rcu_read_lock();
237 sid = cred_sid(__task_cred(task));
238 rcu_read_unlock();
239 return sid;
240}
241
242/* Allocate and free functions for each kind of security blob. */
243
244static int inode_alloc_security(struct inode *inode)
245{
246 struct inode_security_struct *isec;
247 u32 sid = current_sid();
248
249 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
250 if (!isec)
251 return -ENOMEM;
252
253 spin_lock_init(&isec->lock);
254 INIT_LIST_HEAD(&isec->list);
255 isec->inode = inode;
256 isec->sid = SECINITSID_UNLABELED;
257 isec->sclass = SECCLASS_FILE;
258 isec->task_sid = sid;
259 isec->initialized = LABEL_INVALID;
260 inode->i_security = isec;
261
262 return 0;
263}
264
265static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
266
267/*
268 * Try reloading inode security labels that have been marked as invalid. The
269 * @may_sleep parameter indicates when sleeping and thus reloading labels is
270 * allowed; when set to false, returns -ECHILD when the label is
271 * invalid. The @dentry parameter should be set to a dentry of the inode.
272 */
273static int __inode_security_revalidate(struct inode *inode,
274 struct dentry *dentry,
275 bool may_sleep)
276{
277 struct inode_security_struct *isec = inode->i_security;
278
279 might_sleep_if(may_sleep);
280
281 if (selinux_state.initialized &&
282 isec->initialized != LABEL_INITIALIZED) {
283 if (!may_sleep)
284 return -ECHILD;
285
286 /*
287 * Try reloading the inode security label. This will fail if
288 * @opt_dentry is NULL and no dentry for this inode can be
289 * found; in that case, continue using the old label.
290 */
291 inode_doinit_with_dentry(inode, dentry);
292 }
293 return 0;
294}
295
296static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
297{
298 return inode->i_security;
299}
300
301static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
302{
303 int error;
304
305 error = __inode_security_revalidate(inode, NULL, !rcu);
306 if (error)
307 return ERR_PTR(error);
308 return inode->i_security;
309}
310
311/*
312 * Get the security label of an inode.
313 */
314static struct inode_security_struct *inode_security(struct inode *inode)
315{
316 __inode_security_revalidate(inode, NULL, true);
317 return inode->i_security;
318}
319
320static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
321{
322 struct inode *inode = d_backing_inode(dentry);
323
324 return inode->i_security;
325}
326
327/*
328 * Get the security label of a dentry's backing inode.
329 */
330static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
331{
332 struct inode *inode = d_backing_inode(dentry);
333
334 __inode_security_revalidate(inode, dentry, true);
335 return inode->i_security;
336}
337
338static void inode_free_rcu(struct rcu_head *head)
339{
340 struct inode_security_struct *isec;
341
342 isec = container_of(head, struct inode_security_struct, rcu);
343 kmem_cache_free(sel_inode_cache, isec);
344}
345
346static void inode_free_security(struct inode *inode)
347{
348 struct inode_security_struct *isec = inode->i_security;
349 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
350
351 /*
352 * As not all inode security structures are in a list, we check for
353 * empty list outside of the lock to make sure that we won't waste
354 * time taking a lock doing nothing.
355 *
356 * The list_del_init() function can be safely called more than once.
357 * It should not be possible for this function to be called with
358 * concurrent list_add(), but for better safety against future changes
359 * in the code, we use list_empty_careful() here.
360 */
361 if (!list_empty_careful(&isec->list)) {
362 spin_lock(&sbsec->isec_lock);
363 list_del_init(&isec->list);
364 spin_unlock(&sbsec->isec_lock);
365 }
366
367 /*
368 * The inode may still be referenced in a path walk and
369 * a call to selinux_inode_permission() can be made
370 * after inode_free_security() is called. Ideally, the VFS
371 * wouldn't do this, but fixing that is a much harder
372 * job. For now, simply free the i_security via RCU, and
373 * leave the current inode->i_security pointer intact.
374 * The inode will be freed after the RCU grace period too.
375 */
376 call_rcu(&isec->rcu, inode_free_rcu);
377}
378
379static int file_alloc_security(struct file *file)
380{
381 struct file_security_struct *fsec;
382 u32 sid = current_sid();
383
384 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
385 if (!fsec)
386 return -ENOMEM;
387
388 fsec->sid = sid;
389 fsec->fown_sid = sid;
390 file->f_security = fsec;
391
392 return 0;
393}
394
395static void file_free_security(struct file *file)
396{
397 struct file_security_struct *fsec = file->f_security;
398 file->f_security = NULL;
399 kmem_cache_free(file_security_cache, fsec);
400}
401
402static int superblock_alloc_security(struct super_block *sb)
403{
404 struct superblock_security_struct *sbsec;
405
406 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
407 if (!sbsec)
408 return -ENOMEM;
409
410 mutex_init(&sbsec->lock);
411 INIT_LIST_HEAD(&sbsec->isec_head);
412 spin_lock_init(&sbsec->isec_lock);
413 sbsec->sb = sb;
414 sbsec->sid = SECINITSID_UNLABELED;
415 sbsec->def_sid = SECINITSID_FILE;
416 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
417 sb->s_security = sbsec;
418
419 return 0;
420}
421
422static void superblock_free_security(struct super_block *sb)
423{
424 struct superblock_security_struct *sbsec = sb->s_security;
425 sb->s_security = NULL;
426 kfree(sbsec);
427}
428
429struct selinux_mnt_opts {
430 const char *fscontext, *context, *rootcontext, *defcontext;
431};
432
433static void selinux_free_mnt_opts(void *mnt_opts)
434{
435 struct selinux_mnt_opts *opts = mnt_opts;
436 kfree(opts->fscontext);
437 kfree(opts->context);
438 kfree(opts->rootcontext);
439 kfree(opts->defcontext);
440 kfree(opts);
441}
442
443static inline int inode_doinit(struct inode *inode)
444{
445 return inode_doinit_with_dentry(inode, NULL);
446}
447
448enum {
449 Opt_error = -1,
450 Opt_context = 1,
451 Opt_fscontext = 2,
452 Opt_defcontext = 3,
453 Opt_rootcontext = 4,
454 Opt_seclabel = 5,
455};
456
457#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
458static struct {
459 const char *name;
460 int len;
461 int opt;
462 bool has_arg;
463} tokens[] = {
464 A(context, true),
465 A(fscontext, true),
466 A(defcontext, true),
467 A(rootcontext, true),
468 A(seclabel, false),
469};
470#undef A
471
472static int match_opt_prefix(char *s, int l, char **arg)
473{
474 int i;
475
476 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
477 size_t len = tokens[i].len;
478 if (len > l || memcmp(s, tokens[i].name, len))
479 continue;
480 if (tokens[i].has_arg) {
481 if (len == l || s[len] != '=')
482 continue;
483 *arg = s + len + 1;
484 } else if (len != l)
485 continue;
486 return tokens[i].opt;
487 }
488 return Opt_error;
489}
490
491#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
492
493static int may_context_mount_sb_relabel(u32 sid,
494 struct superblock_security_struct *sbsec,
495 const struct cred *cred)
496{
497 const struct task_security_struct *tsec = selinux_cred(cred);
498 int rc;
499
500 rc = avc_has_perm(&selinux_state,
501 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
502 FILESYSTEM__RELABELFROM, NULL);
503 if (rc)
504 return rc;
505
506 rc = avc_has_perm(&selinux_state,
507 tsec->sid, sid, SECCLASS_FILESYSTEM,
508 FILESYSTEM__RELABELTO, NULL);
509 return rc;
510}
511
512static int may_context_mount_inode_relabel(u32 sid,
513 struct superblock_security_struct *sbsec,
514 const struct cred *cred)
515{
516 const struct task_security_struct *tsec = selinux_cred(cred);
517 int rc;
518 rc = avc_has_perm(&selinux_state,
519 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
520 FILESYSTEM__RELABELFROM, NULL);
521 if (rc)
522 return rc;
523
524 rc = avc_has_perm(&selinux_state,
525 sid, sbsec->sid, SECCLASS_FILESYSTEM,
526 FILESYSTEM__ASSOCIATE, NULL);
527 return rc;
528}
529
530static int selinux_is_sblabel_mnt(struct super_block *sb)
531{
532 struct superblock_security_struct *sbsec = sb->s_security;
533
534 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
535 sbsec->behavior == SECURITY_FS_USE_TRANS ||
536 sbsec->behavior == SECURITY_FS_USE_TASK ||
537 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
538 /* Special handling. Genfs but also in-core setxattr handler */
539 !strcmp(sb->s_type->name, "sysfs") ||
540 !strcmp(sb->s_type->name, "pstore") ||
541 !strcmp(sb->s_type->name, "debugfs") ||
542 !strcmp(sb->s_type->name, "tracefs") ||
543 !strcmp(sb->s_type->name, "rootfs") ||
544 (selinux_policycap_cgroupseclabel() &&
545 (!strcmp(sb->s_type->name, "cgroup") ||
546 !strcmp(sb->s_type->name, "cgroup2")));
547}
548
549static int sb_finish_set_opts(struct super_block *sb)
550{
551 struct superblock_security_struct *sbsec = sb->s_security;
552 struct dentry *root = sb->s_root;
553 struct inode *root_inode = d_backing_inode(root);
554 int rc = 0;
555
556 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
557 /* Make sure that the xattr handler exists and that no
558 error other than -ENODATA is returned by getxattr on
559 the root directory. -ENODATA is ok, as this may be
560 the first boot of the SELinux kernel before we have
561 assigned xattr values to the filesystem. */
562 if (!(root_inode->i_opflags & IOP_XATTR)) {
563 pr_warn("SELinux: (dev %s, type %s) has no "
564 "xattr support\n", sb->s_id, sb->s_type->name);
565 rc = -EOPNOTSUPP;
566 goto out;
567 }
568
569 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
570 if (rc < 0 && rc != -ENODATA) {
571 if (rc == -EOPNOTSUPP)
572 pr_warn("SELinux: (dev %s, type "
573 "%s) has no security xattr handler\n",
574 sb->s_id, sb->s_type->name);
575 else
576 pr_warn("SELinux: (dev %s, type "
577 "%s) getxattr errno %d\n", sb->s_id,
578 sb->s_type->name, -rc);
579 goto out;
580 }
581 }
582
583 sbsec->flags |= SE_SBINITIALIZED;
584
585 /*
586 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
587 * leave the flag untouched because sb_clone_mnt_opts might be handing
588 * us a superblock that needs the flag to be cleared.
589 */
590 if (selinux_is_sblabel_mnt(sb))
591 sbsec->flags |= SBLABEL_MNT;
592 else
593 sbsec->flags &= ~SBLABEL_MNT;
594
595 /* Initialize the root inode. */
596 rc = inode_doinit_with_dentry(root_inode, root);
597
598 /* Initialize any other inodes associated with the superblock, e.g.
599 inodes created prior to initial policy load or inodes created
600 during get_sb by a pseudo filesystem that directly
601 populates itself. */
602 spin_lock(&sbsec->isec_lock);
603 while (!list_empty(&sbsec->isec_head)) {
604 struct inode_security_struct *isec =
605 list_first_entry(&sbsec->isec_head,
606 struct inode_security_struct, list);
607 struct inode *inode = isec->inode;
608 list_del_init(&isec->list);
609 spin_unlock(&sbsec->isec_lock);
610 inode = igrab(inode);
611 if (inode) {
612 if (!IS_PRIVATE(inode))
613 inode_doinit(inode);
614 iput(inode);
615 }
616 spin_lock(&sbsec->isec_lock);
617 }
618 spin_unlock(&sbsec->isec_lock);
619out:
620 return rc;
621}
622
623static int bad_option(struct superblock_security_struct *sbsec, char flag,
624 u32 old_sid, u32 new_sid)
625{
626 char mnt_flags = sbsec->flags & SE_MNTMASK;
627
628 /* check if the old mount command had the same options */
629 if (sbsec->flags & SE_SBINITIALIZED)
630 if (!(sbsec->flags & flag) ||
631 (old_sid != new_sid))
632 return 1;
633
634 /* check if we were passed the same options twice,
635 * aka someone passed context=a,context=b
636 */
637 if (!(sbsec->flags & SE_SBINITIALIZED))
638 if (mnt_flags & flag)
639 return 1;
640 return 0;
641}
642
643static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
644{
645 int rc = security_context_str_to_sid(&selinux_state, s,
646 sid, GFP_KERNEL);
647 if (rc)
648 pr_warn("SELinux: security_context_str_to_sid"
649 "(%s) failed for (dev %s, type %s) errno=%d\n",
650 s, sb->s_id, sb->s_type->name, rc);
651 return rc;
652}
653
654/*
655 * Allow filesystems with binary mount data to explicitly set mount point
656 * labeling information.
657 */
658static int selinux_set_mnt_opts(struct super_block *sb,
659 void *mnt_opts,
660 unsigned long kern_flags,
661 unsigned long *set_kern_flags)
662{
663 const struct cred *cred = current_cred();
664 struct superblock_security_struct *sbsec = sb->s_security;
665 struct dentry *root = sbsec->sb->s_root;
666 struct selinux_mnt_opts *opts = mnt_opts;
667 struct inode_security_struct *root_isec;
668 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
669 u32 defcontext_sid = 0;
670 int rc = 0;
671
672 mutex_lock(&sbsec->lock);
673
674 if (!selinux_state.initialized) {
675 if (!opts) {
676 /* Defer initialization until selinux_complete_init,
677 after the initial policy is loaded and the security
678 server is ready to handle calls. */
679 goto out;
680 }
681 rc = -EINVAL;
682 pr_warn("SELinux: Unable to set superblock options "
683 "before the security server is initialized\n");
684 goto out;
685 }
686 if (kern_flags && !set_kern_flags) {
687 /* Specifying internal flags without providing a place to
688 * place the results is not allowed */
689 rc = -EINVAL;
690 goto out;
691 }
692
693 /*
694 * Binary mount data FS will come through this function twice. Once
695 * from an explicit call and once from the generic calls from the vfs.
696 * Since the generic VFS calls will not contain any security mount data
697 * we need to skip the double mount verification.
698 *
699 * This does open a hole in which we will not notice if the first
700 * mount using this sb set explict options and a second mount using
701 * this sb does not set any security options. (The first options
702 * will be used for both mounts)
703 */
704 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
705 && !opts)
706 goto out;
707
708 root_isec = backing_inode_security_novalidate(root);
709
710 /*
711 * parse the mount options, check if they are valid sids.
712 * also check if someone is trying to mount the same sb more
713 * than once with different security options.
714 */
715 if (opts) {
716 if (opts->fscontext) {
717 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
718 if (rc)
719 goto out;
720 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
721 fscontext_sid))
722 goto out_double_mount;
723 sbsec->flags |= FSCONTEXT_MNT;
724 }
725 if (opts->context) {
726 rc = parse_sid(sb, opts->context, &context_sid);
727 if (rc)
728 goto out;
729 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
730 context_sid))
731 goto out_double_mount;
732 sbsec->flags |= CONTEXT_MNT;
733 }
734 if (opts->rootcontext) {
735 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
736 if (rc)
737 goto out;
738 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
739 rootcontext_sid))
740 goto out_double_mount;
741 sbsec->flags |= ROOTCONTEXT_MNT;
742 }
743 if (opts->defcontext) {
744 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
745 if (rc)
746 goto out;
747 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
748 defcontext_sid))
749 goto out_double_mount;
750 sbsec->flags |= DEFCONTEXT_MNT;
751 }
752 }
753
754 if (sbsec->flags & SE_SBINITIALIZED) {
755 /* previously mounted with options, but not on this attempt? */
756 if ((sbsec->flags & SE_MNTMASK) && !opts)
757 goto out_double_mount;
758 rc = 0;
759 goto out;
760 }
761
762 if (strcmp(sb->s_type->name, "proc") == 0)
763 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
764
765 if (!strcmp(sb->s_type->name, "debugfs") ||
766 !strcmp(sb->s_type->name, "tracefs") ||
767 !strcmp(sb->s_type->name, "sysfs") ||
768 !strcmp(sb->s_type->name, "pstore") ||
769 !strcmp(sb->s_type->name, "cgroup") ||
770 !strcmp(sb->s_type->name, "cgroup2"))
771 sbsec->flags |= SE_SBGENFS;
772
773 if (!sbsec->behavior) {
774 /*
775 * Determine the labeling behavior to use for this
776 * filesystem type.
777 */
778 rc = security_fs_use(&selinux_state, sb);
779 if (rc) {
780 pr_warn("%s: security_fs_use(%s) returned %d\n",
781 __func__, sb->s_type->name, rc);
782 goto out;
783 }
784 }
785
786 /*
787 * If this is a user namespace mount and the filesystem type is not
788 * explicitly whitelisted, then no contexts are allowed on the command
789 * line and security labels must be ignored.
790 */
791 if (sb->s_user_ns != &init_user_ns &&
792 strcmp(sb->s_type->name, "tmpfs") &&
793 strcmp(sb->s_type->name, "ramfs") &&
794 strcmp(sb->s_type->name, "devpts")) {
795 if (context_sid || fscontext_sid || rootcontext_sid ||
796 defcontext_sid) {
797 rc = -EACCES;
798 goto out;
799 }
800 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
801 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
802 rc = security_transition_sid(&selinux_state,
803 current_sid(),
804 current_sid(),
805 SECCLASS_FILE, NULL,
806 &sbsec->mntpoint_sid);
807 if (rc)
808 goto out;
809 }
810 goto out_set_opts;
811 }
812
813 /* sets the context of the superblock for the fs being mounted. */
814 if (fscontext_sid) {
815 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
816 if (rc)
817 goto out;
818
819 sbsec->sid = fscontext_sid;
820 }
821
822 /*
823 * Switch to using mount point labeling behavior.
824 * sets the label used on all file below the mountpoint, and will set
825 * the superblock context if not already set.
826 */
827 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
828 sbsec->behavior = SECURITY_FS_USE_NATIVE;
829 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
830 }
831
832 if (context_sid) {
833 if (!fscontext_sid) {
834 rc = may_context_mount_sb_relabel(context_sid, sbsec,
835 cred);
836 if (rc)
837 goto out;
838 sbsec->sid = context_sid;
839 } else {
840 rc = may_context_mount_inode_relabel(context_sid, sbsec,
841 cred);
842 if (rc)
843 goto out;
844 }
845 if (!rootcontext_sid)
846 rootcontext_sid = context_sid;
847
848 sbsec->mntpoint_sid = context_sid;
849 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
850 }
851
852 if (rootcontext_sid) {
853 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
854 cred);
855 if (rc)
856 goto out;
857
858 root_isec->sid = rootcontext_sid;
859 root_isec->initialized = LABEL_INITIALIZED;
860 }
861
862 if (defcontext_sid) {
863 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
864 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
865 rc = -EINVAL;
866 pr_warn("SELinux: defcontext option is "
867 "invalid for this filesystem type\n");
868 goto out;
869 }
870
871 if (defcontext_sid != sbsec->def_sid) {
872 rc = may_context_mount_inode_relabel(defcontext_sid,
873 sbsec, cred);
874 if (rc)
875 goto out;
876 }
877
878 sbsec->def_sid = defcontext_sid;
879 }
880
881out_set_opts:
882 rc = sb_finish_set_opts(sb);
883out:
884 mutex_unlock(&sbsec->lock);
885 return rc;
886out_double_mount:
887 rc = -EINVAL;
888 pr_warn("SELinux: mount invalid. Same superblock, different "
889 "security settings for (dev %s, type %s)\n", sb->s_id,
890 sb->s_type->name);
891 goto out;
892}
893
894static int selinux_cmp_sb_context(const struct super_block *oldsb,
895 const struct super_block *newsb)
896{
897 struct superblock_security_struct *old = oldsb->s_security;
898 struct superblock_security_struct *new = newsb->s_security;
899 char oldflags = old->flags & SE_MNTMASK;
900 char newflags = new->flags & SE_MNTMASK;
901
902 if (oldflags != newflags)
903 goto mismatch;
904 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
905 goto mismatch;
906 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
907 goto mismatch;
908 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
909 goto mismatch;
910 if (oldflags & ROOTCONTEXT_MNT) {
911 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
912 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
913 if (oldroot->sid != newroot->sid)
914 goto mismatch;
915 }
916 return 0;
917mismatch:
918 pr_warn("SELinux: mount invalid. Same superblock, "
919 "different security settings for (dev %s, "
920 "type %s)\n", newsb->s_id, newsb->s_type->name);
921 return -EBUSY;
922}
923
924static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
925 struct super_block *newsb,
926 unsigned long kern_flags,
927 unsigned long *set_kern_flags)
928{
929 int rc = 0;
930 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
931 struct superblock_security_struct *newsbsec = newsb->s_security;
932
933 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
934 int set_context = (oldsbsec->flags & CONTEXT_MNT);
935 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
936
937 /*
938 * if the parent was able to be mounted it clearly had no special lsm
939 * mount options. thus we can safely deal with this superblock later
940 */
941 if (!selinux_state.initialized)
942 return 0;
943
944 /*
945 * Specifying internal flags without providing a place to
946 * place the results is not allowed.
