1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * <dgoeddel@trustedcs.com>
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Paul Moore <paul@paul-moore.com>
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * Copyright (C) 2016 Mellanox Technologies
22 */
23
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/tracehook.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h> /* for Unix socket types */
73 #include <net/af_unix.h> /* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h> /* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94
95 #include "avc.h"
96 #include "objsec.h"
97 #include "netif.h"
98 #include "netnode.h"
99 #include "netport.h"
100 #include "ibpkey.h"
101 #include "xfrm.h"
102 #include "netlabel.h"
103 #include "audit.h"
104 #include "avc_ss.h"
105
106 struct selinux_state selinux_state;
107
108 /* SECMARK reference count */
109 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
110
111 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
112 static int selinux_enforcing_boot;
113
enforcing_setup(char * str)114 static int __init enforcing_setup(char *str)
115 {
116 unsigned long enforcing;
117 if (!kstrtoul(str, 0, &enforcing))
118 selinux_enforcing_boot = enforcing ? 1 : 0;
119 return 1;
120 }
121 __setup("enforcing=", enforcing_setup);
122 #else
123 #define selinux_enforcing_boot 1
124 #endif
125
126 int selinux_enabled __lsm_ro_after_init = 1;
127 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
selinux_enabled_setup(char * str)128 static int __init selinux_enabled_setup(char *str)
129 {
130 unsigned long enabled;
131 if (!kstrtoul(str, 0, &enabled))
132 selinux_enabled = enabled ? 1 : 0;
133 return 1;
134 }
135 __setup("selinux=", selinux_enabled_setup);
136 #endif
137
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
checkreqprot_setup(char * str)141 static int __init checkreqprot_setup(char *str)
142 {
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150
151 /**
152 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
153 *
154 * Description:
155 * This function checks the SECMARK reference counter to see if any SECMARK
156 * targets are currently configured, if the reference counter is greater than
157 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
158 * enabled, false (0) if SECMARK is disabled. If the always_check_network
159 * policy capability is enabled, SECMARK is always considered enabled.
160 *
161 */
selinux_secmark_enabled(void)162 static int selinux_secmark_enabled(void)
163 {
164 return (selinux_policycap_alwaysnetwork() ||
165 atomic_read(&selinux_secmark_refcount));
166 }
167
168 /**
169 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
170 *
171 * Description:
172 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
173 * (1) if any are enabled or false (0) if neither are enabled. If the
174 * always_check_network policy capability is enabled, peer labeling
175 * is always considered enabled.
176 *
177 */
selinux_peerlbl_enabled(void)178 static int selinux_peerlbl_enabled(void)
179 {
180 return (selinux_policycap_alwaysnetwork() ||
181 netlbl_enabled() || selinux_xfrm_enabled());
182 }
183
selinux_netcache_avc_callback(u32 event)184 static int selinux_netcache_avc_callback(u32 event)
185 {
186 if (event == AVC_CALLBACK_RESET) {
187 sel_netif_flush();
188 sel_netnode_flush();
189 sel_netport_flush();
190 synchronize_net();
191 }
192 return 0;
193 }
194
selinux_lsm_notifier_avc_callback(u32 event)195 static int selinux_lsm_notifier_avc_callback(u32 event)
196 {
197 if (event == AVC_CALLBACK_RESET) {
198 sel_ib_pkey_flush();
199 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
200 }
201
202 return 0;
203 }
204
205 /*
206 * initialise the security for the init task
207 */
cred_init_security(void)208 static void cred_init_security(void)
209 {
210 struct cred *cred = (struct cred *) current->real_cred;
211 struct task_security_struct *tsec;
212
213 tsec = selinux_cred(cred);
214 tsec->osid = tsec->sid = SECINITSID_KERNEL;
215 }
216
217 /*
218 * get the security ID of a set of credentials
219 */
cred_sid(const struct cred * cred)220 static inline u32 cred_sid(const struct cred *cred)
221 {
222 const struct task_security_struct *tsec;
223
224 tsec = selinux_cred(cred);
225 return tsec->sid;
226 }
227
228 /*
229 * get the objective security ID of a task
230 */
task_sid(const struct task_struct * task)231 static inline u32 task_sid(const struct task_struct *task)
232 {
233 u32 sid;
234
235 rcu_read_lock();
236 sid = cred_sid(__task_cred(task));
237 rcu_read_unlock();
238 return sid;
239 }
240
241 /* Allocate and free functions for each kind of security blob. */
242
inode_alloc_security(struct inode * inode)243 static int inode_alloc_security(struct inode *inode)
244 {
245 struct inode_security_struct *isec = selinux_inode(inode);
246 u32 sid = current_sid();
247
248 spin_lock_init(&isec->lock);
249 INIT_LIST_HEAD(&isec->list);
250 isec->inode = inode;
251 isec->sid = SECINITSID_UNLABELED;
252 isec->sclass = SECCLASS_FILE;
253 isec->task_sid = sid;
254 isec->initialized = LABEL_INVALID;
255
256 return 0;
257 }
258
259 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
260
261 /*
262 * Try reloading inode security labels that have been marked as invalid. The
263 * @may_sleep parameter indicates when sleeping and thus reloading labels is
264 * allowed; when set to false, returns -ECHILD when the label is
265 * invalid. The @dentry parameter should be set to a dentry of the inode.
266 */
__inode_security_revalidate(struct inode * inode,struct dentry * dentry,bool may_sleep)267 static int __inode_security_revalidate(struct inode *inode,
268 struct dentry *dentry,
269 bool may_sleep)
270 {
271 struct inode_security_struct *isec = selinux_inode(inode);
272
273 might_sleep_if(may_sleep);
274
275 if (selinux_state.initialized &&
276 isec->initialized != LABEL_INITIALIZED) {
277 if (!may_sleep)
278 return -ECHILD;
279
280 /*
281 * Try reloading the inode security label. This will fail if
282 * @opt_dentry is NULL and no dentry for this inode can be
283 * found; in that case, continue using the old label.
284 */
285 inode_doinit_with_dentry(inode, dentry);
286 }
287 return 0;
288 }
289
inode_security_novalidate(struct inode * inode)290 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
291 {
292 return selinux_inode(inode);
293 }
294
inode_security_rcu(struct inode * inode,bool rcu)295 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
296 {
297 int error;
298
299 error = __inode_security_revalidate(inode, NULL, !rcu);
300 if (error)
301 return ERR_PTR(error);
302 return selinux_inode(inode);
303 }
304
305 /*
306 * Get the security label of an inode.
307 */
inode_security(struct inode * inode)308 static struct inode_security_struct *inode_security(struct inode *inode)
309 {
310 __inode_security_revalidate(inode, NULL, true);
311 return selinux_inode(inode);
312 }
313
backing_inode_security_novalidate(struct dentry * dentry)314 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
315 {
316 struct inode *inode = d_backing_inode(dentry);
317
318 return selinux_inode(inode);
319 }
320
321 /*
322 * Get the security label of a dentry's backing inode.
323 */
backing_inode_security(struct dentry * dentry)324 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
325 {
326 struct inode *inode = d_backing_inode(dentry);
327
328 __inode_security_revalidate(inode, dentry, true);
329 return selinux_inode(inode);
330 }
331
inode_free_security(struct inode * inode)332 static void inode_free_security(struct inode *inode)
333 {
334 struct inode_security_struct *isec = selinux_inode(inode);
335 struct superblock_security_struct *sbsec;
336
337 if (!isec)
338 return;
339 sbsec = inode->i_sb->s_security;
340 /*
341 * As not all inode security structures are in a list, we check for
342 * empty list outside of the lock to make sure that we won't waste
343 * time taking a lock doing nothing.
344 *
345 * The list_del_init() function can be safely called more than once.
346 * It should not be possible for this function to be called with
347 * concurrent list_add(), but for better safety against future changes
348 * in the code, we use list_empty_careful() here.
349 */
350 if (!list_empty_careful(&isec->list)) {
351 spin_lock(&sbsec->isec_lock);
352 list_del_init(&isec->list);
353 spin_unlock(&sbsec->isec_lock);
354 }
355 }
356
file_alloc_security(struct file * file)357 static int file_alloc_security(struct file *file)
358 {
359 struct file_security_struct *fsec = selinux_file(file);
360 u32 sid = current_sid();
361
362 fsec->sid = sid;
363 fsec->fown_sid = sid;
364
365 return 0;
366 }
367
superblock_alloc_security(struct super_block * sb)368 static int superblock_alloc_security(struct super_block *sb)
369 {
370 struct superblock_security_struct *sbsec;
371
372 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
373 if (!sbsec)
374 return -ENOMEM;
375
376 mutex_init(&sbsec->lock);
377 INIT_LIST_HEAD(&sbsec->isec_head);
378 spin_lock_init(&sbsec->isec_lock);
379 sbsec->sb = sb;
380 sbsec->sid = SECINITSID_UNLABELED;
381 sbsec->def_sid = SECINITSID_FILE;
382 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
383 sb->s_security = sbsec;
384
385 return 0;
386 }
387
superblock_free_security(struct super_block * sb)388 static void superblock_free_security(struct super_block *sb)
389 {
390 struct superblock_security_struct *sbsec = sb->s_security;
391 sb->s_security = NULL;
392 kfree(sbsec);
393 }
394
395 struct selinux_mnt_opts {
396 const char *fscontext, *context, *rootcontext, *defcontext;
397 };
398
selinux_free_mnt_opts(void * mnt_opts)399 static void selinux_free_mnt_opts(void *mnt_opts)
400 {
401 struct selinux_mnt_opts *opts = mnt_opts;
402 kfree(opts->fscontext);
403 kfree(opts->context);
404 kfree(opts->rootcontext);
405 kfree(opts->defcontext);
406 kfree(opts);
407 }
408
inode_doinit(struct inode * inode)409 static inline int inode_doinit(struct inode *inode)
410 {
411 return inode_doinit_with_dentry(inode, NULL);
412 }
413
414 enum {
415 Opt_error = -1,
416 Opt_context = 0,
417 Opt_defcontext = 1,
418 Opt_fscontext = 2,
419 Opt_rootcontext = 3,
420 Opt_seclabel = 4,
421 };
422
423 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
424 static struct {
425 const char *name;
426 int len;
427 int opt;
428 bool has_arg;
429 } tokens[] = {
430 A(context, true),
431 A(fscontext, true),
432 A(defcontext, true),
433 A(rootcontext, true),
434 A(seclabel, false),
435 };
436 #undef A
437
match_opt_prefix(char * s,int l,char ** arg)438 static int match_opt_prefix(char *s, int l, char **arg)
439 {
440 int i;
441
442 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
443 size_t len = tokens[i].len;
444 if (len > l || memcmp(s, tokens[i].name, len))
445 continue;
446 if (tokens[i].has_arg) {
447 if (len == l || s[len] != '=')
448 continue;
449 *arg = s + len + 1;
450 } else if (len != l)
451 continue;
452 return tokens[i].opt;
453 }
454 return Opt_error;
455 }
456
457 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
458
may_context_mount_sb_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)459 static int may_context_mount_sb_relabel(u32 sid,
460 struct superblock_security_struct *sbsec,
461 const struct cred *cred)
462 {
463 const struct task_security_struct *tsec = selinux_cred(cred);
464 int rc;
465
466 rc = avc_has_perm(&selinux_state,
467 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
468 FILESYSTEM__RELABELFROM, NULL);
469 if (rc)
470 return rc;
471
472 rc = avc_has_perm(&selinux_state,
473 tsec->sid, sid, SECCLASS_FILESYSTEM,
474 FILESYSTEM__RELABELTO, NULL);
475 return rc;
476 }
477
may_context_mount_inode_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)478 static int may_context_mount_inode_relabel(u32 sid,
479 struct superblock_security_struct *sbsec,
480 const struct cred *cred)
481 {
482 const struct task_security_struct *tsec = selinux_cred(cred);
483 int rc;
484 rc = avc_has_perm(&selinux_state,
485 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
486 FILESYSTEM__RELABELFROM, NULL);
487 if (rc)
488 return rc;
489
490 rc = avc_has_perm(&selinux_state,
491 sid, sbsec->sid, SECCLASS_FILESYSTEM,
492 FILESYSTEM__ASSOCIATE, NULL);
493 return rc;
494 }
495
selinux_is_genfs_special_handling(struct super_block * sb)496 static int selinux_is_genfs_special_handling(struct super_block *sb)
497 {
498 /* Special handling. Genfs but also in-core setxattr handler */
499 return !strcmp(sb->s_type->name, "sysfs") ||
500 !strcmp(sb->s_type->name, "pstore") ||
501 !strcmp(sb->s_type->name, "debugfs") ||
502 !strcmp(sb->s_type->name, "tracefs") ||
503 !strcmp(sb->s_type->name, "rootfs") ||
504 (selinux_policycap_cgroupseclabel() &&
505 (!strcmp(sb->s_type->name, "cgroup") ||
506 !strcmp(sb->s_type->name, "cgroup2")));
507 }
508
selinux_is_sblabel_mnt(struct super_block * sb)509 static int selinux_is_sblabel_mnt(struct super_block *sb)
510 {
511 struct superblock_security_struct *sbsec = sb->s_security;
512
513 /*
514 * IMPORTANT: Double-check logic in this function when adding a new
515 * SECURITY_FS_USE_* definition!
516 */
517 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
518
519 switch (sbsec->behavior) {
520 case SECURITY_FS_USE_XATTR:
521 case SECURITY_FS_USE_TRANS:
522 case SECURITY_FS_USE_TASK:
523 case SECURITY_FS_USE_NATIVE:
524 return 1;
525
526 case SECURITY_FS_USE_GENFS:
527 return selinux_is_genfs_special_handling(sb);
528
529 /* Never allow relabeling on context mounts */
530 case SECURITY_FS_USE_MNTPOINT:
531 case SECURITY_FS_USE_NONE:
532 default:
533 return 0;
534 }
535 }
536
sb_finish_set_opts(struct super_block * sb)537 static int sb_finish_set_opts(struct super_block *sb)
538 {
539 struct superblock_security_struct *sbsec = sb->s_security;
540 struct dentry *root = sb->s_root;
541 struct inode *root_inode = d_backing_inode(root);
542 int rc = 0;
543
544 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
545 /* Make sure that the xattr handler exists and that no
546 error other than -ENODATA is returned by getxattr on
547 the root directory. -ENODATA is ok, as this may be
548 the first boot of the SELinux kernel before we have
549 assigned xattr values to the filesystem. */
550 if (!(root_inode->i_opflags & IOP_XATTR)) {
551 pr_warn("SELinux: (dev %s, type %s) has no "
552 "xattr support\n", sb->s_id, sb->s_type->name);
553 rc = -EOPNOTSUPP;
554 goto out;
555 }
556
557 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL,
558 0, XATTR_NOSECURITY);
559 if (rc < 0 && rc != -ENODATA) {
560 if (rc == -EOPNOTSUPP)
561 pr_warn("SELinux: (dev %s, type "
562 "%s) has no security xattr handler\n",
563 sb->s_id, sb->s_type->name);
564 else
565 pr_warn("SELinux: (dev %s, type "
566 "%s) getxattr errno %d\n", sb->s_id,
567 sb->s_type->name, -rc);
568 goto out;
569 }
570 }
571
572 sbsec->flags |= SE_SBINITIALIZED;
573
574 /*
575 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
576 * leave the flag untouched because sb_clone_mnt_opts might be handing
577 * us a superblock that needs the flag to be cleared.
578 */
579 if (selinux_is_sblabel_mnt(sb))
580 sbsec->flags |= SBLABEL_MNT;
581 else
582 sbsec->flags &= ~SBLABEL_MNT;
583
584 /* Initialize the root inode. */
585 rc = inode_doinit_with_dentry(root_inode, root);
586
587 /* Initialize any other inodes associated with the superblock, e.g.
588 inodes created prior to initial policy load or inodes created
589 during get_sb by a pseudo filesystem that directly
590 populates itself. */
591 spin_lock(&sbsec->isec_lock);
592 while (!list_empty(&sbsec->isec_head)) {
593 struct inode_security_struct *isec =
594 list_first_entry(&sbsec->isec_head,
595 struct inode_security_struct, list);
596 struct inode *inode = isec->inode;
597 list_del_init(&isec->list);
598 spin_unlock(&sbsec->isec_lock);
599 inode = igrab(inode);
600 if (inode) {
601 if (!IS_PRIVATE(inode))
602 inode_doinit(inode);
603 iput(inode);
604 }
605 spin_lock(&sbsec->isec_lock);
606 }
607 spin_unlock(&sbsec->isec_lock);
608 out:
609 return rc;
610 }
611
bad_option(struct superblock_security_struct * sbsec,char flag,u32 old_sid,u32 new_sid)612 static int bad_option(struct superblock_security_struct *sbsec, char flag,
613 u32 old_sid, u32 new_sid)
614 {
615 char mnt_flags = sbsec->flags & SE_MNTMASK;
616
617 /* check if the old mount command had the same options */
618 if (sbsec->flags & SE_SBINITIALIZED)
619 if (!(sbsec->flags & flag) ||
620 (old_sid != new_sid))
621 return 1;
622
623 /* check if we were passed the same options twice,
624 * aka someone passed context=a,context=b
625 */
626 if (!(sbsec->flags & SE_SBINITIALIZED))
627 if (mnt_flags & flag)
628 return 1;
629 return 0;
630 }
631
parse_sid(struct super_block * sb,const char * s,u32 * sid)632 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
633 {
634 int rc = security_context_str_to_sid(&selinux_state, s,
635 sid, GFP_KERNEL);
636 if (rc)
637 pr_warn("SELinux: security_context_str_to_sid"
638 "(%s) failed for (dev %s, type %s) errno=%d\n",
639 s, sb->s_id, sb->s_type->name, rc);
640 return rc;
641 }
642
643 /*
644 * Allow filesystems with binary mount data to explicitly set mount point
645 * labeling information.
646 */
selinux_set_mnt_opts(struct super_block * sb,void * mnt_opts,unsigned long kern_flags,unsigned long * set_kern_flags)647 static int selinux_set_mnt_opts(struct super_block *sb,
648 void *mnt_opts,
649 unsigned long kern_flags,
650 unsigned long *set_kern_flags)
651 {
652 const struct cred *cred = current_cred();
653 struct superblock_security_struct *sbsec = sb->s_security;
654 struct dentry *root = sbsec->sb->s_root;
655 struct selinux_mnt_opts *opts = mnt_opts;
656 struct inode_security_struct *root_isec;
657 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
658 u32 defcontext_sid = 0;
659 int rc = 0;
660
661 mutex_lock(&sbsec->lock);
662
663 if (!selinux_state.initialized) {
664 if (!opts) {
665 /* Defer initialization until selinux_complete_init,
666 after the initial policy is loaded and the security
667 server is ready to handle calls. */
668 goto out;
669 }
670 rc = -EINVAL;
671 pr_warn("SELinux: Unable to set superblock options "
672 "before the security server is initialized\n");
673 goto out;
674 }
675 if (kern_flags && !set_kern_flags) {
676 /* Specifying internal flags without providing a place to
677 * place the results is not allowed */
678 rc = -EINVAL;
679 goto out;
680 }
681
682 /*
683 * Binary mount data FS will come through this function twice. Once
684 * from an explicit call and once from the generic calls from the vfs.
685 * Since the generic VFS calls will not contain any security mount data
686 * we need to skip the double mount verification.
687 *
688 * This does open a hole in which we will not notice if the first
689 * mount using this sb set explict options and a second mount using
690 * this sb does not set any security options. (The first options
691 * will be used for both mounts)
692 */
693 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
694 && !opts)
695 goto out;
696
697 root_isec = backing_inode_security_novalidate(root);
698
699 /*
700 * parse the mount options, check if they are valid sids.
701 * also check if someone is trying to mount the same sb more
702 * than once with different security options.
703 */
704 if (opts) {
705 if (opts->fscontext) {
706 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
707 if (rc)
708 goto out;
709 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
710 fscontext_sid))
711 goto out_double_mount;
712 sbsec->flags |= FSCONTEXT_MNT;
713 }
714 if (opts->context) {
715 rc = parse_sid(sb, opts->context, &context_sid);
716 if (rc)
717 goto out;
718 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
719 context_sid))
720 goto out_double_mount;
721 sbsec->flags |= CONTEXT_MNT;
722 }
723 if (opts->rootcontext) {
724 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
725 if (rc)
726 goto out;
727 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
728 rootcontext_sid))
729 goto out_double_mount;
730 sbsec->flags |= ROOTCONTEXT_MNT;
731 }
732 if (opts->defcontext) {
733 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
734 if (rc)
735 goto out;
736 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
737 defcontext_sid))
738 goto out_double_mount;
739 sbsec->flags |= DEFCONTEXT_MNT;
740 }
741 }
742
743 if (sbsec->flags & SE_SBINITIALIZED) {
744 /* previously mounted with options, but not on this attempt? */
745 if ((sbsec->flags & SE_MNTMASK) && !opts)
746 goto out_double_mount;
747 rc = 0;
748 goto out;
749 }
750
751 if (strcmp(sb->s_type->name, "proc") == 0)
752 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
753
754 if (!strcmp(sb->s_type->name, "debugfs") ||
755 !strcmp(sb->s_type->name, "tracefs") ||
756 !strcmp(sb->s_type->name, "binder") ||
757 !strcmp(sb->s_type->name, "bpf") ||
758 !strcmp(sb->s_type->name, "pstore"))
759 sbsec->flags |= SE_SBGENFS;
760
761 if (!strcmp(sb->s_type->name, "sysfs") ||
762 !strcmp(sb->s_type->name, "cgroup") ||
763 !strcmp(sb->s_type->name, "cgroup2"))
764 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
765
766 if (!sbsec->behavior) {
767 /*
768 * Determine the labeling behavior to use for this
769 * filesystem type.
770 */
771 rc = security_fs_use(&selinux_state, sb);
772 if (rc) {
773 pr_warn("%s: security_fs_use(%s) returned %d\n",
774 __func__, sb->s_type->name, rc);
775 goto out;
776 }
777 }
778
779 /*
780 * If this is a user namespace mount and the filesystem type is not
781 * explicitly whitelisted, then no contexts are allowed on the command
782 * line and security labels must be ignored.
783 */
784 if (sb->s_user_ns != &init_user_ns &&
785 strcmp(sb->s_type->name, "tmpfs") &&
786 strcmp(sb->s_type->name, "ramfs") &&
787 strcmp(sb->s_type->name, "devpts")) {
788 if (context_sid || fscontext_sid || rootcontext_sid ||
789 defcontext_sid) {
790 rc = -EACCES;
791 goto out;
792 }
793 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
794 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
795 rc = security_transition_sid(&selinux_state,
796 current_sid(),
797 current_sid(),
798 SECCLASS_FILE, NULL,
799 &sbsec->mntpoint_sid);
800 if (rc)
801 goto out;
802 }
803 goto out_set_opts;
804 }
805
806 /* sets the context of the superblock for the fs being mounted. */
807 if (fscontext_sid) {
808 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
809 if (rc)
810 goto out;
811
812 sbsec->sid = fscontext_sid;
813 }
814
815 /*
816 * Switch to using mount point labeling behavior.
817 * sets the label used on all file below the mountpoint, and will set
818 * the superblock context if not already set.
819 */
820 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
821 sbsec->behavior = SECURITY_FS_USE_NATIVE;
822 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
823 }
824
825 if (context_sid) {
826 if (!fscontext_sid) {
827 rc = may_context_mount_sb_relabel(context_sid, sbsec,
828 cred);
829 if (rc)
830 goto out;
831 sbsec->sid = context_sid;
832 } else {
833 rc = may_context_mount_inode_relabel(context_sid, sbsec,
834 cred);
835 if (rc)
836 goto out;
837 }
838 if (!rootcontext_sid)
839 rootcontext_sid = context_sid;
840
841 sbsec->mntpoint_sid = context_sid;
842 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
843 }
844
845 if (rootcontext_sid) {
846 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
847 cred);
848 if (rc)
849 goto out;
850
851 root_isec->sid = rootcontext_sid;
852 root_isec->initialized = LABEL_INITIALIZED;
853 }
854
855 if (defcontext_sid) {
856 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
857 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
858 rc = -EINVAL;
859 pr_warn("SELinux: defcontext option is "
860 "invalid for this filesystem type\n");
861 goto out;
862 }
863
864 if (defcontext_sid != sbsec->def_sid) {
865 rc = may_context_mount_inode_relabel(defcontext_sid,
866 sbsec, cred);
867 if (rc)
868 goto out;
869 }
870
871 sbsec->def_sid = defcontext_sid;
872 }
873
874 out_set_opts:
875 rc = sb_finish_set_opts(sb);
876 out:
877 mutex_unlock(&sbsec->lock);
878 return rc;
879 out_double_mount:
880 rc = -EINVAL;
881 pr_warn("SELinux: mount invalid. Same superblock, different "
882 "security settings for (dev %s, type %s)\n", sb->s_id,
883 sb->s_type->name);
884 goto out;
885 }
886
selinux_cmp_sb_context(const struct super_block * oldsb,const struct super_block * newsb)887 static int selinux_cmp_sb_context(const struct super_block *oldsb,
888 const struct super_block *newsb)
889 {
890 struct superblock_security_struct *old = oldsb->s_security;
891 struct superblock_security_struct *new = newsb->s_security;
892 char oldflags = old->flags & SE_MNTMASK;
893 char newflags = new->flags & SE_MNTMASK;
894
895 if (oldflags != newflags)
896 goto mismatch;
897 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
898 goto mismatch;
899 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
900 goto mismatch;
901 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
902 goto mismatch;
903 if (oldflags & ROOTCONTEXT_MNT) {
904 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
905 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
906 if (oldroot->sid != newroot->sid)
907 goto mismatch;
908 }
909 return 0;
910 mismatch:
911 pr_warn("SELinux: mount invalid. Same superblock, "
912 "different security settings for (dev %s, "
913 "type %s)\n", newsb->s_id, newsb->s_type->name);
914 return -EBUSY;
915 }
916
selinux_sb_clone_mnt_opts(const struct super_block * oldsb,struct super_block * newsb,unsigned long kern_flags,unsigned long * set_kern_flags)917 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
918 struct super_block *newsb,
919 unsigned long kern_flags,
920 unsigned long *set_kern_flags)
921 {
922 int rc = 0;
923 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
924 struct superblock_security_struct *newsbsec = newsb->s_security;
925
926 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
927 int set_context = (oldsbsec->flags & CONTEXT_MNT);
928 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
929
930 /*
931 * if the parent was able to be mounted it clearly had no special lsm
932 * mount options. thus we can safely deal with this superblock later
933 */
934 if (!selinux_state.initialized)
935 return 0;
936
937 /*
938 * Specifying internal flags without providing a place to
939 * place the results is not allowed.
