1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * <dgoeddel@trustedcs.com>
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Paul Moore <paul@paul-moore.com>
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * Copyright (C) 2016 Mellanox Technologies
22 */
23
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched/signal.h>
31 #include <linux/sched/task.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/fs_context.h>
50 #include <linux/fs_parser.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/mutex.h>
83 #include <linux/posix-timers.h>
84 #include <linux/syslog.h>
85 #include <linux/user_namespace.h>
86 #include <linux/export.h>
87 #include <linux/msg.h>
88 #include <linux/shm.h>
89 #include <linux/bpf.h>
90 #include <linux/kernfs.h>
91 #include <linux/stringhash.h> /* for hashlen_string() */
92 #include <uapi/linux/mount.h>
93 #include <linux/fsnotify.h>
94 #include <linux/fanotify.h>
95
96 #include "avc.h"
97 #include "objsec.h"
98 #include "netif.h"
99 #include "netnode.h"
100 #include "netport.h"
101 #include "ibpkey.h"
102 #include "xfrm.h"
103 #include "netlabel.h"
104 #include "audit.h"
105 #include "avc_ss.h"
106
107 struct selinux_state selinux_state;
108
109 /* SECMARK reference count */
110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
111
112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
113 static int selinux_enforcing_boot __initdata;
114
enforcing_setup(char * str)115 static int __init enforcing_setup(char *str)
116 {
117 unsigned long enforcing;
118 if (!kstrtoul(str, 0, &enforcing))
119 selinux_enforcing_boot = enforcing ? 1 : 0;
120 return 1;
121 }
122 __setup("enforcing=", enforcing_setup);
123 #else
124 #define selinux_enforcing_boot 1
125 #endif
126
127 int selinux_enabled_boot __initdata = 1;
128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
selinux_enabled_setup(char * str)129 static int __init selinux_enabled_setup(char *str)
130 {
131 unsigned long enabled;
132 if (!kstrtoul(str, 0, &enabled))
133 selinux_enabled_boot = enabled ? 1 : 0;
134 return 1;
135 }
136 __setup("selinux=", selinux_enabled_setup);
137 #endif
138
139 static unsigned int selinux_checkreqprot_boot =
140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141
checkreqprot_setup(char * str)142 static int __init checkreqprot_setup(char *str)
143 {
144 unsigned long checkreqprot;
145
146 if (!kstrtoul(str, 0, &checkreqprot)) {
147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148 if (checkreqprot)
149 pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
150 }
151 return 1;
152 }
153 __setup("checkreqprot=", checkreqprot_setup);
154
155 /**
156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157 *
158 * Description:
159 * This function checks the SECMARK reference counter to see if any SECMARK
160 * targets are currently configured, if the reference counter is greater than
161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
162 * enabled, false (0) if SECMARK is disabled. If the always_check_network
163 * policy capability is enabled, SECMARK is always considered enabled.
164 *
165 */
selinux_secmark_enabled(void)166 static int selinux_secmark_enabled(void)
167 {
168 return (selinux_policycap_alwaysnetwork() ||
169 atomic_read(&selinux_secmark_refcount));
170 }
171
172 /**
173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174 *
175 * Description:
176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
177 * (1) if any are enabled or false (0) if neither are enabled. If the
178 * always_check_network policy capability is enabled, peer labeling
179 * is always considered enabled.
180 *
181 */
selinux_peerlbl_enabled(void)182 static int selinux_peerlbl_enabled(void)
183 {
184 return (selinux_policycap_alwaysnetwork() ||
185 netlbl_enabled() || selinux_xfrm_enabled());
186 }
187
selinux_netcache_avc_callback(u32 event)188 static int selinux_netcache_avc_callback(u32 event)
189 {
190 if (event == AVC_CALLBACK_RESET) {
191 sel_netif_flush();
192 sel_netnode_flush();
193 sel_netport_flush();
194 synchronize_net();
195 }
196 return 0;
197 }
198
selinux_lsm_notifier_avc_callback(u32 event)199 static int selinux_lsm_notifier_avc_callback(u32 event)
200 {
201 if (event == AVC_CALLBACK_RESET) {
202 sel_ib_pkey_flush();
203 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
204 }
205
206 return 0;
207 }
208
209 /*
210 * initialise the security for the init task
211 */
cred_init_security(void)212 static void cred_init_security(void)
213 {
214 struct cred *cred = (struct cred *) current->real_cred;
215 struct task_security_struct *tsec;
216
217 tsec = selinux_cred(cred);
218 tsec->osid = tsec->sid = SECINITSID_KERNEL;
219 }
220
221 /*
222 * get the security ID of a set of credentials
223 */
cred_sid(const struct cred * cred)224 static inline u32 cred_sid(const struct cred *cred)
225 {
226 const struct task_security_struct *tsec;
227
228 tsec = selinux_cred(cred);
229 return tsec->sid;
230 }
231
232 /*
233 * get the objective security ID of a task
234 */
task_sid(const struct task_struct * task)235 static inline u32 task_sid(const struct task_struct *task)
236 {
237 u32 sid;
238
239 rcu_read_lock();
240 sid = cred_sid(__task_cred(task));
241 rcu_read_unlock();
242 return sid;
243 }
244
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247 /*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns -ECHILD when the label is
251 * invalid. The @dentry parameter should be set to a dentry of the inode.
252 */
__inode_security_revalidate(struct inode * inode,struct dentry * dentry,bool may_sleep)253 static int __inode_security_revalidate(struct inode *inode,
254 struct dentry *dentry,
255 bool may_sleep)
256 {
257 struct inode_security_struct *isec = selinux_inode(inode);
258
259 might_sleep_if(may_sleep);
260
261 if (selinux_initialized(&selinux_state) &&
262 isec->initialized != LABEL_INITIALIZED) {
263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
271 inode_doinit_with_dentry(inode, dentry);
272 }
273 return 0;
274 }
275
inode_security_novalidate(struct inode * inode)276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277 {
278 return selinux_inode(inode);
279 }
280
inode_security_rcu(struct inode * inode,bool rcu)281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282 {
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
288 return selinux_inode(inode);
289 }
290
291 /*
292 * Get the security label of an inode.
293 */
inode_security(struct inode * inode)294 static struct inode_security_struct *inode_security(struct inode *inode)
295 {
296 __inode_security_revalidate(inode, NULL, true);
297 return selinux_inode(inode);
298 }
299
backing_inode_security_novalidate(struct dentry * dentry)300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301 {
302 struct inode *inode = d_backing_inode(dentry);
303
304 return selinux_inode(inode);
305 }
306
307 /*
308 * Get the security label of a dentry's backing inode.
309 */
backing_inode_security(struct dentry * dentry)310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311 {
312 struct inode *inode = d_backing_inode(dentry);
313
314 __inode_security_revalidate(inode, dentry, true);
315 return selinux_inode(inode);
316 }
317
inode_free_security(struct inode * inode)318 static void inode_free_security(struct inode *inode)
319 {
320 struct inode_security_struct *isec = selinux_inode(inode);
321 struct superblock_security_struct *sbsec;
322
323 if (!isec)
324 return;
325 sbsec = inode->i_sb->s_security;
326 /*
327 * As not all inode security structures are in a list, we check for
328 * empty list outside of the lock to make sure that we won't waste
329 * time taking a lock doing nothing.
330 *
331 * The list_del_init() function can be safely called more than once.
332 * It should not be possible for this function to be called with
333 * concurrent list_add(), but for better safety against future changes
334 * in the code, we use list_empty_careful() here.
335 */
336 if (!list_empty_careful(&isec->list)) {
337 spin_lock(&sbsec->isec_lock);
338 list_del_init(&isec->list);
339 spin_unlock(&sbsec->isec_lock);
340 }
341 }
342
superblock_free_security(struct super_block * sb)343 static void superblock_free_security(struct super_block *sb)
344 {
345 struct superblock_security_struct *sbsec = sb->s_security;
346 sb->s_security = NULL;
347 kfree(sbsec);
348 }
349
350 struct selinux_mnt_opts {
351 const char *fscontext, *context, *rootcontext, *defcontext;
352 };
353
selinux_free_mnt_opts(void * mnt_opts)354 static void selinux_free_mnt_opts(void *mnt_opts)
355 {
356 struct selinux_mnt_opts *opts = mnt_opts;
357 kfree(opts->fscontext);
358 kfree(opts->context);
359 kfree(opts->rootcontext);
360 kfree(opts->defcontext);
361 kfree(opts);
362 }
363
364 enum {
365 Opt_error = -1,
366 Opt_context = 0,
367 Opt_defcontext = 1,
368 Opt_fscontext = 2,
369 Opt_rootcontext = 3,
370 Opt_seclabel = 4,
371 };
372
373 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
374 static struct {
375 const char *name;
376 int len;
377 int opt;
378 bool has_arg;
379 } tokens[] = {
380 A(context, true),
381 A(fscontext, true),
382 A(defcontext, true),
383 A(rootcontext, true),
384 A(seclabel, false),
385 };
386 #undef A
387
match_opt_prefix(char * s,int l,char ** arg)388 static int match_opt_prefix(char *s, int l, char **arg)
389 {
390 int i;
391
392 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
393 size_t len = tokens[i].len;
394 if (len > l || memcmp(s, tokens[i].name, len))
395 continue;
396 if (tokens[i].has_arg) {
397 if (len == l || s[len] != '=')
398 continue;
399 *arg = s + len + 1;
400 } else if (len != l)
401 continue;
402 return tokens[i].opt;
403 }
404 return Opt_error;
405 }
406
407 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
408
may_context_mount_sb_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)409 static int may_context_mount_sb_relabel(u32 sid,
410 struct superblock_security_struct *sbsec,
411 const struct cred *cred)
412 {
413 const struct task_security_struct *tsec = selinux_cred(cred);
414 int rc;
415
416 rc = avc_has_perm(&selinux_state,
417 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
418 FILESYSTEM__RELABELFROM, NULL);
419 if (rc)
420 return rc;
421
422 rc = avc_has_perm(&selinux_state,
423 tsec->sid, sid, SECCLASS_FILESYSTEM,
424 FILESYSTEM__RELABELTO, NULL);
425 return rc;
426 }
427
may_context_mount_inode_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)428 static int may_context_mount_inode_relabel(u32 sid,
429 struct superblock_security_struct *sbsec,
430 const struct cred *cred)
431 {
432 const struct task_security_struct *tsec = selinux_cred(cred);
433 int rc;
434 rc = avc_has_perm(&selinux_state,
435 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
436 FILESYSTEM__RELABELFROM, NULL);
437 if (rc)
438 return rc;
439
440 rc = avc_has_perm(&selinux_state,
441 sid, sbsec->sid, SECCLASS_FILESYSTEM,
442 FILESYSTEM__ASSOCIATE, NULL);
443 return rc;
444 }
445
selinux_is_genfs_special_handling(struct super_block * sb)446 static int selinux_is_genfs_special_handling(struct super_block *sb)
447 {
448 /* Special handling. Genfs but also in-core setxattr handler */
449 return !strcmp(sb->s_type->name, "sysfs") ||
450 !strcmp(sb->s_type->name, "pstore") ||
451 !strcmp(sb->s_type->name, "debugfs") ||
452 !strcmp(sb->s_type->name, "tracefs") ||
453 !strcmp(sb->s_type->name, "rootfs") ||
454 (selinux_policycap_cgroupseclabel() &&
455 (!strcmp(sb->s_type->name, "cgroup") ||
456 !strcmp(sb->s_type->name, "cgroup2")));
457 }
458
selinux_is_sblabel_mnt(struct super_block * sb)459 static int selinux_is_sblabel_mnt(struct super_block *sb)
460 {
461 struct superblock_security_struct *sbsec = sb->s_security;
462
463 /*
464 * IMPORTANT: Double-check logic in this function when adding a new
465 * SECURITY_FS_USE_* definition!
466 */
467 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
468
469 switch (sbsec->behavior) {
470 case SECURITY_FS_USE_XATTR:
471 case SECURITY_FS_USE_TRANS:
472 case SECURITY_FS_USE_TASK:
473 case SECURITY_FS_USE_NATIVE:
474 return 1;
475
476 case SECURITY_FS_USE_GENFS:
477 return selinux_is_genfs_special_handling(sb);
478
479 /* Never allow relabeling on context mounts */
480 case SECURITY_FS_USE_MNTPOINT:
481 case SECURITY_FS_USE_NONE:
482 default:
483 return 0;
484 }
485 }
486
sb_finish_set_opts(struct super_block * sb)487 static int sb_finish_set_opts(struct super_block *sb)
488 {
489 struct superblock_security_struct *sbsec = sb->s_security;
490 struct dentry *root = sb->s_root;
491 struct inode *root_inode = d_backing_inode(root);
492 int rc = 0;
493
494 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
495 /* Make sure that the xattr handler exists and that no
496 error other than -ENODATA is returned by getxattr on
497 the root directory. -ENODATA is ok, as this may be
498 the first boot of the SELinux kernel before we have
499 assigned xattr values to the filesystem. */
500 if (!(root_inode->i_opflags & IOP_XATTR)) {
501 pr_warn("SELinux: (dev %s, type %s) has no "
502 "xattr support\n", sb->s_id, sb->s_type->name);
503 rc = -EOPNOTSUPP;
504 goto out;
505 }
506
507 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
508 if (rc < 0 && rc != -ENODATA) {
509 if (rc == -EOPNOTSUPP)
510 pr_warn("SELinux: (dev %s, type "
511 "%s) has no security xattr handler\n",
512 sb->s_id, sb->s_type->name);
513 else
514 pr_warn("SELinux: (dev %s, type "
515 "%s) getxattr errno %d\n", sb->s_id,
516 sb->s_type->name, -rc);
517 goto out;
518 }
519 }
520
521 sbsec->flags |= SE_SBINITIALIZED;
522
523 /*
524 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
525 * leave the flag untouched because sb_clone_mnt_opts might be handing
526 * us a superblock that needs the flag to be cleared.
527 */
528 if (selinux_is_sblabel_mnt(sb))
529 sbsec->flags |= SBLABEL_MNT;
530 else
531 sbsec->flags &= ~SBLABEL_MNT;
532
533 /* Initialize the root inode. */
534 rc = inode_doinit_with_dentry(root_inode, root);
535
536 /* Initialize any other inodes associated with the superblock, e.g.
537 inodes created prior to initial policy load or inodes created
538 during get_sb by a pseudo filesystem that directly
539 populates itself. */
540 spin_lock(&sbsec->isec_lock);
541 while (!list_empty(&sbsec->isec_head)) {
542 struct inode_security_struct *isec =
543 list_first_entry(&sbsec->isec_head,
544 struct inode_security_struct, list);
545 struct inode *inode = isec->inode;
546 list_del_init(&isec->list);
547 spin_unlock(&sbsec->isec_lock);
548 inode = igrab(inode);
549 if (inode) {
550 if (!IS_PRIVATE(inode))
551 inode_doinit_with_dentry(inode, NULL);
552 iput(inode);
553 }
554 spin_lock(&sbsec->isec_lock);
555 }
556 spin_unlock(&sbsec->isec_lock);
557 out:
558 return rc;
559 }
560
bad_option(struct superblock_security_struct * sbsec,char flag,u32 old_sid,u32 new_sid)561 static int bad_option(struct superblock_security_struct *sbsec, char flag,
562 u32 old_sid, u32 new_sid)
563 {
564 char mnt_flags = sbsec->flags & SE_MNTMASK;
565
566 /* check if the old mount command had the same options */
567 if (sbsec->flags & SE_SBINITIALIZED)
568 if (!(sbsec->flags & flag) ||
569 (old_sid != new_sid))
570 return 1;
571
572 /* check if we were passed the same options twice,
573 * aka someone passed context=a,context=b
574 */
575 if (!(sbsec->flags & SE_SBINITIALIZED))
576 if (mnt_flags & flag)
577 return 1;
578 return 0;
579 }
580
parse_sid(struct super_block * sb,const char * s,u32 * sid)581 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
582 {
583 int rc = security_context_str_to_sid(&selinux_state, s,
584 sid, GFP_KERNEL);
585 if (rc)
586 pr_warn("SELinux: security_context_str_to_sid"
587 "(%s) failed for (dev %s, type %s) errno=%d\n",
588 s, sb->s_id, sb->s_type->name, rc);
589 return rc;
590 }
591
592 /*
593 * Allow filesystems with binary mount data to explicitly set mount point
594 * labeling information.
595 */
selinux_set_mnt_opts(struct super_block * sb,void * mnt_opts,unsigned long kern_flags,unsigned long * set_kern_flags)596 static int selinux_set_mnt_opts(struct super_block *sb,
597 void *mnt_opts,
598 unsigned long kern_flags,
599 unsigned long *set_kern_flags)
600 {
601 const struct cred *cred = current_cred();
602 struct superblock_security_struct *sbsec = sb->s_security;
603 struct dentry *root = sbsec->sb->s_root;
604 struct selinux_mnt_opts *opts = mnt_opts;
605 struct inode_security_struct *root_isec;
606 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
607 u32 defcontext_sid = 0;
608 int rc = 0;
609
610 mutex_lock(&sbsec->lock);
611
612 if (!selinux_initialized(&selinux_state)) {
613 if (!opts) {
614 /* Defer initialization until selinux_complete_init,
615 after the initial policy is loaded and the security
616 server is ready to handle calls. */
617 goto out;
618 }
619 rc = -EINVAL;
620 pr_warn("SELinux: Unable to set superblock options "
621 "before the security server is initialized\n");
622 goto out;
623 }
624 if (kern_flags && !set_kern_flags) {
625 /* Specifying internal flags without providing a place to
626 * place the results is not allowed */
627 rc = -EINVAL;
628 goto out;
629 }
630
631 /*
632 * Binary mount data FS will come through this function twice. Once
633 * from an explicit call and once from the generic calls from the vfs.
634 * Since the generic VFS calls will not contain any security mount data
635 * we need to skip the double mount verification.
636 *
637 * This does open a hole in which we will not notice if the first
638 * mount using this sb set explict options and a second mount using
639 * this sb does not set any security options. (The first options
640 * will be used for both mounts)
641 */
642 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
643 && !opts)
644 goto out;
645
646 root_isec = backing_inode_security_novalidate(root);
647
648 /*
649 * parse the mount options, check if they are valid sids.
650 * also check if someone is trying to mount the same sb more
651 * than once with different security options.
652 */
653 if (opts) {
654 if (opts->fscontext) {
655 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
656 if (rc)
657 goto out;
658 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
659 fscontext_sid))
660 goto out_double_mount;
661 sbsec->flags |= FSCONTEXT_MNT;
662 }
663 if (opts->context) {
664 rc = parse_sid(sb, opts->context, &context_sid);
665 if (rc)
666 goto out;
667 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
668 context_sid))
669 goto out_double_mount;
670 sbsec->flags |= CONTEXT_MNT;
671 }
672 if (opts->rootcontext) {
673 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
674 if (rc)
675 goto out;
676 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
677 rootcontext_sid))
678 goto out_double_mount;
679 sbsec->flags |= ROOTCONTEXT_MNT;
680 }
681 if (opts->defcontext) {
682 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
683 if (rc)
684 goto out;
685 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
686 defcontext_sid))
687 goto out_double_mount;
688 sbsec->flags |= DEFCONTEXT_MNT;
689 }
690 }
691
692 if (sbsec->flags & SE_SBINITIALIZED) {
693 /* previously mounted with options, but not on this attempt? */
694 if ((sbsec->flags & SE_MNTMASK) && !opts)
695 goto out_double_mount;
696 rc = 0;
697 goto out;
698 }
699
700 if (strcmp(sb->s_type->name, "proc") == 0)
701 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
702
703 if (!strcmp(sb->s_type->name, "debugfs") ||
704 !strcmp(sb->s_type->name, "tracefs") ||
705 !strcmp(sb->s_type->name, "binder") ||
706 !strcmp(sb->s_type->name, "bpf") ||
707 !strcmp(sb->s_type->name, "pstore"))
708 sbsec->flags |= SE_SBGENFS;
709
710 if (!strcmp(sb->s_type->name, "sysfs") ||
711 !strcmp(sb->s_type->name, "cgroup") ||
712 !strcmp(sb->s_type->name, "cgroup2"))
713 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
714
715 if (!sbsec->behavior) {
716 /*
717 * Determine the labeling behavior to use for this
718 * filesystem type.
719 */
720 rc = security_fs_use(&selinux_state, sb);
721 if (rc) {
722 pr_warn("%s: security_fs_use(%s) returned %d\n",
723 __func__, sb->s_type->name, rc);
724 goto out;
725 }
726 }
727
728 /*
729 * If this is a user namespace mount and the filesystem type is not
730 * explicitly whitelisted, then no contexts are allowed on the command
731 * line and security labels must be ignored.
732 */
733 if (sb->s_user_ns != &init_user_ns &&
734 strcmp(sb->s_type->name, "tmpfs") &&
735 strcmp(sb->s_type->name, "ramfs") &&
736 strcmp(sb->s_type->name, "devpts")) {
737 if (context_sid || fscontext_sid || rootcontext_sid ||
738 defcontext_sid) {
739 rc = -EACCES;
740 goto out;
741 }
742 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
743 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
744 rc = security_transition_sid(&selinux_state,
745 current_sid(),
746 current_sid(),
747 SECCLASS_FILE, NULL,
748 &sbsec->mntpoint_sid);
749 if (rc)
750 goto out;
751 }
752 goto out_set_opts;
753 }
754
755 /* sets the context of the superblock for the fs being mounted. */
756 if (fscontext_sid) {
757 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
758 if (rc)
759 goto out;
760
761 sbsec->sid = fscontext_sid;
762 }
763
764 /*
765 * Switch to using mount point labeling behavior.
766 * sets the label used on all file below the mountpoint, and will set
767 * the superblock context if not already set.
768 */
769 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
770 sbsec->behavior = SECURITY_FS_USE_NATIVE;
771 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
772 }
773
774 if (context_sid) {
775 if (!fscontext_sid) {
776 rc = may_context_mount_sb_relabel(context_sid, sbsec,
777 cred);
778 if (rc)
779 goto out;
780 sbsec->sid = context_sid;
781 } else {
782 rc = may_context_mount_inode_relabel(context_sid, sbsec,
783 cred);
784 if (rc)
785 goto out;
786 }
787 if (!rootcontext_sid)
788 rootcontext_sid = context_sid;
789
790 sbsec->mntpoint_sid = context_sid;
791 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
792 }
793
794 if (rootcontext_sid) {
795 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
796 cred);
797 if (rc)
798 goto out;
799
800 root_isec->sid = rootcontext_sid;
801 root_isec->initialized = LABEL_INITIALIZED;
802 }
803
804 if (defcontext_sid) {
805 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
806 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
807 rc = -EINVAL;
808 pr_warn("SELinux: defcontext option is "
809 "invalid for this filesystem type\n");
810 goto out;
811 }
812
813 if (defcontext_sid != sbsec->def_sid) {
814 rc = may_context_mount_inode_relabel(defcontext_sid,
815 sbsec, cred);
816 if (rc)
817 goto out;
818 }
819
820 sbsec->def_sid = defcontext_sid;
821 }
822
823 out_set_opts:
824 rc = sb_finish_set_opts(sb);
825 out:
826 mutex_unlock(&sbsec->lock);
827 return rc;
828 out_double_mount:
829 rc = -EINVAL;
830 pr_warn("SELinux: mount invalid. Same superblock, different "
831 "security settings for (dev %s, type %s)\n", sb->s_id,
832 sb->s_type->name);
833 goto out;
834 }
835
selinux_cmp_sb_context(const struct super_block * oldsb,const struct super_block * newsb)836 static int selinux_cmp_sb_context(const struct super_block *oldsb,
837 const struct super_block *newsb)
838 {
839 struct superblock_security_struct *old = oldsb->s_security;
840 struct superblock_security_struct *new = newsb->s_security;
841 char oldflags = old->flags & SE_MNTMASK;
842 char newflags = new->flags & SE_MNTMASK;
843
844 if (oldflags != newflags)
845 goto mismatch;
846 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
847 goto mismatch;
848 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
849 goto mismatch;
850 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
851 goto mismatch;
852 if (oldflags & ROOTCONTEXT_MNT) {
853 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
854 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
855 if (oldroot->sid != newroot->sid)
856 goto mismatch;
857 }
858 return 0;
859 mismatch:
860 pr_warn("SELinux: mount invalid. Same superblock, "
861 "different security settings for (dev %s, "
862 "type %s)\n", newsb->s_id, newsb->s_type->name);
863 return -EBUSY;
864 }
865
selinux_sb_clone_mnt_opts(const struct super_block * oldsb,struct super_block * newsb,unsigned long kern_flags,unsigned long * set_kern_flags)866 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
867 struct super_block *newsb,
868 unsigned long kern_flags,
869 unsigned long *set_kern_flags)
870 {
871 int rc = 0;
872 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
873 struct superblock_security_struct *newsbsec = newsb->s_security;
874
875 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
876 int set_context = (oldsbsec->flags & CONTEXT_MNT);
877 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
878
879 /*
880 * if the parent was able to be mounted it clearly had no special lsm
881 * mount options. thus we can safely deal with this superblock later
882 */
883 if (!selinux_initialized(&selinux_state))
884 return 0;
885
886 /*
887 * Specifying internal flags without providing a place to
888 * place the results is not allowed.