947 */
948 if (kern_flags && !set_kern_flags)
949 return -EINVAL;
950
951 /* how can we clone if the old one wasn't set up?? */
952 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
953
954 /* if fs is reusing a sb, make sure that the contexts match */
955 if (newsbsec->flags & SE_SBINITIALIZED)
956 return selinux_cmp_sb_context(oldsb, newsb);
957
958 mutex_lock(&newsbsec->lock);
959
960 newsbsec->flags = oldsbsec->flags;
961
962 newsbsec->sid = oldsbsec->sid;
963 newsbsec->def_sid = oldsbsec->def_sid;
964 newsbsec->behavior = oldsbsec->behavior;
965
966 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
967 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
968 rc = security_fs_use(&selinux_state, newsb);
969 if (rc)
970 goto out;
971 }
972
973 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
974 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
975 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
976 }
977
978 if (set_context) {
979 u32 sid = oldsbsec->mntpoint_sid;
980
981 if (!set_fscontext)
982 newsbsec->sid = sid;
983 if (!set_rootcontext) {
984 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
985 newisec->sid = sid;
986 }
987 newsbsec->mntpoint_sid = sid;
988 }
989 if (set_rootcontext) {
990 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
991 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
992
993 newisec->sid = oldisec->sid;
994 }
995
996 sb_finish_set_opts(newsb);
997out:
998 mutex_unlock(&newsbsec->lock);
999 return rc;
1000}
1001
1002static int selinux_add_opt(int token, const char *s, void **mnt_opts)
1003{
1004 struct selinux_mnt_opts *opts = *mnt_opts;
1005
1006 if (token == Opt_seclabel) /* eaten and completely ignored */
1007 return 0;
1008
1009 if (!opts) {
1010 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1011 if (!opts)
1012 return -ENOMEM;
1013 *mnt_opts = opts;
1014 }
1015 if (!s)
1016 return -ENOMEM;
1017 switch (token) {
1018 case Opt_context:
1019 if (opts->context || opts->defcontext)
1020 goto Einval;
1021 opts->context = s;
1022 break;
1023 case Opt_fscontext:
1024 if (opts->fscontext)
1025 goto Einval;
1026 opts->fscontext = s;
1027 break;
1028 case Opt_rootcontext:
1029 if (opts->rootcontext)
1030 goto Einval;
1031 opts->rootcontext = s;
1032 break;
1033 case Opt_defcontext:
1034 if (opts->context || opts->defcontext)
1035 goto Einval;
1036 opts->defcontext = s;
1037 break;
1038 }
1039 return 0;
1040Einval:
1041 pr_warn(SEL_MOUNT_FAIL_MSG);
1042 return -EINVAL;
1043}
1044
1045static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1046 void **mnt_opts)
1047{
1048 int token = Opt_error;
1049 int rc, i;
1050
1051 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1052 if (strcmp(option, tokens[i].name) == 0) {
1053 token = tokens[i].opt;
1054 break;
1055 }
1056 }
1057
1058 if (token == Opt_error)
1059 return -EINVAL;
1060
1061 if (token != Opt_seclabel)
1062 val = kmemdup_nul(val, len, GFP_KERNEL);
1063 rc = selinux_add_opt(token, val, mnt_opts);
1064 if (unlikely(rc)) {
1065 kfree(val);
1066 if (*mnt_opts) {
1067 selinux_free_mnt_opts(*mnt_opts);
1068 *mnt_opts = NULL;
1069 }
1070 }
1071 return rc;
1072}
1073
1074static int show_sid(struct seq_file *m, u32 sid)
1075{
1076 char *context = NULL;
1077 u32 len;
1078 int rc;
1079
1080 rc = security_sid_to_context(&selinux_state, sid,
1081 &context, &len);
1082 if (!rc) {
1083 bool has_comma = context && strchr(context, ',');
1084
1085 if (has_comma)
1086 seq_putc(m, '\"');
1087 seq_escape(m, context, "\"\n\\");
1088 if (has_comma)
1089 seq_putc(m, '\"');
1090 }
1091 kfree(context);
1092 return rc;
1093}
1094
1095static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1096{
1097 struct superblock_security_struct *sbsec = sb->s_security;
1098 int rc;
1099
1100 if (!(sbsec->flags & SE_SBINITIALIZED))
1101 return 0;
1102
1103 if (!selinux_state.initialized)
1104 return 0;
1105
1106 if (sbsec->flags & FSCONTEXT_MNT) {
1107 seq_putc(m, ',');
1108 seq_puts(m, FSCONTEXT_STR);
1109 rc = show_sid(m, sbsec->sid);
1110 if (rc)
1111 return rc;
1112 }
1113 if (sbsec->flags & CONTEXT_MNT) {
1114 seq_putc(m, ',');
1115 seq_puts(m, CONTEXT_STR);
1116 rc = show_sid(m, sbsec->mntpoint_sid);
1117 if (rc)
1118 return rc;
1119 }
1120 if (sbsec->flags & DEFCONTEXT_MNT) {
1121 seq_putc(m, ',');
1122 seq_puts(m, DEFCONTEXT_STR);
1123 rc = show_sid(m, sbsec->def_sid);
1124 if (rc)
1125 return rc;
1126 }
1127 if (sbsec->flags & ROOTCONTEXT_MNT) {
1128 struct dentry *root = sbsec->sb->s_root;
1129 struct inode_security_struct *isec = backing_inode_security(root);
1130 seq_putc(m, ',');
1131 seq_puts(m, ROOTCONTEXT_STR);
1132 rc = show_sid(m, isec->sid);
1133 if (rc)
1134 return rc;
1135 }
1136 if (sbsec->flags & SBLABEL_MNT) {
1137 seq_putc(m, ',');
1138 seq_puts(m, LABELSUPP_STR);
1139 }
1140 return 0;
1141}
1142
1143static inline u16 inode_mode_to_security_class(umode_t mode)
1144{
1145 switch (mode & S_IFMT) {
1146 case S_IFSOCK:
1147 return SECCLASS_SOCK_FILE;
1148 case S_IFLNK:
1149 return SECCLASS_LNK_FILE;
1150 case S_IFREG:
1151 return SECCLASS_FILE;
1152 case S_IFBLK:
1153 return SECCLASS_BLK_FILE;
1154 case S_IFDIR:
1155 return SECCLASS_DIR;
1156 case S_IFCHR:
1157 return SECCLASS_CHR_FILE;
1158 case S_IFIFO:
1159 return SECCLASS_FIFO_FILE;
1160
1161 }
1162
1163 return SECCLASS_FILE;
1164}
1165
1166static inline int default_protocol_stream(int protocol)
1167{
1168 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1169}
1170
1171static inline int default_protocol_dgram(int protocol)
1172{
1173 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1174}
1175
1176static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1177{
1178 int extsockclass = selinux_policycap_extsockclass();
1179
1180 switch (family) {
1181 case PF_UNIX:
1182 switch (type) {
1183 case SOCK_STREAM:
1184 case SOCK_SEQPACKET:
1185 return SECCLASS_UNIX_STREAM_SOCKET;
1186 case SOCK_DGRAM:
1187 case SOCK_RAW:
1188 return SECCLASS_UNIX_DGRAM_SOCKET;
1189 }
1190 break;
1191 case PF_INET:
1192 case PF_INET6:
1193 switch (type) {
1194 case SOCK_STREAM:
1195 case SOCK_SEQPACKET:
1196 if (default_protocol_stream(protocol))
1197 return SECCLASS_TCP_SOCKET;
1198 else if (extsockclass && protocol == IPPROTO_SCTP)
1199 return SECCLASS_SCTP_SOCKET;
1200 else
1201 return SECCLASS_RAWIP_SOCKET;
1202 case SOCK_DGRAM:
1203 if (default_protocol_dgram(protocol))
1204 return SECCLASS_UDP_SOCKET;
1205 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1206 protocol == IPPROTO_ICMPV6))
1207 return SECCLASS_ICMP_SOCKET;
1208 else
1209 return SECCLASS_RAWIP_SOCKET;
1210 case SOCK_DCCP:
1211 return SECCLASS_DCCP_SOCKET;
1212 default:
1213 return SECCLASS_RAWIP_SOCKET;
1214 }
1215 break;
1216 case PF_NETLINK:
1217 switch (protocol) {
1218 case NETLINK_ROUTE:
1219 return SECCLASS_NETLINK_ROUTE_SOCKET;
1220 case NETLINK_SOCK_DIAG:
1221 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1222 case NETLINK_NFLOG:
1223 return SECCLASS_NETLINK_NFLOG_SOCKET;
1224 case NETLINK_XFRM:
1225 return SECCLASS_NETLINK_XFRM_SOCKET;
1226 case NETLINK_SELINUX:
1227 return SECCLASS_NETLINK_SELINUX_SOCKET;
1228 case NETLINK_ISCSI:
1229 return SECCLASS_NETLINK_ISCSI_SOCKET;
1230 case NETLINK_AUDIT:
1231 return SECCLASS_NETLINK_AUDIT_SOCKET;
1232 case NETLINK_FIB_LOOKUP:
1233 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1234 case NETLINK_CONNECTOR:
1235 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1236 case NETLINK_NETFILTER:
1237 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1238 case NETLINK_DNRTMSG:
1239 return SECCLASS_NETLINK_DNRT_SOCKET;
1240 case NETLINK_KOBJECT_UEVENT:
1241 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1242 case NETLINK_GENERIC:
1243 return SECCLASS_NETLINK_GENERIC_SOCKET;
1244 case NETLINK_SCSITRANSPORT:
1245 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1246 case NETLINK_RDMA:
1247 return SECCLASS_NETLINK_RDMA_SOCKET;
1248 case NETLINK_CRYPTO:
1249 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1250 default:
1251 return SECCLASS_NETLINK_SOCKET;
1252 }
1253 case PF_PACKET:
1254 return SECCLASS_PACKET_SOCKET;
1255 case PF_KEY:
1256 return SECCLASS_KEY_SOCKET;
1257 case PF_APPLETALK:
1258 return SECCLASS_APPLETALK_SOCKET;
1259 }
1260
1261 if (extsockclass) {
1262 switch (family) {
1263 case PF_AX25:
1264 return SECCLASS_AX25_SOCKET;
1265 case PF_IPX:
1266 return SECCLASS_IPX_SOCKET;
1267 case PF_NETROM:
1268 return SECCLASS_NETROM_SOCKET;
1269 case PF_ATMPVC:
1270 return SECCLASS_ATMPVC_SOCKET;
1271 case PF_X25:
1272 return SECCLASS_X25_SOCKET;
1273 case PF_ROSE:
1274 return SECCLASS_ROSE_SOCKET;
1275 case PF_DECnet:
1276 return SECCLASS_DECNET_SOCKET;
1277 case PF_ATMSVC:
1278 return SECCLASS_ATMSVC_SOCKET;
1279 case PF_RDS:
1280 return SECCLASS_RDS_SOCKET;
1281 case PF_IRDA:
1282 return SECCLASS_IRDA_SOCKET;
1283 case PF_PPPOX:
1284 return SECCLASS_PPPOX_SOCKET;
1285 case PF_LLC:
1286 return SECCLASS_LLC_SOCKET;
1287 case PF_CAN:
1288 return SECCLASS_CAN_SOCKET;
1289 case PF_TIPC:
1290 return SECCLASS_TIPC_SOCKET;
1291 case PF_BLUETOOTH:
1292 return SECCLASS_BLUETOOTH_SOCKET;
1293 case PF_IUCV:
1294 return SECCLASS_IUCV_SOCKET;
1295 case PF_RXRPC:
1296 return SECCLASS_RXRPC_SOCKET;
1297 case PF_ISDN:
1298 return SECCLASS_ISDN_SOCKET;
1299 case PF_PHONET:
1300 return SECCLASS_PHONET_SOCKET;
1301 case PF_IEEE802154:
1302 return SECCLASS_IEEE802154_SOCKET;
1303 case PF_CAIF:
1304 return SECCLASS_CAIF_SOCKET;
1305 case PF_ALG:
1306 return SECCLASS_ALG_SOCKET;
1307 case PF_NFC:
1308 return SECCLASS_NFC_SOCKET;
1309 case PF_VSOCK:
1310 return SECCLASS_VSOCK_SOCKET;
1311 case PF_KCM:
1312 return SECCLASS_KCM_SOCKET;
1313 case PF_QIPCRTR:
1314 return SECCLASS_QIPCRTR_SOCKET;
1315 case PF_SMC:
1316 return SECCLASS_SMC_SOCKET;
1317 case PF_XDP:
1318 return SECCLASS_XDP_SOCKET;
1319#if PF_MAX > 45
1320#error New address family defined, please update this function.
1321#endif
1322 }
1323 }
1324
1325 return SECCLASS_SOCKET;
1326}
1327
1328static int selinux_genfs_get_sid(struct dentry *dentry,
1329 u16 tclass,
1330 u16 flags,
1331 u32 *sid)
1332{
1333 int rc;
1334 struct super_block *sb = dentry->d_sb;
1335 char *buffer, *path;
1336
1337 buffer = (char *)__get_free_page(GFP_KERNEL);
1338 if (!buffer)
1339 return -ENOMEM;
1340
1341 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1342 if (IS_ERR(path))
1343 rc = PTR_ERR(path);
1344 else {
1345 if (flags & SE_SBPROC) {
1346 /* each process gets a /proc/PID/ entry. Strip off the
1347 * PID part to get a valid selinux labeling.
1348 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1349 while (path[1] >= '0' && path[1] <= '9') {
1350 path[1] = '/';
1351 path++;
1352 }
1353 }
1354 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1355 path, tclass, sid);
1356 if (rc == -ENOENT) {
1357 /* No match in policy, mark as unlabeled. */
1358 *sid = SECINITSID_UNLABELED;
1359 rc = 0;
1360 }
1361 }
1362 free_page((unsigned long)buffer);
1363 return rc;
1364}
1365
1366/* The inode's security attributes must be initialized before first use. */
1367static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1368{
1369 struct superblock_security_struct *sbsec = NULL;
1370 struct inode_security_struct *isec = inode->i_security;
1371 u32 task_sid, sid = 0;
1372 u16 sclass;
1373 struct dentry *dentry;
1374#define INITCONTEXTLEN 255
1375 char *context = NULL;
1376 unsigned len = 0;
1377 int rc = 0;
1378
1379 if (isec->initialized == LABEL_INITIALIZED)
1380 return 0;
1381
1382 spin_lock(&isec->lock);
1383 if (isec->initialized == LABEL_INITIALIZED)
1384 goto out_unlock;
1385
1386 if (isec->sclass == SECCLASS_FILE)
1387 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1388
1389 sbsec = inode->i_sb->s_security;
1390 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1391 /* Defer initialization until selinux_complete_init,
1392 after the initial policy is loaded and the security
1393 server is ready to handle calls. */
1394 spin_lock(&sbsec->isec_lock);
1395 if (list_empty(&isec->list))
1396 list_add(&isec->list, &sbsec->isec_head);
1397 spin_unlock(&sbsec->isec_lock);
1398 goto out_unlock;
1399 }
1400
1401 sclass = isec->sclass;
1402 task_sid = isec->task_sid;
1403 sid = isec->sid;
1404 isec->initialized = LABEL_PENDING;
1405 spin_unlock(&isec->lock);
1406
1407 switch (sbsec->behavior) {
1408 case SECURITY_FS_USE_NATIVE:
1409 break;
1410 case SECURITY_FS_USE_XATTR:
1411 if (!(inode->i_opflags & IOP_XATTR)) {
1412 sid = sbsec->def_sid;
1413 break;
1414 }
1415 /* Need a dentry, since the xattr API requires one.
1416 Life would be simpler if we could just pass the inode. */
1417 if (opt_dentry) {
1418 /* Called from d_instantiate or d_splice_alias. */
1419 dentry = dget(opt_dentry);
1420 } else {
1421 /*
1422 * Called from selinux_complete_init, try to find a dentry.
1423 * Some filesystems really want a connected one, so try
1424 * that first. We could split SECURITY_FS_USE_XATTR in
1425 * two, depending upon that...
1426 */
1427 dentry = d_find_alias(inode);
1428 if (!dentry)
1429 dentry = d_find_any_alias(inode);
1430 }
1431 if (!dentry) {
1432 /*
1433 * this is can be hit on boot when a file is accessed
1434 * before the policy is loaded. When we load policy we
1435 * may find inodes that have no dentry on the
1436 * sbsec->isec_head list. No reason to complain as these
1437 * will get fixed up the next time we go through
1438 * inode_doinit with a dentry, before these inodes could
1439 * be used again by userspace.
1440 */
1441 goto out;
1442 }
1443
1444 len = INITCONTEXTLEN;
1445 context = kmalloc(len+1, GFP_NOFS);
1446 if (!context) {
1447 rc = -ENOMEM;
1448 dput(dentry);
1449 goto out;
1450 }
1451 context[len] = '\0';
1452 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1453 if (rc == -ERANGE) {
1454 kfree(context);
1455
1456 /* Need a larger buffer. Query for the right size. */
1457 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1458 if (rc < 0) {
1459 dput(dentry);
1460 goto out;
1461 }
1462 len = rc;
1463 context = kmalloc(len+1, GFP_NOFS);
1464 if (!context) {
1465 rc = -ENOMEM;
1466 dput(dentry);
1467 goto out;
1468 }
1469 context[len] = '\0';
1470 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1471 }
1472 dput(dentry);
1473 if (rc < 0) {
1474 if (rc != -ENODATA) {
1475 pr_warn("SELinux: %s: getxattr returned "
1476 "%d for dev=%s ino=%ld\n", __func__,
1477 -rc, inode->i_sb->s_id, inode->i_ino);
1478 kfree(context);
1479 goto out;
1480 }
1481 /* Map ENODATA to the default file SID */
1482 sid = sbsec->def_sid;
1483 rc = 0;
1484 } else {
1485 rc = security_context_to_sid_default(&selinux_state,
1486 context, rc, &sid,
1487 sbsec->def_sid,
1488 GFP_NOFS);
1489 if (rc) {
1490 char *dev = inode->i_sb->s_id;
1491 unsigned long ino = inode->i_ino;
1492
1493 if (rc == -EINVAL) {
1494 if (printk_ratelimit())
1495 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1496 "context=%s. This indicates you may need to relabel the inode or the "
1497 "filesystem in question.\n", ino, dev, context);
1498 } else {
1499 pr_warn("SELinux: %s: context_to_sid(%s) "
1500 "returned %d for dev=%s ino=%ld\n",
1501 __func__, context, -rc, dev, ino);
1502 }
1503 kfree(context);
1504 /* Leave with the unlabeled SID */
1505 rc = 0;
1506 break;
1507 }
1508 }
1509 kfree(context);
1510 break;
1511 case SECURITY_FS_USE_TASK:
1512 sid = task_sid;
1513 break;
1514 case SECURITY_FS_USE_TRANS:
1515 /* Default to the fs SID. */
1516 sid = sbsec->sid;
1517
1518 /* Try to obtain a transition SID. */
1519 rc = security_transition_sid(&selinux_state, task_sid, sid,
1520 sclass, NULL, &sid);
1521 if (rc)
1522 goto out;
1523 break;
1524 case SECURITY_FS_USE_MNTPOINT:
1525 sid = sbsec->mntpoint_sid;
1526 break;
1527 default:
1528 /* Default to the fs superblock SID. */
1529 sid = sbsec->sid;
1530
1531 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1532 /* We must have a dentry to determine the label on
1533 * procfs inodes */
1534 if (opt_dentry) {
1535 /* Called from d_instantiate or
1536 * d_splice_alias. */
1537 dentry = dget(opt_dentry);
1538 } else {
1539 /* Called from selinux_complete_init, try to
1540 * find a dentry. Some filesystems really want
1541 * a connected one, so try that first.
1542 */
1543 dentry = d_find_alias(inode);
1544 if (!dentry)
1545 dentry = d_find_any_alias(inode);
1546 }
1547 /*
1548 * This can be hit on boot when a file is accessed
1549 * before the policy is loaded. When we load policy we
1550 * may find inodes that have no dentry on the
1551 * sbsec->isec_head list. No reason to complain as
1552 * these will get fixed up the next time we go through
1553 * inode_doinit() with a dentry, before these inodes
1554 * could be used again by userspace.
1555 */
1556 if (!dentry)
1557 goto out;
1558 rc = selinux_genfs_get_sid(dentry, sclass,
1559 sbsec->flags, &sid);
1560 dput(dentry);
1561 if (rc)
1562 goto out;
1563 }
1564 break;
1565 }
1566
1567out:
1568 spin_lock(&isec->lock);
1569 if (isec->initialized == LABEL_PENDING) {
1570 if (!sid || rc) {
1571 isec->initialized = LABEL_INVALID;
1572 goto out_unlock;
1573 }
1574
1575 isec->initialized = LABEL_INITIALIZED;
1576 isec->sid = sid;
1577 }
1578
1579out_unlock:
1580 spin_unlock(&isec->lock);
1581 return rc;
1582}
1583
1584/* Convert a Linux signal to an access vector. */
1585static inline u32 signal_to_av(int sig)
1586{
1587 u32 perm = 0;
1588
1589 switch (sig) {
1590 case SIGCHLD:
1591 /* Commonly granted from child to parent. */
1592 perm = PROCESS__SIGCHLD;
1593 break;
1594 case SIGKILL:
1595 /* Cannot be caught or ignored */
1596 perm = PROCESS__SIGKILL;
1597 break;
1598 case SIGSTOP:
1599 /* Cannot be caught or ignored */
1600 perm = PROCESS__SIGSTOP;
1601 break;
1602 default:
1603 /* All other signals. */
1604 perm = PROCESS__SIGNAL;
1605 break;
1606 }
1607
1608 return perm;
1609}
1610
1611#if CAP_LAST_CAP > 63
1612#error Fix SELinux to handle capabilities > 63.
1613#endif
1614
1615/* Check whether a task is allowed to use a capability. */
1616static int cred_has_capability(const struct cred *cred,
1617 int cap, int audit, bool initns)
1618{
1619 struct common_audit_data ad;
1620 struct av_decision avd;
1621 u16 sclass;
1622 u32 sid = cred_sid(cred);
1623 u32 av = CAP_TO_MASK(cap);
1624 int rc;
1625
1626 ad.type = LSM_AUDIT_DATA_CAP;
1627 ad.u.cap = cap;
1628
1629 switch (CAP_TO_INDEX(cap)) {
1630 case 0:
1631 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1632 break;
1633 case 1:
1634 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1635 break;
1636 default:
1637 pr_err("SELinux: out of range capability %d\n", cap);
1638 BUG();
1639 return -EINVAL;
1640 }
1641
1642 rc = avc_has_perm_noaudit(&selinux_state,
1643 sid, sid, sclass, av, 0, &avd);
1644 if (audit == SECURITY_CAP_AUDIT) {
1645 int rc2 = avc_audit(&selinux_state,
1646 sid, sid, sclass, av, &avd, rc, &ad, 0);
1647 if (rc2)
1648 return rc2;
1649 }
1650 return rc;
1651}
1652
1653/* Check whether a task has a particular permission to an inode.
1654 The 'adp' parameter is optional and allows other audit
1655 data to be passed (e.g. the dentry). */
1656static int inode_has_perm(const struct cred *cred,
1657 struct inode *inode,
1658 u32 perms,
1659 struct common_audit_data *adp)
1660{
1661 struct inode_security_struct *isec;
1662 u32 sid;
1663
1664 validate_creds(cred);
1665
1666 if (unlikely(IS_PRIVATE(inode)))
1667 return 0;
1668
1669 sid = cred_sid(cred);
1670 isec = inode->i_security;
1671
1672 return avc_has_perm(&selinux_state,
1673 sid, isec->sid, isec->sclass, perms, adp);
1674}
1675
1676/* Same as inode_has_perm, but pass explicit audit data containing
1677 the dentry to help the auditing code to more easily generate the
1678 pathname if needed. */
1679static inline int dentry_has_perm(const struct cred *cred,
1680 struct dentry *dentry,
1681 u32 av)
1682{
1683 struct inode *inode = d_backing_inode(dentry);
1684 struct common_audit_data ad;
1685
1686 ad.type = LSM_AUDIT_DATA_DENTRY;
1687 ad.u.dentry = dentry;
1688 __inode_security_revalidate(inode, dentry, true);
1689 return inode_has_perm(cred, inode, av, &ad);
1690}
1691
1692/* Same as inode_has_perm, but pass explicit audit data containing
1693 the path to help the auditing code to more easily generate the
1694 pathname if needed. */
1695static inline int path_has_perm(const struct cred *cred,
1696 const struct path *path,
1697 u32 av)
1698{
1699 struct inode *inode = d_backing_inode(path->dentry);
1700 struct common_audit_data ad;
1701
1702 ad.type = LSM_AUDIT_DATA_PATH;
1703 ad.u.path = *path;
1704 __inode_security_revalidate(inode, path->dentry, true);
1705 return inode_has_perm(cred, inode, av, &ad);
1706}
1707
1708/* Same as path_has_perm, but uses the inode from the file struct. */
1709static inline int file_path_has_perm(const struct cred *cred,
1710 struct file *file,
1711 u32 av)
1712{
1713 struct common_audit_data ad;
1714
1715 ad.type = LSM_AUDIT_DATA_FILE;
1716 ad.u.file = file;
1717 return inode_has_perm(cred, file_inode(file), av, &ad);
1718}
1719
1720#ifdef CONFIG_BPF_SYSCALL
1721static int bpf_fd_pass(struct file *file, u32 sid);
1722#endif
1723
1724/* Check whether a task can use an open file descriptor to
1725 access an inode in a given way. Check access to the
1726 descriptor itself, and then use dentry_has_perm to
1727 check a particular permission to the file.
1728 Access to the descriptor is implicitly granted if it
1729 has the same SID as the process. If av is zero, then
1730 access to the file is not checked, e.g. for cases
1731 where only the descriptor is affected like seek. */
1732static int file_has_perm(const struct cred *cred,
1733 struct file *file,
1734 u32 av)
1735{
1736 struct file_security_struct *fsec = file->f_security;
1737 struct inode *inode = file_inode(file);
1738 struct common_audit_data ad;
1739 u32 sid = cred_sid(cred);
1740 int rc;
1741
1742 ad.type = LSM_AUDIT_DATA_FILE;
1743 ad.u.file = file;
1744
1745 if (sid != fsec->sid) {
1746 rc = avc_has_perm(&selinux_state,
1747 sid, fsec->sid,
1748 SECCLASS_FD,
1749 FD__USE,
1750 &ad);
1751 if (rc)
1752 goto out;
1753 }
1754
1755#ifdef CONFIG_BPF_SYSCALL
1756 rc = bpf_fd_pass(file, cred_sid(cred));
1757 if (rc)
1758 return rc;
1759#endif
1760
1761 /* av is zero if only checking access to the descriptor. */
1762 rc = 0;
1763 if (av)
1764 rc = inode_has_perm(cred, inode, av, &ad);
1765
1766out:
1767 return rc;
1768}
1769
1770/*
1771 * Determine the label for an inode that might be unioned.
