1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
25 */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
91
92 #include "avc.h"
93 #include "objsec.h"
94 #include "netif.h"
95 #include "netnode.h"
96 #include "netport.h"
97 #include "ibpkey.h"
98 #include "xfrm.h"
99 #include "netlabel.h"
100 #include "audit.h"
101 #include "avc_ss.h"
102
103 struct selinux_state selinux_state;
104
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
107
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
110
enforcing_setup(char * str)111 static int __init enforcing_setup(char *str)
112 {
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
116 return 1;
117 }
118 __setup("enforcing=", enforcing_setup);
119 #else
120 #define selinux_enforcing_boot 1
121 #endif
122
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125
selinux_enabled_setup(char * str)126 static int __init selinux_enabled_setup(char *str)
127 {
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
131 return 1;
132 }
133 __setup("selinux=", selinux_enabled_setup);
134 #else
135 int selinux_enabled = 1;
136 #endif
137
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
checkreqprot_setup(char * str)141 static int __init checkreqprot_setup(char *str)
142 {
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
153
154 /**
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156 *
157 * Description:
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
163 *
164 */
selinux_secmark_enabled(void)165 static int selinux_secmark_enabled(void)
166 {
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
169 }
170
171 /**
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173 *
174 * Description:
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
179 *
180 */
selinux_peerlbl_enabled(void)181 static int selinux_peerlbl_enabled(void)
182 {
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
185 }
186
selinux_netcache_avc_callback(u32 event)187 static int selinux_netcache_avc_callback(u32 event)
188 {
189 if (event == AVC_CALLBACK_RESET) {
190 sel_netif_flush();
191 sel_netnode_flush();
192 sel_netport_flush();
193 synchronize_net();
194 }
195 return 0;
196 }
197
selinux_lsm_notifier_avc_callback(u32 event)198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200 if (event == AVC_CALLBACK_RESET) {
201 sel_ib_pkey_flush();
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 }
204
205 return 0;
206 }
207
208 /*
209 * initialise the security for the init task
210 */
cred_init_security(void)211 static void cred_init_security(void)
212 {
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
215
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
217 if (!tsec)
218 panic("SELinux: Failed to initialize initial task.\n");
219
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
222 }
223
224 /*
225 * get the security ID of a set of credentials
226 */
cred_sid(const struct cred * cred)227 static inline u32 cred_sid(const struct cred *cred)
228 {
229 const struct task_security_struct *tsec;
230
231 tsec = cred->security;
232 return tsec->sid;
233 }
234
235 /*
236 * get the objective security ID of a task
237 */
task_sid(const struct task_struct * task)238 static inline u32 task_sid(const struct task_struct *task)
239 {
240 u32 sid;
241
242 rcu_read_lock();
243 sid = cred_sid(__task_cred(task));
244 rcu_read_unlock();
245 return sid;
246 }
247
248 /* Allocate and free functions for each kind of security blob. */
249
inode_alloc_security(struct inode * inode)250 static int inode_alloc_security(struct inode *inode)
251 {
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
254
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
256 if (!isec)
257 return -ENOMEM;
258
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
261 isec->inode = inode;
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
267
268 return 0;
269 }
270
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
272
273 /*
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @dentry parameter should be set to a dentry of the inode.
278 */
__inode_security_revalidate(struct inode * inode,struct dentry * dentry,bool may_sleep)279 static int __inode_security_revalidate(struct inode *inode,
280 struct dentry *dentry,
281 bool may_sleep)
282 {
283 struct inode_security_struct *isec = inode->i_security;
284
285 might_sleep_if(may_sleep);
286
287 if (selinux_state.initialized &&
288 isec->initialized != LABEL_INITIALIZED) {
289 if (!may_sleep)
290 return -ECHILD;
291
292 /*
293 * Try reloading the inode security label. This will fail if
294 * @opt_dentry is NULL and no dentry for this inode can be
295 * found; in that case, continue using the old label.
296 */
297 inode_doinit_with_dentry(inode, dentry);
298 }
299 return 0;
300 }
301
inode_security_novalidate(struct inode * inode)302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
303 {
304 return inode->i_security;
305 }
306
inode_security_rcu(struct inode * inode,bool rcu)307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
308 {
309 int error;
310
311 error = __inode_security_revalidate(inode, NULL, !rcu);
312 if (error)
313 return ERR_PTR(error);
314 return inode->i_security;
315 }
316
317 /*
318 * Get the security label of an inode.
319 */
inode_security(struct inode * inode)320 static struct inode_security_struct *inode_security(struct inode *inode)
321 {
322 __inode_security_revalidate(inode, NULL, true);
323 return inode->i_security;
324 }
325
backing_inode_security_novalidate(struct dentry * dentry)326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
327 {
328 struct inode *inode = d_backing_inode(dentry);
329
330 return inode->i_security;
331 }
332
333 /*
334 * Get the security label of a dentry's backing inode.
335 */
backing_inode_security(struct dentry * dentry)336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
337 {
338 struct inode *inode = d_backing_inode(dentry);
339
340 __inode_security_revalidate(inode, dentry, true);
341 return inode->i_security;
342 }
343
inode_free_rcu(struct rcu_head * head)344 static void inode_free_rcu(struct rcu_head *head)
345 {
346 struct inode_security_struct *isec;
347
348 isec = container_of(head, struct inode_security_struct, rcu);
349 kmem_cache_free(sel_inode_cache, isec);
350 }
351
inode_free_security(struct inode * inode)352 static void inode_free_security(struct inode *inode)
353 {
354 struct inode_security_struct *isec = inode->i_security;
355 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
356
357 /*
358 * As not all inode security structures are in a list, we check for
359 * empty list outside of the lock to make sure that we won't waste
360 * time taking a lock doing nothing.
361 *
362 * The list_del_init() function can be safely called more than once.
363 * It should not be possible for this function to be called with
364 * concurrent list_add(), but for better safety against future changes
365 * in the code, we use list_empty_careful() here.
366 */
367 if (!list_empty_careful(&isec->list)) {
368 spin_lock(&sbsec->isec_lock);
369 list_del_init(&isec->list);
370 spin_unlock(&sbsec->isec_lock);
371 }
372
373 /*
374 * The inode may still be referenced in a path walk and
375 * a call to selinux_inode_permission() can be made
376 * after inode_free_security() is called. Ideally, the VFS
377 * wouldn't do this, but fixing that is a much harder
378 * job. For now, simply free the i_security via RCU, and
379 * leave the current inode->i_security pointer intact.
380 * The inode will be freed after the RCU grace period too.
