1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
25 */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
91
92 #include "avc.h"
93 #include "objsec.h"
94 #include "netif.h"
95 #include "netnode.h"
96 #include "netport.h"
97 #include "ibpkey.h"
98 #include "xfrm.h"
99 #include "netlabel.h"
100 #include "audit.h"
101 #include "avc_ss.h"
102
103 struct selinux_state selinux_state;
104
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
107
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
110
enforcing_setup(char * str)111 static int __init enforcing_setup(char *str)
112 {
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
116 return 1;
117 }
118 __setup("enforcing=", enforcing_setup);
119 #else
120 #define selinux_enforcing_boot 1
121 #endif
122
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125
selinux_enabled_setup(char * str)126 static int __init selinux_enabled_setup(char *str)
127 {
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
131 return 1;
132 }
133 __setup("selinux=", selinux_enabled_setup);
134 #else
135 int selinux_enabled = 1;
136 #endif
137
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
checkreqprot_setup(char * str)141 static int __init checkreqprot_setup(char *str)
142 {
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
153
154 /**
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156 *
157 * Description:
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
163 *
164 */
selinux_secmark_enabled(void)165 static int selinux_secmark_enabled(void)
166 {
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
169 }
170
171 /**
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173 *
174 * Description:
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
179 *
180 */
selinux_peerlbl_enabled(void)181 static int selinux_peerlbl_enabled(void)
182 {
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
185 }
186
selinux_netcache_avc_callback(u32 event)187 static int selinux_netcache_avc_callback(u32 event)
188 {
189 if (event == AVC_CALLBACK_RESET) {
190 sel_netif_flush();
191 sel_netnode_flush();
192 sel_netport_flush();
193 synchronize_net();
194 }
195 return 0;
196 }
197
selinux_lsm_notifier_avc_callback(u32 event)198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200 if (event == AVC_CALLBACK_RESET) {
201 sel_ib_pkey_flush();
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 }
204
205 return 0;
206 }
207
208 /*
209 * initialise the security for the init task
210 */
cred_init_security(void)211 static void cred_init_security(void)
212 {
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
215
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
217 if (!tsec)
218 panic("SELinux: Failed to initialize initial task.\n");
219
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
222 }
223
224 /*
225 * get the security ID of a set of credentials
226 */
cred_sid(const struct cred * cred)227 static inline u32 cred_sid(const struct cred *cred)
228 {
229 const struct task_security_struct *tsec;
230
231 tsec = cred->security;
232 return tsec->sid;
233 }
234
235 /*
236 * get the objective security ID of a task
237 */
task_sid(const struct task_struct * task)238 static inline u32 task_sid(const struct task_struct *task)
239 {
240 u32 sid;
241
242 rcu_read_lock();
243 sid = cred_sid(__task_cred(task));
244 rcu_read_unlock();
245 return sid;
246 }
247
248 /* Allocate and free functions for each kind of security blob. */
249
inode_alloc_security(struct inode * inode)250 static int inode_alloc_security(struct inode *inode)
251 {
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
254
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
256 if (!isec)
257 return -ENOMEM;
258
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
261 isec->inode = inode;
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
267
268 return 0;
269 }
270
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
272
273 /*
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @dentry parameter should be set to a dentry of the inode.
278 */
__inode_security_revalidate(struct inode * inode,struct dentry * dentry,bool may_sleep)279 static int __inode_security_revalidate(struct inode *inode,
280 struct dentry *dentry,
281 bool may_sleep)
282 {
283 struct inode_security_struct *isec = inode->i_security;
284
285 might_sleep_if(may_sleep);
286
287 if (selinux_state.initialized &&
288 isec->initialized != LABEL_INITIALIZED) {
289 if (!may_sleep)
290 return -ECHILD;
291
292 /*
293 * Try reloading the inode security label. This will fail if
294 * @opt_dentry is NULL and no dentry for this inode can be
295 * found; in that case, continue using the old label.
296 */
297 inode_doinit_with_dentry(inode, dentry);
298 }
299 return 0;
300 }
301
inode_security_novalidate(struct inode * inode)302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
303 {
304 return inode->i_security;
305 }
306
inode_security_rcu(struct inode * inode,bool rcu)307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
308 {
309 int error;
310
311 error = __inode_security_revalidate(inode, NULL, !rcu);
312 if (error)
313 return ERR_PTR(error);
314 return inode->i_security;
315 }
316
317 /*
318 * Get the security label of an inode.
319 */
inode_security(struct inode * inode)320 static struct inode_security_struct *inode_security(struct inode *inode)
321 {
322 __inode_security_revalidate(inode, NULL, true);
323 return inode->i_security;
324 }
325
backing_inode_security_novalidate(struct dentry * dentry)326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
327 {
328 struct inode *inode = d_backing_inode(dentry);
329
330 return inode->i_security;
331 }
332
333 /*
334 * Get the security label of a dentry's backing inode.
335 */
backing_inode_security(struct dentry * dentry)336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
337 {
338 struct inode *inode = d_backing_inode(dentry);
339
340 __inode_security_revalidate(inode, dentry, true);
341 return inode->i_security;
342 }
343
inode_free_rcu(struct rcu_head * head)344 static void inode_free_rcu(struct rcu_head *head)
345 {
346 struct inode_security_struct *isec;
347
348 isec = container_of(head, struct inode_security_struct, rcu);
349 kmem_cache_free(sel_inode_cache, isec);
350 }
351
inode_free_security(struct inode * inode)352 static void inode_free_security(struct inode *inode)
353 {
354 struct inode_security_struct *isec = inode->i_security;
355 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
356
357 /*
358 * As not all inode security structures are in a list, we check for
359 * empty list outside of the lock to make sure that we won't waste
360 * time taking a lock doing nothing.
361 *
362 * The list_del_init() function can be safely called more than once.
363 * It should not be possible for this function to be called with
364 * concurrent list_add(), but for better safety against future changes
365 * in the code, we use list_empty_careful() here.
366 */
367 if (!list_empty_careful(&isec->list)) {
368 spin_lock(&sbsec->isec_lock);
369 list_del_init(&isec->list);
370 spin_unlock(&sbsec->isec_lock);
371 }
372
373 /*
374 * The inode may still be referenced in a path walk and
375 * a call to selinux_inode_permission() can be made
376 * after inode_free_security() is called. Ideally, the VFS
377 * wouldn't do this, but fixing that is a much harder
378 * job. For now, simply free the i_security via RCU, and
379 * leave the current inode->i_security pointer intact.
380 * The inode will be freed after the RCU grace period too.
381 */
382 call_rcu(&isec->rcu, inode_free_rcu);
383 }
384
file_alloc_security(struct file * file)385 static int file_alloc_security(struct file *file)
386 {
387 struct file_security_struct *fsec;
388 u32 sid = current_sid();
389
390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
391 if (!fsec)
392 return -ENOMEM;
393
394 fsec->sid = sid;
395 fsec->fown_sid = sid;
396 file->f_security = fsec;
397
398 return 0;
399 }
400
file_free_security(struct file * file)401 static void file_free_security(struct file *file)
402 {
403 struct file_security_struct *fsec = file->f_security;
404 file->f_security = NULL;
405 kmem_cache_free(file_security_cache, fsec);
406 }
407
superblock_alloc_security(struct super_block * sb)408 static int superblock_alloc_security(struct super_block *sb)
409 {
410 struct superblock_security_struct *sbsec;
411
412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
413 if (!sbsec)
414 return -ENOMEM;
415
416 mutex_init(&sbsec->lock);
417 INIT_LIST_HEAD(&sbsec->isec_head);
418 spin_lock_init(&sbsec->isec_lock);
419 sbsec->sb = sb;
420 sbsec->sid = SECINITSID_UNLABELED;
421 sbsec->def_sid = SECINITSID_FILE;
422 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423 sb->s_security = sbsec;
424
425 return 0;
426 }
427
superblock_free_security(struct super_block * sb)428 static void superblock_free_security(struct super_block *sb)
429 {
430 struct superblock_security_struct *sbsec = sb->s_security;
431 sb->s_security = NULL;
432 kfree(sbsec);
433 }
434
inode_doinit(struct inode * inode)435 static inline int inode_doinit(struct inode *inode)
436 {
437 return inode_doinit_with_dentry(inode, NULL);
438 }
439
440 enum {
441 Opt_error = -1,
442 Opt_context = 1,
443 Opt_fscontext = 2,
444 Opt_defcontext = 3,
445 Opt_rootcontext = 4,
446 Opt_labelsupport = 5,
447 Opt_nextmntopt = 6,
448 };
449
450 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
451
452 static const match_table_t tokens = {
453 {Opt_context, CONTEXT_STR "%s"},
454 {Opt_fscontext, FSCONTEXT_STR "%s"},
455 {Opt_defcontext, DEFCONTEXT_STR "%s"},
456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457 {Opt_labelsupport, LABELSUPP_STR},
458 {Opt_error, NULL},
459 };
460
461 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
462
may_context_mount_sb_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)463 static int may_context_mount_sb_relabel(u32 sid,
464 struct superblock_security_struct *sbsec,
465 const struct cred *cred)
466 {
467 const struct task_security_struct *tsec = cred->security;
468 int rc;
469
470 rc = avc_has_perm(&selinux_state,
471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 FILESYSTEM__RELABELFROM, NULL);
473 if (rc)
474 return rc;
475
476 rc = avc_has_perm(&selinux_state,
477 tsec->sid, sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__RELABELTO, NULL);
479 return rc;
480 }
481
may_context_mount_inode_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)482 static int may_context_mount_inode_relabel(u32 sid,
483 struct superblock_security_struct *sbsec,
484 const struct cred *cred)
485 {
486 const struct task_security_struct *tsec = cred->security;
487 int rc;
488 rc = avc_has_perm(&selinux_state,
489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 FILESYSTEM__RELABELFROM, NULL);
491 if (rc)
492 return rc;
493
494 rc = avc_has_perm(&selinux_state,
495 sid, sbsec->sid, SECCLASS_FILESYSTEM,
496 FILESYSTEM__ASSOCIATE, NULL);
497 return rc;
498 }
499
selinux_is_genfs_special_handling(struct super_block * sb)500 static int selinux_is_genfs_special_handling(struct super_block *sb)
501 {
502 /* Special handling. Genfs but also in-core setxattr handler */
503 return !strcmp(sb->s_type->name, "sysfs") ||
504 !strcmp(sb->s_type->name, "pstore") ||
505 !strcmp(sb->s_type->name, "debugfs") ||
506 !strcmp(sb->s_type->name, "tracefs") ||
507 !strcmp(sb->s_type->name, "rootfs") ||
508 (selinux_policycap_cgroupseclabel() &&
509 (!strcmp(sb->s_type->name, "cgroup") ||
510 !strcmp(sb->s_type->name, "cgroup2")));
511 }
512
selinux_is_sblabel_mnt(struct super_block * sb)513 static int selinux_is_sblabel_mnt(struct super_block *sb)
514 {
515 struct superblock_security_struct *sbsec = sb->s_security;
516
517 /*
518 * IMPORTANT: Double-check logic in this function when adding a new
519 * SECURITY_FS_USE_* definition!
520 */
521 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
522
523 switch (sbsec->behavior) {
524 case SECURITY_FS_USE_XATTR:
525 case SECURITY_FS_USE_TRANS:
526 case SECURITY_FS_USE_TASK:
527 case SECURITY_FS_USE_NATIVE:
528 return 1;
529
530 case SECURITY_FS_USE_GENFS:
531 return selinux_is_genfs_special_handling(sb);
532
533 /* Never allow relabeling on context mounts */
534 case SECURITY_FS_USE_MNTPOINT:
535 case SECURITY_FS_USE_NONE:
536 default:
537 return 0;
538 }
539 }
540
sb_finish_set_opts(struct super_block * sb)541 static int sb_finish_set_opts(struct super_block *sb)
542 {
543 struct superblock_security_struct *sbsec = sb->s_security;
544 struct dentry *root = sb->s_root;
545 struct inode *root_inode = d_backing_inode(root);
546 int rc = 0;
547
548 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
549 /* Make sure that the xattr handler exists and that no
550 error other than -ENODATA is returned by getxattr on
551 the root directory. -ENODATA is ok, as this may be
552 the first boot of the SELinux kernel before we have
553 assigned xattr values to the filesystem. */
554 if (!(root_inode->i_opflags & IOP_XATTR)) {
555 pr_warn("SELinux: (dev %s, type %s) has no "
556 "xattr support\n", sb->s_id, sb->s_type->name);
557 rc = -EOPNOTSUPP;
558 goto out;
559 }
560
561 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
562 if (rc < 0 && rc != -ENODATA) {
563 if (rc == -EOPNOTSUPP)
564 pr_warn("SELinux: (dev %s, type "
565 "%s) has no security xattr handler\n",
566 sb->s_id, sb->s_type->name);
567 else
568 pr_warn("SELinux: (dev %s, type "
569 "%s) getxattr errno %d\n", sb->s_id,
570 sb->s_type->name, -rc);
571 goto out;
572 }
573 }
574
575 sbsec->flags |= SE_SBINITIALIZED;
576
577 /*
578 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
579 * leave the flag untouched because sb_clone_mnt_opts might be handing
580 * us a superblock that needs the flag to be cleared.
581 */
582 if (selinux_is_sblabel_mnt(sb))
583 sbsec->flags |= SBLABEL_MNT;
584 else
585 sbsec->flags &= ~SBLABEL_MNT;
586
587 /* Initialize the root inode. */
588 rc = inode_doinit_with_dentry(root_inode, root);
589
590 /* Initialize any other inodes associated with the superblock, e.g.
591 inodes created prior to initial policy load or inodes created
592 during get_sb by a pseudo filesystem that directly
593 populates itself. */
594 spin_lock(&sbsec->isec_lock);
595 next_inode:
596 if (!list_empty(&sbsec->isec_head)) {
597 struct inode_security_struct *isec =
598 list_entry(sbsec->isec_head.next,
599 struct inode_security_struct, list);
600 struct inode *inode = isec->inode;
601 list_del_init(&isec->list);
602 spin_unlock(&sbsec->isec_lock);
603 inode = igrab(inode);
604 if (inode) {
605 if (!IS_PRIVATE(inode))
606 inode_doinit(inode);
607 iput(inode);
608 }
609 spin_lock(&sbsec->isec_lock);
610 goto next_inode;
611 }
612 spin_unlock(&sbsec->isec_lock);
613 out:
614 return rc;
615 }
616
617 /*
618 * This function should allow an FS to ask what it's mount security
619 * options were so it can use those later for submounts, displaying
620 * mount options, or whatever.
621 */
selinux_get_mnt_opts(const struct super_block * sb,struct security_mnt_opts * opts)622 static int selinux_get_mnt_opts(const struct super_block *sb,
623 struct security_mnt_opts *opts)
624 {
625 int rc = 0, i;
626 struct superblock_security_struct *sbsec = sb->s_security;
627 char *context = NULL;
628 u32 len;
629 char tmp;
630
631 security_init_mnt_opts(opts);
632
633 if (!(sbsec->flags & SE_SBINITIALIZED))
634 return -EINVAL;
635
636 if (!selinux_state.initialized)
637 return -EINVAL;
638
639 /* make sure we always check enough bits to cover the mask */
640 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
641
642 tmp = sbsec->flags & SE_MNTMASK;
643 /* count the number of mount options for this sb */
644 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
645 if (tmp & 0x01)
646 opts->num_mnt_opts++;
647 tmp >>= 1;
648 }
649 /* Check if the Label support flag is set */
650 if (sbsec->flags & SBLABEL_MNT)
651 opts->num_mnt_opts++;
652
653 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
654 if (!opts->mnt_opts) {
655 rc = -ENOMEM;
656 goto out_free;
657 }
658
659 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
660 if (!opts->mnt_opts_flags) {
661 rc = -ENOMEM;
662 goto out_free;
663 }
664
665 i = 0;
666 if (sbsec->flags & FSCONTEXT_MNT) {
667 rc = security_sid_to_context(&selinux_state, sbsec->sid,
668 &context, &len);
669 if (rc)
670 goto out_free;
671 opts->mnt_opts[i] = context;
672 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
673 }
674 if (sbsec->flags & CONTEXT_MNT) {
675 rc = security_sid_to_context(&selinux_state,
676 sbsec->mntpoint_sid,
677 &context, &len);
678 if (rc)
679 goto out_free;
680 opts->mnt_opts[i] = context;
681 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
682 }
683 if (sbsec->flags & DEFCONTEXT_MNT) {
684 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
685 &context, &len);
686 if (rc)
687 goto out_free;
688 opts->mnt_opts[i] = context;
689 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
690 }
691 if (sbsec->flags & ROOTCONTEXT_MNT) {
692 struct dentry *root = sbsec->sb->s_root;
693 struct inode_security_struct *isec = backing_inode_security(root);
694
695 rc = security_sid_to_context(&selinux_state, isec->sid,
696 &context, &len);
697 if (rc)
698 goto out_free;
699 opts->mnt_opts[i] = context;
700 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
701 }
702 if (sbsec->flags & SBLABEL_MNT) {
703 opts->mnt_opts[i] = NULL;
704 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
705 }
706
707 BUG_ON(i != opts->num_mnt_opts);
708
709 return 0;
710
711 out_free:
712 security_free_mnt_opts(opts);
713 return rc;
714 }
715
bad_option(struct superblock_security_struct * sbsec,char flag,u32 old_sid,u32 new_sid)716 static int bad_option(struct superblock_security_struct *sbsec, char flag,
717 u32 old_sid, u32 new_sid)
718 {
719 char mnt_flags = sbsec->flags & SE_MNTMASK;
720
721 /* check if the old mount command had the same options */
722 if (sbsec->flags & SE_SBINITIALIZED)
723 if (!(sbsec->flags & flag) ||
724 (old_sid != new_sid))
725 return 1;
726
727 /* check if we were passed the same options twice,
728 * aka someone passed context=a,context=b
729 */
730 if (!(sbsec->flags & SE_SBINITIALIZED))
731 if (mnt_flags & flag)
732 return 1;
733 return 0;
734 }
735
736 /*
737 * Allow filesystems with binary mount data to explicitly set mount point
738 * labeling information.
739 */
selinux_set_mnt_opts(struct super_block * sb,struct security_mnt_opts * opts,unsigned long kern_flags,unsigned long * set_kern_flags)740 static int selinux_set_mnt_opts(struct super_block *sb,
741 struct security_mnt_opts *opts,
742 unsigned long kern_flags,
743 unsigned long *set_kern_flags)
744 {
745 const struct cred *cred = current_cred();
746 int rc = 0, i;
747 struct superblock_security_struct *sbsec = sb->s_security;
748 const char *name = sb->s_type->name;
749 struct dentry *root = sbsec->sb->s_root;
750 struct inode_security_struct *root_isec;
751 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
752 u32 defcontext_sid = 0;
753 char **mount_options = opts->mnt_opts;
754 int *flags = opts->mnt_opts_flags;
755 int num_opts = opts->num_mnt_opts;
756
757 mutex_lock(&sbsec->lock);
758
759 if (!selinux_state.initialized) {
760 if (!num_opts) {
761 /* Defer initialization until selinux_complete_init,
762 after the initial policy is loaded and the security
763 server is ready to handle calls. */
764 goto out;
765 }
766 rc = -EINVAL;
767 pr_warn("SELinux: Unable to set superblock options "
768 "before the security server is initialized\n");
769 goto out;
770 }
771 if (kern_flags && !set_kern_flags) {
772 /* Specifying internal flags without providing a place to
773 * place the results is not allowed */
774 rc = -EINVAL;
775 goto out;
776 }
777
778 /*
779 * Binary mount data FS will come through this function twice. Once
780 * from an explicit call and once from the generic calls from the vfs.
781 * Since the generic VFS calls will not contain any security mount data
782 * we need to skip the double mount verification.
783 *
784 * This does open a hole in which we will not notice if the first
785 * mount using this sb set explict options and a second mount using
786 * this sb does not set any security options. (The first options
787 * will be used for both mounts)
788 */
789 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
790 && (num_opts == 0))
791 goto out;
792
793 root_isec = backing_inode_security_novalidate(root);
794
795 /*
796 * parse the mount options, check if they are valid sids.
797 * also check if someone is trying to mount the same sb more
798 * than once with different security options.
799 */
800 for (i = 0; i < num_opts; i++) {
801 u32 sid;
802
803 if (flags[i] == SBLABEL_MNT)
804 continue;
805 rc = security_context_str_to_sid(&selinux_state,
806 mount_options[i], &sid,
807 GFP_KERNEL);
808 if (rc) {
809 pr_warn("SELinux: security_context_str_to_sid"
810 "(%s) failed for (dev %s, type %s) errno=%d\n",
811 mount_options[i], sb->s_id, name, rc);
812 goto out;
813 }
814 switch (flags[i]) {
815 case FSCONTEXT_MNT:
816 fscontext_sid = sid;
817
818 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
819 fscontext_sid))
820 goto out_double_mount;
821
822 sbsec->flags |= FSCONTEXT_MNT;
823 break;
824 case CONTEXT_MNT:
825 context_sid = sid;
826
827 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
828 context_sid))
829 goto out_double_mount;
830
831 sbsec->flags |= CONTEXT_MNT;
832 break;
833 case ROOTCONTEXT_MNT:
834 rootcontext_sid = sid;
835
836 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
837 rootcontext_sid))
838 goto out_double_mount;
839
840 sbsec->flags |= ROOTCONTEXT_MNT;
841
842 break;
843 case DEFCONTEXT_MNT:
844 defcontext_sid = sid;
845
846 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
847 defcontext_sid))
848 goto out_double_mount;
849
850 sbsec->flags |= DEFCONTEXT_MNT;
851
852 break;
853 default:
854 rc = -EINVAL;
855 goto out;
856 }
857 }
858
859 if (sbsec->flags & SE_SBINITIALIZED) {
860 /* previously mounted with options, but not on this attempt? */
861 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
862 goto out_double_mount;
863 rc = 0;
864 goto out;
865 }
866
867 if (strcmp(sb->s_type->name, "proc") == 0)
868 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
869
870 if (!strcmp(sb->s_type->name, "debugfs") ||
871 !strcmp(sb->s_type->name, "tracefs") ||
872 !strcmp(sb->s_type->name, "sysfs") ||
873 !strcmp(sb->s_type->name, "pstore") ||
874 !strcmp(sb->s_type->name, "cgroup") ||
875 !strcmp(sb->s_type->name, "cgroup2"))
876 sbsec->flags |= SE_SBGENFS;
877
878 if (!sbsec->behavior) {
879 /*
880 * Determine the labeling behavior to use for this
881 * filesystem type.
882 */
883 rc = security_fs_use(&selinux_state, sb);
884 if (rc) {
885 pr_warn("%s: security_fs_use(%s) returned %d\n",
886 __func__, sb->s_type->name, rc);
887 goto out;
888 }
889 }
890
891 /*
892 * If this is a user namespace mount and the filesystem type is not
893 * explicitly whitelisted, then no contexts are allowed on the command
894 * line and security labels must be ignored.
895 */
896 if (sb->s_user_ns != &init_user_ns &&
897 strcmp(sb->s_type->name, "tmpfs") &&
898 strcmp(sb->s_type->name, "ramfs") &&
899 strcmp(sb->s_type->name, "devpts")) {
900 if (context_sid || fscontext_sid || rootcontext_sid ||
901 defcontext_sid) {
902 rc = -EACCES;
903 goto out;
904 }
905 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
906 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
907 rc = security_transition_sid(&selinux_state,
908 current_sid(),
909 current_sid(),
910 SECCLASS_FILE, NULL,
911 &sbsec->mntpoint_sid);
912 if (rc)
913 goto out;
914 }
915 goto out_set_opts;
916 }
917
918 /* sets the context of the superblock for the fs being mounted. */
919 if (fscontext_sid) {
920 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
921 if (rc)
922 goto out;
923
924 sbsec->sid = fscontext_sid;
925 }
926
927 /*
928 * Switch to using mount point labeling behavior.
929 * sets the label used on all file below the mountpoint, and will set
930 * the superblock context if not already set.
931 */
932 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
933 sbsec->behavior = SECURITY_FS_USE_NATIVE;
934 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
935 }
936
937 if (context_sid) {
938 if (!fscontext_sid) {
939 rc = may_context_mount_sb_relabel(context_sid, sbsec,
940 cred);
941 if (rc)
942 goto out;
943 sbsec->sid = context_sid;
944 } else {
945 rc = may_context_mount_inode_relabel(context_sid, sbsec,
946 cred);
947 if (rc)
948 goto out;
949 }
950 if (!rootcontext_sid)
951 rootcontext_sid = context_sid;
952
953 sbsec->mntpoint_sid = context_sid;
954 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
955 }
956
957 if (rootcontext_sid) {
958 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
959 cred);
960 if (rc)
961 goto out;
962
963 root_isec->sid = rootcontext_sid;
964 root_isec->initialized = LABEL_INITIALIZED;
965 }
966
967 if (defcontext_sid) {
968 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
969 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
970 rc = -EINVAL;
971 pr_warn("SELinux: defcontext option is "
972 "invalid for this filesystem type\n");
973 goto out;
974 }
975
976 if (defcontext_sid != sbsec->def_sid) {
977 rc = may_context_mount_inode_relabel(defcontext_sid,
978 sbsec, cred);
979 if (rc)
980 goto out;
981 }
982
983 sbsec->def_sid = defcontext_sid;
984 }
985
986 out_set_opts:
987 rc = sb_finish_set_opts(sb);
988 out:
989 mutex_unlock(&sbsec->lock);
990 return rc;
991 out_double_mount:
992 rc = -EINVAL;
993 pr_warn("SELinux: mount invalid. Same superblock, different "
994 "security settings for (dev %s, type %s)\n", sb->s_id, name);
995 goto out;
996 }
997
selinux_cmp_sb_context(const struct super_block * oldsb,const struct super_block * newsb)998 static int selinux_cmp_sb_context(const struct super_block *oldsb,
999 const struct super_block *newsb)
1000 {
1001 struct superblock_security_struct *old = oldsb->s_security;
1002 struct superblock_security_struct *new = newsb->s_security;
1003 char oldflags = old->flags & SE_MNTMASK;
1004 char newflags = new->flags & SE_MNTMASK;
1005
1006 if (oldflags != newflags)
1007 goto mismatch;
1008 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
1009 goto mismatch;
1010 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
1011 goto mismatch;
1012 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
1013 goto mismatch;
1014 if (oldflags & ROOTCONTEXT_MNT) {
1015 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
1016 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
1017 if (oldroot->sid != newroot->sid)
1018 goto mismatch;
1019 }
1020 return 0;
1021 mismatch:
1022 pr_warn("SELinux: mount invalid. Same superblock, "
1023 "different security settings for (dev %s, "
1024 "type %s)\n", newsb->s_id, newsb->s_type->name);
1025 return -EBUSY;
1026 }
1027
selinux_sb_clone_mnt_opts(const struct super_block * oldsb,struct super_block * newsb,unsigned long kern_flags,unsigned long * set_kern_flags)1028 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1029 struct super_block *newsb,
1030 unsigned long kern_flags,
1031 unsigned long *set_kern_flags)
1032 {
1033 int rc = 0;
1034 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1035 struct superblock_security_struct *newsbsec = newsb->s_security;
1036
1037 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1038 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1039 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1040
1041 /*
1042 * if the parent was able to be mounted it clearly had no special lsm
1043 * mount options. thus we can safely deal with this superblock later
1044 */
1045 if (!selinux_state.initialized)
1046 return 0;
1047
1048 /*
1049 * Specifying internal flags without providing a place to
1050 * place the results is not allowed.