889 */
890 if (kern_flags && !set_kern_flags)
891 return -EINVAL;
892
893 /* how can we clone if the old one wasn't set up?? */
894 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
895
896 /* if fs is reusing a sb, make sure that the contexts match */
897 if (newsbsec->flags & SE_SBINITIALIZED) {
898 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
899 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
900 return selinux_cmp_sb_context(oldsb, newsb);
901 }
902
903 mutex_lock(&newsbsec->lock);
904
905 newsbsec->flags = oldsbsec->flags;
906
907 newsbsec->sid = oldsbsec->sid;
908 newsbsec->def_sid = oldsbsec->def_sid;
909 newsbsec->behavior = oldsbsec->behavior;
910
911 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
912 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
913 rc = security_fs_use(&selinux_state, newsb);
914 if (rc)
915 goto out;
916 }
917
918 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
919 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
920 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
921 }
922
923 if (set_context) {
924 u32 sid = oldsbsec->mntpoint_sid;
925
926 if (!set_fscontext)
927 newsbsec->sid = sid;
928 if (!set_rootcontext) {
929 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
930 newisec->sid = sid;
931 }
932 newsbsec->mntpoint_sid = sid;
933 }
934 if (set_rootcontext) {
935 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
936 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
937
938 newisec->sid = oldisec->sid;
939 }
940
941 sb_finish_set_opts(newsb);
942 out:
943 mutex_unlock(&newsbsec->lock);
944 return rc;
945 }
946
selinux_add_opt(int token,const char * s,void ** mnt_opts)947 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
948 {
949 struct selinux_mnt_opts *opts = *mnt_opts;
950 bool is_alloc_opts = false;
951
952 if (token == Opt_seclabel) /* eaten and completely ignored */
953 return 0;
954
955 if (!s)
956 return -ENOMEM;
957
958 if (!opts) {
959 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
960 if (!opts)
961 return -ENOMEM;
962 *mnt_opts = opts;
963 is_alloc_opts = true;
964 }
965
966 switch (token) {
967 case Opt_context:
968 if (opts->context || opts->defcontext)
969 goto Einval;
970 opts->context = s;
971 break;
972 case Opt_fscontext:
973 if (opts->fscontext)
974 goto Einval;
975 opts->fscontext = s;
976 break;
977 case Opt_rootcontext:
978 if (opts->rootcontext)
979 goto Einval;
980 opts->rootcontext = s;
981 break;
982 case Opt_defcontext:
983 if (opts->context || opts->defcontext)
984 goto Einval;
985 opts->defcontext = s;
986 break;
987 }
988 return 0;
989 Einval:
990 if (is_alloc_opts) {
991 kfree(opts);
992 *mnt_opts = NULL;
993 }
994 pr_warn(SEL_MOUNT_FAIL_MSG);
995 return -EINVAL;
996 }
997
selinux_add_mnt_opt(const char * option,const char * val,int len,void ** mnt_opts)998 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
999 void **mnt_opts)
1000 {
1001 int token = Opt_error;
1002 int rc, i;
1003
1004 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1005 if (strcmp(option, tokens[i].name) == 0) {
1006 token = tokens[i].opt;
1007 break;
1008 }
1009 }
1010
1011 if (token == Opt_error)
1012 return -EINVAL;
1013
1014 if (token != Opt_seclabel) {
1015 val = kmemdup_nul(val, len, GFP_KERNEL);
1016 if (!val) {
1017 rc = -ENOMEM;
1018 goto free_opt;
1019 }
1020 }
1021 rc = selinux_add_opt(token, val, mnt_opts);
1022 if (unlikely(rc)) {
1023 kfree(val);
1024 goto free_opt;
1025 }
1026 return rc;
1027
1028 free_opt:
1029 if (*mnt_opts) {
1030 selinux_free_mnt_opts(*mnt_opts);
1031 *mnt_opts = NULL;
1032 }
1033 return rc;
1034 }
1035
show_sid(struct seq_file * m,u32 sid)1036 static int show_sid(struct seq_file *m, u32 sid)
1037 {
1038 char *context = NULL;
1039 u32 len;
1040 int rc;
1041
1042 rc = security_sid_to_context(&selinux_state, sid,
1043 &context, &len);
1044 if (!rc) {
1045 bool has_comma = context && strchr(context, ',');
1046
1047 seq_putc(m, '=');
1048 if (has_comma)
1049 seq_putc(m, '\"');
1050 seq_escape(m, context, "\"\n\\");
1051 if (has_comma)
1052 seq_putc(m, '\"');
1053 }
1054 kfree(context);
1055 return rc;
1056 }
1057
selinux_sb_show_options(struct seq_file * m,struct super_block * sb)1058 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1059 {
1060 struct superblock_security_struct *sbsec = sb->s_security;
1061 int rc;
1062
1063 if (!(sbsec->flags & SE_SBINITIALIZED))
1064 return 0;
1065
1066 if (!selinux_initialized(&selinux_state))
1067 return 0;
1068
1069 if (sbsec->flags & FSCONTEXT_MNT) {
1070 seq_putc(m, ',');
1071 seq_puts(m, FSCONTEXT_STR);
1072 rc = show_sid(m, sbsec->sid);
1073 if (rc)
1074 return rc;
1075 }
1076 if (sbsec->flags & CONTEXT_MNT) {
1077 seq_putc(m, ',');
1078 seq_puts(m, CONTEXT_STR);
1079 rc = show_sid(m, sbsec->mntpoint_sid);
1080 if (rc)
1081 return rc;
1082 }
1083 if (sbsec->flags & DEFCONTEXT_MNT) {
1084 seq_putc(m, ',');
1085 seq_puts(m, DEFCONTEXT_STR);
1086 rc = show_sid(m, sbsec->def_sid);
1087 if (rc)
1088 return rc;
1089 }
1090 if (sbsec->flags & ROOTCONTEXT_MNT) {
1091 struct dentry *root = sbsec->sb->s_root;
1092 struct inode_security_struct *isec = backing_inode_security(root);
1093 seq_putc(m, ',');
1094 seq_puts(m, ROOTCONTEXT_STR);
1095 rc = show_sid(m, isec->sid);
1096 if (rc)
1097 return rc;
1098 }
1099 if (sbsec->flags & SBLABEL_MNT) {
1100 seq_putc(m, ',');
1101 seq_puts(m, SECLABEL_STR);
1102 }
1103 return 0;
1104 }
1105
inode_mode_to_security_class(umode_t mode)1106 static inline u16 inode_mode_to_security_class(umode_t mode)
1107 {
1108 switch (mode & S_IFMT) {
1109 case S_IFSOCK:
1110 return SECCLASS_SOCK_FILE;
1111 case S_IFLNK:
1112 return SECCLASS_LNK_FILE;
1113 case S_IFREG:
1114 return SECCLASS_FILE;
1115 case S_IFBLK:
1116 return SECCLASS_BLK_FILE;
1117 case S_IFDIR:
1118 return SECCLASS_DIR;
1119 case S_IFCHR:
1120 return SECCLASS_CHR_FILE;
1121 case S_IFIFO:
1122 return SECCLASS_FIFO_FILE;
1123
1124 }
1125
1126 return SECCLASS_FILE;
1127 }
1128
default_protocol_stream(int protocol)1129 static inline int default_protocol_stream(int protocol)
1130 {
1131 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1132 }
1133
default_protocol_dgram(int protocol)1134 static inline int default_protocol_dgram(int protocol)
1135 {
1136 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1137 }
1138
socket_type_to_security_class(int family,int type,int protocol)1139 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1140 {
1141 int extsockclass = selinux_policycap_extsockclass();
1142
1143 switch (family) {
1144 case PF_UNIX:
1145 switch (type) {
1146 case SOCK_STREAM:
1147 case SOCK_SEQPACKET:
1148 return SECCLASS_UNIX_STREAM_SOCKET;
1149 case SOCK_DGRAM:
1150 case SOCK_RAW:
1151 return SECCLASS_UNIX_DGRAM_SOCKET;
1152 }
1153 break;
1154 case PF_INET:
1155 case PF_INET6:
1156 switch (type) {
1157 case SOCK_STREAM:
1158 case SOCK_SEQPACKET:
1159 if (default_protocol_stream(protocol))
1160 return SECCLASS_TCP_SOCKET;
1161 else if (extsockclass && protocol == IPPROTO_SCTP)
1162 return SECCLASS_SCTP_SOCKET;
1163 else
1164 return SECCLASS_RAWIP_SOCKET;
1165 case SOCK_DGRAM:
1166 if (default_protocol_dgram(protocol))
1167 return SECCLASS_UDP_SOCKET;
1168 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1169 protocol == IPPROTO_ICMPV6))
1170 return SECCLASS_ICMP_SOCKET;
1171 else
1172 return SECCLASS_RAWIP_SOCKET;
1173 case SOCK_DCCP:
1174 return SECCLASS_DCCP_SOCKET;
1175 default:
1176 return SECCLASS_RAWIP_SOCKET;
1177 }
1178 break;
1179 case PF_NETLINK:
1180 switch (protocol) {
1181 case NETLINK_ROUTE:
1182 return SECCLASS_NETLINK_ROUTE_SOCKET;
1183 case NETLINK_SOCK_DIAG:
1184 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1185 case NETLINK_NFLOG:
1186 return SECCLASS_NETLINK_NFLOG_SOCKET;
1187 case NETLINK_XFRM:
1188 return SECCLASS_NETLINK_XFRM_SOCKET;
1189 case NETLINK_SELINUX:
1190 return SECCLASS_NETLINK_SELINUX_SOCKET;
1191 case NETLINK_ISCSI:
1192 return SECCLASS_NETLINK_ISCSI_SOCKET;
1193 case NETLINK_AUDIT:
1194 return SECCLASS_NETLINK_AUDIT_SOCKET;
1195 case NETLINK_FIB_LOOKUP:
1196 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1197 case NETLINK_CONNECTOR:
1198 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1199 case NETLINK_NETFILTER:
1200 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1201 case NETLINK_DNRTMSG:
1202 return SECCLASS_NETLINK_DNRT_SOCKET;
1203 case NETLINK_KOBJECT_UEVENT:
1204 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1205 case NETLINK_GENERIC:
1206 return SECCLASS_NETLINK_GENERIC_SOCKET;
1207 case NETLINK_SCSITRANSPORT:
1208 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1209 case NETLINK_RDMA:
1210 return SECCLASS_NETLINK_RDMA_SOCKET;
1211 case NETLINK_CRYPTO:
1212 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1213 default:
1214 return SECCLASS_NETLINK_SOCKET;
1215 }
1216 case PF_PACKET:
1217 return SECCLASS_PACKET_SOCKET;
1218 case PF_KEY:
1219 return SECCLASS_KEY_SOCKET;
1220 case PF_APPLETALK:
1221 return SECCLASS_APPLETALK_SOCKET;
1222 }
1223
1224 if (extsockclass) {
1225 switch (family) {
1226 case PF_AX25:
1227 return SECCLASS_AX25_SOCKET;
1228 case PF_IPX:
1229 return SECCLASS_IPX_SOCKET;
1230 case PF_NETROM:
1231 return SECCLASS_NETROM_SOCKET;
1232 case PF_ATMPVC:
1233 return SECCLASS_ATMPVC_SOCKET;
1234 case PF_X25:
1235 return SECCLASS_X25_SOCKET;
1236 case PF_ROSE:
1237 return SECCLASS_ROSE_SOCKET;
1238 case PF_DECnet:
1239 return SECCLASS_DECNET_SOCKET;
1240 case PF_ATMSVC:
1241 return SECCLASS_ATMSVC_SOCKET;
1242 case PF_RDS:
1243 return SECCLASS_RDS_SOCKET;
1244 case PF_IRDA:
1245 return SECCLASS_IRDA_SOCKET;
1246 case PF_PPPOX:
1247 return SECCLASS_PPPOX_SOCKET;
1248 case PF_LLC:
1249 return SECCLASS_LLC_SOCKET;
1250 case PF_CAN:
1251 return SECCLASS_CAN_SOCKET;
1252 case PF_TIPC:
1253 return SECCLASS_TIPC_SOCKET;
1254 case PF_BLUETOOTH:
1255 return SECCLASS_BLUETOOTH_SOCKET;
1256 case PF_IUCV:
1257 return SECCLASS_IUCV_SOCKET;
1258 case PF_RXRPC:
1259 return SECCLASS_RXRPC_SOCKET;
1260 case PF_ISDN:
1261 return SECCLASS_ISDN_SOCKET;
1262 case PF_PHONET:
1263 return SECCLASS_PHONET_SOCKET;
1264 case PF_IEEE802154:
1265 return SECCLASS_IEEE802154_SOCKET;
1266 case PF_CAIF:
1267 return SECCLASS_CAIF_SOCKET;
1268 case PF_ALG:
1269 return SECCLASS_ALG_SOCKET;
1270 case PF_NFC:
1271 return SECCLASS_NFC_SOCKET;
1272 case PF_VSOCK:
1273 return SECCLASS_VSOCK_SOCKET;
1274 case PF_KCM:
1275 return SECCLASS_KCM_SOCKET;
1276 case PF_QIPCRTR:
1277 return SECCLASS_QIPCRTR_SOCKET;
1278 case PF_SMC:
1279 return SECCLASS_SMC_SOCKET;
1280 case PF_XDP:
1281 return SECCLASS_XDP_SOCKET;
1282 #if PF_MAX > 46
1283 #error New address family defined, please update this function.
1284 #endif
1285 }
1286 }
1287
1288 return SECCLASS_SOCKET;
1289 }
1290
selinux_genfs_get_sid(struct dentry * dentry,u16 tclass,u16 flags,u32 * sid)1291 static int selinux_genfs_get_sid(struct dentry *dentry,
1292 u16 tclass,
1293 u16 flags,
1294 u32 *sid)
1295 {
1296 int rc;
1297 struct super_block *sb = dentry->d_sb;
1298 char *buffer, *path;
1299
1300 buffer = (char *)__get_free_page(GFP_KERNEL);
1301 if (!buffer)
1302 return -ENOMEM;
1303
1304 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1305 if (IS_ERR(path))
1306 rc = PTR_ERR(path);
1307 else {
1308 if (flags & SE_SBPROC) {
1309 /* each process gets a /proc/PID/ entry. Strip off the
1310 * PID part to get a valid selinux labeling.
1311 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1312 while (path[1] >= '0' && path[1] <= '9') {
1313 path[1] = '/';
1314 path++;
1315 }
1316 }
1317 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1318 path, tclass, sid);
1319 if (rc == -ENOENT) {
1320 /* No match in policy, mark as unlabeled. */
1321 *sid = SECINITSID_UNLABELED;
1322 rc = 0;
1323 }
1324 }
1325 free_page((unsigned long)buffer);
1326 return rc;
1327 }
1328
inode_doinit_use_xattr(struct inode * inode,struct dentry * dentry,u32 def_sid,u32 * sid)1329 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1330 u32 def_sid, u32 *sid)
1331 {
1332 #define INITCONTEXTLEN 255
1333 char *context;
1334 unsigned int len;
1335 int rc;
1336
1337 len = INITCONTEXTLEN;
1338 context = kmalloc(len + 1, GFP_NOFS);
1339 if (!context)
1340 return -ENOMEM;
1341
1342 context[len] = '\0';
1343 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1344 if (rc == -ERANGE) {
1345 kfree(context);
1346
1347 /* Need a larger buffer. Query for the right size. */
1348 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1349 if (rc < 0)
1350 return rc;
1351
1352 len = rc;
1353 context = kmalloc(len + 1, GFP_NOFS);
1354 if (!context)
1355 return -ENOMEM;
1356
1357 context[len] = '\0';
1358 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1359 context, len);
1360 }
1361 if (rc < 0) {
1362 kfree(context);
1363 if (rc != -ENODATA) {
1364 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1365 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1366 return rc;
1367 }
1368 *sid = def_sid;
1369 return 0;
1370 }
1371
1372 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1373 def_sid, GFP_NOFS);
1374 if (rc) {
1375 char *dev = inode->i_sb->s_id;
1376 unsigned long ino = inode->i_ino;
1377
1378 if (rc == -EINVAL) {
1379 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1380 ino, dev, context);
1381 } else {
1382 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1383 __func__, context, -rc, dev, ino);
1384 }
1385 }
1386 kfree(context);
1387 return 0;
1388 }
1389
1390 /* The inode's security attributes must be initialized before first use. */
inode_doinit_with_dentry(struct inode * inode,struct dentry * opt_dentry)1391 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1392 {
1393 struct superblock_security_struct *sbsec = NULL;
1394 struct inode_security_struct *isec = selinux_inode(inode);
1395 u32 task_sid, sid = 0;
1396 u16 sclass;
1397 struct dentry *dentry;
1398 int rc = 0;
1399
1400 if (isec->initialized == LABEL_INITIALIZED)
1401 return 0;
1402
1403 spin_lock(&isec->lock);
1404 if (isec->initialized == LABEL_INITIALIZED)
1405 goto out_unlock;
1406
1407 if (isec->sclass == SECCLASS_FILE)
1408 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1409
1410 sbsec = inode->i_sb->s_security;
1411 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1412 /* Defer initialization until selinux_complete_init,
1413 after the initial policy is loaded and the security
1414 server is ready to handle calls. */
1415 spin_lock(&sbsec->isec_lock);
1416 if (list_empty(&isec->list))
1417 list_add(&isec->list, &sbsec->isec_head);
1418 spin_unlock(&sbsec->isec_lock);
1419 goto out_unlock;
1420 }
1421
1422 sclass = isec->sclass;
1423 task_sid = isec->task_sid;
1424 sid = isec->sid;
1425 isec->initialized = LABEL_PENDING;
1426 spin_unlock(&isec->lock);
1427
1428 switch (sbsec->behavior) {
1429 case SECURITY_FS_USE_NATIVE:
1430 break;
1431 case SECURITY_FS_USE_XATTR:
1432 if (!(inode->i_opflags & IOP_XATTR)) {
1433 sid = sbsec->def_sid;
1434 break;
1435 }
1436 /* Need a dentry, since the xattr API requires one.
1437 Life would be simpler if we could just pass the inode. */
1438 if (opt_dentry) {
1439 /* Called from d_instantiate or d_splice_alias. */
1440 dentry = dget(opt_dentry);
1441 } else {
1442 /*
1443 * Called from selinux_complete_init, try to find a dentry.
1444 * Some filesystems really want a connected one, so try
1445 * that first. We could split SECURITY_FS_USE_XATTR in
1446 * two, depending upon that...
1447 */
1448 dentry = d_find_alias(inode);
1449 if (!dentry)
1450 dentry = d_find_any_alias(inode);
1451 }
1452 if (!dentry) {
1453 /*
1454 * this is can be hit on boot when a file is accessed
1455 * before the policy is loaded. When we load policy we
1456 * may find inodes that have no dentry on the
1457 * sbsec->isec_head list. No reason to complain as these
1458 * will get fixed up the next time we go through
1459 * inode_doinit with a dentry, before these inodes could
1460 * be used again by userspace.
1461 */
1462 goto out_invalid;
1463 }
1464
1465 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1466 &sid);
1467 dput(dentry);
1468 if (rc)
1469 goto out;
1470 break;
1471 case SECURITY_FS_USE_TASK:
1472 sid = task_sid;
1473 break;
1474 case SECURITY_FS_USE_TRANS:
1475 /* Default to the fs SID. */
1476 sid = sbsec->sid;
1477
1478 /* Try to obtain a transition SID. */
1479 rc = security_transition_sid(&selinux_state, task_sid, sid,
1480 sclass, NULL, &sid);
1481 if (rc)
1482 goto out;
1483 break;
1484 case SECURITY_FS_USE_MNTPOINT:
1485 sid = sbsec->mntpoint_sid;
1486 break;
1487 default:
1488 /* Default to the fs superblock SID. */
1489 sid = sbsec->sid;
1490
1491 if ((sbsec->flags & SE_SBGENFS) &&
1492 (!S_ISLNK(inode->i_mode) ||
1493 selinux_policycap_genfs_seclabel_symlinks())) {
1494 /* We must have a dentry to determine the label on
1495 * procfs inodes */
1496 if (opt_dentry) {
1497 /* Called from d_instantiate or
1498 * d_splice_alias. */
1499 dentry = dget(opt_dentry);
1500 } else {
1501 /* Called from selinux_complete_init, try to
1502 * find a dentry. Some filesystems really want
1503 * a connected one, so try that first.
1504 */
1505 dentry = d_find_alias(inode);
1506 if (!dentry)
1507 dentry = d_find_any_alias(inode);
1508 }
1509 /*
1510 * This can be hit on boot when a file is accessed
1511 * before the policy is loaded. When we load policy we
1512 * may find inodes that have no dentry on the
1513 * sbsec->isec_head list. No reason to complain as
1514 * these will get fixed up the next time we go through
1515 * inode_doinit() with a dentry, before these inodes
1516 * could be used again by userspace.
1517 */
1518 if (!dentry)
1519 goto out_invalid;
1520 rc = selinux_genfs_get_sid(dentry, sclass,
1521 sbsec->flags, &sid);
1522 if (rc) {
1523 dput(dentry);
1524 goto out;
1525 }
1526
1527 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1528 (inode->i_opflags & IOP_XATTR)) {
1529 rc = inode_doinit_use_xattr(inode, dentry,
1530 sid, &sid);
1531 if (rc) {
1532 dput(dentry);
1533 goto out;
1534 }
1535 }
1536 dput(dentry);
1537 }
1538 break;
1539 }
1540
1541 out:
1542 spin_lock(&isec->lock);
1543 if (isec->initialized == LABEL_PENDING) {
1544 if (rc) {
1545 isec->initialized = LABEL_INVALID;
1546 goto out_unlock;
1547 }
1548 isec->initialized = LABEL_INITIALIZED;
1549 isec->sid = sid;
1550 }
1551
1552 out_unlock:
1553 spin_unlock(&isec->lock);
1554 return rc;
1555
1556 out_invalid:
1557 spin_lock(&isec->lock);
1558 if (isec->initialized == LABEL_PENDING) {
1559 isec->initialized = LABEL_INVALID;
1560 isec->sid = sid;
1561 }
1562 spin_unlock(&isec->lock);
1563 return 0;
1564 }
1565
1566 /* Convert a Linux signal to an access vector. */
signal_to_av(int sig)1567 static inline u32 signal_to_av(int sig)
1568 {
1569 u32 perm = 0;
1570
1571 switch (sig) {
1572 case SIGCHLD:
1573 /* Commonly granted from child to parent. */
1574 perm = PROCESS__SIGCHLD;
1575 break;
1576 case SIGKILL:
1577 /* Cannot be caught or ignored */
1578 perm = PROCESS__SIGKILL;
1579 break;
1580 case SIGSTOP:
1581 /* Cannot be caught or ignored */
1582 perm = PROCESS__SIGSTOP;
1583 break;
1584 default:
1585 /* All other signals. */
1586 perm = PROCESS__SIGNAL;
1587 break;
1588 }
1589
1590 return perm;
1591 }
1592
1593 #if CAP_LAST_CAP > 63
1594 #error Fix SELinux to handle capabilities > 63.
1595 #endif
1596
1597 /* Check whether a task is allowed to use a capability. */
cred_has_capability(const struct cred * cred,int cap,unsigned int opts,bool initns)1598 static int cred_has_capability(const struct cred *cred,
1599 int cap, unsigned int opts, bool initns)
1600 {
1601 struct common_audit_data ad;
1602 struct av_decision avd;
1603 u16 sclass;
1604 u32 sid = cred_sid(cred);
1605 u32 av = CAP_TO_MASK(cap);
1606 int rc;
1607
1608 ad.type = LSM_AUDIT_DATA_CAP;
1609 ad.u.cap = cap;
1610
1611 switch (CAP_TO_INDEX(cap)) {
1612 case 0:
1613 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1614 break;
1615 case 1:
1616 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1617 break;
1618 default:
1619 pr_err("SELinux: out of range capability %d\n", cap);
1620 BUG();
1621 return -EINVAL;
1622 }
1623
1624 rc = avc_has_perm_noaudit(&selinux_state,
1625 sid, sid, sclass, av, 0, &avd);
1626 if (!(opts & CAP_OPT_NOAUDIT)) {
1627 int rc2 = avc_audit(&selinux_state,
1628 sid, sid, sclass, av, &avd, rc, &ad, 0);
1629 if (rc2)
1630 return rc2;
1631 }
1632 return rc;
1633 }
1634
1635 /* Check whether a task has a particular permission to an inode.
1636 The 'adp' parameter is optional and allows other audit
1637 data to be passed (e.g. the dentry). */
inode_has_perm(const struct cred * cred,struct inode * inode,u32 perms,struct common_audit_data * adp)1638 static int inode_has_perm(const struct cred *cred,
1639 struct inode *inode,
1640 u32 perms,
1641 struct common_audit_data *adp)
1642 {
1643 struct inode_security_struct *isec;
1644 u32 sid;
1645
1646 validate_creds(cred);
1647
1648 if (unlikely(IS_PRIVATE(inode)))
1649 return 0;
1650
1651 sid = cred_sid(cred);
1652 isec = selinux_inode(inode);
1653
1654 return avc_has_perm(&selinux_state,
1655 sid, isec->sid, isec->sclass, perms, adp);
1656 }
1657
1658 /* Same as inode_has_perm, but pass explicit audit data containing
1659 the dentry to help the auditing code to more easily generate the
1660 pathname if needed. */
dentry_has_perm(const struct cred * cred,struct dentry * dentry,u32 av)1661 static inline int dentry_has_perm(const struct cred *cred,
1662 struct dentry *dentry,
1663 u32 av)
1664 {
1665 struct inode *inode = d_backing_inode(dentry);
1666 struct common_audit_data ad;
1667
1668 ad.type = LSM_AUDIT_DATA_DENTRY;
1669 ad.u.dentry = dentry;
1670 __inode_security_revalidate(inode, dentry, true);
1671 return inode_has_perm(cred, inode, av, &ad);
1672 }
1673
1674 /* Same as inode_has_perm, but pass explicit audit data containing
1675 the path to help the auditing code to more easily generate the
1676 pathname if needed. */
path_has_perm(const struct cred * cred,const struct path * path,u32 av)1677 static inline int path_has_perm(const struct cred *cred,
1678 const struct path *path,
1679 u32 av)
1680 {
1681 struct inode *inode = d_backing_inode(path->dentry);
1682 struct common_audit_data ad;
1683
1684 ad.type = LSM_AUDIT_DATA_PATH;
1685 ad.u.path = *path;
1686 __inode_security_revalidate(inode, path->dentry, true);
1687 return inode_has_perm(cred, inode, av, &ad);
1688 }
1689
1690 /* Same as path_has_perm, but uses the inode from the file struct. */
file_path_has_perm(const struct cred * cred,struct file * file,u32 av)1691 static inline int file_path_has_perm(const struct cred *cred,
1692 struct file *file,
1693 u32 av)
1694 {
1695 struct common_audit_data ad;
1696
1697 ad.type = LSM_AUDIT_DATA_FILE;
1698 ad.u.file = file;
1699 return inode_has_perm(cred, file_inode(file), av, &ad);
1700 }
1701
1702 #ifdef CONFIG_BPF_SYSCALL
1703 static int bpf_fd_pass(struct file *file, u32 sid);
1704 #endif
1705
1706 /* Check whether a task can use an open file descriptor to
1707 access an inode in a given way. Check access to the
1708 descriptor itself, and then use dentry_has_perm to
1709 check a particular permission to the file.
1710 Access to the descriptor is implicitly granted if it
1711 has the same SID as the process. If av is zero, then
1712 access to the file is not checked, e.g. for cases
1713 where only the descriptor is affected like seek. */
file_has_perm(const struct cred * cred,struct file * file,u32 av)1714 static int file_has_perm(const struct cred *cred,
1715 struct file *file,
1716 u32 av)
1717 {
1718 struct file_security_struct *fsec = selinux_file(file);
1719 struct inode *inode = file_inode(file);
1720 struct common_audit_data ad;
1721 u32 sid = cred_sid(cred);
1722 int rc;
1723
1724 ad.type = LSM_AUDIT_DATA_FILE;
1725 ad.u.file = file;
1726
1727 if (sid != fsec->sid) {
1728 rc = avc_has_perm(&selinux_state,
1729 sid, fsec->sid,
1730 SECCLASS_FD,
1731 FD__USE,
1732 &ad);
1733 if (rc)
1734 goto out;
1735 }
1736
1737 #ifdef CONFIG_BPF_SYSCALL
1738 rc = bpf_fd_pass(file, cred_sid(cred));
1739 if (rc)
1740 return rc;
1741 #endif
1742
1743 /* av is zero if only checking access to the descriptor. */
1744 rc = 0;
1745 if (av)
1746 rc = inode_has_perm(cred, inode, av, &ad);
1747
1748 out:
1749 return rc;
1750 }
1751
1752 /*
1753 * Determine the label for an inode that might be unioned.
1754 */
1755 static int
selinux_determine_inode_label(const struct task_security_struct * tsec,struct inode * dir,const struct qstr * name,u16 tclass,u32 * _new_isid)1756 selinux_determine_inode_label(const struct task_security_struct *tsec,
1757 struct inode *dir,
1758 const struct qstr *name, u16 tclass,
1759 u32 *_new_isid)
1760 {
1761 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1762
1763 if ((sbsec->flags & SE_SBINITIALIZED) &&
1764 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1765 *_new_isid = sbsec->mntpoint_sid;
1766 } else if ((sbsec->flags & SBLABEL_MNT) &&
1767 tsec->create_sid) {
1768 *_new_isid = tsec->create_sid;
1769 } else {
1770 const struct inode_security_struct *dsec = inode_security(dir);
1771 return security_transition_sid(&selinux_state, tsec->sid,
1772 dsec->sid, tclass,
1773 name, _new_isid);
1774 }
1775
1776 return 0;
1777 }
1778
1779 /* Check whether a task can create a file. */
may_create(struct inode * dir,struct dentry * dentry,u16 tclass)1780 static int may_create(struct inode *dir,
1781 struct dentry *dentry,
1782 u16 tclass)
1783 {
1784 const struct task_security_struct *tsec = selinux_cred(current_cred());
1785 struct inode_security_struct *dsec;
1786 struct superblock_security_struct *sbsec;
1787 u32 sid, newsid;
1788 struct common_audit_data ad;
1789 int rc;
1790
1791 dsec = inode_security(dir);
1792 sbsec = dir->i_sb->s_security;
1793
1794 sid = tsec->sid;
1795
1796 ad.type = LSM_AUDIT_DATA_DENTRY;
1797 ad.u.dentry = dentry;
1798
1799 rc = avc_has_perm(&selinux_state,
1800 sid, dsec->sid, SECCLASS_DIR,
1801 DIR__ADD_NAME | DIR__SEARCH,
1802 &ad);
1803 if (rc)
1804 return rc;
1805
1806 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1807 &newsid);
1808 if (rc)
1809 return rc;
1810
1811 rc = avc_has_perm(&selinux_state,
1812 sid, newsid, tclass, FILE__CREATE, &ad);
1813 if (rc)
1814 return rc;
1815
1816 return avc_has_perm(&selinux_state,
1817 newsid, sbsec->sid,
1818 SECCLASS_FILESYSTEM,
1819 FILESYSTEM__ASSOCIATE, &ad);
1820 }
1821
1822 #define MAY_LINK 0
1823 #define MAY_UNLINK 1
1824 #define MAY_RMDIR 2
1825
1826 /* Check whether a task can link, unlink, or rmdir a file/directory. */
may_link(struct inode * dir,struct dentry * dentry,int kind)1827 static int may_link(struct inode *dir,
1828 struct dentry *dentry,
1829 int kind)
1830
1831 {
1832 struct inode_security_struct *dsec, *isec;
1833 struct common_audit_data ad;
1834 u32 sid = current_sid();
1835 u32 av;
1836 int rc;
1837
1838 dsec = inode_security(dir);
1839 isec = backing_inode_security(dentry);
1840
1841 ad.type = LSM_AUDIT_DATA_DENTRY;
1842 ad.u.dentry = dentry;
1843
1844 av = DIR__SEARCH;
1845 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1846 rc = avc_has_perm(&selinux_state,
1847 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1848 if (rc)
1849 return rc;
1850
1851 switch (kind) {
1852 case MAY_LINK:
1853 av = FILE__LINK;
1854 break;
1855 case MAY_UNLINK:
1856 av = FILE__UNLINK;
1857 break;
1858 case MAY_RMDIR:
1859 av = DIR__RMDIR;
1860 break;
1861 default:
1862 pr_warn("SELinux: %s: unrecognized kind %d\n",
1863 __func__, kind);
1864 return 0;
1865 }
1866
1867 rc = avc_has_perm(&selinux_state,
1868 sid, isec->sid, isec->sclass, av, &ad);
1869 return rc;
1870 }
1871
may_rename(struct inode * old_dir,struct dentry * old_dentry,struct inode * new_dir,struct dentry * new_dentry)1872 static inline int may_rename(struct inode *old_dir,
1873 struct dentry *old_dentry,
1874 struct inode *new_dir,
1875 struct dentry *new_dentry)
1876 {
1877 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1878 struct common_audit_data ad;
1879 u32 sid = current_sid();
1880 u32 av;
1881 int old_is_dir, new_is_dir;
1882 int rc;
1883
1884 old_dsec = inode_security(old_dir);
1885 old_isec = backing_inode_security(old_dentry);
1886 old_is_dir = d_is_dir(old_dentry);
1887 new_dsec = inode_security(new_dir);
1888
1889 ad.type = LSM_AUDIT_DATA_DENTRY;
1890
1891 ad.u.dentry = old_dentry;
1892 rc = avc_has_perm(&selinux_state,
1893 sid, old_dsec->sid, SECCLASS_DIR,
1894 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1895 if (rc)
1896 return rc;
1897 rc = avc_has_perm(&selinux_state,
1898 sid, old_isec->sid,
1899 old_isec->sclass, FILE__RENAME, &ad);
1900 if (rc)
1901 return rc;
1902 if (old_is_dir && new_dir != old_dir) {
1903 rc = avc_has_perm(&selinux_state,
1904 sid, old_isec->sid,
1905 old_isec->sclass, DIR__REPARENT, &ad);
1906 if (rc)
1907 return rc;
1908 }
1909
1910 ad.u.dentry = new_dentry;
1911 av = DIR__ADD_NAME | DIR__SEARCH;
1912 if (d_is_positive(new_dentry))
1913 av |= DIR__REMOVE_NAME;
1914 rc = avc_has_perm(&selinux_state,
1915 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1916 if (rc)
1917 return rc;
1918 if (d_is_positive(new_dentry)) {
1919 new_isec = backing_inode_security(new_dentry);
1920 new_is_dir = d_is_dir(new_dentry);
1921 rc = avc_has_perm(&selinux_state,
1922 sid, new_isec->sid,
1923 new_isec->sclass,
1924 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1925 if (rc)
1926 return rc;
1927 }
1928
1929 return 0;
1930 }
1931
1932 /* Check whether a task can perform a filesystem operation. */
superblock_has_perm(const struct cred * cred,struct super_block * sb,u32 perms,struct common_audit_data * ad)1933 static int superblock_has_perm(const struct cred *cred,
1934 struct super_block *sb,
1935 u32 perms,
1936 struct common_audit_data *ad)
1937 {
1938 struct superblock_security_struct *sbsec;
1939 u32 sid = cred_sid(cred);
1940
1941 sbsec = sb->s_security;
1942 return avc_has_perm(&selinux_state,
1943 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1944 }
1945
1946 /* Convert a Linux mode and permission mask to an access vector. */
file_mask_to_av(int mode,int mask)1947 static inline u32 file_mask_to_av(int mode, int mask)
1948 {
1949 u32 av = 0;
1950
1951 if (!S_ISDIR(mode)) {
1952 if (mask & MAY_EXEC)
1953 av |= FILE__EXECUTE;
1954 if (mask & MAY_READ)
1955 av |= FILE__READ;
1956
1957 if (mask & MAY_APPEND)
1958 av |= FILE__APPEND;
1959 else if (mask & MAY_WRITE)
1960 av |= FILE__WRITE;
1961
1962 } else {
1963 if (mask & MAY_EXEC)
1964 av |= DIR__SEARCH;
1965 if (mask & MAY_WRITE)
1966 av |= DIR__WRITE;
1967 if (mask & MAY_READ)
1968 av |= DIR__READ;
1969 }
1970
1971 return av;
1972 }
1973
1974 /* Convert a Linux file to an access vector. */
file_to_av(struct file * file)1975 static inline u32 file_to_av(struct file *file)
1976 {
1977 u32 av = 0;
1978
1979 if (file->f_mode & FMODE_READ)
1980 av |= FILE__READ;
1981 if (file->f_mode & FMODE_WRITE) {
1982 if (file->f_flags & O_APPEND)
1983 av |= FILE__APPEND;
1984 else
1985 av |= FILE__WRITE;
1986 }
1987 if (!av) {
1988 /*
1989 * Special file opened with flags 3 for ioctl-only use.