381 */
382 call_rcu(&isec->rcu, inode_free_rcu);
383 }
384
file_alloc_security(struct file * file)385 static int file_alloc_security(struct file *file)
386 {
387 struct file_security_struct *fsec;
388 u32 sid = current_sid();
389
390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
391 if (!fsec)
392 return -ENOMEM;
393
394 fsec->sid = sid;
395 fsec->fown_sid = sid;
396 file->f_security = fsec;
397
398 return 0;
399 }
400
file_free_security(struct file * file)401 static void file_free_security(struct file *file)
402 {
403 struct file_security_struct *fsec = file->f_security;
404 file->f_security = NULL;
405 kmem_cache_free(file_security_cache, fsec);
406 }
407
superblock_alloc_security(struct super_block * sb)408 static int superblock_alloc_security(struct super_block *sb)
409 {
410 struct superblock_security_struct *sbsec;
411
412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
413 if (!sbsec)
414 return -ENOMEM;
415
416 mutex_init(&sbsec->lock);
417 INIT_LIST_HEAD(&sbsec->isec_head);
418 spin_lock_init(&sbsec->isec_lock);
419 sbsec->sb = sb;
420 sbsec->sid = SECINITSID_UNLABELED;
421 sbsec->def_sid = SECINITSID_FILE;
422 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423 sb->s_security = sbsec;
424
425 return 0;
426 }
427
superblock_free_security(struct super_block * sb)428 static void superblock_free_security(struct super_block *sb)
429 {
430 struct superblock_security_struct *sbsec = sb->s_security;
431 sb->s_security = NULL;
432 kfree(sbsec);
433 }
434
inode_doinit(struct inode * inode)435 static inline int inode_doinit(struct inode *inode)
436 {
437 return inode_doinit_with_dentry(inode, NULL);
438 }
439
440 enum {
441 Opt_error = -1,
442 Opt_context = 1,
443 Opt_fscontext = 2,
444 Opt_defcontext = 3,
445 Opt_rootcontext = 4,
446 Opt_labelsupport = 5,
447 Opt_nextmntopt = 6,
448 };
449
450 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
451
452 static const match_table_t tokens = {
453 {Opt_context, CONTEXT_STR "%s"},
454 {Opt_fscontext, FSCONTEXT_STR "%s"},
455 {Opt_defcontext, DEFCONTEXT_STR "%s"},
456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457 {Opt_labelsupport, LABELSUPP_STR},
458 {Opt_error, NULL},
459 };
460
461 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
462
may_context_mount_sb_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)463 static int may_context_mount_sb_relabel(u32 sid,
464 struct superblock_security_struct *sbsec,
465 const struct cred *cred)
466 {
467 const struct task_security_struct *tsec = cred->security;
468 int rc;
469
470 rc = avc_has_perm(&selinux_state,
471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 FILESYSTEM__RELABELFROM, NULL);
473 if (rc)
474 return rc;
475
476 rc = avc_has_perm(&selinux_state,
477 tsec->sid, sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__RELABELTO, NULL);
479 return rc;
480 }
481
may_context_mount_inode_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)482 static int may_context_mount_inode_relabel(u32 sid,
483 struct superblock_security_struct *sbsec,
484 const struct cred *cred)
485 {
486 const struct task_security_struct *tsec = cred->security;
487 int rc;
488 rc = avc_has_perm(&selinux_state,
489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 FILESYSTEM__RELABELFROM, NULL);
491 if (rc)
492 return rc;
493
494 rc = avc_has_perm(&selinux_state,
495 sid, sbsec->sid, SECCLASS_FILESYSTEM,
496 FILESYSTEM__ASSOCIATE, NULL);
497 return rc;
498 }
499
selinux_is_sblabel_mnt(struct super_block * sb)500 static int selinux_is_sblabel_mnt(struct super_block *sb)
501 {
502 struct superblock_security_struct *sbsec = sb->s_security;
503
504 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
505 sbsec->behavior == SECURITY_FS_USE_TRANS ||
506 sbsec->behavior == SECURITY_FS_USE_TASK ||
507 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
508 /* Special handling. Genfs but also in-core setxattr handler */
509 !strcmp(sb->s_type->name, "sysfs") ||
510 !strcmp(sb->s_type->name, "pstore") ||
511 !strcmp(sb->s_type->name, "debugfs") ||
512 !strcmp(sb->s_type->name, "tracefs") ||
513 !strcmp(sb->s_type->name, "rootfs") ||
514 (selinux_policycap_cgroupseclabel() &&
515 (!strcmp(sb->s_type->name, "cgroup") ||
516 !strcmp(sb->s_type->name, "cgroup2")));
517 }
518
sb_finish_set_opts(struct super_block * sb)519 static int sb_finish_set_opts(struct super_block *sb)
520 {
521 struct superblock_security_struct *sbsec = sb->s_security;
522 struct dentry *root = sb->s_root;
523 struct inode *root_inode = d_backing_inode(root);
524 int rc = 0;
525
526 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
527 /* Make sure that the xattr handler exists and that no
528 error other than -ENODATA is returned by getxattr on
529 the root directory. -ENODATA is ok, as this may be
530 the first boot of the SELinux kernel before we have
531 assigned xattr values to the filesystem. */
532 if (!(root_inode->i_opflags & IOP_XATTR)) {
533 pr_warn("SELinux: (dev %s, type %s) has no "
534 "xattr support\n", sb->s_id, sb->s_type->name);
535 rc = -EOPNOTSUPP;
536 goto out;
537 }
538
539 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
540 if (rc < 0 && rc != -ENODATA) {
541 if (rc == -EOPNOTSUPP)
542 pr_warn("SELinux: (dev %s, type "
543 "%s) has no security xattr handler\n",
544 sb->s_id, sb->s_type->name);
545 else
546 pr_warn("SELinux: (dev %s, type "
547 "%s) getxattr errno %d\n", sb->s_id,
548 sb->s_type->name, -rc);
549 goto out;
550 }
551 }
552
553 sbsec->flags |= SE_SBINITIALIZED;
554
555 /*
556 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
557 * leave the flag untouched because sb_clone_mnt_opts might be handing
558 * us a superblock that needs the flag to be cleared.
559 */
560 if (selinux_is_sblabel_mnt(sb))
561 sbsec->flags |= SBLABEL_MNT;
562 else
563 sbsec->flags &= ~SBLABEL_MNT;
564
565 /* Initialize the root inode. */
566 rc = inode_doinit_with_dentry(root_inode, root);
567
568 /* Initialize any other inodes associated with the superblock, e.g.