940 */
941 if (kern_flags && !set_kern_flags)
942 return -EINVAL;
943
944 /* how can we clone if the old one wasn't set up?? */
945 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
946
947 /* if fs is reusing a sb, make sure that the contexts match */
948 if (newsbsec->flags & SE_SBINITIALIZED) {
949 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
950 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
951 return selinux_cmp_sb_context(oldsb, newsb);
952 }
953
954 mutex_lock(&newsbsec->lock);
955
956 newsbsec->flags = oldsbsec->flags;
957
958 newsbsec->sid = oldsbsec->sid;
959 newsbsec->def_sid = oldsbsec->def_sid;
960 newsbsec->behavior = oldsbsec->behavior;
961
962 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
963 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
964 rc = security_fs_use(&selinux_state, newsb);
965 if (rc)
966 goto out;
967 }
968
969 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
970 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
971 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
972 }
973
974 if (set_context) {
975 u32 sid = oldsbsec->mntpoint_sid;
976
977 if (!set_fscontext)
978 newsbsec->sid = sid;
979 if (!set_rootcontext) {
980 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
981 newisec->sid = sid;
982 }
983 newsbsec->mntpoint_sid = sid;
984 }
985 if (set_rootcontext) {
986 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
987 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
988
989 newisec->sid = oldisec->sid;
990 }
991
992 sb_finish_set_opts(newsb);
993 out:
994 mutex_unlock(&newsbsec->lock);
995 return rc;
996 }
997
selinux_add_opt(int token,const char * s,void ** mnt_opts)998 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
999 {
1000 struct selinux_mnt_opts *opts = *mnt_opts;
1001 bool is_alloc_opts = false;
1002
1003 if (token == Opt_seclabel) /* eaten and completely ignored */
1004 return 0;
1005
1006 if (!s)
1007 return -ENOMEM;
1008
1009 if (!opts) {
1010 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1011 if (!opts)
1012 return -ENOMEM;
1013 *mnt_opts = opts;
1014 is_alloc_opts = true;
1015 }
1016
1017 switch (token) {
1018 case Opt_context:
1019 if (opts->context || opts->defcontext)
1020 goto Einval;
1021 opts->context = s;
1022 break;
1023 case Opt_fscontext:
1024 if (opts->fscontext)
1025 goto Einval;
1026 opts->fscontext = s;
1027 break;
1028 case Opt_rootcontext:
1029 if (opts->rootcontext)
1030 goto Einval;
1031 opts->rootcontext = s;
1032 break;
1033 case Opt_defcontext:
1034 if (opts->context || opts->defcontext)
1035 goto Einval;
1036 opts->defcontext = s;
1037 break;
1038 }
1039 return 0;
1040 Einval:
1041 if (is_alloc_opts) {
1042 kfree(opts);
1043 *mnt_opts = NULL;
1044 }
1045 pr_warn(SEL_MOUNT_FAIL_MSG);
1046 return -EINVAL;
1047 }
1048
selinux_add_mnt_opt(const char * option,const char * val,int len,void ** mnt_opts)1049 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1050 void **mnt_opts)
1051 {
1052 int token = Opt_error;
1053 int rc, i;
1054
1055 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1056 if (strcmp(option, tokens[i].name) == 0) {
1057 token = tokens[i].opt;
1058 break;
1059 }
1060 }
1061
1062 if (token == Opt_error)
1063 return -EINVAL;
1064
1065 if (token != Opt_seclabel) {
1066 val = kmemdup_nul(val, len, GFP_KERNEL);
1067 if (!val) {
1068 rc = -ENOMEM;
1069 goto free_opt;
1070 }
1071 }
1072 rc = selinux_add_opt(token, val, mnt_opts);
1073 if (unlikely(rc)) {
1074 kfree(val);
1075 goto free_opt;
1076 }
1077 return rc;
1078
1079 free_opt:
1080 if (*mnt_opts) {
1081 selinux_free_mnt_opts(*mnt_opts);
1082 *mnt_opts = NULL;
1083 }
1084 return rc;
1085 }
1086
show_sid(struct seq_file * m,u32 sid)1087 static int show_sid(struct seq_file *m, u32 sid)
1088 {
1089 char *context = NULL;
1090 u32 len;
1091 int rc;
1092
1093 rc = security_sid_to_context(&selinux_state, sid,
1094 &context, &len);
1095 if (!rc) {
1096 bool has_comma = context && strchr(context, ',');
1097
1098 seq_putc(m, '=');
1099 if (has_comma)
1100 seq_putc(m, '\"');
1101 seq_escape(m, context, "\"\n\\");
1102 if (has_comma)
1103 seq_putc(m, '\"');
1104 }
1105 kfree(context);
1106 return rc;
1107 }
1108
selinux_sb_show_options(struct seq_file * m,struct super_block * sb)1109 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1110 {
1111 struct superblock_security_struct *sbsec = sb->s_security;
1112 int rc;
1113
1114 if (!(sbsec->flags & SE_SBINITIALIZED))
1115 return 0;
1116
1117 if (!selinux_state.initialized)
1118 return 0;
1119
1120 if (sbsec->flags & FSCONTEXT_MNT) {
1121 seq_putc(m, ',');
1122 seq_puts(m, FSCONTEXT_STR);
1123 rc = show_sid(m, sbsec->sid);
1124 if (rc)
1125 return rc;
1126 }
1127 if (sbsec->flags & CONTEXT_MNT) {
1128 seq_putc(m, ',');
1129 seq_puts(m, CONTEXT_STR);
1130 rc = show_sid(m, sbsec->mntpoint_sid);
1131 if (rc)
1132 return rc;
1133 }
1134 if (sbsec->flags & DEFCONTEXT_MNT) {
1135 seq_putc(m, ',');
1136 seq_puts(m, DEFCONTEXT_STR);
1137 rc = show_sid(m, sbsec->def_sid);
1138 if (rc)
1139 return rc;
1140 }
1141 if (sbsec->flags & ROOTCONTEXT_MNT) {
1142 struct dentry *root = sbsec->sb->s_root;
1143 struct inode_security_struct *isec = backing_inode_security(root);
1144 seq_putc(m, ',');
1145 seq_puts(m, ROOTCONTEXT_STR);
1146 rc = show_sid(m, isec->sid);
1147 if (rc)
1148 return rc;
1149 }
1150 if (sbsec->flags & SBLABEL_MNT) {
1151 seq_putc(m, ',');
1152 seq_puts(m, SECLABEL_STR);
1153 }
1154 return 0;
1155 }
1156
inode_mode_to_security_class(umode_t mode)1157 static inline u16 inode_mode_to_security_class(umode_t mode)
1158 {
1159 switch (mode & S_IFMT) {
1160 case S_IFSOCK:
1161 return SECCLASS_SOCK_FILE;
1162 case S_IFLNK:
1163 return SECCLASS_LNK_FILE;
1164 case S_IFREG:
1165 return SECCLASS_FILE;
1166 case S_IFBLK:
1167 return SECCLASS_BLK_FILE;
1168 case S_IFDIR:
1169 return SECCLASS_DIR;
1170 case S_IFCHR:
1171 return SECCLASS_CHR_FILE;
1172 case S_IFIFO:
1173 return SECCLASS_FIFO_FILE;
1174
1175 }
1176
1177 return SECCLASS_FILE;
1178 }
1179
default_protocol_stream(int protocol)1180 static inline int default_protocol_stream(int protocol)
1181 {
1182 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1183 }
1184
default_protocol_dgram(int protocol)1185 static inline int default_protocol_dgram(int protocol)
1186 {
1187 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1188 }
1189
socket_type_to_security_class(int family,int type,int protocol)1190 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1191 {
1192 int extsockclass = selinux_policycap_extsockclass();
1193
1194 switch (family) {
1195 case PF_UNIX:
1196 switch (type) {
1197 case SOCK_STREAM:
1198 case SOCK_SEQPACKET:
1199 return SECCLASS_UNIX_STREAM_SOCKET;
1200 case SOCK_DGRAM:
1201 case SOCK_RAW:
1202 return SECCLASS_UNIX_DGRAM_SOCKET;
1203 }
1204 break;
1205 case PF_INET:
1206 case PF_INET6:
1207 switch (type) {
1208 case SOCK_STREAM:
1209 case SOCK_SEQPACKET:
1210 if (default_protocol_stream(protocol))
1211 return SECCLASS_TCP_SOCKET;
1212 else if (extsockclass && protocol == IPPROTO_SCTP)
1213 return SECCLASS_SCTP_SOCKET;
1214 else
1215 return SECCLASS_RAWIP_SOCKET;
1216 case SOCK_DGRAM:
1217 if (default_protocol_dgram(protocol))
1218 return SECCLASS_UDP_SOCKET;
1219 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1220 protocol == IPPROTO_ICMPV6))
1221 return SECCLASS_ICMP_SOCKET;
1222 else
1223 return SECCLASS_RAWIP_SOCKET;
1224 case SOCK_DCCP:
1225 return SECCLASS_DCCP_SOCKET;
1226 default:
1227 return SECCLASS_RAWIP_SOCKET;
1228 }
1229 break;
1230 case PF_NETLINK:
1231 switch (protocol) {
1232 case NETLINK_ROUTE:
1233 return SECCLASS_NETLINK_ROUTE_SOCKET;
1234 case NETLINK_SOCK_DIAG:
1235 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1236 case NETLINK_NFLOG:
1237 return SECCLASS_NETLINK_NFLOG_SOCKET;
1238 case NETLINK_XFRM:
1239 return SECCLASS_NETLINK_XFRM_SOCKET;
1240 case NETLINK_SELINUX:
1241 return SECCLASS_NETLINK_SELINUX_SOCKET;
1242 case NETLINK_ISCSI:
1243 return SECCLASS_NETLINK_ISCSI_SOCKET;
1244 case NETLINK_AUDIT:
1245 return SECCLASS_NETLINK_AUDIT_SOCKET;
1246 case NETLINK_FIB_LOOKUP:
1247 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1248 case NETLINK_CONNECTOR:
1249 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1250 case NETLINK_NETFILTER:
1251 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1252 case NETLINK_DNRTMSG:
1253 return SECCLASS_NETLINK_DNRT_SOCKET;
1254 case NETLINK_KOBJECT_UEVENT:
1255 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1256 case NETLINK_GENERIC:
1257 return SECCLASS_NETLINK_GENERIC_SOCKET;
1258 case NETLINK_SCSITRANSPORT:
1259 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1260 case NETLINK_RDMA:
1261 return SECCLASS_NETLINK_RDMA_SOCKET;
1262 case NETLINK_CRYPTO:
1263 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1264 default:
1265 return SECCLASS_NETLINK_SOCKET;
1266 }
1267 case PF_PACKET:
1268 return SECCLASS_PACKET_SOCKET;
1269 case PF_KEY:
1270 return SECCLASS_KEY_SOCKET;
1271 case PF_APPLETALK:
1272 return SECCLASS_APPLETALK_SOCKET;
1273 }
1274
1275 if (extsockclass) {
1276 switch (family) {
1277 case PF_AX25:
1278 return SECCLASS_AX25_SOCKET;
1279 case PF_IPX:
1280 return SECCLASS_IPX_SOCKET;
1281 case PF_NETROM:
1282 return SECCLASS_NETROM_SOCKET;
1283 case PF_ATMPVC:
1284 return SECCLASS_ATMPVC_SOCKET;
1285 case PF_X25:
1286 return SECCLASS_X25_SOCKET;
1287 case PF_ROSE:
1288 return SECCLASS_ROSE_SOCKET;
1289 case PF_DECnet:
1290 return SECCLASS_DECNET_SOCKET;
1291 case PF_ATMSVC:
1292 return SECCLASS_ATMSVC_SOCKET;
1293 case PF_RDS:
1294 return SECCLASS_RDS_SOCKET;
1295 case PF_IRDA:
1296 return SECCLASS_IRDA_SOCKET;
1297 case PF_PPPOX:
1298 return SECCLASS_PPPOX_SOCKET;
1299 case PF_LLC:
1300 return SECCLASS_LLC_SOCKET;
1301 case PF_CAN:
1302 return SECCLASS_CAN_SOCKET;
1303 case PF_TIPC:
1304 return SECCLASS_TIPC_SOCKET;
1305 case PF_BLUETOOTH:
1306 return SECCLASS_BLUETOOTH_SOCKET;
1307 case PF_IUCV:
1308 return SECCLASS_IUCV_SOCKET;
1309 case PF_RXRPC:
1310 return SECCLASS_RXRPC_SOCKET;
1311 case PF_ISDN:
1312 return SECCLASS_ISDN_SOCKET;
1313 case PF_PHONET:
1314 return SECCLASS_PHONET_SOCKET;
1315 case PF_IEEE802154:
1316 return SECCLASS_IEEE802154_SOCKET;
1317 case PF_CAIF:
1318 return SECCLASS_CAIF_SOCKET;
1319 case PF_ALG:
1320 return SECCLASS_ALG_SOCKET;
1321 case PF_NFC:
1322 return SECCLASS_NFC_SOCKET;
1323 case PF_VSOCK:
1324 return SECCLASS_VSOCK_SOCKET;
1325 case PF_KCM:
1326 return SECCLASS_KCM_SOCKET;
1327 case PF_QIPCRTR:
1328 return SECCLASS_QIPCRTR_SOCKET;
1329 case PF_SMC:
1330 return SECCLASS_SMC_SOCKET;
1331 case PF_XDP:
1332 return SECCLASS_XDP_SOCKET;
1333 #if PF_MAX > 45
1334 #error New address family defined, please update this function.
1335 #endif
1336 }
1337 }
1338
1339 return SECCLASS_SOCKET;
1340 }
1341
selinux_genfs_get_sid(struct dentry * dentry,u16 tclass,u16 flags,u32 * sid)1342 static int selinux_genfs_get_sid(struct dentry *dentry,
1343 u16 tclass,
1344 u16 flags,
1345 u32 *sid)
1346 {
1347 int rc;
1348 struct super_block *sb = dentry->d_sb;
1349 char *buffer, *path;
1350
1351 buffer = (char *)__get_free_page(GFP_KERNEL);
1352 if (!buffer)
1353 return -ENOMEM;
1354
1355 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1356 if (IS_ERR(path))
1357 rc = PTR_ERR(path);
1358 else {
1359 if (flags & SE_SBPROC) {
1360 /* each process gets a /proc/PID/ entry. Strip off the
1361 * PID part to get a valid selinux labeling.
1362 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1363 while (path[1] >= '0' && path[1] <= '9') {
1364 path[1] = '/';
1365 path++;
1366 }
1367 }
1368 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1369 path, tclass, sid);
1370 if (rc == -ENOENT) {
1371 /* No match in policy, mark as unlabeled. */
1372 *sid = SECINITSID_UNLABELED;
1373 rc = 0;
1374 }
1375 }
1376 free_page((unsigned long)buffer);
1377 return rc;
1378 }
1379
inode_doinit_use_xattr(struct inode * inode,struct dentry * dentry,u32 def_sid,u32 * sid)1380 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1381 u32 def_sid, u32 *sid)
1382 {
1383 #define INITCONTEXTLEN 255
1384 char *context;
1385 unsigned int len;
1386 int rc;
1387
1388 len = INITCONTEXTLEN;
1389 context = kmalloc(len + 1, GFP_NOFS);
1390 if (!context)
1391 return -ENOMEM;
1392
1393 context[len] = '\0';
1394 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len,
1395 XATTR_NOSECURITY);
1396 if (rc == -ERANGE) {
1397 kfree(context);
1398
1399 /* Need a larger buffer. Query for the right size. */
1400 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0,
1401 XATTR_NOSECURITY);
1402 if (rc < 0)
1403 return rc;
1404
1405 len = rc;
1406 context = kmalloc(len + 1, GFP_NOFS);
1407 if (!context)
1408 return -ENOMEM;
1409
1410 context[len] = '\0';
1411 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1412 context, len, XATTR_NOSECURITY);
1413 }
1414 if (rc < 0) {
1415 kfree(context);
1416 if (rc != -ENODATA) {
1417 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1418 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1419 return rc;
1420 }
1421 *sid = def_sid;
1422 return 0;
1423 }
1424
1425 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1426 def_sid, GFP_NOFS);
1427 if (rc) {
1428 char *dev = inode->i_sb->s_id;
1429 unsigned long ino = inode->i_ino;
1430
1431 if (rc == -EINVAL) {
1432 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1433 ino, dev, context);
1434 } else {
1435 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1436 __func__, context, -rc, dev, ino);
1437 }
1438 }
1439 kfree(context);
1440 return 0;
1441 }
1442
1443 /* The inode's security attributes must be initialized before first use. */
inode_doinit_with_dentry(struct inode * inode,struct dentry * opt_dentry)1444 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1445 {
1446 struct superblock_security_struct *sbsec = NULL;
1447 struct inode_security_struct *isec = selinux_inode(inode);
1448 u32 task_sid, sid = 0;
1449 u16 sclass;
1450 struct dentry *dentry;
1451 int rc = 0;
1452
1453 if (isec->initialized == LABEL_INITIALIZED)
1454 return 0;
1455
1456 spin_lock(&isec->lock);
1457 if (isec->initialized == LABEL_INITIALIZED)
1458 goto out_unlock;
1459
1460 if (isec->sclass == SECCLASS_FILE)
1461 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1462
1463 sbsec = inode->i_sb->s_security;
1464 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1465 /* Defer initialization until selinux_complete_init,
1466 after the initial policy is loaded and the security
1467 server is ready to handle calls. */
1468 spin_lock(&sbsec->isec_lock);
1469 if (list_empty(&isec->list))
1470 list_add(&isec->list, &sbsec->isec_head);
1471 spin_unlock(&sbsec->isec_lock);
1472 goto out_unlock;
1473 }
1474
1475 sclass = isec->sclass;
1476 task_sid = isec->task_sid;
1477 sid = isec->sid;
1478 isec->initialized = LABEL_PENDING;
1479 spin_unlock(&isec->lock);
1480
1481 switch (sbsec->behavior) {
1482 case SECURITY_FS_USE_NATIVE:
1483 break;
1484 case SECURITY_FS_USE_XATTR:
1485 if (!(inode->i_opflags & IOP_XATTR)) {
1486 sid = sbsec->def_sid;
1487 break;
1488 }
1489 /* Need a dentry, since the xattr API requires one.
1490 Life would be simpler if we could just pass the inode. */
1491 if (opt_dentry) {
1492 /* Called from d_instantiate or d_splice_alias. */
1493 dentry = dget(opt_dentry);
1494 } else {
1495 /*
1496 * Called from selinux_complete_init, try to find a dentry.
1497 * Some filesystems really want a connected one, so try
1498 * that first. We could split SECURITY_FS_USE_XATTR in
1499 * two, depending upon that...
1500 */
1501 dentry = d_find_alias(inode);
1502 if (!dentry)
1503 dentry = d_find_any_alias(inode);
1504 }
1505 if (!dentry) {
1506 /*
1507 * this is can be hit on boot when a file is accessed
1508 * before the policy is loaded. When we load policy we
1509 * may find inodes that have no dentry on the
1510 * sbsec->isec_head list. No reason to complain as these
1511 * will get fixed up the next time we go through
1512 * inode_doinit with a dentry, before these inodes could
1513 * be used again by userspace.
1514 */
1515 goto out_invalid;
1516 }
1517
1518 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1519 &sid);
1520 dput(dentry);
1521 if (rc)
1522 goto out;
1523 break;
1524 case SECURITY_FS_USE_TASK:
1525 sid = task_sid;
1526 break;
1527 case SECURITY_FS_USE_TRANS:
1528 /* Default to the fs SID. */
1529 sid = sbsec->sid;
1530
1531 /* Try to obtain a transition SID. */
1532 rc = security_transition_sid(&selinux_state, task_sid, sid,
1533 sclass, NULL, &sid);
1534 if (rc)
1535 goto out;
1536 break;
1537 case SECURITY_FS_USE_MNTPOINT:
1538 sid = sbsec->mntpoint_sid;
1539 break;
1540 default:
1541 /* Default to the fs superblock SID. */
1542 sid = sbsec->sid;
1543
1544 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1545 /* We must have a dentry to determine the label on
1546 * procfs inodes */
1547 if (opt_dentry) {
1548 /* Called from d_instantiate or
1549 * d_splice_alias. */
1550 dentry = dget(opt_dentry);
1551 } else {
1552 /* Called from selinux_complete_init, try to
1553 * find a dentry. Some filesystems really want
1554 * a connected one, so try that first.
1555 */
1556 dentry = d_find_alias(inode);
1557 if (!dentry)
1558 dentry = d_find_any_alias(inode);
1559 }
1560 /*
1561 * This can be hit on boot when a file is accessed
1562 * before the policy is loaded. When we load policy we
1563 * may find inodes that have no dentry on the
1564 * sbsec->isec_head list. No reason to complain as
1565 * these will get fixed up the next time we go through
1566 * inode_doinit() with a dentry, before these inodes
1567 * could be used again by userspace.
1568 */
1569 if (!dentry)
1570 goto out_invalid;
1571 rc = selinux_genfs_get_sid(dentry, sclass,
1572 sbsec->flags, &sid);
1573 if (rc) {
1574 dput(dentry);
1575 goto out;
1576 }
1577
1578 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1579 (inode->i_opflags & IOP_XATTR)) {
1580 rc = inode_doinit_use_xattr(inode, dentry,
1581 sid, &sid);
1582 if (rc) {
1583 dput(dentry);
1584 goto out;
1585 }
1586 }
1587 dput(dentry);
1588 }
1589 break;
1590 }
1591
1592 out:
1593 spin_lock(&isec->lock);
1594 if (isec->initialized == LABEL_PENDING) {
1595 if (rc) {
1596 isec->initialized = LABEL_INVALID;
1597 goto out_unlock;
1598 }
1599 isec->initialized = LABEL_INITIALIZED;
1600 isec->sid = sid;
1601 }
1602
1603 out_unlock:
1604 spin_unlock(&isec->lock);
1605 return rc;
1606
1607 out_invalid:
1608 spin_lock(&isec->lock);
1609 if (isec->initialized == LABEL_PENDING) {
1610 isec->initialized = LABEL_INVALID;
1611 isec->sid = sid;
1612 }
1613 spin_unlock(&isec->lock);
1614 return 0;
1615 }
1616
1617 /* Convert a Linux signal to an access vector. */
signal_to_av(int sig)1618 static inline u32 signal_to_av(int sig)
1619 {
1620 u32 perm = 0;
1621
1622 switch (sig) {
1623 case SIGCHLD:
1624 /* Commonly granted from child to parent. */
1625 perm = PROCESS__SIGCHLD;
1626 break;
1627 case SIGKILL:
1628 /* Cannot be caught or ignored */
1629 perm = PROCESS__SIGKILL;
1630 break;
1631 case SIGSTOP:
1632 /* Cannot be caught or ignored */
1633 perm = PROCESS__SIGSTOP;
1634 break;
1635 default:
1636 /* All other signals. */
1637 perm = PROCESS__SIGNAL;
1638 break;
1639 }
1640
1641 return perm;
1642 }
1643
1644 #if CAP_LAST_CAP > 63
1645 #error Fix SELinux to handle capabilities > 63.
1646 #endif
1647
1648 /* Check whether a task is allowed to use a capability. */
cred_has_capability(const struct cred * cred,int cap,unsigned int opts,bool initns)1649 static int cred_has_capability(const struct cred *cred,
1650 int cap, unsigned int opts, bool initns)
1651 {
1652 struct common_audit_data ad;
1653 struct av_decision avd;
1654 u16 sclass;
1655 u32 sid = cred_sid(cred);
1656 u32 av = CAP_TO_MASK(cap);
1657 int rc;
1658
1659 ad.type = LSM_AUDIT_DATA_CAP;
1660 ad.u.cap = cap;
1661
1662 switch (CAP_TO_INDEX(cap)) {
1663 case 0:
1664 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1665 break;
1666 case 1:
1667 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1668 break;
1669 default:
1670 pr_err("SELinux: out of range capability %d\n", cap);
1671 BUG();
1672 return -EINVAL;
1673 }
1674
1675 rc = avc_has_perm_noaudit(&selinux_state,
1676 sid, sid, sclass, av, 0, &avd);
1677 if (!(opts & CAP_OPT_NOAUDIT)) {
1678 int rc2 = avc_audit(&selinux_state,
1679 sid, sid, sclass, av, &avd, rc, &ad, 0);
1680 if (rc2)
1681 return rc2;
1682 }
1683 return rc;
1684 }
1685
1686 /* Check whether a task has a particular permission to an inode.
1687 The 'adp' parameter is optional and allows other audit
1688 data to be passed (e.g. the dentry). */
inode_has_perm(const struct cred * cred,struct inode * inode,u32 perms,struct common_audit_data * adp)1689 static int inode_has_perm(const struct cred *cred,
1690 struct inode *inode,
1691 u32 perms,
1692 struct common_audit_data *adp)
1693 {
1694 struct inode_security_struct *isec;
1695 u32 sid;
1696
1697 validate_creds(cred);
1698
1699 if (unlikely(IS_PRIVATE(inode)))
1700 return 0;
1701
1702 sid = cred_sid(cred);
1703 isec = selinux_inode(inode);
1704
1705 return avc_has_perm(&selinux_state,
1706 sid, isec->sid, isec->sclass, perms, adp);
1707 }
1708
1709 /* Same as inode_has_perm, but pass explicit audit data containing
1710 the dentry to help the auditing code to more easily generate the
1711 pathname if needed. */
dentry_has_perm(const struct cred * cred,struct dentry * dentry,u32 av)1712 static inline int dentry_has_perm(const struct cred *cred,
1713 struct dentry *dentry,
1714 u32 av)
1715 {
1716 struct inode *inode = d_backing_inode(dentry);
1717 struct common_audit_data ad;
1718
1719 ad.type = LSM_AUDIT_DATA_DENTRY;
1720 ad.u.dentry = dentry;
1721 __inode_security_revalidate(inode, dentry, true);
1722 return inode_has_perm(cred, inode, av, &ad);
1723 }
1724
1725 /* Same as inode_has_perm, but pass explicit audit data containing
1726 the path to help the auditing code to more easily generate the
1727 pathname if needed. */
path_has_perm(const struct cred * cred,const struct path * path,u32 av)1728 static inline int path_has_perm(const struct cred *cred,
1729 const struct path *path,
1730 u32 av)
1731 {
1732 struct inode *inode = d_backing_inode(path->dentry);
1733 struct common_audit_data ad;
1734
1735 ad.type = LSM_AUDIT_DATA_PATH;
1736 ad.u.path = *path;
1737 __inode_security_revalidate(inode, path->dentry, true);
1738 return inode_has_perm(cred, inode, av, &ad);
1739 }
1740
1741 /* Same as path_has_perm, but uses the inode from the file struct. */
file_path_has_perm(const struct cred * cred,struct file * file,u32 av)1742 static inline int file_path_has_perm(const struct cred *cred,
1743 struct file *file,
1744 u32 av)
1745 {
1746 struct common_audit_data ad;
1747
1748 ad.type = LSM_AUDIT_DATA_FILE;
1749 ad.u.file = file;
1750 return inode_has_perm(cred, file_inode(file), av, &ad);
1751 }
1752
1753 #ifdef CONFIG_BPF_SYSCALL
1754 static int bpf_fd_pass(struct file *file, u32 sid);
1755 #endif
1756
1757 /* Check whether a task can use an open file descriptor to
1758 access an inode in a given way. Check access to the
1759 descriptor itself, and then use dentry_has_perm to
1760 check a particular permission to the file.
1761 Access to the descriptor is implicitly granted if it
1762 has the same SID as the process. If av is zero, then
1763 access to the file is not checked, e.g. for cases
1764 where only the descriptor is affected like seek. */
file_has_perm(const struct cred * cred,struct file * file,u32 av)1765 static int file_has_perm(const struct cred *cred,
1766 struct file *file,
1767 u32 av)
1768 {
1769 struct file_security_struct *fsec = selinux_file(file);
1770 struct inode *inode = file_inode(file);
1771 struct common_audit_data ad;
1772 u32 sid = cred_sid(cred);
1773 int rc;
1774
1775 ad.type = LSM_AUDIT_DATA_FILE;
1776 ad.u.file = file;
1777
1778 if (sid != fsec->sid) {
1779 rc = avc_has_perm(&selinux_state,
1780 sid, fsec->sid,
1781 SECCLASS_FD,
1782 FD__USE,
1783 &ad);
1784 if (rc)
1785 goto out;
1786 }
1787
1788 #ifdef CONFIG_BPF_SYSCALL
1789 rc = bpf_fd_pass(file, cred_sid(cred));
1790 if (rc)
1791 return rc;
1792 #endif
1793
1794 /* av is zero if only checking access to the descriptor. */
1795 rc = 0;
1796 if (av)
1797 rc = inode_has_perm(cred, inode, av, &ad);
1798
1799 out:
1800 return rc;
1801 }
1802
1803 /*
1804 * Determine the label for an inode that might be unioned.