1990 */
1991 av = FILE__IOCTL;
1992 }
1993
1994 return av;
1995 }
1996
1997 /*
1998 * Convert a file to an access vector and include the correct
1999 * open permission.
2000 */
open_file_to_av(struct file * file)2001 static inline u32 open_file_to_av(struct file *file)
2002 {
2003 u32 av = file_to_av(file);
2004 struct inode *inode = file_inode(file);
2005
2006 if (selinux_policycap_openperm() &&
2007 inode->i_sb->s_magic != SOCKFS_MAGIC)
2008 av |= FILE__OPEN;
2009
2010 return av;
2011 }
2012
2013 /* Hook functions begin here. */
2014
selinux_binder_set_context_mgr(const struct cred * mgr)2015 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2016 {
2017 return avc_has_perm(&selinux_state,
2018 current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2019 BINDER__SET_CONTEXT_MGR, NULL);
2020 }
2021
selinux_binder_transaction(const struct cred * from,const struct cred * to)2022 static int selinux_binder_transaction(const struct cred *from,
2023 const struct cred *to)
2024 {
2025 u32 mysid = current_sid();
2026 u32 fromsid = cred_sid(from);
2027 u32 tosid = cred_sid(to);
2028 int rc;
2029
2030 if (mysid != fromsid) {
2031 rc = avc_has_perm(&selinux_state,
2032 mysid, fromsid, SECCLASS_BINDER,
2033 BINDER__IMPERSONATE, NULL);
2034 if (rc)
2035 return rc;
2036 }
2037
2038 return avc_has_perm(&selinux_state, fromsid, tosid,
2039 SECCLASS_BINDER, BINDER__CALL, NULL);
2040 }
2041
selinux_binder_transfer_binder(const struct cred * from,const struct cred * to)2042 static int selinux_binder_transfer_binder(const struct cred *from,
2043 const struct cred *to)
2044 {
2045 return avc_has_perm(&selinux_state,
2046 cred_sid(from), cred_sid(to),
2047 SECCLASS_BINDER, BINDER__TRANSFER,
2048 NULL);
2049 }
2050
selinux_binder_transfer_file(const struct cred * from,const struct cred * to,struct file * file)2051 static int selinux_binder_transfer_file(const struct cred *from,
2052 const struct cred *to,
2053 struct file *file)
2054 {
2055 u32 sid = cred_sid(to);
2056 struct file_security_struct *fsec = selinux_file(file);
2057 struct dentry *dentry = file->f_path.dentry;
2058 struct inode_security_struct *isec;
2059 struct common_audit_data ad;
2060 int rc;
2061
2062 ad.type = LSM_AUDIT_DATA_PATH;
2063 ad.u.path = file->f_path;
2064
2065 if (sid != fsec->sid) {
2066 rc = avc_has_perm(&selinux_state,
2067 sid, fsec->sid,
2068 SECCLASS_FD,
2069 FD__USE,
2070 &ad);
2071 if (rc)
2072 return rc;
2073 }
2074
2075 #ifdef CONFIG_BPF_SYSCALL
2076 rc = bpf_fd_pass(file, sid);
2077 if (rc)
2078 return rc;
2079 #endif
2080
2081 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2082 return 0;
2083
2084 isec = backing_inode_security(dentry);
2085 return avc_has_perm(&selinux_state,
2086 sid, isec->sid, isec->sclass, file_to_av(file),
2087 &ad);
2088 }
2089
selinux_ptrace_access_check(struct task_struct * child,unsigned int mode)2090 static int selinux_ptrace_access_check(struct task_struct *child,
2091 unsigned int mode)
2092 {
2093 u32 sid = current_sid();
2094 u32 csid = task_sid(child);
2095
2096 if (mode & PTRACE_MODE_READ)
2097 return avc_has_perm(&selinux_state,
2098 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2099
2100 return avc_has_perm(&selinux_state,
2101 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2102 }
2103
selinux_ptrace_traceme(struct task_struct * parent)2104 static int selinux_ptrace_traceme(struct task_struct *parent)
2105 {
2106 return avc_has_perm(&selinux_state,
2107 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2108 PROCESS__PTRACE, NULL);
2109 }
2110
selinux_capget(struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)2111 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2112 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2113 {
2114 return avc_has_perm(&selinux_state,
2115 current_sid(), task_sid(target), SECCLASS_PROCESS,
2116 PROCESS__GETCAP, NULL);
2117 }
2118
selinux_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)2119 static int selinux_capset(struct cred *new, const struct cred *old,
2120 const kernel_cap_t *effective,
2121 const kernel_cap_t *inheritable,
2122 const kernel_cap_t *permitted)
2123 {
2124 return avc_has_perm(&selinux_state,
2125 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2126 PROCESS__SETCAP, NULL);
2127 }
2128
2129 /*
2130 * (This comment used to live with the selinux_task_setuid hook,
2131 * which was removed).
2132 *
2133 * Since setuid only affects the current process, and since the SELinux
2134 * controls are not based on the Linux identity attributes, SELinux does not
2135 * need to control this operation. However, SELinux does control the use of
2136 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2137 */
2138
selinux_capable(const struct cred * cred,struct user_namespace * ns,int cap,unsigned int opts)2139 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2140 int cap, unsigned int opts)
2141 {
2142 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2143 }
2144
selinux_quotactl(int cmds,int type,int id,struct super_block * sb)2145 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2146 {
2147 const struct cred *cred = current_cred();
2148 int rc = 0;
2149
2150 if (!sb)
2151 return 0;
2152
2153 switch (cmds) {
2154 case Q_SYNC:
2155 case Q_QUOTAON:
2156 case Q_QUOTAOFF:
2157 case Q_SETINFO:
2158 case Q_SETQUOTA:
2159 case Q_XQUOTAOFF:
2160 case Q_XQUOTAON:
2161 case Q_XSETQLIM:
2162 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2163 break;
2164 case Q_GETFMT:
2165 case Q_GETINFO:
2166 case Q_GETQUOTA:
2167 case Q_XGETQUOTA:
2168 case Q_XGETQSTAT:
2169 case Q_XGETQSTATV:
2170 case Q_XGETNEXTQUOTA:
2171 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2172 break;
2173 default:
2174 rc = 0; /* let the kernel handle invalid cmds */
2175 break;
2176 }
2177 return rc;
2178 }
2179
selinux_quota_on(struct dentry * dentry)2180 static int selinux_quota_on(struct dentry *dentry)
2181 {
2182 const struct cred *cred = current_cred();
2183
2184 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2185 }
2186
selinux_syslog(int type)2187 static int selinux_syslog(int type)
2188 {
2189 switch (type) {
2190 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2191 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2192 return avc_has_perm(&selinux_state,
2193 current_sid(), SECINITSID_KERNEL,
2194 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2195 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2196 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2197 /* Set level of messages printed to console */
2198 case SYSLOG_ACTION_CONSOLE_LEVEL:
2199 return avc_has_perm(&selinux_state,
2200 current_sid(), SECINITSID_KERNEL,
2201 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2202 NULL);
2203 }
2204 /* All other syslog types */
2205 return avc_has_perm(&selinux_state,
2206 current_sid(), SECINITSID_KERNEL,
2207 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2208 }
2209
2210 /*
2211 * Check that a process has enough memory to allocate a new virtual
2212 * mapping. 0 means there is enough memory for the allocation to
2213 * succeed and -ENOMEM implies there is not.
2214 *
2215 * Do not audit the selinux permission check, as this is applied to all
2216 * processes that allocate mappings.
2217 */
selinux_vm_enough_memory(struct mm_struct * mm,long pages)2218 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2219 {
2220 int rc, cap_sys_admin = 0;
2221
2222 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2223 CAP_OPT_NOAUDIT, true);
2224 if (rc == 0)
2225 cap_sys_admin = 1;
2226
2227 return cap_sys_admin;
2228 }
2229
2230 /* binprm security operations */
2231
ptrace_parent_sid(void)2232 static u32 ptrace_parent_sid(void)
2233 {
2234 u32 sid = 0;
2235 struct task_struct *tracer;
2236
2237 rcu_read_lock();
2238 tracer = ptrace_parent(current);
2239 if (tracer)
2240 sid = task_sid(tracer);
2241 rcu_read_unlock();
2242
2243 return sid;
2244 }
2245
check_nnp_nosuid(const struct linux_binprm * bprm,const struct task_security_struct * old_tsec,const struct task_security_struct * new_tsec)2246 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2247 const struct task_security_struct *old_tsec,
2248 const struct task_security_struct *new_tsec)
2249 {
2250 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2251 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2252 int rc;
2253 u32 av;
2254
2255 if (!nnp && !nosuid)
2256 return 0; /* neither NNP nor nosuid */
2257
2258 if (new_tsec->sid == old_tsec->sid)
2259 return 0; /* No change in credentials */
2260
2261 /*
2262 * If the policy enables the nnp_nosuid_transition policy capability,
2263 * then we permit transitions under NNP or nosuid if the
2264 * policy allows the corresponding permission between
2265 * the old and new contexts.
2266 */
2267 if (selinux_policycap_nnp_nosuid_transition()) {
2268 av = 0;
2269 if (nnp)
2270 av |= PROCESS2__NNP_TRANSITION;
2271 if (nosuid)
2272 av |= PROCESS2__NOSUID_TRANSITION;
2273 rc = avc_has_perm(&selinux_state,
2274 old_tsec->sid, new_tsec->sid,
2275 SECCLASS_PROCESS2, av, NULL);
2276 if (!rc)
2277 return 0;
2278 }
2279
2280 /*
2281 * We also permit NNP or nosuid transitions to bounded SIDs,
2282 * i.e. SIDs that are guaranteed to only be allowed a subset
2283 * of the permissions of the current SID.
2284 */
2285 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2286 new_tsec->sid);
2287 if (!rc)
2288 return 0;
2289
2290 /*
2291 * On failure, preserve the errno values for NNP vs nosuid.
2292 * NNP: Operation not permitted for caller.
2293 * nosuid: Permission denied to file.
2294 */
2295 if (nnp)
2296 return -EPERM;
2297 return -EACCES;
2298 }
2299
selinux_bprm_creds_for_exec(struct linux_binprm * bprm)2300 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2301 {
2302 const struct task_security_struct *old_tsec;
2303 struct task_security_struct *new_tsec;
2304 struct inode_security_struct *isec;
2305 struct common_audit_data ad;
2306 struct inode *inode = file_inode(bprm->file);
2307 int rc;
2308
2309 /* SELinux context only depends on initial program or script and not
2310 * the script interpreter */
2311
2312 old_tsec = selinux_cred(current_cred());
2313 new_tsec = selinux_cred(bprm->cred);
2314 isec = inode_security(inode);
2315
2316 /* Default to the current task SID. */
2317 new_tsec->sid = old_tsec->sid;
2318 new_tsec->osid = old_tsec->sid;
2319
2320 /* Reset fs, key, and sock SIDs on execve. */
2321 new_tsec->create_sid = 0;
2322 new_tsec->keycreate_sid = 0;
2323 new_tsec->sockcreate_sid = 0;
2324
2325 if (old_tsec->exec_sid) {
2326 new_tsec->sid = old_tsec->exec_sid;
2327 /* Reset exec SID on execve. */
2328 new_tsec->exec_sid = 0;
2329
2330 /* Fail on NNP or nosuid if not an allowed transition. */
2331 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2332 if (rc)
2333 return rc;
2334 } else {
2335 /* Check for a default transition on this program. */
2336 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2337 isec->sid, SECCLASS_PROCESS, NULL,
2338 &new_tsec->sid);
2339 if (rc)
2340 return rc;
2341
2342 /*
2343 * Fallback to old SID on NNP or nosuid if not an allowed
2344 * transition.
2345 */
2346 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2347 if (rc)
2348 new_tsec->sid = old_tsec->sid;
2349 }
2350
2351 ad.type = LSM_AUDIT_DATA_FILE;
2352 ad.u.file = bprm->file;
2353
2354 if (new_tsec->sid == old_tsec->sid) {
2355 rc = avc_has_perm(&selinux_state,
2356 old_tsec->sid, isec->sid,
2357 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2358 if (rc)
2359 return rc;
2360 } else {
2361 /* Check permissions for the transition. */
2362 rc = avc_has_perm(&selinux_state,
2363 old_tsec->sid, new_tsec->sid,
2364 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2365 if (rc)
2366 return rc;
2367
2368 rc = avc_has_perm(&selinux_state,
2369 new_tsec->sid, isec->sid,
2370 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2371 if (rc)
2372 return rc;
2373
2374 /* Check for shared state */
2375 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2376 rc = avc_has_perm(&selinux_state,
2377 old_tsec->sid, new_tsec->sid,
2378 SECCLASS_PROCESS, PROCESS__SHARE,
2379 NULL);
2380 if (rc)
2381 return -EPERM;
2382 }
2383
2384 /* Make sure that anyone attempting to ptrace over a task that
2385 * changes its SID has the appropriate permit */
2386 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2387 u32 ptsid = ptrace_parent_sid();
2388 if (ptsid != 0) {
2389 rc = avc_has_perm(&selinux_state,
2390 ptsid, new_tsec->sid,
2391 SECCLASS_PROCESS,
2392 PROCESS__PTRACE, NULL);
2393 if (rc)
2394 return -EPERM;
2395 }
2396 }
2397
2398 /* Clear any possibly unsafe personality bits on exec: */
2399 bprm->per_clear |= PER_CLEAR_ON_SETID;
2400
2401 /* Enable secure mode for SIDs transitions unless
2402 the noatsecure permission is granted between
2403 the two SIDs, i.e. ahp returns 0. */
2404 rc = avc_has_perm(&selinux_state,
2405 old_tsec->sid, new_tsec->sid,
2406 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2407 NULL);
2408 bprm->secureexec |= !!rc;
2409 }
2410
2411 return 0;
2412 }
2413
match_file(const void * p,struct file * file,unsigned fd)2414 static int match_file(const void *p, struct file *file, unsigned fd)
2415 {
2416 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2417 }
2418
2419 /* Derived from fs/exec.c:flush_old_files. */
flush_unauthorized_files(const struct cred * cred,struct files_struct * files)2420 static inline void flush_unauthorized_files(const struct cred *cred,
2421 struct files_struct *files)
2422 {
2423 struct file *file, *devnull = NULL;
2424 struct tty_struct *tty;
2425 int drop_tty = 0;
2426 unsigned n;
2427
2428 tty = get_current_tty();
2429 if (tty) {
2430 spin_lock(&tty->files_lock);
2431 if (!list_empty(&tty->tty_files)) {
2432 struct tty_file_private *file_priv;
2433
2434 /* Revalidate access to controlling tty.
2435 Use file_path_has_perm on the tty path directly
2436 rather than using file_has_perm, as this particular
2437 open file may belong to another process and we are
2438 only interested in the inode-based check here. */
2439 file_priv = list_first_entry(&tty->tty_files,
2440 struct tty_file_private, list);
2441 file = file_priv->file;
2442 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2443 drop_tty = 1;
2444 }
2445 spin_unlock(&tty->files_lock);
2446 tty_kref_put(tty);
2447 }
2448 /* Reset controlling tty. */
2449 if (drop_tty)
2450 no_tty();
2451
2452 /* Revalidate access to inherited open files. */
2453 n = iterate_fd(files, 0, match_file, cred);
2454 if (!n) /* none found? */
2455 return;
2456
2457 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2458 if (IS_ERR(devnull))
2459 devnull = NULL;
2460 /* replace all the matching ones with this */
2461 do {
2462 replace_fd(n - 1, devnull, 0);
2463 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2464 if (devnull)
2465 fput(devnull);
2466 }
2467
2468 /*
2469 * Prepare a process for imminent new credential changes due to exec
2470 */
selinux_bprm_committing_creds(struct linux_binprm * bprm)2471 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2472 {
2473 struct task_security_struct *new_tsec;
2474 struct rlimit *rlim, *initrlim;
2475 int rc, i;
2476
2477 new_tsec = selinux_cred(bprm->cred);
2478 if (new_tsec->sid == new_tsec->osid)
2479 return;
2480
2481 /* Close files for which the new task SID is not authorized. */
2482 flush_unauthorized_files(bprm->cred, current->files);
2483
2484 /* Always clear parent death signal on SID transitions. */
2485 current->pdeath_signal = 0;
2486
2487 /* Check whether the new SID can inherit resource limits from the old
2488 * SID. If not, reset all soft limits to the lower of the current
2489 * task's hard limit and the init task's soft limit.
2490 *
2491 * Note that the setting of hard limits (even to lower them) can be
2492 * controlled by the setrlimit check. The inclusion of the init task's
2493 * soft limit into the computation is to avoid resetting soft limits
2494 * higher than the default soft limit for cases where the default is
2495 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2496 */
2497 rc = avc_has_perm(&selinux_state,
2498 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2499 PROCESS__RLIMITINH, NULL);
2500 if (rc) {
2501 /* protect against do_prlimit() */
2502 task_lock(current);
2503 for (i = 0; i < RLIM_NLIMITS; i++) {
2504 rlim = current->signal->rlim + i;
2505 initrlim = init_task.signal->rlim + i;
2506 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2507 }
2508 task_unlock(current);
2509 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2510 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2511 }
2512 }
2513
2514 /*
2515 * Clean up the process immediately after the installation of new credentials
2516 * due to exec
2517 */
selinux_bprm_committed_creds(struct linux_binprm * bprm)2518 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2519 {
2520 const struct task_security_struct *tsec = selinux_cred(current_cred());
2521 u32 osid, sid;
2522 int rc;
2523
2524 osid = tsec->osid;
2525 sid = tsec->sid;
2526
2527 if (sid == osid)
2528 return;
2529
2530 /* Check whether the new SID can inherit signal state from the old SID.
2531 * If not, clear itimers to avoid subsequent signal generation and
2532 * flush and unblock signals.
2533 *
2534 * This must occur _after_ the task SID has been updated so that any
2535 * kill done after the flush will be checked against the new SID.
