1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * <dgoeddel@trustedcs.com>
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Paul Moore <paul@paul-moore.com>
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * Copyright (C) 2016 Mellanox Technologies
22 */
23
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h> /* for Unix socket types */
73 #include <net/af_unix.h> /* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h> /* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 #include <linux/io_uring.h>
95
96 #include "avc.h"
97 #include "objsec.h"
98 #include "netif.h"
99 #include "netnode.h"
100 #include "netport.h"
101 #include "ibpkey.h"
102 #include "xfrm.h"
103 #include "netlabel.h"
104 #include "audit.h"
105 #include "avc_ss.h"
106
107 struct selinux_state selinux_state;
108
109 /* SECMARK reference count */
110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
111
112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
113 static int selinux_enforcing_boot __initdata;
114
enforcing_setup(char * str)115 static int __init enforcing_setup(char *str)
116 {
117 unsigned long enforcing;
118 if (!kstrtoul(str, 0, &enforcing))
119 selinux_enforcing_boot = enforcing ? 1 : 0;
120 return 1;
121 }
122 __setup("enforcing=", enforcing_setup);
123 #else
124 #define selinux_enforcing_boot 1
125 #endif
126
127 int selinux_enabled_boot __initdata = 1;
128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
selinux_enabled_setup(char * str)129 static int __init selinux_enabled_setup(char *str)
130 {
131 unsigned long enabled;
132 if (!kstrtoul(str, 0, &enabled))
133 selinux_enabled_boot = enabled ? 1 : 0;
134 return 1;
135 }
136 __setup("selinux=", selinux_enabled_setup);
137 #endif
138
139 static unsigned int selinux_checkreqprot_boot =
140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141
checkreqprot_setup(char * str)142 static int __init checkreqprot_setup(char *str)
143 {
144 unsigned long checkreqprot;
145
146 if (!kstrtoul(str, 0, &checkreqprot)) {
147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148 if (checkreqprot)
149 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
150 }
151 return 1;
152 }
153 __setup("checkreqprot=", checkreqprot_setup);
154
155 /**
156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157 *
158 * Description:
159 * This function checks the SECMARK reference counter to see if any SECMARK
160 * targets are currently configured, if the reference counter is greater than
161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
162 * enabled, false (0) if SECMARK is disabled. If the always_check_network
163 * policy capability is enabled, SECMARK is always considered enabled.
164 *
165 */
selinux_secmark_enabled(void)166 static int selinux_secmark_enabled(void)
167 {
168 return (selinux_policycap_alwaysnetwork() ||
169 atomic_read(&selinux_secmark_refcount));
170 }
171
172 /**
173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174 *
175 * Description:
176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
177 * (1) if any are enabled or false (0) if neither are enabled. If the
178 * always_check_network policy capability is enabled, peer labeling
179 * is always considered enabled.
180 *
181 */
selinux_peerlbl_enabled(void)182 static int selinux_peerlbl_enabled(void)
183 {
184 return (selinux_policycap_alwaysnetwork() ||
185 netlbl_enabled() || selinux_xfrm_enabled());
186 }
187
selinux_netcache_avc_callback(u32 event)188 static int selinux_netcache_avc_callback(u32 event)
189 {
190 if (event == AVC_CALLBACK_RESET) {
191 sel_netif_flush();
192 sel_netnode_flush();
193 sel_netport_flush();
194 synchronize_net();
195 }
196 return 0;
197 }
198
selinux_lsm_notifier_avc_callback(u32 event)199 static int selinux_lsm_notifier_avc_callback(u32 event)
200 {
201 if (event == AVC_CALLBACK_RESET) {
202 sel_ib_pkey_flush();
203 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
204 }
205
206 return 0;
207 }
208
209 /*
210 * initialise the security for the init task
211 */
cred_init_security(void)212 static void cred_init_security(void)
213 {
214 struct task_security_struct *tsec;
215
216 tsec = selinux_cred(unrcu_pointer(current->real_cred));
217 tsec->osid = tsec->sid = SECINITSID_KERNEL;
218 }
219
220 /*
221 * get the security ID of a set of credentials
222 */
cred_sid(const struct cred * cred)223 static inline u32 cred_sid(const struct cred *cred)
224 {
225 const struct task_security_struct *tsec;
226
227 tsec = selinux_cred(cred);
228 return tsec->sid;
229 }
230
231 /*
232 * get the objective security ID of a task
233 */
task_sid_obj(const struct task_struct * task)234 static inline u32 task_sid_obj(const struct task_struct *task)
235 {
236 u32 sid;
237
238 rcu_read_lock();
239 sid = cred_sid(__task_cred(task));
240 rcu_read_unlock();
241 return sid;
242 }
243
244 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
245
246 /*
247 * Try reloading inode security labels that have been marked as invalid. The
248 * @may_sleep parameter indicates when sleeping and thus reloading labels is
249 * allowed; when set to false, returns -ECHILD when the label is
250 * invalid. The @dentry parameter should be set to a dentry of the inode.
251 */
__inode_security_revalidate(struct inode * inode,struct dentry * dentry,bool may_sleep)252 static int __inode_security_revalidate(struct inode *inode,
253 struct dentry *dentry,
254 bool may_sleep)
255 {
256 struct inode_security_struct *isec = selinux_inode(inode);
257
258 might_sleep_if(may_sleep);
259
260 if (selinux_initialized(&selinux_state) &&
261 isec->initialized != LABEL_INITIALIZED) {
262 if (!may_sleep)
263 return -ECHILD;
264
265 /*
266 * Try reloading the inode security label. This will fail if
267 * @opt_dentry is NULL and no dentry for this inode can be
268 * found; in that case, continue using the old label.
269 */
270 inode_doinit_with_dentry(inode, dentry);
271 }
272 return 0;
273 }
274
inode_security_novalidate(struct inode * inode)275 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
276 {
277 return selinux_inode(inode);
278 }
279
inode_security_rcu(struct inode * inode,bool rcu)280 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
281 {
282 int error;
283
284 error = __inode_security_revalidate(inode, NULL, !rcu);
285 if (error)
286 return ERR_PTR(error);
287 return selinux_inode(inode);
288 }
289
290 /*
291 * Get the security label of an inode.
292 */
inode_security(struct inode * inode)293 static struct inode_security_struct *inode_security(struct inode *inode)
294 {
295 __inode_security_revalidate(inode, NULL, true);
296 return selinux_inode(inode);
297 }
298
backing_inode_security_novalidate(struct dentry * dentry)299 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
300 {
301 struct inode *inode = d_backing_inode(dentry);
302
303 return selinux_inode(inode);
304 }
305
306 /*
307 * Get the security label of a dentry's backing inode.
308 */
backing_inode_security(struct dentry * dentry)309 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
310 {
311 struct inode *inode = d_backing_inode(dentry);
312
313 __inode_security_revalidate(inode, dentry, true);
314 return selinux_inode(inode);
315 }
316
inode_free_security(struct inode * inode)317 static void inode_free_security(struct inode *inode)
318 {
319 struct inode_security_struct *isec = selinux_inode(inode);
320 struct superblock_security_struct *sbsec;
321
322 if (!isec)
323 return;
324 sbsec = selinux_superblock(inode->i_sb);
325 /*
326 * As not all inode security structures are in a list, we check for
327 * empty list outside of the lock to make sure that we won't waste
328 * time taking a lock doing nothing.
329 *
330 * The list_del_init() function can be safely called more than once.
331 * It should not be possible for this function to be called with
332 * concurrent list_add(), but for better safety against future changes
333 * in the code, we use list_empty_careful() here.
334 */
335 if (!list_empty_careful(&isec->list)) {
336 spin_lock(&sbsec->isec_lock);
337 list_del_init(&isec->list);
338 spin_unlock(&sbsec->isec_lock);
339 }
340 }
341
342 struct selinux_mnt_opts {
343 u32 fscontext_sid;
344 u32 context_sid;
345 u32 rootcontext_sid;
346 u32 defcontext_sid;
347 };
348
selinux_free_mnt_opts(void * mnt_opts)349 static void selinux_free_mnt_opts(void *mnt_opts)
350 {
351 kfree(mnt_opts);
352 }
353
354 enum {
355 Opt_error = -1,
356 Opt_context = 0,
357 Opt_defcontext = 1,
358 Opt_fscontext = 2,
359 Opt_rootcontext = 3,
360 Opt_seclabel = 4,
361 };
362
363 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
364 static struct {
365 const char *name;
366 int len;
367 int opt;
368 bool has_arg;
369 } tokens[] = {
370 A(context, true),
371 A(fscontext, true),
372 A(defcontext, true),
373 A(rootcontext, true),
374 A(seclabel, false),
375 };
376 #undef A
377
match_opt_prefix(char * s,int l,char ** arg)378 static int match_opt_prefix(char *s, int l, char **arg)
379 {
380 int i;
381
382 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
383 size_t len = tokens[i].len;
384 if (len > l || memcmp(s, tokens[i].name, len))
385 continue;
386 if (tokens[i].has_arg) {
387 if (len == l || s[len] != '=')
388 continue;
389 *arg = s + len + 1;
390 } else if (len != l)
391 continue;
392 return tokens[i].opt;
393 }
394 return Opt_error;
395 }
396
397 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
398
may_context_mount_sb_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)399 static int may_context_mount_sb_relabel(u32 sid,
400 struct superblock_security_struct *sbsec,
401 const struct cred *cred)
402 {
403 const struct task_security_struct *tsec = selinux_cred(cred);
404 int rc;
405
406 rc = avc_has_perm(&selinux_state,
407 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
408 FILESYSTEM__RELABELFROM, NULL);
409 if (rc)
410 return rc;
411
412 rc = avc_has_perm(&selinux_state,
413 tsec->sid, sid, SECCLASS_FILESYSTEM,
414 FILESYSTEM__RELABELTO, NULL);
415 return rc;
416 }
417
may_context_mount_inode_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)418 static int may_context_mount_inode_relabel(u32 sid,
419 struct superblock_security_struct *sbsec,
420 const struct cred *cred)
421 {
422 const struct task_security_struct *tsec = selinux_cred(cred);
423 int rc;
424 rc = avc_has_perm(&selinux_state,
425 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
426 FILESYSTEM__RELABELFROM, NULL);
427 if (rc)
428 return rc;
429
430 rc = avc_has_perm(&selinux_state,
431 sid, sbsec->sid, SECCLASS_FILESYSTEM,
432 FILESYSTEM__ASSOCIATE, NULL);
433 return rc;
434 }
435
selinux_is_genfs_special_handling(struct super_block * sb)436 static int selinux_is_genfs_special_handling(struct super_block *sb)
437 {
438 /* Special handling. Genfs but also in-core setxattr handler */
439 return !strcmp(sb->s_type->name, "sysfs") ||
440 !strcmp(sb->s_type->name, "pstore") ||
441 !strcmp(sb->s_type->name, "debugfs") ||
442 !strcmp(sb->s_type->name, "tracefs") ||
443 !strcmp(sb->s_type->name, "rootfs") ||
444 (selinux_policycap_cgroupseclabel() &&
445 (!strcmp(sb->s_type->name, "cgroup") ||
446 !strcmp(sb->s_type->name, "cgroup2")));
447 }
448
selinux_is_sblabel_mnt(struct super_block * sb)449 static int selinux_is_sblabel_mnt(struct super_block *sb)
450 {
451 struct superblock_security_struct *sbsec = selinux_superblock(sb);
452
453 /*
454 * IMPORTANT: Double-check logic in this function when adding a new
455 * SECURITY_FS_USE_* definition!
456 */
457 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
458
459 switch (sbsec->behavior) {
460 case SECURITY_FS_USE_XATTR:
461 case SECURITY_FS_USE_TRANS:
462 case SECURITY_FS_USE_TASK:
463 case SECURITY_FS_USE_NATIVE:
464 return 1;
465
466 case SECURITY_FS_USE_GENFS:
467 return selinux_is_genfs_special_handling(sb);
468
469 /* Never allow relabeling on context mounts */
470 case SECURITY_FS_USE_MNTPOINT:
471 case SECURITY_FS_USE_NONE:
472 default:
473 return 0;
474 }
475 }
476
sb_check_xattr_support(struct super_block * sb)477 static int sb_check_xattr_support(struct super_block *sb)
478 {
479 struct superblock_security_struct *sbsec = selinux_superblock(sb);
480 struct dentry *root = sb->s_root;
481 struct inode *root_inode = d_backing_inode(root);
482 u32 sid;
483 int rc;
484
485 /*
486 * Make sure that the xattr handler exists and that no
487 * error other than -ENODATA is returned by getxattr on
488 * the root directory. -ENODATA is ok, as this may be
489 * the first boot of the SELinux kernel before we have
490 * assigned xattr values to the filesystem.
491 */
492 if (!(root_inode->i_opflags & IOP_XATTR)) {
493 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
494 sb->s_id, sb->s_type->name);
495 goto fallback;
496 }
497
498 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
499 if (rc < 0 && rc != -ENODATA) {
500 if (rc == -EOPNOTSUPP) {
501 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
502 sb->s_id, sb->s_type->name);
503 goto fallback;
504 } else {
505 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
506 sb->s_id, sb->s_type->name, -rc);
507 return rc;
508 }
509 }
510 return 0;
511
512 fallback:
513 /* No xattr support - try to fallback to genfs if possible. */
514 rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/",
515 SECCLASS_DIR, &sid);
516 if (rc)
517 return -EOPNOTSUPP;
518
519 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
520 sb->s_id, sb->s_type->name);
521 sbsec->behavior = SECURITY_FS_USE_GENFS;
522 sbsec->sid = sid;
523 return 0;
524 }
525
sb_finish_set_opts(struct super_block * sb)526 static int sb_finish_set_opts(struct super_block *sb)
527 {
528 struct superblock_security_struct *sbsec = selinux_superblock(sb);
529 struct dentry *root = sb->s_root;
530 struct inode *root_inode = d_backing_inode(root);
531 int rc = 0;
532
533 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
534 rc = sb_check_xattr_support(sb);
535 if (rc)
536 return rc;
537 }
538
539 sbsec->flags |= SE_SBINITIALIZED;
540
541 /*
542 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
543 * leave the flag untouched because sb_clone_mnt_opts might be handing
544 * us a superblock that needs the flag to be cleared.
545 */
546 if (selinux_is_sblabel_mnt(sb))
547 sbsec->flags |= SBLABEL_MNT;
548 else
549 sbsec->flags &= ~SBLABEL_MNT;
550
551 /* Initialize the root inode. */
552 rc = inode_doinit_with_dentry(root_inode, root);
553
554 /* Initialize any other inodes associated with the superblock, e.g.
555 inodes created prior to initial policy load or inodes created
556 during get_sb by a pseudo filesystem that directly
557 populates itself. */
558 spin_lock(&sbsec->isec_lock);
559 while (!list_empty(&sbsec->isec_head)) {
560 struct inode_security_struct *isec =
561 list_first_entry(&sbsec->isec_head,
562 struct inode_security_struct, list);
563 struct inode *inode = isec->inode;
564 list_del_init(&isec->list);
565 spin_unlock(&sbsec->isec_lock);
566 inode = igrab(inode);
567 if (inode) {
568 if (!IS_PRIVATE(inode))
569 inode_doinit_with_dentry(inode, NULL);
570 iput(inode);
571 }
572 spin_lock(&sbsec->isec_lock);
573 }
574 spin_unlock(&sbsec->isec_lock);
575 return rc;
576 }
577
bad_option(struct superblock_security_struct * sbsec,char flag,u32 old_sid,u32 new_sid)578 static int bad_option(struct superblock_security_struct *sbsec, char flag,
579 u32 old_sid, u32 new_sid)
580 {
581 char mnt_flags = sbsec->flags & SE_MNTMASK;
582
583 /* check if the old mount command had the same options */
584 if (sbsec->flags & SE_SBINITIALIZED)
585 if (!(sbsec->flags & flag) ||
586 (old_sid != new_sid))
587 return 1;
588
589 /* check if we were passed the same options twice,
590 * aka someone passed context=a,context=b
591 */
592 if (!(sbsec->flags & SE_SBINITIALIZED))
593 if (mnt_flags & flag)
594 return 1;
595 return 0;
596 }
597
598 /*
599 * Allow filesystems with binary mount data to explicitly set mount point
600 * labeling information.
601 */
selinux_set_mnt_opts(struct super_block * sb,void * mnt_opts,unsigned long kern_flags,unsigned long * set_kern_flags)602 static int selinux_set_mnt_opts(struct super_block *sb,
603 void *mnt_opts,
604 unsigned long kern_flags,
605 unsigned long *set_kern_flags)
606 {
607 const struct cred *cred = current_cred();
608 struct superblock_security_struct *sbsec = selinux_superblock(sb);
609 struct dentry *root = sb->s_root;
610 struct selinux_mnt_opts *opts = mnt_opts;
611 struct inode_security_struct *root_isec;
612 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
613 u32 defcontext_sid = 0;
614 int rc = 0;
615
616 mutex_lock(&sbsec->lock);
617
618 if (!selinux_initialized(&selinux_state)) {
619 if (!opts) {
620 /* Defer initialization until selinux_complete_init,
621 after the initial policy is loaded and the security
622 server is ready to handle calls. */
623 goto out;
624 }
625 rc = -EINVAL;
626 pr_warn("SELinux: Unable to set superblock options "
627 "before the security server is initialized\n");
628 goto out;
629 }
630 if (kern_flags && !set_kern_flags) {
631 /* Specifying internal flags without providing a place to
632 * place the results is not allowed */
633 rc = -EINVAL;
634 goto out;
635 }
636
637 /*
638 * Binary mount data FS will come through this function twice. Once
639 * from an explicit call and once from the generic calls from the vfs.
640 * Since the generic VFS calls will not contain any security mount data
641 * we need to skip the double mount verification.
642 *
643 * This does open a hole in which we will not notice if the first
644 * mount using this sb set explict options and a second mount using
645 * this sb does not set any security options. (The first options
646 * will be used for both mounts)
647 */
648 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
649 && !opts)
650 goto out;
651
652 root_isec = backing_inode_security_novalidate(root);
653
654 /*
655 * parse the mount options, check if they are valid sids.
656 * also check if someone is trying to mount the same sb more
657 * than once with different security options.
658 */
659 if (opts) {
660 if (opts->fscontext_sid) {
661 fscontext_sid = opts->fscontext_sid;
662 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
663 fscontext_sid))
664 goto out_double_mount;
665 sbsec->flags |= FSCONTEXT_MNT;
666 }
667 if (opts->context_sid) {
668 context_sid = opts->context_sid;
669 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
670 context_sid))
671 goto out_double_mount;
672 sbsec->flags |= CONTEXT_MNT;
673 }
674 if (opts->rootcontext_sid) {
675 rootcontext_sid = opts->rootcontext_sid;
676 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
677 rootcontext_sid))
678 goto out_double_mount;
679 sbsec->flags |= ROOTCONTEXT_MNT;
680 }
681 if (opts->defcontext_sid) {
682 defcontext_sid = opts->defcontext_sid;
683 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
684 defcontext_sid))
685 goto out_double_mount;
686 sbsec->flags |= DEFCONTEXT_MNT;
687 }
688 }
689
690 if (sbsec->flags & SE_SBINITIALIZED) {
691 /* previously mounted with options, but not on this attempt? */
692 if ((sbsec->flags & SE_MNTMASK) && !opts)
693 goto out_double_mount;
694 rc = 0;
695 goto out;
696 }
697
698 if (strcmp(sb->s_type->name, "proc") == 0)
699 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
700
701 if (!strcmp(sb->s_type->name, "debugfs") ||
702 !strcmp(sb->s_type->name, "tracefs") ||
703 !strcmp(sb->s_type->name, "binder") ||
704 !strcmp(sb->s_type->name, "bpf") ||
705 !strcmp(sb->s_type->name, "pstore") ||
706 !strcmp(sb->s_type->name, "securityfs"))
707 sbsec->flags |= SE_SBGENFS;
708
709 if (!strcmp(sb->s_type->name, "sysfs") ||
710 !strcmp(sb->s_type->name, "cgroup") ||
711 !strcmp(sb->s_type->name, "cgroup2"))
712 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
713
714 if (!sbsec->behavior) {
715 /*
716 * Determine the labeling behavior to use for this
717 * filesystem type.
718 */
719 rc = security_fs_use(&selinux_state, sb);
720 if (rc) {
721 pr_warn("%s: security_fs_use(%s) returned %d\n",
722 __func__, sb->s_type->name, rc);
723 goto out;
724 }
725 }
726
727 /*
728 * If this is a user namespace mount and the filesystem type is not
729 * explicitly whitelisted, then no contexts are allowed on the command
730 * line and security labels must be ignored.
731 */
732 if (sb->s_user_ns != &init_user_ns &&
733 strcmp(sb->s_type->name, "tmpfs") &&
734 strcmp(sb->s_type->name, "ramfs") &&
735 strcmp(sb->s_type->name, "devpts") &&
736 strcmp(sb->s_type->name, "overlay")) {
737 if (context_sid || fscontext_sid || rootcontext_sid ||
738 defcontext_sid) {
739 rc = -EACCES;
740 goto out;
741 }
742 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
743 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
744 rc = security_transition_sid(&selinux_state,
745 current_sid(),
746 current_sid(),
747 SECCLASS_FILE, NULL,
748 &sbsec->mntpoint_sid);
749 if (rc)
750 goto out;
751 }
752 goto out_set_opts;
753 }
754
755 /* sets the context of the superblock for the fs being mounted. */
756 if (fscontext_sid) {
757 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
758 if (rc)
759 goto out;
760
761 sbsec->sid = fscontext_sid;
762 }
763
764 /*
765 * Switch to using mount point labeling behavior.
766 * sets the label used on all file below the mountpoint, and will set
767 * the superblock context if not already set.
768 */
769 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
770 sbsec->behavior = SECURITY_FS_USE_NATIVE;
771 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
772 }
773
774 if (context_sid) {
775 if (!fscontext_sid) {
776 rc = may_context_mount_sb_relabel(context_sid, sbsec,
777 cred);
778 if (rc)
779 goto out;
780 sbsec->sid = context_sid;
781 } else {
782 rc = may_context_mount_inode_relabel(context_sid, sbsec,
783 cred);
784 if (rc)
785 goto out;
786 }
787 if (!rootcontext_sid)
788 rootcontext_sid = context_sid;
789
790 sbsec->mntpoint_sid = context_sid;
791 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
792 }
793
794 if (rootcontext_sid) {
795 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
796 cred);
797 if (rc)
798 goto out;
799
800 root_isec->sid = rootcontext_sid;
801 root_isec->initialized = LABEL_INITIALIZED;
802 }
803
804 if (defcontext_sid) {
805 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
806 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
807 rc = -EINVAL;
808 pr_warn("SELinux: defcontext option is "
809 "invalid for this filesystem type\n");
810 goto out;
811 }
812
813 if (defcontext_sid != sbsec->def_sid) {
814 rc = may_context_mount_inode_relabel(defcontext_sid,
815 sbsec, cred);
816 if (rc)
817 goto out;
818 }
819
820 sbsec->def_sid = defcontext_sid;
821 }
822
823 out_set_opts:
824 rc = sb_finish_set_opts(sb);
825 out:
826 mutex_unlock(&sbsec->lock);
827 return rc;
828 out_double_mount:
829 rc = -EINVAL;
830 pr_warn("SELinux: mount invalid. Same superblock, different "
831 "security settings for (dev %s, type %s)\n", sb->s_id,
832 sb->s_type->name);
833 goto out;
834 }
835
selinux_cmp_sb_context(const struct super_block * oldsb,const struct super_block * newsb)836 static int selinux_cmp_sb_context(const struct super_block *oldsb,
837 const struct super_block *newsb)
838 {
839 struct superblock_security_struct *old = selinux_superblock(oldsb);
840 struct superblock_security_struct *new = selinux_superblock(newsb);
841 char oldflags = old->flags & SE_MNTMASK;
842 char newflags = new->flags & SE_MNTMASK;
843
844 if (oldflags != newflags)
845 goto mismatch;
846 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
847 goto mismatch;
848 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
849 goto mismatch;
850 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
851 goto mismatch;
852 if (oldflags & ROOTCONTEXT_MNT) {
853 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
854 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
855 if (oldroot->sid != newroot->sid)
856 goto mismatch;
857 }
858 return 0;
859 mismatch:
860 pr_warn("SELinux: mount invalid. Same superblock, "
861 "different security settings for (dev %s, "
862 "type %s)\n", newsb->s_id, newsb->s_type->name);
863 return -EBUSY;
864 }
865
selinux_sb_clone_mnt_opts(const struct super_block * oldsb,struct super_block * newsb,unsigned long kern_flags,unsigned long * set_kern_flags)866 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
867 struct super_block *newsb,
868 unsigned long kern_flags,
869 unsigned long *set_kern_flags)
870 {
871 int rc = 0;
872 const struct superblock_security_struct *oldsbsec =
873 selinux_superblock(oldsb);
874 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
875
876 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
877 int set_context = (oldsbsec->flags & CONTEXT_MNT);
878 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
879
880 /*
881 * if the parent was able to be mounted it clearly had no special lsm
882 * mount options. thus we can safely deal with this superblock later
883 */
884 if (!selinux_initialized(&selinux_state))
885 return 0;
886
887 /*
888 * Specifying internal flags without providing a place to
889 * place the results is not allowed.