1805 */
1806 static int
selinux_determine_inode_label(const struct task_security_struct * tsec,struct inode * dir,const struct qstr * name,u16 tclass,u32 * _new_isid)1807 selinux_determine_inode_label(const struct task_security_struct *tsec,
1808 struct inode *dir,
1809 const struct qstr *name, u16 tclass,
1810 u32 *_new_isid)
1811 {
1812 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1813
1814 if ((sbsec->flags & SE_SBINITIALIZED) &&
1815 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1816 *_new_isid = sbsec->mntpoint_sid;
1817 } else if ((sbsec->flags & SBLABEL_MNT) &&
1818 tsec->create_sid) {
1819 *_new_isid = tsec->create_sid;
1820 } else {
1821 const struct inode_security_struct *dsec = inode_security(dir);
1822 return security_transition_sid(&selinux_state, tsec->sid,
1823 dsec->sid, tclass,
1824 name, _new_isid);
1825 }
1826
1827 return 0;
1828 }
1829
1830 /* Check whether a task can create a file. */
may_create(struct inode * dir,struct dentry * dentry,u16 tclass)1831 static int may_create(struct inode *dir,
1832 struct dentry *dentry,
1833 u16 tclass)
1834 {
1835 const struct task_security_struct *tsec = selinux_cred(current_cred());
1836 struct inode_security_struct *dsec;
1837 struct superblock_security_struct *sbsec;
1838 u32 sid, newsid;
1839 struct common_audit_data ad;
1840 int rc;
1841
1842 dsec = inode_security(dir);
1843 sbsec = dir->i_sb->s_security;
1844
1845 sid = tsec->sid;
1846
1847 ad.type = LSM_AUDIT_DATA_DENTRY;
1848 ad.u.dentry = dentry;
1849
1850 rc = avc_has_perm(&selinux_state,
1851 sid, dsec->sid, SECCLASS_DIR,
1852 DIR__ADD_NAME | DIR__SEARCH,
1853 &ad);
1854 if (rc)
1855 return rc;
1856
1857 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1858 &dentry->d_name, tclass, &newsid);
1859 if (rc)
1860 return rc;
1861
1862 rc = avc_has_perm(&selinux_state,
1863 sid, newsid, tclass, FILE__CREATE, &ad);
1864 if (rc)
1865 return rc;
1866
1867 return avc_has_perm(&selinux_state,
1868 newsid, sbsec->sid,
1869 SECCLASS_FILESYSTEM,
1870 FILESYSTEM__ASSOCIATE, &ad);
1871 }
1872
1873 #define MAY_LINK 0
1874 #define MAY_UNLINK 1
1875 #define MAY_RMDIR 2
1876
1877 /* Check whether a task can link, unlink, or rmdir a file/directory. */
may_link(struct inode * dir,struct dentry * dentry,int kind)1878 static int may_link(struct inode *dir,
1879 struct dentry *dentry,
1880 int kind)
1881
1882 {
1883 struct inode_security_struct *dsec, *isec;
1884 struct common_audit_data ad;
1885 u32 sid = current_sid();
1886 u32 av;
1887 int rc;
1888
1889 dsec = inode_security(dir);
1890 isec = backing_inode_security(dentry);
1891
1892 ad.type = LSM_AUDIT_DATA_DENTRY;
1893 ad.u.dentry = dentry;
1894
1895 av = DIR__SEARCH;
1896 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1897 rc = avc_has_perm(&selinux_state,
1898 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1899 if (rc)
1900 return rc;
1901
1902 switch (kind) {
1903 case MAY_LINK:
1904 av = FILE__LINK;
1905 break;
1906 case MAY_UNLINK:
1907 av = FILE__UNLINK;
1908 break;
1909 case MAY_RMDIR:
1910 av = DIR__RMDIR;
1911 break;
1912 default:
1913 pr_warn("SELinux: %s: unrecognized kind %d\n",
1914 __func__, kind);
1915 return 0;
1916 }
1917
1918 rc = avc_has_perm(&selinux_state,
1919 sid, isec->sid, isec->sclass, av, &ad);
1920 return rc;
1921 }
1922
may_rename(struct inode * old_dir,struct dentry * old_dentry,struct inode * new_dir,struct dentry * new_dentry)1923 static inline int may_rename(struct inode *old_dir,
1924 struct dentry *old_dentry,
1925 struct inode *new_dir,
1926 struct dentry *new_dentry)
1927 {
1928 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1929 struct common_audit_data ad;
1930 u32 sid = current_sid();
1931 u32 av;
1932 int old_is_dir, new_is_dir;
1933 int rc;
1934
1935 old_dsec = inode_security(old_dir);
1936 old_isec = backing_inode_security(old_dentry);
1937 old_is_dir = d_is_dir(old_dentry);
1938 new_dsec = inode_security(new_dir);
1939
1940 ad.type = LSM_AUDIT_DATA_DENTRY;
1941
1942 ad.u.dentry = old_dentry;
1943 rc = avc_has_perm(&selinux_state,
1944 sid, old_dsec->sid, SECCLASS_DIR,
1945 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1946 if (rc)
1947 return rc;
1948 rc = avc_has_perm(&selinux_state,
1949 sid, old_isec->sid,
1950 old_isec->sclass, FILE__RENAME, &ad);
1951 if (rc)
1952 return rc;
1953 if (old_is_dir && new_dir != old_dir) {
1954 rc = avc_has_perm(&selinux_state,
1955 sid, old_isec->sid,
1956 old_isec->sclass, DIR__REPARENT, &ad);
1957 if (rc)
1958 return rc;
1959 }
1960
1961 ad.u.dentry = new_dentry;
1962 av = DIR__ADD_NAME | DIR__SEARCH;
1963 if (d_is_positive(new_dentry))
1964 av |= DIR__REMOVE_NAME;
1965 rc = avc_has_perm(&selinux_state,
1966 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1967 if (rc)
1968 return rc;
1969 if (d_is_positive(new_dentry)) {
1970 new_isec = backing_inode_security(new_dentry);
1971 new_is_dir = d_is_dir(new_dentry);
1972 rc = avc_has_perm(&selinux_state,
1973 sid, new_isec->sid,
1974 new_isec->sclass,
1975 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1976 if (rc)
1977 return rc;
1978 }
1979
1980 return 0;
1981 }
1982
1983 /* Check whether a task can perform a filesystem operation. */
superblock_has_perm(const struct cred * cred,struct super_block * sb,u32 perms,struct common_audit_data * ad)1984 static int superblock_has_perm(const struct cred *cred,
1985 struct super_block *sb,
1986 u32 perms,
1987 struct common_audit_data *ad)
1988 {
1989 struct superblock_security_struct *sbsec;
1990 u32 sid = cred_sid(cred);
1991
1992 sbsec = sb->s_security;
1993 return avc_has_perm(&selinux_state,
1994 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1995 }
1996
1997 /* Convert a Linux mode and permission mask to an access vector. */
file_mask_to_av(int mode,int mask)1998 static inline u32 file_mask_to_av(int mode, int mask)
1999 {
2000 u32 av = 0;
2001
2002 if (!S_ISDIR(mode)) {
2003 if (mask & MAY_EXEC)
2004 av |= FILE__EXECUTE;
2005 if (mask & MAY_READ)
2006 av |= FILE__READ;
2007
2008 if (mask & MAY_APPEND)
2009 av |= FILE__APPEND;
2010 else if (mask & MAY_WRITE)
2011 av |= FILE__WRITE;
2012
2013 } else {
2014 if (mask & MAY_EXEC)
2015 av |= DIR__SEARCH;
2016 if (mask & MAY_WRITE)
2017 av |= DIR__WRITE;
2018 if (mask & MAY_READ)
2019 av |= DIR__READ;
2020 }
2021
2022 return av;
2023 }
2024
2025 /* Convert a Linux file to an access vector. */
file_to_av(struct file * file)2026 static inline u32 file_to_av(struct file *file)
2027 {
2028 u32 av = 0;
2029
2030 if (file->f_mode & FMODE_READ)
2031 av |= FILE__READ;
2032 if (file->f_mode & FMODE_WRITE) {
2033 if (file->f_flags & O_APPEND)
2034 av |= FILE__APPEND;
2035 else
2036 av |= FILE__WRITE;
2037 }
2038 if (!av) {
2039 /*
2040 * Special file opened with flags 3 for ioctl-only use.
2041 */
2042 av = FILE__IOCTL;
2043 }
2044
2045 return av;
2046 }
2047
2048 /*
2049 * Convert a file to an access vector and include the correct open
2050 * open permission.
2051 */
open_file_to_av(struct file * file)2052 static inline u32 open_file_to_av(struct file *file)
2053 {
2054 u32 av = file_to_av(file);
2055 struct inode *inode = file_inode(file);
2056
2057 if (selinux_policycap_openperm() &&
2058 inode->i_sb->s_magic != SOCKFS_MAGIC)
2059 av |= FILE__OPEN;
2060
2061 return av;
2062 }
2063
2064 /* Hook functions begin here. */
2065
selinux_binder_set_context_mgr(const struct cred * mgr)2066 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2067 {
2068 return avc_has_perm(&selinux_state,
2069 current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2070 BINDER__SET_CONTEXT_MGR, NULL);
2071 }
2072
selinux_binder_transaction(const struct cred * from,const struct cred * to)2073 static int selinux_binder_transaction(const struct cred *from,
2074 const struct cred *to)
2075 {
2076 u32 mysid = current_sid();
2077 u32 fromsid = cred_sid(from);
2078 u32 tosid = cred_sid(to);
2079 int rc;
2080
2081 if (mysid != fromsid) {
2082 rc = avc_has_perm(&selinux_state,
2083 mysid, fromsid, SECCLASS_BINDER,
2084 BINDER__IMPERSONATE, NULL);
2085 if (rc)
2086 return rc;
2087 }
2088
2089 return avc_has_perm(&selinux_state, fromsid, tosid,
2090 SECCLASS_BINDER, BINDER__CALL, NULL);
2091 }
2092
selinux_binder_transfer_binder(const struct cred * from,const struct cred * to)2093 static int selinux_binder_transfer_binder(const struct cred *from,
2094 const struct cred *to)
2095 {
2096 return avc_has_perm(&selinux_state,
2097 cred_sid(from), cred_sid(to),
2098 SECCLASS_BINDER, BINDER__TRANSFER,
2099 NULL);
2100 }
2101
selinux_binder_transfer_file(const struct cred * from,const struct cred * to,struct file * file)2102 static int selinux_binder_transfer_file(const struct cred *from,
2103 const struct cred *to,
2104 struct file *file)
2105 {
2106 u32 sid = cred_sid(to);
2107 struct file_security_struct *fsec = selinux_file(file);
2108 struct dentry *dentry = file->f_path.dentry;
2109 struct inode_security_struct *isec;
2110 struct common_audit_data ad;
2111 int rc;
2112
2113 ad.type = LSM_AUDIT_DATA_PATH;
2114 ad.u.path = file->f_path;
2115
2116 if (sid != fsec->sid) {
2117 rc = avc_has_perm(&selinux_state,
2118 sid, fsec->sid,
2119 SECCLASS_FD,
2120 FD__USE,
2121 &ad);
2122 if (rc)
2123 return rc;
2124 }
2125
2126 #ifdef CONFIG_BPF_SYSCALL
2127 rc = bpf_fd_pass(file, sid);
2128 if (rc)
2129 return rc;
2130 #endif
2131
2132 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2133 return 0;
2134
2135 isec = backing_inode_security(dentry);
2136 return avc_has_perm(&selinux_state,
2137 sid, isec->sid, isec->sclass, file_to_av(file),
2138 &ad);
2139 }
2140
selinux_ptrace_access_check(struct task_struct * child,unsigned int mode)2141 static int selinux_ptrace_access_check(struct task_struct *child,
2142 unsigned int mode)
2143 {
2144 u32 sid = current_sid();
2145 u32 csid = task_sid(child);
2146
2147 if (mode & PTRACE_MODE_READ)
2148 return avc_has_perm(&selinux_state,
2149 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2150
2151 return avc_has_perm(&selinux_state,
2152 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2153 }
2154
selinux_ptrace_traceme(struct task_struct * parent)2155 static int selinux_ptrace_traceme(struct task_struct *parent)
2156 {
2157 return avc_has_perm(&selinux_state,
2158 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2159 PROCESS__PTRACE, NULL);
2160 }
2161
selinux_capget(struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)2162 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2163 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2164 {
2165 return avc_has_perm(&selinux_state,
2166 current_sid(), task_sid(target), SECCLASS_PROCESS,
2167 PROCESS__GETCAP, NULL);
2168 }
2169
selinux_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)2170 static int selinux_capset(struct cred *new, const struct cred *old,
2171 const kernel_cap_t *effective,
2172 const kernel_cap_t *inheritable,
2173 const kernel_cap_t *permitted)
2174 {
2175 return avc_has_perm(&selinux_state,
2176 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2177 PROCESS__SETCAP, NULL);
2178 }
2179
2180 /*
2181 * (This comment used to live with the selinux_task_setuid hook,
2182 * which was removed).
2183 *
2184 * Since setuid only affects the current process, and since the SELinux
2185 * controls are not based on the Linux identity attributes, SELinux does not
2186 * need to control this operation. However, SELinux does control the use of
2187 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2188 */
2189
selinux_capable(const struct cred * cred,struct user_namespace * ns,int cap,unsigned int opts)2190 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2191 int cap, unsigned int opts)
2192 {
2193 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2194 }
2195
selinux_quotactl(int cmds,int type,int id,struct super_block * sb)2196 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2197 {
2198 const struct cred *cred = current_cred();
2199 int rc = 0;
2200
2201 if (!sb)
2202 return 0;
2203
2204 switch (cmds) {
2205 case Q_SYNC:
2206 case Q_QUOTAON:
2207 case Q_QUOTAOFF:
2208 case Q_SETINFO:
2209 case Q_SETQUOTA:
2210 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2211 break;
2212 case Q_GETFMT:
2213 case Q_GETINFO:
2214 case Q_GETQUOTA:
2215 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2216 break;
2217 default:
2218 rc = 0; /* let the kernel handle invalid cmds */
2219 break;
2220 }
2221 return rc;
2222 }
2223
selinux_quota_on(struct dentry * dentry)2224 static int selinux_quota_on(struct dentry *dentry)
2225 {
2226 const struct cred *cred = current_cred();
2227
2228 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2229 }
2230
selinux_syslog(int type)2231 static int selinux_syslog(int type)
2232 {
2233 switch (type) {
2234 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2235 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2236 return avc_has_perm(&selinux_state,
2237 current_sid(), SECINITSID_KERNEL,
2238 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2239 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2240 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2241 /* Set level of messages printed to console */
2242 case SYSLOG_ACTION_CONSOLE_LEVEL:
2243 return avc_has_perm(&selinux_state,
2244 current_sid(), SECINITSID_KERNEL,
2245 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2246 NULL);
2247 }
2248 /* All other syslog types */
2249 return avc_has_perm(&selinux_state,
2250 current_sid(), SECINITSID_KERNEL,
2251 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2252 }
2253
2254 /*
2255 * Check that a process has enough memory to allocate a new virtual
2256 * mapping. 0 means there is enough memory for the allocation to
2257 * succeed and -ENOMEM implies there is not.
2258 *
2259 * Do not audit the selinux permission check, as this is applied to all
2260 * processes that allocate mappings.
2261 */
selinux_vm_enough_memory(struct mm_struct * mm,long pages)2262 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2263 {
2264 int rc, cap_sys_admin = 0;
2265
2266 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2267 CAP_OPT_NOAUDIT, true);
2268 if (rc == 0)
2269 cap_sys_admin = 1;
2270
2271 return cap_sys_admin;
2272 }
2273
2274 /* binprm security operations */
2275
ptrace_parent_sid(void)2276 static u32 ptrace_parent_sid(void)
2277 {
2278 u32 sid = 0;
2279 struct task_struct *tracer;
2280
2281 rcu_read_lock();
2282 tracer = ptrace_parent(current);
2283 if (tracer)
2284 sid = task_sid(tracer);
2285 rcu_read_unlock();
2286
2287 return sid;
2288 }
2289
check_nnp_nosuid(const struct linux_binprm * bprm,const struct task_security_struct * old_tsec,const struct task_security_struct * new_tsec)2290 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2291 const struct task_security_struct *old_tsec,
2292 const struct task_security_struct *new_tsec)
2293 {
2294 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2295 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2296 int rc;
2297 u32 av;
2298
2299 if (!nnp && !nosuid)
2300 return 0; /* neither NNP nor nosuid */
2301
2302 if (new_tsec->sid == old_tsec->sid)
2303 return 0; /* No change in credentials */
2304
2305 /*
2306 * If the policy enables the nnp_nosuid_transition policy capability,
2307 * then we permit transitions under NNP or nosuid if the
2308 * policy allows the corresponding permission between
2309 * the old and new contexts.
2310 */
2311 if (selinux_policycap_nnp_nosuid_transition()) {
2312 av = 0;
2313 if (nnp)
2314 av |= PROCESS2__NNP_TRANSITION;
2315 if (nosuid)
2316 av |= PROCESS2__NOSUID_TRANSITION;
2317 rc = avc_has_perm(&selinux_state,
2318 old_tsec->sid, new_tsec->sid,
2319 SECCLASS_PROCESS2, av, NULL);
2320 if (!rc)
2321 return 0;
2322 }
2323
2324 /*
2325 * We also permit NNP or nosuid transitions to bounded SIDs,
2326 * i.e. SIDs that are guaranteed to only be allowed a subset
2327 * of the permissions of the current SID.
2328 */
2329 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2330 new_tsec->sid);
2331 if (!rc)
2332 return 0;
2333
2334 /*
2335 * On failure, preserve the errno values for NNP vs nosuid.
2336 * NNP: Operation not permitted for caller.
2337 * nosuid: Permission denied to file.
2338 */
2339 if (nnp)
2340 return -EPERM;
2341 return -EACCES;
2342 }
2343
selinux_bprm_set_creds(struct linux_binprm * bprm)2344 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2345 {
2346 const struct task_security_struct *old_tsec;
2347 struct task_security_struct *new_tsec;
2348 struct inode_security_struct *isec;
2349 struct common_audit_data ad;
2350 struct inode *inode = file_inode(bprm->file);
2351 int rc;
2352
2353 /* SELinux context only depends on initial program or script and not
2354 * the script interpreter */
2355 if (bprm->called_set_creds)
2356 return 0;
2357
2358 old_tsec = selinux_cred(current_cred());
2359 new_tsec = selinux_cred(bprm->cred);
2360 isec = inode_security(inode);
2361
2362 /* Default to the current task SID. */
2363 new_tsec->sid = old_tsec->sid;
2364 new_tsec->osid = old_tsec->sid;
2365
2366 /* Reset fs, key, and sock SIDs on execve. */
2367 new_tsec->create_sid = 0;
2368 new_tsec->keycreate_sid = 0;
2369 new_tsec->sockcreate_sid = 0;
2370
2371 if (old_tsec->exec_sid) {
2372 new_tsec->sid = old_tsec->exec_sid;
2373 /* Reset exec SID on execve. */
2374 new_tsec->exec_sid = 0;
2375
2376 /* Fail on NNP or nosuid if not an allowed transition. */
2377 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2378 if (rc)
2379 return rc;
2380 } else {
2381 /* Check for a default transition on this program. */
2382 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2383 isec->sid, SECCLASS_PROCESS, NULL,
2384 &new_tsec->sid);
2385 if (rc)
2386 return rc;
2387
2388 /*
2389 * Fallback to old SID on NNP or nosuid if not an allowed
2390 * transition.
2391 */
2392 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2393 if (rc)
2394 new_tsec->sid = old_tsec->sid;
2395 }
2396
2397 ad.type = LSM_AUDIT_DATA_FILE;
2398 ad.u.file = bprm->file;
2399
2400 if (new_tsec->sid == old_tsec->sid) {
2401 rc = avc_has_perm(&selinux_state,
2402 old_tsec->sid, isec->sid,
2403 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2404 if (rc)
2405 return rc;
2406 } else {
2407 /* Check permissions for the transition. */
2408 rc = avc_has_perm(&selinux_state,
2409 old_tsec->sid, new_tsec->sid,
2410 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2411 if (rc)
2412 return rc;
2413
2414 rc = avc_has_perm(&selinux_state,
2415 new_tsec->sid, isec->sid,
2416 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2417 if (rc)
2418 return rc;
2419
2420 /* Check for shared state */
2421 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2422 rc = avc_has_perm(&selinux_state,
2423 old_tsec->sid, new_tsec->sid,
2424 SECCLASS_PROCESS, PROCESS__SHARE,
2425 NULL);
2426 if (rc)
2427 return -EPERM;
2428 }
2429
2430 /* Make sure that anyone attempting to ptrace over a task that
2431 * changes its SID has the appropriate permit */
2432 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2433 u32 ptsid = ptrace_parent_sid();
2434 if (ptsid != 0) {
2435 rc = avc_has_perm(&selinux_state,
2436 ptsid, new_tsec->sid,
2437 SECCLASS_PROCESS,
2438 PROCESS__PTRACE, NULL);
2439 if (rc)
2440 return -EPERM;
2441 }
2442 }
2443
2444 /* Clear any possibly unsafe personality bits on exec: */
2445 bprm->per_clear |= PER_CLEAR_ON_SETID;
2446
2447 /* Enable secure mode for SIDs transitions unless
2448 the noatsecure permission is granted between
2449 the two SIDs, i.e. ahp returns 0. */
2450 rc = avc_has_perm(&selinux_state,
2451 old_tsec->sid, new_tsec->sid,
2452 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2453 NULL);
2454 bprm->secureexec |= !!rc;
2455 }
2456
2457 return 0;
2458 }
2459
match_file(const void * p,struct file * file,unsigned fd)2460 static int match_file(const void *p, struct file *file, unsigned fd)
2461 {
2462 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2463 }
2464
2465 /* Derived from fs/exec.c:flush_old_files. */
flush_unauthorized_files(const struct cred * cred,struct files_struct * files)2466 static inline void flush_unauthorized_files(const struct cred *cred,
2467 struct files_struct *files)
2468 {
2469 struct file *file, *devnull = NULL;
2470 struct tty_struct *tty;
2471 int drop_tty = 0;
2472 unsigned n;
2473
2474 tty = get_current_tty();
2475 if (tty) {
2476 spin_lock(&tty->files_lock);
2477 if (!list_empty(&tty->tty_files)) {
2478 struct tty_file_private *file_priv;
2479
2480 /* Revalidate access to controlling tty.
2481 Use file_path_has_perm on the tty path directly
2482 rather than using file_has_perm, as this particular
2483 open file may belong to another process and we are
2484 only interested in the inode-based check here. */
2485 file_priv = list_first_entry(&tty->tty_files,
2486 struct tty_file_private, list);
2487 file = file_priv->file;
2488 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2489 drop_tty = 1;
2490 }
2491 spin_unlock(&tty->files_lock);
2492 tty_kref_put(tty);
2493 }
2494 /* Reset controlling tty. */
2495 if (drop_tty)
2496 no_tty();
2497
2498 /* Revalidate access to inherited open files. */
2499 n = iterate_fd(files, 0, match_file, cred);
2500 if (!n) /* none found? */
2501 return;
2502
2503 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2504 if (IS_ERR(devnull))
2505 devnull = NULL;
2506 /* replace all the matching ones with this */
2507 do {
2508 replace_fd(n - 1, devnull, 0);
2509 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2510 if (devnull)
2511 fput(devnull);
2512 }
2513
2514 /*
2515 * Prepare a process for imminent new credential changes due to exec
2516 */
selinux_bprm_committing_creds(struct linux_binprm * bprm)2517 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2518 {
2519 struct task_security_struct *new_tsec;
2520 struct rlimit *rlim, *initrlim;
2521 int rc, i;
2522
2523 new_tsec = selinux_cred(bprm->cred);
2524 if (new_tsec->sid == new_tsec->osid)
2525 return;
2526
2527 /* Close files for which the new task SID is not authorized. */
2528 flush_unauthorized_files(bprm->cred, current->files);
2529
2530 /* Always clear parent death signal on SID transitions. */
2531 current->pdeath_signal = 0;
2532
2533 /* Check whether the new SID can inherit resource limits from the old
2534 * SID. If not, reset all soft limits to the lower of the current
2535 * task's hard limit and the init task's soft limit.
2536 *
2537 * Note that the setting of hard limits (even to lower them) can be
2538 * controlled by the setrlimit check. The inclusion of the init task's
2539 * soft limit into the computation is to avoid resetting soft limits
2540 * higher than the default soft limit for cases where the default is
2541 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2542 */
2543 rc = avc_has_perm(&selinux_state,
2544 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2545 PROCESS__RLIMITINH, NULL);
2546 if (rc) {
2547 /* protect against do_prlimit() */
2548 task_lock(current);
2549 for (i = 0; i < RLIM_NLIMITS; i++) {
2550 rlim = current->signal->rlim + i;
2551 initrlim = init_task.signal->rlim + i;
2552 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2553 }
2554 task_unlock(current);
2555 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2556 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2557 }
2558 }
2559
2560 /*
2561 * Clean up the process immediately after the installation of new credentials
2562 * due to exec
2563 */
selinux_bprm_committed_creds(struct linux_binprm * bprm)2564 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2565 {
2566 const struct task_security_struct *tsec = selinux_cred(current_cred());
2567 struct itimerval itimer;
2568 u32 osid, sid;
2569 int rc, i;
2570
2571 osid = tsec->osid;
2572 sid = tsec->sid;
2573
2574 if (sid == osid)
2575 return;
2576
2577 /* Check whether the new SID can inherit signal state from the old SID.
2578 * If not, clear itimers to avoid subsequent signal generation and
2579 * flush and unblock signals.
2580 *
2581 * This must occur _after_ the task SID has been updated so that any
2582 * kill done after the flush will be checked against the new SID.