1051 */
1052 if (kern_flags && !set_kern_flags)
1053 return -EINVAL;
1054
1055 /* how can we clone if the old one wasn't set up?? */
1056 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1057
1058 /* if fs is reusing a sb, make sure that the contexts match */
1059 if (newsbsec->flags & SE_SBINITIALIZED) {
1060 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
1061 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1062 return selinux_cmp_sb_context(oldsb, newsb);
1063 }
1064
1065 mutex_lock(&newsbsec->lock);
1066
1067 newsbsec->flags = oldsbsec->flags;
1068
1069 newsbsec->sid = oldsbsec->sid;
1070 newsbsec->def_sid = oldsbsec->def_sid;
1071 newsbsec->behavior = oldsbsec->behavior;
1072
1073 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1074 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1075 rc = security_fs_use(&selinux_state, newsb);
1076 if (rc)
1077 goto out;
1078 }
1079
1080 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1081 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1082 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1083 }
1084
1085 if (set_context) {
1086 u32 sid = oldsbsec->mntpoint_sid;
1087
1088 if (!set_fscontext)
1089 newsbsec->sid = sid;
1090 if (!set_rootcontext) {
1091 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1092 newisec->sid = sid;
1093 }
1094 newsbsec->mntpoint_sid = sid;
1095 }
1096 if (set_rootcontext) {
1097 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1098 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1099
1100 newisec->sid = oldisec->sid;
1101 }
1102
1103 sb_finish_set_opts(newsb);
1104 out:
1105 mutex_unlock(&newsbsec->lock);
1106 return rc;
1107 }
1108
selinux_parse_opts_str(char * options,struct security_mnt_opts * opts)1109 static int selinux_parse_opts_str(char *options,
1110 struct security_mnt_opts *opts)
1111 {
1112 char *p;
1113 char *context = NULL, *defcontext = NULL;
1114 char *fscontext = NULL, *rootcontext = NULL;
1115 int rc, num_mnt_opts = 0;
1116
1117 opts->num_mnt_opts = 0;
1118
1119 /* Standard string-based options. */
1120 while ((p = strsep(&options, "|")) != NULL) {
1121 int token;
1122 substring_t args[MAX_OPT_ARGS];
1123
1124 if (!*p)
1125 continue;
1126
1127 token = match_token(p, tokens, args);
1128
1129 switch (token) {
1130 case Opt_context:
1131 if (context || defcontext) {
1132 rc = -EINVAL;
1133 pr_warn(SEL_MOUNT_FAIL_MSG);
1134 goto out_err;
1135 }
1136 context = match_strdup(&args[0]);
1137 if (!context) {
1138 rc = -ENOMEM;
1139 goto out_err;
1140 }
1141 break;
1142
1143 case Opt_fscontext:
1144 if (fscontext) {
1145 rc = -EINVAL;
1146 pr_warn(SEL_MOUNT_FAIL_MSG);
1147 goto out_err;
1148 }
1149 fscontext = match_strdup(&args[0]);
1150 if (!fscontext) {
1151 rc = -ENOMEM;
1152 goto out_err;
1153 }
1154 break;
1155
1156 case Opt_rootcontext:
1157 if (rootcontext) {
1158 rc = -EINVAL;
1159 pr_warn(SEL_MOUNT_FAIL_MSG);
1160 goto out_err;
1161 }
1162 rootcontext = match_strdup(&args[0]);
1163 if (!rootcontext) {
1164 rc = -ENOMEM;
1165 goto out_err;
1166 }
1167 break;
1168
1169 case Opt_defcontext:
1170 if (context || defcontext) {
1171 rc = -EINVAL;
1172 pr_warn(SEL_MOUNT_FAIL_MSG);
1173 goto out_err;
1174 }
1175 defcontext = match_strdup(&args[0]);
1176 if (!defcontext) {
1177 rc = -ENOMEM;
1178 goto out_err;
1179 }
1180 break;
1181 case Opt_labelsupport:
1182 break;
1183 default:
1184 rc = -EINVAL;
1185 pr_warn("SELinux: unknown mount option\n");
1186 goto out_err;
1187
1188 }
1189 }
1190
1191 rc = -ENOMEM;
1192 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1193 if (!opts->mnt_opts)
1194 goto out_err;
1195
1196 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1197 GFP_KERNEL);
1198 if (!opts->mnt_opts_flags)
1199 goto out_err;
1200
1201 if (fscontext) {
1202 opts->mnt_opts[num_mnt_opts] = fscontext;
1203 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1204 }
1205 if (context) {
1206 opts->mnt_opts[num_mnt_opts] = context;
1207 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1208 }
1209 if (rootcontext) {
1210 opts->mnt_opts[num_mnt_opts] = rootcontext;
1211 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1212 }
1213 if (defcontext) {
1214 opts->mnt_opts[num_mnt_opts] = defcontext;
1215 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1216 }
1217
1218 opts->num_mnt_opts = num_mnt_opts;
1219 return 0;
1220
1221 out_err:
1222 security_free_mnt_opts(opts);
1223 kfree(context);
1224 kfree(defcontext);
1225 kfree(fscontext);
1226 kfree(rootcontext);
1227 return rc;
1228 }
1229 /*
1230 * string mount options parsing and call set the sbsec
1231 */
superblock_doinit(struct super_block * sb,void * data)1232 static int superblock_doinit(struct super_block *sb, void *data)
1233 {
1234 int rc = 0;
1235 char *options = data;
1236 struct security_mnt_opts opts;
1237
1238 security_init_mnt_opts(&opts);
1239
1240 if (!data)
1241 goto out;
1242
1243 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1244
1245 rc = selinux_parse_opts_str(options, &opts);
1246 if (rc)
1247 goto out_err;
1248
1249 out:
1250 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1251
1252 out_err:
1253 security_free_mnt_opts(&opts);
1254 return rc;
1255 }
1256
selinux_write_opts(struct seq_file * m,struct security_mnt_opts * opts)1257 static void selinux_write_opts(struct seq_file *m,
1258 struct security_mnt_opts *opts)
1259 {
1260 int i;
1261 char *prefix;
1262
1263 for (i = 0; i < opts->num_mnt_opts; i++) {
1264 char *has_comma;
1265
1266 if (opts->mnt_opts[i])
1267 has_comma = strchr(opts->mnt_opts[i], ',');
1268 else
1269 has_comma = NULL;
1270
1271 switch (opts->mnt_opts_flags[i]) {
1272 case CONTEXT_MNT:
1273 prefix = CONTEXT_STR;
1274 break;
1275 case FSCONTEXT_MNT:
1276 prefix = FSCONTEXT_STR;
1277 break;
1278 case ROOTCONTEXT_MNT:
1279 prefix = ROOTCONTEXT_STR;
1280 break;
1281 case DEFCONTEXT_MNT:
1282 prefix = DEFCONTEXT_STR;
1283 break;
1284 case SBLABEL_MNT:
1285 seq_putc(m, ',');
1286 seq_puts(m, LABELSUPP_STR);
1287 continue;
1288 default:
1289 BUG();
1290 return;
1291 };
1292 /* we need a comma before each option */
1293 seq_putc(m, ',');
1294 seq_puts(m, prefix);
1295 if (has_comma)
1296 seq_putc(m, '\"');
1297 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1298 if (has_comma)
1299 seq_putc(m, '\"');
1300 }
1301 }
1302
selinux_sb_show_options(struct seq_file * m,struct super_block * sb)1303 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1304 {
1305 struct security_mnt_opts opts;
1306 int rc;
1307
1308 rc = selinux_get_mnt_opts(sb, &opts);
1309 if (rc) {
1310 /* before policy load we may get EINVAL, don't show anything */
1311 if (rc == -EINVAL)
1312 rc = 0;
1313 return rc;
1314 }
1315
1316 selinux_write_opts(m, &opts);
1317
1318 security_free_mnt_opts(&opts);
1319
1320 return rc;
1321 }
1322
inode_mode_to_security_class(umode_t mode)1323 static inline u16 inode_mode_to_security_class(umode_t mode)
1324 {
1325 switch (mode & S_IFMT) {
1326 case S_IFSOCK:
1327 return SECCLASS_SOCK_FILE;
1328 case S_IFLNK:
1329 return SECCLASS_LNK_FILE;
1330 case S_IFREG:
1331 return SECCLASS_FILE;
1332 case S_IFBLK:
1333 return SECCLASS_BLK_FILE;
1334 case S_IFDIR:
1335 return SECCLASS_DIR;
1336 case S_IFCHR:
1337 return SECCLASS_CHR_FILE;
1338 case S_IFIFO:
1339 return SECCLASS_FIFO_FILE;
1340
1341 }
1342
1343 return SECCLASS_FILE;
1344 }
1345
default_protocol_stream(int protocol)1346 static inline int default_protocol_stream(int protocol)
1347 {
1348 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1349 }
1350
default_protocol_dgram(int protocol)1351 static inline int default_protocol_dgram(int protocol)
1352 {
1353 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1354 }
1355
socket_type_to_security_class(int family,int type,int protocol)1356 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1357 {
1358 int extsockclass = selinux_policycap_extsockclass();
1359
1360 switch (family) {
1361 case PF_UNIX:
1362 switch (type) {
1363 case SOCK_STREAM:
1364 case SOCK_SEQPACKET:
1365 return SECCLASS_UNIX_STREAM_SOCKET;
1366 case SOCK_DGRAM:
1367 case SOCK_RAW:
1368 return SECCLASS_UNIX_DGRAM_SOCKET;
1369 }
1370 break;
1371 case PF_INET:
1372 case PF_INET6:
1373 switch (type) {
1374 case SOCK_STREAM:
1375 case SOCK_SEQPACKET:
1376 if (default_protocol_stream(protocol))
1377 return SECCLASS_TCP_SOCKET;
1378 else if (extsockclass && protocol == IPPROTO_SCTP)
1379 return SECCLASS_SCTP_SOCKET;
1380 else
1381 return SECCLASS_RAWIP_SOCKET;
1382 case SOCK_DGRAM:
1383 if (default_protocol_dgram(protocol))
1384 return SECCLASS_UDP_SOCKET;
1385 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1386 protocol == IPPROTO_ICMPV6))
1387 return SECCLASS_ICMP_SOCKET;
1388 else
1389 return SECCLASS_RAWIP_SOCKET;
1390 case SOCK_DCCP:
1391 return SECCLASS_DCCP_SOCKET;
1392 default:
1393 return SECCLASS_RAWIP_SOCKET;
1394 }
1395 break;
1396 case PF_NETLINK:
1397 switch (protocol) {
1398 case NETLINK_ROUTE:
1399 return SECCLASS_NETLINK_ROUTE_SOCKET;
1400 case NETLINK_SOCK_DIAG:
1401 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1402 case NETLINK_NFLOG:
1403 return SECCLASS_NETLINK_NFLOG_SOCKET;
1404 case NETLINK_XFRM:
1405 return SECCLASS_NETLINK_XFRM_SOCKET;
1406 case NETLINK_SELINUX:
1407 return SECCLASS_NETLINK_SELINUX_SOCKET;
1408 case NETLINK_ISCSI:
1409 return SECCLASS_NETLINK_ISCSI_SOCKET;
1410 case NETLINK_AUDIT:
1411 return SECCLASS_NETLINK_AUDIT_SOCKET;
1412 case NETLINK_FIB_LOOKUP:
1413 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1414 case NETLINK_CONNECTOR:
1415 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1416 case NETLINK_NETFILTER:
1417 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1418 case NETLINK_DNRTMSG:
1419 return SECCLASS_NETLINK_DNRT_SOCKET;
1420 case NETLINK_KOBJECT_UEVENT:
1421 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1422 case NETLINK_GENERIC:
1423 return SECCLASS_NETLINK_GENERIC_SOCKET;
1424 case NETLINK_SCSITRANSPORT:
1425 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1426 case NETLINK_RDMA:
1427 return SECCLASS_NETLINK_RDMA_SOCKET;
1428 case NETLINK_CRYPTO:
1429 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1430 default:
1431 return SECCLASS_NETLINK_SOCKET;
1432 }
1433 case PF_PACKET:
1434 return SECCLASS_PACKET_SOCKET;
1435 case PF_KEY:
1436 return SECCLASS_KEY_SOCKET;
1437 case PF_APPLETALK:
1438 return SECCLASS_APPLETALK_SOCKET;
1439 }
1440
1441 if (extsockclass) {
1442 switch (family) {
1443 case PF_AX25:
1444 return SECCLASS_AX25_SOCKET;
1445 case PF_IPX:
1446 return SECCLASS_IPX_SOCKET;
1447 case PF_NETROM:
1448 return SECCLASS_NETROM_SOCKET;
1449 case PF_ATMPVC:
1450 return SECCLASS_ATMPVC_SOCKET;
1451 case PF_X25:
1452 return SECCLASS_X25_SOCKET;
1453 case PF_ROSE:
1454 return SECCLASS_ROSE_SOCKET;
1455 case PF_DECnet:
1456 return SECCLASS_DECNET_SOCKET;
1457 case PF_ATMSVC:
1458 return SECCLASS_ATMSVC_SOCKET;
1459 case PF_RDS:
1460 return SECCLASS_RDS_SOCKET;
1461 case PF_IRDA:
1462 return SECCLASS_IRDA_SOCKET;
1463 case PF_PPPOX:
1464 return SECCLASS_PPPOX_SOCKET;
1465 case PF_LLC:
1466 return SECCLASS_LLC_SOCKET;
1467 case PF_CAN:
1468 return SECCLASS_CAN_SOCKET;
1469 case PF_TIPC:
1470 return SECCLASS_TIPC_SOCKET;
1471 case PF_BLUETOOTH:
1472 return SECCLASS_BLUETOOTH_SOCKET;
1473 case PF_IUCV:
1474 return SECCLASS_IUCV_SOCKET;
1475 case PF_RXRPC:
1476 return SECCLASS_RXRPC_SOCKET;
1477 case PF_ISDN:
1478 return SECCLASS_ISDN_SOCKET;
1479 case PF_PHONET:
1480 return SECCLASS_PHONET_SOCKET;
1481 case PF_IEEE802154:
1482 return SECCLASS_IEEE802154_SOCKET;
1483 case PF_CAIF:
1484 return SECCLASS_CAIF_SOCKET;
1485 case PF_ALG:
1486 return SECCLASS_ALG_SOCKET;
1487 case PF_NFC:
1488 return SECCLASS_NFC_SOCKET;
1489 case PF_VSOCK:
1490 return SECCLASS_VSOCK_SOCKET;
1491 case PF_KCM:
1492 return SECCLASS_KCM_SOCKET;
1493 case PF_QIPCRTR:
1494 return SECCLASS_QIPCRTR_SOCKET;
1495 case PF_SMC:
1496 return SECCLASS_SMC_SOCKET;
1497 case PF_XDP:
1498 return SECCLASS_XDP_SOCKET;
1499 #if PF_MAX > 45
1500 #error New address family defined, please update this function.
1501 #endif
1502 }
1503 }
1504
1505 return SECCLASS_SOCKET;
1506 }
1507
selinux_genfs_get_sid(struct dentry * dentry,u16 tclass,u16 flags,u32 * sid)1508 static int selinux_genfs_get_sid(struct dentry *dentry,
1509 u16 tclass,
1510 u16 flags,
1511 u32 *sid)
1512 {
1513 int rc;
1514 struct super_block *sb = dentry->d_sb;
1515 char *buffer, *path;
1516
1517 buffer = (char *)__get_free_page(GFP_KERNEL);
1518 if (!buffer)
1519 return -ENOMEM;
1520
1521 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1522 if (IS_ERR(path))
1523 rc = PTR_ERR(path);
1524 else {
1525 if (flags & SE_SBPROC) {
1526 /* each process gets a /proc/PID/ entry. Strip off the
1527 * PID part to get a valid selinux labeling.
1528 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1529 while (path[1] >= '0' && path[1] <= '9') {
1530 path[1] = '/';
1531 path++;
1532 }
1533 }
1534 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1535 path, tclass, sid);
1536 if (rc == -ENOENT) {
1537 /* No match in policy, mark as unlabeled. */
1538 *sid = SECINITSID_UNLABELED;
1539 rc = 0;
1540 }
1541 }
1542 free_page((unsigned long)buffer);
1543 return rc;
1544 }
1545
1546 /* The inode's security attributes must be initialized before first use. */
inode_doinit_with_dentry(struct inode * inode,struct dentry * opt_dentry)1547 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1548 {
1549 struct superblock_security_struct *sbsec = NULL;
1550 struct inode_security_struct *isec = inode->i_security;
1551 u32 task_sid, sid = 0;
1552 u16 sclass;
1553 struct dentry *dentry;
1554 #define INITCONTEXTLEN 255
1555 char *context = NULL;
1556 unsigned len = 0;
1557 int rc = 0;
1558
1559 if (isec->initialized == LABEL_INITIALIZED)
1560 return 0;
1561
1562 spin_lock(&isec->lock);
1563 if (isec->initialized == LABEL_INITIALIZED)
1564 goto out_unlock;
1565
1566 if (isec->sclass == SECCLASS_FILE)
1567 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1568
1569 sbsec = inode->i_sb->s_security;
1570 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1571 /* Defer initialization until selinux_complete_init,
1572 after the initial policy is loaded and the security
1573 server is ready to handle calls. */
1574 spin_lock(&sbsec->isec_lock);
1575 if (list_empty(&isec->list))
1576 list_add(&isec->list, &sbsec->isec_head);
1577 spin_unlock(&sbsec->isec_lock);
1578 goto out_unlock;
1579 }
1580
1581 sclass = isec->sclass;
1582 task_sid = isec->task_sid;
1583 sid = isec->sid;
1584 isec->initialized = LABEL_PENDING;
1585 spin_unlock(&isec->lock);
1586
1587 switch (sbsec->behavior) {
1588 case SECURITY_FS_USE_NATIVE:
1589 break;
1590 case SECURITY_FS_USE_XATTR:
1591 if (!(inode->i_opflags & IOP_XATTR)) {
1592 sid = sbsec->def_sid;
1593 break;
1594 }
1595 /* Need a dentry, since the xattr API requires one.
1596 Life would be simpler if we could just pass the inode. */
1597 if (opt_dentry) {
1598 /* Called from d_instantiate or d_splice_alias. */
1599 dentry = dget(opt_dentry);
1600 } else {
1601 /*
1602 * Called from selinux_complete_init, try to find a dentry.
1603 * Some filesystems really want a connected one, so try
1604 * that first. We could split SECURITY_FS_USE_XATTR in
1605 * two, depending upon that...
1606 */
1607 dentry = d_find_alias(inode);
1608 if (!dentry)
1609 dentry = d_find_any_alias(inode);
1610 }
1611 if (!dentry) {
1612 /*
1613 * this is can be hit on boot when a file is accessed
1614 * before the policy is loaded. When we load policy we
1615 * may find inodes that have no dentry on the
1616 * sbsec->isec_head list. No reason to complain as these
1617 * will get fixed up the next time we go through
1618 * inode_doinit with a dentry, before these inodes could
1619 * be used again by userspace.
1620 */
1621 goto out;
1622 }
1623
1624 len = INITCONTEXTLEN;
1625 context = kmalloc(len+1, GFP_NOFS);
1626 if (!context) {
1627 rc = -ENOMEM;
1628 dput(dentry);
1629 goto out;
1630 }
1631 context[len] = '\0';
1632 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1633 if (rc == -ERANGE) {
1634 kfree(context);
1635
1636 /* Need a larger buffer. Query for the right size. */
1637 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1638 if (rc < 0) {
1639 dput(dentry);
1640 goto out;
1641 }
1642 len = rc;
1643 context = kmalloc(len+1, GFP_NOFS);
1644 if (!context) {
1645 rc = -ENOMEM;
1646 dput(dentry);
1647 goto out;
1648 }
1649 context[len] = '\0';
1650 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1651 }
1652 dput(dentry);
1653 if (rc < 0) {
1654 if (rc != -ENODATA) {
1655 pr_warn("SELinux: %s: getxattr returned "
1656 "%d for dev=%s ino=%ld\n", __func__,
1657 -rc, inode->i_sb->s_id, inode->i_ino);
1658 kfree(context);
1659 goto out;
1660 }
1661 /* Map ENODATA to the default file SID */
1662 sid = sbsec->def_sid;
1663 rc = 0;
1664 } else {
1665 rc = security_context_to_sid_default(&selinux_state,
1666 context, rc, &sid,
1667 sbsec->def_sid,
1668 GFP_NOFS);
1669 if (rc) {
1670 char *dev = inode->i_sb->s_id;
1671 unsigned long ino = inode->i_ino;
1672
1673 if (rc == -EINVAL) {
1674 if (printk_ratelimit())
1675 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1676 "context=%s. This indicates you may need to relabel the inode or the "
1677 "filesystem in question.\n", ino, dev, context);
1678 } else {
1679 pr_warn("SELinux: %s: context_to_sid(%s) "
1680 "returned %d for dev=%s ino=%ld\n",
1681 __func__, context, -rc, dev, ino);
1682 }
1683 kfree(context);
1684 /* Leave with the unlabeled SID */
1685 rc = 0;
1686 break;
1687 }
1688 }
1689 kfree(context);
1690 break;
1691 case SECURITY_FS_USE_TASK:
1692 sid = task_sid;
1693 break;
1694 case SECURITY_FS_USE_TRANS:
1695 /* Default to the fs SID. */
1696 sid = sbsec->sid;
1697
1698 /* Try to obtain a transition SID. */
1699 rc = security_transition_sid(&selinux_state, task_sid, sid,
1700 sclass, NULL, &sid);
1701 if (rc)
1702 goto out;
1703 break;
1704 case SECURITY_FS_USE_MNTPOINT:
1705 sid = sbsec->mntpoint_sid;
1706 break;
1707 default:
1708 /* Default to the fs superblock SID. */
1709 sid = sbsec->sid;
1710
1711 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1712 /* We must have a dentry to determine the label on
1713 * procfs inodes */
1714 if (opt_dentry) {
1715 /* Called from d_instantiate or
1716 * d_splice_alias. */
1717 dentry = dget(opt_dentry);
1718 } else {
1719 /* Called from selinux_complete_init, try to
1720 * find a dentry. Some filesystems really want
1721 * a connected one, so try that first.
1722 */
1723 dentry = d_find_alias(inode);
1724 if (!dentry)
1725 dentry = d_find_any_alias(inode);
1726 }
1727 /*
1728 * This can be hit on boot when a file is accessed
1729 * before the policy is loaded. When we load policy we
1730 * may find inodes that have no dentry on the
1731 * sbsec->isec_head list. No reason to complain as
1732 * these will get fixed up the next time we go through
1733 * inode_doinit() with a dentry, before these inodes
1734 * could be used again by userspace.
1735 */
1736 if (!dentry)
1737 goto out;
1738 rc = selinux_genfs_get_sid(dentry, sclass,
1739 sbsec->flags, &sid);
1740 dput(dentry);
1741 if (rc)
1742 goto out;
1743 }
1744 break;
1745 }
1746
1747 out:
1748 spin_lock(&isec->lock);
1749 if (isec->initialized == LABEL_PENDING) {
1750 if (!sid || rc) {
1751 isec->initialized = LABEL_INVALID;
1752 goto out_unlock;
1753 }
1754
1755 isec->initialized = LABEL_INITIALIZED;
1756 isec->sid = sid;
1757 }
1758
1759 out_unlock:
1760 spin_unlock(&isec->lock);
1761 return rc;
1762 }
1763
1764 /* Convert a Linux signal to an access vector. */
signal_to_av(int sig)1765 static inline u32 signal_to_av(int sig)
1766 {
1767 u32 perm = 0;
1768
1769 switch (sig) {
1770 case SIGCHLD:
1771 /* Commonly granted from child to parent. */
1772 perm = PROCESS__SIGCHLD;
1773 break;
1774 case SIGKILL:
1775 /* Cannot be caught or ignored */
1776 perm = PROCESS__SIGKILL;
1777 break;
1778 case SIGSTOP:
1779 /* Cannot be caught or ignored */
1780 perm = PROCESS__SIGSTOP;
1781 break;
1782 default:
1783 /* All other signals. */
1784 perm = PROCESS__SIGNAL;
1785 break;
1786 }
1787
1788 return perm;
1789 }
1790
1791 #if CAP_LAST_CAP > 63
1792 #error Fix SELinux to handle capabilities > 63.
1793 #endif
1794
1795 /* Check whether a task is allowed to use a capability. */
cred_has_capability(const struct cred * cred,int cap,unsigned int opts,bool initns)1796 static int cred_has_capability(const struct cred *cred,
1797 int cap, unsigned int opts, bool initns)
1798 {
1799 struct common_audit_data ad;
1800 struct av_decision avd;
1801 u16 sclass;
1802 u32 sid = cred_sid(cred);
1803 u32 av = CAP_TO_MASK(cap);
1804 int rc;
1805
1806 ad.type = LSM_AUDIT_DATA_CAP;
1807 ad.u.cap = cap;
1808
1809 switch (CAP_TO_INDEX(cap)) {
1810 case 0:
1811 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1812 break;
1813 case 1:
1814 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1815 break;
1816 default:
1817 pr_err("SELinux: out of range capability %d\n", cap);
1818 BUG();
1819 return -EINVAL;
1820 }
1821
1822 rc = avc_has_perm_noaudit(&selinux_state,
1823 sid, sid, sclass, av, 0, &avd);
1824 if (!(opts & CAP_OPT_NOAUDIT)) {
1825 int rc2 = avc_audit(&selinux_state,
1826 sid, sid, sclass, av, &avd, rc, &ad, 0);
1827 if (rc2)
1828 return rc2;
1829 }
1830 return rc;
1831 }
1832
1833 /* Check whether a task has a particular permission to an inode.
1834 The 'adp' parameter is optional and allows other audit
1835 data to be passed (e.g. the dentry). */
inode_has_perm(const struct cred * cred,struct inode * inode,u32 perms,struct common_audit_data * adp)1836 static int inode_has_perm(const struct cred *cred,
1837 struct inode *inode,
1838 u32 perms,
1839 struct common_audit_data *adp)
1840 {
1841 struct inode_security_struct *isec;
1842 u32 sid;
1843
1844 validate_creds(cred);
1845
1846 if (unlikely(IS_PRIVATE(inode)))
1847 return 0;
1848
1849 sid = cred_sid(cred);
1850 isec = inode->i_security;
1851
1852 return avc_has_perm(&selinux_state,
1853 sid, isec->sid, isec->sclass, perms, adp);
1854 }
1855
1856 /* Same as inode_has_perm, but pass explicit audit data containing
1857 the dentry to help the auditing code to more easily generate the
1858 pathname if needed. */
dentry_has_perm(const struct cred * cred,struct dentry * dentry,u32 av)1859 static inline int dentry_has_perm(const struct cred *cred,
1860 struct dentry *dentry,
1861 u32 av)
1862 {
1863 struct inode *inode = d_backing_inode(dentry);
1864 struct common_audit_data ad;
1865
1866 ad.type = LSM_AUDIT_DATA_DENTRY;
1867 ad.u.dentry = dentry;
1868 __inode_security_revalidate(inode, dentry, true);
1869 return inode_has_perm(cred, inode, av, &ad);
1870 }
1871
1872 /* Same as inode_has_perm, but pass explicit audit data containing
1873 the path to help the auditing code to more easily generate the
1874 pathname if needed. */
path_has_perm(const struct cred * cred,const struct path * path,u32 av)1875 static inline int path_has_perm(const struct cred *cred,
1876 const struct path *path,
1877 u32 av)
1878 {
1879 struct inode *inode = d_backing_inode(path->dentry);
1880 struct common_audit_data ad;
1881
1882 ad.type = LSM_AUDIT_DATA_PATH;
1883 ad.u.path = *path;
1884 __inode_security_revalidate(inode, path->dentry, true);
1885 return inode_has_perm(cred, inode, av, &ad);
1886 }
1887
1888 /* Same as path_has_perm, but uses the inode from the file struct. */
file_path_has_perm(const struct cred * cred,struct file * file,u32 av)1889 static inline int file_path_has_perm(const struct cred *cred,
1890 struct file *file,
1891 u32 av)
1892 {
1893 struct common_audit_data ad;
1894
1895 ad.type = LSM_AUDIT_DATA_FILE;
1896 ad.u.file = file;
1897 return inode_has_perm(cred, file_inode(file), av, &ad);
1898 }
1899
1900 #ifdef CONFIG_BPF_SYSCALL
1901 static int bpf_fd_pass(struct file *file, u32 sid);
1902 #endif
1903
1904 /* Check whether a task can use an open file descriptor to
1905 access an inode in a given way. Check access to the
1906 descriptor itself, and then use dentry_has_perm to
1907 check a particular permission to the file.
1908 Access to the descriptor is implicitly granted if it
1909 has the same SID as the process. If av is zero, then
1910 access to the file is not checked, e.g. for cases
1911 where only the descriptor is affected like seek. */
file_has_perm(const struct cred * cred,struct file * file,u32 av)1912 static int file_has_perm(const struct cred *cred,
1913 struct file *file,
1914 u32 av)
1915 {
1916 struct file_security_struct *fsec = file->f_security;
1917 struct inode *inode = file_inode(file);
1918 struct common_audit_data ad;
1919 u32 sid = cred_sid(cred);
1920 int rc;
1921
1922 ad.type = LSM_AUDIT_DATA_FILE;
1923 ad.u.file = file;
1924
1925 if (sid != fsec->sid) {
1926 rc = avc_has_perm(&selinux_state,
1927 sid, fsec->sid,
1928 SECCLASS_FD,
1929 FD__USE,
1930 &ad);
1931 if (rc)
1932 goto out;
1933 }
1934
1935 #ifdef CONFIG_BPF_SYSCALL
1936 rc = bpf_fd_pass(file, cred_sid(cred));
1937 if (rc)
1938 return rc;
1939 #endif
1940
1941 /* av is zero if only checking access to the descriptor. */
1942 rc = 0;
1943 if (av)
1944 rc = inode_has_perm(cred, inode, av, &ad);
1945
1946 out:
1947 return rc;
1948 }
1949
1950 /*
1951 * Determine the label for an inode that might be unioned.