890 */
891 if (kern_flags && !set_kern_flags)
892 return -EINVAL;
893
894 /* how can we clone if the old one wasn't set up?? */
895 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
896
897 /* if fs is reusing a sb, make sure that the contexts match */
898 if (newsbsec->flags & SE_SBINITIALIZED) {
899 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
900 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
901 return selinux_cmp_sb_context(oldsb, newsb);
902 }
903
904 mutex_lock(&newsbsec->lock);
905
906 newsbsec->flags = oldsbsec->flags;
907
908 newsbsec->sid = oldsbsec->sid;
909 newsbsec->def_sid = oldsbsec->def_sid;
910 newsbsec->behavior = oldsbsec->behavior;
911
912 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
913 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
914 rc = security_fs_use(&selinux_state, newsb);
915 if (rc)
916 goto out;
917 }
918
919 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
920 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
921 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
922 }
923
924 if (set_context) {
925 u32 sid = oldsbsec->mntpoint_sid;
926
927 if (!set_fscontext)
928 newsbsec->sid = sid;
929 if (!set_rootcontext) {
930 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
931 newisec->sid = sid;
932 }
933 newsbsec->mntpoint_sid = sid;
934 }
935 if (set_rootcontext) {
936 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
937 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
938
939 newisec->sid = oldisec->sid;
940 }
941
942 sb_finish_set_opts(newsb);
943 out:
944 mutex_unlock(&newsbsec->lock);
945 return rc;
946 }
947
selinux_add_opt(int token,const char * s,void ** mnt_opts)948 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
949 {
950 struct selinux_mnt_opts *opts = *mnt_opts;
951 bool is_alloc_opts = false;
952 u32 *dst_sid;
953 int rc;
954
955 if (token == Opt_seclabel)
956 /* eaten and completely ignored */
957 return 0;
958 if (!s)
959 return -ENOMEM;
960
961 if (!selinux_initialized(&selinux_state)) {
962 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
963 return -EINVAL;
964 }
965
966 if (!opts) {
967 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
968 if (!opts)
969 return -ENOMEM;
970 *mnt_opts = opts;
971 is_alloc_opts = true;
972 }
973
974 switch (token) {
975 case Opt_context:
976 if (opts->context_sid || opts->defcontext_sid)
977 goto err;
978 dst_sid = &opts->context_sid;
979 break;
980 case Opt_fscontext:
981 if (opts->fscontext_sid)
982 goto err;
983 dst_sid = &opts->fscontext_sid;
984 break;
985 case Opt_rootcontext:
986 if (opts->rootcontext_sid)
987 goto err;
988 dst_sid = &opts->rootcontext_sid;
989 break;
990 case Opt_defcontext:
991 if (opts->context_sid || opts->defcontext_sid)
992 goto err;
993 dst_sid = &opts->defcontext_sid;
994 break;
995 default:
996 WARN_ON(1);
997 return -EINVAL;
998 }
999 rc = security_context_str_to_sid(&selinux_state, s, dst_sid, GFP_KERNEL);
1000 if (rc)
1001 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1002 s, rc);
1003 return rc;
1004
1005 err:
1006 if (is_alloc_opts) {
1007 kfree(opts);
1008 *mnt_opts = NULL;
1009 }
1010 pr_warn(SEL_MOUNT_FAIL_MSG);
1011 return -EINVAL;
1012 }
1013
show_sid(struct seq_file * m,u32 sid)1014 static int show_sid(struct seq_file *m, u32 sid)
1015 {
1016 char *context = NULL;
1017 u32 len;
1018 int rc;
1019
1020 rc = security_sid_to_context(&selinux_state, sid,
1021 &context, &len);
1022 if (!rc) {
1023 bool has_comma = context && strchr(context, ',');
1024
1025 seq_putc(m, '=');
1026 if (has_comma)
1027 seq_putc(m, '\"');
1028 seq_escape(m, context, "\"\n\\");
1029 if (has_comma)
1030 seq_putc(m, '\"');
1031 }
1032 kfree(context);
1033 return rc;
1034 }
1035
selinux_sb_show_options(struct seq_file * m,struct super_block * sb)1036 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1037 {
1038 struct superblock_security_struct *sbsec = selinux_superblock(sb);
1039 int rc;
1040
1041 if (!(sbsec->flags & SE_SBINITIALIZED))
1042 return 0;
1043
1044 if (!selinux_initialized(&selinux_state))
1045 return 0;
1046
1047 if (sbsec->flags & FSCONTEXT_MNT) {
1048 seq_putc(m, ',');
1049 seq_puts(m, FSCONTEXT_STR);
1050 rc = show_sid(m, sbsec->sid);
1051 if (rc)
1052 return rc;
1053 }
1054 if (sbsec->flags & CONTEXT_MNT) {
1055 seq_putc(m, ',');
1056 seq_puts(m, CONTEXT_STR);
1057 rc = show_sid(m, sbsec->mntpoint_sid);
1058 if (rc)
1059 return rc;
1060 }
1061 if (sbsec->flags & DEFCONTEXT_MNT) {
1062 seq_putc(m, ',');
1063 seq_puts(m, DEFCONTEXT_STR);
1064 rc = show_sid(m, sbsec->def_sid);
1065 if (rc)
1066 return rc;
1067 }
1068 if (sbsec->flags & ROOTCONTEXT_MNT) {
1069 struct dentry *root = sb->s_root;
1070 struct inode_security_struct *isec = backing_inode_security(root);
1071 seq_putc(m, ',');
1072 seq_puts(m, ROOTCONTEXT_STR);
1073 rc = show_sid(m, isec->sid);
1074 if (rc)
1075 return rc;
1076 }
1077 if (sbsec->flags & SBLABEL_MNT) {
1078 seq_putc(m, ',');
1079 seq_puts(m, SECLABEL_STR);
1080 }
1081 return 0;
1082 }
1083
inode_mode_to_security_class(umode_t mode)1084 static inline u16 inode_mode_to_security_class(umode_t mode)
1085 {
1086 switch (mode & S_IFMT) {
1087 case S_IFSOCK:
1088 return SECCLASS_SOCK_FILE;
1089 case S_IFLNK:
1090 return SECCLASS_LNK_FILE;
1091 case S_IFREG:
1092 return SECCLASS_FILE;
1093 case S_IFBLK:
1094 return SECCLASS_BLK_FILE;
1095 case S_IFDIR:
1096 return SECCLASS_DIR;
1097 case S_IFCHR:
1098 return SECCLASS_CHR_FILE;
1099 case S_IFIFO:
1100 return SECCLASS_FIFO_FILE;
1101
1102 }
1103
1104 return SECCLASS_FILE;
1105 }
1106
default_protocol_stream(int protocol)1107 static inline int default_protocol_stream(int protocol)
1108 {
1109 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1110 protocol == IPPROTO_MPTCP);
1111 }
1112
default_protocol_dgram(int protocol)1113 static inline int default_protocol_dgram(int protocol)
1114 {
1115 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1116 }
1117
socket_type_to_security_class(int family,int type,int protocol)1118 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1119 {
1120 int extsockclass = selinux_policycap_extsockclass();
1121
1122 switch (family) {
1123 case PF_UNIX:
1124 switch (type) {
1125 case SOCK_STREAM:
1126 case SOCK_SEQPACKET:
1127 return SECCLASS_UNIX_STREAM_SOCKET;
1128 case SOCK_DGRAM:
1129 case SOCK_RAW:
1130 return SECCLASS_UNIX_DGRAM_SOCKET;
1131 }
1132 break;
1133 case PF_INET:
1134 case PF_INET6:
1135 switch (type) {
1136 case SOCK_STREAM:
1137 case SOCK_SEQPACKET:
1138 if (default_protocol_stream(protocol))
1139 return SECCLASS_TCP_SOCKET;
1140 else if (extsockclass && protocol == IPPROTO_SCTP)
1141 return SECCLASS_SCTP_SOCKET;
1142 else
1143 return SECCLASS_RAWIP_SOCKET;
1144 case SOCK_DGRAM:
1145 if (default_protocol_dgram(protocol))
1146 return SECCLASS_UDP_SOCKET;
1147 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1148 protocol == IPPROTO_ICMPV6))
1149 return SECCLASS_ICMP_SOCKET;
1150 else
1151 return SECCLASS_RAWIP_SOCKET;
1152 case SOCK_DCCP:
1153 return SECCLASS_DCCP_SOCKET;
1154 default:
1155 return SECCLASS_RAWIP_SOCKET;
1156 }
1157 break;
1158 case PF_NETLINK:
1159 switch (protocol) {
1160 case NETLINK_ROUTE:
1161 return SECCLASS_NETLINK_ROUTE_SOCKET;
1162 case NETLINK_SOCK_DIAG:
1163 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1164 case NETLINK_NFLOG:
1165 return SECCLASS_NETLINK_NFLOG_SOCKET;
1166 case NETLINK_XFRM:
1167 return SECCLASS_NETLINK_XFRM_SOCKET;
1168 case NETLINK_SELINUX:
1169 return SECCLASS_NETLINK_SELINUX_SOCKET;
1170 case NETLINK_ISCSI:
1171 return SECCLASS_NETLINK_ISCSI_SOCKET;
1172 case NETLINK_AUDIT:
1173 return SECCLASS_NETLINK_AUDIT_SOCKET;
1174 case NETLINK_FIB_LOOKUP:
1175 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1176 case NETLINK_CONNECTOR:
1177 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1178 case NETLINK_NETFILTER:
1179 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1180 case NETLINK_DNRTMSG:
1181 return SECCLASS_NETLINK_DNRT_SOCKET;
1182 case NETLINK_KOBJECT_UEVENT:
1183 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1184 case NETLINK_GENERIC:
1185 return SECCLASS_NETLINK_GENERIC_SOCKET;
1186 case NETLINK_SCSITRANSPORT:
1187 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1188 case NETLINK_RDMA:
1189 return SECCLASS_NETLINK_RDMA_SOCKET;
1190 case NETLINK_CRYPTO:
1191 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1192 default:
1193 return SECCLASS_NETLINK_SOCKET;
1194 }
1195 case PF_PACKET:
1196 return SECCLASS_PACKET_SOCKET;
1197 case PF_KEY:
1198 return SECCLASS_KEY_SOCKET;
1199 case PF_APPLETALK:
1200 return SECCLASS_APPLETALK_SOCKET;
1201 }
1202
1203 if (extsockclass) {
1204 switch (family) {
1205 case PF_AX25:
1206 return SECCLASS_AX25_SOCKET;
1207 case PF_IPX:
1208 return SECCLASS_IPX_SOCKET;
1209 case PF_NETROM:
1210 return SECCLASS_NETROM_SOCKET;
1211 case PF_ATMPVC:
1212 return SECCLASS_ATMPVC_SOCKET;
1213 case PF_X25:
1214 return SECCLASS_X25_SOCKET;
1215 case PF_ROSE:
1216 return SECCLASS_ROSE_SOCKET;
1217 case PF_DECnet:
1218 return SECCLASS_DECNET_SOCKET;
1219 case PF_ATMSVC:
1220 return SECCLASS_ATMSVC_SOCKET;
1221 case PF_RDS:
1222 return SECCLASS_RDS_SOCKET;
1223 case PF_IRDA:
1224 return SECCLASS_IRDA_SOCKET;
1225 case PF_PPPOX:
1226 return SECCLASS_PPPOX_SOCKET;
1227 case PF_LLC:
1228 return SECCLASS_LLC_SOCKET;
1229 case PF_CAN:
1230 return SECCLASS_CAN_SOCKET;
1231 case PF_TIPC:
1232 return SECCLASS_TIPC_SOCKET;
1233 case PF_BLUETOOTH:
1234 return SECCLASS_BLUETOOTH_SOCKET;
1235 case PF_IUCV:
1236 return SECCLASS_IUCV_SOCKET;
1237 case PF_RXRPC:
1238 return SECCLASS_RXRPC_SOCKET;
1239 case PF_ISDN:
1240 return SECCLASS_ISDN_SOCKET;
1241 case PF_PHONET:
1242 return SECCLASS_PHONET_SOCKET;
1243 case PF_IEEE802154:
1244 return SECCLASS_IEEE802154_SOCKET;
1245 case PF_CAIF:
1246 return SECCLASS_CAIF_SOCKET;
1247 case PF_ALG:
1248 return SECCLASS_ALG_SOCKET;
1249 case PF_NFC:
1250 return SECCLASS_NFC_SOCKET;
1251 case PF_VSOCK:
1252 return SECCLASS_VSOCK_SOCKET;
1253 case PF_KCM:
1254 return SECCLASS_KCM_SOCKET;
1255 case PF_QIPCRTR:
1256 return SECCLASS_QIPCRTR_SOCKET;
1257 case PF_SMC:
1258 return SECCLASS_SMC_SOCKET;
1259 case PF_XDP:
1260 return SECCLASS_XDP_SOCKET;
1261 case PF_MCTP:
1262 return SECCLASS_MCTP_SOCKET;
1263 #if PF_MAX > 46
1264 #error New address family defined, please update this function.
1265 #endif
1266 }
1267 }
1268
1269 return SECCLASS_SOCKET;
1270 }
1271
selinux_genfs_get_sid(struct dentry * dentry,u16 tclass,u16 flags,u32 * sid)1272 static int selinux_genfs_get_sid(struct dentry *dentry,
1273 u16 tclass,
1274 u16 flags,
1275 u32 *sid)
1276 {
1277 int rc;
1278 struct super_block *sb = dentry->d_sb;
1279 char *buffer, *path;
1280
1281 buffer = (char *)__get_free_page(GFP_KERNEL);
1282 if (!buffer)
1283 return -ENOMEM;
1284
1285 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1286 if (IS_ERR(path))
1287 rc = PTR_ERR(path);
1288 else {
1289 if (flags & SE_SBPROC) {
1290 /* each process gets a /proc/PID/ entry. Strip off the
1291 * PID part to get a valid selinux labeling.
1292 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1293 while (path[1] >= '0' && path[1] <= '9') {
1294 path[1] = '/';
1295 path++;
1296 }
1297 }
1298 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1299 path, tclass, sid);
1300 if (rc == -ENOENT) {
1301 /* No match in policy, mark as unlabeled. */
1302 *sid = SECINITSID_UNLABELED;
1303 rc = 0;
1304 }
1305 }
1306 free_page((unsigned long)buffer);
1307 return rc;
1308 }
1309
inode_doinit_use_xattr(struct inode * inode,struct dentry * dentry,u32 def_sid,u32 * sid)1310 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1311 u32 def_sid, u32 *sid)
1312 {
1313 #define INITCONTEXTLEN 255
1314 char *context;
1315 unsigned int len;
1316 int rc;
1317
1318 len = INITCONTEXTLEN;
1319 context = kmalloc(len + 1, GFP_NOFS);
1320 if (!context)
1321 return -ENOMEM;
1322
1323 context[len] = '\0';
1324 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1325 if (rc == -ERANGE) {
1326 kfree(context);
1327
1328 /* Need a larger buffer. Query for the right size. */
1329 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1330 if (rc < 0)
1331 return rc;
1332
1333 len = rc;
1334 context = kmalloc(len + 1, GFP_NOFS);
1335 if (!context)
1336 return -ENOMEM;
1337
1338 context[len] = '\0';
1339 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1340 context, len);
1341 }
1342 if (rc < 0) {
1343 kfree(context);
1344 if (rc != -ENODATA) {
1345 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1346 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1347 return rc;
1348 }
1349 *sid = def_sid;
1350 return 0;
1351 }
1352
1353 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1354 def_sid, GFP_NOFS);
1355 if (rc) {
1356 char *dev = inode->i_sb->s_id;
1357 unsigned long ino = inode->i_ino;
1358
1359 if (rc == -EINVAL) {
1360 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1361 ino, dev, context);
1362 } else {
1363 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1364 __func__, context, -rc, dev, ino);
1365 }
1366 }
1367 kfree(context);
1368 return 0;
1369 }
1370
1371 /* The inode's security attributes must be initialized before first use. */
inode_doinit_with_dentry(struct inode * inode,struct dentry * opt_dentry)1372 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1373 {
1374 struct superblock_security_struct *sbsec = NULL;
1375 struct inode_security_struct *isec = selinux_inode(inode);
1376 u32 task_sid, sid = 0;
1377 u16 sclass;
1378 struct dentry *dentry;
1379 int rc = 0;
1380
1381 if (isec->initialized == LABEL_INITIALIZED)
1382 return 0;
1383
1384 spin_lock(&isec->lock);
1385 if (isec->initialized == LABEL_INITIALIZED)
1386 goto out_unlock;
1387
1388 if (isec->sclass == SECCLASS_FILE)
1389 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1390
1391 sbsec = selinux_superblock(inode->i_sb);
1392 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1393 /* Defer initialization until selinux_complete_init,
1394 after the initial policy is loaded and the security
1395 server is ready to handle calls. */
1396 spin_lock(&sbsec->isec_lock);
1397 if (list_empty(&isec->list))
1398 list_add(&isec->list, &sbsec->isec_head);
1399 spin_unlock(&sbsec->isec_lock);
1400 goto out_unlock;
1401 }
1402
1403 sclass = isec->sclass;
1404 task_sid = isec->task_sid;
1405 sid = isec->sid;
1406 isec->initialized = LABEL_PENDING;
1407 spin_unlock(&isec->lock);
1408
1409 switch (sbsec->behavior) {
1410 case SECURITY_FS_USE_NATIVE:
1411 break;
1412 case SECURITY_FS_USE_XATTR:
1413 if (!(inode->i_opflags & IOP_XATTR)) {
1414 sid = sbsec->def_sid;
1415 break;
1416 }
1417 /* Need a dentry, since the xattr API requires one.
1418 Life would be simpler if we could just pass the inode. */
1419 if (opt_dentry) {
1420 /* Called from d_instantiate or d_splice_alias. */
1421 dentry = dget(opt_dentry);
1422 } else {
1423 /*
1424 * Called from selinux_complete_init, try to find a dentry.
1425 * Some filesystems really want a connected one, so try
1426 * that first. We could split SECURITY_FS_USE_XATTR in
1427 * two, depending upon that...
1428 */
1429 dentry = d_find_alias(inode);
1430 if (!dentry)
1431 dentry = d_find_any_alias(inode);
1432 }
1433 if (!dentry) {
1434 /*
1435 * this is can be hit on boot when a file is accessed
1436 * before the policy is loaded. When we load policy we
1437 * may find inodes that have no dentry on the
1438 * sbsec->isec_head list. No reason to complain as these
1439 * will get fixed up the next time we go through
1440 * inode_doinit with a dentry, before these inodes could
1441 * be used again by userspace.
1442 */
1443 goto out_invalid;
1444 }
1445
1446 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1447 &sid);
1448 dput(dentry);
1449 if (rc)
1450 goto out;
1451 break;
1452 case SECURITY_FS_USE_TASK:
1453 sid = task_sid;
1454 break;
1455 case SECURITY_FS_USE_TRANS:
1456 /* Default to the fs SID. */
1457 sid = sbsec->sid;
1458
1459 /* Try to obtain a transition SID. */
1460 rc = security_transition_sid(&selinux_state, task_sid, sid,
1461 sclass, NULL, &sid);
1462 if (rc)
1463 goto out;
1464 break;
1465 case SECURITY_FS_USE_MNTPOINT:
1466 sid = sbsec->mntpoint_sid;
1467 break;
1468 default:
1469 /* Default to the fs superblock SID. */
1470 sid = sbsec->sid;
1471
1472 if ((sbsec->flags & SE_SBGENFS) &&
1473 (!S_ISLNK(inode->i_mode) ||
1474 selinux_policycap_genfs_seclabel_symlinks())) {
1475 /* We must have a dentry to determine the label on
1476 * procfs inodes */
1477 if (opt_dentry) {
1478 /* Called from d_instantiate or
1479 * d_splice_alias. */
1480 dentry = dget(opt_dentry);
1481 } else {
1482 /* Called from selinux_complete_init, try to
1483 * find a dentry. Some filesystems really want
1484 * a connected one, so try that first.
1485 */
1486 dentry = d_find_alias(inode);
1487 if (!dentry)
1488 dentry = d_find_any_alias(inode);
1489 }
1490 /*
1491 * This can be hit on boot when a file is accessed
1492 * before the policy is loaded. When we load policy we
1493 * may find inodes that have no dentry on the
1494 * sbsec->isec_head list. No reason to complain as
1495 * these will get fixed up the next time we go through
1496 * inode_doinit() with a dentry, before these inodes
1497 * could be used again by userspace.
1498 */
1499 if (!dentry)
1500 goto out_invalid;
1501 rc = selinux_genfs_get_sid(dentry, sclass,
1502 sbsec->flags, &sid);
1503 if (rc) {
1504 dput(dentry);
1505 goto out;
1506 }
1507
1508 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1509 (inode->i_opflags & IOP_XATTR)) {
1510 rc = inode_doinit_use_xattr(inode, dentry,
1511 sid, &sid);
1512 if (rc) {
1513 dput(dentry);
1514 goto out;
1515 }
1516 }
1517 dput(dentry);
1518 }
1519 break;
1520 }
1521
1522 out:
1523 spin_lock(&isec->lock);
1524 if (isec->initialized == LABEL_PENDING) {
1525 if (rc) {
1526 isec->initialized = LABEL_INVALID;
1527 goto out_unlock;
1528 }
1529 isec->initialized = LABEL_INITIALIZED;
1530 isec->sid = sid;
1531 }
1532
1533 out_unlock:
1534 spin_unlock(&isec->lock);
1535 return rc;
1536
1537 out_invalid:
1538 spin_lock(&isec->lock);
1539 if (isec->initialized == LABEL_PENDING) {
1540 isec->initialized = LABEL_INVALID;
1541 isec->sid = sid;
1542 }
1543 spin_unlock(&isec->lock);
1544 return 0;
1545 }
1546
1547 /* Convert a Linux signal to an access vector. */
signal_to_av(int sig)1548 static inline u32 signal_to_av(int sig)
1549 {
1550 u32 perm = 0;
1551
1552 switch (sig) {
1553 case SIGCHLD:
1554 /* Commonly granted from child to parent. */
1555 perm = PROCESS__SIGCHLD;
1556 break;
1557 case SIGKILL:
1558 /* Cannot be caught or ignored */
1559 perm = PROCESS__SIGKILL;
1560 break;
1561 case SIGSTOP:
1562 /* Cannot be caught or ignored */
1563 perm = PROCESS__SIGSTOP;
1564 break;
1565 default:
1566 /* All other signals. */
1567 perm = PROCESS__SIGNAL;
1568 break;
1569 }
1570
1571 return perm;
1572 }
1573
1574 #if CAP_LAST_CAP > 63
1575 #error Fix SELinux to handle capabilities > 63.
1576 #endif
1577
1578 /* Check whether a task is allowed to use a capability. */
cred_has_capability(const struct cred * cred,int cap,unsigned int opts,bool initns)1579 static int cred_has_capability(const struct cred *cred,
1580 int cap, unsigned int opts, bool initns)
1581 {
1582 struct common_audit_data ad;
1583 struct av_decision avd;
1584 u16 sclass;
1585 u32 sid = cred_sid(cred);
1586 u32 av = CAP_TO_MASK(cap);
1587 int rc;
1588
1589 ad.type = LSM_AUDIT_DATA_CAP;
1590 ad.u.cap = cap;
1591
1592 switch (CAP_TO_INDEX(cap)) {
1593 case 0:
1594 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1595 break;
1596 case 1:
1597 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1598 break;
1599 default:
1600 pr_err("SELinux: out of range capability %d\n", cap);
1601 BUG();
1602 return -EINVAL;
1603 }
1604
1605 rc = avc_has_perm_noaudit(&selinux_state,
1606 sid, sid, sclass, av, 0, &avd);
1607 if (!(opts & CAP_OPT_NOAUDIT)) {
1608 int rc2 = avc_audit(&selinux_state,
1609 sid, sid, sclass, av, &avd, rc, &ad);
1610 if (rc2)
1611 return rc2;
1612 }
1613 return rc;
1614 }
1615
1616 /* Check whether a task has a particular permission to an inode.
1617 The 'adp' parameter is optional and allows other audit
1618 data to be passed (e.g. the dentry). */
inode_has_perm(const struct cred * cred,struct inode * inode,u32 perms,struct common_audit_data * adp)1619 static int inode_has_perm(const struct cred *cred,
1620 struct inode *inode,
1621 u32 perms,
1622 struct common_audit_data *adp)
1623 {
1624 struct inode_security_struct *isec;
1625 u32 sid;
1626
1627 validate_creds(cred);
1628
1629 if (unlikely(IS_PRIVATE(inode)))
1630 return 0;
1631
1632 sid = cred_sid(cred);
1633 isec = selinux_inode(inode);
1634
1635 return avc_has_perm(&selinux_state,
1636 sid, isec->sid, isec->sclass, perms, adp);
1637 }
1638
1639 /* Same as inode_has_perm, but pass explicit audit data containing
1640 the dentry to help the auditing code to more easily generate the
1641 pathname if needed. */
dentry_has_perm(const struct cred * cred,struct dentry * dentry,u32 av)1642 static inline int dentry_has_perm(const struct cred *cred,
1643 struct dentry *dentry,
1644 u32 av)
1645 {
1646 struct inode *inode = d_backing_inode(dentry);
1647 struct common_audit_data ad;
1648
1649 ad.type = LSM_AUDIT_DATA_DENTRY;
1650 ad.u.dentry = dentry;
1651 __inode_security_revalidate(inode, dentry, true);
1652 return inode_has_perm(cred, inode, av, &ad);
1653 }
1654
1655 /* Same as inode_has_perm, but pass explicit audit data containing
1656 the path to help the auditing code to more easily generate the
1657 pathname if needed. */
path_has_perm(const struct cred * cred,const struct path * path,u32 av)1658 static inline int path_has_perm(const struct cred *cred,
1659 const struct path *path,
1660 u32 av)
1661 {
1662 struct inode *inode = d_backing_inode(path->dentry);
1663 struct common_audit_data ad;
1664
1665 ad.type = LSM_AUDIT_DATA_PATH;
1666 ad.u.path = *path;
1667 __inode_security_revalidate(inode, path->dentry, true);
1668 return inode_has_perm(cred, inode, av, &ad);
1669 }
1670
1671 /* Same as path_has_perm, but uses the inode from the file struct. */
file_path_has_perm(const struct cred * cred,struct file * file,u32 av)1672 static inline int file_path_has_perm(const struct cred *cred,
1673 struct file *file,
1674 u32 av)
1675 {
1676 struct common_audit_data ad;
1677
1678 ad.type = LSM_AUDIT_DATA_FILE;
1679 ad.u.file = file;
1680 return inode_has_perm(cred, file_inode(file), av, &ad);
1681 }
1682
1683 #ifdef CONFIG_BPF_SYSCALL
1684 static int bpf_fd_pass(struct file *file, u32 sid);
1685 #endif
1686
1687 /* Check whether a task can use an open file descriptor to
1688 access an inode in a given way. Check access to the
1689 descriptor itself, and then use dentry_has_perm to
1690 check a particular permission to the file.
1691 Access to the descriptor is implicitly granted if it
1692 has the same SID as the process. If av is zero, then
1693 access to the file is not checked, e.g. for cases
1694 where only the descriptor is affected like seek. */
file_has_perm(const struct cred * cred,struct file * file,u32 av)1695 static int file_has_perm(const struct cred *cred,
1696 struct file *file,
1697 u32 av)
1698 {
1699 struct file_security_struct *fsec = selinux_file(file);
1700 struct inode *inode = file_inode(file);
1701 struct common_audit_data ad;
1702 u32 sid = cred_sid(cred);
1703 int rc;
1704
1705 ad.type = LSM_AUDIT_DATA_FILE;
1706 ad.u.file = file;
1707
1708 if (sid != fsec->sid) {
1709 rc = avc_has_perm(&selinux_state,
1710 sid, fsec->sid,
1711 SECCLASS_FD,
1712 FD__USE,
1713 &ad);
1714 if (rc)
1715 goto out;
1716 }
1717
1718 #ifdef CONFIG_BPF_SYSCALL
1719 rc = bpf_fd_pass(file, cred_sid(cred));
1720 if (rc)
1721 return rc;
1722 #endif
1723
1724 /* av is zero if only checking access to the descriptor. */
1725 rc = 0;
1726 if (av)
1727 rc = inode_has_perm(cred, inode, av, &ad);
1728
1729 out:
1730 return rc;
1731 }
1732
1733 /*
1734 * Determine the label for an inode that might be unioned.
1735 */
1736 static int
selinux_determine_inode_label(const struct task_security_struct * tsec,struct inode * dir,const struct qstr * name,u16 tclass,u32 * _new_isid)1737 selinux_determine_inode_label(const struct task_security_struct *tsec,
1738 struct inode *dir,
1739 const struct qstr *name, u16 tclass,
1740 u32 *_new_isid)
1741 {
1742 const struct superblock_security_struct *sbsec =
1743 selinux_superblock(dir->i_sb);
1744
1745 if ((sbsec->flags & SE_SBINITIALIZED) &&
1746 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1747 *_new_isid = sbsec->mntpoint_sid;
1748 } else if ((sbsec->flags & SBLABEL_MNT) &&
1749 tsec->create_sid) {
1750 *_new_isid = tsec->create_sid;
1751 } else {
1752 const struct inode_security_struct *dsec = inode_security(dir);
1753 return security_transition_sid(&selinux_state, tsec->sid,
1754 dsec->sid, tclass,
1755 name, _new_isid);
1756 }
1757
1758 return 0;
1759 }
1760
1761 /* Check whether a task can create a file. */
may_create(struct inode * dir,struct dentry * dentry,u16 tclass)1762 static int may_create(struct inode *dir,
1763 struct dentry *dentry,
1764 u16 tclass)
1765 {
1766 const struct task_security_struct *tsec = selinux_cred(current_cred());
1767 struct inode_security_struct *dsec;
1768 struct superblock_security_struct *sbsec;
1769 u32 sid, newsid;
1770 struct common_audit_data ad;
1771 int rc;
1772
1773 dsec = inode_security(dir);
1774 sbsec = selinux_superblock(dir->i_sb);
1775
1776 sid = tsec->sid;
1777
1778 ad.type = LSM_AUDIT_DATA_DENTRY;
1779 ad.u.dentry = dentry;
1780
1781 rc = avc_has_perm(&selinux_state,
1782 sid, dsec->sid, SECCLASS_DIR,
1783 DIR__ADD_NAME | DIR__SEARCH,
1784 &ad);
1785 if (rc)
1786 return rc;
1787
1788 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1789 &newsid);
1790 if (rc)
1791 return rc;
1792
1793 rc = avc_has_perm(&selinux_state,
1794 sid, newsid, tclass, FILE__CREATE, &ad);
1795 if (rc)
1796 return rc;
1797
1798 return avc_has_perm(&selinux_state,
1799 newsid, sbsec->sid,
1800 SECCLASS_FILESYSTEM,
1801 FILESYSTEM__ASSOCIATE, &ad);
1802 }
1803
1804 #define MAY_LINK 0
1805 #define MAY_UNLINK 1
1806 #define MAY_RMDIR 2
1807
1808 /* Check whether a task can link, unlink, or rmdir a file/directory. */
may_link(struct inode * dir,struct dentry * dentry,int kind)1809 static int may_link(struct inode *dir,
1810 struct dentry *dentry,
1811 int kind)
1812
1813 {
1814 struct inode_security_struct *dsec, *isec;
1815 struct common_audit_data ad;
1816 u32 sid = current_sid();
1817 u32 av;
1818 int rc;
1819
1820 dsec = inode_security(dir);
1821 isec = backing_inode_security(dentry);
1822
1823 ad.type = LSM_AUDIT_DATA_DENTRY;
1824 ad.u.dentry = dentry;
1825
1826 av = DIR__SEARCH;
1827 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1828 rc = avc_has_perm(&selinux_state,
1829 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1830 if (rc)
1831 return rc;
1832
1833 switch (kind) {
1834 case MAY_LINK:
1835 av = FILE__LINK;
1836 break;
1837 case MAY_UNLINK:
1838 av = FILE__UNLINK;
1839 break;
1840 case MAY_RMDIR:
1841 av = DIR__RMDIR;
1842 break;
1843 default:
1844 pr_warn("SELinux: %s: unrecognized kind %d\n",
1845 __func__, kind);
1846 return 0;
1847 }
1848
1849 rc = avc_has_perm(&selinux_state,
1850 sid, isec->sid, isec->sclass, av, &ad);
1851 return rc;
1852 }
1853
may_rename(struct inode * old_dir,struct dentry * old_dentry,struct inode * new_dir,struct dentry * new_dentry)1854 static inline int may_rename(struct inode *old_dir,
1855 struct dentry *old_dentry,
1856 struct inode *new_dir,
1857 struct dentry *new_dentry)
1858 {
1859 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1860 struct common_audit_data ad;
1861 u32 sid = current_sid();
1862 u32 av;
1863 int old_is_dir, new_is_dir;
1864 int rc;
1865
1866 old_dsec = inode_security(old_dir);
1867 old_isec = backing_inode_security(old_dentry);
1868 old_is_dir = d_is_dir(old_dentry);
1869 new_dsec = inode_security(new_dir);
1870
1871 ad.type = LSM_AUDIT_DATA_DENTRY;
1872
1873 ad.u.dentry = old_dentry;
1874 rc = avc_has_perm(&selinux_state,
1875 sid, old_dsec->sid, SECCLASS_DIR,
1876 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1877 if (rc)
1878 return rc;
1879 rc = avc_has_perm(&selinux_state,
1880 sid, old_isec->sid,
1881 old_isec->sclass, FILE__RENAME, &ad);
1882 if (rc)
1883 return rc;
1884 if (old_is_dir && new_dir != old_dir) {
1885 rc = avc_has_perm(&selinux_state,
1886 sid, old_isec->sid,
1887 old_isec->sclass, DIR__REPARENT, &ad);
1888 if (rc)
1889 return rc;
1890 }
1891
1892 ad.u.dentry = new_dentry;
1893 av = DIR__ADD_NAME | DIR__SEARCH;
1894 if (d_is_positive(new_dentry))
1895 av |= DIR__REMOVE_NAME;
1896 rc = avc_has_perm(&selinux_state,
1897 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1898 if (rc)
1899 return rc;
1900 if (d_is_positive(new_dentry)) {
1901 new_isec = backing_inode_security(new_dentry);
1902 new_is_dir = d_is_dir(new_dentry);
1903 rc = avc_has_perm(&selinux_state,
1904 sid, new_isec->sid,
1905 new_isec->sclass,
1906 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1907 if (rc)
1908 return rc;
1909 }
1910
1911 return 0;
1912 }
1913
1914 /* Check whether a task can perform a filesystem operation. */
superblock_has_perm(const struct cred * cred,struct super_block * sb,u32 perms,struct common_audit_data * ad)1915 static int superblock_has_perm(const struct cred *cred,
1916 struct super_block *sb,
1917 u32 perms,
1918 struct common_audit_data *ad)
1919 {
1920 struct superblock_security_struct *sbsec;
1921 u32 sid = cred_sid(cred);
1922
1923 sbsec = selinux_superblock(sb);
1924 return avc_has_perm(&selinux_state,
1925 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1926 }
1927
1928 /* Convert a Linux mode and permission mask to an access vector. */
file_mask_to_av(int mode,int mask)1929 static inline u32 file_mask_to_av(int mode, int mask)
1930 {
1931 u32 av = 0;
1932
1933 if (!S_ISDIR(mode)) {
1934 if (mask & MAY_EXEC)
1935 av |= FILE__EXECUTE;
1936 if (mask & MAY_READ)
1937 av |= FILE__READ;
1938
1939 if (mask & MAY_APPEND)
1940 av |= FILE__APPEND;
1941 else if (mask & MAY_WRITE)
1942 av |= FILE__WRITE;
1943
1944 } else {
1945 if (mask & MAY_EXEC)
1946 av |= DIR__SEARCH;
1947 if (mask & MAY_WRITE)
1948 av |= DIR__WRITE;
1949 if (mask & MAY_READ)
1950 av |= DIR__READ;
1951 }
1952
1953 return av;
1954 }
1955
1956 /* Convert a Linux file to an access vector. */
file_to_av(struct file * file)1957 static inline u32 file_to_av(struct file *file)
1958 {
1959 u32 av = 0;
1960
1961 if (file->f_mode & FMODE_READ)
1962 av |= FILE__READ;
1963 if (file->f_mode & FMODE_WRITE) {
1964 if (file->f_flags & O_APPEND)
1965 av |= FILE__APPEND;
1966 else
1967 av |= FILE__WRITE;
1968 }
1969 if (!av) {
1970 /*
1971 * Special file opened with flags 3 for ioctl-only use.