2583 */
2584 rc = avc_has_perm(&selinux_state,
2585 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2586 if (rc) {
2587 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2588 memset(&itimer, 0, sizeof itimer);
2589 for (i = 0; i < 3; i++)
2590 do_setitimer(i, &itimer, NULL);
2591 }
2592 spin_lock_irq(¤t->sighand->siglock);
2593 if (!fatal_signal_pending(current)) {
2594 flush_sigqueue(¤t->pending);
2595 flush_sigqueue(¤t->signal->shared_pending);
2596 flush_signal_handlers(current, 1);
2597 sigemptyset(¤t->blocked);
2598 recalc_sigpending();
2599 }
2600 spin_unlock_irq(¤t->sighand->siglock);
2601 }
2602
2603 /* Wake up the parent if it is waiting so that it can recheck
2604 * wait permission to the new task SID. */
2605 read_lock(&tasklist_lock);
2606 __wake_up_parent(current, current->real_parent);
2607 read_unlock(&tasklist_lock);
2608 }
2609
2610 /* superblock security operations */
2611
selinux_sb_alloc_security(struct super_block * sb)2612 static int selinux_sb_alloc_security(struct super_block *sb)
2613 {
2614 return superblock_alloc_security(sb);
2615 }
2616
selinux_sb_free_security(struct super_block * sb)2617 static void selinux_sb_free_security(struct super_block *sb)
2618 {
2619 superblock_free_security(sb);
2620 }
2621
opt_len(const char * s)2622 static inline int opt_len(const char *s)
2623 {
2624 bool open_quote = false;
2625 int len;
2626 char c;
2627
2628 for (len = 0; (c = s[len]) != '\0'; len++) {
2629 if (c == '"')
2630 open_quote = !open_quote;
2631 if (c == ',' && !open_quote)
2632 break;
2633 }
2634 return len;
2635 }
2636
selinux_sb_eat_lsm_opts(char * options,void ** mnt_opts)2637 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2638 {
2639 char *from = options;
2640 char *to = options;
2641 bool first = true;
2642 int rc;
2643
2644 while (1) {
2645 int len = opt_len(from);
2646 int token;
2647 char *arg = NULL;
2648
2649 token = match_opt_prefix(from, len, &arg);
2650
2651 if (token != Opt_error) {
2652 char *p, *q;
2653
2654 /* strip quotes */
2655 if (arg) {
2656 for (p = q = arg; p < from + len; p++) {
2657 char c = *p;
2658 if (c != '"')
2659 *q++ = c;
2660 }
2661 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2662 if (!arg) {
2663 rc = -ENOMEM;
2664 goto free_opt;
2665 }
2666 }
2667 rc = selinux_add_opt(token, arg, mnt_opts);
2668 if (unlikely(rc)) {
2669 kfree(arg);
2670 goto free_opt;
2671 }
2672 } else {
2673 if (!first) { // copy with preceding comma
2674 from--;
2675 len++;
2676 }
2677 if (to != from)
2678 memmove(to, from, len);
2679 to += len;
2680 first = false;
2681 }
2682 if (!from[len])
2683 break;
2684 from += len + 1;
2685 }
2686 *to = '\0';
2687 return 0;
2688
2689 free_opt:
2690 if (*mnt_opts) {
2691 selinux_free_mnt_opts(*mnt_opts);
2692 *mnt_opts = NULL;
2693 }
2694 return rc;
2695 }
2696
selinux_sb_remount(struct super_block * sb,void * mnt_opts)2697 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2698 {
2699 struct selinux_mnt_opts *opts = mnt_opts;
2700 struct superblock_security_struct *sbsec = sb->s_security;
2701 u32 sid;
2702 int rc;
2703
2704 if (!(sbsec->flags & SE_SBINITIALIZED))
2705 return 0;
2706
2707 if (!opts)
2708 return 0;
2709
2710 if (opts->fscontext) {
2711 rc = parse_sid(sb, opts->fscontext, &sid);
2712 if (rc)
2713 return rc;
2714 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2715 goto out_bad_option;
2716 }
2717 if (opts->context) {
2718 rc = parse_sid(sb, opts->context, &sid);
2719 if (rc)
2720 return rc;
2721 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2722 goto out_bad_option;
2723 }
2724 if (opts->rootcontext) {
2725 struct inode_security_struct *root_isec;
2726 root_isec = backing_inode_security(sb->s_root);
2727 rc = parse_sid(sb, opts->rootcontext, &sid);
2728 if (rc)
2729 return rc;
2730 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2731 goto out_bad_option;
2732 }
2733 if (opts->defcontext) {
2734 rc = parse_sid(sb, opts->defcontext, &sid);
2735 if (rc)
2736 return rc;
2737 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2738 goto out_bad_option;
2739 }
2740 return 0;
2741
2742 out_bad_option:
2743 pr_warn("SELinux: unable to change security options "
2744 "during remount (dev %s, type=%s)\n", sb->s_id,
2745 sb->s_type->name);
2746 return -EINVAL;
2747 }
2748
selinux_sb_kern_mount(struct super_block * sb)2749 static int selinux_sb_kern_mount(struct super_block *sb)
2750 {
2751 const struct cred *cred = current_cred();
2752 struct common_audit_data ad;
2753
2754 ad.type = LSM_AUDIT_DATA_DENTRY;
2755 ad.u.dentry = sb->s_root;
2756 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2757 }
2758
selinux_sb_statfs(struct dentry * dentry)2759 static int selinux_sb_statfs(struct dentry *dentry)
2760 {
2761 const struct cred *cred = current_cred();
2762 struct common_audit_data ad;
2763
2764 ad.type = LSM_AUDIT_DATA_DENTRY;
2765 ad.u.dentry = dentry->d_sb->s_root;
2766 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2767 }
2768
selinux_mount(const char * dev_name,const struct path * path,const char * type,unsigned long flags,void * data)2769 static int selinux_mount(const char *dev_name,
2770 const struct path *path,
2771 const char *type,
2772 unsigned long flags,
2773 void *data)
2774 {
2775 const struct cred *cred = current_cred();
2776
2777 if (flags & MS_REMOUNT)
2778 return superblock_has_perm(cred, path->dentry->d_sb,
2779 FILESYSTEM__REMOUNT, NULL);
2780 else
2781 return path_has_perm(cred, path, FILE__MOUNTON);
2782 }
2783
selinux_move_mount(const struct path * from_path,const struct path * to_path)2784 static int selinux_move_mount(const struct path *from_path,
2785 const struct path *to_path)
2786 {
2787 const struct cred *cred = current_cred();
2788
2789 return path_has_perm(cred, to_path, FILE__MOUNTON);
2790 }
2791
selinux_umount(struct vfsmount * mnt,int flags)2792 static int selinux_umount(struct vfsmount *mnt, int flags)
2793 {
2794 const struct cred *cred = current_cred();
2795
2796 return superblock_has_perm(cred, mnt->mnt_sb,
2797 FILESYSTEM__UNMOUNT, NULL);
2798 }
2799
selinux_fs_context_dup(struct fs_context * fc,struct fs_context * src_fc)2800 static int selinux_fs_context_dup(struct fs_context *fc,
2801 struct fs_context *src_fc)
2802 {
2803 const struct selinux_mnt_opts *src = src_fc->security;
2804 struct selinux_mnt_opts *opts;
2805
2806 if (!src)
2807 return 0;
2808
2809 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2810 if (!fc->security)
2811 return -ENOMEM;
2812
2813 opts = fc->security;
2814
2815 if (src->fscontext) {
2816 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2817 if (!opts->fscontext)
2818 return -ENOMEM;
2819 }
2820 if (src->context) {
2821 opts->context = kstrdup(src->context, GFP_KERNEL);
2822 if (!opts->context)
2823 return -ENOMEM;
2824 }
2825 if (src->rootcontext) {
2826 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2827 if (!opts->rootcontext)
2828 return -ENOMEM;
2829 }
2830 if (src->defcontext) {
2831 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2832 if (!opts->defcontext)
2833 return -ENOMEM;
2834 }
2835 return 0;
2836 }
2837
2838 static const struct fs_parameter_spec selinux_param_specs[] = {
2839 fsparam_string(CONTEXT_STR, Opt_context),
2840 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2841 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2842 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2843 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2844 {}
2845 };
2846
2847 static const struct fs_parameter_description selinux_fs_parameters = {
2848 .name = "SELinux",
2849 .specs = selinux_param_specs,
2850 };
2851
selinux_fs_context_parse_param(struct fs_context * fc,struct fs_parameter * param)2852 static int selinux_fs_context_parse_param(struct fs_context *fc,
2853 struct fs_parameter *param)
2854 {
2855 struct fs_parse_result result;
2856 int opt, rc;
2857
2858 opt = fs_parse(fc, &selinux_fs_parameters, param, &result);
2859 if (opt < 0)
2860 return opt;
2861
2862 rc = selinux_add_opt(opt, param->string, &fc->security);
2863 if (!rc)
2864 param->string = NULL;
2865
2866 return rc;
2867 }
2868
2869 /* inode security operations */
2870
selinux_inode_alloc_security(struct inode * inode)2871 static int selinux_inode_alloc_security(struct inode *inode)
2872 {
2873 return inode_alloc_security(inode);
2874 }
2875
selinux_inode_free_security(struct inode * inode)2876 static void selinux_inode_free_security(struct inode *inode)
2877 {
2878 inode_free_security(inode);
2879 }
2880
selinux_dentry_init_security(struct dentry * dentry,int mode,const struct qstr * name,void ** ctx,u32 * ctxlen)2881 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2882 const struct qstr *name, void **ctx,
2883 u32 *ctxlen)
2884 {
2885 u32 newsid;
2886 int rc;
2887
2888 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2889 d_inode(dentry->d_parent), name,
2890 inode_mode_to_security_class(mode),
2891 &newsid);
2892 if (rc)
2893 return rc;
2894
2895 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2896 ctxlen);
2897 }
2898
selinux_dentry_create_files_as(struct dentry * dentry,int mode,struct qstr * name,const struct cred * old,struct cred * new)2899 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2900 struct qstr *name,
2901 const struct cred *old,
2902 struct cred *new)
2903 {
2904 u32 newsid;
2905 int rc;
2906 struct task_security_struct *tsec;
2907
2908 rc = selinux_determine_inode_label(selinux_cred(old),
2909 d_inode(dentry->d_parent), name,
2910 inode_mode_to_security_class(mode),
2911 &newsid);
2912 if (rc)
2913 return rc;
2914
2915 tsec = selinux_cred(new);
2916 tsec->create_sid = newsid;
2917 return 0;
2918 }
2919
selinux_inode_init_security(struct inode * inode,struct inode * dir,const struct qstr * qstr,const char ** name,void ** value,size_t * len)2920 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2921 const struct qstr *qstr,
2922 const char **name,
2923 void **value, size_t *len)
2924 {
2925 const struct task_security_struct *tsec = selinux_cred(current_cred());
2926 struct superblock_security_struct *sbsec;
2927 u32 newsid, clen;
2928 int rc;
2929 char *context;
2930
2931 sbsec = dir->i_sb->s_security;
2932
2933 newsid = tsec->create_sid;
2934
2935 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2936 dir, qstr,
2937 inode_mode_to_security_class(inode->i_mode),
2938 &newsid);
2939 if (rc)
2940 return rc;
2941
2942 /* Possibly defer initialization to selinux_complete_init. */
2943 if (sbsec->flags & SE_SBINITIALIZED) {
2944 struct inode_security_struct *isec = selinux_inode(inode);
2945 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2946 isec->sid = newsid;
2947 isec->initialized = LABEL_INITIALIZED;
2948 }
2949
2950 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2951 return -EOPNOTSUPP;
2952
2953 if (name)
2954 *name = XATTR_SELINUX_SUFFIX;
2955
2956 if (value && len) {
2957 rc = security_sid_to_context_force(&selinux_state, newsid,
2958 &context, &clen);
2959 if (rc)
2960 return rc;
2961 *value = context;
2962 *len = clen;
2963 }
2964
2965 return 0;
2966 }
2967
selinux_inode_create(struct inode * dir,struct dentry * dentry,umode_t mode)2968 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2969 {
2970 return may_create(dir, dentry, SECCLASS_FILE);
2971 }
2972
selinux_inode_link(struct dentry * old_dentry,struct inode * dir,struct dentry * new_dentry)2973 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2974 {
2975 return may_link(dir, old_dentry, MAY_LINK);
2976 }
2977
selinux_inode_unlink(struct inode * dir,struct dentry * dentry)2978 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2979 {
2980 return may_link(dir, dentry, MAY_UNLINK);
2981 }
2982
selinux_inode_symlink(struct inode * dir,struct dentry * dentry,const char * name)2983 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2984 {
2985 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2986 }
2987
selinux_inode_mkdir(struct inode * dir,struct dentry * dentry,umode_t mask)2988 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2989 {
2990 return may_create(dir, dentry, SECCLASS_DIR);
2991 }
2992
selinux_inode_rmdir(struct inode * dir,struct dentry * dentry)2993 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2994 {
2995 return may_link(dir, dentry, MAY_RMDIR);
2996 }
2997
selinux_inode_mknod(struct inode * dir,struct dentry * dentry,umode_t mode,dev_t dev)2998 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2999 {
3000 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3001 }
3002
selinux_inode_rename(struct inode * old_inode,struct dentry * old_dentry,struct inode * new_inode,struct dentry * new_dentry)3003 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3004 struct inode *new_inode, struct dentry *new_dentry)
3005 {
3006 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3007 }
3008
selinux_inode_readlink(struct dentry * dentry)3009 static int selinux_inode_readlink(struct dentry *dentry)
3010 {
3011 const struct cred *cred = current_cred();
3012
3013 return dentry_has_perm(cred, dentry, FILE__READ);
3014 }
3015
selinux_inode_follow_link(struct dentry * dentry,struct inode * inode,bool rcu)3016 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3017 bool rcu)
3018 {
3019 const struct cred *cred = current_cred();
3020 struct common_audit_data ad;
3021 struct inode_security_struct *isec;
3022 u32 sid;
3023
3024 validate_creds(cred);
3025
3026 ad.type = LSM_AUDIT_DATA_DENTRY;
3027 ad.u.dentry = dentry;
3028 sid = cred_sid(cred);
3029 isec = inode_security_rcu(inode, rcu);
3030 if (IS_ERR(isec))
3031 return PTR_ERR(isec);
3032
3033 return avc_has_perm_flags(&selinux_state,
3034 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3035 rcu ? MAY_NOT_BLOCK : 0);
3036 }
3037
audit_inode_permission(struct inode * inode,u32 perms,u32 audited,u32 denied,int result)3038 static noinline int audit_inode_permission(struct inode *inode,
3039 u32 perms, u32 audited, u32 denied,
3040 int result)
3041 {
3042 struct common_audit_data ad;
3043 struct inode_security_struct *isec = selinux_inode(inode);
3044 int rc;
3045
3046 ad.type = LSM_AUDIT_DATA_INODE;
3047 ad.u.inode = inode;
3048
3049 rc = slow_avc_audit(&selinux_state,
3050 current_sid(), isec->sid, isec->sclass, perms,
3051 audited, denied, result, &ad);
3052 if (rc)
3053 return rc;
3054 return 0;
3055 }
3056
selinux_inode_permission(struct inode * inode,int mask)3057 static int selinux_inode_permission(struct inode *inode, int mask)
3058 {
3059 const struct cred *cred = current_cred();
3060 u32 perms;
3061 bool from_access;
3062 unsigned flags = mask & MAY_NOT_BLOCK;
3063 struct inode_security_struct *isec;
3064 u32 sid;
3065 struct av_decision avd;
3066 int rc, rc2;
3067 u32 audited, denied;
3068
3069 from_access = mask & MAY_ACCESS;
3070 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3071
3072 /* No permission to check. Existence test. */
3073 if (!mask)
3074 return 0;
3075
3076 validate_creds(cred);
3077
3078 if (unlikely(IS_PRIVATE(inode)))
3079 return 0;
3080
3081 perms = file_mask_to_av(inode->i_mode, mask);
3082
3083 sid = cred_sid(cred);
3084 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3085 if (IS_ERR(isec))
3086 return PTR_ERR(isec);
3087
3088 rc = avc_has_perm_noaudit(&selinux_state,
3089 sid, isec->sid, isec->sclass, perms,
3090 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3091 &avd);
3092 audited = avc_audit_required(perms, &avd, rc,
3093 from_access ? FILE__AUDIT_ACCESS : 0,
3094 &denied);
3095 if (likely(!audited))
3096 return rc;
3097
3098 /* fall back to ref-walk if we have to generate audit */
3099 if (flags & MAY_NOT_BLOCK)
3100 return -ECHILD;
3101
3102 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3103 if (rc2)
3104 return rc2;
3105 return rc;
3106 }
3107
selinux_inode_setattr(struct dentry * dentry,struct iattr * iattr)3108 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3109 {
3110 const struct cred *cred = current_cred();
3111 struct inode *inode = d_backing_inode(dentry);
3112 unsigned int ia_valid = iattr->ia_valid;
3113 __u32 av = FILE__WRITE;
3114
3115 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3116 if (ia_valid & ATTR_FORCE) {
3117 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3118 ATTR_FORCE);
3119 if (!ia_valid)
3120 return 0;
3121 }
3122
3123 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3124 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3125 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3126
3127 if (selinux_policycap_openperm() &&
3128 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3129 (ia_valid & ATTR_SIZE) &&
3130 !(ia_valid & ATTR_FILE))
3131 av |= FILE__OPEN;
3132
3133 return dentry_has_perm(cred, dentry, av);
3134 }
3135
selinux_inode_getattr(const struct path * path)3136 static int selinux_inode_getattr(const struct path *path)
3137 {
3138 return path_has_perm(current_cred(), path, FILE__GETATTR);
3139 }
3140
has_cap_mac_admin(bool audit)3141 static bool has_cap_mac_admin(bool audit)
3142 {
3143 const struct cred *cred = current_cred();
3144 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3145
3146 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3147 return false;
3148 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3149 return false;
3150 return true;
3151 }
3152
selinux_inode_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3153 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3154 const void *value, size_t size, int flags)
3155 {
3156 struct inode *inode = d_backing_inode(dentry);
3157 struct inode_security_struct *isec;
3158 struct superblock_security_struct *sbsec;
3159 struct common_audit_data ad;
3160 u32 newsid, sid = current_sid();
3161 int rc = 0;
3162
3163 if (strcmp(name, XATTR_NAME_SELINUX)) {
3164 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3165 if (rc)
3166 return rc;
3167
3168 /* Not an attribute we recognize, so just check the
3169 ordinary setattr permission. */
3170 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3171 }
3172
3173 if (!selinux_state.initialized)
3174 return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3175
3176 sbsec = inode->i_sb->s_security;
3177 if (!(sbsec->flags & SBLABEL_MNT))
3178 return -EOPNOTSUPP;
3179
3180 if (!inode_owner_or_capable(inode))
3181 return -EPERM;
3182
3183 ad.type = LSM_AUDIT_DATA_DENTRY;
3184 ad.u.dentry = dentry;
3185
3186 isec = backing_inode_security(dentry);
3187 rc = avc_has_perm(&selinux_state,
3188 sid, isec->sid, isec->sclass,
3189 FILE__RELABELFROM, &ad);
3190 if (rc)
3191 return rc;
3192
3193 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3194 GFP_KERNEL);
3195 if (rc == -EINVAL) {
3196 if (!has_cap_mac_admin(true)) {
3197 struct audit_buffer *ab;
3198 size_t audit_size;
3199
3200 /* We strip a nul only if it is at the end, otherwise the
3201 * context contains a nul and we should audit that */
3202 if (value) {
3203 const char *str = value;
3204
3205 if (str[size - 1] == '\0')
3206 audit_size = size - 1;
3207 else
3208 audit_size = size;
3209 } else {
3210 audit_size = 0;
3211 }
3212 ab = audit_log_start(audit_context(),
3213 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3214 audit_log_format(ab, "op=setxattr invalid_context=");
3215 audit_log_n_untrustedstring(ab, value, audit_size);
3216 audit_log_end(ab);
3217
3218 return rc;
3219 }
3220 rc = security_context_to_sid_force(&selinux_state, value,
3221 size, &newsid);
3222 }
3223 if (rc)
3224 return rc;
3225
3226 rc = avc_has_perm(&selinux_state,
3227 sid, newsid, isec->sclass,
3228 FILE__RELABELTO, &ad);
3229 if (rc)
3230 return rc;
3231
3232 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3233 sid, isec->sclass);
3234 if (rc)
3235 return rc;
3236
3237 return avc_has_perm(&selinux_state,
3238 newsid,
3239 sbsec->sid,
3240 SECCLASS_FILESYSTEM,
3241 FILESYSTEM__ASSOCIATE,
3242 &ad);
3243 }
3244
selinux_inode_post_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3245 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3246 const void *value, size_t size,
3247 int flags)
3248 {
3249 struct inode *inode = d_backing_inode(dentry);
3250 struct inode_security_struct *isec;
3251 u32 newsid;
3252 int rc;
3253
3254 if (strcmp(name, XATTR_NAME_SELINUX)) {
3255 /* Not an attribute we recognize, so nothing to do. */
3256 return;
3257 }
3258
3259 if (!selinux_state.initialized) {
3260 /* If we haven't even been initialized, then we can't validate
3261 * against a policy, so leave the label as invalid. It may
3262 * resolve to a valid label on the next revalidation try if
3263 * we've since initialized.
3264 */
3265 return;
3266 }
3267
3268 rc = security_context_to_sid_force(&selinux_state, value, size,
3269 &newsid);
3270 if (rc) {
3271 pr_err("SELinux: unable to map context to SID"
3272 "for (%s, %lu), rc=%d\n",
3273 inode->i_sb->s_id, inode->i_ino, -rc);
3274 return;
3275 }
3276
3277 isec = backing_inode_security(dentry);
3278 spin_lock(&isec->lock);
3279 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3280 isec->sid = newsid;
3281 isec->initialized = LABEL_INITIALIZED;
3282 spin_unlock(&isec->lock);
3283
3284 return;
3285 }
3286
selinux_inode_getxattr(struct dentry * dentry,const char * name)3287 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3288 {
3289 const struct cred *cred = current_cred();
3290
3291 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3292 }
3293
selinux_inode_listxattr(struct dentry * dentry)3294 static int selinux_inode_listxattr(struct dentry *dentry)
3295 {
3296 const struct cred *cred = current_cred();
3297
3298 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3299 }
3300
selinux_inode_removexattr(struct dentry * dentry,const char * name)3301 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3302 {
3303 if (strcmp(name, XATTR_NAME_SELINUX)) {
3304 int rc = cap_inode_removexattr(dentry, name);
3305 if (rc)
3306 return rc;
3307
3308 /* Not an attribute we recognize, so just check the
3309 ordinary setattr permission. */
3310 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3311 }
3312
3313 /* No one is allowed to remove a SELinux security label.
3314 You can change the label, but all data must be labeled. */
3315 return -EACCES;
3316 }
3317
selinux_path_notify(const struct path * path,u64 mask,unsigned int obj_type)3318 static int selinux_path_notify(const struct path *path, u64 mask,
3319 unsigned int obj_type)
3320 {
3321 int ret;
3322 u32 perm;
3323
3324 struct common_audit_data ad;
3325
3326 ad.type = LSM_AUDIT_DATA_PATH;
3327 ad.u.path = *path;
3328
3329 /*
3330 * Set permission needed based on the type of mark being set.
3331 * Performs an additional check for sb watches.
3332 */
3333 switch (obj_type) {
3334 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3335 perm = FILE__WATCH_MOUNT;
3336 break;
3337 case FSNOTIFY_OBJ_TYPE_SB:
3338 perm = FILE__WATCH_SB;
3339 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3340 FILESYSTEM__WATCH, &ad);
3341 if (ret)
3342 return ret;
3343 break;
3344 case FSNOTIFY_OBJ_TYPE_INODE:
3345 perm = FILE__WATCH;
3346 break;
3347 default:
3348 return -EINVAL;
3349 }
3350
3351 /* blocking watches require the file:watch_with_perm permission */
3352 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3353 perm |= FILE__WATCH_WITH_PERM;
3354
3355 /* watches on read-like events need the file:watch_reads permission */
3356 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3357 perm |= FILE__WATCH_READS;
3358
3359 return path_has_perm(current_cred(), path, perm);
3360 }
3361
3362 /*
3363 * Copy the inode security context value to the user.
3364 *
3365 * Permission check is handled by selinux_inode_getxattr hook.
3366 */
selinux_inode_getsecurity(struct inode * inode,const char * name,void ** buffer,bool alloc)3367 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3368 {
3369 u32 size;
3370 int error;
3371 char *context = NULL;
3372 struct inode_security_struct *isec;
3373
3374 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3375 return -EOPNOTSUPP;
3376
3377 /*
3378 * If the caller has CAP_MAC_ADMIN, then get the raw context
3379 * value even if it is not defined by current policy; otherwise,
3380 * use the in-core value under current policy.
3381 * Use the non-auditing forms of the permission checks since
3382 * getxattr may be called by unprivileged processes commonly
3383 * and lack of permission just means that we fall back to the
3384 * in-core context value, not a denial.
3385 */
3386 isec = inode_security(inode);
3387 if (has_cap_mac_admin(false))
3388 error = security_sid_to_context_force(&selinux_state,
3389 isec->sid, &context,
3390 &size);
3391 else
3392 error = security_sid_to_context(&selinux_state, isec->sid,
3393 &context, &size);
3394 if (error)
3395 return error;
3396 error = size;
3397 if (alloc) {
3398 *buffer = context;
3399 goto out_nofree;
3400 }
3401 kfree(context);
3402 out_nofree:
3403 return error;
3404 }
3405
selinux_inode_setsecurity(struct inode * inode,const char * name,const void * value,size_t size,int flags)3406 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3407 const void *value, size_t size, int flags)
3408 {
3409 struct inode_security_struct *isec = inode_security_novalidate(inode);
3410 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3411 u32 newsid;
3412 int rc;
3413
3414 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3415 return -EOPNOTSUPP;
3416
3417 if (!(sbsec->flags & SBLABEL_MNT))
3418 return -EOPNOTSUPP;
3419
3420 if (!value || !size)
3421 return -EACCES;
3422
3423 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3424 GFP_KERNEL);
3425 if (rc)
3426 return rc;
3427
3428 spin_lock(&isec->lock);
3429 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3430 isec->sid = newsid;
3431 isec->initialized = LABEL_INITIALIZED;
3432 spin_unlock(&isec->lock);
3433 return 0;
3434 }
3435
selinux_inode_listsecurity(struct inode * inode,char * buffer,size_t buffer_size)3436 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3437 {
3438 const int len = sizeof(XATTR_NAME_SELINUX);
3439 if (buffer && len <= buffer_size)
3440 memcpy(buffer, XATTR_NAME_SELINUX, len);
3441 return len;
3442 }
3443
selinux_inode_getsecid(struct inode * inode,u32 * secid)3444 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3445 {
3446 struct inode_security_struct *isec = inode_security_novalidate(inode);
3447 *secid = isec->sid;
3448 }
3449
selinux_inode_copy_up(struct dentry * src,struct cred ** new)3450 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3451 {
3452 u32 sid;
3453 struct task_security_struct *tsec;
3454 struct cred *new_creds = *new;
3455
3456 if (new_creds == NULL) {
3457 new_creds = prepare_creds();
3458 if (!new_creds)
3459 return -ENOMEM;
3460 }
3461
3462 tsec = selinux_cred(new_creds);
3463 /* Get label from overlay inode and set it in create_sid */
3464 selinux_inode_getsecid(d_inode(src), &sid);
3465 tsec->create_sid = sid;
3466 *new = new_creds;
3467 return 0;
3468 }
3469
selinux_inode_copy_up_xattr(const char * name)3470 static int selinux_inode_copy_up_xattr(const char *name)
3471 {
3472 /* The copy_up hook above sets the initial context on an inode, but we
3473 * don't then want to overwrite it by blindly copying all the lower
3474 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3475 */
3476 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3477 return 1; /* Discard */
3478 /*
3479 * Any other attribute apart from SELINUX is not claimed, supported
3480 * by selinux.
3481 */
3482 return -EOPNOTSUPP;
3483 }
3484
3485 /* kernfs node operations */
3486
selinux_kernfs_init_security(struct kernfs_node * kn_dir,struct kernfs_node * kn)3487 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3488 struct kernfs_node *kn)
3489 {
3490 const struct task_security_struct *tsec = selinux_cred(current_cred());
3491 u32 parent_sid, newsid, clen;
3492 int rc;
3493 char *context;
3494
3495 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3496 if (rc == -ENODATA)
3497 return 0;
3498 else if (rc < 0)
3499 return rc;
3500
3501 clen = (u32)rc;
3502 context = kmalloc(clen, GFP_KERNEL);
3503 if (!context)
3504 return -ENOMEM;
3505
3506 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3507 if (rc < 0) {
3508 kfree(context);
3509 return rc;
3510 }
3511
3512 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3513 GFP_KERNEL);
3514 kfree(context);
3515 if (rc)
3516 return rc;
3517
3518 if (tsec->create_sid) {
3519 newsid = tsec->create_sid;
3520 } else {
3521 u16 secclass = inode_mode_to_security_class(kn->mode);
3522 struct qstr q;
3523
3524 q.name = kn->name;
3525 q.hash_len = hashlen_string(kn_dir, kn->name);
3526
3527 rc = security_transition_sid(&selinux_state, tsec->sid,
3528 parent_sid, secclass, &q,
3529 &newsid);
3530 if (rc)
3531 return rc;
3532 }
3533
3534 rc = security_sid_to_context_force(&selinux_state, newsid,
3535 &context, &clen);
3536 if (rc)
3537 return rc;
3538
3539 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3540 XATTR_CREATE);
3541 kfree(context);
3542 return rc;
3543 }
3544
3545
3546 /* file security operations */
3547
selinux_revalidate_file_permission(struct file * file,int mask)3548 static int selinux_revalidate_file_permission(struct file *file, int mask)
3549 {
3550 const struct cred *cred = current_cred();
3551 struct inode *inode = file_inode(file);
3552
3553 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3554 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3555 mask |= MAY_APPEND;
3556
3557 return file_has_perm(cred, file,
3558 file_mask_to_av(inode->i_mode, mask));
3559 }
3560
selinux_file_permission(struct file * file,int mask)3561 static int selinux_file_permission(struct file *file, int mask)
3562 {
3563 struct inode *inode = file_inode(file);
3564 struct file_security_struct *fsec = selinux_file(file);
3565 struct inode_security_struct *isec;
3566 u32 sid = current_sid();
3567
3568 if (!mask)
3569 /* No permission to check. Existence test. */
3570 return 0;
3571
3572 isec = inode_security(inode);
3573 if (sid == fsec->sid && fsec->isid == isec->sid &&
3574 fsec->pseqno == avc_policy_seqno(&selinux_state))
3575 /* No change since file_open check. */
3576 return 0;
3577
3578 return selinux_revalidate_file_permission(file, mask);
3579 }
3580
selinux_file_alloc_security(struct file * file)3581 static int selinux_file_alloc_security(struct file *file)
3582 {
3583 return file_alloc_security(file);
3584 }
3585
3586 /*
3587 * Check whether a task has the ioctl permission and cmd
3588 * operation to an inode.
3589 */
ioctl_has_perm(const struct cred * cred,struct file * file,u32 requested,u16 cmd)3590 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3591 u32 requested, u16 cmd)
3592 {
3593 struct common_audit_data ad;
3594 struct file_security_struct *fsec = selinux_file(file);
3595 struct inode *inode = file_inode(file);
3596 struct inode_security_struct *isec;
3597 struct lsm_ioctlop_audit ioctl;
3598 u32 ssid = cred_sid(cred);
3599 int rc;
3600 u8 driver = cmd >> 8;
3601 u8 xperm = cmd & 0xff;
3602
3603 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3604 ad.u.op = &ioctl;
3605 ad.u.op->cmd = cmd;
3606 ad.u.op->path = file->f_path;
3607
3608 if (ssid != fsec->sid) {
3609 rc = avc_has_perm(&selinux_state,
3610 ssid, fsec->sid,
3611 SECCLASS_FD,
3612 FD__USE,
3613 &ad);
3614 if (rc)
3615 goto out;
3616 }
3617
3618 if (unlikely(IS_PRIVATE(inode)))
3619 return 0;
3620
3621 isec = inode_security(inode);
3622 rc = avc_has_extended_perms(&selinux_state,
3623 ssid, isec->sid, isec->sclass,
3624 requested, driver, xperm, &ad);
3625 out:
3626 return rc;
3627 }
3628
selinux_file_ioctl(struct file * file,unsigned int cmd,unsigned long arg)3629 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3630 unsigned long arg)
3631 {
3632 const struct cred *cred = current_cred();
3633 int error = 0;
3634
3635 switch (cmd) {
3636 case FIONREAD:
3637 /* fall through */
3638 case FIBMAP:
3639 /* fall through */
3640 case FIGETBSZ:
3641 /* fall through */
3642 case FS_IOC_GETFLAGS:
3643 /* fall through */
3644 case FS_IOC_GETVERSION:
3645 error = file_has_perm(cred, file, FILE__GETATTR);
3646 break;
3647
3648 case FS_IOC_SETFLAGS:
3649 /* fall through */
3650 case FS_IOC_SETVERSION:
3651 error = file_has_perm(cred, file, FILE__SETATTR);
3652 break;
3653
3654 /* sys_ioctl() checks */
3655 case FIONBIO:
3656 /* fall through */
3657 case FIOASYNC:
3658 error = file_has_perm(cred, file, 0);
3659 break;
3660
3661 case KDSKBENT:
3662 case KDSKBSENT:
3663 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3664 CAP_OPT_NONE, true);
3665 break;
3666
3667 /* default case assumes that the command will go
3668 * to the file's ioctl() function.
3669 */
3670 default:
3671 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3672 }
3673 return error;
3674 }
3675
selinux_file_ioctl_compat(struct file * file,unsigned int cmd,unsigned long arg)3676 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3677 unsigned long arg)
3678 {
3679 /*
3680 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3681 * make sure we don't compare 32-bit flags to 64-bit flags.
3682 */
3683 switch (cmd) {
3684 case FS_IOC32_GETFLAGS:
3685 cmd = FS_IOC_GETFLAGS;
3686 break;
3687 case FS_IOC32_SETFLAGS:
3688 cmd = FS_IOC_SETFLAGS;
3689 break;
3690 case FS_IOC32_GETVERSION:
3691 cmd = FS_IOC_GETVERSION;
3692 break;
3693 case FS_IOC32_SETVERSION:
3694 cmd = FS_IOC_SETVERSION;
3695 break;
3696 default:
3697 break;
3698 }
3699
3700 return selinux_file_ioctl(file, cmd, arg);
3701 }
3702
3703 static int default_noexec;
3704
file_map_prot_check(struct file * file,unsigned long prot,int shared)3705 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3706 {
3707 const struct cred *cred = current_cred();
3708 u32 sid = cred_sid(cred);
3709 int rc = 0;
3710
3711 if (default_noexec &&
3712 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3713 (!shared && (prot & PROT_WRITE)))) {
3714 /*
3715 * We are making executable an anonymous mapping or a
3716 * private file mapping that will also be writable.
