1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * <dgoeddel@trustedcs.com>
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Paul Moore <paul@paul-moore.com>
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * Copyright (C) 2016 Mellanox Technologies
22 */
23
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched/signal.h>
31 #include <linux/sched/task.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/fs_context.h>
50 #include <linux/fs_parser.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/mutex.h>
83 #include <linux/posix-timers.h>
84 #include <linux/syslog.h>
85 #include <linux/user_namespace.h>
86 #include <linux/export.h>
87 #include <linux/msg.h>
88 #include <linux/shm.h>
89 #include <linux/bpf.h>
90 #include <linux/kernfs.h>
91 #include <linux/stringhash.h> /* for hashlen_string() */
92 #include <uapi/linux/mount.h>
93 #include <linux/fsnotify.h>
94 #include <linux/fanotify.h>
95
96 #include <linux/hck/lite_hck_ced.h>
97
98 #include "avc.h"
99 #include "objsec.h"
100 #include "netif.h"
101 #include "netnode.h"
102 #include "netport.h"
103 #include "ibpkey.h"
104 #include "xfrm.h"
105 #include "netlabel.h"
106 #include "audit.h"
107 #include "avc_ss.h"
108
109 struct selinux_state selinux_state;
110
111 /* SECMARK reference count */
112 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
113
114 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
115 static int selinux_enforcing_boot __initdata;
116
enforcing_setup(char * str)117 static int __init enforcing_setup(char *str)
118 {
119 unsigned long enforcing;
120 if (!kstrtoul(str, 0, &enforcing))
121 selinux_enforcing_boot = enforcing ? 1 : 0;
122 return 1;
123 }
124 __setup("enforcing=", enforcing_setup);
125 #else
126 #define selinux_enforcing_boot 1
127 #endif
128
129 int selinux_enabled_boot __initdata = 1;
130 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
selinux_enabled_setup(char * str)131 static int __init selinux_enabled_setup(char *str)
132 {
133 unsigned long enabled;
134 if (!kstrtoul(str, 0, &enabled))
135 selinux_enabled_boot = enabled ? 1 : 0;
136 return 1;
137 }
138 __setup("selinux=", selinux_enabled_setup);
139 #endif
140
141 static unsigned int selinux_checkreqprot_boot =
142 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
143
checkreqprot_setup(char * str)144 static int __init checkreqprot_setup(char *str)
145 {
146 unsigned long checkreqprot;
147
148 if (!kstrtoul(str, 0, &checkreqprot)) {
149 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
150 if (checkreqprot)
151 pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
152 }
153 return 1;
154 }
155 __setup("checkreqprot=", checkreqprot_setup);
156
157 /**
158 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
159 *
160 * Description:
161 * This function checks the SECMARK reference counter to see if any SECMARK
162 * targets are currently configured, if the reference counter is greater than
163 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
164 * enabled, false (0) if SECMARK is disabled. If the always_check_network
165 * policy capability is enabled, SECMARK is always considered enabled.
166 *
167 */
selinux_secmark_enabled(void)168 static int selinux_secmark_enabled(void)
169 {
170 return (selinux_policycap_alwaysnetwork() ||
171 atomic_read(&selinux_secmark_refcount));
172 }
173
174 /**
175 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
176 *
177 * Description:
178 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
179 * (1) if any are enabled or false (0) if neither are enabled. If the
180 * always_check_network policy capability is enabled, peer labeling
181 * is always considered enabled.
182 *
183 */
selinux_peerlbl_enabled(void)184 static int selinux_peerlbl_enabled(void)
185 {
186 return (selinux_policycap_alwaysnetwork() ||
187 netlbl_enabled() || selinux_xfrm_enabled());
188 }
189
selinux_netcache_avc_callback(u32 event)190 static int selinux_netcache_avc_callback(u32 event)
191 {
192 if (event == AVC_CALLBACK_RESET) {
193 sel_netif_flush();
194 sel_netnode_flush();
195 sel_netport_flush();
196 synchronize_net();
197 }
198 return 0;
199 }
200
selinux_lsm_notifier_avc_callback(u32 event)201 static int selinux_lsm_notifier_avc_callback(u32 event)
202 {
203 if (event == AVC_CALLBACK_RESET) {
204 sel_ib_pkey_flush();
205 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
206 }
207
208 return 0;
209 }
210
211 /*
212 * initialise the security for the init task
213 */
cred_init_security(void)214 static void cred_init_security(void)
215 {
216 struct cred *cred = (struct cred *) current->real_cred;
217 struct task_security_struct *tsec;
218
219 tsec = selinux_cred(cred);
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 }
222
223 /*
224 * get the security ID of a set of credentials
225 */
cred_sid(const struct cred * cred)226 static inline u32 cred_sid(const struct cred *cred)
227 {
228 const struct task_security_struct *tsec;
229
230 tsec = selinux_cred(cred);
231 return tsec->sid;
232 }
233
234 /*
235 * get the objective security ID of a task
236 */
task_sid(const struct task_struct * task)237 static inline u32 task_sid(const struct task_struct *task)
238 {
239 u32 sid;
240
241 rcu_read_lock();
242 sid = cred_sid(__task_cred(task));
243 rcu_read_unlock();
244 return sid;
245 }
246
247 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
248
249 /*
250 * Try reloading inode security labels that have been marked as invalid. The
251 * @may_sleep parameter indicates when sleeping and thus reloading labels is
252 * allowed; when set to false, returns -ECHILD when the label is
253 * invalid. The @dentry parameter should be set to a dentry of the inode.
254 */
__inode_security_revalidate(struct inode * inode,struct dentry * dentry,bool may_sleep)255 static int __inode_security_revalidate(struct inode *inode,
256 struct dentry *dentry,
257 bool may_sleep)
258 {
259 struct inode_security_struct *isec = selinux_inode(inode);
260
261 might_sleep_if(may_sleep);
262
263 if (selinux_initialized(&selinux_state) &&
264 isec->initialized != LABEL_INITIALIZED) {
265 if (!may_sleep)
266 return -ECHILD;
267
268 /*
269 * Try reloading the inode security label. This will fail if
270 * @opt_dentry is NULL and no dentry for this inode can be
271 * found; in that case, continue using the old label.
272 */
273 inode_doinit_with_dentry(inode, dentry);
274 }
275 return 0;
276 }
277
inode_security_novalidate(struct inode * inode)278 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
279 {
280 return selinux_inode(inode);
281 }
282
inode_security_rcu(struct inode * inode,bool rcu)283 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
284 {
285 int error;
286
287 error = __inode_security_revalidate(inode, NULL, !rcu);
288 if (error)
289 return ERR_PTR(error);
290 return selinux_inode(inode);
291 }
292
293 /*
294 * Get the security label of an inode.
295 */
inode_security(struct inode * inode)296 static struct inode_security_struct *inode_security(struct inode *inode)
297 {
298 __inode_security_revalidate(inode, NULL, true);
299 return selinux_inode(inode);
300 }
301
backing_inode_security_novalidate(struct dentry * dentry)302 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
303 {
304 struct inode *inode = d_backing_inode(dentry);
305
306 return selinux_inode(inode);
307 }
308
309 /*
310 * Get the security label of a dentry's backing inode.
311 */
backing_inode_security(struct dentry * dentry)312 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
313 {
314 struct inode *inode = d_backing_inode(dentry);
315
316 __inode_security_revalidate(inode, dentry, true);
317 return selinux_inode(inode);
318 }
319
inode_free_security(struct inode * inode)320 static void inode_free_security(struct inode *inode)
321 {
322 struct inode_security_struct *isec = selinux_inode(inode);
323 struct superblock_security_struct *sbsec;
324
325 if (!isec)
326 return;
327 sbsec = inode->i_sb->s_security;
328 /*
329 * As not all inode security structures are in a list, we check for
330 * empty list outside of the lock to make sure that we won't waste
331 * time taking a lock doing nothing.
332 *
333 * The list_del_init() function can be safely called more than once.
334 * It should not be possible for this function to be called with
335 * concurrent list_add(), but for better safety against future changes
336 * in the code, we use list_empty_careful() here.
337 */
338 if (!list_empty_careful(&isec->list)) {
339 spin_lock(&sbsec->isec_lock);
340 list_del_init(&isec->list);
341 spin_unlock(&sbsec->isec_lock);
342 }
343 }
344
superblock_free_security(struct super_block * sb)345 static void superblock_free_security(struct super_block *sb)
346 {
347 struct superblock_security_struct *sbsec = sb->s_security;
348 sb->s_security = NULL;
349 kfree(sbsec);
350 }
351
352 struct selinux_mnt_opts {
353 const char *fscontext, *context, *rootcontext, *defcontext;
354 };
355
selinux_free_mnt_opts(void * mnt_opts)356 static void selinux_free_mnt_opts(void *mnt_opts)
357 {
358 struct selinux_mnt_opts *opts = mnt_opts;
359 kfree(opts->fscontext);
360 kfree(opts->context);
361 kfree(opts->rootcontext);
362 kfree(opts->defcontext);
363 kfree(opts);
364 }
365
366 enum {
367 Opt_error = -1,
368 Opt_context = 0,
369 Opt_defcontext = 1,
370 Opt_fscontext = 2,
371 Opt_rootcontext = 3,
372 Opt_seclabel = 4,
373 };
374
375 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
376 static struct {
377 const char *name;
378 int len;
379 int opt;
380 bool has_arg;
381 } tokens[] = {
382 A(context, true),
383 A(fscontext, true),
384 A(defcontext, true),
385 A(rootcontext, true),
386 A(seclabel, false),
387 };
388 #undef A
389
match_opt_prefix(char * s,int l,char ** arg)390 static int match_opt_prefix(char *s, int l, char **arg)
391 {
392 int i;
393
394 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
395 size_t len = tokens[i].len;
396 if (len > l || memcmp(s, tokens[i].name, len))
397 continue;
398 if (tokens[i].has_arg) {
399 if (len == l || s[len] != '=')
400 continue;
401 *arg = s + len + 1;
402 } else if (len != l)
403 continue;
404 return tokens[i].opt;
405 }
406 return Opt_error;
407 }
408
409 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
410
may_context_mount_sb_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)411 static int may_context_mount_sb_relabel(u32 sid,
412 struct superblock_security_struct *sbsec,
413 const struct cred *cred)
414 {
415 const struct task_security_struct *tsec = selinux_cred(cred);
416 int rc;
417
418 rc = avc_has_perm(&selinux_state,
419 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
420 FILESYSTEM__RELABELFROM, NULL);
421 if (rc)
422 return rc;
423
424 rc = avc_has_perm(&selinux_state,
425 tsec->sid, sid, SECCLASS_FILESYSTEM,
426 FILESYSTEM__RELABELTO, NULL);
427 return rc;
428 }
429
may_context_mount_inode_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)430 static int may_context_mount_inode_relabel(u32 sid,
431 struct superblock_security_struct *sbsec,
432 const struct cred *cred)
433 {
434 const struct task_security_struct *tsec = selinux_cred(cred);
435 int rc;
436 rc = avc_has_perm(&selinux_state,
437 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
438 FILESYSTEM__RELABELFROM, NULL);
439 if (rc)
440 return rc;
441
442 rc = avc_has_perm(&selinux_state,
443 sid, sbsec->sid, SECCLASS_FILESYSTEM,
444 FILESYSTEM__ASSOCIATE, NULL);
445 return rc;
446 }
447
selinux_is_genfs_special_handling(struct super_block * sb)448 static int selinux_is_genfs_special_handling(struct super_block *sb)
449 {
450 /* Special handling. Genfs but also in-core setxattr handler */
451 return !strcmp(sb->s_type->name, "sysfs") ||
452 !strcmp(sb->s_type->name, "pstore") ||
453 !strcmp(sb->s_type->name, "debugfs") ||
454 !strcmp(sb->s_type->name, "tracefs") ||
455 !strcmp(sb->s_type->name, "rootfs") ||
456 (selinux_policycap_cgroupseclabel() &&
457 (!strcmp(sb->s_type->name, "cgroup") ||
458 !strcmp(sb->s_type->name, "cgroup2")));
459 }
460
selinux_is_sblabel_mnt(struct super_block * sb)461 static int selinux_is_sblabel_mnt(struct super_block *sb)
462 {
463 struct superblock_security_struct *sbsec = sb->s_security;
464
465 /*
466 * IMPORTANT: Double-check logic in this function when adding a new
467 * SECURITY_FS_USE_* definition!
468 */
469 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
470
471 switch (sbsec->behavior) {
472 case SECURITY_FS_USE_XATTR:
473 case SECURITY_FS_USE_TRANS:
474 case SECURITY_FS_USE_TASK:
475 case SECURITY_FS_USE_NATIVE:
476 return 1;
477
478 case SECURITY_FS_USE_GENFS:
479 return selinux_is_genfs_special_handling(sb);
480
481 /* Never allow relabeling on context mounts */
482 case SECURITY_FS_USE_MNTPOINT:
483 case SECURITY_FS_USE_NONE:
484 default:
485 return 0;
486 }
487 }
488
sb_finish_set_opts(struct super_block * sb)489 static int sb_finish_set_opts(struct super_block *sb)
490 {
491 struct superblock_security_struct *sbsec = sb->s_security;
492 struct dentry *root = sb->s_root;
493 struct inode *root_inode = d_backing_inode(root);
494 int rc = 0;
495
496 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
497 /* Make sure that the xattr handler exists and that no
498 error other than -ENODATA is returned by getxattr on
499 the root directory. -ENODATA is ok, as this may be
500 the first boot of the SELinux kernel before we have
501 assigned xattr values to the filesystem. */
502 if (!(root_inode->i_opflags & IOP_XATTR)) {
503 pr_warn("SELinux: (dev %s, type %s) has no "
504 "xattr support\n", sb->s_id, sb->s_type->name);
505 rc = -EOPNOTSUPP;
506 goto out;
507 }
508
509 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
510 if (rc < 0 && rc != -ENODATA) {
511 if (rc == -EOPNOTSUPP)
512 pr_warn("SELinux: (dev %s, type "
513 "%s) has no security xattr handler\n",
514 sb->s_id, sb->s_type->name);
515 else
516 pr_warn("SELinux: (dev %s, type "
517 "%s) getxattr errno %d\n", sb->s_id,
518 sb->s_type->name, -rc);
519 goto out;
520 }
521 }
522
523 sbsec->flags |= SE_SBINITIALIZED;
524
525 /*
526 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
527 * leave the flag untouched because sb_clone_mnt_opts might be handing
528 * us a superblock that needs the flag to be cleared.
529 */
530 if (selinux_is_sblabel_mnt(sb))
531 sbsec->flags |= SBLABEL_MNT;
532 else
533 sbsec->flags &= ~SBLABEL_MNT;
534
535 /* Initialize the root inode. */
536 rc = inode_doinit_with_dentry(root_inode, root);
537
538 /* Initialize any other inodes associated with the superblock, e.g.
539 inodes created prior to initial policy load or inodes created
540 during get_sb by a pseudo filesystem that directly
541 populates itself. */
542 spin_lock(&sbsec->isec_lock);
543 while (!list_empty(&sbsec->isec_head)) {
544 struct inode_security_struct *isec =
545 list_first_entry(&sbsec->isec_head,
546 struct inode_security_struct, list);
547 struct inode *inode = isec->inode;
548 list_del_init(&isec->list);
549 spin_unlock(&sbsec->isec_lock);
550 inode = igrab(inode);
551 if (inode) {
552 if (!IS_PRIVATE(inode))
553 inode_doinit_with_dentry(inode, NULL);
554 iput(inode);
555 }
556 spin_lock(&sbsec->isec_lock);
557 }
558 spin_unlock(&sbsec->isec_lock);
559 out:
560 return rc;
561 }
562
bad_option(struct superblock_security_struct * sbsec,char flag,u32 old_sid,u32 new_sid)563 static int bad_option(struct superblock_security_struct *sbsec, char flag,
564 u32 old_sid, u32 new_sid)
565 {
566 char mnt_flags = sbsec->flags & SE_MNTMASK;
567
568 /* check if the old mount command had the same options */
569 if (sbsec->flags & SE_SBINITIALIZED)
570 if (!(sbsec->flags & flag) ||
571 (old_sid != new_sid))
572 return 1;
573
574 /* check if we were passed the same options twice,
575 * aka someone passed context=a,context=b
576 */
577 if (!(sbsec->flags & SE_SBINITIALIZED))
578 if (mnt_flags & flag)
579 return 1;
580 return 0;
581 }
582
parse_sid(struct super_block * sb,const char * s,u32 * sid)583 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
584 {
585 int rc = security_context_str_to_sid(&selinux_state, s,
586 sid, GFP_KERNEL);
587 if (rc)
588 pr_warn("SELinux: security_context_str_to_sid"
589 "(%s) failed for (dev %s, type %s) errno=%d\n",
590 s, sb->s_id, sb->s_type->name, rc);
591 return rc;
592 }
593
594 /*
595 * Allow filesystems with binary mount data to explicitly set mount point
596 * labeling information.
597 */
selinux_set_mnt_opts(struct super_block * sb,void * mnt_opts,unsigned long kern_flags,unsigned long * set_kern_flags)598 static int selinux_set_mnt_opts(struct super_block *sb,
599 void *mnt_opts,
600 unsigned long kern_flags,
601 unsigned long *set_kern_flags)
602 {
603 const struct cred *cred = current_cred();
604 struct superblock_security_struct *sbsec = sb->s_security;
605 struct dentry *root = sbsec->sb->s_root;
606 struct selinux_mnt_opts *opts = mnt_opts;
607 struct inode_security_struct *root_isec;
608 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
609 u32 defcontext_sid = 0;
610 int rc = 0;
611
612 mutex_lock(&sbsec->lock);
613
614 if (!selinux_initialized(&selinux_state)) {
615 if (!opts) {
616 /* Defer initialization until selinux_complete_init,
617 after the initial policy is loaded and the security
618 server is ready to handle calls. */
619 goto out;
620 }
621 rc = -EINVAL;
622 pr_warn("SELinux: Unable to set superblock options "
623 "before the security server is initialized\n");
624 goto out;
625 }
626 if (kern_flags && !set_kern_flags) {
627 /* Specifying internal flags without providing a place to
628 * place the results is not allowed */
629 rc = -EINVAL;
630 goto out;
631 }
632
633 /*
634 * Binary mount data FS will come through this function twice. Once
635 * from an explicit call and once from the generic calls from the vfs.
636 * Since the generic VFS calls will not contain any security mount data
637 * we need to skip the double mount verification.
638 *
639 * This does open a hole in which we will not notice if the first
640 * mount using this sb set explict options and a second mount using
641 * this sb does not set any security options. (The first options
642 * will be used for both mounts)
643 */
644 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
645 && !opts)
646 goto out;
647
648 root_isec = backing_inode_security_novalidate(root);
649
650 /*
651 * parse the mount options, check if they are valid sids.
652 * also check if someone is trying to mount the same sb more
653 * than once with different security options.
654 */
655 if (opts) {
656 if (opts->fscontext) {
657 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
658 if (rc)
659 goto out;
660 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
661 fscontext_sid))
662 goto out_double_mount;
663 sbsec->flags |= FSCONTEXT_MNT;
664 }
665 if (opts->context) {
666 rc = parse_sid(sb, opts->context, &context_sid);
667 if (rc)
668 goto out;
669 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
670 context_sid))
671 goto out_double_mount;
672 sbsec->flags |= CONTEXT_MNT;
673 }
674 if (opts->rootcontext) {
675 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
676 if (rc)
677 goto out;
678 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
679 rootcontext_sid))
680 goto out_double_mount;
681 sbsec->flags |= ROOTCONTEXT_MNT;
682 }
683 if (opts->defcontext) {
684 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
685 if (rc)
686 goto out;
687 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
688 defcontext_sid))
689 goto out_double_mount;
690 sbsec->flags |= DEFCONTEXT_MNT;
691 }
692 }
693
694 if (sbsec->flags & SE_SBINITIALIZED) {
695 /* previously mounted with options, but not on this attempt? */
696 if ((sbsec->flags & SE_MNTMASK) && !opts)
697 goto out_double_mount;
698 rc = 0;
699 goto out;
700 }
701
702 if (strcmp(sb->s_type->name, "proc") == 0)
703 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
704
705 if (!strcmp(sb->s_type->name, "debugfs") ||
706 !strcmp(sb->s_type->name, "tracefs") ||
707 !strcmp(sb->s_type->name, "binder") ||
708 !strcmp(sb->s_type->name, "bpf") ||
709 !strcmp(sb->s_type->name, "pstore"))
710 sbsec->flags |= SE_SBGENFS;
711
712 if (!strcmp(sb->s_type->name, "sysfs") ||
713 !strcmp(sb->s_type->name, "cgroup") ||
714 !strcmp(sb->s_type->name, "cgroup2"))
715 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
716
717 if (!sbsec->behavior) {
718 /*
719 * Determine the labeling behavior to use for this
720 * filesystem type.
721 */
722 rc = security_fs_use(&selinux_state, sb);
723 if (rc) {
724 pr_warn("%s: security_fs_use(%s) returned %d\n",
725 __func__, sb->s_type->name, rc);
726 goto out;
727 }
728 }
729
730 /*
731 * If this is a user namespace mount and the filesystem type is not
732 * explicitly whitelisted, then no contexts are allowed on the command
733 * line and security labels must be ignored.
734 */
735 if (sb->s_user_ns != &init_user_ns &&
736 strcmp(sb->s_type->name, "tmpfs") &&
737 strcmp(sb->s_type->name, "ramfs") &&
738 strcmp(sb->s_type->name, "devpts")) {
739 if (context_sid || fscontext_sid || rootcontext_sid ||
740 defcontext_sid) {
741 rc = -EACCES;
742 goto out;
743 }
744 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
745 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
746 rc = security_transition_sid(&selinux_state,
747 current_sid(),
748 current_sid(),
749 SECCLASS_FILE, NULL,
750 &sbsec->mntpoint_sid);
751 if (rc)
752 goto out;
753 }
754 goto out_set_opts;
755 }
756
757 /* sets the context of the superblock for the fs being mounted. */
758 if (fscontext_sid) {
759 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
760 if (rc)
761 goto out;
762
763 sbsec->sid = fscontext_sid;
764 }
765
766 /*
767 * Switch to using mount point labeling behavior.
768 * sets the label used on all file below the mountpoint, and will set
769 * the superblock context if not already set.
770 */
771 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
772 sbsec->behavior = SECURITY_FS_USE_NATIVE;
773 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
774 }
775
776 if (context_sid) {
777 if (!fscontext_sid) {
778 rc = may_context_mount_sb_relabel(context_sid, sbsec,
779 cred);
780 if (rc)
781 goto out;
782 sbsec->sid = context_sid;
783 } else {
784 rc = may_context_mount_inode_relabel(context_sid, sbsec,
785 cred);
786 if (rc)
787 goto out;
788 }
789 if (!rootcontext_sid)
790 rootcontext_sid = context_sid;
791
792 sbsec->mntpoint_sid = context_sid;
793 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
794 }
795
796 if (rootcontext_sid) {
797 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
798 cred);
799 if (rc)
800 goto out;
801
802 root_isec->sid = rootcontext_sid;
803 root_isec->initialized = LABEL_INITIALIZED;
804 }
805
806 if (defcontext_sid) {
807 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
808 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
809 rc = -EINVAL;
810 pr_warn("SELinux: defcontext option is "
811 "invalid for this filesystem type\n");
812 goto out;
813 }
814
815 if (defcontext_sid != sbsec->def_sid) {
816 rc = may_context_mount_inode_relabel(defcontext_sid,
817 sbsec, cred);
818 if (rc)
819 goto out;
820 }
821
822 sbsec->def_sid = defcontext_sid;
823 }
824
825 out_set_opts:
826 rc = sb_finish_set_opts(sb);
827 out:
828 mutex_unlock(&sbsec->lock);
829 return rc;
830 out_double_mount:
831 rc = -EINVAL;
832 pr_warn("SELinux: mount invalid. Same superblock, different "
833 "security settings for (dev %s, type %s)\n", sb->s_id,
834 sb->s_type->name);
835 goto out;
836 }
837
selinux_cmp_sb_context(const struct super_block * oldsb,const struct super_block * newsb)838 static int selinux_cmp_sb_context(const struct super_block *oldsb,
839 const struct super_block *newsb)
840 {
841 struct superblock_security_struct *old = oldsb->s_security;
842 struct superblock_security_struct *new = newsb->s_security;
843 char oldflags = old->flags & SE_MNTMASK;
844 char newflags = new->flags & SE_MNTMASK;
845
846 if (oldflags != newflags)
847 goto mismatch;
848 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
849 goto mismatch;
850 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
851 goto mismatch;
852 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
853 goto mismatch;
854 if (oldflags & ROOTCONTEXT_MNT) {
855 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
856 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
857 if (oldroot->sid != newroot->sid)
858 goto mismatch;
859 }
860 return 0;
861 mismatch:
862 pr_warn("SELinux: mount invalid. Same superblock, "
863 "different security settings for (dev %s, "
864 "type %s)\n", newsb->s_id, newsb->s_type->name);
865 return -EBUSY;
866 }
867
selinux_sb_clone_mnt_opts(const struct super_block * oldsb,struct super_block * newsb,unsigned long kern_flags,unsigned long * set_kern_flags)868 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
869 struct super_block *newsb,
870 unsigned long kern_flags,
871 unsigned long *set_kern_flags)
872 {
873 int rc = 0;
874 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
875 struct superblock_security_struct *newsbsec = newsb->s_security;
876
877 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
878 int set_context = (oldsbsec->flags & CONTEXT_MNT);
879 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
880
881 /*
882 * if the parent was able to be mounted it clearly had no special lsm
883 * mount options. thus we can safely deal with this superblock later
884 */
885 if (!selinux_initialized(&selinux_state))
886 return 0;
887
888 /*
889 * Specifying internal flags without providing a place to
890 * place the results is not allowed.