1972 */
1973 av = FILE__IOCTL;
1974 }
1975
1976 return av;
1977 }
1978
1979 /*
1980 * Convert a file to an access vector and include the correct
1981 * open permission.
1982 */
open_file_to_av(struct file * file)1983 static inline u32 open_file_to_av(struct file *file)
1984 {
1985 u32 av = file_to_av(file);
1986 struct inode *inode = file_inode(file);
1987
1988 if (selinux_policycap_openperm() &&
1989 inode->i_sb->s_magic != SOCKFS_MAGIC)
1990 av |= FILE__OPEN;
1991
1992 return av;
1993 }
1994
1995 /* Hook functions begin here. */
1996
selinux_binder_set_context_mgr(const struct cred * mgr)1997 static int selinux_binder_set_context_mgr(const struct cred *mgr)
1998 {
1999 return avc_has_perm(&selinux_state,
2000 current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2001 BINDER__SET_CONTEXT_MGR, NULL);
2002 }
2003
selinux_binder_transaction(const struct cred * from,const struct cred * to)2004 static int selinux_binder_transaction(const struct cred *from,
2005 const struct cred *to)
2006 {
2007 u32 mysid = current_sid();
2008 u32 fromsid = cred_sid(from);
2009 u32 tosid = cred_sid(to);
2010 int rc;
2011
2012 if (mysid != fromsid) {
2013 rc = avc_has_perm(&selinux_state,
2014 mysid, fromsid, SECCLASS_BINDER,
2015 BINDER__IMPERSONATE, NULL);
2016 if (rc)
2017 return rc;
2018 }
2019
2020 return avc_has_perm(&selinux_state, fromsid, tosid,
2021 SECCLASS_BINDER, BINDER__CALL, NULL);
2022 }
2023
selinux_binder_transfer_binder(const struct cred * from,const struct cred * to)2024 static int selinux_binder_transfer_binder(const struct cred *from,
2025 const struct cred *to)
2026 {
2027 return avc_has_perm(&selinux_state,
2028 cred_sid(from), cred_sid(to),
2029 SECCLASS_BINDER, BINDER__TRANSFER,
2030 NULL);
2031 }
2032
selinux_binder_transfer_file(const struct cred * from,const struct cred * to,struct file * file)2033 static int selinux_binder_transfer_file(const struct cred *from,
2034 const struct cred *to,
2035 struct file *file)
2036 {
2037 u32 sid = cred_sid(to);
2038 struct file_security_struct *fsec = selinux_file(file);
2039 struct dentry *dentry = file->f_path.dentry;
2040 struct inode_security_struct *isec;
2041 struct common_audit_data ad;
2042 int rc;
2043
2044 ad.type = LSM_AUDIT_DATA_PATH;
2045 ad.u.path = file->f_path;
2046
2047 if (sid != fsec->sid) {
2048 rc = avc_has_perm(&selinux_state,
2049 sid, fsec->sid,
2050 SECCLASS_FD,
2051 FD__USE,
2052 &ad);
2053 if (rc)
2054 return rc;
2055 }
2056
2057 #ifdef CONFIG_BPF_SYSCALL
2058 rc = bpf_fd_pass(file, sid);
2059 if (rc)
2060 return rc;
2061 #endif
2062
2063 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2064 return 0;
2065
2066 isec = backing_inode_security(dentry);
2067 return avc_has_perm(&selinux_state,
2068 sid, isec->sid, isec->sclass, file_to_av(file),
2069 &ad);
2070 }
2071
selinux_ptrace_access_check(struct task_struct * child,unsigned int mode)2072 static int selinux_ptrace_access_check(struct task_struct *child,
2073 unsigned int mode)
2074 {
2075 u32 sid = current_sid();
2076 u32 csid = task_sid_obj(child);
2077
2078 if (mode & PTRACE_MODE_READ)
2079 return avc_has_perm(&selinux_state,
2080 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2081
2082 return avc_has_perm(&selinux_state,
2083 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2084 }
2085
selinux_ptrace_traceme(struct task_struct * parent)2086 static int selinux_ptrace_traceme(struct task_struct *parent)
2087 {
2088 return avc_has_perm(&selinux_state,
2089 task_sid_obj(parent), task_sid_obj(current),
2090 SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2091 }
2092
selinux_capget(struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)2093 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2094 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2095 {
2096 return avc_has_perm(&selinux_state,
2097 current_sid(), task_sid_obj(target), SECCLASS_PROCESS,
2098 PROCESS__GETCAP, NULL);
2099 }
2100
selinux_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)2101 static int selinux_capset(struct cred *new, const struct cred *old,
2102 const kernel_cap_t *effective,
2103 const kernel_cap_t *inheritable,
2104 const kernel_cap_t *permitted)
2105 {
2106 return avc_has_perm(&selinux_state,
2107 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2108 PROCESS__SETCAP, NULL);
2109 }
2110
2111 /*
2112 * (This comment used to live with the selinux_task_setuid hook,
2113 * which was removed).
2114 *
2115 * Since setuid only affects the current process, and since the SELinux
2116 * controls are not based on the Linux identity attributes, SELinux does not
2117 * need to control this operation. However, SELinux does control the use of
2118 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2119 */
2120
selinux_capable(const struct cred * cred,struct user_namespace * ns,int cap,unsigned int opts)2121 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2122 int cap, unsigned int opts)
2123 {
2124 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2125 }
2126
selinux_quotactl(int cmds,int type,int id,struct super_block * sb)2127 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2128 {
2129 const struct cred *cred = current_cred();
2130 int rc = 0;
2131
2132 if (!sb)
2133 return 0;
2134
2135 switch (cmds) {
2136 case Q_SYNC:
2137 case Q_QUOTAON:
2138 case Q_QUOTAOFF:
2139 case Q_SETINFO:
2140 case Q_SETQUOTA:
2141 case Q_XQUOTAOFF:
2142 case Q_XQUOTAON:
2143 case Q_XSETQLIM:
2144 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2145 break;
2146 case Q_GETFMT:
2147 case Q_GETINFO:
2148 case Q_GETQUOTA:
2149 case Q_XGETQUOTA:
2150 case Q_XGETQSTAT:
2151 case Q_XGETQSTATV:
2152 case Q_XGETNEXTQUOTA:
2153 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2154 break;
2155 default:
2156 rc = 0; /* let the kernel handle invalid cmds */
2157 break;
2158 }
2159 return rc;
2160 }
2161
selinux_quota_on(struct dentry * dentry)2162 static int selinux_quota_on(struct dentry *dentry)
2163 {
2164 const struct cred *cred = current_cred();
2165
2166 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2167 }
2168
selinux_syslog(int type)2169 static int selinux_syslog(int type)
2170 {
2171 switch (type) {
2172 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2173 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2174 return avc_has_perm(&selinux_state,
2175 current_sid(), SECINITSID_KERNEL,
2176 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2177 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2178 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2179 /* Set level of messages printed to console */
2180 case SYSLOG_ACTION_CONSOLE_LEVEL:
2181 return avc_has_perm(&selinux_state,
2182 current_sid(), SECINITSID_KERNEL,
2183 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2184 NULL);
2185 }
2186 /* All other syslog types */
2187 return avc_has_perm(&selinux_state,
2188 current_sid(), SECINITSID_KERNEL,
2189 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2190 }
2191
2192 /*
2193 * Check that a process has enough memory to allocate a new virtual
2194 * mapping. 0 means there is enough memory for the allocation to
2195 * succeed and -ENOMEM implies there is not.
2196 *
2197 * Do not audit the selinux permission check, as this is applied to all
2198 * processes that allocate mappings.
2199 */
selinux_vm_enough_memory(struct mm_struct * mm,long pages)2200 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2201 {
2202 int rc, cap_sys_admin = 0;
2203
2204 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2205 CAP_OPT_NOAUDIT, true);
2206 if (rc == 0)
2207 cap_sys_admin = 1;
2208
2209 return cap_sys_admin;
2210 }
2211
2212 /* binprm security operations */
2213
ptrace_parent_sid(void)2214 static u32 ptrace_parent_sid(void)
2215 {
2216 u32 sid = 0;
2217 struct task_struct *tracer;
2218
2219 rcu_read_lock();
2220 tracer = ptrace_parent(current);
2221 if (tracer)
2222 sid = task_sid_obj(tracer);
2223 rcu_read_unlock();
2224
2225 return sid;
2226 }
2227
check_nnp_nosuid(const struct linux_binprm * bprm,const struct task_security_struct * old_tsec,const struct task_security_struct * new_tsec)2228 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2229 const struct task_security_struct *old_tsec,
2230 const struct task_security_struct *new_tsec)
2231 {
2232 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2233 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2234 int rc;
2235 u32 av;
2236
2237 if (!nnp && !nosuid)
2238 return 0; /* neither NNP nor nosuid */
2239
2240 if (new_tsec->sid == old_tsec->sid)
2241 return 0; /* No change in credentials */
2242
2243 /*
2244 * If the policy enables the nnp_nosuid_transition policy capability,
2245 * then we permit transitions under NNP or nosuid if the
2246 * policy allows the corresponding permission between
2247 * the old and new contexts.
2248 */
2249 if (selinux_policycap_nnp_nosuid_transition()) {
2250 av = 0;
2251 if (nnp)
2252 av |= PROCESS2__NNP_TRANSITION;
2253 if (nosuid)
2254 av |= PROCESS2__NOSUID_TRANSITION;
2255 rc = avc_has_perm(&selinux_state,
2256 old_tsec->sid, new_tsec->sid,
2257 SECCLASS_PROCESS2, av, NULL);
2258 if (!rc)
2259 return 0;
2260 }
2261
2262 /*
2263 * We also permit NNP or nosuid transitions to bounded SIDs,
2264 * i.e. SIDs that are guaranteed to only be allowed a subset
2265 * of the permissions of the current SID.
2266 */
2267 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2268 new_tsec->sid);
2269 if (!rc)
2270 return 0;
2271
2272 /*
2273 * On failure, preserve the errno values for NNP vs nosuid.
2274 * NNP: Operation not permitted for caller.
2275 * nosuid: Permission denied to file.
2276 */
2277 if (nnp)
2278 return -EPERM;
2279 return -EACCES;
2280 }
2281
selinux_bprm_creds_for_exec(struct linux_binprm * bprm)2282 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2283 {
2284 const struct task_security_struct *old_tsec;
2285 struct task_security_struct *new_tsec;
2286 struct inode_security_struct *isec;
2287 struct common_audit_data ad;
2288 struct inode *inode = file_inode(bprm->file);
2289 int rc;
2290
2291 /* SELinux context only depends on initial program or script and not
2292 * the script interpreter */
2293
2294 old_tsec = selinux_cred(current_cred());
2295 new_tsec = selinux_cred(bprm->cred);
2296 isec = inode_security(inode);
2297
2298 /* Default to the current task SID. */
2299 new_tsec->sid = old_tsec->sid;
2300 new_tsec->osid = old_tsec->sid;
2301
2302 /* Reset fs, key, and sock SIDs on execve. */
2303 new_tsec->create_sid = 0;
2304 new_tsec->keycreate_sid = 0;
2305 new_tsec->sockcreate_sid = 0;
2306
2307 if (old_tsec->exec_sid) {
2308 new_tsec->sid = old_tsec->exec_sid;
2309 /* Reset exec SID on execve. */
2310 new_tsec->exec_sid = 0;
2311
2312 /* Fail on NNP or nosuid if not an allowed transition. */
2313 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2314 if (rc)
2315 return rc;
2316 } else {
2317 /* Check for a default transition on this program. */
2318 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2319 isec->sid, SECCLASS_PROCESS, NULL,
2320 &new_tsec->sid);
2321 if (rc)
2322 return rc;
2323
2324 /*
2325 * Fallback to old SID on NNP or nosuid if not an allowed
2326 * transition.
2327 */
2328 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2329 if (rc)
2330 new_tsec->sid = old_tsec->sid;
2331 }
2332
2333 ad.type = LSM_AUDIT_DATA_FILE;
2334 ad.u.file = bprm->file;
2335
2336 if (new_tsec->sid == old_tsec->sid) {
2337 rc = avc_has_perm(&selinux_state,
2338 old_tsec->sid, isec->sid,
2339 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2340 if (rc)
2341 return rc;
2342 } else {
2343 /* Check permissions for the transition. */
2344 rc = avc_has_perm(&selinux_state,
2345 old_tsec->sid, new_tsec->sid,
2346 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2347 if (rc)
2348 return rc;
2349
2350 rc = avc_has_perm(&selinux_state,
2351 new_tsec->sid, isec->sid,
2352 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2353 if (rc)
2354 return rc;
2355
2356 /* Check for shared state */
2357 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2358 rc = avc_has_perm(&selinux_state,
2359 old_tsec->sid, new_tsec->sid,
2360 SECCLASS_PROCESS, PROCESS__SHARE,
2361 NULL);
2362 if (rc)
2363 return -EPERM;
2364 }
2365
2366 /* Make sure that anyone attempting to ptrace over a task that
2367 * changes its SID has the appropriate permit */
2368 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2369 u32 ptsid = ptrace_parent_sid();
2370 if (ptsid != 0) {
2371 rc = avc_has_perm(&selinux_state,
2372 ptsid, new_tsec->sid,
2373 SECCLASS_PROCESS,
2374 PROCESS__PTRACE, NULL);
2375 if (rc)
2376 return -EPERM;
2377 }
2378 }
2379
2380 /* Clear any possibly unsafe personality bits on exec: */
2381 bprm->per_clear |= PER_CLEAR_ON_SETID;
2382
2383 /* Enable secure mode for SIDs transitions unless
2384 the noatsecure permission is granted between
2385 the two SIDs, i.e. ahp returns 0. */
2386 rc = avc_has_perm(&selinux_state,
2387 old_tsec->sid, new_tsec->sid,
2388 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2389 NULL);
2390 bprm->secureexec |= !!rc;
2391 }
2392
2393 return 0;
2394 }
2395
match_file(const void * p,struct file * file,unsigned fd)2396 static int match_file(const void *p, struct file *file, unsigned fd)
2397 {
2398 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2399 }
2400
2401 /* Derived from fs/exec.c:flush_old_files. */
flush_unauthorized_files(const struct cred * cred,struct files_struct * files)2402 static inline void flush_unauthorized_files(const struct cred *cred,
2403 struct files_struct *files)
2404 {
2405 struct file *file, *devnull = NULL;
2406 struct tty_struct *tty;
2407 int drop_tty = 0;
2408 unsigned n;
2409
2410 tty = get_current_tty();
2411 if (tty) {
2412 spin_lock(&tty->files_lock);
2413 if (!list_empty(&tty->tty_files)) {
2414 struct tty_file_private *file_priv;
2415
2416 /* Revalidate access to controlling tty.
2417 Use file_path_has_perm on the tty path directly
2418 rather than using file_has_perm, as this particular
2419 open file may belong to another process and we are
2420 only interested in the inode-based check here. */
2421 file_priv = list_first_entry(&tty->tty_files,
2422 struct tty_file_private, list);
2423 file = file_priv->file;
2424 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2425 drop_tty = 1;
2426 }
2427 spin_unlock(&tty->files_lock);
2428 tty_kref_put(tty);
2429 }
2430 /* Reset controlling tty. */
2431 if (drop_tty)
2432 no_tty();
2433
2434 /* Revalidate access to inherited open files. */
2435 n = iterate_fd(files, 0, match_file, cred);
2436 if (!n) /* none found? */
2437 return;
2438
2439 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2440 if (IS_ERR(devnull))
2441 devnull = NULL;
2442 /* replace all the matching ones with this */
2443 do {
2444 replace_fd(n - 1, devnull, 0);
2445 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2446 if (devnull)
2447 fput(devnull);
2448 }
2449
2450 /*
2451 * Prepare a process for imminent new credential changes due to exec
2452 */
selinux_bprm_committing_creds(struct linux_binprm * bprm)2453 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2454 {
2455 struct task_security_struct *new_tsec;
2456 struct rlimit *rlim, *initrlim;
2457 int rc, i;
2458
2459 new_tsec = selinux_cred(bprm->cred);
2460 if (new_tsec->sid == new_tsec->osid)
2461 return;
2462
2463 /* Close files for which the new task SID is not authorized. */
2464 flush_unauthorized_files(bprm->cred, current->files);
2465
2466 /* Always clear parent death signal on SID transitions. */
2467 current->pdeath_signal = 0;
2468
2469 /* Check whether the new SID can inherit resource limits from the old
2470 * SID. If not, reset all soft limits to the lower of the current
2471 * task's hard limit and the init task's soft limit.
2472 *
2473 * Note that the setting of hard limits (even to lower them) can be
2474 * controlled by the setrlimit check. The inclusion of the init task's
2475 * soft limit into the computation is to avoid resetting soft limits
2476 * higher than the default soft limit for cases where the default is
2477 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2478 */
2479 rc = avc_has_perm(&selinux_state,
2480 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2481 PROCESS__RLIMITINH, NULL);
2482 if (rc) {
2483 /* protect against do_prlimit() */
2484 task_lock(current);
2485 for (i = 0; i < RLIM_NLIMITS; i++) {
2486 rlim = current->signal->rlim + i;
2487 initrlim = init_task.signal->rlim + i;
2488 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2489 }
2490 task_unlock(current);
2491 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2492 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2493 }
2494 }
2495
2496 /*
2497 * Clean up the process immediately after the installation of new credentials
2498 * due to exec
2499 */
selinux_bprm_committed_creds(struct linux_binprm * bprm)2500 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2501 {
2502 const struct task_security_struct *tsec = selinux_cred(current_cred());
2503 u32 osid, sid;
2504 int rc;
2505
2506 osid = tsec->osid;
2507 sid = tsec->sid;
2508
2509 if (sid == osid)
2510 return;
2511
2512 /* Check whether the new SID can inherit signal state from the old SID.
2513 * If not, clear itimers to avoid subsequent signal generation and
2514 * flush and unblock signals.
2515 *
2516 * This must occur _after_ the task SID has been updated so that any
2517 * kill done after the flush will be checked against the new SID.
2518 */
2519 rc = avc_has_perm(&selinux_state,
2520 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2521 if (rc) {
2522 clear_itimer();
2523
2524 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2525 if (!fatal_signal_pending(current)) {
2526 flush_sigqueue(¤t->pending);
2527 flush_sigqueue(¤t->signal->shared_pending);
2528 flush_signal_handlers(current, 1);
2529 sigemptyset(¤t->blocked);
2530 recalc_sigpending();
2531 }
2532 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2533 }
2534
2535 /* Wake up the parent if it is waiting so that it can recheck
2536 * wait permission to the new task SID. */
2537 read_lock(&tasklist_lock);
2538 __wake_up_parent(current, unrcu_pointer(current->real_parent));
2539 read_unlock(&tasklist_lock);
2540 }
2541
2542 /* superblock security operations */
2543
selinux_sb_alloc_security(struct super_block * sb)2544 static int selinux_sb_alloc_security(struct super_block *sb)
2545 {
2546 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2547
2548 mutex_init(&sbsec->lock);
2549 INIT_LIST_HEAD(&sbsec->isec_head);
2550 spin_lock_init(&sbsec->isec_lock);
2551 sbsec->sid = SECINITSID_UNLABELED;
2552 sbsec->def_sid = SECINITSID_FILE;
2553 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2554
2555 return 0;
2556 }
2557
opt_len(const char * s)2558 static inline int opt_len(const char *s)
2559 {
2560 bool open_quote = false;
2561 int len;
2562 char c;
2563
2564 for (len = 0; (c = s[len]) != '\0'; len++) {
2565 if (c == '"')
2566 open_quote = !open_quote;
2567 if (c == ',' && !open_quote)
2568 break;
2569 }
2570 return len;
2571 }
2572
selinux_sb_eat_lsm_opts(char * options,void ** mnt_opts)2573 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2574 {
2575 char *from = options;
2576 char *to = options;
2577 bool first = true;
2578 int rc;
2579
2580 while (1) {
2581 int len = opt_len(from);
2582 int token;
2583 char *arg = NULL;
2584
2585 token = match_opt_prefix(from, len, &arg);
2586
2587 if (token != Opt_error) {
2588 char *p, *q;
2589
2590 /* strip quotes */
2591 if (arg) {
2592 for (p = q = arg; p < from + len; p++) {
2593 char c = *p;
2594 if (c != '"')
2595 *q++ = c;
2596 }
2597 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2598 if (!arg) {
2599 rc = -ENOMEM;
2600 goto free_opt;
2601 }
2602 }
2603 rc = selinux_add_opt(token, arg, mnt_opts);
2604 kfree(arg);
2605 arg = NULL;
2606 if (unlikely(rc)) {
2607 goto free_opt;
2608 }
2609 } else {
2610 if (!first) { // copy with preceding comma
2611 from--;
2612 len++;
2613 }
2614 if (to != from)
2615 memmove(to, from, len);
2616 to += len;
2617 first = false;
2618 }
2619 if (!from[len])
2620 break;
2621 from += len + 1;
2622 }
2623 *to = '\0';
2624 return 0;
2625
2626 free_opt:
2627 if (*mnt_opts) {
2628 selinux_free_mnt_opts(*mnt_opts);
2629 *mnt_opts = NULL;
2630 }
2631 return rc;
2632 }
2633
selinux_sb_mnt_opts_compat(struct super_block * sb,void * mnt_opts)2634 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2635 {
2636 struct selinux_mnt_opts *opts = mnt_opts;
2637 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2638
2639 /*
2640 * Superblock not initialized (i.e. no options) - reject if any
2641 * options specified, otherwise accept.
2642 */
2643 if (!(sbsec->flags & SE_SBINITIALIZED))
2644 return opts ? 1 : 0;
2645
2646 /*
2647 * Superblock initialized and no options specified - reject if
2648 * superblock has any options set, otherwise accept.
2649 */
2650 if (!opts)
2651 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2652
2653 if (opts->fscontext_sid) {
2654 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2655 opts->fscontext_sid))
2656 return 1;
2657 }
2658 if (opts->context_sid) {
2659 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2660 opts->context_sid))
2661 return 1;
2662 }
2663 if (opts->rootcontext_sid) {
2664 struct inode_security_struct *root_isec;
2665
2666 root_isec = backing_inode_security(sb->s_root);
2667 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2668 opts->rootcontext_sid))
2669 return 1;
2670 }
2671 if (opts->defcontext_sid) {
2672 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2673 opts->defcontext_sid))
2674 return 1;
2675 }
2676 return 0;
2677 }
2678
selinux_sb_remount(struct super_block * sb,void * mnt_opts)2679 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2680 {
2681 struct selinux_mnt_opts *opts = mnt_opts;
2682 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2683
2684 if (!(sbsec->flags & SE_SBINITIALIZED))
2685 return 0;
2686
2687 if (!opts)
2688 return 0;
2689
2690 if (opts->fscontext_sid) {
2691 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2692 opts->fscontext_sid))
2693 goto out_bad_option;
2694 }
2695 if (opts->context_sid) {
2696 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2697 opts->context_sid))
2698 goto out_bad_option;
2699 }
2700 if (opts->rootcontext_sid) {
2701 struct inode_security_struct *root_isec;
2702 root_isec = backing_inode_security(sb->s_root);
2703 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2704 opts->rootcontext_sid))
2705 goto out_bad_option;
2706 }
2707 if (opts->defcontext_sid) {
2708 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2709 opts->defcontext_sid))
2710 goto out_bad_option;
2711 }
2712 return 0;
2713
2714 out_bad_option:
2715 pr_warn("SELinux: unable to change security options "
2716 "during remount (dev %s, type=%s)\n", sb->s_id,
2717 sb->s_type->name);
2718 return -EINVAL;
2719 }
2720
selinux_sb_kern_mount(struct super_block * sb)2721 static int selinux_sb_kern_mount(struct super_block *sb)
2722 {
2723 const struct cred *cred = current_cred();
2724 struct common_audit_data ad;
2725
2726 ad.type = LSM_AUDIT_DATA_DENTRY;
2727 ad.u.dentry = sb->s_root;
2728 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2729 }
2730
selinux_sb_statfs(struct dentry * dentry)2731 static int selinux_sb_statfs(struct dentry *dentry)
2732 {
2733 const struct cred *cred = current_cred();
2734 struct common_audit_data ad;
2735
2736 ad.type = LSM_AUDIT_DATA_DENTRY;
2737 ad.u.dentry = dentry->d_sb->s_root;
2738 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2739 }
2740
selinux_mount(const char * dev_name,const struct path * path,const char * type,unsigned long flags,void * data)2741 static int selinux_mount(const char *dev_name,
2742 const struct path *path,
2743 const char *type,
2744 unsigned long flags,
2745 void *data)
2746 {
2747 const struct cred *cred = current_cred();
2748
2749 if (flags & MS_REMOUNT)
2750 return superblock_has_perm(cred, path->dentry->d_sb,
2751 FILESYSTEM__REMOUNT, NULL);
2752 else
2753 return path_has_perm(cred, path, FILE__MOUNTON);
2754 }
2755
selinux_move_mount(const struct path * from_path,const struct path * to_path)2756 static int selinux_move_mount(const struct path *from_path,
2757 const struct path *to_path)
2758 {
2759 const struct cred *cred = current_cred();
2760
2761 return path_has_perm(cred, to_path, FILE__MOUNTON);
2762 }
2763
selinux_umount(struct vfsmount * mnt,int flags)2764 static int selinux_umount(struct vfsmount *mnt, int flags)
2765 {
2766 const struct cred *cred = current_cred();
2767
2768 return superblock_has_perm(cred, mnt->mnt_sb,
2769 FILESYSTEM__UNMOUNT, NULL);
2770 }
2771
selinux_fs_context_dup(struct fs_context * fc,struct fs_context * src_fc)2772 static int selinux_fs_context_dup(struct fs_context *fc,
2773 struct fs_context *src_fc)
2774 {
2775 const struct selinux_mnt_opts *src = src_fc->security;
2776
2777 if (!src)
2778 return 0;
2779
2780 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2781 return fc->security ? 0 : -ENOMEM;
2782 }
2783
2784 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2785 fsparam_string(CONTEXT_STR, Opt_context),
2786 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2787 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2788 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2789 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2790 {}
2791 };
2792
selinux_fs_context_parse_param(struct fs_context * fc,struct fs_parameter * param)2793 static int selinux_fs_context_parse_param(struct fs_context *fc,
2794 struct fs_parameter *param)
2795 {
2796 struct fs_parse_result result;
2797 int opt;
2798
2799 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2800 if (opt < 0)
2801 return opt;
2802
2803 return selinux_add_opt(opt, param->string, &fc->security);
2804 }
2805
2806 /* inode security operations */
2807
selinux_inode_alloc_security(struct inode * inode)2808 static int selinux_inode_alloc_security(struct inode *inode)
2809 {
2810 struct inode_security_struct *isec = selinux_inode(inode);
2811 u32 sid = current_sid();
2812
2813 spin_lock_init(&isec->lock);
2814 INIT_LIST_HEAD(&isec->list);
2815 isec->inode = inode;
2816 isec->sid = SECINITSID_UNLABELED;
2817 isec->sclass = SECCLASS_FILE;
2818 isec->task_sid = sid;
2819 isec->initialized = LABEL_INVALID;
2820
2821 return 0;
2822 }
2823
selinux_inode_free_security(struct inode * inode)2824 static void selinux_inode_free_security(struct inode *inode)
2825 {
2826 inode_free_security(inode);
2827 }
2828
selinux_dentry_init_security(struct dentry * dentry,int mode,const struct qstr * name,const char ** xattr_name,void ** ctx,u32 * ctxlen)2829 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2830 const struct qstr *name,
2831 const char **xattr_name, void **ctx,
2832 u32 *ctxlen)
2833 {
2834 u32 newsid;
2835 int rc;
2836
2837 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2838 d_inode(dentry->d_parent), name,
2839 inode_mode_to_security_class(mode),
2840 &newsid);
2841 if (rc)
2842 return rc;
2843
2844 if (xattr_name)
2845 *xattr_name = XATTR_NAME_SELINUX;
2846
2847 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2848 ctxlen);
2849 }
2850
selinux_dentry_create_files_as(struct dentry * dentry,int mode,struct qstr * name,const struct cred * old,struct cred * new)2851 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2852 struct qstr *name,
2853 const struct cred *old,
2854 struct cred *new)
2855 {
2856 u32 newsid;
2857 int rc;
2858 struct task_security_struct *tsec;
2859
2860 rc = selinux_determine_inode_label(selinux_cred(old),
2861 d_inode(dentry->d_parent), name,
2862 inode_mode_to_security_class(mode),
2863 &newsid);
2864 if (rc)
2865 return rc;
2866
2867 tsec = selinux_cred(new);
2868 tsec->create_sid = newsid;
2869 return 0;
2870 }
2871
selinux_inode_init_security(struct inode * inode,struct inode * dir,const struct qstr * qstr,const char ** name,void ** value,size_t * len)2872 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2873 const struct qstr *qstr,
2874 const char **name,
2875 void **value, size_t *len)
2876 {
2877 const struct task_security_struct *tsec = selinux_cred(current_cred());
2878 struct superblock_security_struct *sbsec;
2879 u32 newsid, clen;
2880 int rc;
2881 char *context;
2882
2883 sbsec = selinux_superblock(dir->i_sb);
2884
2885 newsid = tsec->create_sid;
2886
2887 rc = selinux_determine_inode_label(tsec, dir, qstr,
2888 inode_mode_to_security_class(inode->i_mode),
2889 &newsid);
2890 if (rc)
2891 return rc;
2892
2893 /* Possibly defer initialization to selinux_complete_init. */
2894 if (sbsec->flags & SE_SBINITIALIZED) {
2895 struct inode_security_struct *isec = selinux_inode(inode);
2896 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2897 isec->sid = newsid;
2898 isec->initialized = LABEL_INITIALIZED;
2899 }
2900
2901 if (!selinux_initialized(&selinux_state) ||
2902 !(sbsec->flags & SBLABEL_MNT))
2903 return -EOPNOTSUPP;
2904
2905 if (name)
2906 *name = XATTR_SELINUX_SUFFIX;
2907
2908 if (value && len) {
2909 rc = security_sid_to_context_force(&selinux_state, newsid,
2910 &context, &clen);
2911 if (rc)
2912 return rc;
2913 *value = context;
2914 *len = clen;
2915 }
2916
2917 return 0;
2918 }
2919
selinux_inode_init_security_anon(struct inode * inode,const struct qstr * name,const struct inode * context_inode)2920 static int selinux_inode_init_security_anon(struct inode *inode,
2921 const struct qstr *name,
2922 const struct inode *context_inode)
2923 {
2924 const struct task_security_struct *tsec = selinux_cred(current_cred());
2925 struct common_audit_data ad;
2926 struct inode_security_struct *isec;
2927 int rc;
2928
2929 if (unlikely(!selinux_initialized(&selinux_state)))
2930 return 0;
2931
2932 isec = selinux_inode(inode);
2933
2934 /*
2935 * We only get here once per ephemeral inode. The inode has
2936 * been initialized via inode_alloc_security but is otherwise
2937 * untouched.