3717 * This has an additional check.
3718 */
3719 rc = avc_has_perm(&selinux_state,
3720 sid, sid, SECCLASS_PROCESS,
3721 PROCESS__EXECMEM, NULL);
3722 if (rc)
3723 goto error;
3724 }
3725
3726 if (file) {
3727 /* read access is always possible with a mapping */
3728 u32 av = FILE__READ;
3729
3730 /* write access only matters if the mapping is shared */
3731 if (shared && (prot & PROT_WRITE))
3732 av |= FILE__WRITE;
3733
3734 if (prot & PROT_EXEC)
3735 av |= FILE__EXECUTE;
3736
3737 return file_has_perm(cred, file, av);
3738 }
3739
3740 error:
3741 return rc;
3742 }
3743
selinux_mmap_addr(unsigned long addr)3744 static int selinux_mmap_addr(unsigned long addr)
3745 {
3746 int rc = 0;
3747
3748 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3749 u32 sid = current_sid();
3750 rc = avc_has_perm(&selinux_state,
3751 sid, sid, SECCLASS_MEMPROTECT,
3752 MEMPROTECT__MMAP_ZERO, NULL);
3753 }
3754
3755 return rc;
3756 }
3757
selinux_mmap_file(struct file * file,unsigned long reqprot,unsigned long prot,unsigned long flags)3758 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3759 unsigned long prot, unsigned long flags)
3760 {
3761 struct common_audit_data ad;
3762 int rc;
3763
3764 if (file) {
3765 ad.type = LSM_AUDIT_DATA_FILE;
3766 ad.u.file = file;
3767 rc = inode_has_perm(current_cred(), file_inode(file),
3768 FILE__MAP, &ad);
3769 if (rc)
3770 return rc;
3771 }
3772
3773 if (selinux_state.checkreqprot)
3774 prot = reqprot;
3775
3776 return file_map_prot_check(file, prot,
3777 (flags & MAP_TYPE) == MAP_SHARED);
3778 }
3779
selinux_file_mprotect(struct vm_area_struct * vma,unsigned long reqprot,unsigned long prot)3780 static int selinux_file_mprotect(struct vm_area_struct *vma,
3781 unsigned long reqprot,
3782 unsigned long prot)
3783 {
3784 const struct cred *cred = current_cred();
3785 u32 sid = cred_sid(cred);
3786
3787 if (selinux_state.checkreqprot)
3788 prot = reqprot;
3789
3790 if (default_noexec &&
3791 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3792 int rc = 0;
3793 if (vma->vm_start >= vma->vm_mm->start_brk &&
3794 vma->vm_end <= vma->vm_mm->brk) {
3795 rc = avc_has_perm(&selinux_state,
3796 sid, sid, SECCLASS_PROCESS,
3797 PROCESS__EXECHEAP, NULL);
3798 } else if (!vma->vm_file &&
3799 ((vma->vm_start <= vma->vm_mm->start_stack &&
3800 vma->vm_end >= vma->vm_mm->start_stack) ||
3801 vma_is_stack_for_current(vma))) {
3802 rc = avc_has_perm(&selinux_state,
3803 sid, sid, SECCLASS_PROCESS,
3804 PROCESS__EXECSTACK, NULL);
3805 } else if (vma->vm_file && vma->anon_vma) {
3806 /*
3807 * We are making executable a file mapping that has
3808 * had some COW done. Since pages might have been
3809 * written, check ability to execute the possibly
3810 * modified content. This typically should only
3811 * occur for text relocations.
3812 */
3813 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3814 }
3815 if (rc)
3816 return rc;
3817 }
3818
3819 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3820 }
3821
selinux_file_lock(struct file * file,unsigned int cmd)3822 static int selinux_file_lock(struct file *file, unsigned int cmd)
3823 {
3824 const struct cred *cred = current_cred();
3825
3826 return file_has_perm(cred, file, FILE__LOCK);
3827 }
3828
selinux_file_fcntl(struct file * file,unsigned int cmd,unsigned long arg)3829 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3830 unsigned long arg)
3831 {
3832 const struct cred *cred = current_cred();
3833 int err = 0;
3834
3835 switch (cmd) {
3836 case F_SETFL:
3837 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3838 err = file_has_perm(cred, file, FILE__WRITE);
3839 break;
3840 }
3841 /* fall through */
3842 case F_SETOWN:
3843 case F_SETSIG:
3844 case F_GETFL:
3845 case F_GETOWN:
3846 case F_GETSIG:
3847 case F_GETOWNER_UIDS:
3848 /* Just check FD__USE permission */
3849 err = file_has_perm(cred, file, 0);
3850 break;
3851 case F_GETLK:
3852 case F_SETLK:
3853 case F_SETLKW:
3854 case F_OFD_GETLK:
3855 case F_OFD_SETLK:
3856 case F_OFD_SETLKW:
3857 #if BITS_PER_LONG == 32
3858 case F_GETLK64:
3859 case F_SETLK64:
3860 case F_SETLKW64:
3861 #endif
3862 err = file_has_perm(cred, file, FILE__LOCK);
3863 break;
3864 }
3865
3866 return err;
3867 }
3868
selinux_file_set_fowner(struct file * file)3869 static void selinux_file_set_fowner(struct file *file)
3870 {
3871 struct file_security_struct *fsec;
3872
3873 fsec = selinux_file(file);
3874 fsec->fown_sid = current_sid();
3875 }
3876
selinux_file_send_sigiotask(struct task_struct * tsk,struct fown_struct * fown,int signum)3877 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3878 struct fown_struct *fown, int signum)
3879 {
3880 struct file *file;
3881 u32 sid = task_sid(tsk);
3882 u32 perm;
3883 struct file_security_struct *fsec;
3884
3885 /* struct fown_struct is never outside the context of a struct file */
3886 file = container_of(fown, struct file, f_owner);
3887
3888 fsec = selinux_file(file);
3889
3890 if (!signum)
3891 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3892 else
3893 perm = signal_to_av(signum);
3894
3895 return avc_has_perm(&selinux_state,
3896 fsec->fown_sid, sid,
3897 SECCLASS_PROCESS, perm, NULL);
3898 }
3899
selinux_file_receive(struct file * file)3900 static int selinux_file_receive(struct file *file)
3901 {
3902 const struct cred *cred = current_cred();
3903
3904 return file_has_perm(cred, file, file_to_av(file));
3905 }
3906
selinux_file_open(struct file * file)3907 static int selinux_file_open(struct file *file)
3908 {
3909 struct file_security_struct *fsec;
3910 struct inode_security_struct *isec;
3911
3912 fsec = selinux_file(file);
3913 isec = inode_security(file_inode(file));
3914 /*
3915 * Save inode label and policy sequence number
3916 * at open-time so that selinux_file_permission
3917 * can determine whether revalidation is necessary.
3918 * Task label is already saved in the file security
3919 * struct as its SID.
3920 */
3921 fsec->isid = isec->sid;
3922 fsec->pseqno = avc_policy_seqno(&selinux_state);
3923 /*
3924 * Since the inode label or policy seqno may have changed
3925 * between the selinux_inode_permission check and the saving
3926 * of state above, recheck that access is still permitted.
3927 * Otherwise, access might never be revalidated against the
3928 * new inode label or new policy.
3929 * This check is not redundant - do not remove.
3930 */
3931 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3932 }
3933
3934 /* task security operations */
3935
selinux_task_alloc(struct task_struct * task,unsigned long clone_flags)3936 static int selinux_task_alloc(struct task_struct *task,
3937 unsigned long clone_flags)
3938 {
3939 u32 sid = current_sid();
3940
3941 return avc_has_perm(&selinux_state,
3942 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3943 }
3944
3945 /*
3946 * prepare a new set of credentials for modification
3947 */
selinux_cred_prepare(struct cred * new,const struct cred * old,gfp_t gfp)3948 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3949 gfp_t gfp)
3950 {
3951 const struct task_security_struct *old_tsec = selinux_cred(old);
3952 struct task_security_struct *tsec = selinux_cred(new);
3953
3954 *tsec = *old_tsec;
3955 return 0;
3956 }
3957
3958 /*
3959 * transfer the SELinux data to a blank set of creds
3960 */
selinux_cred_transfer(struct cred * new,const struct cred * old)3961 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3962 {
3963 const struct task_security_struct *old_tsec = selinux_cred(old);
3964 struct task_security_struct *tsec = selinux_cred(new);
3965
3966 *tsec = *old_tsec;
3967 }
3968
selinux_cred_getsecid(const struct cred * c,u32 * secid)3969 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3970 {
3971 *secid = cred_sid(c);
3972 }
3973
3974 /*
3975 * set the security data for a kernel service
3976 * - all the creation contexts are set to unlabelled
3977 */
selinux_kernel_act_as(struct cred * new,u32 secid)3978 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3979 {
3980 struct task_security_struct *tsec = selinux_cred(new);
3981 u32 sid = current_sid();
3982 int ret;
3983
3984 ret = avc_has_perm(&selinux_state,
3985 sid, secid,
3986 SECCLASS_KERNEL_SERVICE,
3987 KERNEL_SERVICE__USE_AS_OVERRIDE,
3988 NULL);
3989 if (ret == 0) {
3990 tsec->sid = secid;
3991 tsec->create_sid = 0;
3992 tsec->keycreate_sid = 0;
3993 tsec->sockcreate_sid = 0;
3994 }
3995 return ret;
3996 }
3997
3998 /*
3999 * set the file creation context in a security record to the same as the
4000 * objective context of the specified inode
4001 */
selinux_kernel_create_files_as(struct cred * new,struct inode * inode)4002 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4003 {
4004 struct inode_security_struct *isec = inode_security(inode);
4005 struct task_security_struct *tsec = selinux_cred(new);
4006 u32 sid = current_sid();
4007 int ret;
4008
4009 ret = avc_has_perm(&selinux_state,
4010 sid, isec->sid,
4011 SECCLASS_KERNEL_SERVICE,
4012 KERNEL_SERVICE__CREATE_FILES_AS,
4013 NULL);
4014
4015 if (ret == 0)
4016 tsec->create_sid = isec->sid;
4017 return ret;
4018 }
4019
selinux_kernel_module_request(char * kmod_name)4020 static int selinux_kernel_module_request(char *kmod_name)
4021 {
4022 struct common_audit_data ad;
4023
4024 ad.type = LSM_AUDIT_DATA_KMOD;
4025 ad.u.kmod_name = kmod_name;
4026
4027 return avc_has_perm(&selinux_state,
4028 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4029 SYSTEM__MODULE_REQUEST, &ad);
4030 }
4031
selinux_kernel_module_from_file(struct file * file)4032 static int selinux_kernel_module_from_file(struct file *file)
4033 {
4034 struct common_audit_data ad;
4035 struct inode_security_struct *isec;
4036 struct file_security_struct *fsec;
4037 u32 sid = current_sid();
4038 int rc;
4039
4040 /* init_module */
4041 if (file == NULL)
4042 return avc_has_perm(&selinux_state,
4043 sid, sid, SECCLASS_SYSTEM,
4044 SYSTEM__MODULE_LOAD, NULL);
4045
4046 /* finit_module */
4047
4048 ad.type = LSM_AUDIT_DATA_FILE;
4049 ad.u.file = file;
4050
4051 fsec = selinux_file(file);
4052 if (sid != fsec->sid) {
4053 rc = avc_has_perm(&selinux_state,
4054 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4055 if (rc)
4056 return rc;
4057 }
4058
4059 isec = inode_security(file_inode(file));
4060 return avc_has_perm(&selinux_state,
4061 sid, isec->sid, SECCLASS_SYSTEM,
4062 SYSTEM__MODULE_LOAD, &ad);
4063 }
4064
selinux_kernel_read_file(struct file * file,enum kernel_read_file_id id)4065 static int selinux_kernel_read_file(struct file *file,
4066 enum kernel_read_file_id id)
4067 {
4068 int rc = 0;
4069
4070 switch (id) {
4071 case READING_MODULE:
4072 rc = selinux_kernel_module_from_file(file);
4073 break;
4074 default:
4075 break;
4076 }
4077
4078 return rc;
4079 }
4080
selinux_kernel_load_data(enum kernel_load_data_id id)4081 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4082 {
4083 int rc = 0;
4084
4085 switch (id) {
4086 case LOADING_MODULE:
4087 rc = selinux_kernel_module_from_file(NULL);
4088 default:
4089 break;
4090 }
4091
4092 return rc;
4093 }
4094
selinux_task_setpgid(struct task_struct * p,pid_t pgid)4095 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4096 {
4097 return avc_has_perm(&selinux_state,
4098 current_sid(), task_sid(p), SECCLASS_PROCESS,
4099 PROCESS__SETPGID, NULL);
4100 }
4101
selinux_task_getpgid(struct task_struct * p)4102 static int selinux_task_getpgid(struct task_struct *p)
4103 {
4104 return avc_has_perm(&selinux_state,
4105 current_sid(), task_sid(p), SECCLASS_PROCESS,
4106 PROCESS__GETPGID, NULL);
4107 }
4108
selinux_task_getsid(struct task_struct * p)4109 static int selinux_task_getsid(struct task_struct *p)
4110 {
4111 return avc_has_perm(&selinux_state,
4112 current_sid(), task_sid(p), SECCLASS_PROCESS,
4113 PROCESS__GETSESSION, NULL);
4114 }
4115
selinux_task_getsecid(struct task_struct * p,u32 * secid)4116 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4117 {
4118 *secid = task_sid(p);
4119 }
4120
selinux_task_setnice(struct task_struct * p,int nice)4121 static int selinux_task_setnice(struct task_struct *p, int nice)
4122 {
4123 return avc_has_perm(&selinux_state,
4124 current_sid(), task_sid(p), SECCLASS_PROCESS,
4125 PROCESS__SETSCHED, NULL);
4126 }
4127
selinux_task_setioprio(struct task_struct * p,int ioprio)4128 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4129 {
4130 return avc_has_perm(&selinux_state,
4131 current_sid(), task_sid(p), SECCLASS_PROCESS,
4132 PROCESS__SETSCHED, NULL);
4133 }
4134
selinux_task_getioprio(struct task_struct * p)4135 static int selinux_task_getioprio(struct task_struct *p)
4136 {
4137 return avc_has_perm(&selinux_state,
4138 current_sid(), task_sid(p), SECCLASS_PROCESS,
4139 PROCESS__GETSCHED, NULL);
4140 }
4141
selinux_task_prlimit(const struct cred * cred,const struct cred * tcred,unsigned int flags)4142 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4143 unsigned int flags)
4144 {
4145 u32 av = 0;
4146
4147 if (!flags)
4148 return 0;
4149 if (flags & LSM_PRLIMIT_WRITE)
4150 av |= PROCESS__SETRLIMIT;
4151 if (flags & LSM_PRLIMIT_READ)
4152 av |= PROCESS__GETRLIMIT;
4153 return avc_has_perm(&selinux_state,
4154 cred_sid(cred), cred_sid(tcred),
4155 SECCLASS_PROCESS, av, NULL);
4156 }
4157
selinux_task_setrlimit(struct task_struct * p,unsigned int resource,struct rlimit * new_rlim)4158 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4159 struct rlimit *new_rlim)
4160 {
4161 struct rlimit *old_rlim = p->signal->rlim + resource;
4162
4163 /* Control the ability to change the hard limit (whether
4164 lowering or raising it), so that the hard limit can
4165 later be used as a safe reset point for the soft limit
4166 upon context transitions. See selinux_bprm_committing_creds. */
4167 if (old_rlim->rlim_max != new_rlim->rlim_max)
4168 return avc_has_perm(&selinux_state,
4169 current_sid(), task_sid(p),
4170 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4171
4172 return 0;
4173 }
4174
selinux_task_setscheduler(struct task_struct * p)4175 static int selinux_task_setscheduler(struct task_struct *p)
4176 {
4177 return avc_has_perm(&selinux_state,
4178 current_sid(), task_sid(p), SECCLASS_PROCESS,
4179 PROCESS__SETSCHED, NULL);
4180 }
4181
selinux_task_getscheduler(struct task_struct * p)4182 static int selinux_task_getscheduler(struct task_struct *p)
4183 {
4184 return avc_has_perm(&selinux_state,
4185 current_sid(), task_sid(p), SECCLASS_PROCESS,
4186 PROCESS__GETSCHED, NULL);
4187 }
4188
selinux_task_movememory(struct task_struct * p)4189 static int selinux_task_movememory(struct task_struct *p)
4190 {
4191 return avc_has_perm(&selinux_state,
4192 current_sid(), task_sid(p), SECCLASS_PROCESS,
4193 PROCESS__SETSCHED, NULL);
4194 }
4195
selinux_task_kill(struct task_struct * p,struct kernel_siginfo * info,int sig,const struct cred * cred)4196 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4197 int sig, const struct cred *cred)
4198 {
4199 u32 secid;
4200 u32 perm;
4201
4202 if (!sig)
4203 perm = PROCESS__SIGNULL; /* null signal; existence test */
4204 else
4205 perm = signal_to_av(sig);
4206 if (!cred)
4207 secid = current_sid();
4208 else
4209 secid = cred_sid(cred);
4210 return avc_has_perm(&selinux_state,
4211 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4212 }
4213
selinux_task_to_inode(struct task_struct * p,struct inode * inode)4214 static void selinux_task_to_inode(struct task_struct *p,
4215 struct inode *inode)
4216 {
4217 struct inode_security_struct *isec = selinux_inode(inode);
4218 u32 sid = task_sid(p);
4219
4220 spin_lock(&isec->lock);
4221 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4222 isec->sid = sid;
4223 isec->initialized = LABEL_INITIALIZED;
4224 spin_unlock(&isec->lock);
4225 }
4226
4227 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv4(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4228 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4229 struct common_audit_data *ad, u8 *proto)
4230 {
4231 int offset, ihlen, ret = -EINVAL;
4232 struct iphdr _iph, *ih;
4233
4234 offset = skb_network_offset(skb);
4235 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4236 if (ih == NULL)
4237 goto out;
4238
4239 ihlen = ih->ihl * 4;
4240 if (ihlen < sizeof(_iph))
4241 goto out;
4242
4243 ad->u.net->v4info.saddr = ih->saddr;
4244 ad->u.net->v4info.daddr = ih->daddr;
4245 ret = 0;
4246
4247 if (proto)
4248 *proto = ih->protocol;
4249
4250 switch (ih->protocol) {
4251 case IPPROTO_TCP: {
4252 struct tcphdr _tcph, *th;
4253
4254 if (ntohs(ih->frag_off) & IP_OFFSET)
4255 break;
4256
4257 offset += ihlen;
4258 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4259 if (th == NULL)
4260 break;
4261
4262 ad->u.net->sport = th->source;
4263 ad->u.net->dport = th->dest;
4264 break;
4265 }
4266
4267 case IPPROTO_UDP: {
4268 struct udphdr _udph, *uh;
4269
4270 if (ntohs(ih->frag_off) & IP_OFFSET)
4271 break;
4272
4273 offset += ihlen;
4274 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4275 if (uh == NULL)
4276 break;
4277
4278 ad->u.net->sport = uh->source;
4279 ad->u.net->dport = uh->dest;
4280 break;
4281 }
4282
4283 case IPPROTO_DCCP: {
4284 struct dccp_hdr _dccph, *dh;
4285
4286 if (ntohs(ih->frag_off) & IP_OFFSET)
4287 break;
4288
4289 offset += ihlen;
4290 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4291 if (dh == NULL)
4292 break;
4293
4294 ad->u.net->sport = dh->dccph_sport;
4295 ad->u.net->dport = dh->dccph_dport;
4296 break;
4297 }
4298
4299 #if IS_ENABLED(CONFIG_IP_SCTP)
4300 case IPPROTO_SCTP: {
4301 struct sctphdr _sctph, *sh;
4302
4303 if (ntohs(ih->frag_off) & IP_OFFSET)
4304 break;
4305
4306 offset += ihlen;
4307 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4308 if (sh == NULL)
4309 break;
4310
4311 ad->u.net->sport = sh->source;
4312 ad->u.net->dport = sh->dest;
4313 break;
4314 }
4315 #endif
4316 default:
4317 break;
4318 }
4319 out:
4320 return ret;
4321 }
4322
4323 #if IS_ENABLED(CONFIG_IPV6)
4324
4325 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv6(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4326 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4327 struct common_audit_data *ad, u8 *proto)
4328 {
4329 u8 nexthdr;
4330 int ret = -EINVAL, offset;
4331 struct ipv6hdr _ipv6h, *ip6;
4332 __be16 frag_off;
4333
4334 offset = skb_network_offset(skb);
4335 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4336 if (ip6 == NULL)
4337 goto out;
4338
4339 ad->u.net->v6info.saddr = ip6->saddr;
4340 ad->u.net->v6info.daddr = ip6->daddr;
4341 ret = 0;
4342
4343 nexthdr = ip6->nexthdr;
4344 offset += sizeof(_ipv6h);
4345 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4346 if (offset < 0)
4347 goto out;
4348
4349 if (proto)
4350 *proto = nexthdr;
4351
4352 switch (nexthdr) {
4353 case IPPROTO_TCP: {
4354 struct tcphdr _tcph, *th;
4355
4356 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4357 if (th == NULL)
4358 break;
4359
4360 ad->u.net->sport = th->source;
4361 ad->u.net->dport = th->dest;
4362 break;
4363 }
4364
4365 case IPPROTO_UDP: {
4366 struct udphdr _udph, *uh;
4367
4368 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4369 if (uh == NULL)
4370 break;
4371
4372 ad->u.net->sport = uh->source;
4373 ad->u.net->dport = uh->dest;
4374 break;
4375 }
4376
4377 case IPPROTO_DCCP: {
4378 struct dccp_hdr _dccph, *dh;
4379
4380 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4381 if (dh == NULL)
4382 break;
4383
4384 ad->u.net->sport = dh->dccph_sport;
4385 ad->u.net->dport = dh->dccph_dport;
4386 break;
4387 }
4388
4389 #if IS_ENABLED(CONFIG_IP_SCTP)
4390 case IPPROTO_SCTP: {
4391 struct sctphdr _sctph, *sh;
4392
4393 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4394 if (sh == NULL)
4395 break;
4396
4397 ad->u.net->sport = sh->source;
4398 ad->u.net->dport = sh->dest;
4399 break;
4400 }
4401 #endif
4402 /* includes fragments */
4403 default:
4404 break;
4405 }
4406 out:
4407 return ret;
4408 }
4409
4410 #endif /* IPV6 */
4411
selinux_parse_skb(struct sk_buff * skb,struct common_audit_data * ad,char ** _addrp,int src,u8 * proto)4412 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4413 char **_addrp, int src, u8 *proto)
4414 {
4415 char *addrp;
4416 int ret;
4417
4418 switch (ad->u.net->family) {
4419 case PF_INET:
4420 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4421 if (ret)
4422 goto parse_error;
4423 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4424 &ad->u.net->v4info.daddr);
4425 goto okay;
4426
4427 #if IS_ENABLED(CONFIG_IPV6)
4428 case PF_INET6:
4429 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4430 if (ret)
4431 goto parse_error;
4432 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4433 &ad->u.net->v6info.daddr);
4434 goto okay;
4435 #endif /* IPV6 */
4436 default:
4437 addrp = NULL;
4438 goto okay;
4439 }
4440
4441 parse_error:
4442 pr_warn(
4443 "SELinux: failure in selinux_parse_skb(),"
4444 " unable to parse packet\n");
4445 return ret;
4446
4447 okay:
4448 if (_addrp)
4449 *_addrp = addrp;
4450 return 0;
4451 }
4452
4453 /**
4454 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4455 * @skb: the packet
4456 * @family: protocol family
4457 * @sid: the packet's peer label SID
4458 *
4459 * Description:
4460 * Check the various different forms of network peer labeling and determine
4461 * the peer label/SID for the packet; most of the magic actually occurs in
4462 * the security server function security_net_peersid_cmp(). The function
4463 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4464 * or -EACCES if @sid is invalid due to inconsistencies with the different
4465 * peer labels.
4466 *
4467 */
selinux_skb_peerlbl_sid(struct sk_buff * skb,u16 family,u32 * sid)4468 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4469 {
4470 int err;
4471 u32 xfrm_sid;
4472 u32 nlbl_sid;
4473 u32 nlbl_type;
4474
4475 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4476 if (unlikely(err))
4477 return -EACCES;
4478 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4479 if (unlikely(err))
4480 return -EACCES;
4481
4482 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4483 nlbl_type, xfrm_sid, sid);
4484 if (unlikely(err)) {
4485 pr_warn(
4486 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4487 " unable to determine packet's peer label\n");
4488 return -EACCES;
4489 }
4490
4491 return 0;
4492 }
4493
4494 /**
4495 * selinux_conn_sid - Determine the child socket label for a connection
4496 * @sk_sid: the parent socket's SID
4497 * @skb_sid: the packet's SID
4498 * @conn_sid: the resulting connection SID
4499 *
4500 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4501 * combined with the MLS information from @skb_sid in order to create
4502 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4503 * of @sk_sid. Returns zero on success, negative values on failure.
4504 *
4505 */
selinux_conn_sid(u32 sk_sid,u32 skb_sid,u32 * conn_sid)4506 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4507 {
4508 int err = 0;
4509
4510 if (skb_sid != SECSID_NULL)
4511 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4512 conn_sid);
4513 else
4514 *conn_sid = sk_sid;
4515
4516 return err;
4517 }
4518
4519 /* socket security operations */
4520
socket_sockcreate_sid(const struct task_security_struct * tsec,u16 secclass,u32 * socksid)4521 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4522 u16 secclass, u32 *socksid)
4523 {
4524 if (tsec->sockcreate_sid > SECSID_NULL) {
4525 *socksid = tsec->sockcreate_sid;
4526 return 0;
4527 }
4528
4529 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4530 secclass, NULL, socksid);
4531 }
4532
sock_has_perm(struct sock * sk,u32 perms)4533 static int sock_has_perm(struct sock *sk, u32 perms)
4534 {
4535 struct sk_security_struct *sksec = sk->sk_security;
4536 struct common_audit_data ad;
4537 struct lsm_network_audit net = {0,};
4538
4539 if (sksec->sid == SECINITSID_KERNEL)
4540 return 0;
4541
4542 ad.type = LSM_AUDIT_DATA_NET;
4543 ad.u.net = &net;
4544 ad.u.net->sk = sk;
4545
4546 return avc_has_perm(&selinux_state,
4547 current_sid(), sksec->sid, sksec->sclass, perms,
4548 &ad);
4549 }
4550
selinux_socket_create(int family,int type,int protocol,int kern)4551 static int selinux_socket_create(int family, int type,
4552 int protocol, int kern)
4553 {
4554 const struct task_security_struct *tsec = selinux_cred(current_cred());
4555 u32 newsid;
4556 u16 secclass;
4557 int rc;
4558
4559 if (kern)
4560 return 0;
4561
4562 secclass = socket_type_to_security_class(family, type, protocol);
4563 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4564 if (rc)
4565 return rc;
4566
4567 return avc_has_perm(&selinux_state,
4568 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4569 }
4570
selinux_socket_post_create(struct socket * sock,int family,int type,int protocol,int kern)4571 static int selinux_socket_post_create(struct socket *sock, int family,
4572 int type, int protocol, int kern)
4573 {
4574 const struct task_security_struct *tsec = selinux_cred(current_cred());
4575 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4576 struct sk_security_struct *sksec;
4577 u16 sclass = socket_type_to_security_class(family, type, protocol);
4578 u32 sid = SECINITSID_KERNEL;
4579 int err = 0;
4580
4581 if (!kern) {
4582 err = socket_sockcreate_sid(tsec, sclass, &sid);
4583 if (err)
4584 return err;
4585 }
4586
4587 isec->sclass = sclass;
4588 isec->sid = sid;
4589 isec->initialized = LABEL_INITIALIZED;
4590
4591 if (sock->sk) {
4592 sksec = sock->sk->sk_security;
4593 sksec->sclass = sclass;
4594 sksec->sid = sid;
4595 /* Allows detection of the first association on this socket */
4596 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4597 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4598
4599 err = selinux_netlbl_socket_post_create(sock->sk, family);
4600 }
4601
4602 return err;
4603 }
4604
selinux_socket_socketpair(struct socket * socka,struct socket * sockb)4605 static int selinux_socket_socketpair(struct socket *socka,
4606 struct socket *sockb)
4607 {
4608 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4609 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4610
4611 sksec_a->peer_sid = sksec_b->sid;
4612 sksec_b->peer_sid = sksec_a->sid;
4613
4614 return 0;
4615 }
4616
4617 /* Range of port numbers used to automatically bind.