1772 */
1773static int
1774selinux_determine_inode_label(const struct task_security_struct *tsec,
1775 struct inode *dir,
1776 const struct qstr *name, u16 tclass,
1777 u32 *_new_isid)
1778{
1779 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1780
1781 if ((sbsec->flags & SE_SBINITIALIZED) &&
1782 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1783 *_new_isid = sbsec->mntpoint_sid;
1784 } else if ((sbsec->flags & SBLABEL_MNT) &&
1785 tsec->create_sid) {
1786 *_new_isid = tsec->create_sid;
1787 } else {
1788 const struct inode_security_struct *dsec = inode_security(dir);
1789 return security_transition_sid(&selinux_state, tsec->sid,
1790 dsec->sid, tclass,
1791 name, _new_isid);
1792 }
1793
1794 return 0;
1795}
1796
1797/* Check whether a task can create a file. */
1798static int may_create(struct inode *dir,
1799 struct dentry *dentry,
1800 u16 tclass)
1801{
1802 const struct task_security_struct *tsec = selinux_cred(current_cred());
1803 struct inode_security_struct *dsec;
1804 struct superblock_security_struct *sbsec;
1805 u32 sid, newsid;
1806 struct common_audit_data ad;
1807 int rc;
1808
1809 dsec = inode_security(dir);
1810 sbsec = dir->i_sb->s_security;
1811
1812 sid = tsec->sid;
1813
1814 ad.type = LSM_AUDIT_DATA_DENTRY;
1815 ad.u.dentry = dentry;
1816
1817 rc = avc_has_perm(&selinux_state,
1818 sid, dsec->sid, SECCLASS_DIR,
1819 DIR__ADD_NAME | DIR__SEARCH,
1820 &ad);
1821 if (rc)
1822 return rc;
1823
1824 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1825 &dentry->d_name, tclass, &newsid);
1826 if (rc)
1827 return rc;
1828
1829 rc = avc_has_perm(&selinux_state,
1830 sid, newsid, tclass, FILE__CREATE, &ad);
1831 if (rc)
1832 return rc;
1833
1834 return avc_has_perm(&selinux_state,
1835 newsid, sbsec->sid,
1836 SECCLASS_FILESYSTEM,
1837 FILESYSTEM__ASSOCIATE, &ad);
1838}
1839
1840#define MAY_LINK 0
1841#define MAY_UNLINK 1
1842#define MAY_RMDIR 2
1843
1844/* Check whether a task can link, unlink, or rmdir a file/directory. */
1845static int may_link(struct inode *dir,
1846 struct dentry *dentry,
1847 int kind)
1848
1849{
1850 struct inode_security_struct *dsec, *isec;
1851 struct common_audit_data ad;
1852 u32 sid = current_sid();
1853 u32 av;
1854 int rc;
1855
1856 dsec = inode_security(dir);
1857 isec = backing_inode_security(dentry);
1858
1859 ad.type = LSM_AUDIT_DATA_DENTRY;
1860 ad.u.dentry = dentry;
1861
1862 av = DIR__SEARCH;
1863 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1864 rc = avc_has_perm(&selinux_state,
1865 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1866 if (rc)
1867 return rc;
1868
1869 switch (kind) {
1870 case MAY_LINK:
1871 av = FILE__LINK;
1872 break;
1873 case MAY_UNLINK:
1874 av = FILE__UNLINK;
1875 break;
1876 case MAY_RMDIR:
1877 av = DIR__RMDIR;
1878 break;
1879 default:
1880 pr_warn("SELinux: %s: unrecognized kind %d\n",
1881 __func__, kind);
1882 return 0;
1883 }
1884
1885 rc = avc_has_perm(&selinux_state,
1886 sid, isec->sid, isec->sclass, av, &ad);
1887 return rc;
1888}
1889
1890static inline int may_rename(struct inode *old_dir,
1891 struct dentry *old_dentry,
1892 struct inode *new_dir,
1893 struct dentry *new_dentry)
1894{
1895 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1896 struct common_audit_data ad;
1897 u32 sid = current_sid();
1898 u32 av;
1899 int old_is_dir, new_is_dir;
1900 int rc;
1901
1902 old_dsec = inode_security(old_dir);
1903 old_isec = backing_inode_security(old_dentry);
1904 old_is_dir = d_is_dir(old_dentry);
1905 new_dsec = inode_security(new_dir);
1906
1907 ad.type = LSM_AUDIT_DATA_DENTRY;
1908
1909 ad.u.dentry = old_dentry;
1910 rc = avc_has_perm(&selinux_state,
1911 sid, old_dsec->sid, SECCLASS_DIR,
1912 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1913 if (rc)
1914 return rc;
1915 rc = avc_has_perm(&selinux_state,
1916 sid, old_isec->sid,
1917 old_isec->sclass, FILE__RENAME, &ad);
1918 if (rc)
1919 return rc;
1920 if (old_is_dir && new_dir != old_dir) {
1921 rc = avc_has_perm(&selinux_state,
1922 sid, old_isec->sid,
1923 old_isec->sclass, DIR__REPARENT, &ad);
1924 if (rc)
1925 return rc;
1926 }
1927
1928 ad.u.dentry = new_dentry;
1929 av = DIR__ADD_NAME | DIR__SEARCH;
1930 if (d_is_positive(new_dentry))
1931 av |= DIR__REMOVE_NAME;
1932 rc = avc_has_perm(&selinux_state,
1933 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1934 if (rc)
1935 return rc;
1936 if (d_is_positive(new_dentry)) {
1937 new_isec = backing_inode_security(new_dentry);
1938 new_is_dir = d_is_dir(new_dentry);
1939 rc = avc_has_perm(&selinux_state,
1940 sid, new_isec->sid,
1941 new_isec->sclass,
1942 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1943 if (rc)
1944 return rc;
1945 }
1946
1947 return 0;
1948}
1949
1950/* Check whether a task can perform a filesystem operation. */
1951static int superblock_has_perm(const struct cred *cred,
1952 struct super_block *sb,
1953 u32 perms,
1954 struct common_audit_data *ad)
1955{
1956 struct superblock_security_struct *sbsec;
1957 u32 sid = cred_sid(cred);
1958
1959 sbsec = sb->s_security;
1960 return avc_has_perm(&selinux_state,
1961 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1962}
1963
1964/* Convert a Linux mode and permission mask to an access vector. */
1965static inline u32 file_mask_to_av(int mode, int mask)
1966{
1967 u32 av = 0;
1968
1969 if (!S_ISDIR(mode)) {
1970 if (mask & MAY_EXEC)
1971 av |= FILE__EXECUTE;
1972 if (mask & MAY_READ)
1973 av |= FILE__READ;
1974
1975 if (mask & MAY_APPEND)
1976 av |= FILE__APPEND;
1977 else if (mask & MAY_WRITE)
1978 av |= FILE__WRITE;
1979
1980 } else {
1981 if (mask & MAY_EXEC)
1982 av |= DIR__SEARCH;
1983 if (mask & MAY_WRITE)
1984 av |= DIR__WRITE;
1985 if (mask & MAY_READ)
1986 av |= DIR__READ;
1987 }
1988
1989 return av;
1990}
1991
1992/* Convert a Linux file to an access vector. */
1993static inline u32 file_to_av(struct file *file)
1994{
1995 u32 av = 0;
1996
1997 if (file->f_mode & FMODE_READ)
1998 av |= FILE__READ;
1999 if (file->f_mode & FMODE_WRITE) {
2000 if (file->f_flags & O_APPEND)
2001 av |= FILE__APPEND;
2002 else
2003 av |= FILE__WRITE;
2004 }
2005 if (!av) {
2006 /*
2007 * Special file opened with flags 3 for ioctl-only use.
2008 */
2009 av = FILE__IOCTL;
2010 }
2011
2012 return av;
2013}
2014
2015/*
2016 * Convert a file to an access vector and include the correct open
2017 * open permission.
2018 */
2019static inline u32 open_file_to_av(struct file *file)
2020{
2021 u32 av = file_to_av(file);
2022 struct inode *inode = file_inode(file);
2023
2024 if (selinux_policycap_openperm() &&
2025 inode->i_sb->s_magic != SOCKFS_MAGIC)
2026 av |= FILE__OPEN;
2027
2028 return av;
2029}
2030
2031/* Hook functions begin here. */
2032
2033static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2034{
2035 u32 mysid = current_sid();
2036 u32 mgrsid = task_sid(mgr);
2037
2038 return avc_has_perm(&selinux_state,
2039 mysid, mgrsid, SECCLASS_BINDER,
2040 BINDER__SET_CONTEXT_MGR, NULL);
2041}
2042
2043static int selinux_binder_transaction(struct task_struct *from,
2044 struct task_struct *to)
2045{
2046 u32 mysid = current_sid();
2047 u32 fromsid = task_sid(from);
2048 u32 tosid = task_sid(to);
2049 int rc;
2050
2051 if (mysid != fromsid) {
2052 rc = avc_has_perm(&selinux_state,
2053 mysid, fromsid, SECCLASS_BINDER,
2054 BINDER__IMPERSONATE, NULL);
2055 if (rc)
2056 return rc;
2057 }
2058
2059 return avc_has_perm(&selinux_state,
2060 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2061 NULL);
2062}
2063
2064static int selinux_binder_transfer_binder(struct task_struct *from,
2065 struct task_struct *to)
2066{
2067 u32 fromsid = task_sid(from);
2068 u32 tosid = task_sid(to);
2069
2070 return avc_has_perm(&selinux_state,
2071 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2072 NULL);
2073}
2074
2075static int selinux_binder_transfer_file(struct task_struct *from,
2076 struct task_struct *to,
2077 struct file *file)
2078{
2079 u32 sid = task_sid(to);
2080 struct file_security_struct *fsec = file->f_security;
2081 struct dentry *dentry = file->f_path.dentry;
2082 struct inode_security_struct *isec;
2083 struct common_audit_data ad;
2084 int rc;
2085
2086 ad.type = LSM_AUDIT_DATA_PATH;
2087 ad.u.path = file->f_path;
2088
2089 if (sid != fsec->sid) {
2090 rc = avc_has_perm(&selinux_state,
2091 sid, fsec->sid,
2092 SECCLASS_FD,
2093 FD__USE,
2094 &ad);
2095 if (rc)
2096 return rc;
2097 }
2098
2099#ifdef CONFIG_BPF_SYSCALL
2100 rc = bpf_fd_pass(file, sid);
2101 if (rc)
2102 return rc;
2103#endif
2104
2105 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2106 return 0;
2107
2108 isec = backing_inode_security(dentry);
2109 return avc_has_perm(&selinux_state,
2110 sid, isec->sid, isec->sclass, file_to_av(file),
2111 &ad);
2112}
2113
2114static int selinux_ptrace_access_check(struct task_struct *child,
2115 unsigned int mode)
2116{
2117 u32 sid = current_sid();
2118 u32 csid = task_sid(child);
2119
2120 if (mode & PTRACE_MODE_READ)
2121 return avc_has_perm(&selinux_state,
2122 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2123
2124 return avc_has_perm(&selinux_state,
2125 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2126}
2127
2128static int selinux_ptrace_traceme(struct task_struct *parent)
2129{
2130 return avc_has_perm(&selinux_state,
2131 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2132 PROCESS__PTRACE, NULL);
2133}
2134
2135static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2136 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2137{
2138 return avc_has_perm(&selinux_state,
2139 current_sid(), task_sid(target), SECCLASS_PROCESS,
2140 PROCESS__GETCAP, NULL);
2141}
2142
2143static int selinux_capset(struct cred *new, const struct cred *old,
2144 const kernel_cap_t *effective,
2145 const kernel_cap_t *inheritable,
2146 const kernel_cap_t *permitted)
2147{
2148 return avc_has_perm(&selinux_state,
2149 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2150 PROCESS__SETCAP, NULL);
2151}
2152
2153/*
2154 * (This comment used to live with the selinux_task_setuid hook,
2155 * which was removed).
2156 *
2157 * Since setuid only affects the current process, and since the SELinux
2158 * controls are not based on the Linux identity attributes, SELinux does not
2159 * need to control this operation. However, SELinux does control the use of
2160 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2161 */
2162
2163static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2164 int cap, int audit)
2165{
2166 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2167}
2168
2169static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2170{
2171 const struct cred *cred = current_cred();
2172 int rc = 0;
2173
2174 if (!sb)
2175 return 0;
2176
2177 switch (cmds) {
2178 case Q_SYNC:
2179 case Q_QUOTAON:
2180 case Q_QUOTAOFF:
2181 case Q_SETINFO:
2182 case Q_SETQUOTA:
2183 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2184 break;
2185 case Q_GETFMT:
2186 case Q_GETINFO:
2187 case Q_GETQUOTA:
2188 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2189 break;
2190 default:
2191 rc = 0; /* let the kernel handle invalid cmds */
2192 break;
2193 }
2194 return rc;
2195}
2196
2197static int selinux_quota_on(struct dentry *dentry)
2198{
2199 const struct cred *cred = current_cred();
2200
2201 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2202}
2203
2204static int selinux_syslog(int type)
2205{
2206 switch (type) {
2207 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2208 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2209 return avc_has_perm(&selinux_state,
2210 current_sid(), SECINITSID_KERNEL,
2211 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2212 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2213 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2214 /* Set level of messages printed to console */
2215 case SYSLOG_ACTION_CONSOLE_LEVEL:
2216 return avc_has_perm(&selinux_state,
2217 current_sid(), SECINITSID_KERNEL,
2218 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2219 NULL);
2220 }
2221 /* All other syslog types */
2222 return avc_has_perm(&selinux_state,
2223 current_sid(), SECINITSID_KERNEL,
2224 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2225}
2226
2227/*
2228 * Check that a process has enough memory to allocate a new virtual
2229 * mapping. 0 means there is enough memory for the allocation to
2230 * succeed and -ENOMEM implies there is not.
2231 *
2232 * Do not audit the selinux permission check, as this is applied to all
2233 * processes that allocate mappings.
2234 */
2235static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2236{
2237 int rc, cap_sys_admin = 0;
2238
2239 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2240 SECURITY_CAP_NOAUDIT, true);
2241 if (rc == 0)
2242 cap_sys_admin = 1;
2243
2244 return cap_sys_admin;
2245}
2246
2247/* binprm security operations */
2248
2249static u32 ptrace_parent_sid(void)
2250{
2251 u32 sid = 0;
2252 struct task_struct *tracer;
2253
2254 rcu_read_lock();
2255 tracer = ptrace_parent(current);
2256 if (tracer)
2257 sid = task_sid(tracer);
2258 rcu_read_unlock();
2259
2260 return sid;
2261}
2262
2263static int check_nnp_nosuid(const struct linux_binprm *bprm,
2264 const struct task_security_struct *old_tsec,
2265 const struct task_security_struct *new_tsec)
2266{
2267 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2268 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2269 int rc;
2270 u32 av;
2271
2272 if (!nnp && !nosuid)
2273 return 0; /* neither NNP nor nosuid */
2274
2275 if (new_tsec->sid == old_tsec->sid)
2276 return 0; /* No change in credentials */
2277
2278 /*
2279 * If the policy enables the nnp_nosuid_transition policy capability,
2280 * then we permit transitions under NNP or nosuid if the
2281 * policy allows the corresponding permission between
2282 * the old and new contexts.
2283 */
2284 if (selinux_policycap_nnp_nosuid_transition()) {
2285 av = 0;
2286 if (nnp)
2287 av |= PROCESS2__NNP_TRANSITION;
2288 if (nosuid)
2289 av |= PROCESS2__NOSUID_TRANSITION;
2290 rc = avc_has_perm(&selinux_state,
2291 old_tsec->sid, new_tsec->sid,
2292 SECCLASS_PROCESS2, av, NULL);
2293 if (!rc)
2294 return 0;
2295 }
2296
2297 /*
2298 * We also permit NNP or nosuid transitions to bounded SIDs,
2299 * i.e. SIDs that are guaranteed to only be allowed a subset
2300 * of the permissions of the current SID.
2301 */
2302 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2303 new_tsec->sid);
2304 if (!rc)
2305 return 0;
2306
2307 /*
2308 * On failure, preserve the errno values for NNP vs nosuid.
2309 * NNP: Operation not permitted for caller.
2310 * nosuid: Permission denied to file.
2311 */
2312 if (nnp)
2313 return -EPERM;
2314 return -EACCES;
2315}
2316
2317static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2318{
2319 const struct task_security_struct *old_tsec;
2320 struct task_security_struct *new_tsec;
2321 struct inode_security_struct *isec;
2322 struct common_audit_data ad;
2323 struct inode *inode = file_inode(bprm->file);
2324 int rc;
2325
2326 /* SELinux context only depends on initial program or script and not
2327 * the script interpreter */
2328 if (bprm->called_set_creds)
2329 return 0;
2330
2331 old_tsec = selinux_cred(current_cred());
2332 new_tsec = selinux_cred(bprm->cred);
2333 isec = inode_security(inode);
2334
2335 /* Default to the current task SID. */
2336 new_tsec->sid = old_tsec->sid;
2337 new_tsec->osid = old_tsec->sid;
2338
2339 /* Reset fs, key, and sock SIDs on execve. */
2340 new_tsec->create_sid = 0;
2341 new_tsec->keycreate_sid = 0;
2342 new_tsec->sockcreate_sid = 0;
2343
2344 if (old_tsec->exec_sid) {
2345 new_tsec->sid = old_tsec->exec_sid;
2346 /* Reset exec SID on execve. */
2347 new_tsec->exec_sid = 0;
2348
2349 /* Fail on NNP or nosuid if not an allowed transition. */
2350 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2351 if (rc)
2352 return rc;
2353 } else {
2354 /* Check for a default transition on this program. */
2355 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2356 isec->sid, SECCLASS_PROCESS, NULL,
2357 &new_tsec->sid);
2358 if (rc)
2359 return rc;
2360
2361 /*
2362 * Fallback to old SID on NNP or nosuid if not an allowed
2363 * transition.
2364 */
2365 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2366 if (rc)
2367 new_tsec->sid = old_tsec->sid;
2368 }
2369
2370 ad.type = LSM_AUDIT_DATA_FILE;
2371 ad.u.file = bprm->file;
2372
2373 if (new_tsec->sid == old_tsec->sid) {
2374 rc = avc_has_perm(&selinux_state,
2375 old_tsec->sid, isec->sid,
2376 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2377 if (rc)
2378 return rc;
2379 } else {
2380 /* Check permissions for the transition. */
2381 rc = avc_has_perm(&selinux_state,
2382 old_tsec->sid, new_tsec->sid,
2383 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2384 if (rc)
2385 return rc;
2386
2387 rc = avc_has_perm(&selinux_state,
2388 new_tsec->sid, isec->sid,
2389 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2390 if (rc)
2391 return rc;
2392
2393 /* Check for shared state */
2394 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2395 rc = avc_has_perm(&selinux_state,
2396 old_tsec->sid, new_tsec->sid,
2397 SECCLASS_PROCESS, PROCESS__SHARE,
2398 NULL);
2399 if (rc)
2400 return -EPERM;
2401 }
2402
2403 /* Make sure that anyone attempting to ptrace over a task that
2404 * changes its SID has the appropriate permit */
2405 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2406 u32 ptsid = ptrace_parent_sid();
2407 if (ptsid != 0) {
2408 rc = avc_has_perm(&selinux_state,
2409 ptsid, new_tsec->sid,
2410 SECCLASS_PROCESS,
2411 PROCESS__PTRACE, NULL);
2412 if (rc)
2413 return -EPERM;
2414 }
2415 }
2416
2417 /* Clear any possibly unsafe personality bits on exec: */
2418 bprm->per_clear |= PER_CLEAR_ON_SETID;
2419
2420 /* Enable secure mode for SIDs transitions unless
2421 the noatsecure permission is granted between
2422 the two SIDs, i.e. ahp returns 0. */
2423 rc = avc_has_perm(&selinux_state,
2424 old_tsec->sid, new_tsec->sid,
2425 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2426 NULL);
2427 bprm->secureexec |= !!rc;
2428 }
2429
2430 return 0;
2431}
2432
2433static int match_file(const void *p, struct file *file, unsigned fd)
2434{
2435 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2436}
2437
2438/* Derived from fs/exec.c:flush_old_files. */
2439static inline void flush_unauthorized_files(const struct cred *cred,
2440 struct files_struct *files)
2441{
2442 struct file *file, *devnull = NULL;
2443 struct tty_struct *tty;
2444 int drop_tty = 0;
2445 unsigned n;
2446
2447 tty = get_current_tty();
2448 if (tty) {
2449 spin_lock(&tty->files_lock);
2450 if (!list_empty(&tty->tty_files)) {
2451 struct tty_file_private *file_priv;
2452
2453 /* Revalidate access to controlling tty.
2454 Use file_path_has_perm on the tty path directly
2455 rather than using file_has_perm, as this particular
2456 open file may belong to another process and we are
2457 only interested in the inode-based check here. */
2458 file_priv = list_first_entry(&tty->tty_files,
2459 struct tty_file_private, list);
2460 file = file_priv->file;
2461 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2462 drop_tty = 1;
2463 }
2464 spin_unlock(&tty->files_lock);
2465 tty_kref_put(tty);
2466 }
2467 /* Reset controlling tty. */
2468 if (drop_tty)
2469 no_tty();
2470
2471 /* Revalidate access to inherited open files. */
2472 n = iterate_fd(files, 0, match_file, cred);
2473 if (!n) /* none found? */
2474 return;
2475
2476 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2477 if (IS_ERR(devnull))
2478 devnull = NULL;
2479 /* replace all the matching ones with this */
2480 do {
2481 replace_fd(n - 1, devnull, 0);
2482 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2483 if (devnull)
2484 fput(devnull);
2485}
2486
2487/*
2488 * Prepare a process for imminent new credential changes due to exec
2489 */
2490static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2491{
2492 struct task_security_struct *new_tsec;
2493 struct rlimit *rlim, *initrlim;
2494 int rc, i;
2495
2496 new_tsec = selinux_cred(bprm->cred);
2497 if (new_tsec->sid == new_tsec->osid)
2498 return;
2499
2500 /* Close files for which the new task SID is not authorized. */
2501 flush_unauthorized_files(bprm->cred, current->files);
2502
2503 /* Always clear parent death signal on SID transitions. */
2504 current->pdeath_signal = 0;
2505
2506 /* Check whether the new SID can inherit resource limits from the old
2507 * SID. If not, reset all soft limits to the lower of the current
2508 * task's hard limit and the init task's soft limit.
2509 *
2510 * Note that the setting of hard limits (even to lower them) can be
2511 * controlled by the setrlimit check. The inclusion of the init task's
2512 * soft limit into the computation is to avoid resetting soft limits
2513 * higher than the default soft limit for cases where the default is
2514 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2515 */
2516 rc = avc_has_perm(&selinux_state,
2517 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2518 PROCESS__RLIMITINH, NULL);
2519 if (rc) {
2520 /* protect against do_prlimit() */
2521 task_lock(current);
2522 for (i = 0; i < RLIM_NLIMITS; i++) {
2523 rlim = current->signal->rlim + i;
2524 initrlim = init_task.signal->rlim + i;
2525 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2526 }
2527 task_unlock(current);
2528 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2529 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2530 }
2531}
2532
2533/*
2534 * Clean up the process immediately after the installation of new credentials
2535 * due to exec
2536 */
2537static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2538{
2539 const struct task_security_struct *tsec = selinux_cred(current_cred());
2540 struct itimerval itimer;
2541 u32 osid, sid;
2542 int rc, i;
2543
2544 osid = tsec->osid;
2545 sid = tsec->sid;
2546
2547 if (sid == osid)
2548 return;
2549
2550 /* Check whether the new SID can inherit signal state from the old SID.
2551 * If not, clear itimers to avoid subsequent signal generation and
2552 * flush and unblock signals.
2553 *
2554 * This must occur _after_ the task SID has been updated so that any
2555 * kill done after the flush will be checked against the new SID.