1952 */
1953 static int
selinux_determine_inode_label(const struct task_security_struct * tsec,struct inode * dir,const struct qstr * name,u16 tclass,u32 * _new_isid)1954 selinux_determine_inode_label(const struct task_security_struct *tsec,
1955 struct inode *dir,
1956 const struct qstr *name, u16 tclass,
1957 u32 *_new_isid)
1958 {
1959 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1960
1961 if ((sbsec->flags & SE_SBINITIALIZED) &&
1962 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1963 *_new_isid = sbsec->mntpoint_sid;
1964 } else if ((sbsec->flags & SBLABEL_MNT) &&
1965 tsec->create_sid) {
1966 *_new_isid = tsec->create_sid;
1967 } else {
1968 const struct inode_security_struct *dsec = inode_security(dir);
1969 return security_transition_sid(&selinux_state, tsec->sid,
1970 dsec->sid, tclass,
1971 name, _new_isid);
1972 }
1973
1974 return 0;
1975 }
1976
1977 /* Check whether a task can create a file. */
may_create(struct inode * dir,struct dentry * dentry,u16 tclass)1978 static int may_create(struct inode *dir,
1979 struct dentry *dentry,
1980 u16 tclass)
1981 {
1982 const struct task_security_struct *tsec = current_security();
1983 struct inode_security_struct *dsec;
1984 struct superblock_security_struct *sbsec;
1985 u32 sid, newsid;
1986 struct common_audit_data ad;
1987 int rc;
1988
1989 dsec = inode_security(dir);
1990 sbsec = dir->i_sb->s_security;
1991
1992 sid = tsec->sid;
1993
1994 ad.type = LSM_AUDIT_DATA_DENTRY;
1995 ad.u.dentry = dentry;
1996
1997 rc = avc_has_perm(&selinux_state,
1998 sid, dsec->sid, SECCLASS_DIR,
1999 DIR__ADD_NAME | DIR__SEARCH,
2000 &ad);
2001 if (rc)
2002 return rc;
2003
2004 rc = selinux_determine_inode_label(current_security(), dir,
2005 &dentry->d_name, tclass, &newsid);
2006 if (rc)
2007 return rc;
2008
2009 rc = avc_has_perm(&selinux_state,
2010 sid, newsid, tclass, FILE__CREATE, &ad);
2011 if (rc)
2012 return rc;
2013
2014 return avc_has_perm(&selinux_state,
2015 newsid, sbsec->sid,
2016 SECCLASS_FILESYSTEM,
2017 FILESYSTEM__ASSOCIATE, &ad);
2018 }
2019
2020 #define MAY_LINK 0
2021 #define MAY_UNLINK 1
2022 #define MAY_RMDIR 2
2023
2024 /* Check whether a task can link, unlink, or rmdir a file/directory. */
may_link(struct inode * dir,struct dentry * dentry,int kind)2025 static int may_link(struct inode *dir,
2026 struct dentry *dentry,
2027 int kind)
2028
2029 {
2030 struct inode_security_struct *dsec, *isec;
2031 struct common_audit_data ad;
2032 u32 sid = current_sid();
2033 u32 av;
2034 int rc;
2035
2036 dsec = inode_security(dir);
2037 isec = backing_inode_security(dentry);
2038
2039 ad.type = LSM_AUDIT_DATA_DENTRY;
2040 ad.u.dentry = dentry;
2041
2042 av = DIR__SEARCH;
2043 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2044 rc = avc_has_perm(&selinux_state,
2045 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2046 if (rc)
2047 return rc;
2048
2049 switch (kind) {
2050 case MAY_LINK:
2051 av = FILE__LINK;
2052 break;
2053 case MAY_UNLINK:
2054 av = FILE__UNLINK;
2055 break;
2056 case MAY_RMDIR:
2057 av = DIR__RMDIR;
2058 break;
2059 default:
2060 pr_warn("SELinux: %s: unrecognized kind %d\n",
2061 __func__, kind);
2062 return 0;
2063 }
2064
2065 rc = avc_has_perm(&selinux_state,
2066 sid, isec->sid, isec->sclass, av, &ad);
2067 return rc;
2068 }
2069
may_rename(struct inode * old_dir,struct dentry * old_dentry,struct inode * new_dir,struct dentry * new_dentry)2070 static inline int may_rename(struct inode *old_dir,
2071 struct dentry *old_dentry,
2072 struct inode *new_dir,
2073 struct dentry *new_dentry)
2074 {
2075 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2076 struct common_audit_data ad;
2077 u32 sid = current_sid();
2078 u32 av;
2079 int old_is_dir, new_is_dir;
2080 int rc;
2081
2082 old_dsec = inode_security(old_dir);
2083 old_isec = backing_inode_security(old_dentry);
2084 old_is_dir = d_is_dir(old_dentry);
2085 new_dsec = inode_security(new_dir);
2086
2087 ad.type = LSM_AUDIT_DATA_DENTRY;
2088
2089 ad.u.dentry = old_dentry;
2090 rc = avc_has_perm(&selinux_state,
2091 sid, old_dsec->sid, SECCLASS_DIR,
2092 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2093 if (rc)
2094 return rc;
2095 rc = avc_has_perm(&selinux_state,
2096 sid, old_isec->sid,
2097 old_isec->sclass, FILE__RENAME, &ad);
2098 if (rc)
2099 return rc;
2100 if (old_is_dir && new_dir != old_dir) {
2101 rc = avc_has_perm(&selinux_state,
2102 sid, old_isec->sid,
2103 old_isec->sclass, DIR__REPARENT, &ad);
2104 if (rc)
2105 return rc;
2106 }
2107
2108 ad.u.dentry = new_dentry;
2109 av = DIR__ADD_NAME | DIR__SEARCH;
2110 if (d_is_positive(new_dentry))
2111 av |= DIR__REMOVE_NAME;
2112 rc = avc_has_perm(&selinux_state,
2113 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2114 if (rc)
2115 return rc;
2116 if (d_is_positive(new_dentry)) {
2117 new_isec = backing_inode_security(new_dentry);
2118 new_is_dir = d_is_dir(new_dentry);
2119 rc = avc_has_perm(&selinux_state,
2120 sid, new_isec->sid,
2121 new_isec->sclass,
2122 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2123 if (rc)
2124 return rc;
2125 }
2126
2127 return 0;
2128 }
2129
2130 /* Check whether a task can perform a filesystem operation. */
superblock_has_perm(const struct cred * cred,struct super_block * sb,u32 perms,struct common_audit_data * ad)2131 static int superblock_has_perm(const struct cred *cred,
2132 struct super_block *sb,
2133 u32 perms,
2134 struct common_audit_data *ad)
2135 {
2136 struct superblock_security_struct *sbsec;
2137 u32 sid = cred_sid(cred);
2138
2139 sbsec = sb->s_security;
2140 return avc_has_perm(&selinux_state,
2141 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2142 }
2143
2144 /* Convert a Linux mode and permission mask to an access vector. */
file_mask_to_av(int mode,int mask)2145 static inline u32 file_mask_to_av(int mode, int mask)
2146 {
2147 u32 av = 0;
2148
2149 if (!S_ISDIR(mode)) {
2150 if (mask & MAY_EXEC)
2151 av |= FILE__EXECUTE;
2152 if (mask & MAY_READ)
2153 av |= FILE__READ;
2154
2155 if (mask & MAY_APPEND)
2156 av |= FILE__APPEND;
2157 else if (mask & MAY_WRITE)
2158 av |= FILE__WRITE;
2159
2160 } else {
2161 if (mask & MAY_EXEC)
2162 av |= DIR__SEARCH;
2163 if (mask & MAY_WRITE)
2164 av |= DIR__WRITE;
2165 if (mask & MAY_READ)
2166 av |= DIR__READ;
2167 }
2168
2169 return av;
2170 }
2171
2172 /* Convert a Linux file to an access vector. */
file_to_av(struct file * file)2173 static inline u32 file_to_av(struct file *file)
2174 {
2175 u32 av = 0;
2176
2177 if (file->f_mode & FMODE_READ)
2178 av |= FILE__READ;
2179 if (file->f_mode & FMODE_WRITE) {
2180 if (file->f_flags & O_APPEND)
2181 av |= FILE__APPEND;
2182 else
2183 av |= FILE__WRITE;
2184 }
2185 if (!av) {
2186 /*
2187 * Special file opened with flags 3 for ioctl-only use.
2188 */
2189 av = FILE__IOCTL;
2190 }
2191
2192 return av;
2193 }
2194
2195 /*
2196 * Convert a file to an access vector and include the correct open
2197 * open permission.
2198 */
open_file_to_av(struct file * file)2199 static inline u32 open_file_to_av(struct file *file)
2200 {
2201 u32 av = file_to_av(file);
2202 struct inode *inode = file_inode(file);
2203
2204 if (selinux_policycap_openperm() &&
2205 inode->i_sb->s_magic != SOCKFS_MAGIC)
2206 av |= FILE__OPEN;
2207
2208 return av;
2209 }
2210
2211 /* Hook functions begin here. */
2212
selinux_binder_set_context_mgr(struct task_struct * mgr)2213 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2214 {
2215 u32 mysid = current_sid();
2216 u32 mgrsid = task_sid(mgr);
2217
2218 return avc_has_perm(&selinux_state,
2219 mysid, mgrsid, SECCLASS_BINDER,
2220 BINDER__SET_CONTEXT_MGR, NULL);
2221 }
2222
selinux_binder_transaction(struct task_struct * from,struct task_struct * to)2223 static int selinux_binder_transaction(struct task_struct *from,
2224 struct task_struct *to)
2225 {
2226 u32 mysid = current_sid();
2227 u32 fromsid = task_sid(from);
2228 u32 tosid = task_sid(to);
2229 int rc;
2230
2231 if (mysid != fromsid) {
2232 rc = avc_has_perm(&selinux_state,
2233 mysid, fromsid, SECCLASS_BINDER,
2234 BINDER__IMPERSONATE, NULL);
2235 if (rc)
2236 return rc;
2237 }
2238
2239 return avc_has_perm(&selinux_state,
2240 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2241 NULL);
2242 }
2243
selinux_binder_transfer_binder(struct task_struct * from,struct task_struct * to)2244 static int selinux_binder_transfer_binder(struct task_struct *from,
2245 struct task_struct *to)
2246 {
2247 u32 fromsid = task_sid(from);
2248 u32 tosid = task_sid(to);
2249
2250 return avc_has_perm(&selinux_state,
2251 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2252 NULL);
2253 }
2254
selinux_binder_transfer_file(struct task_struct * from,struct task_struct * to,struct file * file)2255 static int selinux_binder_transfer_file(struct task_struct *from,
2256 struct task_struct *to,
2257 struct file *file)
2258 {
2259 u32 sid = task_sid(to);
2260 struct file_security_struct *fsec = file->f_security;
2261 struct dentry *dentry = file->f_path.dentry;
2262 struct inode_security_struct *isec;
2263 struct common_audit_data ad;
2264 int rc;
2265
2266 ad.type = LSM_AUDIT_DATA_PATH;
2267 ad.u.path = file->f_path;
2268
2269 if (sid != fsec->sid) {
2270 rc = avc_has_perm(&selinux_state,
2271 sid, fsec->sid,
2272 SECCLASS_FD,
2273 FD__USE,
2274 &ad);
2275 if (rc)
2276 return rc;
2277 }
2278
2279 #ifdef CONFIG_BPF_SYSCALL
2280 rc = bpf_fd_pass(file, sid);
2281 if (rc)
2282 return rc;
2283 #endif
2284
2285 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2286 return 0;
2287
2288 isec = backing_inode_security(dentry);
2289 return avc_has_perm(&selinux_state,
2290 sid, isec->sid, isec->sclass, file_to_av(file),
2291 &ad);
2292 }
2293
selinux_ptrace_access_check(struct task_struct * child,unsigned int mode)2294 static int selinux_ptrace_access_check(struct task_struct *child,
2295 unsigned int mode)
2296 {
2297 u32 sid = current_sid();
2298 u32 csid = task_sid(child);
2299
2300 if (mode & PTRACE_MODE_READ)
2301 return avc_has_perm(&selinux_state,
2302 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2303
2304 return avc_has_perm(&selinux_state,
2305 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2306 }
2307
selinux_ptrace_traceme(struct task_struct * parent)2308 static int selinux_ptrace_traceme(struct task_struct *parent)
2309 {
2310 return avc_has_perm(&selinux_state,
2311 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2312 PROCESS__PTRACE, NULL);
2313 }
2314
selinux_capget(struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)2315 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2316 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2317 {
2318 return avc_has_perm(&selinux_state,
2319 current_sid(), task_sid(target), SECCLASS_PROCESS,
2320 PROCESS__GETCAP, NULL);
2321 }
2322
selinux_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)2323 static int selinux_capset(struct cred *new, const struct cred *old,
2324 const kernel_cap_t *effective,
2325 const kernel_cap_t *inheritable,
2326 const kernel_cap_t *permitted)
2327 {
2328 return avc_has_perm(&selinux_state,
2329 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2330 PROCESS__SETCAP, NULL);
2331 }
2332
2333 /*
2334 * (This comment used to live with the selinux_task_setuid hook,
2335 * which was removed).
2336 *
2337 * Since setuid only affects the current process, and since the SELinux
2338 * controls are not based on the Linux identity attributes, SELinux does not
2339 * need to control this operation. However, SELinux does control the use of
2340 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2341 */
2342
selinux_capable(const struct cred * cred,struct user_namespace * ns,int cap,unsigned int opts)2343 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2344 int cap, unsigned int opts)
2345 {
2346 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2347 }
2348
selinux_quotactl(int cmds,int type,int id,struct super_block * sb)2349 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2350 {
2351 const struct cred *cred = current_cred();
2352 int rc = 0;
2353
2354 if (!sb)
2355 return 0;
2356
2357 switch (cmds) {
2358 case Q_SYNC:
2359 case Q_QUOTAON:
2360 case Q_QUOTAOFF:
2361 case Q_SETINFO:
2362 case Q_SETQUOTA:
2363 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2364 break;
2365 case Q_GETFMT:
2366 case Q_GETINFO:
2367 case Q_GETQUOTA:
2368 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2369 break;
2370 default:
2371 rc = 0; /* let the kernel handle invalid cmds */
2372 break;
2373 }
2374 return rc;
2375 }
2376
selinux_quota_on(struct dentry * dentry)2377 static int selinux_quota_on(struct dentry *dentry)
2378 {
2379 const struct cred *cred = current_cred();
2380
2381 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2382 }
2383
selinux_syslog(int type)2384 static int selinux_syslog(int type)
2385 {
2386 switch (type) {
2387 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2388 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2389 return avc_has_perm(&selinux_state,
2390 current_sid(), SECINITSID_KERNEL,
2391 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2392 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2393 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2394 /* Set level of messages printed to console */
2395 case SYSLOG_ACTION_CONSOLE_LEVEL:
2396 return avc_has_perm(&selinux_state,
2397 current_sid(), SECINITSID_KERNEL,
2398 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2399 NULL);
2400 }
2401 /* All other syslog types */
2402 return avc_has_perm(&selinux_state,
2403 current_sid(), SECINITSID_KERNEL,
2404 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2405 }
2406
2407 /*
2408 * Check that a process has enough memory to allocate a new virtual
2409 * mapping. 0 means there is enough memory for the allocation to
2410 * succeed and -ENOMEM implies there is not.
2411 *
2412 * Do not audit the selinux permission check, as this is applied to all
2413 * processes that allocate mappings.
2414 */
selinux_vm_enough_memory(struct mm_struct * mm,long pages)2415 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2416 {
2417 int rc, cap_sys_admin = 0;
2418
2419 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2420 CAP_OPT_NOAUDIT, true);
2421 if (rc == 0)
2422 cap_sys_admin = 1;
2423
2424 return cap_sys_admin;
2425 }
2426
2427 /* binprm security operations */
2428
ptrace_parent_sid(void)2429 static u32 ptrace_parent_sid(void)
2430 {
2431 u32 sid = 0;
2432 struct task_struct *tracer;
2433
2434 rcu_read_lock();
2435 tracer = ptrace_parent(current);
2436 if (tracer)
2437 sid = task_sid(tracer);
2438 rcu_read_unlock();
2439
2440 return sid;
2441 }
2442
check_nnp_nosuid(const struct linux_binprm * bprm,const struct task_security_struct * old_tsec,const struct task_security_struct * new_tsec)2443 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2444 const struct task_security_struct *old_tsec,
2445 const struct task_security_struct *new_tsec)
2446 {
2447 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2448 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2449 int rc;
2450 u32 av;
2451
2452 if (!nnp && !nosuid)
2453 return 0; /* neither NNP nor nosuid */
2454
2455 if (new_tsec->sid == old_tsec->sid)
2456 return 0; /* No change in credentials */
2457
2458 /*
2459 * If the policy enables the nnp_nosuid_transition policy capability,
2460 * then we permit transitions under NNP or nosuid if the
2461 * policy allows the corresponding permission between
2462 * the old and new contexts.
2463 */
2464 if (selinux_policycap_nnp_nosuid_transition()) {
2465 av = 0;
2466 if (nnp)
2467 av |= PROCESS2__NNP_TRANSITION;
2468 if (nosuid)
2469 av |= PROCESS2__NOSUID_TRANSITION;
2470 rc = avc_has_perm(&selinux_state,
2471 old_tsec->sid, new_tsec->sid,
2472 SECCLASS_PROCESS2, av, NULL);
2473 if (!rc)
2474 return 0;
2475 }
2476
2477 /*
2478 * We also permit NNP or nosuid transitions to bounded SIDs,
2479 * i.e. SIDs that are guaranteed to only be allowed a subset
2480 * of the permissions of the current SID.
2481 */
2482 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2483 new_tsec->sid);
2484 if (!rc)
2485 return 0;
2486
2487 /*
2488 * On failure, preserve the errno values for NNP vs nosuid.
2489 * NNP: Operation not permitted for caller.
2490 * nosuid: Permission denied to file.
2491 */
2492 if (nnp)
2493 return -EPERM;
2494 return -EACCES;
2495 }
2496
selinux_bprm_set_creds(struct linux_binprm * bprm)2497 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2498 {
2499 const struct task_security_struct *old_tsec;
2500 struct task_security_struct *new_tsec;
2501 struct inode_security_struct *isec;
2502 struct common_audit_data ad;
2503 struct inode *inode = file_inode(bprm->file);
2504 int rc;
2505
2506 /* SELinux context only depends on initial program or script and not
2507 * the script interpreter */
2508 if (bprm->called_set_creds)
2509 return 0;
2510
2511 old_tsec = current_security();
2512 new_tsec = bprm->cred->security;
2513 isec = inode_security(inode);
2514
2515 /* Default to the current task SID. */
2516 new_tsec->sid = old_tsec->sid;
2517 new_tsec->osid = old_tsec->sid;
2518
2519 /* Reset fs, key, and sock SIDs on execve. */
2520 new_tsec->create_sid = 0;
2521 new_tsec->keycreate_sid = 0;
2522 new_tsec->sockcreate_sid = 0;
2523
2524 if (old_tsec->exec_sid) {
2525 new_tsec->sid = old_tsec->exec_sid;
2526 /* Reset exec SID on execve. */
2527 new_tsec->exec_sid = 0;
2528
2529 /* Fail on NNP or nosuid if not an allowed transition. */
2530 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2531 if (rc)
2532 return rc;
2533 } else {
2534 /* Check for a default transition on this program. */
2535 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2536 isec->sid, SECCLASS_PROCESS, NULL,
2537 &new_tsec->sid);
2538 if (rc)
2539 return rc;
2540
2541 /*
2542 * Fallback to old SID on NNP or nosuid if not an allowed
2543 * transition.
2544 */
2545 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2546 if (rc)
2547 new_tsec->sid = old_tsec->sid;
2548 }
2549
2550 ad.type = LSM_AUDIT_DATA_FILE;
2551 ad.u.file = bprm->file;
2552
2553 if (new_tsec->sid == old_tsec->sid) {
2554 rc = avc_has_perm(&selinux_state,
2555 old_tsec->sid, isec->sid,
2556 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2557 if (rc)
2558 return rc;
2559 } else {
2560 /* Check permissions for the transition. */
2561 rc = avc_has_perm(&selinux_state,
2562 old_tsec->sid, new_tsec->sid,
2563 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2564 if (rc)
2565 return rc;
2566
2567 rc = avc_has_perm(&selinux_state,
2568 new_tsec->sid, isec->sid,
2569 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2570 if (rc)
2571 return rc;
2572
2573 /* Check for shared state */
2574 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2575 rc = avc_has_perm(&selinux_state,
2576 old_tsec->sid, new_tsec->sid,
2577 SECCLASS_PROCESS, PROCESS__SHARE,
2578 NULL);
2579 if (rc)
2580 return -EPERM;
2581 }
2582
2583 /* Make sure that anyone attempting to ptrace over a task that
2584 * changes its SID has the appropriate permit */
2585 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2586 u32 ptsid = ptrace_parent_sid();
2587 if (ptsid != 0) {
2588 rc = avc_has_perm(&selinux_state,
2589 ptsid, new_tsec->sid,
2590 SECCLASS_PROCESS,
2591 PROCESS__PTRACE, NULL);
2592 if (rc)
2593 return -EPERM;
2594 }
2595 }
2596
2597 /* Clear any possibly unsafe personality bits on exec: */
2598 bprm->per_clear |= PER_CLEAR_ON_SETID;
2599
2600 /* Enable secure mode for SIDs transitions unless
2601 the noatsecure permission is granted between
2602 the two SIDs, i.e. ahp returns 0. */
2603 rc = avc_has_perm(&selinux_state,
2604 old_tsec->sid, new_tsec->sid,
2605 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2606 NULL);
2607 bprm->secureexec |= !!rc;
2608 }
2609
2610 return 0;
2611 }
2612
match_file(const void * p,struct file * file,unsigned fd)2613 static int match_file(const void *p, struct file *file, unsigned fd)
2614 {
2615 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2616 }
2617
2618 /* Derived from fs/exec.c:flush_old_files. */
flush_unauthorized_files(const struct cred * cred,struct files_struct * files)2619 static inline void flush_unauthorized_files(const struct cred *cred,
2620 struct files_struct *files)
2621 {
2622 struct file *file, *devnull = NULL;
2623 struct tty_struct *tty;
2624 int drop_tty = 0;
2625 unsigned n;
2626
2627 tty = get_current_tty();
2628 if (tty) {
2629 spin_lock(&tty->files_lock);
2630 if (!list_empty(&tty->tty_files)) {
2631 struct tty_file_private *file_priv;
2632
2633 /* Revalidate access to controlling tty.
2634 Use file_path_has_perm on the tty path directly
2635 rather than using file_has_perm, as this particular
2636 open file may belong to another process and we are
2637 only interested in the inode-based check here. */
2638 file_priv = list_first_entry(&tty->tty_files,
2639 struct tty_file_private, list);
2640 file = file_priv->file;
2641 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2642 drop_tty = 1;
2643 }
2644 spin_unlock(&tty->files_lock);
2645 tty_kref_put(tty);
2646 }
2647 /* Reset controlling tty. */
2648 if (drop_tty)
2649 no_tty();
2650
2651 /* Revalidate access to inherited open files. */
2652 n = iterate_fd(files, 0, match_file, cred);
2653 if (!n) /* none found? */
2654 return;
2655
2656 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2657 if (IS_ERR(devnull))
2658 devnull = NULL;
2659 /* replace all the matching ones with this */
2660 do {
2661 replace_fd(n - 1, devnull, 0);
2662 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2663 if (devnull)
2664 fput(devnull);
2665 }
2666
2667 /*
2668 * Prepare a process for imminent new credential changes due to exec
2669 */
selinux_bprm_committing_creds(struct linux_binprm * bprm)2670 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2671 {
2672 struct task_security_struct *new_tsec;
2673 struct rlimit *rlim, *initrlim;
2674 int rc, i;
2675
2676 new_tsec = bprm->cred->security;
2677 if (new_tsec->sid == new_tsec->osid)
2678 return;
2679
2680 /* Close files for which the new task SID is not authorized. */
2681 flush_unauthorized_files(bprm->cred, current->files);
2682
2683 /* Always clear parent death signal on SID transitions. */
2684 current->pdeath_signal = 0;
2685
2686 /* Check whether the new SID can inherit resource limits from the old
2687 * SID. If not, reset all soft limits to the lower of the current
2688 * task's hard limit and the init task's soft limit.
2689 *
2690 * Note that the setting of hard limits (even to lower them) can be
2691 * controlled by the setrlimit check. The inclusion of the init task's
2692 * soft limit into the computation is to avoid resetting soft limits
2693 * higher than the default soft limit for cases where the default is
2694 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2695 */
2696 rc = avc_has_perm(&selinux_state,
2697 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2698 PROCESS__RLIMITINH, NULL);
2699 if (rc) {
2700 /* protect against do_prlimit() */
2701 task_lock(current);
2702 for (i = 0; i < RLIM_NLIMITS; i++) {
2703 rlim = current->signal->rlim + i;
2704 initrlim = init_task.signal->rlim + i;
2705 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2706 }
2707 task_unlock(current);
2708 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2709 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2710 }
2711 }
2712
2713 /*
2714 * Clean up the process immediately after the installation of new credentials
2715 * due to exec
2716 */
selinux_bprm_committed_creds(struct linux_binprm * bprm)2717 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2718 {
2719 const struct task_security_struct *tsec = current_security();
2720 struct itimerval itimer;
2721 u32 osid, sid;
2722 int rc, i;
2723
2724 osid = tsec->osid;
2725 sid = tsec->sid;
2726
2727 if (sid == osid)
2728 return;
2729
2730 /* Check whether the new SID can inherit signal state from the old SID.
2731 * If not, clear itimers to avoid subsequent signal generation and
2732 * flush and unblock signals.
2733 *
2734 * This must occur _after_ the task SID has been updated so that any
2735 * kill done after the flush will be checked against the new SID.