4618 Need to determine whether we should perform a name_bind
4619 permission check between the socket and the port number. */
4620
selinux_socket_bind(struct socket * sock,struct sockaddr * address,int addrlen)4621 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4622 {
4623 struct sock *sk = sock->sk;
4624 struct sk_security_struct *sksec = sk->sk_security;
4625 u16 family;
4626 int err;
4627
4628 err = sock_has_perm(sk, SOCKET__BIND);
4629 if (err)
4630 goto out;
4631
4632 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4633 family = sk->sk_family;
4634 if (family == PF_INET || family == PF_INET6) {
4635 char *addrp;
4636 struct common_audit_data ad;
4637 struct lsm_network_audit net = {0,};
4638 struct sockaddr_in *addr4 = NULL;
4639 struct sockaddr_in6 *addr6 = NULL;
4640 u16 family_sa;
4641 unsigned short snum;
4642 u32 sid, node_perm;
4643
4644 /*
4645 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4646 * that validates multiple binding addresses. Because of this
4647 * need to check address->sa_family as it is possible to have
4648 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4649 */
4650 if (addrlen < offsetofend(struct sockaddr, sa_family))
4651 return -EINVAL;
4652 family_sa = address->sa_family;
4653 switch (family_sa) {
4654 case AF_UNSPEC:
4655 case AF_INET:
4656 if (addrlen < sizeof(struct sockaddr_in))
4657 return -EINVAL;
4658 addr4 = (struct sockaddr_in *)address;
4659 if (family_sa == AF_UNSPEC) {
4660 if (family == PF_INET6) {
4661 /* Length check from inet6_bind_sk() */
4662 if (addrlen < SIN6_LEN_RFC2133)
4663 return -EINVAL;
4664 /* Family check from __inet6_bind() */
4665 goto err_af;
4666 }
4667 /* see __inet_bind(), we only want to allow
4668 * AF_UNSPEC if the address is INADDR_ANY
4669 */
4670 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4671 goto err_af;
4672 family_sa = AF_INET;
4673 }
4674 snum = ntohs(addr4->sin_port);
4675 addrp = (char *)&addr4->sin_addr.s_addr;
4676 break;
4677 case AF_INET6:
4678 if (addrlen < SIN6_LEN_RFC2133)
4679 return -EINVAL;
4680 addr6 = (struct sockaddr_in6 *)address;
4681 snum = ntohs(addr6->sin6_port);
4682 addrp = (char *)&addr6->sin6_addr.s6_addr;
4683 break;
4684 default:
4685 goto err_af;
4686 }
4687
4688 ad.type = LSM_AUDIT_DATA_NET;
4689 ad.u.net = &net;
4690 ad.u.net->sport = htons(snum);
4691 ad.u.net->family = family_sa;
4692
4693 if (snum) {
4694 int low, high;
4695
4696 inet_get_local_port_range(sock_net(sk), &low, &high);
4697
4698 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4699 snum > high) {
4700 err = sel_netport_sid(sk->sk_protocol,
4701 snum, &sid);
4702 if (err)
4703 goto out;
4704 err = avc_has_perm(&selinux_state,
4705 sksec->sid, sid,
4706 sksec->sclass,
4707 SOCKET__NAME_BIND, &ad);
4708 if (err)
4709 goto out;
4710 }
4711 }
4712
4713 switch (sksec->sclass) {
4714 case SECCLASS_TCP_SOCKET:
4715 node_perm = TCP_SOCKET__NODE_BIND;
4716 break;
4717
4718 case SECCLASS_UDP_SOCKET:
4719 node_perm = UDP_SOCKET__NODE_BIND;
4720 break;
4721
4722 case SECCLASS_DCCP_SOCKET:
4723 node_perm = DCCP_SOCKET__NODE_BIND;
4724 break;
4725
4726 case SECCLASS_SCTP_SOCKET:
4727 node_perm = SCTP_SOCKET__NODE_BIND;
4728 break;
4729
4730 default:
4731 node_perm = RAWIP_SOCKET__NODE_BIND;
4732 break;
4733 }
4734
4735 err = sel_netnode_sid(addrp, family_sa, &sid);
4736 if (err)
4737 goto out;
4738
4739 if (family_sa == AF_INET)
4740 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4741 else
4742 ad.u.net->v6info.saddr = addr6->sin6_addr;
4743
4744 err = avc_has_perm(&selinux_state,
4745 sksec->sid, sid,
4746 sksec->sclass, node_perm, &ad);
4747 if (err)
4748 goto out;
4749 }
4750 out:
4751 return err;
4752 err_af:
4753 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4754 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4755 return -EINVAL;
4756 return -EAFNOSUPPORT;
4757 }
4758
4759 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4760 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4761 */
selinux_socket_connect_helper(struct socket * sock,struct sockaddr * address,int addrlen)4762 static int selinux_socket_connect_helper(struct socket *sock,
4763 struct sockaddr *address, int addrlen)
4764 {
4765 struct sock *sk = sock->sk;
4766 struct sk_security_struct *sksec = sk->sk_security;
4767 int err;
4768
4769 err = sock_has_perm(sk, SOCKET__CONNECT);
4770 if (err)
4771 return err;
4772 if (addrlen < offsetofend(struct sockaddr, sa_family))
4773 return -EINVAL;
4774
4775 /* connect(AF_UNSPEC) has special handling, as it is a documented
4776 * way to disconnect the socket
4777 */
4778 if (address->sa_family == AF_UNSPEC)
4779 return 0;
4780
4781 /*
4782 * If a TCP, DCCP or SCTP socket, check name_connect permission
4783 * for the port.
4784 */
4785 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4786 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4787 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4788 struct common_audit_data ad;
4789 struct lsm_network_audit net = {0,};
4790 struct sockaddr_in *addr4 = NULL;
4791 struct sockaddr_in6 *addr6 = NULL;
4792 unsigned short snum;
4793 u32 sid, perm;
4794
4795 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4796 * that validates multiple connect addresses. Because of this
4797 * need to check address->sa_family as it is possible to have
4798 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4799 */
4800 switch (address->sa_family) {
4801 case AF_INET:
4802 addr4 = (struct sockaddr_in *)address;
4803 if (addrlen < sizeof(struct sockaddr_in))
4804 return -EINVAL;
4805 snum = ntohs(addr4->sin_port);
4806 break;
4807 case AF_INET6:
4808 addr6 = (struct sockaddr_in6 *)address;
4809 if (addrlen < SIN6_LEN_RFC2133)
4810 return -EINVAL;
4811 snum = ntohs(addr6->sin6_port);
4812 break;
4813 default:
4814 /* Note that SCTP services expect -EINVAL, whereas
4815 * others expect -EAFNOSUPPORT.
4816 */
4817 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4818 return -EINVAL;
4819 else
4820 return -EAFNOSUPPORT;
4821 }
4822
4823 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4824 if (err)
4825 return err;
4826
4827 switch (sksec->sclass) {
4828 case SECCLASS_TCP_SOCKET:
4829 perm = TCP_SOCKET__NAME_CONNECT;
4830 break;
4831 case SECCLASS_DCCP_SOCKET:
4832 perm = DCCP_SOCKET__NAME_CONNECT;
4833 break;
4834 case SECCLASS_SCTP_SOCKET:
4835 perm = SCTP_SOCKET__NAME_CONNECT;
4836 break;
4837 }
4838
4839 ad.type = LSM_AUDIT_DATA_NET;
4840 ad.u.net = &net;
4841 ad.u.net->dport = htons(snum);
4842 ad.u.net->family = address->sa_family;
4843 err = avc_has_perm(&selinux_state,
4844 sksec->sid, sid, sksec->sclass, perm, &ad);
4845 if (err)
4846 return err;
4847 }
4848
4849 return 0;
4850 }
4851
4852 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
selinux_socket_connect(struct socket * sock,struct sockaddr * address,int addrlen)4853 static int selinux_socket_connect(struct socket *sock,
4854 struct sockaddr *address, int addrlen)
4855 {
4856 int err;
4857 struct sock *sk = sock->sk;
4858
4859 err = selinux_socket_connect_helper(sock, address, addrlen);
4860 if (err)
4861 return err;
4862
4863 return selinux_netlbl_socket_connect(sk, address);
4864 }
4865
selinux_socket_listen(struct socket * sock,int backlog)4866 static int selinux_socket_listen(struct socket *sock, int backlog)
4867 {
4868 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4869 }
4870
selinux_socket_accept(struct socket * sock,struct socket * newsock)4871 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4872 {
4873 int err;
4874 struct inode_security_struct *isec;
4875 struct inode_security_struct *newisec;
4876 u16 sclass;
4877 u32 sid;
4878
4879 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4880 if (err)
4881 return err;
4882
4883 isec = inode_security_novalidate(SOCK_INODE(sock));
4884 spin_lock(&isec->lock);
4885 sclass = isec->sclass;
4886 sid = isec->sid;
4887 spin_unlock(&isec->lock);
4888
4889 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4890 newisec->sclass = sclass;
4891 newisec->sid = sid;
4892 newisec->initialized = LABEL_INITIALIZED;
4893
4894 return 0;
4895 }
4896
selinux_socket_sendmsg(struct socket * sock,struct msghdr * msg,int size)4897 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4898 int size)
4899 {
4900 return sock_has_perm(sock->sk, SOCKET__WRITE);
4901 }
4902
selinux_socket_recvmsg(struct socket * sock,struct msghdr * msg,int size,int flags)4903 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4904 int size, int flags)
4905 {
4906 return sock_has_perm(sock->sk, SOCKET__READ);
4907 }
4908
selinux_socket_getsockname(struct socket * sock)4909 static int selinux_socket_getsockname(struct socket *sock)
4910 {
4911 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4912 }
4913
selinux_socket_getpeername(struct socket * sock)4914 static int selinux_socket_getpeername(struct socket *sock)
4915 {
4916 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4917 }
4918
selinux_socket_setsockopt(struct socket * sock,int level,int optname)4919 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4920 {
4921 int err;
4922
4923 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4924 if (err)
4925 return err;
4926
4927 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4928 }
4929
selinux_socket_getsockopt(struct socket * sock,int level,int optname)4930 static int selinux_socket_getsockopt(struct socket *sock, int level,
4931 int optname)
4932 {
4933 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4934 }
4935
selinux_socket_shutdown(struct socket * sock,int how)4936 static int selinux_socket_shutdown(struct socket *sock, int how)
4937 {
4938 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4939 }
4940
selinux_socket_unix_stream_connect(struct sock * sock,struct sock * other,struct sock * newsk)4941 static int selinux_socket_unix_stream_connect(struct sock *sock,
4942 struct sock *other,
4943 struct sock *newsk)
4944 {
4945 struct sk_security_struct *sksec_sock = sock->sk_security;
4946 struct sk_security_struct *sksec_other = other->sk_security;
4947 struct sk_security_struct *sksec_new = newsk->sk_security;
4948 struct common_audit_data ad;
4949 struct lsm_network_audit net = {0,};
4950 int err;
4951
4952 ad.type = LSM_AUDIT_DATA_NET;
4953 ad.u.net = &net;
4954 ad.u.net->sk = other;
4955
4956 err = avc_has_perm(&selinux_state,
4957 sksec_sock->sid, sksec_other->sid,
4958 sksec_other->sclass,
4959 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4960 if (err)
4961 return err;
4962
4963 /* server child socket */
4964 sksec_new->peer_sid = sksec_sock->sid;
4965 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4966 sksec_sock->sid, &sksec_new->sid);
4967 if (err)
4968 return err;
4969
4970 /* connecting socket */
4971 sksec_sock->peer_sid = sksec_new->sid;
4972
4973 return 0;
4974 }
4975
selinux_socket_unix_may_send(struct socket * sock,struct socket * other)4976 static int selinux_socket_unix_may_send(struct socket *sock,
4977 struct socket *other)
4978 {
4979 struct sk_security_struct *ssec = sock->sk->sk_security;
4980 struct sk_security_struct *osec = other->sk->sk_security;
4981 struct common_audit_data ad;
4982 struct lsm_network_audit net = {0,};
4983
4984 ad.type = LSM_AUDIT_DATA_NET;
4985 ad.u.net = &net;
4986 ad.u.net->sk = other->sk;
4987
4988 return avc_has_perm(&selinux_state,
4989 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4990 &ad);
4991 }
4992
selinux_inet_sys_rcv_skb(struct net * ns,int ifindex,char * addrp,u16 family,u32 peer_sid,struct common_audit_data * ad)4993 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4994 char *addrp, u16 family, u32 peer_sid,
4995 struct common_audit_data *ad)
4996 {
4997 int err;
4998 u32 if_sid;
4999 u32 node_sid;
5000
5001 err = sel_netif_sid(ns, ifindex, &if_sid);
5002 if (err)
5003 return err;
5004 err = avc_has_perm(&selinux_state,
5005 peer_sid, if_sid,
5006 SECCLASS_NETIF, NETIF__INGRESS, ad);
5007 if (err)
5008 return err;
5009
5010 err = sel_netnode_sid(addrp, family, &node_sid);
5011 if (err)
5012 return err;
5013 return avc_has_perm(&selinux_state,
5014 peer_sid, node_sid,
5015 SECCLASS_NODE, NODE__RECVFROM, ad);
5016 }
5017
selinux_sock_rcv_skb_compat(struct sock * sk,struct sk_buff * skb,u16 family)5018 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5019 u16 family)
5020 {
5021 int err = 0;
5022 struct sk_security_struct *sksec = sk->sk_security;
5023 u32 sk_sid = sksec->sid;
5024 struct common_audit_data ad;
5025 struct lsm_network_audit net = {0,};
5026 char *addrp;
5027
5028 ad.type = LSM_AUDIT_DATA_NET;
5029 ad.u.net = &net;
5030 ad.u.net->netif = skb->skb_iif;
5031 ad.u.net->family = family;
5032 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5033 if (err)
5034 return err;
5035
5036 if (selinux_secmark_enabled()) {
5037 err = avc_has_perm(&selinux_state,
5038 sk_sid, skb->secmark, SECCLASS_PACKET,
5039 PACKET__RECV, &ad);
5040 if (err)
5041 return err;
5042 }
5043
5044 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5045 if (err)
5046 return err;
5047 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5048
5049 return err;
5050 }
5051
selinux_socket_sock_rcv_skb(struct sock * sk,struct sk_buff * skb)5052 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5053 {
5054 int err;
5055 struct sk_security_struct *sksec = sk->sk_security;
5056 u16 family = sk->sk_family;
5057 u32 sk_sid = sksec->sid;
5058 struct common_audit_data ad;
5059 struct lsm_network_audit net = {0,};
5060 char *addrp;
5061 u8 secmark_active;
5062 u8 peerlbl_active;
5063
5064 if (family != PF_INET && family != PF_INET6)
5065 return 0;
5066
5067 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5068 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5069 family = PF_INET;
5070
5071 /* If any sort of compatibility mode is enabled then handoff processing
5072 * to the selinux_sock_rcv_skb_compat() function to deal with the
5073 * special handling. We do this in an attempt to keep this function
5074 * as fast and as clean as possible. */
5075 if (!selinux_policycap_netpeer())
5076 return selinux_sock_rcv_skb_compat(sk, skb, family);
5077
5078 secmark_active = selinux_secmark_enabled();
5079 peerlbl_active = selinux_peerlbl_enabled();
5080 if (!secmark_active && !peerlbl_active)
5081 return 0;
5082
5083 ad.type = LSM_AUDIT_DATA_NET;
5084 ad.u.net = &net;
5085 ad.u.net->netif = skb->skb_iif;
5086 ad.u.net->family = family;
5087 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5088 if (err)
5089 return err;
5090
5091 if (peerlbl_active) {
5092 u32 peer_sid;
5093
5094 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5095 if (err)
5096 return err;
5097 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5098 addrp, family, peer_sid, &ad);
5099 if (err) {
5100 selinux_netlbl_err(skb, family, err, 0);
5101 return err;
5102 }
5103 err = avc_has_perm(&selinux_state,
5104 sk_sid, peer_sid, SECCLASS_PEER,
5105 PEER__RECV, &ad);
5106 if (err) {
5107 selinux_netlbl_err(skb, family, err, 0);
5108 return err;
5109 }
5110 }
5111
5112 if (secmark_active) {
5113 err = avc_has_perm(&selinux_state,
5114 sk_sid, skb->secmark, SECCLASS_PACKET,
5115 PACKET__RECV, &ad);
5116 if (err)
5117 return err;
5118 }
5119
5120 return err;
5121 }
5122
selinux_socket_getpeersec_stream(struct socket * sock,char __user * optval,int __user * optlen,unsigned len)5123 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5124 int __user *optlen, unsigned len)
5125 {
5126 int err = 0;
5127 char *scontext;
5128 u32 scontext_len;
5129 struct sk_security_struct *sksec = sock->sk->sk_security;
5130 u32 peer_sid = SECSID_NULL;
5131
5132 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5133 sksec->sclass == SECCLASS_TCP_SOCKET ||
5134 sksec->sclass == SECCLASS_SCTP_SOCKET)
5135 peer_sid = sksec->peer_sid;
5136 if (peer_sid == SECSID_NULL)
5137 return -ENOPROTOOPT;
5138
5139 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5140 &scontext_len);
5141 if (err)
5142 return err;
5143
5144 if (scontext_len > len) {
5145 err = -ERANGE;
5146 goto out_len;
5147 }
5148
5149 if (copy_to_user(optval, scontext, scontext_len))
5150 err = -EFAULT;
5151
5152 out_len:
5153 if (put_user(scontext_len, optlen))
5154 err = -EFAULT;
5155 kfree(scontext);
5156 return err;
5157 }
5158
selinux_socket_getpeersec_dgram(struct socket * sock,struct sk_buff * skb,u32 * secid)5159 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5160 {
5161 u32 peer_secid = SECSID_NULL;
5162 u16 family;
5163 struct inode_security_struct *isec;
5164
5165 if (skb && skb->protocol == htons(ETH_P_IP))
5166 family = PF_INET;
5167 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5168 family = PF_INET6;
5169 else if (sock)
5170 family = sock->sk->sk_family;
5171 else
5172 goto out;
5173
5174 if (sock && family == PF_UNIX) {
5175 isec = inode_security_novalidate(SOCK_INODE(sock));
5176 peer_secid = isec->sid;
5177 } else if (skb)
5178 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5179
5180 out:
5181 *secid = peer_secid;
5182 if (peer_secid == SECSID_NULL)
5183 return -EINVAL;
5184 return 0;
5185 }
5186
selinux_sk_alloc_security(struct sock * sk,int family,gfp_t priority)5187 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5188 {
5189 struct sk_security_struct *sksec;
5190
5191 sksec = kzalloc(sizeof(*sksec), priority);
5192 if (!sksec)
5193 return -ENOMEM;
5194
5195 sksec->peer_sid = SECINITSID_UNLABELED;
5196 sksec->sid = SECINITSID_UNLABELED;
5197 sksec->sclass = SECCLASS_SOCKET;
5198 selinux_netlbl_sk_security_reset(sksec);
5199 sk->sk_security = sksec;
5200
5201 return 0;
5202 }
5203
selinux_sk_free_security(struct sock * sk)5204 static void selinux_sk_free_security(struct sock *sk)
5205 {
5206 struct sk_security_struct *sksec = sk->sk_security;
5207
5208 sk->sk_security = NULL;
5209 selinux_netlbl_sk_security_free(sksec);
5210 kfree(sksec);
5211 }
5212
selinux_sk_clone_security(const struct sock * sk,struct sock * newsk)5213 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5214 {
5215 struct sk_security_struct *sksec = sk->sk_security;
5216 struct sk_security_struct *newsksec = newsk->sk_security;
5217
5218 newsksec->sid = sksec->sid;
5219 newsksec->peer_sid = sksec->peer_sid;
5220 newsksec->sclass = sksec->sclass;
5221
5222 selinux_netlbl_sk_security_reset(newsksec);
5223 }
5224
selinux_sk_getsecid(struct sock * sk,u32 * secid)5225 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5226 {
5227 if (!sk)
5228 *secid = SECINITSID_ANY_SOCKET;
5229 else {
5230 struct sk_security_struct *sksec = sk->sk_security;
5231
5232 *secid = sksec->sid;
5233 }
5234 }
5235
selinux_sock_graft(struct sock * sk,struct socket * parent)5236 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5237 {
5238 struct inode_security_struct *isec =
5239 inode_security_novalidate(SOCK_INODE(parent));
5240 struct sk_security_struct *sksec = sk->sk_security;
5241
5242 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5243 sk->sk_family == PF_UNIX)
5244 isec->sid = sksec->sid;
5245 sksec->sclass = isec->sclass;
5246 }
5247
5248 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5249 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5250 * already present).
5251 */
selinux_sctp_assoc_request(struct sctp_endpoint * ep,struct sk_buff * skb)5252 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5253 struct sk_buff *skb)
5254 {
5255 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5256 struct common_audit_data ad;
5257 struct lsm_network_audit net = {0,};
5258 u8 peerlbl_active;
5259 u32 peer_sid = SECINITSID_UNLABELED;
5260 u32 conn_sid;
5261 int err = 0;
5262
5263 if (!selinux_policycap_extsockclass())
5264 return 0;
5265
5266 peerlbl_active = selinux_peerlbl_enabled();
5267
5268 if (peerlbl_active) {
5269 /* This will return peer_sid = SECSID_NULL if there are
5270 * no peer labels, see security_net_peersid_resolve().
5271 */
5272 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5273 &peer_sid);
5274 if (err)
5275 return err;
5276
5277 if (peer_sid == SECSID_NULL)
5278 peer_sid = SECINITSID_UNLABELED;
5279 }
5280
5281 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5282 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5283
5284 /* Here as first association on socket. As the peer SID
5285 * was allowed by peer recv (and the netif/node checks),
5286 * then it is approved by policy and used as the primary
5287 * peer SID for getpeercon(3).
5288 */
5289 sksec->peer_sid = peer_sid;
5290 } else if (sksec->peer_sid != peer_sid) {
5291 /* Other association peer SIDs are checked to enforce
5292 * consistency among the peer SIDs.
5293 */
5294 ad.type = LSM_AUDIT_DATA_NET;
5295 ad.u.net = &net;
5296 ad.u.net->sk = ep->base.sk;
5297 err = avc_has_perm(&selinux_state,
5298 sksec->peer_sid, peer_sid, sksec->sclass,
5299 SCTP_SOCKET__ASSOCIATION, &ad);
5300 if (err)
5301 return err;
5302 }
5303
5304 /* Compute the MLS component for the connection and store
5305 * the information in ep. This will be used by SCTP TCP type
5306 * sockets and peeled off connections as they cause a new
5307 * socket to be generated. selinux_sctp_sk_clone() will then
5308 * plug this into the new socket.
5309 */
5310 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5311 if (err)
5312 return err;
5313
5314 ep->secid = conn_sid;
5315 ep->peer_secid = peer_sid;
5316
5317 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5318 return selinux_netlbl_sctp_assoc_request(ep, skb);
5319 }
5320
5321 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5322 * based on their @optname.
5323 */
selinux_sctp_bind_connect(struct sock * sk,int optname,struct sockaddr * address,int addrlen)5324 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5325 struct sockaddr *address,
5326 int addrlen)
5327 {
5328 int len, err = 0, walk_size = 0;
5329 void *addr_buf;
5330 struct sockaddr *addr;
5331 struct socket *sock;
5332
5333 if (!selinux_policycap_extsockclass())
5334 return 0;
5335
5336 /* Process one or more addresses that may be IPv4 or IPv6 */
5337 sock = sk->sk_socket;
5338 addr_buf = address;
5339
5340 while (walk_size < addrlen) {
5341 if (walk_size + sizeof(sa_family_t) > addrlen)
5342 return -EINVAL;
5343
5344 addr = addr_buf;
5345 switch (addr->sa_family) {
5346 case AF_UNSPEC:
5347 case AF_INET:
5348 len = sizeof(struct sockaddr_in);
5349 break;
5350 case AF_INET6:
5351 len = sizeof(struct sockaddr_in6);
5352 break;
5353 default:
5354 return -EINVAL;
5355 }
5356
5357 if (walk_size + len > addrlen)
5358 return -EINVAL;
5359
5360 err = -EINVAL;
5361 switch (optname) {
5362 /* Bind checks */
5363 case SCTP_PRIMARY_ADDR:
5364 case SCTP_SET_PEER_PRIMARY_ADDR:
5365 case SCTP_SOCKOPT_BINDX_ADD:
5366 err = selinux_socket_bind(sock, addr, len);
5367 break;
5368 /* Connect checks */
5369 case SCTP_SOCKOPT_CONNECTX:
5370 case SCTP_PARAM_SET_PRIMARY:
5371 case SCTP_PARAM_ADD_IP:
5372 case SCTP_SENDMSG_CONNECT:
5373 err = selinux_socket_connect_helper(sock, addr, len);
5374 if (err)
5375 return err;
5376
5377 /* As selinux_sctp_bind_connect() is called by the
5378 * SCTP protocol layer, the socket is already locked,
5379 * therefore selinux_netlbl_socket_connect_locked() is
5380 * is called here. The situations handled are:
5381 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5382 * whenever a new IP address is added or when a new
5383 * primary address is selected.
5384 * Note that an SCTP connect(2) call happens before
5385 * the SCTP protocol layer and is handled via
5386 * selinux_socket_connect().
5387 */
5388 err = selinux_netlbl_socket_connect_locked(sk, addr);
5389 break;
5390 }
5391
5392 if (err)
5393 return err;
5394
5395 addr_buf += len;
5396 walk_size += len;
5397 }
5398
5399 return 0;
5400 }
5401
5402 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
selinux_sctp_sk_clone(struct sctp_endpoint * ep,struct sock * sk,struct sock * newsk)5403 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5404 struct sock *newsk)
5405 {
5406 struct sk_security_struct *sksec = sk->sk_security;
5407 struct sk_security_struct *newsksec = newsk->sk_security;
5408
5409 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5410 * the non-sctp clone version.
5411 */
5412 if (!selinux_policycap_extsockclass())
5413 return selinux_sk_clone_security(sk, newsk);
5414
5415 newsksec->sid = ep->secid;
5416 newsksec->peer_sid = ep->peer_secid;
5417 newsksec->sclass = sksec->sclass;
5418 selinux_netlbl_sctp_sk_clone(sk, newsk);
5419 }
5420
selinux_inet_conn_request(struct sock * sk,struct sk_buff * skb,struct request_sock * req)5421 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5422 struct request_sock *req)
5423 {
5424 struct sk_security_struct *sksec = sk->sk_security;
5425 int err;
5426 u16 family = req->rsk_ops->family;
5427 u32 connsid;
5428 u32 peersid;
5429
5430 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5431 if (err)
5432 return err;
5433 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5434 if (err)
5435 return err;
5436 req->secid = connsid;
5437 req->peer_secid = peersid;
5438
5439 return selinux_netlbl_inet_conn_request(req, family);
5440 }
5441
selinux_inet_csk_clone(struct sock * newsk,const struct request_sock * req)5442 static void selinux_inet_csk_clone(struct sock *newsk,
5443 const struct request_sock *req)
5444 {
5445 struct sk_security_struct *newsksec = newsk->sk_security;
5446
5447 newsksec->sid = req->secid;
5448 newsksec->peer_sid = req->peer_secid;
5449 /* NOTE: Ideally, we should also get the isec->sid for the
5450 new socket in sync, but we don't have the isec available yet.