891 */
892 if (kern_flags && !set_kern_flags)
893 return -EINVAL;
894
895 /* how can we clone if the old one wasn't set up?? */
896 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
897
898 /* if fs is reusing a sb, make sure that the contexts match */
899 if (newsbsec->flags & SE_SBINITIALIZED) {
900 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
901 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
902 return selinux_cmp_sb_context(oldsb, newsb);
903 }
904
905 mutex_lock(&newsbsec->lock);
906
907 newsbsec->flags = oldsbsec->flags;
908
909 newsbsec->sid = oldsbsec->sid;
910 newsbsec->def_sid = oldsbsec->def_sid;
911 newsbsec->behavior = oldsbsec->behavior;
912
913 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
914 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
915 rc = security_fs_use(&selinux_state, newsb);
916 if (rc)
917 goto out;
918 }
919
920 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
921 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
922 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
923 }
924
925 if (set_context) {
926 u32 sid = oldsbsec->mntpoint_sid;
927
928 if (!set_fscontext)
929 newsbsec->sid = sid;
930 if (!set_rootcontext) {
931 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
932 newisec->sid = sid;
933 }
934 newsbsec->mntpoint_sid = sid;
935 }
936 if (set_rootcontext) {
937 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
938 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
939
940 newisec->sid = oldisec->sid;
941 }
942
943 sb_finish_set_opts(newsb);
944 out:
945 mutex_unlock(&newsbsec->lock);
946 return rc;
947 }
948
selinux_add_opt(int token,const char * s,void ** mnt_opts)949 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
950 {
951 struct selinux_mnt_opts *opts = *mnt_opts;
952 bool is_alloc_opts = false;
953
954 if (token == Opt_seclabel) /* eaten and completely ignored */
955 return 0;
956
957 if (!s)
958 return -ENOMEM;
959
960 if (!opts) {
961 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
962 if (!opts)
963 return -ENOMEM;
964 *mnt_opts = opts;
965 is_alloc_opts = true;
966 }
967
968 switch (token) {
969 case Opt_context:
970 if (opts->context || opts->defcontext)
971 goto Einval;
972 opts->context = s;
973 break;
974 case Opt_fscontext:
975 if (opts->fscontext)
976 goto Einval;
977 opts->fscontext = s;
978 break;
979 case Opt_rootcontext:
980 if (opts->rootcontext)
981 goto Einval;
982 opts->rootcontext = s;
983 break;
984 case Opt_defcontext:
985 if (opts->context || opts->defcontext)
986 goto Einval;
987 opts->defcontext = s;
988 break;
989 }
990 return 0;
991 Einval:
992 if (is_alloc_opts) {
993 kfree(opts);
994 *mnt_opts = NULL;
995 }
996 pr_warn(SEL_MOUNT_FAIL_MSG);
997 return -EINVAL;
998 }
999
selinux_add_mnt_opt(const char * option,const char * val,int len,void ** mnt_opts)1000 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1001 void **mnt_opts)
1002 {
1003 int token = Opt_error;
1004 int rc, i;
1005
1006 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1007 if (strcmp(option, tokens[i].name) == 0) {
1008 token = tokens[i].opt;
1009 break;
1010 }
1011 }
1012
1013 if (token == Opt_error)
1014 return -EINVAL;
1015
1016 if (token != Opt_seclabel) {
1017 val = kmemdup_nul(val, len, GFP_KERNEL);
1018 if (!val) {
1019 rc = -ENOMEM;
1020 goto free_opt;
1021 }
1022 }
1023 rc = selinux_add_opt(token, val, mnt_opts);
1024 if (unlikely(rc)) {
1025 kfree(val);
1026 goto free_opt;
1027 }
1028 return rc;
1029
1030 free_opt:
1031 if (*mnt_opts) {
1032 selinux_free_mnt_opts(*mnt_opts);
1033 *mnt_opts = NULL;
1034 }
1035 return rc;
1036 }
1037
show_sid(struct seq_file * m,u32 sid)1038 static int show_sid(struct seq_file *m, u32 sid)
1039 {
1040 char *context = NULL;
1041 u32 len;
1042 int rc;
1043
1044 rc = security_sid_to_context(&selinux_state, sid,
1045 &context, &len);
1046 if (!rc) {
1047 bool has_comma = context && strchr(context, ',');
1048
1049 seq_putc(m, '=');
1050 if (has_comma)
1051 seq_putc(m, '\"');
1052 seq_escape(m, context, "\"\n\\");
1053 if (has_comma)
1054 seq_putc(m, '\"');
1055 }
1056 kfree(context);
1057 return rc;
1058 }
1059
selinux_sb_show_options(struct seq_file * m,struct super_block * sb)1060 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1061 {
1062 struct superblock_security_struct *sbsec = sb->s_security;
1063 int rc;
1064
1065 if (!(sbsec->flags & SE_SBINITIALIZED))
1066 return 0;
1067
1068 if (!selinux_initialized(&selinux_state))
1069 return 0;
1070
1071 if (sbsec->flags & FSCONTEXT_MNT) {
1072 seq_putc(m, ',');
1073 seq_puts(m, FSCONTEXT_STR);
1074 rc = show_sid(m, sbsec->sid);
1075 if (rc)
1076 return rc;
1077 }
1078 if (sbsec->flags & CONTEXT_MNT) {
1079 seq_putc(m, ',');
1080 seq_puts(m, CONTEXT_STR);
1081 rc = show_sid(m, sbsec->mntpoint_sid);
1082 if (rc)
1083 return rc;
1084 }
1085 if (sbsec->flags & DEFCONTEXT_MNT) {
1086 seq_putc(m, ',');
1087 seq_puts(m, DEFCONTEXT_STR);
1088 rc = show_sid(m, sbsec->def_sid);
1089 if (rc)
1090 return rc;
1091 }
1092 if (sbsec->flags & ROOTCONTEXT_MNT) {
1093 struct dentry *root = sbsec->sb->s_root;
1094 struct inode_security_struct *isec = backing_inode_security(root);
1095 seq_putc(m, ',');
1096 seq_puts(m, ROOTCONTEXT_STR);
1097 rc = show_sid(m, isec->sid);
1098 if (rc)
1099 return rc;
1100 }
1101 if (sbsec->flags & SBLABEL_MNT) {
1102 seq_putc(m, ',');
1103 seq_puts(m, SECLABEL_STR);
1104 }
1105 return 0;
1106 }
1107
inode_mode_to_security_class(umode_t mode)1108 static inline u16 inode_mode_to_security_class(umode_t mode)
1109 {
1110 switch (mode & S_IFMT) {
1111 case S_IFSOCK:
1112 return SECCLASS_SOCK_FILE;
1113 case S_IFLNK:
1114 return SECCLASS_LNK_FILE;
1115 case S_IFREG:
1116 return SECCLASS_FILE;
1117 case S_IFBLK:
1118 return SECCLASS_BLK_FILE;
1119 case S_IFDIR:
1120 return SECCLASS_DIR;
1121 case S_IFCHR:
1122 return SECCLASS_CHR_FILE;
1123 case S_IFIFO:
1124 return SECCLASS_FIFO_FILE;
1125
1126 }
1127
1128 return SECCLASS_FILE;
1129 }
1130
default_protocol_stream(int protocol)1131 static inline int default_protocol_stream(int protocol)
1132 {
1133 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1134 }
1135
default_protocol_dgram(int protocol)1136 static inline int default_protocol_dgram(int protocol)
1137 {
1138 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1139 }
1140
socket_type_to_security_class(int family,int type,int protocol)1141 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1142 {
1143 int extsockclass = selinux_policycap_extsockclass();
1144
1145 switch (family) {
1146 case PF_UNIX:
1147 switch (type) {
1148 case SOCK_STREAM:
1149 case SOCK_SEQPACKET:
1150 return SECCLASS_UNIX_STREAM_SOCKET;
1151 case SOCK_DGRAM:
1152 case SOCK_RAW:
1153 return SECCLASS_UNIX_DGRAM_SOCKET;
1154 }
1155 break;
1156 case PF_INET:
1157 case PF_INET6:
1158 switch (type) {
1159 case SOCK_STREAM:
1160 case SOCK_SEQPACKET:
1161 if (default_protocol_stream(protocol))
1162 return SECCLASS_TCP_SOCKET;
1163 else if (extsockclass && protocol == IPPROTO_SCTP)
1164 return SECCLASS_SCTP_SOCKET;
1165 else
1166 return SECCLASS_RAWIP_SOCKET;
1167 case SOCK_DGRAM:
1168 if (default_protocol_dgram(protocol))
1169 return SECCLASS_UDP_SOCKET;
1170 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1171 protocol == IPPROTO_ICMPV6))
1172 return SECCLASS_ICMP_SOCKET;
1173 else
1174 return SECCLASS_RAWIP_SOCKET;
1175 case SOCK_DCCP:
1176 return SECCLASS_DCCP_SOCKET;
1177 default:
1178 return SECCLASS_RAWIP_SOCKET;
1179 }
1180 break;
1181 case PF_NETLINK:
1182 switch (protocol) {
1183 case NETLINK_ROUTE:
1184 return SECCLASS_NETLINK_ROUTE_SOCKET;
1185 case NETLINK_SOCK_DIAG:
1186 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1187 case NETLINK_NFLOG:
1188 return SECCLASS_NETLINK_NFLOG_SOCKET;
1189 case NETLINK_XFRM:
1190 return SECCLASS_NETLINK_XFRM_SOCKET;
1191 case NETLINK_SELINUX:
1192 return SECCLASS_NETLINK_SELINUX_SOCKET;
1193 case NETLINK_ISCSI:
1194 return SECCLASS_NETLINK_ISCSI_SOCKET;
1195 case NETLINK_AUDIT:
1196 return SECCLASS_NETLINK_AUDIT_SOCKET;
1197 case NETLINK_FIB_LOOKUP:
1198 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1199 case NETLINK_CONNECTOR:
1200 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1201 case NETLINK_NETFILTER:
1202 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1203 case NETLINK_DNRTMSG:
1204 return SECCLASS_NETLINK_DNRT_SOCKET;
1205 case NETLINK_KOBJECT_UEVENT:
1206 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1207 case NETLINK_GENERIC:
1208 return SECCLASS_NETLINK_GENERIC_SOCKET;
1209 case NETLINK_SCSITRANSPORT:
1210 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1211 case NETLINK_RDMA:
1212 return SECCLASS_NETLINK_RDMA_SOCKET;
1213 case NETLINK_CRYPTO:
1214 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1215 default:
1216 return SECCLASS_NETLINK_SOCKET;
1217 }
1218 case PF_PACKET:
1219 return SECCLASS_PACKET_SOCKET;
1220 case PF_KEY:
1221 return SECCLASS_KEY_SOCKET;
1222 case PF_APPLETALK:
1223 return SECCLASS_APPLETALK_SOCKET;
1224 }
1225
1226 if (extsockclass) {
1227 switch (family) {
1228 case PF_AX25:
1229 return SECCLASS_AX25_SOCKET;
1230 case PF_IPX:
1231 return SECCLASS_IPX_SOCKET;
1232 case PF_NETROM:
1233 return SECCLASS_NETROM_SOCKET;
1234 case PF_ATMPVC:
1235 return SECCLASS_ATMPVC_SOCKET;
1236 case PF_X25:
1237 return SECCLASS_X25_SOCKET;
1238 case PF_ROSE:
1239 return SECCLASS_ROSE_SOCKET;
1240 case PF_DECnet:
1241 return SECCLASS_DECNET_SOCKET;
1242 case PF_ATMSVC:
1243 return SECCLASS_ATMSVC_SOCKET;
1244 case PF_RDS:
1245 return SECCLASS_RDS_SOCKET;
1246 case PF_IRDA:
1247 return SECCLASS_IRDA_SOCKET;
1248 case PF_PPPOX:
1249 return SECCLASS_PPPOX_SOCKET;
1250 case PF_LLC:
1251 return SECCLASS_LLC_SOCKET;
1252 case PF_CAN:
1253 return SECCLASS_CAN_SOCKET;
1254 case PF_TIPC:
1255 return SECCLASS_TIPC_SOCKET;
1256 case PF_BLUETOOTH:
1257 return SECCLASS_BLUETOOTH_SOCKET;
1258 case PF_IUCV:
1259 return SECCLASS_IUCV_SOCKET;
1260 case PF_RXRPC:
1261 return SECCLASS_RXRPC_SOCKET;
1262 case PF_ISDN:
1263 return SECCLASS_ISDN_SOCKET;
1264 case PF_PHONET:
1265 return SECCLASS_PHONET_SOCKET;
1266 case PF_IEEE802154:
1267 return SECCLASS_IEEE802154_SOCKET;
1268 case PF_CAIF:
1269 return SECCLASS_CAIF_SOCKET;
1270 case PF_ALG:
1271 return SECCLASS_ALG_SOCKET;
1272 case PF_NFC:
1273 return SECCLASS_NFC_SOCKET;
1274 case PF_VSOCK:
1275 return SECCLASS_VSOCK_SOCKET;
1276 case PF_KCM:
1277 return SECCLASS_KCM_SOCKET;
1278 case PF_QIPCRTR:
1279 return SECCLASS_QIPCRTR_SOCKET;
1280 case PF_SMC:
1281 return SECCLASS_SMC_SOCKET;
1282 case PF_XDP:
1283 return SECCLASS_XDP_SOCKET;
1284 #if PF_MAX > 46
1285 #error New address family defined, please update this function.
1286 #endif
1287 }
1288 }
1289
1290 return SECCLASS_SOCKET;
1291 }
1292
selinux_genfs_get_sid(struct dentry * dentry,u16 tclass,u16 flags,u32 * sid)1293 static int selinux_genfs_get_sid(struct dentry *dentry,
1294 u16 tclass,
1295 u16 flags,
1296 u32 *sid)
1297 {
1298 int rc;
1299 struct super_block *sb = dentry->d_sb;
1300 char *buffer, *path;
1301
1302 buffer = (char *)__get_free_page(GFP_KERNEL);
1303 if (!buffer)
1304 return -ENOMEM;
1305
1306 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1307 if (IS_ERR(path))
1308 rc = PTR_ERR(path);
1309 else {
1310 if (flags & SE_SBPROC) {
1311 /* each process gets a /proc/PID/ entry. Strip off the
1312 * PID part to get a valid selinux labeling.
1313 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1314 while (path[1] >= '0' && path[1] <= '9') {
1315 path[1] = '/';
1316 path++;
1317 }
1318 }
1319 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1320 path, tclass, sid);
1321 if (rc == -ENOENT) {
1322 /* No match in policy, mark as unlabeled. */
1323 *sid = SECINITSID_UNLABELED;
1324 rc = 0;
1325 }
1326 }
1327 free_page((unsigned long)buffer);
1328 return rc;
1329 }
1330
inode_doinit_use_xattr(struct inode * inode,struct dentry * dentry,u32 def_sid,u32 * sid)1331 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1332 u32 def_sid, u32 *sid)
1333 {
1334 #define INITCONTEXTLEN 255
1335 char *context;
1336 unsigned int len;
1337 int rc;
1338
1339 len = INITCONTEXTLEN;
1340 context = kmalloc(len + 1, GFP_NOFS);
1341 if (!context)
1342 return -ENOMEM;
1343
1344 context[len] = '\0';
1345 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1346 if (rc == -ERANGE) {
1347 kfree(context);
1348
1349 /* Need a larger buffer. Query for the right size. */
1350 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1351 if (rc < 0)
1352 return rc;
1353
1354 len = rc;
1355 context = kmalloc(len + 1, GFP_NOFS);
1356 if (!context)
1357 return -ENOMEM;
1358
1359 context[len] = '\0';
1360 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1361 context, len);
1362 }
1363 if (rc < 0) {
1364 kfree(context);
1365 if (rc != -ENODATA) {
1366 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1367 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1368 return rc;
1369 }
1370 *sid = def_sid;
1371 return 0;
1372 }
1373
1374 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1375 def_sid, GFP_NOFS);
1376 if (rc) {
1377 char *dev = inode->i_sb->s_id;
1378 unsigned long ino = inode->i_ino;
1379
1380 if (rc == -EINVAL) {
1381 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1382 ino, dev, context);
1383 } else {
1384 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1385 __func__, context, -rc, dev, ino);
1386 }
1387 }
1388 kfree(context);
1389 return 0;
1390 }
1391
1392 /* The inode's security attributes must be initialized before first use. */
inode_doinit_with_dentry(struct inode * inode,struct dentry * opt_dentry)1393 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1394 {
1395 struct superblock_security_struct *sbsec = NULL;
1396 struct inode_security_struct *isec = selinux_inode(inode);
1397 u32 task_sid, sid = 0;
1398 u16 sclass;
1399 struct dentry *dentry;
1400 int rc = 0;
1401
1402 if (isec->initialized == LABEL_INITIALIZED)
1403 return 0;
1404
1405 spin_lock(&isec->lock);
1406 if (isec->initialized == LABEL_INITIALIZED)
1407 goto out_unlock;
1408
1409 if (isec->sclass == SECCLASS_FILE)
1410 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1411
1412 sbsec = inode->i_sb->s_security;
1413 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1414 /* Defer initialization until selinux_complete_init,
1415 after the initial policy is loaded and the security
1416 server is ready to handle calls. */
1417 spin_lock(&sbsec->isec_lock);
1418 if (list_empty(&isec->list))
1419 list_add(&isec->list, &sbsec->isec_head);
1420 spin_unlock(&sbsec->isec_lock);
1421 goto out_unlock;
1422 }
1423
1424 sclass = isec->sclass;
1425 task_sid = isec->task_sid;
1426 sid = isec->sid;
1427 isec->initialized = LABEL_PENDING;
1428 spin_unlock(&isec->lock);
1429
1430 switch (sbsec->behavior) {
1431 case SECURITY_FS_USE_NATIVE:
1432 break;
1433 case SECURITY_FS_USE_XATTR:
1434 if (!(inode->i_opflags & IOP_XATTR)) {
1435 sid = sbsec->def_sid;
1436 break;
1437 }
1438 /* Need a dentry, since the xattr API requires one.
1439 Life would be simpler if we could just pass the inode. */
1440 if (opt_dentry) {
1441 /* Called from d_instantiate or d_splice_alias. */
1442 dentry = dget(opt_dentry);
1443 } else {
1444 /*
1445 * Called from selinux_complete_init, try to find a dentry.
1446 * Some filesystems really want a connected one, so try
1447 * that first. We could split SECURITY_FS_USE_XATTR in
1448 * two, depending upon that...
1449 */
1450 dentry = d_find_alias(inode);
1451 if (!dentry)
1452 dentry = d_find_any_alias(inode);
1453 }
1454 if (!dentry) {
1455 /*
1456 * this is can be hit on boot when a file is accessed
1457 * before the policy is loaded. When we load policy we
1458 * may find inodes that have no dentry on the
1459 * sbsec->isec_head list. No reason to complain as these
1460 * will get fixed up the next time we go through
1461 * inode_doinit with a dentry, before these inodes could
1462 * be used again by userspace.
1463 */
1464 goto out_invalid;
1465 }
1466
1467 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1468 &sid);
1469 dput(dentry);
1470 if (rc)
1471 goto out;
1472 break;
1473 case SECURITY_FS_USE_TASK:
1474 sid = task_sid;
1475 break;
1476 case SECURITY_FS_USE_TRANS:
1477 /* Default to the fs SID. */
1478 sid = sbsec->sid;
1479
1480 /* Try to obtain a transition SID. */
1481 rc = security_transition_sid(&selinux_state, task_sid, sid,
1482 sclass, NULL, &sid);
1483 if (rc)
1484 goto out;
1485 break;
1486 case SECURITY_FS_USE_MNTPOINT:
1487 sid = sbsec->mntpoint_sid;
1488 break;
1489 default:
1490 /* Default to the fs superblock SID. */
1491 sid = sbsec->sid;
1492
1493 if ((sbsec->flags & SE_SBGENFS) &&
1494 (!S_ISLNK(inode->i_mode) ||
1495 selinux_policycap_genfs_seclabel_symlinks())) {
1496 /* We must have a dentry to determine the label on
1497 * procfs inodes */
1498 if (opt_dentry) {
1499 /* Called from d_instantiate or
1500 * d_splice_alias. */
1501 dentry = dget(opt_dentry);
1502 } else {
1503 /* Called from selinux_complete_init, try to
1504 * find a dentry. Some filesystems really want
1505 * a connected one, so try that first.
1506 */
1507 dentry = d_find_alias(inode);
1508 if (!dentry)
1509 dentry = d_find_any_alias(inode);
1510 }
1511 /*
1512 * This can be hit on boot when a file is accessed
1513 * before the policy is loaded. When we load policy we
1514 * may find inodes that have no dentry on the
1515 * sbsec->isec_head list. No reason to complain as
1516 * these will get fixed up the next time we go through
1517 * inode_doinit() with a dentry, before these inodes
1518 * could be used again by userspace.
1519 */
1520 if (!dentry)
1521 goto out_invalid;
1522 rc = selinux_genfs_get_sid(dentry, sclass,
1523 sbsec->flags, &sid);
1524 if (rc) {
1525 dput(dentry);
1526 goto out;
1527 }
1528
1529 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1530 (inode->i_opflags & IOP_XATTR)) {
1531 rc = inode_doinit_use_xattr(inode, dentry,
1532 sid, &sid);
1533 if (rc) {
1534 dput(dentry);
1535 goto out;
1536 }
1537 }
1538 dput(dentry);
1539 }
1540 break;
1541 }
1542
1543 out:
1544 spin_lock(&isec->lock);
1545 if (isec->initialized == LABEL_PENDING) {
1546 if (rc) {
1547 isec->initialized = LABEL_INVALID;
1548 goto out_unlock;
1549 }
1550 isec->initialized = LABEL_INITIALIZED;
1551 isec->sid = sid;
1552 }
1553
1554 out_unlock:
1555 spin_unlock(&isec->lock);
1556 return rc;
1557
1558 out_invalid:
1559 spin_lock(&isec->lock);
1560 if (isec->initialized == LABEL_PENDING) {
1561 isec->initialized = LABEL_INVALID;
1562 isec->sid = sid;
1563 }
1564 spin_unlock(&isec->lock);
1565 return 0;
1566 }
1567
1568 /* Convert a Linux signal to an access vector. */
signal_to_av(int sig)1569 static inline u32 signal_to_av(int sig)
1570 {
1571 u32 perm = 0;
1572
1573 switch (sig) {
1574 case SIGCHLD:
1575 /* Commonly granted from child to parent. */
1576 perm = PROCESS__SIGCHLD;
1577 break;
1578 case SIGKILL:
1579 /* Cannot be caught or ignored */
1580 perm = PROCESS__SIGKILL;
1581 break;
1582 case SIGSTOP:
1583 /* Cannot be caught or ignored */
1584 perm = PROCESS__SIGSTOP;
1585 break;
1586 default:
1587 /* All other signals. */
1588 perm = PROCESS__SIGNAL;
1589 break;
1590 }
1591
1592 return perm;
1593 }
1594
1595 #if CAP_LAST_CAP > 63
1596 #error Fix SELinux to handle capabilities > 63.
1597 #endif
1598
1599 /* Check whether a task is allowed to use a capability. */
cred_has_capability(const struct cred * cred,int cap,unsigned int opts,bool initns)1600 static int cred_has_capability(const struct cred *cred,
1601 int cap, unsigned int opts, bool initns)
1602 {
1603 struct common_audit_data ad;
1604 struct av_decision avd;
1605 u16 sclass;
1606 u32 sid = cred_sid(cred);
1607 u32 av = CAP_TO_MASK(cap);
1608 int rc;
1609
1610 ad.type = LSM_AUDIT_DATA_CAP;
1611 ad.u.cap = cap;
1612
1613 switch (CAP_TO_INDEX(cap)) {
1614 case 0:
1615 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1616 break;
1617 case 1:
1618 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1619 break;
1620 default:
1621 pr_err("SELinux: out of range capability %d\n", cap);
1622 BUG();
1623 return -EINVAL;
1624 }
1625
1626 rc = avc_has_perm_noaudit(&selinux_state,
1627 sid, sid, sclass, av, 0, &avd);
1628 if (!(opts & CAP_OPT_NOAUDIT)) {
1629 int rc2 = avc_audit(&selinux_state,
1630 sid, sid, sclass, av, &avd, rc, &ad, 0);
1631 if (rc2)
1632 return rc2;
1633 }
1634 return rc;
1635 }
1636
1637 /* Check whether a task has a particular permission to an inode.
1638 The 'adp' parameter is optional and allows other audit
1639 data to be passed (e.g. the dentry). */
inode_has_perm(const struct cred * cred,struct inode * inode,u32 perms,struct common_audit_data * adp)1640 static int inode_has_perm(const struct cred *cred,
1641 struct inode *inode,
1642 u32 perms,
1643 struct common_audit_data *adp)
1644 {
1645 struct inode_security_struct *isec;
1646 u32 sid;
1647
1648 validate_creds(cred);
1649
1650 if (unlikely(IS_PRIVATE(inode)))
1651 return 0;
1652
1653 sid = cred_sid(cred);
1654 isec = selinux_inode(inode);
1655
1656 return avc_has_perm(&selinux_state,
1657 sid, isec->sid, isec->sclass, perms, adp);
1658 }
1659
1660 /* Same as inode_has_perm, but pass explicit audit data containing
1661 the dentry to help the auditing code to more easily generate the
1662 pathname if needed. */
dentry_has_perm(const struct cred * cred,struct dentry * dentry,u32 av)1663 static inline int dentry_has_perm(const struct cred *cred,
1664 struct dentry *dentry,
1665 u32 av)
1666 {
1667 struct inode *inode = d_backing_inode(dentry);
1668 struct common_audit_data ad;
1669
1670 ad.type = LSM_AUDIT_DATA_DENTRY;
1671 ad.u.dentry = dentry;
1672 __inode_security_revalidate(inode, dentry, true);
1673 return inode_has_perm(cred, inode, av, &ad);
1674 }
1675
1676 /* Same as inode_has_perm, but pass explicit audit data containing
1677 the path to help the auditing code to more easily generate the
1678 pathname if needed. */
path_has_perm(const struct cred * cred,const struct path * path,u32 av)1679 static inline int path_has_perm(const struct cred *cred,
1680 const struct path *path,
1681 u32 av)
1682 {
1683 struct inode *inode = d_backing_inode(path->dentry);
1684 struct common_audit_data ad;
1685
1686 ad.type = LSM_AUDIT_DATA_PATH;
1687 ad.u.path = *path;
1688 __inode_security_revalidate(inode, path->dentry, true);
1689 return inode_has_perm(cred, inode, av, &ad);
1690 }
1691
1692 /* Same as path_has_perm, but uses the inode from the file struct. */
file_path_has_perm(const struct cred * cred,struct file * file,u32 av)1693 static inline int file_path_has_perm(const struct cred *cred,
1694 struct file *file,
1695 u32 av)
1696 {
1697 struct common_audit_data ad;
1698
1699 ad.type = LSM_AUDIT_DATA_FILE;
1700 ad.u.file = file;
1701 return inode_has_perm(cred, file_inode(file), av, &ad);
1702 }
1703
1704 #ifdef CONFIG_BPF_SYSCALL
1705 static int bpf_fd_pass(struct file *file, u32 sid);
1706 #endif
1707
1708 /* Check whether a task can use an open file descriptor to
1709 access an inode in a given way. Check access to the
1710 descriptor itself, and then use dentry_has_perm to
1711 check a particular permission to the file.
1712 Access to the descriptor is implicitly granted if it
1713 has the same SID as the process. If av is zero, then
1714 access to the file is not checked, e.g. for cases
1715 where only the descriptor is affected like seek. */
file_has_perm(const struct cred * cred,struct file * file,u32 av)1716 static int file_has_perm(const struct cred *cred,
1717 struct file *file,
1718 u32 av)
1719 {
1720 struct file_security_struct *fsec = selinux_file(file);
1721 struct inode *inode = file_inode(file);
1722 struct common_audit_data ad;
1723 u32 sid = cred_sid(cred);
1724 int rc;
1725
1726 ad.type = LSM_AUDIT_DATA_FILE;
1727 ad.u.file = file;
1728
1729 if (sid != fsec->sid) {
1730 rc = avc_has_perm(&selinux_state,
1731 sid, fsec->sid,
1732 SECCLASS_FD,
1733 FD__USE,
1734 &ad);
1735 if (rc)
1736 goto out;
1737 }
1738
1739 #ifdef CONFIG_BPF_SYSCALL
1740 rc = bpf_fd_pass(file, cred_sid(cred));
1741 if (rc)
1742 return rc;
1743 #endif
1744
1745 /* av is zero if only checking access to the descriptor. */
1746 rc = 0;
1747 if (av)
1748 rc = inode_has_perm(cred, inode, av, &ad);
1749
1750 out:
1751 return rc;
1752 }
1753
1754 /*
1755 * Determine the label for an inode that might be unioned.
1756 */
1757 static int
selinux_determine_inode_label(const struct task_security_struct * tsec,struct inode * dir,const struct qstr * name,u16 tclass,u32 * _new_isid)1758 selinux_determine_inode_label(const struct task_security_struct *tsec,
1759 struct inode *dir,
1760 const struct qstr *name, u16 tclass,
1761 u32 *_new_isid)
1762 {
1763 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1764
1765 if ((sbsec->flags & SE_SBINITIALIZED) &&
1766 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1767 *_new_isid = sbsec->mntpoint_sid;
1768 } else if ((sbsec->flags & SBLABEL_MNT) &&
1769 tsec->create_sid) {
1770 *_new_isid = tsec->create_sid;
1771 } else {
1772 const struct inode_security_struct *dsec = inode_security(dir);
1773 return security_transition_sid(&selinux_state, tsec->sid,
1774 dsec->sid, tclass,
1775 name, _new_isid);
1776 }
1777
1778 return 0;
1779 }
1780
1781 /* Check whether a task can create a file. */
may_create(struct inode * dir,struct dentry * dentry,u16 tclass)1782 static int may_create(struct inode *dir,
1783 struct dentry *dentry,
1784 u16 tclass)
1785 {
1786 const struct task_security_struct *tsec = selinux_cred(current_cred());
1787 struct inode_security_struct *dsec;
1788 struct superblock_security_struct *sbsec;
1789 u32 sid, newsid;
1790 struct common_audit_data ad;
1791 int rc;
1792
1793 dsec = inode_security(dir);
1794 sbsec = dir->i_sb->s_security;
1795
1796 sid = tsec->sid;
1797
1798 ad.type = LSM_AUDIT_DATA_DENTRY;
1799 ad.u.dentry = dentry;
1800
1801 rc = avc_has_perm(&selinux_state,
1802 sid, dsec->sid, SECCLASS_DIR,
1803 DIR__ADD_NAME | DIR__SEARCH,
1804 &ad);
1805 if (rc)
1806 return rc;
1807
1808 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1809 &newsid);
1810 if (rc)
1811 return rc;
1812
1813 rc = avc_has_perm(&selinux_state,
1814 sid, newsid, tclass, FILE__CREATE, &ad);
1815 if (rc)
1816 return rc;
1817
1818 return avc_has_perm(&selinux_state,
1819 newsid, sbsec->sid,
1820 SECCLASS_FILESYSTEM,
1821 FILESYSTEM__ASSOCIATE, &ad);
1822 }
1823
1824 #define MAY_LINK 0
1825 #define MAY_UNLINK 1
1826 #define MAY_RMDIR 2
1827
1828 /* Check whether a task can link, unlink, or rmdir a file/directory. */
may_link(struct inode * dir,struct dentry * dentry,int kind)1829 static int may_link(struct inode *dir,
1830 struct dentry *dentry,
1831 int kind)
1832
1833 {
1834 struct inode_security_struct *dsec, *isec;
1835 struct common_audit_data ad;
1836 u32 sid = current_sid();
1837 u32 av;
1838 int rc;
1839
1840 dsec = inode_security(dir);
1841 isec = backing_inode_security(dentry);
1842
1843 ad.type = LSM_AUDIT_DATA_DENTRY;
1844 ad.u.dentry = dentry;
1845
1846 av = DIR__SEARCH;
1847 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1848 rc = avc_has_perm(&selinux_state,
1849 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1850 if (rc)
1851 return rc;
1852
1853 switch (kind) {
1854 case MAY_LINK:
1855 av = FILE__LINK;
1856 break;
1857 case MAY_UNLINK:
1858 av = FILE__UNLINK;
1859 break;
1860 case MAY_RMDIR:
1861 av = DIR__RMDIR;
1862 break;
1863 default:
1864 pr_warn("SELinux: %s: unrecognized kind %d\n",
1865 __func__, kind);
1866 return 0;
1867 }
1868
1869 rc = avc_has_perm(&selinux_state,
1870 sid, isec->sid, isec->sclass, av, &ad);
1871 return rc;
1872 }
1873
may_rename(struct inode * old_dir,struct dentry * old_dentry,struct inode * new_dir,struct dentry * new_dentry)1874 static inline int may_rename(struct inode *old_dir,
1875 struct dentry *old_dentry,
1876 struct inode *new_dir,
1877 struct dentry *new_dentry)
1878 {
1879 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1880 struct common_audit_data ad;
1881 u32 sid = current_sid();
1882 u32 av;
1883 int old_is_dir, new_is_dir;
1884 int rc;
1885
1886 old_dsec = inode_security(old_dir);
1887 old_isec = backing_inode_security(old_dentry);
1888 old_is_dir = d_is_dir(old_dentry);
1889 new_dsec = inode_security(new_dir);
1890
1891 ad.type = LSM_AUDIT_DATA_DENTRY;
1892
1893 ad.u.dentry = old_dentry;
1894 rc = avc_has_perm(&selinux_state,
1895 sid, old_dsec->sid, SECCLASS_DIR,
1896 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1897 if (rc)
1898 return rc;
1899 rc = avc_has_perm(&selinux_state,
1900 sid, old_isec->sid,
1901 old_isec->sclass, FILE__RENAME, &ad);
1902 if (rc)
1903 return rc;
1904 if (old_is_dir && new_dir != old_dir) {
1905 rc = avc_has_perm(&selinux_state,
1906 sid, old_isec->sid,
1907 old_isec->sclass, DIR__REPARENT, &ad);
1908 if (rc)
1909 return rc;
1910 }
1911
1912 ad.u.dentry = new_dentry;
1913 av = DIR__ADD_NAME | DIR__SEARCH;
1914 if (d_is_positive(new_dentry))
1915 av |= DIR__REMOVE_NAME;
1916 rc = avc_has_perm(&selinux_state,
1917 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1918 if (rc)
1919 return rc;
1920 if (d_is_positive(new_dentry)) {
1921 new_isec = backing_inode_security(new_dentry);
1922 new_is_dir = d_is_dir(new_dentry);
1923 rc = avc_has_perm(&selinux_state,
1924 sid, new_isec->sid,
1925 new_isec->sclass,
1926 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1927 if (rc)
1928 return rc;
1929 }
1930
1931 return 0;
1932 }
1933
1934 /* Check whether a task can perform a filesystem operation. */
superblock_has_perm(const struct cred * cred,struct super_block * sb,u32 perms,struct common_audit_data * ad)1935 static int superblock_has_perm(const struct cred *cred,
1936 struct super_block *sb,
1937 u32 perms,
1938 struct common_audit_data *ad)
1939 {
1940 struct superblock_security_struct *sbsec;
1941 u32 sid = cred_sid(cred);
1942
1943 sbsec = sb->s_security;
1944 return avc_has_perm(&selinux_state,
1945 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1946 }
1947
1948 /* Convert a Linux mode and permission mask to an access vector. */
file_mask_to_av(int mode,int mask)1949 static inline u32 file_mask_to_av(int mode, int mask)
1950 {
1951 u32 av = 0;
1952
1953 if (!S_ISDIR(mode)) {
1954 if (mask & MAY_EXEC)
1955 av |= FILE__EXECUTE;
1956 if (mask & MAY_READ)
1957 av |= FILE__READ;
1958
1959 if (mask & MAY_APPEND)
1960 av |= FILE__APPEND;
1961 else if (mask & MAY_WRITE)
1962 av |= FILE__WRITE;
1963
1964 } else {
1965 if (mask & MAY_EXEC)
1966 av |= DIR__SEARCH;
1967 if (mask & MAY_WRITE)
1968 av |= DIR__WRITE;
1969 if (mask & MAY_READ)
1970 av |= DIR__READ;
1971 }
1972
1973 return av;
1974 }
1975
1976 /* Convert a Linux file to an access vector. */
file_to_av(struct file * file)1977 static inline u32 file_to_av(struct file *file)
1978 {
1979 u32 av = 0;
1980
1981 if (file->f_mode & FMODE_READ)
1982 av |= FILE__READ;
1983 if (file->f_mode & FMODE_WRITE) {
1984 if (file->f_flags & O_APPEND)
1985 av |= FILE__APPEND;
1986 else
1987 av |= FILE__WRITE;
1988 }
1989 if (!av) {
1990 /*
1991 * Special file opened with flags 3 for ioctl-only use.