2736 */
2737 rc = avc_has_perm(&selinux_state,
2738 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2739 if (rc) {
2740 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2741 memset(&itimer, 0, sizeof itimer);
2742 for (i = 0; i < 3; i++)
2743 do_setitimer(i, &itimer, NULL);
2744 }
2745 spin_lock_irq(¤t->sighand->siglock);
2746 if (!fatal_signal_pending(current)) {
2747 flush_sigqueue(¤t->pending);
2748 flush_sigqueue(¤t->signal->shared_pending);
2749 flush_signal_handlers(current, 1);
2750 sigemptyset(¤t->blocked);
2751 recalc_sigpending();
2752 }
2753 spin_unlock_irq(¤t->sighand->siglock);
2754 }
2755
2756 /* Wake up the parent if it is waiting so that it can recheck
2757 * wait permission to the new task SID. */
2758 read_lock(&tasklist_lock);
2759 __wake_up_parent(current, current->real_parent);
2760 read_unlock(&tasklist_lock);
2761 }
2762
2763 /* superblock security operations */
2764
selinux_sb_alloc_security(struct super_block * sb)2765 static int selinux_sb_alloc_security(struct super_block *sb)
2766 {
2767 return superblock_alloc_security(sb);
2768 }
2769
selinux_sb_free_security(struct super_block * sb)2770 static void selinux_sb_free_security(struct super_block *sb)
2771 {
2772 superblock_free_security(sb);
2773 }
2774
match_prefix(char * prefix,int plen,char * option,int olen)2775 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2776 {
2777 if (plen > olen)
2778 return 0;
2779
2780 return !memcmp(prefix, option, plen);
2781 }
2782
selinux_option(char * option,int len)2783 static inline int selinux_option(char *option, int len)
2784 {
2785 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2786 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2787 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2788 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2789 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2790 }
2791
take_option(char ** to,char * from,int * first,int len)2792 static inline void take_option(char **to, char *from, int *first, int len)
2793 {
2794 if (!*first) {
2795 **to = ',';
2796 *to += 1;
2797 } else
2798 *first = 0;
2799 memcpy(*to, from, len);
2800 *to += len;
2801 }
2802
take_selinux_option(char ** to,char * from,int * first,int len)2803 static inline void take_selinux_option(char **to, char *from, int *first,
2804 int len)
2805 {
2806 int current_size = 0;
2807
2808 if (!*first) {
2809 **to = '|';
2810 *to += 1;
2811 } else
2812 *first = 0;
2813
2814 while (current_size < len) {
2815 if (*from != '"') {
2816 **to = *from;
2817 *to += 1;
2818 }
2819 from += 1;
2820 current_size += 1;
2821 }
2822 }
2823
selinux_sb_copy_data(char * orig,char * copy)2824 static int selinux_sb_copy_data(char *orig, char *copy)
2825 {
2826 int fnosec, fsec, rc = 0;
2827 char *in_save, *in_curr, *in_end;
2828 char *sec_curr, *nosec_save, *nosec;
2829 int open_quote = 0;
2830
2831 in_curr = orig;
2832 sec_curr = copy;
2833
2834 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2835 if (!nosec) {
2836 rc = -ENOMEM;
2837 goto out;
2838 }
2839
2840 nosec_save = nosec;
2841 fnosec = fsec = 1;
2842 in_save = in_end = orig;
2843
2844 do {
2845 if (*in_end == '"')
2846 open_quote = !open_quote;
2847 if ((*in_end == ',' && open_quote == 0) ||
2848 *in_end == '\0') {
2849 int len = in_end - in_curr;
2850
2851 if (selinux_option(in_curr, len))
2852 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2853 else
2854 take_option(&nosec, in_curr, &fnosec, len);
2855
2856 in_curr = in_end + 1;
2857 }
2858 } while (*in_end++);
2859
2860 strcpy(in_save, nosec_save);
2861 free_page((unsigned long)nosec_save);
2862 out:
2863 return rc;
2864 }
2865
selinux_sb_remount(struct super_block * sb,void * data)2866 static int selinux_sb_remount(struct super_block *sb, void *data)
2867 {
2868 int rc, i, *flags;
2869 struct security_mnt_opts opts;
2870 char *secdata, **mount_options;
2871 struct superblock_security_struct *sbsec = sb->s_security;
2872
2873 if (!(sbsec->flags & SE_SBINITIALIZED))
2874 return 0;
2875
2876 if (!data)
2877 return 0;
2878
2879 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2880 return 0;
2881
2882 security_init_mnt_opts(&opts);
2883 secdata = alloc_secdata();
2884 if (!secdata)
2885 return -ENOMEM;
2886 rc = selinux_sb_copy_data(data, secdata);
2887 if (rc)
2888 goto out_free_secdata;
2889
2890 rc = selinux_parse_opts_str(secdata, &opts);
2891 if (rc)
2892 goto out_free_secdata;
2893
2894 mount_options = opts.mnt_opts;
2895 flags = opts.mnt_opts_flags;
2896
2897 for (i = 0; i < opts.num_mnt_opts; i++) {
2898 u32 sid;
2899
2900 if (flags[i] == SBLABEL_MNT)
2901 continue;
2902 rc = security_context_str_to_sid(&selinux_state,
2903 mount_options[i], &sid,
2904 GFP_KERNEL);
2905 if (rc) {
2906 pr_warn("SELinux: security_context_str_to_sid"
2907 "(%s) failed for (dev %s, type %s) errno=%d\n",
2908 mount_options[i], sb->s_id, sb->s_type->name, rc);
2909 goto out_free_opts;
2910 }
2911 rc = -EINVAL;
2912 switch (flags[i]) {
2913 case FSCONTEXT_MNT:
2914 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2915 goto out_bad_option;
2916 break;
2917 case CONTEXT_MNT:
2918 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2919 goto out_bad_option;
2920 break;
2921 case ROOTCONTEXT_MNT: {
2922 struct inode_security_struct *root_isec;
2923 root_isec = backing_inode_security(sb->s_root);
2924
2925 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2926 goto out_bad_option;
2927 break;
2928 }
2929 case DEFCONTEXT_MNT:
2930 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2931 goto out_bad_option;
2932 break;
2933 default:
2934 goto out_free_opts;
2935 }
2936 }
2937
2938 rc = 0;
2939 out_free_opts:
2940 security_free_mnt_opts(&opts);
2941 out_free_secdata:
2942 free_secdata(secdata);
2943 return rc;
2944 out_bad_option:
2945 pr_warn("SELinux: unable to change security options "
2946 "during remount (dev %s, type=%s)\n", sb->s_id,
2947 sb->s_type->name);
2948 goto out_free_opts;
2949 }
2950
selinux_sb_kern_mount(struct super_block * sb,int flags,void * data)2951 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2952 {
2953 const struct cred *cred = current_cred();
2954 struct common_audit_data ad;
2955 int rc;
2956
2957 rc = superblock_doinit(sb, data);
2958 if (rc)
2959 return rc;
2960
2961 /* Allow all mounts performed by the kernel */
2962 if (flags & (MS_KERNMOUNT | MS_SUBMOUNT))
2963 return 0;
2964
2965 ad.type = LSM_AUDIT_DATA_DENTRY;
2966 ad.u.dentry = sb->s_root;
2967 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2968 }
2969
selinux_sb_statfs(struct dentry * dentry)2970 static int selinux_sb_statfs(struct dentry *dentry)
2971 {
2972 const struct cred *cred = current_cred();
2973 struct common_audit_data ad;
2974
2975 ad.type = LSM_AUDIT_DATA_DENTRY;
2976 ad.u.dentry = dentry->d_sb->s_root;
2977 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2978 }
2979
selinux_mount(const char * dev_name,const struct path * path,const char * type,unsigned long flags,void * data)2980 static int selinux_mount(const char *dev_name,
2981 const struct path *path,
2982 const char *type,
2983 unsigned long flags,
2984 void *data)
2985 {
2986 const struct cred *cred = current_cred();
2987
2988 if (flags & MS_REMOUNT)
2989 return superblock_has_perm(cred, path->dentry->d_sb,
2990 FILESYSTEM__REMOUNT, NULL);
2991 else
2992 return path_has_perm(cred, path, FILE__MOUNTON);
2993 }
2994
selinux_umount(struct vfsmount * mnt,int flags)2995 static int selinux_umount(struct vfsmount *mnt, int flags)
2996 {
2997 const struct cred *cred = current_cred();
2998
2999 return superblock_has_perm(cred, mnt->mnt_sb,
3000 FILESYSTEM__UNMOUNT, NULL);
3001 }
3002
3003 /* inode security operations */
3004
selinux_inode_alloc_security(struct inode * inode)3005 static int selinux_inode_alloc_security(struct inode *inode)
3006 {
3007 return inode_alloc_security(inode);
3008 }
3009
selinux_inode_free_security(struct inode * inode)3010 static void selinux_inode_free_security(struct inode *inode)
3011 {
3012 inode_free_security(inode);
3013 }
3014
selinux_dentry_init_security(struct dentry * dentry,int mode,const struct qstr * name,void ** ctx,u32 * ctxlen)3015 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
3016 const struct qstr *name, void **ctx,
3017 u32 *ctxlen)
3018 {
3019 u32 newsid;
3020 int rc;
3021
3022 rc = selinux_determine_inode_label(current_security(),
3023 d_inode(dentry->d_parent), name,
3024 inode_mode_to_security_class(mode),
3025 &newsid);
3026 if (rc)
3027 return rc;
3028
3029 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3030 ctxlen);
3031 }
3032
selinux_dentry_create_files_as(struct dentry * dentry,int mode,struct qstr * name,const struct cred * old,struct cred * new)3033 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3034 struct qstr *name,
3035 const struct cred *old,
3036 struct cred *new)
3037 {
3038 u32 newsid;
3039 int rc;
3040 struct task_security_struct *tsec;
3041
3042 rc = selinux_determine_inode_label(old->security,
3043 d_inode(dentry->d_parent), name,
3044 inode_mode_to_security_class(mode),
3045 &newsid);
3046 if (rc)
3047 return rc;
3048
3049 tsec = new->security;
3050 tsec->create_sid = newsid;
3051 return 0;
3052 }
3053
selinux_inode_init_security(struct inode * inode,struct inode * dir,const struct qstr * qstr,const char ** name,void ** value,size_t * len)3054 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3055 const struct qstr *qstr,
3056 const char **name,
3057 void **value, size_t *len)
3058 {
3059 const struct task_security_struct *tsec = current_security();
3060 struct superblock_security_struct *sbsec;
3061 u32 newsid, clen;
3062 int rc;
3063 char *context;
3064
3065 sbsec = dir->i_sb->s_security;
3066
3067 newsid = tsec->create_sid;
3068
3069 rc = selinux_determine_inode_label(current_security(),
3070 dir, qstr,
3071 inode_mode_to_security_class(inode->i_mode),
3072 &newsid);
3073 if (rc)
3074 return rc;
3075
3076 /* Possibly defer initialization to selinux_complete_init. */
3077 if (sbsec->flags & SE_SBINITIALIZED) {
3078 struct inode_security_struct *isec = inode->i_security;
3079 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3080 isec->sid = newsid;
3081 isec->initialized = LABEL_INITIALIZED;
3082 }
3083
3084 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3085 return -EOPNOTSUPP;
3086
3087 if (name)
3088 *name = XATTR_SELINUX_SUFFIX;
3089
3090 if (value && len) {
3091 rc = security_sid_to_context_force(&selinux_state, newsid,
3092 &context, &clen);
3093 if (rc)
3094 return rc;
3095 *value = context;
3096 *len = clen;
3097 }
3098
3099 return 0;
3100 }
3101
selinux_inode_create(struct inode * dir,struct dentry * dentry,umode_t mode)3102 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3103 {
3104 return may_create(dir, dentry, SECCLASS_FILE);
3105 }
3106
selinux_inode_link(struct dentry * old_dentry,struct inode * dir,struct dentry * new_dentry)3107 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3108 {
3109 return may_link(dir, old_dentry, MAY_LINK);
3110 }
3111
selinux_inode_unlink(struct inode * dir,struct dentry * dentry)3112 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3113 {
3114 return may_link(dir, dentry, MAY_UNLINK);
3115 }
3116
selinux_inode_symlink(struct inode * dir,struct dentry * dentry,const char * name)3117 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3118 {
3119 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3120 }
3121
selinux_inode_mkdir(struct inode * dir,struct dentry * dentry,umode_t mask)3122 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3123 {
3124 return may_create(dir, dentry, SECCLASS_DIR);
3125 }
3126
selinux_inode_rmdir(struct inode * dir,struct dentry * dentry)3127 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3128 {
3129 return may_link(dir, dentry, MAY_RMDIR);
3130 }
3131
selinux_inode_mknod(struct inode * dir,struct dentry * dentry,umode_t mode,dev_t dev)3132 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3133 {
3134 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3135 }
3136
selinux_inode_rename(struct inode * old_inode,struct dentry * old_dentry,struct inode * new_inode,struct dentry * new_dentry)3137 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3138 struct inode *new_inode, struct dentry *new_dentry)
3139 {
3140 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3141 }
3142
selinux_inode_readlink(struct dentry * dentry)3143 static int selinux_inode_readlink(struct dentry *dentry)
3144 {
3145 const struct cred *cred = current_cred();
3146
3147 return dentry_has_perm(cred, dentry, FILE__READ);
3148 }
3149
selinux_inode_follow_link(struct dentry * dentry,struct inode * inode,bool rcu)3150 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3151 bool rcu)
3152 {
3153 const struct cred *cred = current_cred();
3154 struct common_audit_data ad;
3155 struct inode_security_struct *isec;
3156 u32 sid;
3157
3158 validate_creds(cred);
3159
3160 ad.type = LSM_AUDIT_DATA_DENTRY;
3161 ad.u.dentry = dentry;
3162 sid = cred_sid(cred);
3163 isec = inode_security_rcu(inode, rcu);
3164 if (IS_ERR(isec))
3165 return PTR_ERR(isec);
3166
3167 return avc_has_perm_flags(&selinux_state,
3168 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3169 rcu ? MAY_NOT_BLOCK : 0);
3170 }
3171
audit_inode_permission(struct inode * inode,u32 perms,u32 audited,u32 denied,int result)3172 static noinline int audit_inode_permission(struct inode *inode,
3173 u32 perms, u32 audited, u32 denied,
3174 int result)
3175 {
3176 struct common_audit_data ad;
3177 struct inode_security_struct *isec = inode->i_security;
3178 int rc;
3179
3180 ad.type = LSM_AUDIT_DATA_INODE;
3181 ad.u.inode = inode;
3182
3183 rc = slow_avc_audit(&selinux_state,
3184 current_sid(), isec->sid, isec->sclass, perms,
3185 audited, denied, result, &ad);
3186 if (rc)
3187 return rc;
3188 return 0;
3189 }
3190
selinux_inode_permission(struct inode * inode,int mask)3191 static int selinux_inode_permission(struct inode *inode, int mask)
3192 {
3193 const struct cred *cred = current_cred();
3194 u32 perms;
3195 bool from_access;
3196 unsigned flags = mask & MAY_NOT_BLOCK;
3197 struct inode_security_struct *isec;
3198 u32 sid;
3199 struct av_decision avd;
3200 int rc, rc2;
3201 u32 audited, denied;
3202
3203 from_access = mask & MAY_ACCESS;
3204 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3205
3206 /* No permission to check. Existence test. */
3207 if (!mask)
3208 return 0;
3209
3210 validate_creds(cred);
3211
3212 if (unlikely(IS_PRIVATE(inode)))
3213 return 0;
3214
3215 perms = file_mask_to_av(inode->i_mode, mask);
3216
3217 sid = cred_sid(cred);
3218 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3219 if (IS_ERR(isec))
3220 return PTR_ERR(isec);
3221
3222 rc = avc_has_perm_noaudit(&selinux_state,
3223 sid, isec->sid, isec->sclass, perms,
3224 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3225 &avd);
3226 audited = avc_audit_required(perms, &avd, rc,
3227 from_access ? FILE__AUDIT_ACCESS : 0,
3228 &denied);
3229 if (likely(!audited))
3230 return rc;
3231
3232 /* fall back to ref-walk if we have to generate audit */
3233 if (flags & MAY_NOT_BLOCK)
3234 return -ECHILD;
3235
3236 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3237 if (rc2)
3238 return rc2;
3239 return rc;
3240 }
3241
selinux_inode_setattr(struct dentry * dentry,struct iattr * iattr)3242 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3243 {
3244 const struct cred *cred = current_cred();
3245 struct inode *inode = d_backing_inode(dentry);
3246 unsigned int ia_valid = iattr->ia_valid;
3247 __u32 av = FILE__WRITE;
3248
3249 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3250 if (ia_valid & ATTR_FORCE) {
3251 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3252 ATTR_FORCE);
3253 if (!ia_valid)
3254 return 0;
3255 }
3256
3257 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3258 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3259 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3260
3261 if (selinux_policycap_openperm() &&
3262 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3263 (ia_valid & ATTR_SIZE) &&
3264 !(ia_valid & ATTR_FILE))
3265 av |= FILE__OPEN;
3266
3267 return dentry_has_perm(cred, dentry, av);
3268 }
3269
selinux_inode_getattr(const struct path * path)3270 static int selinux_inode_getattr(const struct path *path)
3271 {
3272 return path_has_perm(current_cred(), path, FILE__GETATTR);
3273 }
3274
has_cap_mac_admin(bool audit)3275 static bool has_cap_mac_admin(bool audit)
3276 {
3277 const struct cred *cred = current_cred();
3278 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3279
3280 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3281 return false;
3282 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3283 return false;
3284 return true;
3285 }
3286
selinux_inode_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3287 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3288 const void *value, size_t size, int flags)
3289 {
3290 struct inode *inode = d_backing_inode(dentry);
3291 struct inode_security_struct *isec;
3292 struct superblock_security_struct *sbsec;
3293 struct common_audit_data ad;
3294 u32 newsid, sid = current_sid();
3295 int rc = 0;
3296
3297 if (strcmp(name, XATTR_NAME_SELINUX)) {
3298 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3299 if (rc)
3300 return rc;
3301
3302 /* Not an attribute we recognize, so just check the
3303 ordinary setattr permission. */
3304 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3305 }
3306
3307 if (!selinux_state.initialized)
3308 return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3309
3310 sbsec = inode->i_sb->s_security;
3311 if (!(sbsec->flags & SBLABEL_MNT))
3312 return -EOPNOTSUPP;
3313
3314 if (!inode_owner_or_capable(inode))
3315 return -EPERM;
3316
3317 ad.type = LSM_AUDIT_DATA_DENTRY;
3318 ad.u.dentry = dentry;
3319
3320 isec = backing_inode_security(dentry);
3321 rc = avc_has_perm(&selinux_state,
3322 sid, isec->sid, isec->sclass,
3323 FILE__RELABELFROM, &ad);
3324 if (rc)
3325 return rc;
3326
3327 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3328 GFP_KERNEL);
3329 if (rc == -EINVAL) {
3330 if (!has_cap_mac_admin(true)) {
3331 struct audit_buffer *ab;
3332 size_t audit_size;
3333
3334 /* We strip a nul only if it is at the end, otherwise the
3335 * context contains a nul and we should audit that */
3336 if (value) {
3337 const char *str = value;
3338
3339 if (str[size - 1] == '\0')
3340 audit_size = size - 1;
3341 else
3342 audit_size = size;
3343 } else {
3344 audit_size = 0;
3345 }
3346 ab = audit_log_start(audit_context(),
3347 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3348 audit_log_format(ab, "op=setxattr invalid_context=");
3349 audit_log_n_untrustedstring(ab, value, audit_size);
3350 audit_log_end(ab);
3351
3352 return rc;
3353 }
3354 rc = security_context_to_sid_force(&selinux_state, value,
3355 size, &newsid);
3356 }
3357 if (rc)
3358 return rc;
3359
3360 rc = avc_has_perm(&selinux_state,
3361 sid, newsid, isec->sclass,
3362 FILE__RELABELTO, &ad);
3363 if (rc)
3364 return rc;
3365
3366 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3367 sid, isec->sclass);
3368 if (rc)
3369 return rc;
3370
3371 return avc_has_perm(&selinux_state,
3372 newsid,
3373 sbsec->sid,
3374 SECCLASS_FILESYSTEM,
3375 FILESYSTEM__ASSOCIATE,
3376 &ad);
3377 }
3378
selinux_inode_post_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3379 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3380 const void *value, size_t size,
3381 int flags)
3382 {
3383 struct inode *inode = d_backing_inode(dentry);
3384 struct inode_security_struct *isec;
3385 u32 newsid;
3386 int rc;
3387
3388 if (strcmp(name, XATTR_NAME_SELINUX)) {
3389 /* Not an attribute we recognize, so nothing to do. */
3390 return;
3391 }
3392
3393 if (!selinux_state.initialized) {
3394 /* If we haven't even been initialized, then we can't validate
3395 * against a policy, so leave the label as invalid. It may
3396 * resolve to a valid label on the next revalidation try if
3397 * we've since initialized.
3398 */
3399 return;
3400 }
3401
3402 rc = security_context_to_sid_force(&selinux_state, value, size,
3403 &newsid);
3404 if (rc) {
3405 pr_err("SELinux: unable to map context to SID"
3406 "for (%s, %lu), rc=%d\n",
3407 inode->i_sb->s_id, inode->i_ino, -rc);
3408 return;
3409 }
3410
3411 isec = backing_inode_security(dentry);
3412 spin_lock(&isec->lock);
3413 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3414 isec->sid = newsid;
3415 isec->initialized = LABEL_INITIALIZED;
3416 spin_unlock(&isec->lock);
3417
3418 return;
3419 }
3420
selinux_inode_getxattr(struct dentry * dentry,const char * name)3421 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3422 {
3423 const struct cred *cred = current_cred();
3424
3425 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3426 }
3427
selinux_inode_listxattr(struct dentry * dentry)3428 static int selinux_inode_listxattr(struct dentry *dentry)
3429 {
3430 const struct cred *cred = current_cred();
3431
3432 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3433 }
3434
selinux_inode_removexattr(struct dentry * dentry,const char * name)3435 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3436 {
3437 if (strcmp(name, XATTR_NAME_SELINUX)) {
3438 int rc = cap_inode_removexattr(dentry, name);
3439 if (rc)
3440 return rc;
3441
3442 /* Not an attribute we recognize, so just check the
3443 ordinary setattr permission. */
3444 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3445 }
3446
3447 /* No one is allowed to remove a SELinux security label.
3448 You can change the label, but all data must be labeled. */
3449 return -EACCES;
3450 }
3451
3452 /*
3453 * Copy the inode security context value to the user.
3454 *
3455 * Permission check is handled by selinux_inode_getxattr hook.
3456 */
selinux_inode_getsecurity(struct inode * inode,const char * name,void ** buffer,bool alloc)3457 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3458 {
3459 u32 size;
3460 int error;
3461 char *context = NULL;
3462 struct inode_security_struct *isec;
3463
3464 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3465 return -EOPNOTSUPP;
3466
3467 /*
3468 * If the caller has CAP_MAC_ADMIN, then get the raw context
3469 * value even if it is not defined by current policy; otherwise,
3470 * use the in-core value under current policy.
3471 * Use the non-auditing forms of the permission checks since
3472 * getxattr may be called by unprivileged processes commonly
3473 * and lack of permission just means that we fall back to the
3474 * in-core context value, not a denial.
3475 */
3476 isec = inode_security(inode);
3477 if (has_cap_mac_admin(false))
3478 error = security_sid_to_context_force(&selinux_state,
3479 isec->sid, &context,
3480 &size);
3481 else
3482 error = security_sid_to_context(&selinux_state, isec->sid,
3483 &context, &size);
3484 if (error)
3485 return error;
3486 error = size;
3487 if (alloc) {
3488 *buffer = context;
3489 goto out_nofree;
3490 }
3491 kfree(context);
3492 out_nofree:
3493 return error;
3494 }
3495
selinux_inode_setsecurity(struct inode * inode,const char * name,const void * value,size_t size,int flags)3496 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3497 const void *value, size_t size, int flags)
3498 {
3499 struct inode_security_struct *isec = inode_security_novalidate(inode);
3500 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3501 u32 newsid;
3502 int rc;
3503
3504 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3505 return -EOPNOTSUPP;
3506
3507 if (!(sbsec->flags & SBLABEL_MNT))
3508 return -EOPNOTSUPP;
3509
3510 if (!value || !size)
3511 return -EACCES;
3512
3513 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3514 GFP_KERNEL);
3515 if (rc)
3516 return rc;
3517
3518 spin_lock(&isec->lock);
3519 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3520 isec->sid = newsid;
3521 isec->initialized = LABEL_INITIALIZED;
3522 spin_unlock(&isec->lock);
3523 return 0;
3524 }
3525
selinux_inode_listsecurity(struct inode * inode,char * buffer,size_t buffer_size)3526 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3527 {
3528 const int len = sizeof(XATTR_NAME_SELINUX);
3529 if (buffer && len <= buffer_size)
3530 memcpy(buffer, XATTR_NAME_SELINUX, len);
3531 return len;
3532 }
3533
selinux_inode_getsecid(struct inode * inode,u32 * secid)3534 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3535 {
3536 struct inode_security_struct *isec = inode_security_novalidate(inode);
3537 *secid = isec->sid;
3538 }
3539
selinux_inode_copy_up(struct dentry * src,struct cred ** new)3540 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3541 {
3542 u32 sid;
3543 struct task_security_struct *tsec;
3544 struct cred *new_creds = *new;
3545
3546 if (new_creds == NULL) {
3547 new_creds = prepare_creds();
3548 if (!new_creds)
3549 return -ENOMEM;
3550 }
3551
3552 tsec = new_creds->security;
3553 /* Get label from overlay inode and set it in create_sid */
3554 selinux_inode_getsecid(d_inode(src), &sid);
3555 tsec->create_sid = sid;
3556 *new = new_creds;
3557 return 0;
3558 }
3559
selinux_inode_copy_up_xattr(const char * name)3560 static int selinux_inode_copy_up_xattr(const char *name)
3561 {
3562 /* The copy_up hook above sets the initial context on an inode, but we
3563 * don't then want to overwrite it by blindly copying all the lower
3564 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3565 */
3566 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3567 return 1; /* Discard */
3568 /*
3569 * Any other attribute apart from SELINUX is not claimed, supported
3570 * by selinux.
3571 */
3572 return -EOPNOTSUPP;
3573 }
3574
3575 /* file security operations */
3576
selinux_revalidate_file_permission(struct file * file,int mask)3577 static int selinux_revalidate_file_permission(struct file *file, int mask)
3578 {
3579 const struct cred *cred = current_cred();
3580 struct inode *inode = file_inode(file);
3581
3582 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3583 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3584 mask |= MAY_APPEND;
3585
3586 return file_has_perm(cred, file,
3587 file_mask_to_av(inode->i_mode, mask));
3588 }
3589
selinux_file_permission(struct file * file,int mask)3590 static int selinux_file_permission(struct file *file, int mask)
3591 {
3592 struct inode *inode = file_inode(file);
3593 struct file_security_struct *fsec = file->f_security;
3594 struct inode_security_struct *isec;
3595 u32 sid = current_sid();
3596
3597 if (!mask)
3598 /* No permission to check. Existence test. */
3599 return 0;
3600
3601 isec = inode_security(inode);
3602 if (sid == fsec->sid && fsec->isid == isec->sid &&
3603 fsec->pseqno == avc_policy_seqno(&selinux_state))
3604 /* No change since file_open check. */
3605 return 0;
3606
3607 return selinux_revalidate_file_permission(file, mask);
3608 }
3609
selinux_file_alloc_security(struct file * file)3610 static int selinux_file_alloc_security(struct file *file)
3611 {
3612 return file_alloc_security(file);
3613 }
3614
selinux_file_free_security(struct file * file)3615 static void selinux_file_free_security(struct file *file)
3616 {
3617 file_free_security(file);
3618 }
3619
3620 /*
3621 * Check whether a task has the ioctl permission and cmd
3622 * operation to an inode.
3623 */
ioctl_has_perm(const struct cred * cred,struct file * file,u32 requested,u16 cmd)3624 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3625 u32 requested, u16 cmd)
3626 {
3627 struct common_audit_data ad;
3628 struct file_security_struct *fsec = file->f_security;
3629 struct inode *inode = file_inode(file);
3630 struct inode_security_struct *isec;
3631 struct lsm_ioctlop_audit ioctl;
3632 u32 ssid = cred_sid(cred);
3633 int rc;
3634 u8 driver = cmd >> 8;
3635 u8 xperm = cmd & 0xff;
3636
3637 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3638 ad.u.op = &ioctl;
3639 ad.u.op->cmd = cmd;
3640 ad.u.op->path = file->f_path;
3641
3642 if (ssid != fsec->sid) {
3643 rc = avc_has_perm(&selinux_state,
3644 ssid, fsec->sid,
3645 SECCLASS_FD,
3646 FD__USE,
3647 &ad);
3648 if (rc)
3649 goto out;
3650 }
3651
3652 if (unlikely(IS_PRIVATE(inode)))
3653 return 0;
3654
3655 isec = inode_security(inode);
3656 rc = avc_has_extended_perms(&selinux_state,
3657 ssid, isec->sid, isec->sclass,
3658 requested, driver, xperm, &ad);
3659 out:
3660 return rc;
3661 }
3662
selinux_file_ioctl(struct file * file,unsigned int cmd,unsigned long arg)3663 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3664 unsigned long arg)
3665 {
3666 const struct cred *cred = current_cred();
3667 int error = 0;
3668
3669 switch (cmd) {
3670 case FIONREAD:
3671 /* fall through */
3672 case FIBMAP:
3673 /* fall through */
3674 case FIGETBSZ:
3675 /* fall through */
3676 case FS_IOC_GETFLAGS:
3677 /* fall through */
3678 case FS_IOC_GETVERSION:
3679 error = file_has_perm(cred, file, FILE__GETATTR);
3680 break;
3681
3682 case FS_IOC_SETFLAGS:
3683 /* fall through */
3684 case FS_IOC_SETVERSION:
3685 error = file_has_perm(cred, file, FILE__SETATTR);
3686 break;
3687
3688 /* sys_ioctl() checks */
3689 case FIONBIO:
3690 /* fall through */
3691 case FIOASYNC:
3692 error = file_has_perm(cred, file, 0);
3693 break;
3694
3695 case KDSKBENT:
3696 case KDSKBSENT:
3697 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3698 CAP_OPT_NONE, true);
3699 break;
3700
3701 /* default case assumes that the command will go
3702 * to the file's ioctl() function.
3703 */
3704 default:
3705 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3706 }
3707 return error;
3708 }
3709
3710 static int default_noexec;
3711
file_map_prot_check(struct file * file,unsigned long prot,int shared)3712 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3713 {
3714 const struct cred *cred = current_cred();
3715 u32 sid = cred_sid(cred);
3716 int rc = 0;
3717
3718 if (default_noexec &&
3719 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3720 (!shared && (prot & PROT_WRITE)))) {
3721 /*
3722 * We are making executable an anonymous mapping or a
3723 * private file mapping that will also be writable.
3724 * This has an additional check.