2556 */
2557 rc = avc_has_perm(&selinux_state,
2558 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2559 if (rc) {
2560 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2561 memset(&itimer, 0, sizeof itimer);
2562 for (i = 0; i < 3; i++)
2563 do_setitimer(i, &itimer, NULL);
2564 }
2565 spin_lock_irq(&current->sighand->siglock);
2566 if (!fatal_signal_pending(current)) {
2567 flush_sigqueue(&current->pending);
2568 flush_sigqueue(&current->signal->shared_pending);
2569 flush_signal_handlers(current, 1);
2570 sigemptyset(&current->blocked);
2571 recalc_sigpending();
2572 }
2573 spin_unlock_irq(&current->sighand->siglock);
2574 }
2575
2576 /* Wake up the parent if it is waiting so that it can recheck
2577 * wait permission to the new task SID. */
2578 read_lock(&tasklist_lock);
2579 __wake_up_parent(current, current->real_parent);
2580 read_unlock(&tasklist_lock);
2581}
2582
2583/* superblock security operations */
2584
2585static int selinux_sb_alloc_security(struct super_block *sb)
2586{
2587 return superblock_alloc_security(sb);
2588}
2589
2590static void selinux_sb_free_security(struct super_block *sb)
2591{
2592 superblock_free_security(sb);
2593}
2594
2595static inline int opt_len(const char *s)
2596{
2597 bool open_quote = false;
2598 int len;
2599 char c;
2600
2601 for (len = 0; (c = s[len]) != '\0'; len++) {
2602 if (c == '"')
2603 open_quote = !open_quote;
2604 if (c == ',' && !open_quote)
2605 break;
2606 }
2607 return len;
2608}
2609
2610static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2611{
2612 char *from = options;
2613 char *to = options;
2614 bool first = true;
2615
2616 while (1) {
2617 int len = opt_len(from);
2618 int token, rc;
2619 char *arg = NULL;
2620
2621 token = match_opt_prefix(from, len, &arg);
2622
2623 if (token != Opt_error) {
2624 char *p, *q;
2625
2626 /* strip quotes */
2627 if (arg) {
2628 for (p = q = arg; p < from + len; p++) {
2629 char c = *p;
2630 if (c != '"')
2631 *q++ = c;
2632 }
2633 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2634 }
2635 rc = selinux_add_opt(token, arg, mnt_opts);
2636 if (unlikely(rc)) {
2637 kfree(arg);
2638 if (*mnt_opts) {
2639 selinux_free_mnt_opts(*mnt_opts);
2640 *mnt_opts = NULL;
2641 }
2642 return rc;
2643 }
2644 } else {
2645 if (!first) { // copy with preceding comma
2646 from--;
2647 len++;
2648 }
2649 if (to != from)
2650 memmove(to, from, len);
2651 to += len;
2652 first = false;
2653 }
2654 if (!from[len])
2655 break;
2656 from += len + 1;
2657 }
2658 *to = '\0';
2659 return 0;
2660}
2661
2662static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2663{
2664 struct selinux_mnt_opts *opts = mnt_opts;
2665 struct superblock_security_struct *sbsec = sb->s_security;
2666 u32 sid;
2667 int rc;
2668
2669 if (!(sbsec->flags & SE_SBINITIALIZED))
2670 return 0;
2671
2672 if (!opts)
2673 return 0;
2674
2675 if (opts->fscontext) {
2676 rc = parse_sid(sb, opts->fscontext, &sid);
2677 if (rc)
2678 return rc;
2679 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2680 goto out_bad_option;
2681 }
2682 if (opts->context) {
2683 rc = parse_sid(sb, opts->context, &sid);
2684 if (rc)
2685 return rc;
2686 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2687 goto out_bad_option;
2688 }
2689 if (opts->rootcontext) {
2690 struct inode_security_struct *root_isec;
2691 root_isec = backing_inode_security(sb->s_root);
2692 rc = parse_sid(sb, opts->rootcontext, &sid);
2693 if (rc)
2694 return rc;
2695 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2696 goto out_bad_option;
2697 }
2698 if (opts->defcontext) {
2699 rc = parse_sid(sb, opts->defcontext, &sid);
2700 if (rc)
2701 return rc;
2702 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2703 goto out_bad_option;
2704 }
2705 return 0;
2706
2707out_bad_option:
2708 pr_warn("SELinux: unable to change security options "
2709 "during remount (dev %s, type=%s)\n", sb->s_id,
2710 sb->s_type->name);
2711 return -EINVAL;
2712}
2713
2714static int selinux_sb_kern_mount(struct super_block *sb)
2715{
2716 const struct cred *cred = current_cred();
2717 struct common_audit_data ad;
2718
2719 ad.type = LSM_AUDIT_DATA_DENTRY;
2720 ad.u.dentry = sb->s_root;
2721 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2722}
2723
2724static int selinux_sb_statfs(struct dentry *dentry)
2725{
2726 const struct cred *cred = current_cred();
2727 struct common_audit_data ad;
2728
2729 ad.type = LSM_AUDIT_DATA_DENTRY;
2730 ad.u.dentry = dentry->d_sb->s_root;
2731 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2732}
2733
2734static int selinux_mount(const char *dev_name,
2735 const struct path *path,
2736 const char *type,
2737 unsigned long flags,
2738 void *data)
2739{
2740 const struct cred *cred = current_cred();
2741
2742 if (flags & MS_REMOUNT)
2743 return superblock_has_perm(cred, path->dentry->d_sb,
2744 FILESYSTEM__REMOUNT, NULL);
2745 else
2746 return path_has_perm(cred, path, FILE__MOUNTON);
2747}
2748
2749static int selinux_umount(struct vfsmount *mnt, int flags)
2750{
2751 const struct cred *cred = current_cred();
2752
2753 return superblock_has_perm(cred, mnt->mnt_sb,
2754 FILESYSTEM__UNMOUNT, NULL);
2755}
2756
2757/* inode security operations */
2758
2759static int selinux_inode_alloc_security(struct inode *inode)
2760{
2761 return inode_alloc_security(inode);
2762}
2763
2764static void selinux_inode_free_security(struct inode *inode)
2765{
2766 inode_free_security(inode);
2767}
2768
2769static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2770 const struct qstr *name, void **ctx,
2771 u32 *ctxlen)
2772{
2773 u32 newsid;
2774 int rc;
2775
2776 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2777 d_inode(dentry->d_parent), name,
2778 inode_mode_to_security_class(mode),
2779 &newsid);
2780 if (rc)
2781 return rc;
2782
2783 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2784 ctxlen);
2785}
2786
2787static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2788 struct qstr *name,
2789 const struct cred *old,
2790 struct cred *new)
2791{
2792 u32 newsid;
2793 int rc;
2794 struct task_security_struct *tsec;
2795
2796 rc = selinux_determine_inode_label(selinux_cred(old),
2797 d_inode(dentry->d_parent), name,
2798 inode_mode_to_security_class(mode),
2799 &newsid);
2800 if (rc)
2801 return rc;
2802
2803 tsec = selinux_cred(new);
2804 tsec->create_sid = newsid;
2805 return 0;
2806}
2807
2808static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2809 const struct qstr *qstr,
2810 const char **name,
2811 void **value, size_t *len)
2812{
2813 const struct task_security_struct *tsec = selinux_cred(current_cred());
2814 struct superblock_security_struct *sbsec;
2815 u32 newsid, clen;
2816 int rc;
2817 char *context;
2818
2819 sbsec = dir->i_sb->s_security;
2820
2821 newsid = tsec->create_sid;
2822
2823 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2824 dir, qstr,
2825 inode_mode_to_security_class(inode->i_mode),
2826 &newsid);
2827 if (rc)
2828 return rc;
2829
2830 /* Possibly defer initialization to selinux_complete_init. */
2831 if (sbsec->flags & SE_SBINITIALIZED) {
2832 struct inode_security_struct *isec = inode->i_security;
2833 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2834 isec->sid = newsid;
2835 isec->initialized = LABEL_INITIALIZED;
2836 }
2837
2838 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2839 return -EOPNOTSUPP;
2840
2841 if (name)
2842 *name = XATTR_SELINUX_SUFFIX;
2843
2844 if (value && len) {
2845 rc = security_sid_to_context_force(&selinux_state, newsid,
2846 &context, &clen);
2847 if (rc)
2848 return rc;
2849 *value = context;
2850 *len = clen;
2851 }
2852
2853 return 0;
2854}
2855
2856static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2857{
2858 return may_create(dir, dentry, SECCLASS_FILE);
2859}
2860
2861static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2862{
2863 return may_link(dir, old_dentry, MAY_LINK);
2864}
2865
2866static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2867{
2868 return may_link(dir, dentry, MAY_UNLINK);
2869}
2870
2871static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2872{
2873 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2874}
2875
2876static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2877{
2878 return may_create(dir, dentry, SECCLASS_DIR);
2879}
2880
2881static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2882{
2883 return may_link(dir, dentry, MAY_RMDIR);
2884}
2885
2886static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2887{
2888 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2889}
2890
2891static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2892 struct inode *new_inode, struct dentry *new_dentry)
2893{
2894 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2895}
2896
2897static int selinux_inode_readlink(struct dentry *dentry)
2898{
2899 const struct cred *cred = current_cred();
2900
2901 return dentry_has_perm(cred, dentry, FILE__READ);
2902}
2903
2904static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2905 bool rcu)
2906{
2907 const struct cred *cred = current_cred();
2908 struct common_audit_data ad;
2909 struct inode_security_struct *isec;
2910 u32 sid;
2911
2912 validate_creds(cred);
2913
2914 ad.type = LSM_AUDIT_DATA_DENTRY;
2915 ad.u.dentry = dentry;
2916 sid = cred_sid(cred);
2917 isec = inode_security_rcu(inode, rcu);
2918 if (IS_ERR(isec))
2919 return PTR_ERR(isec);
2920
2921 return avc_has_perm_flags(&selinux_state,
2922 sid, isec->sid, isec->sclass, FILE__READ, &ad,
2923 rcu ? MAY_NOT_BLOCK : 0);
2924}
2925
2926static noinline int audit_inode_permission(struct inode *inode,
2927 u32 perms, u32 audited, u32 denied,
2928 int result,
2929 unsigned flags)
2930{
2931 struct common_audit_data ad;
2932 struct inode_security_struct *isec = inode->i_security;
2933 int rc;
2934
2935 ad.type = LSM_AUDIT_DATA_INODE;
2936 ad.u.inode = inode;
2937
2938 rc = slow_avc_audit(&selinux_state,
2939 current_sid(), isec->sid, isec->sclass, perms,
2940 audited, denied, result, &ad, flags);
2941 if (rc)
2942 return rc;
2943 return 0;
2944}
2945
2946static int selinux_inode_permission(struct inode *inode, int mask)
2947{
2948 const struct cred *cred = current_cred();
2949 u32 perms;
2950 bool from_access;
2951 unsigned flags = mask & MAY_NOT_BLOCK;
2952 struct inode_security_struct *isec;
2953 u32 sid;
2954 struct av_decision avd;
2955 int rc, rc2;
2956 u32 audited, denied;
2957
2958 from_access = mask & MAY_ACCESS;
2959 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2960
2961 /* No permission to check. Existence test. */
2962 if (!mask)
2963 return 0;
2964
2965 validate_creds(cred);
2966
2967 if (unlikely(IS_PRIVATE(inode)))
2968 return 0;
2969
2970 perms = file_mask_to_av(inode->i_mode, mask);
2971
2972 sid = cred_sid(cred);
2973 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2974 if (IS_ERR(isec))
2975 return PTR_ERR(isec);
2976
2977 rc = avc_has_perm_noaudit(&selinux_state,
2978 sid, isec->sid, isec->sclass, perms, 0, &avd);
2979 audited = avc_audit_required(perms, &avd, rc,
2980 from_access ? FILE__AUDIT_ACCESS : 0,
2981 &denied);
2982 if (likely(!audited))
2983 return rc;
2984
2985 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2986 if (rc2)
2987 return rc2;
2988 return rc;
2989}
2990
2991static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2992{
2993 const struct cred *cred = current_cred();
2994 struct inode *inode = d_backing_inode(dentry);
2995 unsigned int ia_valid = iattr->ia_valid;
2996 __u32 av = FILE__WRITE;
2997
2998 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2999 if (ia_valid & ATTR_FORCE) {
3000 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3001 ATTR_FORCE);
3002 if (!ia_valid)
3003 return 0;
3004 }
3005
3006 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3007 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3008 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3009
3010 if (selinux_policycap_openperm() &&
3011 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3012 (ia_valid & ATTR_SIZE) &&
3013 !(ia_valid & ATTR_FILE))
3014 av |= FILE__OPEN;
3015
3016 return dentry_has_perm(cred, dentry, av);
3017}
3018
3019static int selinux_inode_getattr(const struct path *path)
3020{
3021 return path_has_perm(current_cred(), path, FILE__GETATTR);
3022}
3023
3024static bool has_cap_mac_admin(bool audit)
3025{
3026 const struct cred *cred = current_cred();
3027 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3028
3029 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3030 return false;
3031 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3032 return false;
3033 return true;
3034}
3035
3036static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3037 const void *value, size_t size, int flags)
3038{
3039 struct inode *inode = d_backing_inode(dentry);
3040 struct inode_security_struct *isec;
3041 struct superblock_security_struct *sbsec;
3042 struct common_audit_data ad;
3043 u32 newsid, sid = current_sid();
3044 int rc = 0;
3045
3046 if (strcmp(name, XATTR_NAME_SELINUX)) {
3047 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3048 if (rc)
3049 return rc;
3050
3051 /* Not an attribute we recognize, so just check the
3052 ordinary setattr permission. */
3053 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3054 }
3055
3056 sbsec = inode->i_sb->s_security;
3057 if (!(sbsec->flags & SBLABEL_MNT))
3058 return -EOPNOTSUPP;
3059
3060 if (!inode_owner_or_capable(inode))
3061 return -EPERM;
3062
3063 ad.type = LSM_AUDIT_DATA_DENTRY;
3064 ad.u.dentry = dentry;
3065
3066 isec = backing_inode_security(dentry);
3067 rc = avc_has_perm(&selinux_state,
3068 sid, isec->sid, isec->sclass,
3069 FILE__RELABELFROM, &ad);
3070 if (rc)
3071 return rc;
3072
3073 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3074 GFP_KERNEL);
3075 if (rc == -EINVAL) {
3076 if (!has_cap_mac_admin(true)) {
3077 struct audit_buffer *ab;
3078 size_t audit_size;
3079
3080 /* We strip a nul only if it is at the end, otherwise the
3081 * context contains a nul and we should audit that */
3082 if (value) {
3083 const char *str = value;
3084
3085 if (str[size - 1] == '\0')
3086 audit_size = size - 1;
3087 else
3088 audit_size = size;
3089 } else {
3090 audit_size = 0;
3091 }
3092 ab = audit_log_start(audit_context(),
3093 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3094 audit_log_format(ab, "op=setxattr invalid_context=");
3095 audit_log_n_untrustedstring(ab, value, audit_size);
3096 audit_log_end(ab);
3097
3098 return rc;
3099 }
3100 rc = security_context_to_sid_force(&selinux_state, value,
3101 size, &newsid);
3102 }
3103 if (rc)
3104 return rc;
3105
3106 rc = avc_has_perm(&selinux_state,
3107 sid, newsid, isec->sclass,
3108 FILE__RELABELTO, &ad);
3109 if (rc)
3110 return rc;
3111
3112 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3113 sid, isec->sclass);
3114 if (rc)
3115 return rc;
3116
3117 return avc_has_perm(&selinux_state,
3118 newsid,
3119 sbsec->sid,
3120 SECCLASS_FILESYSTEM,
3121 FILESYSTEM__ASSOCIATE,
3122 &ad);
3123}
3124
3125static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3126 const void *value, size_t size,
3127 int flags)
3128{
3129 struct inode *inode = d_backing_inode(dentry);
3130 struct inode_security_struct *isec;
3131 u32 newsid;
3132 int rc;
3133
3134 if (strcmp(name, XATTR_NAME_SELINUX)) {
3135 /* Not an attribute we recognize, so nothing to do. */
3136 return;
3137 }
3138
3139 rc = security_context_to_sid_force(&selinux_state, value, size,
3140 &newsid);
3141 if (rc) {
3142 pr_err("SELinux: unable to map context to SID"
3143 "for (%s, %lu), rc=%d\n",
3144 inode->i_sb->s_id, inode->i_ino, -rc);
3145 return;
3146 }
3147
3148 isec = backing_inode_security(dentry);
3149 spin_lock(&isec->lock);
3150 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3151 isec->sid = newsid;
3152 isec->initialized = LABEL_INITIALIZED;
3153 spin_unlock(&isec->lock);
3154
3155 return;
3156}
3157
3158static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3159{
3160 const struct cred *cred = current_cred();
3161
3162 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3163}
3164
3165static int selinux_inode_listxattr(struct dentry *dentry)
3166{
3167 const struct cred *cred = current_cred();
3168
3169 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3170}
3171
3172static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3173{
3174 if (strcmp(name, XATTR_NAME_SELINUX)) {
3175 int rc = cap_inode_removexattr(dentry, name);
3176 if (rc)
3177 return rc;
3178
3179 /* Not an attribute we recognize, so just check the
3180 ordinary setattr permission. */
3181 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3182 }
3183
3184 /* No one is allowed to remove a SELinux security label.
3185 You can change the label, but all data must be labeled. */
3186 return -EACCES;
3187}
3188
3189/*
3190 * Copy the inode security context value to the user.
3191 *
3192 * Permission check is handled by selinux_inode_getxattr hook.
3193 */
3194static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3195{
3196 u32 size;
3197 int error;
3198 char *context = NULL;
3199 struct inode_security_struct *isec;
3200
3201 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3202 return -EOPNOTSUPP;
3203
3204 /*
3205 * If the caller has CAP_MAC_ADMIN, then get the raw context
3206 * value even if it is not defined by current policy; otherwise,
3207 * use the in-core value under current policy.
3208 * Use the non-auditing forms of the permission checks since
3209 * getxattr may be called by unprivileged processes commonly
3210 * and lack of permission just means that we fall back to the
3211 * in-core context value, not a denial.
3212 */
3213 isec = inode_security(inode);
3214 if (has_cap_mac_admin(false))
3215 error = security_sid_to_context_force(&selinux_state,
3216 isec->sid, &context,
3217 &size);
3218 else
3219 error = security_sid_to_context(&selinux_state, isec->sid,
3220 &context, &size);
3221 if (error)
3222 return error;
3223 error = size;
3224 if (alloc) {
3225 *buffer = context;
3226 goto out_nofree;
3227 }
3228 kfree(context);
3229out_nofree:
3230 return error;
3231}
3232
3233static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3234 const void *value, size_t size, int flags)
3235{
3236 struct inode_security_struct *isec = inode_security_novalidate(inode);
3237 u32 newsid;
3238 int rc;
3239
3240 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3241 return -EOPNOTSUPP;
3242
3243 if (!value || !size)
3244 return -EACCES;
3245
3246 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3247 GFP_KERNEL);
3248 if (rc)
3249 return rc;
3250
3251 spin_lock(&isec->lock);
3252 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3253 isec->sid = newsid;
3254 isec->initialized = LABEL_INITIALIZED;
3255 spin_unlock(&isec->lock);
3256 return 0;
3257}
3258
3259static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3260{
3261 const int len = sizeof(XATTR_NAME_SELINUX);
3262 if (buffer && len <= buffer_size)
3263 memcpy(buffer, XATTR_NAME_SELINUX, len);
3264 return len;
3265}
3266
3267static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3268{
3269 struct inode_security_struct *isec = inode_security_novalidate(inode);
3270 *secid = isec->sid;
3271}
3272
3273static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3274{
3275 u32 sid;
3276 struct task_security_struct *tsec;
3277 struct cred *new_creds = *new;
3278
3279 if (new_creds == NULL) {
3280 new_creds = prepare_creds();
3281 if (!new_creds)
3282 return -ENOMEM;
3283 }
3284
3285 tsec = selinux_cred(new_creds);
3286 /* Get label from overlay inode and set it in create_sid */
3287 selinux_inode_getsecid(d_inode(src), &sid);
3288 tsec->create_sid = sid;
3289 *new = new_creds;
3290 return 0;
3291}
3292
3293static int selinux_inode_copy_up_xattr(const char *name)
3294{
3295 /* The copy_up hook above sets the initial context on an inode, but we
3296 * don't then want to overwrite it by blindly copying all the lower
3297 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3298 */
3299 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3300 return 1; /* Discard */
3301 /*
3302 * Any other attribute apart from SELINUX is not claimed, supported
3303 * by selinux.
3304 */
3305 return -EOPNOTSUPP;
3306}
3307
3308/* file security operations */
3309
3310static int selinux_revalidate_file_permission(struct file *file, int mask)
3311{
3312 const struct cred *cred = current_cred();
3313 struct inode *inode = file_inode(file);
3314
3315 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3316 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3317 mask |= MAY_APPEND;
3318
3319 return file_has_perm(cred, file,
3320 file_mask_to_av(inode->i_mode, mask));
3321}
3322
3323static int selinux_file_permission(struct file *file, int mask)
3324{
3325 struct inode *inode = file_inode(file);
3326 struct file_security_struct *fsec = file->f_security;
3327 struct inode_security_struct *isec;
3328 u32 sid = current_sid();
3329
3330 if (!mask)
3331 /* No permission to check. Existence test. */
3332 return 0;
3333
3334 isec = inode_security(inode);
3335 if (sid == fsec->sid && fsec->isid == isec->sid &&
3336 fsec->pseqno == avc_policy_seqno(&selinux_state))
3337 /* No change since file_open check. */
3338 return 0;
3339
3340 return selinux_revalidate_file_permission(file, mask);
3341}
3342
3343static int selinux_file_alloc_security(struct file *file)
3344{
3345 return file_alloc_security(file);
3346}
3347
3348static void selinux_file_free_security(struct file *file)
3349{
3350 file_free_security(file);
3351}
3352
3353/*
3354 * Check whether a task has the ioctl permission and cmd
3355 * operation to an inode.
3356 */
3357static int ioctl_has_perm(const struct cred *cred, struct file *file,
3358 u32 requested, u16 cmd)
3359{
3360 struct common_audit_data ad;
3361 struct file_security_struct *fsec = file->f_security;
3362 struct inode *inode = file_inode(file);
3363 struct inode_security_struct *isec;
3364 struct lsm_ioctlop_audit ioctl;
3365 u32 ssid = cred_sid(cred);
3366 int rc;
3367 u8 driver = cmd >> 8;
3368 u8 xperm = cmd & 0xff;
3369
3370 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3371 ad.u.op = &ioctl;
3372 ad.u.op->cmd = cmd;
3373 ad.u.op->path = file->f_path;
3374
3375 if (ssid != fsec->sid) {
3376 rc = avc_has_perm(&selinux_state,
3377 ssid, fsec->sid,
3378 SECCLASS_FD,
3379 FD__USE,
3380 &ad);
3381 if (rc)
3382 goto out;
3383 }
3384
3385 if (unlikely(IS_PRIVATE(inode)))
3386 return 0;
3387
3388 isec = inode_security(inode);
3389 rc = avc_has_extended_perms(&selinux_state,
3390 ssid, isec->sid, isec->sclass,
3391 requested, driver, xperm, &ad);
3392out:
3393 return rc;
3394}
3395
3396static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3397 unsigned long arg)
3398{
3399 const struct cred *cred = current_cred();
3400 int error = 0;
3401
3402 switch (cmd) {
3403 case FIONREAD:
3404 /* fall through */
3405 case FIBMAP:
3406 /* fall through */
3407 case FIGETBSZ:
3408 /* fall through */
3409 case FS_IOC_GETFLAGS:
3410 /* fall through */
3411 case FS_IOC_GETVERSION:
3412 error = file_has_perm(cred, file, FILE__GETATTR);
3413 break;
3414
3415 case FS_IOC_SETFLAGS:
3416 /* fall through */
3417 case FS_IOC_SETVERSION:
3418 error = file_has_perm(cred, file, FILE__SETATTR);
3419 break;
3420
3421 /* sys_ioctl() checks */
3422 case FIONBIO:
3423 /* fall through */
3424 case FIOASYNC:
3425 error = file_has_perm(cred, file, 0);
3426 break;
3427
3428 case KDSKBENT:
3429 case KDSKBSENT:
3430 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3431 SECURITY_CAP_AUDIT, true);
3432 break;
3433
3434 /* default case assumes that the command will go
3435 * to the file's ioctl() function.
3436 */
3437 default:
3438 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3439 }
3440 return error;
3441}
3442
3443static int default_noexec;
3444
3445static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3446{
3447 const struct cred *cred = current_cred();
3448 u32 sid = cred_sid(cred);
3449 int rc = 0;
3450
3451 if (default_noexec &&
3452 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3453 (!shared && (prot & PROT_WRITE)))) {
3454 /*
3455 * We are making executable an anonymous mapping or a
3456 * private file mapping that will also be writable.
3457 * This has an additional check.
3458 */
3459 rc = avc_has_perm(&selinux_state,
3460 sid, sid, SECCLASS_PROCESS,
3461 PROCESS__EXECMEM, NULL);
3462 if (rc)
3463 goto error;
3464 }
3465
3466 if (file) {
3467 /* read access is always possible with a mapping */
3468 u32 av = FILE__READ;
3469
3470 /* write access only matters if the mapping is shared */
3471 if (shared && (prot & PROT_WRITE))
3472 av |= FILE__WRITE;
3473
3474 if (prot & PROT_EXEC)
3475 av |= FILE__EXECUTE;
3476
3477 return file_has_perm(cred, file, av);
3478 }
3479
3480error:
3481 return rc;
3482}
3483
3484static int selinux_mmap_addr(unsigned long addr)
3485{
3486 int rc = 0;
3487
3488 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3489 u32 sid = current_sid();
3490 rc = avc_has_perm(&selinux_state,
3491 sid, sid, SECCLASS_MEMPROTECT,
3492 MEMPROTECT__MMAP_ZERO, NULL);
3493 }
3494
3495 return rc;
3496}
3497
3498static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3499 unsigned long prot, unsigned long flags)
3500{
3501 struct common_audit_data ad;
3502 int rc;
3503
3504 if (file) {
3505 ad.type = LSM_AUDIT_DATA_FILE;
3506 ad.u.file = file;
3507 rc = inode_has_perm(current_cred(), file_inode(file),
3508 FILE__MAP, &ad);
3509 if (rc)
3510 return rc;
3511 }
3512
3513 if (selinux_state.checkreqprot)
3514 prot = reqprot;
3515
3516 return file_map_prot_check(file, prot,
3517 (flags & MAP_TYPE) == MAP_SHARED);
3518}
3519
3520static int selinux_file_mprotect(struct vm_area_struct *vma,
3521 unsigned long reqprot,
3522 unsigned long prot)
3523{
3524 const struct cred *cred = current_cred();
3525 u32 sid = cred_sid(cred);
3526
3527 if (selinux_state.checkreqprot)
3528 prot = reqprot;
3529
3530 if (default_noexec &&
3531 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3532 int rc = 0;
3533 if (vma->vm_start >= vma->vm_mm->start_brk &&
3534 vma->vm_end <= vma->vm_mm->brk) {
3535 rc = avc_has_perm(&selinux_state,
3536 sid, sid, SECCLASS_PROCESS,
3537 PROCESS__EXECHEAP, NULL);
3538 } else if (!vma->vm_file &&
3539 ((vma->vm_start <= vma->vm_mm->start_stack &&
3540 vma->vm_end >= vma->vm_mm->start_stack) ||
3541 vma_is_stack_for_current(vma))) {
3542 rc = avc_has_perm(&selinux_state,
3543 sid, sid, SECCLASS_PROCESS,
3544 PROCESS__EXECSTACK, NULL);
3545 } else if (vma->vm_file && vma->anon_vma) {
3546 /*
3547 * We are making executable a file mapping that has
3548 * had some COW done. Since pages might have been
3549 * written, check ability to execute the possibly
3550 * modified content. This typically should only
3551 * occur for text relocations.