1992 */
1993 av = FILE__IOCTL;
1994 }
1995
1996 return av;
1997 }
1998
1999 /*
2000 * Convert a file to an access vector and include the correct
2001 * open permission.
2002 */
open_file_to_av(struct file * file)2003 static inline u32 open_file_to_av(struct file *file)
2004 {
2005 u32 av = file_to_av(file);
2006 struct inode *inode = file_inode(file);
2007
2008 if (selinux_policycap_openperm() &&
2009 inode->i_sb->s_magic != SOCKFS_MAGIC)
2010 av |= FILE__OPEN;
2011
2012 return av;
2013 }
2014
2015 /* Hook functions begin here. */
2016
selinux_binder_set_context_mgr(const struct cred * mgr)2017 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2018 {
2019 return avc_has_perm(&selinux_state,
2020 current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2021 BINDER__SET_CONTEXT_MGR, NULL);
2022 }
2023
selinux_binder_transaction(const struct cred * from,const struct cred * to)2024 static int selinux_binder_transaction(const struct cred *from,
2025 const struct cred *to)
2026 {
2027 u32 mysid = current_sid();
2028 u32 fromsid = cred_sid(from);
2029 u32 tosid = cred_sid(to);
2030 int rc;
2031
2032 if (mysid != fromsid) {
2033 rc = avc_has_perm(&selinux_state,
2034 mysid, fromsid, SECCLASS_BINDER,
2035 BINDER__IMPERSONATE, NULL);
2036 if (rc)
2037 return rc;
2038 }
2039
2040 return avc_has_perm(&selinux_state, fromsid, tosid,
2041 SECCLASS_BINDER, BINDER__CALL, NULL);
2042 }
2043
selinux_binder_transfer_binder(const struct cred * from,const struct cred * to)2044 static int selinux_binder_transfer_binder(const struct cred *from,
2045 const struct cred *to)
2046 {
2047 return avc_has_perm(&selinux_state,
2048 cred_sid(from), cred_sid(to),
2049 SECCLASS_BINDER, BINDER__TRANSFER,
2050 NULL);
2051 }
2052
selinux_binder_transfer_file(const struct cred * from,const struct cred * to,struct file * file)2053 static int selinux_binder_transfer_file(const struct cred *from,
2054 const struct cred *to,
2055 struct file *file)
2056 {
2057 u32 sid = cred_sid(to);
2058 struct file_security_struct *fsec = selinux_file(file);
2059 struct dentry *dentry = file->f_path.dentry;
2060 struct inode_security_struct *isec;
2061 struct common_audit_data ad;
2062 int rc;
2063
2064 ad.type = LSM_AUDIT_DATA_PATH;
2065 ad.u.path = file->f_path;
2066
2067 if (sid != fsec->sid) {
2068 rc = avc_has_perm(&selinux_state,
2069 sid, fsec->sid,
2070 SECCLASS_FD,
2071 FD__USE,
2072 &ad);
2073 if (rc)
2074 return rc;
2075 }
2076
2077 #ifdef CONFIG_BPF_SYSCALL
2078 rc = bpf_fd_pass(file, sid);
2079 if (rc)
2080 return rc;
2081 #endif
2082
2083 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2084 return 0;
2085
2086 isec = backing_inode_security(dentry);
2087 return avc_has_perm(&selinux_state,
2088 sid, isec->sid, isec->sclass, file_to_av(file),
2089 &ad);
2090 }
2091
selinux_ptrace_access_check(struct task_struct * child,unsigned int mode)2092 static int selinux_ptrace_access_check(struct task_struct *child,
2093 unsigned int mode)
2094 {
2095 u32 sid = current_sid();
2096 u32 csid = task_sid(child);
2097
2098 if (mode & PTRACE_MODE_READ)
2099 return avc_has_perm(&selinux_state,
2100 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2101
2102 return avc_has_perm(&selinux_state,
2103 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2104 }
2105
selinux_ptrace_traceme(struct task_struct * parent)2106 static int selinux_ptrace_traceme(struct task_struct *parent)
2107 {
2108 return avc_has_perm(&selinux_state,
2109 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2110 PROCESS__PTRACE, NULL);
2111 }
2112
selinux_capget(struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)2113 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2114 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2115 {
2116 return avc_has_perm(&selinux_state,
2117 current_sid(), task_sid(target), SECCLASS_PROCESS,
2118 PROCESS__GETCAP, NULL);
2119 }
2120
selinux_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)2121 static int selinux_capset(struct cred *new, const struct cred *old,
2122 const kernel_cap_t *effective,
2123 const kernel_cap_t *inheritable,
2124 const kernel_cap_t *permitted)
2125 {
2126 return avc_has_perm(&selinux_state,
2127 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2128 PROCESS__SETCAP, NULL);
2129 }
2130
2131 /*
2132 * (This comment used to live with the selinux_task_setuid hook,
2133 * which was removed).
2134 *
2135 * Since setuid only affects the current process, and since the SELinux
2136 * controls are not based on the Linux identity attributes, SELinux does not
2137 * need to control this operation. However, SELinux does control the use of
2138 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2139 */
2140
selinux_capable(const struct cred * cred,struct user_namespace * ns,int cap,unsigned int opts)2141 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2142 int cap, unsigned int opts)
2143 {
2144 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2145 }
2146
selinux_quotactl(int cmds,int type,int id,struct super_block * sb)2147 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2148 {
2149 const struct cred *cred = current_cred();
2150 int rc = 0;
2151
2152 if (!sb)
2153 return 0;
2154
2155 switch (cmds) {
2156 case Q_SYNC:
2157 case Q_QUOTAON:
2158 case Q_QUOTAOFF:
2159 case Q_SETINFO:
2160 case Q_SETQUOTA:
2161 case Q_XQUOTAOFF:
2162 case Q_XQUOTAON:
2163 case Q_XSETQLIM:
2164 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2165 break;
2166 case Q_GETFMT:
2167 case Q_GETINFO:
2168 case Q_GETQUOTA:
2169 case Q_XGETQUOTA:
2170 case Q_XGETQSTAT:
2171 case Q_XGETQSTATV:
2172 case Q_XGETNEXTQUOTA:
2173 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2174 break;
2175 default:
2176 rc = 0; /* let the kernel handle invalid cmds */
2177 break;
2178 }
2179 return rc;
2180 }
2181
selinux_quota_on(struct dentry * dentry)2182 static int selinux_quota_on(struct dentry *dentry)
2183 {
2184 const struct cred *cred = current_cred();
2185
2186 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2187 }
2188
selinux_syslog(int type)2189 static int selinux_syslog(int type)
2190 {
2191 switch (type) {
2192 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2193 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2194 return avc_has_perm(&selinux_state,
2195 current_sid(), SECINITSID_KERNEL,
2196 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2197 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2198 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2199 /* Set level of messages printed to console */
2200 case SYSLOG_ACTION_CONSOLE_LEVEL:
2201 return avc_has_perm(&selinux_state,
2202 current_sid(), SECINITSID_KERNEL,
2203 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2204 NULL);
2205 }
2206 /* All other syslog types */
2207 return avc_has_perm(&selinux_state,
2208 current_sid(), SECINITSID_KERNEL,
2209 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2210 }
2211
2212 /*
2213 * Check that a process has enough memory to allocate a new virtual
2214 * mapping. 0 means there is enough memory for the allocation to
2215 * succeed and -ENOMEM implies there is not.
2216 *
2217 * Do not audit the selinux permission check, as this is applied to all
2218 * processes that allocate mappings.
2219 */
selinux_vm_enough_memory(struct mm_struct * mm,long pages)2220 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2221 {
2222 int rc, cap_sys_admin = 0;
2223
2224 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2225 CAP_OPT_NOAUDIT, true);
2226 if (rc == 0)
2227 cap_sys_admin = 1;
2228
2229 return cap_sys_admin;
2230 }
2231
2232 /* binprm security operations */
2233
ptrace_parent_sid(void)2234 static u32 ptrace_parent_sid(void)
2235 {
2236 u32 sid = 0;
2237 struct task_struct *tracer;
2238
2239 rcu_read_lock();
2240 tracer = ptrace_parent(current);
2241 if (tracer)
2242 sid = task_sid(tracer);
2243 rcu_read_unlock();
2244
2245 return sid;
2246 }
2247
check_nnp_nosuid(const struct linux_binprm * bprm,const struct task_security_struct * old_tsec,const struct task_security_struct * new_tsec)2248 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2249 const struct task_security_struct *old_tsec,
2250 const struct task_security_struct *new_tsec)
2251 {
2252 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2253 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2254 int rc;
2255 u32 av;
2256
2257 if (!nnp && !nosuid)
2258 return 0; /* neither NNP nor nosuid */
2259
2260 if (new_tsec->sid == old_tsec->sid)
2261 return 0; /* No change in credentials */
2262
2263 /*
2264 * If the policy enables the nnp_nosuid_transition policy capability,
2265 * then we permit transitions under NNP or nosuid if the
2266 * policy allows the corresponding permission between
2267 * the old and new contexts.
2268 */
2269 if (selinux_policycap_nnp_nosuid_transition()) {
2270 av = 0;
2271 if (nnp)
2272 av |= PROCESS2__NNP_TRANSITION;
2273 if (nosuid)
2274 av |= PROCESS2__NOSUID_TRANSITION;
2275 rc = avc_has_perm(&selinux_state,
2276 old_tsec->sid, new_tsec->sid,
2277 SECCLASS_PROCESS2, av, NULL);
2278 if (!rc)
2279 return 0;
2280 }
2281
2282 /*
2283 * We also permit NNP or nosuid transitions to bounded SIDs,
2284 * i.e. SIDs that are guaranteed to only be allowed a subset
2285 * of the permissions of the current SID.
2286 */
2287 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2288 new_tsec->sid);
2289 if (!rc)
2290 return 0;
2291
2292 /*
2293 * On failure, preserve the errno values for NNP vs nosuid.
2294 * NNP: Operation not permitted for caller.
2295 * nosuid: Permission denied to file.
2296 */
2297 if (nnp)
2298 return -EPERM;
2299 return -EACCES;
2300 }
2301
selinux_bprm_creds_for_exec(struct linux_binprm * bprm)2302 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2303 {
2304 const struct task_security_struct *old_tsec;
2305 struct task_security_struct *new_tsec;
2306 struct inode_security_struct *isec;
2307 struct common_audit_data ad;
2308 struct inode *inode = file_inode(bprm->file);
2309 int rc;
2310
2311 /* SELinux context only depends on initial program or script and not
2312 * the script interpreter */
2313
2314 old_tsec = selinux_cred(current_cred());
2315 new_tsec = selinux_cred(bprm->cred);
2316 isec = inode_security(inode);
2317
2318 /* Default to the current task SID. */
2319 new_tsec->sid = old_tsec->sid;
2320 new_tsec->osid = old_tsec->sid;
2321
2322 /* Reset fs, key, and sock SIDs on execve. */
2323 new_tsec->create_sid = 0;
2324 new_tsec->keycreate_sid = 0;
2325 new_tsec->sockcreate_sid = 0;
2326
2327 if (old_tsec->exec_sid) {
2328 new_tsec->sid = old_tsec->exec_sid;
2329 /* Reset exec SID on execve. */
2330 new_tsec->exec_sid = 0;
2331
2332 /* Fail on NNP or nosuid if not an allowed transition. */
2333 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2334 if (rc)
2335 return rc;
2336 } else {
2337 /* Check for a default transition on this program. */
2338 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2339 isec->sid, SECCLASS_PROCESS, NULL,
2340 &new_tsec->sid);
2341 if (rc)
2342 return rc;
2343
2344 /*
2345 * Fallback to old SID on NNP or nosuid if not an allowed
2346 * transition.
2347 */
2348 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2349 if (rc)
2350 new_tsec->sid = old_tsec->sid;
2351 }
2352
2353 ad.type = LSM_AUDIT_DATA_FILE;
2354 ad.u.file = bprm->file;
2355
2356 if (new_tsec->sid == old_tsec->sid) {
2357 rc = avc_has_perm(&selinux_state,
2358 old_tsec->sid, isec->sid,
2359 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2360 if (rc)
2361 return rc;
2362 } else {
2363 /* Check permissions for the transition. */
2364 rc = avc_has_perm(&selinux_state,
2365 old_tsec->sid, new_tsec->sid,
2366 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2367 if (rc)
2368 return rc;
2369
2370 rc = avc_has_perm(&selinux_state,
2371 new_tsec->sid, isec->sid,
2372 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2373 if (rc)
2374 return rc;
2375
2376 /* Check for shared state */
2377 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2378 rc = avc_has_perm(&selinux_state,
2379 old_tsec->sid, new_tsec->sid,
2380 SECCLASS_PROCESS, PROCESS__SHARE,
2381 NULL);
2382 if (rc)
2383 return -EPERM;
2384 }
2385
2386 /* Make sure that anyone attempting to ptrace over a task that
2387 * changes its SID has the appropriate permit */
2388 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2389 u32 ptsid = ptrace_parent_sid();
2390 if (ptsid != 0) {
2391 rc = avc_has_perm(&selinux_state,
2392 ptsid, new_tsec->sid,
2393 SECCLASS_PROCESS,
2394 PROCESS__PTRACE, NULL);
2395 if (rc)
2396 return -EPERM;
2397 }
2398 }
2399
2400 /* Clear any possibly unsafe personality bits on exec: */
2401 bprm->per_clear |= PER_CLEAR_ON_SETID;
2402
2403 /* Enable secure mode for SIDs transitions unless
2404 the noatsecure permission is granted between
2405 the two SIDs, i.e. ahp returns 0. */
2406 rc = avc_has_perm(&selinux_state,
2407 old_tsec->sid, new_tsec->sid,
2408 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2409 NULL);
2410 bprm->secureexec |= !!rc;
2411 }
2412
2413 return 0;
2414 }
2415
match_file(const void * p,struct file * file,unsigned fd)2416 static int match_file(const void *p, struct file *file, unsigned fd)
2417 {
2418 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2419 }
2420
2421 /* Derived from fs/exec.c:flush_old_files. */
flush_unauthorized_files(const struct cred * cred,struct files_struct * files)2422 static inline void flush_unauthorized_files(const struct cred *cred,
2423 struct files_struct *files)
2424 {
2425 struct file *file, *devnull = NULL;
2426 struct tty_struct *tty;
2427 int drop_tty = 0;
2428 unsigned n;
2429
2430 tty = get_current_tty();
2431 if (tty) {
2432 spin_lock(&tty->files_lock);
2433 if (!list_empty(&tty->tty_files)) {
2434 struct tty_file_private *file_priv;
2435
2436 /* Revalidate access to controlling tty.
2437 Use file_path_has_perm on the tty path directly
2438 rather than using file_has_perm, as this particular
2439 open file may belong to another process and we are
2440 only interested in the inode-based check here. */
2441 file_priv = list_first_entry(&tty->tty_files,
2442 struct tty_file_private, list);
2443 file = file_priv->file;
2444 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2445 drop_tty = 1;
2446 }
2447 spin_unlock(&tty->files_lock);
2448 tty_kref_put(tty);
2449 }
2450 /* Reset controlling tty. */
2451 if (drop_tty)
2452 no_tty();
2453
2454 /* Revalidate access to inherited open files. */
2455 n = iterate_fd(files, 0, match_file, cred);
2456 if (!n) /* none found? */
2457 return;
2458
2459 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2460 if (IS_ERR(devnull))
2461 devnull = NULL;
2462 /* replace all the matching ones with this */
2463 do {
2464 replace_fd(n - 1, devnull, 0);
2465 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2466 if (devnull)
2467 fput(devnull);
2468 }
2469
2470 /*
2471 * Prepare a process for imminent new credential changes due to exec
2472 */
selinux_bprm_committing_creds(struct linux_binprm * bprm)2473 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2474 {
2475 struct task_security_struct *new_tsec;
2476 struct rlimit *rlim, *initrlim;
2477 int rc, i;
2478
2479 new_tsec = selinux_cred(bprm->cred);
2480 if (new_tsec->sid == new_tsec->osid)
2481 return;
2482
2483 /* Close files for which the new task SID is not authorized. */
2484 flush_unauthorized_files(bprm->cred, current->files);
2485
2486 /* Always clear parent death signal on SID transitions. */
2487 current->pdeath_signal = 0;
2488
2489 /* Check whether the new SID can inherit resource limits from the old
2490 * SID. If not, reset all soft limits to the lower of the current
2491 * task's hard limit and the init task's soft limit.
2492 *
2493 * Note that the setting of hard limits (even to lower them) can be
2494 * controlled by the setrlimit check. The inclusion of the init task's
2495 * soft limit into the computation is to avoid resetting soft limits
2496 * higher than the default soft limit for cases where the default is
2497 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2498 */
2499 rc = avc_has_perm(&selinux_state,
2500 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2501 PROCESS__RLIMITINH, NULL);
2502 if (rc) {
2503 /* protect against do_prlimit() */
2504 task_lock(current);
2505 for (i = 0; i < RLIM_NLIMITS; i++) {
2506 rlim = current->signal->rlim + i;
2507 initrlim = init_task.signal->rlim + i;
2508 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2509 }
2510 task_unlock(current);
2511 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2512 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2513 }
2514 }
2515
2516 /*
2517 * Clean up the process immediately after the installation of new credentials
2518 * due to exec
2519 */
selinux_bprm_committed_creds(struct linux_binprm * bprm)2520 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2521 {
2522 const struct task_security_struct *tsec = selinux_cred(current_cred());
2523 u32 osid, sid;
2524 int rc;
2525
2526 osid = tsec->osid;
2527 sid = tsec->sid;
2528
2529 if (sid == osid)
2530 return;
2531
2532 /* Check whether the new SID can inherit signal state from the old SID.
2533 * If not, clear itimers to avoid subsequent signal generation and
2534 * flush and unblock signals.
2535 *
2536 * This must occur _after_ the task SID has been updated so that any
2537 * kill done after the flush will be checked against the new SID.