3725 */
3726 rc = avc_has_perm(&selinux_state,
3727 sid, sid, SECCLASS_PROCESS,
3728 PROCESS__EXECMEM, NULL);
3729 if (rc)
3730 goto error;
3731 }
3732
3733 if (file) {
3734 /* read access is always possible with a mapping */
3735 u32 av = FILE__READ;
3736
3737 /* write access only matters if the mapping is shared */
3738 if (shared && (prot & PROT_WRITE))
3739 av |= FILE__WRITE;
3740
3741 if (prot & PROT_EXEC)
3742 av |= FILE__EXECUTE;
3743
3744 return file_has_perm(cred, file, av);
3745 }
3746
3747 error:
3748 return rc;
3749 }
3750
selinux_mmap_addr(unsigned long addr)3751 static int selinux_mmap_addr(unsigned long addr)
3752 {
3753 int rc = 0;
3754
3755 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3756 u32 sid = current_sid();
3757 rc = avc_has_perm(&selinux_state,
3758 sid, sid, SECCLASS_MEMPROTECT,
3759 MEMPROTECT__MMAP_ZERO, NULL);
3760 }
3761
3762 return rc;
3763 }
3764
selinux_mmap_file(struct file * file,unsigned long reqprot,unsigned long prot,unsigned long flags)3765 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3766 unsigned long prot, unsigned long flags)
3767 {
3768 struct common_audit_data ad;
3769 int rc;
3770
3771 if (file) {
3772 ad.type = LSM_AUDIT_DATA_FILE;
3773 ad.u.file = file;
3774 rc = inode_has_perm(current_cred(), file_inode(file),
3775 FILE__MAP, &ad);
3776 if (rc)
3777 return rc;
3778 }
3779
3780 if (selinux_state.checkreqprot)
3781 prot = reqprot;
3782
3783 return file_map_prot_check(file, prot,
3784 (flags & MAP_TYPE) == MAP_SHARED);
3785 }
3786
selinux_file_mprotect(struct vm_area_struct * vma,unsigned long reqprot,unsigned long prot)3787 static int selinux_file_mprotect(struct vm_area_struct *vma,
3788 unsigned long reqprot,
3789 unsigned long prot)
3790 {
3791 const struct cred *cred = current_cred();
3792 u32 sid = cred_sid(cred);
3793
3794 if (selinux_state.checkreqprot)
3795 prot = reqprot;
3796
3797 if (default_noexec &&
3798 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3799 int rc = 0;
3800 if (vma->vm_start >= vma->vm_mm->start_brk &&
3801 vma->vm_end <= vma->vm_mm->brk) {
3802 rc = avc_has_perm(&selinux_state,
3803 sid, sid, SECCLASS_PROCESS,
3804 PROCESS__EXECHEAP, NULL);
3805 } else if (!vma->vm_file &&
3806 ((vma->vm_start <= vma->vm_mm->start_stack &&
3807 vma->vm_end >= vma->vm_mm->start_stack) ||
3808 vma_is_stack_for_current(vma))) {
3809 rc = avc_has_perm(&selinux_state,
3810 sid, sid, SECCLASS_PROCESS,
3811 PROCESS__EXECSTACK, NULL);
3812 } else if (vma->vm_file && vma->anon_vma) {
3813 /*
3814 * We are making executable a file mapping that has
3815 * had some COW done. Since pages might have been
3816 * written, check ability to execute the possibly
3817 * modified content. This typically should only
3818 * occur for text relocations.
3819 */
3820 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3821 }
3822 if (rc)
3823 return rc;
3824 }
3825
3826 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3827 }
3828
selinux_file_lock(struct file * file,unsigned int cmd)3829 static int selinux_file_lock(struct file *file, unsigned int cmd)
3830 {
3831 const struct cred *cred = current_cred();
3832
3833 return file_has_perm(cred, file, FILE__LOCK);
3834 }
3835
selinux_file_fcntl(struct file * file,unsigned int cmd,unsigned long arg)3836 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3837 unsigned long arg)
3838 {
3839 const struct cred *cred = current_cred();
3840 int err = 0;
3841
3842 switch (cmd) {
3843 case F_SETFL:
3844 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3845 err = file_has_perm(cred, file, FILE__WRITE);
3846 break;
3847 }
3848 /* fall through */
3849 case F_SETOWN:
3850 case F_SETSIG:
3851 case F_GETFL:
3852 case F_GETOWN:
3853 case F_GETSIG:
3854 case F_GETOWNER_UIDS:
3855 /* Just check FD__USE permission */
3856 err = file_has_perm(cred, file, 0);
3857 break;
3858 case F_GETLK:
3859 case F_SETLK:
3860 case F_SETLKW:
3861 case F_OFD_GETLK:
3862 case F_OFD_SETLK:
3863 case F_OFD_SETLKW:
3864 #if BITS_PER_LONG == 32
3865 case F_GETLK64:
3866 case F_SETLK64:
3867 case F_SETLKW64:
3868 #endif
3869 err = file_has_perm(cred, file, FILE__LOCK);
3870 break;
3871 }
3872
3873 return err;
3874 }
3875
selinux_file_set_fowner(struct file * file)3876 static void selinux_file_set_fowner(struct file *file)
3877 {
3878 struct file_security_struct *fsec;
3879
3880 fsec = file->f_security;
3881 fsec->fown_sid = current_sid();
3882 }
3883
selinux_file_send_sigiotask(struct task_struct * tsk,struct fown_struct * fown,int signum)3884 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3885 struct fown_struct *fown, int signum)
3886 {
3887 struct file *file;
3888 u32 sid = task_sid(tsk);
3889 u32 perm;
3890 struct file_security_struct *fsec;
3891
3892 /* struct fown_struct is never outside the context of a struct file */
3893 file = container_of(fown, struct file, f_owner);
3894
3895 fsec = file->f_security;
3896
3897 if (!signum)
3898 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3899 else
3900 perm = signal_to_av(signum);
3901
3902 return avc_has_perm(&selinux_state,
3903 fsec->fown_sid, sid,
3904 SECCLASS_PROCESS, perm, NULL);
3905 }
3906
selinux_file_receive(struct file * file)3907 static int selinux_file_receive(struct file *file)
3908 {
3909 const struct cred *cred = current_cred();
3910
3911 return file_has_perm(cred, file, file_to_av(file));
3912 }
3913
selinux_file_open(struct file * file)3914 static int selinux_file_open(struct file *file)
3915 {
3916 struct file_security_struct *fsec;
3917 struct inode_security_struct *isec;
3918
3919 fsec = file->f_security;
3920 isec = inode_security(file_inode(file));
3921 /*
3922 * Save inode label and policy sequence number
3923 * at open-time so that selinux_file_permission
3924 * can determine whether revalidation is necessary.
3925 * Task label is already saved in the file security
3926 * struct as its SID.
3927 */
3928 fsec->isid = isec->sid;
3929 fsec->pseqno = avc_policy_seqno(&selinux_state);
3930 /*
3931 * Since the inode label or policy seqno may have changed
3932 * between the selinux_inode_permission check and the saving
3933 * of state above, recheck that access is still permitted.
3934 * Otherwise, access might never be revalidated against the
3935 * new inode label or new policy.
3936 * This check is not redundant - do not remove.
3937 */
3938 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3939 }
3940
3941 /* task security operations */
3942
selinux_task_alloc(struct task_struct * task,unsigned long clone_flags)3943 static int selinux_task_alloc(struct task_struct *task,
3944 unsigned long clone_flags)
3945 {
3946 u32 sid = current_sid();
3947
3948 return avc_has_perm(&selinux_state,
3949 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3950 }
3951
3952 /*
3953 * allocate the SELinux part of blank credentials
3954 */
selinux_cred_alloc_blank(struct cred * cred,gfp_t gfp)3955 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3956 {
3957 struct task_security_struct *tsec;
3958
3959 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3960 if (!tsec)
3961 return -ENOMEM;
3962
3963 cred->security = tsec;
3964 return 0;
3965 }
3966
3967 /*
3968 * detach and free the LSM part of a set of credentials
3969 */
selinux_cred_free(struct cred * cred)3970 static void selinux_cred_free(struct cred *cred)
3971 {
3972 struct task_security_struct *tsec = cred->security;
3973
3974 /*
3975 * cred->security == NULL if security_cred_alloc_blank() or
3976 * security_prepare_creds() returned an error.
3977 */
3978 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3979 cred->security = (void *) 0x7UL;
3980 kfree(tsec);
3981 }
3982
3983 /*
3984 * prepare a new set of credentials for modification
3985 */
selinux_cred_prepare(struct cred * new,const struct cred * old,gfp_t gfp)3986 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3987 gfp_t gfp)
3988 {
3989 const struct task_security_struct *old_tsec;
3990 struct task_security_struct *tsec;
3991
3992 old_tsec = old->security;
3993
3994 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3995 if (!tsec)
3996 return -ENOMEM;
3997
3998 new->security = tsec;
3999 return 0;
4000 }
4001
4002 /*
4003 * transfer the SELinux data to a blank set of creds
4004 */
selinux_cred_transfer(struct cred * new,const struct cred * old)4005 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4006 {
4007 const struct task_security_struct *old_tsec = old->security;
4008 struct task_security_struct *tsec = new->security;
4009
4010 *tsec = *old_tsec;
4011 }
4012
selinux_cred_getsecid(const struct cred * c,u32 * secid)4013 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4014 {
4015 *secid = cred_sid(c);
4016 }
4017
4018 /*
4019 * set the security data for a kernel service
4020 * - all the creation contexts are set to unlabelled
4021 */
selinux_kernel_act_as(struct cred * new,u32 secid)4022 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4023 {
4024 struct task_security_struct *tsec = new->security;
4025 u32 sid = current_sid();
4026 int ret;
4027
4028 ret = avc_has_perm(&selinux_state,
4029 sid, secid,
4030 SECCLASS_KERNEL_SERVICE,
4031 KERNEL_SERVICE__USE_AS_OVERRIDE,
4032 NULL);
4033 if (ret == 0) {
4034 tsec->sid = secid;
4035 tsec->create_sid = 0;
4036 tsec->keycreate_sid = 0;
4037 tsec->sockcreate_sid = 0;
4038 }
4039 return ret;
4040 }
4041
4042 /*
4043 * set the file creation context in a security record to the same as the
4044 * objective context of the specified inode
4045 */
selinux_kernel_create_files_as(struct cred * new,struct inode * inode)4046 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4047 {
4048 struct inode_security_struct *isec = inode_security(inode);
4049 struct task_security_struct *tsec = new->security;
4050 u32 sid = current_sid();
4051 int ret;
4052
4053 ret = avc_has_perm(&selinux_state,
4054 sid, isec->sid,
4055 SECCLASS_KERNEL_SERVICE,
4056 KERNEL_SERVICE__CREATE_FILES_AS,
4057 NULL);
4058
4059 if (ret == 0)
4060 tsec->create_sid = isec->sid;
4061 return ret;
4062 }
4063
selinux_kernel_module_request(char * kmod_name)4064 static int selinux_kernel_module_request(char *kmod_name)
4065 {
4066 struct common_audit_data ad;
4067
4068 ad.type = LSM_AUDIT_DATA_KMOD;
4069 ad.u.kmod_name = kmod_name;
4070
4071 return avc_has_perm(&selinux_state,
4072 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4073 SYSTEM__MODULE_REQUEST, &ad);
4074 }
4075
selinux_kernel_module_from_file(struct file * file)4076 static int selinux_kernel_module_from_file(struct file *file)
4077 {
4078 struct common_audit_data ad;
4079 struct inode_security_struct *isec;
4080 struct file_security_struct *fsec;
4081 u32 sid = current_sid();
4082 int rc;
4083
4084 /* init_module */
4085 if (file == NULL)
4086 return avc_has_perm(&selinux_state,
4087 sid, sid, SECCLASS_SYSTEM,
4088 SYSTEM__MODULE_LOAD, NULL);
4089
4090 /* finit_module */
4091
4092 ad.type = LSM_AUDIT_DATA_FILE;
4093 ad.u.file = file;
4094
4095 fsec = file->f_security;
4096 if (sid != fsec->sid) {
4097 rc = avc_has_perm(&selinux_state,
4098 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4099 if (rc)
4100 return rc;
4101 }
4102
4103 isec = inode_security(file_inode(file));
4104 return avc_has_perm(&selinux_state,
4105 sid, isec->sid, SECCLASS_SYSTEM,
4106 SYSTEM__MODULE_LOAD, &ad);
4107 }
4108
selinux_kernel_read_file(struct file * file,enum kernel_read_file_id id)4109 static int selinux_kernel_read_file(struct file *file,
4110 enum kernel_read_file_id id)
4111 {
4112 int rc = 0;
4113
4114 switch (id) {
4115 case READING_MODULE:
4116 rc = selinux_kernel_module_from_file(file);
4117 break;
4118 default:
4119 break;
4120 }
4121
4122 return rc;
4123 }
4124
selinux_kernel_load_data(enum kernel_load_data_id id)4125 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4126 {
4127 int rc = 0;
4128
4129 switch (id) {
4130 case LOADING_MODULE:
4131 rc = selinux_kernel_module_from_file(NULL);
4132 default:
4133 break;
4134 }
4135
4136 return rc;
4137 }
4138
selinux_task_setpgid(struct task_struct * p,pid_t pgid)4139 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4140 {
4141 return avc_has_perm(&selinux_state,
4142 current_sid(), task_sid(p), SECCLASS_PROCESS,
4143 PROCESS__SETPGID, NULL);
4144 }
4145
selinux_task_getpgid(struct task_struct * p)4146 static int selinux_task_getpgid(struct task_struct *p)
4147 {
4148 return avc_has_perm(&selinux_state,
4149 current_sid(), task_sid(p), SECCLASS_PROCESS,
4150 PROCESS__GETPGID, NULL);
4151 }
4152
selinux_task_getsid(struct task_struct * p)4153 static int selinux_task_getsid(struct task_struct *p)
4154 {
4155 return avc_has_perm(&selinux_state,
4156 current_sid(), task_sid(p), SECCLASS_PROCESS,
4157 PROCESS__GETSESSION, NULL);
4158 }
4159
selinux_task_getsecid(struct task_struct * p,u32 * secid)4160 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4161 {
4162 *secid = task_sid(p);
4163 }
4164
selinux_task_setnice(struct task_struct * p,int nice)4165 static int selinux_task_setnice(struct task_struct *p, int nice)
4166 {
4167 return avc_has_perm(&selinux_state,
4168 current_sid(), task_sid(p), SECCLASS_PROCESS,
4169 PROCESS__SETSCHED, NULL);
4170 }
4171
selinux_task_setioprio(struct task_struct * p,int ioprio)4172 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4173 {
4174 return avc_has_perm(&selinux_state,
4175 current_sid(), task_sid(p), SECCLASS_PROCESS,
4176 PROCESS__SETSCHED, NULL);
4177 }
4178
selinux_task_getioprio(struct task_struct * p)4179 static int selinux_task_getioprio(struct task_struct *p)
4180 {
4181 return avc_has_perm(&selinux_state,
4182 current_sid(), task_sid(p), SECCLASS_PROCESS,
4183 PROCESS__GETSCHED, NULL);
4184 }
4185
selinux_task_prlimit(const struct cred * cred,const struct cred * tcred,unsigned int flags)4186 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4187 unsigned int flags)
4188 {
4189 u32 av = 0;
4190
4191 if (!flags)
4192 return 0;
4193 if (flags & LSM_PRLIMIT_WRITE)
4194 av |= PROCESS__SETRLIMIT;
4195 if (flags & LSM_PRLIMIT_READ)
4196 av |= PROCESS__GETRLIMIT;
4197 return avc_has_perm(&selinux_state,
4198 cred_sid(cred), cred_sid(tcred),
4199 SECCLASS_PROCESS, av, NULL);
4200 }
4201
selinux_task_setrlimit(struct task_struct * p,unsigned int resource,struct rlimit * new_rlim)4202 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4203 struct rlimit *new_rlim)
4204 {
4205 struct rlimit *old_rlim = p->signal->rlim + resource;
4206
4207 /* Control the ability to change the hard limit (whether
4208 lowering or raising it), so that the hard limit can
4209 later be used as a safe reset point for the soft limit
4210 upon context transitions. See selinux_bprm_committing_creds. */
4211 if (old_rlim->rlim_max != new_rlim->rlim_max)
4212 return avc_has_perm(&selinux_state,
4213 current_sid(), task_sid(p),
4214 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4215
4216 return 0;
4217 }
4218
selinux_task_setscheduler(struct task_struct * p)4219 static int selinux_task_setscheduler(struct task_struct *p)
4220 {
4221 return avc_has_perm(&selinux_state,
4222 current_sid(), task_sid(p), SECCLASS_PROCESS,
4223 PROCESS__SETSCHED, NULL);
4224 }
4225
selinux_task_getscheduler(struct task_struct * p)4226 static int selinux_task_getscheduler(struct task_struct *p)
4227 {
4228 return avc_has_perm(&selinux_state,
4229 current_sid(), task_sid(p), SECCLASS_PROCESS,
4230 PROCESS__GETSCHED, NULL);
4231 }
4232
selinux_task_movememory(struct task_struct * p)4233 static int selinux_task_movememory(struct task_struct *p)
4234 {
4235 return avc_has_perm(&selinux_state,
4236 current_sid(), task_sid(p), SECCLASS_PROCESS,
4237 PROCESS__SETSCHED, NULL);
4238 }
4239
selinux_task_kill(struct task_struct * p,struct siginfo * info,int sig,const struct cred * cred)4240 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4241 int sig, const struct cred *cred)
4242 {
4243 u32 secid;
4244 u32 perm;
4245
4246 if (!sig)
4247 perm = PROCESS__SIGNULL; /* null signal; existence test */
4248 else
4249 perm = signal_to_av(sig);
4250 if (!cred)
4251 secid = current_sid();
4252 else
4253 secid = cred_sid(cred);
4254 return avc_has_perm(&selinux_state,
4255 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4256 }
4257
selinux_task_to_inode(struct task_struct * p,struct inode * inode)4258 static void selinux_task_to_inode(struct task_struct *p,
4259 struct inode *inode)
4260 {
4261 struct inode_security_struct *isec = inode->i_security;
4262 u32 sid = task_sid(p);
4263
4264 spin_lock(&isec->lock);
4265 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4266 isec->sid = sid;
4267 isec->initialized = LABEL_INITIALIZED;
4268 spin_unlock(&isec->lock);
4269 }
4270
4271 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv4(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4272 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4273 struct common_audit_data *ad, u8 *proto)
4274 {
4275 int offset, ihlen, ret = -EINVAL;
4276 struct iphdr _iph, *ih;
4277
4278 offset = skb_network_offset(skb);
4279 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4280 if (ih == NULL)
4281 goto out;
4282
4283 ihlen = ih->ihl * 4;
4284 if (ihlen < sizeof(_iph))
4285 goto out;
4286
4287 ad->u.net->v4info.saddr = ih->saddr;
4288 ad->u.net->v4info.daddr = ih->daddr;
4289 ret = 0;
4290
4291 if (proto)
4292 *proto = ih->protocol;
4293
4294 switch (ih->protocol) {
4295 case IPPROTO_TCP: {
4296 struct tcphdr _tcph, *th;
4297
4298 if (ntohs(ih->frag_off) & IP_OFFSET)
4299 break;
4300
4301 offset += ihlen;
4302 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4303 if (th == NULL)
4304 break;
4305
4306 ad->u.net->sport = th->source;
4307 ad->u.net->dport = th->dest;
4308 break;
4309 }
4310
4311 case IPPROTO_UDP: {
4312 struct udphdr _udph, *uh;
4313
4314 if (ntohs(ih->frag_off) & IP_OFFSET)
4315 break;
4316
4317 offset += ihlen;
4318 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4319 if (uh == NULL)
4320 break;
4321
4322 ad->u.net->sport = uh->source;
4323 ad->u.net->dport = uh->dest;
4324 break;
4325 }
4326
4327 case IPPROTO_DCCP: {
4328 struct dccp_hdr _dccph, *dh;
4329
4330 if (ntohs(ih->frag_off) & IP_OFFSET)
4331 break;
4332
4333 offset += ihlen;
4334 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4335 if (dh == NULL)
4336 break;
4337
4338 ad->u.net->sport = dh->dccph_sport;
4339 ad->u.net->dport = dh->dccph_dport;
4340 break;
4341 }
4342
4343 #if IS_ENABLED(CONFIG_IP_SCTP)
4344 case IPPROTO_SCTP: {
4345 struct sctphdr _sctph, *sh;
4346
4347 if (ntohs(ih->frag_off) & IP_OFFSET)
4348 break;
4349
4350 offset += ihlen;
4351 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4352 if (sh == NULL)
4353 break;
4354
4355 ad->u.net->sport = sh->source;
4356 ad->u.net->dport = sh->dest;
4357 break;
4358 }
4359 #endif
4360 default:
4361 break;
4362 }
4363 out:
4364 return ret;
4365 }
4366
4367 #if IS_ENABLED(CONFIG_IPV6)
4368
4369 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv6(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4370 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4371 struct common_audit_data *ad, u8 *proto)
4372 {
4373 u8 nexthdr;
4374 int ret = -EINVAL, offset;
4375 struct ipv6hdr _ipv6h, *ip6;
4376 __be16 frag_off;
4377
4378 offset = skb_network_offset(skb);
4379 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4380 if (ip6 == NULL)
4381 goto out;
4382
4383 ad->u.net->v6info.saddr = ip6->saddr;
4384 ad->u.net->v6info.daddr = ip6->daddr;
4385 ret = 0;
4386
4387 nexthdr = ip6->nexthdr;
4388 offset += sizeof(_ipv6h);
4389 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4390 if (offset < 0)
4391 goto out;
4392
4393 if (proto)
4394 *proto = nexthdr;
4395
4396 switch (nexthdr) {
4397 case IPPROTO_TCP: {
4398 struct tcphdr _tcph, *th;
4399
4400 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4401 if (th == NULL)
4402 break;
4403
4404 ad->u.net->sport = th->source;
4405 ad->u.net->dport = th->dest;
4406 break;
4407 }
4408
4409 case IPPROTO_UDP: {
4410 struct udphdr _udph, *uh;
4411
4412 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4413 if (uh == NULL)
4414 break;
4415
4416 ad->u.net->sport = uh->source;
4417 ad->u.net->dport = uh->dest;
4418 break;
4419 }
4420
4421 case IPPROTO_DCCP: {
4422 struct dccp_hdr _dccph, *dh;
4423
4424 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4425 if (dh == NULL)
4426 break;
4427
4428 ad->u.net->sport = dh->dccph_sport;
4429 ad->u.net->dport = dh->dccph_dport;
4430 break;
4431 }
4432
4433 #if IS_ENABLED(CONFIG_IP_SCTP)
4434 case IPPROTO_SCTP: {
4435 struct sctphdr _sctph, *sh;
4436
4437 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4438 if (sh == NULL)
4439 break;
4440
4441 ad->u.net->sport = sh->source;
4442 ad->u.net->dport = sh->dest;
4443 break;
4444 }
4445 #endif
4446 /* includes fragments */
4447 default:
4448 break;
4449 }
4450 out:
4451 return ret;
4452 }
4453
4454 #endif /* IPV6 */
4455
selinux_parse_skb(struct sk_buff * skb,struct common_audit_data * ad,char ** _addrp,int src,u8 * proto)4456 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4457 char **_addrp, int src, u8 *proto)
4458 {
4459 char *addrp;
4460 int ret;
4461
4462 switch (ad->u.net->family) {
4463 case PF_INET:
4464 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4465 if (ret)
4466 goto parse_error;
4467 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4468 &ad->u.net->v4info.daddr);
4469 goto okay;
4470
4471 #if IS_ENABLED(CONFIG_IPV6)
4472 case PF_INET6:
4473 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4474 if (ret)
4475 goto parse_error;
4476 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4477 &ad->u.net->v6info.daddr);
4478 goto okay;
4479 #endif /* IPV6 */
4480 default:
4481 addrp = NULL;
4482 goto okay;
4483 }
4484
4485 parse_error:
4486 pr_warn(
4487 "SELinux: failure in selinux_parse_skb(),"
4488 " unable to parse packet\n");
4489 return ret;
4490
4491 okay:
4492 if (_addrp)
4493 *_addrp = addrp;
4494 return 0;
4495 }
4496
4497 /**
4498 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4499 * @skb: the packet
4500 * @family: protocol family
4501 * @sid: the packet's peer label SID
4502 *
4503 * Description:
4504 * Check the various different forms of network peer labeling and determine
4505 * the peer label/SID for the packet; most of the magic actually occurs in
4506 * the security server function security_net_peersid_cmp(). The function
4507 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4508 * or -EACCES if @sid is invalid due to inconsistencies with the different
4509 * peer labels.
4510 *
4511 */
selinux_skb_peerlbl_sid(struct sk_buff * skb,u16 family,u32 * sid)4512 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4513 {
4514 int err;
4515 u32 xfrm_sid;
4516 u32 nlbl_sid;
4517 u32 nlbl_type;
4518
4519 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4520 if (unlikely(err))
4521 return -EACCES;
4522 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4523 if (unlikely(err))
4524 return -EACCES;
4525
4526 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4527 nlbl_type, xfrm_sid, sid);
4528 if (unlikely(err)) {
4529 pr_warn(
4530 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4531 " unable to determine packet's peer label\n");
4532 return -EACCES;
4533 }
4534
4535 return 0;
4536 }
4537
4538 /**
4539 * selinux_conn_sid - Determine the child socket label for a connection
4540 * @sk_sid: the parent socket's SID
4541 * @skb_sid: the packet's SID
4542 * @conn_sid: the resulting connection SID
4543 *
4544 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4545 * combined with the MLS information from @skb_sid in order to create
4546 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4547 * of @sk_sid. Returns zero on success, negative values on failure.
4548 *
4549 */
selinux_conn_sid(u32 sk_sid,u32 skb_sid,u32 * conn_sid)4550 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4551 {
4552 int err = 0;
4553
4554 if (skb_sid != SECSID_NULL)
4555 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4556 conn_sid);
4557 else
4558 *conn_sid = sk_sid;
4559
4560 return err;
4561 }
4562
4563 /* socket security operations */
4564
socket_sockcreate_sid(const struct task_security_struct * tsec,u16 secclass,u32 * socksid)4565 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4566 u16 secclass, u32 *socksid)
4567 {
4568 if (tsec->sockcreate_sid > SECSID_NULL) {
4569 *socksid = tsec->sockcreate_sid;
4570 return 0;
4571 }
4572
4573 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4574 secclass, NULL, socksid);
4575 }
4576
sock_has_perm(struct sock * sk,u32 perms)4577 static int sock_has_perm(struct sock *sk, u32 perms)
4578 {
4579 struct sk_security_struct *sksec = sk->sk_security;
4580 struct common_audit_data ad;
4581 struct lsm_network_audit net = {0,};
4582
4583 if (sksec->sid == SECINITSID_KERNEL)
4584 return 0;
4585
4586 ad.type = LSM_AUDIT_DATA_NET;
4587 ad.u.net = &net;
4588 ad.u.net->sk = sk;
4589
4590 return avc_has_perm(&selinux_state,
4591 current_sid(), sksec->sid, sksec->sclass, perms,
4592 &ad);
4593 }
4594
selinux_socket_create(int family,int type,int protocol,int kern)4595 static int selinux_socket_create(int family, int type,
4596 int protocol, int kern)
4597 {
4598 const struct task_security_struct *tsec = current_security();
4599 u32 newsid;
4600 u16 secclass;
4601 int rc;
4602
4603 if (kern)
4604 return 0;
4605
4606 secclass = socket_type_to_security_class(family, type, protocol);
4607 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4608 if (rc)
4609 return rc;
4610
4611 return avc_has_perm(&selinux_state,
4612 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4613 }
4614
selinux_socket_post_create(struct socket * sock,int family,int type,int protocol,int kern)4615 static int selinux_socket_post_create(struct socket *sock, int family,
4616 int type, int protocol, int kern)
4617 {
4618 const struct task_security_struct *tsec = current_security();
4619 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4620 struct sk_security_struct *sksec;
4621 u16 sclass = socket_type_to_security_class(family, type, protocol);
4622 u32 sid = SECINITSID_KERNEL;
4623 int err = 0;
4624
4625 if (!kern) {
4626 err = socket_sockcreate_sid(tsec, sclass, &sid);
4627 if (err)
4628 return err;
4629 }
4630
4631 isec->sclass = sclass;
4632 isec->sid = sid;
4633 isec->initialized = LABEL_INITIALIZED;
4634
4635 if (sock->sk) {
4636 sksec = sock->sk->sk_security;
4637 sksec->sclass = sclass;
4638 sksec->sid = sid;
4639 /* Allows detection of the first association on this socket */
4640 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4641 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4642
4643 err = selinux_netlbl_socket_post_create(sock->sk, family);
4644 }
4645
4646 return err;
4647 }
4648
selinux_socket_socketpair(struct socket * socka,struct socket * sockb)4649 static int selinux_socket_socketpair(struct socket *socka,
4650 struct socket *sockb)
4651 {
4652 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4653 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4654
4655 sksec_a->peer_sid = sksec_b->sid;
4656 sksec_b->peer_sid = sksec_a->sid;
4657
4658 return 0;
4659 }
4660
4661 /* Range of port numbers used to automatically bind.