569 inodes created prior to initial policy load or inodes created
570 during get_sb by a pseudo filesystem that directly
571 populates itself. */
572 spin_lock(&sbsec->isec_lock);
573 next_inode:
574 if (!list_empty(&sbsec->isec_head)) {
575 struct inode_security_struct *isec =
576 list_entry(sbsec->isec_head.next,
577 struct inode_security_struct, list);
578 struct inode *inode = isec->inode;
579 list_del_init(&isec->list);
580 spin_unlock(&sbsec->isec_lock);
581 inode = igrab(inode);
582 if (inode) {
583 if (!IS_PRIVATE(inode))
584 inode_doinit(inode);
585 iput(inode);
586 }
587 spin_lock(&sbsec->isec_lock);
588 goto next_inode;
589 }
590 spin_unlock(&sbsec->isec_lock);
591 out:
592 return rc;
593 }
594
595 /*
596 * This function should allow an FS to ask what it's mount security
597 * options were so it can use those later for submounts, displaying
598 * mount options, or whatever.
599 */
selinux_get_mnt_opts(const struct super_block * sb,struct security_mnt_opts * opts)600 static int selinux_get_mnt_opts(const struct super_block *sb,
601 struct security_mnt_opts *opts)
602 {
603 int rc = 0, i;
604 struct superblock_security_struct *sbsec = sb->s_security;
605 char *context = NULL;
606 u32 len;
607 char tmp;
608
609 security_init_mnt_opts(opts);
610
611 if (!(sbsec->flags & SE_SBINITIALIZED))
612 return -EINVAL;
613
614 if (!selinux_state.initialized)
615 return -EINVAL;
616
617 /* make sure we always check enough bits to cover the mask */
618 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
619
620 tmp = sbsec->flags & SE_MNTMASK;
621 /* count the number of mount options for this sb */
622 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
623 if (tmp & 0x01)
624 opts->num_mnt_opts++;
625 tmp >>= 1;
626 }
627 /* Check if the Label support flag is set */
628 if (sbsec->flags & SBLABEL_MNT)
629 opts->num_mnt_opts++;
630
631 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
632 if (!opts->mnt_opts) {
633 rc = -ENOMEM;
634 goto out_free;
635 }
636
637 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
638 if (!opts->mnt_opts_flags) {
639 rc = -ENOMEM;
640 goto out_free;
641 }
642
643 i = 0;
644 if (sbsec->flags & FSCONTEXT_MNT) {
645 rc = security_sid_to_context(&selinux_state, sbsec->sid,
646 &context, &len);
647 if (rc)
648 goto out_free;
649 opts->mnt_opts[i] = context;
650 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
651 }
652 if (sbsec->flags & CONTEXT_MNT) {
653 rc = security_sid_to_context(&selinux_state,
654 sbsec->mntpoint_sid,
655 &context, &len);
656 if (rc)
657 goto out_free;
658 opts->mnt_opts[i] = context;
659 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
660 }
661 if (sbsec->flags & DEFCONTEXT_MNT) {
662 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
663 &context, &len);
664 if (rc)
665 goto out_free;
666 opts->mnt_opts[i] = context;
667 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
668 }
669 if (sbsec->flags & ROOTCONTEXT_MNT) {
670 struct dentry *root = sbsec->sb->s_root;
671 struct inode_security_struct *isec = backing_inode_security(root);
672
673 rc = security_sid_to_context(&selinux_state, isec->sid,
674 &context, &len);
675 if (rc)
676 goto out_free;
677 opts->mnt_opts[i] = context;
678 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
679 }
680 if (sbsec->flags & SBLABEL_MNT) {
681 opts->mnt_opts[i] = NULL;
682 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
683 }
684
685 BUG_ON(i != opts->num_mnt_opts);
686
687 return 0;
688
689 out_free:
690 security_free_mnt_opts(opts);
691 return rc;
692 }
693
bad_option(struct superblock_security_struct * sbsec,char flag,u32 old_sid,u32 new_sid)694 static int bad_option(struct superblock_security_struct *sbsec, char flag,
695 u32 old_sid, u32 new_sid)
696 {
697 char mnt_flags = sbsec->flags & SE_MNTMASK;
698
699 /* check if the old mount command had the same options */
700 if (sbsec->flags & SE_SBINITIALIZED)
701 if (!(sbsec->flags & flag) ||
702 (old_sid != new_sid))
703 return 1;
704
705 /* check if we were passed the same options twice,
706 * aka someone passed context=a,context=b
707 */
708 if (!(sbsec->flags & SE_SBINITIALIZED))
709 if (mnt_flags & flag)
710 return 1;
711 return 0;
712 }
713
714 /*
715 * Allow filesystems with binary mount data to explicitly set mount point
716 * labeling information.
717 */
selinux_set_mnt_opts(struct super_block * sb,struct security_mnt_opts * opts,unsigned long kern_flags,unsigned long * set_kern_flags)718 static int selinux_set_mnt_opts(struct super_block *sb,
719 struct security_mnt_opts *opts,
720 unsigned long kern_flags,
721 unsigned long *set_kern_flags)
722 {
723 const struct cred *cred = current_cred();
724 int rc = 0, i;
725 struct superblock_security_struct *sbsec = sb->s_security;
726 const char *name = sb->s_type->name;
727 struct dentry *root = sbsec->sb->s_root;
728 struct inode_security_struct *root_isec;
729 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
730 u32 defcontext_sid = 0;
731 char **mount_options = opts->mnt_opts;
732 int *flags = opts->mnt_opts_flags;
733 int num_opts = opts->num_mnt_opts;
734
735 mutex_lock(&sbsec->lock);
736
737 if (!selinux_state.initialized) {
738 if (!num_opts) {
739 /* Defer initialization until selinux_complete_init,
740 after the initial policy is loaded and the security
741 server is ready to handle calls. */
742 goto out;
743 }
744 rc = -EINVAL;
745 pr_warn("SELinux: Unable to set superblock options "
746 "before the security server is initialized\n");
747 goto out;
748 }
749 if (kern_flags && !set_kern_flags) {
750 /* Specifying internal flags without providing a place to
751 * place the results is not allowed */
752 rc = -EINVAL;
753 goto out;
754 }
755
756 /*
757 * Binary mount data FS will come through this function twice. Once
758 * from an explicit call and once from the generic calls from the vfs.
759 * Since the generic VFS calls will not contain any security mount data
760 * we need to skip the double mount verification.
761 *
762 * This does open a hole in which we will not notice if the first
763 * mount using this sb set explict options and a second mount using
764 * this sb does not set any security options. (The first options
765 * will be used for both mounts)
766 */
767 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
768 && (num_opts == 0))
769 goto out;
770
771 root_isec = backing_inode_security_novalidate(root);
772
773 /*
774 * parse the mount options, check if they are valid sids.
775 * also check if someone is trying to mount the same sb more
776 * than once with different security options.