2538 */
2539 rc = avc_has_perm(&selinux_state,
2540 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2541 if (rc) {
2542 clear_itimer();
2543
2544 spin_lock_irq(¤t->sighand->siglock);
2545 if (!fatal_signal_pending(current)) {
2546 flush_sigqueue(¤t->pending);
2547 flush_sigqueue(¤t->signal->shared_pending);
2548 flush_signal_handlers(current, 1);
2549 sigemptyset(¤t->blocked);
2550 recalc_sigpending();
2551 }
2552 spin_unlock_irq(¤t->sighand->siglock);
2553 }
2554
2555 /* Wake up the parent if it is waiting so that it can recheck
2556 * wait permission to the new task SID. */
2557 read_lock(&tasklist_lock);
2558 __wake_up_parent(current, current->real_parent);
2559 read_unlock(&tasklist_lock);
2560 }
2561
2562 /* superblock security operations */
2563
selinux_sb_alloc_security(struct super_block * sb)2564 static int selinux_sb_alloc_security(struct super_block *sb)
2565 {
2566 struct superblock_security_struct *sbsec;
2567
2568 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
2569 if (!sbsec)
2570 return -ENOMEM;
2571
2572 mutex_init(&sbsec->lock);
2573 INIT_LIST_HEAD(&sbsec->isec_head);
2574 spin_lock_init(&sbsec->isec_lock);
2575 sbsec->sb = sb;
2576 sbsec->sid = SECINITSID_UNLABELED;
2577 sbsec->def_sid = SECINITSID_FILE;
2578 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2579 sb->s_security = sbsec;
2580
2581 return 0;
2582 }
2583
selinux_sb_free_security(struct super_block * sb)2584 static void selinux_sb_free_security(struct super_block *sb)
2585 {
2586 superblock_free_security(sb);
2587 }
2588
opt_len(const char * s)2589 static inline int opt_len(const char *s)
2590 {
2591 bool open_quote = false;
2592 int len;
2593 char c;
2594
2595 for (len = 0; (c = s[len]) != '\0'; len++) {
2596 if (c == '"')
2597 open_quote = !open_quote;
2598 if (c == ',' && !open_quote)
2599 break;
2600 }
2601 return len;
2602 }
2603
selinux_sb_eat_lsm_opts(char * options,void ** mnt_opts)2604 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2605 {
2606 char *from = options;
2607 char *to = options;
2608 bool first = true;
2609 int rc;
2610
2611 while (1) {
2612 int len = opt_len(from);
2613 int token;
2614 char *arg = NULL;
2615
2616 token = match_opt_prefix(from, len, &arg);
2617
2618 if (token != Opt_error) {
2619 char *p, *q;
2620
2621 /* strip quotes */
2622 if (arg) {
2623 for (p = q = arg; p < from + len; p++) {
2624 char c = *p;
2625 if (c != '"')
2626 *q++ = c;
2627 }
2628 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2629 if (!arg) {
2630 rc = -ENOMEM;
2631 goto free_opt;
2632 }
2633 }
2634 rc = selinux_add_opt(token, arg, mnt_opts);
2635 if (unlikely(rc)) {
2636 kfree(arg);
2637 goto free_opt;
2638 }
2639 } else {
2640 if (!first) { // copy with preceding comma
2641 from--;
2642 len++;
2643 }
2644 if (to != from)
2645 memmove(to, from, len);
2646 to += len;
2647 first = false;
2648 }
2649 if (!from[len])
2650 break;
2651 from += len + 1;
2652 }
2653 *to = '\0';
2654 return 0;
2655
2656 free_opt:
2657 if (*mnt_opts) {
2658 selinux_free_mnt_opts(*mnt_opts);
2659 *mnt_opts = NULL;
2660 }
2661 return rc;
2662 }
2663
selinux_sb_remount(struct super_block * sb,void * mnt_opts)2664 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2665 {
2666 struct selinux_mnt_opts *opts = mnt_opts;
2667 struct superblock_security_struct *sbsec = sb->s_security;
2668 u32 sid;
2669 int rc;
2670
2671 if (!(sbsec->flags & SE_SBINITIALIZED))
2672 return 0;
2673
2674 if (!opts)
2675 return 0;
2676
2677 if (opts->fscontext) {
2678 rc = parse_sid(sb, opts->fscontext, &sid);
2679 if (rc)
2680 return rc;
2681 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2682 goto out_bad_option;
2683 }
2684 if (opts->context) {
2685 rc = parse_sid(sb, opts->context, &sid);
2686 if (rc)
2687 return rc;
2688 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2689 goto out_bad_option;
2690 }
2691 if (opts->rootcontext) {
2692 struct inode_security_struct *root_isec;
2693 root_isec = backing_inode_security(sb->s_root);
2694 rc = parse_sid(sb, opts->rootcontext, &sid);
2695 if (rc)
2696 return rc;
2697 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2698 goto out_bad_option;
2699 }
2700 if (opts->defcontext) {
2701 rc = parse_sid(sb, opts->defcontext, &sid);
2702 if (rc)
2703 return rc;
2704 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2705 goto out_bad_option;
2706 }
2707 return 0;
2708
2709 out_bad_option:
2710 pr_warn("SELinux: unable to change security options "
2711 "during remount (dev %s, type=%s)\n", sb->s_id,
2712 sb->s_type->name);
2713 return -EINVAL;
2714 }
2715
selinux_sb_kern_mount(struct super_block * sb)2716 static int selinux_sb_kern_mount(struct super_block *sb)
2717 {
2718 const struct cred *cred = current_cred();
2719 struct common_audit_data ad;
2720
2721 ad.type = LSM_AUDIT_DATA_DENTRY;
2722 ad.u.dentry = sb->s_root;
2723 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2724 }
2725
selinux_sb_statfs(struct dentry * dentry)2726 static int selinux_sb_statfs(struct dentry *dentry)
2727 {
2728 const struct cred *cred = current_cred();
2729 struct common_audit_data ad;
2730
2731 ad.type = LSM_AUDIT_DATA_DENTRY;
2732 ad.u.dentry = dentry->d_sb->s_root;
2733 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2734 }
2735
selinux_mount(const char * dev_name,const struct path * path,const char * type,unsigned long flags,void * data)2736 static int selinux_mount(const char *dev_name,
2737 const struct path *path,
2738 const char *type,
2739 unsigned long flags,
2740 void *data)
2741 {
2742 const struct cred *cred = current_cred();
2743
2744 if (flags & MS_REMOUNT)
2745 return superblock_has_perm(cred, path->dentry->d_sb,
2746 FILESYSTEM__REMOUNT, NULL);
2747 else
2748 return path_has_perm(cred, path, FILE__MOUNTON);
2749 }
2750
selinux_move_mount(const struct path * from_path,const struct path * to_path)2751 static int selinux_move_mount(const struct path *from_path,
2752 const struct path *to_path)
2753 {
2754 const struct cred *cred = current_cred();
2755
2756 return path_has_perm(cred, to_path, FILE__MOUNTON);
2757 }
2758
selinux_umount(struct vfsmount * mnt,int flags)2759 static int selinux_umount(struct vfsmount *mnt, int flags)
2760 {
2761 const struct cred *cred = current_cred();
2762
2763 return superblock_has_perm(cred, mnt->mnt_sb,
2764 FILESYSTEM__UNMOUNT, NULL);
2765 }
2766
selinux_fs_context_dup(struct fs_context * fc,struct fs_context * src_fc)2767 static int selinux_fs_context_dup(struct fs_context *fc,
2768 struct fs_context *src_fc)
2769 {
2770 const struct selinux_mnt_opts *src = src_fc->security;
2771 struct selinux_mnt_opts *opts;
2772
2773 if (!src)
2774 return 0;
2775
2776 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2777 if (!fc->security)
2778 return -ENOMEM;
2779
2780 opts = fc->security;
2781
2782 if (src->fscontext) {
2783 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2784 if (!opts->fscontext)
2785 return -ENOMEM;
2786 }
2787 if (src->context) {
2788 opts->context = kstrdup(src->context, GFP_KERNEL);
2789 if (!opts->context)
2790 return -ENOMEM;
2791 }
2792 if (src->rootcontext) {
2793 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2794 if (!opts->rootcontext)
2795 return -ENOMEM;
2796 }
2797 if (src->defcontext) {
2798 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2799 if (!opts->defcontext)
2800 return -ENOMEM;
2801 }
2802 return 0;
2803 }
2804
2805 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2806 fsparam_string(CONTEXT_STR, Opt_context),
2807 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2808 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2809 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2810 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2811 {}
2812 };
2813
selinux_fs_context_parse_param(struct fs_context * fc,struct fs_parameter * param)2814 static int selinux_fs_context_parse_param(struct fs_context *fc,
2815 struct fs_parameter *param)
2816 {
2817 struct fs_parse_result result;
2818 int opt, rc;
2819
2820 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2821 if (opt < 0)
2822 return opt;
2823
2824 rc = selinux_add_opt(opt, param->string, &fc->security);
2825 if (!rc)
2826 param->string = NULL;
2827
2828 return rc;
2829 }
2830
2831 /* inode security operations */
2832
selinux_inode_alloc_security(struct inode * inode)2833 static int selinux_inode_alloc_security(struct inode *inode)
2834 {
2835 struct inode_security_struct *isec = selinux_inode(inode);
2836 u32 sid = current_sid();
2837
2838 spin_lock_init(&isec->lock);
2839 INIT_LIST_HEAD(&isec->list);
2840 isec->inode = inode;
2841 isec->sid = SECINITSID_UNLABELED;
2842 isec->sclass = SECCLASS_FILE;
2843 isec->task_sid = sid;
2844 isec->initialized = LABEL_INVALID;
2845
2846 return 0;
2847 }
2848
selinux_inode_free_security(struct inode * inode)2849 static void selinux_inode_free_security(struct inode *inode)
2850 {
2851 inode_free_security(inode);
2852 }
2853
selinux_dentry_init_security(struct dentry * dentry,int mode,const struct qstr * name,void ** ctx,u32 * ctxlen)2854 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2855 const struct qstr *name, void **ctx,
2856 u32 *ctxlen)
2857 {
2858 u32 newsid;
2859 int rc;
2860
2861 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2862 d_inode(dentry->d_parent), name,
2863 inode_mode_to_security_class(mode),
2864 &newsid);
2865 if (rc)
2866 return rc;
2867
2868 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2869 ctxlen);
2870 }
2871
selinux_dentry_create_files_as(struct dentry * dentry,int mode,struct qstr * name,const struct cred * old,struct cred * new)2872 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2873 struct qstr *name,
2874 const struct cred *old,
2875 struct cred *new)
2876 {
2877 u32 newsid;
2878 int rc;
2879 struct task_security_struct *tsec;
2880
2881 rc = selinux_determine_inode_label(selinux_cred(old),
2882 d_inode(dentry->d_parent), name,
2883 inode_mode_to_security_class(mode),
2884 &newsid);
2885 if (rc)
2886 return rc;
2887
2888 tsec = selinux_cred(new);
2889 tsec->create_sid = newsid;
2890 return 0;
2891 }
2892
selinux_inode_init_security(struct inode * inode,struct inode * dir,const struct qstr * qstr,const char ** name,void ** value,size_t * len)2893 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2894 const struct qstr *qstr,
2895 const char **name,
2896 void **value, size_t *len)
2897 {
2898 const struct task_security_struct *tsec = selinux_cred(current_cred());
2899 struct superblock_security_struct *sbsec;
2900 u32 newsid, clen;
2901 int rc;
2902 char *context;
2903
2904 sbsec = dir->i_sb->s_security;
2905
2906 newsid = tsec->create_sid;
2907
2908 rc = selinux_determine_inode_label(tsec, dir, qstr,
2909 inode_mode_to_security_class(inode->i_mode),
2910 &newsid);
2911 if (rc)
2912 return rc;
2913
2914 /* Possibly defer initialization to selinux_complete_init. */
2915 if (sbsec->flags & SE_SBINITIALIZED) {
2916 struct inode_security_struct *isec = selinux_inode(inode);
2917 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2918 isec->sid = newsid;
2919 isec->initialized = LABEL_INITIALIZED;
2920 }
2921
2922 if (!selinux_initialized(&selinux_state) ||
2923 !(sbsec->flags & SBLABEL_MNT))
2924 return -EOPNOTSUPP;
2925
2926 if (name)
2927 *name = XATTR_SELINUX_SUFFIX;
2928
2929 if (value && len) {
2930 rc = security_sid_to_context_force(&selinux_state, newsid,
2931 &context, &clen);
2932 if (rc)
2933 return rc;
2934 *value = context;
2935 *len = clen;
2936 }
2937
2938 return 0;
2939 }
2940
selinux_inode_create(struct inode * dir,struct dentry * dentry,umode_t mode)2941 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2942 {
2943 return may_create(dir, dentry, SECCLASS_FILE);
2944 }
2945
selinux_inode_link(struct dentry * old_dentry,struct inode * dir,struct dentry * new_dentry)2946 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2947 {
2948 return may_link(dir, old_dentry, MAY_LINK);
2949 }
2950
selinux_inode_unlink(struct inode * dir,struct dentry * dentry)2951 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2952 {
2953 return may_link(dir, dentry, MAY_UNLINK);
2954 }
2955
selinux_inode_symlink(struct inode * dir,struct dentry * dentry,const char * name)2956 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2957 {
2958 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2959 }
2960
selinux_inode_mkdir(struct inode * dir,struct dentry * dentry,umode_t mask)2961 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2962 {
2963 return may_create(dir, dentry, SECCLASS_DIR);
2964 }
2965
selinux_inode_rmdir(struct inode * dir,struct dentry * dentry)2966 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2967 {
2968 return may_link(dir, dentry, MAY_RMDIR);
2969 }
2970
selinux_inode_mknod(struct inode * dir,struct dentry * dentry,umode_t mode,dev_t dev)2971 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2972 {
2973 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2974 }
2975
selinux_inode_rename(struct inode * old_inode,struct dentry * old_dentry,struct inode * new_inode,struct dentry * new_dentry)2976 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2977 struct inode *new_inode, struct dentry *new_dentry)
2978 {
2979 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2980 }
2981
selinux_inode_readlink(struct dentry * dentry)2982 static int selinux_inode_readlink(struct dentry *dentry)
2983 {
2984 const struct cred *cred = current_cred();
2985
2986 return dentry_has_perm(cred, dentry, FILE__READ);
2987 }
2988
selinux_inode_follow_link(struct dentry * dentry,struct inode * inode,bool rcu)2989 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2990 bool rcu)
2991 {
2992 const struct cred *cred = current_cred();
2993 struct common_audit_data ad;
2994 struct inode_security_struct *isec;
2995 u32 sid;
2996
2997 validate_creds(cred);
2998
2999 ad.type = LSM_AUDIT_DATA_DENTRY;
3000 ad.u.dentry = dentry;
3001 sid = cred_sid(cred);
3002 isec = inode_security_rcu(inode, rcu);
3003 if (IS_ERR(isec))
3004 return PTR_ERR(isec);
3005
3006 return avc_has_perm_flags(&selinux_state,
3007 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3008 rcu ? MAY_NOT_BLOCK : 0);
3009 }
3010
audit_inode_permission(struct inode * inode,u32 perms,u32 audited,u32 denied,int result)3011 static noinline int audit_inode_permission(struct inode *inode,
3012 u32 perms, u32 audited, u32 denied,
3013 int result)
3014 {
3015 struct common_audit_data ad;
3016 struct inode_security_struct *isec = selinux_inode(inode);
3017 int rc;
3018
3019 ad.type = LSM_AUDIT_DATA_INODE;
3020 ad.u.inode = inode;
3021
3022 rc = slow_avc_audit(&selinux_state,
3023 current_sid(), isec->sid, isec->sclass, perms,
3024 audited, denied, result, &ad);
3025 if (rc)
3026 return rc;
3027 return 0;
3028 }
3029
selinux_inode_permission(struct inode * inode,int mask)3030 static int selinux_inode_permission(struct inode *inode, int mask)
3031 {
3032 const struct cred *cred = current_cred();
3033 u32 perms;
3034 bool from_access;
3035 bool no_block = mask & MAY_NOT_BLOCK;
3036 struct inode_security_struct *isec;
3037 u32 sid;
3038 struct av_decision avd;
3039 int rc, rc2;
3040 u32 audited, denied;
3041
3042 from_access = mask & MAY_ACCESS;
3043 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3044
3045 /* No permission to check. Existence test. */
3046 if (!mask)
3047 return 0;
3048
3049 validate_creds(cred);
3050
3051 if (unlikely(IS_PRIVATE(inode)))
3052 return 0;
3053
3054 perms = file_mask_to_av(inode->i_mode, mask);
3055
3056 sid = cred_sid(cred);
3057 isec = inode_security_rcu(inode, no_block);
3058 if (IS_ERR(isec))
3059 return PTR_ERR(isec);
3060
3061 rc = avc_has_perm_noaudit(&selinux_state,
3062 sid, isec->sid, isec->sclass, perms,
3063 no_block ? AVC_NONBLOCKING : 0,
3064 &avd);
3065 audited = avc_audit_required(perms, &avd, rc,
3066 from_access ? FILE__AUDIT_ACCESS : 0,
3067 &denied);
3068 if (likely(!audited))
3069 return rc;
3070
3071 /* fall back to ref-walk if we have to generate audit */
3072 if (no_block)
3073 return -ECHILD;
3074
3075 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3076 if (rc2)
3077 return rc2;
3078 return rc;
3079 }
3080
selinux_inode_setattr(struct dentry * dentry,struct iattr * iattr)3081 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3082 {
3083 const struct cred *cred = current_cred();
3084 struct inode *inode = d_backing_inode(dentry);
3085 unsigned int ia_valid = iattr->ia_valid;
3086 __u32 av = FILE__WRITE;
3087
3088 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3089 if (ia_valid & ATTR_FORCE) {
3090 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3091 ATTR_FORCE);
3092 if (!ia_valid)
3093 return 0;
3094 }
3095
3096 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3097 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3098 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3099
3100 if (selinux_policycap_openperm() &&
3101 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3102 (ia_valid & ATTR_SIZE) &&
3103 !(ia_valid & ATTR_FILE))
3104 av |= FILE__OPEN;
3105
3106 return dentry_has_perm(cred, dentry, av);
3107 }
3108
selinux_inode_getattr(const struct path * path)3109 static int selinux_inode_getattr(const struct path *path)
3110 {
3111 return path_has_perm(current_cred(), path, FILE__GETATTR);
3112 }
3113
has_cap_mac_admin(bool audit)3114 static bool has_cap_mac_admin(bool audit)
3115 {
3116 const struct cred *cred = current_cred();
3117 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3118
3119 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3120 return false;
3121 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3122 return false;
3123 return true;
3124 }
3125
selinux_inode_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3126 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3127 const void *value, size_t size, int flags)
3128 {
3129 struct inode *inode = d_backing_inode(dentry);
3130 struct inode_security_struct *isec;
3131 struct superblock_security_struct *sbsec;
3132 struct common_audit_data ad;
3133 u32 newsid, sid = current_sid();
3134 int rc = 0;
3135
3136 if (strcmp(name, XATTR_NAME_SELINUX)) {
3137 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3138 if (rc)
3139 return rc;
3140
3141 /* Not an attribute we recognize, so just check the
3142 ordinary setattr permission. */
3143 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3144 }
3145
3146 if (!selinux_initialized(&selinux_state))
3147 return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3148
3149 sbsec = inode->i_sb->s_security;
3150 if (!(sbsec->flags & SBLABEL_MNT))
3151 return -EOPNOTSUPP;
3152
3153 if (!inode_owner_or_capable(inode))
3154 return -EPERM;
3155
3156 ad.type = LSM_AUDIT_DATA_DENTRY;
3157 ad.u.dentry = dentry;
3158
3159 isec = backing_inode_security(dentry);
3160 rc = avc_has_perm(&selinux_state,
3161 sid, isec->sid, isec->sclass,
3162 FILE__RELABELFROM, &ad);
3163 if (rc)
3164 return rc;
3165
3166 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3167 GFP_KERNEL);
3168 if (rc == -EINVAL) {
3169 if (!has_cap_mac_admin(true)) {
3170 struct audit_buffer *ab;
3171 size_t audit_size;
3172
3173 /* We strip a nul only if it is at the end, otherwise the
3174 * context contains a nul and we should audit that */
3175 if (value) {
3176 const char *str = value;
3177
3178 if (str[size - 1] == '\0')
3179 audit_size = size - 1;
3180 else
3181 audit_size = size;
3182 } else {
3183 audit_size = 0;
3184 }
3185 ab = audit_log_start(audit_context(),
3186 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3187 audit_log_format(ab, "op=setxattr invalid_context=");
3188 audit_log_n_untrustedstring(ab, value, audit_size);
3189 audit_log_end(ab);
3190
3191 return rc;
3192 }
3193 rc = security_context_to_sid_force(&selinux_state, value,
3194 size, &newsid);
3195 }
3196 if (rc)
3197 return rc;
3198
3199 rc = avc_has_perm(&selinux_state,
3200 sid, newsid, isec->sclass,
3201 FILE__RELABELTO, &ad);
3202 if (rc)
3203 return rc;
3204
3205 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3206 sid, isec->sclass);
3207 if (rc)
3208 return rc;
3209
3210 return avc_has_perm(&selinux_state,
3211 newsid,
3212 sbsec->sid,
3213 SECCLASS_FILESYSTEM,
3214 FILESYSTEM__ASSOCIATE,
3215 &ad);
3216 }
3217
selinux_inode_post_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3218 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3219 const void *value, size_t size,
3220 int flags)
3221 {
3222 struct inode *inode = d_backing_inode(dentry);
3223 struct inode_security_struct *isec;
3224 u32 newsid;
3225 int rc;
3226
3227 if (strcmp(name, XATTR_NAME_SELINUX)) {
3228 /* Not an attribute we recognize, so nothing to do. */
3229 return;
3230 }
3231
3232 if (!selinux_initialized(&selinux_state)) {
3233 /* If we haven't even been initialized, then we can't validate
3234 * against a policy, so leave the label as invalid. It may
3235 * resolve to a valid label on the next revalidation try if
3236 * we've since initialized.
3237 */
3238 return;
3239 }
3240
3241 rc = security_context_to_sid_force(&selinux_state, value, size,
3242 &newsid);
3243 if (rc) {
3244 pr_err("SELinux: unable to map context to SID"
3245 "for (%s, %lu), rc=%d\n",
3246 inode->i_sb->s_id, inode->i_ino, -rc);
3247 return;
3248 }
3249
3250 isec = backing_inode_security(dentry);
3251 spin_lock(&isec->lock);
3252 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3253 isec->sid = newsid;
3254 isec->initialized = LABEL_INITIALIZED;
3255 spin_unlock(&isec->lock);
3256
3257 return;
3258 }
3259
selinux_inode_getxattr(struct dentry * dentry,const char * name)3260 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3261 {
3262 const struct cred *cred = current_cred();
3263
3264 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3265 }
3266
selinux_inode_listxattr(struct dentry * dentry)3267 static int selinux_inode_listxattr(struct dentry *dentry)
3268 {
3269 const struct cred *cred = current_cred();
3270
3271 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3272 }
3273
selinux_inode_removexattr(struct dentry * dentry,const char * name)3274 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3275 {
3276 if (strcmp(name, XATTR_NAME_SELINUX)) {
3277 int rc = cap_inode_removexattr(dentry, name);
3278 if (rc)
3279 return rc;
3280
3281 /* Not an attribute we recognize, so just check the
3282 ordinary setattr permission. */
3283 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3284 }
3285
3286 if (!selinux_initialized(&selinux_state))
3287 return 0;
3288
3289 /* No one is allowed to remove a SELinux security label.
3290 You can change the label, but all data must be labeled. */
3291 return -EACCES;
3292 }
3293
selinux_path_notify(const struct path * path,u64 mask,unsigned int obj_type)3294 static int selinux_path_notify(const struct path *path, u64 mask,
3295 unsigned int obj_type)
3296 {
3297 int ret;
3298 u32 perm;
3299
3300 struct common_audit_data ad;
3301
3302 ad.type = LSM_AUDIT_DATA_PATH;
3303 ad.u.path = *path;
3304
3305 /*
3306 * Set permission needed based on the type of mark being set.
3307 * Performs an additional check for sb watches.
3308 */
3309 switch (obj_type) {
3310 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3311 perm = FILE__WATCH_MOUNT;
3312 break;
3313 case FSNOTIFY_OBJ_TYPE_SB:
3314 perm = FILE__WATCH_SB;
3315 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3316 FILESYSTEM__WATCH, &ad);
3317 if (ret)
3318 return ret;
3319 break;
3320 case FSNOTIFY_OBJ_TYPE_INODE:
3321 perm = FILE__WATCH;
3322 break;
3323 default:
3324 return -EINVAL;
3325 }
3326
3327 /* blocking watches require the file:watch_with_perm permission */
3328 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3329 perm |= FILE__WATCH_WITH_PERM;
3330
3331 /* watches on read-like events need the file:watch_reads permission */
3332 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3333 perm |= FILE__WATCH_READS;
3334
3335 return path_has_perm(current_cred(), path, perm);
3336 }
3337
3338 /*
3339 * Copy the inode security context value to the user.
3340 *
3341 * Permission check is handled by selinux_inode_getxattr hook.
3342 */
selinux_inode_getsecurity(struct inode * inode,const char * name,void ** buffer,bool alloc)3343 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3344 {
3345 u32 size;
3346 int error;
3347 char *context = NULL;
3348 struct inode_security_struct *isec;
3349
3350 /*
3351 * If we're not initialized yet, then we can't validate contexts, so
3352 * just let vfs_getxattr fall back to using the on-disk xattr.
3353 */
3354 if (!selinux_initialized(&selinux_state) ||
3355 strcmp(name, XATTR_SELINUX_SUFFIX))
3356 return -EOPNOTSUPP;
3357
3358 /*
3359 * If the caller has CAP_MAC_ADMIN, then get the raw context
3360 * value even if it is not defined by current policy; otherwise,
3361 * use the in-core value under current policy.
3362 * Use the non-auditing forms of the permission checks since
3363 * getxattr may be called by unprivileged processes commonly
3364 * and lack of permission just means that we fall back to the
3365 * in-core context value, not a denial.
3366 */
3367 isec = inode_security(inode);
3368 if (has_cap_mac_admin(false))
3369 error = security_sid_to_context_force(&selinux_state,
3370 isec->sid, &context,
3371 &size);
3372 else
3373 error = security_sid_to_context(&selinux_state, isec->sid,
3374 &context, &size);
3375 if (error)
3376 return error;
3377 error = size;
3378 if (alloc) {
3379 *buffer = context;
3380 goto out_nofree;
3381 }
3382 kfree(context);
3383 out_nofree:
3384 return error;
3385 }
3386
selinux_inode_setsecurity(struct inode * inode,const char * name,const void * value,size_t size,int flags)3387 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3388 const void *value, size_t size, int flags)
3389 {
3390 struct inode_security_struct *isec = inode_security_novalidate(inode);
3391 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3392 u32 newsid;
3393 int rc;
3394
3395 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3396 return -EOPNOTSUPP;
3397
3398 if (!(sbsec->flags & SBLABEL_MNT))
3399 return -EOPNOTSUPP;
3400
3401 if (!value || !size)
3402 return -EACCES;
3403
3404 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3405 GFP_KERNEL);
3406 if (rc)
3407 return rc;
3408
3409 spin_lock(&isec->lock);
3410 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3411 isec->sid = newsid;
3412 isec->initialized = LABEL_INITIALIZED;
3413 spin_unlock(&isec->lock);
3414 return 0;
3415 }
3416
selinux_inode_listsecurity(struct inode * inode,char * buffer,size_t buffer_size)3417 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3418 {
3419 const int len = sizeof(XATTR_NAME_SELINUX);
3420
3421 if (!selinux_initialized(&selinux_state))
3422 return 0;
3423
3424 if (buffer && len <= buffer_size)
3425 memcpy(buffer, XATTR_NAME_SELINUX, len);
3426 return len;
3427 }
3428
selinux_inode_getsecid(struct inode * inode,u32 * secid)3429 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3430 {
3431 struct inode_security_struct *isec = inode_security_novalidate(inode);
3432 *secid = isec->sid;
3433 }
3434
selinux_inode_copy_up(struct dentry * src,struct cred ** new)3435 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3436 {
3437 u32 sid;
3438 struct task_security_struct *tsec;
3439 struct cred *new_creds = *new;
3440
3441 if (new_creds == NULL) {
3442 new_creds = prepare_creds();
3443 if (!new_creds)
3444 return -ENOMEM;
3445 }
3446
3447 tsec = selinux_cred(new_creds);
3448 /* Get label from overlay inode and set it in create_sid */
3449 selinux_inode_getsecid(d_inode(src), &sid);
3450 tsec->create_sid = sid;
3451 *new = new_creds;
3452 return 0;
3453 }
3454
selinux_inode_copy_up_xattr(const char * name)3455 static int selinux_inode_copy_up_xattr(const char *name)
3456 {
3457 /* The copy_up hook above sets the initial context on an inode, but we
3458 * don't then want to overwrite it by blindly copying all the lower
3459 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3460 */
3461 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3462 return 1; /* Discard */
3463 /*
3464 * Any other attribute apart from SELINUX is not claimed, supported
3465 * by selinux.
3466 */
3467 return -EOPNOTSUPP;
3468 }
3469
3470 /* kernfs node operations */
3471
selinux_kernfs_init_security(struct kernfs_node * kn_dir,struct kernfs_node * kn)3472 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3473 struct kernfs_node *kn)
3474 {
3475 const struct task_security_struct *tsec = selinux_cred(current_cred());
3476 u32 parent_sid, newsid, clen;
3477 int rc;
3478 char *context;
3479
3480 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3481 if (rc == -ENODATA)
3482 return 0;
3483 else if (rc < 0)
3484 return rc;
3485
3486 clen = (u32)rc;
3487 context = kmalloc(clen, GFP_KERNEL);
3488 if (!context)
3489 return -ENOMEM;
3490
3491 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3492 if (rc < 0) {
3493 kfree(context);
3494 return rc;
3495 }
3496
3497 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3498 GFP_KERNEL);
3499 kfree(context);
3500 if (rc)
3501 return rc;
3502
3503 if (tsec->create_sid) {
3504 newsid = tsec->create_sid;
3505 } else {
3506 u16 secclass = inode_mode_to_security_class(kn->mode);
3507 struct qstr q;
3508
3509 q.name = kn->name;
3510 q.hash_len = hashlen_string(kn_dir, kn->name);
3511
3512 rc = security_transition_sid(&selinux_state, tsec->sid,
3513 parent_sid, secclass, &q,
3514 &newsid);
3515 if (rc)
3516 return rc;
3517 }
3518
3519 rc = security_sid_to_context_force(&selinux_state, newsid,
3520 &context, &clen);
3521 if (rc)
3522 return rc;
3523
3524 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3525 XATTR_CREATE);
3526 kfree(context);
3527 return rc;
3528 }
3529
3530
3531 /* file security operations */
3532
selinux_revalidate_file_permission(struct file * file,int mask)3533 static int selinux_revalidate_file_permission(struct file *file, int mask)
3534 {
3535 const struct cred *cred = current_cred();
3536 struct inode *inode = file_inode(file);
3537
3538 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3539 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3540 mask |= MAY_APPEND;
3541
3542 return file_has_perm(cred, file,
3543 file_mask_to_av(inode->i_mode, mask));
3544 }
3545
selinux_file_permission(struct file * file,int mask)3546 static int selinux_file_permission(struct file *file, int mask)
3547 {
3548 struct inode *inode = file_inode(file);
3549 struct file_security_struct *fsec = selinux_file(file);
3550 struct inode_security_struct *isec;
3551 u32 sid = current_sid();
3552
3553 if (!mask)
3554 /* No permission to check. Existence test. */
3555 return 0;
3556
3557 isec = inode_security(inode);
3558 if (sid == fsec->sid && fsec->isid == isec->sid &&
3559 fsec->pseqno == avc_policy_seqno(&selinux_state))
3560 /* No change since file_open check. */
3561 return 0;
3562
3563 return selinux_revalidate_file_permission(file, mask);
3564 }
3565
selinux_file_alloc_security(struct file * file)3566 static int selinux_file_alloc_security(struct file *file)
3567 {
3568 struct file_security_struct *fsec = selinux_file(file);
3569 u32 sid = current_sid();
3570
3571 fsec->sid = sid;
3572 fsec->fown_sid = sid;
3573
3574 return 0;
3575 }
3576
3577 /*
3578 * Check whether a task has the ioctl permission and cmd
3579 * operation to an inode.
3580 */
ioctl_has_perm(const struct cred * cred,struct file * file,u32 requested,u16 cmd)3581 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3582 u32 requested, u16 cmd)
3583 {
3584 struct common_audit_data ad;
3585 struct file_security_struct *fsec = selinux_file(file);
3586 struct inode *inode = file_inode(file);
3587 struct inode_security_struct *isec;
3588 struct lsm_ioctlop_audit ioctl;
3589 u32 ssid = cred_sid(cred);
3590 int rc;
3591 u8 driver = cmd >> 8;
3592 u8 xperm = cmd & 0xff;
3593
3594 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3595 ad.u.op = &ioctl;
3596 ad.u.op->cmd = cmd;
3597 ad.u.op->path = file->f_path;
3598
3599 if (ssid != fsec->sid) {
3600 rc = avc_has_perm(&selinux_state,
3601 ssid, fsec->sid,
3602 SECCLASS_FD,
3603 FD__USE,
3604 &ad);
3605 if (rc)
3606 goto out;
3607 }
3608
3609 if (unlikely(IS_PRIVATE(inode)))
3610 return 0;
3611
3612 isec = inode_security(inode);
3613 rc = avc_has_extended_perms(&selinux_state,
3614 ssid, isec->sid, isec->sclass,
3615 requested, driver, xperm, &ad);
3616 out:
3617 return rc;
3618 }
3619
selinux_file_ioctl(struct file * file,unsigned int cmd,unsigned long arg)3620 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3621 unsigned long arg)
3622 {
3623 const struct cred *cred = current_cred();
3624 int error = 0;
3625
3626 switch (cmd) {
3627 case FIONREAD:
3628 case FIBMAP:
3629 case FIGETBSZ:
3630 case FS_IOC_GETFLAGS:
3631 case FS_IOC_GETVERSION:
3632 error = file_has_perm(cred, file, FILE__GETATTR);
3633 break;
3634
3635 case FS_IOC_SETFLAGS:
3636 case FS_IOC_SETVERSION:
3637 error = file_has_perm(cred, file, FILE__SETATTR);
3638 break;
3639
3640 /* sys_ioctl() checks */
3641 case FIONBIO:
3642 case FIOASYNC:
3643 error = file_has_perm(cred, file, 0);
3644 break;
3645
3646 case KDSKBENT:
3647 case KDSKBSENT:
3648 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3649 CAP_OPT_NONE, true);
3650 break;
3651
3652 case FIOCLEX:
3653 case FIONCLEX:
3654 if (!selinux_policycap_ioctl_skip_cloexec())
3655 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3656 break;
3657
3658 /* default case assumes that the command will go
3659 * to the file's ioctl() function.
3660 */
3661 default:
3662 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3663 }
3664 return error;
3665 }
3666
selinux_file_ioctl_compat(struct file * file,unsigned int cmd,unsigned long arg)3667 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3668 unsigned long arg)
3669 {
3670 /*
3671 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3672 * make sure we don't compare 32-bit flags to 64-bit flags.
3673 */
3674 switch (cmd) {
3675 case FS_IOC32_GETFLAGS:
3676 cmd = FS_IOC_GETFLAGS;
3677 break;
3678 case FS_IOC32_SETFLAGS:
3679 cmd = FS_IOC_SETFLAGS;
3680 break;
3681 case FS_IOC32_GETVERSION:
3682 cmd = FS_IOC_GETVERSION;
3683 break;
3684 case FS_IOC32_SETVERSION:
3685 cmd = FS_IOC_SETVERSION;
3686 break;
3687 default:
3688 break;
3689 }
3690
3691 return selinux_file_ioctl(file, cmd, arg);
3692 }
3693
3694 static int default_noexec __ro_after_init;
3695
file_map_prot_check(struct file * file,unsigned long prot,int shared)3696 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3697 {
3698 const struct cred *cred = current_cred();
3699 u32 sid = cred_sid(cred);
3700 int rc = 0;
3701
3702 if (default_noexec &&
3703 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3704 (!shared && (prot & PROT_WRITE)))) {
3705 /*
3706 * We are making executable an anonymous mapping or a
3707 * private file mapping that will also be writable.
3708 * This has an additional check.