2536 */
2537 rc = avc_has_perm(&selinux_state,
2538 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2539 if (rc) {
2540 clear_itimer();
2541
2542 spin_lock_irq(¤t->sighand->siglock);
2543 if (!fatal_signal_pending(current)) {
2544 flush_sigqueue(¤t->pending);
2545 flush_sigqueue(¤t->signal->shared_pending);
2546 flush_signal_handlers(current, 1);
2547 sigemptyset(¤t->blocked);
2548 recalc_sigpending();
2549 }
2550 spin_unlock_irq(¤t->sighand->siglock);
2551 }
2552
2553 /* Wake up the parent if it is waiting so that it can recheck
2554 * wait permission to the new task SID. */
2555 read_lock(&tasklist_lock);
2556 __wake_up_parent(current, current->real_parent);
2557 read_unlock(&tasklist_lock);
2558 }
2559
2560 /* superblock security operations */
2561
selinux_sb_alloc_security(struct super_block * sb)2562 static int selinux_sb_alloc_security(struct super_block *sb)
2563 {
2564 struct superblock_security_struct *sbsec;
2565
2566 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
2567 if (!sbsec)
2568 return -ENOMEM;
2569
2570 mutex_init(&sbsec->lock);
2571 INIT_LIST_HEAD(&sbsec->isec_head);
2572 spin_lock_init(&sbsec->isec_lock);
2573 sbsec->sb = sb;
2574 sbsec->sid = SECINITSID_UNLABELED;
2575 sbsec->def_sid = SECINITSID_FILE;
2576 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2577 sb->s_security = sbsec;
2578
2579 return 0;
2580 }
2581
selinux_sb_free_security(struct super_block * sb)2582 static void selinux_sb_free_security(struct super_block *sb)
2583 {
2584 superblock_free_security(sb);
2585 }
2586
opt_len(const char * s)2587 static inline int opt_len(const char *s)
2588 {
2589 bool open_quote = false;
2590 int len;
2591 char c;
2592
2593 for (len = 0; (c = s[len]) != '\0'; len++) {
2594 if (c == '"')
2595 open_quote = !open_quote;
2596 if (c == ',' && !open_quote)
2597 break;
2598 }
2599 return len;
2600 }
2601
selinux_sb_eat_lsm_opts(char * options,void ** mnt_opts)2602 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2603 {
2604 char *from = options;
2605 char *to = options;
2606 bool first = true;
2607 int rc;
2608
2609 while (1) {
2610 int len = opt_len(from);
2611 int token;
2612 char *arg = NULL;
2613
2614 token = match_opt_prefix(from, len, &arg);
2615
2616 if (token != Opt_error) {
2617 char *p, *q;
2618
2619 /* strip quotes */
2620 if (arg) {
2621 for (p = q = arg; p < from + len; p++) {
2622 char c = *p;
2623 if (c != '"')
2624 *q++ = c;
2625 }
2626 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2627 if (!arg) {
2628 rc = -ENOMEM;
2629 goto free_opt;
2630 }
2631 }
2632 rc = selinux_add_opt(token, arg, mnt_opts);
2633 if (unlikely(rc)) {
2634 kfree(arg);
2635 goto free_opt;
2636 }
2637 } else {
2638 if (!first) { // copy with preceding comma
2639 from--;
2640 len++;
2641 }
2642 if (to != from)
2643 memmove(to, from, len);
2644 to += len;
2645 first = false;
2646 }
2647 if (!from[len])
2648 break;
2649 from += len + 1;
2650 }
2651 *to = '\0';
2652 return 0;
2653
2654 free_opt:
2655 if (*mnt_opts) {
2656 selinux_free_mnt_opts(*mnt_opts);
2657 *mnt_opts = NULL;
2658 }
2659 return rc;
2660 }
2661
selinux_sb_remount(struct super_block * sb,void * mnt_opts)2662 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2663 {
2664 struct selinux_mnt_opts *opts = mnt_opts;
2665 struct superblock_security_struct *sbsec = sb->s_security;
2666 u32 sid;
2667 int rc;
2668
2669 if (!(sbsec->flags & SE_SBINITIALIZED))
2670 return 0;
2671
2672 if (!opts)
2673 return 0;
2674
2675 if (opts->fscontext) {
2676 rc = parse_sid(sb, opts->fscontext, &sid);
2677 if (rc)
2678 return rc;
2679 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2680 goto out_bad_option;
2681 }
2682 if (opts->context) {
2683 rc = parse_sid(sb, opts->context, &sid);
2684 if (rc)
2685 return rc;
2686 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2687 goto out_bad_option;
2688 }
2689 if (opts->rootcontext) {
2690 struct inode_security_struct *root_isec;
2691 root_isec = backing_inode_security(sb->s_root);
2692 rc = parse_sid(sb, opts->rootcontext, &sid);
2693 if (rc)
2694 return rc;
2695 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2696 goto out_bad_option;
2697 }
2698 if (opts->defcontext) {
2699 rc = parse_sid(sb, opts->defcontext, &sid);
2700 if (rc)
2701 return rc;
2702 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2703 goto out_bad_option;
2704 }
2705 return 0;
2706
2707 out_bad_option:
2708 pr_warn("SELinux: unable to change security options "
2709 "during remount (dev %s, type=%s)\n", sb->s_id,
2710 sb->s_type->name);
2711 return -EINVAL;
2712 }
2713
selinux_sb_kern_mount(struct super_block * sb)2714 static int selinux_sb_kern_mount(struct super_block *sb)
2715 {
2716 const struct cred *cred = current_cred();
2717 struct common_audit_data ad;
2718
2719 ad.type = LSM_AUDIT_DATA_DENTRY;
2720 ad.u.dentry = sb->s_root;
2721 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2722 }
2723
selinux_sb_statfs(struct dentry * dentry)2724 static int selinux_sb_statfs(struct dentry *dentry)
2725 {
2726 const struct cred *cred = current_cred();
2727 struct common_audit_data ad;
2728
2729 ad.type = LSM_AUDIT_DATA_DENTRY;
2730 ad.u.dentry = dentry->d_sb->s_root;
2731 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2732 }
2733
selinux_mount(const char * dev_name,const struct path * path,const char * type,unsigned long flags,void * data)2734 static int selinux_mount(const char *dev_name,
2735 const struct path *path,
2736 const char *type,
2737 unsigned long flags,
2738 void *data)
2739 {
2740 const struct cred *cred = current_cred();
2741
2742 if (flags & MS_REMOUNT)
2743 return superblock_has_perm(cred, path->dentry->d_sb,
2744 FILESYSTEM__REMOUNT, NULL);
2745 else
2746 return path_has_perm(cred, path, FILE__MOUNTON);
2747 }
2748
selinux_move_mount(const struct path * from_path,const struct path * to_path)2749 static int selinux_move_mount(const struct path *from_path,
2750 const struct path *to_path)
2751 {
2752 const struct cred *cred = current_cred();
2753
2754 return path_has_perm(cred, to_path, FILE__MOUNTON);
2755 }
2756
selinux_umount(struct vfsmount * mnt,int flags)2757 static int selinux_umount(struct vfsmount *mnt, int flags)
2758 {
2759 const struct cred *cred = current_cred();
2760
2761 return superblock_has_perm(cred, mnt->mnt_sb,
2762 FILESYSTEM__UNMOUNT, NULL);
2763 }
2764
selinux_fs_context_dup(struct fs_context * fc,struct fs_context * src_fc)2765 static int selinux_fs_context_dup(struct fs_context *fc,
2766 struct fs_context *src_fc)
2767 {
2768 const struct selinux_mnt_opts *src = src_fc->security;
2769 struct selinux_mnt_opts *opts;
2770
2771 if (!src)
2772 return 0;
2773
2774 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2775 if (!fc->security)
2776 return -ENOMEM;
2777
2778 opts = fc->security;
2779
2780 if (src->fscontext) {
2781 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2782 if (!opts->fscontext)
2783 return -ENOMEM;
2784 }
2785 if (src->context) {
2786 opts->context = kstrdup(src->context, GFP_KERNEL);
2787 if (!opts->context)
2788 return -ENOMEM;
2789 }
2790 if (src->rootcontext) {
2791 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2792 if (!opts->rootcontext)
2793 return -ENOMEM;
2794 }
2795 if (src->defcontext) {
2796 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2797 if (!opts->defcontext)
2798 return -ENOMEM;
2799 }
2800 return 0;
2801 }
2802
2803 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2804 fsparam_string(CONTEXT_STR, Opt_context),
2805 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2806 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2807 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2808 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2809 {}
2810 };
2811
selinux_fs_context_parse_param(struct fs_context * fc,struct fs_parameter * param)2812 static int selinux_fs_context_parse_param(struct fs_context *fc,
2813 struct fs_parameter *param)
2814 {
2815 struct fs_parse_result result;
2816 int opt, rc;
2817
2818 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2819 if (opt < 0)
2820 return opt;
2821
2822 rc = selinux_add_opt(opt, param->string, &fc->security);
2823 if (!rc)
2824 param->string = NULL;
2825
2826 return rc;
2827 }
2828
2829 /* inode security operations */
2830
selinux_inode_alloc_security(struct inode * inode)2831 static int selinux_inode_alloc_security(struct inode *inode)
2832 {
2833 struct inode_security_struct *isec = selinux_inode(inode);
2834 u32 sid = current_sid();
2835
2836 spin_lock_init(&isec->lock);
2837 INIT_LIST_HEAD(&isec->list);
2838 isec->inode = inode;
2839 isec->sid = SECINITSID_UNLABELED;
2840 isec->sclass = SECCLASS_FILE;
2841 isec->task_sid = sid;
2842 isec->initialized = LABEL_INVALID;
2843
2844 return 0;
2845 }
2846
selinux_inode_free_security(struct inode * inode)2847 static void selinux_inode_free_security(struct inode *inode)
2848 {
2849 inode_free_security(inode);
2850 }
2851
selinux_dentry_init_security(struct dentry * dentry,int mode,const struct qstr * name,void ** ctx,u32 * ctxlen)2852 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2853 const struct qstr *name, void **ctx,
2854 u32 *ctxlen)
2855 {
2856 u32 newsid;
2857 int rc;
2858
2859 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2860 d_inode(dentry->d_parent), name,
2861 inode_mode_to_security_class(mode),
2862 &newsid);
2863 if (rc)
2864 return rc;
2865
2866 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2867 ctxlen);
2868 }
2869
selinux_dentry_create_files_as(struct dentry * dentry,int mode,struct qstr * name,const struct cred * old,struct cred * new)2870 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2871 struct qstr *name,
2872 const struct cred *old,
2873 struct cred *new)
2874 {
2875 u32 newsid;
2876 int rc;
2877 struct task_security_struct *tsec;
2878
2879 rc = selinux_determine_inode_label(selinux_cred(old),
2880 d_inode(dentry->d_parent), name,
2881 inode_mode_to_security_class(mode),
2882 &newsid);
2883 if (rc)
2884 return rc;
2885
2886 tsec = selinux_cred(new);
2887 tsec->create_sid = newsid;
2888 return 0;
2889 }
2890
selinux_inode_init_security(struct inode * inode,struct inode * dir,const struct qstr * qstr,const char ** name,void ** value,size_t * len)2891 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2892 const struct qstr *qstr,
2893 const char **name,
2894 void **value, size_t *len)
2895 {
2896 const struct task_security_struct *tsec = selinux_cred(current_cred());
2897 struct superblock_security_struct *sbsec;
2898 u32 newsid, clen;
2899 int rc;
2900 char *context;
2901
2902 sbsec = dir->i_sb->s_security;
2903
2904 newsid = tsec->create_sid;
2905
2906 rc = selinux_determine_inode_label(tsec, dir, qstr,
2907 inode_mode_to_security_class(inode->i_mode),
2908 &newsid);
2909 if (rc)
2910 return rc;
2911
2912 /* Possibly defer initialization to selinux_complete_init. */
2913 if (sbsec->flags & SE_SBINITIALIZED) {
2914 struct inode_security_struct *isec = selinux_inode(inode);
2915 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2916 isec->sid = newsid;
2917 isec->initialized = LABEL_INITIALIZED;
2918 }
2919
2920 if (!selinux_initialized(&selinux_state) ||
2921 !(sbsec->flags & SBLABEL_MNT))
2922 return -EOPNOTSUPP;
2923
2924 if (name)
2925 *name = XATTR_SELINUX_SUFFIX;
2926
2927 if (value && len) {
2928 rc = security_sid_to_context_force(&selinux_state, newsid,
2929 &context, &clen);
2930 if (rc)
2931 return rc;
2932 *value = context;
2933 *len = clen;
2934 }
2935
2936 return 0;
2937 }
2938
selinux_inode_create(struct inode * dir,struct dentry * dentry,umode_t mode)2939 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2940 {
2941 return may_create(dir, dentry, SECCLASS_FILE);
2942 }
2943
selinux_inode_link(struct dentry * old_dentry,struct inode * dir,struct dentry * new_dentry)2944 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2945 {
2946 return may_link(dir, old_dentry, MAY_LINK);
2947 }
2948
selinux_inode_unlink(struct inode * dir,struct dentry * dentry)2949 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2950 {
2951 return may_link(dir, dentry, MAY_UNLINK);
2952 }
2953
selinux_inode_symlink(struct inode * dir,struct dentry * dentry,const char * name)2954 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2955 {
2956 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2957 }
2958
selinux_inode_mkdir(struct inode * dir,struct dentry * dentry,umode_t mask)2959 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2960 {
2961 return may_create(dir, dentry, SECCLASS_DIR);
2962 }
2963
selinux_inode_rmdir(struct inode * dir,struct dentry * dentry)2964 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2965 {
2966 return may_link(dir, dentry, MAY_RMDIR);
2967 }
2968
selinux_inode_mknod(struct inode * dir,struct dentry * dentry,umode_t mode,dev_t dev)2969 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2970 {
2971 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2972 }
2973
selinux_inode_rename(struct inode * old_inode,struct dentry * old_dentry,struct inode * new_inode,struct dentry * new_dentry)2974 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2975 struct inode *new_inode, struct dentry *new_dentry)
2976 {
2977 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2978 }
2979
selinux_inode_readlink(struct dentry * dentry)2980 static int selinux_inode_readlink(struct dentry *dentry)
2981 {
2982 const struct cred *cred = current_cred();
2983
2984 return dentry_has_perm(cred, dentry, FILE__READ);
2985 }
2986
selinux_inode_follow_link(struct dentry * dentry,struct inode * inode,bool rcu)2987 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2988 bool rcu)
2989 {
2990 const struct cred *cred = current_cred();
2991 struct common_audit_data ad;
2992 struct inode_security_struct *isec;
2993 u32 sid;
2994
2995 validate_creds(cred);
2996
2997 ad.type = LSM_AUDIT_DATA_DENTRY;
2998 ad.u.dentry = dentry;
2999 sid = cred_sid(cred);
3000 isec = inode_security_rcu(inode, rcu);
3001 if (IS_ERR(isec))
3002 return PTR_ERR(isec);
3003
3004 return avc_has_perm_flags(&selinux_state,
3005 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3006 rcu ? MAY_NOT_BLOCK : 0);
3007 }
3008
audit_inode_permission(struct inode * inode,u32 perms,u32 audited,u32 denied,int result)3009 static noinline int audit_inode_permission(struct inode *inode,
3010 u32 perms, u32 audited, u32 denied,
3011 int result)
3012 {
3013 struct common_audit_data ad;
3014 struct inode_security_struct *isec = selinux_inode(inode);
3015 int rc;
3016
3017 ad.type = LSM_AUDIT_DATA_INODE;
3018 ad.u.inode = inode;
3019
3020 rc = slow_avc_audit(&selinux_state,
3021 current_sid(), isec->sid, isec->sclass, perms,
3022 audited, denied, result, &ad);
3023 if (rc)
3024 return rc;
3025 return 0;
3026 }
3027
selinux_inode_permission(struct inode * inode,int mask)3028 static int selinux_inode_permission(struct inode *inode, int mask)
3029 {
3030 const struct cred *cred = current_cred();
3031 u32 perms;
3032 bool from_access;
3033 bool no_block = mask & MAY_NOT_BLOCK;
3034 struct inode_security_struct *isec;
3035 u32 sid;
3036 struct av_decision avd;
3037 int rc, rc2;
3038 u32 audited, denied;
3039
3040 from_access = mask & MAY_ACCESS;
3041 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3042
3043 /* No permission to check. Existence test. */
3044 if (!mask)
3045 return 0;
3046
3047 validate_creds(cred);
3048
3049 if (unlikely(IS_PRIVATE(inode)))
3050 return 0;
3051
3052 perms = file_mask_to_av(inode->i_mode, mask);
3053
3054 sid = cred_sid(cred);
3055 isec = inode_security_rcu(inode, no_block);
3056 if (IS_ERR(isec))
3057 return PTR_ERR(isec);
3058
3059 rc = avc_has_perm_noaudit(&selinux_state,
3060 sid, isec->sid, isec->sclass, perms,
3061 no_block ? AVC_NONBLOCKING : 0,
3062 &avd);
3063 audited = avc_audit_required(perms, &avd, rc,
3064 from_access ? FILE__AUDIT_ACCESS : 0,
3065 &denied);
3066 if (likely(!audited))
3067 return rc;
3068
3069 /* fall back to ref-walk if we have to generate audit */
3070 if (no_block)
3071 return -ECHILD;
3072
3073 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3074 if (rc2)
3075 return rc2;
3076 return rc;
3077 }
3078
selinux_inode_setattr(struct dentry * dentry,struct iattr * iattr)3079 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3080 {
3081 const struct cred *cred = current_cred();
3082 struct inode *inode = d_backing_inode(dentry);
3083 unsigned int ia_valid = iattr->ia_valid;
3084 __u32 av = FILE__WRITE;
3085
3086 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3087 if (ia_valid & ATTR_FORCE) {
3088 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3089 ATTR_FORCE);
3090 if (!ia_valid)
3091 return 0;
3092 }
3093
3094 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3095 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3096 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3097
3098 if (selinux_policycap_openperm() &&
3099 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3100 (ia_valid & ATTR_SIZE) &&
3101 !(ia_valid & ATTR_FILE))
3102 av |= FILE__OPEN;
3103
3104 return dentry_has_perm(cred, dentry, av);
3105 }
3106
selinux_inode_getattr(const struct path * path)3107 static int selinux_inode_getattr(const struct path *path)
3108 {
3109 return path_has_perm(current_cred(), path, FILE__GETATTR);
3110 }
3111
has_cap_mac_admin(bool audit)3112 static bool has_cap_mac_admin(bool audit)
3113 {
3114 const struct cred *cred = current_cred();
3115 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3116
3117 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3118 return false;
3119 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3120 return false;
3121 return true;
3122 }
3123
selinux_inode_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3124 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3125 const void *value, size_t size, int flags)
3126 {
3127 struct inode *inode = d_backing_inode(dentry);
3128 struct inode_security_struct *isec;
3129 struct superblock_security_struct *sbsec;
3130 struct common_audit_data ad;
3131 u32 newsid, sid = current_sid();
3132 int rc = 0;
3133
3134 if (strcmp(name, XATTR_NAME_SELINUX)) {
3135 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3136 if (rc)
3137 return rc;
3138
3139 /* Not an attribute we recognize, so just check the
3140 ordinary setattr permission. */
3141 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3142 }
3143
3144 if (!selinux_initialized(&selinux_state))
3145 return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3146
3147 sbsec = inode->i_sb->s_security;
3148 if (!(sbsec->flags & SBLABEL_MNT))
3149 return -EOPNOTSUPP;
3150
3151 if (!inode_owner_or_capable(inode))
3152 return -EPERM;
3153
3154 ad.type = LSM_AUDIT_DATA_DENTRY;
3155 ad.u.dentry = dentry;
3156
3157 isec = backing_inode_security(dentry);
3158 rc = avc_has_perm(&selinux_state,
3159 sid, isec->sid, isec->sclass,
3160 FILE__RELABELFROM, &ad);
3161 if (rc)
3162 return rc;
3163
3164 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3165 GFP_KERNEL);
3166 if (rc == -EINVAL) {
3167 if (!has_cap_mac_admin(true)) {
3168 struct audit_buffer *ab;
3169 size_t audit_size;
3170
3171 /* We strip a nul only if it is at the end, otherwise the
3172 * context contains a nul and we should audit that */
3173 if (value) {
3174 const char *str = value;
3175
3176 if (str[size - 1] == '\0')
3177 audit_size = size - 1;
3178 else
3179 audit_size = size;
3180 } else {
3181 audit_size = 0;
3182 }
3183 ab = audit_log_start(audit_context(),
3184 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3185 audit_log_format(ab, "op=setxattr invalid_context=");
3186 audit_log_n_untrustedstring(ab, value, audit_size);
3187 audit_log_end(ab);
3188
3189 return rc;
3190 }
3191 rc = security_context_to_sid_force(&selinux_state, value,
3192 size, &newsid);
3193 }
3194 if (rc)
3195 return rc;
3196
3197 rc = avc_has_perm(&selinux_state,
3198 sid, newsid, isec->sclass,
3199 FILE__RELABELTO, &ad);
3200 if (rc)
3201 return rc;
3202
3203 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3204 sid, isec->sclass);
3205 if (rc)
3206 return rc;
3207
3208 return avc_has_perm(&selinux_state,
3209 newsid,
3210 sbsec->sid,
3211 SECCLASS_FILESYSTEM,
3212 FILESYSTEM__ASSOCIATE,
3213 &ad);
3214 }
3215
selinux_inode_post_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3216 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3217 const void *value, size_t size,
3218 int flags)
3219 {
3220 struct inode *inode = d_backing_inode(dentry);
3221 struct inode_security_struct *isec;
3222 u32 newsid;
3223 int rc;
3224
3225 if (strcmp(name, XATTR_NAME_SELINUX)) {
3226 /* Not an attribute we recognize, so nothing to do. */
3227 return;
3228 }
3229
3230 if (!selinux_initialized(&selinux_state)) {
3231 /* If we haven't even been initialized, then we can't validate
3232 * against a policy, so leave the label as invalid. It may
3233 * resolve to a valid label on the next revalidation try if
3234 * we've since initialized.
3235 */
3236 return;
3237 }
3238
3239 rc = security_context_to_sid_force(&selinux_state, value, size,
3240 &newsid);
3241 if (rc) {
3242 pr_err("SELinux: unable to map context to SID"
3243 "for (%s, %lu), rc=%d\n",
3244 inode->i_sb->s_id, inode->i_ino, -rc);
3245 return;
3246 }
3247
3248 isec = backing_inode_security(dentry);
3249 spin_lock(&isec->lock);
3250 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3251 isec->sid = newsid;
3252 isec->initialized = LABEL_INITIALIZED;
3253 spin_unlock(&isec->lock);
3254
3255 return;
3256 }
3257
selinux_inode_getxattr(struct dentry * dentry,const char * name)3258 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3259 {
3260 const struct cred *cred = current_cred();
3261
3262 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3263 }
3264
selinux_inode_listxattr(struct dentry * dentry)3265 static int selinux_inode_listxattr(struct dentry *dentry)
3266 {
3267 const struct cred *cred = current_cred();
3268
3269 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3270 }
3271
selinux_inode_removexattr(struct dentry * dentry,const char * name)3272 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3273 {
3274 if (strcmp(name, XATTR_NAME_SELINUX)) {
3275 int rc = cap_inode_removexattr(dentry, name);
3276 if (rc)
3277 return rc;
3278
3279 /* Not an attribute we recognize, so just check the
3280 ordinary setattr permission. */
3281 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3282 }
3283
3284 if (!selinux_initialized(&selinux_state))
3285 return 0;
3286
3287 /* No one is allowed to remove a SELinux security label.
3288 You can change the label, but all data must be labeled. */
3289 return -EACCES;
3290 }
3291
selinux_path_notify(const struct path * path,u64 mask,unsigned int obj_type)3292 static int selinux_path_notify(const struct path *path, u64 mask,
3293 unsigned int obj_type)
3294 {
3295 int ret;
3296 u32 perm;
3297
3298 struct common_audit_data ad;
3299
3300 ad.type = LSM_AUDIT_DATA_PATH;
3301 ad.u.path = *path;
3302
3303 /*
3304 * Set permission needed based on the type of mark being set.
3305 * Performs an additional check for sb watches.
3306 */
3307 switch (obj_type) {
3308 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3309 perm = FILE__WATCH_MOUNT;
3310 break;
3311 case FSNOTIFY_OBJ_TYPE_SB:
3312 perm = FILE__WATCH_SB;
3313 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3314 FILESYSTEM__WATCH, &ad);
3315 if (ret)
3316 return ret;
3317 break;
3318 case FSNOTIFY_OBJ_TYPE_INODE:
3319 perm = FILE__WATCH;
3320 break;
3321 default:
3322 return -EINVAL;
3323 }
3324
3325 /* blocking watches require the file:watch_with_perm permission */
3326 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3327 perm |= FILE__WATCH_WITH_PERM;
3328
3329 /* watches on read-like events need the file:watch_reads permission */
3330 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3331 perm |= FILE__WATCH_READS;
3332
3333 return path_has_perm(current_cred(), path, perm);
3334 }
3335
3336 /*
3337 * Copy the inode security context value to the user.
3338 *
3339 * Permission check is handled by selinux_inode_getxattr hook.
3340 */
selinux_inode_getsecurity(struct inode * inode,const char * name,void ** buffer,bool alloc)3341 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3342 {
3343 u32 size;
3344 int error;
3345 char *context = NULL;
3346 struct inode_security_struct *isec;
3347
3348 /*
3349 * If we're not initialized yet, then we can't validate contexts, so
3350 * just let vfs_getxattr fall back to using the on-disk xattr.
3351 */
3352 if (!selinux_initialized(&selinux_state) ||
3353 strcmp(name, XATTR_SELINUX_SUFFIX))
3354 return -EOPNOTSUPP;
3355
3356 /*
3357 * If the caller has CAP_MAC_ADMIN, then get the raw context
3358 * value even if it is not defined by current policy; otherwise,
3359 * use the in-core value under current policy.
3360 * Use the non-auditing forms of the permission checks since
3361 * getxattr may be called by unprivileged processes commonly
3362 * and lack of permission just means that we fall back to the
3363 * in-core context value, not a denial.
3364 */
3365 isec = inode_security(inode);
3366 if (has_cap_mac_admin(false))
3367 error = security_sid_to_context_force(&selinux_state,
3368 isec->sid, &context,
3369 &size);
3370 else
3371 error = security_sid_to_context(&selinux_state, isec->sid,
3372 &context, &size);
3373 if (error)
3374 return error;
3375 error = size;
3376 if (alloc) {
3377 *buffer = context;
3378 goto out_nofree;
3379 }
3380 kfree(context);
3381 out_nofree:
3382 return error;
3383 }
3384
selinux_inode_setsecurity(struct inode * inode,const char * name,const void * value,size_t size,int flags)3385 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3386 const void *value, size_t size, int flags)
3387 {
3388 struct inode_security_struct *isec = inode_security_novalidate(inode);
3389 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3390 u32 newsid;
3391 int rc;
3392
3393 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3394 return -EOPNOTSUPP;
3395
3396 if (!(sbsec->flags & SBLABEL_MNT))
3397 return -EOPNOTSUPP;
3398
3399 if (!value || !size)
3400 return -EACCES;
3401
3402 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3403 GFP_KERNEL);
3404 if (rc)
3405 return rc;
3406
3407 spin_lock(&isec->lock);
3408 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3409 isec->sid = newsid;
3410 isec->initialized = LABEL_INITIALIZED;
3411 spin_unlock(&isec->lock);
3412 return 0;
3413 }
3414
selinux_inode_listsecurity(struct inode * inode,char * buffer,size_t buffer_size)3415 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3416 {
3417 const int len = sizeof(XATTR_NAME_SELINUX);
3418
3419 if (!selinux_initialized(&selinux_state))
3420 return 0;
3421
3422 if (buffer && len <= buffer_size)
3423 memcpy(buffer, XATTR_NAME_SELINUX, len);
3424 return len;
3425 }
3426
selinux_inode_getsecid(struct inode * inode,u32 * secid)3427 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3428 {
3429 struct inode_security_struct *isec = inode_security_novalidate(inode);
3430 *secid = isec->sid;
3431 }
3432
selinux_inode_copy_up(struct dentry * src,struct cred ** new)3433 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3434 {
3435 u32 sid;
3436 struct task_security_struct *tsec;
3437 struct cred *new_creds = *new;
3438
3439 if (new_creds == NULL) {
3440 new_creds = prepare_creds();
3441 if (!new_creds)
3442 return -ENOMEM;
3443 }
3444
3445 tsec = selinux_cred(new_creds);
3446 /* Get label from overlay inode and set it in create_sid */
3447 selinux_inode_getsecid(d_inode(src), &sid);
3448 tsec->create_sid = sid;
3449 *new = new_creds;
3450 return 0;
3451 }
3452
selinux_inode_copy_up_xattr(const char * name)3453 static int selinux_inode_copy_up_xattr(const char *name)
3454 {
3455 /* The copy_up hook above sets the initial context on an inode, but we
3456 * don't then want to overwrite it by blindly copying all the lower
3457 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3458 */
3459 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3460 return 1; /* Discard */
3461 /*
3462 * Any other attribute apart from SELINUX is not claimed, supported
3463 * by selinux.
3464 */
3465 return -EOPNOTSUPP;
3466 }
3467
3468 /* kernfs node operations */
3469
selinux_kernfs_init_security(struct kernfs_node * kn_dir,struct kernfs_node * kn)3470 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3471 struct kernfs_node *kn)
3472 {
3473 const struct task_security_struct *tsec = selinux_cred(current_cred());
3474 u32 parent_sid, newsid, clen;
3475 int rc;
3476 char *context;
3477
3478 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3479 if (rc == -ENODATA)
3480 return 0;
3481 else if (rc < 0)
3482 return rc;
3483
3484 clen = (u32)rc;
3485 context = kmalloc(clen, GFP_KERNEL);
3486 if (!context)
3487 return -ENOMEM;
3488
3489 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3490 if (rc < 0) {
3491 kfree(context);
3492 return rc;
3493 }
3494
3495 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3496 GFP_KERNEL);
3497 kfree(context);
3498 if (rc)
3499 return rc;
3500
3501 if (tsec->create_sid) {
3502 newsid = tsec->create_sid;
3503 } else {
3504 u16 secclass = inode_mode_to_security_class(kn->mode);
3505 struct qstr q;
3506
3507 q.name = kn->name;
3508 q.hash_len = hashlen_string(kn_dir, kn->name);
3509
3510 rc = security_transition_sid(&selinux_state, tsec->sid,
3511 parent_sid, secclass, &q,
3512 &newsid);
3513 if (rc)
3514 return rc;
3515 }
3516
3517 rc = security_sid_to_context_force(&selinux_state, newsid,
3518 &context, &clen);
3519 if (rc)
3520 return rc;
3521
3522 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3523 XATTR_CREATE);
3524 kfree(context);
3525 return rc;
3526 }
3527
3528
3529 /* file security operations */
3530
selinux_revalidate_file_permission(struct file * file,int mask)3531 static int selinux_revalidate_file_permission(struct file *file, int mask)
3532 {
3533 const struct cred *cred = current_cred();
3534 struct inode *inode = file_inode(file);
3535
3536 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3537 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3538 mask |= MAY_APPEND;
3539
3540 return file_has_perm(cred, file,
3541 file_mask_to_av(inode->i_mode, mask));
3542 }
3543
selinux_file_permission(struct file * file,int mask)3544 static int selinux_file_permission(struct file *file, int mask)
3545 {
3546 struct inode *inode = file_inode(file);
3547 struct file_security_struct *fsec = selinux_file(file);
3548 struct inode_security_struct *isec;
3549 u32 sid = current_sid();
3550
3551 if (!mask)
3552 /* No permission to check. Existence test. */
3553 return 0;
3554
3555 isec = inode_security(inode);
3556 if (sid == fsec->sid && fsec->isid == isec->sid &&
3557 fsec->pseqno == avc_policy_seqno(&selinux_state))
3558 /* No change since file_open check. */
3559 return 0;
3560
3561 return selinux_revalidate_file_permission(file, mask);
3562 }
3563
selinux_file_alloc_security(struct file * file)3564 static int selinux_file_alloc_security(struct file *file)
3565 {
3566 struct file_security_struct *fsec = selinux_file(file);
3567 u32 sid = current_sid();
3568
3569 fsec->sid = sid;
3570 fsec->fown_sid = sid;
3571
3572 return 0;
3573 }
3574
3575 /*
3576 * Check whether a task has the ioctl permission and cmd
3577 * operation to an inode.
3578 */
ioctl_has_perm(const struct cred * cred,struct file * file,u32 requested,u16 cmd)3579 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3580 u32 requested, u16 cmd)
3581 {
3582 struct common_audit_data ad;
3583 struct file_security_struct *fsec = selinux_file(file);
3584 struct inode *inode = file_inode(file);
3585 struct inode_security_struct *isec;
3586 struct lsm_ioctlop_audit ioctl;
3587 u32 ssid = cred_sid(cred);
3588 int rc;
3589 u8 driver = cmd >> 8;
3590 u8 xperm = cmd & 0xff;
3591
3592 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3593 ad.u.op = &ioctl;
3594 ad.u.op->cmd = cmd;
3595 ad.u.op->path = file->f_path;
3596
3597 if (ssid != fsec->sid) {
3598 rc = avc_has_perm(&selinux_state,
3599 ssid, fsec->sid,
3600 SECCLASS_FD,
3601 FD__USE,
3602 &ad);
3603 if (rc)
3604 goto out;
3605 }
3606
3607 if (unlikely(IS_PRIVATE(inode)))
3608 return 0;
3609
3610 isec = inode_security(inode);
3611 rc = avc_has_extended_perms(&selinux_state,
3612 ssid, isec->sid, isec->sclass,
3613 requested, driver, xperm, &ad);
3614 out:
3615 return rc;
3616 }
3617
selinux_file_ioctl(struct file * file,unsigned int cmd,unsigned long arg)3618 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3619 unsigned long arg)
3620 {
3621 const struct cred *cred = current_cred();
3622 int error = 0;
3623
3624 switch (cmd) {
3625 case FIONREAD:
3626 case FIBMAP:
3627 case FIGETBSZ:
3628 case FS_IOC_GETFLAGS:
3629 case FS_IOC_GETVERSION:
3630 error = file_has_perm(cred, file, FILE__GETATTR);
3631 break;
3632
3633 case FS_IOC_SETFLAGS:
3634 case FS_IOC_SETVERSION:
3635 error = file_has_perm(cred, file, FILE__SETATTR);
3636 break;
3637
3638 /* sys_ioctl() checks */
3639 case FIONBIO:
3640 case FIOASYNC:
3641 error = file_has_perm(cred, file, 0);
3642 break;
3643
3644 case KDSKBENT:
3645 case KDSKBSENT:
3646 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3647 CAP_OPT_NONE, true);
3648 break;
3649
3650 case FIOCLEX:
3651 case FIONCLEX:
3652 if (!selinux_policycap_ioctl_skip_cloexec())
3653 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3654 break;
3655
3656 /* default case assumes that the command will go
3657 * to the file's ioctl() function.
3658 */
3659 default:
3660 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3661 }
3662 return error;
3663 }
3664
3665 static int default_noexec __ro_after_init;
3666
file_map_prot_check(struct file * file,unsigned long prot,int shared)3667 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3668 {
3669 const struct cred *cred = current_cred();
3670 u32 sid = cred_sid(cred);
3671 int rc = 0;
3672
3673 if (default_noexec &&
3674 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3675 (!shared && (prot & PROT_WRITE)))) {
3676 /*
3677 * We are making executable an anonymous mapping or a
3678 * private file mapping that will also be writable.
3679 * This has an additional check.
3680 */
3681 rc = avc_has_perm(&selinux_state,
3682 sid, sid, SECCLASS_PROCESS,
3683 PROCESS__EXECMEM, NULL);
3684 if (rc)
3685 goto error;
3686 }
3687
3688 if (file) {
3689 /* read access is always possible with a mapping */
3690 u32 av = FILE__READ;
3691
3692 /* write access only matters if the mapping is shared */
3693 if (shared && (prot & PROT_WRITE))
3694 av |= FILE__WRITE;
3695
3696 if (prot & PROT_EXEC)
3697 av |= FILE__EXECUTE;
3698
3699 return file_has_perm(cred, file, av);
3700 }
3701
3702 error:
3703 return rc;
3704 }
3705
selinux_mmap_addr(unsigned long addr)3706 static int selinux_mmap_addr(unsigned long addr)
3707 {
3708 int rc = 0;
3709
3710 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3711 u32 sid = current_sid();
3712 rc = avc_has_perm(&selinux_state,
3713 sid, sid, SECCLASS_MEMPROTECT,
3714 MEMPROTECT__MMAP_ZERO, NULL);
3715 }
3716
3717 return rc;
3718 }
3719
selinux_mmap_file(struct file * file,unsigned long reqprot,unsigned long prot,unsigned long flags)3720 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3721 unsigned long prot, unsigned long flags)
3722 {
3723 struct common_audit_data ad;
3724 int rc;
3725
3726 if (file) {
3727 ad.type = LSM_AUDIT_DATA_FILE;
3728 ad.u.file = file;
3729 rc = inode_has_perm(current_cred(), file_inode(file),
3730 FILE__MAP, &ad);
3731 if (rc)
3732 return rc;
3733 }
3734
3735 if (checkreqprot_get(&selinux_state))
3736 prot = reqprot;
3737
3738 return file_map_prot_check(file, prot,
3739 (flags & MAP_TYPE) == MAP_SHARED);
3740 }
3741
selinux_file_mprotect(struct vm_area_struct * vma,unsigned long reqprot,unsigned long prot)3742 static int selinux_file_mprotect(struct vm_area_struct *vma,
3743 unsigned long reqprot,
3744 unsigned long prot)
3745 {
3746 const struct cred *cred = current_cred();
3747 u32 sid = cred_sid(cred);
3748
3749 if (checkreqprot_get(&selinux_state))
3750 prot = reqprot;
3751
3752 if (default_noexec &&
3753 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3754 int rc = 0;
3755 if (vma->vm_start >= vma->vm_mm->start_brk &&
3756 vma->vm_end <= vma->vm_mm->brk) {
3757 rc = avc_has_perm(&selinux_state,
3758 sid, sid, SECCLASS_PROCESS,
3759 PROCESS__EXECHEAP, NULL);
3760 } else if (!vma->vm_file &&
3761 ((vma->vm_start <= vma->vm_mm->start_stack &&
3762 vma->vm_end >= vma->vm_mm->start_stack) ||
3763 vma_is_stack_for_current(vma))) {
3764 rc = avc_has_perm(&selinux_state,
3765 sid, sid, SECCLASS_PROCESS,
3766 PROCESS__EXECSTACK, NULL);
3767 } else if (vma->vm_file && vma->anon_vma) {
3768 /*
3769 * We are making executable a file mapping that has
3770 * had some COW done. Since pages might have been
3771 * written, check ability to execute the possibly
3772 * modified content. This typically should only
3773 * occur for text relocations.