777 */
778 for (i = 0; i < num_opts; i++) {
779 u32 sid;
780
781 if (flags[i] == SBLABEL_MNT)
782 continue;
783 rc = security_context_str_to_sid(&selinux_state,
784 mount_options[i], &sid,
785 GFP_KERNEL);
786 if (rc) {
787 pr_warn("SELinux: security_context_str_to_sid"
788 "(%s) failed for (dev %s, type %s) errno=%d\n",
789 mount_options[i], sb->s_id, name, rc);
790 goto out;
791 }
792 switch (flags[i]) {
793 case FSCONTEXT_MNT:
794 fscontext_sid = sid;
795
796 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
797 fscontext_sid))
798 goto out_double_mount;
799
800 sbsec->flags |= FSCONTEXT_MNT;
801 break;
802 case CONTEXT_MNT:
803 context_sid = sid;
804
805 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
806 context_sid))
807 goto out_double_mount;
808
809 sbsec->flags |= CONTEXT_MNT;
810 break;
811 case ROOTCONTEXT_MNT:
812 rootcontext_sid = sid;
813
814 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
815 rootcontext_sid))
816 goto out_double_mount;
817
818 sbsec->flags |= ROOTCONTEXT_MNT;
819
820 break;
821 case DEFCONTEXT_MNT:
822 defcontext_sid = sid;
823
824 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
825 defcontext_sid))
826 goto out_double_mount;
827
828 sbsec->flags |= DEFCONTEXT_MNT;
829
830 break;
831 default:
832 rc = -EINVAL;
833 goto out;
834 }
835 }
836
837 if (sbsec->flags & SE_SBINITIALIZED) {
838 /* previously mounted with options, but not on this attempt? */
839 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
840 goto out_double_mount;
841 rc = 0;
842 goto out;
843 }
844
845 if (strcmp(sb->s_type->name, "proc") == 0)
846 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
847
848 if (!strcmp(sb->s_type->name, "debugfs") ||
849 !strcmp(sb->s_type->name, "tracefs") ||
850 !strcmp(sb->s_type->name, "sysfs") ||
851 !strcmp(sb->s_type->name, "pstore") ||
852 !strcmp(sb->s_type->name, "cgroup") ||
853 !strcmp(sb->s_type->name, "cgroup2"))
854 sbsec->flags |= SE_SBGENFS;
855
856 if (!sbsec->behavior) {
857 /*
858 * Determine the labeling behavior to use for this
859 * filesystem type.
860 */
861 rc = security_fs_use(&selinux_state, sb);
862 if (rc) {
863 pr_warn("%s: security_fs_use(%s) returned %d\n",
864 __func__, sb->s_type->name, rc);
865 goto out;
866 }
867 }
868
869 /*
870 * If this is a user namespace mount and the filesystem type is not
871 * explicitly whitelisted, then no contexts are allowed on the command
872 * line and security labels must be ignored.
873 */
874 if (sb->s_user_ns != &init_user_ns &&
875 strcmp(sb->s_type->name, "tmpfs") &&
876 strcmp(sb->s_type->name, "ramfs") &&
877 strcmp(sb->s_type->name, "devpts")) {
878 if (context_sid || fscontext_sid || rootcontext_sid ||
879 defcontext_sid) {
880 rc = -EACCES;
881 goto out;
882 }
883 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
884 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
885 rc = security_transition_sid(&selinux_state,
886 current_sid(),
887 current_sid(),
888 SECCLASS_FILE, NULL,
889 &sbsec->mntpoint_sid);
890 if (rc)
891 goto out;
892 }
893 goto out_set_opts;
894 }
895
896 /* sets the context of the superblock for the fs being mounted. */
897 if (fscontext_sid) {
898 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
899 if (rc)
900 goto out;
901
902 sbsec->sid = fscontext_sid;
903 }
904
905 /*
906 * Switch to using mount point labeling behavior.
907 * sets the label used on all file below the mountpoint, and will set
908 * the superblock context if not already set.
909 */
910 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
911 sbsec->behavior = SECURITY_FS_USE_NATIVE;
912 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
913 }
914
915 if (context_sid) {
916 if (!fscontext_sid) {
917 rc = may_context_mount_sb_relabel(context_sid, sbsec,
918 cred);
919 if (rc)
920 goto out;
921 sbsec->sid = context_sid;
922 } else {
923 rc = may_context_mount_inode_relabel(context_sid, sbsec,
924 cred);
925 if (rc)
926 goto out;
927 }
928 if (!rootcontext_sid)
929 rootcontext_sid = context_sid;
930
931 sbsec->mntpoint_sid = context_sid;
932 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
933 }
934
935 if (rootcontext_sid) {
936 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
937 cred);
938 if (rc)
939 goto out;
940
941 root_isec->sid = rootcontext_sid;
942 root_isec->initialized = LABEL_INITIALIZED;
943 }
944
945 if (defcontext_sid) {
946 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
947 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
948 rc = -EINVAL;
949 pr_warn("SELinux: defcontext option is "
950 "invalid for this filesystem type\n");
951 goto out;
952 }
953
954 if (defcontext_sid != sbsec->def_sid) {
955 rc = may_context_mount_inode_relabel(defcontext_sid,
956 sbsec, cred);
957 if (rc)
958 goto out;
959 }
960
961 sbsec->def_sid = defcontext_sid;
962 }
963
964 out_set_opts:
965 rc = sb_finish_set_opts(sb);
966 out:
967 mutex_unlock(&sbsec->lock);
968 return rc;
969 out_double_mount:
970 rc = -EINVAL;
971 pr_warn("SELinux: mount invalid. Same superblock, different "
972 "security settings for (dev %s, type %s)\n", sb->s_id, name);
973 goto out;
974 }
975
selinux_cmp_sb_context(const struct super_block * oldsb,const struct super_block * newsb)976 static int selinux_cmp_sb_context(const struct super_block *oldsb,
977 const struct super_block *newsb)
978 {
979 struct superblock_security_struct *old = oldsb->s_security;
980 struct superblock_security_struct *new = newsb->s_security;
981 char oldflags = old->flags & SE_MNTMASK;
982 char newflags = new->flags & SE_MNTMASK;
983
984 if (oldflags != newflags)
985 goto mismatch;
986 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
987 goto mismatch;
988 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
989 goto mismatch;
990 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
991 goto mismatch;
992 if (oldflags & ROOTCONTEXT_MNT) {
993 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
994 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
995 if (oldroot->sid != newroot->sid)
996 goto mismatch;
997 }
998 return 0;
999 mismatch:
1000 pr_warn("SELinux: mount invalid. Same superblock, "
1001 "different security settings for (dev %s, "
1002 "type %s)\n", newsb->s_id, newsb->s_type->name);
1003 return -EBUSY;
1004 }
1005
selinux_sb_clone_mnt_opts(const struct super_block * oldsb,struct super_block * newsb,unsigned long kern_flags,unsigned long * set_kern_flags)1006 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1007 struct super_block *newsb,
1008 unsigned long kern_flags,
1009 unsigned long *set_kern_flags)
1010 {
1011 int rc = 0;
1012 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1013 struct superblock_security_struct *newsbsec = newsb->s_security;
1014
1015 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1016 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1017 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1018
1019 /*
1020 * if the parent was able to be mounted it clearly had no special lsm
1021 * mount options. thus we can safely deal with this superblock later
1022 */
1023 if (!selinux_state.initialized)
1024 return 0;
1025
1026 /*
1027 * Specifying internal flags without providing a place to
1028 * place the results is not allowed.