3709 */
3710 rc = avc_has_perm(&selinux_state,
3711 sid, sid, SECCLASS_PROCESS,
3712 PROCESS__EXECMEM, NULL);
3713 if (rc)
3714 goto error;
3715 }
3716
3717 if (file) {
3718 /* read access is always possible with a mapping */
3719 u32 av = FILE__READ;
3720
3721 /* write access only matters if the mapping is shared */
3722 if (shared && (prot & PROT_WRITE))
3723 av |= FILE__WRITE;
3724
3725 if (prot & PROT_EXEC)
3726 av |= FILE__EXECUTE;
3727
3728 return file_has_perm(cred, file, av);
3729 }
3730
3731 error:
3732 return rc;
3733 }
3734
selinux_mmap_addr(unsigned long addr)3735 static int selinux_mmap_addr(unsigned long addr)
3736 {
3737 int rc = 0;
3738
3739 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3740 u32 sid = current_sid();
3741 rc = avc_has_perm(&selinux_state,
3742 sid, sid, SECCLASS_MEMPROTECT,
3743 MEMPROTECT__MMAP_ZERO, NULL);
3744 }
3745
3746 return rc;
3747 }
3748
selinux_mmap_file(struct file * file,unsigned long reqprot,unsigned long prot,unsigned long flags)3749 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3750 unsigned long prot, unsigned long flags)
3751 {
3752 struct common_audit_data ad;
3753 int rc;
3754
3755 if (file) {
3756 ad.type = LSM_AUDIT_DATA_FILE;
3757 ad.u.file = file;
3758 rc = inode_has_perm(current_cred(), file_inode(file),
3759 FILE__MAP, &ad);
3760 if (rc)
3761 return rc;
3762 }
3763
3764 if (checkreqprot_get(&selinux_state))
3765 prot = reqprot;
3766
3767 return file_map_prot_check(file, prot,
3768 (flags & MAP_TYPE) == MAP_SHARED);
3769 }
3770
selinux_file_mprotect(struct vm_area_struct * vma,unsigned long reqprot,unsigned long prot)3771 static int selinux_file_mprotect(struct vm_area_struct *vma,
3772 unsigned long reqprot,
3773 unsigned long prot)
3774 {
3775 const struct cred *cred = current_cred();
3776 u32 sid = cred_sid(cred);
3777
3778 if (checkreqprot_get(&selinux_state))
3779 prot = reqprot;
3780
3781 if (default_noexec &&
3782 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3783 int rc = 0;
3784 if (vma->vm_start >= vma->vm_mm->start_brk &&
3785 vma->vm_end <= vma->vm_mm->brk) {
3786 rc = avc_has_perm(&selinux_state,
3787 sid, sid, SECCLASS_PROCESS,
3788 PROCESS__EXECHEAP, NULL);
3789 } else if (!vma->vm_file &&
3790 ((vma->vm_start <= vma->vm_mm->start_stack &&
3791 vma->vm_end >= vma->vm_mm->start_stack) ||
3792 vma_is_stack_for_current(vma))) {
3793 rc = avc_has_perm(&selinux_state,
3794 sid, sid, SECCLASS_PROCESS,
3795 PROCESS__EXECSTACK, NULL);
3796 } else if (vma->vm_file && vma->anon_vma) {
3797 /*
3798 * We are making executable a file mapping that has
3799 * had some COW done. Since pages might have been
3800 * written, check ability to execute the possibly
3801 * modified content. This typically should only
3802 * occur for text relocations.
3803 */
3804 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3805 }
3806 if (rc)
3807 return rc;
3808 }
3809
3810 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3811 }
3812
selinux_file_lock(struct file * file,unsigned int cmd)3813 static int selinux_file_lock(struct file *file, unsigned int cmd)
3814 {
3815 const struct cred *cred = current_cred();
3816
3817 return file_has_perm(cred, file, FILE__LOCK);
3818 }
3819
selinux_file_fcntl(struct file * file,unsigned int cmd,unsigned long arg)3820 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3821 unsigned long arg)
3822 {
3823 const struct cred *cred = current_cred();
3824 int err = 0;
3825
3826 switch (cmd) {
3827 case F_SETFL:
3828 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3829 err = file_has_perm(cred, file, FILE__WRITE);
3830 break;
3831 }
3832 fallthrough;
3833 case F_SETOWN:
3834 case F_SETSIG:
3835 case F_GETFL:
3836 case F_GETOWN:
3837 case F_GETSIG:
3838 case F_GETOWNER_UIDS:
3839 /* Just check FD__USE permission */
3840 err = file_has_perm(cred, file, 0);
3841 break;
3842 case F_GETLK:
3843 case F_SETLK:
3844 case F_SETLKW:
3845 case F_OFD_GETLK:
3846 case F_OFD_SETLK:
3847 case F_OFD_SETLKW:
3848 #if BITS_PER_LONG == 32
3849 case F_GETLK64:
3850 case F_SETLK64:
3851 case F_SETLKW64:
3852 #endif
3853 err = file_has_perm(cred, file, FILE__LOCK);
3854 break;
3855 }
3856
3857 return err;
3858 }
3859
selinux_file_set_fowner(struct file * file)3860 static void selinux_file_set_fowner(struct file *file)
3861 {
3862 struct file_security_struct *fsec;
3863
3864 fsec = selinux_file(file);
3865 fsec->fown_sid = current_sid();
3866 }
3867
selinux_file_send_sigiotask(struct task_struct * tsk,struct fown_struct * fown,int signum)3868 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3869 struct fown_struct *fown, int signum)
3870 {
3871 struct file *file;
3872 u32 sid = task_sid(tsk);
3873 u32 perm;
3874 struct file_security_struct *fsec;
3875
3876 /* struct fown_struct is never outside the context of a struct file */
3877 file = container_of(fown, struct file, f_owner);
3878
3879 fsec = selinux_file(file);
3880
3881 if (!signum)
3882 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3883 else
3884 perm = signal_to_av(signum);
3885
3886 return avc_has_perm(&selinux_state,
3887 fsec->fown_sid, sid,
3888 SECCLASS_PROCESS, perm, NULL);
3889 }
3890
selinux_file_receive(struct file * file)3891 static int selinux_file_receive(struct file *file)
3892 {
3893 const struct cred *cred = current_cred();
3894
3895 return file_has_perm(cred, file, file_to_av(file));
3896 }
3897
selinux_file_open(struct file * file)3898 static int selinux_file_open(struct file *file)
3899 {
3900 struct file_security_struct *fsec;
3901 struct inode_security_struct *isec;
3902
3903 fsec = selinux_file(file);
3904 isec = inode_security(file_inode(file));
3905 /*
3906 * Save inode label and policy sequence number
3907 * at open-time so that selinux_file_permission
3908 * can determine whether revalidation is necessary.
3909 * Task label is already saved in the file security
3910 * struct as its SID.
3911 */
3912 fsec->isid = isec->sid;
3913 fsec->pseqno = avc_policy_seqno(&selinux_state);
3914 /*
3915 * Since the inode label or policy seqno may have changed
3916 * between the selinux_inode_permission check and the saving
3917 * of state above, recheck that access is still permitted.
3918 * Otherwise, access might never be revalidated against the
3919 * new inode label or new policy.
3920 * This check is not redundant - do not remove.
3921 */
3922 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3923 }
3924
3925 /* task security operations */
3926
selinux_task_alloc(struct task_struct * task,unsigned long clone_flags)3927 static int selinux_task_alloc(struct task_struct *task,
3928 unsigned long clone_flags)
3929 {
3930 u32 sid = current_sid();
3931
3932 return avc_has_perm(&selinux_state,
3933 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3934 }
3935
3936 /*
3937 * prepare a new set of credentials for modification
3938 */
selinux_cred_prepare(struct cred * new,const struct cred * old,gfp_t gfp)3939 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3940 gfp_t gfp)
3941 {
3942 const struct task_security_struct *old_tsec = selinux_cred(old);
3943 struct task_security_struct *tsec = selinux_cred(new);
3944
3945 *tsec = *old_tsec;
3946 return 0;
3947 }
3948
3949 /*
3950 * transfer the SELinux data to a blank set of creds
3951 */
selinux_cred_transfer(struct cred * new,const struct cred * old)3952 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3953 {
3954 const struct task_security_struct *old_tsec = selinux_cred(old);
3955 struct task_security_struct *tsec = selinux_cred(new);
3956
3957 *tsec = *old_tsec;
3958 }
3959
selinux_cred_getsecid(const struct cred * c,u32 * secid)3960 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3961 {
3962 *secid = cred_sid(c);
3963 }
3964
3965 /*
3966 * set the security data for a kernel service
3967 * - all the creation contexts are set to unlabelled
3968 */
selinux_kernel_act_as(struct cred * new,u32 secid)3969 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3970 {
3971 struct task_security_struct *tsec = selinux_cred(new);
3972 u32 sid = current_sid();
3973 int ret;
3974
3975 ret = avc_has_perm(&selinux_state,
3976 sid, secid,
3977 SECCLASS_KERNEL_SERVICE,
3978 KERNEL_SERVICE__USE_AS_OVERRIDE,
3979 NULL);
3980 if (ret == 0) {
3981 tsec->sid = secid;
3982 tsec->create_sid = 0;
3983 tsec->keycreate_sid = 0;
3984 tsec->sockcreate_sid = 0;
3985 }
3986 return ret;
3987 }
3988
3989 /*
3990 * set the file creation context in a security record to the same as the
3991 * objective context of the specified inode
3992 */
selinux_kernel_create_files_as(struct cred * new,struct inode * inode)3993 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3994 {
3995 struct inode_security_struct *isec = inode_security(inode);
3996 struct task_security_struct *tsec = selinux_cred(new);
3997 u32 sid = current_sid();
3998 int ret;
3999
4000 ret = avc_has_perm(&selinux_state,
4001 sid, isec->sid,
4002 SECCLASS_KERNEL_SERVICE,
4003 KERNEL_SERVICE__CREATE_FILES_AS,
4004 NULL);
4005
4006 if (ret == 0)
4007 tsec->create_sid = isec->sid;
4008 return ret;
4009 }
4010
selinux_kernel_module_request(char * kmod_name)4011 static int selinux_kernel_module_request(char *kmod_name)
4012 {
4013 struct common_audit_data ad;
4014
4015 ad.type = LSM_AUDIT_DATA_KMOD;
4016 ad.u.kmod_name = kmod_name;
4017
4018 return avc_has_perm(&selinux_state,
4019 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4020 SYSTEM__MODULE_REQUEST, &ad);
4021 }
4022
selinux_kernel_module_from_file(struct file * file)4023 static int selinux_kernel_module_from_file(struct file *file)
4024 {
4025 struct common_audit_data ad;
4026 struct inode_security_struct *isec;
4027 struct file_security_struct *fsec;
4028 u32 sid = current_sid();
4029 int rc;
4030
4031 /* init_module */
4032 if (file == NULL)
4033 return avc_has_perm(&selinux_state,
4034 sid, sid, SECCLASS_SYSTEM,
4035 SYSTEM__MODULE_LOAD, NULL);
4036
4037 /* finit_module */
4038
4039 ad.type = LSM_AUDIT_DATA_FILE;
4040 ad.u.file = file;
4041
4042 fsec = selinux_file(file);
4043 if (sid != fsec->sid) {
4044 rc = avc_has_perm(&selinux_state,
4045 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4046 if (rc)
4047 return rc;
4048 }
4049
4050 isec = inode_security(file_inode(file));
4051 return avc_has_perm(&selinux_state,
4052 sid, isec->sid, SECCLASS_SYSTEM,
4053 SYSTEM__MODULE_LOAD, &ad);
4054 }
4055
selinux_kernel_read_file(struct file * file,enum kernel_read_file_id id,bool contents)4056 static int selinux_kernel_read_file(struct file *file,
4057 enum kernel_read_file_id id,
4058 bool contents)
4059 {
4060 int rc = 0;
4061
4062 switch (id) {
4063 case READING_MODULE:
4064 rc = selinux_kernel_module_from_file(contents ? file : NULL);
4065 break;
4066 default:
4067 break;
4068 }
4069
4070 return rc;
4071 }
4072
selinux_kernel_load_data(enum kernel_load_data_id id,bool contents)4073 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4074 {
4075 int rc = 0;
4076
4077 switch (id) {
4078 case LOADING_MODULE:
4079 rc = selinux_kernel_module_from_file(NULL);
4080 default:
4081 break;
4082 }
4083
4084 return rc;
4085 }
4086
selinux_task_setpgid(struct task_struct * p,pid_t pgid)4087 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4088 {
4089 return avc_has_perm(&selinux_state,
4090 current_sid(), task_sid(p), SECCLASS_PROCESS,
4091 PROCESS__SETPGID, NULL);
4092 }
4093
selinux_task_getpgid(struct task_struct * p)4094 static int selinux_task_getpgid(struct task_struct *p)
4095 {
4096 return avc_has_perm(&selinux_state,
4097 current_sid(), task_sid(p), SECCLASS_PROCESS,
4098 PROCESS__GETPGID, NULL);
4099 }
4100
selinux_task_getsid(struct task_struct * p)4101 static int selinux_task_getsid(struct task_struct *p)
4102 {
4103 return avc_has_perm(&selinux_state,
4104 current_sid(), task_sid(p), SECCLASS_PROCESS,
4105 PROCESS__GETSESSION, NULL);
4106 }
4107
selinux_task_getsecid(struct task_struct * p,u32 * secid)4108 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4109 {
4110 *secid = task_sid(p);
4111 }
4112
selinux_task_setnice(struct task_struct * p,int nice)4113 static int selinux_task_setnice(struct task_struct *p, int nice)
4114 {
4115 return avc_has_perm(&selinux_state,
4116 current_sid(), task_sid(p), SECCLASS_PROCESS,
4117 PROCESS__SETSCHED, NULL);
4118 }
4119
selinux_task_setioprio(struct task_struct * p,int ioprio)4120 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4121 {
4122 return avc_has_perm(&selinux_state,
4123 current_sid(), task_sid(p), SECCLASS_PROCESS,
4124 PROCESS__SETSCHED, NULL);
4125 }
4126
selinux_task_getioprio(struct task_struct * p)4127 static int selinux_task_getioprio(struct task_struct *p)
4128 {
4129 return avc_has_perm(&selinux_state,
4130 current_sid(), task_sid(p), SECCLASS_PROCESS,
4131 PROCESS__GETSCHED, NULL);
4132 }
4133
selinux_task_prlimit(const struct cred * cred,const struct cred * tcred,unsigned int flags)4134 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4135 unsigned int flags)
4136 {
4137 u32 av = 0;
4138
4139 if (!flags)
4140 return 0;
4141 if (flags & LSM_PRLIMIT_WRITE)
4142 av |= PROCESS__SETRLIMIT;
4143 if (flags & LSM_PRLIMIT_READ)
4144 av |= PROCESS__GETRLIMIT;
4145 return avc_has_perm(&selinux_state,
4146 cred_sid(cred), cred_sid(tcred),
4147 SECCLASS_PROCESS, av, NULL);
4148 }
4149
selinux_task_setrlimit(struct task_struct * p,unsigned int resource,struct rlimit * new_rlim)4150 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4151 struct rlimit *new_rlim)
4152 {
4153 struct rlimit *old_rlim = p->signal->rlim + resource;
4154
4155 /* Control the ability to change the hard limit (whether
4156 lowering or raising it), so that the hard limit can
4157 later be used as a safe reset point for the soft limit
4158 upon context transitions. See selinux_bprm_committing_creds. */
4159 if (old_rlim->rlim_max != new_rlim->rlim_max)
4160 return avc_has_perm(&selinux_state,
4161 current_sid(), task_sid(p),
4162 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4163
4164 return 0;
4165 }
4166
selinux_task_setscheduler(struct task_struct * p)4167 static int selinux_task_setscheduler(struct task_struct *p)
4168 {
4169 return avc_has_perm(&selinux_state,
4170 current_sid(), task_sid(p), SECCLASS_PROCESS,
4171 PROCESS__SETSCHED, NULL);
4172 }
4173
selinux_task_getscheduler(struct task_struct * p)4174 static int selinux_task_getscheduler(struct task_struct *p)
4175 {
4176 return avc_has_perm(&selinux_state,
4177 current_sid(), task_sid(p), SECCLASS_PROCESS,
4178 PROCESS__GETSCHED, NULL);
4179 }
4180
selinux_task_movememory(struct task_struct * p)4181 static int selinux_task_movememory(struct task_struct *p)
4182 {
4183 return avc_has_perm(&selinux_state,
4184 current_sid(), task_sid(p), SECCLASS_PROCESS,
4185 PROCESS__SETSCHED, NULL);
4186 }
4187
selinux_task_kill(struct task_struct * p,struct kernel_siginfo * info,int sig,const struct cred * cred)4188 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4189 int sig, const struct cred *cred)
4190 {
4191 u32 secid;
4192 u32 perm;
4193
4194 if (!sig)
4195 perm = PROCESS__SIGNULL; /* null signal; existence test */
4196 else
4197 perm = signal_to_av(sig);
4198 if (!cred)
4199 secid = current_sid();
4200 else
4201 secid = cred_sid(cred);
4202 return avc_has_perm(&selinux_state,
4203 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4204 }
4205
selinux_task_to_inode(struct task_struct * p,struct inode * inode)4206 static void selinux_task_to_inode(struct task_struct *p,
4207 struct inode *inode)
4208 {
4209 struct inode_security_struct *isec = selinux_inode(inode);
4210 u32 sid = task_sid(p);
4211
4212 spin_lock(&isec->lock);
4213 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4214 isec->sid = sid;
4215 isec->initialized = LABEL_INITIALIZED;
4216 spin_unlock(&isec->lock);
4217 }
4218
4219 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv4(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4220 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4221 struct common_audit_data *ad, u8 *proto)
4222 {
4223 int offset, ihlen, ret = -EINVAL;
4224 struct iphdr _iph, *ih;
4225
4226 offset = skb_network_offset(skb);
4227 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4228 if (ih == NULL)
4229 goto out;
4230
4231 ihlen = ih->ihl * 4;
4232 if (ihlen < sizeof(_iph))
4233 goto out;
4234
4235 ad->u.net->v4info.saddr = ih->saddr;
4236 ad->u.net->v4info.daddr = ih->daddr;
4237 ret = 0;
4238
4239 if (proto)
4240 *proto = ih->protocol;
4241
4242 switch (ih->protocol) {
4243 case IPPROTO_TCP: {
4244 struct tcphdr _tcph, *th;
4245
4246 if (ntohs(ih->frag_off) & IP_OFFSET)
4247 break;
4248
4249 offset += ihlen;
4250 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4251 if (th == NULL)
4252 break;
4253
4254 ad->u.net->sport = th->source;
4255 ad->u.net->dport = th->dest;
4256 break;
4257 }
4258
4259 case IPPROTO_UDP: {
4260 struct udphdr _udph, *uh;
4261
4262 if (ntohs(ih->frag_off) & IP_OFFSET)
4263 break;
4264
4265 offset += ihlen;
4266 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4267 if (uh == NULL)
4268 break;
4269
4270 ad->u.net->sport = uh->source;
4271 ad->u.net->dport = uh->dest;
4272 break;
4273 }
4274
4275 case IPPROTO_DCCP: {
4276 struct dccp_hdr _dccph, *dh;
4277
4278 if (ntohs(ih->frag_off) & IP_OFFSET)
4279 break;
4280
4281 offset += ihlen;
4282 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4283 if (dh == NULL)
4284 break;
4285
4286 ad->u.net->sport = dh->dccph_sport;
4287 ad->u.net->dport = dh->dccph_dport;
4288 break;
4289 }
4290
4291 #if IS_ENABLED(CONFIG_IP_SCTP)
4292 case IPPROTO_SCTP: {
4293 struct sctphdr _sctph, *sh;
4294
4295 if (ntohs(ih->frag_off) & IP_OFFSET)
4296 break;
4297
4298 offset += ihlen;
4299 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4300 if (sh == NULL)
4301 break;
4302
4303 ad->u.net->sport = sh->source;
4304 ad->u.net->dport = sh->dest;
4305 break;
4306 }
4307 #endif
4308 default:
4309 break;
4310 }
4311 out:
4312 return ret;
4313 }
4314
4315 #if IS_ENABLED(CONFIG_IPV6)
4316
4317 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv6(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4318 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4319 struct common_audit_data *ad, u8 *proto)
4320 {
4321 u8 nexthdr;
4322 int ret = -EINVAL, offset;
4323 struct ipv6hdr _ipv6h, *ip6;
4324 __be16 frag_off;
4325
4326 offset = skb_network_offset(skb);
4327 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4328 if (ip6 == NULL)
4329 goto out;
4330
4331 ad->u.net->v6info.saddr = ip6->saddr;
4332 ad->u.net->v6info.daddr = ip6->daddr;
4333 ret = 0;
4334
4335 nexthdr = ip6->nexthdr;
4336 offset += sizeof(_ipv6h);
4337 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4338 if (offset < 0)
4339 goto out;
4340
4341 if (proto)
4342 *proto = nexthdr;
4343
4344 switch (nexthdr) {
4345 case IPPROTO_TCP: {
4346 struct tcphdr _tcph, *th;
4347
4348 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4349 if (th == NULL)
4350 break;
4351
4352 ad->u.net->sport = th->source;
4353 ad->u.net->dport = th->dest;
4354 break;
4355 }
4356
4357 case IPPROTO_UDP: {
4358 struct udphdr _udph, *uh;
4359
4360 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4361 if (uh == NULL)
4362 break;
4363
4364 ad->u.net->sport = uh->source;
4365 ad->u.net->dport = uh->dest;
4366 break;
4367 }
4368
4369 case IPPROTO_DCCP: {
4370 struct dccp_hdr _dccph, *dh;
4371
4372 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4373 if (dh == NULL)
4374 break;
4375
4376 ad->u.net->sport = dh->dccph_sport;
4377 ad->u.net->dport = dh->dccph_dport;
4378 break;
4379 }
4380
4381 #if IS_ENABLED(CONFIG_IP_SCTP)
4382 case IPPROTO_SCTP: {
4383 struct sctphdr _sctph, *sh;
4384
4385 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4386 if (sh == NULL)
4387 break;
4388
4389 ad->u.net->sport = sh->source;
4390 ad->u.net->dport = sh->dest;
4391 break;
4392 }
4393 #endif
4394 /* includes fragments */
4395 default:
4396 break;
4397 }
4398 out:
4399 return ret;
4400 }
4401
4402 #endif /* IPV6 */
4403
selinux_parse_skb(struct sk_buff * skb,struct common_audit_data * ad,char ** _addrp,int src,u8 * proto)4404 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4405 char **_addrp, int src, u8 *proto)
4406 {
4407 char *addrp;
4408 int ret;
4409
4410 switch (ad->u.net->family) {
4411 case PF_INET:
4412 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4413 if (ret)
4414 goto parse_error;
4415 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4416 &ad->u.net->v4info.daddr);
4417 goto okay;
4418
4419 #if IS_ENABLED(CONFIG_IPV6)
4420 case PF_INET6:
4421 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4422 if (ret)
4423 goto parse_error;
4424 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4425 &ad->u.net->v6info.daddr);
4426 goto okay;
4427 #endif /* IPV6 */
4428 default:
4429 addrp = NULL;
4430 goto okay;
4431 }
4432
4433 parse_error:
4434 pr_warn(
4435 "SELinux: failure in selinux_parse_skb(),"
4436 " unable to parse packet\n");
4437 return ret;
4438
4439 okay:
4440 if (_addrp)
4441 *_addrp = addrp;
4442 return 0;
4443 }
4444
4445 /**
4446 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4447 * @skb: the packet
4448 * @family: protocol family
4449 * @sid: the packet's peer label SID
4450 *
4451 * Description:
4452 * Check the various different forms of network peer labeling and determine
4453 * the peer label/SID for the packet; most of the magic actually occurs in
4454 * the security server function security_net_peersid_cmp(). The function
4455 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4456 * or -EACCES if @sid is invalid due to inconsistencies with the different
4457 * peer labels.
4458 *
4459 */
selinux_skb_peerlbl_sid(struct sk_buff * skb,u16 family,u32 * sid)4460 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4461 {
4462 int err;
4463 u32 xfrm_sid;
4464 u32 nlbl_sid;
4465 u32 nlbl_type;
4466
4467 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4468 if (unlikely(err))
4469 return -EACCES;
4470 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4471 if (unlikely(err))
4472 return -EACCES;
4473
4474 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4475 nlbl_type, xfrm_sid, sid);
4476 if (unlikely(err)) {
4477 pr_warn(
4478 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4479 " unable to determine packet's peer label\n");
4480 return -EACCES;
4481 }
4482
4483 return 0;
4484 }
4485
4486 /**
4487 * selinux_conn_sid - Determine the child socket label for a connection
4488 * @sk_sid: the parent socket's SID
4489 * @skb_sid: the packet's SID
4490 * @conn_sid: the resulting connection SID
4491 *
4492 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4493 * combined with the MLS information from @skb_sid in order to create
4494 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy
4495 * of @sk_sid. Returns zero on success, negative values on failure.
4496 *
4497 */
selinux_conn_sid(u32 sk_sid,u32 skb_sid,u32 * conn_sid)4498 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4499 {
4500 int err = 0;
4501
4502 if (skb_sid != SECSID_NULL)
4503 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4504 conn_sid);
4505 else
4506 *conn_sid = sk_sid;
4507
4508 return err;
4509 }
4510
4511 /* socket security operations */
4512
socket_sockcreate_sid(const struct task_security_struct * tsec,u16 secclass,u32 * socksid)4513 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4514 u16 secclass, u32 *socksid)
4515 {
4516 if (tsec->sockcreate_sid > SECSID_NULL) {
4517 *socksid = tsec->sockcreate_sid;
4518 return 0;
4519 }
4520
4521 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4522 secclass, NULL, socksid);
4523 }
4524
sock_has_perm(struct sock * sk,u32 perms)4525 static int sock_has_perm(struct sock *sk, u32 perms)
4526 {
4527 struct sk_security_struct *sksec = sk->sk_security;
4528 struct common_audit_data ad;
4529 struct lsm_network_audit net = {0,};
4530
4531 if (sksec->sid == SECINITSID_KERNEL)
4532 return 0;
4533
4534 ad.type = LSM_AUDIT_DATA_NET;
4535 ad.u.net = &net;
4536 ad.u.net->sk = sk;
4537
4538 return avc_has_perm(&selinux_state,
4539 current_sid(), sksec->sid, sksec->sclass, perms,
4540 &ad);
4541 }
4542
selinux_socket_create(int family,int type,int protocol,int kern)4543 static int selinux_socket_create(int family, int type,
4544 int protocol, int kern)
4545 {
4546 const struct task_security_struct *tsec = selinux_cred(current_cred());
4547 u32 newsid;
4548 u16 secclass;
4549 int rc;
4550
4551 if (kern)
4552 return 0;
4553
4554 secclass = socket_type_to_security_class(family, type, protocol);
4555 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4556 if (rc)
4557 return rc;
4558
4559 return avc_has_perm(&selinux_state,
4560 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4561 }
4562
selinux_socket_post_create(struct socket * sock,int family,int type,int protocol,int kern)4563 static int selinux_socket_post_create(struct socket *sock, int family,
4564 int type, int protocol, int kern)
4565 {
4566 const struct task_security_struct *tsec = selinux_cred(current_cred());
4567 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4568 struct sk_security_struct *sksec;
4569 u16 sclass = socket_type_to_security_class(family, type, protocol);
4570 u32 sid = SECINITSID_KERNEL;
4571 int err = 0;
4572
4573 if (!kern) {
4574 err = socket_sockcreate_sid(tsec, sclass, &sid);
4575 if (err)
4576 return err;
4577 }
4578
4579 isec->sclass = sclass;
4580 isec->sid = sid;
4581 isec->initialized = LABEL_INITIALIZED;
4582
4583 if (sock->sk) {
4584 sksec = sock->sk->sk_security;
4585 sksec->sclass = sclass;
4586 sksec->sid = sid;
4587 /* Allows detection of the first association on this socket */
4588 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4589 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4590
4591 err = selinux_netlbl_socket_post_create(sock->sk, family);
4592 }
4593
4594 return err;
4595 }
4596
selinux_socket_socketpair(struct socket * socka,struct socket * sockb)4597 static int selinux_socket_socketpair(struct socket *socka,
4598 struct socket *sockb)
4599 {
4600 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4601 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4602
4603 sksec_a->peer_sid = sksec_b->sid;
4604 sksec_b->peer_sid = sksec_a->sid;
4605
4606 return 0;
4607 }
4608
4609 /* Range of port numbers used to automatically bind.
4610 Need to determine whether we should perform a name_bind
4611 permission check between the socket and the port number. */
4612
selinux_socket_bind(struct socket * sock,struct sockaddr * address,int addrlen)4613 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4614 {
4615 struct sock *sk = sock->sk;
4616 struct sk_security_struct *sksec = sk->sk_security;
4617 u16 family;
4618 int err;
4619
4620 err = sock_has_perm(sk, SOCKET__BIND);
4621 if (err)
4622 goto out;
4623
4624 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4625 family = sk->sk_family;
4626 if (family == PF_INET || family == PF_INET6) {
4627 char *addrp;
4628 struct common_audit_data ad;
4629 struct lsm_network_audit net = {0,};
4630 struct sockaddr_in *addr4 = NULL;
4631 struct sockaddr_in6 *addr6 = NULL;
4632 u16 family_sa;
4633 unsigned short snum;
4634 u32 sid, node_perm;
4635
4636 /*
4637 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4638 * that validates multiple binding addresses. Because of this
4639 * need to check address->sa_family as it is possible to have
4640 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4641 */
4642 if (addrlen < offsetofend(struct sockaddr, sa_family))
4643 return -EINVAL;
4644 family_sa = address->sa_family;
4645 switch (family_sa) {
4646 case AF_UNSPEC:
4647 case AF_INET:
4648 if (addrlen < sizeof(struct sockaddr_in))
4649 return -EINVAL;
4650 addr4 = (struct sockaddr_in *)address;
4651 if (family_sa == AF_UNSPEC) {
4652 if (family == PF_INET6) {
4653 /* Length check from inet6_bind_sk() */
4654 if (addrlen < SIN6_LEN_RFC2133)
4655 return -EINVAL;
4656 /* Family check from __inet6_bind() */
4657 goto err_af;
4658 }
4659 /* see __inet_bind(), we only want to allow
4660 * AF_UNSPEC if the address is INADDR_ANY
4661 */
4662 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4663 goto err_af;
4664 family_sa = AF_INET;
4665 }
4666 snum = ntohs(addr4->sin_port);
4667 addrp = (char *)&addr4->sin_addr.s_addr;
4668 break;
4669 case AF_INET6:
4670 if (addrlen < SIN6_LEN_RFC2133)
4671 return -EINVAL;
4672 addr6 = (struct sockaddr_in6 *)address;
4673 snum = ntohs(addr6->sin6_port);
4674 addrp = (char *)&addr6->sin6_addr.s6_addr;
4675 break;
4676 default:
4677 goto err_af;
4678 }
4679
4680 ad.type = LSM_AUDIT_DATA_NET;
4681 ad.u.net = &net;
4682 ad.u.net->sport = htons(snum);
4683 ad.u.net->family = family_sa;
4684
4685 if (snum) {
4686 int low, high;
4687
4688 inet_get_local_port_range(sock_net(sk), &low, &high);
4689
4690 if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4691 snum < low || snum > high) {
4692 err = sel_netport_sid(sk->sk_protocol,
4693 snum, &sid);
4694 if (err)
4695 goto out;
4696 err = avc_has_perm(&selinux_state,
4697 sksec->sid, sid,
4698 sksec->sclass,
4699 SOCKET__NAME_BIND, &ad);
4700 if (err)
4701 goto out;
4702 }
4703 }
4704
4705 switch (sksec->sclass) {
4706 case SECCLASS_TCP_SOCKET:
4707 node_perm = TCP_SOCKET__NODE_BIND;
4708 break;
4709
4710 case SECCLASS_UDP_SOCKET:
4711 node_perm = UDP_SOCKET__NODE_BIND;
4712 break;
4713
4714 case SECCLASS_DCCP_SOCKET:
4715 node_perm = DCCP_SOCKET__NODE_BIND;
4716 break;
4717
4718 case SECCLASS_SCTP_SOCKET:
4719 node_perm = SCTP_SOCKET__NODE_BIND;
4720 break;
4721
4722 default:
4723 node_perm = RAWIP_SOCKET__NODE_BIND;
4724 break;
4725 }
4726
4727 err = sel_netnode_sid(addrp, family_sa, &sid);
4728 if (err)
4729 goto out;
4730
4731 if (family_sa == AF_INET)
4732 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4733 else
4734 ad.u.net->v6info.saddr = addr6->sin6_addr;
4735
4736 err = avc_has_perm(&selinux_state,
4737 sksec->sid, sid,
4738 sksec->sclass, node_perm, &ad);
4739 if (err)
4740 goto out;
4741 }
4742 out:
4743 return err;
4744 err_af:
4745 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4746 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4747 return -EINVAL;
4748 return -EAFNOSUPPORT;
4749 }
4750
4751 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4752 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4753 */
selinux_socket_connect_helper(struct socket * sock,struct sockaddr * address,int addrlen)4754 static int selinux_socket_connect_helper(struct socket *sock,
4755 struct sockaddr *address, int addrlen)
4756 {
4757 struct sock *sk = sock->sk;
4758 struct sk_security_struct *sksec = sk->sk_security;
4759 int err;
4760
4761 err = sock_has_perm(sk, SOCKET__CONNECT);
4762 if (err)
4763 return err;
4764 if (addrlen < offsetofend(struct sockaddr, sa_family))
4765 return -EINVAL;
4766
4767 /* connect(AF_UNSPEC) has special handling, as it is a documented
4768 * way to disconnect the socket
4769 */
4770 if (address->sa_family == AF_UNSPEC)
4771 return 0;
4772
4773 /*
4774 * If a TCP, DCCP or SCTP socket, check name_connect permission
4775 * for the port.