2938 */
2939
2940 if (context_inode) {
2941 struct inode_security_struct *context_isec =
2942 selinux_inode(context_inode);
2943 if (context_isec->initialized != LABEL_INITIALIZED) {
2944 pr_err("SELinux: context_inode is not initialized");
2945 return -EACCES;
2946 }
2947
2948 isec->sclass = context_isec->sclass;
2949 isec->sid = context_isec->sid;
2950 } else {
2951 isec->sclass = SECCLASS_ANON_INODE;
2952 rc = security_transition_sid(
2953 &selinux_state, tsec->sid, tsec->sid,
2954 isec->sclass, name, &isec->sid);
2955 if (rc)
2956 return rc;
2957 }
2958
2959 isec->initialized = LABEL_INITIALIZED;
2960 /*
2961 * Now that we've initialized security, check whether we're
2962 * allowed to actually create this type of anonymous inode.
2963 */
2964
2965 ad.type = LSM_AUDIT_DATA_ANONINODE;
2966 ad.u.anonclass = name ? (const char *)name->name : "?";
2967
2968 return avc_has_perm(&selinux_state,
2969 tsec->sid,
2970 isec->sid,
2971 isec->sclass,
2972 FILE__CREATE,
2973 &ad);
2974 }
2975
selinux_inode_create(struct inode * dir,struct dentry * dentry,umode_t mode)2976 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2977 {
2978 return may_create(dir, dentry, SECCLASS_FILE);
2979 }
2980
selinux_inode_link(struct dentry * old_dentry,struct inode * dir,struct dentry * new_dentry)2981 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2982 {
2983 return may_link(dir, old_dentry, MAY_LINK);
2984 }
2985
selinux_inode_unlink(struct inode * dir,struct dentry * dentry)2986 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2987 {
2988 return may_link(dir, dentry, MAY_UNLINK);
2989 }
2990
selinux_inode_symlink(struct inode * dir,struct dentry * dentry,const char * name)2991 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2992 {
2993 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2994 }
2995
selinux_inode_mkdir(struct inode * dir,struct dentry * dentry,umode_t mask)2996 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2997 {
2998 return may_create(dir, dentry, SECCLASS_DIR);
2999 }
3000
selinux_inode_rmdir(struct inode * dir,struct dentry * dentry)3001 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3002 {
3003 return may_link(dir, dentry, MAY_RMDIR);
3004 }
3005
selinux_inode_mknod(struct inode * dir,struct dentry * dentry,umode_t mode,dev_t dev)3006 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3007 {
3008 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3009 }
3010
selinux_inode_rename(struct inode * old_inode,struct dentry * old_dentry,struct inode * new_inode,struct dentry * new_dentry)3011 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3012 struct inode *new_inode, struct dentry *new_dentry)
3013 {
3014 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3015 }
3016
selinux_inode_readlink(struct dentry * dentry)3017 static int selinux_inode_readlink(struct dentry *dentry)
3018 {
3019 const struct cred *cred = current_cred();
3020
3021 return dentry_has_perm(cred, dentry, FILE__READ);
3022 }
3023
selinux_inode_follow_link(struct dentry * dentry,struct inode * inode,bool rcu)3024 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3025 bool rcu)
3026 {
3027 const struct cred *cred = current_cred();
3028 struct common_audit_data ad;
3029 struct inode_security_struct *isec;
3030 u32 sid;
3031
3032 validate_creds(cred);
3033
3034 ad.type = LSM_AUDIT_DATA_DENTRY;
3035 ad.u.dentry = dentry;
3036 sid = cred_sid(cred);
3037 isec = inode_security_rcu(inode, rcu);
3038 if (IS_ERR(isec))
3039 return PTR_ERR(isec);
3040
3041 return avc_has_perm(&selinux_state,
3042 sid, isec->sid, isec->sclass, FILE__READ, &ad);
3043 }
3044
audit_inode_permission(struct inode * inode,u32 perms,u32 audited,u32 denied,int result)3045 static noinline int audit_inode_permission(struct inode *inode,
3046 u32 perms, u32 audited, u32 denied,
3047 int result)
3048 {
3049 struct common_audit_data ad;
3050 struct inode_security_struct *isec = selinux_inode(inode);
3051
3052 ad.type = LSM_AUDIT_DATA_INODE;
3053 ad.u.inode = inode;
3054
3055 return slow_avc_audit(&selinux_state,
3056 current_sid(), isec->sid, isec->sclass, perms,
3057 audited, denied, result, &ad);
3058 }
3059
selinux_inode_permission(struct inode * inode,int mask)3060 static int selinux_inode_permission(struct inode *inode, int mask)
3061 {
3062 const struct cred *cred = current_cred();
3063 u32 perms;
3064 bool from_access;
3065 bool no_block = mask & MAY_NOT_BLOCK;
3066 struct inode_security_struct *isec;
3067 u32 sid;
3068 struct av_decision avd;
3069 int rc, rc2;
3070 u32 audited, denied;
3071
3072 from_access = mask & MAY_ACCESS;
3073 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3074
3075 /* No permission to check. Existence test. */
3076 if (!mask)
3077 return 0;
3078
3079 validate_creds(cred);
3080
3081 if (unlikely(IS_PRIVATE(inode)))
3082 return 0;
3083
3084 perms = file_mask_to_av(inode->i_mode, mask);
3085
3086 sid = cred_sid(cred);
3087 isec = inode_security_rcu(inode, no_block);
3088 if (IS_ERR(isec))
3089 return PTR_ERR(isec);
3090
3091 rc = avc_has_perm_noaudit(&selinux_state,
3092 sid, isec->sid, isec->sclass, perms, 0,
3093 &avd);
3094 audited = avc_audit_required(perms, &avd, rc,
3095 from_access ? FILE__AUDIT_ACCESS : 0,
3096 &denied);
3097 if (likely(!audited))
3098 return rc;
3099
3100 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3101 if (rc2)
3102 return rc2;
3103 return rc;
3104 }
3105
selinux_inode_setattr(struct dentry * dentry,struct iattr * iattr)3106 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3107 {
3108 const struct cred *cred = current_cred();
3109 struct inode *inode = d_backing_inode(dentry);
3110 unsigned int ia_valid = iattr->ia_valid;
3111 __u32 av = FILE__WRITE;
3112
3113 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3114 if (ia_valid & ATTR_FORCE) {
3115 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3116 ATTR_FORCE);
3117 if (!ia_valid)
3118 return 0;
3119 }
3120
3121 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3122 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3123 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3124
3125 if (selinux_policycap_openperm() &&
3126 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3127 (ia_valid & ATTR_SIZE) &&
3128 !(ia_valid & ATTR_FILE))
3129 av |= FILE__OPEN;
3130
3131 return dentry_has_perm(cred, dentry, av);
3132 }
3133
selinux_inode_getattr(const struct path * path)3134 static int selinux_inode_getattr(const struct path *path)
3135 {
3136 return path_has_perm(current_cred(), path, FILE__GETATTR);
3137 }
3138
has_cap_mac_admin(bool audit)3139 static bool has_cap_mac_admin(bool audit)
3140 {
3141 const struct cred *cred = current_cred();
3142 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3143
3144 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3145 return false;
3146 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3147 return false;
3148 return true;
3149 }
3150
selinux_inode_setxattr(struct user_namespace * mnt_userns,struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3151 static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
3152 struct dentry *dentry, const char *name,
3153 const void *value, size_t size, int flags)
3154 {
3155 struct inode *inode = d_backing_inode(dentry);
3156 struct inode_security_struct *isec;
3157 struct superblock_security_struct *sbsec;
3158 struct common_audit_data ad;
3159 u32 newsid, sid = current_sid();
3160 int rc = 0;
3161
3162 if (strcmp(name, XATTR_NAME_SELINUX)) {
3163 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3164 if (rc)
3165 return rc;
3166
3167 /* Not an attribute we recognize, so just check the
3168 ordinary setattr permission. */
3169 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3170 }
3171
3172 if (!selinux_initialized(&selinux_state))
3173 return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM);
3174
3175 sbsec = selinux_superblock(inode->i_sb);
3176 if (!(sbsec->flags & SBLABEL_MNT))
3177 return -EOPNOTSUPP;
3178
3179 if (!inode_owner_or_capable(mnt_userns, inode))
3180 return -EPERM;
3181
3182 ad.type = LSM_AUDIT_DATA_DENTRY;
3183 ad.u.dentry = dentry;
3184
3185 isec = backing_inode_security(dentry);
3186 rc = avc_has_perm(&selinux_state,
3187 sid, isec->sid, isec->sclass,
3188 FILE__RELABELFROM, &ad);
3189 if (rc)
3190 return rc;
3191
3192 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3193 GFP_KERNEL);
3194 if (rc == -EINVAL) {
3195 if (!has_cap_mac_admin(true)) {
3196 struct audit_buffer *ab;
3197 size_t audit_size;
3198
3199 /* We strip a nul only if it is at the end, otherwise the
3200 * context contains a nul and we should audit that */
3201 if (value) {
3202 const char *str = value;
3203
3204 if (str[size - 1] == '\0')
3205 audit_size = size - 1;
3206 else
3207 audit_size = size;
3208 } else {
3209 audit_size = 0;
3210 }
3211 ab = audit_log_start(audit_context(),
3212 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3213 if (!ab)
3214 return rc;
3215 audit_log_format(ab, "op=setxattr invalid_context=");
3216 audit_log_n_untrustedstring(ab, value, audit_size);
3217 audit_log_end(ab);
3218
3219 return rc;
3220 }
3221 rc = security_context_to_sid_force(&selinux_state, value,
3222 size, &newsid);
3223 }
3224 if (rc)
3225 return rc;
3226
3227 rc = avc_has_perm(&selinux_state,
3228 sid, newsid, isec->sclass,
3229 FILE__RELABELTO, &ad);
3230 if (rc)
3231 return rc;
3232
3233 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3234 sid, isec->sclass);
3235 if (rc)
3236 return rc;
3237
3238 return avc_has_perm(&selinux_state,
3239 newsid,
3240 sbsec->sid,
3241 SECCLASS_FILESYSTEM,
3242 FILESYSTEM__ASSOCIATE,
3243 &ad);
3244 }
3245
selinux_inode_post_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3246 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3247 const void *value, size_t size,
3248 int flags)
3249 {
3250 struct inode *inode = d_backing_inode(dentry);
3251 struct inode_security_struct *isec;
3252 u32 newsid;
3253 int rc;
3254
3255 if (strcmp(name, XATTR_NAME_SELINUX)) {
3256 /* Not an attribute we recognize, so nothing to do. */
3257 return;
3258 }
3259
3260 if (!selinux_initialized(&selinux_state)) {
3261 /* If we haven't even been initialized, then we can't validate
3262 * against a policy, so leave the label as invalid. It may
3263 * resolve to a valid label on the next revalidation try if
3264 * we've since initialized.
3265 */
3266 return;
3267 }
3268
3269 rc = security_context_to_sid_force(&selinux_state, value, size,
3270 &newsid);
3271 if (rc) {
3272 pr_err("SELinux: unable to map context to SID"
3273 "for (%s, %lu), rc=%d\n",
3274 inode->i_sb->s_id, inode->i_ino, -rc);
3275 return;
3276 }
3277
3278 isec = backing_inode_security(dentry);
3279 spin_lock(&isec->lock);
3280 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3281 isec->sid = newsid;
3282 isec->initialized = LABEL_INITIALIZED;
3283 spin_unlock(&isec->lock);
3284 }
3285
selinux_inode_getxattr(struct dentry * dentry,const char * name)3286 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3287 {
3288 const struct cred *cred = current_cred();
3289
3290 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3291 }
3292
selinux_inode_listxattr(struct dentry * dentry)3293 static int selinux_inode_listxattr(struct dentry *dentry)
3294 {
3295 const struct cred *cred = current_cred();
3296
3297 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3298 }
3299
selinux_inode_removexattr(struct user_namespace * mnt_userns,struct dentry * dentry,const char * name)3300 static int selinux_inode_removexattr(struct user_namespace *mnt_userns,
3301 struct dentry *dentry, const char *name)
3302 {
3303 if (strcmp(name, XATTR_NAME_SELINUX)) {
3304 int rc = cap_inode_removexattr(mnt_userns, dentry, name);
3305 if (rc)
3306 return rc;
3307
3308 /* Not an attribute we recognize, so just check the
3309 ordinary setattr permission. */
3310 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3311 }
3312
3313 if (!selinux_initialized(&selinux_state))
3314 return 0;
3315
3316 /* No one is allowed to remove a SELinux security label.
3317 You can change the label, but all data must be labeled. */
3318 return -EACCES;
3319 }
3320
selinux_path_notify(const struct path * path,u64 mask,unsigned int obj_type)3321 static int selinux_path_notify(const struct path *path, u64 mask,
3322 unsigned int obj_type)
3323 {
3324 int ret;
3325 u32 perm;
3326
3327 struct common_audit_data ad;
3328
3329 ad.type = LSM_AUDIT_DATA_PATH;
3330 ad.u.path = *path;
3331
3332 /*
3333 * Set permission needed based on the type of mark being set.
3334 * Performs an additional check for sb watches.
3335 */
3336 switch (obj_type) {
3337 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3338 perm = FILE__WATCH_MOUNT;
3339 break;
3340 case FSNOTIFY_OBJ_TYPE_SB:
3341 perm = FILE__WATCH_SB;
3342 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3343 FILESYSTEM__WATCH, &ad);
3344 if (ret)
3345 return ret;
3346 break;
3347 case FSNOTIFY_OBJ_TYPE_INODE:
3348 perm = FILE__WATCH;
3349 break;
3350 default:
3351 return -EINVAL;
3352 }
3353
3354 /* blocking watches require the file:watch_with_perm permission */
3355 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3356 perm |= FILE__WATCH_WITH_PERM;
3357
3358 /* watches on read-like events need the file:watch_reads permission */
3359 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3360 perm |= FILE__WATCH_READS;
3361
3362 return path_has_perm(current_cred(), path, perm);
3363 }
3364
3365 /*
3366 * Copy the inode security context value to the user.
3367 *
3368 * Permission check is handled by selinux_inode_getxattr hook.
3369 */
selinux_inode_getsecurity(struct user_namespace * mnt_userns,struct inode * inode,const char * name,void ** buffer,bool alloc)3370 static int selinux_inode_getsecurity(struct user_namespace *mnt_userns,
3371 struct inode *inode, const char *name,
3372 void **buffer, bool alloc)
3373 {
3374 u32 size;
3375 int error;
3376 char *context = NULL;
3377 struct inode_security_struct *isec;
3378
3379 /*
3380 * If we're not initialized yet, then we can't validate contexts, so
3381 * just let vfs_getxattr fall back to using the on-disk xattr.
3382 */
3383 if (!selinux_initialized(&selinux_state) ||
3384 strcmp(name, XATTR_SELINUX_SUFFIX))
3385 return -EOPNOTSUPP;
3386
3387 /*
3388 * If the caller has CAP_MAC_ADMIN, then get the raw context
3389 * value even if it is not defined by current policy; otherwise,
3390 * use the in-core value under current policy.
3391 * Use the non-auditing forms of the permission checks since
3392 * getxattr may be called by unprivileged processes commonly
3393 * and lack of permission just means that we fall back to the
3394 * in-core context value, not a denial.
3395 */
3396 isec = inode_security(inode);
3397 if (has_cap_mac_admin(false))
3398 error = security_sid_to_context_force(&selinux_state,
3399 isec->sid, &context,
3400 &size);
3401 else
3402 error = security_sid_to_context(&selinux_state, isec->sid,
3403 &context, &size);
3404 if (error)
3405 return error;
3406 error = size;
3407 if (alloc) {
3408 *buffer = context;
3409 goto out_nofree;
3410 }
3411 kfree(context);
3412 out_nofree:
3413 return error;
3414 }
3415
selinux_inode_setsecurity(struct inode * inode,const char * name,const void * value,size_t size,int flags)3416 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3417 const void *value, size_t size, int flags)
3418 {
3419 struct inode_security_struct *isec = inode_security_novalidate(inode);
3420 struct superblock_security_struct *sbsec;
3421 u32 newsid;
3422 int rc;
3423
3424 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3425 return -EOPNOTSUPP;
3426
3427 sbsec = selinux_superblock(inode->i_sb);
3428 if (!(sbsec->flags & SBLABEL_MNT))
3429 return -EOPNOTSUPP;
3430
3431 if (!value || !size)
3432 return -EACCES;
3433
3434 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3435 GFP_KERNEL);
3436 if (rc)
3437 return rc;
3438
3439 spin_lock(&isec->lock);
3440 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3441 isec->sid = newsid;
3442 isec->initialized = LABEL_INITIALIZED;
3443 spin_unlock(&isec->lock);
3444 return 0;
3445 }
3446
selinux_inode_listsecurity(struct inode * inode,char * buffer,size_t buffer_size)3447 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3448 {
3449 const int len = sizeof(XATTR_NAME_SELINUX);
3450
3451 if (!selinux_initialized(&selinux_state))
3452 return 0;
3453
3454 if (buffer && len <= buffer_size)
3455 memcpy(buffer, XATTR_NAME_SELINUX, len);
3456 return len;
3457 }
3458
selinux_inode_getsecid(struct inode * inode,u32 * secid)3459 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3460 {
3461 struct inode_security_struct *isec = inode_security_novalidate(inode);
3462 *secid = isec->sid;
3463 }
3464
selinux_inode_copy_up(struct dentry * src,struct cred ** new)3465 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3466 {
3467 u32 sid;
3468 struct task_security_struct *tsec;
3469 struct cred *new_creds = *new;
3470
3471 if (new_creds == NULL) {
3472 new_creds = prepare_creds();
3473 if (!new_creds)
3474 return -ENOMEM;
3475 }
3476
3477 tsec = selinux_cred(new_creds);
3478 /* Get label from overlay inode and set it in create_sid */
3479 selinux_inode_getsecid(d_inode(src), &sid);
3480 tsec->create_sid = sid;
3481 *new = new_creds;
3482 return 0;
3483 }
3484
selinux_inode_copy_up_xattr(const char * name)3485 static int selinux_inode_copy_up_xattr(const char *name)
3486 {
3487 /* The copy_up hook above sets the initial context on an inode, but we
3488 * don't then want to overwrite it by blindly copying all the lower
3489 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3490 */
3491 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3492 return 1; /* Discard */
3493 /*
3494 * Any other attribute apart from SELINUX is not claimed, supported
3495 * by selinux.
3496 */
3497 return -EOPNOTSUPP;
3498 }
3499
3500 /* kernfs node operations */
3501
selinux_kernfs_init_security(struct kernfs_node * kn_dir,struct kernfs_node * kn)3502 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3503 struct kernfs_node *kn)
3504 {
3505 const struct task_security_struct *tsec = selinux_cred(current_cred());
3506 u32 parent_sid, newsid, clen;
3507 int rc;
3508 char *context;
3509
3510 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3511 if (rc == -ENODATA)
3512 return 0;
3513 else if (rc < 0)
3514 return rc;
3515
3516 clen = (u32)rc;
3517 context = kmalloc(clen, GFP_KERNEL);
3518 if (!context)
3519 return -ENOMEM;
3520
3521 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3522 if (rc < 0) {
3523 kfree(context);
3524 return rc;
3525 }
3526
3527 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3528 GFP_KERNEL);
3529 kfree(context);
3530 if (rc)
3531 return rc;
3532
3533 if (tsec->create_sid) {
3534 newsid = tsec->create_sid;
3535 } else {
3536 u16 secclass = inode_mode_to_security_class(kn->mode);
3537 struct qstr q;
3538
3539 q.name = kn->name;
3540 q.hash_len = hashlen_string(kn_dir, kn->name);
3541
3542 rc = security_transition_sid(&selinux_state, tsec->sid,
3543 parent_sid, secclass, &q,
3544 &newsid);
3545 if (rc)
3546 return rc;
3547 }
3548
3549 rc = security_sid_to_context_force(&selinux_state, newsid,
3550 &context, &clen);
3551 if (rc)
3552 return rc;
3553
3554 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3555 XATTR_CREATE);
3556 kfree(context);
3557 return rc;
3558 }
3559
3560
3561 /* file security operations */
3562
selinux_revalidate_file_permission(struct file * file,int mask)3563 static int selinux_revalidate_file_permission(struct file *file, int mask)
3564 {
3565 const struct cred *cred = current_cred();
3566 struct inode *inode = file_inode(file);
3567
3568 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3569 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3570 mask |= MAY_APPEND;
3571
3572 return file_has_perm(cred, file,
3573 file_mask_to_av(inode->i_mode, mask));
3574 }
3575
selinux_file_permission(struct file * file,int mask)3576 static int selinux_file_permission(struct file *file, int mask)
3577 {
3578 struct inode *inode = file_inode(file);
3579 struct file_security_struct *fsec = selinux_file(file);
3580 struct inode_security_struct *isec;
3581 u32 sid = current_sid();
3582
3583 if (!mask)
3584 /* No permission to check. Existence test. */
3585 return 0;
3586
3587 isec = inode_security(inode);
3588 if (sid == fsec->sid && fsec->isid == isec->sid &&
3589 fsec->pseqno == avc_policy_seqno(&selinux_state))
3590 /* No change since file_open check. */
3591 return 0;
3592
3593 return selinux_revalidate_file_permission(file, mask);
3594 }
3595
selinux_file_alloc_security(struct file * file)3596 static int selinux_file_alloc_security(struct file *file)
3597 {
3598 struct file_security_struct *fsec = selinux_file(file);
3599 u32 sid = current_sid();
3600
3601 fsec->sid = sid;
3602 fsec->fown_sid = sid;
3603
3604 return 0;
3605 }
3606
3607 /*
3608 * Check whether a task has the ioctl permission and cmd
3609 * operation to an inode.
3610 */
ioctl_has_perm(const struct cred * cred,struct file * file,u32 requested,u16 cmd)3611 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3612 u32 requested, u16 cmd)
3613 {
3614 struct common_audit_data ad;
3615 struct file_security_struct *fsec = selinux_file(file);
3616 struct inode *inode = file_inode(file);
3617 struct inode_security_struct *isec;
3618 struct lsm_ioctlop_audit ioctl;
3619 u32 ssid = cred_sid(cred);
3620 int rc;
3621 u8 driver = cmd >> 8;
3622 u8 xperm = cmd & 0xff;
3623
3624 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3625 ad.u.op = &ioctl;
3626 ad.u.op->cmd = cmd;
3627 ad.u.op->path = file->f_path;
3628
3629 if (ssid != fsec->sid) {
3630 rc = avc_has_perm(&selinux_state,
3631 ssid, fsec->sid,
3632 SECCLASS_FD,
3633 FD__USE,
3634 &ad);
3635 if (rc)
3636 goto out;
3637 }
3638
3639 if (unlikely(IS_PRIVATE(inode)))
3640 return 0;
3641
3642 isec = inode_security(inode);
3643 rc = avc_has_extended_perms(&selinux_state,
3644 ssid, isec->sid, isec->sclass,
3645 requested, driver, xperm, &ad);
3646 out:
3647 return rc;
3648 }
3649
selinux_file_ioctl(struct file * file,unsigned int cmd,unsigned long arg)3650 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3651 unsigned long arg)
3652 {
3653 const struct cred *cred = current_cred();
3654 int error = 0;
3655
3656 switch (cmd) {
3657 case FIONREAD:
3658 case FIBMAP:
3659 case FIGETBSZ:
3660 case FS_IOC_GETFLAGS:
3661 case FS_IOC_GETVERSION:
3662 error = file_has_perm(cred, file, FILE__GETATTR);
3663 break;
3664
3665 case FS_IOC_SETFLAGS:
3666 case FS_IOC_SETVERSION:
3667 error = file_has_perm(cred, file, FILE__SETATTR);
3668 break;
3669
3670 /* sys_ioctl() checks */
3671 case FIONBIO:
3672 case FIOASYNC:
3673 error = file_has_perm(cred, file, 0);
3674 break;
3675
3676 case KDSKBENT:
3677 case KDSKBSENT:
3678 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3679 CAP_OPT_NONE, true);
3680 break;
3681
3682 case FIOCLEX:
3683 case FIONCLEX:
3684 if (!selinux_policycap_ioctl_skip_cloexec())
3685 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3686 break;
3687
3688 /* default case assumes that the command will go
3689 * to the file's ioctl() function.
3690 */
3691 default:
3692 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3693 }
3694 return error;
3695 }
3696
3697 static int default_noexec __ro_after_init;
3698
file_map_prot_check(struct file * file,unsigned long prot,int shared)3699 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3700 {
3701 const struct cred *cred = current_cred();
3702 u32 sid = cred_sid(cred);
3703 int rc = 0;
3704
3705 if (default_noexec &&
3706 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3707 (!shared && (prot & PROT_WRITE)))) {
3708 /*
3709 * We are making executable an anonymous mapping or a
3710 * private file mapping that will also be writable.
3711 * This has an additional check.