3774 */
3775 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3776 }
3777 if (rc)
3778 return rc;
3779 }
3780
3781 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3782 }
3783
selinux_file_lock(struct file * file,unsigned int cmd)3784 static int selinux_file_lock(struct file *file, unsigned int cmd)
3785 {
3786 const struct cred *cred = current_cred();
3787
3788 return file_has_perm(cred, file, FILE__LOCK);
3789 }
3790
selinux_file_fcntl(struct file * file,unsigned int cmd,unsigned long arg)3791 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3792 unsigned long arg)
3793 {
3794 const struct cred *cred = current_cred();
3795 int err = 0;
3796
3797 switch (cmd) {
3798 case F_SETFL:
3799 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3800 err = file_has_perm(cred, file, FILE__WRITE);
3801 break;
3802 }
3803 fallthrough;
3804 case F_SETOWN:
3805 case F_SETSIG:
3806 case F_GETFL:
3807 case F_GETOWN:
3808 case F_GETSIG:
3809 case F_GETOWNER_UIDS:
3810 /* Just check FD__USE permission */
3811 err = file_has_perm(cred, file, 0);
3812 break;
3813 case F_GETLK:
3814 case F_SETLK:
3815 case F_SETLKW:
3816 case F_OFD_GETLK:
3817 case F_OFD_SETLK:
3818 case F_OFD_SETLKW:
3819 #if BITS_PER_LONG == 32
3820 case F_GETLK64:
3821 case F_SETLK64:
3822 case F_SETLKW64:
3823 #endif
3824 err = file_has_perm(cred, file, FILE__LOCK);
3825 break;
3826 }
3827
3828 return err;
3829 }
3830
selinux_file_set_fowner(struct file * file)3831 static void selinux_file_set_fowner(struct file *file)
3832 {
3833 struct file_security_struct *fsec;
3834
3835 fsec = selinux_file(file);
3836 fsec->fown_sid = current_sid();
3837 }
3838
selinux_file_send_sigiotask(struct task_struct * tsk,struct fown_struct * fown,int signum)3839 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3840 struct fown_struct *fown, int signum)
3841 {
3842 struct file *file;
3843 u32 sid = task_sid(tsk);
3844 u32 perm;
3845 struct file_security_struct *fsec;
3846
3847 /* struct fown_struct is never outside the context of a struct file */
3848 file = container_of(fown, struct file, f_owner);
3849
3850 fsec = selinux_file(file);
3851
3852 if (!signum)
3853 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3854 else
3855 perm = signal_to_av(signum);
3856
3857 return avc_has_perm(&selinux_state,
3858 fsec->fown_sid, sid,
3859 SECCLASS_PROCESS, perm, NULL);
3860 }
3861
selinux_file_receive(struct file * file)3862 static int selinux_file_receive(struct file *file)
3863 {
3864 const struct cred *cred = current_cred();
3865
3866 return file_has_perm(cred, file, file_to_av(file));
3867 }
3868
selinux_file_open(struct file * file)3869 static int selinux_file_open(struct file *file)
3870 {
3871 struct file_security_struct *fsec;
3872 struct inode_security_struct *isec;
3873
3874 fsec = selinux_file(file);
3875 isec = inode_security(file_inode(file));
3876 /*
3877 * Save inode label and policy sequence number
3878 * at open-time so that selinux_file_permission
3879 * can determine whether revalidation is necessary.
3880 * Task label is already saved in the file security
3881 * struct as its SID.
3882 */
3883 fsec->isid = isec->sid;
3884 fsec->pseqno = avc_policy_seqno(&selinux_state);
3885 /*
3886 * Since the inode label or policy seqno may have changed
3887 * between the selinux_inode_permission check and the saving
3888 * of state above, recheck that access is still permitted.
3889 * Otherwise, access might never be revalidated against the
3890 * new inode label or new policy.
3891 * This check is not redundant - do not remove.
3892 */
3893 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3894 }
3895
3896 /* task security operations */
3897
selinux_task_alloc(struct task_struct * task,unsigned long clone_flags)3898 static int selinux_task_alloc(struct task_struct *task,
3899 unsigned long clone_flags)
3900 {
3901 u32 sid = current_sid();
3902
3903 return avc_has_perm(&selinux_state,
3904 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3905 }
3906
3907 /*
3908 * prepare a new set of credentials for modification
3909 */
selinux_cred_prepare(struct cred * new,const struct cred * old,gfp_t gfp)3910 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3911 gfp_t gfp)
3912 {
3913 const struct task_security_struct *old_tsec = selinux_cred(old);
3914 struct task_security_struct *tsec = selinux_cred(new);
3915
3916 *tsec = *old_tsec;
3917 return 0;
3918 }
3919
3920 /*
3921 * transfer the SELinux data to a blank set of creds
3922 */
selinux_cred_transfer(struct cred * new,const struct cred * old)3923 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3924 {
3925 const struct task_security_struct *old_tsec = selinux_cred(old);
3926 struct task_security_struct *tsec = selinux_cred(new);
3927
3928 *tsec = *old_tsec;
3929 }
3930
selinux_cred_getsecid(const struct cred * c,u32 * secid)3931 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3932 {
3933 *secid = cred_sid(c);
3934 }
3935
3936 /*
3937 * set the security data for a kernel service
3938 * - all the creation contexts are set to unlabelled
3939 */
selinux_kernel_act_as(struct cred * new,u32 secid)3940 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3941 {
3942 struct task_security_struct *tsec = selinux_cred(new);
3943 u32 sid = current_sid();
3944 int ret;
3945
3946 ret = avc_has_perm(&selinux_state,
3947 sid, secid,
3948 SECCLASS_KERNEL_SERVICE,
3949 KERNEL_SERVICE__USE_AS_OVERRIDE,
3950 NULL);
3951 if (ret == 0) {
3952 tsec->sid = secid;
3953 tsec->create_sid = 0;
3954 tsec->keycreate_sid = 0;
3955 tsec->sockcreate_sid = 0;
3956 }
3957 return ret;
3958 }
3959
3960 /*
3961 * set the file creation context in a security record to the same as the
3962 * objective context of the specified inode
3963 */
selinux_kernel_create_files_as(struct cred * new,struct inode * inode)3964 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3965 {
3966 struct inode_security_struct *isec = inode_security(inode);
3967 struct task_security_struct *tsec = selinux_cred(new);
3968 u32 sid = current_sid();
3969 int ret;
3970
3971 ret = avc_has_perm(&selinux_state,
3972 sid, isec->sid,
3973 SECCLASS_KERNEL_SERVICE,
3974 KERNEL_SERVICE__CREATE_FILES_AS,
3975 NULL);
3976
3977 if (ret == 0)
3978 tsec->create_sid = isec->sid;
3979 return ret;
3980 }
3981
selinux_kernel_module_request(char * kmod_name)3982 static int selinux_kernel_module_request(char *kmod_name)
3983 {
3984 struct common_audit_data ad;
3985
3986 ad.type = LSM_AUDIT_DATA_KMOD;
3987 ad.u.kmod_name = kmod_name;
3988
3989 return avc_has_perm(&selinux_state,
3990 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3991 SYSTEM__MODULE_REQUEST, &ad);
3992 }
3993
selinux_kernel_module_from_file(struct file * file)3994 static int selinux_kernel_module_from_file(struct file *file)
3995 {
3996 struct common_audit_data ad;
3997 struct inode_security_struct *isec;
3998 struct file_security_struct *fsec;
3999 u32 sid = current_sid();
4000 int rc;
4001
4002 /* init_module */
4003 if (file == NULL)
4004 return avc_has_perm(&selinux_state,
4005 sid, sid, SECCLASS_SYSTEM,
4006 SYSTEM__MODULE_LOAD, NULL);
4007
4008 /* finit_module */
4009
4010 ad.type = LSM_AUDIT_DATA_FILE;
4011 ad.u.file = file;
4012
4013 fsec = selinux_file(file);
4014 if (sid != fsec->sid) {
4015 rc = avc_has_perm(&selinux_state,
4016 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4017 if (rc)
4018 return rc;
4019 }
4020
4021 isec = inode_security(file_inode(file));
4022 return avc_has_perm(&selinux_state,
4023 sid, isec->sid, SECCLASS_SYSTEM,
4024 SYSTEM__MODULE_LOAD, &ad);
4025 }
4026
selinux_kernel_read_file(struct file * file,enum kernel_read_file_id id,bool contents)4027 static int selinux_kernel_read_file(struct file *file,
4028 enum kernel_read_file_id id,
4029 bool contents)
4030 {
4031 int rc = 0;
4032
4033 switch (id) {
4034 case READING_MODULE:
4035 rc = selinux_kernel_module_from_file(contents ? file : NULL);
4036 break;
4037 default:
4038 break;
4039 }
4040
4041 return rc;
4042 }
4043
selinux_kernel_load_data(enum kernel_load_data_id id,bool contents)4044 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4045 {
4046 int rc = 0;
4047
4048 switch (id) {
4049 case LOADING_MODULE:
4050 rc = selinux_kernel_module_from_file(NULL);
4051 default:
4052 break;
4053 }
4054
4055 return rc;
4056 }
4057
selinux_task_setpgid(struct task_struct * p,pid_t pgid)4058 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4059 {
4060 return avc_has_perm(&selinux_state,
4061 current_sid(), task_sid(p), SECCLASS_PROCESS,
4062 PROCESS__SETPGID, NULL);
4063 }
4064
selinux_task_getpgid(struct task_struct * p)4065 static int selinux_task_getpgid(struct task_struct *p)
4066 {
4067 return avc_has_perm(&selinux_state,
4068 current_sid(), task_sid(p), SECCLASS_PROCESS,
4069 PROCESS__GETPGID, NULL);
4070 }
4071
selinux_task_getsid(struct task_struct * p)4072 static int selinux_task_getsid(struct task_struct *p)
4073 {
4074 return avc_has_perm(&selinux_state,
4075 current_sid(), task_sid(p), SECCLASS_PROCESS,
4076 PROCESS__GETSESSION, NULL);
4077 }
4078
selinux_task_getsecid(struct task_struct * p,u32 * secid)4079 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4080 {
4081 *secid = task_sid(p);
4082 }
4083
selinux_task_setnice(struct task_struct * p,int nice)4084 static int selinux_task_setnice(struct task_struct *p, int nice)
4085 {
4086 return avc_has_perm(&selinux_state,
4087 current_sid(), task_sid(p), SECCLASS_PROCESS,
4088 PROCESS__SETSCHED, NULL);
4089 }
4090
selinux_task_setioprio(struct task_struct * p,int ioprio)4091 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4092 {
4093 return avc_has_perm(&selinux_state,
4094 current_sid(), task_sid(p), SECCLASS_PROCESS,
4095 PROCESS__SETSCHED, NULL);
4096 }
4097
selinux_task_getioprio(struct task_struct * p)4098 static int selinux_task_getioprio(struct task_struct *p)
4099 {
4100 return avc_has_perm(&selinux_state,
4101 current_sid(), task_sid(p), SECCLASS_PROCESS,
4102 PROCESS__GETSCHED, NULL);
4103 }
4104
selinux_task_prlimit(const struct cred * cred,const struct cred * tcred,unsigned int flags)4105 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4106 unsigned int flags)
4107 {
4108 u32 av = 0;
4109
4110 if (!flags)
4111 return 0;
4112 if (flags & LSM_PRLIMIT_WRITE)
4113 av |= PROCESS__SETRLIMIT;
4114 if (flags & LSM_PRLIMIT_READ)
4115 av |= PROCESS__GETRLIMIT;
4116 return avc_has_perm(&selinux_state,
4117 cred_sid(cred), cred_sid(tcred),
4118 SECCLASS_PROCESS, av, NULL);
4119 }
4120
selinux_task_setrlimit(struct task_struct * p,unsigned int resource,struct rlimit * new_rlim)4121 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4122 struct rlimit *new_rlim)
4123 {
4124 struct rlimit *old_rlim = p->signal->rlim + resource;
4125
4126 /* Control the ability to change the hard limit (whether
4127 lowering or raising it), so that the hard limit can
4128 later be used as a safe reset point for the soft limit
4129 upon context transitions. See selinux_bprm_committing_creds. */
4130 if (old_rlim->rlim_max != new_rlim->rlim_max)
4131 return avc_has_perm(&selinux_state,
4132 current_sid(), task_sid(p),
4133 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4134
4135 return 0;
4136 }
4137
selinux_task_setscheduler(struct task_struct * p)4138 static int selinux_task_setscheduler(struct task_struct *p)
4139 {
4140 return avc_has_perm(&selinux_state,
4141 current_sid(), task_sid(p), SECCLASS_PROCESS,
4142 PROCESS__SETSCHED, NULL);
4143 }
4144
selinux_task_getscheduler(struct task_struct * p)4145 static int selinux_task_getscheduler(struct task_struct *p)
4146 {
4147 return avc_has_perm(&selinux_state,
4148 current_sid(), task_sid(p), SECCLASS_PROCESS,
4149 PROCESS__GETSCHED, NULL);
4150 }
4151
selinux_task_movememory(struct task_struct * p)4152 static int selinux_task_movememory(struct task_struct *p)
4153 {
4154 return avc_has_perm(&selinux_state,
4155 current_sid(), task_sid(p), SECCLASS_PROCESS,
4156 PROCESS__SETSCHED, NULL);
4157 }
4158
selinux_task_kill(struct task_struct * p,struct kernel_siginfo * info,int sig,const struct cred * cred)4159 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4160 int sig, const struct cred *cred)
4161 {
4162 u32 secid;
4163 u32 perm;
4164
4165 if (!sig)
4166 perm = PROCESS__SIGNULL; /* null signal; existence test */
4167 else
4168 perm = signal_to_av(sig);
4169 if (!cred)
4170 secid = current_sid();
4171 else
4172 secid = cred_sid(cred);
4173 return avc_has_perm(&selinux_state,
4174 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4175 }
4176
selinux_task_to_inode(struct task_struct * p,struct inode * inode)4177 static void selinux_task_to_inode(struct task_struct *p,
4178 struct inode *inode)
4179 {
4180 struct inode_security_struct *isec = selinux_inode(inode);
4181 u32 sid = task_sid(p);
4182
4183 spin_lock(&isec->lock);
4184 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4185 isec->sid = sid;
4186 isec->initialized = LABEL_INITIALIZED;
4187 spin_unlock(&isec->lock);
4188 }
4189
4190 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv4(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4191 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4192 struct common_audit_data *ad, u8 *proto)
4193 {
4194 int offset, ihlen, ret = -EINVAL;
4195 struct iphdr _iph, *ih;
4196
4197 offset = skb_network_offset(skb);
4198 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4199 if (ih == NULL)
4200 goto out;
4201
4202 ihlen = ih->ihl * 4;
4203 if (ihlen < sizeof(_iph))
4204 goto out;
4205
4206 ad->u.net->v4info.saddr = ih->saddr;
4207 ad->u.net->v4info.daddr = ih->daddr;
4208 ret = 0;
4209
4210 if (proto)
4211 *proto = ih->protocol;
4212
4213 switch (ih->protocol) {
4214 case IPPROTO_TCP: {
4215 struct tcphdr _tcph, *th;
4216
4217 if (ntohs(ih->frag_off) & IP_OFFSET)
4218 break;
4219
4220 offset += ihlen;
4221 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4222 if (th == NULL)
4223 break;
4224
4225 ad->u.net->sport = th->source;
4226 ad->u.net->dport = th->dest;
4227 break;
4228 }
4229
4230 case IPPROTO_UDP: {
4231 struct udphdr _udph, *uh;
4232
4233 if (ntohs(ih->frag_off) & IP_OFFSET)
4234 break;
4235
4236 offset += ihlen;
4237 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4238 if (uh == NULL)
4239 break;
4240
4241 ad->u.net->sport = uh->source;
4242 ad->u.net->dport = uh->dest;
4243 break;
4244 }
4245
4246 case IPPROTO_DCCP: {
4247 struct dccp_hdr _dccph, *dh;
4248
4249 if (ntohs(ih->frag_off) & IP_OFFSET)
4250 break;
4251
4252 offset += ihlen;
4253 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4254 if (dh == NULL)
4255 break;
4256
4257 ad->u.net->sport = dh->dccph_sport;
4258 ad->u.net->dport = dh->dccph_dport;
4259 break;
4260 }
4261
4262 #if IS_ENABLED(CONFIG_IP_SCTP)
4263 case IPPROTO_SCTP: {
4264 struct sctphdr _sctph, *sh;
4265
4266 if (ntohs(ih->frag_off) & IP_OFFSET)
4267 break;
4268
4269 offset += ihlen;
4270 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4271 if (sh == NULL)
4272 break;
4273
4274 ad->u.net->sport = sh->source;
4275 ad->u.net->dport = sh->dest;
4276 break;
4277 }
4278 #endif
4279 default:
4280 break;
4281 }
4282 out:
4283 return ret;
4284 }
4285
4286 #if IS_ENABLED(CONFIG_IPV6)
4287
4288 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv6(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4289 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4290 struct common_audit_data *ad, u8 *proto)
4291 {
4292 u8 nexthdr;
4293 int ret = -EINVAL, offset;
4294 struct ipv6hdr _ipv6h, *ip6;
4295 __be16 frag_off;
4296
4297 offset = skb_network_offset(skb);
4298 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4299 if (ip6 == NULL)
4300 goto out;
4301
4302 ad->u.net->v6info.saddr = ip6->saddr;
4303 ad->u.net->v6info.daddr = ip6->daddr;
4304 ret = 0;
4305
4306 nexthdr = ip6->nexthdr;
4307 offset += sizeof(_ipv6h);
4308 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4309 if (offset < 0)
4310 goto out;
4311
4312 if (proto)
4313 *proto = nexthdr;
4314
4315 switch (nexthdr) {
4316 case IPPROTO_TCP: {
4317 struct tcphdr _tcph, *th;
4318
4319 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4320 if (th == NULL)
4321 break;
4322
4323 ad->u.net->sport = th->source;
4324 ad->u.net->dport = th->dest;
4325 break;
4326 }
4327
4328 case IPPROTO_UDP: {
4329 struct udphdr _udph, *uh;
4330
4331 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4332 if (uh == NULL)
4333 break;
4334
4335 ad->u.net->sport = uh->source;
4336 ad->u.net->dport = uh->dest;
4337 break;
4338 }
4339
4340 case IPPROTO_DCCP: {
4341 struct dccp_hdr _dccph, *dh;
4342
4343 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4344 if (dh == NULL)
4345 break;
4346
4347 ad->u.net->sport = dh->dccph_sport;
4348 ad->u.net->dport = dh->dccph_dport;
4349 break;
4350 }
4351
4352 #if IS_ENABLED(CONFIG_IP_SCTP)
4353 case IPPROTO_SCTP: {
4354 struct sctphdr _sctph, *sh;
4355
4356 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4357 if (sh == NULL)
4358 break;
4359
4360 ad->u.net->sport = sh->source;
4361 ad->u.net->dport = sh->dest;
4362 break;
4363 }
4364 #endif
4365 /* includes fragments */
4366 default:
4367 break;
4368 }
4369 out:
4370 return ret;
4371 }
4372
4373 #endif /* IPV6 */
4374
selinux_parse_skb(struct sk_buff * skb,struct common_audit_data * ad,char ** _addrp,int src,u8 * proto)4375 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4376 char **_addrp, int src, u8 *proto)
4377 {
4378 char *addrp;
4379 int ret;
4380
4381 switch (ad->u.net->family) {
4382 case PF_INET:
4383 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4384 if (ret)
4385 goto parse_error;
4386 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4387 &ad->u.net->v4info.daddr);
4388 goto okay;
4389
4390 #if IS_ENABLED(CONFIG_IPV6)
4391 case PF_INET6:
4392 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4393 if (ret)
4394 goto parse_error;
4395 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4396 &ad->u.net->v6info.daddr);
4397 goto okay;
4398 #endif /* IPV6 */
4399 default:
4400 addrp = NULL;
4401 goto okay;
4402 }
4403
4404 parse_error:
4405 pr_warn(
4406 "SELinux: failure in selinux_parse_skb(),"
4407 " unable to parse packet\n");
4408 return ret;
4409
4410 okay:
4411 if (_addrp)
4412 *_addrp = addrp;
4413 return 0;
4414 }
4415
4416 /**
4417 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4418 * @skb: the packet
4419 * @family: protocol family
4420 * @sid: the packet's peer label SID
4421 *
4422 * Description:
4423 * Check the various different forms of network peer labeling and determine
4424 * the peer label/SID for the packet; most of the magic actually occurs in
4425 * the security server function security_net_peersid_cmp(). The function
4426 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4427 * or -EACCES if @sid is invalid due to inconsistencies with the different
4428 * peer labels.
4429 *
4430 */
selinux_skb_peerlbl_sid(struct sk_buff * skb,u16 family,u32 * sid)4431 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4432 {
4433 int err;
4434 u32 xfrm_sid;
4435 u32 nlbl_sid;
4436 u32 nlbl_type;
4437
4438 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4439 if (unlikely(err))
4440 return -EACCES;
4441 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4442 if (unlikely(err))
4443 return -EACCES;
4444
4445 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4446 nlbl_type, xfrm_sid, sid);
4447 if (unlikely(err)) {
4448 pr_warn(
4449 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4450 " unable to determine packet's peer label\n");
4451 return -EACCES;
4452 }
4453
4454 return 0;
4455 }
4456
4457 /**
4458 * selinux_conn_sid - Determine the child socket label for a connection
4459 * @sk_sid: the parent socket's SID
4460 * @skb_sid: the packet's SID
4461 * @conn_sid: the resulting connection SID
4462 *
4463 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4464 * combined with the MLS information from @skb_sid in order to create
4465 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy
4466 * of @sk_sid. Returns zero on success, negative values on failure.
4467 *
4468 */
selinux_conn_sid(u32 sk_sid,u32 skb_sid,u32 * conn_sid)4469 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4470 {
4471 int err = 0;
4472
4473 if (skb_sid != SECSID_NULL)
4474 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4475 conn_sid);
4476 else
4477 *conn_sid = sk_sid;
4478
4479 return err;
4480 }
4481
4482 /* socket security operations */
4483
socket_sockcreate_sid(const struct task_security_struct * tsec,u16 secclass,u32 * socksid)4484 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4485 u16 secclass, u32 *socksid)
4486 {
4487 if (tsec->sockcreate_sid > SECSID_NULL) {
4488 *socksid = tsec->sockcreate_sid;
4489 return 0;
4490 }
4491
4492 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4493 secclass, NULL, socksid);
4494 }
4495
sock_has_perm(struct sock * sk,u32 perms)4496 static int sock_has_perm(struct sock *sk, u32 perms)
4497 {
4498 struct sk_security_struct *sksec = sk->sk_security;
4499 struct common_audit_data ad;
4500 struct lsm_network_audit net = {0,};
4501
4502 if (sksec->sid == SECINITSID_KERNEL)
4503 return 0;
4504
4505 ad.type = LSM_AUDIT_DATA_NET;
4506 ad.u.net = &net;
4507 ad.u.net->sk = sk;
4508
4509 return avc_has_perm(&selinux_state,
4510 current_sid(), sksec->sid, sksec->sclass, perms,
4511 &ad);
4512 }
4513
selinux_socket_create(int family,int type,int protocol,int kern)4514 static int selinux_socket_create(int family, int type,
4515 int protocol, int kern)
4516 {
4517 const struct task_security_struct *tsec = selinux_cred(current_cred());
4518 u32 newsid;
4519 u16 secclass;
4520 int rc;
4521
4522 if (kern)
4523 return 0;
4524
4525 secclass = socket_type_to_security_class(family, type, protocol);
4526 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4527 if (rc)
4528 return rc;
4529
4530 return avc_has_perm(&selinux_state,
4531 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4532 }
4533
selinux_socket_post_create(struct socket * sock,int family,int type,int protocol,int kern)4534 static int selinux_socket_post_create(struct socket *sock, int family,
4535 int type, int protocol, int kern)
4536 {
4537 const struct task_security_struct *tsec = selinux_cred(current_cred());
4538 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4539 struct sk_security_struct *sksec;
4540 u16 sclass = socket_type_to_security_class(family, type, protocol);
4541 u32 sid = SECINITSID_KERNEL;
4542 int err = 0;
4543
4544 if (!kern) {
4545 err = socket_sockcreate_sid(tsec, sclass, &sid);
4546 if (err)
4547 return err;
4548 }
4549
4550 isec->sclass = sclass;
4551 isec->sid = sid;
4552 isec->initialized = LABEL_INITIALIZED;
4553
4554 if (sock->sk) {
4555 sksec = sock->sk->sk_security;
4556 sksec->sclass = sclass;
4557 sksec->sid = sid;
4558 /* Allows detection of the first association on this socket */
4559 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4560 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4561
4562 err = selinux_netlbl_socket_post_create(sock->sk, family);
4563 }
4564
4565 return err;
4566 }
4567
selinux_socket_socketpair(struct socket * socka,struct socket * sockb)4568 static int selinux_socket_socketpair(struct socket *socka,
4569 struct socket *sockb)
4570 {
4571 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4572 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4573
4574 sksec_a->peer_sid = sksec_b->sid;
4575 sksec_b->peer_sid = sksec_a->sid;
4576
4577 return 0;
4578 }
4579
4580 /* Range of port numbers used to automatically bind.
4581 Need to determine whether we should perform a name_bind
4582 permission check between the socket and the port number. */
4583
selinux_socket_bind(struct socket * sock,struct sockaddr * address,int addrlen)4584 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4585 {
4586 struct sock *sk = sock->sk;
4587 struct sk_security_struct *sksec = sk->sk_security;
4588 u16 family;
4589 int err;
4590
4591 err = sock_has_perm(sk, SOCKET__BIND);
4592 if (err)
4593 goto out;
4594
4595 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4596 family = sk->sk_family;
4597 if (family == PF_INET || family == PF_INET6) {
4598 char *addrp;
4599 struct common_audit_data ad;
4600 struct lsm_network_audit net = {0,};
4601 struct sockaddr_in *addr4 = NULL;
4602 struct sockaddr_in6 *addr6 = NULL;
4603 u16 family_sa;
4604 unsigned short snum;
4605 u32 sid, node_perm;
4606
4607 /*
4608 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4609 * that validates multiple binding addresses. Because of this
4610 * need to check address->sa_family as it is possible to have
4611 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4612 */
4613 if (addrlen < offsetofend(struct sockaddr, sa_family))
4614 return -EINVAL;
4615 family_sa = address->sa_family;
4616 switch (family_sa) {
4617 case AF_UNSPEC:
4618 case AF_INET:
4619 if (addrlen < sizeof(struct sockaddr_in))
4620 return -EINVAL;
4621 addr4 = (struct sockaddr_in *)address;
4622 if (family_sa == AF_UNSPEC) {
4623 /* see __inet_bind(), we only want to allow
4624 * AF_UNSPEC if the address is INADDR_ANY
4625 */
4626 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4627 goto err_af;
4628 family_sa = AF_INET;
4629 }
4630 snum = ntohs(addr4->sin_port);
4631 addrp = (char *)&addr4->sin_addr.s_addr;
4632 break;
4633 case AF_INET6:
4634 if (addrlen < SIN6_LEN_RFC2133)
4635 return -EINVAL;
4636 addr6 = (struct sockaddr_in6 *)address;
4637 snum = ntohs(addr6->sin6_port);
4638 addrp = (char *)&addr6->sin6_addr.s6_addr;
4639 break;
4640 default:
4641 goto err_af;
4642 }
4643
4644 ad.type = LSM_AUDIT_DATA_NET;
4645 ad.u.net = &net;
4646 ad.u.net->sport = htons(snum);
4647 ad.u.net->family = family_sa;
4648
4649 if (snum) {
4650 int low, high;
4651
4652 inet_get_local_port_range(sock_net(sk), &low, &high);
4653
4654 if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4655 snum < low || snum > high) {
4656 err = sel_netport_sid(sk->sk_protocol,
4657 snum, &sid);
4658 if (err)
4659 goto out;
4660 err = avc_has_perm(&selinux_state,
4661 sksec->sid, sid,
4662 sksec->sclass,
4663 SOCKET__NAME_BIND, &ad);
4664 if (err)
4665 goto out;
4666 }
4667 }
4668
4669 switch (sksec->sclass) {
4670 case SECCLASS_TCP_SOCKET:
4671 node_perm = TCP_SOCKET__NODE_BIND;
4672 break;
4673
4674 case SECCLASS_UDP_SOCKET:
4675 node_perm = UDP_SOCKET__NODE_BIND;
4676 break;
4677
4678 case SECCLASS_DCCP_SOCKET:
4679 node_perm = DCCP_SOCKET__NODE_BIND;
4680 break;
4681
4682 case SECCLASS_SCTP_SOCKET:
4683 node_perm = SCTP_SOCKET__NODE_BIND;
4684 break;
4685
4686 default:
4687 node_perm = RAWIP_SOCKET__NODE_BIND;
4688 break;
4689 }
4690
4691 err = sel_netnode_sid(addrp, family_sa, &sid);
4692 if (err)
4693 goto out;
4694
4695 if (family_sa == AF_INET)
4696 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4697 else
4698 ad.u.net->v6info.saddr = addr6->sin6_addr;
4699
4700 err = avc_has_perm(&selinux_state,
4701 sksec->sid, sid,
4702 sksec->sclass, node_perm, &ad);
4703 if (err)
4704 goto out;
4705 }
4706 out:
4707 return err;
4708 err_af:
4709 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4710 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4711 return -EINVAL;
4712 return -EAFNOSUPPORT;
4713 }
4714
4715 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4716 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4717 */
selinux_socket_connect_helper(struct socket * sock,struct sockaddr * address,int addrlen)4718 static int selinux_socket_connect_helper(struct socket *sock,
4719 struct sockaddr *address, int addrlen)
4720 {
4721 struct sock *sk = sock->sk;
4722 struct sk_security_struct *sksec = sk->sk_security;
4723 int err;
4724
4725 err = sock_has_perm(sk, SOCKET__CONNECT);
4726 if (err)
4727 return err;
4728 if (addrlen < offsetofend(struct sockaddr, sa_family))
4729 return -EINVAL;
4730
4731 /* connect(AF_UNSPEC) has special handling, as it is a documented
4732 * way to disconnect the socket
4733 */
4734 if (address->sa_family == AF_UNSPEC)
4735 return 0;
4736
4737 /*
4738 * If a TCP, DCCP or SCTP socket, check name_connect permission
4739 * for the port.