3552 */
3553 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3554 }
3555 if (rc)
3556 return rc;
3557 }
3558
3559 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3560}
3561
3562static int selinux_file_lock(struct file *file, unsigned int cmd)
3563{
3564 const struct cred *cred = current_cred();
3565
3566 return file_has_perm(cred, file, FILE__LOCK);
3567}
3568
3569static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3570 unsigned long arg)
3571{
3572 const struct cred *cred = current_cred();
3573 int err = 0;
3574
3575 switch (cmd) {
3576 case F_SETFL:
3577 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3578 err = file_has_perm(cred, file, FILE__WRITE);
3579 break;
3580 }
3581 /* fall through */
3582 case F_SETOWN:
3583 case F_SETSIG:
3584 case F_GETFL:
3585 case F_GETOWN:
3586 case F_GETSIG:
3587 case F_GETOWNER_UIDS:
3588 /* Just check FD__USE permission */
3589 err = file_has_perm(cred, file, 0);
3590 break;
3591 case F_GETLK:
3592 case F_SETLK:
3593 case F_SETLKW:
3594 case F_OFD_GETLK:
3595 case F_OFD_SETLK:
3596 case F_OFD_SETLKW:
3597#if BITS_PER_LONG == 32
3598 case F_GETLK64:
3599 case F_SETLK64:
3600 case F_SETLKW64:
3601#endif
3602 err = file_has_perm(cred, file, FILE__LOCK);
3603 break;
3604 }
3605
3606 return err;
3607}
3608
3609static void selinux_file_set_fowner(struct file *file)
3610{
3611 struct file_security_struct *fsec;
3612
3613 fsec = file->f_security;
3614 fsec->fown_sid = current_sid();
3615}
3616
3617static int selinux_file_send_sigiotask(struct task_struct *tsk,
3618 struct fown_struct *fown, int signum)
3619{
3620 struct file *file;
3621 u32 sid = task_sid(tsk);
3622 u32 perm;
3623 struct file_security_struct *fsec;
3624
3625 /* struct fown_struct is never outside the context of a struct file */
3626 file = container_of(fown, struct file, f_owner);
3627
3628 fsec = file->f_security;
3629
3630 if (!signum)
3631 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3632 else
3633 perm = signal_to_av(signum);
3634
3635 return avc_has_perm(&selinux_state,
3636 fsec->fown_sid, sid,
3637 SECCLASS_PROCESS, perm, NULL);
3638}
3639
3640static int selinux_file_receive(struct file *file)
3641{
3642 const struct cred *cred = current_cred();
3643
3644 return file_has_perm(cred, file, file_to_av(file));
3645}
3646
3647static int selinux_file_open(struct file *file)
3648{
3649 struct file_security_struct *fsec;
3650 struct inode_security_struct *isec;
3651
3652 fsec = file->f_security;
3653 isec = inode_security(file_inode(file));
3654 /*
3655 * Save inode label and policy sequence number
3656 * at open-time so that selinux_file_permission
3657 * can determine whether revalidation is necessary.
3658 * Task label is already saved in the file security
3659 * struct as its SID.
3660 */
3661 fsec->isid = isec->sid;
3662 fsec->pseqno = avc_policy_seqno(&selinux_state);
3663 /*
3664 * Since the inode label or policy seqno may have changed
3665 * between the selinux_inode_permission check and the saving
3666 * of state above, recheck that access is still permitted.
3667 * Otherwise, access might never be revalidated against the
3668 * new inode label or new policy.
3669 * This check is not redundant - do not remove.
3670 */
3671 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3672}
3673
3674/* task security operations */
3675
3676static int selinux_task_alloc(struct task_struct *task,
3677 unsigned long clone_flags)
3678{
3679 u32 sid = current_sid();
3680
3681 return avc_has_perm(&selinux_state,
3682 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3683}
3684
3685/*
3686 * prepare a new set of credentials for modification
3687 */
3688static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3689 gfp_t gfp)
3690{
3691 const struct task_security_struct *old_tsec = selinux_cred(old);
3692 struct task_security_struct *tsec = selinux_cred(new);
3693
3694 *tsec = *old_tsec;
3695 return 0;
3696}
3697
3698/*
3699 * transfer the SELinux data to a blank set of creds
3700 */
3701static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3702{
3703 const struct task_security_struct *old_tsec = selinux_cred(old);
3704 struct task_security_struct *tsec = selinux_cred(new);
3705
3706 *tsec = *old_tsec;
3707}
3708
3709static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3710{
3711 *secid = cred_sid(c);
3712}
3713
3714/*
3715 * set the security data for a kernel service
3716 * - all the creation contexts are set to unlabelled
3717 */
3718static int selinux_kernel_act_as(struct cred *new, u32 secid)
3719{
3720 struct task_security_struct *tsec = selinux_cred(new);
3721 u32 sid = current_sid();
3722 int ret;
3723
3724 ret = avc_has_perm(&selinux_state,
3725 sid, secid,
3726 SECCLASS_KERNEL_SERVICE,
3727 KERNEL_SERVICE__USE_AS_OVERRIDE,
3728 NULL);
3729 if (ret == 0) {
3730 tsec->sid = secid;
3731 tsec->create_sid = 0;
3732 tsec->keycreate_sid = 0;
3733 tsec->sockcreate_sid = 0;
3734 }
3735 return ret;
3736}
3737
3738/*
3739 * set the file creation context in a security record to the same as the
3740 * objective context of the specified inode
3741 */
3742static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3743{
3744 struct inode_security_struct *isec = inode_security(inode);
3745 struct task_security_struct *tsec = selinux_cred(new);
3746 u32 sid = current_sid();
3747 int ret;
3748
3749 ret = avc_has_perm(&selinux_state,
3750 sid, isec->sid,
3751 SECCLASS_KERNEL_SERVICE,
3752 KERNEL_SERVICE__CREATE_FILES_AS,
3753 NULL);
3754
3755 if (ret == 0)
3756 tsec->create_sid = isec->sid;
3757 return ret;
3758}
3759
3760static int selinux_kernel_module_request(char *kmod_name)
3761{
3762 struct common_audit_data ad;
3763
3764 ad.type = LSM_AUDIT_DATA_KMOD;
3765 ad.u.kmod_name = kmod_name;
3766
3767 return avc_has_perm(&selinux_state,
3768 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3769 SYSTEM__MODULE_REQUEST, &ad);
3770}
3771
3772static int selinux_kernel_module_from_file(struct file *file)
3773{
3774 struct common_audit_data ad;
3775 struct inode_security_struct *isec;
3776 struct file_security_struct *fsec;
3777 u32 sid = current_sid();
3778 int rc;
3779
3780 /* init_module */
3781 if (file == NULL)
3782 return avc_has_perm(&selinux_state,
3783 sid, sid, SECCLASS_SYSTEM,
3784 SYSTEM__MODULE_LOAD, NULL);
3785
3786 /* finit_module */
3787
3788 ad.type = LSM_AUDIT_DATA_FILE;
3789 ad.u.file = file;
3790
3791 fsec = file->f_security;
3792 if (sid != fsec->sid) {
3793 rc = avc_has_perm(&selinux_state,
3794 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3795 if (rc)
3796 return rc;
3797 }
3798
3799 isec = inode_security(file_inode(file));
3800 return avc_has_perm(&selinux_state,
3801 sid, isec->sid, SECCLASS_SYSTEM,
3802 SYSTEM__MODULE_LOAD, &ad);
3803}
3804
3805static int selinux_kernel_read_file(struct file *file,
3806 enum kernel_read_file_id id)
3807{
3808 int rc = 0;
3809
3810 switch (id) {
3811 case READING_MODULE:
3812 rc = selinux_kernel_module_from_file(file);
3813 break;
3814 default:
3815 break;
3816 }
3817
3818 return rc;
3819}
3820
3821static int selinux_kernel_load_data(enum kernel_load_data_id id)
3822{
3823 int rc = 0;
3824
3825 switch (id) {
3826 case LOADING_MODULE:
3827 rc = selinux_kernel_module_from_file(NULL);
3828 default:
3829 break;
3830 }
3831
3832 return rc;
3833}
3834
3835static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3836{
3837 return avc_has_perm(&selinux_state,
3838 current_sid(), task_sid(p), SECCLASS_PROCESS,
3839 PROCESS__SETPGID, NULL);
3840}
3841
3842static int selinux_task_getpgid(struct task_struct *p)
3843{
3844 return avc_has_perm(&selinux_state,
3845 current_sid(), task_sid(p), SECCLASS_PROCESS,
3846 PROCESS__GETPGID, NULL);
3847}
3848
3849static int selinux_task_getsid(struct task_struct *p)
3850{
3851 return avc_has_perm(&selinux_state,
3852 current_sid(), task_sid(p), SECCLASS_PROCESS,
3853 PROCESS__GETSESSION, NULL);
3854}
3855
3856static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3857{
3858 *secid = task_sid(p);
3859}
3860
3861static int selinux_task_setnice(struct task_struct *p, int nice)
3862{
3863 return avc_has_perm(&selinux_state,
3864 current_sid(), task_sid(p), SECCLASS_PROCESS,
3865 PROCESS__SETSCHED, NULL);
3866}
3867
3868static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3869{
3870 return avc_has_perm(&selinux_state,
3871 current_sid(), task_sid(p), SECCLASS_PROCESS,
3872 PROCESS__SETSCHED, NULL);
3873}
3874
3875static int selinux_task_getioprio(struct task_struct *p)
3876{
3877 return avc_has_perm(&selinux_state,
3878 current_sid(), task_sid(p), SECCLASS_PROCESS,
3879 PROCESS__GETSCHED, NULL);
3880}
3881
3882static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3883 unsigned int flags)
3884{
3885 u32 av = 0;
3886
3887 if (!flags)
3888 return 0;
3889 if (flags & LSM_PRLIMIT_WRITE)
3890 av |= PROCESS__SETRLIMIT;
3891 if (flags & LSM_PRLIMIT_READ)
3892 av |= PROCESS__GETRLIMIT;
3893 return avc_has_perm(&selinux_state,
3894 cred_sid(cred), cred_sid(tcred),
3895 SECCLASS_PROCESS, av, NULL);
3896}
3897
3898static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3899 struct rlimit *new_rlim)
3900{
3901 struct rlimit *old_rlim = p->signal->rlim + resource;
3902
3903 /* Control the ability to change the hard limit (whether
3904 lowering or raising it), so that the hard limit can
3905 later be used as a safe reset point for the soft limit
3906 upon context transitions. See selinux_bprm_committing_creds. */
3907 if (old_rlim->rlim_max != new_rlim->rlim_max)
3908 return avc_has_perm(&selinux_state,
3909 current_sid(), task_sid(p),
3910 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
3911
3912 return 0;
3913}
3914
3915static int selinux_task_setscheduler(struct task_struct *p)
3916{
3917 return avc_has_perm(&selinux_state,
3918 current_sid(), task_sid(p), SECCLASS_PROCESS,
3919 PROCESS__SETSCHED, NULL);
3920}
3921
3922static int selinux_task_getscheduler(struct task_struct *p)
3923{
3924 return avc_has_perm(&selinux_state,
3925 current_sid(), task_sid(p), SECCLASS_PROCESS,
3926 PROCESS__GETSCHED, NULL);
3927}
3928
3929static int selinux_task_movememory(struct task_struct *p)
3930{
3931 return avc_has_perm(&selinux_state,
3932 current_sid(), task_sid(p), SECCLASS_PROCESS,
3933 PROCESS__SETSCHED, NULL);
3934}
3935
3936static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
3937 int sig, const struct cred *cred)
3938{
3939 u32 secid;
3940 u32 perm;
3941
3942 if (!sig)
3943 perm = PROCESS__SIGNULL; /* null signal; existence test */
3944 else
3945 perm = signal_to_av(sig);
3946 if (!cred)
3947 secid = current_sid();
3948 else
3949 secid = cred_sid(cred);
3950 return avc_has_perm(&selinux_state,
3951 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
3952}
3953
3954static void selinux_task_to_inode(struct task_struct *p,
3955 struct inode *inode)
3956{
3957 struct inode_security_struct *isec = inode->i_security;
3958 u32 sid = task_sid(p);
3959
3960 spin_lock(&isec->lock);
3961 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3962 isec->sid = sid;
3963 isec->initialized = LABEL_INITIALIZED;
3964 spin_unlock(&isec->lock);
3965}
3966
3967/* Returns error only if unable to parse addresses */
3968static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3969 struct common_audit_data *ad, u8 *proto)
3970{
3971 int offset, ihlen, ret = -EINVAL;
3972 struct iphdr _iph, *ih;
3973
3974 offset = skb_network_offset(skb);
3975 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3976 if (ih == NULL)
3977 goto out;
3978
3979 ihlen = ih->ihl * 4;
3980 if (ihlen < sizeof(_iph))
3981 goto out;
3982
3983 ad->u.net->v4info.saddr = ih->saddr;
3984 ad->u.net->v4info.daddr = ih->daddr;
3985 ret = 0;
3986
3987 if (proto)
3988 *proto = ih->protocol;
3989
3990 switch (ih->protocol) {
3991 case IPPROTO_TCP: {
3992 struct tcphdr _tcph, *th;
3993
3994 if (ntohs(ih->frag_off) & IP_OFFSET)
3995 break;
3996
3997 offset += ihlen;
3998 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3999 if (th == NULL)
4000 break;
4001
4002 ad->u.net->sport = th->source;
4003 ad->u.net->dport = th->dest;
4004 break;
4005 }
4006
4007 case IPPROTO_UDP: {
4008 struct udphdr _udph, *uh;
4009
4010 if (ntohs(ih->frag_off) & IP_OFFSET)
4011 break;
4012
4013 offset += ihlen;
4014 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4015 if (uh == NULL)
4016 break;
4017
4018 ad->u.net->sport = uh->source;
4019 ad->u.net->dport = uh->dest;
4020 break;
4021 }
4022
4023 case IPPROTO_DCCP: {
4024 struct dccp_hdr _dccph, *dh;
4025
4026 if (ntohs(ih->frag_off) & IP_OFFSET)
4027 break;
4028
4029 offset += ihlen;
4030 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4031 if (dh == NULL)
4032 break;
4033
4034 ad->u.net->sport = dh->dccph_sport;
4035 ad->u.net->dport = dh->dccph_dport;
4036 break;
4037 }
4038
4039#if IS_ENABLED(CONFIG_IP_SCTP)
4040 case IPPROTO_SCTP: {
4041 struct sctphdr _sctph, *sh;
4042
4043 if (ntohs(ih->frag_off) & IP_OFFSET)
4044 break;
4045
4046 offset += ihlen;
4047 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4048 if (sh == NULL)
4049 break;
4050
4051 ad->u.net->sport = sh->source;
4052 ad->u.net->dport = sh->dest;
4053 break;
4054 }
4055#endif
4056 default:
4057 break;
4058 }
4059out:
4060 return ret;
4061}
4062
4063#if IS_ENABLED(CONFIG_IPV6)
4064
4065/* Returns error only if unable to parse addresses */
4066static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4067 struct common_audit_data *ad, u8 *proto)
4068{
4069 u8 nexthdr;
4070 int ret = -EINVAL, offset;
4071 struct ipv6hdr _ipv6h, *ip6;
4072 __be16 frag_off;
4073
4074 offset = skb_network_offset(skb);
4075 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4076 if (ip6 == NULL)
4077 goto out;
4078
4079 ad->u.net->v6info.saddr = ip6->saddr;
4080 ad->u.net->v6info.daddr = ip6->daddr;
4081 ret = 0;
4082
4083 nexthdr = ip6->nexthdr;
4084 offset += sizeof(_ipv6h);
4085 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4086 if (offset < 0)
4087 goto out;
4088
4089 if (proto)
4090 *proto = nexthdr;
4091
4092 switch (nexthdr) {
4093 case IPPROTO_TCP: {
4094 struct tcphdr _tcph, *th;
4095
4096 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4097 if (th == NULL)
4098 break;
4099
4100 ad->u.net->sport = th->source;
4101 ad->u.net->dport = th->dest;
4102 break;
4103 }
4104
4105 case IPPROTO_UDP: {
4106 struct udphdr _udph, *uh;
4107
4108 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4109 if (uh == NULL)
4110 break;
4111
4112 ad->u.net->sport = uh->source;
4113 ad->u.net->dport = uh->dest;
4114 break;
4115 }
4116
4117 case IPPROTO_DCCP: {
4118 struct dccp_hdr _dccph, *dh;
4119
4120 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4121 if (dh == NULL)
4122 break;
4123
4124 ad->u.net->sport = dh->dccph_sport;
4125 ad->u.net->dport = dh->dccph_dport;
4126 break;
4127 }
4128
4129#if IS_ENABLED(CONFIG_IP_SCTP)
4130 case IPPROTO_SCTP: {
4131 struct sctphdr _sctph, *sh;
4132
4133 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4134 if (sh == NULL)
4135 break;
4136
4137 ad->u.net->sport = sh->source;
4138 ad->u.net->dport = sh->dest;
4139 break;
4140 }
4141#endif
4142 /* includes fragments */
4143 default:
4144 break;
4145 }
4146out:
4147 return ret;
4148}
4149
4150#endif /* IPV6 */
4151
4152static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4153 char **_addrp, int src, u8 *proto)
4154{
4155 char *addrp;
4156 int ret;
4157
4158 switch (ad->u.net->family) {
4159 case PF_INET:
4160 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4161 if (ret)
4162 goto parse_error;
4163 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4164 &ad->u.net->v4info.daddr);
4165 goto okay;
4166
4167#if IS_ENABLED(CONFIG_IPV6)
4168 case PF_INET6:
4169 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4170 if (ret)
4171 goto parse_error;
4172 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4173 &ad->u.net->v6info.daddr);
4174 goto okay;
4175#endif /* IPV6 */
4176 default:
4177 addrp = NULL;
4178 goto okay;
4179 }
4180
4181parse_error:
4182 pr_warn(
4183 "SELinux: failure in selinux_parse_skb(),"
4184 " unable to parse packet\n");
4185 return ret;
4186
4187okay:
4188 if (_addrp)
4189 *_addrp = addrp;
4190 return 0;
4191}
4192
4193/**
4194 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4195 * @skb: the packet
4196 * @family: protocol family
4197 * @sid: the packet's peer label SID
4198 *
4199 * Description:
4200 * Check the various different forms of network peer labeling and determine
4201 * the peer label/SID for the packet; most of the magic actually occurs in
4202 * the security server function security_net_peersid_cmp(). The function
4203 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4204 * or -EACCES if @sid is invalid due to inconsistencies with the different
4205 * peer labels.
4206 *
4207 */
4208static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4209{
4210 int err;
4211 u32 xfrm_sid;
4212 u32 nlbl_sid;
4213 u32 nlbl_type;
4214
4215 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4216 if (unlikely(err))
4217 return -EACCES;
4218 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4219 if (unlikely(err))
4220 return -EACCES;
4221
4222 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4223 nlbl_type, xfrm_sid, sid);
4224 if (unlikely(err)) {
4225 pr_warn(
4226 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4227 " unable to determine packet's peer label\n");
4228 return -EACCES;
4229 }
4230
4231 return 0;
4232}
4233
4234/**
4235 * selinux_conn_sid - Determine the child socket label for a connection
4236 * @sk_sid: the parent socket's SID
4237 * @skb_sid: the packet's SID
4238 * @conn_sid: the resulting connection SID
4239 *
4240 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4241 * combined with the MLS information from @skb_sid in order to create
4242 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4243 * of @sk_sid. Returns zero on success, negative values on failure.
4244 *
4245 */
4246static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4247{
4248 int err = 0;
4249
4250 if (skb_sid != SECSID_NULL)
4251 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4252 conn_sid);
4253 else
4254 *conn_sid = sk_sid;
4255
4256 return err;
4257}
4258
4259/* socket security operations */
4260
4261static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4262 u16 secclass, u32 *socksid)
4263{
4264 if (tsec->sockcreate_sid > SECSID_NULL) {
4265 *socksid = tsec->sockcreate_sid;
4266 return 0;
4267 }
4268
4269 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4270 secclass, NULL, socksid);
4271}
4272
4273static int sock_has_perm(struct sock *sk, u32 perms)
4274{
4275 struct sk_security_struct *sksec = sk->sk_security;
4276 struct common_audit_data ad;
4277 struct lsm_network_audit net = {0,};
4278
4279 if (sksec->sid == SECINITSID_KERNEL)
4280 return 0;
4281
4282 ad.type = LSM_AUDIT_DATA_NET;
4283 ad.u.net = &net;
4284 ad.u.net->sk = sk;
4285
4286 return avc_has_perm(&selinux_state,
4287 current_sid(), sksec->sid, sksec->sclass, perms,
4288 &ad);
4289}
4290
4291static int selinux_socket_create(int family, int type,
4292 int protocol, int kern)
4293{
4294 const struct task_security_struct *tsec = selinux_cred(current_cred());
4295 u32 newsid;
4296 u16 secclass;
4297 int rc;
4298
4299 if (kern)
4300 return 0;
4301
4302 secclass = socket_type_to_security_class(family, type, protocol);
4303 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4304 if (rc)
4305 return rc;
4306
4307 return avc_has_perm(&selinux_state,
4308 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4309}
4310
4311static int selinux_socket_post_create(struct socket *sock, int family,
4312 int type, int protocol, int kern)
4313{
4314 const struct task_security_struct *tsec = selinux_cred(current_cred());
4315 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4316 struct sk_security_struct *sksec;
4317 u16 sclass = socket_type_to_security_class(family, type, protocol);
4318 u32 sid = SECINITSID_KERNEL;
4319 int err = 0;
4320
4321 if (!kern) {
4322 err = socket_sockcreate_sid(tsec, sclass, &sid);
4323 if (err)
4324 return err;
4325 }
4326
4327 isec->sclass = sclass;
4328 isec->sid = sid;
4329 isec->initialized = LABEL_INITIALIZED;
4330
4331 if (sock->sk) {
4332 sksec = sock->sk->sk_security;
4333 sksec->sclass = sclass;
4334 sksec->sid = sid;
4335 /* Allows detection of the first association on this socket */
4336 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4337 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4338
4339 err = selinux_netlbl_socket_post_create(sock->sk, family);
4340 }
4341
4342 return err;
4343}
4344
4345static int selinux_socket_socketpair(struct socket *socka,
4346 struct socket *sockb)
4347{
4348 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4349 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4350
4351 sksec_a->peer_sid = sksec_b->sid;
4352 sksec_b->peer_sid = sksec_a->sid;
4353
4354 return 0;
4355}
4356
4357/* Range of port numbers used to automatically bind.
4358 Need to determine whether we should perform a name_bind
4359 permission check between the socket and the port number. */
4360
4361static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4362{
4363 struct sock *sk = sock->sk;
4364 struct sk_security_struct *sksec = sk->sk_security;
4365 u16 family;
4366 int err;
4367
4368 err = sock_has_perm(sk, SOCKET__BIND);
4369 if (err)
4370 goto out;
4371
4372 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4373 family = sk->sk_family;
4374 if (family == PF_INET || family == PF_INET6) {
4375 char *addrp;
4376 struct common_audit_data ad;
4377 struct lsm_network_audit net = {0,};
4378 struct sockaddr_in *addr4 = NULL;
4379 struct sockaddr_in6 *addr6 = NULL;
4380 u16 family_sa = address->sa_family;
4381 unsigned short snum;
4382 u32 sid, node_perm;
4383
4384 /*
4385 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4386 * that validates multiple binding addresses. Because of this
4387 * need to check address->sa_family as it is possible to have
4388 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4389 */
4390 switch (family_sa) {
4391 case AF_UNSPEC:
4392 case AF_INET:
4393 if (addrlen < sizeof(struct sockaddr_in))
4394 return -EINVAL;
4395 addr4 = (struct sockaddr_in *)address;
4396 if (family_sa == AF_UNSPEC) {
4397 /* see __inet_bind(), we only want to allow
4398 * AF_UNSPEC if the address is INADDR_ANY
4399 */
4400 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4401 goto err_af;
4402 family_sa = AF_INET;
4403 }
4404 snum = ntohs(addr4->sin_port);
4405 addrp = (char *)&addr4->sin_addr.s_addr;
4406 break;
4407 case AF_INET6:
4408 if (addrlen < SIN6_LEN_RFC2133)
4409 return -EINVAL;
4410 addr6 = (struct sockaddr_in6 *)address;
4411 snum = ntohs(addr6->sin6_port);
4412 addrp = (char *)&addr6->sin6_addr.s6_addr;
4413 break;
4414 default:
4415 goto err_af;
4416 }
4417
4418 ad.type = LSM_AUDIT_DATA_NET;
4419 ad.u.net = &net;
4420 ad.u.net->sport = htons(snum);
4421 ad.u.net->family = family_sa;
4422
4423 if (snum) {
4424 int low, high;
4425
4426 inet_get_local_port_range(sock_net(sk), &low, &high);
4427
4428 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4429 snum > high) {
4430 err = sel_netport_sid(sk->sk_protocol,
4431 snum, &sid);
4432 if (err)
4433 goto out;
4434 err = avc_has_perm(&selinux_state,
4435 sksec->sid, sid,
4436 sksec->sclass,
4437 SOCKET__NAME_BIND, &ad);
4438 if (err)
4439 goto out;
4440 }
4441 }
4442
4443 switch (sksec->sclass) {
4444 case SECCLASS_TCP_SOCKET:
4445 node_perm = TCP_SOCKET__NODE_BIND;
4446 break;
4447
4448 case SECCLASS_UDP_SOCKET:
4449 node_perm = UDP_SOCKET__NODE_BIND;
4450 break;
4451
4452 case SECCLASS_DCCP_SOCKET:
4453 node_perm = DCCP_SOCKET__NODE_BIND;
4454 break;
4455
4456 case SECCLASS_SCTP_SOCKET:
4457 node_perm = SCTP_SOCKET__NODE_BIND;
4458 break;
4459
4460 default:
4461 node_perm = RAWIP_SOCKET__NODE_BIND;
4462 break;
4463 }
4464
4465 err = sel_netnode_sid(addrp, family_sa, &sid);
4466 if (err)
4467 goto out;
4468
4469 if (family_sa == AF_INET)
4470 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4471 else
4472 ad.u.net->v6info.saddr = addr6->sin6_addr;
4473
4474 err = avc_has_perm(&selinux_state,
4475 sksec->sid, sid,
4476 sksec->sclass, node_perm, &ad);
4477 if (err)
4478 goto out;
4479 }
4480out:
4481 return err;
4482err_af:
4483 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4484 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4485 return -EINVAL;
4486 return -EAFNOSUPPORT;
4487}
4488
4489/* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4490 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
4491 */
4492static int selinux_socket_connect_helper(struct socket *sock,
4493 struct sockaddr *address, int addrlen)
4494{
4495 struct sock *sk = sock->sk;
4496 struct sk_security_struct *sksec = sk->sk_security;
4497 int err;
4498
4499 err = sock_has_perm(sk, SOCKET__CONNECT);
4500 if (err)
4501 return err;
4502
4503 /*
4504 * If a TCP, DCCP or SCTP socket, check name_connect permission
4505 * for the port.