3712 */
3713 rc = avc_has_perm(&selinux_state,
3714 sid, sid, SECCLASS_PROCESS,
3715 PROCESS__EXECMEM, NULL);
3716 if (rc)
3717 goto error;
3718 }
3719
3720 if (file) {
3721 /* read access is always possible with a mapping */
3722 u32 av = FILE__READ;
3723
3724 /* write access only matters if the mapping is shared */
3725 if (shared && (prot & PROT_WRITE))
3726 av |= FILE__WRITE;
3727
3728 if (prot & PROT_EXEC)
3729 av |= FILE__EXECUTE;
3730
3731 return file_has_perm(cred, file, av);
3732 }
3733
3734 error:
3735 return rc;
3736 }
3737
selinux_mmap_addr(unsigned long addr)3738 static int selinux_mmap_addr(unsigned long addr)
3739 {
3740 int rc = 0;
3741
3742 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3743 u32 sid = current_sid();
3744 rc = avc_has_perm(&selinux_state,
3745 sid, sid, SECCLASS_MEMPROTECT,
3746 MEMPROTECT__MMAP_ZERO, NULL);
3747 }
3748
3749 return rc;
3750 }
3751
selinux_mmap_file(struct file * file,unsigned long reqprot,unsigned long prot,unsigned long flags)3752 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3753 unsigned long prot, unsigned long flags)
3754 {
3755 struct common_audit_data ad;
3756 int rc;
3757
3758 if (file) {
3759 ad.type = LSM_AUDIT_DATA_FILE;
3760 ad.u.file = file;
3761 rc = inode_has_perm(current_cred(), file_inode(file),
3762 FILE__MAP, &ad);
3763 if (rc)
3764 return rc;
3765 }
3766
3767 if (checkreqprot_get(&selinux_state))
3768 prot = reqprot;
3769
3770 return file_map_prot_check(file, prot,
3771 (flags & MAP_TYPE) == MAP_SHARED);
3772 }
3773
selinux_file_mprotect(struct vm_area_struct * vma,unsigned long reqprot,unsigned long prot)3774 static int selinux_file_mprotect(struct vm_area_struct *vma,
3775 unsigned long reqprot,
3776 unsigned long prot)
3777 {
3778 const struct cred *cred = current_cred();
3779 u32 sid = cred_sid(cred);
3780
3781 if (checkreqprot_get(&selinux_state))
3782 prot = reqprot;
3783
3784 if (default_noexec &&
3785 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3786 int rc = 0;
3787 if (vma->vm_start >= vma->vm_mm->start_brk &&
3788 vma->vm_end <= vma->vm_mm->brk) {
3789 rc = avc_has_perm(&selinux_state,
3790 sid, sid, SECCLASS_PROCESS,
3791 PROCESS__EXECHEAP, NULL);
3792 } else if (!vma->vm_file &&
3793 ((vma->vm_start <= vma->vm_mm->start_stack &&
3794 vma->vm_end >= vma->vm_mm->start_stack) ||
3795 vma_is_stack_for_current(vma))) {
3796 rc = avc_has_perm(&selinux_state,
3797 sid, sid, SECCLASS_PROCESS,
3798 PROCESS__EXECSTACK, NULL);
3799 } else if (vma->vm_file && vma->anon_vma) {
3800 /*
3801 * We are making executable a file mapping that has
3802 * had some COW done. Since pages might have been
3803 * written, check ability to execute the possibly
3804 * modified content. This typically should only
3805 * occur for text relocations.
3806 */
3807 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3808 }
3809 if (rc)
3810 return rc;
3811 }
3812
3813 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3814 }
3815
selinux_file_lock(struct file * file,unsigned int cmd)3816 static int selinux_file_lock(struct file *file, unsigned int cmd)
3817 {
3818 const struct cred *cred = current_cred();
3819
3820 return file_has_perm(cred, file, FILE__LOCK);
3821 }
3822
selinux_file_fcntl(struct file * file,unsigned int cmd,unsigned long arg)3823 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3824 unsigned long arg)
3825 {
3826 const struct cred *cred = current_cred();
3827 int err = 0;
3828
3829 switch (cmd) {
3830 case F_SETFL:
3831 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3832 err = file_has_perm(cred, file, FILE__WRITE);
3833 break;
3834 }
3835 fallthrough;
3836 case F_SETOWN:
3837 case F_SETSIG:
3838 case F_GETFL:
3839 case F_GETOWN:
3840 case F_GETSIG:
3841 case F_GETOWNER_UIDS:
3842 /* Just check FD__USE permission */
3843 err = file_has_perm(cred, file, 0);
3844 break;
3845 case F_GETLK:
3846 case F_SETLK:
3847 case F_SETLKW:
3848 case F_OFD_GETLK:
3849 case F_OFD_SETLK:
3850 case F_OFD_SETLKW:
3851 #if BITS_PER_LONG == 32
3852 case F_GETLK64:
3853 case F_SETLK64:
3854 case F_SETLKW64:
3855 #endif
3856 err = file_has_perm(cred, file, FILE__LOCK);
3857 break;
3858 }
3859
3860 return err;
3861 }
3862
selinux_file_set_fowner(struct file * file)3863 static void selinux_file_set_fowner(struct file *file)
3864 {
3865 struct file_security_struct *fsec;
3866
3867 fsec = selinux_file(file);
3868 fsec->fown_sid = current_sid();
3869 }
3870
selinux_file_send_sigiotask(struct task_struct * tsk,struct fown_struct * fown,int signum)3871 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3872 struct fown_struct *fown, int signum)
3873 {
3874 struct file *file;
3875 u32 sid = task_sid_obj(tsk);
3876 u32 perm;
3877 struct file_security_struct *fsec;
3878
3879 /* struct fown_struct is never outside the context of a struct file */
3880 file = container_of(fown, struct file, f_owner);
3881
3882 fsec = selinux_file(file);
3883
3884 if (!signum)
3885 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3886 else
3887 perm = signal_to_av(signum);
3888
3889 return avc_has_perm(&selinux_state,
3890 fsec->fown_sid, sid,
3891 SECCLASS_PROCESS, perm, NULL);
3892 }
3893
selinux_file_receive(struct file * file)3894 static int selinux_file_receive(struct file *file)
3895 {
3896 const struct cred *cred = current_cred();
3897
3898 return file_has_perm(cred, file, file_to_av(file));
3899 }
3900
selinux_file_open(struct file * file)3901 static int selinux_file_open(struct file *file)
3902 {
3903 struct file_security_struct *fsec;
3904 struct inode_security_struct *isec;
3905
3906 fsec = selinux_file(file);
3907 isec = inode_security(file_inode(file));
3908 /*
3909 * Save inode label and policy sequence number
3910 * at open-time so that selinux_file_permission
3911 * can determine whether revalidation is necessary.
3912 * Task label is already saved in the file security
3913 * struct as its SID.
3914 */
3915 fsec->isid = isec->sid;
3916 fsec->pseqno = avc_policy_seqno(&selinux_state);
3917 /*
3918 * Since the inode label or policy seqno may have changed
3919 * between the selinux_inode_permission check and the saving
3920 * of state above, recheck that access is still permitted.
3921 * Otherwise, access might never be revalidated against the
3922 * new inode label or new policy.
3923 * This check is not redundant - do not remove.
3924 */
3925 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3926 }
3927
3928 /* task security operations */
3929
selinux_task_alloc(struct task_struct * task,unsigned long clone_flags)3930 static int selinux_task_alloc(struct task_struct *task,
3931 unsigned long clone_flags)
3932 {
3933 u32 sid = current_sid();
3934
3935 return avc_has_perm(&selinux_state,
3936 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3937 }
3938
3939 /*
3940 * prepare a new set of credentials for modification
3941 */
selinux_cred_prepare(struct cred * new,const struct cred * old,gfp_t gfp)3942 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3943 gfp_t gfp)
3944 {
3945 const struct task_security_struct *old_tsec = selinux_cred(old);
3946 struct task_security_struct *tsec = selinux_cred(new);
3947
3948 *tsec = *old_tsec;
3949 return 0;
3950 }
3951
3952 /*
3953 * transfer the SELinux data to a blank set of creds
3954 */
selinux_cred_transfer(struct cred * new,const struct cred * old)3955 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3956 {
3957 const struct task_security_struct *old_tsec = selinux_cred(old);
3958 struct task_security_struct *tsec = selinux_cred(new);
3959
3960 *tsec = *old_tsec;
3961 }
3962
selinux_cred_getsecid(const struct cred * c,u32 * secid)3963 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3964 {
3965 *secid = cred_sid(c);
3966 }
3967
3968 /*
3969 * set the security data for a kernel service
3970 * - all the creation contexts are set to unlabelled
3971 */
selinux_kernel_act_as(struct cred * new,u32 secid)3972 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3973 {
3974 struct task_security_struct *tsec = selinux_cred(new);
3975 u32 sid = current_sid();
3976 int ret;
3977
3978 ret = avc_has_perm(&selinux_state,
3979 sid, secid,
3980 SECCLASS_KERNEL_SERVICE,
3981 KERNEL_SERVICE__USE_AS_OVERRIDE,
3982 NULL);
3983 if (ret == 0) {
3984 tsec->sid = secid;
3985 tsec->create_sid = 0;
3986 tsec->keycreate_sid = 0;
3987 tsec->sockcreate_sid = 0;
3988 }
3989 return ret;
3990 }
3991
3992 /*
3993 * set the file creation context in a security record to the same as the
3994 * objective context of the specified inode
3995 */
selinux_kernel_create_files_as(struct cred * new,struct inode * inode)3996 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3997 {
3998 struct inode_security_struct *isec = inode_security(inode);
3999 struct task_security_struct *tsec = selinux_cred(new);
4000 u32 sid = current_sid();
4001 int ret;
4002
4003 ret = avc_has_perm(&selinux_state,
4004 sid, isec->sid,
4005 SECCLASS_KERNEL_SERVICE,
4006 KERNEL_SERVICE__CREATE_FILES_AS,
4007 NULL);
4008
4009 if (ret == 0)
4010 tsec->create_sid = isec->sid;
4011 return ret;
4012 }
4013
selinux_kernel_module_request(char * kmod_name)4014 static int selinux_kernel_module_request(char *kmod_name)
4015 {
4016 struct common_audit_data ad;
4017
4018 ad.type = LSM_AUDIT_DATA_KMOD;
4019 ad.u.kmod_name = kmod_name;
4020
4021 return avc_has_perm(&selinux_state,
4022 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4023 SYSTEM__MODULE_REQUEST, &ad);
4024 }
4025
selinux_kernel_module_from_file(struct file * file)4026 static int selinux_kernel_module_from_file(struct file *file)
4027 {
4028 struct common_audit_data ad;
4029 struct inode_security_struct *isec;
4030 struct file_security_struct *fsec;
4031 u32 sid = current_sid();
4032 int rc;
4033
4034 /* init_module */
4035 if (file == NULL)
4036 return avc_has_perm(&selinux_state,
4037 sid, sid, SECCLASS_SYSTEM,
4038 SYSTEM__MODULE_LOAD, NULL);
4039
4040 /* finit_module */
4041
4042 ad.type = LSM_AUDIT_DATA_FILE;
4043 ad.u.file = file;
4044
4045 fsec = selinux_file(file);
4046 if (sid != fsec->sid) {
4047 rc = avc_has_perm(&selinux_state,
4048 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4049 if (rc)
4050 return rc;
4051 }
4052
4053 isec = inode_security(file_inode(file));
4054 return avc_has_perm(&selinux_state,
4055 sid, isec->sid, SECCLASS_SYSTEM,
4056 SYSTEM__MODULE_LOAD, &ad);
4057 }
4058
selinux_kernel_read_file(struct file * file,enum kernel_read_file_id id,bool contents)4059 static int selinux_kernel_read_file(struct file *file,
4060 enum kernel_read_file_id id,
4061 bool contents)
4062 {
4063 int rc = 0;
4064
4065 switch (id) {
4066 case READING_MODULE:
4067 rc = selinux_kernel_module_from_file(contents ? file : NULL);
4068 break;
4069 default:
4070 break;
4071 }
4072
4073 return rc;
4074 }
4075
selinux_kernel_load_data(enum kernel_load_data_id id,bool contents)4076 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4077 {
4078 int rc = 0;
4079
4080 switch (id) {
4081 case LOADING_MODULE:
4082 rc = selinux_kernel_module_from_file(NULL);
4083 break;
4084 default:
4085 break;
4086 }
4087
4088 return rc;
4089 }
4090
selinux_task_setpgid(struct task_struct * p,pid_t pgid)4091 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4092 {
4093 return avc_has_perm(&selinux_state,
4094 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4095 PROCESS__SETPGID, NULL);
4096 }
4097
selinux_task_getpgid(struct task_struct * p)4098 static int selinux_task_getpgid(struct task_struct *p)
4099 {
4100 return avc_has_perm(&selinux_state,
4101 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4102 PROCESS__GETPGID, NULL);
4103 }
4104
selinux_task_getsid(struct task_struct * p)4105 static int selinux_task_getsid(struct task_struct *p)
4106 {
4107 return avc_has_perm(&selinux_state,
4108 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4109 PROCESS__GETSESSION, NULL);
4110 }
4111
selinux_current_getsecid_subj(u32 * secid)4112 static void selinux_current_getsecid_subj(u32 *secid)
4113 {
4114 *secid = current_sid();
4115 }
4116
selinux_task_getsecid_obj(struct task_struct * p,u32 * secid)4117 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4118 {
4119 *secid = task_sid_obj(p);
4120 }
4121
selinux_task_setnice(struct task_struct * p,int nice)4122 static int selinux_task_setnice(struct task_struct *p, int nice)
4123 {
4124 return avc_has_perm(&selinux_state,
4125 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4126 PROCESS__SETSCHED, NULL);
4127 }
4128
selinux_task_setioprio(struct task_struct * p,int ioprio)4129 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4130 {
4131 return avc_has_perm(&selinux_state,
4132 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4133 PROCESS__SETSCHED, NULL);
4134 }
4135
selinux_task_getioprio(struct task_struct * p)4136 static int selinux_task_getioprio(struct task_struct *p)
4137 {
4138 return avc_has_perm(&selinux_state,
4139 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4140 PROCESS__GETSCHED, NULL);
4141 }
4142
selinux_task_prlimit(const struct cred * cred,const struct cred * tcred,unsigned int flags)4143 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4144 unsigned int flags)
4145 {
4146 u32 av = 0;
4147
4148 if (!flags)
4149 return 0;
4150 if (flags & LSM_PRLIMIT_WRITE)
4151 av |= PROCESS__SETRLIMIT;
4152 if (flags & LSM_PRLIMIT_READ)
4153 av |= PROCESS__GETRLIMIT;
4154 return avc_has_perm(&selinux_state,
4155 cred_sid(cred), cred_sid(tcred),
4156 SECCLASS_PROCESS, av, NULL);
4157 }
4158
selinux_task_setrlimit(struct task_struct * p,unsigned int resource,struct rlimit * new_rlim)4159 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4160 struct rlimit *new_rlim)
4161 {
4162 struct rlimit *old_rlim = p->signal->rlim + resource;
4163
4164 /* Control the ability to change the hard limit (whether
4165 lowering or raising it), so that the hard limit can
4166 later be used as a safe reset point for the soft limit
4167 upon context transitions. See selinux_bprm_committing_creds. */
4168 if (old_rlim->rlim_max != new_rlim->rlim_max)
4169 return avc_has_perm(&selinux_state,
4170 current_sid(), task_sid_obj(p),
4171 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4172
4173 return 0;
4174 }
4175
selinux_task_setscheduler(struct task_struct * p)4176 static int selinux_task_setscheduler(struct task_struct *p)
4177 {
4178 return avc_has_perm(&selinux_state,
4179 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4180 PROCESS__SETSCHED, NULL);
4181 }
4182
selinux_task_getscheduler(struct task_struct * p)4183 static int selinux_task_getscheduler(struct task_struct *p)
4184 {
4185 return avc_has_perm(&selinux_state,
4186 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4187 PROCESS__GETSCHED, NULL);
4188 }
4189
selinux_task_movememory(struct task_struct * p)4190 static int selinux_task_movememory(struct task_struct *p)
4191 {
4192 return avc_has_perm(&selinux_state,
4193 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4194 PROCESS__SETSCHED, NULL);
4195 }
4196
selinux_task_kill(struct task_struct * p,struct kernel_siginfo * info,int sig,const struct cred * cred)4197 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4198 int sig, const struct cred *cred)
4199 {
4200 u32 secid;
4201 u32 perm;
4202
4203 if (!sig)
4204 perm = PROCESS__SIGNULL; /* null signal; existence test */
4205 else
4206 perm = signal_to_av(sig);
4207 if (!cred)
4208 secid = current_sid();
4209 else
4210 secid = cred_sid(cred);
4211 return avc_has_perm(&selinux_state,
4212 secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4213 }
4214
selinux_task_to_inode(struct task_struct * p,struct inode * inode)4215 static void selinux_task_to_inode(struct task_struct *p,
4216 struct inode *inode)
4217 {
4218 struct inode_security_struct *isec = selinux_inode(inode);
4219 u32 sid = task_sid_obj(p);
4220
4221 spin_lock(&isec->lock);
4222 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4223 isec->sid = sid;
4224 isec->initialized = LABEL_INITIALIZED;
4225 spin_unlock(&isec->lock);
4226 }
4227
4228 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv4(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4229 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4230 struct common_audit_data *ad, u8 *proto)
4231 {
4232 int offset, ihlen, ret = -EINVAL;
4233 struct iphdr _iph, *ih;
4234
4235 offset = skb_network_offset(skb);
4236 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4237 if (ih == NULL)
4238 goto out;
4239
4240 ihlen = ih->ihl * 4;
4241 if (ihlen < sizeof(_iph))
4242 goto out;
4243
4244 ad->u.net->v4info.saddr = ih->saddr;
4245 ad->u.net->v4info.daddr = ih->daddr;
4246 ret = 0;
4247
4248 if (proto)
4249 *proto = ih->protocol;
4250
4251 switch (ih->protocol) {
4252 case IPPROTO_TCP: {
4253 struct tcphdr _tcph, *th;
4254
4255 if (ntohs(ih->frag_off) & IP_OFFSET)
4256 break;
4257
4258 offset += ihlen;
4259 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4260 if (th == NULL)
4261 break;
4262
4263 ad->u.net->sport = th->source;
4264 ad->u.net->dport = th->dest;
4265 break;
4266 }
4267
4268 case IPPROTO_UDP: {
4269 struct udphdr _udph, *uh;
4270
4271 if (ntohs(ih->frag_off) & IP_OFFSET)
4272 break;
4273
4274 offset += ihlen;
4275 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4276 if (uh == NULL)
4277 break;
4278
4279 ad->u.net->sport = uh->source;
4280 ad->u.net->dport = uh->dest;
4281 break;
4282 }
4283
4284 case IPPROTO_DCCP: {
4285 struct dccp_hdr _dccph, *dh;
4286
4287 if (ntohs(ih->frag_off) & IP_OFFSET)
4288 break;
4289
4290 offset += ihlen;
4291 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4292 if (dh == NULL)
4293 break;
4294
4295 ad->u.net->sport = dh->dccph_sport;
4296 ad->u.net->dport = dh->dccph_dport;
4297 break;
4298 }
4299
4300 #if IS_ENABLED(CONFIG_IP_SCTP)
4301 case IPPROTO_SCTP: {
4302 struct sctphdr _sctph, *sh;
4303
4304 if (ntohs(ih->frag_off) & IP_OFFSET)
4305 break;
4306
4307 offset += ihlen;
4308 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4309 if (sh == NULL)
4310 break;
4311
4312 ad->u.net->sport = sh->source;
4313 ad->u.net->dport = sh->dest;
4314 break;
4315 }
4316 #endif
4317 default:
4318 break;
4319 }
4320 out:
4321 return ret;
4322 }
4323
4324 #if IS_ENABLED(CONFIG_IPV6)
4325
4326 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv6(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4327 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4328 struct common_audit_data *ad, u8 *proto)
4329 {
4330 u8 nexthdr;
4331 int ret = -EINVAL, offset;
4332 struct ipv6hdr _ipv6h, *ip6;
4333 __be16 frag_off;
4334
4335 offset = skb_network_offset(skb);
4336 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4337 if (ip6 == NULL)
4338 goto out;
4339
4340 ad->u.net->v6info.saddr = ip6->saddr;
4341 ad->u.net->v6info.daddr = ip6->daddr;
4342 ret = 0;
4343
4344 nexthdr = ip6->nexthdr;
4345 offset += sizeof(_ipv6h);
4346 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4347 if (offset < 0)
4348 goto out;
4349
4350 if (proto)
4351 *proto = nexthdr;
4352
4353 switch (nexthdr) {
4354 case IPPROTO_TCP: {
4355 struct tcphdr _tcph, *th;
4356
4357 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4358 if (th == NULL)
4359 break;
4360
4361 ad->u.net->sport = th->source;
4362 ad->u.net->dport = th->dest;
4363 break;
4364 }
4365
4366 case IPPROTO_UDP: {
4367 struct udphdr _udph, *uh;
4368
4369 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4370 if (uh == NULL)
4371 break;
4372
4373 ad->u.net->sport = uh->source;
4374 ad->u.net->dport = uh->dest;
4375 break;
4376 }
4377
4378 case IPPROTO_DCCP: {
4379 struct dccp_hdr _dccph, *dh;
4380
4381 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4382 if (dh == NULL)
4383 break;
4384
4385 ad->u.net->sport = dh->dccph_sport;
4386 ad->u.net->dport = dh->dccph_dport;
4387 break;
4388 }
4389
4390 #if IS_ENABLED(CONFIG_IP_SCTP)
4391 case IPPROTO_SCTP: {
4392 struct sctphdr _sctph, *sh;
4393
4394 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4395 if (sh == NULL)
4396 break;
4397
4398 ad->u.net->sport = sh->source;
4399 ad->u.net->dport = sh->dest;
4400 break;
4401 }
4402 #endif
4403 /* includes fragments */
4404 default:
4405 break;
4406 }
4407 out:
4408 return ret;
4409 }
4410
4411 #endif /* IPV6 */
4412
selinux_parse_skb(struct sk_buff * skb,struct common_audit_data * ad,char ** _addrp,int src,u8 * proto)4413 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4414 char **_addrp, int src, u8 *proto)
4415 {
4416 char *addrp;
4417 int ret;
4418
4419 switch (ad->u.net->family) {
4420 case PF_INET:
4421 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4422 if (ret)
4423 goto parse_error;
4424 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4425 &ad->u.net->v4info.daddr);
4426 goto okay;
4427
4428 #if IS_ENABLED(CONFIG_IPV6)
4429 case PF_INET6:
4430 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4431 if (ret)
4432 goto parse_error;
4433 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4434 &ad->u.net->v6info.daddr);
4435 goto okay;
4436 #endif /* IPV6 */
4437 default:
4438 addrp = NULL;
4439 goto okay;
4440 }
4441
4442 parse_error:
4443 pr_warn(
4444 "SELinux: failure in selinux_parse_skb(),"
4445 " unable to parse packet\n");
4446 return ret;
4447
4448 okay:
4449 if (_addrp)
4450 *_addrp = addrp;
4451 return 0;
4452 }
4453
4454 /**
4455 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4456 * @skb: the packet
4457 * @family: protocol family
4458 * @sid: the packet's peer label SID
4459 *
4460 * Description:
4461 * Check the various different forms of network peer labeling and determine
4462 * the peer label/SID for the packet; most of the magic actually occurs in
4463 * the security server function security_net_peersid_cmp(). The function
4464 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4465 * or -EACCES if @sid is invalid due to inconsistencies with the different
4466 * peer labels.
4467 *
4468 */
selinux_skb_peerlbl_sid(struct sk_buff * skb,u16 family,u32 * sid)4469 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4470 {
4471 int err;
4472 u32 xfrm_sid;
4473 u32 nlbl_sid;
4474 u32 nlbl_type;
4475
4476 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4477 if (unlikely(err))
4478 return -EACCES;
4479 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4480 if (unlikely(err))
4481 return -EACCES;
4482
4483 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4484 nlbl_type, xfrm_sid, sid);
4485 if (unlikely(err)) {
4486 pr_warn(
4487 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4488 " unable to determine packet's peer label\n");
4489 return -EACCES;
4490 }
4491
4492 return 0;
4493 }
4494
4495 /**
4496 * selinux_conn_sid - Determine the child socket label for a connection
4497 * @sk_sid: the parent socket's SID
4498 * @skb_sid: the packet's SID
4499 * @conn_sid: the resulting connection SID
4500 *
4501 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4502 * combined with the MLS information from @skb_sid in order to create
4503 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy
4504 * of @sk_sid. Returns zero on success, negative values on failure.
4505 *
4506 */
selinux_conn_sid(u32 sk_sid,u32 skb_sid,u32 * conn_sid)4507 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4508 {
4509 int err = 0;
4510
4511 if (skb_sid != SECSID_NULL)
4512 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4513 conn_sid);
4514 else
4515 *conn_sid = sk_sid;
4516
4517 return err;
4518 }
4519
4520 /* socket security operations */
4521
socket_sockcreate_sid(const struct task_security_struct * tsec,u16 secclass,u32 * socksid)4522 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4523 u16 secclass, u32 *socksid)
4524 {
4525 if (tsec->sockcreate_sid > SECSID_NULL) {
4526 *socksid = tsec->sockcreate_sid;
4527 return 0;
4528 }
4529
4530 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4531 secclass, NULL, socksid);
4532 }
4533
sock_has_perm(struct sock * sk,u32 perms)4534 static int sock_has_perm(struct sock *sk, u32 perms)
4535 {
4536 struct sk_security_struct *sksec = sk->sk_security;
4537 struct common_audit_data ad;
4538 struct lsm_network_audit net = {0,};
4539
4540 if (sksec->sid == SECINITSID_KERNEL)
4541 return 0;
4542
4543 ad.type = LSM_AUDIT_DATA_NET;
4544 ad.u.net = &net;
4545 ad.u.net->sk = sk;
4546
4547 return avc_has_perm(&selinux_state,
4548 current_sid(), sksec->sid, sksec->sclass, perms,
4549 &ad);
4550 }
4551
selinux_socket_create(int family,int type,int protocol,int kern)4552 static int selinux_socket_create(int family, int type,
4553 int protocol, int kern)
4554 {
4555 const struct task_security_struct *tsec = selinux_cred(current_cred());
4556 u32 newsid;
4557 u16 secclass;
4558 int rc;
4559
4560 if (kern)
4561 return 0;
4562
4563 secclass = socket_type_to_security_class(family, type, protocol);
4564 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4565 if (rc)
4566 return rc;
4567
4568 return avc_has_perm(&selinux_state,
4569 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4570 }
4571
selinux_socket_post_create(struct socket * sock,int family,int type,int protocol,int kern)4572 static int selinux_socket_post_create(struct socket *sock, int family,
4573 int type, int protocol, int kern)
4574 {
4575 const struct task_security_struct *tsec = selinux_cred(current_cred());
4576 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4577 struct sk_security_struct *sksec;
4578 u16 sclass = socket_type_to_security_class(family, type, protocol);
4579 u32 sid = SECINITSID_KERNEL;
4580 int err = 0;
4581
4582 if (!kern) {
4583 err = socket_sockcreate_sid(tsec, sclass, &sid);
4584 if (err)
4585 return err;
4586 }
4587
4588 isec->sclass = sclass;
4589 isec->sid = sid;
4590 isec->initialized = LABEL_INITIALIZED;
4591
4592 if (sock->sk) {
4593 sksec = sock->sk->sk_security;
4594 sksec->sclass = sclass;
4595 sksec->sid = sid;
4596 /* Allows detection of the first association on this socket */
4597 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4598 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4599
4600 err = selinux_netlbl_socket_post_create(sock->sk, family);
4601 }
4602
4603 return err;
4604 }
4605
selinux_socket_socketpair(struct socket * socka,struct socket * sockb)4606 static int selinux_socket_socketpair(struct socket *socka,
4607 struct socket *sockb)
4608 {
4609 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4610 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4611
4612 sksec_a->peer_sid = sksec_b->sid;
4613 sksec_b->peer_sid = sksec_a->sid;
4614
4615 return 0;
4616 }
4617
4618 /* Range of port numbers used to automatically bind.
4619 Need to determine whether we should perform a name_bind
4620 permission check between the socket and the port number. */
4621
selinux_socket_bind(struct socket * sock,struct sockaddr * address,int addrlen)4622 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4623 {
4624 struct sock *sk = sock->sk;
4625 struct sk_security_struct *sksec = sk->sk_security;
4626 u16 family;
4627 int err;
4628
4629 err = sock_has_perm(sk, SOCKET__BIND);
4630 if (err)
4631 goto out;
4632
4633 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4634 family = sk->sk_family;
4635 if (family == PF_INET || family == PF_INET6) {
4636 char *addrp;
4637 struct common_audit_data ad;
4638 struct lsm_network_audit net = {0,};
4639 struct sockaddr_in *addr4 = NULL;
4640 struct sockaddr_in6 *addr6 = NULL;
4641 u16 family_sa;
4642 unsigned short snum;
4643 u32 sid, node_perm;
4644
4645 /*
4646 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4647 * that validates multiple binding addresses. Because of this
4648 * need to check address->sa_family as it is possible to have
4649 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4650 */
4651 if (addrlen < offsetofend(struct sockaddr, sa_family))
4652 return -EINVAL;
4653 family_sa = address->sa_family;
4654 switch (family_sa) {
4655 case AF_UNSPEC:
4656 case AF_INET:
4657 if (addrlen < sizeof(struct sockaddr_in))
4658 return -EINVAL;
4659 addr4 = (struct sockaddr_in *)address;
4660 if (family_sa == AF_UNSPEC) {
4661 /* see __inet_bind(), we only want to allow
4662 * AF_UNSPEC if the address is INADDR_ANY
4663 */
4664 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4665 goto err_af;
4666 family_sa = AF_INET;
4667 }
4668 snum = ntohs(addr4->sin_port);
4669 addrp = (char *)&addr4->sin_addr.s_addr;
4670 break;
4671 case AF_INET6:
4672 if (addrlen < SIN6_LEN_RFC2133)
4673 return -EINVAL;
4674 addr6 = (struct sockaddr_in6 *)address;
4675 snum = ntohs(addr6->sin6_port);
4676 addrp = (char *)&addr6->sin6_addr.s6_addr;
4677 break;
4678 default:
4679 goto err_af;
4680 }
4681
4682 ad.type = LSM_AUDIT_DATA_NET;
4683 ad.u.net = &net;
4684 ad.u.net->sport = htons(snum);
4685 ad.u.net->family = family_sa;
4686
4687 if (snum) {
4688 int low, high;
4689
4690 inet_get_local_port_range(sock_net(sk), &low, &high);
4691
4692 if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4693 snum < low || snum > high) {
4694 err = sel_netport_sid(sk->sk_protocol,
4695 snum, &sid);
4696 if (err)
4697 goto out;
4698 err = avc_has_perm(&selinux_state,
4699 sksec->sid, sid,
4700 sksec->sclass,
4701 SOCKET__NAME_BIND, &ad);
4702 if (err)
4703 goto out;
4704 }
4705 }
4706
4707 switch (sksec->sclass) {
4708 case SECCLASS_TCP_SOCKET:
4709 node_perm = TCP_SOCKET__NODE_BIND;
4710 break;
4711
4712 case SECCLASS_UDP_SOCKET:
4713 node_perm = UDP_SOCKET__NODE_BIND;
4714 break;
4715
4716 case SECCLASS_DCCP_SOCKET:
4717 node_perm = DCCP_SOCKET__NODE_BIND;
4718 break;
4719
4720 case SECCLASS_SCTP_SOCKET:
4721 node_perm = SCTP_SOCKET__NODE_BIND;
4722 break;
4723
4724 default:
4725 node_perm = RAWIP_SOCKET__NODE_BIND;
4726 break;
4727 }
4728
4729 err = sel_netnode_sid(addrp, family_sa, &sid);
4730 if (err)
4731 goto out;
4732
4733 if (family_sa == AF_INET)
4734 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4735 else
4736 ad.u.net->v6info.saddr = addr6->sin6_addr;
4737
4738 err = avc_has_perm(&selinux_state,
4739 sksec->sid, sid,
4740 sksec->sclass, node_perm, &ad);
4741 if (err)
4742 goto out;
4743 }
4744 out:
4745 return err;
4746 err_af:
4747 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4748 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4749 return -EINVAL;
4750 return -EAFNOSUPPORT;
4751 }
4752
4753 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4754 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4755 */
selinux_socket_connect_helper(struct socket * sock,struct sockaddr * address,int addrlen)4756 static int selinux_socket_connect_helper(struct socket *sock,
4757 struct sockaddr *address, int addrlen)
4758 {
4759 struct sock *sk = sock->sk;
4760 struct sk_security_struct *sksec = sk->sk_security;
4761 int err;
4762
4763 err = sock_has_perm(sk, SOCKET__CONNECT);
4764 if (err)
4765 return err;
4766 if (addrlen < offsetofend(struct sockaddr, sa_family))
4767 return -EINVAL;
4768
4769 /* connect(AF_UNSPEC) has special handling, as it is a documented
4770 * way to disconnect the socket
4771 */
4772 if (address->sa_family == AF_UNSPEC)
4773 return 0;
4774
4775 /*
4776 * If a TCP, DCCP or SCTP socket, check name_connect permission
4777 * for the port.