4740 */
4741 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4742 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4743 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4744 struct common_audit_data ad;
4745 struct lsm_network_audit net = {0,};
4746 struct sockaddr_in *addr4 = NULL;
4747 struct sockaddr_in6 *addr6 = NULL;
4748 unsigned short snum;
4749 u32 sid, perm;
4750
4751 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4752 * that validates multiple connect addresses. Because of this
4753 * need to check address->sa_family as it is possible to have
4754 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4755 */
4756 switch (address->sa_family) {
4757 case AF_INET:
4758 addr4 = (struct sockaddr_in *)address;
4759 if (addrlen < sizeof(struct sockaddr_in))
4760 return -EINVAL;
4761 snum = ntohs(addr4->sin_port);
4762 break;
4763 case AF_INET6:
4764 addr6 = (struct sockaddr_in6 *)address;
4765 if (addrlen < SIN6_LEN_RFC2133)
4766 return -EINVAL;
4767 snum = ntohs(addr6->sin6_port);
4768 break;
4769 default:
4770 /* Note that SCTP services expect -EINVAL, whereas
4771 * others expect -EAFNOSUPPORT.
4772 */
4773 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4774 return -EINVAL;
4775 else
4776 return -EAFNOSUPPORT;
4777 }
4778
4779 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4780 if (err)
4781 return err;
4782
4783 switch (sksec->sclass) {
4784 case SECCLASS_TCP_SOCKET:
4785 perm = TCP_SOCKET__NAME_CONNECT;
4786 break;
4787 case SECCLASS_DCCP_SOCKET:
4788 perm = DCCP_SOCKET__NAME_CONNECT;
4789 break;
4790 case SECCLASS_SCTP_SOCKET:
4791 perm = SCTP_SOCKET__NAME_CONNECT;
4792 break;
4793 }
4794
4795 ad.type = LSM_AUDIT_DATA_NET;
4796 ad.u.net = &net;
4797 ad.u.net->dport = htons(snum);
4798 ad.u.net->family = address->sa_family;
4799 err = avc_has_perm(&selinux_state,
4800 sksec->sid, sid, sksec->sclass, perm, &ad);
4801 if (err)
4802 return err;
4803 }
4804
4805 return 0;
4806 }
4807
4808 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
selinux_socket_connect(struct socket * sock,struct sockaddr * address,int addrlen)4809 static int selinux_socket_connect(struct socket *sock,
4810 struct sockaddr *address, int addrlen)
4811 {
4812 int err;
4813 struct sock *sk = sock->sk;
4814
4815 err = selinux_socket_connect_helper(sock, address, addrlen);
4816 if (err)
4817 return err;
4818
4819 return selinux_netlbl_socket_connect(sk, address);
4820 }
4821
selinux_socket_listen(struct socket * sock,int backlog)4822 static int selinux_socket_listen(struct socket *sock, int backlog)
4823 {
4824 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4825 }
4826
selinux_socket_accept(struct socket * sock,struct socket * newsock)4827 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4828 {
4829 int err;
4830 struct inode_security_struct *isec;
4831 struct inode_security_struct *newisec;
4832 u16 sclass;
4833 u32 sid;
4834
4835 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4836 if (err)
4837 return err;
4838
4839 isec = inode_security_novalidate(SOCK_INODE(sock));
4840 spin_lock(&isec->lock);
4841 sclass = isec->sclass;
4842 sid = isec->sid;
4843 spin_unlock(&isec->lock);
4844
4845 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4846 newisec->sclass = sclass;
4847 newisec->sid = sid;
4848 newisec->initialized = LABEL_INITIALIZED;
4849
4850 return 0;
4851 }
4852
selinux_socket_sendmsg(struct socket * sock,struct msghdr * msg,int size)4853 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4854 int size)
4855 {
4856 return sock_has_perm(sock->sk, SOCKET__WRITE);
4857 }
4858
selinux_socket_recvmsg(struct socket * sock,struct msghdr * msg,int size,int flags)4859 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4860 int size, int flags)
4861 {
4862 return sock_has_perm(sock->sk, SOCKET__READ);
4863 }
4864
selinux_socket_getsockname(struct socket * sock)4865 static int selinux_socket_getsockname(struct socket *sock)
4866 {
4867 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4868 }
4869
selinux_socket_getpeername(struct socket * sock)4870 static int selinux_socket_getpeername(struct socket *sock)
4871 {
4872 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4873 }
4874
selinux_socket_setsockopt(struct socket * sock,int level,int optname)4875 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4876 {
4877 int err;
4878
4879 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4880 if (err)
4881 return err;
4882
4883 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4884 }
4885
selinux_socket_getsockopt(struct socket * sock,int level,int optname)4886 static int selinux_socket_getsockopt(struct socket *sock, int level,
4887 int optname)
4888 {
4889 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4890 }
4891
selinux_socket_shutdown(struct socket * sock,int how)4892 static int selinux_socket_shutdown(struct socket *sock, int how)
4893 {
4894 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4895 }
4896
selinux_socket_unix_stream_connect(struct sock * sock,struct sock * other,struct sock * newsk)4897 static int selinux_socket_unix_stream_connect(struct sock *sock,
4898 struct sock *other,
4899 struct sock *newsk)
4900 {
4901 struct sk_security_struct *sksec_sock = sock->sk_security;
4902 struct sk_security_struct *sksec_other = other->sk_security;
4903 struct sk_security_struct *sksec_new = newsk->sk_security;
4904 struct common_audit_data ad;
4905 struct lsm_network_audit net = {0,};
4906 int err;
4907
4908 ad.type = LSM_AUDIT_DATA_NET;
4909 ad.u.net = &net;
4910 ad.u.net->sk = other;
4911
4912 err = avc_has_perm(&selinux_state,
4913 sksec_sock->sid, sksec_other->sid,
4914 sksec_other->sclass,
4915 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4916 if (err)
4917 return err;
4918
4919 /* server child socket */
4920 sksec_new->peer_sid = sksec_sock->sid;
4921 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4922 sksec_sock->sid, &sksec_new->sid);
4923 if (err)
4924 return err;
4925
4926 /* connecting socket */
4927 sksec_sock->peer_sid = sksec_new->sid;
4928
4929 return 0;
4930 }
4931
selinux_socket_unix_may_send(struct socket * sock,struct socket * other)4932 static int selinux_socket_unix_may_send(struct socket *sock,
4933 struct socket *other)
4934 {
4935 struct sk_security_struct *ssec = sock->sk->sk_security;
4936 struct sk_security_struct *osec = other->sk->sk_security;
4937 struct common_audit_data ad;
4938 struct lsm_network_audit net = {0,};
4939
4940 ad.type = LSM_AUDIT_DATA_NET;
4941 ad.u.net = &net;
4942 ad.u.net->sk = other->sk;
4943
4944 return avc_has_perm(&selinux_state,
4945 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4946 &ad);
4947 }
4948
selinux_inet_sys_rcv_skb(struct net * ns,int ifindex,char * addrp,u16 family,u32 peer_sid,struct common_audit_data * ad)4949 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4950 char *addrp, u16 family, u32 peer_sid,
4951 struct common_audit_data *ad)
4952 {
4953 int err;
4954 u32 if_sid;
4955 u32 node_sid;
4956
4957 err = sel_netif_sid(ns, ifindex, &if_sid);
4958 if (err)
4959 return err;
4960 err = avc_has_perm(&selinux_state,
4961 peer_sid, if_sid,
4962 SECCLASS_NETIF, NETIF__INGRESS, ad);
4963 if (err)
4964 return err;
4965
4966 err = sel_netnode_sid(addrp, family, &node_sid);
4967 if (err)
4968 return err;
4969 return avc_has_perm(&selinux_state,
4970 peer_sid, node_sid,
4971 SECCLASS_NODE, NODE__RECVFROM, ad);
4972 }
4973
selinux_sock_rcv_skb_compat(struct sock * sk,struct sk_buff * skb,u16 family)4974 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4975 u16 family)
4976 {
4977 int err = 0;
4978 struct sk_security_struct *sksec = sk->sk_security;
4979 u32 sk_sid = sksec->sid;
4980 struct common_audit_data ad;
4981 struct lsm_network_audit net = {0,};
4982 char *addrp;
4983
4984 ad.type = LSM_AUDIT_DATA_NET;
4985 ad.u.net = &net;
4986 ad.u.net->netif = skb->skb_iif;
4987 ad.u.net->family = family;
4988 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4989 if (err)
4990 return err;
4991
4992 if (selinux_secmark_enabled()) {
4993 err = avc_has_perm(&selinux_state,
4994 sk_sid, skb->secmark, SECCLASS_PACKET,
4995 PACKET__RECV, &ad);
4996 if (err)
4997 return err;
4998 }
4999
5000 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5001 if (err)
5002 return err;
5003 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5004
5005 return err;
5006 }
5007
selinux_socket_sock_rcv_skb(struct sock * sk,struct sk_buff * skb)5008 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5009 {
5010 int err;
5011 struct sk_security_struct *sksec = sk->sk_security;
5012 u16 family = sk->sk_family;
5013 u32 sk_sid = sksec->sid;
5014 struct common_audit_data ad;
5015 struct lsm_network_audit net = {0,};
5016 char *addrp;
5017 u8 secmark_active;
5018 u8 peerlbl_active;
5019
5020 if (family != PF_INET && family != PF_INET6)
5021 return 0;
5022
5023 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5024 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5025 family = PF_INET;
5026
5027 /* If any sort of compatibility mode is enabled then handoff processing
5028 * to the selinux_sock_rcv_skb_compat() function to deal with the
5029 * special handling. We do this in an attempt to keep this function
5030 * as fast and as clean as possible. */
5031 if (!selinux_policycap_netpeer())
5032 return selinux_sock_rcv_skb_compat(sk, skb, family);
5033
5034 secmark_active = selinux_secmark_enabled();
5035 peerlbl_active = selinux_peerlbl_enabled();
5036 if (!secmark_active && !peerlbl_active)
5037 return 0;
5038
5039 ad.type = LSM_AUDIT_DATA_NET;
5040 ad.u.net = &net;
5041 ad.u.net->netif = skb->skb_iif;
5042 ad.u.net->family = family;
5043 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5044 if (err)
5045 return err;
5046
5047 if (peerlbl_active) {
5048 u32 peer_sid;
5049
5050 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5051 if (err)
5052 return err;
5053 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5054 addrp, family, peer_sid, &ad);
5055 if (err) {
5056 selinux_netlbl_err(skb, family, err, 0);
5057 return err;
5058 }
5059 err = avc_has_perm(&selinux_state,
5060 sk_sid, peer_sid, SECCLASS_PEER,
5061 PEER__RECV, &ad);
5062 if (err) {
5063 selinux_netlbl_err(skb, family, err, 0);
5064 return err;
5065 }
5066 }
5067
5068 if (secmark_active) {
5069 err = avc_has_perm(&selinux_state,
5070 sk_sid, skb->secmark, SECCLASS_PACKET,
5071 PACKET__RECV, &ad);
5072 if (err)
5073 return err;
5074 }
5075
5076 return err;
5077 }
5078
selinux_socket_getpeersec_stream(struct socket * sock,char __user * optval,int __user * optlen,unsigned len)5079 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5080 int __user *optlen, unsigned len)
5081 {
5082 int err = 0;
5083 char *scontext;
5084 u32 scontext_len;
5085 struct sk_security_struct *sksec = sock->sk->sk_security;
5086 u32 peer_sid = SECSID_NULL;
5087
5088 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5089 sksec->sclass == SECCLASS_TCP_SOCKET ||
5090 sksec->sclass == SECCLASS_SCTP_SOCKET)
5091 peer_sid = sksec->peer_sid;
5092 if (peer_sid == SECSID_NULL)
5093 return -ENOPROTOOPT;
5094
5095 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5096 &scontext_len);
5097 if (err)
5098 return err;
5099
5100 if (scontext_len > len) {
5101 err = -ERANGE;
5102 goto out_len;
5103 }
5104
5105 if (copy_to_user(optval, scontext, scontext_len))
5106 err = -EFAULT;
5107
5108 out_len:
5109 if (put_user(scontext_len, optlen))
5110 err = -EFAULT;
5111 kfree(scontext);
5112 return err;
5113 }
5114
selinux_socket_getpeersec_dgram(struct socket * sock,struct sk_buff * skb,u32 * secid)5115 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5116 {
5117 u32 peer_secid = SECSID_NULL;
5118 u16 family;
5119 struct inode_security_struct *isec;
5120
5121 if (skb && skb->protocol == htons(ETH_P_IP))
5122 family = PF_INET;
5123 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5124 family = PF_INET6;
5125 else if (sock)
5126 family = sock->sk->sk_family;
5127 else
5128 goto out;
5129
5130 if (sock && family == PF_UNIX) {
5131 isec = inode_security_novalidate(SOCK_INODE(sock));
5132 peer_secid = isec->sid;
5133 } else if (skb)
5134 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5135
5136 out:
5137 *secid = peer_secid;
5138 if (peer_secid == SECSID_NULL)
5139 return -EINVAL;
5140 return 0;
5141 }
5142
selinux_sk_alloc_security(struct sock * sk,int family,gfp_t priority)5143 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5144 {
5145 struct sk_security_struct *sksec;
5146
5147 sksec = kzalloc(sizeof(*sksec), priority);
5148 if (!sksec)
5149 return -ENOMEM;
5150
5151 sksec->peer_sid = SECINITSID_UNLABELED;
5152 sksec->sid = SECINITSID_UNLABELED;
5153 sksec->sclass = SECCLASS_SOCKET;
5154 selinux_netlbl_sk_security_reset(sksec);
5155 sk->sk_security = sksec;
5156
5157 return 0;
5158 }
5159
selinux_sk_free_security(struct sock * sk)5160 static void selinux_sk_free_security(struct sock *sk)
5161 {
5162 struct sk_security_struct *sksec = sk->sk_security;
5163
5164 sk->sk_security = NULL;
5165 selinux_netlbl_sk_security_free(sksec);
5166 kfree(sksec);
5167 }
5168
selinux_sk_clone_security(const struct sock * sk,struct sock * newsk)5169 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5170 {
5171 struct sk_security_struct *sksec = sk->sk_security;
5172 struct sk_security_struct *newsksec = newsk->sk_security;
5173
5174 newsksec->sid = sksec->sid;
5175 newsksec->peer_sid = sksec->peer_sid;
5176 newsksec->sclass = sksec->sclass;
5177
5178 selinux_netlbl_sk_security_reset(newsksec);
5179 }
5180
selinux_sk_getsecid(struct sock * sk,u32 * secid)5181 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5182 {
5183 if (!sk)
5184 *secid = SECINITSID_ANY_SOCKET;
5185 else {
5186 struct sk_security_struct *sksec = sk->sk_security;
5187
5188 *secid = sksec->sid;
5189 }
5190 }
5191
selinux_sock_graft(struct sock * sk,struct socket * parent)5192 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5193 {
5194 struct inode_security_struct *isec =
5195 inode_security_novalidate(SOCK_INODE(parent));
5196 struct sk_security_struct *sksec = sk->sk_security;
5197
5198 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5199 sk->sk_family == PF_UNIX)
5200 isec->sid = sksec->sid;
5201 sksec->sclass = isec->sclass;
5202 }
5203
5204 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5205 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5206 * already present).
5207 */
selinux_sctp_assoc_request(struct sctp_endpoint * ep,struct sk_buff * skb)5208 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5209 struct sk_buff *skb)
5210 {
5211 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5212 struct common_audit_data ad;
5213 struct lsm_network_audit net = {0,};
5214 u8 peerlbl_active;
5215 u32 peer_sid = SECINITSID_UNLABELED;
5216 u32 conn_sid;
5217 int err = 0;
5218
5219 if (!selinux_policycap_extsockclass())
5220 return 0;
5221
5222 peerlbl_active = selinux_peerlbl_enabled();
5223
5224 if (peerlbl_active) {
5225 /* This will return peer_sid = SECSID_NULL if there are
5226 * no peer labels, see security_net_peersid_resolve().
5227 */
5228 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5229 &peer_sid);
5230 if (err)
5231 return err;
5232
5233 if (peer_sid == SECSID_NULL)
5234 peer_sid = SECINITSID_UNLABELED;
5235 }
5236
5237 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5238 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5239
5240 /* Here as first association on socket. As the peer SID
5241 * was allowed by peer recv (and the netif/node checks),
5242 * then it is approved by policy and used as the primary
5243 * peer SID for getpeercon(3).
5244 */
5245 sksec->peer_sid = peer_sid;
5246 } else if (sksec->peer_sid != peer_sid) {
5247 /* Other association peer SIDs are checked to enforce
5248 * consistency among the peer SIDs.
5249 */
5250 ad.type = LSM_AUDIT_DATA_NET;
5251 ad.u.net = &net;
5252 ad.u.net->sk = ep->base.sk;
5253 err = avc_has_perm(&selinux_state,
5254 sksec->peer_sid, peer_sid, sksec->sclass,
5255 SCTP_SOCKET__ASSOCIATION, &ad);
5256 if (err)
5257 return err;
5258 }
5259
5260 /* Compute the MLS component for the connection and store
5261 * the information in ep. This will be used by SCTP TCP type
5262 * sockets and peeled off connections as they cause a new
5263 * socket to be generated. selinux_sctp_sk_clone() will then
5264 * plug this into the new socket.
5265 */
5266 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5267 if (err)
5268 return err;
5269
5270 ep->secid = conn_sid;
5271 ep->peer_secid = peer_sid;
5272
5273 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5274 return selinux_netlbl_sctp_assoc_request(ep, skb);
5275 }
5276
5277 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5278 * based on their @optname.
5279 */
selinux_sctp_bind_connect(struct sock * sk,int optname,struct sockaddr * address,int addrlen)5280 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5281 struct sockaddr *address,
5282 int addrlen)
5283 {
5284 int len, err = 0, walk_size = 0;
5285 void *addr_buf;
5286 struct sockaddr *addr;
5287 struct socket *sock;
5288
5289 if (!selinux_policycap_extsockclass())
5290 return 0;
5291
5292 /* Process one or more addresses that may be IPv4 or IPv6 */
5293 sock = sk->sk_socket;
5294 addr_buf = address;
5295
5296 while (walk_size < addrlen) {
5297 if (walk_size + sizeof(sa_family_t) > addrlen)
5298 return -EINVAL;
5299
5300 addr = addr_buf;
5301 switch (addr->sa_family) {
5302 case AF_UNSPEC:
5303 case AF_INET:
5304 len = sizeof(struct sockaddr_in);
5305 break;
5306 case AF_INET6:
5307 len = sizeof(struct sockaddr_in6);
5308 break;
5309 default:
5310 return -EINVAL;
5311 }
5312
5313 if (walk_size + len > addrlen)
5314 return -EINVAL;
5315
5316 err = -EINVAL;
5317 switch (optname) {
5318 /* Bind checks */
5319 case SCTP_PRIMARY_ADDR:
5320 case SCTP_SET_PEER_PRIMARY_ADDR:
5321 case SCTP_SOCKOPT_BINDX_ADD:
5322 err = selinux_socket_bind(sock, addr, len);
5323 break;
5324 /* Connect checks */
5325 case SCTP_SOCKOPT_CONNECTX:
5326 case SCTP_PARAM_SET_PRIMARY:
5327 case SCTP_PARAM_ADD_IP:
5328 case SCTP_SENDMSG_CONNECT:
5329 err = selinux_socket_connect_helper(sock, addr, len);
5330 if (err)
5331 return err;
5332
5333 /* As selinux_sctp_bind_connect() is called by the
5334 * SCTP protocol layer, the socket is already locked,
5335 * therefore selinux_netlbl_socket_connect_locked()
5336 * is called here. The situations handled are:
5337 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5338 * whenever a new IP address is added or when a new
5339 * primary address is selected.
5340 * Note that an SCTP connect(2) call happens before
5341 * the SCTP protocol layer and is handled via
5342 * selinux_socket_connect().
5343 */
5344 err = selinux_netlbl_socket_connect_locked(sk, addr);
5345 break;
5346 }
5347
5348 if (err)
5349 return err;
5350
5351 addr_buf += len;
5352 walk_size += len;
5353 }
5354
5355 return 0;
5356 }
5357
5358 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
selinux_sctp_sk_clone(struct sctp_endpoint * ep,struct sock * sk,struct sock * newsk)5359 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5360 struct sock *newsk)
5361 {
5362 struct sk_security_struct *sksec = sk->sk_security;
5363 struct sk_security_struct *newsksec = newsk->sk_security;
5364
5365 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5366 * the non-sctp clone version.
5367 */
5368 if (!selinux_policycap_extsockclass())
5369 return selinux_sk_clone_security(sk, newsk);
5370
5371 newsksec->sid = ep->secid;
5372 newsksec->peer_sid = ep->peer_secid;
5373 newsksec->sclass = sksec->sclass;
5374 selinux_netlbl_sctp_sk_clone(sk, newsk);
5375 }
5376
selinux_inet_conn_request(struct sock * sk,struct sk_buff * skb,struct request_sock * req)5377 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5378 struct request_sock *req)
5379 {
5380 struct sk_security_struct *sksec = sk->sk_security;
5381 int err;
5382 u16 family = req->rsk_ops->family;
5383 u32 connsid;
5384 u32 peersid;
5385
5386 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5387 if (err)
5388 return err;
5389 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5390 if (err)
5391 return err;
5392 req->secid = connsid;
5393 req->peer_secid = peersid;
5394
5395 return selinux_netlbl_inet_conn_request(req, family);
5396 }
5397
selinux_inet_csk_clone(struct sock * newsk,const struct request_sock * req)5398 static void selinux_inet_csk_clone(struct sock *newsk,
5399 const struct request_sock *req)
5400 {
5401 struct sk_security_struct *newsksec = newsk->sk_security;
5402
5403 newsksec->sid = req->secid;
5404 newsksec->peer_sid = req->peer_secid;
5405 /* NOTE: Ideally, we should also get the isec->sid for the
5406 new socket in sync, but we don't have the isec available yet.
5407 So we will wait until sock_graft to do it, by which
5408 time it will have been created and available. */
5409
5410 /* We don't need to take any sort of lock here as we are the only
5411 * thread with access to newsksec */
5412 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5413 }
5414
selinux_inet_conn_established(struct sock * sk,struct sk_buff * skb)5415 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5416 {
5417 u16 family = sk->sk_family;
5418 struct sk_security_struct *sksec = sk->sk_security;
5419
5420 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5421 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5422 family = PF_INET;
5423
5424 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5425 }
5426
selinux_secmark_relabel_packet(u32 sid)5427 static int selinux_secmark_relabel_packet(u32 sid)
5428 {
5429 const struct task_security_struct *__tsec;
5430 u32 tsid;
5431
5432 __tsec = selinux_cred(current_cred());
5433 tsid = __tsec->sid;
5434
5435 return avc_has_perm(&selinux_state,
5436 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5437 NULL);
5438 }
5439
selinux_secmark_refcount_inc(void)5440 static void selinux_secmark_refcount_inc(void)
5441 {
5442 atomic_inc(&selinux_secmark_refcount);
5443 }
5444
selinux_secmark_refcount_dec(void)5445 static void selinux_secmark_refcount_dec(void)
5446 {
5447 atomic_dec(&selinux_secmark_refcount);
5448 }
5449
selinux_req_classify_flow(const struct request_sock * req,struct flowi_common * flic)5450 static void selinux_req_classify_flow(const struct request_sock *req,
5451 struct flowi_common *flic)
5452 {
5453 flic->flowic_secid = req->secid;
5454 }
5455
selinux_tun_dev_alloc_security(void ** security)5456 static int selinux_tun_dev_alloc_security(void **security)
5457 {
5458 struct tun_security_struct *tunsec;
5459
5460 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5461 if (!tunsec)
5462 return -ENOMEM;
5463 tunsec->sid = current_sid();
5464
5465 *security = tunsec;
5466 return 0;
5467 }
5468
selinux_tun_dev_free_security(void * security)5469 static void selinux_tun_dev_free_security(void *security)
5470 {
5471 kfree(security);
5472 }
5473
selinux_tun_dev_create(void)5474 static int selinux_tun_dev_create(void)
5475 {
5476 u32 sid = current_sid();
5477
5478 /* we aren't taking into account the "sockcreate" SID since the socket
5479 * that is being created here is not a socket in the traditional sense,
5480 * instead it is a private sock, accessible only to the kernel, and
5481 * representing a wide range of network traffic spanning multiple
5482 * connections unlike traditional sockets - check the TUN driver to
5483 * get a better understanding of why this socket is special */
5484
5485 return avc_has_perm(&selinux_state,
5486 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5487 NULL);
5488 }
5489
selinux_tun_dev_attach_queue(void * security)5490 static int selinux_tun_dev_attach_queue(void *security)
5491 {
5492 struct tun_security_struct *tunsec = security;
5493
5494 return avc_has_perm(&selinux_state,
5495 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5496 TUN_SOCKET__ATTACH_QUEUE, NULL);
5497 }
5498
selinux_tun_dev_attach(struct sock * sk,void * security)5499 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5500 {
5501 struct tun_security_struct *tunsec = security;
5502 struct sk_security_struct *sksec = sk->sk_security;
5503
5504 /* we don't currently perform any NetLabel based labeling here and it
5505 * isn't clear that we would want to do so anyway; while we could apply
5506 * labeling without the support of the TUN user the resulting labeled
5507 * traffic from the other end of the connection would almost certainly
5508 * cause confusion to the TUN user that had no idea network labeling
5509 * protocols were being used */
5510
5511 sksec->sid = tunsec->sid;
5512 sksec->sclass = SECCLASS_TUN_SOCKET;
5513
5514 return 0;
5515 }
5516
selinux_tun_dev_open(void * security)5517 static int selinux_tun_dev_open(void *security)
5518 {
5519 struct tun_security_struct *tunsec = security;
5520 u32 sid = current_sid();
5521 int err;
5522
5523 err = avc_has_perm(&selinux_state,
5524 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5525 TUN_SOCKET__RELABELFROM, NULL);
5526 if (err)
5527 return err;
5528 err = avc_has_perm(&selinux_state,
5529 sid, sid, SECCLASS_TUN_SOCKET,
5530 TUN_SOCKET__RELABELTO, NULL);
5531 if (err)
5532 return err;
5533 tunsec->sid = sid;
5534
5535 return 0;
5536 }
5537
5538 #ifdef CONFIG_NETFILTER
5539
selinux_ip_forward(struct sk_buff * skb,const struct net_device * indev,u16 family)5540 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5541 const struct net_device *indev,
5542 u16 family)
5543 {
5544 int err;
5545 char *addrp;
5546 u32 peer_sid;
5547 struct common_audit_data ad;
5548 struct lsm_network_audit net = {0,};
5549 u8 secmark_active;
5550 u8 netlbl_active;
5551 u8 peerlbl_active;
5552
5553 if (!selinux_policycap_netpeer())
5554 return NF_ACCEPT;
5555
5556 secmark_active = selinux_secmark_enabled();
5557 netlbl_active = netlbl_enabled();
5558 peerlbl_active = selinux_peerlbl_enabled();
5559 if (!secmark_active && !peerlbl_active)
5560 return NF_ACCEPT;
5561
5562 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5563 return NF_DROP;
5564
5565 ad.type = LSM_AUDIT_DATA_NET;
5566 ad.u.net = &net;
5567 ad.u.net->netif = indev->ifindex;
5568 ad.u.net->family = family;
5569 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5570 return NF_DROP;
5571
5572 if (peerlbl_active) {
5573 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5574 addrp, family, peer_sid, &ad);
5575 if (err) {
5576 selinux_netlbl_err(skb, family, err, 1);
5577 return NF_DROP;
5578 }
5579 }
5580
5581 if (secmark_active)
5582 if (avc_has_perm(&selinux_state,
5583 peer_sid, skb->secmark,
5584 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5585 return NF_DROP;
5586
5587 if (netlbl_active)
5588 /* we do this in the FORWARD path and not the POST_ROUTING
5589 * path because we want to make sure we apply the necessary
5590 * labeling before IPsec is applied so we can leverage AH
5591 * protection */
5592 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5593 return NF_DROP;
5594
5595 return NF_ACCEPT;
5596 }
5597
selinux_ipv4_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5598 static unsigned int selinux_ipv4_forward(void *priv,
5599 struct sk_buff *skb,
5600 const struct nf_hook_state *state)
5601 {
5602 return selinux_ip_forward(skb, state->in, PF_INET);
5603 }
5604
5605 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5606 static unsigned int selinux_ipv6_forward(void *priv,
5607 struct sk_buff *skb,
5608 const struct nf_hook_state *state)
5609 {
5610 return selinux_ip_forward(skb, state->in, PF_INET6);
5611 }
5612 #endif /* IPV6 */
5613
selinux_ip_output(struct sk_buff * skb,u16 family)5614 static unsigned int selinux_ip_output(struct sk_buff *skb,
5615 u16 family)
5616 {
5617 struct sock *sk;
5618 u32 sid;
5619
5620 if (!netlbl_enabled())
5621 return NF_ACCEPT;
5622
5623 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5624 * because we want to make sure we apply the necessary labeling
5625 * before IPsec is applied so we can leverage AH protection */
5626 sk = skb->sk;
5627 if (sk) {
5628 struct sk_security_struct *sksec;
5629
5630 if (sk_listener(sk))
5631 /* if the socket is the listening state then this
5632 * packet is a SYN-ACK packet which means it needs to
5633 * be labeled based on the connection/request_sock and
5634 * not the parent socket. unfortunately, we can't
5635 * lookup the request_sock yet as it isn't queued on
5636 * the parent socket until after the SYN-ACK is sent.