1029 */
1030 if (kern_flags && !set_kern_flags)
1031 return -EINVAL;
1032
1033 /* how can we clone if the old one wasn't set up?? */
1034 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1035
1036 /* if fs is reusing a sb, make sure that the contexts match */
1037 if (newsbsec->flags & SE_SBINITIALIZED)
1038 return selinux_cmp_sb_context(oldsb, newsb);
1039
1040 mutex_lock(&newsbsec->lock);
1041
1042 newsbsec->flags = oldsbsec->flags;
1043
1044 newsbsec->sid = oldsbsec->sid;
1045 newsbsec->def_sid = oldsbsec->def_sid;
1046 newsbsec->behavior = oldsbsec->behavior;
1047
1048 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1049 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1050 rc = security_fs_use(&selinux_state, newsb);
1051 if (rc)
1052 goto out;
1053 }
1054
1055 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1056 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1057 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1058 }
1059
1060 if (set_context) {
1061 u32 sid = oldsbsec->mntpoint_sid;
1062
1063 if (!set_fscontext)
1064 newsbsec->sid = sid;
1065 if (!set_rootcontext) {
1066 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1067 newisec->sid = sid;
1068 }
1069 newsbsec->mntpoint_sid = sid;
1070 }
1071 if (set_rootcontext) {
1072 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1073 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1074
1075 newisec->sid = oldisec->sid;
1076 }
1077
1078 sb_finish_set_opts(newsb);
1079 out:
1080 mutex_unlock(&newsbsec->lock);
1081 return rc;
1082 }
1083
selinux_parse_opts_str(char * options,struct security_mnt_opts * opts)1084 static int selinux_parse_opts_str(char *options,
1085 struct security_mnt_opts *opts)
1086 {
1087 char *p;
1088 char *context = NULL, *defcontext = NULL;
1089 char *fscontext = NULL, *rootcontext = NULL;
1090 int rc, num_mnt_opts = 0;
1091
1092 opts->num_mnt_opts = 0;
1093
1094 /* Standard string-based options. */
1095 while ((p = strsep(&options, "|")) != NULL) {
1096 int token;
1097 substring_t args[MAX_OPT_ARGS];
1098
1099 if (!*p)
1100 continue;
1101
1102 token = match_token(p, tokens, args);
1103
1104 switch (token) {
1105 case Opt_context:
1106 if (context || defcontext) {
1107 rc = -EINVAL;
1108 pr_warn(SEL_MOUNT_FAIL_MSG);
1109 goto out_err;
1110 }
1111 context = match_strdup(&args[0]);
1112 if (!context) {
1113 rc = -ENOMEM;
1114 goto out_err;
1115 }
1116 break;
1117
1118 case Opt_fscontext:
1119 if (fscontext) {
1120 rc = -EINVAL;
1121 pr_warn(SEL_MOUNT_FAIL_MSG);
1122 goto out_err;
1123 }
1124 fscontext = match_strdup(&args[0]);
1125 if (!fscontext) {
1126 rc = -ENOMEM;
1127 goto out_err;
1128 }
1129 break;
1130
1131 case Opt_rootcontext:
1132 if (rootcontext) {
1133 rc = -EINVAL;
1134 pr_warn(SEL_MOUNT_FAIL_MSG);
1135 goto out_err;
1136 }
1137 rootcontext = match_strdup(&args[0]);
1138 if (!rootcontext) {
1139 rc = -ENOMEM;
1140 goto out_err;
1141 }
1142 break;
1143
1144 case Opt_defcontext:
1145 if (context || defcontext) {
1146 rc = -EINVAL;
1147 pr_warn(SEL_MOUNT_FAIL_MSG);
1148 goto out_err;
1149 }
1150 defcontext = match_strdup(&args[0]);
1151 if (!defcontext) {
1152 rc = -ENOMEM;
1153 goto out_err;
1154 }
1155 break;
1156 case Opt_labelsupport:
1157 break;
1158 default:
1159 rc = -EINVAL;
1160 pr_warn("SELinux: unknown mount option\n");
1161 goto out_err;
1162
1163 }
1164 }
1165
1166 rc = -ENOMEM;
1167 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1168 if (!opts->mnt_opts)
1169 goto out_err;
1170
1171 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1172 GFP_KERNEL);
1173 if (!opts->mnt_opts_flags)
1174 goto out_err;
1175
1176 if (fscontext) {
1177 opts->mnt_opts[num_mnt_opts] = fscontext;
1178 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1179 }
1180 if (context) {
1181 opts->mnt_opts[num_mnt_opts] = context;
1182 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1183 }
1184 if (rootcontext) {
1185 opts->mnt_opts[num_mnt_opts] = rootcontext;
1186 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1187 }
1188 if (defcontext) {
1189 opts->mnt_opts[num_mnt_opts] = defcontext;
1190 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1191 }
1192
1193 opts->num_mnt_opts = num_mnt_opts;
1194 return 0;
1195
1196 out_err:
1197 security_free_mnt_opts(opts);
1198 kfree(context);
1199 kfree(defcontext);
1200 kfree(fscontext);
1201 kfree(rootcontext);
1202 return rc;
1203 }
1204 /*
1205 * string mount options parsing and call set the sbsec
1206 */
superblock_doinit(struct super_block * sb,void * data)1207 static int superblock_doinit(struct super_block *sb, void *data)
1208 {
1209 int rc = 0;
1210 char *options = data;
1211 struct security_mnt_opts opts;
1212
1213 security_init_mnt_opts(&opts);
1214
1215 if (!data)
1216 goto out;
1217
1218 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1219
1220 rc = selinux_parse_opts_str(options, &opts);
1221 if (rc)
1222 goto out_err;
1223
1224 out:
1225 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1226
1227 out_err:
1228 security_free_mnt_opts(&opts);
1229 return rc;
1230 }
1231
selinux_write_opts(struct seq_file * m,struct security_mnt_opts * opts)1232 static void selinux_write_opts(struct seq_file *m,