5451 So we will wait until sock_graft to do it, by which
5452 time it will have been created and available. */
5453
5454 /* We don't need to take any sort of lock here as we are the only
5455 * thread with access to newsksec */
5456 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5457 }
5458
selinux_inet_conn_established(struct sock * sk,struct sk_buff * skb)5459 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5460 {
5461 u16 family = sk->sk_family;
5462 struct sk_security_struct *sksec = sk->sk_security;
5463
5464 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5465 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5466 family = PF_INET;
5467
5468 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5469 }
5470
selinux_secmark_relabel_packet(u32 sid)5471 static int selinux_secmark_relabel_packet(u32 sid)
5472 {
5473 const struct task_security_struct *__tsec;
5474 u32 tsid;
5475
5476 __tsec = selinux_cred(current_cred());
5477 tsid = __tsec->sid;
5478
5479 return avc_has_perm(&selinux_state,
5480 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5481 NULL);
5482 }
5483
selinux_secmark_refcount_inc(void)5484 static void selinux_secmark_refcount_inc(void)
5485 {
5486 atomic_inc(&selinux_secmark_refcount);
5487 }
5488
selinux_secmark_refcount_dec(void)5489 static void selinux_secmark_refcount_dec(void)
5490 {
5491 atomic_dec(&selinux_secmark_refcount);
5492 }
5493
selinux_req_classify_flow(const struct request_sock * req,struct flowi * fl)5494 static void selinux_req_classify_flow(const struct request_sock *req,
5495 struct flowi *fl)
5496 {
5497 fl->flowi_secid = req->secid;
5498 }
5499
selinux_tun_dev_alloc_security(void ** security)5500 static int selinux_tun_dev_alloc_security(void **security)
5501 {
5502 struct tun_security_struct *tunsec;
5503
5504 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5505 if (!tunsec)
5506 return -ENOMEM;
5507 tunsec->sid = current_sid();
5508
5509 *security = tunsec;
5510 return 0;
5511 }
5512
selinux_tun_dev_free_security(void * security)5513 static void selinux_tun_dev_free_security(void *security)
5514 {
5515 kfree(security);
5516 }
5517
selinux_tun_dev_create(void)5518 static int selinux_tun_dev_create(void)
5519 {
5520 u32 sid = current_sid();
5521
5522 /* we aren't taking into account the "sockcreate" SID since the socket
5523 * that is being created here is not a socket in the traditional sense,
5524 * instead it is a private sock, accessible only to the kernel, and
5525 * representing a wide range of network traffic spanning multiple
5526 * connections unlike traditional sockets - check the TUN driver to
5527 * get a better understanding of why this socket is special */
5528
5529 return avc_has_perm(&selinux_state,
5530 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5531 NULL);
5532 }
5533
selinux_tun_dev_attach_queue(void * security)5534 static int selinux_tun_dev_attach_queue(void *security)
5535 {
5536 struct tun_security_struct *tunsec = security;
5537
5538 return avc_has_perm(&selinux_state,
5539 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5540 TUN_SOCKET__ATTACH_QUEUE, NULL);
5541 }
5542
selinux_tun_dev_attach(struct sock * sk,void * security)5543 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5544 {
5545 struct tun_security_struct *tunsec = security;
5546 struct sk_security_struct *sksec = sk->sk_security;
5547
5548 /* we don't currently perform any NetLabel based labeling here and it
5549 * isn't clear that we would want to do so anyway; while we could apply
5550 * labeling without the support of the TUN user the resulting labeled
5551 * traffic from the other end of the connection would almost certainly
5552 * cause confusion to the TUN user that had no idea network labeling
5553 * protocols were being used */
5554
5555 sksec->sid = tunsec->sid;
5556 sksec->sclass = SECCLASS_TUN_SOCKET;
5557
5558 return 0;
5559 }
5560
selinux_tun_dev_open(void * security)5561 static int selinux_tun_dev_open(void *security)
5562 {
5563 struct tun_security_struct *tunsec = security;
5564 u32 sid = current_sid();
5565 int err;
5566
5567 err = avc_has_perm(&selinux_state,
5568 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5569 TUN_SOCKET__RELABELFROM, NULL);
5570 if (err)
5571 return err;
5572 err = avc_has_perm(&selinux_state,
5573 sid, sid, SECCLASS_TUN_SOCKET,
5574 TUN_SOCKET__RELABELTO, NULL);
5575 if (err)
5576 return err;
5577 tunsec->sid = sid;
5578
5579 return 0;
5580 }
5581
selinux_nlmsg_perm(struct sock * sk,struct sk_buff * skb)5582 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5583 {
5584 int rc = 0;
5585 unsigned int msg_len;
5586 unsigned int data_len = skb->len;
5587 unsigned char *data = skb->data;
5588 struct nlmsghdr *nlh;
5589 struct sk_security_struct *sksec = sk->sk_security;
5590 u16 sclass = sksec->sclass;
5591 u32 perm;
5592
5593 while (data_len >= nlmsg_total_size(0)) {
5594 nlh = (struct nlmsghdr *)data;
5595
5596 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5597 * users which means we can't reject skb's with bogus
5598 * length fields; our solution is to follow what
5599 * netlink_rcv_skb() does and simply skip processing at
5600 * messages with length fields that are clearly junk
5601 */
5602 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5603 return 0;
5604
5605 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5606 if (rc == 0) {
5607 rc = sock_has_perm(sk, perm);
5608 if (rc)
5609 return rc;
5610 } else if (rc == -EINVAL) {
5611 /* -EINVAL is a missing msg/perm mapping */
5612 pr_warn_ratelimited("SELinux: unrecognized netlink"
5613 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5614 " pid=%d comm=%s\n",
5615 sk->sk_protocol, nlh->nlmsg_type,
5616 secclass_map[sclass - 1].name,
5617 task_pid_nr(current), current->comm);
5618 if (enforcing_enabled(&selinux_state) &&
5619 !security_get_allow_unknown(&selinux_state))
5620 return rc;
5621 rc = 0;
5622 } else if (rc == -ENOENT) {
5623 /* -ENOENT is a missing socket/class mapping, ignore */
5624 rc = 0;
5625 } else {
5626 return rc;
5627 }
5628
5629 /* move to the next message after applying netlink padding */
5630 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5631 if (msg_len >= data_len)
5632 return 0;
5633 data_len -= msg_len;
5634 data += msg_len;
5635 }
5636
5637 return rc;
5638 }
5639
5640 #ifdef CONFIG_NETFILTER
5641
selinux_ip_forward(struct sk_buff * skb,const struct net_device * indev,u16 family)5642 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5643 const struct net_device *indev,
5644 u16 family)
5645 {
5646 int err;
5647 char *addrp;
5648 u32 peer_sid;
5649 struct common_audit_data ad;
5650 struct lsm_network_audit net = {0,};
5651 u8 secmark_active;
5652 u8 netlbl_active;
5653 u8 peerlbl_active;
5654
5655 if (!selinux_policycap_netpeer())
5656 return NF_ACCEPT;
5657
5658 secmark_active = selinux_secmark_enabled();
5659 netlbl_active = netlbl_enabled();
5660 peerlbl_active = selinux_peerlbl_enabled();
5661 if (!secmark_active && !peerlbl_active)
5662 return NF_ACCEPT;
5663
5664 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5665 return NF_DROP;
5666
5667 ad.type = LSM_AUDIT_DATA_NET;
5668 ad.u.net = &net;
5669 ad.u.net->netif = indev->ifindex;
5670 ad.u.net->family = family;
5671 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5672 return NF_DROP;
5673
5674 if (peerlbl_active) {
5675 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5676 addrp, family, peer_sid, &ad);
5677 if (err) {
5678 selinux_netlbl_err(skb, family, err, 1);
5679 return NF_DROP;
5680 }
5681 }
5682
5683 if (secmark_active)
5684 if (avc_has_perm(&selinux_state,
5685 peer_sid, skb->secmark,
5686 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5687 return NF_DROP;
5688
5689 if (netlbl_active)
5690 /* we do this in the FORWARD path and not the POST_ROUTING
5691 * path because we want to make sure we apply the necessary
5692 * labeling before IPsec is applied so we can leverage AH
5693 * protection */
5694 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5695 return NF_DROP;
5696
5697 return NF_ACCEPT;
5698 }
5699
selinux_ipv4_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5700 static unsigned int selinux_ipv4_forward(void *priv,
5701 struct sk_buff *skb,
5702 const struct nf_hook_state *state)
5703 {
5704 return selinux_ip_forward(skb, state->in, PF_INET);
5705 }
5706
5707 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5708 static unsigned int selinux_ipv6_forward(void *priv,
5709 struct sk_buff *skb,
5710 const struct nf_hook_state *state)
5711 {
5712 return selinux_ip_forward(skb, state->in, PF_INET6);
5713 }
5714 #endif /* IPV6 */
5715
selinux_ip_output(struct sk_buff * skb,u16 family)5716 static unsigned int selinux_ip_output(struct sk_buff *skb,
5717 u16 family)
5718 {
5719 struct sock *sk;
5720 u32 sid;
5721
5722 if (!netlbl_enabled())
5723 return NF_ACCEPT;
5724
5725 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5726 * because we want to make sure we apply the necessary labeling
5727 * before IPsec is applied so we can leverage AH protection */
5728 sk = skb->sk;
5729 if (sk) {
5730 struct sk_security_struct *sksec;
5731
5732 if (sk_listener(sk))
5733 /* if the socket is the listening state then this
5734 * packet is a SYN-ACK packet which means it needs to
5735 * be labeled based on the connection/request_sock and
5736 * not the parent socket. unfortunately, we can't
5737 * lookup the request_sock yet as it isn't queued on
5738 * the parent socket until after the SYN-ACK is sent.
5739 * the "solution" is to simply pass the packet as-is
5740 * as any IP option based labeling should be copied
5741 * from the initial connection request (in the IP
5742 * layer). it is far from ideal, but until we get a
5743 * security label in the packet itself this is the
5744 * best we can do. */
5745 return NF_ACCEPT;
5746
5747 /* standard practice, label using the parent socket */
5748 sksec = sk->sk_security;
5749 sid = sksec->sid;
5750 } else
5751 sid = SECINITSID_KERNEL;
5752 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5753 return NF_DROP;
5754
5755 return NF_ACCEPT;
5756 }
5757
selinux_ipv4_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5758 static unsigned int selinux_ipv4_output(void *priv,
5759 struct sk_buff *skb,
5760 const struct nf_hook_state *state)
5761 {
5762 return selinux_ip_output(skb, PF_INET);
5763 }
5764
5765 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5766 static unsigned int selinux_ipv6_output(void *priv,
5767 struct sk_buff *skb,
5768 const struct nf_hook_state *state)
5769 {
5770 return selinux_ip_output(skb, PF_INET6);
5771 }
5772 #endif /* IPV6 */
5773
selinux_ip_postroute_compat(struct sk_buff * skb,int ifindex,u16 family)5774 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5775 int ifindex,
5776 u16 family)
5777 {
5778 struct sock *sk = skb_to_full_sk(skb);
5779 struct sk_security_struct *sksec;
5780 struct common_audit_data ad;
5781 struct lsm_network_audit net = {0,};
5782 char *addrp;
5783 u8 proto = 0;
5784
5785 if (sk == NULL)
5786 return NF_ACCEPT;
5787 sksec = sk->sk_security;
5788
5789 ad.type = LSM_AUDIT_DATA_NET;
5790 ad.u.net = &net;
5791 ad.u.net->netif = ifindex;
5792 ad.u.net->family = family;
5793 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5794 return NF_DROP;
5795
5796 if (selinux_secmark_enabled())
5797 if (avc_has_perm(&selinux_state,
5798 sksec->sid, skb->secmark,
5799 SECCLASS_PACKET, PACKET__SEND, &ad))
5800 return NF_DROP_ERR(-ECONNREFUSED);
5801
5802 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5803 return NF_DROP_ERR(-ECONNREFUSED);
5804
5805 return NF_ACCEPT;
5806 }
5807
selinux_ip_postroute(struct sk_buff * skb,const struct net_device * outdev,u16 family)5808 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5809 const struct net_device *outdev,
5810 u16 family)
5811 {
5812 u32 secmark_perm;
5813 u32 peer_sid;
5814 int ifindex = outdev->ifindex;
5815 struct sock *sk;
5816 struct common_audit_data ad;
5817 struct lsm_network_audit net = {0,};
5818 char *addrp;
5819 u8 secmark_active;
5820 u8 peerlbl_active;
5821
5822 /* If any sort of compatibility mode is enabled then handoff processing
5823 * to the selinux_ip_postroute_compat() function to deal with the
5824 * special handling. We do this in an attempt to keep this function
5825 * as fast and as clean as possible. */
5826 if (!selinux_policycap_netpeer())
5827 return selinux_ip_postroute_compat(skb, ifindex, family);
5828
5829 secmark_active = selinux_secmark_enabled();
5830 peerlbl_active = selinux_peerlbl_enabled();
5831 if (!secmark_active && !peerlbl_active)
5832 return NF_ACCEPT;
5833
5834 sk = skb_to_full_sk(skb);
5835
5836 #ifdef CONFIG_XFRM
5837 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5838 * packet transformation so allow the packet to pass without any checks
5839 * since we'll have another chance to perform access control checks
5840 * when the packet is on it's final way out.
5841 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5842 * is NULL, in this case go ahead and apply access control.
5843 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5844 * TCP listening state we cannot wait until the XFRM processing
5845 * is done as we will miss out on the SA label if we do;
5846 * unfortunately, this means more work, but it is only once per
5847 * connection. */
5848 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5849 !(sk && sk_listener(sk)))
5850 return NF_ACCEPT;
5851 #endif
5852
5853 if (sk == NULL) {
5854 /* Without an associated socket the packet is either coming
5855 * from the kernel or it is being forwarded; check the packet
5856 * to determine which and if the packet is being forwarded
5857 * query the packet directly to determine the security label. */
5858 if (skb->skb_iif) {
5859 secmark_perm = PACKET__FORWARD_OUT;
5860 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5861 return NF_DROP;
5862 } else {
5863 secmark_perm = PACKET__SEND;
5864 peer_sid = SECINITSID_KERNEL;
5865 }
5866 } else if (sk_listener(sk)) {
5867 /* Locally generated packet but the associated socket is in the
5868 * listening state which means this is a SYN-ACK packet. In
5869 * this particular case the correct security label is assigned
5870 * to the connection/request_sock but unfortunately we can't
5871 * query the request_sock as it isn't queued on the parent
5872 * socket until after the SYN-ACK packet is sent; the only
5873 * viable choice is to regenerate the label like we do in
5874 * selinux_inet_conn_request(). See also selinux_ip_output()
5875 * for similar problems. */
5876 u32 skb_sid;
5877 struct sk_security_struct *sksec;
5878
5879 sksec = sk->sk_security;
5880 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5881 return NF_DROP;
5882 /* At this point, if the returned skb peerlbl is SECSID_NULL
5883 * and the packet has been through at least one XFRM
5884 * transformation then we must be dealing with the "final"
5885 * form of labeled IPsec packet; since we've already applied
5886 * all of our access controls on this packet we can safely
5887 * pass the packet. */
5888 if (skb_sid == SECSID_NULL) {
5889 switch (family) {
5890 case PF_INET:
5891 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5892 return NF_ACCEPT;
5893 break;
5894 case PF_INET6:
5895 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5896 return NF_ACCEPT;
5897 break;
5898 default:
5899 return NF_DROP_ERR(-ECONNREFUSED);
5900 }
5901 }
5902 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5903 return NF_DROP;
5904 secmark_perm = PACKET__SEND;
5905 } else {
5906 /* Locally generated packet, fetch the security label from the
5907 * associated socket. */
5908 struct sk_security_struct *sksec = sk->sk_security;
5909 peer_sid = sksec->sid;
5910 secmark_perm = PACKET__SEND;
5911 }
5912
5913 ad.type = LSM_AUDIT_DATA_NET;
5914 ad.u.net = &net;
5915 ad.u.net->netif = ifindex;
5916 ad.u.net->family = family;
5917 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5918 return NF_DROP;
5919
5920 if (secmark_active)
5921 if (avc_has_perm(&selinux_state,
5922 peer_sid, skb->secmark,
5923 SECCLASS_PACKET, secmark_perm, &ad))
5924 return NF_DROP_ERR(-ECONNREFUSED);
5925
5926 if (peerlbl_active) {
5927 u32 if_sid;
5928 u32 node_sid;
5929
5930 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5931 return NF_DROP;
5932 if (avc_has_perm(&selinux_state,
5933 peer_sid, if_sid,
5934 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5935 return NF_DROP_ERR(-ECONNREFUSED);
5936
5937 if (sel_netnode_sid(addrp, family, &node_sid))
5938 return NF_DROP;
5939 if (avc_has_perm(&selinux_state,
5940 peer_sid, node_sid,
5941 SECCLASS_NODE, NODE__SENDTO, &ad))
5942 return NF_DROP_ERR(-ECONNREFUSED);
5943 }
5944
5945 return NF_ACCEPT;
5946 }
5947
selinux_ipv4_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5948 static unsigned int selinux_ipv4_postroute(void *priv,
5949 struct sk_buff *skb,
5950 const struct nf_hook_state *state)
5951 {
5952 return selinux_ip_postroute(skb, state->out, PF_INET);
5953 }
5954
5955 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5956 static unsigned int selinux_ipv6_postroute(void *priv,
5957 struct sk_buff *skb,
5958 const struct nf_hook_state *state)
5959 {
5960 return selinux_ip_postroute(skb, state->out, PF_INET6);
5961 }
5962 #endif /* IPV6 */
5963
5964 #endif /* CONFIG_NETFILTER */
5965
selinux_netlink_send(struct sock * sk,struct sk_buff * skb)5966 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5967 {
5968 return selinux_nlmsg_perm(sk, skb);
5969 }
5970
ipc_init_security(struct ipc_security_struct * isec,u16 sclass)5971 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5972 {
5973 isec->sclass = sclass;
5974 isec->sid = current_sid();
5975 }
5976
msg_msg_alloc_security(struct msg_msg * msg)5977 static int msg_msg_alloc_security(struct msg_msg *msg)
5978 {
5979 struct msg_security_struct *msec;
5980
5981 msec = selinux_msg_msg(msg);
5982 msec->sid = SECINITSID_UNLABELED;
5983
5984 return 0;
5985 }
5986
ipc_has_perm(struct kern_ipc_perm * ipc_perms,u32 perms)5987 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5988 u32 perms)
5989 {
5990 struct ipc_security_struct *isec;
5991 struct common_audit_data ad;
5992 u32 sid = current_sid();
5993
5994 isec = selinux_ipc(ipc_perms);
5995
5996 ad.type = LSM_AUDIT_DATA_IPC;
5997 ad.u.ipc_id = ipc_perms->key;
5998
5999 return avc_has_perm(&selinux_state,
6000 sid, isec->sid, isec->sclass, perms, &ad);
6001 }
6002
selinux_msg_msg_alloc_security(struct msg_msg * msg)6003 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6004 {
6005 return msg_msg_alloc_security(msg);
6006 }
6007
6008 /* message queue security operations */
selinux_msg_queue_alloc_security(struct kern_ipc_perm * msq)6009 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6010 {
6011 struct ipc_security_struct *isec;
6012 struct common_audit_data ad;
6013 u32 sid = current_sid();
6014 int rc;
6015
6016 isec = selinux_ipc(msq);
6017 ipc_init_security(isec, SECCLASS_MSGQ);
6018
6019 ad.type = LSM_AUDIT_DATA_IPC;
6020 ad.u.ipc_id = msq->key;
6021
6022 rc = avc_has_perm(&selinux_state,
6023 sid, isec->sid, SECCLASS_MSGQ,
6024 MSGQ__CREATE, &ad);
6025 return rc;
6026 }
6027
selinux_msg_queue_associate(struct kern_ipc_perm * msq,int msqflg)6028 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6029 {
6030 struct ipc_security_struct *isec;
6031 struct common_audit_data ad;
6032 u32 sid = current_sid();
6033
6034 isec = selinux_ipc(msq);
6035
6036 ad.type = LSM_AUDIT_DATA_IPC;
6037 ad.u.ipc_id = msq->key;
6038
6039 return avc_has_perm(&selinux_state,
6040 sid, isec->sid, SECCLASS_MSGQ,
6041 MSGQ__ASSOCIATE, &ad);
6042 }
6043
selinux_msg_queue_msgctl(struct kern_ipc_perm * msq,int cmd)6044 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6045 {
6046 int err;
6047 int perms;
6048
6049 switch (cmd) {
6050 case IPC_INFO:
6051 case MSG_INFO:
6052 /* No specific object, just general system-wide information. */
6053 return avc_has_perm(&selinux_state,
6054 current_sid(), SECINITSID_KERNEL,
6055 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6056 case IPC_STAT:
6057 case MSG_STAT:
6058 case MSG_STAT_ANY:
6059 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6060 break;
6061 case IPC_SET:
6062 perms = MSGQ__SETATTR;
6063 break;
6064 case IPC_RMID:
6065 perms = MSGQ__DESTROY;
6066 break;
6067 default:
6068 return 0;
6069 }
6070
6071 err = ipc_has_perm(msq, perms);
6072 return err;
6073 }
6074
selinux_msg_queue_msgsnd(struct kern_ipc_perm * msq,struct msg_msg * msg,int msqflg)6075 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6076 {
6077 struct ipc_security_struct *isec;
6078 struct msg_security_struct *msec;
6079 struct common_audit_data ad;
6080 u32 sid = current_sid();
6081 int rc;
6082
6083 isec = selinux_ipc(msq);
6084 msec = selinux_msg_msg(msg);
6085
6086 /*
6087 * First time through, need to assign label to the message
6088 */
6089 if (msec->sid == SECINITSID_UNLABELED) {
6090 /*
6091 * Compute new sid based on current process and
6092 * message queue this message will be stored in
6093 */
6094 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6095 SECCLASS_MSG, NULL, &msec->sid);
6096 if (rc)
6097 return rc;
6098 }
6099
6100 ad.type = LSM_AUDIT_DATA_IPC;
6101 ad.u.ipc_id = msq->key;
6102
6103 /* Can this process write to the queue? */
6104 rc = avc_has_perm(&selinux_state,
6105 sid, isec->sid, SECCLASS_MSGQ,
6106 MSGQ__WRITE, &ad);
6107 if (!rc)
6108 /* Can this process send the message */
6109 rc = avc_has_perm(&selinux_state,
6110 sid, msec->sid, SECCLASS_MSG,
6111 MSG__SEND, &ad);
6112 if (!rc)
6113 /* Can the message be put in the queue? */
6114 rc = avc_has_perm(&selinux_state,
6115 msec->sid, isec->sid, SECCLASS_MSGQ,
6116 MSGQ__ENQUEUE, &ad);
6117
6118 return rc;
6119 }
6120
selinux_msg_queue_msgrcv(struct kern_ipc_perm * msq,struct msg_msg * msg,struct task_struct * target,long type,int mode)6121 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6122 struct task_struct *target,
6123 long type, int mode)
6124 {
6125 struct ipc_security_struct *isec;
6126 struct msg_security_struct *msec;
6127 struct common_audit_data ad;
6128 u32 sid = task_sid(target);
6129 int rc;
6130
6131 isec = selinux_ipc(msq);
6132 msec = selinux_msg_msg(msg);
6133
6134 ad.type = LSM_AUDIT_DATA_IPC;
6135 ad.u.ipc_id = msq->key;
6136
6137 rc = avc_has_perm(&selinux_state,
6138 sid, isec->sid,
6139 SECCLASS_MSGQ, MSGQ__READ, &ad);
6140 if (!rc)
6141 rc = avc_has_perm(&selinux_state,
6142 sid, msec->sid,
6143 SECCLASS_MSG, MSG__RECEIVE, &ad);
6144 return rc;
6145 }
6146
6147 /* Shared Memory security operations */
selinux_shm_alloc_security(struct kern_ipc_perm * shp)6148 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6149 {
6150 struct ipc_security_struct *isec;
6151 struct common_audit_data ad;
6152 u32 sid = current_sid();
6153 int rc;
6154
6155 isec = selinux_ipc(shp);
6156 ipc_init_security(isec, SECCLASS_SHM);
6157
6158 ad.type = LSM_AUDIT_DATA_IPC;
6159 ad.u.ipc_id = shp->key;
6160
6161 rc = avc_has_perm(&selinux_state,
6162 sid, isec->sid, SECCLASS_SHM,
6163 SHM__CREATE, &ad);
6164 return rc;
6165 }
6166
selinux_shm_associate(struct kern_ipc_perm * shp,int shmflg)6167 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6168 {
6169 struct ipc_security_struct *isec;
6170 struct common_audit_data ad;
6171 u32 sid = current_sid();
6172
6173 isec = selinux_ipc(shp);
6174
6175 ad.type = LSM_AUDIT_DATA_IPC;
6176 ad.u.ipc_id = shp->key;
6177
6178 return avc_has_perm(&selinux_state,
6179 sid, isec->sid, SECCLASS_SHM,
6180 SHM__ASSOCIATE, &ad);
6181 }
6182
6183 /* Note, at this point, shp is locked down */
selinux_shm_shmctl(struct kern_ipc_perm * shp,int cmd)6184 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6185 {
6186 int perms;
6187 int err;
6188
6189 switch (cmd) {
6190 case IPC_INFO:
6191 case SHM_INFO:
6192 /* No specific object, just general system-wide information. */
6193 return avc_has_perm(&selinux_state,
6194 current_sid(), SECINITSID_KERNEL,
6195 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6196 case IPC_STAT:
6197 case SHM_STAT:
6198 case SHM_STAT_ANY:
6199 perms = SHM__GETATTR | SHM__ASSOCIATE;
6200 break;
6201 case IPC_SET:
6202 perms = SHM__SETATTR;
6203 break;
6204 case SHM_LOCK:
6205 case SHM_UNLOCK:
6206 perms = SHM__LOCK;
6207 break;
6208 case IPC_RMID:
6209 perms = SHM__DESTROY;
6210 break;
6211 default:
6212 return 0;
6213 }
6214
6215 err = ipc_has_perm(shp, perms);
6216 return err;
6217 }
6218
selinux_shm_shmat(struct kern_ipc_perm * shp,char __user * shmaddr,int shmflg)6219 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6220 char __user *shmaddr, int shmflg)
6221 {
6222 u32 perms;
6223
6224 if (shmflg & SHM_RDONLY)
6225 perms = SHM__READ;
6226 else
6227 perms = SHM__READ | SHM__WRITE;
6228
6229 return ipc_has_perm(shp, perms);
6230 }
6231
6232 /* Semaphore security operations */
selinux_sem_alloc_security(struct kern_ipc_perm * sma)6233 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6234 {
6235 struct ipc_security_struct *isec;
6236 struct common_audit_data ad;
6237 u32 sid = current_sid();
6238 int rc;
6239
6240 isec = selinux_ipc(sma);
6241 ipc_init_security(isec, SECCLASS_SEM);
6242
6243 ad.type = LSM_AUDIT_DATA_IPC;
6244 ad.u.ipc_id = sma->key;
6245
6246 rc = avc_has_perm(&selinux_state,
6247 sid, isec->sid, SECCLASS_SEM,
6248 SEM__CREATE, &ad);
6249 return rc;
6250 }
6251
selinux_sem_associate(struct kern_ipc_perm * sma,int semflg)6252 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6253 {
6254 struct ipc_security_struct *isec;
6255 struct common_audit_data ad;
6256 u32 sid = current_sid();
6257
6258 isec = selinux_ipc(sma);
6259
6260 ad.type = LSM_AUDIT_DATA_IPC;
6261 ad.u.ipc_id = sma->key;
6262
6263 return avc_has_perm(&selinux_state,
6264 sid, isec->sid, SECCLASS_SEM,
6265 SEM__ASSOCIATE, &ad);
6266 }
6267
6268 /* Note, at this point, sma is locked down */
selinux_sem_semctl(struct kern_ipc_perm * sma,int cmd)6269 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6270 {
6271 int err;
6272 u32 perms;
6273
6274 switch (cmd) {
6275 case IPC_INFO:
6276 case SEM_INFO:
6277 /* No specific object, just general system-wide information. */
6278 return avc_has_perm(&selinux_state,
6279 current_sid(), SECINITSID_KERNEL,
6280 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6281 case GETPID:
6282 case GETNCNT:
6283 case GETZCNT:
6284 perms = SEM__GETATTR;
6285 break;
6286 case GETVAL:
6287 case GETALL:
6288 perms = SEM__READ;
6289 break;
6290 case SETVAL:
6291 case SETALL:
6292 perms = SEM__WRITE;
6293 break;
6294 case IPC_RMID:
6295 perms = SEM__DESTROY;
6296 break;
6297 case IPC_SET:
6298 perms = SEM__SETATTR;
6299 break;
6300 case IPC_STAT:
6301 case SEM_STAT:
6302 case SEM_STAT_ANY:
6303 perms = SEM__GETATTR | SEM__ASSOCIATE;
6304 break;
6305 default:
6306 return 0;
6307 }
6308
6309 err = ipc_has_perm(sma, perms);
6310 return err;
6311 }
6312
selinux_sem_semop(struct kern_ipc_perm * sma,struct sembuf * sops,unsigned nsops,int alter)6313 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6314 struct sembuf *sops, unsigned nsops, int alter)
6315 {
6316 u32 perms;
6317
6318 if (alter)
6319 perms = SEM__READ | SEM__WRITE;
6320 else
6321 perms = SEM__READ;
6322
6323 return ipc_has_perm(sma, perms);
6324 }
6325
selinux_ipc_permission(struct kern_ipc_perm * ipcp,short flag)6326 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6327 {
6328 u32 av = 0;
6329
6330 av = 0;
6331 if (flag & S_IRUGO)
6332 av |= IPC__UNIX_READ;
6333 if (flag & S_IWUGO)
6334 av |= IPC__UNIX_WRITE;
6335
6336 if (av == 0)
6337 return 0;
6338
6339 return ipc_has_perm(ipcp, av);
6340 }
6341
selinux_ipc_getsecid(struct kern_ipc_perm * ipcp,u32 * secid)6342 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6343 {
6344 struct ipc_security_struct *isec = selinux_ipc(ipcp);
6345 *secid = isec->sid;
6346 }
6347
selinux_d_instantiate(struct dentry * dentry,struct inode * inode)6348 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6349 {
6350 if (inode)
6351 inode_doinit_with_dentry(inode, dentry);
6352 }
6353
selinux_getprocattr(struct task_struct * p,char * name,char ** value)6354 static int selinux_getprocattr(struct task_struct *p,
6355 char *name, char **value)
6356 {
6357 const struct task_security_struct *__tsec;
6358 u32 sid;
6359 int error;
6360 unsigned len;
6361
6362 rcu_read_lock();
6363 __tsec = selinux_cred(__task_cred(p));
6364
6365 if (current != p) {
6366 error = avc_has_perm(&selinux_state,
6367 current_sid(), __tsec->sid,
6368 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6369 if (error)
6370 goto bad;
6371 }
6372
6373 if (!strcmp(name, "current"))
6374 sid = __tsec->sid;
6375 else if (!strcmp(name, "prev"))
6376 sid = __tsec->osid;
6377 else if (!strcmp(name, "exec"))
6378 sid = __tsec->exec_sid;
6379 else if (!strcmp(name, "fscreate"))
6380 sid = __tsec->create_sid;
6381 else if (!strcmp(name, "keycreate"))
6382 sid = __tsec->keycreate_sid;
6383 else if (!strcmp(name, "sockcreate"))
6384 sid = __tsec->sockcreate_sid;
6385 else {
6386 error = -EINVAL;
6387 goto bad;
6388 }
6389 rcu_read_unlock();
6390
6391 if (!sid)
6392 return 0;
6393
6394 error = security_sid_to_context(&selinux_state, sid, value, &len);
6395 if (error)
6396 return error;
6397 return len;
6398
6399 bad:
6400 rcu_read_unlock();
6401 return error;
6402 }
6403
selinux_setprocattr(const char * name,void * value,size_t size)6404 static int selinux_setprocattr(const char *name, void *value, size_t size)
6405 {
6406 struct task_security_struct *tsec;
6407 struct cred *new;
6408 u32 mysid = current_sid(), sid = 0, ptsid;
6409 int error;
6410 char *str = value;
6411
6412 /*
6413 * Basic control over ability to set these attributes at all.