4506 */
4507 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4508 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4509 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4510 struct common_audit_data ad;
4511 struct lsm_network_audit net = {0,};
4512 struct sockaddr_in *addr4 = NULL;
4513 struct sockaddr_in6 *addr6 = NULL;
4514 unsigned short snum;
4515 u32 sid, perm;
4516
4517 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4518 * that validates multiple connect addresses. Because of this
4519 * need to check address->sa_family as it is possible to have
4520 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4521 */
4522 switch (address->sa_family) {
4523 case AF_INET:
4524 addr4 = (struct sockaddr_in *)address;
4525 if (addrlen < sizeof(struct sockaddr_in))
4526 return -EINVAL;
4527 snum = ntohs(addr4->sin_port);
4528 break;
4529 case AF_INET6:
4530 addr6 = (struct sockaddr_in6 *)address;
4531 if (addrlen < SIN6_LEN_RFC2133)
4532 return -EINVAL;
4533 snum = ntohs(addr6->sin6_port);
4534 break;
4535 default:
4536 /* Note that SCTP services expect -EINVAL, whereas
4537 * others expect -EAFNOSUPPORT.
4538 */
4539 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4540 return -EINVAL;
4541 else
4542 return -EAFNOSUPPORT;
4543 }
4544
4545 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4546 if (err)
4547 return err;
4548
4549 switch (sksec->sclass) {
4550 case SECCLASS_TCP_SOCKET:
4551 perm = TCP_SOCKET__NAME_CONNECT;
4552 break;
4553 case SECCLASS_DCCP_SOCKET:
4554 perm = DCCP_SOCKET__NAME_CONNECT;
4555 break;
4556 case SECCLASS_SCTP_SOCKET:
4557 perm = SCTP_SOCKET__NAME_CONNECT;
4558 break;
4559 }
4560
4561 ad.type = LSM_AUDIT_DATA_NET;
4562 ad.u.net = &net;
4563 ad.u.net->dport = htons(snum);
4564 ad.u.net->family = address->sa_family;
4565 err = avc_has_perm(&selinux_state,
4566 sksec->sid, sid, sksec->sclass, perm, &ad);
4567 if (err)
4568 return err;
4569 }
4570
4571 return 0;
4572}
4573
4574/* Supports connect(2), see comments in selinux_socket_connect_helper() */
4575static int selinux_socket_connect(struct socket *sock,
4576 struct sockaddr *address, int addrlen)
4577{
4578 int err;
4579 struct sock *sk = sock->sk;
4580
4581 err = selinux_socket_connect_helper(sock, address, addrlen);
4582 if (err)
4583 return err;
4584
4585 return selinux_netlbl_socket_connect(sk, address);
4586}
4587
4588static int selinux_socket_listen(struct socket *sock, int backlog)
4589{
4590 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4591}
4592
4593static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4594{
4595 int err;
4596 struct inode_security_struct *isec;
4597 struct inode_security_struct *newisec;
4598 u16 sclass;
4599 u32 sid;
4600
4601 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4602 if (err)
4603 return err;
4604
4605 isec = inode_security_novalidate(SOCK_INODE(sock));
4606 spin_lock(&isec->lock);
4607 sclass = isec->sclass;
4608 sid = isec->sid;
4609 spin_unlock(&isec->lock);
4610
4611 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4612 newisec->sclass = sclass;
4613 newisec->sid = sid;
4614 newisec->initialized = LABEL_INITIALIZED;
4615
4616 return 0;
4617}
4618
4619static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4620 int size)
4621{
4622 return sock_has_perm(sock->sk, SOCKET__WRITE);
4623}
4624
4625static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4626 int size, int flags)
4627{
4628 return sock_has_perm(sock->sk, SOCKET__READ);
4629}
4630
4631static int selinux_socket_getsockname(struct socket *sock)
4632{
4633 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4634}
4635
4636static int selinux_socket_getpeername(struct socket *sock)
4637{
4638 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4639}
4640
4641static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4642{
4643 int err;
4644
4645 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4646 if (err)
4647 return err;
4648
4649 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4650}
4651
4652static int selinux_socket_getsockopt(struct socket *sock, int level,
4653 int optname)
4654{
4655 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4656}
4657
4658static int selinux_socket_shutdown(struct socket *sock, int how)
4659{
4660 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4661}
4662
4663static int selinux_socket_unix_stream_connect(struct sock *sock,
4664 struct sock *other,
4665 struct sock *newsk)
4666{
4667 struct sk_security_struct *sksec_sock = sock->sk_security;
4668 struct sk_security_struct *sksec_other = other->sk_security;
4669 struct sk_security_struct *sksec_new = newsk->sk_security;
4670 struct common_audit_data ad;
4671 struct lsm_network_audit net = {0,};
4672 int err;
4673
4674 ad.type = LSM_AUDIT_DATA_NET;
4675 ad.u.net = &net;
4676 ad.u.net->sk = other;
4677
4678 err = avc_has_perm(&selinux_state,
4679 sksec_sock->sid, sksec_other->sid,
4680 sksec_other->sclass,
4681 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4682 if (err)
4683 return err;
4684
4685 /* server child socket */
4686 sksec_new->peer_sid = sksec_sock->sid;
4687 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4688 sksec_sock->sid, &sksec_new->sid);
4689 if (err)
4690 return err;
4691
4692 /* connecting socket */
4693 sksec_sock->peer_sid = sksec_new->sid;
4694
4695 return 0;
4696}
4697
4698static int selinux_socket_unix_may_send(struct socket *sock,
4699 struct socket *other)
4700{
4701 struct sk_security_struct *ssec = sock->sk->sk_security;
4702 struct sk_security_struct *osec = other->sk->sk_security;
4703 struct common_audit_data ad;
4704 struct lsm_network_audit net = {0,};
4705
4706 ad.type = LSM_AUDIT_DATA_NET;
4707 ad.u.net = &net;
4708 ad.u.net->sk = other->sk;
4709
4710 return avc_has_perm(&selinux_state,
4711 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4712 &ad);
4713}
4714
4715static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4716 char *addrp, u16 family, u32 peer_sid,
4717 struct common_audit_data *ad)
4718{
4719 int err;
4720 u32 if_sid;
4721 u32 node_sid;
4722
4723 err = sel_netif_sid(ns, ifindex, &if_sid);
4724 if (err)
4725 return err;
4726 err = avc_has_perm(&selinux_state,
4727 peer_sid, if_sid,
4728 SECCLASS_NETIF, NETIF__INGRESS, ad);
4729 if (err)
4730 return err;
4731
4732 err = sel_netnode_sid(addrp, family, &node_sid);
4733 if (err)
4734 return err;
4735 return avc_has_perm(&selinux_state,
4736 peer_sid, node_sid,
4737 SECCLASS_NODE, NODE__RECVFROM, ad);
4738}
4739
4740static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4741 u16 family)
4742{
4743 int err = 0;
4744 struct sk_security_struct *sksec = sk->sk_security;
4745 u32 sk_sid = sksec->sid;
4746 struct common_audit_data ad;
4747 struct lsm_network_audit net = {0,};
4748 char *addrp;
4749
4750 ad.type = LSM_AUDIT_DATA_NET;
4751 ad.u.net = &net;
4752 ad.u.net->netif = skb->skb_iif;
4753 ad.u.net->family = family;
4754 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4755 if (err)
4756 return err;
4757
4758 if (selinux_secmark_enabled()) {
4759 err = avc_has_perm(&selinux_state,
4760 sk_sid, skb->secmark, SECCLASS_PACKET,
4761 PACKET__RECV, &ad);
4762 if (err)
4763 return err;
4764 }
4765
4766 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4767 if (err)
4768 return err;
4769 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4770
4771 return err;
4772}
4773
4774static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4775{
4776 int err;
4777 struct sk_security_struct *sksec = sk->sk_security;
4778 u16 family = sk->sk_family;
4779 u32 sk_sid = sksec->sid;
4780 struct common_audit_data ad;
4781 struct lsm_network_audit net = {0,};
4782 char *addrp;
4783 u8 secmark_active;
4784 u8 peerlbl_active;
4785
4786 if (family != PF_INET && family != PF_INET6)
4787 return 0;
4788
4789 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4790 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4791 family = PF_INET;
4792
4793 /* If any sort of compatibility mode is enabled then handoff processing
4794 * to the selinux_sock_rcv_skb_compat() function to deal with the
4795 * special handling. We do this in an attempt to keep this function
4796 * as fast and as clean as possible. */
4797 if (!selinux_policycap_netpeer())
4798 return selinux_sock_rcv_skb_compat(sk, skb, family);
4799
4800 secmark_active = selinux_secmark_enabled();
4801 peerlbl_active = selinux_peerlbl_enabled();
4802 if (!secmark_active && !peerlbl_active)
4803 return 0;
4804
4805 ad.type = LSM_AUDIT_DATA_NET;
4806 ad.u.net = &net;
4807 ad.u.net->netif = skb->skb_iif;
4808 ad.u.net->family = family;
4809 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4810 if (err)
4811 return err;
4812
4813 if (peerlbl_active) {
4814 u32 peer_sid;
4815
4816 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4817 if (err)
4818 return err;
4819 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4820 addrp, family, peer_sid, &ad);
4821 if (err) {
4822 selinux_netlbl_err(skb, family, err, 0);
4823 return err;
4824 }
4825 err = avc_has_perm(&selinux_state,
4826 sk_sid, peer_sid, SECCLASS_PEER,
4827 PEER__RECV, &ad);
4828 if (err) {
4829 selinux_netlbl_err(skb, family, err, 0);
4830 return err;
4831 }
4832 }
4833
4834 if (secmark_active) {
4835 err = avc_has_perm(&selinux_state,
4836 sk_sid, skb->secmark, SECCLASS_PACKET,
4837 PACKET__RECV, &ad);
4838 if (err)
4839 return err;
4840 }
4841
4842 return err;
4843}
4844
4845static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4846 int __user *optlen, unsigned len)
4847{
4848 int err = 0;
4849 char *scontext;
4850 u32 scontext_len;
4851 struct sk_security_struct *sksec = sock->sk->sk_security;
4852 u32 peer_sid = SECSID_NULL;
4853
4854 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4855 sksec->sclass == SECCLASS_TCP_SOCKET ||
4856 sksec->sclass == SECCLASS_SCTP_SOCKET)
4857 peer_sid = sksec->peer_sid;
4858 if (peer_sid == SECSID_NULL)
4859 return -ENOPROTOOPT;
4860
4861 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
4862 &scontext_len);
4863 if (err)
4864 return err;
4865
4866 if (scontext_len > len) {
4867 err = -ERANGE;
4868 goto out_len;
4869 }
4870
4871 if (copy_to_user(optval, scontext, scontext_len))
4872 err = -EFAULT;
4873
4874out_len:
4875 if (put_user(scontext_len, optlen))
4876 err = -EFAULT;
4877 kfree(scontext);
4878 return err;
4879}
4880
4881static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4882{
4883 u32 peer_secid = SECSID_NULL;
4884 u16 family;
4885 struct inode_security_struct *isec;
4886
4887 if (skb && skb->protocol == htons(ETH_P_IP))
4888 family = PF_INET;
4889 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4890 family = PF_INET6;
4891 else if (sock)
4892 family = sock->sk->sk_family;
4893 else
4894 goto out;
4895
4896 if (sock && family == PF_UNIX) {
4897 isec = inode_security_novalidate(SOCK_INODE(sock));
4898 peer_secid = isec->sid;
4899 } else if (skb)
4900 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4901
4902out:
4903 *secid = peer_secid;
4904 if (peer_secid == SECSID_NULL)
4905 return -EINVAL;
4906 return 0;
4907}
4908
4909static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4910{
4911 struct sk_security_struct *sksec;
4912
4913 sksec = kzalloc(sizeof(*sksec), priority);
4914 if (!sksec)
4915 return -ENOMEM;
4916
4917 sksec->peer_sid = SECINITSID_UNLABELED;
4918 sksec->sid = SECINITSID_UNLABELED;
4919 sksec->sclass = SECCLASS_SOCKET;
4920 selinux_netlbl_sk_security_reset(sksec);
4921 sk->sk_security = sksec;
4922
4923 return 0;
4924}
4925
4926static void selinux_sk_free_security(struct sock *sk)
4927{
4928 struct sk_security_struct *sksec = sk->sk_security;
4929
4930 sk->sk_security = NULL;
4931 selinux_netlbl_sk_security_free(sksec);
4932 kfree(sksec);
4933}
4934
4935static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4936{
4937 struct sk_security_struct *sksec = sk->sk_security;
4938 struct sk_security_struct *newsksec = newsk->sk_security;
4939
4940 newsksec->sid = sksec->sid;
4941 newsksec->peer_sid = sksec->peer_sid;
4942 newsksec->sclass = sksec->sclass;
4943
4944 selinux_netlbl_sk_security_reset(newsksec);
4945}
4946
4947static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4948{
4949 if (!sk)
4950 *secid = SECINITSID_ANY_SOCKET;
4951 else {
4952 struct sk_security_struct *sksec = sk->sk_security;
4953
4954 *secid = sksec->sid;
4955 }
4956}
4957
4958static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4959{
4960 struct inode_security_struct *isec =
4961 inode_security_novalidate(SOCK_INODE(parent));
4962 struct sk_security_struct *sksec = sk->sk_security;
4963
4964 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4965 sk->sk_family == PF_UNIX)
4966 isec->sid = sksec->sid;
4967 sksec->sclass = isec->sclass;
4968}
4969
4970/* Called whenever SCTP receives an INIT chunk. This happens when an incoming
4971 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
4972 * already present).
4973 */
4974static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
4975 struct sk_buff *skb)
4976{
4977 struct sk_security_struct *sksec = ep->base.sk->sk_security;
4978 struct common_audit_data ad;
4979 struct lsm_network_audit net = {0,};
4980 u8 peerlbl_active;
4981 u32 peer_sid = SECINITSID_UNLABELED;
4982 u32 conn_sid;
4983 int err = 0;
4984
4985 if (!selinux_policycap_extsockclass())
4986 return 0;
4987
4988 peerlbl_active = selinux_peerlbl_enabled();
4989
4990 if (peerlbl_active) {
4991 /* This will return peer_sid = SECSID_NULL if there are
4992 * no peer labels, see security_net_peersid_resolve().
4993 */
4994 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
4995 &peer_sid);
4996 if (err)
4997 return err;
4998
4999 if (peer_sid == SECSID_NULL)
5000 peer_sid = SECINITSID_UNLABELED;
5001 }
5002
5003 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5004 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5005
5006 /* Here as first association on socket. As the peer SID
5007 * was allowed by peer recv (and the netif/node checks),
5008 * then it is approved by policy and used as the primary
5009 * peer SID for getpeercon(3).
5010 */
5011 sksec->peer_sid = peer_sid;
5012 } else if (sksec->peer_sid != peer_sid) {
5013 /* Other association peer SIDs are checked to enforce
5014 * consistency among the peer SIDs.
5015 */
5016 ad.type = LSM_AUDIT_DATA_NET;
5017 ad.u.net = &net;
5018 ad.u.net->sk = ep->base.sk;
5019 err = avc_has_perm(&selinux_state,
5020 sksec->peer_sid, peer_sid, sksec->sclass,
5021 SCTP_SOCKET__ASSOCIATION, &ad);
5022 if (err)
5023 return err;
5024 }
5025
5026 /* Compute the MLS component for the connection and store
5027 * the information in ep. This will be used by SCTP TCP type
5028 * sockets and peeled off connections as they cause a new
5029 * socket to be generated. selinux_sctp_sk_clone() will then
5030 * plug this into the new socket.
5031 */
5032 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5033 if (err)
5034 return err;
5035
5036 ep->secid = conn_sid;
5037 ep->peer_secid = peer_sid;
5038
5039 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5040 return selinux_netlbl_sctp_assoc_request(ep, skb);
5041}
5042
5043/* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5044 * based on their @optname.
5045 */
5046static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5047 struct sockaddr *address,
5048 int addrlen)
5049{
5050 int len, err = 0, walk_size = 0;
5051 void *addr_buf;
5052 struct sockaddr *addr;
5053 struct socket *sock;
5054
5055 if (!selinux_policycap_extsockclass())
5056 return 0;
5057
5058 /* Process one or more addresses that may be IPv4 or IPv6 */
5059 sock = sk->sk_socket;
5060 addr_buf = address;
5061
5062 while (walk_size < addrlen) {
5063 if (walk_size + sizeof(sa_family_t) > addrlen)
5064 return -EINVAL;
5065
5066 addr = addr_buf;
5067 switch (addr->sa_family) {
5068 case AF_UNSPEC:
5069 case AF_INET:
5070 len = sizeof(struct sockaddr_in);
5071 break;
5072 case AF_INET6:
5073 len = sizeof(struct sockaddr_in6);
5074 break;
5075 default:
5076 return -EINVAL;
5077 }
5078
5079 err = -EINVAL;
5080 switch (optname) {
5081 /* Bind checks */
5082 case SCTP_PRIMARY_ADDR:
5083 case SCTP_SET_PEER_PRIMARY_ADDR:
5084 case SCTP_SOCKOPT_BINDX_ADD:
5085 err = selinux_socket_bind(sock, addr, len);
5086 break;
5087 /* Connect checks */
5088 case SCTP_SOCKOPT_CONNECTX:
5089 case SCTP_PARAM_SET_PRIMARY:
5090 case SCTP_PARAM_ADD_IP:
5091 case SCTP_SENDMSG_CONNECT:
5092 err = selinux_socket_connect_helper(sock, addr, len);
5093 if (err)
5094 return err;
5095
5096 /* As selinux_sctp_bind_connect() is called by the
5097 * SCTP protocol layer, the socket is already locked,
5098 * therefore selinux_netlbl_socket_connect_locked() is
5099 * is called here. The situations handled are:
5100 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5101 * whenever a new IP address is added or when a new
5102 * primary address is selected.
5103 * Note that an SCTP connect(2) call happens before
5104 * the SCTP protocol layer and is handled via
5105 * selinux_socket_connect().
5106 */
5107 err = selinux_netlbl_socket_connect_locked(sk, addr);
5108 break;
5109 }
5110
5111 if (err)
5112 return err;
5113
5114 addr_buf += len;
5115 walk_size += len;
5116 }
5117
5118 return 0;
5119}
5120
5121/* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5122static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5123 struct sock *newsk)
5124{
5125 struct sk_security_struct *sksec = sk->sk_security;
5126 struct sk_security_struct *newsksec = newsk->sk_security;
5127
5128 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5129 * the non-sctp clone version.
5130 */
5131 if (!selinux_policycap_extsockclass())
5132 return selinux_sk_clone_security(sk, newsk);
5133
5134 newsksec->sid = ep->secid;
5135 newsksec->peer_sid = ep->peer_secid;
5136 newsksec->sclass = sksec->sclass;
5137 selinux_netlbl_sctp_sk_clone(sk, newsk);
5138}
5139
5140static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5141 struct request_sock *req)
5142{
5143 struct sk_security_struct *sksec = sk->sk_security;
5144 int err;
5145 u16 family = req->rsk_ops->family;
5146 u32 connsid;
5147 u32 peersid;
5148
5149 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5150 if (err)
5151 return err;
5152 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5153 if (err)
5154 return err;
5155 req->secid = connsid;
5156 req->peer_secid = peersid;
5157
5158 return selinux_netlbl_inet_conn_request(req, family);
5159}
5160
5161static void selinux_inet_csk_clone(struct sock *newsk,
5162 const struct request_sock *req)
5163{
5164 struct sk_security_struct *newsksec = newsk->sk_security;
5165
5166 newsksec->sid = req->secid;
5167 newsksec->peer_sid = req->peer_secid;
5168 /* NOTE: Ideally, we should also get the isec->sid for the
5169 new socket in sync, but we don't have the isec available yet.