1233 struct security_mnt_opts *opts)
1234 {
1235 int i;
1236 char *prefix;
1237
1238 for (i = 0; i < opts->num_mnt_opts; i++) {
1239 char *has_comma;
1240
1241 if (opts->mnt_opts[i])
1242 has_comma = strchr(opts->mnt_opts[i], ',');
1243 else
1244 has_comma = NULL;
1245
1246 switch (opts->mnt_opts_flags[i]) {
1247 case CONTEXT_MNT:
1248 prefix = CONTEXT_STR;
1249 break;
1250 case FSCONTEXT_MNT:
1251 prefix = FSCONTEXT_STR;
1252 break;
1253 case ROOTCONTEXT_MNT:
1254 prefix = ROOTCONTEXT_STR;
1255 break;
1256 case DEFCONTEXT_MNT:
1257 prefix = DEFCONTEXT_STR;
1258 break;
1259 case SBLABEL_MNT:
1260 seq_putc(m, ',');
1261 seq_puts(m, LABELSUPP_STR);
1262 continue;
1263 default:
1264 BUG();
1265 return;
1266 };
1267 /* we need a comma before each option */
1268 seq_putc(m, ',');
1269 seq_puts(m, prefix);
1270 if (has_comma)
1271 seq_putc(m, '\"');
1272 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1273 if (has_comma)
1274 seq_putc(m, '\"');
1275 }
1276 }
1277
selinux_sb_show_options(struct seq_file * m,struct super_block * sb)1278 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1279 {
1280 struct security_mnt_opts opts;
1281 int rc;
1282
1283 rc = selinux_get_mnt_opts(sb, &opts);
1284 if (rc) {
1285 /* before policy load we may get EINVAL, don't show anything */
1286 if (rc == -EINVAL)
1287 rc = 0;
1288 return rc;
1289 }
1290
1291 selinux_write_opts(m, &opts);
1292
1293 security_free_mnt_opts(&opts);
1294
1295 return rc;
1296 }
1297
inode_mode_to_security_class(umode_t mode)1298 static inline u16 inode_mode_to_security_class(umode_t mode)
1299 {
1300 switch (mode & S_IFMT) {
1301 case S_IFSOCK:
1302 return SECCLASS_SOCK_FILE;
1303 case S_IFLNK:
1304 return SECCLASS_LNK_FILE;
1305 case S_IFREG:
1306 return SECCLASS_FILE;
1307 case S_IFBLK:
1308 return SECCLASS_BLK_FILE;
1309 case S_IFDIR:
1310 return SECCLASS_DIR;
1311 case S_IFCHR:
1312 return SECCLASS_CHR_FILE;
1313 case S_IFIFO:
1314 return SECCLASS_FIFO_FILE;
1315
1316 }
1317
1318 return SECCLASS_FILE;
1319 }
1320
default_protocol_stream(int protocol)1321 static inline int default_protocol_stream(int protocol)
1322 {
1323 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1324 }
1325
default_protocol_dgram(int protocol)1326 static inline int default_protocol_dgram(int protocol)
1327 {
1328 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1329 }
1330
socket_type_to_security_class(int family,int type,int protocol)1331 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1332 {
1333 int extsockclass = selinux_policycap_extsockclass();
1334
1335 switch (family) {
1336 case PF_UNIX:
1337 switch (type) {
1338 case SOCK_STREAM:
1339 case SOCK_SEQPACKET:
1340 return SECCLASS_UNIX_STREAM_SOCKET;
1341 case SOCK_DGRAM:
1342 case SOCK_RAW:
1343 return SECCLASS_UNIX_DGRAM_SOCKET;
1344 }
1345 break;
1346 case PF_INET:
1347 case PF_INET6:
1348 switch (type) {
1349 case SOCK_STREAM:
1350 case SOCK_SEQPACKET:
1351 if (default_protocol_stream(protocol))
1352 return SECCLASS_TCP_SOCKET;
1353 else if (extsockclass && protocol == IPPROTO_SCTP)
1354 return SECCLASS_SCTP_SOCKET;
1355 else
1356 return SECCLASS_RAWIP_SOCKET;
1357 case SOCK_DGRAM:
1358 if (default_protocol_dgram(protocol))
1359 return SECCLASS_UDP_SOCKET;
1360 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1361 protocol == IPPROTO_ICMPV6))
1362 return SECCLASS_ICMP_SOCKET;
1363 else
1364 return SECCLASS_RAWIP_SOCKET;
1365 case SOCK_DCCP:
1366 return SECCLASS_DCCP_SOCKET;
1367 default:
1368 return SECCLASS_RAWIP_SOCKET;
1369 }
1370 break;
1371 case PF_NETLINK:
1372 switch (protocol) {
1373 case NETLINK_ROUTE:
1374 return SECCLASS_NETLINK_ROUTE_SOCKET;
1375 case NETLINK_SOCK_DIAG:
1376 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1377 case NETLINK_NFLOG:
1378 return SECCLASS_NETLINK_NFLOG_SOCKET;
1379 case NETLINK_XFRM:
1380 return SECCLASS_NETLINK_XFRM_SOCKET;
1381 case NETLINK_SELINUX:
1382 return SECCLASS_NETLINK_SELINUX_SOCKET;
1383 case NETLINK_ISCSI:
1384 return SECCLASS_NETLINK_ISCSI_SOCKET;
1385 case NETLINK_AUDIT:
1386 return SECCLASS_NETLINK_AUDIT_SOCKET;
1387 case NETLINK_FIB_LOOKUP:
1388 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1389 case NETLINK_CONNECTOR:
1390 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1391 case NETLINK_NETFILTER:
1392 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1393 case NETLINK_DNRTMSG:
1394 return SECCLASS_NETLINK_DNRT_SOCKET;
1395 case NETLINK_KOBJECT_UEVENT:
1396 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1397 case NETLINK_GENERIC:
1398 return SECCLASS_NETLINK_GENERIC_SOCKET;
1399 case NETLINK_SCSITRANSPORT:
1400 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1401 case NETLINK_RDMA:
1402 return SECCLASS_NETLINK_RDMA_SOCKET;
1403 case NETLINK_CRYPTO:
1404 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1405 default:
1406 return SECCLASS_NETLINK_SOCKET;
1407 }
1408 case PF_PACKET:
1409 return SECCLASS_PACKET_SOCKET;
1410 case PF_KEY:
1411 return SECCLASS_KEY_SOCKET;
1412 case PF_APPLETALK:
1413 return SECCLASS_APPLETALK_SOCKET;
1414 }
1415
1416 if (extsockclass) {
1417 switch (family) {
1418 case PF_AX25:
1419 return SECCLASS_AX25_SOCKET;