4776 */
4777 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4778 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4779 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4780 struct common_audit_data ad;
4781 struct lsm_network_audit net = {0,};
4782 struct sockaddr_in *addr4 = NULL;
4783 struct sockaddr_in6 *addr6 = NULL;
4784 unsigned short snum;
4785 u32 sid, perm;
4786
4787 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4788 * that validates multiple connect addresses. Because of this
4789 * need to check address->sa_family as it is possible to have
4790 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4791 */
4792 switch (address->sa_family) {
4793 case AF_INET:
4794 addr4 = (struct sockaddr_in *)address;
4795 if (addrlen < sizeof(struct sockaddr_in))
4796 return -EINVAL;
4797 snum = ntohs(addr4->sin_port);
4798 break;
4799 case AF_INET6:
4800 addr6 = (struct sockaddr_in6 *)address;
4801 if (addrlen < SIN6_LEN_RFC2133)
4802 return -EINVAL;
4803 snum = ntohs(addr6->sin6_port);
4804 break;
4805 default:
4806 /* Note that SCTP services expect -EINVAL, whereas
4807 * others expect -EAFNOSUPPORT.
4808 */
4809 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4810 return -EINVAL;
4811 else
4812 return -EAFNOSUPPORT;
4813 }
4814
4815 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4816 if (err)
4817 return err;
4818
4819 switch (sksec->sclass) {
4820 case SECCLASS_TCP_SOCKET:
4821 perm = TCP_SOCKET__NAME_CONNECT;
4822 break;
4823 case SECCLASS_DCCP_SOCKET:
4824 perm = DCCP_SOCKET__NAME_CONNECT;
4825 break;
4826 case SECCLASS_SCTP_SOCKET:
4827 perm = SCTP_SOCKET__NAME_CONNECT;
4828 break;
4829 }
4830
4831 ad.type = LSM_AUDIT_DATA_NET;
4832 ad.u.net = &net;
4833 ad.u.net->dport = htons(snum);
4834 ad.u.net->family = address->sa_family;
4835 err = avc_has_perm(&selinux_state,
4836 sksec->sid, sid, sksec->sclass, perm, &ad);
4837 if (err)
4838 return err;
4839 }
4840
4841 return 0;
4842 }
4843
4844 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
selinux_socket_connect(struct socket * sock,struct sockaddr * address,int addrlen)4845 static int selinux_socket_connect(struct socket *sock,
4846 struct sockaddr *address, int addrlen)
4847 {
4848 int err;
4849 struct sock *sk = sock->sk;
4850
4851 err = selinux_socket_connect_helper(sock, address, addrlen);
4852 if (err)
4853 return err;
4854
4855 return selinux_netlbl_socket_connect(sk, address);
4856 }
4857
selinux_socket_listen(struct socket * sock,int backlog)4858 static int selinux_socket_listen(struct socket *sock, int backlog)
4859 {
4860 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4861 }
4862
selinux_socket_accept(struct socket * sock,struct socket * newsock)4863 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4864 {
4865 int err;
4866 struct inode_security_struct *isec;
4867 struct inode_security_struct *newisec;
4868 u16 sclass;
4869 u32 sid;
4870
4871 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4872 if (err)
4873 return err;
4874
4875 isec = inode_security_novalidate(SOCK_INODE(sock));
4876 spin_lock(&isec->lock);
4877 sclass = isec->sclass;
4878 sid = isec->sid;
4879 spin_unlock(&isec->lock);
4880
4881 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4882 newisec->sclass = sclass;
4883 newisec->sid = sid;
4884 newisec->initialized = LABEL_INITIALIZED;
4885
4886 return 0;
4887 }
4888
selinux_socket_sendmsg(struct socket * sock,struct msghdr * msg,int size)4889 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4890 int size)
4891 {
4892 return sock_has_perm(sock->sk, SOCKET__WRITE);
4893 }
4894
selinux_socket_recvmsg(struct socket * sock,struct msghdr * msg,int size,int flags)4895 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4896 int size, int flags)
4897 {
4898 return sock_has_perm(sock->sk, SOCKET__READ);
4899 }
4900
selinux_socket_getsockname(struct socket * sock)4901 static int selinux_socket_getsockname(struct socket *sock)
4902 {
4903 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4904 }
4905
selinux_socket_getpeername(struct socket * sock)4906 static int selinux_socket_getpeername(struct socket *sock)
4907 {
4908 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4909 }
4910
selinux_socket_setsockopt(struct socket * sock,int level,int optname)4911 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4912 {
4913 int err;
4914
4915 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4916 if (err)
4917 return err;
4918
4919 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4920 }
4921
selinux_socket_getsockopt(struct socket * sock,int level,int optname)4922 static int selinux_socket_getsockopt(struct socket *sock, int level,
4923 int optname)
4924 {
4925 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4926 }
4927
selinux_socket_shutdown(struct socket * sock,int how)4928 static int selinux_socket_shutdown(struct socket *sock, int how)
4929 {
4930 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4931 }
4932
selinux_socket_unix_stream_connect(struct sock * sock,struct sock * other,struct sock * newsk)4933 static int selinux_socket_unix_stream_connect(struct sock *sock,
4934 struct sock *other,
4935 struct sock *newsk)
4936 {
4937 struct sk_security_struct *sksec_sock = sock->sk_security;
4938 struct sk_security_struct *sksec_other = other->sk_security;
4939 struct sk_security_struct *sksec_new = newsk->sk_security;
4940 struct common_audit_data ad;
4941 struct lsm_network_audit net = {0,};
4942 int err;
4943
4944 ad.type = LSM_AUDIT_DATA_NET;
4945 ad.u.net = &net;
4946 ad.u.net->sk = other;
4947
4948 err = avc_has_perm(&selinux_state,
4949 sksec_sock->sid, sksec_other->sid,
4950 sksec_other->sclass,
4951 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4952 if (err)
4953 return err;
4954
4955 /* server child socket */
4956 sksec_new->peer_sid = sksec_sock->sid;
4957 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4958 sksec_sock->sid, &sksec_new->sid);
4959 if (err)
4960 return err;
4961
4962 /* connecting socket */
4963 sksec_sock->peer_sid = sksec_new->sid;
4964
4965 return 0;
4966 }
4967
selinux_socket_unix_may_send(struct socket * sock,struct socket * other)4968 static int selinux_socket_unix_may_send(struct socket *sock,
4969 struct socket *other)
4970 {
4971 struct sk_security_struct *ssec = sock->sk->sk_security;
4972 struct sk_security_struct *osec = other->sk->sk_security;
4973 struct common_audit_data ad;
4974 struct lsm_network_audit net = {0,};
4975
4976 ad.type = LSM_AUDIT_DATA_NET;
4977 ad.u.net = &net;
4978 ad.u.net->sk = other->sk;
4979
4980 return avc_has_perm(&selinux_state,
4981 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4982 &ad);
4983 }
4984
selinux_inet_sys_rcv_skb(struct net * ns,int ifindex,char * addrp,u16 family,u32 peer_sid,struct common_audit_data * ad)4985 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4986 char *addrp, u16 family, u32 peer_sid,
4987 struct common_audit_data *ad)
4988 {
4989 int err;
4990 u32 if_sid;
4991 u32 node_sid;
4992
4993 err = sel_netif_sid(ns, ifindex, &if_sid);
4994 if (err)
4995 return err;
4996 err = avc_has_perm(&selinux_state,
4997 peer_sid, if_sid,
4998 SECCLASS_NETIF, NETIF__INGRESS, ad);
4999 if (err)
5000 return err;
5001
5002 err = sel_netnode_sid(addrp, family, &node_sid);
5003 if (err)
5004 return err;
5005 return avc_has_perm(&selinux_state,
5006 peer_sid, node_sid,
5007 SECCLASS_NODE, NODE__RECVFROM, ad);
5008 }
5009
selinux_sock_rcv_skb_compat(struct sock * sk,struct sk_buff * skb,u16 family)5010 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5011 u16 family)
5012 {
5013 int err = 0;
5014 struct sk_security_struct *sksec = sk->sk_security;
5015 u32 sk_sid = sksec->sid;
5016 struct common_audit_data ad;
5017 struct lsm_network_audit net = {0,};
5018 char *addrp;
5019
5020 ad.type = LSM_AUDIT_DATA_NET;
5021 ad.u.net = &net;
5022 ad.u.net->netif = skb->skb_iif;
5023 ad.u.net->family = family;
5024 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5025 if (err)
5026 return err;
5027
5028 if (selinux_secmark_enabled()) {
5029 err = avc_has_perm(&selinux_state,
5030 sk_sid, skb->secmark, SECCLASS_PACKET,
5031 PACKET__RECV, &ad);
5032 if (err)
5033 return err;
5034 }
5035
5036 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5037 if (err)
5038 return err;
5039 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5040
5041 return err;
5042 }
5043
selinux_socket_sock_rcv_skb(struct sock * sk,struct sk_buff * skb)5044 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5045 {
5046 int err;
5047 struct sk_security_struct *sksec = sk->sk_security;
5048 u16 family = sk->sk_family;
5049 u32 sk_sid = sksec->sid;
5050 struct common_audit_data ad;
5051 struct lsm_network_audit net = {0,};
5052 char *addrp;
5053 u8 secmark_active;
5054 u8 peerlbl_active;
5055
5056 if (family != PF_INET && family != PF_INET6)
5057 return 0;
5058
5059 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5060 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5061 family = PF_INET;
5062
5063 /* If any sort of compatibility mode is enabled then handoff processing
5064 * to the selinux_sock_rcv_skb_compat() function to deal with the
5065 * special handling. We do this in an attempt to keep this function
5066 * as fast and as clean as possible. */
5067 if (!selinux_policycap_netpeer())
5068 return selinux_sock_rcv_skb_compat(sk, skb, family);
5069
5070 secmark_active = selinux_secmark_enabled();
5071 peerlbl_active = selinux_peerlbl_enabled();
5072 if (!secmark_active && !peerlbl_active)
5073 return 0;
5074
5075 ad.type = LSM_AUDIT_DATA_NET;
5076 ad.u.net = &net;
5077 ad.u.net->netif = skb->skb_iif;
5078 ad.u.net->family = family;
5079 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5080 if (err)
5081 return err;
5082
5083 if (peerlbl_active) {
5084 u32 peer_sid;
5085
5086 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5087 if (err)
5088 return err;
5089 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5090 addrp, family, peer_sid, &ad);
5091 if (err) {
5092 selinux_netlbl_err(skb, family, err, 0);
5093 return err;
5094 }
5095 err = avc_has_perm(&selinux_state,
5096 sk_sid, peer_sid, SECCLASS_PEER,
5097 PEER__RECV, &ad);
5098 if (err) {
5099 selinux_netlbl_err(skb, family, err, 0);
5100 return err;
5101 }
5102 }
5103
5104 if (secmark_active) {
5105 err = avc_has_perm(&selinux_state,
5106 sk_sid, skb->secmark, SECCLASS_PACKET,
5107 PACKET__RECV, &ad);
5108 if (err)
5109 return err;
5110 }
5111
5112 return err;
5113 }
5114
selinux_socket_getpeersec_stream(struct socket * sock,char __user * optval,int __user * optlen,unsigned len)5115 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5116 int __user *optlen, unsigned len)
5117 {
5118 int err = 0;
5119 char *scontext;
5120 u32 scontext_len;
5121 struct sk_security_struct *sksec = sock->sk->sk_security;
5122 u32 peer_sid = SECSID_NULL;
5123
5124 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5125 sksec->sclass == SECCLASS_TCP_SOCKET ||
5126 sksec->sclass == SECCLASS_SCTP_SOCKET)
5127 peer_sid = sksec->peer_sid;
5128 if (peer_sid == SECSID_NULL)
5129 return -ENOPROTOOPT;
5130
5131 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5132 &scontext_len);
5133 if (err)
5134 return err;
5135
5136 if (scontext_len > len) {
5137 err = -ERANGE;
5138 goto out_len;
5139 }
5140
5141 if (copy_to_user(optval, scontext, scontext_len))
5142 err = -EFAULT;
5143
5144 out_len:
5145 if (put_user(scontext_len, optlen))
5146 err = -EFAULT;
5147 kfree(scontext);
5148 return err;
5149 }
5150
selinux_socket_getpeersec_dgram(struct socket * sock,struct sk_buff * skb,u32 * secid)5151 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5152 {
5153 u32 peer_secid = SECSID_NULL;
5154 u16 family;
5155 struct inode_security_struct *isec;
5156
5157 if (skb && skb->protocol == htons(ETH_P_IP))
5158 family = PF_INET;
5159 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5160 family = PF_INET6;
5161 else if (sock)
5162 family = sock->sk->sk_family;
5163 else
5164 goto out;
5165
5166 if (sock && family == PF_UNIX) {
5167 isec = inode_security_novalidate(SOCK_INODE(sock));
5168 peer_secid = isec->sid;
5169 } else if (skb)
5170 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5171
5172 out:
5173 *secid = peer_secid;
5174 if (peer_secid == SECSID_NULL)
5175 return -EINVAL;
5176 return 0;
5177 }
5178
selinux_sk_alloc_security(struct sock * sk,int family,gfp_t priority)5179 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5180 {
5181 struct sk_security_struct *sksec;
5182
5183 sksec = kzalloc(sizeof(*sksec), priority);
5184 if (!sksec)
5185 return -ENOMEM;
5186
5187 sksec->peer_sid = SECINITSID_UNLABELED;
5188 sksec->sid = SECINITSID_UNLABELED;
5189 sksec->sclass = SECCLASS_SOCKET;
5190 selinux_netlbl_sk_security_reset(sksec);
5191 sk->sk_security = sksec;
5192
5193 return 0;
5194 }
5195
selinux_sk_free_security(struct sock * sk)5196 static void selinux_sk_free_security(struct sock *sk)
5197 {
5198 struct sk_security_struct *sksec = sk->sk_security;
5199
5200 sk->sk_security = NULL;
5201 selinux_netlbl_sk_security_free(sksec);
5202 kfree(sksec);
5203 }
5204
selinux_sk_clone_security(const struct sock * sk,struct sock * newsk)5205 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5206 {
5207 struct sk_security_struct *sksec = sk->sk_security;
5208 struct sk_security_struct *newsksec = newsk->sk_security;
5209
5210 newsksec->sid = sksec->sid;
5211 newsksec->peer_sid = sksec->peer_sid;
5212 newsksec->sclass = sksec->sclass;
5213
5214 selinux_netlbl_sk_security_reset(newsksec);
5215 }
5216
selinux_sk_getsecid(struct sock * sk,u32 * secid)5217 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5218 {
5219 if (!sk)
5220 *secid = SECINITSID_ANY_SOCKET;
5221 else {
5222 struct sk_security_struct *sksec = sk->sk_security;
5223
5224 *secid = sksec->sid;
5225 }
5226 }
5227
selinux_sock_graft(struct sock * sk,struct socket * parent)5228 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5229 {
5230 struct inode_security_struct *isec =
5231 inode_security_novalidate(SOCK_INODE(parent));
5232 struct sk_security_struct *sksec = sk->sk_security;
5233
5234 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5235 sk->sk_family == PF_UNIX)
5236 isec->sid = sksec->sid;
5237 sksec->sclass = isec->sclass;
5238 }
5239
5240 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5241 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5242 * already present).
5243 */
selinux_sctp_assoc_request(struct sctp_endpoint * ep,struct sk_buff * skb)5244 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5245 struct sk_buff *skb)
5246 {
5247 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5248 struct common_audit_data ad;
5249 struct lsm_network_audit net = {0,};
5250 u8 peerlbl_active;
5251 u32 peer_sid = SECINITSID_UNLABELED;
5252 u32 conn_sid;
5253 int err = 0;
5254
5255 if (!selinux_policycap_extsockclass())
5256 return 0;
5257
5258 peerlbl_active = selinux_peerlbl_enabled();
5259
5260 if (peerlbl_active) {
5261 /* This will return peer_sid = SECSID_NULL if there are
5262 * no peer labels, see security_net_peersid_resolve().
5263 */
5264 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5265 &peer_sid);
5266 if (err)
5267 return err;
5268
5269 if (peer_sid == SECSID_NULL)
5270 peer_sid = SECINITSID_UNLABELED;
5271 }
5272
5273 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5274 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5275
5276 /* Here as first association on socket. As the peer SID
5277 * was allowed by peer recv (and the netif/node checks),
5278 * then it is approved by policy and used as the primary
5279 * peer SID for getpeercon(3).
5280 */
5281 sksec->peer_sid = peer_sid;
5282 } else if (sksec->peer_sid != peer_sid) {
5283 /* Other association peer SIDs are checked to enforce
5284 * consistency among the peer SIDs.
5285 */
5286 ad.type = LSM_AUDIT_DATA_NET;
5287 ad.u.net = &net;
5288 ad.u.net->sk = ep->base.sk;
5289 err = avc_has_perm(&selinux_state,
5290 sksec->peer_sid, peer_sid, sksec->sclass,
5291 SCTP_SOCKET__ASSOCIATION, &ad);
5292 if (err)
5293 return err;
5294 }
5295
5296 /* Compute the MLS component for the connection and store
5297 * the information in ep. This will be used by SCTP TCP type
5298 * sockets and peeled off connections as they cause a new
5299 * socket to be generated. selinux_sctp_sk_clone() will then
5300 * plug this into the new socket.
5301 */
5302 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5303 if (err)
5304 return err;
5305
5306 ep->secid = conn_sid;
5307 ep->peer_secid = peer_sid;
5308
5309 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5310 return selinux_netlbl_sctp_assoc_request(ep, skb);
5311 }
5312
5313 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5314 * based on their @optname.
5315 */
selinux_sctp_bind_connect(struct sock * sk,int optname,struct sockaddr * address,int addrlen)5316 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5317 struct sockaddr *address,
5318 int addrlen)
5319 {
5320 int len, err = 0, walk_size = 0;
5321 void *addr_buf;
5322 struct sockaddr *addr;
5323 struct socket *sock;
5324
5325 if (!selinux_policycap_extsockclass())
5326 return 0;
5327
5328 /* Process one or more addresses that may be IPv4 or IPv6 */
5329 sock = sk->sk_socket;
5330 addr_buf = address;
5331
5332 while (walk_size < addrlen) {
5333 if (walk_size + sizeof(sa_family_t) > addrlen)
5334 return -EINVAL;
5335
5336 addr = addr_buf;
5337 switch (addr->sa_family) {
5338 case AF_UNSPEC:
5339 case AF_INET:
5340 len = sizeof(struct sockaddr_in);
5341 break;
5342 case AF_INET6:
5343 len = sizeof(struct sockaddr_in6);
5344 break;
5345 default:
5346 return -EINVAL;
5347 }
5348
5349 if (walk_size + len > addrlen)
5350 return -EINVAL;
5351
5352 err = -EINVAL;
5353 switch (optname) {
5354 /* Bind checks */
5355 case SCTP_PRIMARY_ADDR:
5356 case SCTP_SET_PEER_PRIMARY_ADDR:
5357 case SCTP_SOCKOPT_BINDX_ADD:
5358 err = selinux_socket_bind(sock, addr, len);
5359 break;
5360 /* Connect checks */
5361 case SCTP_SOCKOPT_CONNECTX:
5362 case SCTP_PARAM_SET_PRIMARY:
5363 case SCTP_PARAM_ADD_IP:
5364 case SCTP_SENDMSG_CONNECT:
5365 err = selinux_socket_connect_helper(sock, addr, len);
5366 if (err)
5367 return err;
5368
5369 /* As selinux_sctp_bind_connect() is called by the
5370 * SCTP protocol layer, the socket is already locked,
5371 * therefore selinux_netlbl_socket_connect_locked()
5372 * is called here. The situations handled are:
5373 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5374 * whenever a new IP address is added or when a new
5375 * primary address is selected.
5376 * Note that an SCTP connect(2) call happens before
5377 * the SCTP protocol layer and is handled via
5378 * selinux_socket_connect().
5379 */
5380 err = selinux_netlbl_socket_connect_locked(sk, addr);
5381 break;
5382 }
5383
5384 if (err)
5385 return err;
5386
5387 addr_buf += len;
5388 walk_size += len;
5389 }
5390
5391 return 0;
5392 }
5393
5394 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
selinux_sctp_sk_clone(struct sctp_endpoint * ep,struct sock * sk,struct sock * newsk)5395 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5396 struct sock *newsk)
5397 {
5398 struct sk_security_struct *sksec = sk->sk_security;
5399 struct sk_security_struct *newsksec = newsk->sk_security;
5400
5401 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5402 * the non-sctp clone version.
5403 */
5404 if (!selinux_policycap_extsockclass())
5405 return selinux_sk_clone_security(sk, newsk);
5406
5407 newsksec->sid = ep->secid;
5408 newsksec->peer_sid = ep->peer_secid;
5409 newsksec->sclass = sksec->sclass;
5410 selinux_netlbl_sctp_sk_clone(sk, newsk);
5411 }
5412
selinux_inet_conn_request(struct sock * sk,struct sk_buff * skb,struct request_sock * req)5413 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5414 struct request_sock *req)
5415 {
5416 struct sk_security_struct *sksec = sk->sk_security;
5417 int err;
5418 u16 family = req->rsk_ops->family;
5419 u32 connsid;
5420 u32 peersid;
5421
5422 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5423 if (err)
5424 return err;
5425 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5426 if (err)
5427 return err;
5428 req->secid = connsid;
5429 req->peer_secid = peersid;
5430
5431 return selinux_netlbl_inet_conn_request(req, family);
5432 }
5433
selinux_inet_csk_clone(struct sock * newsk,const struct request_sock * req)5434 static void selinux_inet_csk_clone(struct sock *newsk,
5435 const struct request_sock *req)
5436 {
5437 struct sk_security_struct *newsksec = newsk->sk_security;
5438
5439 newsksec->sid = req->secid;
5440 newsksec->peer_sid = req->peer_secid;
5441 /* NOTE: Ideally, we should also get the isec->sid for the
5442 new socket in sync, but we don't have the isec available yet.
5443 So we will wait until sock_graft to do it, by which
5444 time it will have been created and available. */
5445
5446 /* We don't need to take any sort of lock here as we are the only
5447 * thread with access to newsksec */
5448 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5449 }
5450
selinux_inet_conn_established(struct sock * sk,struct sk_buff * skb)5451 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5452 {
5453 u16 family = sk->sk_family;
5454 struct sk_security_struct *sksec = sk->sk_security;
5455
5456 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5457 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5458 family = PF_INET;
5459
5460 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5461 }
5462
selinux_secmark_relabel_packet(u32 sid)5463 static int selinux_secmark_relabel_packet(u32 sid)
5464 {
5465 const struct task_security_struct *__tsec;
5466 u32 tsid;
5467
5468 __tsec = selinux_cred(current_cred());
5469 tsid = __tsec->sid;
5470
5471 return avc_has_perm(&selinux_state,
5472 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5473 NULL);
5474 }
5475
selinux_secmark_refcount_inc(void)5476 static void selinux_secmark_refcount_inc(void)
5477 {
5478 atomic_inc(&selinux_secmark_refcount);
5479 }
5480
selinux_secmark_refcount_dec(void)5481 static void selinux_secmark_refcount_dec(void)
5482 {
5483 atomic_dec(&selinux_secmark_refcount);
5484 }
5485
selinux_req_classify_flow(const struct request_sock * req,struct flowi_common * flic)5486 static void selinux_req_classify_flow(const struct request_sock *req,
5487 struct flowi_common *flic)
5488 {
5489 flic->flowic_secid = req->secid;
5490 }
5491
selinux_tun_dev_alloc_security(void ** security)5492 static int selinux_tun_dev_alloc_security(void **security)
5493 {
5494 struct tun_security_struct *tunsec;
5495
5496 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5497 if (!tunsec)
5498 return -ENOMEM;
5499 tunsec->sid = current_sid();
5500
5501 *security = tunsec;
5502 return 0;
5503 }
5504
selinux_tun_dev_free_security(void * security)5505 static void selinux_tun_dev_free_security(void *security)
5506 {
5507 kfree(security);
5508 }
5509
selinux_tun_dev_create(void)5510 static int selinux_tun_dev_create(void)
5511 {
5512 u32 sid = current_sid();
5513
5514 /* we aren't taking into account the "sockcreate" SID since the socket
5515 * that is being created here is not a socket in the traditional sense,
5516 * instead it is a private sock, accessible only to the kernel, and
5517 * representing a wide range of network traffic spanning multiple
5518 * connections unlike traditional sockets - check the TUN driver to
5519 * get a better understanding of why this socket is special */
5520
5521 return avc_has_perm(&selinux_state,
5522 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5523 NULL);
5524 }
5525
selinux_tun_dev_attach_queue(void * security)5526 static int selinux_tun_dev_attach_queue(void *security)
5527 {
5528 struct tun_security_struct *tunsec = security;
5529
5530 return avc_has_perm(&selinux_state,
5531 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5532 TUN_SOCKET__ATTACH_QUEUE, NULL);
5533 }
5534
selinux_tun_dev_attach(struct sock * sk,void * security)5535 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5536 {
5537 struct tun_security_struct *tunsec = security;
5538 struct sk_security_struct *sksec = sk->sk_security;
5539
5540 /* we don't currently perform any NetLabel based labeling here and it
5541 * isn't clear that we would want to do so anyway; while we could apply
5542 * labeling without the support of the TUN user the resulting labeled
5543 * traffic from the other end of the connection would almost certainly
5544 * cause confusion to the TUN user that had no idea network labeling
5545 * protocols were being used */
5546
5547 sksec->sid = tunsec->sid;
5548 sksec->sclass = SECCLASS_TUN_SOCKET;
5549
5550 return 0;
5551 }
5552
selinux_tun_dev_open(void * security)5553 static int selinux_tun_dev_open(void *security)
5554 {
5555 struct tun_security_struct *tunsec = security;
5556 u32 sid = current_sid();
5557 int err;
5558
5559 err = avc_has_perm(&selinux_state,
5560 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5561 TUN_SOCKET__RELABELFROM, NULL);
5562 if (err)
5563 return err;
5564 err = avc_has_perm(&selinux_state,
5565 sid, sid, SECCLASS_TUN_SOCKET,
5566 TUN_SOCKET__RELABELTO, NULL);
5567 if (err)
5568 return err;
5569 tunsec->sid = sid;
5570
5571 return 0;
5572 }
5573
5574 #ifdef CONFIG_NETFILTER
5575
selinux_ip_forward(struct sk_buff * skb,const struct net_device * indev,u16 family)5576 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5577 const struct net_device *indev,
5578 u16 family)
5579 {
5580 int err;
5581 char *addrp;
5582 u32 peer_sid;
5583 struct common_audit_data ad;
5584 struct lsm_network_audit net = {0,};
5585 u8 secmark_active;
5586 u8 netlbl_active;
5587 u8 peerlbl_active;
5588
5589 if (!selinux_policycap_netpeer())
5590 return NF_ACCEPT;
5591
5592 secmark_active = selinux_secmark_enabled();
5593 netlbl_active = netlbl_enabled();
5594 peerlbl_active = selinux_peerlbl_enabled();
5595 if (!secmark_active && !peerlbl_active)
5596 return NF_ACCEPT;
5597
5598 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5599 return NF_DROP;
5600
5601 ad.type = LSM_AUDIT_DATA_NET;
5602 ad.u.net = &net;
5603 ad.u.net->netif = indev->ifindex;
5604 ad.u.net->family = family;
5605 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5606 return NF_DROP;
5607
5608 if (peerlbl_active) {
5609 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5610 addrp, family, peer_sid, &ad);
5611 if (err) {
5612 selinux_netlbl_err(skb, family, err, 1);
5613 return NF_DROP;
5614 }
5615 }
5616
5617 if (secmark_active)
5618 if (avc_has_perm(&selinux_state,
5619 peer_sid, skb->secmark,
5620 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5621 return NF_DROP;
5622
5623 if (netlbl_active)
5624 /* we do this in the FORWARD path and not the POST_ROUTING
5625 * path because we want to make sure we apply the necessary
5626 * labeling before IPsec is applied so we can leverage AH
5627 * protection */
5628 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5629 return NF_DROP;
5630
5631 return NF_ACCEPT;
5632 }
5633
selinux_ipv4_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5634 static unsigned int selinux_ipv4_forward(void *priv,
5635 struct sk_buff *skb,
5636 const struct nf_hook_state *state)
5637 {
5638 return selinux_ip_forward(skb, state->in, PF_INET);
5639 }
5640
5641 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5642 static unsigned int selinux_ipv6_forward(void *priv,
5643 struct sk_buff *skb,
5644 const struct nf_hook_state *state)
5645 {
5646 return selinux_ip_forward(skb, state->in, PF_INET6);
5647 }
5648 #endif /* IPV6 */
5649
selinux_ip_output(struct sk_buff * skb,u16 family)5650 static unsigned int selinux_ip_output(struct sk_buff *skb,
5651 u16 family)
5652 {
5653 struct sock *sk;
5654 u32 sid;
5655
5656 if (!netlbl_enabled())
5657 return NF_ACCEPT;
5658
5659 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5660 * because we want to make sure we apply the necessary labeling
5661 * before IPsec is applied so we can leverage AH protection */
5662 sk = skb->sk;
5663 if (sk) {
5664 struct sk_security_struct *sksec;
5665
5666 if (sk_listener(sk))
5667 /* if the socket is the listening state then this
5668 * packet is a SYN-ACK packet which means it needs to
5669 * be labeled based on the connection/request_sock and
5670 * not the parent socket. unfortunately, we can't
5671 * lookup the request_sock yet as it isn't queued on
5672 * the parent socket until after the SYN-ACK is sent.