4662 Need to determine whether we should perform a name_bind
4663 permission check between the socket and the port number. */
4664
selinux_socket_bind(struct socket * sock,struct sockaddr * address,int addrlen)4665 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4666 {
4667 struct sock *sk = sock->sk;
4668 struct sk_security_struct *sksec = sk->sk_security;
4669 u16 family;
4670 int err;
4671
4672 err = sock_has_perm(sk, SOCKET__BIND);
4673 if (err)
4674 goto out;
4675
4676 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4677 family = sk->sk_family;
4678 if (family == PF_INET || family == PF_INET6) {
4679 char *addrp;
4680 struct common_audit_data ad;
4681 struct lsm_network_audit net = {0,};
4682 struct sockaddr_in *addr4 = NULL;
4683 struct sockaddr_in6 *addr6 = NULL;
4684 u16 family_sa = address->sa_family;
4685 unsigned short snum;
4686 u32 sid, node_perm;
4687
4688 /*
4689 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4690 * that validates multiple binding addresses. Because of this
4691 * need to check address->sa_family as it is possible to have
4692 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4693 */
4694 switch (family_sa) {
4695 case AF_UNSPEC:
4696 case AF_INET:
4697 if (addrlen < sizeof(struct sockaddr_in))
4698 return -EINVAL;
4699 addr4 = (struct sockaddr_in *)address;
4700 if (family_sa == AF_UNSPEC) {
4701 /* see __inet_bind(), we only want to allow
4702 * AF_UNSPEC if the address is INADDR_ANY
4703 */
4704 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4705 goto err_af;
4706 family_sa = AF_INET;
4707 }
4708 snum = ntohs(addr4->sin_port);
4709 addrp = (char *)&addr4->sin_addr.s_addr;
4710 break;
4711 case AF_INET6:
4712 if (addrlen < SIN6_LEN_RFC2133)
4713 return -EINVAL;
4714 addr6 = (struct sockaddr_in6 *)address;
4715 snum = ntohs(addr6->sin6_port);
4716 addrp = (char *)&addr6->sin6_addr.s6_addr;
4717 break;
4718 default:
4719 goto err_af;
4720 }
4721
4722 ad.type = LSM_AUDIT_DATA_NET;
4723 ad.u.net = &net;
4724 ad.u.net->sport = htons(snum);
4725 ad.u.net->family = family_sa;
4726
4727 if (snum) {
4728 int low, high;
4729
4730 inet_get_local_port_range(sock_net(sk), &low, &high);
4731
4732 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4733 snum > high) {
4734 err = sel_netport_sid(sk->sk_protocol,
4735 snum, &sid);
4736 if (err)
4737 goto out;
4738 err = avc_has_perm(&selinux_state,
4739 sksec->sid, sid,
4740 sksec->sclass,
4741 SOCKET__NAME_BIND, &ad);
4742 if (err)
4743 goto out;
4744 }
4745 }
4746
4747 switch (sksec->sclass) {
4748 case SECCLASS_TCP_SOCKET:
4749 node_perm = TCP_SOCKET__NODE_BIND;
4750 break;
4751
4752 case SECCLASS_UDP_SOCKET:
4753 node_perm = UDP_SOCKET__NODE_BIND;
4754 break;
4755
4756 case SECCLASS_DCCP_SOCKET:
4757 node_perm = DCCP_SOCKET__NODE_BIND;
4758 break;
4759
4760 case SECCLASS_SCTP_SOCKET:
4761 node_perm = SCTP_SOCKET__NODE_BIND;
4762 break;
4763
4764 default:
4765 node_perm = RAWIP_SOCKET__NODE_BIND;
4766 break;
4767 }
4768
4769 err = sel_netnode_sid(addrp, family_sa, &sid);
4770 if (err)
4771 goto out;
4772
4773 if (family_sa == AF_INET)
4774 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4775 else
4776 ad.u.net->v6info.saddr = addr6->sin6_addr;
4777
4778 err = avc_has_perm(&selinux_state,
4779 sksec->sid, sid,
4780 sksec->sclass, node_perm, &ad);
4781 if (err)
4782 goto out;
4783 }
4784 out:
4785 return err;
4786 err_af:
4787 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4788 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4789 return -EINVAL;
4790 return -EAFNOSUPPORT;
4791 }
4792
4793 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4794 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
4795 */
selinux_socket_connect_helper(struct socket * sock,struct sockaddr * address,int addrlen)4796 static int selinux_socket_connect_helper(struct socket *sock,
4797 struct sockaddr *address, int addrlen)
4798 {
4799 struct sock *sk = sock->sk;
4800 struct sk_security_struct *sksec = sk->sk_security;
4801 int err;
4802
4803 err = sock_has_perm(sk, SOCKET__CONNECT);
4804 if (err)
4805 return err;
4806
4807 /*
4808 * If a TCP, DCCP or SCTP socket, check name_connect permission
4809 * for the port.
4810 */
4811 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4812 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4813 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4814 struct common_audit_data ad;
4815 struct lsm_network_audit net = {0,};
4816 struct sockaddr_in *addr4 = NULL;
4817 struct sockaddr_in6 *addr6 = NULL;
4818 unsigned short snum = 0;
4819 u32 sid, perm;
4820
4821 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4822 * that validates multiple connect addresses. Because of this
4823 * need to check address->sa_family as it is possible to have
4824 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4825 */
4826 switch (address->sa_family) {
4827 case AF_INET:
4828 addr4 = (struct sockaddr_in *)address;
4829 if (addrlen < sizeof(struct sockaddr_in))
4830 return -EINVAL;
4831 snum = ntohs(addr4->sin_port);
4832 break;
4833 case AF_INET6:
4834 addr6 = (struct sockaddr_in6 *)address;
4835 if (addrlen < SIN6_LEN_RFC2133)
4836 return -EINVAL;
4837 snum = ntohs(addr6->sin6_port);
4838 break;
4839 default:
4840 /* Note that SCTP services expect -EINVAL, whereas
4841 * others must handle this at the protocol level:
4842 * connect(AF_UNSPEC) on a connected socket is
4843 * a documented way disconnect the socket.
4844 */
4845 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4846 return -EINVAL;
4847 }
4848
4849 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4850 if (err)
4851 return err;
4852
4853 switch (sksec->sclass) {
4854 case SECCLASS_TCP_SOCKET:
4855 perm = TCP_SOCKET__NAME_CONNECT;
4856 break;
4857 case SECCLASS_DCCP_SOCKET:
4858 perm = DCCP_SOCKET__NAME_CONNECT;
4859 break;
4860 case SECCLASS_SCTP_SOCKET:
4861 perm = SCTP_SOCKET__NAME_CONNECT;
4862 break;
4863 }
4864
4865 ad.type = LSM_AUDIT_DATA_NET;
4866 ad.u.net = &net;
4867 ad.u.net->dport = htons(snum);
4868 ad.u.net->family = address->sa_family;
4869 err = avc_has_perm(&selinux_state,
4870 sksec->sid, sid, sksec->sclass, perm, &ad);
4871 if (err)
4872 return err;
4873 }
4874
4875 return 0;
4876 }
4877
4878 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
selinux_socket_connect(struct socket * sock,struct sockaddr * address,int addrlen)4879 static int selinux_socket_connect(struct socket *sock,
4880 struct sockaddr *address, int addrlen)
4881 {
4882 int err;
4883 struct sock *sk = sock->sk;
4884
4885 err = selinux_socket_connect_helper(sock, address, addrlen);
4886 if (err)
4887 return err;
4888
4889 return selinux_netlbl_socket_connect(sk, address);
4890 }
4891
selinux_socket_listen(struct socket * sock,int backlog)4892 static int selinux_socket_listen(struct socket *sock, int backlog)
4893 {
4894 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4895 }
4896
selinux_socket_accept(struct socket * sock,struct socket * newsock)4897 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4898 {
4899 int err;
4900 struct inode_security_struct *isec;
4901 struct inode_security_struct *newisec;
4902 u16 sclass;
4903 u32 sid;
4904
4905 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4906 if (err)
4907 return err;
4908
4909 isec = inode_security_novalidate(SOCK_INODE(sock));
4910 spin_lock(&isec->lock);
4911 sclass = isec->sclass;
4912 sid = isec->sid;
4913 spin_unlock(&isec->lock);
4914
4915 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4916 newisec->sclass = sclass;
4917 newisec->sid = sid;
4918 newisec->initialized = LABEL_INITIALIZED;
4919
4920 return 0;
4921 }
4922
selinux_socket_sendmsg(struct socket * sock,struct msghdr * msg,int size)4923 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4924 int size)
4925 {
4926 return sock_has_perm(sock->sk, SOCKET__WRITE);
4927 }
4928
selinux_socket_recvmsg(struct socket * sock,struct msghdr * msg,int size,int flags)4929 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4930 int size, int flags)
4931 {
4932 return sock_has_perm(sock->sk, SOCKET__READ);
4933 }
4934
selinux_socket_getsockname(struct socket * sock)4935 static int selinux_socket_getsockname(struct socket *sock)
4936 {
4937 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4938 }
4939
selinux_socket_getpeername(struct socket * sock)4940 static int selinux_socket_getpeername(struct socket *sock)
4941 {
4942 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4943 }
4944
selinux_socket_setsockopt(struct socket * sock,int level,int optname)4945 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4946 {
4947 int err;
4948
4949 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4950 if (err)
4951 return err;
4952
4953 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4954 }
4955
selinux_socket_getsockopt(struct socket * sock,int level,int optname)4956 static int selinux_socket_getsockopt(struct socket *sock, int level,
4957 int optname)
4958 {
4959 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4960 }
4961
selinux_socket_shutdown(struct socket * sock,int how)4962 static int selinux_socket_shutdown(struct socket *sock, int how)
4963 {
4964 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4965 }
4966
selinux_socket_unix_stream_connect(struct sock * sock,struct sock * other,struct sock * newsk)4967 static int selinux_socket_unix_stream_connect(struct sock *sock,
4968 struct sock *other,
4969 struct sock *newsk)
4970 {
4971 struct sk_security_struct *sksec_sock = sock->sk_security;
4972 struct sk_security_struct *sksec_other = other->sk_security;
4973 struct sk_security_struct *sksec_new = newsk->sk_security;
4974 struct common_audit_data ad;
4975 struct lsm_network_audit net = {0,};
4976 int err;
4977
4978 ad.type = LSM_AUDIT_DATA_NET;
4979 ad.u.net = &net;
4980 ad.u.net->sk = other;
4981
4982 err = avc_has_perm(&selinux_state,
4983 sksec_sock->sid, sksec_other->sid,
4984 sksec_other->sclass,
4985 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4986 if (err)
4987 return err;
4988
4989 /* server child socket */
4990 sksec_new->peer_sid = sksec_sock->sid;
4991 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4992 sksec_sock->sid, &sksec_new->sid);
4993 if (err)
4994 return err;
4995
4996 /* connecting socket */
4997 sksec_sock->peer_sid = sksec_new->sid;
4998
4999 return 0;
5000 }
5001
selinux_socket_unix_may_send(struct socket * sock,struct socket * other)5002 static int selinux_socket_unix_may_send(struct socket *sock,
5003 struct socket *other)
5004 {
5005 struct sk_security_struct *ssec = sock->sk->sk_security;
5006 struct sk_security_struct *osec = other->sk->sk_security;
5007 struct common_audit_data ad;
5008 struct lsm_network_audit net = {0,};
5009
5010 ad.type = LSM_AUDIT_DATA_NET;
5011 ad.u.net = &net;
5012 ad.u.net->sk = other->sk;
5013
5014 return avc_has_perm(&selinux_state,
5015 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5016 &ad);
5017 }
5018
selinux_inet_sys_rcv_skb(struct net * ns,int ifindex,char * addrp,u16 family,u32 peer_sid,struct common_audit_data * ad)5019 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5020 char *addrp, u16 family, u32 peer_sid,
5021 struct common_audit_data *ad)
5022 {
5023 int err;
5024 u32 if_sid;
5025 u32 node_sid;
5026
5027 err = sel_netif_sid(ns, ifindex, &if_sid);
5028 if (err)
5029 return err;
5030 err = avc_has_perm(&selinux_state,
5031 peer_sid, if_sid,
5032 SECCLASS_NETIF, NETIF__INGRESS, ad);
5033 if (err)
5034 return err;
5035
5036 err = sel_netnode_sid(addrp, family, &node_sid);
5037 if (err)
5038 return err;
5039 return avc_has_perm(&selinux_state,
5040 peer_sid, node_sid,
5041 SECCLASS_NODE, NODE__RECVFROM, ad);
5042 }
5043
selinux_sock_rcv_skb_compat(struct sock * sk,struct sk_buff * skb,u16 family)5044 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5045 u16 family)
5046 {
5047 int err = 0;
5048 struct sk_security_struct *sksec = sk->sk_security;
5049 u32 sk_sid = sksec->sid;
5050 struct common_audit_data ad;
5051 struct lsm_network_audit net = {0,};
5052 char *addrp;
5053
5054 ad.type = LSM_AUDIT_DATA_NET;
5055 ad.u.net = &net;
5056 ad.u.net->netif = skb->skb_iif;
5057 ad.u.net->family = family;
5058 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5059 if (err)
5060 return err;
5061
5062 if (selinux_secmark_enabled()) {
5063 err = avc_has_perm(&selinux_state,
5064 sk_sid, skb->secmark, SECCLASS_PACKET,
5065 PACKET__RECV, &ad);
5066 if (err)
5067 return err;
5068 }
5069
5070 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5071 if (err)
5072 return err;
5073 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5074
5075 return err;
5076 }
5077
selinux_socket_sock_rcv_skb(struct sock * sk,struct sk_buff * skb)5078 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5079 {
5080 int err;
5081 struct sk_security_struct *sksec = sk->sk_security;
5082 u16 family = sk->sk_family;
5083 u32 sk_sid = sksec->sid;
5084 struct common_audit_data ad;
5085 struct lsm_network_audit net = {0,};
5086 char *addrp;
5087 u8 secmark_active;
5088 u8 peerlbl_active;
5089
5090 if (family != PF_INET && family != PF_INET6)
5091 return 0;
5092
5093 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5094 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5095 family = PF_INET;
5096
5097 /* If any sort of compatibility mode is enabled then handoff processing
5098 * to the selinux_sock_rcv_skb_compat() function to deal with the
5099 * special handling. We do this in an attempt to keep this function
5100 * as fast and as clean as possible. */
5101 if (!selinux_policycap_netpeer())
5102 return selinux_sock_rcv_skb_compat(sk, skb, family);
5103
5104 secmark_active = selinux_secmark_enabled();
5105 peerlbl_active = selinux_peerlbl_enabled();
5106 if (!secmark_active && !peerlbl_active)
5107 return 0;
5108
5109 ad.type = LSM_AUDIT_DATA_NET;
5110 ad.u.net = &net;
5111 ad.u.net->netif = skb->skb_iif;
5112 ad.u.net->family = family;
5113 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5114 if (err)
5115 return err;
5116
5117 if (peerlbl_active) {
5118 u32 peer_sid;
5119
5120 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5121 if (err)
5122 return err;
5123 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5124 addrp, family, peer_sid, &ad);
5125 if (err) {
5126 selinux_netlbl_err(skb, family, err, 0);
5127 return err;
5128 }
5129 err = avc_has_perm(&selinux_state,
5130 sk_sid, peer_sid, SECCLASS_PEER,
5131 PEER__RECV, &ad);
5132 if (err) {
5133 selinux_netlbl_err(skb, family, err, 0);
5134 return err;
5135 }
5136 }
5137
5138 if (secmark_active) {
5139 err = avc_has_perm(&selinux_state,
5140 sk_sid, skb->secmark, SECCLASS_PACKET,
5141 PACKET__RECV, &ad);
5142 if (err)
5143 return err;
5144 }
5145
5146 return err;
5147 }
5148
selinux_socket_getpeersec_stream(struct socket * sock,char __user * optval,int __user * optlen,unsigned len)5149 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5150 int __user *optlen, unsigned len)
5151 {
5152 int err = 0;
5153 char *scontext;
5154 u32 scontext_len;
5155 struct sk_security_struct *sksec = sock->sk->sk_security;
5156 u32 peer_sid = SECSID_NULL;
5157
5158 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5159 sksec->sclass == SECCLASS_TCP_SOCKET ||
5160 sksec->sclass == SECCLASS_SCTP_SOCKET)
5161 peer_sid = sksec->peer_sid;
5162 if (peer_sid == SECSID_NULL)
5163 return -ENOPROTOOPT;
5164
5165 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5166 &scontext_len);
5167 if (err)
5168 return err;
5169
5170 if (scontext_len > len) {
5171 err = -ERANGE;
5172 goto out_len;
5173 }
5174
5175 if (copy_to_user(optval, scontext, scontext_len))
5176 err = -EFAULT;
5177
5178 out_len:
5179 if (put_user(scontext_len, optlen))
5180 err = -EFAULT;
5181 kfree(scontext);
5182 return err;
5183 }
5184
selinux_socket_getpeersec_dgram(struct socket * sock,struct sk_buff * skb,u32 * secid)5185 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5186 {
5187 u32 peer_secid = SECSID_NULL;
5188 u16 family;
5189 struct inode_security_struct *isec;
5190
5191 if (skb && skb->protocol == htons(ETH_P_IP))
5192 family = PF_INET;
5193 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5194 family = PF_INET6;
5195 else if (sock)
5196 family = sock->sk->sk_family;
5197 else
5198 goto out;
5199
5200 if (sock && family == PF_UNIX) {
5201 isec = inode_security_novalidate(SOCK_INODE(sock));
5202 peer_secid = isec->sid;
5203 } else if (skb)
5204 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5205
5206 out:
5207 *secid = peer_secid;
5208 if (peer_secid == SECSID_NULL)
5209 return -EINVAL;
5210 return 0;
5211 }
5212
selinux_sk_alloc_security(struct sock * sk,int family,gfp_t priority)5213 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5214 {
5215 struct sk_security_struct *sksec;
5216
5217 sksec = kzalloc(sizeof(*sksec), priority);
5218 if (!sksec)
5219 return -ENOMEM;
5220
5221 sksec->peer_sid = SECINITSID_UNLABELED;
5222 sksec->sid = SECINITSID_UNLABELED;
5223 sksec->sclass = SECCLASS_SOCKET;
5224 selinux_netlbl_sk_security_reset(sksec);
5225 sk->sk_security = sksec;
5226
5227 return 0;
5228 }
5229
selinux_sk_free_security(struct sock * sk)5230 static void selinux_sk_free_security(struct sock *sk)
5231 {
5232 struct sk_security_struct *sksec = sk->sk_security;
5233
5234 sk->sk_security = NULL;
5235 selinux_netlbl_sk_security_free(sksec);
5236 kfree(sksec);
5237 }
5238
selinux_sk_clone_security(const struct sock * sk,struct sock * newsk)5239 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5240 {
5241 struct sk_security_struct *sksec = sk->sk_security;
5242 struct sk_security_struct *newsksec = newsk->sk_security;
5243
5244 newsksec->sid = sksec->sid;
5245 newsksec->peer_sid = sksec->peer_sid;
5246 newsksec->sclass = sksec->sclass;
5247
5248 selinux_netlbl_sk_security_reset(newsksec);
5249 }
5250
selinux_sk_getsecid(struct sock * sk,u32 * secid)5251 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5252 {
5253 if (!sk)
5254 *secid = SECINITSID_ANY_SOCKET;
5255 else {
5256 struct sk_security_struct *sksec = sk->sk_security;
5257
5258 *secid = sksec->sid;
5259 }
5260 }
5261
selinux_sock_graft(struct sock * sk,struct socket * parent)5262 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5263 {
5264 struct inode_security_struct *isec =
5265 inode_security_novalidate(SOCK_INODE(parent));
5266 struct sk_security_struct *sksec = sk->sk_security;
5267
5268 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5269 sk->sk_family == PF_UNIX)
5270 isec->sid = sksec->sid;
5271 sksec->sclass = isec->sclass;
5272 }
5273
5274 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5275 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5276 * already present).
5277 */
selinux_sctp_assoc_request(struct sctp_endpoint * ep,struct sk_buff * skb)5278 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5279 struct sk_buff *skb)
5280 {
5281 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5282 struct common_audit_data ad;
5283 struct lsm_network_audit net = {0,};
5284 u8 peerlbl_active;
5285 u32 peer_sid = SECINITSID_UNLABELED;
5286 u32 conn_sid;
5287 int err = 0;
5288
5289 if (!selinux_policycap_extsockclass())
5290 return 0;
5291
5292 peerlbl_active = selinux_peerlbl_enabled();
5293
5294 if (peerlbl_active) {
5295 /* This will return peer_sid = SECSID_NULL if there are
5296 * no peer labels, see security_net_peersid_resolve().
5297 */
5298 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5299 &peer_sid);
5300 if (err)
5301 return err;
5302
5303 if (peer_sid == SECSID_NULL)
5304 peer_sid = SECINITSID_UNLABELED;
5305 }
5306
5307 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5308 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5309
5310 /* Here as first association on socket. As the peer SID
5311 * was allowed by peer recv (and the netif/node checks),
5312 * then it is approved by policy and used as the primary
5313 * peer SID for getpeercon(3).
5314 */
5315 sksec->peer_sid = peer_sid;
5316 } else if (sksec->peer_sid != peer_sid) {
5317 /* Other association peer SIDs are checked to enforce
5318 * consistency among the peer SIDs.
5319 */
5320 ad.type = LSM_AUDIT_DATA_NET;
5321 ad.u.net = &net;
5322 ad.u.net->sk = ep->base.sk;
5323 err = avc_has_perm(&selinux_state,
5324 sksec->peer_sid, peer_sid, sksec->sclass,
5325 SCTP_SOCKET__ASSOCIATION, &ad);
5326 if (err)
5327 return err;
5328 }
5329
5330 /* Compute the MLS component for the connection and store
5331 * the information in ep. This will be used by SCTP TCP type
5332 * sockets and peeled off connections as they cause a new
5333 * socket to be generated. selinux_sctp_sk_clone() will then
5334 * plug this into the new socket.
5335 */
5336 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5337 if (err)
5338 return err;
5339
5340 ep->secid = conn_sid;
5341 ep->peer_secid = peer_sid;
5342
5343 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5344 return selinux_netlbl_sctp_assoc_request(ep, skb);
5345 }
5346
5347 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5348 * based on their @optname.
5349 */
selinux_sctp_bind_connect(struct sock * sk,int optname,struct sockaddr * address,int addrlen)5350 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5351 struct sockaddr *address,
5352 int addrlen)
5353 {
5354 int len, err = 0, walk_size = 0;
5355 void *addr_buf;
5356 struct sockaddr *addr;
5357 struct socket *sock;
5358
5359 if (!selinux_policycap_extsockclass())
5360 return 0;
5361
5362 /* Process one or more addresses that may be IPv4 or IPv6 */
5363 sock = sk->sk_socket;
5364 addr_buf = address;
5365
5366 while (walk_size < addrlen) {
5367 if (walk_size + sizeof(sa_family_t) > addrlen)
5368 return -EINVAL;
5369
5370 addr = addr_buf;
5371 switch (addr->sa_family) {
5372 case AF_UNSPEC:
5373 case AF_INET:
5374 len = sizeof(struct sockaddr_in);
5375 break;
5376 case AF_INET6:
5377 len = sizeof(struct sockaddr_in6);
5378 break;
5379 default:
5380 return -EINVAL;
5381 }
5382
5383 if (walk_size + len > addrlen)
5384 return -EINVAL;
5385
5386 err = -EINVAL;
5387 switch (optname) {
5388 /* Bind checks */
5389 case SCTP_PRIMARY_ADDR:
5390 case SCTP_SET_PEER_PRIMARY_ADDR:
5391 case SCTP_SOCKOPT_BINDX_ADD:
5392 err = selinux_socket_bind(sock, addr, len);
5393 break;
5394 /* Connect checks */
5395 case SCTP_SOCKOPT_CONNECTX:
5396 case SCTP_PARAM_SET_PRIMARY:
5397 case SCTP_PARAM_ADD_IP:
5398 case SCTP_SENDMSG_CONNECT:
5399 err = selinux_socket_connect_helper(sock, addr, len);
5400 if (err)
5401 return err;
5402
5403 /* As selinux_sctp_bind_connect() is called by the
5404 * SCTP protocol layer, the socket is already locked,
5405 * therefore selinux_netlbl_socket_connect_locked() is
5406 * is called here. The situations handled are:
5407 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5408 * whenever a new IP address is added or when a new
5409 * primary address is selected.
5410 * Note that an SCTP connect(2) call happens before
5411 * the SCTP protocol layer and is handled via
5412 * selinux_socket_connect().
5413 */
5414 err = selinux_netlbl_socket_connect_locked(sk, addr);
5415 break;
5416 }
5417
5418 if (err)
5419 return err;
5420
5421 addr_buf += len;
5422 walk_size += len;
5423 }
5424
5425 return 0;
5426 }
5427
5428 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
selinux_sctp_sk_clone(struct sctp_endpoint * ep,struct sock * sk,struct sock * newsk)5429 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5430 struct sock *newsk)
5431 {
5432 struct sk_security_struct *sksec = sk->sk_security;
5433 struct sk_security_struct *newsksec = newsk->sk_security;
5434
5435 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5436 * the non-sctp clone version.
5437 */
5438 if (!selinux_policycap_extsockclass())
5439 return selinux_sk_clone_security(sk, newsk);
5440
5441 newsksec->sid = ep->secid;
5442 newsksec->peer_sid = ep->peer_secid;
5443 newsksec->sclass = sksec->sclass;
5444 selinux_netlbl_sctp_sk_clone(sk, newsk);
5445 }
5446
selinux_inet_conn_request(struct sock * sk,struct sk_buff * skb,struct request_sock * req)5447 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5448 struct request_sock *req)
5449 {
5450 struct sk_security_struct *sksec = sk->sk_security;
5451 int err;
5452 u16 family = req->rsk_ops->family;
5453 u32 connsid;
5454 u32 peersid;
5455
5456 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5457 if (err)
5458 return err;
5459 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5460 if (err)
5461 return err;
5462 req->secid = connsid;
5463 req->peer_secid = peersid;
5464
5465 return selinux_netlbl_inet_conn_request(req, family);
5466 }
5467
selinux_inet_csk_clone(struct sock * newsk,const struct request_sock * req)5468 static void selinux_inet_csk_clone(struct sock *newsk,
5469 const struct request_sock *req)
5470 {
5471 struct sk_security_struct *newsksec = newsk->sk_security;
5472
5473 newsksec->sid = req->secid;
5474 newsksec->peer_sid = req->peer_secid;
5475 /* NOTE: Ideally, we should also get the isec->sid for the
5476 new socket in sync, but we don't have the isec available yet.