4778 */
4779 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4780 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4781 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4782 struct common_audit_data ad;
4783 struct lsm_network_audit net = {0,};
4784 struct sockaddr_in *addr4 = NULL;
4785 struct sockaddr_in6 *addr6 = NULL;
4786 unsigned short snum;
4787 u32 sid, perm;
4788
4789 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4790 * that validates multiple connect addresses. Because of this
4791 * need to check address->sa_family as it is possible to have
4792 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4793 */
4794 switch (address->sa_family) {
4795 case AF_INET:
4796 addr4 = (struct sockaddr_in *)address;
4797 if (addrlen < sizeof(struct sockaddr_in))
4798 return -EINVAL;
4799 snum = ntohs(addr4->sin_port);
4800 break;
4801 case AF_INET6:
4802 addr6 = (struct sockaddr_in6 *)address;
4803 if (addrlen < SIN6_LEN_RFC2133)
4804 return -EINVAL;
4805 snum = ntohs(addr6->sin6_port);
4806 break;
4807 default:
4808 /* Note that SCTP services expect -EINVAL, whereas
4809 * others expect -EAFNOSUPPORT.
4810 */
4811 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4812 return -EINVAL;
4813 else
4814 return -EAFNOSUPPORT;
4815 }
4816
4817 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4818 if (err)
4819 return err;
4820
4821 switch (sksec->sclass) {
4822 case SECCLASS_TCP_SOCKET:
4823 perm = TCP_SOCKET__NAME_CONNECT;
4824 break;
4825 case SECCLASS_DCCP_SOCKET:
4826 perm = DCCP_SOCKET__NAME_CONNECT;
4827 break;
4828 case SECCLASS_SCTP_SOCKET:
4829 perm = SCTP_SOCKET__NAME_CONNECT;
4830 break;
4831 }
4832
4833 ad.type = LSM_AUDIT_DATA_NET;
4834 ad.u.net = &net;
4835 ad.u.net->dport = htons(snum);
4836 ad.u.net->family = address->sa_family;
4837 err = avc_has_perm(&selinux_state,
4838 sksec->sid, sid, sksec->sclass, perm, &ad);
4839 if (err)
4840 return err;
4841 }
4842
4843 return 0;
4844 }
4845
4846 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
selinux_socket_connect(struct socket * sock,struct sockaddr * address,int addrlen)4847 static int selinux_socket_connect(struct socket *sock,
4848 struct sockaddr *address, int addrlen)
4849 {
4850 int err;
4851 struct sock *sk = sock->sk;
4852
4853 err = selinux_socket_connect_helper(sock, address, addrlen);
4854 if (err)
4855 return err;
4856
4857 return selinux_netlbl_socket_connect(sk, address);
4858 }
4859
selinux_socket_listen(struct socket * sock,int backlog)4860 static int selinux_socket_listen(struct socket *sock, int backlog)
4861 {
4862 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4863 }
4864
selinux_socket_accept(struct socket * sock,struct socket * newsock)4865 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4866 {
4867 int err;
4868 struct inode_security_struct *isec;
4869 struct inode_security_struct *newisec;
4870 u16 sclass;
4871 u32 sid;
4872
4873 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4874 if (err)
4875 return err;
4876
4877 isec = inode_security_novalidate(SOCK_INODE(sock));
4878 spin_lock(&isec->lock);
4879 sclass = isec->sclass;
4880 sid = isec->sid;
4881 spin_unlock(&isec->lock);
4882
4883 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4884 newisec->sclass = sclass;
4885 newisec->sid = sid;
4886 newisec->initialized = LABEL_INITIALIZED;
4887
4888 return 0;
4889 }
4890
selinux_socket_sendmsg(struct socket * sock,struct msghdr * msg,int size)4891 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4892 int size)
4893 {
4894 return sock_has_perm(sock->sk, SOCKET__WRITE);
4895 }
4896
selinux_socket_recvmsg(struct socket * sock,struct msghdr * msg,int size,int flags)4897 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4898 int size, int flags)
4899 {
4900 return sock_has_perm(sock->sk, SOCKET__READ);
4901 }
4902
selinux_socket_getsockname(struct socket * sock)4903 static int selinux_socket_getsockname(struct socket *sock)
4904 {
4905 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4906 }
4907
selinux_socket_getpeername(struct socket * sock)4908 static int selinux_socket_getpeername(struct socket *sock)
4909 {
4910 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4911 }
4912
selinux_socket_setsockopt(struct socket * sock,int level,int optname)4913 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4914 {
4915 int err;
4916
4917 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4918 if (err)
4919 return err;
4920
4921 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4922 }
4923
selinux_socket_getsockopt(struct socket * sock,int level,int optname)4924 static int selinux_socket_getsockopt(struct socket *sock, int level,
4925 int optname)
4926 {
4927 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4928 }
4929
selinux_socket_shutdown(struct socket * sock,int how)4930 static int selinux_socket_shutdown(struct socket *sock, int how)
4931 {
4932 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4933 }
4934
selinux_socket_unix_stream_connect(struct sock * sock,struct sock * other,struct sock * newsk)4935 static int selinux_socket_unix_stream_connect(struct sock *sock,
4936 struct sock *other,
4937 struct sock *newsk)
4938 {
4939 struct sk_security_struct *sksec_sock = sock->sk_security;
4940 struct sk_security_struct *sksec_other = other->sk_security;
4941 struct sk_security_struct *sksec_new = newsk->sk_security;
4942 struct common_audit_data ad;
4943 struct lsm_network_audit net = {0,};
4944 int err;
4945
4946 ad.type = LSM_AUDIT_DATA_NET;
4947 ad.u.net = &net;
4948 ad.u.net->sk = other;
4949
4950 err = avc_has_perm(&selinux_state,
4951 sksec_sock->sid, sksec_other->sid,
4952 sksec_other->sclass,
4953 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4954 if (err)
4955 return err;
4956
4957 /* server child socket */
4958 sksec_new->peer_sid = sksec_sock->sid;
4959 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4960 sksec_sock->sid, &sksec_new->sid);
4961 if (err)
4962 return err;
4963
4964 /* connecting socket */
4965 sksec_sock->peer_sid = sksec_new->sid;
4966
4967 return 0;
4968 }
4969
selinux_socket_unix_may_send(struct socket * sock,struct socket * other)4970 static int selinux_socket_unix_may_send(struct socket *sock,
4971 struct socket *other)
4972 {
4973 struct sk_security_struct *ssec = sock->sk->sk_security;
4974 struct sk_security_struct *osec = other->sk->sk_security;
4975 struct common_audit_data ad;
4976 struct lsm_network_audit net = {0,};
4977
4978 ad.type = LSM_AUDIT_DATA_NET;
4979 ad.u.net = &net;
4980 ad.u.net->sk = other->sk;
4981
4982 return avc_has_perm(&selinux_state,
4983 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4984 &ad);
4985 }
4986
selinux_inet_sys_rcv_skb(struct net * ns,int ifindex,char * addrp,u16 family,u32 peer_sid,struct common_audit_data * ad)4987 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4988 char *addrp, u16 family, u32 peer_sid,
4989 struct common_audit_data *ad)
4990 {
4991 int err;
4992 u32 if_sid;
4993 u32 node_sid;
4994
4995 err = sel_netif_sid(ns, ifindex, &if_sid);
4996 if (err)
4997 return err;
4998 err = avc_has_perm(&selinux_state,
4999 peer_sid, if_sid,
5000 SECCLASS_NETIF, NETIF__INGRESS, ad);
5001 if (err)
5002 return err;
5003
5004 err = sel_netnode_sid(addrp, family, &node_sid);
5005 if (err)
5006 return err;
5007 return avc_has_perm(&selinux_state,
5008 peer_sid, node_sid,
5009 SECCLASS_NODE, NODE__RECVFROM, ad);
5010 }
5011
selinux_sock_rcv_skb_compat(struct sock * sk,struct sk_buff * skb,u16 family)5012 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5013 u16 family)
5014 {
5015 int err = 0;
5016 struct sk_security_struct *sksec = sk->sk_security;
5017 u32 sk_sid = sksec->sid;
5018 struct common_audit_data ad;
5019 struct lsm_network_audit net = {0,};
5020 char *addrp;
5021
5022 ad.type = LSM_AUDIT_DATA_NET;
5023 ad.u.net = &net;
5024 ad.u.net->netif = skb->skb_iif;
5025 ad.u.net->family = family;
5026 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5027 if (err)
5028 return err;
5029
5030 if (selinux_secmark_enabled()) {
5031 err = avc_has_perm(&selinux_state,
5032 sk_sid, skb->secmark, SECCLASS_PACKET,
5033 PACKET__RECV, &ad);
5034 if (err)
5035 return err;
5036 }
5037
5038 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5039 if (err)
5040 return err;
5041 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5042
5043 return err;
5044 }
5045
selinux_socket_sock_rcv_skb(struct sock * sk,struct sk_buff * skb)5046 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5047 {
5048 int err;
5049 struct sk_security_struct *sksec = sk->sk_security;
5050 u16 family = sk->sk_family;
5051 u32 sk_sid = sksec->sid;
5052 struct common_audit_data ad;
5053 struct lsm_network_audit net = {0,};
5054 char *addrp;
5055 u8 secmark_active;
5056 u8 peerlbl_active;
5057
5058 if (family != PF_INET && family != PF_INET6)
5059 return 0;
5060
5061 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5062 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5063 family = PF_INET;
5064
5065 /* If any sort of compatibility mode is enabled then handoff processing
5066 * to the selinux_sock_rcv_skb_compat() function to deal with the
5067 * special handling. We do this in an attempt to keep this function
5068 * as fast and as clean as possible. */
5069 if (!selinux_policycap_netpeer())
5070 return selinux_sock_rcv_skb_compat(sk, skb, family);
5071
5072 secmark_active = selinux_secmark_enabled();
5073 peerlbl_active = selinux_peerlbl_enabled();
5074 if (!secmark_active && !peerlbl_active)
5075 return 0;
5076
5077 ad.type = LSM_AUDIT_DATA_NET;
5078 ad.u.net = &net;
5079 ad.u.net->netif = skb->skb_iif;
5080 ad.u.net->family = family;
5081 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5082 if (err)
5083 return err;
5084
5085 if (peerlbl_active) {
5086 u32 peer_sid;
5087
5088 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5089 if (err)
5090 return err;
5091 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5092 addrp, family, peer_sid, &ad);
5093 if (err) {
5094 selinux_netlbl_err(skb, family, err, 0);
5095 return err;
5096 }
5097 err = avc_has_perm(&selinux_state,
5098 sk_sid, peer_sid, SECCLASS_PEER,
5099 PEER__RECV, &ad);
5100 if (err) {
5101 selinux_netlbl_err(skb, family, err, 0);
5102 return err;
5103 }
5104 }
5105
5106 if (secmark_active) {
5107 err = avc_has_perm(&selinux_state,
5108 sk_sid, skb->secmark, SECCLASS_PACKET,
5109 PACKET__RECV, &ad);
5110 if (err)
5111 return err;
5112 }
5113
5114 return err;
5115 }
5116
selinux_socket_getpeersec_stream(struct socket * sock,char __user * optval,int __user * optlen,unsigned len)5117 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5118 int __user *optlen, unsigned len)
5119 {
5120 int err = 0;
5121 char *scontext;
5122 u32 scontext_len;
5123 struct sk_security_struct *sksec = sock->sk->sk_security;
5124 u32 peer_sid = SECSID_NULL;
5125
5126 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5127 sksec->sclass == SECCLASS_TCP_SOCKET ||
5128 sksec->sclass == SECCLASS_SCTP_SOCKET)
5129 peer_sid = sksec->peer_sid;
5130 if (peer_sid == SECSID_NULL)
5131 return -ENOPROTOOPT;
5132
5133 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5134 &scontext_len);
5135 if (err)
5136 return err;
5137
5138 if (scontext_len > len) {
5139 err = -ERANGE;
5140 goto out_len;
5141 }
5142
5143 if (copy_to_user(optval, scontext, scontext_len))
5144 err = -EFAULT;
5145
5146 out_len:
5147 if (put_user(scontext_len, optlen))
5148 err = -EFAULT;
5149 kfree(scontext);
5150 return err;
5151 }
5152
selinux_socket_getpeersec_dgram(struct socket * sock,struct sk_buff * skb,u32 * secid)5153 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5154 {
5155 u32 peer_secid = SECSID_NULL;
5156 u16 family;
5157 struct inode_security_struct *isec;
5158
5159 if (skb && skb->protocol == htons(ETH_P_IP))
5160 family = PF_INET;
5161 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5162 family = PF_INET6;
5163 else if (sock)
5164 family = sock->sk->sk_family;
5165 else
5166 goto out;
5167
5168 if (sock && family == PF_UNIX) {
5169 isec = inode_security_novalidate(SOCK_INODE(sock));
5170 peer_secid = isec->sid;
5171 } else if (skb)
5172 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5173
5174 out:
5175 *secid = peer_secid;
5176 if (peer_secid == SECSID_NULL)
5177 return -EINVAL;
5178 return 0;
5179 }
5180
selinux_sk_alloc_security(struct sock * sk,int family,gfp_t priority)5181 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5182 {
5183 struct sk_security_struct *sksec;
5184
5185 sksec = kzalloc(sizeof(*sksec), priority);
5186 if (!sksec)
5187 return -ENOMEM;
5188
5189 sksec->peer_sid = SECINITSID_UNLABELED;
5190 sksec->sid = SECINITSID_UNLABELED;
5191 sksec->sclass = SECCLASS_SOCKET;
5192 selinux_netlbl_sk_security_reset(sksec);
5193 sk->sk_security = sksec;
5194
5195 return 0;
5196 }
5197
selinux_sk_free_security(struct sock * sk)5198 static void selinux_sk_free_security(struct sock *sk)
5199 {
5200 struct sk_security_struct *sksec = sk->sk_security;
5201
5202 sk->sk_security = NULL;
5203 selinux_netlbl_sk_security_free(sksec);
5204 kfree(sksec);
5205 }
5206
selinux_sk_clone_security(const struct sock * sk,struct sock * newsk)5207 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5208 {
5209 struct sk_security_struct *sksec = sk->sk_security;
5210 struct sk_security_struct *newsksec = newsk->sk_security;
5211
5212 newsksec->sid = sksec->sid;
5213 newsksec->peer_sid = sksec->peer_sid;
5214 newsksec->sclass = sksec->sclass;
5215
5216 selinux_netlbl_sk_security_reset(newsksec);
5217 }
5218
selinux_sk_getsecid(struct sock * sk,u32 * secid)5219 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5220 {
5221 if (!sk)
5222 *secid = SECINITSID_ANY_SOCKET;
5223 else {
5224 struct sk_security_struct *sksec = sk->sk_security;
5225
5226 *secid = sksec->sid;
5227 }
5228 }
5229
selinux_sock_graft(struct sock * sk,struct socket * parent)5230 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5231 {
5232 struct inode_security_struct *isec =
5233 inode_security_novalidate(SOCK_INODE(parent));
5234 struct sk_security_struct *sksec = sk->sk_security;
5235
5236 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5237 sk->sk_family == PF_UNIX)
5238 isec->sid = sksec->sid;
5239 sksec->sclass = isec->sclass;
5240 }
5241
5242 /*
5243 * Determines peer_secid for the asoc and updates socket's peer label
5244 * if it's the first association on the socket.
5245 */
selinux_sctp_process_new_assoc(struct sctp_association * asoc,struct sk_buff * skb)5246 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5247 struct sk_buff *skb)
5248 {
5249 struct sock *sk = asoc->base.sk;
5250 u16 family = sk->sk_family;
5251 struct sk_security_struct *sksec = sk->sk_security;
5252 struct common_audit_data ad;
5253 struct lsm_network_audit net = {0,};
5254 int err;
5255
5256 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5257 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5258 family = PF_INET;
5259
5260 if (selinux_peerlbl_enabled()) {
5261 asoc->peer_secid = SECSID_NULL;
5262
5263 /* This will return peer_sid = SECSID_NULL if there are
5264 * no peer labels, see security_net_peersid_resolve().
5265 */
5266 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5267 if (err)
5268 return err;
5269
5270 if (asoc->peer_secid == SECSID_NULL)
5271 asoc->peer_secid = SECINITSID_UNLABELED;
5272 } else {
5273 asoc->peer_secid = SECINITSID_UNLABELED;
5274 }
5275
5276 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5277 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5278
5279 /* Here as first association on socket. As the peer SID
5280 * was allowed by peer recv (and the netif/node checks),
5281 * then it is approved by policy and used as the primary
5282 * peer SID for getpeercon(3).
5283 */
5284 sksec->peer_sid = asoc->peer_secid;
5285 } else if (sksec->peer_sid != asoc->peer_secid) {
5286 /* Other association peer SIDs are checked to enforce
5287 * consistency among the peer SIDs.
5288 */
5289 ad.type = LSM_AUDIT_DATA_NET;
5290 ad.u.net = &net;
5291 ad.u.net->sk = asoc->base.sk;
5292 err = avc_has_perm(&selinux_state,
5293 sksec->peer_sid, asoc->peer_secid,
5294 sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5295 &ad);
5296 if (err)
5297 return err;
5298 }
5299 return 0;
5300 }
5301
5302 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5303 * happens on an incoming connect(2), sctp_connectx(3) or
5304 * sctp_sendmsg(3) (with no association already present).
5305 */
selinux_sctp_assoc_request(struct sctp_association * asoc,struct sk_buff * skb)5306 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5307 struct sk_buff *skb)
5308 {
5309 struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5310 u32 conn_sid;
5311 int err;
5312
5313 if (!selinux_policycap_extsockclass())
5314 return 0;
5315
5316 err = selinux_sctp_process_new_assoc(asoc, skb);
5317 if (err)
5318 return err;
5319
5320 /* Compute the MLS component for the connection and store
5321 * the information in asoc. This will be used by SCTP TCP type
5322 * sockets and peeled off connections as they cause a new
5323 * socket to be generated. selinux_sctp_sk_clone() will then
5324 * plug this into the new socket.
5325 */
5326 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5327 if (err)
5328 return err;
5329
5330 asoc->secid = conn_sid;
5331
5332 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5333 return selinux_netlbl_sctp_assoc_request(asoc, skb);
5334 }
5335
5336 /* Called when SCTP receives a COOKIE ACK chunk as the final
5337 * response to an association request (initited by us).
5338 */
selinux_sctp_assoc_established(struct sctp_association * asoc,struct sk_buff * skb)5339 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5340 struct sk_buff *skb)
5341 {
5342 struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5343
5344 if (!selinux_policycap_extsockclass())
5345 return 0;
5346
5347 /* Inherit secid from the parent socket - this will be picked up
5348 * by selinux_sctp_sk_clone() if the association gets peeled off
5349 * into a new socket.
5350 */
5351 asoc->secid = sksec->sid;
5352
5353 return selinux_sctp_process_new_assoc(asoc, skb);
5354 }
5355
5356 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5357 * based on their @optname.
5358 */
selinux_sctp_bind_connect(struct sock * sk,int optname,struct sockaddr * address,int addrlen)5359 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5360 struct sockaddr *address,
5361 int addrlen)
5362 {
5363 int len, err = 0, walk_size = 0;
5364 void *addr_buf;
5365 struct sockaddr *addr;
5366 struct socket *sock;
5367
5368 if (!selinux_policycap_extsockclass())
5369 return 0;
5370
5371 /* Process one or more addresses that may be IPv4 or IPv6 */
5372 sock = sk->sk_socket;
5373 addr_buf = address;
5374
5375 while (walk_size < addrlen) {
5376 if (walk_size + sizeof(sa_family_t) > addrlen)
5377 return -EINVAL;
5378
5379 addr = addr_buf;
5380 switch (addr->sa_family) {
5381 case AF_UNSPEC:
5382 case AF_INET:
5383 len = sizeof(struct sockaddr_in);
5384 break;
5385 case AF_INET6:
5386 len = sizeof(struct sockaddr_in6);
5387 break;
5388 default:
5389 return -EINVAL;
5390 }
5391
5392 if (walk_size + len > addrlen)
5393 return -EINVAL;
5394
5395 err = -EINVAL;
5396 switch (optname) {
5397 /* Bind checks */
5398 case SCTP_PRIMARY_ADDR:
5399 case SCTP_SET_PEER_PRIMARY_ADDR:
5400 case SCTP_SOCKOPT_BINDX_ADD:
5401 err = selinux_socket_bind(sock, addr, len);
5402 break;
5403 /* Connect checks */
5404 case SCTP_SOCKOPT_CONNECTX:
5405 case SCTP_PARAM_SET_PRIMARY:
5406 case SCTP_PARAM_ADD_IP:
5407 case SCTP_SENDMSG_CONNECT:
5408 err = selinux_socket_connect_helper(sock, addr, len);
5409 if (err)
5410 return err;
5411
5412 /* As selinux_sctp_bind_connect() is called by the
5413 * SCTP protocol layer, the socket is already locked,
5414 * therefore selinux_netlbl_socket_connect_locked()
5415 * is called here. The situations handled are:
5416 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5417 * whenever a new IP address is added or when a new
5418 * primary address is selected.
5419 * Note that an SCTP connect(2) call happens before
5420 * the SCTP protocol layer and is handled via
5421 * selinux_socket_connect().
5422 */
5423 err = selinux_netlbl_socket_connect_locked(sk, addr);
5424 break;
5425 }
5426
5427 if (err)
5428 return err;
5429
5430 addr_buf += len;
5431 walk_size += len;
5432 }
5433
5434 return 0;
5435 }
5436
5437 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
selinux_sctp_sk_clone(struct sctp_association * asoc,struct sock * sk,struct sock * newsk)5438 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5439 struct sock *newsk)
5440 {
5441 struct sk_security_struct *sksec = sk->sk_security;
5442 struct sk_security_struct *newsksec = newsk->sk_security;
5443
5444 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5445 * the non-sctp clone version.
5446 */
5447 if (!selinux_policycap_extsockclass())
5448 return selinux_sk_clone_security(sk, newsk);
5449
5450 newsksec->sid = asoc->secid;
5451 newsksec->peer_sid = asoc->peer_secid;
5452 newsksec->sclass = sksec->sclass;
5453 selinux_netlbl_sctp_sk_clone(sk, newsk);
5454 }
5455
selinux_inet_conn_request(const struct sock * sk,struct sk_buff * skb,struct request_sock * req)5456 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5457 struct request_sock *req)
5458 {
5459 struct sk_security_struct *sksec = sk->sk_security;
5460 int err;
5461 u16 family = req->rsk_ops->family;
5462 u32 connsid;
5463 u32 peersid;
5464
5465 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5466 if (err)
5467 return err;
5468 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5469 if (err)
5470 return err;
5471 req->secid = connsid;
5472 req->peer_secid = peersid;
5473
5474 return selinux_netlbl_inet_conn_request(req, family);
5475 }
5476
selinux_inet_csk_clone(struct sock * newsk,const struct request_sock * req)5477 static void selinux_inet_csk_clone(struct sock *newsk,
5478 const struct request_sock *req)
5479 {
5480 struct sk_security_struct *newsksec = newsk->sk_security;
5481
5482 newsksec->sid = req->secid;
5483 newsksec->peer_sid = req->peer_secid;
5484 /* NOTE: Ideally, we should also get the isec->sid for the
5485 new socket in sync, but we don't have the isec available yet.
5486 So we will wait until sock_graft to do it, by which
5487 time it will have been created and available. */
5488
5489 /* We don't need to take any sort of lock here as we are the only
5490 * thread with access to newsksec */
5491 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5492 }
5493
selinux_inet_conn_established(struct sock * sk,struct sk_buff * skb)5494 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5495 {
5496 u16 family = sk->sk_family;
5497 struct sk_security_struct *sksec = sk->sk_security;
5498
5499 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5500 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5501 family = PF_INET;
5502
5503 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5504 }
5505
selinux_secmark_relabel_packet(u32 sid)5506 static int selinux_secmark_relabel_packet(u32 sid)
5507 {
5508 const struct task_security_struct *__tsec;
5509 u32 tsid;
5510
5511 __tsec = selinux_cred(current_cred());
5512 tsid = __tsec->sid;
5513
5514 return avc_has_perm(&selinux_state,
5515 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5516 NULL);
5517 }
5518
selinux_secmark_refcount_inc(void)5519 static void selinux_secmark_refcount_inc(void)
5520 {
5521 atomic_inc(&selinux_secmark_refcount);
5522 }
5523
selinux_secmark_refcount_dec(void)5524 static void selinux_secmark_refcount_dec(void)
5525 {
5526 atomic_dec(&selinux_secmark_refcount);
5527 }
5528
selinux_req_classify_flow(const struct request_sock * req,struct flowi_common * flic)5529 static void selinux_req_classify_flow(const struct request_sock *req,
5530 struct flowi_common *flic)
5531 {
5532 flic->flowic_secid = req->secid;
5533 }
5534
selinux_tun_dev_alloc_security(void ** security)5535 static int selinux_tun_dev_alloc_security(void **security)
5536 {
5537 struct tun_security_struct *tunsec;
5538
5539 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5540 if (!tunsec)
5541 return -ENOMEM;
5542 tunsec->sid = current_sid();
5543
5544 *security = tunsec;
5545 return 0;
5546 }
5547
selinux_tun_dev_free_security(void * security)5548 static void selinux_tun_dev_free_security(void *security)
5549 {
5550 kfree(security);
5551 }
5552
selinux_tun_dev_create(void)5553 static int selinux_tun_dev_create(void)
5554 {
5555 u32 sid = current_sid();
5556
5557 /* we aren't taking into account the "sockcreate" SID since the socket
5558 * that is being created here is not a socket in the traditional sense,
5559 * instead it is a private sock, accessible only to the kernel, and
5560 * representing a wide range of network traffic spanning multiple
5561 * connections unlike traditional sockets - check the TUN driver to
5562 * get a better understanding of why this socket is special */
5563
5564 return avc_has_perm(&selinux_state,
5565 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5566 NULL);
5567 }
5568
selinux_tun_dev_attach_queue(void * security)5569 static int selinux_tun_dev_attach_queue(void *security)
5570 {
5571 struct tun_security_struct *tunsec = security;
5572
5573 return avc_has_perm(&selinux_state,
5574 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5575 TUN_SOCKET__ATTACH_QUEUE, NULL);
5576 }
5577
selinux_tun_dev_attach(struct sock * sk,void * security)5578 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5579 {
5580 struct tun_security_struct *tunsec = security;
5581 struct sk_security_struct *sksec = sk->sk_security;
5582
5583 /* we don't currently perform any NetLabel based labeling here and it
5584 * isn't clear that we would want to do so anyway; while we could apply
5585 * labeling without the support of the TUN user the resulting labeled
5586 * traffic from the other end of the connection would almost certainly
5587 * cause confusion to the TUN user that had no idea network labeling
5588 * protocols were being used */
5589
5590 sksec->sid = tunsec->sid;
5591 sksec->sclass = SECCLASS_TUN_SOCKET;
5592
5593 return 0;
5594 }
5595
selinux_tun_dev_open(void * security)5596 static int selinux_tun_dev_open(void *security)
5597 {
5598 struct tun_security_struct *tunsec = security;
5599 u32 sid = current_sid();
5600 int err;
5601
5602 err = avc_has_perm(&selinux_state,
5603 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5604 TUN_SOCKET__RELABELFROM, NULL);
5605 if (err)
5606 return err;
5607 err = avc_has_perm(&selinux_state,
5608 sid, sid, SECCLASS_TUN_SOCKET,
5609 TUN_SOCKET__RELABELTO, NULL);
5610 if (err)
5611 return err;
5612 tunsec->sid = sid;
5613
5614 return 0;
5615 }
5616
5617 #ifdef CONFIG_NETFILTER
5618
selinux_ip_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5619 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5620 const struct nf_hook_state *state)
5621 {
5622 int ifindex;
5623 u16 family;
5624 char *addrp;
5625 u32 peer_sid;
5626 struct common_audit_data ad;
5627 struct lsm_network_audit net = {0,};
5628 int secmark_active, peerlbl_active;
5629
5630 if (!selinux_policycap_netpeer())
5631 return NF_ACCEPT;
5632
5633 secmark_active = selinux_secmark_enabled();
5634 peerlbl_active = selinux_peerlbl_enabled();
5635 if (!secmark_active && !peerlbl_active)
5636 return NF_ACCEPT;
5637
5638 family = state->pf;
5639 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5640 return NF_DROP;
5641
5642 ifindex = state->in->ifindex;
5643 ad.type = LSM_AUDIT_DATA_NET;
5644 ad.u.net = &net;
5645 ad.u.net->netif = ifindex;
5646 ad.u.net->family = family;
5647 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5648 return NF_DROP;
5649
5650 if (peerlbl_active) {
5651 int err;
5652
5653 err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5654 addrp, family, peer_sid, &ad);
5655 if (err) {
5656 selinux_netlbl_err(skb, family, err, 1);
5657 return NF_DROP;
5658 }
5659 }
5660
5661 if (secmark_active)
5662 if (avc_has_perm(&selinux_state,
5663 peer_sid, skb->secmark,
5664 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5665 return NF_DROP;
5666
5667 if (netlbl_enabled())
5668 /* we do this in the FORWARD path and not the POST_ROUTING
5669 * path because we want to make sure we apply the necessary
5670 * labeling before IPsec is applied so we can leverage AH
5671 * protection */
5672 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5673 return NF_DROP;
5674
5675 return NF_ACCEPT;
5676 }
5677
selinux_ip_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5678 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5679 const struct nf_hook_state *state)
5680 {
5681 struct sock *sk;
5682 u32 sid;
5683
5684 if (!netlbl_enabled())
5685 return NF_ACCEPT;
5686
5687 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5688 * because we want to make sure we apply the necessary labeling
5689 * before IPsec is applied so we can leverage AH protection */
5690 sk = skb->sk;
5691 if (sk) {
5692 struct sk_security_struct *sksec;
5693
5694 if (sk_listener(sk))
5695 /* if the socket is the listening state then this
5696 * packet is a SYN-ACK packet which means it needs to
5697 * be labeled based on the connection/request_sock and
5698 * not the parent socket. unfortunately, we can't
5699 * lookup the request_sock yet as it isn't queued on
5700 * the parent socket until after the SYN-ACK is sent.