5673 * the "solution" is to simply pass the packet as-is
5674 * as any IP option based labeling should be copied
5675 * from the initial connection request (in the IP
5676 * layer). it is far from ideal, but until we get a
5677 * security label in the packet itself this is the
5678 * best we can do. */
5679 return NF_ACCEPT;
5680
5681 /* standard practice, label using the parent socket */
5682 sksec = sk->sk_security;
5683 sid = sksec->sid;
5684 } else
5685 sid = SECINITSID_KERNEL;
5686 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5687 return NF_DROP;
5688
5689 return NF_ACCEPT;
5690 }
5691
selinux_ipv4_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5692 static unsigned int selinux_ipv4_output(void *priv,
5693 struct sk_buff *skb,
5694 const struct nf_hook_state *state)
5695 {
5696 return selinux_ip_output(skb, PF_INET);
5697 }
5698
5699 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5700 static unsigned int selinux_ipv6_output(void *priv,
5701 struct sk_buff *skb,
5702 const struct nf_hook_state *state)
5703 {
5704 return selinux_ip_output(skb, PF_INET6);
5705 }
5706 #endif /* IPV6 */
5707
selinux_ip_postroute_compat(struct sk_buff * skb,int ifindex,u16 family)5708 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5709 int ifindex,
5710 u16 family)
5711 {
5712 struct sock *sk = skb_to_full_sk(skb);
5713 struct sk_security_struct *sksec;
5714 struct common_audit_data ad;
5715 struct lsm_network_audit net = {0,};
5716 char *addrp;
5717 u8 proto = 0;
5718
5719 if (sk == NULL)
5720 return NF_ACCEPT;
5721 sksec = sk->sk_security;
5722
5723 ad.type = LSM_AUDIT_DATA_NET;
5724 ad.u.net = &net;
5725 ad.u.net->netif = ifindex;
5726 ad.u.net->family = family;
5727 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5728 return NF_DROP;
5729
5730 if (selinux_secmark_enabled())
5731 if (avc_has_perm(&selinux_state,
5732 sksec->sid, skb->secmark,
5733 SECCLASS_PACKET, PACKET__SEND, &ad))
5734 return NF_DROP_ERR(-ECONNREFUSED);
5735
5736 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5737 return NF_DROP_ERR(-ECONNREFUSED);
5738
5739 return NF_ACCEPT;
5740 }
5741
selinux_ip_postroute(struct sk_buff * skb,const struct net_device * outdev,u16 family)5742 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5743 const struct net_device *outdev,
5744 u16 family)
5745 {
5746 u32 secmark_perm;
5747 u32 peer_sid;
5748 int ifindex = outdev->ifindex;
5749 struct sock *sk;
5750 struct common_audit_data ad;
5751 struct lsm_network_audit net = {0,};
5752 char *addrp;
5753 u8 secmark_active;
5754 u8 peerlbl_active;
5755
5756 /* If any sort of compatibility mode is enabled then handoff processing
5757 * to the selinux_ip_postroute_compat() function to deal with the
5758 * special handling. We do this in an attempt to keep this function
5759 * as fast and as clean as possible. */
5760 if (!selinux_policycap_netpeer())
5761 return selinux_ip_postroute_compat(skb, ifindex, family);
5762
5763 secmark_active = selinux_secmark_enabled();
5764 peerlbl_active = selinux_peerlbl_enabled();
5765 if (!secmark_active && !peerlbl_active)
5766 return NF_ACCEPT;
5767
5768 sk = skb_to_full_sk(skb);
5769
5770 #ifdef CONFIG_XFRM
5771 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5772 * packet transformation so allow the packet to pass without any checks
5773 * since we'll have another chance to perform access control checks
5774 * when the packet is on it's final way out.
5775 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5776 * is NULL, in this case go ahead and apply access control.
5777 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5778 * TCP listening state we cannot wait until the XFRM processing
5779 * is done as we will miss out on the SA label if we do;
5780 * unfortunately, this means more work, but it is only once per
5781 * connection. */
5782 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5783 !(sk && sk_listener(sk)))
5784 return NF_ACCEPT;
5785 #endif
5786
5787 if (sk == NULL) {
5788 /* Without an associated socket the packet is either coming
5789 * from the kernel or it is being forwarded; check the packet
5790 * to determine which and if the packet is being forwarded
5791 * query the packet directly to determine the security label. */
5792 if (skb->skb_iif) {
5793 secmark_perm = PACKET__FORWARD_OUT;
5794 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5795 return NF_DROP;
5796 } else {
5797 secmark_perm = PACKET__SEND;
5798 peer_sid = SECINITSID_KERNEL;
5799 }
5800 } else if (sk_listener(sk)) {
5801 /* Locally generated packet but the associated socket is in the
5802 * listening state which means this is a SYN-ACK packet. In
5803 * this particular case the correct security label is assigned
5804 * to the connection/request_sock but unfortunately we can't
5805 * query the request_sock as it isn't queued on the parent
5806 * socket until after the SYN-ACK packet is sent; the only
5807 * viable choice is to regenerate the label like we do in
5808 * selinux_inet_conn_request(). See also selinux_ip_output()
5809 * for similar problems. */
5810 u32 skb_sid;
5811 struct sk_security_struct *sksec;
5812
5813 sksec = sk->sk_security;
5814 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5815 return NF_DROP;
5816 /* At this point, if the returned skb peerlbl is SECSID_NULL
5817 * and the packet has been through at least one XFRM
5818 * transformation then we must be dealing with the "final"
5819 * form of labeled IPsec packet; since we've already applied
5820 * all of our access controls on this packet we can safely
5821 * pass the packet. */
5822 if (skb_sid == SECSID_NULL) {
5823 switch (family) {
5824 case PF_INET:
5825 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5826 return NF_ACCEPT;
5827 break;
5828 case PF_INET6:
5829 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5830 return NF_ACCEPT;
5831 break;
5832 default:
5833 return NF_DROP_ERR(-ECONNREFUSED);
5834 }
5835 }
5836 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5837 return NF_DROP;
5838 secmark_perm = PACKET__SEND;
5839 } else {
5840 /* Locally generated packet, fetch the security label from the
5841 * associated socket. */
5842 struct sk_security_struct *sksec = sk->sk_security;
5843 peer_sid = sksec->sid;
5844 secmark_perm = PACKET__SEND;
5845 }
5846
5847 ad.type = LSM_AUDIT_DATA_NET;
5848 ad.u.net = &net;
5849 ad.u.net->netif = ifindex;
5850 ad.u.net->family = family;
5851 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5852 return NF_DROP;
5853
5854 if (secmark_active)
5855 if (avc_has_perm(&selinux_state,
5856 peer_sid, skb->secmark,
5857 SECCLASS_PACKET, secmark_perm, &ad))
5858 return NF_DROP_ERR(-ECONNREFUSED);
5859
5860 if (peerlbl_active) {
5861 u32 if_sid;
5862 u32 node_sid;
5863
5864 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5865 return NF_DROP;
5866 if (avc_has_perm(&selinux_state,
5867 peer_sid, if_sid,
5868 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5869 return NF_DROP_ERR(-ECONNREFUSED);
5870
5871 if (sel_netnode_sid(addrp, family, &node_sid))
5872 return NF_DROP;
5873 if (avc_has_perm(&selinux_state,
5874 peer_sid, node_sid,
5875 SECCLASS_NODE, NODE__SENDTO, &ad))
5876 return NF_DROP_ERR(-ECONNREFUSED);
5877 }
5878
5879 return NF_ACCEPT;
5880 }
5881
selinux_ipv4_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5882 static unsigned int selinux_ipv4_postroute(void *priv,
5883 struct sk_buff *skb,
5884 const struct nf_hook_state *state)
5885 {
5886 return selinux_ip_postroute(skb, state->out, PF_INET);
5887 }
5888
5889 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5890 static unsigned int selinux_ipv6_postroute(void *priv,
5891 struct sk_buff *skb,
5892 const struct nf_hook_state *state)
5893 {
5894 return selinux_ip_postroute(skb, state->out, PF_INET6);
5895 }
5896 #endif /* IPV6 */
5897
5898 #endif /* CONFIG_NETFILTER */
5899
selinux_netlink_send(struct sock * sk,struct sk_buff * skb)5900 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5901 {
5902 int rc = 0;
5903 unsigned int msg_len;
5904 unsigned int data_len = skb->len;
5905 unsigned char *data = skb->data;
5906 struct nlmsghdr *nlh;
5907 struct sk_security_struct *sksec = sk->sk_security;
5908 u16 sclass = sksec->sclass;
5909 u32 perm;
5910
5911 while (data_len >= nlmsg_total_size(0)) {
5912 nlh = (struct nlmsghdr *)data;
5913
5914 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5915 * users which means we can't reject skb's with bogus
5916 * length fields; our solution is to follow what
5917 * netlink_rcv_skb() does and simply skip processing at
5918 * messages with length fields that are clearly junk
5919 */
5920 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5921 return 0;
5922
5923 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5924 if (rc == 0) {
5925 rc = sock_has_perm(sk, perm);
5926 if (rc)
5927 return rc;
5928 } else if (rc == -EINVAL) {
5929 /* -EINVAL is a missing msg/perm mapping */
5930 pr_warn_ratelimited("SELinux: unrecognized netlink"
5931 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5932 " pid=%d comm=%s\n",
5933 sk->sk_protocol, nlh->nlmsg_type,
5934 secclass_map[sclass - 1].name,
5935 task_pid_nr(current), current->comm);
5936 if (enforcing_enabled(&selinux_state) &&
5937 !security_get_allow_unknown(&selinux_state))
5938 return rc;
5939 rc = 0;
5940 } else if (rc == -ENOENT) {
5941 /* -ENOENT is a missing socket/class mapping, ignore */
5942 rc = 0;
5943 } else {
5944 return rc;
5945 }
5946
5947 /* move to the next message after applying netlink padding */
5948 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5949 if (msg_len >= data_len)
5950 return 0;
5951 data_len -= msg_len;
5952 data += msg_len;
5953 }
5954
5955 return rc;
5956 }
5957
ipc_init_security(struct ipc_security_struct * isec,u16 sclass)5958 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5959 {
5960 isec->sclass = sclass;
5961 isec->sid = current_sid();
5962 }
5963
ipc_has_perm(struct kern_ipc_perm * ipc_perms,u32 perms)5964 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5965 u32 perms)
5966 {
5967 struct ipc_security_struct *isec;
5968 struct common_audit_data ad;
5969 u32 sid = current_sid();
5970
5971 isec = selinux_ipc(ipc_perms);
5972
5973 ad.type = LSM_AUDIT_DATA_IPC;
5974 ad.u.ipc_id = ipc_perms->key;
5975
5976 return avc_has_perm(&selinux_state,
5977 sid, isec->sid, isec->sclass, perms, &ad);
5978 }
5979
selinux_msg_msg_alloc_security(struct msg_msg * msg)5980 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5981 {
5982 struct msg_security_struct *msec;
5983
5984 msec = selinux_msg_msg(msg);
5985 msec->sid = SECINITSID_UNLABELED;
5986
5987 return 0;
5988 }
5989
5990 /* message queue security operations */
selinux_msg_queue_alloc_security(struct kern_ipc_perm * msq)5991 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5992 {
5993 struct ipc_security_struct *isec;
5994 struct common_audit_data ad;
5995 u32 sid = current_sid();
5996 int rc;
5997
5998 isec = selinux_ipc(msq);
5999 ipc_init_security(isec, SECCLASS_MSGQ);
6000
6001 ad.type = LSM_AUDIT_DATA_IPC;
6002 ad.u.ipc_id = msq->key;
6003
6004 rc = avc_has_perm(&selinux_state,
6005 sid, isec->sid, SECCLASS_MSGQ,
6006 MSGQ__CREATE, &ad);
6007 return rc;
6008 }
6009
selinux_msg_queue_associate(struct kern_ipc_perm * msq,int msqflg)6010 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6011 {
6012 struct ipc_security_struct *isec;
6013 struct common_audit_data ad;
6014 u32 sid = current_sid();
6015
6016 isec = selinux_ipc(msq);
6017
6018 ad.type = LSM_AUDIT_DATA_IPC;
6019 ad.u.ipc_id = msq->key;
6020
6021 return avc_has_perm(&selinux_state,
6022 sid, isec->sid, SECCLASS_MSGQ,
6023 MSGQ__ASSOCIATE, &ad);
6024 }
6025
selinux_msg_queue_msgctl(struct kern_ipc_perm * msq,int cmd)6026 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6027 {
6028 int err;
6029 int perms;
6030
6031 switch (cmd) {
6032 case IPC_INFO:
6033 case MSG_INFO:
6034 /* No specific object, just general system-wide information. */
6035 return avc_has_perm(&selinux_state,
6036 current_sid(), SECINITSID_KERNEL,
6037 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6038 case IPC_STAT:
6039 case MSG_STAT:
6040 case MSG_STAT_ANY:
6041 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6042 break;
6043 case IPC_SET:
6044 perms = MSGQ__SETATTR;
6045 break;
6046 case IPC_RMID:
6047 perms = MSGQ__DESTROY;
6048 break;
6049 default:
6050 return 0;
6051 }
6052
6053 err = ipc_has_perm(msq, perms);
6054 return err;
6055 }
6056
selinux_msg_queue_msgsnd(struct kern_ipc_perm * msq,struct msg_msg * msg,int msqflg)6057 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6058 {
6059 struct ipc_security_struct *isec;
6060 struct msg_security_struct *msec;
6061 struct common_audit_data ad;
6062 u32 sid = current_sid();
6063 int rc;
6064
6065 isec = selinux_ipc(msq);
6066 msec = selinux_msg_msg(msg);
6067
6068 /*
6069 * First time through, need to assign label to the message
6070 */
6071 if (msec->sid == SECINITSID_UNLABELED) {
6072 /*
6073 * Compute new sid based on current process and
6074 * message queue this message will be stored in
6075 */
6076 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6077 SECCLASS_MSG, NULL, &msec->sid);
6078 if (rc)
6079 return rc;
6080 }
6081
6082 ad.type = LSM_AUDIT_DATA_IPC;
6083 ad.u.ipc_id = msq->key;
6084
6085 /* Can this process write to the queue? */
6086 rc = avc_has_perm(&selinux_state,
6087 sid, isec->sid, SECCLASS_MSGQ,
6088 MSGQ__WRITE, &ad);
6089 if (!rc)
6090 /* Can this process send the message */
6091 rc = avc_has_perm(&selinux_state,
6092 sid, msec->sid, SECCLASS_MSG,
6093 MSG__SEND, &ad);
6094 if (!rc)
6095 /* Can the message be put in the queue? */
6096 rc = avc_has_perm(&selinux_state,
6097 msec->sid, isec->sid, SECCLASS_MSGQ,
6098 MSGQ__ENQUEUE, &ad);
6099
6100 return rc;
6101 }
6102
selinux_msg_queue_msgrcv(struct kern_ipc_perm * msq,struct msg_msg * msg,struct task_struct * target,long type,int mode)6103 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6104 struct task_struct *target,
6105 long type, int mode)
6106 {
6107 struct ipc_security_struct *isec;
6108 struct msg_security_struct *msec;
6109 struct common_audit_data ad;
6110 u32 sid = task_sid(target);
6111 int rc;
6112
6113 isec = selinux_ipc(msq);
6114 msec = selinux_msg_msg(msg);
6115
6116 ad.type = LSM_AUDIT_DATA_IPC;
6117 ad.u.ipc_id = msq->key;
6118
6119 rc = avc_has_perm(&selinux_state,
6120 sid, isec->sid,
6121 SECCLASS_MSGQ, MSGQ__READ, &ad);
6122 if (!rc)
6123 rc = avc_has_perm(&selinux_state,
6124 sid, msec->sid,
6125 SECCLASS_MSG, MSG__RECEIVE, &ad);
6126 return rc;
6127 }
6128
6129 /* Shared Memory security operations */
selinux_shm_alloc_security(struct kern_ipc_perm * shp)6130 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6131 {
6132 struct ipc_security_struct *isec;
6133 struct common_audit_data ad;
6134 u32 sid = current_sid();
6135 int rc;
6136
6137 isec = selinux_ipc(shp);
6138 ipc_init_security(isec, SECCLASS_SHM);
6139
6140 ad.type = LSM_AUDIT_DATA_IPC;
6141 ad.u.ipc_id = shp->key;
6142
6143 rc = avc_has_perm(&selinux_state,
6144 sid, isec->sid, SECCLASS_SHM,
6145 SHM__CREATE, &ad);
6146 return rc;
6147 }
6148
selinux_shm_associate(struct kern_ipc_perm * shp,int shmflg)6149 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6150 {
6151 struct ipc_security_struct *isec;
6152 struct common_audit_data ad;
6153 u32 sid = current_sid();
6154
6155 isec = selinux_ipc(shp);
6156
6157 ad.type = LSM_AUDIT_DATA_IPC;
6158 ad.u.ipc_id = shp->key;
6159
6160 return avc_has_perm(&selinux_state,
6161 sid, isec->sid, SECCLASS_SHM,
6162 SHM__ASSOCIATE, &ad);
6163 }
6164
6165 /* Note, at this point, shp is locked down */
selinux_shm_shmctl(struct kern_ipc_perm * shp,int cmd)6166 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6167 {
6168 int perms;
6169 int err;
6170
6171 switch (cmd) {
6172 case IPC_INFO:
6173 case SHM_INFO:
6174 /* No specific object, just general system-wide information. */
6175 return avc_has_perm(&selinux_state,
6176 current_sid(), SECINITSID_KERNEL,
6177 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6178 case IPC_STAT:
6179 case SHM_STAT:
6180 case SHM_STAT_ANY:
6181 perms = SHM__GETATTR | SHM__ASSOCIATE;
6182 break;
6183 case IPC_SET:
6184 perms = SHM__SETATTR;
6185 break;
6186 case SHM_LOCK:
6187 case SHM_UNLOCK:
6188 perms = SHM__LOCK;
6189 break;
6190 case IPC_RMID:
6191 perms = SHM__DESTROY;
6192 break;
6193 default:
6194 return 0;
6195 }
6196
6197 err = ipc_has_perm(shp, perms);
6198 return err;
6199 }
6200
selinux_shm_shmat(struct kern_ipc_perm * shp,char __user * shmaddr,int shmflg)6201 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6202 char __user *shmaddr, int shmflg)
6203 {
6204 u32 perms;
6205
6206 if (shmflg & SHM_RDONLY)
6207 perms = SHM__READ;
6208 else
6209 perms = SHM__READ | SHM__WRITE;
6210
6211 return ipc_has_perm(shp, perms);
6212 }
6213
6214 /* Semaphore security operations */
selinux_sem_alloc_security(struct kern_ipc_perm * sma)6215 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6216 {
6217 struct ipc_security_struct *isec;
6218 struct common_audit_data ad;
6219 u32 sid = current_sid();
6220 int rc;
6221
6222 isec = selinux_ipc(sma);
6223 ipc_init_security(isec, SECCLASS_SEM);
6224
6225 ad.type = LSM_AUDIT_DATA_IPC;
6226 ad.u.ipc_id = sma->key;
6227
6228 rc = avc_has_perm(&selinux_state,
6229 sid, isec->sid, SECCLASS_SEM,
6230 SEM__CREATE, &ad);
6231 return rc;
6232 }
6233
selinux_sem_associate(struct kern_ipc_perm * sma,int semflg)6234 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6235 {
6236 struct ipc_security_struct *isec;
6237 struct common_audit_data ad;
6238 u32 sid = current_sid();
6239
6240 isec = selinux_ipc(sma);
6241
6242 ad.type = LSM_AUDIT_DATA_IPC;
6243 ad.u.ipc_id = sma->key;
6244
6245 return avc_has_perm(&selinux_state,
6246 sid, isec->sid, SECCLASS_SEM,
6247 SEM__ASSOCIATE, &ad);
6248 }
6249
6250 /* Note, at this point, sma is locked down */
selinux_sem_semctl(struct kern_ipc_perm * sma,int cmd)6251 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6252 {
6253 int err;
6254 u32 perms;
6255
6256 switch (cmd) {
6257 case IPC_INFO:
6258 case SEM_INFO:
6259 /* No specific object, just general system-wide information. */
6260 return avc_has_perm(&selinux_state,
6261 current_sid(), SECINITSID_KERNEL,
6262 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6263 case GETPID:
6264 case GETNCNT:
6265 case GETZCNT:
6266 perms = SEM__GETATTR;
6267 break;
6268 case GETVAL:
6269 case GETALL:
6270 perms = SEM__READ;
6271 break;
6272 case SETVAL:
6273 case SETALL:
6274 perms = SEM__WRITE;
6275 break;
6276 case IPC_RMID:
6277 perms = SEM__DESTROY;
6278 break;
6279 case IPC_SET:
6280 perms = SEM__SETATTR;
6281 break;
6282 case IPC_STAT:
6283 case SEM_STAT:
6284 case SEM_STAT_ANY:
6285 perms = SEM__GETATTR | SEM__ASSOCIATE;
6286 break;
6287 default:
6288 return 0;
6289 }
6290
6291 err = ipc_has_perm(sma, perms);
6292 return err;
6293 }
6294
selinux_sem_semop(struct kern_ipc_perm * sma,struct sembuf * sops,unsigned nsops,int alter)6295 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6296 struct sembuf *sops, unsigned nsops, int alter)
6297 {
6298 u32 perms;
6299
6300 if (alter)
6301 perms = SEM__READ | SEM__WRITE;
6302 else
6303 perms = SEM__READ;
6304
6305 return ipc_has_perm(sma, perms);
6306 }
6307
selinux_ipc_permission(struct kern_ipc_perm * ipcp,short flag)6308 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6309 {
6310 u32 av = 0;
6311
6312 av = 0;
6313 if (flag & S_IRUGO)
6314 av |= IPC__UNIX_READ;
6315 if (flag & S_IWUGO)
6316 av |= IPC__UNIX_WRITE;
6317
6318 if (av == 0)
6319 return 0;
6320
6321 return ipc_has_perm(ipcp, av);
6322 }
6323
selinux_ipc_getsecid(struct kern_ipc_perm * ipcp,u32 * secid)6324 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6325 {
6326 struct ipc_security_struct *isec = selinux_ipc(ipcp);
6327 *secid = isec->sid;
6328 }
6329
selinux_d_instantiate(struct dentry * dentry,struct inode * inode)6330 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6331 {
6332 if (inode)
6333 inode_doinit_with_dentry(inode, dentry);
6334 }
6335
selinux_getprocattr(struct task_struct * p,char * name,char ** value)6336 static int selinux_getprocattr(struct task_struct *p,
6337 char *name, char **value)
6338 {
6339 const struct task_security_struct *__tsec;
6340 u32 sid;
6341 int error;
6342 unsigned len;
6343
6344 rcu_read_lock();
6345 __tsec = selinux_cred(__task_cred(p));
6346
6347 if (current != p) {
6348 error = avc_has_perm(&selinux_state,
6349 current_sid(), __tsec->sid,
6350 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6351 if (error)
6352 goto bad;
6353 }
6354
6355 if (!strcmp(name, "current"))
6356 sid = __tsec->sid;
6357 else if (!strcmp(name, "prev"))
6358 sid = __tsec->osid;
6359 else if (!strcmp(name, "exec"))
6360 sid = __tsec->exec_sid;
6361 else if (!strcmp(name, "fscreate"))
6362 sid = __tsec->create_sid;
6363 else if (!strcmp(name, "keycreate"))
6364 sid = __tsec->keycreate_sid;
6365 else if (!strcmp(name, "sockcreate"))
6366 sid = __tsec->sockcreate_sid;
6367 else {
6368 error = -EINVAL;
6369 goto bad;
6370 }
6371 rcu_read_unlock();
6372
6373 if (!sid)
6374 return 0;
6375
6376 error = security_sid_to_context(&selinux_state, sid, value, &len);
6377 if (error)
6378 return error;
6379 return len;
6380
6381 bad:
6382 rcu_read_unlock();
6383 return error;
6384 }
6385
selinux_setprocattr(const char * name,void * value,size_t size)6386 static int selinux_setprocattr(const char *name, void *value, size_t size)
6387 {
6388 struct task_security_struct *tsec;
6389 struct cred *new;
6390 u32 mysid = current_sid(), sid = 0, ptsid;
6391 int error;
6392 char *str = value;
6393
6394 /*
6395 * Basic control over ability to set these attributes at all.
6396 */
6397 if (!strcmp(name, "exec"))
6398 error = avc_has_perm(&selinux_state,
6399 mysid, mysid, SECCLASS_PROCESS,
6400 PROCESS__SETEXEC, NULL);
6401 else if (!strcmp(name, "fscreate"))
6402 error = avc_has_perm(&selinux_state,
6403 mysid, mysid, SECCLASS_PROCESS,
6404 PROCESS__SETFSCREATE, NULL);
6405 else if (!strcmp(name, "keycreate"))
6406 error = avc_has_perm(&selinux_state,
6407 mysid, mysid, SECCLASS_PROCESS,
6408 PROCESS__SETKEYCREATE, NULL);
6409 else if (!strcmp(name, "sockcreate"))
6410 error = avc_has_perm(&selinux_state,
6411 mysid, mysid, SECCLASS_PROCESS,
6412 PROCESS__SETSOCKCREATE, NULL);
6413 else if (!strcmp(name, "current"))
6414 error = avc_has_perm(&selinux_state,
6415 mysid, mysid, SECCLASS_PROCESS,
6416 PROCESS__SETCURRENT, NULL);
6417 else
6418 error = -EINVAL;
6419 if (error)
6420 return error;
6421
6422 /* Obtain a SID for the context, if one was specified. */
6423 if (size && str[0] && str[0] != '\n') {
6424 if (str[size-1] == '\n') {
6425 str[size-1] = 0;
6426 size--;
6427 }
6428 error = security_context_to_sid(&selinux_state, value, size,
6429 &sid, GFP_KERNEL);
6430 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6431 if (!has_cap_mac_admin(true)) {
6432 struct audit_buffer *ab;
6433 size_t audit_size;
6434
6435 /* We strip a nul only if it is at the end, otherwise the
6436 * context contains a nul and we should audit that */
6437 if (str[size - 1] == '\0')
6438 audit_size = size - 1;
6439 else
6440 audit_size = size;
6441 ab = audit_log_start(audit_context(),
6442 GFP_ATOMIC,
6443 AUDIT_SELINUX_ERR);
6444 audit_log_format(ab, "op=fscreate invalid_context=");
6445 audit_log_n_untrustedstring(ab, value, audit_size);
6446 audit_log_end(ab);
6447
6448 return error;
6449 }
6450 error = security_context_to_sid_force(
6451 &selinux_state,
6452 value, size, &sid);
6453 }
6454 if (error)
6455 return error;
6456 }
6457
6458 new = prepare_creds();
6459 if (!new)
6460 return -ENOMEM;
6461
6462 /* Permission checking based on the specified context is
6463 performed during the actual operation (execve,
6464 open/mkdir/...), when we know the full context of the
6465 operation. See selinux_bprm_creds_for_exec for the execve
6466 checks and may_create for the file creation checks. The
6467 operation will then fail if the context is not permitted. */
6468 tsec = selinux_cred(new);
6469 if (!strcmp(name, "exec")) {
6470 tsec->exec_sid = sid;
6471 } else if (!strcmp(name, "fscreate")) {
6472 tsec->create_sid = sid;
6473 } else if (!strcmp(name, "keycreate")) {
6474 if (sid) {
6475 error = avc_has_perm(&selinux_state, mysid, sid,
6476 SECCLASS_KEY, KEY__CREATE, NULL);
6477 if (error)
6478 goto abort_change;
6479 }
6480 tsec->keycreate_sid = sid;
6481 } else if (!strcmp(name, "sockcreate")) {
6482 tsec->sockcreate_sid = sid;
6483 } else if (!strcmp(name, "current")) {
6484 error = -EINVAL;
6485 if (sid == 0)
6486 goto abort_change;
6487
6488 /* Only allow single threaded processes to change context */
6489 error = -EPERM;
6490 if (!current_is_single_threaded()) {
6491 error = security_bounded_transition(&selinux_state,
6492 tsec->sid, sid);
6493 if (error)
6494 goto abort_change;
6495 }
6496
6497 /* Check permissions for the transition. */
6498 error = avc_has_perm(&selinux_state,
6499 tsec->sid, sid, SECCLASS_PROCESS,
6500 PROCESS__DYNTRANSITION, NULL);
6501 if (error)
6502 goto abort_change;
6503
6504 /* Check for ptracing, and update the task SID if ok.