5477 So we will wait until sock_graft to do it, by which
5478 time it will have been created and available. */
5479
5480 /* We don't need to take any sort of lock here as we are the only
5481 * thread with access to newsksec */
5482 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5483 }
5484
selinux_inet_conn_established(struct sock * sk,struct sk_buff * skb)5485 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5486 {
5487 u16 family = sk->sk_family;
5488 struct sk_security_struct *sksec = sk->sk_security;
5489
5490 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5491 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5492 family = PF_INET;
5493
5494 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5495 }
5496
selinux_secmark_relabel_packet(u32 sid)5497 static int selinux_secmark_relabel_packet(u32 sid)
5498 {
5499 const struct task_security_struct *__tsec;
5500 u32 tsid;
5501
5502 __tsec = current_security();
5503 tsid = __tsec->sid;
5504
5505 return avc_has_perm(&selinux_state,
5506 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5507 NULL);
5508 }
5509
selinux_secmark_refcount_inc(void)5510 static void selinux_secmark_refcount_inc(void)
5511 {
5512 atomic_inc(&selinux_secmark_refcount);
5513 }
5514
selinux_secmark_refcount_dec(void)5515 static void selinux_secmark_refcount_dec(void)
5516 {
5517 atomic_dec(&selinux_secmark_refcount);
5518 }
5519
selinux_req_classify_flow(const struct request_sock * req,struct flowi * fl)5520 static void selinux_req_classify_flow(const struct request_sock *req,
5521 struct flowi *fl)
5522 {
5523 fl->flowi_secid = req->secid;
5524 }
5525
selinux_tun_dev_alloc_security(void ** security)5526 static int selinux_tun_dev_alloc_security(void **security)
5527 {
5528 struct tun_security_struct *tunsec;
5529
5530 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5531 if (!tunsec)
5532 return -ENOMEM;
5533 tunsec->sid = current_sid();
5534
5535 *security = tunsec;
5536 return 0;
5537 }
5538
selinux_tun_dev_free_security(void * security)5539 static void selinux_tun_dev_free_security(void *security)
5540 {
5541 kfree(security);
5542 }
5543
selinux_tun_dev_create(void)5544 static int selinux_tun_dev_create(void)
5545 {
5546 u32 sid = current_sid();
5547
5548 /* we aren't taking into account the "sockcreate" SID since the socket
5549 * that is being created here is not a socket in the traditional sense,
5550 * instead it is a private sock, accessible only to the kernel, and
5551 * representing a wide range of network traffic spanning multiple
5552 * connections unlike traditional sockets - check the TUN driver to
5553 * get a better understanding of why this socket is special */
5554
5555 return avc_has_perm(&selinux_state,
5556 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5557 NULL);
5558 }
5559
selinux_tun_dev_attach_queue(void * security)5560 static int selinux_tun_dev_attach_queue(void *security)
5561 {
5562 struct tun_security_struct *tunsec = security;
5563
5564 return avc_has_perm(&selinux_state,
5565 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5566 TUN_SOCKET__ATTACH_QUEUE, NULL);
5567 }
5568
selinux_tun_dev_attach(struct sock * sk,void * security)5569 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5570 {
5571 struct tun_security_struct *tunsec = security;
5572 struct sk_security_struct *sksec = sk->sk_security;
5573
5574 /* we don't currently perform any NetLabel based labeling here and it
5575 * isn't clear that we would want to do so anyway; while we could apply
5576 * labeling without the support of the TUN user the resulting labeled
5577 * traffic from the other end of the connection would almost certainly
5578 * cause confusion to the TUN user that had no idea network labeling
5579 * protocols were being used */
5580
5581 sksec->sid = tunsec->sid;
5582 sksec->sclass = SECCLASS_TUN_SOCKET;
5583
5584 return 0;
5585 }
5586
selinux_tun_dev_open(void * security)5587 static int selinux_tun_dev_open(void *security)
5588 {
5589 struct tun_security_struct *tunsec = security;
5590 u32 sid = current_sid();
5591 int err;
5592
5593 err = avc_has_perm(&selinux_state,
5594 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5595 TUN_SOCKET__RELABELFROM, NULL);
5596 if (err)
5597 return err;
5598 err = avc_has_perm(&selinux_state,
5599 sid, sid, SECCLASS_TUN_SOCKET,
5600 TUN_SOCKET__RELABELTO, NULL);
5601 if (err)
5602 return err;
5603 tunsec->sid = sid;
5604
5605 return 0;
5606 }
5607
selinux_nlmsg_perm(struct sock * sk,struct sk_buff * skb)5608 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5609 {
5610 int rc = 0;
5611 unsigned int msg_len;
5612 unsigned int data_len = skb->len;
5613 unsigned char *data = skb->data;
5614 struct nlmsghdr *nlh;
5615 struct sk_security_struct *sksec = sk->sk_security;
5616 u16 sclass = sksec->sclass;
5617 u32 perm;
5618
5619 while (data_len >= nlmsg_total_size(0)) {
5620 nlh = (struct nlmsghdr *)data;
5621
5622 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5623 * users which means we can't reject skb's with bogus
5624 * length fields; our solution is to follow what
5625 * netlink_rcv_skb() does and simply skip processing at
5626 * messages with length fields that are clearly junk
5627 */
5628 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5629 return 0;
5630
5631 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5632 if (rc == 0) {
5633 rc = sock_has_perm(sk, perm);
5634 if (rc)
5635 return rc;
5636 } else if (rc == -EINVAL) {
5637 /* -EINVAL is a missing msg/perm mapping */
5638 pr_warn_ratelimited("SELinux: unrecognized netlink"
5639 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5640 " pid=%d comm=%s\n",
5641 sk->sk_protocol, nlh->nlmsg_type,
5642 secclass_map[sclass - 1].name,
5643 task_pid_nr(current), current->comm);
5644 if (enforcing_enabled(&selinux_state) &&
5645 !security_get_allow_unknown(&selinux_state))
5646 return rc;
5647 rc = 0;
5648 } else if (rc == -ENOENT) {
5649 /* -ENOENT is a missing socket/class mapping, ignore */
5650 rc = 0;
5651 } else {
5652 return rc;
5653 }
5654
5655 /* move to the next message after applying netlink padding */
5656 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5657 if (msg_len >= data_len)
5658 return 0;
5659 data_len -= msg_len;
5660 data += msg_len;
5661 }
5662
5663 return rc;
5664 }
5665
5666 #ifdef CONFIG_NETFILTER
5667
selinux_ip_forward(struct sk_buff * skb,const struct net_device * indev,u16 family)5668 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5669 const struct net_device *indev,
5670 u16 family)
5671 {
5672 int err;
5673 char *addrp;
5674 u32 peer_sid;
5675 struct common_audit_data ad;
5676 struct lsm_network_audit net = {0,};
5677 u8 secmark_active;
5678 u8 netlbl_active;
5679 u8 peerlbl_active;
5680
5681 if (!selinux_policycap_netpeer())
5682 return NF_ACCEPT;
5683
5684 secmark_active = selinux_secmark_enabled();
5685 netlbl_active = netlbl_enabled();
5686 peerlbl_active = selinux_peerlbl_enabled();
5687 if (!secmark_active && !peerlbl_active)
5688 return NF_ACCEPT;
5689
5690 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5691 return NF_DROP;
5692
5693 ad.type = LSM_AUDIT_DATA_NET;
5694 ad.u.net = &net;
5695 ad.u.net->netif = indev->ifindex;
5696 ad.u.net->family = family;
5697 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5698 return NF_DROP;
5699
5700 if (peerlbl_active) {
5701 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5702 addrp, family, peer_sid, &ad);
5703 if (err) {
5704 selinux_netlbl_err(skb, family, err, 1);
5705 return NF_DROP;
5706 }
5707 }
5708
5709 if (secmark_active)
5710 if (avc_has_perm(&selinux_state,
5711 peer_sid, skb->secmark,
5712 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5713 return NF_DROP;
5714
5715 if (netlbl_active)
5716 /* we do this in the FORWARD path and not the POST_ROUTING
5717 * path because we want to make sure we apply the necessary
5718 * labeling before IPsec is applied so we can leverage AH
5719 * protection */
5720 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5721 return NF_DROP;
5722
5723 return NF_ACCEPT;
5724 }
5725
selinux_ipv4_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5726 static unsigned int selinux_ipv4_forward(void *priv,
5727 struct sk_buff *skb,
5728 const struct nf_hook_state *state)
5729 {
5730 return selinux_ip_forward(skb, state->in, PF_INET);
5731 }
5732
5733 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5734 static unsigned int selinux_ipv6_forward(void *priv,
5735 struct sk_buff *skb,
5736 const struct nf_hook_state *state)
5737 {
5738 return selinux_ip_forward(skb, state->in, PF_INET6);
5739 }
5740 #endif /* IPV6 */
5741
selinux_ip_output(struct sk_buff * skb,u16 family)5742 static unsigned int selinux_ip_output(struct sk_buff *skb,
5743 u16 family)
5744 {
5745 struct sock *sk;
5746 u32 sid;
5747
5748 if (!netlbl_enabled())
5749 return NF_ACCEPT;
5750
5751 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5752 * because we want to make sure we apply the necessary labeling
5753 * before IPsec is applied so we can leverage AH protection */
5754 sk = skb->sk;
5755 if (sk) {
5756 struct sk_security_struct *sksec;
5757
5758 if (sk_listener(sk))
5759 /* if the socket is the listening state then this
5760 * packet is a SYN-ACK packet which means it needs to
5761 * be labeled based on the connection/request_sock and
5762 * not the parent socket. unfortunately, we can't
5763 * lookup the request_sock yet as it isn't queued on
5764 * the parent socket until after the SYN-ACK is sent.
5765 * the "solution" is to simply pass the packet as-is
5766 * as any IP option based labeling should be copied
5767 * from the initial connection request (in the IP
5768 * layer). it is far from ideal, but until we get a
5769 * security label in the packet itself this is the
5770 * best we can do. */
5771 return NF_ACCEPT;
5772
5773 /* standard practice, label using the parent socket */
5774 sksec = sk->sk_security;
5775 sid = sksec->sid;
5776 } else
5777 sid = SECINITSID_KERNEL;
5778 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5779 return NF_DROP;
5780
5781 return NF_ACCEPT;
5782 }
5783
selinux_ipv4_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5784 static unsigned int selinux_ipv4_output(void *priv,
5785 struct sk_buff *skb,
5786 const struct nf_hook_state *state)
5787 {
5788 return selinux_ip_output(skb, PF_INET);
5789 }
5790
5791 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5792 static unsigned int selinux_ipv6_output(void *priv,
5793 struct sk_buff *skb,
5794 const struct nf_hook_state *state)
5795 {
5796 return selinux_ip_output(skb, PF_INET6);
5797 }
5798 #endif /* IPV6 */
5799
selinux_ip_postroute_compat(struct sk_buff * skb,int ifindex,u16 family)5800 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5801 int ifindex,
5802 u16 family)
5803 {
5804 struct sock *sk = skb_to_full_sk(skb);
5805 struct sk_security_struct *sksec;
5806 struct common_audit_data ad;
5807 struct lsm_network_audit net = {0,};
5808 char *addrp;
5809 u8 proto;
5810
5811 if (sk == NULL)
5812 return NF_ACCEPT;
5813 sksec = sk->sk_security;
5814
5815 ad.type = LSM_AUDIT_DATA_NET;
5816 ad.u.net = &net;
5817 ad.u.net->netif = ifindex;
5818 ad.u.net->family = family;
5819 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5820 return NF_DROP;
5821
5822 if (selinux_secmark_enabled())
5823 if (avc_has_perm(&selinux_state,
5824 sksec->sid, skb->secmark,
5825 SECCLASS_PACKET, PACKET__SEND, &ad))
5826 return NF_DROP_ERR(-ECONNREFUSED);
5827
5828 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5829 return NF_DROP_ERR(-ECONNREFUSED);
5830
5831 return NF_ACCEPT;
5832 }
5833
selinux_ip_postroute(struct sk_buff * skb,const struct net_device * outdev,u16 family)5834 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5835 const struct net_device *outdev,
5836 u16 family)
5837 {
5838 u32 secmark_perm;
5839 u32 peer_sid;
5840 int ifindex = outdev->ifindex;
5841 struct sock *sk;
5842 struct common_audit_data ad;
5843 struct lsm_network_audit net = {0,};
5844 char *addrp;
5845 u8 secmark_active;
5846 u8 peerlbl_active;
5847
5848 /* If any sort of compatibility mode is enabled then handoff processing
5849 * to the selinux_ip_postroute_compat() function to deal with the
5850 * special handling. We do this in an attempt to keep this function
5851 * as fast and as clean as possible. */
5852 if (!selinux_policycap_netpeer())
5853 return selinux_ip_postroute_compat(skb, ifindex, family);
5854
5855 secmark_active = selinux_secmark_enabled();
5856 peerlbl_active = selinux_peerlbl_enabled();
5857 if (!secmark_active && !peerlbl_active)
5858 return NF_ACCEPT;
5859
5860 sk = skb_to_full_sk(skb);
5861
5862 #ifdef CONFIG_XFRM
5863 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5864 * packet transformation so allow the packet to pass without any checks
5865 * since we'll have another chance to perform access control checks
5866 * when the packet is on it's final way out.
5867 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5868 * is NULL, in this case go ahead and apply access control.
5869 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5870 * TCP listening state we cannot wait until the XFRM processing
5871 * is done as we will miss out on the SA label if we do;
5872 * unfortunately, this means more work, but it is only once per
5873 * connection. */
5874 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5875 !(sk && sk_listener(sk)))
5876 return NF_ACCEPT;
5877 #endif
5878
5879 if (sk == NULL) {
5880 /* Without an associated socket the packet is either coming
5881 * from the kernel or it is being forwarded; check the packet
5882 * to determine which and if the packet is being forwarded
5883 * query the packet directly to determine the security label. */
5884 if (skb->skb_iif) {
5885 secmark_perm = PACKET__FORWARD_OUT;
5886 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5887 return NF_DROP;
5888 } else {
5889 secmark_perm = PACKET__SEND;
5890 peer_sid = SECINITSID_KERNEL;
5891 }
5892 } else if (sk_listener(sk)) {
5893 /* Locally generated packet but the associated socket is in the
5894 * listening state which means this is a SYN-ACK packet. In
5895 * this particular case the correct security label is assigned
5896 * to the connection/request_sock but unfortunately we can't
5897 * query the request_sock as it isn't queued on the parent
5898 * socket until after the SYN-ACK packet is sent; the only
5899 * viable choice is to regenerate the label like we do in
5900 * selinux_inet_conn_request(). See also selinux_ip_output()
5901 * for similar problems. */
5902 u32 skb_sid;
5903 struct sk_security_struct *sksec;
5904
5905 sksec = sk->sk_security;
5906 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5907 return NF_DROP;
5908 /* At this point, if the returned skb peerlbl is SECSID_NULL
5909 * and the packet has been through at least one XFRM
5910 * transformation then we must be dealing with the "final"
5911 * form of labeled IPsec packet; since we've already applied
5912 * all of our access controls on this packet we can safely
5913 * pass the packet. */
5914 if (skb_sid == SECSID_NULL) {
5915 switch (family) {
5916 case PF_INET:
5917 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5918 return NF_ACCEPT;
5919 break;
5920 case PF_INET6:
5921 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5922 return NF_ACCEPT;
5923 break;
5924 default:
5925 return NF_DROP_ERR(-ECONNREFUSED);
5926 }
5927 }
5928 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5929 return NF_DROP;
5930 secmark_perm = PACKET__SEND;
5931 } else {
5932 /* Locally generated packet, fetch the security label from the
5933 * associated socket. */
5934 struct sk_security_struct *sksec = sk->sk_security;
5935 peer_sid = sksec->sid;
5936 secmark_perm = PACKET__SEND;
5937 }
5938
5939 ad.type = LSM_AUDIT_DATA_NET;
5940 ad.u.net = &net;
5941 ad.u.net->netif = ifindex;
5942 ad.u.net->family = family;
5943 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5944 return NF_DROP;
5945
5946 if (secmark_active)
5947 if (avc_has_perm(&selinux_state,
5948 peer_sid, skb->secmark,
5949 SECCLASS_PACKET, secmark_perm, &ad))
5950 return NF_DROP_ERR(-ECONNREFUSED);
5951
5952 if (peerlbl_active) {
5953 u32 if_sid;
5954 u32 node_sid;
5955
5956 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5957 return NF_DROP;
5958 if (avc_has_perm(&selinux_state,
5959 peer_sid, if_sid,
5960 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5961 return NF_DROP_ERR(-ECONNREFUSED);
5962
5963 if (sel_netnode_sid(addrp, family, &node_sid))
5964 return NF_DROP;
5965 if (avc_has_perm(&selinux_state,
5966 peer_sid, node_sid,
5967 SECCLASS_NODE, NODE__SENDTO, &ad))
5968 return NF_DROP_ERR(-ECONNREFUSED);
5969 }
5970
5971 return NF_ACCEPT;
5972 }
5973
selinux_ipv4_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5974 static unsigned int selinux_ipv4_postroute(void *priv,
5975 struct sk_buff *skb,
5976 const struct nf_hook_state *state)
5977 {
5978 return selinux_ip_postroute(skb, state->out, PF_INET);
5979 }
5980
5981 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5982 static unsigned int selinux_ipv6_postroute(void *priv,
5983 struct sk_buff *skb,
5984 const struct nf_hook_state *state)
5985 {
5986 return selinux_ip_postroute(skb, state->out, PF_INET6);
5987 }
5988 #endif /* IPV6 */
5989
5990 #endif /* CONFIG_NETFILTER */
5991
selinux_netlink_send(struct sock * sk,struct sk_buff * skb)5992 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5993 {
5994 return selinux_nlmsg_perm(sk, skb);
5995 }
5996
ipc_alloc_security(struct kern_ipc_perm * perm,u16 sclass)5997 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5998 u16 sclass)
5999 {
6000 struct ipc_security_struct *isec;
6001
6002 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
6003 if (!isec)
6004 return -ENOMEM;
6005
6006 isec->sclass = sclass;
6007 isec->sid = current_sid();
6008 perm->security = isec;
6009
6010 return 0;
6011 }
6012
ipc_free_security(struct kern_ipc_perm * perm)6013 static void ipc_free_security(struct kern_ipc_perm *perm)
6014 {
6015 struct ipc_security_struct *isec = perm->security;
6016 perm->security = NULL;
6017 kfree(isec);
6018 }
6019
msg_msg_alloc_security(struct msg_msg * msg)6020 static int msg_msg_alloc_security(struct msg_msg *msg)
6021 {
6022 struct msg_security_struct *msec;
6023
6024 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
6025 if (!msec)
6026 return -ENOMEM;
6027
6028 msec->sid = SECINITSID_UNLABELED;
6029 msg->security = msec;
6030
6031 return 0;
6032 }
6033
msg_msg_free_security(struct msg_msg * msg)6034 static void msg_msg_free_security(struct msg_msg *msg)
6035 {
6036 struct msg_security_struct *msec = msg->security;
6037
6038 msg->security = NULL;
6039 kfree(msec);
6040 }
6041
ipc_has_perm(struct kern_ipc_perm * ipc_perms,u32 perms)6042 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
6043 u32 perms)
6044 {
6045 struct ipc_security_struct *isec;
6046 struct common_audit_data ad;
6047 u32 sid = current_sid();
6048
6049 isec = ipc_perms->security;
6050
6051 ad.type = LSM_AUDIT_DATA_IPC;
6052 ad.u.ipc_id = ipc_perms->key;
6053
6054 return avc_has_perm(&selinux_state,
6055 sid, isec->sid, isec->sclass, perms, &ad);
6056 }
6057
selinux_msg_msg_alloc_security(struct msg_msg * msg)6058 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6059 {
6060 return msg_msg_alloc_security(msg);
6061 }
6062
selinux_msg_msg_free_security(struct msg_msg * msg)6063 static void selinux_msg_msg_free_security(struct msg_msg *msg)
6064 {
6065 msg_msg_free_security(msg);
6066 }
6067
6068 /* message queue security operations */
selinux_msg_queue_alloc_security(struct kern_ipc_perm * msq)6069 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6070 {
6071 struct ipc_security_struct *isec;
6072 struct common_audit_data ad;
6073 u32 sid = current_sid();
6074 int rc;
6075
6076 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
6077 if (rc)
6078 return rc;
6079
6080 isec = msq->security;
6081
6082 ad.type = LSM_AUDIT_DATA_IPC;
6083 ad.u.ipc_id = msq->key;
6084
6085 rc = avc_has_perm(&selinux_state,
6086 sid, isec->sid, SECCLASS_MSGQ,
6087 MSGQ__CREATE, &ad);
6088 if (rc) {
6089 ipc_free_security(msq);
6090 return rc;
6091 }
6092 return 0;
6093 }
6094
selinux_msg_queue_free_security(struct kern_ipc_perm * msq)6095 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6096 {
6097 ipc_free_security(msq);
6098 }
6099
selinux_msg_queue_associate(struct kern_ipc_perm * msq,int msqflg)6100 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6101 {
6102 struct ipc_security_struct *isec;
6103 struct common_audit_data ad;
6104 u32 sid = current_sid();
6105
6106 isec = msq->security;
6107
6108 ad.type = LSM_AUDIT_DATA_IPC;
6109 ad.u.ipc_id = msq->key;
6110
6111 return avc_has_perm(&selinux_state,
6112 sid, isec->sid, SECCLASS_MSGQ,
6113 MSGQ__ASSOCIATE, &ad);
6114 }
6115
selinux_msg_queue_msgctl(struct kern_ipc_perm * msq,int cmd)6116 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6117 {
6118 int err;
6119 int perms;
6120
6121 switch (cmd) {
6122 case IPC_INFO:
6123 case MSG_INFO:
6124 /* No specific object, just general system-wide information. */
6125 return avc_has_perm(&selinux_state,
6126 current_sid(), SECINITSID_KERNEL,
6127 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6128 case IPC_STAT:
6129 case MSG_STAT:
6130 case MSG_STAT_ANY:
6131 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6132 break;
6133 case IPC_SET:
6134 perms = MSGQ__SETATTR;
6135 break;
6136 case IPC_RMID:
6137 perms = MSGQ__DESTROY;
6138 break;
6139 default:
6140 return 0;
6141 }
6142
6143 err = ipc_has_perm(msq, perms);
6144 return err;
6145 }
6146
selinux_msg_queue_msgsnd(struct kern_ipc_perm * msq,struct msg_msg * msg,int msqflg)6147 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6148 {
6149 struct ipc_security_struct *isec;
6150 struct msg_security_struct *msec;
6151 struct common_audit_data ad;
6152 u32 sid = current_sid();
6153 int rc;
6154
6155 isec = msq->security;
6156 msec = msg->security;
6157
6158 /*
6159 * First time through, need to assign label to the message
6160 */
6161 if (msec->sid == SECINITSID_UNLABELED) {
6162 /*
6163 * Compute new sid based on current process and
6164 * message queue this message will be stored in
6165 */
6166 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6167 SECCLASS_MSG, NULL, &msec->sid);
6168 if (rc)
6169 return rc;
6170 }
6171
6172 ad.type = LSM_AUDIT_DATA_IPC;
6173 ad.u.ipc_id = msq->key;
6174
6175 /* Can this process write to the queue? */
6176 rc = avc_has_perm(&selinux_state,
6177 sid, isec->sid, SECCLASS_MSGQ,
6178 MSGQ__WRITE, &ad);
6179 if (!rc)
6180 /* Can this process send the message */
6181 rc = avc_has_perm(&selinux_state,
6182 sid, msec->sid, SECCLASS_MSG,
6183 MSG__SEND, &ad);
6184 if (!rc)
6185 /* Can the message be put in the queue? */
6186 rc = avc_has_perm(&selinux_state,
6187 msec->sid, isec->sid, SECCLASS_MSGQ,
6188 MSGQ__ENQUEUE, &ad);
6189
6190 return rc;
6191 }
6192
selinux_msg_queue_msgrcv(struct kern_ipc_perm * msq,struct msg_msg * msg,struct task_struct * target,long type,int mode)6193 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6194 struct task_struct *target,
6195 long type, int mode)
6196 {
6197 struct ipc_security_struct *isec;
6198 struct msg_security_struct *msec;
6199 struct common_audit_data ad;
6200 u32 sid = task_sid(target);
6201 int rc;
6202
6203 isec = msq->security;
6204 msec = msg->security;
6205
6206 ad.type = LSM_AUDIT_DATA_IPC;
6207 ad.u.ipc_id = msq->key;
6208
6209 rc = avc_has_perm(&selinux_state,
6210 sid, isec->sid,
6211 SECCLASS_MSGQ, MSGQ__READ, &ad);
6212 if (!rc)
6213 rc = avc_has_perm(&selinux_state,
6214 sid, msec->sid,
6215 SECCLASS_MSG, MSG__RECEIVE, &ad);
6216 return rc;
6217 }
6218
6219 /* Shared Memory security operations */
selinux_shm_alloc_security(struct kern_ipc_perm * shp)6220 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6221 {
6222 struct ipc_security_struct *isec;
6223 struct common_audit_data ad;
6224 u32 sid = current_sid();
6225 int rc;
6226
6227 rc = ipc_alloc_security(shp, SECCLASS_SHM);
6228 if (rc)
6229 return rc;
6230
6231 isec = shp->security;
6232
6233 ad.type = LSM_AUDIT_DATA_IPC;
6234 ad.u.ipc_id = shp->key;
6235
6236 rc = avc_has_perm(&selinux_state,
6237 sid, isec->sid, SECCLASS_SHM,
6238 SHM__CREATE, &ad);
6239 if (rc) {
6240 ipc_free_security(shp);
6241 return rc;
6242 }
6243 return 0;
6244 }
6245
selinux_shm_free_security(struct kern_ipc_perm * shp)6246 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6247 {
6248 ipc_free_security(shp);
6249 }
6250
selinux_shm_associate(struct kern_ipc_perm * shp,int shmflg)6251 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6252 {
6253 struct ipc_security_struct *isec;
6254 struct common_audit_data ad;
6255 u32 sid = current_sid();
6256
6257 isec = shp->security;
6258
6259 ad.type = LSM_AUDIT_DATA_IPC;
6260 ad.u.ipc_id = shp->key;
6261
6262 return avc_has_perm(&selinux_state,
6263 sid, isec->sid, SECCLASS_SHM,
6264 SHM__ASSOCIATE, &ad);
6265 }
6266
6267 /* Note, at this point, shp is locked down */
selinux_shm_shmctl(struct kern_ipc_perm * shp,int cmd)6268 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6269 {
6270 int perms;
6271 int err;
6272
6273 switch (cmd) {
6274 case IPC_INFO:
6275 case SHM_INFO:
6276 /* No specific object, just general system-wide information. */
6277 return avc_has_perm(&selinux_state,
6278 current_sid(), SECINITSID_KERNEL,
6279 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6280 case IPC_STAT:
6281 case SHM_STAT:
6282 case SHM_STAT_ANY:
6283 perms = SHM__GETATTR | SHM__ASSOCIATE;
6284 break;
6285 case IPC_SET:
6286 perms = SHM__SETATTR;
6287 break;
6288 case SHM_LOCK:
6289 case SHM_UNLOCK:
6290 perms = SHM__LOCK;
6291 break;
6292 case IPC_RMID:
6293 perms = SHM__DESTROY;
6294 break;
6295 default:
6296 return 0;
6297 }
6298
6299 err = ipc_has_perm(shp, perms);
6300 return err;
6301 }
6302
selinux_shm_shmat(struct kern_ipc_perm * shp,char __user * shmaddr,int shmflg)6303 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6304 char __user *shmaddr, int shmflg)
6305 {
6306 u32 perms;
6307
6308 if (shmflg & SHM_RDONLY)
6309 perms = SHM__READ;
6310 else
6311 perms = SHM__READ | SHM__WRITE;
6312
6313 return ipc_has_perm(shp, perms);
6314 }
6315
6316 /* Semaphore security operations */
selinux_sem_alloc_security(struct kern_ipc_perm * sma)6317 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6318 {
6319 struct ipc_security_struct *isec;
6320 struct common_audit_data ad;
6321 u32 sid = current_sid();
6322 int rc;
6323
6324 rc = ipc_alloc_security(sma, SECCLASS_SEM);
6325 if (rc)
6326 return rc;
6327
6328 isec = sma->security;
6329
6330 ad.type = LSM_AUDIT_DATA_IPC;
6331 ad.u.ipc_id = sma->key;
6332
6333 rc = avc_has_perm(&selinux_state,
6334 sid, isec->sid, SECCLASS_SEM,
6335 SEM__CREATE, &ad);
6336 if (rc) {
6337 ipc_free_security(sma);
6338 return rc;
6339 }
6340 return 0;
6341 }
6342
selinux_sem_free_security(struct kern_ipc_perm * sma)6343 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6344 {
6345 ipc_free_security(sma);
6346 }
6347
selinux_sem_associate(struct kern_ipc_perm * sma,int semflg)6348 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6349 {
6350 struct ipc_security_struct *isec;
6351 struct common_audit_data ad;
6352 u32 sid = current_sid();
6353
6354 isec = sma->security;
6355
6356 ad.type = LSM_AUDIT_DATA_IPC;
6357 ad.u.ipc_id = sma->key;
6358
6359 return avc_has_perm(&selinux_state,
6360 sid, isec->sid, SECCLASS_SEM,
6361 SEM__ASSOCIATE, &ad);
6362 }
6363
6364 /* Note, at this point, sma is locked down */
selinux_sem_semctl(struct kern_ipc_perm * sma,int cmd)6365 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6366 {
6367 int err;
6368 u32 perms;
6369
6370 switch (cmd) {
6371 case IPC_INFO:
6372 case SEM_INFO:
6373 /* No specific object, just general system-wide information. */
6374 return avc_has_perm(&selinux_state,
6375 current_sid(), SECINITSID_KERNEL,
6376 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6377 case GETPID:
6378 case GETNCNT:
6379 case GETZCNT:
6380 perms = SEM__GETATTR;
6381 break;
6382 case GETVAL:
6383 case GETALL:
6384 perms = SEM__READ;
6385 break;
6386 case SETVAL:
6387 case SETALL:
6388 perms = SEM__WRITE;
6389 break;
6390 case IPC_RMID:
6391 perms = SEM__DESTROY;
6392 break;
6393 case IPC_SET:
6394 perms = SEM__SETATTR;
6395 break;
6396 case IPC_STAT:
6397 case SEM_STAT:
6398 case SEM_STAT_ANY:
6399 perms = SEM__GETATTR | SEM__ASSOCIATE;
6400 break;
6401 default:
6402 return 0;
6403 }
6404
6405 err = ipc_has_perm(sma, perms);
6406 return err;
6407 }
6408
selinux_sem_semop(struct kern_ipc_perm * sma,struct sembuf * sops,unsigned nsops,int alter)6409 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6410 struct sembuf *sops, unsigned nsops, int alter)
6411 {
6412 u32 perms;
6413
6414 if (alter)
6415 perms = SEM__READ | SEM__WRITE;
6416 else
6417 perms = SEM__READ;
6418
6419 return ipc_has_perm(sma, perms);
6420 }
6421
selinux_ipc_permission(struct kern_ipc_perm * ipcp,short flag)6422 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6423 {
6424 u32 av = 0;
6425
6426 av = 0;
6427 if (flag & S_IRUGO)
6428 av |= IPC__UNIX_READ;
6429 if (flag & S_IWUGO)
6430 av |= IPC__UNIX_WRITE;
6431
6432 if (av == 0)
6433 return 0;
6434
6435 return ipc_has_perm(ipcp, av);
6436 }
6437
selinux_ipc_getsecid(struct kern_ipc_perm * ipcp,u32 * secid)6438 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6439 {
6440 struct ipc_security_struct *isec = ipcp->security;
6441 *secid = isec->sid;
6442 }
6443
selinux_d_instantiate(struct dentry * dentry,struct inode * inode)6444 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6445 {
6446 if (inode)
6447 inode_doinit_with_dentry(inode, dentry);
6448 }
6449
selinux_getprocattr(struct task_struct * p,char * name,char ** value)6450 static int selinux_getprocattr(struct task_struct *p,
6451 char *name, char **value)
6452 {
6453 const struct task_security_struct *__tsec;
6454 u32 sid;
6455 int error;
6456 unsigned len;
6457
6458 rcu_read_lock();
6459 __tsec = __task_cred(p)->security;
6460
6461 if (current != p) {
6462 error = avc_has_perm(&selinux_state,
6463 current_sid(), __tsec->sid,
6464 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6465 if (error)
6466 goto bad;
6467 }
6468
6469 if (!strcmp(name, "current"))
6470 sid = __tsec->sid;
6471 else if (!strcmp(name, "prev"))
6472 sid = __tsec->osid;
6473 else if (!strcmp(name, "exec"))
6474 sid = __tsec->exec_sid;
6475 else if (!strcmp(name, "fscreate"))
6476 sid = __tsec->create_sid;
6477 else if (!strcmp(name, "keycreate"))
6478 sid = __tsec->keycreate_sid;
6479 else if (!strcmp(name, "sockcreate"))
6480 sid = __tsec->sockcreate_sid;
6481 else {
6482 error = -EINVAL;
6483 goto bad;
6484 }
6485 rcu_read_unlock();
6486
6487 if (!sid)
6488 return 0;
6489
6490 error = security_sid_to_context(&selinux_state, sid, value, &len);
6491 if (error)
6492 return error;
6493 return len;
6494
6495 bad:
6496 rcu_read_unlock();
6497 return error;
6498 }
6499
selinux_setprocattr(const char * name,void * value,size_t size)6500 static int selinux_setprocattr(const char *name, void *value, size_t size)
6501 {
6502 struct task_security_struct *tsec;
6503 struct cred *new;
6504 u32 mysid = current_sid(), sid = 0, ptsid;
6505 int error;
6506 char *str = value;
6507
6508 /*
6509 * Basic control over ability to set these attributes at all.