5701 * the "solution" is to simply pass the packet as-is
5702 * as any IP option based labeling should be copied
5703 * from the initial connection request (in the IP
5704 * layer). it is far from ideal, but until we get a
5705 * security label in the packet itself this is the
5706 * best we can do. */
5707 return NF_ACCEPT;
5708
5709 /* standard practice, label using the parent socket */
5710 sksec = sk->sk_security;
5711 sid = sksec->sid;
5712 } else
5713 sid = SECINITSID_KERNEL;
5714 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5715 return NF_DROP;
5716
5717 return NF_ACCEPT;
5718 }
5719
5720
selinux_ip_postroute_compat(struct sk_buff * skb,const struct nf_hook_state * state)5721 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5722 const struct nf_hook_state *state)
5723 {
5724 struct sock *sk;
5725 struct sk_security_struct *sksec;
5726 struct common_audit_data ad;
5727 struct lsm_network_audit net = {0,};
5728 u8 proto = 0;
5729
5730 sk = skb_to_full_sk(skb);
5731 if (sk == NULL)
5732 return NF_ACCEPT;
5733 sksec = sk->sk_security;
5734
5735 ad.type = LSM_AUDIT_DATA_NET;
5736 ad.u.net = &net;
5737 ad.u.net->netif = state->out->ifindex;
5738 ad.u.net->family = state->pf;
5739 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5740 return NF_DROP;
5741
5742 if (selinux_secmark_enabled())
5743 if (avc_has_perm(&selinux_state,
5744 sksec->sid, skb->secmark,
5745 SECCLASS_PACKET, PACKET__SEND, &ad))
5746 return NF_DROP_ERR(-ECONNREFUSED);
5747
5748 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5749 return NF_DROP_ERR(-ECONNREFUSED);
5750
5751 return NF_ACCEPT;
5752 }
5753
selinux_ip_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5754 static unsigned int selinux_ip_postroute(void *priv,
5755 struct sk_buff *skb,
5756 const struct nf_hook_state *state)
5757 {
5758 u16 family;
5759 u32 secmark_perm;
5760 u32 peer_sid;
5761 int ifindex;
5762 struct sock *sk;
5763 struct common_audit_data ad;
5764 struct lsm_network_audit net = {0,};
5765 char *addrp;
5766 int secmark_active, peerlbl_active;
5767
5768 /* If any sort of compatibility mode is enabled then handoff processing
5769 * to the selinux_ip_postroute_compat() function to deal with the
5770 * special handling. We do this in an attempt to keep this function
5771 * as fast and as clean as possible. */
5772 if (!selinux_policycap_netpeer())
5773 return selinux_ip_postroute_compat(skb, state);
5774
5775 secmark_active = selinux_secmark_enabled();
5776 peerlbl_active = selinux_peerlbl_enabled();
5777 if (!secmark_active && !peerlbl_active)
5778 return NF_ACCEPT;
5779
5780 sk = skb_to_full_sk(skb);
5781
5782 #ifdef CONFIG_XFRM
5783 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5784 * packet transformation so allow the packet to pass without any checks
5785 * since we'll have another chance to perform access control checks
5786 * when the packet is on it's final way out.
5787 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5788 * is NULL, in this case go ahead and apply access control.
5789 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5790 * TCP listening state we cannot wait until the XFRM processing
5791 * is done as we will miss out on the SA label if we do;
5792 * unfortunately, this means more work, but it is only once per
5793 * connection. */
5794 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5795 !(sk && sk_listener(sk)))
5796 return NF_ACCEPT;
5797 #endif
5798
5799 family = state->pf;
5800 if (sk == NULL) {
5801 /* Without an associated socket the packet is either coming
5802 * from the kernel or it is being forwarded; check the packet
5803 * to determine which and if the packet is being forwarded
5804 * query the packet directly to determine the security label. */
5805 if (skb->skb_iif) {
5806 secmark_perm = PACKET__FORWARD_OUT;
5807 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5808 return NF_DROP;
5809 } else {
5810 secmark_perm = PACKET__SEND;
5811 peer_sid = SECINITSID_KERNEL;
5812 }
5813 } else if (sk_listener(sk)) {
5814 /* Locally generated packet but the associated socket is in the
5815 * listening state which means this is a SYN-ACK packet. In
5816 * this particular case the correct security label is assigned
5817 * to the connection/request_sock but unfortunately we can't
5818 * query the request_sock as it isn't queued on the parent
5819 * socket until after the SYN-ACK packet is sent; the only
5820 * viable choice is to regenerate the label like we do in
5821 * selinux_inet_conn_request(). See also selinux_ip_output()
5822 * for similar problems. */
5823 u32 skb_sid;
5824 struct sk_security_struct *sksec;
5825
5826 sksec = sk->sk_security;
5827 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5828 return NF_DROP;
5829 /* At this point, if the returned skb peerlbl is SECSID_NULL
5830 * and the packet has been through at least one XFRM
5831 * transformation then we must be dealing with the "final"
5832 * form of labeled IPsec packet; since we've already applied
5833 * all of our access controls on this packet we can safely
5834 * pass the packet. */
5835 if (skb_sid == SECSID_NULL) {
5836 switch (family) {
5837 case PF_INET:
5838 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5839 return NF_ACCEPT;
5840 break;
5841 case PF_INET6:
5842 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5843 return NF_ACCEPT;
5844 break;
5845 default:
5846 return NF_DROP_ERR(-ECONNREFUSED);
5847 }
5848 }
5849 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5850 return NF_DROP;
5851 secmark_perm = PACKET__SEND;
5852 } else {
5853 /* Locally generated packet, fetch the security label from the
5854 * associated socket. */
5855 struct sk_security_struct *sksec = sk->sk_security;
5856 peer_sid = sksec->sid;
5857 secmark_perm = PACKET__SEND;
5858 }
5859
5860 ifindex = state->out->ifindex;
5861 ad.type = LSM_AUDIT_DATA_NET;
5862 ad.u.net = &net;
5863 ad.u.net->netif = ifindex;
5864 ad.u.net->family = family;
5865 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5866 return NF_DROP;
5867
5868 if (secmark_active)
5869 if (avc_has_perm(&selinux_state,
5870 peer_sid, skb->secmark,
5871 SECCLASS_PACKET, secmark_perm, &ad))
5872 return NF_DROP_ERR(-ECONNREFUSED);
5873
5874 if (peerlbl_active) {
5875 u32 if_sid;
5876 u32 node_sid;
5877
5878 if (sel_netif_sid(state->net, ifindex, &if_sid))
5879 return NF_DROP;
5880 if (avc_has_perm(&selinux_state,
5881 peer_sid, if_sid,
5882 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5883 return NF_DROP_ERR(-ECONNREFUSED);
5884
5885 if (sel_netnode_sid(addrp, family, &node_sid))
5886 return NF_DROP;
5887 if (avc_has_perm(&selinux_state,
5888 peer_sid, node_sid,
5889 SECCLASS_NODE, NODE__SENDTO, &ad))
5890 return NF_DROP_ERR(-ECONNREFUSED);
5891 }
5892
5893 return NF_ACCEPT;
5894 }
5895 #endif /* CONFIG_NETFILTER */
5896
selinux_netlink_send(struct sock * sk,struct sk_buff * skb)5897 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5898 {
5899 int rc = 0;
5900 unsigned int msg_len;
5901 unsigned int data_len = skb->len;
5902 unsigned char *data = skb->data;
5903 struct nlmsghdr *nlh;
5904 struct sk_security_struct *sksec = sk->sk_security;
5905 u16 sclass = sksec->sclass;
5906 u32 perm;
5907
5908 while (data_len >= nlmsg_total_size(0)) {
5909 nlh = (struct nlmsghdr *)data;
5910
5911 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5912 * users which means we can't reject skb's with bogus
5913 * length fields; our solution is to follow what
5914 * netlink_rcv_skb() does and simply skip processing at
5915 * messages with length fields that are clearly junk
5916 */
5917 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5918 return 0;
5919
5920 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5921 if (rc == 0) {
5922 rc = sock_has_perm(sk, perm);
5923 if (rc)
5924 return rc;
5925 } else if (rc == -EINVAL) {
5926 /* -EINVAL is a missing msg/perm mapping */
5927 pr_warn_ratelimited("SELinux: unrecognized netlink"
5928 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5929 " pid=%d comm=%s\n",
5930 sk->sk_protocol, nlh->nlmsg_type,
5931 secclass_map[sclass - 1].name,
5932 task_pid_nr(current), current->comm);
5933 if (enforcing_enabled(&selinux_state) &&
5934 !security_get_allow_unknown(&selinux_state))
5935 return rc;
5936 rc = 0;
5937 } else if (rc == -ENOENT) {
5938 /* -ENOENT is a missing socket/class mapping, ignore */
5939 rc = 0;
5940 } else {
5941 return rc;
5942 }
5943
5944 /* move to the next message after applying netlink padding */
5945 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5946 if (msg_len >= data_len)
5947 return 0;
5948 data_len -= msg_len;
5949 data += msg_len;
5950 }
5951
5952 return rc;
5953 }
5954
ipc_init_security(struct ipc_security_struct * isec,u16 sclass)5955 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5956 {
5957 isec->sclass = sclass;
5958 isec->sid = current_sid();
5959 }
5960
ipc_has_perm(struct kern_ipc_perm * ipc_perms,u32 perms)5961 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5962 u32 perms)
5963 {
5964 struct ipc_security_struct *isec;
5965 struct common_audit_data ad;
5966 u32 sid = current_sid();
5967
5968 isec = selinux_ipc(ipc_perms);
5969
5970 ad.type = LSM_AUDIT_DATA_IPC;
5971 ad.u.ipc_id = ipc_perms->key;
5972
5973 return avc_has_perm(&selinux_state,
5974 sid, isec->sid, isec->sclass, perms, &ad);
5975 }
5976
selinux_msg_msg_alloc_security(struct msg_msg * msg)5977 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5978 {
5979 struct msg_security_struct *msec;
5980
5981 msec = selinux_msg_msg(msg);
5982 msec->sid = SECINITSID_UNLABELED;
5983
5984 return 0;
5985 }
5986
5987 /* message queue security operations */
selinux_msg_queue_alloc_security(struct kern_ipc_perm * msq)5988 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5989 {
5990 struct ipc_security_struct *isec;
5991 struct common_audit_data ad;
5992 u32 sid = current_sid();
5993 int rc;
5994
5995 isec = selinux_ipc(msq);
5996 ipc_init_security(isec, SECCLASS_MSGQ);
5997
5998 ad.type = LSM_AUDIT_DATA_IPC;
5999 ad.u.ipc_id = msq->key;
6000
6001 rc = avc_has_perm(&selinux_state,
6002 sid, isec->sid, SECCLASS_MSGQ,
6003 MSGQ__CREATE, &ad);
6004 return rc;
6005 }
6006
selinux_msg_queue_associate(struct kern_ipc_perm * msq,int msqflg)6007 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6008 {
6009 struct ipc_security_struct *isec;
6010 struct common_audit_data ad;
6011 u32 sid = current_sid();
6012
6013 isec = selinux_ipc(msq);
6014
6015 ad.type = LSM_AUDIT_DATA_IPC;
6016 ad.u.ipc_id = msq->key;
6017
6018 return avc_has_perm(&selinux_state,
6019 sid, isec->sid, SECCLASS_MSGQ,
6020 MSGQ__ASSOCIATE, &ad);
6021 }
6022
selinux_msg_queue_msgctl(struct kern_ipc_perm * msq,int cmd)6023 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6024 {
6025 int err;
6026 int perms;
6027
6028 switch (cmd) {
6029 case IPC_INFO:
6030 case MSG_INFO:
6031 /* No specific object, just general system-wide information. */
6032 return avc_has_perm(&selinux_state,
6033 current_sid(), SECINITSID_KERNEL,
6034 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6035 case IPC_STAT:
6036 case MSG_STAT:
6037 case MSG_STAT_ANY:
6038 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6039 break;
6040 case IPC_SET:
6041 perms = MSGQ__SETATTR;
6042 break;
6043 case IPC_RMID:
6044 perms = MSGQ__DESTROY;
6045 break;
6046 default:
6047 return 0;
6048 }
6049
6050 err = ipc_has_perm(msq, perms);
6051 return err;
6052 }
6053
selinux_msg_queue_msgsnd(struct kern_ipc_perm * msq,struct msg_msg * msg,int msqflg)6054 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6055 {
6056 struct ipc_security_struct *isec;
6057 struct msg_security_struct *msec;
6058 struct common_audit_data ad;
6059 u32 sid = current_sid();
6060 int rc;
6061
6062 isec = selinux_ipc(msq);
6063 msec = selinux_msg_msg(msg);
6064
6065 /*
6066 * First time through, need to assign label to the message
6067 */
6068 if (msec->sid == SECINITSID_UNLABELED) {
6069 /*
6070 * Compute new sid based on current process and
6071 * message queue this message will be stored in
6072 */
6073 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6074 SECCLASS_MSG, NULL, &msec->sid);
6075 if (rc)
6076 return rc;
6077 }
6078
6079 ad.type = LSM_AUDIT_DATA_IPC;
6080 ad.u.ipc_id = msq->key;
6081
6082 /* Can this process write to the queue? */
6083 rc = avc_has_perm(&selinux_state,
6084 sid, isec->sid, SECCLASS_MSGQ,
6085 MSGQ__WRITE, &ad);
6086 if (!rc)
6087 /* Can this process send the message */
6088 rc = avc_has_perm(&selinux_state,
6089 sid, msec->sid, SECCLASS_MSG,
6090 MSG__SEND, &ad);
6091 if (!rc)
6092 /* Can the message be put in the queue? */
6093 rc = avc_has_perm(&selinux_state,
6094 msec->sid, isec->sid, SECCLASS_MSGQ,
6095 MSGQ__ENQUEUE, &ad);
6096
6097 return rc;
6098 }
6099
selinux_msg_queue_msgrcv(struct kern_ipc_perm * msq,struct msg_msg * msg,struct task_struct * target,long type,int mode)6100 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6101 struct task_struct *target,
6102 long type, int mode)
6103 {
6104 struct ipc_security_struct *isec;
6105 struct msg_security_struct *msec;
6106 struct common_audit_data ad;
6107 u32 sid = task_sid_obj(target);
6108 int rc;
6109
6110 isec = selinux_ipc(msq);
6111 msec = selinux_msg_msg(msg);
6112
6113 ad.type = LSM_AUDIT_DATA_IPC;
6114 ad.u.ipc_id = msq->key;
6115
6116 rc = avc_has_perm(&selinux_state,
6117 sid, isec->sid,
6118 SECCLASS_MSGQ, MSGQ__READ, &ad);
6119 if (!rc)
6120 rc = avc_has_perm(&selinux_state,
6121 sid, msec->sid,
6122 SECCLASS_MSG, MSG__RECEIVE, &ad);
6123 return rc;
6124 }
6125
6126 /* Shared Memory security operations */
selinux_shm_alloc_security(struct kern_ipc_perm * shp)6127 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6128 {
6129 struct ipc_security_struct *isec;
6130 struct common_audit_data ad;
6131 u32 sid = current_sid();
6132 int rc;
6133
6134 isec = selinux_ipc(shp);
6135 ipc_init_security(isec, SECCLASS_SHM);
6136
6137 ad.type = LSM_AUDIT_DATA_IPC;
6138 ad.u.ipc_id = shp->key;
6139
6140 rc = avc_has_perm(&selinux_state,
6141 sid, isec->sid, SECCLASS_SHM,
6142 SHM__CREATE, &ad);
6143 return rc;
6144 }
6145
selinux_shm_associate(struct kern_ipc_perm * shp,int shmflg)6146 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6147 {
6148 struct ipc_security_struct *isec;
6149 struct common_audit_data ad;
6150 u32 sid = current_sid();
6151
6152 isec = selinux_ipc(shp);
6153
6154 ad.type = LSM_AUDIT_DATA_IPC;
6155 ad.u.ipc_id = shp->key;
6156
6157 return avc_has_perm(&selinux_state,
6158 sid, isec->sid, SECCLASS_SHM,
6159 SHM__ASSOCIATE, &ad);
6160 }
6161
6162 /* Note, at this point, shp is locked down */
selinux_shm_shmctl(struct kern_ipc_perm * shp,int cmd)6163 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6164 {
6165 int perms;
6166 int err;
6167
6168 switch (cmd) {
6169 case IPC_INFO:
6170 case SHM_INFO:
6171 /* No specific object, just general system-wide information. */
6172 return avc_has_perm(&selinux_state,
6173 current_sid(), SECINITSID_KERNEL,
6174 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6175 case IPC_STAT:
6176 case SHM_STAT:
6177 case SHM_STAT_ANY:
6178 perms = SHM__GETATTR | SHM__ASSOCIATE;
6179 break;
6180 case IPC_SET:
6181 perms = SHM__SETATTR;
6182 break;
6183 case SHM_LOCK:
6184 case SHM_UNLOCK:
6185 perms = SHM__LOCK;
6186 break;
6187 case IPC_RMID:
6188 perms = SHM__DESTROY;
6189 break;
6190 default:
6191 return 0;
6192 }
6193
6194 err = ipc_has_perm(shp, perms);
6195 return err;
6196 }
6197
selinux_shm_shmat(struct kern_ipc_perm * shp,char __user * shmaddr,int shmflg)6198 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6199 char __user *shmaddr, int shmflg)
6200 {
6201 u32 perms;
6202
6203 if (shmflg & SHM_RDONLY)
6204 perms = SHM__READ;
6205 else
6206 perms = SHM__READ | SHM__WRITE;
6207
6208 return ipc_has_perm(shp, perms);
6209 }
6210
6211 /* Semaphore security operations */
selinux_sem_alloc_security(struct kern_ipc_perm * sma)6212 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6213 {
6214 struct ipc_security_struct *isec;
6215 struct common_audit_data ad;
6216 u32 sid = current_sid();
6217 int rc;
6218
6219 isec = selinux_ipc(sma);
6220 ipc_init_security(isec, SECCLASS_SEM);
6221
6222 ad.type = LSM_AUDIT_DATA_IPC;
6223 ad.u.ipc_id = sma->key;
6224
6225 rc = avc_has_perm(&selinux_state,
6226 sid, isec->sid, SECCLASS_SEM,
6227 SEM__CREATE, &ad);
6228 return rc;
6229 }
6230
selinux_sem_associate(struct kern_ipc_perm * sma,int semflg)6231 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6232 {
6233 struct ipc_security_struct *isec;
6234 struct common_audit_data ad;
6235 u32 sid = current_sid();
6236
6237 isec = selinux_ipc(sma);
6238
6239 ad.type = LSM_AUDIT_DATA_IPC;
6240 ad.u.ipc_id = sma->key;
6241
6242 return avc_has_perm(&selinux_state,
6243 sid, isec->sid, SECCLASS_SEM,
6244 SEM__ASSOCIATE, &ad);
6245 }
6246
6247 /* Note, at this point, sma is locked down */
selinux_sem_semctl(struct kern_ipc_perm * sma,int cmd)6248 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6249 {
6250 int err;
6251 u32 perms;
6252
6253 switch (cmd) {
6254 case IPC_INFO:
6255 case SEM_INFO:
6256 /* No specific object, just general system-wide information. */
6257 return avc_has_perm(&selinux_state,
6258 current_sid(), SECINITSID_KERNEL,
6259 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6260 case GETPID:
6261 case GETNCNT:
6262 case GETZCNT:
6263 perms = SEM__GETATTR;
6264 break;
6265 case GETVAL:
6266 case GETALL:
6267 perms = SEM__READ;
6268 break;
6269 case SETVAL:
6270 case SETALL:
6271 perms = SEM__WRITE;
6272 break;
6273 case IPC_RMID:
6274 perms = SEM__DESTROY;
6275 break;
6276 case IPC_SET:
6277 perms = SEM__SETATTR;
6278 break;
6279 case IPC_STAT:
6280 case SEM_STAT:
6281 case SEM_STAT_ANY:
6282 perms = SEM__GETATTR | SEM__ASSOCIATE;
6283 break;
6284 default:
6285 return 0;
6286 }
6287
6288 err = ipc_has_perm(sma, perms);
6289 return err;
6290 }
6291
selinux_sem_semop(struct kern_ipc_perm * sma,struct sembuf * sops,unsigned nsops,int alter)6292 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6293 struct sembuf *sops, unsigned nsops, int alter)
6294 {
6295 u32 perms;
6296
6297 if (alter)
6298 perms = SEM__READ | SEM__WRITE;
6299 else
6300 perms = SEM__READ;
6301
6302 return ipc_has_perm(sma, perms);
6303 }
6304
selinux_ipc_permission(struct kern_ipc_perm * ipcp,short flag)6305 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6306 {
6307 u32 av = 0;
6308
6309 av = 0;
6310 if (flag & S_IRUGO)
6311 av |= IPC__UNIX_READ;
6312 if (flag & S_IWUGO)
6313 av |= IPC__UNIX_WRITE;
6314
6315 if (av == 0)
6316 return 0;
6317
6318 return ipc_has_perm(ipcp, av);
6319 }
6320
selinux_ipc_getsecid(struct kern_ipc_perm * ipcp,u32 * secid)6321 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6322 {
6323 struct ipc_security_struct *isec = selinux_ipc(ipcp);
6324 *secid = isec->sid;
6325 }
6326
selinux_d_instantiate(struct dentry * dentry,struct inode * inode)6327 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6328 {
6329 if (inode)
6330 inode_doinit_with_dentry(inode, dentry);
6331 }
6332
selinux_getprocattr(struct task_struct * p,char * name,char ** value)6333 static int selinux_getprocattr(struct task_struct *p,
6334 char *name, char **value)
6335 {
6336 const struct task_security_struct *__tsec;
6337 u32 sid;
6338 int error;
6339 unsigned len;
6340
6341 rcu_read_lock();
6342 __tsec = selinux_cred(__task_cred(p));
6343
6344 if (current != p) {
6345 error = avc_has_perm(&selinux_state,
6346 current_sid(), __tsec->sid,
6347 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6348 if (error)
6349 goto bad;
6350 }
6351
6352 if (!strcmp(name, "current"))
6353 sid = __tsec->sid;
6354 else if (!strcmp(name, "prev"))
6355 sid = __tsec->osid;
6356 else if (!strcmp(name, "exec"))
6357 sid = __tsec->exec_sid;
6358 else if (!strcmp(name, "fscreate"))
6359 sid = __tsec->create_sid;
6360 else if (!strcmp(name, "keycreate"))
6361 sid = __tsec->keycreate_sid;
6362 else if (!strcmp(name, "sockcreate"))
6363 sid = __tsec->sockcreate_sid;
6364 else {
6365 error = -EINVAL;
6366 goto bad;
6367 }
6368 rcu_read_unlock();
6369
6370 if (!sid)
6371 return 0;
6372
6373 error = security_sid_to_context(&selinux_state, sid, value, &len);
6374 if (error)
6375 return error;
6376 return len;
6377
6378 bad:
6379 rcu_read_unlock();
6380 return error;
6381 }
6382
selinux_setprocattr(const char * name,void * value,size_t size)6383 static int selinux_setprocattr(const char *name, void *value, size_t size)
6384 {
6385 struct task_security_struct *tsec;
6386 struct cred *new;
6387 u32 mysid = current_sid(), sid = 0, ptsid;
6388 int error;
6389 char *str = value;
6390
6391 /*
6392 * Basic control over ability to set these attributes at all.
6393 */
6394 if (!strcmp(name, "exec"))
6395 error = avc_has_perm(&selinux_state,
6396 mysid, mysid, SECCLASS_PROCESS,
6397 PROCESS__SETEXEC, NULL);
6398 else if (!strcmp(name, "fscreate"))
6399 error = avc_has_perm(&selinux_state,
6400 mysid, mysid, SECCLASS_PROCESS,
6401 PROCESS__SETFSCREATE, NULL);
6402 else if (!strcmp(name, "keycreate"))
6403 error = avc_has_perm(&selinux_state,
6404 mysid, mysid, SECCLASS_PROCESS,
6405 PROCESS__SETKEYCREATE, NULL);
6406 else if (!strcmp(name, "sockcreate"))
6407 error = avc_has_perm(&selinux_state,
6408 mysid, mysid, SECCLASS_PROCESS,
6409 PROCESS__SETSOCKCREATE, NULL);
6410 else if (!strcmp(name, "current"))
6411 error = avc_has_perm(&selinux_state,
6412 mysid, mysid, SECCLASS_PROCESS,
6413 PROCESS__SETCURRENT, NULL);
6414 else
6415 error = -EINVAL;
6416 if (error)
6417 return error;
6418
6419 /* Obtain a SID for the context, if one was specified. */
6420 if (size && str[0] && str[0] != '\n') {
6421 if (str[size-1] == '\n') {
6422 str[size-1] = 0;
6423 size--;
6424 }
6425 error = security_context_to_sid(&selinux_state, value, size,
6426 &sid, GFP_KERNEL);
6427 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6428 if (!has_cap_mac_admin(true)) {
6429 struct audit_buffer *ab;
6430 size_t audit_size;
6431
6432 /* We strip a nul only if it is at the end, otherwise the
6433 * context contains a nul and we should audit that */
6434 if (str[size - 1] == '\0')
6435 audit_size = size - 1;
6436 else
6437 audit_size = size;
6438 ab = audit_log_start(audit_context(),
6439 GFP_ATOMIC,
6440 AUDIT_SELINUX_ERR);
6441 if (!ab)
6442 return error;
6443 audit_log_format(ab, "op=fscreate invalid_context=");
6444 audit_log_n_untrustedstring(ab, value, audit_size);
6445 audit_log_end(ab);
6446
6447 return error;
6448 }
6449 error = security_context_to_sid_force(
6450 &selinux_state,
6451 value, size, &sid);
6452 }
6453 if (error)
6454 return error;
6455 }
6456
6457 new = prepare_creds();
6458 if (!new)
6459 return -ENOMEM;
6460
6461 /* Permission checking based on the specified context is
6462 performed during the actual operation (execve,
6463 open/mkdir/...), when we know the full context of the
6464 operation. See selinux_bprm_creds_for_exec for the execve
6465 checks and may_create for the file creation checks. The
6466 operation will then fail if the context is not permitted. */
6467 tsec = selinux_cred(new);
6468 if (!strcmp(name, "exec")) {
6469 tsec->exec_sid = sid;
6470 } else if (!strcmp(name, "fscreate")) {
6471 tsec->create_sid = sid;
6472 } else if (!strcmp(name, "keycreate")) {
6473 if (sid) {
6474 error = avc_has_perm(&selinux_state, mysid, sid,
6475 SECCLASS_KEY, KEY__CREATE, NULL);
6476 if (error)
6477 goto abort_change;
6478 }
6479 tsec->keycreate_sid = sid;
6480 } else if (!strcmp(name, "sockcreate")) {
6481 tsec->sockcreate_sid = sid;
6482 } else if (!strcmp(name, "current")) {
6483 error = -EINVAL;
6484 if (sid == 0)
6485 goto abort_change;
6486
6487 /* Only allow single threaded processes to change context */
6488 if (!current_is_single_threaded()) {
6489 error = security_bounded_transition(&selinux_state,
6490 tsec->sid, sid);
6491 if (error)
6492 goto abort_change;
6493 }
6494
6495 /* Check permissions for the transition. */
6496 error = avc_has_perm(&selinux_state,
6497 tsec->sid, sid, SECCLASS_PROCESS,
6498 PROCESS__DYNTRANSITION, NULL);
6499 if (error)
6500 goto abort_change;
6501
6502 /* Check for ptracing, and update the task SID if ok.