1420 case PF_IPX:
1421 return SECCLASS_IPX_SOCKET;
1422 case PF_NETROM:
1423 return SECCLASS_NETROM_SOCKET;
1424 case PF_ATMPVC:
1425 return SECCLASS_ATMPVC_SOCKET;
1426 case PF_X25:
1427 return SECCLASS_X25_SOCKET;
1428 case PF_ROSE:
1429 return SECCLASS_ROSE_SOCKET;
1430 case PF_DECnet:
1431 return SECCLASS_DECNET_SOCKET;
1432 case PF_ATMSVC:
1433 return SECCLASS_ATMSVC_SOCKET;
1434 case PF_RDS:
1435 return SECCLASS_RDS_SOCKET;
1436 case PF_IRDA:
1437 return SECCLASS_IRDA_SOCKET;
1438 case PF_PPPOX:
1439 return SECCLASS_PPPOX_SOCKET;
1440 case PF_LLC:
1441 return SECCLASS_LLC_SOCKET;
1442 case PF_CAN:
1443 return SECCLASS_CAN_SOCKET;
1444 case PF_TIPC:
1445 return SECCLASS_TIPC_SOCKET;
1446 case PF_BLUETOOTH:
1447 return SECCLASS_BLUETOOTH_SOCKET;
1448 case PF_IUCV:
1449 return SECCLASS_IUCV_SOCKET;
1450 case PF_RXRPC:
1451 return SECCLASS_RXRPC_SOCKET;
1452 case PF_ISDN:
1453 return SECCLASS_ISDN_SOCKET;
1454 case PF_PHONET:
1455 return SECCLASS_PHONET_SOCKET;
1456 case PF_IEEE802154:
1457 return SECCLASS_IEEE802154_SOCKET;
1458 case PF_CAIF:
1459 return SECCLASS_CAIF_SOCKET;
1460 case PF_ALG:
1461 return SECCLASS_ALG_SOCKET;
1462 case PF_NFC:
1463 return SECCLASS_NFC_SOCKET;
1464 case PF_VSOCK:
1465 return SECCLASS_VSOCK_SOCKET;
1466 case PF_KCM:
1467 return SECCLASS_KCM_SOCKET;
1468 case PF_QIPCRTR:
1469 return SECCLASS_QIPCRTR_SOCKET;
1470 case PF_SMC:
1471 return SECCLASS_SMC_SOCKET;
1472 case PF_XDP:
1473 return SECCLASS_XDP_SOCKET;
1474 #if PF_MAX > 45
1475 #error New address family defined, please update this function.
1476 #endif
1477 }
1478 }
1479
1480 return SECCLASS_SOCKET;
1481 }
1482
selinux_genfs_get_sid(struct dentry * dentry,u16 tclass,u16 flags,u32 * sid)1483 static int selinux_genfs_get_sid(struct dentry *dentry,
1484 u16 tclass,
1485 u16 flags,
1486 u32 *sid)
1487 {
1488 int rc;
1489 struct super_block *sb = dentry->d_sb;
1490 char *buffer, *path;
1491
1492 buffer = (char *)__get_free_page(GFP_KERNEL);
1493 if (!buffer)
1494 return -ENOMEM;
1495
1496 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1497 if (IS_ERR(path))
1498 rc = PTR_ERR(path);
1499 else {
1500 if (flags & SE_SBPROC) {
1501 /* each process gets a /proc/PID/ entry. Strip off the
1502 * PID part to get a valid selinux labeling.
1503 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1504 while (path[1] >= '0' && path[1] <= '9') {
1505 path[1] = '/';
1506 path++;
1507 }
1508 }
1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510 path, tclass, sid);
1511 }
1512 free_page((unsigned long)buffer);
1513 return rc;
1514 }
1515
1516 /* The inode's security attributes must be initialized before first use. */
inode_doinit_with_dentry(struct inode * inode,struct dentry * opt_dentry)1517 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1518 {
1519 struct superblock_security_struct *sbsec = NULL;
1520 struct inode_security_struct *isec = inode->i_security;
1521 u32 task_sid, sid = 0;
1522 u16 sclass;
1523 struct dentry *dentry;
1524 #define INITCONTEXTLEN 255
1525 char *context = NULL;
1526 unsigned len = 0;
1527 int rc = 0;
1528
1529 if (isec->initialized == LABEL_INITIALIZED)
1530 return 0;
1531
1532 spin_lock(&isec->lock);
1533 if (isec->initialized == LABEL_INITIALIZED)
1534 goto out_unlock;
1535
1536 if (isec->sclass == SECCLASS_FILE)
1537 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1538
1539 sbsec = inode->i_sb->s_security;
1540 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1541 /* Defer initialization until selinux_complete_init,
1542 after the initial policy is loaded and the security
1543 server is ready to handle calls. */
1544 spin_lock(&sbsec->isec_lock);
1545 if (list_empty(&isec->list))
1546 list_add(&isec->list, &sbsec->isec_head);
1547 spin_unlock(&sbsec->isec_lock);
1548 goto out_unlock;
1549 }
1550
1551 sclass = isec->sclass;
1552 task_sid = isec->task_sid;
1553 sid = isec->sid;
1554 isec->initialized = LABEL_PENDING;
1555 spin_unlock(&isec->lock);
1556
1557 switch (sbsec->behavior) {
1558 case SECURITY_FS_USE_NATIVE:
1559 break;
1560 case SECURITY_FS_USE_XATTR:
1561 if (!(inode->i_opflags & IOP_XATTR)) {
1562 sid = sbsec->def_sid;
1563 break;
1564 }
1565 /* Need a dentry, since the xattr API requires one.
1566 Life would be simpler if we could just pass the inode. */
1567 if (opt_dentry) {
1568 /* Called from d_instantiate or d_splice_alias. */
1569 dentry = dget(opt_dentry);
1570 } else {
1571 /*
1572 * Called from selinux_complete_init, try to find a dentry.
1573 * Some filesystems really want a connected one, so try
1574 * that first. We could split SECURITY_FS_USE_XATTR in
1575 * two, depending upon that...
1576 */
1577 dentry = d_find_alias(inode);
1578 if (!dentry)
1579 dentry = d_find_any_alias(inode);
1580 }
1581 if (!dentry) {
1582 /*
1583 * this is can be hit on boot when a file is accessed
1584 * before the policy is loaded. When we load policy we
1585 * may find inodes that have no dentry on the
1586 * sbsec->isec_head list. No reason to complain as these
1587 * will get fixed up the next time we go through
1588 * inode_doinit with a dentry, before these inodes could
1589 * be used again by userspace.