5637 * the "solution" is to simply pass the packet as-is
5638 * as any IP option based labeling should be copied
5639 * from the initial connection request (in the IP
5640 * layer). it is far from ideal, but until we get a
5641 * security label in the packet itself this is the
5642 * best we can do. */
5643 return NF_ACCEPT;
5644
5645 /* standard practice, label using the parent socket */
5646 sksec = sk->sk_security;
5647 sid = sksec->sid;
5648 } else
5649 sid = SECINITSID_KERNEL;
5650 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5651 return NF_DROP;
5652
5653 return NF_ACCEPT;
5654 }
5655
selinux_ipv4_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5656 static unsigned int selinux_ipv4_output(void *priv,
5657 struct sk_buff *skb,
5658 const struct nf_hook_state *state)
5659 {
5660 return selinux_ip_output(skb, PF_INET);
5661 }
5662
5663 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5664 static unsigned int selinux_ipv6_output(void *priv,
5665 struct sk_buff *skb,
5666 const struct nf_hook_state *state)
5667 {
5668 return selinux_ip_output(skb, PF_INET6);
5669 }
5670 #endif /* IPV6 */
5671
selinux_ip_postroute_compat(struct sk_buff * skb,int ifindex,u16 family)5672 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5673 int ifindex,
5674 u16 family)
5675 {
5676 struct sock *sk = skb_to_full_sk(skb);
5677 struct sk_security_struct *sksec;
5678 struct common_audit_data ad;
5679 struct lsm_network_audit net = {0,};
5680 char *addrp;
5681 u8 proto = 0;
5682
5683 if (sk == NULL)
5684 return NF_ACCEPT;
5685 sksec = sk->sk_security;
5686
5687 ad.type = LSM_AUDIT_DATA_NET;
5688 ad.u.net = &net;
5689 ad.u.net->netif = ifindex;
5690 ad.u.net->family = family;
5691 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5692 return NF_DROP;
5693
5694 if (selinux_secmark_enabled())
5695 if (avc_has_perm(&selinux_state,
5696 sksec->sid, skb->secmark,
5697 SECCLASS_PACKET, PACKET__SEND, &ad))
5698 return NF_DROP_ERR(-ECONNREFUSED);
5699
5700 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5701 return NF_DROP_ERR(-ECONNREFUSED);
5702
5703 return NF_ACCEPT;
5704 }
5705
selinux_ip_postroute(struct sk_buff * skb,const struct net_device * outdev,u16 family)5706 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5707 const struct net_device *outdev,
5708 u16 family)
5709 {
5710 u32 secmark_perm;
5711 u32 peer_sid;
5712 int ifindex = outdev->ifindex;
5713 struct sock *sk;
5714 struct common_audit_data ad;
5715 struct lsm_network_audit net = {0,};
5716 char *addrp;
5717 u8 secmark_active;
5718 u8 peerlbl_active;
5719
5720 /* If any sort of compatibility mode is enabled then handoff processing
5721 * to the selinux_ip_postroute_compat() function to deal with the
5722 * special handling. We do this in an attempt to keep this function
5723 * as fast and as clean as possible. */
5724 if (!selinux_policycap_netpeer())
5725 return selinux_ip_postroute_compat(skb, ifindex, family);
5726
5727 secmark_active = selinux_secmark_enabled();
5728 peerlbl_active = selinux_peerlbl_enabled();
5729 if (!secmark_active && !peerlbl_active)
5730 return NF_ACCEPT;
5731
5732 sk = skb_to_full_sk(skb);
5733
5734 #ifdef CONFIG_XFRM
5735 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5736 * packet transformation so allow the packet to pass without any checks
5737 * since we'll have another chance to perform access control checks
5738 * when the packet is on it's final way out.
5739 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5740 * is NULL, in this case go ahead and apply access control.
5741 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5742 * TCP listening state we cannot wait until the XFRM processing
5743 * is done as we will miss out on the SA label if we do;
5744 * unfortunately, this means more work, but it is only once per
5745 * connection. */
5746 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5747 !(sk && sk_listener(sk)))
5748 return NF_ACCEPT;
5749 #endif
5750
5751 if (sk == NULL) {
5752 /* Without an associated socket the packet is either coming
5753 * from the kernel or it is being forwarded; check the packet
5754 * to determine which and if the packet is being forwarded
5755 * query the packet directly to determine the security label. */
5756 if (skb->skb_iif) {
5757 secmark_perm = PACKET__FORWARD_OUT;
5758 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5759 return NF_DROP;
5760 } else {
5761 secmark_perm = PACKET__SEND;
5762 peer_sid = SECINITSID_KERNEL;
5763 }
5764 } else if (sk_listener(sk)) {
5765 /* Locally generated packet but the associated socket is in the
5766 * listening state which means this is a SYN-ACK packet. In
5767 * this particular case the correct security label is assigned
5768 * to the connection/request_sock but unfortunately we can't
5769 * query the request_sock as it isn't queued on the parent
5770 * socket until after the SYN-ACK packet is sent; the only
5771 * viable choice is to regenerate the label like we do in
5772 * selinux_inet_conn_request(). See also selinux_ip_output()
5773 * for similar problems. */
5774 u32 skb_sid;
5775 struct sk_security_struct *sksec;
5776
5777 sksec = sk->sk_security;
5778 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5779 return NF_DROP;
5780 /* At this point, if the returned skb peerlbl is SECSID_NULL
5781 * and the packet has been through at least one XFRM
5782 * transformation then we must be dealing with the "final"
5783 * form of labeled IPsec packet; since we've already applied
5784 * all of our access controls on this packet we can safely
5785 * pass the packet. */
5786 if (skb_sid == SECSID_NULL) {
5787 switch (family) {
5788 case PF_INET:
5789 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5790 return NF_ACCEPT;
5791 break;
5792 case PF_INET6:
5793 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5794 return NF_ACCEPT;
5795 break;
5796 default:
5797 return NF_DROP_ERR(-ECONNREFUSED);
5798 }
5799 }
5800 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5801 return NF_DROP;
5802 secmark_perm = PACKET__SEND;
5803 } else {
5804 /* Locally generated packet, fetch the security label from the
5805 * associated socket. */
5806 struct sk_security_struct *sksec = sk->sk_security;
5807 peer_sid = sksec->sid;
5808 secmark_perm = PACKET__SEND;
5809 }
5810
5811 ad.type = LSM_AUDIT_DATA_NET;
5812 ad.u.net = &net;
5813 ad.u.net->netif = ifindex;
5814 ad.u.net->family = family;
5815 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5816 return NF_DROP;
5817
5818 if (secmark_active)
5819 if (avc_has_perm(&selinux_state,
5820 peer_sid, skb->secmark,
5821 SECCLASS_PACKET, secmark_perm, &ad))
5822 return NF_DROP_ERR(-ECONNREFUSED);
5823
5824 if (peerlbl_active) {
5825 u32 if_sid;
5826 u32 node_sid;
5827
5828 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5829 return NF_DROP;
5830 if (avc_has_perm(&selinux_state,
5831 peer_sid, if_sid,
5832 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5833 return NF_DROP_ERR(-ECONNREFUSED);
5834
5835 if (sel_netnode_sid(addrp, family, &node_sid))
5836 return NF_DROP;
5837 if (avc_has_perm(&selinux_state,
5838 peer_sid, node_sid,
5839 SECCLASS_NODE, NODE__SENDTO, &ad))
5840 return NF_DROP_ERR(-ECONNREFUSED);
5841 }
5842
5843 return NF_ACCEPT;
5844 }
5845
selinux_ipv4_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5846 static unsigned int selinux_ipv4_postroute(void *priv,
5847 struct sk_buff *skb,
5848 const struct nf_hook_state *state)
5849 {
5850 return selinux_ip_postroute(skb, state->out, PF_INET);
5851 }
5852
5853 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5854 static unsigned int selinux_ipv6_postroute(void *priv,
5855 struct sk_buff *skb,
5856 const struct nf_hook_state *state)
5857 {
5858 return selinux_ip_postroute(skb, state->out, PF_INET6);
5859 }
5860 #endif /* IPV6 */
5861
5862 #endif /* CONFIG_NETFILTER */
5863
selinux_netlink_send(struct sock * sk,struct sk_buff * skb)5864 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5865 {
5866 int rc = 0;
5867 unsigned int msg_len;
5868 unsigned int data_len = skb->len;
5869 unsigned char *data = skb->data;
5870 struct nlmsghdr *nlh;
5871 struct sk_security_struct *sksec = sk->sk_security;
5872 u16 sclass = sksec->sclass;
5873 u32 perm;
5874
5875 while (data_len >= nlmsg_total_size(0)) {
5876 nlh = (struct nlmsghdr *)data;
5877
5878 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5879 * users which means we can't reject skb's with bogus
5880 * length fields; our solution is to follow what
5881 * netlink_rcv_skb() does and simply skip processing at
5882 * messages with length fields that are clearly junk
5883 */
5884 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5885 return 0;
5886
5887 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5888 if (rc == 0) {
5889 rc = sock_has_perm(sk, perm);
5890 if (rc)
5891 return rc;
5892 } else if (rc == -EINVAL) {
5893 /* -EINVAL is a missing msg/perm mapping */
5894 pr_warn_ratelimited("SELinux: unrecognized netlink"
5895 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5896 " pid=%d comm=%s\n",
5897 sk->sk_protocol, nlh->nlmsg_type,
5898 secclass_map[sclass - 1].name,
5899 task_pid_nr(current), current->comm);
5900 if (enforcing_enabled(&selinux_state) &&
5901 !security_get_allow_unknown(&selinux_state))
5902 return rc;
5903 rc = 0;
5904 } else if (rc == -ENOENT) {
5905 /* -ENOENT is a missing socket/class mapping, ignore */
5906 rc = 0;
5907 } else {
5908 return rc;
5909 }
5910
5911 /* move to the next message after applying netlink padding */
5912 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5913 if (msg_len >= data_len)
5914 return 0;
5915 data_len -= msg_len;
5916 data += msg_len;
5917 }
5918
5919 return rc;
5920 }
5921
ipc_init_security(struct ipc_security_struct * isec,u16 sclass)5922 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5923 {
5924 isec->sclass = sclass;
5925 isec->sid = current_sid();
5926 }
5927
ipc_has_perm(struct kern_ipc_perm * ipc_perms,u32 perms)5928 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5929 u32 perms)
5930 {
5931 struct ipc_security_struct *isec;
5932 struct common_audit_data ad;
5933 u32 sid = current_sid();
5934
5935 isec = selinux_ipc(ipc_perms);
5936
5937 ad.type = LSM_AUDIT_DATA_IPC;
5938 ad.u.ipc_id = ipc_perms->key;
5939
5940 return avc_has_perm(&selinux_state,
5941 sid, isec->sid, isec->sclass, perms, &ad);
5942 }
5943
selinux_msg_msg_alloc_security(struct msg_msg * msg)5944 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5945 {
5946 struct msg_security_struct *msec;
5947
5948 msec = selinux_msg_msg(msg);
5949 msec->sid = SECINITSID_UNLABELED;
5950
5951 return 0;
5952 }
5953
5954 /* message queue security operations */
selinux_msg_queue_alloc_security(struct kern_ipc_perm * msq)5955 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5956 {
5957 struct ipc_security_struct *isec;
5958 struct common_audit_data ad;
5959 u32 sid = current_sid();
5960 int rc;
5961
5962 isec = selinux_ipc(msq);
5963 ipc_init_security(isec, SECCLASS_MSGQ);
5964
5965 ad.type = LSM_AUDIT_DATA_IPC;
5966 ad.u.ipc_id = msq->key;
5967
5968 rc = avc_has_perm(&selinux_state,
5969 sid, isec->sid, SECCLASS_MSGQ,
5970 MSGQ__CREATE, &ad);
5971 return rc;
5972 }
5973
selinux_msg_queue_associate(struct kern_ipc_perm * msq,int msqflg)5974 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5975 {
5976 struct ipc_security_struct *isec;
5977 struct common_audit_data ad;
5978 u32 sid = current_sid();
5979
5980 isec = selinux_ipc(msq);
5981
5982 ad.type = LSM_AUDIT_DATA_IPC;
5983 ad.u.ipc_id = msq->key;
5984
5985 return avc_has_perm(&selinux_state,
5986 sid, isec->sid, SECCLASS_MSGQ,
5987 MSGQ__ASSOCIATE, &ad);
5988 }
5989
selinux_msg_queue_msgctl(struct kern_ipc_perm * msq,int cmd)5990 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5991 {
5992 int err;
5993 int perms;
5994
5995 switch (cmd) {
5996 case IPC_INFO:
5997 case MSG_INFO:
5998 /* No specific object, just general system-wide information. */
5999 return avc_has_perm(&selinux_state,
6000 current_sid(), SECINITSID_KERNEL,
6001 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6002 case IPC_STAT:
6003 case MSG_STAT:
6004 case MSG_STAT_ANY:
6005 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6006 break;
6007 case IPC_SET:
6008 perms = MSGQ__SETATTR;
6009 break;
6010 case IPC_RMID:
6011 perms = MSGQ__DESTROY;
6012 break;
6013 default:
6014 return 0;
6015 }
6016
6017 err = ipc_has_perm(msq, perms);
6018 return err;
6019 }
6020
selinux_msg_queue_msgsnd(struct kern_ipc_perm * msq,struct msg_msg * msg,int msqflg)6021 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6022 {
6023 struct ipc_security_struct *isec;
6024 struct msg_security_struct *msec;
6025 struct common_audit_data ad;
6026 u32 sid = current_sid();
6027 int rc;
6028
6029 isec = selinux_ipc(msq);
6030 msec = selinux_msg_msg(msg);
6031
6032 /*
6033 * First time through, need to assign label to the message
6034 */
6035 if (msec->sid == SECINITSID_UNLABELED) {
6036 /*
6037 * Compute new sid based on current process and
6038 * message queue this message will be stored in
6039 */
6040 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6041 SECCLASS_MSG, NULL, &msec->sid);
6042 if (rc)
6043 return rc;
6044 }
6045
6046 ad.type = LSM_AUDIT_DATA_IPC;
6047 ad.u.ipc_id = msq->key;
6048
6049 /* Can this process write to the queue? */
6050 rc = avc_has_perm(&selinux_state,
6051 sid, isec->sid, SECCLASS_MSGQ,
6052 MSGQ__WRITE, &ad);
6053 if (!rc)
6054 /* Can this process send the message */
6055 rc = avc_has_perm(&selinux_state,
6056 sid, msec->sid, SECCLASS_MSG,
6057 MSG__SEND, &ad);
6058 if (!rc)
6059 /* Can the message be put in the queue? */
6060 rc = avc_has_perm(&selinux_state,
6061 msec->sid, isec->sid, SECCLASS_MSGQ,
6062 MSGQ__ENQUEUE, &ad);
6063
6064 return rc;
6065 }
6066
selinux_msg_queue_msgrcv(struct kern_ipc_perm * msq,struct msg_msg * msg,struct task_struct * target,long type,int mode)6067 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6068 struct task_struct *target,
6069 long type, int mode)
6070 {
6071 struct ipc_security_struct *isec;
6072 struct msg_security_struct *msec;
6073 struct common_audit_data ad;
6074 u32 sid = task_sid(target);
6075 int rc;
6076
6077 isec = selinux_ipc(msq);
6078 msec = selinux_msg_msg(msg);
6079
6080 ad.type = LSM_AUDIT_DATA_IPC;
6081 ad.u.ipc_id = msq->key;
6082
6083 rc = avc_has_perm(&selinux_state,
6084 sid, isec->sid,
6085 SECCLASS_MSGQ, MSGQ__READ, &ad);
6086 if (!rc)
6087 rc = avc_has_perm(&selinux_state,
6088 sid, msec->sid,
6089 SECCLASS_MSG, MSG__RECEIVE, &ad);
6090 return rc;
6091 }
6092
6093 /* Shared Memory security operations */
selinux_shm_alloc_security(struct kern_ipc_perm * shp)6094 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6095 {
6096 struct ipc_security_struct *isec;
6097 struct common_audit_data ad;
6098 u32 sid = current_sid();
6099 int rc;
6100
6101 isec = selinux_ipc(shp);
6102 ipc_init_security(isec, SECCLASS_SHM);
6103
6104 ad.type = LSM_AUDIT_DATA_IPC;
6105 ad.u.ipc_id = shp->key;
6106
6107 rc = avc_has_perm(&selinux_state,
6108 sid, isec->sid, SECCLASS_SHM,
6109 SHM__CREATE, &ad);
6110 return rc;
6111 }
6112
selinux_shm_associate(struct kern_ipc_perm * shp,int shmflg)6113 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6114 {
6115 struct ipc_security_struct *isec;
6116 struct common_audit_data ad;
6117 u32 sid = current_sid();
6118
6119 isec = selinux_ipc(shp);
6120
6121 ad.type = LSM_AUDIT_DATA_IPC;
6122 ad.u.ipc_id = shp->key;
6123
6124 return avc_has_perm(&selinux_state,
6125 sid, isec->sid, SECCLASS_SHM,
6126 SHM__ASSOCIATE, &ad);
6127 }
6128
6129 /* Note, at this point, shp is locked down */
selinux_shm_shmctl(struct kern_ipc_perm * shp,int cmd)6130 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6131 {
6132 int perms;
6133 int err;
6134
6135 switch (cmd) {
6136 case IPC_INFO:
6137 case SHM_INFO:
6138 /* No specific object, just general system-wide information. */
6139 return avc_has_perm(&selinux_state,
6140 current_sid(), SECINITSID_KERNEL,
6141 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6142 case IPC_STAT:
6143 case SHM_STAT:
6144 case SHM_STAT_ANY:
6145 perms = SHM__GETATTR | SHM__ASSOCIATE;
6146 break;
6147 case IPC_SET:
6148 perms = SHM__SETATTR;
6149 break;
6150 case SHM_LOCK:
6151 case SHM_UNLOCK:
6152 perms = SHM__LOCK;
6153 break;
6154 case IPC_RMID:
6155 perms = SHM__DESTROY;
6156 break;
6157 default:
6158 return 0;
6159 }
6160
6161 err = ipc_has_perm(shp, perms);
6162 return err;
6163 }
6164
selinux_shm_shmat(struct kern_ipc_perm * shp,char __user * shmaddr,int shmflg)6165 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6166 char __user *shmaddr, int shmflg)
6167 {
6168 u32 perms;
6169
6170 if (shmflg & SHM_RDONLY)
6171 perms = SHM__READ;
6172 else
6173 perms = SHM__READ | SHM__WRITE;
6174
6175 return ipc_has_perm(shp, perms);
6176 }
6177
6178 /* Semaphore security operations */
selinux_sem_alloc_security(struct kern_ipc_perm * sma)6179 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6180 {
6181 struct ipc_security_struct *isec;
6182 struct common_audit_data ad;
6183 u32 sid = current_sid();
6184 int rc;
6185
6186 isec = selinux_ipc(sma);
6187 ipc_init_security(isec, SECCLASS_SEM);
6188
6189 ad.type = LSM_AUDIT_DATA_IPC;
6190 ad.u.ipc_id = sma->key;
6191
6192 rc = avc_has_perm(&selinux_state,
6193 sid, isec->sid, SECCLASS_SEM,
6194 SEM__CREATE, &ad);
6195 return rc;
6196 }
6197
selinux_sem_associate(struct kern_ipc_perm * sma,int semflg)6198 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6199 {
6200 struct ipc_security_struct *isec;
6201 struct common_audit_data ad;
6202 u32 sid = current_sid();
6203
6204 isec = selinux_ipc(sma);
6205
6206 ad.type = LSM_AUDIT_DATA_IPC;
6207 ad.u.ipc_id = sma->key;
6208
6209 return avc_has_perm(&selinux_state,
6210 sid, isec->sid, SECCLASS_SEM,
6211 SEM__ASSOCIATE, &ad);
6212 }
6213
6214 /* Note, at this point, sma is locked down */
selinux_sem_semctl(struct kern_ipc_perm * sma,int cmd)6215 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6216 {
6217 int err;
6218 u32 perms;
6219
6220 switch (cmd) {
6221 case IPC_INFO:
6222 case SEM_INFO:
6223 /* No specific object, just general system-wide information. */
6224 return avc_has_perm(&selinux_state,
6225 current_sid(), SECINITSID_KERNEL,
6226 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6227 case GETPID:
6228 case GETNCNT:
6229 case GETZCNT:
6230 perms = SEM__GETATTR;
6231 break;
6232 case GETVAL:
6233 case GETALL:
6234 perms = SEM__READ;
6235 break;
6236 case SETVAL:
6237 case SETALL:
6238 perms = SEM__WRITE;
6239 break;
6240 case IPC_RMID:
6241 perms = SEM__DESTROY;
6242 break;
6243 case IPC_SET:
6244 perms = SEM__SETATTR;
6245 break;
6246 case IPC_STAT:
6247 case SEM_STAT:
6248 case SEM_STAT_ANY:
6249 perms = SEM__GETATTR | SEM__ASSOCIATE;
6250 break;
6251 default:
6252 return 0;
6253 }
6254
6255 err = ipc_has_perm(sma, perms);
6256 return err;
6257 }
6258
selinux_sem_semop(struct kern_ipc_perm * sma,struct sembuf * sops,unsigned nsops,int alter)6259 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6260 struct sembuf *sops, unsigned nsops, int alter)
6261 {
6262 u32 perms;
6263
6264 if (alter)
6265 perms = SEM__READ | SEM__WRITE;
6266 else
6267 perms = SEM__READ;
6268
6269 return ipc_has_perm(sma, perms);
6270 }
6271
selinux_ipc_permission(struct kern_ipc_perm * ipcp,short flag)6272 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6273 {
6274 u32 av = 0;
6275
6276 av = 0;
6277 if (flag & S_IRUGO)
6278 av |= IPC__UNIX_READ;
6279 if (flag & S_IWUGO)
6280 av |= IPC__UNIX_WRITE;
6281
6282 if (av == 0)
6283 return 0;
6284
6285 return ipc_has_perm(ipcp, av);
6286 }
6287
selinux_ipc_getsecid(struct kern_ipc_perm * ipcp,u32 * secid)6288 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6289 {
6290 struct ipc_security_struct *isec = selinux_ipc(ipcp);
6291 *secid = isec->sid;
6292 }
6293
selinux_d_instantiate(struct dentry * dentry,struct inode * inode)6294 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6295 {
6296 if (inode)
6297 inode_doinit_with_dentry(inode, dentry);
6298 }
6299
selinux_getprocattr(struct task_struct * p,char * name,char ** value)6300 static int selinux_getprocattr(struct task_struct *p,
6301 char *name, char **value)
6302 {
6303 const struct task_security_struct *__tsec;
6304 u32 sid;
6305 int error;
6306 unsigned len;
6307
6308 rcu_read_lock();
6309 __tsec = selinux_cred(__task_cred(p));
6310
6311 if (current != p) {
6312 error = avc_has_perm(&selinux_state,
6313 current_sid(), __tsec->sid,
6314 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6315 if (error)
6316 goto bad;
6317 }
6318
6319 if (!strcmp(name, "current"))
6320 sid = __tsec->sid;
6321 else if (!strcmp(name, "prev"))
6322 sid = __tsec->osid;
6323 else if (!strcmp(name, "exec"))
6324 sid = __tsec->exec_sid;
6325 else if (!strcmp(name, "fscreate"))
6326 sid = __tsec->create_sid;
6327 else if (!strcmp(name, "keycreate"))
6328 sid = __tsec->keycreate_sid;
6329 else if (!strcmp(name, "sockcreate"))
6330 sid = __tsec->sockcreate_sid;
6331 else {
6332 error = -EINVAL;
6333 goto bad;
6334 }
6335 rcu_read_unlock();
6336
6337 if (!sid)
6338 return 0;
6339
6340 error = security_sid_to_context(&selinux_state, sid, value, &len);
6341 if (error)
6342 return error;
6343 return len;
6344
6345 bad:
6346 rcu_read_unlock();
6347 return error;
6348 }
6349
selinux_setprocattr(const char * name,void * value,size_t size)6350 static int selinux_setprocattr(const char *name, void *value, size_t size)
6351 {
6352 struct task_security_struct *tsec;
6353 struct cred *new;
6354 u32 mysid = current_sid(), sid = 0, ptsid;
6355 int error;
6356 char *str = value;
6357
6358 /*
6359 * Basic control over ability to set these attributes at all.
6360 */
6361 if (!strcmp(name, "exec"))
6362 error = avc_has_perm(&selinux_state,
6363 mysid, mysid, SECCLASS_PROCESS,
6364 PROCESS__SETEXEC, NULL);
6365 else if (!strcmp(name, "fscreate"))
6366 error = avc_has_perm(&selinux_state,
6367 mysid, mysid, SECCLASS_PROCESS,
6368 PROCESS__SETFSCREATE, NULL);
6369 else if (!strcmp(name, "keycreate"))
6370 error = avc_has_perm(&selinux_state,
6371 mysid, mysid, SECCLASS_PROCESS,
6372 PROCESS__SETKEYCREATE, NULL);
6373 else if (!strcmp(name, "sockcreate"))
6374 error = avc_has_perm(&selinux_state,
6375 mysid, mysid, SECCLASS_PROCESS,
6376 PROCESS__SETSOCKCREATE, NULL);
6377 else if (!strcmp(name, "current"))
6378 error = avc_has_perm(&selinux_state,
6379 mysid, mysid, SECCLASS_PROCESS,
6380 PROCESS__SETCURRENT, NULL);
6381 else
6382 error = -EINVAL;
6383 if (error)
6384 return error;
6385
6386 /* Obtain a SID for the context, if one was specified. */
6387 if (size && str[0] && str[0] != '\n') {
6388 if (str[size-1] == '\n') {
6389 str[size-1] = 0;
6390 size--;
6391 }
6392 error = security_context_to_sid(&selinux_state, value, size,
6393 &sid, GFP_KERNEL);
6394 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6395 if (!has_cap_mac_admin(true)) {
6396 struct audit_buffer *ab;
6397 size_t audit_size;
6398
6399 /* We strip a nul only if it is at the end, otherwise the
6400 * context contains a nul and we should audit that */
6401 if (str[size - 1] == '\0')
6402 audit_size = size - 1;
6403 else
6404 audit_size = size;
6405 ab = audit_log_start(audit_context(),
6406 GFP_ATOMIC,
6407 AUDIT_SELINUX_ERR);
6408 audit_log_format(ab, "op=fscreate invalid_context=");
6409 audit_log_n_untrustedstring(ab, value, audit_size);
6410 audit_log_end(ab);
6411
6412 return error;
6413 }
6414 error = security_context_to_sid_force(
6415 &selinux_state,
6416 value, size, &sid);
6417 }
6418 if (error)
6419 return error;
6420 }
6421
6422 new = prepare_creds();
6423 if (!new)
6424 return -ENOMEM;
6425
6426 /* Permission checking based on the specified context is
6427 performed during the actual operation (execve,
6428 open/mkdir/...), when we know the full context of the
6429 operation. See selinux_bprm_creds_for_exec for the execve
6430 checks and may_create for the file creation checks. The
6431 operation will then fail if the context is not permitted. */
6432 tsec = selinux_cred(new);
6433 if (!strcmp(name, "exec")) {
6434 tsec->exec_sid = sid;
6435 } else if (!strcmp(name, "fscreate")) {
6436 tsec->create_sid = sid;
6437 } else if (!strcmp(name, "keycreate")) {
6438 if (sid) {
6439 error = avc_has_perm(&selinux_state, mysid, sid,
6440 SECCLASS_KEY, KEY__CREATE, NULL);
6441 if (error)
6442 goto abort_change;
6443 }
6444 tsec->keycreate_sid = sid;
6445 } else if (!strcmp(name, "sockcreate")) {
6446 tsec->sockcreate_sid = sid;
6447 } else if (!strcmp(name, "current")) {
6448 error = -EINVAL;
6449 if (sid == 0)
6450 goto abort_change;
6451
6452 /* Only allow single threaded processes to change context */
6453 error = -EPERM;
6454 if (!current_is_single_threaded()) {
6455 error = security_bounded_transition(&selinux_state,
6456 tsec->sid, sid);
6457 if (error)
6458 goto abort_change;
6459 }
6460
6461 /* Check permissions for the transition. */
6462 error = avc_has_perm(&selinux_state,
6463 tsec->sid, sid, SECCLASS_PROCESS,
6464 PROCESS__DYNTRANSITION, NULL);
6465 if (error)
6466 goto abort_change;
6467
6468 /* Check for ptracing, and update the task SID if ok.