6503 Otherwise, leave SID unchanged and fail. */
6504 ptsid = ptrace_parent_sid();
6505 if (ptsid != 0) {
6506 error = avc_has_perm(&selinux_state,
6507 ptsid, sid, SECCLASS_PROCESS,
6508 PROCESS__PTRACE, NULL);
6509 if (error)
6510 goto abort_change;
6511 }
6512
6513 tsec->sid = sid;
6514 } else {
6515 error = -EINVAL;
6516 goto abort_change;
6517 }
6518
6519 commit_creds(new);
6520 return size;
6521
6522 abort_change:
6523 abort_creds(new);
6524 return error;
6525 }
6526
selinux_ismaclabel(const char * name)6527 static int selinux_ismaclabel(const char *name)
6528 {
6529 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6530 }
6531
selinux_secid_to_secctx(u32 secid,char ** secdata,u32 * seclen)6532 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6533 {
6534 return security_sid_to_context(&selinux_state, secid,
6535 secdata, seclen);
6536 }
6537
selinux_secctx_to_secid(const char * secdata,u32 seclen,u32 * secid)6538 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6539 {
6540 return security_context_to_sid(&selinux_state, secdata, seclen,
6541 secid, GFP_KERNEL);
6542 }
6543
selinux_release_secctx(char * secdata,u32 seclen)6544 static void selinux_release_secctx(char *secdata, u32 seclen)
6545 {
6546 kfree(secdata);
6547 }
6548
selinux_inode_invalidate_secctx(struct inode * inode)6549 static void selinux_inode_invalidate_secctx(struct inode *inode)
6550 {
6551 struct inode_security_struct *isec = selinux_inode(inode);
6552
6553 spin_lock(&isec->lock);
6554 isec->initialized = LABEL_INVALID;
6555 spin_unlock(&isec->lock);
6556 }
6557
6558 /*
6559 * called with inode->i_mutex locked
6560 */
selinux_inode_notifysecctx(struct inode * inode,void * ctx,u32 ctxlen)6561 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6562 {
6563 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6564 ctx, ctxlen, 0);
6565 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6566 return rc == -EOPNOTSUPP ? 0 : rc;
6567 }
6568
6569 /*
6570 * called with inode->i_mutex locked
6571 */
selinux_inode_setsecctx(struct dentry * dentry,void * ctx,u32 ctxlen)6572 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6573 {
6574 return __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_SELINUX,
6575 ctx, ctxlen, 0);
6576 }
6577
selinux_inode_getsecctx(struct inode * inode,void ** ctx,u32 * ctxlen)6578 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6579 {
6580 int len = 0;
6581 len = selinux_inode_getsecurity(&init_user_ns, inode,
6582 XATTR_SELINUX_SUFFIX, ctx, true);
6583 if (len < 0)
6584 return len;
6585 *ctxlen = len;
6586 return 0;
6587 }
6588 #ifdef CONFIG_KEYS
6589
selinux_key_alloc(struct key * k,const struct cred * cred,unsigned long flags)6590 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6591 unsigned long flags)
6592 {
6593 const struct task_security_struct *tsec;
6594 struct key_security_struct *ksec;
6595
6596 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6597 if (!ksec)
6598 return -ENOMEM;
6599
6600 tsec = selinux_cred(cred);
6601 if (tsec->keycreate_sid)
6602 ksec->sid = tsec->keycreate_sid;
6603 else
6604 ksec->sid = tsec->sid;
6605
6606 k->security = ksec;
6607 return 0;
6608 }
6609
selinux_key_free(struct key * k)6610 static void selinux_key_free(struct key *k)
6611 {
6612 struct key_security_struct *ksec = k->security;
6613
6614 k->security = NULL;
6615 kfree(ksec);
6616 }
6617
selinux_key_permission(key_ref_t key_ref,const struct cred * cred,enum key_need_perm need_perm)6618 static int selinux_key_permission(key_ref_t key_ref,
6619 const struct cred *cred,
6620 enum key_need_perm need_perm)
6621 {
6622 struct key *key;
6623 struct key_security_struct *ksec;
6624 u32 perm, sid;
6625
6626 switch (need_perm) {
6627 case KEY_NEED_VIEW:
6628 perm = KEY__VIEW;
6629 break;
6630 case KEY_NEED_READ:
6631 perm = KEY__READ;
6632 break;
6633 case KEY_NEED_WRITE:
6634 perm = KEY__WRITE;
6635 break;
6636 case KEY_NEED_SEARCH:
6637 perm = KEY__SEARCH;
6638 break;
6639 case KEY_NEED_LINK:
6640 perm = KEY__LINK;
6641 break;
6642 case KEY_NEED_SETATTR:
6643 perm = KEY__SETATTR;
6644 break;
6645 case KEY_NEED_UNLINK:
6646 case KEY_SYSADMIN_OVERRIDE:
6647 case KEY_AUTHTOKEN_OVERRIDE:
6648 case KEY_DEFER_PERM_CHECK:
6649 return 0;
6650 default:
6651 WARN_ON(1);
6652 return -EPERM;
6653
6654 }
6655
6656 sid = cred_sid(cred);
6657 key = key_ref_to_ptr(key_ref);
6658 ksec = key->security;
6659
6660 return avc_has_perm(&selinux_state,
6661 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6662 }
6663
selinux_key_getsecurity(struct key * key,char ** _buffer)6664 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6665 {
6666 struct key_security_struct *ksec = key->security;
6667 char *context = NULL;
6668 unsigned len;
6669 int rc;
6670
6671 rc = security_sid_to_context(&selinux_state, ksec->sid,
6672 &context, &len);
6673 if (!rc)
6674 rc = len;
6675 *_buffer = context;
6676 return rc;
6677 }
6678
6679 #ifdef CONFIG_KEY_NOTIFICATIONS
selinux_watch_key(struct key * key)6680 static int selinux_watch_key(struct key *key)
6681 {
6682 struct key_security_struct *ksec = key->security;
6683 u32 sid = current_sid();
6684
6685 return avc_has_perm(&selinux_state,
6686 sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6687 }
6688 #endif
6689 #endif
6690
6691 #ifdef CONFIG_SECURITY_INFINIBAND
selinux_ib_pkey_access(void * ib_sec,u64 subnet_prefix,u16 pkey_val)6692 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6693 {
6694 struct common_audit_data ad;
6695 int err;
6696 u32 sid = 0;
6697 struct ib_security_struct *sec = ib_sec;
6698 struct lsm_ibpkey_audit ibpkey;
6699
6700 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6701 if (err)
6702 return err;
6703
6704 ad.type = LSM_AUDIT_DATA_IBPKEY;
6705 ibpkey.subnet_prefix = subnet_prefix;
6706 ibpkey.pkey = pkey_val;
6707 ad.u.ibpkey = &ibpkey;
6708 return avc_has_perm(&selinux_state,
6709 sec->sid, sid,
6710 SECCLASS_INFINIBAND_PKEY,
6711 INFINIBAND_PKEY__ACCESS, &ad);
6712 }
6713
selinux_ib_endport_manage_subnet(void * ib_sec,const char * dev_name,u8 port_num)6714 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6715 u8 port_num)
6716 {
6717 struct common_audit_data ad;
6718 int err;
6719 u32 sid = 0;
6720 struct ib_security_struct *sec = ib_sec;
6721 struct lsm_ibendport_audit ibendport;
6722
6723 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6724 &sid);
6725
6726 if (err)
6727 return err;
6728
6729 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6730 ibendport.dev_name = dev_name;
6731 ibendport.port = port_num;
6732 ad.u.ibendport = &ibendport;
6733 return avc_has_perm(&selinux_state,
6734 sec->sid, sid,
6735 SECCLASS_INFINIBAND_ENDPORT,
6736 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6737 }
6738
selinux_ib_alloc_security(void ** ib_sec)6739 static int selinux_ib_alloc_security(void **ib_sec)
6740 {
6741 struct ib_security_struct *sec;
6742
6743 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6744 if (!sec)
6745 return -ENOMEM;
6746 sec->sid = current_sid();
6747
6748 *ib_sec = sec;
6749 return 0;
6750 }
6751
selinux_ib_free_security(void * ib_sec)6752 static void selinux_ib_free_security(void *ib_sec)
6753 {
6754 kfree(ib_sec);
6755 }
6756 #endif
6757
6758 #ifdef CONFIG_BPF_SYSCALL
selinux_bpf(int cmd,union bpf_attr * attr,unsigned int size)6759 static int selinux_bpf(int cmd, union bpf_attr *attr,
6760 unsigned int size)
6761 {
6762 u32 sid = current_sid();
6763 int ret;
6764
6765 switch (cmd) {
6766 case BPF_MAP_CREATE:
6767 ret = avc_has_perm(&selinux_state,
6768 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6769 NULL);
6770 break;
6771 case BPF_PROG_LOAD:
6772 ret = avc_has_perm(&selinux_state,
6773 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6774 NULL);
6775 break;
6776 default:
6777 ret = 0;
6778 break;
6779 }
6780
6781 return ret;
6782 }
6783
bpf_map_fmode_to_av(fmode_t fmode)6784 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6785 {
6786 u32 av = 0;
6787
6788 if (fmode & FMODE_READ)
6789 av |= BPF__MAP_READ;
6790 if (fmode & FMODE_WRITE)
6791 av |= BPF__MAP_WRITE;
6792 return av;
6793 }
6794
6795 /* This function will check the file pass through unix socket or binder to see
6796 * if it is a bpf related object. And apply correspinding checks on the bpf
6797 * object based on the type. The bpf maps and programs, not like other files and
6798 * socket, are using a shared anonymous inode inside the kernel as their inode.
6799 * So checking that inode cannot identify if the process have privilege to
6800 * access the bpf object and that's why we have to add this additional check in
6801 * selinux_file_receive and selinux_binder_transfer_files.
6802 */
bpf_fd_pass(struct file * file,u32 sid)6803 static int bpf_fd_pass(struct file *file, u32 sid)
6804 {
6805 struct bpf_security_struct *bpfsec;
6806 struct bpf_prog *prog;
6807 struct bpf_map *map;
6808 int ret;
6809
6810 if (file->f_op == &bpf_map_fops) {
6811 map = file->private_data;
6812 bpfsec = map->security;
6813 ret = avc_has_perm(&selinux_state,
6814 sid, bpfsec->sid, SECCLASS_BPF,
6815 bpf_map_fmode_to_av(file->f_mode), NULL);
6816 if (ret)
6817 return ret;
6818 } else if (file->f_op == &bpf_prog_fops) {
6819 prog = file->private_data;
6820 bpfsec = prog->aux->security;
6821 ret = avc_has_perm(&selinux_state,
6822 sid, bpfsec->sid, SECCLASS_BPF,
6823 BPF__PROG_RUN, NULL);
6824 if (ret)
6825 return ret;
6826 }
6827 return 0;
6828 }
6829
selinux_bpf_map(struct bpf_map * map,fmode_t fmode)6830 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6831 {
6832 u32 sid = current_sid();
6833 struct bpf_security_struct *bpfsec;
6834
6835 bpfsec = map->security;
6836 return avc_has_perm(&selinux_state,
6837 sid, bpfsec->sid, SECCLASS_BPF,
6838 bpf_map_fmode_to_av(fmode), NULL);
6839 }
6840
selinux_bpf_prog(struct bpf_prog * prog)6841 static int selinux_bpf_prog(struct bpf_prog *prog)
6842 {
6843 u32 sid = current_sid();
6844 struct bpf_security_struct *bpfsec;
6845
6846 bpfsec = prog->aux->security;
6847 return avc_has_perm(&selinux_state,
6848 sid, bpfsec->sid, SECCLASS_BPF,
6849 BPF__PROG_RUN, NULL);
6850 }
6851
selinux_bpf_map_alloc(struct bpf_map * map)6852 static int selinux_bpf_map_alloc(struct bpf_map *map)
6853 {
6854 struct bpf_security_struct *bpfsec;
6855
6856 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6857 if (!bpfsec)
6858 return -ENOMEM;
6859
6860 bpfsec->sid = current_sid();
6861 map->security = bpfsec;
6862
6863 return 0;
6864 }
6865
selinux_bpf_map_free(struct bpf_map * map)6866 static void selinux_bpf_map_free(struct bpf_map *map)
6867 {
6868 struct bpf_security_struct *bpfsec = map->security;
6869
6870 map->security = NULL;
6871 kfree(bpfsec);
6872 }
6873
selinux_bpf_prog_alloc(struct bpf_prog_aux * aux)6874 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6875 {
6876 struct bpf_security_struct *bpfsec;
6877
6878 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6879 if (!bpfsec)
6880 return -ENOMEM;
6881
6882 bpfsec->sid = current_sid();
6883 aux->security = bpfsec;
6884
6885 return 0;
6886 }
6887
selinux_bpf_prog_free(struct bpf_prog_aux * aux)6888 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6889 {
6890 struct bpf_security_struct *bpfsec = aux->security;
6891
6892 aux->security = NULL;
6893 kfree(bpfsec);
6894 }
6895 #endif
6896
6897 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6898 .lbs_cred = sizeof(struct task_security_struct),
6899 .lbs_file = sizeof(struct file_security_struct),
6900 .lbs_inode = sizeof(struct inode_security_struct),
6901 .lbs_ipc = sizeof(struct ipc_security_struct),
6902 .lbs_msg_msg = sizeof(struct msg_security_struct),
6903 .lbs_superblock = sizeof(struct superblock_security_struct),
6904 };
6905
6906 #ifdef CONFIG_PERF_EVENTS
selinux_perf_event_open(struct perf_event_attr * attr,int type)6907 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6908 {
6909 u32 requested, sid = current_sid();
6910
6911 if (type == PERF_SECURITY_OPEN)
6912 requested = PERF_EVENT__OPEN;
6913 else if (type == PERF_SECURITY_CPU)
6914 requested = PERF_EVENT__CPU;
6915 else if (type == PERF_SECURITY_KERNEL)
6916 requested = PERF_EVENT__KERNEL;
6917 else if (type == PERF_SECURITY_TRACEPOINT)
6918 requested = PERF_EVENT__TRACEPOINT;
6919 else
6920 return -EINVAL;
6921
6922 return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6923 requested, NULL);
6924 }
6925
selinux_perf_event_alloc(struct perf_event * event)6926 static int selinux_perf_event_alloc(struct perf_event *event)
6927 {
6928 struct perf_event_security_struct *perfsec;
6929
6930 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6931 if (!perfsec)
6932 return -ENOMEM;
6933
6934 perfsec->sid = current_sid();
6935 event->security = perfsec;
6936
6937 return 0;
6938 }
6939
selinux_perf_event_free(struct perf_event * event)6940 static void selinux_perf_event_free(struct perf_event *event)
6941 {
6942 struct perf_event_security_struct *perfsec = event->security;
6943
6944 event->security = NULL;
6945 kfree(perfsec);
6946 }
6947
selinux_perf_event_read(struct perf_event * event)6948 static int selinux_perf_event_read(struct perf_event *event)
6949 {
6950 struct perf_event_security_struct *perfsec = event->security;
6951 u32 sid = current_sid();
6952
6953 return avc_has_perm(&selinux_state, sid, perfsec->sid,
6954 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6955 }
6956
selinux_perf_event_write(struct perf_event * event)6957 static int selinux_perf_event_write(struct perf_event *event)
6958 {
6959 struct perf_event_security_struct *perfsec = event->security;
6960 u32 sid = current_sid();
6961
6962 return avc_has_perm(&selinux_state, sid, perfsec->sid,
6963 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6964 }
6965 #endif
6966
6967 #ifdef CONFIG_IO_URING
6968 /**
6969 * selinux_uring_override_creds - check the requested cred override
6970 * @new: the target creds
6971 *
6972 * Check to see if the current task is allowed to override it's credentials
6973 * to service an io_uring operation.
6974 */
selinux_uring_override_creds(const struct cred * new)6975 static int selinux_uring_override_creds(const struct cred *new)
6976 {
6977 return avc_has_perm(&selinux_state, current_sid(), cred_sid(new),
6978 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
6979 }
6980
6981 /**
6982 * selinux_uring_sqpoll - check if a io_uring polling thread can be created
6983 *
6984 * Check to see if the current task is allowed to create a new io_uring
6985 * kernel polling thread.
6986 */
selinux_uring_sqpoll(void)6987 static int selinux_uring_sqpoll(void)
6988 {
6989 int sid = current_sid();
6990
6991 return avc_has_perm(&selinux_state, sid, sid,
6992 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
6993 }
6994
6995 /**
6996 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
6997 * @ioucmd: the io_uring command structure
6998 *
6999 * Check to see if the current domain is allowed to execute an
7000 * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
7001 *
7002 */
selinux_uring_cmd(struct io_uring_cmd * ioucmd)7003 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
7004 {
7005 struct file *file = ioucmd->file;
7006 struct inode *inode = file_inode(file);
7007 struct inode_security_struct *isec = selinux_inode(inode);
7008 struct common_audit_data ad;
7009
7010 ad.type = LSM_AUDIT_DATA_FILE;
7011 ad.u.file = file;
7012
7013 return avc_has_perm(&selinux_state, current_sid(), isec->sid,
7014 SECCLASS_IO_URING, IO_URING__CMD, &ad);
7015 }
7016 #endif /* CONFIG_IO_URING */
7017
7018 /*
7019 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
7020 * 1. any hooks that don't belong to (2.) or (3.) below,
7021 * 2. hooks that both access structures allocated by other hooks, and allocate
7022 * structures that can be later accessed by other hooks (mostly "cloning"
7023 * hooks),
7024 * 3. hooks that only allocate structures that can be later accessed by other
7025 * hooks ("allocating" hooks).
7026 *
7027 * Please follow block comment delimiters in the list to keep this order.
7028 *
7029 * This ordering is needed for SELinux runtime disable to work at least somewhat
7030 * safely. Breaking the ordering rules above might lead to NULL pointer derefs
7031 * when disabling SELinux at runtime.
7032 */
7033 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
7034 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7035 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7036 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7037 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7038
7039 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7040 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7041 LSM_HOOK_INIT(capget, selinux_capget),
7042 LSM_HOOK_INIT(capset, selinux_capset),
7043 LSM_HOOK_INIT(capable, selinux_capable),
7044 LSM_HOOK_INIT(quotactl, selinux_quotactl),
7045 LSM_HOOK_INIT(quota_on, selinux_quota_on),
7046 LSM_HOOK_INIT(syslog, selinux_syslog),
7047 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7048
7049 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7050
7051 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7052 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7053 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7054
7055 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7056 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7057 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7058 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7059 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7060 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7061 LSM_HOOK_INIT(sb_mount, selinux_mount),
7062 LSM_HOOK_INIT(sb_umount, selinux_umount),
7063 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7064 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7065
7066 LSM_HOOK_INIT(move_mount, selinux_move_mount),
7067
7068 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7069 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7070
7071 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7072 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7073 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7074 LSM_HOOK_INIT(inode_create, selinux_inode_create),
7075 LSM_HOOK_INIT(inode_link, selinux_inode_link),
7076 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7077 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7078 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7079 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7080 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7081 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7082 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7083 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7084 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7085 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7086 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7087 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7088 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7089 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7090 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7091 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7092 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7093 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7094 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7095 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7096 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7097 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7098 LSM_HOOK_INIT(path_notify, selinux_path_notify),
7099
7100 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7101
7102 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7103 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7104 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7105 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7106 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7107 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7108 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7109 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7110 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7111 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7112 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7113
7114 LSM_HOOK_INIT(file_open, selinux_file_open),
7115
7116 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7117 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7118 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7119 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7120 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7121 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7122 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7123 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7124 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7125 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7126 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7127 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7128 LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7129 LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7130 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7131 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7132 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7133 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7134 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7135 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7136 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7137 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7138 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7139 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7140
7141 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7142 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7143
7144 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7145 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7146 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7147 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7148
7149 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7150 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7151 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7152
7153 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7154 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7155 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7156
7157 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7158
7159 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7160 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7161
7162 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7163 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7164 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7165 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7166 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7167 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7168
7169 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7170 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7171
7172 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7173 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7174 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7175 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7176 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7177 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7178 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7179 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7180 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7181 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7182 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7183 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7184 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7185 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7186 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7187 LSM_HOOK_INIT(socket_getpeersec_stream,
7188 selinux_socket_getpeersec_stream),
7189 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7190 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7191 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7192 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7193 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7194 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7195 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7196 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7197 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7198 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7199 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7200 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7201 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7202 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7203 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7204 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7205 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7206 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7207 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7208 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7209 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7210 #ifdef CONFIG_SECURITY_INFINIBAND
7211 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7212 LSM_HOOK_INIT(ib_endport_manage_subnet,
7213 selinux_ib_endport_manage_subnet),
7214 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7215 #endif
7216 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7217 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7218 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7219 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7220 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7221 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7222 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7223 selinux_xfrm_state_pol_flow_match),
7224 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7225 #endif
7226
7227 #ifdef CONFIG_KEYS
7228 LSM_HOOK_INIT(key_free, selinux_key_free),
7229 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7230 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7231 #ifdef CONFIG_KEY_NOTIFICATIONS
7232 LSM_HOOK_INIT(watch_key, selinux_watch_key),
7233 #endif
7234 #endif
7235
7236 #ifdef CONFIG_AUDIT
7237 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7238 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7239 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7240 #endif
7241
7242 #ifdef CONFIG_BPF_SYSCALL
7243 LSM_HOOK_INIT(bpf, selinux_bpf),
7244 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7245 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7246 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7247 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7248 #endif
7249
7250 #ifdef CONFIG_PERF_EVENTS
7251 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7252 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7253 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7254 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7255 #endif
7256
7257 #ifdef CONFIG_IO_URING
7258 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7259 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7260 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7261 #endif
7262
7263 /*
7264 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7265 */
7266 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7267 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7268 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7269 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7270 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7271 #endif
7272
7273 /*
7274 * PUT "ALLOCATING" HOOKS HERE
7275 */
7276 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7277 LSM_HOOK_INIT(msg_queue_alloc_security,
7278 selinux_msg_queue_alloc_security),
7279 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7280 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7281 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7282 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7283 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7284 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7285 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7286 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7287 #ifdef CONFIG_SECURITY_INFINIBAND
7288 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7289 #endif
7290 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7291 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7292 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7293 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7294 selinux_xfrm_state_alloc_acquire),
7295 #endif
7296 #ifdef CONFIG_KEYS
7297 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7298 #endif
7299 #ifdef CONFIG_AUDIT
7300 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7301 #endif
7302 #ifdef CONFIG_BPF_SYSCALL
7303 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7304 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7305 #endif
7306 #ifdef CONFIG_PERF_EVENTS
7307 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7308 #endif
7309 };
7310
selinux_init(void)7311 static __init int selinux_init(void)
7312 {
7313 pr_info("SELinux: Initializing.\n");
7314
7315 memset(&selinux_state, 0, sizeof(selinux_state));
7316 enforcing_set(&selinux_state, selinux_enforcing_boot);
7317 if (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE)
7318 pr_err("SELinux: CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is non-zero. This is deprecated and will be rejected in a future kernel release.\n");
7319 checkreqprot_set(&selinux_state, selinux_checkreqprot_boot);
7320 selinux_avc_init(&selinux_state.avc);
7321 mutex_init(&selinux_state.status_lock);
7322 mutex_init(&selinux_state.policy_mutex);
7323
7324 /* Set the security state for the initial task. */
7325 cred_init_security();
7326
7327 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7328
7329 avc_init();
7330
7331 avtab_cache_init();
7332
7333 ebitmap_cache_init();
7334
7335 hashtab_cache_init();
7336
7337 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7338
7339 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7340 panic("SELinux: Unable to register AVC netcache callback\n");
7341
7342 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7343 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7344
7345 if (selinux_enforcing_boot)
7346 pr_debug("SELinux: Starting in enforcing mode\n");
7347 else
7348 pr_debug("SELinux: Starting in permissive mode\n");
7349
7350 fs_validate_description("selinux", selinux_fs_parameters);
7351
7352 return 0;
7353 }
7354
delayed_superblock_init(struct super_block * sb,void * unused)7355 static void delayed_superblock_init(struct super_block *sb, void *unused)
7356 {
7357 selinux_set_mnt_opts(sb, NULL, 0, NULL);
7358 }
7359
selinux_complete_init(void)7360 void selinux_complete_init(void)
7361 {
7362 pr_debug("SELinux: Completing initialization.\n");
7363
7364 /* Set up any superblocks initialized prior to the policy load. */
7365 pr_debug("SELinux: Setting up existing superblocks.\n");
7366 iterate_supers(delayed_superblock_init, NULL);
7367 }
7368
7369 /* SELinux requires early initialization in order to label
7370 all processes and objects when they are created. */
7371 DEFINE_LSM(selinux) = {
7372 .name = "selinux",
7373 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7374 .enabled = &selinux_enabled_boot,
7375 .blobs = &selinux_blob_sizes,
7376 .init = selinux_init,
7377 };
7378
7379 #if defined(CONFIG_NETFILTER)
7380
7381 static const struct nf_hook_ops selinux_nf_ops[] = {
7382 {
7383 .hook = selinux_ip_postroute,
7384 .pf = NFPROTO_IPV4,
7385 .hooknum = NF_INET_POST_ROUTING,
7386 .priority = NF_IP_PRI_SELINUX_LAST,
7387 },
7388 {
7389 .hook = selinux_ip_forward,
7390 .pf = NFPROTO_IPV4,
7391 .hooknum = NF_INET_FORWARD,
7392 .priority = NF_IP_PRI_SELINUX_FIRST,
7393 },
7394 {
7395 .hook = selinux_ip_output,
7396 .pf = NFPROTO_IPV4,
7397 .hooknum = NF_INET_LOCAL_OUT,
7398 .priority = NF_IP_PRI_SELINUX_FIRST,
7399 },
7400 #if IS_ENABLED(CONFIG_IPV6)
7401 {
7402 .hook = selinux_ip_postroute,
7403 .pf = NFPROTO_IPV6,
7404 .hooknum = NF_INET_POST_ROUTING,
7405 .priority = NF_IP6_PRI_SELINUX_LAST,
7406 },
7407 {
7408 .hook = selinux_ip_forward,
7409 .pf = NFPROTO_IPV6,
7410 .hooknum = NF_INET_FORWARD,
7411 .priority = NF_IP6_PRI_SELINUX_FIRST,
7412 },
7413 {
7414 .hook = selinux_ip_output,
7415 .pf = NFPROTO_IPV6,
7416 .hooknum = NF_INET_LOCAL_OUT,
7417 .priority = NF_IP6_PRI_SELINUX_FIRST,
7418 },
7419 #endif /* IPV6 */
7420 };
7421
selinux_nf_register(struct net * net)7422 static int __net_init selinux_nf_register(struct net *net)
7423 {
7424 return nf_register_net_hooks(net, selinux_nf_ops,
7425 ARRAY_SIZE(selinux_nf_ops));
7426 }
7427
selinux_nf_unregister(struct net * net)7428 static void __net_exit selinux_nf_unregister(struct net *net)
7429 {
7430 nf_unregister_net_hooks(net, selinux_nf_ops,
7431 ARRAY_SIZE(selinux_nf_ops));
7432 }
7433
7434 static struct pernet_operations selinux_net_ops = {
7435 .init = selinux_nf_register,
7436 .exit = selinux_nf_unregister,
7437 };
7438
selinux_nf_ip_init(void)7439 static int __init selinux_nf_ip_init(void)
7440 {
7441 int err;
7442
7443 if (!selinux_enabled_boot)
7444 return 0;
7445
7446 pr_debug("SELinux: Registering netfilter hooks\n");
7447
7448 err = register_pernet_subsys(&selinux_net_ops);
7449 if (err)
7450 panic("SELinux: register_pernet_subsys: error %d\n", err);
7451
7452 return 0;
7453 }
7454 __initcall(selinux_nf_ip_init);
7455
7456 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_nf_ip_exit(void)7457 static void selinux_nf_ip_exit(void)
7458 {
7459 pr_debug("SELinux: Unregistering netfilter hooks\n");
7460
7461 unregister_pernet_subsys(&selinux_net_ops);
7462 }
7463 #endif
7464
7465 #else /* CONFIG_NETFILTER */
7466
7467 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7468 #define selinux_nf_ip_exit()
7469 #endif
7470
7471 #endif /* CONFIG_NETFILTER */
7472
7473 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_disable(struct selinux_state * state)7474 int selinux_disable(struct selinux_state *state)
7475 {
7476 if (selinux_initialized(state)) {
7477 /* Not permitted after initial policy load. */
7478 return -EINVAL;
7479 }
7480
7481 if (selinux_disabled(state)) {
7482 /* Only do this once. */
7483 return -EINVAL;
7484 }
7485
7486 selinux_mark_disabled(state);
7487
7488 pr_info("SELinux: Disabled at runtime.\n");
7489
7490 /*
7491 * Unregister netfilter hooks.
7492 * Must be done before security_delete_hooks() to avoid breaking
7493 * runtime disable.
7494 */
7495 selinux_nf_ip_exit();
7496
7497 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7498
7499 /* Try to destroy the avc node cache */
7500 avc_disable();
7501
7502 /* Unregister selinuxfs. */
7503 exit_sel_fs();
7504
7505 return 0;
7506 }
7507 #endif
7508