6414 */
6415 if (!strcmp(name, "exec"))
6416 error = avc_has_perm(&selinux_state,
6417 mysid, mysid, SECCLASS_PROCESS,
6418 PROCESS__SETEXEC, NULL);
6419 else if (!strcmp(name, "fscreate"))
6420 error = avc_has_perm(&selinux_state,
6421 mysid, mysid, SECCLASS_PROCESS,
6422 PROCESS__SETFSCREATE, NULL);
6423 else if (!strcmp(name, "keycreate"))
6424 error = avc_has_perm(&selinux_state,
6425 mysid, mysid, SECCLASS_PROCESS,
6426 PROCESS__SETKEYCREATE, NULL);
6427 else if (!strcmp(name, "sockcreate"))
6428 error = avc_has_perm(&selinux_state,
6429 mysid, mysid, SECCLASS_PROCESS,
6430 PROCESS__SETSOCKCREATE, NULL);
6431 else if (!strcmp(name, "current"))
6432 error = avc_has_perm(&selinux_state,
6433 mysid, mysid, SECCLASS_PROCESS,
6434 PROCESS__SETCURRENT, NULL);
6435 else
6436 error = -EINVAL;
6437 if (error)
6438 return error;
6439
6440 /* Obtain a SID for the context, if one was specified. */
6441 if (size && str[0] && str[0] != '\n') {
6442 if (str[size-1] == '\n') {
6443 str[size-1] = 0;
6444 size--;
6445 }
6446 error = security_context_to_sid(&selinux_state, value, size,
6447 &sid, GFP_KERNEL);
6448 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6449 if (!has_cap_mac_admin(true)) {
6450 struct audit_buffer *ab;
6451 size_t audit_size;
6452
6453 /* We strip a nul only if it is at the end, otherwise the
6454 * context contains a nul and we should audit that */
6455 if (str[size - 1] == '\0')
6456 audit_size = size - 1;
6457 else
6458 audit_size = size;
6459 ab = audit_log_start(audit_context(),
6460 GFP_ATOMIC,
6461 AUDIT_SELINUX_ERR);
6462 audit_log_format(ab, "op=fscreate invalid_context=");
6463 audit_log_n_untrustedstring(ab, value, audit_size);
6464 audit_log_end(ab);
6465
6466 return error;
6467 }
6468 error = security_context_to_sid_force(
6469 &selinux_state,
6470 value, size, &sid);
6471 }
6472 if (error)
6473 return error;
6474 }
6475
6476 new = prepare_creds();
6477 if (!new)
6478 return -ENOMEM;
6479
6480 /* Permission checking based on the specified context is
6481 performed during the actual operation (execve,
6482 open/mkdir/...), when we know the full context of the
6483 operation. See selinux_bprm_set_creds for the execve
6484 checks and may_create for the file creation checks. The
6485 operation will then fail if the context is not permitted. */
6486 tsec = selinux_cred(new);
6487 if (!strcmp(name, "exec")) {
6488 tsec->exec_sid = sid;
6489 } else if (!strcmp(name, "fscreate")) {
6490 tsec->create_sid = sid;
6491 } else if (!strcmp(name, "keycreate")) {
6492 if (sid) {
6493 error = avc_has_perm(&selinux_state, mysid, sid,
6494 SECCLASS_KEY, KEY__CREATE, NULL);
6495 if (error)
6496 goto abort_change;
6497 }
6498 tsec->keycreate_sid = sid;
6499 } else if (!strcmp(name, "sockcreate")) {
6500 tsec->sockcreate_sid = sid;
6501 } else if (!strcmp(name, "current")) {
6502 error = -EINVAL;
6503 if (sid == 0)
6504 goto abort_change;
6505
6506 /* Only allow single threaded processes to change context */
6507 error = -EPERM;
6508 if (!current_is_single_threaded()) {
6509 error = security_bounded_transition(&selinux_state,
6510 tsec->sid, sid);
6511 if (error)
6512 goto abort_change;
6513 }
6514
6515 /* Check permissions for the transition. */
6516 error = avc_has_perm(&selinux_state,
6517 tsec->sid, sid, SECCLASS_PROCESS,
6518 PROCESS__DYNTRANSITION, NULL);
6519 if (error)
6520 goto abort_change;
6521
6522 /* Check for ptracing, and update the task SID if ok.
6523 Otherwise, leave SID unchanged and fail. */
6524 ptsid = ptrace_parent_sid();
6525 if (ptsid != 0) {
6526 error = avc_has_perm(&selinux_state,
6527 ptsid, sid, SECCLASS_PROCESS,
6528 PROCESS__PTRACE, NULL);
6529 if (error)
6530 goto abort_change;
6531 }
6532
6533 tsec->sid = sid;
6534 } else {
6535 error = -EINVAL;
6536 goto abort_change;
6537 }
6538
6539 commit_creds(new);
6540 return size;
6541
6542 abort_change:
6543 abort_creds(new);
6544 return error;
6545 }
6546
selinux_ismaclabel(const char * name)6547 static int selinux_ismaclabel(const char *name)
6548 {
6549 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6550 }
6551
selinux_secid_to_secctx(u32 secid,char ** secdata,u32 * seclen)6552 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6553 {
6554 return security_sid_to_context(&selinux_state, secid,
6555 secdata, seclen);
6556 }
6557
selinux_secctx_to_secid(const char * secdata,u32 seclen,u32 * secid)6558 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6559 {
6560 return security_context_to_sid(&selinux_state, secdata, seclen,
6561 secid, GFP_KERNEL);
6562 }
6563
selinux_release_secctx(char * secdata,u32 seclen)6564 static void selinux_release_secctx(char *secdata, u32 seclen)
6565 {
6566 kfree(secdata);
6567 }
6568
selinux_inode_invalidate_secctx(struct inode * inode)6569 static void selinux_inode_invalidate_secctx(struct inode *inode)
6570 {
6571 struct inode_security_struct *isec = selinux_inode(inode);
6572
6573 spin_lock(&isec->lock);
6574 isec->initialized = LABEL_INVALID;
6575 spin_unlock(&isec->lock);
6576 }
6577
6578 /*
6579 * called with inode->i_mutex locked
6580 */
selinux_inode_notifysecctx(struct inode * inode,void * ctx,u32 ctxlen)6581 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6582 {
6583 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6584 ctx, ctxlen, 0);
6585 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6586 return rc == -EOPNOTSUPP ? 0 : rc;
6587 }
6588
6589 /*
6590 * called with inode->i_mutex locked
6591 */
selinux_inode_setsecctx(struct dentry * dentry,void * ctx,u32 ctxlen)6592 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6593 {
6594 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6595 }
6596
selinux_inode_getsecctx(struct inode * inode,void ** ctx,u32 * ctxlen)6597 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6598 {
6599 int len = 0;
6600 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6601 ctx, true);
6602 if (len < 0)
6603 return len;
6604 *ctxlen = len;
6605 return 0;
6606 }
6607 #ifdef CONFIG_KEYS
6608
selinux_key_alloc(struct key * k,const struct cred * cred,unsigned long flags)6609 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6610 unsigned long flags)
6611 {
6612 const struct task_security_struct *tsec;
6613 struct key_security_struct *ksec;
6614
6615 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6616 if (!ksec)
6617 return -ENOMEM;
6618
6619 tsec = selinux_cred(cred);
6620 if (tsec->keycreate_sid)
6621 ksec->sid = tsec->keycreate_sid;
6622 else
6623 ksec->sid = tsec->sid;
6624
6625 k->security = ksec;
6626 return 0;
6627 }
6628
selinux_key_free(struct key * k)6629 static void selinux_key_free(struct key *k)
6630 {
6631 struct key_security_struct *ksec = k->security;
6632
6633 k->security = NULL;
6634 kfree(ksec);
6635 }
6636
selinux_key_permission(key_ref_t key_ref,const struct cred * cred,unsigned perm)6637 static int selinux_key_permission(key_ref_t key_ref,
6638 const struct cred *cred,
6639 unsigned perm)
6640 {
6641 struct key *key;
6642 struct key_security_struct *ksec;
6643 u32 sid;
6644
6645 /* if no specific permissions are requested, we skip the
6646 permission check. No serious, additional covert channels
6647 appear to be created. */
6648 if (perm == 0)
6649 return 0;
6650
6651 sid = cred_sid(cred);
6652
6653 key = key_ref_to_ptr(key_ref);
6654 ksec = key->security;
6655
6656 return avc_has_perm(&selinux_state,
6657 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6658 }
6659
selinux_key_getsecurity(struct key * key,char ** _buffer)6660 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6661 {
6662 struct key_security_struct *ksec = key->security;
6663 char *context = NULL;
6664 unsigned len;
6665 int rc;
6666
6667 rc = security_sid_to_context(&selinux_state, ksec->sid,
6668 &context, &len);
6669 if (!rc)
6670 rc = len;
6671 *_buffer = context;
6672 return rc;
6673 }
6674 #endif
6675
6676 #ifdef CONFIG_SECURITY_INFINIBAND
selinux_ib_pkey_access(void * ib_sec,u64 subnet_prefix,u16 pkey_val)6677 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6678 {
6679 struct common_audit_data ad;
6680 int err;
6681 u32 sid = 0;
6682 struct ib_security_struct *sec = ib_sec;
6683 struct lsm_ibpkey_audit ibpkey;
6684
6685 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6686 if (err)
6687 return err;
6688
6689 ad.type = LSM_AUDIT_DATA_IBPKEY;
6690 ibpkey.subnet_prefix = subnet_prefix;
6691 ibpkey.pkey = pkey_val;
6692 ad.u.ibpkey = &ibpkey;
6693 return avc_has_perm(&selinux_state,
6694 sec->sid, sid,
6695 SECCLASS_INFINIBAND_PKEY,
6696 INFINIBAND_PKEY__ACCESS, &ad);
6697 }
6698
selinux_ib_endport_manage_subnet(void * ib_sec,const char * dev_name,u8 port_num)6699 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6700 u8 port_num)
6701 {
6702 struct common_audit_data ad;
6703 int err;
6704 u32 sid = 0;
6705 struct ib_security_struct *sec = ib_sec;
6706 struct lsm_ibendport_audit ibendport;
6707
6708 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6709 &sid);
6710
6711 if (err)
6712 return err;
6713
6714 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6715 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6716 ibendport.port = port_num;
6717 ad.u.ibendport = &ibendport;
6718 return avc_has_perm(&selinux_state,
6719 sec->sid, sid,
6720 SECCLASS_INFINIBAND_ENDPORT,
6721 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6722 }
6723
selinux_ib_alloc_security(void ** ib_sec)6724 static int selinux_ib_alloc_security(void **ib_sec)
6725 {
6726 struct ib_security_struct *sec;
6727
6728 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6729 if (!sec)
6730 return -ENOMEM;
6731 sec->sid = current_sid();
6732
6733 *ib_sec = sec;
6734 return 0;
6735 }
6736
selinux_ib_free_security(void * ib_sec)6737 static void selinux_ib_free_security(void *ib_sec)
6738 {
6739 kfree(ib_sec);
6740 }
6741 #endif
6742
6743 #ifdef CONFIG_BPF_SYSCALL
selinux_bpf(int cmd,union bpf_attr * attr,unsigned int size)6744 static int selinux_bpf(int cmd, union bpf_attr *attr,
6745 unsigned int size)
6746 {
6747 u32 sid = current_sid();
6748 int ret;
6749
6750 switch (cmd) {
6751 case BPF_MAP_CREATE:
6752 ret = avc_has_perm(&selinux_state,
6753 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6754 NULL);
6755 break;
6756 case BPF_PROG_LOAD:
6757 ret = avc_has_perm(&selinux_state,
6758 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6759 NULL);
6760 break;
6761 default:
6762 ret = 0;
6763 break;
6764 }
6765
6766 return ret;
6767 }
6768
bpf_map_fmode_to_av(fmode_t fmode)6769 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6770 {
6771 u32 av = 0;
6772
6773 if (fmode & FMODE_READ)
6774 av |= BPF__MAP_READ;
6775 if (fmode & FMODE_WRITE)
6776 av |= BPF__MAP_WRITE;
6777 return av;
6778 }
6779
6780 /* This function will check the file pass through unix socket or binder to see
6781 * if it is a bpf related object. And apply correspinding checks on the bpf
6782 * object based on the type. The bpf maps and programs, not like other files and
6783 * socket, are using a shared anonymous inode inside the kernel as their inode.
6784 * So checking that inode cannot identify if the process have privilege to
6785 * access the bpf object and that's why we have to add this additional check in
6786 * selinux_file_receive and selinux_binder_transfer_files.
6787 */
bpf_fd_pass(struct file * file,u32 sid)6788 static int bpf_fd_pass(struct file *file, u32 sid)
6789 {
6790 struct bpf_security_struct *bpfsec;
6791 struct bpf_prog *prog;
6792 struct bpf_map *map;
6793 int ret;
6794
6795 if (file->f_op == &bpf_map_fops) {
6796 map = file->private_data;
6797 bpfsec = map->security;
6798 ret = avc_has_perm(&selinux_state,
6799 sid, bpfsec->sid, SECCLASS_BPF,
6800 bpf_map_fmode_to_av(file->f_mode), NULL);
6801 if (ret)
6802 return ret;
6803 } else if (file->f_op == &bpf_prog_fops) {
6804 prog = file->private_data;
6805 bpfsec = prog->aux->security;
6806 ret = avc_has_perm(&selinux_state,
6807 sid, bpfsec->sid, SECCLASS_BPF,
6808 BPF__PROG_RUN, NULL);
6809 if (ret)
6810 return ret;
6811 }
6812 return 0;
6813 }
6814
selinux_bpf_map(struct bpf_map * map,fmode_t fmode)6815 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6816 {
6817 u32 sid = current_sid();
6818 struct bpf_security_struct *bpfsec;
6819
6820 bpfsec = map->security;
6821 return avc_has_perm(&selinux_state,
6822 sid, bpfsec->sid, SECCLASS_BPF,
6823 bpf_map_fmode_to_av(fmode), NULL);
6824 }
6825
selinux_bpf_prog(struct bpf_prog * prog)6826 static int selinux_bpf_prog(struct bpf_prog *prog)
6827 {
6828 u32 sid = current_sid();
6829 struct bpf_security_struct *bpfsec;
6830
6831 bpfsec = prog->aux->security;
6832 return avc_has_perm(&selinux_state,
6833 sid, bpfsec->sid, SECCLASS_BPF,
6834 BPF__PROG_RUN, NULL);
6835 }
6836
selinux_bpf_map_alloc(struct bpf_map * map)6837 static int selinux_bpf_map_alloc(struct bpf_map *map)
6838 {
6839 struct bpf_security_struct *bpfsec;
6840
6841 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6842 if (!bpfsec)
6843 return -ENOMEM;
6844
6845 bpfsec->sid = current_sid();
6846 map->security = bpfsec;
6847
6848 return 0;
6849 }
6850
selinux_bpf_map_free(struct bpf_map * map)6851 static void selinux_bpf_map_free(struct bpf_map *map)
6852 {
6853 struct bpf_security_struct *bpfsec = map->security;
6854
6855 map->security = NULL;
6856 kfree(bpfsec);
6857 }
6858
selinux_bpf_prog_alloc(struct bpf_prog_aux * aux)6859 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6860 {
6861 struct bpf_security_struct *bpfsec;
6862
6863 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6864 if (!bpfsec)
6865 return -ENOMEM;
6866
6867 bpfsec->sid = current_sid();
6868 aux->security = bpfsec;
6869
6870 return 0;
6871 }
6872
selinux_bpf_prog_free(struct bpf_prog_aux * aux)6873 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6874 {
6875 struct bpf_security_struct *bpfsec = aux->security;
6876
6877 aux->security = NULL;
6878 kfree(bpfsec);
6879 }
6880 #endif
6881
6882 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6883 .lbs_cred = sizeof(struct task_security_struct),
6884 .lbs_file = sizeof(struct file_security_struct),
6885 .lbs_inode = sizeof(struct inode_security_struct),
6886 .lbs_ipc = sizeof(struct ipc_security_struct),
6887 .lbs_msg_msg = sizeof(struct msg_security_struct),
6888 };
6889
6890 #ifdef CONFIG_PERF_EVENTS
selinux_perf_event_open(struct perf_event_attr * attr,int type)6891 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6892 {
6893 u32 requested, sid = current_sid();
6894
6895 if (type == PERF_SECURITY_OPEN)
6896 requested = PERF_EVENT__OPEN;
6897 else if (type == PERF_SECURITY_CPU)
6898 requested = PERF_EVENT__CPU;
6899 else if (type == PERF_SECURITY_KERNEL)
6900 requested = PERF_EVENT__KERNEL;
6901 else if (type == PERF_SECURITY_TRACEPOINT)
6902 requested = PERF_EVENT__TRACEPOINT;
6903 else
6904 return -EINVAL;
6905
6906 return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6907 requested, NULL);
6908 }
6909
selinux_perf_event_alloc(struct perf_event * event)6910 static int selinux_perf_event_alloc(struct perf_event *event)
6911 {
6912 struct perf_event_security_struct *perfsec;
6913
6914 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6915 if (!perfsec)
6916 return -ENOMEM;
6917
6918 perfsec->sid = current_sid();
6919 event->security = perfsec;
6920
6921 return 0;
6922 }
6923
selinux_perf_event_free(struct perf_event * event)6924 static void selinux_perf_event_free(struct perf_event *event)
6925 {
6926 struct perf_event_security_struct *perfsec = event->security;
6927
6928 event->security = NULL;
6929 kfree(perfsec);
6930 }
6931
selinux_perf_event_read(struct perf_event * event)6932 static int selinux_perf_event_read(struct perf_event *event)
6933 {
6934 struct perf_event_security_struct *perfsec = event->security;
6935 u32 sid = current_sid();
6936
6937 return avc_has_perm(&selinux_state, sid, perfsec->sid,
6938 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6939 }
6940
selinux_perf_event_write(struct perf_event * event)6941 static int selinux_perf_event_write(struct perf_event *event)
6942 {
6943 struct perf_event_security_struct *perfsec = event->security;
6944 u32 sid = current_sid();
6945
6946 return avc_has_perm(&selinux_state, sid, perfsec->sid,
6947 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6948 }
6949 #endif
6950
6951 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6952 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6953 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6954 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6955 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6956
6957 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6958 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6959 LSM_HOOK_INIT(capget, selinux_capget),
6960 LSM_HOOK_INIT(capset, selinux_capset),
6961 LSM_HOOK_INIT(capable, selinux_capable),
6962 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6963 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6964 LSM_HOOK_INIT(syslog, selinux_syslog),
6965 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6966
6967 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6968
6969 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6970 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6971 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6972
6973 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
6974 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
6975
6976 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6977 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6978 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
6979 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6980 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6981 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6982 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6983 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6984 LSM_HOOK_INIT(sb_mount, selinux_mount),
6985 LSM_HOOK_INIT(sb_umount, selinux_umount),
6986 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6987 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6988 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
6989
6990 LSM_HOOK_INIT(move_mount, selinux_move_mount),
6991
6992 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6993 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6994
6995 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6996 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6997 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6998 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6999 LSM_HOOK_INIT(inode_link, selinux_inode_link),
7000 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7001 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7002 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7003 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7004 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7005 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7006 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7007 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7008 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7009 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7010 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7011 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7012 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7013 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7014 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7015 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7016 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7017 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7018 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7019 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7020 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7021 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7022 LSM_HOOK_INIT(path_notify, selinux_path_notify),
7023
7024 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7025
7026 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7027 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7028 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7029 LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
7030 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7031 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7032 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7033 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7034 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7035 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7036 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7037 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7038
7039 LSM_HOOK_INIT(file_open, selinux_file_open),
7040
7041 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7042 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7043 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7044 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7045 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7046 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7047 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7048 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7049 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7050 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7051 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7052 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7053 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
7054 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7055 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7056 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7057 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7058 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7059 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7060 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7061 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7062 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7063 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7064
7065 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7066 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7067
7068 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7069
7070 LSM_HOOK_INIT(msg_queue_alloc_security,
7071 selinux_msg_queue_alloc_security),
7072 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7073 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7074 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7075 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7076
7077 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7078 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7079 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7080 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7081
7082 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7083 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7084 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7085 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7086
7087 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7088
7089 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7090 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7091
7092 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7093 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7094 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7095 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7096 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7097 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7098 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7099 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7100
7101 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7102 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7103
7104 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7105 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7106 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7107 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7108 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7109 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7110 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7111 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7112 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7113 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7114 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7115 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7116 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7117 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7118 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7119 LSM_HOOK_INIT(socket_getpeersec_stream,
7120 selinux_socket_getpeersec_stream),
7121 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7122 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7123 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7124 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7125 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7126 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7127 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7128 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7129 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7130 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7131 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7132 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7133 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7134 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7135 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7136 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7137 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7138 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7139 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7140 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7141 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7142 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7143 #ifdef CONFIG_SECURITY_INFINIBAND
7144 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7145 LSM_HOOK_INIT(ib_endport_manage_subnet,
7146 selinux_ib_endport_manage_subnet),
7147 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7148 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7149 #endif
7150 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7151 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7152 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7153 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7154 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7155 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7156 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7157 selinux_xfrm_state_alloc_acquire),
7158 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7159 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7160 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7161 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7162 selinux_xfrm_state_pol_flow_match),
7163 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7164 #endif
7165
7166 #ifdef CONFIG_KEYS
7167 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7168 LSM_HOOK_INIT(key_free, selinux_key_free),
7169 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7170 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7171 #endif
7172
7173 #ifdef CONFIG_AUDIT
7174 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7175 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7176 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7177 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7178 #endif
7179
7180 #ifdef CONFIG_BPF_SYSCALL
7181 LSM_HOOK_INIT(bpf, selinux_bpf),
7182 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7183 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7184 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7185 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7186 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7187 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7188 #endif
7189
7190 #ifdef CONFIG_PERF_EVENTS
7191 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7192 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7193 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7194 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7195 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7196 #endif
7197 };
7198
selinux_init(void)7199 static __init int selinux_init(void)
7200 {
7201 pr_info("SELinux: Initializing.\n");
7202
7203 memset(&selinux_state, 0, sizeof(selinux_state));
7204 enforcing_set(&selinux_state, selinux_enforcing_boot);
7205 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7206 selinux_ss_init(&selinux_state.ss);
7207 selinux_avc_init(&selinux_state.avc);
7208
7209 /* Set the security state for the initial task. */
7210 cred_init_security();
7211
7212 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7213
7214 avc_init();
7215
7216 avtab_cache_init();
7217
7218 ebitmap_cache_init();
7219
7220 hashtab_cache_init();
7221
7222 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7223
7224 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7225 panic("SELinux: Unable to register AVC netcache callback\n");
7226
7227 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7228 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7229
7230 if (selinux_enforcing_boot)
7231 pr_debug("SELinux: Starting in enforcing mode\n");
7232 else
7233 pr_debug("SELinux: Starting in permissive mode\n");
7234
7235 fs_validate_description(&selinux_fs_parameters);
7236
7237 return 0;
7238 }
7239
delayed_superblock_init(struct super_block * sb,void * unused)7240 static void delayed_superblock_init(struct super_block *sb, void *unused)
7241 {
7242 selinux_set_mnt_opts(sb, NULL, 0, NULL);
7243 }
7244
selinux_complete_init(void)7245 void selinux_complete_init(void)
7246 {
7247 pr_debug("SELinux: Completing initialization.\n");
7248
7249 /* Set up any superblocks initialized prior to the policy load. */
7250 pr_debug("SELinux: Setting up existing superblocks.\n");
7251 iterate_supers(delayed_superblock_init, NULL);
7252 }
7253
7254 /* SELinux requires early initialization in order to label
7255 all processes and objects when they are created. */
7256 DEFINE_LSM(selinux) = {
7257 .name = "selinux",
7258 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7259 .enabled = &selinux_enabled,
7260 .blobs = &selinux_blob_sizes,
7261 .init = selinux_init,
7262 };
7263
7264 #if defined(CONFIG_NETFILTER)
7265
7266 static const struct nf_hook_ops selinux_nf_ops[] = {
7267 {
7268 .hook = selinux_ipv4_postroute,
7269 .pf = NFPROTO_IPV4,
7270 .hooknum = NF_INET_POST_ROUTING,
7271 .priority = NF_IP_PRI_SELINUX_LAST,
7272 },
7273 {
7274 .hook = selinux_ipv4_forward,
7275 .pf = NFPROTO_IPV4,
7276 .hooknum = NF_INET_FORWARD,
7277 .priority = NF_IP_PRI_SELINUX_FIRST,
7278 },
7279 {
7280 .hook = selinux_ipv4_output,
7281 .pf = NFPROTO_IPV4,
7282 .hooknum = NF_INET_LOCAL_OUT,
7283 .priority = NF_IP_PRI_SELINUX_FIRST,
7284 },
7285 #if IS_ENABLED(CONFIG_IPV6)
7286 {
7287 .hook = selinux_ipv6_postroute,
7288 .pf = NFPROTO_IPV6,
7289 .hooknum = NF_INET_POST_ROUTING,
7290 .priority = NF_IP6_PRI_SELINUX_LAST,
7291 },
7292 {
7293 .hook = selinux_ipv6_forward,
7294 .pf = NFPROTO_IPV6,
7295 .hooknum = NF_INET_FORWARD,
7296 .priority = NF_IP6_PRI_SELINUX_FIRST,
7297 },
7298 {
7299 .hook = selinux_ipv6_output,
7300 .pf = NFPROTO_IPV6,
7301 .hooknum = NF_INET_LOCAL_OUT,
7302 .priority = NF_IP6_PRI_SELINUX_FIRST,
7303 },
7304 #endif /* IPV6 */
7305 };
7306
selinux_nf_register(struct net * net)7307 static int __net_init selinux_nf_register(struct net *net)
7308 {
7309 return nf_register_net_hooks(net, selinux_nf_ops,
7310 ARRAY_SIZE(selinux_nf_ops));
7311 }
7312
selinux_nf_unregister(struct net * net)7313 static void __net_exit selinux_nf_unregister(struct net *net)
7314 {
7315 nf_unregister_net_hooks(net, selinux_nf_ops,
7316 ARRAY_SIZE(selinux_nf_ops));
7317 }
7318
7319 static struct pernet_operations selinux_net_ops = {
7320 .init = selinux_nf_register,
7321 .exit = selinux_nf_unregister,
7322 };
7323
selinux_nf_ip_init(void)7324 static int __init selinux_nf_ip_init(void)
7325 {
7326 int err;
7327
7328 if (!selinux_enabled)
7329 return 0;
7330
7331 pr_debug("SELinux: Registering netfilter hooks\n");
7332
7333 err = register_pernet_subsys(&selinux_net_ops);
7334 if (err)
7335 panic("SELinux: register_pernet_subsys: error %d\n", err);
7336
7337 return 0;
7338 }
7339 __initcall(selinux_nf_ip_init);
7340
7341 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_nf_ip_exit(void)7342 static void selinux_nf_ip_exit(void)
7343 {
7344 pr_debug("SELinux: Unregistering netfilter hooks\n");
7345
7346 unregister_pernet_subsys(&selinux_net_ops);
7347 }
7348 #endif
7349
7350 #else /* CONFIG_NETFILTER */
7351
7352 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7353 #define selinux_nf_ip_exit()
7354 #endif
7355
7356 #endif /* CONFIG_NETFILTER */
7357
7358 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_disable(struct selinux_state * state)7359 int selinux_disable(struct selinux_state *state)
7360 {
7361 if (state->initialized) {
7362 /* Not permitted after initial policy load. */
7363 return -EINVAL;
7364 }
7365
7366 if (state->disabled) {
7367 /* Only do this once. */
7368 return -EINVAL;
7369 }
7370
7371 state->disabled = 1;
7372
7373 pr_info("SELinux: Disabled at runtime.\n");
7374
7375 selinux_enabled = 0;
7376
7377 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7378
7379 /* Try to destroy the avc node cache */
7380 avc_disable();
7381
7382 /* Unregister netfilter hooks. */
7383 selinux_nf_ip_exit();
7384
7385 /* Unregister selinuxfs. */
7386 exit_sel_fs();
7387
7388 return 0;
7389 }
7390 #endif
7391