6469 Otherwise, leave SID unchanged and fail. */
6470 ptsid = ptrace_parent_sid();
6471 if (ptsid != 0) {
6472 error = avc_has_perm(&selinux_state,
6473 ptsid, sid, SECCLASS_PROCESS,
6474 PROCESS__PTRACE, NULL);
6475 if (error)
6476 goto abort_change;
6477 }
6478
6479 tsec->sid = sid;
6480 } else {
6481 error = -EINVAL;
6482 goto abort_change;
6483 }
6484
6485 commit_creds(new);
6486 return size;
6487
6488 abort_change:
6489 abort_creds(new);
6490 return error;
6491 }
6492
selinux_ismaclabel(const char * name)6493 static int selinux_ismaclabel(const char *name)
6494 {
6495 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6496 }
6497
selinux_secid_to_secctx(u32 secid,char ** secdata,u32 * seclen)6498 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6499 {
6500 return security_sid_to_context(&selinux_state, secid,
6501 secdata, seclen);
6502 }
6503
selinux_secctx_to_secid(const char * secdata,u32 seclen,u32 * secid)6504 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6505 {
6506 return security_context_to_sid(&selinux_state, secdata, seclen,
6507 secid, GFP_KERNEL);
6508 }
6509
selinux_release_secctx(char * secdata,u32 seclen)6510 static void selinux_release_secctx(char *secdata, u32 seclen)
6511 {
6512 kfree(secdata);
6513 }
6514
selinux_inode_invalidate_secctx(struct inode * inode)6515 static void selinux_inode_invalidate_secctx(struct inode *inode)
6516 {
6517 struct inode_security_struct *isec = selinux_inode(inode);
6518
6519 spin_lock(&isec->lock);
6520 isec->initialized = LABEL_INVALID;
6521 spin_unlock(&isec->lock);
6522 }
6523
6524 /*
6525 * called with inode->i_mutex locked
6526 */
selinux_inode_notifysecctx(struct inode * inode,void * ctx,u32 ctxlen)6527 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6528 {
6529 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6530 ctx, ctxlen, 0);
6531 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6532 return rc == -EOPNOTSUPP ? 0 : rc;
6533 }
6534
6535 /*
6536 * called with inode->i_mutex locked
6537 */
selinux_inode_setsecctx(struct dentry * dentry,void * ctx,u32 ctxlen)6538 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6539 {
6540 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6541 }
6542
selinux_inode_getsecctx(struct inode * inode,void ** ctx,u32 * ctxlen)6543 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6544 {
6545 int len = 0;
6546 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6547 ctx, true);
6548 if (len < 0)
6549 return len;
6550 *ctxlen = len;
6551 return 0;
6552 }
6553 #ifdef CONFIG_KEYS
6554
selinux_key_alloc(struct key * k,const struct cred * cred,unsigned long flags)6555 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6556 unsigned long flags)
6557 {
6558 const struct task_security_struct *tsec;
6559 struct key_security_struct *ksec;
6560
6561 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6562 if (!ksec)
6563 return -ENOMEM;
6564
6565 tsec = selinux_cred(cred);
6566 if (tsec->keycreate_sid)
6567 ksec->sid = tsec->keycreate_sid;
6568 else
6569 ksec->sid = tsec->sid;
6570
6571 k->security = ksec;
6572 return 0;
6573 }
6574
selinux_key_free(struct key * k)6575 static void selinux_key_free(struct key *k)
6576 {
6577 struct key_security_struct *ksec = k->security;
6578
6579 k->security = NULL;
6580 kfree(ksec);
6581 }
6582
selinux_key_permission(key_ref_t key_ref,const struct cred * cred,enum key_need_perm need_perm)6583 static int selinux_key_permission(key_ref_t key_ref,
6584 const struct cred *cred,
6585 enum key_need_perm need_perm)
6586 {
6587 struct key *key;
6588 struct key_security_struct *ksec;
6589 u32 perm, sid;
6590
6591 switch (need_perm) {
6592 case KEY_NEED_VIEW:
6593 perm = KEY__VIEW;
6594 break;
6595 case KEY_NEED_READ:
6596 perm = KEY__READ;
6597 break;
6598 case KEY_NEED_WRITE:
6599 perm = KEY__WRITE;
6600 break;
6601 case KEY_NEED_SEARCH:
6602 perm = KEY__SEARCH;
6603 break;
6604 case KEY_NEED_LINK:
6605 perm = KEY__LINK;
6606 break;
6607 case KEY_NEED_SETATTR:
6608 perm = KEY__SETATTR;
6609 break;
6610 case KEY_NEED_UNLINK:
6611 case KEY_SYSADMIN_OVERRIDE:
6612 case KEY_AUTHTOKEN_OVERRIDE:
6613 case KEY_DEFER_PERM_CHECK:
6614 return 0;
6615 default:
6616 WARN_ON(1);
6617 return -EPERM;
6618
6619 }
6620
6621 sid = cred_sid(cred);
6622 key = key_ref_to_ptr(key_ref);
6623 ksec = key->security;
6624
6625 return avc_has_perm(&selinux_state,
6626 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6627 }
6628
selinux_key_getsecurity(struct key * key,char ** _buffer)6629 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6630 {
6631 struct key_security_struct *ksec = key->security;
6632 char *context = NULL;
6633 unsigned len;
6634 int rc;
6635
6636 rc = security_sid_to_context(&selinux_state, ksec->sid,
6637 &context, &len);
6638 if (!rc)
6639 rc = len;
6640 *_buffer = context;
6641 return rc;
6642 }
6643
6644 #ifdef CONFIG_KEY_NOTIFICATIONS
selinux_watch_key(struct key * key)6645 static int selinux_watch_key(struct key *key)
6646 {
6647 struct key_security_struct *ksec = key->security;
6648 u32 sid = current_sid();
6649
6650 return avc_has_perm(&selinux_state,
6651 sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6652 }
6653 #endif
6654 #endif
6655
6656 #ifdef CONFIG_SECURITY_INFINIBAND
selinux_ib_pkey_access(void * ib_sec,u64 subnet_prefix,u16 pkey_val)6657 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6658 {
6659 struct common_audit_data ad;
6660 int err;
6661 u32 sid = 0;
6662 struct ib_security_struct *sec = ib_sec;
6663 struct lsm_ibpkey_audit ibpkey;
6664
6665 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6666 if (err)
6667 return err;
6668
6669 ad.type = LSM_AUDIT_DATA_IBPKEY;
6670 ibpkey.subnet_prefix = subnet_prefix;
6671 ibpkey.pkey = pkey_val;
6672 ad.u.ibpkey = &ibpkey;
6673 return avc_has_perm(&selinux_state,
6674 sec->sid, sid,
6675 SECCLASS_INFINIBAND_PKEY,
6676 INFINIBAND_PKEY__ACCESS, &ad);
6677 }
6678
selinux_ib_endport_manage_subnet(void * ib_sec,const char * dev_name,u8 port_num)6679 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6680 u8 port_num)
6681 {
6682 struct common_audit_data ad;
6683 int err;
6684 u32 sid = 0;
6685 struct ib_security_struct *sec = ib_sec;
6686 struct lsm_ibendport_audit ibendport;
6687
6688 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6689 &sid);
6690
6691 if (err)
6692 return err;
6693
6694 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6695 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6696 ibendport.port = port_num;
6697 ad.u.ibendport = &ibendport;
6698 return avc_has_perm(&selinux_state,
6699 sec->sid, sid,
6700 SECCLASS_INFINIBAND_ENDPORT,
6701 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6702 }
6703
selinux_ib_alloc_security(void ** ib_sec)6704 static int selinux_ib_alloc_security(void **ib_sec)
6705 {
6706 struct ib_security_struct *sec;
6707
6708 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6709 if (!sec)
6710 return -ENOMEM;
6711 sec->sid = current_sid();
6712
6713 *ib_sec = sec;
6714 return 0;
6715 }
6716
selinux_ib_free_security(void * ib_sec)6717 static void selinux_ib_free_security(void *ib_sec)
6718 {
6719 kfree(ib_sec);
6720 }
6721 #endif
6722
6723 #ifdef CONFIG_BPF_SYSCALL
selinux_bpf(int cmd,union bpf_attr * attr,unsigned int size)6724 static int selinux_bpf(int cmd, union bpf_attr *attr,
6725 unsigned int size)
6726 {
6727 u32 sid = current_sid();
6728 int ret;
6729
6730 switch (cmd) {
6731 case BPF_MAP_CREATE:
6732 ret = avc_has_perm(&selinux_state,
6733 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6734 NULL);
6735 break;
6736 case BPF_PROG_LOAD:
6737 ret = avc_has_perm(&selinux_state,
6738 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6739 NULL);
6740 break;
6741 default:
6742 ret = 0;
6743 break;
6744 }
6745
6746 return ret;
6747 }
6748
bpf_map_fmode_to_av(fmode_t fmode)6749 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6750 {
6751 u32 av = 0;
6752
6753 if (fmode & FMODE_READ)
6754 av |= BPF__MAP_READ;
6755 if (fmode & FMODE_WRITE)
6756 av |= BPF__MAP_WRITE;
6757 return av;
6758 }
6759
6760 /* This function will check the file pass through unix socket or binder to see
6761 * if it is a bpf related object. And apply correspinding checks on the bpf
6762 * object based on the type. The bpf maps and programs, not like other files and
6763 * socket, are using a shared anonymous inode inside the kernel as their inode.
6764 * So checking that inode cannot identify if the process have privilege to
6765 * access the bpf object and that's why we have to add this additional check in
6766 * selinux_file_receive and selinux_binder_transfer_files.
6767 */
bpf_fd_pass(struct file * file,u32 sid)6768 static int bpf_fd_pass(struct file *file, u32 sid)
6769 {
6770 struct bpf_security_struct *bpfsec;
6771 struct bpf_prog *prog;
6772 struct bpf_map *map;
6773 int ret;
6774
6775 if (file->f_op == &bpf_map_fops) {
6776 map = file->private_data;
6777 bpfsec = map->security;
6778 ret = avc_has_perm(&selinux_state,
6779 sid, bpfsec->sid, SECCLASS_BPF,
6780 bpf_map_fmode_to_av(file->f_mode), NULL);
6781 if (ret)
6782 return ret;
6783 } else if (file->f_op == &bpf_prog_fops) {
6784 prog = file->private_data;
6785 bpfsec = prog->aux->security;
6786 ret = avc_has_perm(&selinux_state,
6787 sid, bpfsec->sid, SECCLASS_BPF,
6788 BPF__PROG_RUN, NULL);
6789 if (ret)
6790 return ret;
6791 }
6792 return 0;
6793 }
6794
selinux_bpf_map(struct bpf_map * map,fmode_t fmode)6795 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6796 {
6797 u32 sid = current_sid();
6798 struct bpf_security_struct *bpfsec;
6799
6800 bpfsec = map->security;
6801 return avc_has_perm(&selinux_state,
6802 sid, bpfsec->sid, SECCLASS_BPF,
6803 bpf_map_fmode_to_av(fmode), NULL);
6804 }
6805
selinux_bpf_prog(struct bpf_prog * prog)6806 static int selinux_bpf_prog(struct bpf_prog *prog)
6807 {
6808 u32 sid = current_sid();
6809 struct bpf_security_struct *bpfsec;
6810
6811 bpfsec = prog->aux->security;
6812 return avc_has_perm(&selinux_state,
6813 sid, bpfsec->sid, SECCLASS_BPF,
6814 BPF__PROG_RUN, NULL);
6815 }
6816
selinux_bpf_map_alloc(struct bpf_map * map)6817 static int selinux_bpf_map_alloc(struct bpf_map *map)
6818 {
6819 struct bpf_security_struct *bpfsec;
6820
6821 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6822 if (!bpfsec)
6823 return -ENOMEM;
6824
6825 bpfsec->sid = current_sid();
6826 map->security = bpfsec;
6827
6828 return 0;
6829 }
6830
selinux_bpf_map_free(struct bpf_map * map)6831 static void selinux_bpf_map_free(struct bpf_map *map)
6832 {
6833 struct bpf_security_struct *bpfsec = map->security;
6834
6835 map->security = NULL;
6836 kfree(bpfsec);
6837 }
6838
selinux_bpf_prog_alloc(struct bpf_prog_aux * aux)6839 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6840 {
6841 struct bpf_security_struct *bpfsec;
6842
6843 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6844 if (!bpfsec)
6845 return -ENOMEM;
6846
6847 bpfsec->sid = current_sid();
6848 aux->security = bpfsec;
6849
6850 return 0;
6851 }
6852
selinux_bpf_prog_free(struct bpf_prog_aux * aux)6853 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6854 {
6855 struct bpf_security_struct *bpfsec = aux->security;
6856
6857 aux->security = NULL;
6858 kfree(bpfsec);
6859 }
6860 #endif
6861
selinux_lockdown(enum lockdown_reason what)6862 static int selinux_lockdown(enum lockdown_reason what)
6863 {
6864 struct common_audit_data ad;
6865 u32 sid = current_sid();
6866 int invalid_reason = (what <= LOCKDOWN_NONE) ||
6867 (what == LOCKDOWN_INTEGRITY_MAX) ||
6868 (what >= LOCKDOWN_CONFIDENTIALITY_MAX);
6869
6870 if (WARN(invalid_reason, "Invalid lockdown reason")) {
6871 audit_log(audit_context(),
6872 GFP_ATOMIC, AUDIT_SELINUX_ERR,
6873 "lockdown_reason=invalid");
6874 return -EINVAL;
6875 }
6876
6877 ad.type = LSM_AUDIT_DATA_LOCKDOWN;
6878 ad.u.reason = what;
6879
6880 if (what <= LOCKDOWN_INTEGRITY_MAX)
6881 return avc_has_perm(&selinux_state,
6882 sid, sid, SECCLASS_LOCKDOWN,
6883 LOCKDOWN__INTEGRITY, &ad);
6884 else
6885 return avc_has_perm(&selinux_state,
6886 sid, sid, SECCLASS_LOCKDOWN,
6887 LOCKDOWN__CONFIDENTIALITY, &ad);
6888 }
6889
6890 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6891 .lbs_cred = sizeof(struct task_security_struct),
6892 .lbs_file = sizeof(struct file_security_struct),
6893 .lbs_inode = sizeof(struct inode_security_struct),
6894 .lbs_ipc = sizeof(struct ipc_security_struct),
6895 .lbs_msg_msg = sizeof(struct msg_security_struct),
6896 };
6897
6898 #ifdef CONFIG_PERF_EVENTS
selinux_perf_event_open(struct perf_event_attr * attr,int type)6899 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6900 {
6901 u32 requested, sid = current_sid();
6902
6903 if (type == PERF_SECURITY_OPEN)
6904 requested = PERF_EVENT__OPEN;
6905 else if (type == PERF_SECURITY_CPU)
6906 requested = PERF_EVENT__CPU;
6907 else if (type == PERF_SECURITY_KERNEL)
6908 requested = PERF_EVENT__KERNEL;
6909 else if (type == PERF_SECURITY_TRACEPOINT)
6910 requested = PERF_EVENT__TRACEPOINT;
6911 else
6912 return -EINVAL;
6913
6914 return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6915 requested, NULL);
6916 }
6917
selinux_perf_event_alloc(struct perf_event * event)6918 static int selinux_perf_event_alloc(struct perf_event *event)
6919 {
6920 struct perf_event_security_struct *perfsec;
6921
6922 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6923 if (!perfsec)
6924 return -ENOMEM;
6925
6926 perfsec->sid = current_sid();
6927 event->security = perfsec;
6928
6929 return 0;
6930 }
6931
selinux_perf_event_free(struct perf_event * event)6932 static void selinux_perf_event_free(struct perf_event *event)
6933 {
6934 struct perf_event_security_struct *perfsec = event->security;
6935
6936 event->security = NULL;
6937 kfree(perfsec);
6938 }
6939
selinux_perf_event_read(struct perf_event * event)6940 static int selinux_perf_event_read(struct perf_event *event)
6941 {
6942 struct perf_event_security_struct *perfsec = event->security;
6943 u32 sid = current_sid();
6944
6945 return avc_has_perm(&selinux_state, sid, perfsec->sid,
6946 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6947 }
6948
selinux_perf_event_write(struct perf_event * event)6949 static int selinux_perf_event_write(struct perf_event *event)
6950 {
6951 struct perf_event_security_struct *perfsec = event->security;
6952 u32 sid = current_sid();
6953
6954 return avc_has_perm(&selinux_state, sid, perfsec->sid,
6955 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6956 }
6957 #endif
6958
6959 /*
6960 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
6961 * 1. any hooks that don't belong to (2.) or (3.) below,
6962 * 2. hooks that both access structures allocated by other hooks, and allocate
6963 * structures that can be later accessed by other hooks (mostly "cloning"
6964 * hooks),
6965 * 3. hooks that only allocate structures that can be later accessed by other
6966 * hooks ("allocating" hooks).
6967 *
6968 * Please follow block comment delimiters in the list to keep this order.
6969 *
6970 * This ordering is needed for SELinux runtime disable to work at least somewhat
6971 * safely. Breaking the ordering rules above might lead to NULL pointer derefs
6972 * when disabling SELinux at runtime.
6973 */
6974 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6975 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6976 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6977 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6978 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6979
6980 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6981 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6982 LSM_HOOK_INIT(capget, selinux_capget),
6983 LSM_HOOK_INIT(capset, selinux_capset),
6984 LSM_HOOK_INIT(capable, selinux_capable),
6985 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6986 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6987 LSM_HOOK_INIT(syslog, selinux_syslog),
6988 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6989
6990 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6991
6992 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
6993 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6994 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6995
6996 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6997 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6998 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6999 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7000 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7001 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7002 LSM_HOOK_INIT(sb_mount, selinux_mount),
7003 LSM_HOOK_INIT(sb_umount, selinux_umount),
7004 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7005 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7006
7007 LSM_HOOK_INIT(move_mount, selinux_move_mount),
7008
7009 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7010 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7011
7012 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7013 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7014 LSM_HOOK_INIT(inode_create, selinux_inode_create),
7015 LSM_HOOK_INIT(inode_link, selinux_inode_link),
7016 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7017 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7018 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7019 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7020 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7021 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7022 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7023 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7024 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7025 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7026 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7027 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7028 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7029 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7030 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7031 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7032 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7033 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7034 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7035 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7036 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7037 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7038 LSM_HOOK_INIT(path_notify, selinux_path_notify),
7039
7040 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7041
7042 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7043 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7044 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7045 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7046 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7047 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7048 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7049 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7050 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7051 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7052 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7053
7054 LSM_HOOK_INIT(file_open, selinux_file_open),
7055
7056 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7057 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7058 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7059 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7060 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7061 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7062 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7063 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7064 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7065 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7066 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7067 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7068 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
7069 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7070 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7071 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7072 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7073 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7074 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7075 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7076 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7077 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7078 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7079
7080 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7081 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7082
7083 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7084 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7085 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7086 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7087
7088 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7089 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7090 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7091
7092 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7093 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7094 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7095
7096 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7097
7098 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7099 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7100
7101 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7102 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7103 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7104 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7105 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7106 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7107
7108 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7109 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7110
7111 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7112 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7113 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7114 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7115 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7116 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7117 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7118 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7119 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7120 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7121 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7122 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7123 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7124 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7125 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7126 LSM_HOOK_INIT(socket_getpeersec_stream,
7127 selinux_socket_getpeersec_stream),
7128 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7129 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7130 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7131 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7132 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7133 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7134 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7135 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7136 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7137 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7138 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7139 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7140 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7141 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7142 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7143 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7144 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7145 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7146 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7147 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7148 #ifdef CONFIG_SECURITY_INFINIBAND
7149 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7150 LSM_HOOK_INIT(ib_endport_manage_subnet,
7151 selinux_ib_endport_manage_subnet),
7152 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7153 #endif
7154 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7155 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7156 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7157 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7158 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7159 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7160 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7161 selinux_xfrm_state_pol_flow_match),
7162 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7163 #endif
7164
7165 #ifdef CONFIG_KEYS
7166 LSM_HOOK_INIT(key_free, selinux_key_free),
7167 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7168 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7169 #ifdef CONFIG_KEY_NOTIFICATIONS
7170 LSM_HOOK_INIT(watch_key, selinux_watch_key),
7171 #endif
7172 #endif
7173
7174 #ifdef CONFIG_AUDIT
7175 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7176 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7177 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7178 #endif
7179
7180 #ifdef CONFIG_BPF_SYSCALL
7181 LSM_HOOK_INIT(bpf, selinux_bpf),
7182 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7183 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7184 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7185 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7186 #endif
7187
7188 #ifdef CONFIG_PERF_EVENTS
7189 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7190 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7191 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7192 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7193 #endif
7194
7195 LSM_HOOK_INIT(locked_down, selinux_lockdown),
7196
7197 /*
7198 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7199 */
7200 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7201 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7202 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7203 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
7204 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7205 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7206 #endif
7207
7208 /*
7209 * PUT "ALLOCATING" HOOKS HERE
7210 */
7211 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7212 LSM_HOOK_INIT(msg_queue_alloc_security,
7213 selinux_msg_queue_alloc_security),
7214 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7215 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7216 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7217 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7218 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7219 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7220 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7221 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7222 #ifdef CONFIG_SECURITY_INFINIBAND
7223 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7224 #endif
7225 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7226 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7227 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7228 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7229 selinux_xfrm_state_alloc_acquire),
7230 #endif
7231 #ifdef CONFIG_KEYS
7232 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7233 #endif
7234 #ifdef CONFIG_AUDIT
7235 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7236 #endif
7237 #ifdef CONFIG_BPF_SYSCALL
7238 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7239 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7240 #endif
7241 #ifdef CONFIG_PERF_EVENTS
7242 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7243 #endif
7244 };
7245
selinux_init(void)7246 static __init int selinux_init(void)
7247 {
7248 pr_info("SELinux: Initializing.\n");
7249
7250 memset(&selinux_state, 0, sizeof(selinux_state));
7251 enforcing_set(&selinux_state, selinux_enforcing_boot);
7252 checkreqprot_set(&selinux_state, selinux_checkreqprot_boot);
7253 selinux_avc_init(&selinux_state.avc);
7254 mutex_init(&selinux_state.status_lock);
7255 mutex_init(&selinux_state.policy_mutex);
7256
7257 /* Set the security state for the initial task. */
7258 cred_init_security();
7259
7260 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7261
7262 avc_init();
7263
7264 avtab_cache_init();
7265
7266 ebitmap_cache_init();
7267
7268 hashtab_cache_init();
7269
7270 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7271
7272 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7273 panic("SELinux: Unable to register AVC netcache callback\n");
7274
7275 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7276 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7277
7278 if (selinux_enforcing_boot)
7279 pr_debug("SELinux: Starting in enforcing mode\n");
7280 else
7281 pr_debug("SELinux: Starting in permissive mode\n");
7282
7283 fs_validate_description("selinux", selinux_fs_parameters);
7284
7285 return 0;
7286 }
7287
delayed_superblock_init(struct super_block * sb,void * unused)7288 static void delayed_superblock_init(struct super_block *sb, void *unused)
7289 {
7290 selinux_set_mnt_opts(sb, NULL, 0, NULL);
7291 }
7292
selinux_complete_init(void)7293 void selinux_complete_init(void)
7294 {
7295 pr_debug("SELinux: Completing initialization.\n");
7296
7297 /* Set up any superblocks initialized prior to the policy load. */
7298 pr_debug("SELinux: Setting up existing superblocks.\n");
7299 iterate_supers(delayed_superblock_init, NULL);
7300 }
7301
7302 /* SELinux requires early initialization in order to label
7303 all processes and objects when they are created. */
7304 DEFINE_LSM(selinux) = {
7305 .name = "selinux",
7306 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7307 .enabled = &selinux_enabled_boot,
7308 .blobs = &selinux_blob_sizes,
7309 .init = selinux_init,
7310 };
7311
7312 #if defined(CONFIG_NETFILTER)
7313
7314 static const struct nf_hook_ops selinux_nf_ops[] = {
7315 {
7316 .hook = selinux_ipv4_postroute,
7317 .pf = NFPROTO_IPV4,
7318 .hooknum = NF_INET_POST_ROUTING,
7319 .priority = NF_IP_PRI_SELINUX_LAST,
7320 },
7321 {
7322 .hook = selinux_ipv4_forward,
7323 .pf = NFPROTO_IPV4,
7324 .hooknum = NF_INET_FORWARD,
7325 .priority = NF_IP_PRI_SELINUX_FIRST,
7326 },
7327 {
7328 .hook = selinux_ipv4_output,
7329 .pf = NFPROTO_IPV4,
7330 .hooknum = NF_INET_LOCAL_OUT,
7331 .priority = NF_IP_PRI_SELINUX_FIRST,
7332 },
7333 #if IS_ENABLED(CONFIG_IPV6)
7334 {
7335 .hook = selinux_ipv6_postroute,
7336 .pf = NFPROTO_IPV6,
7337 .hooknum = NF_INET_POST_ROUTING,
7338 .priority = NF_IP6_PRI_SELINUX_LAST,
7339 },
7340 {
7341 .hook = selinux_ipv6_forward,
7342 .pf = NFPROTO_IPV6,
7343 .hooknum = NF_INET_FORWARD,
7344 .priority = NF_IP6_PRI_SELINUX_FIRST,
7345 },
7346 {
7347 .hook = selinux_ipv6_output,
7348 .pf = NFPROTO_IPV6,
7349 .hooknum = NF_INET_LOCAL_OUT,
7350 .priority = NF_IP6_PRI_SELINUX_FIRST,
7351 },
7352 #endif /* IPV6 */
7353 };
7354
selinux_nf_register(struct net * net)7355 static int __net_init selinux_nf_register(struct net *net)
7356 {
7357 return nf_register_net_hooks(net, selinux_nf_ops,
7358 ARRAY_SIZE(selinux_nf_ops));
7359 }
7360
selinux_nf_unregister(struct net * net)7361 static void __net_exit selinux_nf_unregister(struct net *net)
7362 {
7363 nf_unregister_net_hooks(net, selinux_nf_ops,
7364 ARRAY_SIZE(selinux_nf_ops));
7365 }
7366
7367 static struct pernet_operations selinux_net_ops = {
7368 .init = selinux_nf_register,
7369 .exit = selinux_nf_unregister,
7370 };
7371
selinux_nf_ip_init(void)7372 static int __init selinux_nf_ip_init(void)
7373 {
7374 int err;
7375
7376 if (!selinux_enabled_boot)
7377 return 0;
7378
7379 pr_debug("SELinux: Registering netfilter hooks\n");
7380
7381 err = register_pernet_subsys(&selinux_net_ops);
7382 if (err)
7383 panic("SELinux: register_pernet_subsys: error %d\n", err);
7384
7385 return 0;
7386 }
7387 __initcall(selinux_nf_ip_init);
7388
7389 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_nf_ip_exit(void)7390 static void selinux_nf_ip_exit(void)
7391 {
7392 pr_debug("SELinux: Unregistering netfilter hooks\n");
7393
7394 unregister_pernet_subsys(&selinux_net_ops);
7395 }
7396 #endif
7397
7398 #else /* CONFIG_NETFILTER */
7399
7400 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7401 #define selinux_nf_ip_exit()
7402 #endif
7403
7404 #endif /* CONFIG_NETFILTER */
7405
7406 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_disable(struct selinux_state * state)7407 int selinux_disable(struct selinux_state *state)
7408 {
7409 if (selinux_initialized(state)) {
7410 /* Not permitted after initial policy load. */
7411 return -EINVAL;
7412 }
7413
7414 if (selinux_disabled(state)) {
7415 /* Only do this once. */
7416 return -EINVAL;
7417 }
7418
7419 selinux_mark_disabled(state);
7420
7421 pr_info("SELinux: Disabled at runtime.\n");
7422
7423 /*
7424 * Unregister netfilter hooks.
7425 * Must be done before security_delete_hooks() to avoid breaking
7426 * runtime disable.
7427 */
7428 selinux_nf_ip_exit();
7429
7430 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7431
7432 /* Try to destroy the avc node cache */
7433 avc_disable();
7434
7435 /* Unregister selinuxfs. */
7436 exit_sel_fs();
7437
7438 return 0;
7439 }
7440 #endif
7441