6505 Otherwise, leave SID unchanged and fail. */
6506 ptsid = ptrace_parent_sid();
6507 if (ptsid != 0) {
6508 error = avc_has_perm(&selinux_state,
6509 ptsid, sid, SECCLASS_PROCESS,
6510 PROCESS__PTRACE, NULL);
6511 if (error)
6512 goto abort_change;
6513 }
6514
6515 tsec->sid = sid;
6516 } else {
6517 error = -EINVAL;
6518 goto abort_change;
6519 }
6520
6521 commit_creds(new);
6522 CALL_HCK_LITE_HOOK(ced_setattr_insert_lhck, current);
6523 return size;
6524
6525 abort_change:
6526 abort_creds(new);
6527 return error;
6528 }
6529
selinux_ismaclabel(const char * name)6530 static int selinux_ismaclabel(const char *name)
6531 {
6532 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6533 }
6534
selinux_secid_to_secctx(u32 secid,char ** secdata,u32 * seclen)6535 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6536 {
6537 return security_sid_to_context(&selinux_state, secid,
6538 secdata, seclen);
6539 }
6540
selinux_secctx_to_secid(const char * secdata,u32 seclen,u32 * secid)6541 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6542 {
6543 return security_context_to_sid(&selinux_state, secdata, seclen,
6544 secid, GFP_KERNEL);
6545 }
6546
selinux_release_secctx(char * secdata,u32 seclen)6547 static void selinux_release_secctx(char *secdata, u32 seclen)
6548 {
6549 kfree(secdata);
6550 }
6551
selinux_inode_invalidate_secctx(struct inode * inode)6552 static void selinux_inode_invalidate_secctx(struct inode *inode)
6553 {
6554 struct inode_security_struct *isec = selinux_inode(inode);
6555
6556 spin_lock(&isec->lock);
6557 isec->initialized = LABEL_INVALID;
6558 spin_unlock(&isec->lock);
6559 }
6560
6561 /*
6562 * called with inode->i_mutex locked
6563 */
selinux_inode_notifysecctx(struct inode * inode,void * ctx,u32 ctxlen)6564 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6565 {
6566 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6567 ctx, ctxlen, 0);
6568 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6569 return rc == -EOPNOTSUPP ? 0 : rc;
6570 }
6571
6572 /*
6573 * called with inode->i_mutex locked
6574 */
selinux_inode_setsecctx(struct dentry * dentry,void * ctx,u32 ctxlen)6575 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6576 {
6577 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6578 }
6579
selinux_inode_getsecctx(struct inode * inode,void ** ctx,u32 * ctxlen)6580 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6581 {
6582 int len = 0;
6583 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6584 ctx, true);
6585 if (len < 0)
6586 return len;
6587 *ctxlen = len;
6588 return 0;
6589 }
6590 #ifdef CONFIG_KEYS
6591
selinux_key_alloc(struct key * k,const struct cred * cred,unsigned long flags)6592 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6593 unsigned long flags)
6594 {
6595 const struct task_security_struct *tsec;
6596 struct key_security_struct *ksec;
6597
6598 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6599 if (!ksec)
6600 return -ENOMEM;
6601
6602 tsec = selinux_cred(cred);
6603 if (tsec->keycreate_sid)
6604 ksec->sid = tsec->keycreate_sid;
6605 else
6606 ksec->sid = tsec->sid;
6607
6608 k->security = ksec;
6609 return 0;
6610 }
6611
selinux_key_free(struct key * k)6612 static void selinux_key_free(struct key *k)
6613 {
6614 struct key_security_struct *ksec = k->security;
6615
6616 k->security = NULL;
6617 kfree(ksec);
6618 }
6619
selinux_key_permission(key_ref_t key_ref,const struct cred * cred,enum key_need_perm need_perm)6620 static int selinux_key_permission(key_ref_t key_ref,
6621 const struct cred *cred,
6622 enum key_need_perm need_perm)
6623 {
6624 struct key *key;
6625 struct key_security_struct *ksec;
6626 u32 perm, sid;
6627
6628 switch (need_perm) {
6629 case KEY_NEED_VIEW:
6630 perm = KEY__VIEW;
6631 break;
6632 case KEY_NEED_READ:
6633 perm = KEY__READ;
6634 break;
6635 case KEY_NEED_WRITE:
6636 perm = KEY__WRITE;
6637 break;
6638 case KEY_NEED_SEARCH:
6639 perm = KEY__SEARCH;
6640 break;
6641 case KEY_NEED_LINK:
6642 perm = KEY__LINK;
6643 break;
6644 case KEY_NEED_SETATTR:
6645 perm = KEY__SETATTR;
6646 break;
6647 case KEY_NEED_UNLINK:
6648 case KEY_SYSADMIN_OVERRIDE:
6649 case KEY_AUTHTOKEN_OVERRIDE:
6650 case KEY_DEFER_PERM_CHECK:
6651 return 0;
6652 default:
6653 WARN_ON(1);
6654 return -EPERM;
6655
6656 }
6657
6658 sid = cred_sid(cred);
6659 key = key_ref_to_ptr(key_ref);
6660 ksec = key->security;
6661
6662 return avc_has_perm(&selinux_state,
6663 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6664 }
6665
selinux_key_getsecurity(struct key * key,char ** _buffer)6666 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6667 {
6668 struct key_security_struct *ksec = key->security;
6669 char *context = NULL;
6670 unsigned len;
6671 int rc;
6672
6673 rc = security_sid_to_context(&selinux_state, ksec->sid,
6674 &context, &len);
6675 if (!rc)
6676 rc = len;
6677 *_buffer = context;
6678 return rc;
6679 }
6680
6681 #ifdef CONFIG_KEY_NOTIFICATIONS
selinux_watch_key(struct key * key)6682 static int selinux_watch_key(struct key *key)
6683 {
6684 struct key_security_struct *ksec = key->security;
6685 u32 sid = current_sid();
6686
6687 return avc_has_perm(&selinux_state,
6688 sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6689 }
6690 #endif
6691 #endif
6692
6693 #ifdef CONFIG_SECURITY_INFINIBAND
selinux_ib_pkey_access(void * ib_sec,u64 subnet_prefix,u16 pkey_val)6694 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6695 {
6696 struct common_audit_data ad;
6697 int err;
6698 u32 sid = 0;
6699 struct ib_security_struct *sec = ib_sec;
6700 struct lsm_ibpkey_audit ibpkey;
6701
6702 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6703 if (err)
6704 return err;
6705
6706 ad.type = LSM_AUDIT_DATA_IBPKEY;
6707 ibpkey.subnet_prefix = subnet_prefix;
6708 ibpkey.pkey = pkey_val;
6709 ad.u.ibpkey = &ibpkey;
6710 return avc_has_perm(&selinux_state,
6711 sec->sid, sid,
6712 SECCLASS_INFINIBAND_PKEY,
6713 INFINIBAND_PKEY__ACCESS, &ad);
6714 }
6715
selinux_ib_endport_manage_subnet(void * ib_sec,const char * dev_name,u8 port_num)6716 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6717 u8 port_num)
6718 {
6719 struct common_audit_data ad;
6720 int err;
6721 u32 sid = 0;
6722 struct ib_security_struct *sec = ib_sec;
6723 struct lsm_ibendport_audit ibendport;
6724
6725 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6726 &sid);
6727
6728 if (err)
6729 return err;
6730
6731 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6732 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6733 ibendport.port = port_num;
6734 ad.u.ibendport = &ibendport;
6735 return avc_has_perm(&selinux_state,
6736 sec->sid, sid,
6737 SECCLASS_INFINIBAND_ENDPORT,
6738 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6739 }
6740
selinux_ib_alloc_security(void ** ib_sec)6741 static int selinux_ib_alloc_security(void **ib_sec)
6742 {
6743 struct ib_security_struct *sec;
6744
6745 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6746 if (!sec)
6747 return -ENOMEM;
6748 sec->sid = current_sid();
6749
6750 *ib_sec = sec;
6751 return 0;
6752 }
6753
selinux_ib_free_security(void * ib_sec)6754 static void selinux_ib_free_security(void *ib_sec)
6755 {
6756 kfree(ib_sec);
6757 }
6758 #endif
6759
6760 #ifdef CONFIG_BPF_SYSCALL
selinux_bpf(int cmd,union bpf_attr * attr,unsigned int size)6761 static int selinux_bpf(int cmd, union bpf_attr *attr,
6762 unsigned int size)
6763 {
6764 u32 sid = current_sid();
6765 int ret;
6766
6767 switch (cmd) {
6768 case BPF_MAP_CREATE:
6769 ret = avc_has_perm(&selinux_state,
6770 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6771 NULL);
6772 break;
6773 case BPF_PROG_LOAD:
6774 ret = avc_has_perm(&selinux_state,
6775 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6776 NULL);
6777 break;
6778 default:
6779 ret = 0;
6780 break;
6781 }
6782
6783 return ret;
6784 }
6785
bpf_map_fmode_to_av(fmode_t fmode)6786 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6787 {
6788 u32 av = 0;
6789
6790 if (fmode & FMODE_READ)
6791 av |= BPF__MAP_READ;
6792 if (fmode & FMODE_WRITE)
6793 av |= BPF__MAP_WRITE;
6794 return av;
6795 }
6796
6797 /* This function will check the file pass through unix socket or binder to see
6798 * if it is a bpf related object. And apply correspinding checks on the bpf
6799 * object based on the type. The bpf maps and programs, not like other files and
6800 * socket, are using a shared anonymous inode inside the kernel as their inode.
6801 * So checking that inode cannot identify if the process have privilege to
6802 * access the bpf object and that's why we have to add this additional check in
6803 * selinux_file_receive and selinux_binder_transfer_files.
6804 */
bpf_fd_pass(struct file * file,u32 sid)6805 static int bpf_fd_pass(struct file *file, u32 sid)
6806 {
6807 struct bpf_security_struct *bpfsec;
6808 struct bpf_prog *prog;
6809 struct bpf_map *map;
6810 int ret;
6811
6812 if (file->f_op == &bpf_map_fops) {
6813 map = file->private_data;
6814 bpfsec = map->security;
6815 ret = avc_has_perm(&selinux_state,
6816 sid, bpfsec->sid, SECCLASS_BPF,
6817 bpf_map_fmode_to_av(file->f_mode), NULL);
6818 if (ret)
6819 return ret;
6820 } else if (file->f_op == &bpf_prog_fops) {
6821 prog = file->private_data;
6822 bpfsec = prog->aux->security;
6823 ret = avc_has_perm(&selinux_state,
6824 sid, bpfsec->sid, SECCLASS_BPF,
6825 BPF__PROG_RUN, NULL);
6826 if (ret)
6827 return ret;
6828 }
6829 return 0;
6830 }
6831
selinux_bpf_map(struct bpf_map * map,fmode_t fmode)6832 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6833 {
6834 u32 sid = current_sid();
6835 struct bpf_security_struct *bpfsec;
6836
6837 bpfsec = map->security;
6838 return avc_has_perm(&selinux_state,
6839 sid, bpfsec->sid, SECCLASS_BPF,
6840 bpf_map_fmode_to_av(fmode), NULL);
6841 }
6842
selinux_bpf_prog(struct bpf_prog * prog)6843 static int selinux_bpf_prog(struct bpf_prog *prog)
6844 {
6845 u32 sid = current_sid();
6846 struct bpf_security_struct *bpfsec;
6847
6848 bpfsec = prog->aux->security;
6849 return avc_has_perm(&selinux_state,
6850 sid, bpfsec->sid, SECCLASS_BPF,
6851 BPF__PROG_RUN, NULL);
6852 }
6853
selinux_bpf_map_alloc(struct bpf_map * map)6854 static int selinux_bpf_map_alloc(struct bpf_map *map)
6855 {
6856 struct bpf_security_struct *bpfsec;
6857
6858 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6859 if (!bpfsec)
6860 return -ENOMEM;
6861
6862 bpfsec->sid = current_sid();
6863 map->security = bpfsec;
6864
6865 return 0;
6866 }
6867
selinux_bpf_map_free(struct bpf_map * map)6868 static void selinux_bpf_map_free(struct bpf_map *map)
6869 {
6870 struct bpf_security_struct *bpfsec = map->security;
6871
6872 map->security = NULL;
6873 kfree(bpfsec);
6874 }
6875
selinux_bpf_prog_alloc(struct bpf_prog_aux * aux)6876 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6877 {
6878 struct bpf_security_struct *bpfsec;
6879
6880 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6881 if (!bpfsec)
6882 return -ENOMEM;
6883
6884 bpfsec->sid = current_sid();
6885 aux->security = bpfsec;
6886
6887 return 0;
6888 }
6889
selinux_bpf_prog_free(struct bpf_prog_aux * aux)6890 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6891 {
6892 struct bpf_security_struct *bpfsec = aux->security;
6893
6894 aux->security = NULL;
6895 kfree(bpfsec);
6896 }
6897 #endif
6898
selinux_lockdown(enum lockdown_reason what)6899 static int selinux_lockdown(enum lockdown_reason what)
6900 {
6901 struct common_audit_data ad;
6902 u32 sid = current_sid();
6903 int invalid_reason = (what <= LOCKDOWN_NONE) ||
6904 (what == LOCKDOWN_INTEGRITY_MAX) ||
6905 (what >= LOCKDOWN_CONFIDENTIALITY_MAX);
6906
6907 if (WARN(invalid_reason, "Invalid lockdown reason")) {
6908 audit_log(audit_context(),
6909 GFP_ATOMIC, AUDIT_SELINUX_ERR,
6910 "lockdown_reason=invalid");
6911 return -EINVAL;
6912 }
6913
6914 ad.type = LSM_AUDIT_DATA_LOCKDOWN;
6915 ad.u.reason = what;
6916
6917 if (what <= LOCKDOWN_INTEGRITY_MAX)
6918 return avc_has_perm(&selinux_state,
6919 sid, sid, SECCLASS_LOCKDOWN,
6920 LOCKDOWN__INTEGRITY, &ad);
6921 else
6922 return avc_has_perm(&selinux_state,
6923 sid, sid, SECCLASS_LOCKDOWN,
6924 LOCKDOWN__CONFIDENTIALITY, &ad);
6925 }
6926
6927 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6928 .lbs_cred = sizeof(struct task_security_struct),
6929 .lbs_file = sizeof(struct file_security_struct),
6930 .lbs_inode = sizeof(struct inode_security_struct),
6931 .lbs_ipc = sizeof(struct ipc_security_struct),
6932 .lbs_msg_msg = sizeof(struct msg_security_struct),
6933 };
6934
6935 #ifdef CONFIG_PERF_EVENTS
selinux_perf_event_open(struct perf_event_attr * attr,int type)6936 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6937 {
6938 u32 requested, sid = current_sid();
6939
6940 if (type == PERF_SECURITY_OPEN)
6941 requested = PERF_EVENT__OPEN;
6942 else if (type == PERF_SECURITY_CPU)
6943 requested = PERF_EVENT__CPU;
6944 else if (type == PERF_SECURITY_KERNEL)
6945 requested = PERF_EVENT__KERNEL;
6946 else if (type == PERF_SECURITY_TRACEPOINT)
6947 requested = PERF_EVENT__TRACEPOINT;
6948 else
6949 return -EINVAL;
6950
6951 return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6952 requested, NULL);
6953 }
6954
selinux_perf_event_alloc(struct perf_event * event)6955 static int selinux_perf_event_alloc(struct perf_event *event)
6956 {
6957 struct perf_event_security_struct *perfsec;
6958
6959 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6960 if (!perfsec)
6961 return -ENOMEM;
6962
6963 perfsec->sid = current_sid();
6964 event->security = perfsec;
6965
6966 return 0;
6967 }
6968
selinux_perf_event_free(struct perf_event * event)6969 static void selinux_perf_event_free(struct perf_event *event)
6970 {
6971 struct perf_event_security_struct *perfsec = event->security;
6972
6973 event->security = NULL;
6974 kfree(perfsec);
6975 }
6976
selinux_perf_event_read(struct perf_event * event)6977 static int selinux_perf_event_read(struct perf_event *event)
6978 {
6979 struct perf_event_security_struct *perfsec = event->security;
6980 u32 sid = current_sid();
6981
6982 return avc_has_perm(&selinux_state, sid, perfsec->sid,
6983 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6984 }
6985
selinux_perf_event_write(struct perf_event * event)6986 static int selinux_perf_event_write(struct perf_event *event)
6987 {
6988 struct perf_event_security_struct *perfsec = event->security;
6989 u32 sid = current_sid();
6990
6991 return avc_has_perm(&selinux_state, sid, perfsec->sid,
6992 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6993 }
6994 #endif
6995
6996 /*
6997 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
6998 * 1. any hooks that don't belong to (2.) or (3.) below,
6999 * 2. hooks that both access structures allocated by other hooks, and allocate
7000 * structures that can be later accessed by other hooks (mostly "cloning"
7001 * hooks),
7002 * 3. hooks that only allocate structures that can be later accessed by other
7003 * hooks ("allocating" hooks).
7004 *
7005 * Please follow block comment delimiters in the list to keep this order.
7006 *
7007 * This ordering is needed for SELinux runtime disable to work at least somewhat
7008 * safely. Breaking the ordering rules above might lead to NULL pointer derefs
7009 * when disabling SELinux at runtime.
7010 */
7011 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
7012 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7013 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7014 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7015 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7016
7017 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7018 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7019 LSM_HOOK_INIT(capget, selinux_capget),
7020 LSM_HOOK_INIT(capset, selinux_capset),
7021 LSM_HOOK_INIT(capable, selinux_capable),
7022 LSM_HOOK_INIT(quotactl, selinux_quotactl),
7023 LSM_HOOK_INIT(quota_on, selinux_quota_on),
7024 LSM_HOOK_INIT(syslog, selinux_syslog),
7025 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7026
7027 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7028
7029 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7030 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7031 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7032
7033 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
7034 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7035 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7036 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7037 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7038 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7039 LSM_HOOK_INIT(sb_mount, selinux_mount),
7040 LSM_HOOK_INIT(sb_umount, selinux_umount),
7041 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7042 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7043
7044 LSM_HOOK_INIT(move_mount, selinux_move_mount),
7045
7046 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7047 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7048
7049 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7050 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7051 LSM_HOOK_INIT(inode_create, selinux_inode_create),
7052 LSM_HOOK_INIT(inode_link, selinux_inode_link),
7053 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7054 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7055 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7056 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7057 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7058 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7059 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7060 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7061 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7062 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7063 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7064 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7065 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7066 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7067 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7068 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7069 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7070 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7071 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7072 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7073 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7074 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7075 LSM_HOOK_INIT(path_notify, selinux_path_notify),
7076
7077 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7078
7079 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7080 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7081 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7082 LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
7083 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7084 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7085 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7086 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7087 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7088 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7089 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7090 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7091
7092 LSM_HOOK_INIT(file_open, selinux_file_open),
7093
7094 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7095 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7096 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7097 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7098 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7099 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7100 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7101 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7102 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7103 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7104 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7105 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7106 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
7107 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7108 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7109 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7110 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7111 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7112 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7113 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7114 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7115 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7116 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7117
7118 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7119 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7120
7121 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7122 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7123 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7124 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7125
7126 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7127 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7128 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7129
7130 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7131 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7132 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7133
7134 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7135
7136 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7137 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7138
7139 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7140 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7141 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7142 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7143 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7144 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7145
7146 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7147 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7148
7149 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7150 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7151 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7152 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7153 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7154 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7155 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7156 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7157 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7158 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7159 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7160 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7161 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7162 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7163 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7164 LSM_HOOK_INIT(socket_getpeersec_stream,
7165 selinux_socket_getpeersec_stream),
7166 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7167 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7168 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7169 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7170 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7171 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7172 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7173 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7174 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7175 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7176 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7177 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7178 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7179 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7180 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7181 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7182 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7183 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7184 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7185 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7186 #ifdef CONFIG_SECURITY_INFINIBAND
7187 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7188 LSM_HOOK_INIT(ib_endport_manage_subnet,
7189 selinux_ib_endport_manage_subnet),
7190 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7191 #endif
7192 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7193 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7194 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7195 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7196 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7197 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7198 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7199 selinux_xfrm_state_pol_flow_match),
7200 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7201 #endif
7202
7203 #ifdef CONFIG_KEYS
7204 LSM_HOOK_INIT(key_free, selinux_key_free),
7205 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7206 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7207 #ifdef CONFIG_KEY_NOTIFICATIONS
7208 LSM_HOOK_INIT(watch_key, selinux_watch_key),
7209 #endif
7210 #endif
7211
7212 #ifdef CONFIG_AUDIT
7213 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7214 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7215 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7216 #endif
7217
7218 #ifdef CONFIG_BPF_SYSCALL
7219 LSM_HOOK_INIT(bpf, selinux_bpf),
7220 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7221 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7222 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7223 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7224 #endif
7225
7226 #ifdef CONFIG_PERF_EVENTS
7227 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7228 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7229 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7230 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7231 #endif
7232
7233 LSM_HOOK_INIT(locked_down, selinux_lockdown),
7234
7235 /*
7236 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7237 */
7238 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7239 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7240 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7241 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
7242 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7243 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7244 #endif
7245
7246 /*
7247 * PUT "ALLOCATING" HOOKS HERE
7248 */
7249 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7250 LSM_HOOK_INIT(msg_queue_alloc_security,
7251 selinux_msg_queue_alloc_security),
7252 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7253 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7254 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7255 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7256 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7257 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7258 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7259 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7260 #ifdef CONFIG_SECURITY_INFINIBAND
7261 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7262 #endif
7263 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7264 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7265 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7266 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7267 selinux_xfrm_state_alloc_acquire),
7268 #endif
7269 #ifdef CONFIG_KEYS
7270 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7271 #endif
7272 #ifdef CONFIG_AUDIT
7273 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7274 #endif
7275 #ifdef CONFIG_BPF_SYSCALL
7276 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7277 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7278 #endif
7279 #ifdef CONFIG_PERF_EVENTS
7280 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7281 #endif
7282 };
7283
selinux_init(void)7284 static __init int selinux_init(void)
7285 {
7286 pr_info("SELinux: Initializing.\n");
7287
7288 memset(&selinux_state, 0, sizeof(selinux_state));
7289 enforcing_set(&selinux_state, selinux_enforcing_boot);
7290 checkreqprot_set(&selinux_state, selinux_checkreqprot_boot);
7291 selinux_avc_init(&selinux_state.avc);
7292 mutex_init(&selinux_state.status_lock);
7293 mutex_init(&selinux_state.policy_mutex);
7294
7295 /* Set the security state for the initial task. */
7296 cred_init_security();
7297
7298 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7299
7300 avc_init();
7301
7302 avtab_cache_init();
7303
7304 ebitmap_cache_init();
7305
7306 hashtab_cache_init();
7307
7308 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7309
7310 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7311 panic("SELinux: Unable to register AVC netcache callback\n");
7312
7313 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7314 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7315
7316 if (selinux_enforcing_boot)
7317 pr_debug("SELinux: Starting in enforcing mode\n");
7318 else
7319 pr_debug("SELinux: Starting in permissive mode\n");
7320
7321 fs_validate_description("selinux", selinux_fs_parameters);
7322
7323 return 0;
7324 }
7325
delayed_superblock_init(struct super_block * sb,void * unused)7326 static void delayed_superblock_init(struct super_block *sb, void *unused)
7327 {
7328 selinux_set_mnt_opts(sb, NULL, 0, NULL);
7329 }
7330
selinux_complete_init(void)7331 void selinux_complete_init(void)
7332 {
7333 pr_debug("SELinux: Completing initialization.\n");
7334
7335 /* Set up any superblocks initialized prior to the policy load. */
7336 pr_debug("SELinux: Setting up existing superblocks.\n");
7337 iterate_supers(delayed_superblock_init, NULL);
7338 }
7339
7340 /* SELinux requires early initialization in order to label
7341 all processes and objects when they are created. */
7342 DEFINE_LSM(selinux) = {
7343 .name = "selinux",
7344 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7345 .enabled = &selinux_enabled_boot,
7346 .blobs = &selinux_blob_sizes,
7347 .init = selinux_init,
7348 };
7349
7350 #if defined(CONFIG_NETFILTER)
7351
7352 static const struct nf_hook_ops selinux_nf_ops[] = {
7353 {
7354 .hook = selinux_ipv4_postroute,
7355 .pf = NFPROTO_IPV4,
7356 .hooknum = NF_INET_POST_ROUTING,
7357 .priority = NF_IP_PRI_SELINUX_LAST,
7358 },
7359 {
7360 .hook = selinux_ipv4_forward,
7361 .pf = NFPROTO_IPV4,
7362 .hooknum = NF_INET_FORWARD,
7363 .priority = NF_IP_PRI_SELINUX_FIRST,
7364 },
7365 {
7366 .hook = selinux_ipv4_output,
7367 .pf = NFPROTO_IPV4,
7368 .hooknum = NF_INET_LOCAL_OUT,
7369 .priority = NF_IP_PRI_SELINUX_FIRST,
7370 },
7371 #if IS_ENABLED(CONFIG_IPV6)
7372 {
7373 .hook = selinux_ipv6_postroute,
7374 .pf = NFPROTO_IPV6,
7375 .hooknum = NF_INET_POST_ROUTING,
7376 .priority = NF_IP6_PRI_SELINUX_LAST,
7377 },
7378 {
7379 .hook = selinux_ipv6_forward,
7380 .pf = NFPROTO_IPV6,
7381 .hooknum = NF_INET_FORWARD,
7382 .priority = NF_IP6_PRI_SELINUX_FIRST,
7383 },
7384 {
7385 .hook = selinux_ipv6_output,
7386 .pf = NFPROTO_IPV6,
7387 .hooknum = NF_INET_LOCAL_OUT,
7388 .priority = NF_IP6_PRI_SELINUX_FIRST,
7389 },
7390 #endif /* IPV6 */
7391 };
7392
selinux_nf_register(struct net * net)7393 static int __net_init selinux_nf_register(struct net *net)
7394 {
7395 return nf_register_net_hooks(net, selinux_nf_ops,
7396 ARRAY_SIZE(selinux_nf_ops));
7397 }
7398
selinux_nf_unregister(struct net * net)7399 static void __net_exit selinux_nf_unregister(struct net *net)
7400 {
7401 nf_unregister_net_hooks(net, selinux_nf_ops,
7402 ARRAY_SIZE(selinux_nf_ops));
7403 }
7404
7405 static struct pernet_operations selinux_net_ops = {
7406 .init = selinux_nf_register,
7407 .exit = selinux_nf_unregister,
7408 };
7409
selinux_nf_ip_init(void)7410 static int __init selinux_nf_ip_init(void)
7411 {
7412 int err;
7413
7414 if (!selinux_enabled_boot)
7415 return 0;
7416
7417 pr_debug("SELinux: Registering netfilter hooks\n");
7418
7419 err = register_pernet_subsys(&selinux_net_ops);
7420 if (err)
7421 panic("SELinux: register_pernet_subsys: error %d\n", err);
7422
7423 return 0;
7424 }
7425 __initcall(selinux_nf_ip_init);
7426
7427 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_nf_ip_exit(void)7428 static void selinux_nf_ip_exit(void)
7429 {
7430 pr_debug("SELinux: Unregistering netfilter hooks\n");
7431
7432 unregister_pernet_subsys(&selinux_net_ops);
7433 }
7434 #endif
7435
7436 #else /* CONFIG_NETFILTER */
7437
7438 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7439 #define selinux_nf_ip_exit()
7440 #endif
7441
7442 #endif /* CONFIG_NETFILTER */
7443
7444 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_disable(struct selinux_state * state)7445 int selinux_disable(struct selinux_state *state)
7446 {
7447 if (selinux_initialized(state)) {
7448 /* Not permitted after initial policy load. */
7449 return -EINVAL;
7450 }
7451
7452 if (selinux_disabled(state)) {
7453 /* Only do this once. */
7454 return -EINVAL;
7455 }
7456
7457 selinux_mark_disabled(state);
7458
7459 pr_info("SELinux: Disabled at runtime.\n");
7460
7461 /*
7462 * Unregister netfilter hooks.
7463 * Must be done before security_delete_hooks() to avoid breaking
7464 * runtime disable.
7465 */
7466 selinux_nf_ip_exit();
7467
7468 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7469
7470 /* Try to destroy the avc node cache */
7471 avc_disable();
7472
7473 /* Unregister selinuxfs. */
7474 exit_sel_fs();
7475
7476 return 0;
7477 }
7478 #endif
7479