5170 So we will wait until sock_graft to do it, by which
5171 time it will have been created and available. */
5172
5173 /* We don't need to take any sort of lock here as we are the only
5174 * thread with access to newsksec */
5175 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5176}
5177
5178static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5179{
5180 u16 family = sk->sk_family;
5181 struct sk_security_struct *sksec = sk->sk_security;
5182
5183 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5184 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5185 family = PF_INET;
5186
5187 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5188}
5189
5190static int selinux_secmark_relabel_packet(u32 sid)
5191{
5192 const struct task_security_struct *__tsec;
5193 u32 tsid;
5194
5195 __tsec = selinux_cred(current_cred());
5196 tsid = __tsec->sid;
5197
5198 return avc_has_perm(&selinux_state,
5199 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5200 NULL);
5201}
5202
5203static void selinux_secmark_refcount_inc(void)
5204{
5205 atomic_inc(&selinux_secmark_refcount);
5206}
5207
5208static void selinux_secmark_refcount_dec(void)
5209{
5210 atomic_dec(&selinux_secmark_refcount);
5211}
5212
5213static void selinux_req_classify_flow(const struct request_sock *req,
5214 struct flowi *fl)
5215{
5216 fl->flowi_secid = req->secid;
5217}
5218
5219static int selinux_tun_dev_alloc_security(void **security)
5220{
5221 struct tun_security_struct *tunsec;
5222
5223 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5224 if (!tunsec)
5225 return -ENOMEM;
5226 tunsec->sid = current_sid();
5227
5228 *security = tunsec;
5229 return 0;
5230}
5231
5232static void selinux_tun_dev_free_security(void *security)
5233{
5234 kfree(security);
5235}
5236
5237static int selinux_tun_dev_create(void)
5238{
5239 u32 sid = current_sid();
5240
5241 /* we aren't taking into account the "sockcreate" SID since the socket
5242 * that is being created here is not a socket in the traditional sense,
5243 * instead it is a private sock, accessible only to the kernel, and
5244 * representing a wide range of network traffic spanning multiple
5245 * connections unlike traditional sockets - check the TUN driver to
5246 * get a better understanding of why this socket is special */
5247
5248 return avc_has_perm(&selinux_state,
5249 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5250 NULL);
5251}
5252
5253static int selinux_tun_dev_attach_queue(void *security)
5254{
5255 struct tun_security_struct *tunsec = security;
5256
5257 return avc_has_perm(&selinux_state,
5258 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5259 TUN_SOCKET__ATTACH_QUEUE, NULL);
5260}
5261
5262static int selinux_tun_dev_attach(struct sock *sk, void *security)
5263{
5264 struct tun_security_struct *tunsec = security;
5265 struct sk_security_struct *sksec = sk->sk_security;
5266
5267 /* we don't currently perform any NetLabel based labeling here and it
5268 * isn't clear that we would want to do so anyway; while we could apply
5269 * labeling without the support of the TUN user the resulting labeled
5270 * traffic from the other end of the connection would almost certainly
5271 * cause confusion to the TUN user that had no idea network labeling
5272 * protocols were being used */
5273
5274 sksec->sid = tunsec->sid;
5275 sksec->sclass = SECCLASS_TUN_SOCKET;
5276
5277 return 0;
5278}
5279
5280static int selinux_tun_dev_open(void *security)
5281{
5282 struct tun_security_struct *tunsec = security;
5283 u32 sid = current_sid();
5284 int err;
5285
5286 err = avc_has_perm(&selinux_state,
5287 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5288 TUN_SOCKET__RELABELFROM, NULL);
5289 if (err)
5290 return err;
5291 err = avc_has_perm(&selinux_state,
5292 sid, sid, SECCLASS_TUN_SOCKET,
5293 TUN_SOCKET__RELABELTO, NULL);
5294 if (err)
5295 return err;
5296 tunsec->sid = sid;
5297
5298 return 0;
5299}
5300
5301static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5302{
5303 int err = 0;
5304 u32 perm;
5305 struct nlmsghdr *nlh;
5306 struct sk_security_struct *sksec = sk->sk_security;
5307
5308 if (skb->len < NLMSG_HDRLEN) {
5309 err = -EINVAL;
5310 goto out;
5311 }
5312 nlh = nlmsg_hdr(skb);
5313
5314 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5315 if (err) {
5316 if (err == -EINVAL) {
5317 pr_warn_ratelimited("SELinux: unrecognized netlink"
5318 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5319 " pig=%d comm=%s\n",
5320 sk->sk_protocol, nlh->nlmsg_type,
5321 secclass_map[sksec->sclass - 1].name,
5322 task_pid_nr(current), current->comm);
5323 if (!enforcing_enabled(&selinux_state) ||
5324 security_get_allow_unknown(&selinux_state))
5325 err = 0;
5326 }
5327
5328 /* Ignore */
5329 if (err == -ENOENT)
5330 err = 0;
5331 goto out;
5332 }
5333
5334 err = sock_has_perm(sk, perm);
5335out:
5336 return err;
5337}
5338
5339#ifdef CONFIG_NETFILTER
5340
5341static unsigned int selinux_ip_forward(struct sk_buff *skb,
5342 const struct net_device *indev,
5343 u16 family)
5344{
5345 int err;
5346 char *addrp;
5347 u32 peer_sid;
5348 struct common_audit_data ad;
5349 struct lsm_network_audit net = {0,};
5350 u8 secmark_active;
5351 u8 netlbl_active;
5352 u8 peerlbl_active;
5353
5354 if (!selinux_policycap_netpeer())
5355 return NF_ACCEPT;
5356
5357 secmark_active = selinux_secmark_enabled();
5358 netlbl_active = netlbl_enabled();
5359 peerlbl_active = selinux_peerlbl_enabled();
5360 if (!secmark_active && !peerlbl_active)
5361 return NF_ACCEPT;
5362
5363 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5364 return NF_DROP;
5365
5366 ad.type = LSM_AUDIT_DATA_NET;
5367 ad.u.net = &net;
5368 ad.u.net->netif = indev->ifindex;
5369 ad.u.net->family = family;
5370 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5371 return NF_DROP;
5372
5373 if (peerlbl_active) {
5374 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5375 addrp, family, peer_sid, &ad);
5376 if (err) {
5377 selinux_netlbl_err(skb, family, err, 1);
5378 return NF_DROP;
5379 }
5380 }
5381
5382 if (secmark_active)
5383 if (avc_has_perm(&selinux_state,
5384 peer_sid, skb->secmark,
5385 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5386 return NF_DROP;
5387
5388 if (netlbl_active)
5389 /* we do this in the FORWARD path and not the POST_ROUTING
5390 * path because we want to make sure we apply the necessary
5391 * labeling before IPsec is applied so we can leverage AH
5392 * protection */
5393 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5394 return NF_DROP;
5395
5396 return NF_ACCEPT;
5397}
5398
5399static unsigned int selinux_ipv4_forward(void *priv,
5400 struct sk_buff *skb,
5401 const struct nf_hook_state *state)
5402{
5403 return selinux_ip_forward(skb, state->in, PF_INET);
5404}
5405
5406#if IS_ENABLED(CONFIG_IPV6)
5407static unsigned int selinux_ipv6_forward(void *priv,
5408 struct sk_buff *skb,
5409 const struct nf_hook_state *state)
5410{
5411 return selinux_ip_forward(skb, state->in, PF_INET6);
5412}
5413#endif /* IPV6 */
5414
5415static unsigned int selinux_ip_output(struct sk_buff *skb,
5416 u16 family)
5417{
5418 struct sock *sk;
5419 u32 sid;
5420
5421 if (!netlbl_enabled())
5422 return NF_ACCEPT;
5423
5424 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5425 * because we want to make sure we apply the necessary labeling
5426 * before IPsec is applied so we can leverage AH protection */
5427 sk = skb->sk;
5428 if (sk) {
5429 struct sk_security_struct *sksec;
5430
5431 if (sk_listener(sk))
5432 /* if the socket is the listening state then this
5433 * packet is a SYN-ACK packet which means it needs to
5434 * be labeled based on the connection/request_sock and
5435 * not the parent socket. unfortunately, we can't
5436 * lookup the request_sock yet as it isn't queued on
5437 * the parent socket until after the SYN-ACK is sent.
5438 * the "solution" is to simply pass the packet as-is
5439 * as any IP option based labeling should be copied
5440 * from the initial connection request (in the IP
5441 * layer). it is far from ideal, but until we get a
5442 * security label in the packet itself this is the
5443 * best we can do. */
5444 return NF_ACCEPT;
5445
5446 /* standard practice, label using the parent socket */
5447 sksec = sk->sk_security;
5448 sid = sksec->sid;
5449 } else
5450 sid = SECINITSID_KERNEL;
5451 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5452 return NF_DROP;
5453
5454 return NF_ACCEPT;
5455}
5456
5457static unsigned int selinux_ipv4_output(void *priv,
5458 struct sk_buff *skb,
5459 const struct nf_hook_state *state)
5460{
5461 return selinux_ip_output(skb, PF_INET);
5462}
5463
5464#if IS_ENABLED(CONFIG_IPV6)
5465static unsigned int selinux_ipv6_output(void *priv,
5466 struct sk_buff *skb,
5467 const struct nf_hook_state *state)
5468{
5469 return selinux_ip_output(skb, PF_INET6);
5470}
5471#endif /* IPV6 */
5472
5473static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5474 int ifindex,
5475 u16 family)
5476{
5477 struct sock *sk = skb_to_full_sk(skb);
5478 struct sk_security_struct *sksec;
5479 struct common_audit_data ad;
5480 struct lsm_network_audit net = {0,};
5481 char *addrp;
5482 u8 proto;
5483
5484 if (sk == NULL)
5485 return NF_ACCEPT;
5486 sksec = sk->sk_security;
5487
5488 ad.type = LSM_AUDIT_DATA_NET;
5489 ad.u.net = &net;
5490 ad.u.net->netif = ifindex;
5491 ad.u.net->family = family;
5492 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5493 return NF_DROP;
5494
5495 if (selinux_secmark_enabled())
5496 if (avc_has_perm(&selinux_state,
5497 sksec->sid, skb->secmark,
5498 SECCLASS_PACKET, PACKET__SEND, &ad))
5499 return NF_DROP_ERR(-ECONNREFUSED);
5500
5501 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5502 return NF_DROP_ERR(-ECONNREFUSED);
5503
5504 return NF_ACCEPT;
5505}
5506
5507static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5508 const struct net_device *outdev,
5509 u16 family)
5510{
5511 u32 secmark_perm;
5512 u32 peer_sid;
5513 int ifindex = outdev->ifindex;
5514 struct sock *sk;
5515 struct common_audit_data ad;
5516 struct lsm_network_audit net = {0,};
5517 char *addrp;
5518 u8 secmark_active;
5519 u8 peerlbl_active;
5520
5521 /* If any sort of compatibility mode is enabled then handoff processing
5522 * to the selinux_ip_postroute_compat() function to deal with the
5523 * special handling. We do this in an attempt to keep this function
5524 * as fast and as clean as possible. */
5525 if (!selinux_policycap_netpeer())
5526 return selinux_ip_postroute_compat(skb, ifindex, family);
5527
5528 secmark_active = selinux_secmark_enabled();
5529 peerlbl_active = selinux_peerlbl_enabled();
5530 if (!secmark_active && !peerlbl_active)
5531 return NF_ACCEPT;
5532
5533 sk = skb_to_full_sk(skb);
5534
5535#ifdef CONFIG_XFRM
5536 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5537 * packet transformation so allow the packet to pass without any checks
5538 * since we'll have another chance to perform access control checks
5539 * when the packet is on it's final way out.
5540 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5541 * is NULL, in this case go ahead and apply access control.
5542 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5543 * TCP listening state we cannot wait until the XFRM processing
5544 * is done as we will miss out on the SA label if we do;
5545 * unfortunately, this means more work, but it is only once per
5546 * connection. */
5547 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5548 !(sk && sk_listener(sk)))
5549 return NF_ACCEPT;
5550#endif
5551
5552 if (sk == NULL) {
5553 /* Without an associated socket the packet is either coming
5554 * from the kernel or it is being forwarded; check the packet
5555 * to determine which and if the packet is being forwarded
5556 * query the packet directly to determine the security label. */
5557 if (skb->skb_iif) {
5558 secmark_perm = PACKET__FORWARD_OUT;
5559 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5560 return NF_DROP;
5561 } else {
5562 secmark_perm = PACKET__SEND;
5563 peer_sid = SECINITSID_KERNEL;
5564 }
5565 } else if (sk_listener(sk)) {
5566 /* Locally generated packet but the associated socket is in the
5567 * listening state which means this is a SYN-ACK packet. In
5568 * this particular case the correct security label is assigned
5569 * to the connection/request_sock but unfortunately we can't
5570 * query the request_sock as it isn't queued on the parent
5571 * socket until after the SYN-ACK packet is sent; the only
5572 * viable choice is to regenerate the label like we do in
5573 * selinux_inet_conn_request(). See also selinux_ip_output()
5574 * for similar problems. */
5575 u32 skb_sid;
5576 struct sk_security_struct *sksec;
5577
5578 sksec = sk->sk_security;
5579 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5580 return NF_DROP;
5581 /* At this point, if the returned skb peerlbl is SECSID_NULL
5582 * and the packet has been through at least one XFRM
5583 * transformation then we must be dealing with the "final"
5584 * form of labeled IPsec packet; since we've already applied
5585 * all of our access controls on this packet we can safely
5586 * pass the packet. */
5587 if (skb_sid == SECSID_NULL) {
5588 switch (family) {
5589 case PF_INET:
5590 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5591 return NF_ACCEPT;
5592 break;
5593 case PF_INET6:
5594 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5595 return NF_ACCEPT;
5596 break;
5597 default:
5598 return NF_DROP_ERR(-ECONNREFUSED);
5599 }
5600 }
5601 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5602 return NF_DROP;
5603 secmark_perm = PACKET__SEND;
5604 } else {
5605 /* Locally generated packet, fetch the security label from the
5606 * associated socket. */
5607 struct sk_security_struct *sksec = sk->sk_security;
5608 peer_sid = sksec->sid;
5609 secmark_perm = PACKET__SEND;
5610 }
5611
5612 ad.type = LSM_AUDIT_DATA_NET;
5613 ad.u.net = &net;
5614 ad.u.net->netif = ifindex;
5615 ad.u.net->family = family;
5616 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5617 return NF_DROP;
5618
5619 if (secmark_active)
5620 if (avc_has_perm(&selinux_state,
5621 peer_sid, skb->secmark,
5622 SECCLASS_PACKET, secmark_perm, &ad))
5623 return NF_DROP_ERR(-ECONNREFUSED);
5624
5625 if (peerlbl_active) {
5626 u32 if_sid;
5627 u32 node_sid;
5628
5629 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5630 return NF_DROP;
5631 if (avc_has_perm(&selinux_state,
5632 peer_sid, if_sid,
5633 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5634 return NF_DROP_ERR(-ECONNREFUSED);
5635
5636 if (sel_netnode_sid(addrp, family, &node_sid))
5637 return NF_DROP;
5638 if (avc_has_perm(&selinux_state,
5639 peer_sid, node_sid,
5640 SECCLASS_NODE, NODE__SENDTO, &ad))
5641 return NF_DROP_ERR(-ECONNREFUSED);
5642 }
5643
5644 return NF_ACCEPT;
5645}
5646
5647static unsigned int selinux_ipv4_postroute(void *priv,
5648 struct sk_buff *skb,
5649 const struct nf_hook_state *state)
5650{
5651 return selinux_ip_postroute(skb, state->out, PF_INET);
5652}
5653
5654#if IS_ENABLED(CONFIG_IPV6)
5655static unsigned int selinux_ipv6_postroute(void *priv,
5656 struct sk_buff *skb,
5657 const struct nf_hook_state *state)
5658{
5659 return selinux_ip_postroute(skb, state->out, PF_INET6);
5660}
5661#endif /* IPV6 */
5662
5663#endif /* CONFIG_NETFILTER */
5664
5665static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5666{
5667 return selinux_nlmsg_perm(sk, skb);
5668}
5669
5670static int ipc_alloc_security(struct kern_ipc_perm *perm,
5671 u16 sclass)
5672{
5673 struct ipc_security_struct *isec;
5674
5675 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5676 if (!isec)
5677 return -ENOMEM;
5678
5679 isec->sclass = sclass;
5680 isec->sid = current_sid();
5681 perm->security = isec;
5682
5683 return 0;
5684}
5685
5686static void ipc_free_security(struct kern_ipc_perm *perm)
5687{
5688 struct ipc_security_struct *isec = perm->security;
5689 perm->security = NULL;
5690 kfree(isec);
5691}
5692
5693static int msg_msg_alloc_security(struct msg_msg *msg)
5694{
5695 struct msg_security_struct *msec;
5696
5697 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5698 if (!msec)
5699 return -ENOMEM;
5700
5701 msec->sid = SECINITSID_UNLABELED;
5702 msg->security = msec;
5703
5704 return 0;
5705}
5706
5707static void msg_msg_free_security(struct msg_msg *msg)
5708{
5709 struct msg_security_struct *msec = msg->security;
5710
5711 msg->security = NULL;
5712 kfree(msec);
5713}
5714
5715static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5716 u32 perms)
5717{
5718 struct ipc_security_struct *isec;
5719 struct common_audit_data ad;
5720 u32 sid = current_sid();
5721
5722 isec = ipc_perms->security;
5723
5724 ad.type = LSM_AUDIT_DATA_IPC;
5725 ad.u.ipc_id = ipc_perms->key;
5726
5727 return avc_has_perm(&selinux_state,
5728 sid, isec->sid, isec->sclass, perms, &ad);
5729}
5730
5731static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5732{
5733 return msg_msg_alloc_security(msg);
5734}
5735
5736static void selinux_msg_msg_free_security(struct msg_msg *msg)
5737{
5738 msg_msg_free_security(msg);
5739}
5740
5741/* message queue security operations */
5742static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5743{
5744 struct ipc_security_struct *isec;
5745 struct common_audit_data ad;
5746 u32 sid = current_sid();
5747 int rc;
5748
5749 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
5750 if (rc)
5751 return rc;
5752
5753 isec = msq->security;
5754
5755 ad.type = LSM_AUDIT_DATA_IPC;
5756 ad.u.ipc_id = msq->key;
5757
5758 rc = avc_has_perm(&selinux_state,
5759 sid, isec->sid, SECCLASS_MSGQ,
5760 MSGQ__CREATE, &ad);
5761 if (rc) {
5762 ipc_free_security(msq);
5763 return rc;
5764 }
5765 return 0;
5766}
5767
5768static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
5769{
5770 ipc_free_security(msq);
5771}
5772
5773static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5774{
5775 struct ipc_security_struct *isec;
5776 struct common_audit_data ad;
5777 u32 sid = current_sid();
5778
5779 isec = msq->security;
5780
5781 ad.type = LSM_AUDIT_DATA_IPC;
5782 ad.u.ipc_id = msq->key;
5783
5784 return avc_has_perm(&selinux_state,
5785 sid, isec->sid, SECCLASS_MSGQ,
5786 MSGQ__ASSOCIATE, &ad);
5787}
5788
5789static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5790{
5791 int err;
5792 int perms;
5793
5794 switch (cmd) {
5795 case IPC_INFO:
5796 case MSG_INFO:
5797 /* No specific object, just general system-wide information. */
5798 return avc_has_perm(&selinux_state,
5799 current_sid(), SECINITSID_KERNEL,
5800 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5801 case IPC_STAT:
5802 case MSG_STAT:
5803 case MSG_STAT_ANY:
5804 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5805 break;
5806 case IPC_SET:
5807 perms = MSGQ__SETATTR;
5808 break;
5809 case IPC_RMID:
5810 perms = MSGQ__DESTROY;
5811 break;
5812 default:
5813 return 0;
5814 }
5815
5816 err = ipc_has_perm(msq, perms);
5817 return err;
5818}
5819
5820static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
5821{
5822 struct ipc_security_struct *isec;
5823 struct msg_security_struct *msec;
5824 struct common_audit_data ad;
5825 u32 sid = current_sid();
5826 int rc;
5827
5828 isec = msq->security;
5829 msec = msg->security;
5830
5831 /*
5832 * First time through, need to assign label to the message
5833 */
5834 if (msec->sid == SECINITSID_UNLABELED) {
5835 /*
5836 * Compute new sid based on current process and
5837 * message queue this message will be stored in
5838 */
5839 rc = security_transition_sid(&selinux_state, sid, isec->sid,
5840 SECCLASS_MSG, NULL, &msec->sid);
5841 if (rc)
5842 return rc;
5843 }
5844
5845 ad.type = LSM_AUDIT_DATA_IPC;
5846 ad.u.ipc_id = msq->key;
5847
5848 /* Can this process write to the queue? */
5849 rc = avc_has_perm(&selinux_state,
5850 sid, isec->sid, SECCLASS_MSGQ,
5851 MSGQ__WRITE, &ad);
5852 if (!rc)
5853 /* Can this process send the message */
5854 rc = avc_has_perm(&selinux_state,
5855 sid, msec->sid, SECCLASS_MSG,
5856 MSG__SEND, &ad);
5857 if (!rc)
5858 /* Can the message be put in the queue? */
5859 rc = avc_has_perm(&selinux_state,
5860 msec->sid, isec->sid, SECCLASS_MSGQ,
5861 MSGQ__ENQUEUE, &ad);
5862
5863 return rc;
5864}
5865
5866static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
5867 struct task_struct *target,
5868 long type, int mode)
5869{
5870 struct ipc_security_struct *isec;
5871 struct msg_security_struct *msec;
5872 struct common_audit_data ad;
5873 u32 sid = task_sid(target);
5874 int rc;
5875
5876 isec = msq->security;
5877 msec = msg->security;
5878
5879 ad.type = LSM_AUDIT_DATA_IPC;
5880 ad.u.ipc_id = msq->key;
5881
5882 rc = avc_has_perm(&selinux_state,
5883 sid, isec->sid,
5884 SECCLASS_MSGQ, MSGQ__READ, &ad);
5885 if (!rc)
5886 rc = avc_has_perm(&selinux_state,
5887 sid, msec->sid,
5888 SECCLASS_MSG, MSG__RECEIVE, &ad);
5889 return rc;
5890}
5891
5892/* Shared Memory security operations */
5893static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
5894{
5895 struct ipc_security_struct *isec;
5896 struct common_audit_data ad;
5897 u32 sid = current_sid();
5898 int rc;
5899
5900 rc = ipc_alloc_security(shp, SECCLASS_SHM);
5901 if (rc)
5902 return rc;
5903
5904 isec = shp->security;
5905
5906 ad.type = LSM_AUDIT_DATA_IPC;
5907 ad.u.ipc_id = shp->key;
5908
5909 rc = avc_has_perm(&selinux_state,
5910 sid, isec->sid, SECCLASS_SHM,
5911 SHM__CREATE, &ad);
5912 if (rc) {
5913 ipc_free_security(shp);
5914 return rc;
5915 }
5916 return 0;
5917}
5918
5919static void selinux_shm_free_security(struct kern_ipc_perm *shp)
5920{
5921 ipc_free_security(shp);
5922}
5923
5924static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
5925{
5926 struct ipc_security_struct *isec;
5927 struct common_audit_data ad;
5928 u32 sid = current_sid();
5929
5930 isec = shp->security;
5931
5932 ad.type = LSM_AUDIT_DATA_IPC;
5933 ad.u.ipc_id = shp->key;
5934
5935 return avc_has_perm(&selinux_state,
5936 sid, isec->sid, SECCLASS_SHM,
5937 SHM__ASSOCIATE, &ad);
5938}
5939
5940/* Note, at this point, shp is locked down */
5941static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
5942{
5943 int perms;
5944 int err;
5945
5946 switch (cmd) {
5947 case IPC_INFO:
5948 case SHM_INFO:
5949 /* No specific object, just general system-wide information. */
5950 return avc_has_perm(&selinux_state,
5951 current_sid(), SECINITSID_KERNEL,
5952 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5953 case IPC_STAT:
5954 case SHM_STAT:
5955 case SHM_STAT_ANY:
5956 perms = SHM__GETATTR | SHM__ASSOCIATE;
5957 break;
5958 case IPC_SET:
5959 perms = SHM__SETATTR;
5960 break;
5961 case SHM_LOCK:
5962 case SHM_UNLOCK:
5963 perms = SHM__LOCK;
5964 break;
5965 case IPC_RMID:
5966 perms = SHM__DESTROY;
5967 break;
5968 default:
5969 return 0;
5970 }
5971
5972 err = ipc_has_perm(shp, perms);
5973 return err;
5974}
5975
5976static int selinux_shm_shmat(struct kern_ipc_perm *shp,
5977 char __user *shmaddr, int shmflg)
5978{
5979 u32 perms;
5980
5981 if (shmflg & SHM_RDONLY)
5982 perms = SHM__READ;
5983 else
5984 perms = SHM__READ | SHM__WRITE;
5985
5986 return ipc_has_perm(shp, perms);
5987}
5988
5989/* Semaphore security operations */
5990static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
5991{
5992 struct ipc_security_struct *isec;
5993 struct common_audit_data ad;
5994 u32 sid = current_sid();
5995 int rc;
5996
5997 rc = ipc_alloc_security(sma, SECCLASS_SEM);
5998 if (rc)
5999 return rc;
6000
6001 isec = sma->security;
6002
6003 ad.type = LSM_AUDIT_DATA_IPC;
6004 ad.u.ipc_id = sma->key;
6005
6006 rc = avc_has_perm(&selinux_state,
6007 sid, isec->sid, SECCLASS_SEM,
6008 SEM__CREATE, &ad);
6009 if (rc) {
6010 ipc_free_security(sma);
6011 return rc;
6012 }
6013 return 0;
6014}
6015
6016static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6017{
6018 ipc_free_security(sma);
6019}
6020
6021static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6022{
6023 struct ipc_security_struct *isec;
6024 struct common_audit_data ad;
6025 u32 sid = current_sid();
6026
6027 isec = sma->security;
6028
6029 ad.type = LSM_AUDIT_DATA_IPC;
6030 ad.u.ipc_id = sma->key;
6031
6032 return avc_has_perm(&selinux_state,
6033 sid, isec->sid, SECCLASS_SEM,
6034 SEM__ASSOCIATE, &ad);
6035}
6036
6037/* Note, at this point, sma is locked down */
6038static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6039{
6040 int err;
6041 u32 perms;
6042
6043 switch (cmd) {
6044 case IPC_INFO:
6045 case SEM_INFO:
6046 /* No specific object, just general system-wide information. */
6047 return avc_has_perm(&selinux_state,
6048 current_sid(), SECINITSID_KERNEL,
6049 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6050 case GETPID:
6051 case GETNCNT:
6052 case GETZCNT:
6053 perms = SEM__GETATTR;
6054 break;
6055 case GETVAL:
6056 case GETALL:
6057 perms = SEM__READ;
6058 break;
6059 case SETVAL:
6060 case SETALL:
6061 perms = SEM__WRITE;
6062 break;
6063 case IPC_RMID:
6064 perms = SEM__DESTROY;
6065 break;
6066 case IPC_SET:
6067 perms = SEM__SETATTR;
6068 break;
6069 case IPC_STAT:
6070 case SEM_STAT:
6071 case SEM_STAT_ANY:
6072 perms = SEM__GETATTR | SEM__ASSOCIATE;
6073 break;
6074 default:
6075 return 0;
6076 }
6077
6078 err = ipc_has_perm(sma, perms);
6079 return err;
6080}
6081
6082static int selinux_sem_semop(struct kern_ipc_perm *sma,
6083 struct sembuf *sops, unsigned nsops, int alter)
6084{
6085 u32 perms;
6086
6087 if (alter)
6088 perms = SEM__READ | SEM__WRITE;
6089 else
6090 perms = SEM__READ;
6091
6092 return ipc_has_perm(sma, perms);
6093}
6094
6095static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6096{
6097 u32 av = 0;
6098
6099 av = 0;
6100 if (flag & S_IRUGO)
6101 av |= IPC__UNIX_READ;
6102 if (flag & S_IWUGO)
6103 av |= IPC__UNIX_WRITE;
6104
6105 if (av == 0)
6106 return 0;
6107
6108 return ipc_has_perm(ipcp, av);
6109}
6110
6111static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6112{
6113 struct ipc_security_struct *isec = ipcp->security;
6114 *secid = isec->sid;
6115}
6116
6117static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6118{
6119 if (inode)
6120 inode_doinit_with_dentry(inode, dentry);
6121}
6122
6123static int selinux_getprocattr(struct task_struct *p,
6124 char *name, char **value)
6125{
6126 const struct task_security_struct *__tsec;
6127 u32 sid;
6128 int error;
6129 unsigned len;
6130
6131 rcu_read_lock();
6132 __tsec = selinux_cred(__task_cred(p));
6133
6134 if (current != p) {
6135 error = avc_has_perm(&selinux_state,
6136 current_sid(), __tsec->sid,
6137 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6138 if (error)
6139 goto bad;
6140 }
6141
6142 if (!strcmp(name, "current"))
6143 sid = __tsec->sid;
6144 else if (!strcmp(name, "prev"))
6145 sid = __tsec->osid;
6146 else if (!strcmp(name, "exec"))
6147 sid = __tsec->exec_sid;
6148 else if (!strcmp(name, "fscreate"))
6149 sid = __tsec->create_sid;
6150 else if (!strcmp(name, "keycreate"))
6151 sid = __tsec->keycreate_sid;
6152 else if (!strcmp(name, "sockcreate"))
6153 sid = __tsec->sockcreate_sid;
6154 else {
6155 error = -EINVAL;
6156 goto bad;
6157 }
6158 rcu_read_unlock();
6159
6160 if (!sid)
6161 return 0;
6162
6163 error = security_sid_to_context(&selinux_state, sid, value, &len);
6164 if (error)
6165 return error;
6166 return len;
6167
6168bad:
6169 rcu_read_unlock();
6170 return error;
6171}
6172
6173static int selinux_setprocattr(const char *name, void *value, size_t size)
6174{
6175 struct task_security_struct *tsec;
6176 struct cred *new;
6177 u32 mysid = current_sid(), sid = 0, ptsid;
6178 int error;
6179 char *str = value;
6180
6181 /*
6182 * Basic control over ability to set these attributes at all.