6510 */
6511 if (!strcmp(name, "exec"))
6512 error = avc_has_perm(&selinux_state,
6513 mysid, mysid, SECCLASS_PROCESS,
6514 PROCESS__SETEXEC, NULL);
6515 else if (!strcmp(name, "fscreate"))
6516 error = avc_has_perm(&selinux_state,
6517 mysid, mysid, SECCLASS_PROCESS,
6518 PROCESS__SETFSCREATE, NULL);
6519 else if (!strcmp(name, "keycreate"))
6520 error = avc_has_perm(&selinux_state,
6521 mysid, mysid, SECCLASS_PROCESS,
6522 PROCESS__SETKEYCREATE, NULL);
6523 else if (!strcmp(name, "sockcreate"))
6524 error = avc_has_perm(&selinux_state,
6525 mysid, mysid, SECCLASS_PROCESS,
6526 PROCESS__SETSOCKCREATE, NULL);
6527 else if (!strcmp(name, "current"))
6528 error = avc_has_perm(&selinux_state,
6529 mysid, mysid, SECCLASS_PROCESS,
6530 PROCESS__SETCURRENT, NULL);
6531 else
6532 error = -EINVAL;
6533 if (error)
6534 return error;
6535
6536 /* Obtain a SID for the context, if one was specified. */
6537 if (size && str[0] && str[0] != '\n') {
6538 if (str[size-1] == '\n') {
6539 str[size-1] = 0;
6540 size--;
6541 }
6542 error = security_context_to_sid(&selinux_state, value, size,
6543 &sid, GFP_KERNEL);
6544 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6545 if (!has_cap_mac_admin(true)) {
6546 struct audit_buffer *ab;
6547 size_t audit_size;
6548
6549 /* We strip a nul only if it is at the end, otherwise the
6550 * context contains a nul and we should audit that */
6551 if (str[size - 1] == '\0')
6552 audit_size = size - 1;
6553 else
6554 audit_size = size;
6555 ab = audit_log_start(audit_context(),
6556 GFP_ATOMIC,
6557 AUDIT_SELINUX_ERR);
6558 audit_log_format(ab, "op=fscreate invalid_context=");
6559 audit_log_n_untrustedstring(ab, value, audit_size);
6560 audit_log_end(ab);
6561
6562 return error;
6563 }
6564 error = security_context_to_sid_force(
6565 &selinux_state,
6566 value, size, &sid);
6567 }
6568 if (error)
6569 return error;
6570 }
6571
6572 new = prepare_creds();
6573 if (!new)
6574 return -ENOMEM;
6575
6576 /* Permission checking based on the specified context is
6577 performed during the actual operation (execve,
6578 open/mkdir/...), when we know the full context of the
6579 operation. See selinux_bprm_set_creds for the execve
6580 checks and may_create for the file creation checks. The
6581 operation will then fail if the context is not permitted. */
6582 tsec = new->security;
6583 if (!strcmp(name, "exec")) {
6584 tsec->exec_sid = sid;
6585 } else if (!strcmp(name, "fscreate")) {
6586 tsec->create_sid = sid;
6587 } else if (!strcmp(name, "keycreate")) {
6588 if (sid) {
6589 error = avc_has_perm(&selinux_state, mysid, sid,
6590 SECCLASS_KEY, KEY__CREATE, NULL);
6591 if (error)
6592 goto abort_change;
6593 }
6594 tsec->keycreate_sid = sid;
6595 } else if (!strcmp(name, "sockcreate")) {
6596 tsec->sockcreate_sid = sid;
6597 } else if (!strcmp(name, "current")) {
6598 error = -EINVAL;
6599 if (sid == 0)
6600 goto abort_change;
6601
6602 /* Only allow single threaded processes to change context */
6603 error = -EPERM;
6604 if (!current_is_single_threaded()) {
6605 error = security_bounded_transition(&selinux_state,
6606 tsec->sid, sid);
6607 if (error)
6608 goto abort_change;
6609 }
6610
6611 /* Check permissions for the transition. */
6612 error = avc_has_perm(&selinux_state,
6613 tsec->sid, sid, SECCLASS_PROCESS,
6614 PROCESS__DYNTRANSITION, NULL);
6615 if (error)
6616 goto abort_change;
6617
6618 /* Check for ptracing, and update the task SID if ok.
6619 Otherwise, leave SID unchanged and fail. */
6620 ptsid = ptrace_parent_sid();
6621 if (ptsid != 0) {
6622 error = avc_has_perm(&selinux_state,
6623 ptsid, sid, SECCLASS_PROCESS,
6624 PROCESS__PTRACE, NULL);
6625 if (error)
6626 goto abort_change;
6627 }
6628
6629 tsec->sid = sid;
6630 } else {
6631 error = -EINVAL;
6632 goto abort_change;
6633 }
6634
6635 commit_creds(new);
6636 return size;
6637
6638 abort_change:
6639 abort_creds(new);
6640 return error;
6641 }
6642
selinux_ismaclabel(const char * name)6643 static int selinux_ismaclabel(const char *name)
6644 {
6645 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6646 }
6647
selinux_secid_to_secctx(u32 secid,char ** secdata,u32 * seclen)6648 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6649 {
6650 return security_sid_to_context(&selinux_state, secid,
6651 secdata, seclen);
6652 }
6653
selinux_secctx_to_secid(const char * secdata,u32 seclen,u32 * secid)6654 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6655 {
6656 return security_context_to_sid(&selinux_state, secdata, seclen,
6657 secid, GFP_KERNEL);
6658 }
6659
selinux_release_secctx(char * secdata,u32 seclen)6660 static void selinux_release_secctx(char *secdata, u32 seclen)
6661 {
6662 kfree(secdata);
6663 }
6664
selinux_inode_invalidate_secctx(struct inode * inode)6665 static void selinux_inode_invalidate_secctx(struct inode *inode)
6666 {
6667 struct inode_security_struct *isec = inode->i_security;
6668
6669 spin_lock(&isec->lock);
6670 isec->initialized = LABEL_INVALID;
6671 spin_unlock(&isec->lock);
6672 }
6673
6674 /*
6675 * called with inode->i_mutex locked
6676 */
selinux_inode_notifysecctx(struct inode * inode,void * ctx,u32 ctxlen)6677 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6678 {
6679 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6680 ctx, ctxlen, 0);
6681 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6682 return rc == -EOPNOTSUPP ? 0 : rc;
6683 }
6684
6685 /*
6686 * called with inode->i_mutex locked
6687 */
selinux_inode_setsecctx(struct dentry * dentry,void * ctx,u32 ctxlen)6688 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6689 {
6690 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6691 }
6692
selinux_inode_getsecctx(struct inode * inode,void ** ctx,u32 * ctxlen)6693 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6694 {
6695 int len = 0;
6696 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6697 ctx, true);
6698 if (len < 0)
6699 return len;
6700 *ctxlen = len;
6701 return 0;
6702 }
6703 #ifdef CONFIG_KEYS
6704
selinux_key_alloc(struct key * k,const struct cred * cred,unsigned long flags)6705 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6706 unsigned long flags)
6707 {
6708 const struct task_security_struct *tsec;
6709 struct key_security_struct *ksec;
6710
6711 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6712 if (!ksec)
6713 return -ENOMEM;
6714
6715 tsec = cred->security;
6716 if (tsec->keycreate_sid)
6717 ksec->sid = tsec->keycreate_sid;
6718 else
6719 ksec->sid = tsec->sid;
6720
6721 k->security = ksec;
6722 return 0;
6723 }
6724
selinux_key_free(struct key * k)6725 static void selinux_key_free(struct key *k)
6726 {
6727 struct key_security_struct *ksec = k->security;
6728
6729 k->security = NULL;
6730 kfree(ksec);
6731 }
6732
selinux_key_permission(key_ref_t key_ref,const struct cred * cred,unsigned perm)6733 static int selinux_key_permission(key_ref_t key_ref,
6734 const struct cred *cred,
6735 unsigned perm)
6736 {
6737 struct key *key;
6738 struct key_security_struct *ksec;
6739 u32 sid;
6740
6741 /* if no specific permissions are requested, we skip the
6742 permission check. No serious, additional covert channels
6743 appear to be created. */
6744 if (perm == 0)
6745 return 0;
6746
6747 sid = cred_sid(cred);
6748
6749 key = key_ref_to_ptr(key_ref);
6750 ksec = key->security;
6751
6752 return avc_has_perm(&selinux_state,
6753 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6754 }
6755
selinux_key_getsecurity(struct key * key,char ** _buffer)6756 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6757 {
6758 struct key_security_struct *ksec = key->security;
6759 char *context = NULL;
6760 unsigned len;
6761 int rc;
6762
6763 rc = security_sid_to_context(&selinux_state, ksec->sid,
6764 &context, &len);
6765 if (!rc)
6766 rc = len;
6767 *_buffer = context;
6768 return rc;
6769 }
6770 #endif
6771
6772 #ifdef CONFIG_SECURITY_INFINIBAND
selinux_ib_pkey_access(void * ib_sec,u64 subnet_prefix,u16 pkey_val)6773 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6774 {
6775 struct common_audit_data ad;
6776 int err;
6777 u32 sid = 0;
6778 struct ib_security_struct *sec = ib_sec;
6779 struct lsm_ibpkey_audit ibpkey;
6780
6781 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6782 if (err)
6783 return err;
6784
6785 ad.type = LSM_AUDIT_DATA_IBPKEY;
6786 ibpkey.subnet_prefix = subnet_prefix;
6787 ibpkey.pkey = pkey_val;
6788 ad.u.ibpkey = &ibpkey;
6789 return avc_has_perm(&selinux_state,
6790 sec->sid, sid,
6791 SECCLASS_INFINIBAND_PKEY,
6792 INFINIBAND_PKEY__ACCESS, &ad);
6793 }
6794
selinux_ib_endport_manage_subnet(void * ib_sec,const char * dev_name,u8 port_num)6795 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6796 u8 port_num)
6797 {
6798 struct common_audit_data ad;
6799 int err;
6800 u32 sid = 0;
6801 struct ib_security_struct *sec = ib_sec;
6802 struct lsm_ibendport_audit ibendport;
6803
6804 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6805 &sid);
6806
6807 if (err)
6808 return err;
6809
6810 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6811 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6812 ibendport.port = port_num;
6813 ad.u.ibendport = &ibendport;
6814 return avc_has_perm(&selinux_state,
6815 sec->sid, sid,
6816 SECCLASS_INFINIBAND_ENDPORT,
6817 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6818 }
6819
selinux_ib_alloc_security(void ** ib_sec)6820 static int selinux_ib_alloc_security(void **ib_sec)
6821 {
6822 struct ib_security_struct *sec;
6823
6824 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6825 if (!sec)
6826 return -ENOMEM;
6827 sec->sid = current_sid();
6828
6829 *ib_sec = sec;
6830 return 0;
6831 }
6832
selinux_ib_free_security(void * ib_sec)6833 static void selinux_ib_free_security(void *ib_sec)
6834 {
6835 kfree(ib_sec);
6836 }
6837 #endif
6838
6839 #ifdef CONFIG_BPF_SYSCALL
selinux_bpf(int cmd,union bpf_attr * attr,unsigned int size)6840 static int selinux_bpf(int cmd, union bpf_attr *attr,
6841 unsigned int size)
6842 {
6843 u32 sid = current_sid();
6844 int ret;
6845
6846 switch (cmd) {
6847 case BPF_MAP_CREATE:
6848 ret = avc_has_perm(&selinux_state,
6849 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6850 NULL);
6851 break;
6852 case BPF_PROG_LOAD:
6853 ret = avc_has_perm(&selinux_state,
6854 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6855 NULL);
6856 break;
6857 default:
6858 ret = 0;
6859 break;
6860 }
6861
6862 return ret;
6863 }
6864
bpf_map_fmode_to_av(fmode_t fmode)6865 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6866 {
6867 u32 av = 0;
6868
6869 if (fmode & FMODE_READ)
6870 av |= BPF__MAP_READ;
6871 if (fmode & FMODE_WRITE)
6872 av |= BPF__MAP_WRITE;
6873 return av;
6874 }
6875
6876 /* This function will check the file pass through unix socket or binder to see
6877 * if it is a bpf related object. And apply correspinding checks on the bpf
6878 * object based on the type. The bpf maps and programs, not like other files and
6879 * socket, are using a shared anonymous inode inside the kernel as their inode.
6880 * So checking that inode cannot identify if the process have privilege to
6881 * access the bpf object and that's why we have to add this additional check in
6882 * selinux_file_receive and selinux_binder_transfer_files.
6883 */
bpf_fd_pass(struct file * file,u32 sid)6884 static int bpf_fd_pass(struct file *file, u32 sid)
6885 {
6886 struct bpf_security_struct *bpfsec;
6887 struct bpf_prog *prog;
6888 struct bpf_map *map;
6889 int ret;
6890
6891 if (file->f_op == &bpf_map_fops) {
6892 map = file->private_data;
6893 bpfsec = map->security;
6894 ret = avc_has_perm(&selinux_state,
6895 sid, bpfsec->sid, SECCLASS_BPF,
6896 bpf_map_fmode_to_av(file->f_mode), NULL);
6897 if (ret)
6898 return ret;
6899 } else if (file->f_op == &bpf_prog_fops) {
6900 prog = file->private_data;
6901 bpfsec = prog->aux->security;
6902 ret = avc_has_perm(&selinux_state,
6903 sid, bpfsec->sid, SECCLASS_BPF,
6904 BPF__PROG_RUN, NULL);
6905 if (ret)
6906 return ret;
6907 }
6908 return 0;
6909 }
6910
selinux_bpf_map(struct bpf_map * map,fmode_t fmode)6911 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6912 {
6913 u32 sid = current_sid();
6914 struct bpf_security_struct *bpfsec;
6915
6916 bpfsec = map->security;
6917 return avc_has_perm(&selinux_state,
6918 sid, bpfsec->sid, SECCLASS_BPF,
6919 bpf_map_fmode_to_av(fmode), NULL);
6920 }
6921
selinux_bpf_prog(struct bpf_prog * prog)6922 static int selinux_bpf_prog(struct bpf_prog *prog)
6923 {
6924 u32 sid = current_sid();
6925 struct bpf_security_struct *bpfsec;
6926
6927 bpfsec = prog->aux->security;
6928 return avc_has_perm(&selinux_state,
6929 sid, bpfsec->sid, SECCLASS_BPF,
6930 BPF__PROG_RUN, NULL);
6931 }
6932
selinux_bpf_map_alloc(struct bpf_map * map)6933 static int selinux_bpf_map_alloc(struct bpf_map *map)
6934 {
6935 struct bpf_security_struct *bpfsec;
6936
6937 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6938 if (!bpfsec)
6939 return -ENOMEM;
6940
6941 bpfsec->sid = current_sid();
6942 map->security = bpfsec;
6943
6944 return 0;
6945 }
6946
selinux_bpf_map_free(struct bpf_map * map)6947 static void selinux_bpf_map_free(struct bpf_map *map)
6948 {
6949 struct bpf_security_struct *bpfsec = map->security;
6950
6951 map->security = NULL;
6952 kfree(bpfsec);
6953 }
6954
selinux_bpf_prog_alloc(struct bpf_prog_aux * aux)6955 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6956 {
6957 struct bpf_security_struct *bpfsec;
6958
6959 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6960 if (!bpfsec)
6961 return -ENOMEM;
6962
6963 bpfsec->sid = current_sid();
6964 aux->security = bpfsec;
6965
6966 return 0;
6967 }
6968
selinux_bpf_prog_free(struct bpf_prog_aux * aux)6969 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6970 {
6971 struct bpf_security_struct *bpfsec = aux->security;
6972
6973 aux->security = NULL;
6974 kfree(bpfsec);
6975 }
6976 #endif
6977
6978 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6979 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6980 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6981 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6982 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6983
6984 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6985 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6986 LSM_HOOK_INIT(capget, selinux_capget),
6987 LSM_HOOK_INIT(capset, selinux_capset),
6988 LSM_HOOK_INIT(capable, selinux_capable),
6989 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6990 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6991 LSM_HOOK_INIT(syslog, selinux_syslog),
6992 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6993
6994 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6995
6996 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6997 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6998 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6999
7000 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7001 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
7002 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
7003 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7004 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7005 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7006 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7007 LSM_HOOK_INIT(sb_mount, selinux_mount),
7008 LSM_HOOK_INIT(sb_umount, selinux_umount),
7009 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7010 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7011 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
7012
7013 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7014 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7015
7016 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7017 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7018 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7019 LSM_HOOK_INIT(inode_create, selinux_inode_create),
7020 LSM_HOOK_INIT(inode_link, selinux_inode_link),
7021 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7022 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7023 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7024 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7025 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7026 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7027 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7028 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7029 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7030 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7031 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7032 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7033 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7034 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7035 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7036 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7037 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7038 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7039 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7040 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7041 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7042 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7043
7044 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7045 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7046 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
7047 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7048 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7049 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7050 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7051 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7052 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7053 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7054 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7055 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7056
7057 LSM_HOOK_INIT(file_open, selinux_file_open),
7058
7059 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7060 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
7061 LSM_HOOK_INIT(cred_free, selinux_cred_free),
7062 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7063 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7064 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7065 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7066 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7067 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7068 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7069 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7070 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7071 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7072 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7073 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
7074 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7075 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7076 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7077 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7078 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7079 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7080 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7081 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7082 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7083 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7084
7085 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7086 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7087
7088 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7089 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
7090
7091 LSM_HOOK_INIT(msg_queue_alloc_security,
7092 selinux_msg_queue_alloc_security),
7093 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
7094 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7095 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7096 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7097 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7098
7099 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7100 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7101 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7102 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7103 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7104
7105 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7106 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7107 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7108 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7109 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7110
7111 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7112
7113 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7114 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7115
7116 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7117 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7118 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7119 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7120 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7121 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7122 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7123 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7124
7125 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7126 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7127
7128 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7129 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7130 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7131 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7132 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7133 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7134 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7135 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7136 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7137 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7138 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7139 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7140 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7141 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7142 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7143 LSM_HOOK_INIT(socket_getpeersec_stream,
7144 selinux_socket_getpeersec_stream),
7145 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7146 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7147 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7148 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7149 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7150 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7151 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7152 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7153 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7154 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7155 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7156 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7157 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7158 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7159 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7160 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7161 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7162 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7163 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7164 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7165 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7166 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7167 #ifdef CONFIG_SECURITY_INFINIBAND
7168 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7169 LSM_HOOK_INIT(ib_endport_manage_subnet,
7170 selinux_ib_endport_manage_subnet),
7171 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7172 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7173 #endif
7174 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7175 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7176 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7177 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7178 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7179 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7180 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7181 selinux_xfrm_state_alloc_acquire),
7182 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7183 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7184 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7185 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7186 selinux_xfrm_state_pol_flow_match),
7187 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7188 #endif
7189
7190 #ifdef CONFIG_KEYS
7191 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7192 LSM_HOOK_INIT(key_free, selinux_key_free),
7193 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7194 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7195 #endif
7196
7197 #ifdef CONFIG_AUDIT
7198 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7199 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7200 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7201 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7202 #endif
7203
7204 #ifdef CONFIG_BPF_SYSCALL
7205 LSM_HOOK_INIT(bpf, selinux_bpf),
7206 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7207 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7208 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7209 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7210 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7211 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7212 #endif
7213 };
7214
selinux_init(void)7215 static __init int selinux_init(void)
7216 {
7217 if (!security_module_enable("selinux")) {
7218 selinux_enabled = 0;
7219 return 0;
7220 }
7221
7222 if (!selinux_enabled) {
7223 pr_info("SELinux: Disabled at boot.\n");
7224 return 0;
7225 }
7226
7227 pr_info("SELinux: Initializing.\n");
7228
7229 memset(&selinux_state, 0, sizeof(selinux_state));
7230 enforcing_set(&selinux_state, selinux_enforcing_boot);
7231 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7232 selinux_ss_init(&selinux_state.ss);
7233 selinux_avc_init(&selinux_state.avc);
7234
7235 /* Set the security state for the initial task. */
7236 cred_init_security();
7237
7238 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7239
7240 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7241 sizeof(struct inode_security_struct),
7242 0, SLAB_PANIC, NULL);
7243 file_security_cache = kmem_cache_create("selinux_file_security",
7244 sizeof(struct file_security_struct),
7245 0, SLAB_PANIC, NULL);
7246 avc_init();
7247
7248 avtab_cache_init();
7249
7250 ebitmap_cache_init();
7251
7252 hashtab_cache_init();
7253
7254 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7255
7256 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7257 panic("SELinux: Unable to register AVC netcache callback\n");
7258
7259 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7260 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7261
7262 if (selinux_enforcing_boot)
7263 pr_debug("SELinux: Starting in enforcing mode\n");
7264 else
7265 pr_debug("SELinux: Starting in permissive mode\n");
7266
7267 return 0;
7268 }
7269
delayed_superblock_init(struct super_block * sb,void * unused)7270 static void delayed_superblock_init(struct super_block *sb, void *unused)
7271 {
7272 superblock_doinit(sb, NULL);
7273 }
7274
selinux_complete_init(void)7275 void selinux_complete_init(void)
7276 {
7277 pr_debug("SELinux: Completing initialization.\n");
7278
7279 /* Set up any superblocks initialized prior to the policy load. */
7280 pr_debug("SELinux: Setting up existing superblocks.\n");
7281 iterate_supers(delayed_superblock_init, NULL);
7282 }
7283
7284 /* SELinux requires early initialization in order to label
7285 all processes and objects when they are created. */
7286 security_initcall(selinux_init);
7287
7288 #if defined(CONFIG_NETFILTER)
7289
7290 static const struct nf_hook_ops selinux_nf_ops[] = {
7291 {
7292 .hook = selinux_ipv4_postroute,
7293 .pf = NFPROTO_IPV4,
7294 .hooknum = NF_INET_POST_ROUTING,
7295 .priority = NF_IP_PRI_SELINUX_LAST,
7296 },
7297 {
7298 .hook = selinux_ipv4_forward,
7299 .pf = NFPROTO_IPV4,
7300 .hooknum = NF_INET_FORWARD,
7301 .priority = NF_IP_PRI_SELINUX_FIRST,
7302 },
7303 {
7304 .hook = selinux_ipv4_output,
7305 .pf = NFPROTO_IPV4,
7306 .hooknum = NF_INET_LOCAL_OUT,
7307 .priority = NF_IP_PRI_SELINUX_FIRST,
7308 },
7309 #if IS_ENABLED(CONFIG_IPV6)
7310 {
7311 .hook = selinux_ipv6_postroute,
7312 .pf = NFPROTO_IPV6,
7313 .hooknum = NF_INET_POST_ROUTING,
7314 .priority = NF_IP6_PRI_SELINUX_LAST,
7315 },
7316 {
7317 .hook = selinux_ipv6_forward,
7318 .pf = NFPROTO_IPV6,
7319 .hooknum = NF_INET_FORWARD,
7320 .priority = NF_IP6_PRI_SELINUX_FIRST,
7321 },
7322 {
7323 .hook = selinux_ipv6_output,
7324 .pf = NFPROTO_IPV6,
7325 .hooknum = NF_INET_LOCAL_OUT,
7326 .priority = NF_IP6_PRI_SELINUX_FIRST,
7327 },
7328 #endif /* IPV6 */
7329 };
7330
selinux_nf_register(struct net * net)7331 static int __net_init selinux_nf_register(struct net *net)
7332 {
7333 return nf_register_net_hooks(net, selinux_nf_ops,
7334 ARRAY_SIZE(selinux_nf_ops));
7335 }
7336
selinux_nf_unregister(struct net * net)7337 static void __net_exit selinux_nf_unregister(struct net *net)
7338 {
7339 nf_unregister_net_hooks(net, selinux_nf_ops,
7340 ARRAY_SIZE(selinux_nf_ops));
7341 }
7342
7343 static struct pernet_operations selinux_net_ops = {
7344 .init = selinux_nf_register,
7345 .exit = selinux_nf_unregister,
7346 };
7347
selinux_nf_ip_init(void)7348 static int __init selinux_nf_ip_init(void)
7349 {
7350 int err;
7351
7352 if (!selinux_enabled)
7353 return 0;
7354
7355 pr_debug("SELinux: Registering netfilter hooks\n");
7356
7357 err = register_pernet_subsys(&selinux_net_ops);
7358 if (err)
7359 panic("SELinux: register_pernet_subsys: error %d\n", err);
7360
7361 return 0;
7362 }
7363 __initcall(selinux_nf_ip_init);
7364
7365 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_nf_ip_exit(void)7366 static void selinux_nf_ip_exit(void)
7367 {
7368 pr_debug("SELinux: Unregistering netfilter hooks\n");
7369
7370 unregister_pernet_subsys(&selinux_net_ops);
7371 }
7372 #endif
7373
7374 #else /* CONFIG_NETFILTER */
7375
7376 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7377 #define selinux_nf_ip_exit()
7378 #endif
7379
7380 #endif /* CONFIG_NETFILTER */
7381
7382 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_disable(struct selinux_state * state)7383 int selinux_disable(struct selinux_state *state)
7384 {
7385 if (state->initialized) {
7386 /* Not permitted after initial policy load. */
7387 return -EINVAL;
7388 }
7389
7390 if (state->disabled) {
7391 /* Only do this once. */
7392 return -EINVAL;
7393 }
7394
7395 state->disabled = 1;
7396
7397 pr_info("SELinux: Disabled at runtime.\n");
7398
7399 selinux_enabled = 0;
7400
7401 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7402
7403 /* Try to destroy the avc node cache */
7404 avc_disable();
7405
7406 /* Unregister netfilter hooks. */
7407 selinux_nf_ip_exit();
7408
7409 /* Unregister selinuxfs. */
7410 exit_sel_fs();
7411
7412 return 0;
7413 }
7414 #endif
7415