6183 */
6184 if (!strcmp(name, "exec"))
6185 error = avc_has_perm(&selinux_state,
6186 mysid, mysid, SECCLASS_PROCESS,
6187 PROCESS__SETEXEC, NULL);
6188 else if (!strcmp(name, "fscreate"))
6189 error = avc_has_perm(&selinux_state,
6190 mysid, mysid, SECCLASS_PROCESS,
6191 PROCESS__SETFSCREATE, NULL);
6192 else if (!strcmp(name, "keycreate"))
6193 error = avc_has_perm(&selinux_state,
6194 mysid, mysid, SECCLASS_PROCESS,
6195 PROCESS__SETKEYCREATE, NULL);
6196 else if (!strcmp(name, "sockcreate"))
6197 error = avc_has_perm(&selinux_state,
6198 mysid, mysid, SECCLASS_PROCESS,
6199 PROCESS__SETSOCKCREATE, NULL);
6200 else if (!strcmp(name, "current"))
6201 error = avc_has_perm(&selinux_state,
6202 mysid, mysid, SECCLASS_PROCESS,
6203 PROCESS__SETCURRENT, NULL);
6204 else
6205 error = -EINVAL;
6206 if (error)
6207 return error;
6208
6209 /* Obtain a SID for the context, if one was specified. */
6210 if (size && str[0] && str[0] != '\n') {
6211 if (str[size-1] == '\n') {
6212 str[size-1] = 0;
6213 size--;
6214 }
6215 error = security_context_to_sid(&selinux_state, value, size,
6216 &sid, GFP_KERNEL);
6217 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6218 if (!has_cap_mac_admin(true)) {
6219 struct audit_buffer *ab;
6220 size_t audit_size;
6221
6222 /* We strip a nul only if it is at the end, otherwise the
6223 * context contains a nul and we should audit that */
6224 if (str[size - 1] == '\0')
6225 audit_size = size - 1;
6226 else
6227 audit_size = size;
6228 ab = audit_log_start(audit_context(),
6229 GFP_ATOMIC,
6230 AUDIT_SELINUX_ERR);
6231 audit_log_format(ab, "op=fscreate invalid_context=");
6232 audit_log_n_untrustedstring(ab, value, audit_size);
6233 audit_log_end(ab);
6234
6235 return error;
6236 }
6237 error = security_context_to_sid_force(
6238 &selinux_state,
6239 value, size, &sid);
6240 }
6241 if (error)
6242 return error;
6243 }
6244
6245 new = prepare_creds();
6246 if (!new)
6247 return -ENOMEM;
6248
6249 /* Permission checking based on the specified context is
6250 performed during the actual operation (execve,
6251 open/mkdir/...), when we know the full context of the
6252 operation. See selinux_bprm_set_creds for the execve
6253 checks and may_create for the file creation checks. The
6254 operation will then fail if the context is not permitted. */
6255 tsec = selinux_cred(new);
6256 if (!strcmp(name, "exec")) {
6257 tsec->exec_sid = sid;
6258 } else if (!strcmp(name, "fscreate")) {
6259 tsec->create_sid = sid;
6260 } else if (!strcmp(name, "keycreate")) {
6261 error = avc_has_perm(&selinux_state,
6262 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6263 NULL);
6264 if (error)
6265 goto abort_change;
6266 tsec->keycreate_sid = sid;
6267 } else if (!strcmp(name, "sockcreate")) {
6268 tsec->sockcreate_sid = sid;
6269 } else if (!strcmp(name, "current")) {
6270 error = -EINVAL;
6271 if (sid == 0)
6272 goto abort_change;
6273
6274 /* Only allow single threaded processes to change context */
6275 error = -EPERM;
6276 if (!current_is_single_threaded()) {
6277 error = security_bounded_transition(&selinux_state,
6278 tsec->sid, sid);
6279 if (error)
6280 goto abort_change;
6281 }
6282
6283 /* Check permissions for the transition. */
6284 error = avc_has_perm(&selinux_state,
6285 tsec->sid, sid, SECCLASS_PROCESS,
6286 PROCESS__DYNTRANSITION, NULL);
6287 if (error)
6288 goto abort_change;
6289
6290 /* Check for ptracing, and update the task SID if ok.
6291 Otherwise, leave SID unchanged and fail. */
6292 ptsid = ptrace_parent_sid();
6293 if (ptsid != 0) {
6294 error = avc_has_perm(&selinux_state,
6295 ptsid, sid, SECCLASS_PROCESS,
6296 PROCESS__PTRACE, NULL);
6297 if (error)
6298 goto abort_change;
6299 }
6300
6301 tsec->sid = sid;
6302 } else {
6303 error = -EINVAL;
6304 goto abort_change;
6305 }
6306
6307 commit_creds(new);
6308 return size;
6309
6310abort_change:
6311 abort_creds(new);
6312 return error;
6313}
6314
6315static int selinux_ismaclabel(const char *name)
6316{
6317 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6318}
6319
6320static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6321{
6322 return security_sid_to_context(&selinux_state, secid,
6323 secdata, seclen);
6324}
6325
6326static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6327{
6328 return security_context_to_sid(&selinux_state, secdata, seclen,
6329 secid, GFP_KERNEL);
6330}
6331
6332static void selinux_release_secctx(char *secdata, u32 seclen)
6333{
6334 kfree(secdata);
6335}
6336
6337static void selinux_inode_invalidate_secctx(struct inode *inode)
6338{
6339 struct inode_security_struct *isec = inode->i_security;
6340
6341 spin_lock(&isec->lock);
6342 isec->initialized = LABEL_INVALID;
6343 spin_unlock(&isec->lock);
6344}
6345
6346/*
6347 * called with inode->i_mutex locked
6348 */
6349static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6350{
6351 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6352}
6353
6354/*
6355 * called with inode->i_mutex locked
6356 */
6357static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6358{
6359 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6360}
6361
6362static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6363{
6364 int len = 0;
6365 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6366 ctx, true);
6367 if (len < 0)
6368 return len;
6369 *ctxlen = len;
6370 return 0;
6371}
6372#ifdef CONFIG_KEYS
6373
6374static int selinux_key_alloc(struct key *k, const struct cred *cred,
6375 unsigned long flags)
6376{
6377 const struct task_security_struct *tsec;
6378 struct key_security_struct *ksec;
6379
6380 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6381 if (!ksec)
6382 return -ENOMEM;
6383
6384 tsec = selinux_cred(cred);
6385 if (tsec->keycreate_sid)
6386 ksec->sid = tsec->keycreate_sid;
6387 else
6388 ksec->sid = tsec->sid;
6389
6390 k->security = ksec;
6391 return 0;
6392}
6393
6394static void selinux_key_free(struct key *k)
6395{
6396 struct key_security_struct *ksec = k->security;
6397
6398 k->security = NULL;
6399 kfree(ksec);
6400}
6401
6402static int selinux_key_permission(key_ref_t key_ref,
6403 const struct cred *cred,
6404 unsigned perm)
6405{
6406 struct key *key;
6407 struct key_security_struct *ksec;
6408 u32 sid;
6409
6410 /* if no specific permissions are requested, we skip the
6411 permission check. No serious, additional covert channels
6412 appear to be created. */
6413 if (perm == 0)
6414 return 0;
6415
6416 sid = cred_sid(cred);
6417
6418 key = key_ref_to_ptr(key_ref);
6419 ksec = key->security;
6420
6421 return avc_has_perm(&selinux_state,
6422 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6423}
6424
6425static int selinux_key_getsecurity(struct key *key, char **_buffer)
6426{
6427 struct key_security_struct *ksec = key->security;
6428 char *context = NULL;
6429 unsigned len;
6430 int rc;
6431
6432 rc = security_sid_to_context(&selinux_state, ksec->sid,
6433 &context, &len);
6434 if (!rc)
6435 rc = len;
6436 *_buffer = context;
6437 return rc;
6438}
6439#endif
6440
6441#ifdef CONFIG_SECURITY_INFINIBAND
6442static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6443{
6444 struct common_audit_data ad;
6445 int err;
6446 u32 sid = 0;
6447 struct ib_security_struct *sec = ib_sec;
6448 struct lsm_ibpkey_audit ibpkey;
6449
6450 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6451 if (err)
6452 return err;
6453
6454 ad.type = LSM_AUDIT_DATA_IBPKEY;
6455 ibpkey.subnet_prefix = subnet_prefix;
6456 ibpkey.pkey = pkey_val;
6457 ad.u.ibpkey = &ibpkey;
6458 return avc_has_perm(&selinux_state,
6459 sec->sid, sid,
6460 SECCLASS_INFINIBAND_PKEY,
6461 INFINIBAND_PKEY__ACCESS, &ad);
6462}
6463
6464static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6465 u8 port_num)
6466{
6467 struct common_audit_data ad;
6468 int err;
6469 u32 sid = 0;
6470 struct ib_security_struct *sec = ib_sec;
6471 struct lsm_ibendport_audit ibendport;
6472
6473 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6474 &sid);
6475
6476 if (err)
6477 return err;
6478
6479 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6480 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6481 ibendport.port = port_num;
6482 ad.u.ibendport = &ibendport;
6483 return avc_has_perm(&selinux_state,
6484 sec->sid, sid,
6485 SECCLASS_INFINIBAND_ENDPORT,
6486 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6487}
6488
6489static int selinux_ib_alloc_security(void **ib_sec)
6490{
6491 struct ib_security_struct *sec;
6492
6493 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6494 if (!sec)
6495 return -ENOMEM;
6496 sec->sid = current_sid();
6497
6498 *ib_sec = sec;
6499 return 0;
6500}
6501
6502static void selinux_ib_free_security(void *ib_sec)
6503{
6504 kfree(ib_sec);
6505}
6506#endif
6507
6508#ifdef CONFIG_BPF_SYSCALL
6509static int selinux_bpf(int cmd, union bpf_attr *attr,
6510 unsigned int size)
6511{
6512 u32 sid = current_sid();
6513 int ret;
6514
6515 switch (cmd) {
6516 case BPF_MAP_CREATE:
6517 ret = avc_has_perm(&selinux_state,
6518 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6519 NULL);
6520 break;
6521 case BPF_PROG_LOAD:
6522 ret = avc_has_perm(&selinux_state,
6523 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6524 NULL);
6525 break;
6526 default:
6527 ret = 0;
6528 break;
6529 }
6530
6531 return ret;
6532}
6533
6534static u32 bpf_map_fmode_to_av(fmode_t fmode)
6535{
6536 u32 av = 0;
6537
6538 if (fmode & FMODE_READ)
6539 av |= BPF__MAP_READ;
6540 if (fmode & FMODE_WRITE)
6541 av |= BPF__MAP_WRITE;
6542 return av;
6543}
6544
6545/* This function will check the file pass through unix socket or binder to see
6546 * if it is a bpf related object. And apply correspinding checks on the bpf
6547 * object based on the type. The bpf maps and programs, not like other files and
6548 * socket, are using a shared anonymous inode inside the kernel as their inode.
6549 * So checking that inode cannot identify if the process have privilege to
6550 * access the bpf object and that's why we have to add this additional check in
6551 * selinux_file_receive and selinux_binder_transfer_files.
6552 */
6553static int bpf_fd_pass(struct file *file, u32 sid)
6554{
6555 struct bpf_security_struct *bpfsec;
6556 struct bpf_prog *prog;
6557 struct bpf_map *map;
6558 int ret;
6559
6560 if (file->f_op == &bpf_map_fops) {
6561 map = file->private_data;
6562 bpfsec = map->security;
6563 ret = avc_has_perm(&selinux_state,
6564 sid, bpfsec->sid, SECCLASS_BPF,
6565 bpf_map_fmode_to_av(file->f_mode), NULL);
6566 if (ret)
6567 return ret;
6568 } else if (file->f_op == &bpf_prog_fops) {
6569 prog = file->private_data;
6570 bpfsec = prog->aux->security;
6571 ret = avc_has_perm(&selinux_state,
6572 sid, bpfsec->sid, SECCLASS_BPF,
6573 BPF__PROG_RUN, NULL);
6574 if (ret)
6575 return ret;
6576 }
6577 return 0;
6578}
6579
6580static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6581{
6582 u32 sid = current_sid();
6583 struct bpf_security_struct *bpfsec;
6584
6585 bpfsec = map->security;
6586 return avc_has_perm(&selinux_state,
6587 sid, bpfsec->sid, SECCLASS_BPF,
6588 bpf_map_fmode_to_av(fmode), NULL);
6589}
6590
6591static int selinux_bpf_prog(struct bpf_prog *prog)
6592{
6593 u32 sid = current_sid();
6594 struct bpf_security_struct *bpfsec;
6595
6596 bpfsec = prog->aux->security;
6597 return avc_has_perm(&selinux_state,
6598 sid, bpfsec->sid, SECCLASS_BPF,
6599 BPF__PROG_RUN, NULL);
6600}
6601
6602static int selinux_bpf_map_alloc(struct bpf_map *map)
6603{
6604 struct bpf_security_struct *bpfsec;
6605
6606 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6607 if (!bpfsec)
6608 return -ENOMEM;
6609
6610 bpfsec->sid = current_sid();
6611 map->security = bpfsec;
6612
6613 return 0;
6614}
6615
6616static void selinux_bpf_map_free(struct bpf_map *map)
6617{
6618 struct bpf_security_struct *bpfsec = map->security;
6619
6620 map->security = NULL;
6621 kfree(bpfsec);
6622}
6623
6624static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6625{
6626 struct bpf_security_struct *bpfsec;
6627
6628 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6629 if (!bpfsec)
6630 return -ENOMEM;
6631
6632 bpfsec->sid = current_sid();
6633 aux->security = bpfsec;
6634
6635 return 0;
6636}
6637
6638static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6639{
6640 struct bpf_security_struct *bpfsec = aux->security;
6641
6642 aux->security = NULL;
6643 kfree(bpfsec);
6644}
6645#endif
6646
6647struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6648 .lbs_cred = sizeof(struct task_security_struct),
6649};
6650
6651static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6652 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6653 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6654 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6655 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6656
6657 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6658 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6659 LSM_HOOK_INIT(capget, selinux_capget),
6660 LSM_HOOK_INIT(capset, selinux_capset),
6661 LSM_HOOK_INIT(capable, selinux_capable),
6662 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6663 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6664 LSM_HOOK_INIT(syslog, selinux_syslog),
6665 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6666
6667 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6668
6669 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6670 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6671 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6672
6673 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6674 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6675 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
6676 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6677 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6678 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6679 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6680 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6681 LSM_HOOK_INIT(sb_mount, selinux_mount),
6682 LSM_HOOK_INIT(sb_umount, selinux_umount),
6683 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6684 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6685 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
6686
6687 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6688 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6689
6690 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6691 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6692 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6693 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6694 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6695 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6696 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6697 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6698 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6699 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6700 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6701 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6702 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6703 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6704 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6705 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6706 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6707 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6708 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6709 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6710 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6711 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6712 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6713 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6714 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6715 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6716 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6717
6718 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6719 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6720 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6721 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6722 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6723 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6724 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6725 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6726 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6727 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6728 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6729 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6730
6731 LSM_HOOK_INIT(file_open, selinux_file_open),
6732
6733 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6734 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6735 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6736 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6737 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6738 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6739 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6740 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6741 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6742 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6743 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6744 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6745 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6746 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6747 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6748 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6749 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6750 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6751 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6752 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6753 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6754 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6755 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6756
6757 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6758 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6759
6760 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6761 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6762
6763 LSM_HOOK_INIT(msg_queue_alloc_security,
6764 selinux_msg_queue_alloc_security),
6765 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6766 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6767 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6768 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6769 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6770
6771 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6772 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6773 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6774 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6775 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6776
6777 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6778 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6779 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6780 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6781 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6782
6783 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6784
6785 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6786 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6787
6788 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6789 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6790 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6791 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6792 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6793 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6794 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6795 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6796
6797 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6798 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6799
6800 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6801 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6802 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
6803 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6804 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6805 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6806 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6807 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6808 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6809 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6810 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6811 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6812 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6813 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6814 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6815 LSM_HOOK_INIT(socket_getpeersec_stream,
6816 selinux_socket_getpeersec_stream),
6817 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6818 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6819 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6820 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6821 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6822 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6823 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
6824 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
6825 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
6826 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6827 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6828 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6829 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6830 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6831 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6832 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6833 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6834 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6835 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6836 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6837 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6838 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6839#ifdef CONFIG_SECURITY_INFINIBAND
6840 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6841 LSM_HOOK_INIT(ib_endport_manage_subnet,
6842 selinux_ib_endport_manage_subnet),
6843 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6844 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6845#endif
6846#ifdef CONFIG_SECURITY_NETWORK_XFRM
6847 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6848 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6849 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6850 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6851 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6852 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6853 selinux_xfrm_state_alloc_acquire),
6854 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6855 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6856 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6857 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6858 selinux_xfrm_state_pol_flow_match),
6859 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6860#endif
6861
6862#ifdef CONFIG_KEYS
6863 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6864 LSM_HOOK_INIT(key_free, selinux_key_free),
6865 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6866 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6867#endif
6868
6869#ifdef CONFIG_AUDIT
6870 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6871 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6872 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6873 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6874#endif
6875
6876#ifdef CONFIG_BPF_SYSCALL
6877 LSM_HOOK_INIT(bpf, selinux_bpf),
6878 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
6879 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
6880 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
6881 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
6882 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
6883 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
6884#endif
6885};
6886
6887static __init int selinux_init(void)
6888{
6889 pr_info("SELinux: Initializing.\n");
6890
6891 memset(&selinux_state, 0, sizeof(selinux_state));
6892 enforcing_set(&selinux_state, selinux_enforcing_boot);
6893 selinux_state.checkreqprot = selinux_checkreqprot_boot;
6894 selinux_ss_init(&selinux_state.ss);
6895 selinux_avc_init(&selinux_state.avc);
6896
6897 /* Set the security state for the initial task. */
6898 cred_init_security();
6899
6900 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6901
6902 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6903 sizeof(struct inode_security_struct),
6904 0, SLAB_PANIC, NULL);
6905 file_security_cache = kmem_cache_create("selinux_file_security",
6906 sizeof(struct file_security_struct),
6907 0, SLAB_PANIC, NULL);
6908 avc_init();
6909
6910 avtab_cache_init();
6911
6912 ebitmap_cache_init();
6913
6914 hashtab_cache_init();
6915
6916 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6917
6918 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6919 panic("SELinux: Unable to register AVC netcache callback\n");
6920
6921 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6922 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6923
6924 if (selinux_enforcing_boot)
6925 pr_debug("SELinux: Starting in enforcing mode\n");
6926 else
6927 pr_debug("SELinux: Starting in permissive mode\n");
6928
6929 return 0;
6930}
6931
6932static void delayed_superblock_init(struct super_block *sb, void *unused)
6933{
6934 selinux_set_mnt_opts(sb, NULL, 0, NULL);
6935}
6936
6937void selinux_complete_init(void)
6938{
6939 pr_debug("SELinux: Completing initialization.\n");
6940
6941 /* Set up any superblocks initialized prior to the policy load. */
6942 pr_debug("SELinux: Setting up existing superblocks.\n");
6943 iterate_supers(delayed_superblock_init, NULL);
6944}
6945
6946/* SELinux requires early initialization in order to label
6947 all processes and objects when they are created. */
6948DEFINE_LSM(selinux) = {
6949 .name = "selinux",
6950 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
6951 .enabled = &selinux_enabled,
6952 .blobs = &selinux_blob_sizes,
6953 .init = selinux_init,
6954};
6955
6956#if defined(CONFIG_NETFILTER)
6957
6958static const struct nf_hook_ops selinux_nf_ops[] = {
6959 {
6960 .hook = selinux_ipv4_postroute,
6961 .pf = NFPROTO_IPV4,
6962 .hooknum = NF_INET_POST_ROUTING,
6963 .priority = NF_IP_PRI_SELINUX_LAST,
6964 },
6965 {
6966 .hook = selinux_ipv4_forward,
6967 .pf = NFPROTO_IPV4,
6968 .hooknum = NF_INET_FORWARD,
6969 .priority = NF_IP_PRI_SELINUX_FIRST,
6970 },
6971 {
6972 .hook = selinux_ipv4_output,
6973 .pf = NFPROTO_IPV4,
6974 .hooknum = NF_INET_LOCAL_OUT,
6975 .priority = NF_IP_PRI_SELINUX_FIRST,
6976 },
6977#if IS_ENABLED(CONFIG_IPV6)
6978 {
6979 .hook = selinux_ipv6_postroute,
6980 .pf = NFPROTO_IPV6,
6981 .hooknum = NF_INET_POST_ROUTING,
6982 .priority = NF_IP6_PRI_SELINUX_LAST,
6983 },
6984 {
6985 .hook = selinux_ipv6_forward,
6986 .pf = NFPROTO_IPV6,
6987 .hooknum = NF_INET_FORWARD,
6988 .priority = NF_IP6_PRI_SELINUX_FIRST,
6989 },
6990 {
6991 .hook = selinux_ipv6_output,
6992 .pf = NFPROTO_IPV6,
6993 .hooknum = NF_INET_LOCAL_OUT,
6994 .priority = NF_IP6_PRI_SELINUX_FIRST,
6995 },
6996#endif /* IPV6 */
6997};
6998
6999static int __net_init selinux_nf_register(struct net *net)
7000{
7001 return nf_register_net_hooks(net, selinux_nf_ops,
7002 ARRAY_SIZE(selinux_nf_ops));
7003}
7004
7005static void __net_exit selinux_nf_unregister(struct net *net)
7006{
7007 nf_unregister_net_hooks(net, selinux_nf_ops,
7008 ARRAY_SIZE(selinux_nf_ops));
7009}
7010
7011static struct pernet_operations selinux_net_ops = {
7012 .init = selinux_nf_register,
7013 .exit = selinux_nf_unregister,
7014};
7015
7016static int __init selinux_nf_ip_init(void)
7017{
7018 int err;
7019
7020 if (!selinux_enabled)
7021 return 0;
7022
7023 pr_debug("SELinux: Registering netfilter hooks\n");
7024
7025 err = register_pernet_subsys(&selinux_net_ops);
7026 if (err)
7027 panic("SELinux: register_pernet_subsys: error %d\n", err);
7028
7029 return 0;
7030}
7031__initcall(selinux_nf_ip_init);
7032
7033#ifdef CONFIG_SECURITY_SELINUX_DISABLE
7034static void selinux_nf_ip_exit(void)
7035{
7036 pr_debug("SELinux: Unregistering netfilter hooks\n");
7037
7038 unregister_pernet_subsys(&selinux_net_ops);
7039}
7040#endif
7041
7042#else /* CONFIG_NETFILTER */
7043
7044#ifdef CONFIG_SECURITY_SELINUX_DISABLE
7045#define selinux_nf_ip_exit()
7046#endif
7047
7048#endif /* CONFIG_NETFILTER */
7049
7050#ifdef CONFIG_SECURITY_SELINUX_DISABLE
7051int selinux_disable(struct selinux_state *state)
7052{
7053 if (state->initialized) {
7054 /* Not permitted after initial policy load. */
7055 return -EINVAL;
7056 }
7057
7058 if (state->disabled) {
7059 /* Only do this once. */
7060 return -EINVAL;
7061 }
7062
7063 state->disabled = 1;
7064
7065 pr_info("SELinux: Disabled at runtime.\n");
7066
7067 selinux_enabled = 0;
7068
7069 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7070
7071 /* Try to destroy the avc node cache */
7072 avc_disable();
7073
7074 /* Unregister netfilter hooks. */
7075 selinux_nf_ip_exit();
7076
7077 /* Unregister selinuxfs. */
7078 exit_sel_fs();
7079
7080 return 0;
7081}
7082#endif
Linux 6.x block layer and io_uring tree(s)