1590 */
1591 goto out;
1592 }
1593
1594 len = INITCONTEXTLEN;
1595 context = kmalloc(len+1, GFP_NOFS);
1596 if (!context) {
1597 rc = -ENOMEM;
1598 dput(dentry);
1599 goto out;
1600 }
1601 context[len] = '\0';
1602 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1603 if (rc == -ERANGE) {
1604 kfree(context);
1605
1606 /* Need a larger buffer. Query for the right size. */
1607 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1608 if (rc < 0) {
1609 dput(dentry);
1610 goto out;
1611 }
1612 len = rc;
1613 context = kmalloc(len+1, GFP_NOFS);
1614 if (!context) {
1615 rc = -ENOMEM;
1616 dput(dentry);
1617 goto out;
1618 }
1619 context[len] = '\0';
1620 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1621 }
1622 dput(dentry);
1623 if (rc < 0) {
1624 if (rc != -ENODATA) {
1625 pr_warn("SELinux: %s: getxattr returned "
1626 "%d for dev=%s ino=%ld\n", __func__,
1627 -rc, inode->i_sb->s_id, inode->i_ino);
1628 kfree(context);
1629 goto out;
1630 }
1631 /* Map ENODATA to the default file SID */
1632 sid = sbsec->def_sid;
1633 rc = 0;
1634 } else {
1635 rc = security_context_to_sid_default(&selinux_state,
1636 context, rc, &sid,
1637 sbsec->def_sid,
1638 GFP_NOFS);
1639 if (rc) {
1640 char *dev = inode->i_sb->s_id;
1641 unsigned long ino = inode->i_ino;
1642
1643 if (rc == -EINVAL) {
1644 if (printk_ratelimit())
1645 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1646 "context=%s. This indicates you may need to relabel the inode or the "
1647 "filesystem in question.\n", ino, dev, context);
1648 } else {
1649 pr_warn("SELinux: %s: context_to_sid(%s) "
1650 "returned %d for dev=%s ino=%ld\n",
1651 __func__, context, -rc, dev, ino);
1652 }
1653 kfree(context);
1654 /* Leave with the unlabeled SID */
1655 rc = 0;
1656 break;
1657 }
1658 }
1659 kfree(context);
1660 break;
1661 case SECURITY_FS_USE_TASK:
1662 sid = task_sid;
1663 break;
1664 case SECURITY_FS_USE_TRANS:
1665 /* Default to the fs SID. */
1666 sid = sbsec->sid;
1667
1668 /* Try to obtain a transition SID. */
1669 rc = security_transition_sid(&selinux_state, task_sid, sid,
1670 sclass, NULL, &sid);
1671 if (rc)
1672 goto out;
1673 break;
1674 case SECURITY_FS_USE_MNTPOINT:
1675 sid = sbsec->mntpoint_sid;
1676 break;
1677 default:
1678 /* Default to the fs superblock SID. */
1679 sid = sbsec->sid;
1680
1681 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1682 /* We must have a dentry to determine the label on
1683 * procfs inodes */
1684 if (opt_dentry) {
1685 /* Called from d_instantiate or
1686 * d_splice_alias. */
1687 dentry = dget(opt_dentry);
1688 } else {
1689 /* Called from selinux_complete_init, try to
1690 * find a dentry. Some filesystems really want
1691 * a connected one, so try that first.
1692 */
1693 dentry = d_find_alias(inode);
1694 if (!dentry)
1695 dentry = d_find_any_alias(inode);
1696 }
1697 /*
1698 * This can be hit on boot when a file is accessed
1699 * before the policy is loaded. When we load policy we
1700 * may find inodes that have no dentry on the
1701 * sbsec->isec_head list. No reason to complain as
1702 * these will get fixed up the next time we go through
1703 * inode_doinit() with a dentry, before these inodes
1704 * could be used again by userspace.
1705 */
1706 if (!dentry)
1707 goto out;
1708 rc = selinux_genfs_get_sid(dentry, sclass,
1709 sbsec->flags, &sid);
1710 dput(dentry);
1711 if (rc)
1712 goto out;
1713 }
1714 break;
1715 }
1716
1717 out:
1718 spin_lock(&isec->lock);
1719 if (isec->initialized == LABEL_PENDING) {
1720 if (!sid || rc) {
1721 isec->initialized = LABEL_INVALID;
1722 goto out_unlock;
1723 }
1724
1725 isec->initialized = LABEL_INITIALIZED;
1726 isec->sid = sid;
1727 }
1728
1729 out_unlock:
1730 spin_unlock(&isec->lock);
1731 return rc;
1732 }
1733
1734 /* Convert a Linux signal to an access vector. */
signal_to_av(int sig)1735 static inline u32 signal_to_av(int sig)
1736 {
1737 u32 perm = 0;
1738
1739 switch (sig) {
1740 case SIGCHLD:
1741 /* Commonly granted from child to parent. */
1742 perm = PROCESS__SIGCHLD;
1743 break;
1744 case SIGKILL:
1745 /* Cannot be caught or ignored */
1746 perm = PROCESS__SIGKILL;
1747 break;
1748 case SIGSTOP:
1749 /* Cannot be caught or ignored */
1750 perm = PROCESS__SIGSTOP;
1751 break;
1752 default:
1753 /* All other signals. */
1754 perm = PROCESS__SIGNAL;
1755 break;
1756 }
1757
1758 return perm;
1759 }
1760
1761 #if CAP_LAST_CAP > 63
1762 #error Fix SELinux to handle capabilities > 63.
1763 #endif
1764
1765 /* Check whether a task is allowed to use a capability. */
cred_has_capability(const struct cred * cred,int cap,int audit,bool initns)1766 static int cred_has_capability(const struct cred *cred,
1767 int cap, int audit, bool initns)
1768 {
1769 struct common_audit_data ad;
1770 struct av_decision avd;
1771 u16 sclass;
1772 u32 sid = cred_sid(cred);
1773 u32 av = CAP_TO_MASK(cap);
1774 int rc;
1775
1776 ad.type = LSM_AUDIT_DATA_CAP;
1777 ad.u.cap = cap;
1778
1779 switch (CAP_TO_INDEX(cap)) {
1780 case 0:
1781 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1782 break;
1783 case 1:
1784 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1785 break;
1786 default:
1787 pr_err("SELinux: out of range capability %d\n", cap);
1788 BUG();
1789 return -EINVAL;
1790 }
1791
1792 rc = avc_has_perm_noaudit(&selinux_state,
1793 sid, sid, sclass, av, 0, &avd);
1794 if (audit == SECURITY_CAP_AUDIT) {
1795 int rc2 = avc_audit(&selinux_state,
1796 sid, sid, sclass, av, &avd, rc, &ad, 0);
1797 if (rc2)
1798 return rc2;
1799 }
1800 return rc;
1801 }
1802
1803 /* Check whether a task has a particular permission to an inode.
1804 The 'adp' parameter is optional and allows other audit
1805 data to be passed (e.g. the dentry). */
inode_has_perm(const struct cred * cred,struct inode * inode,u32 perms,struct common_audit_data * adp)1806 static int inode_has_perm(const struct cred *cred,
1807 struct inode *inode,
1808 u32 perms,
1809 struct common_audit_data *adp)
1810 {
1811 struct inode_security_struct *isec;
1812 u32 sid;
1813
1814 validate_creds(cred);
1815
1816 if (unlikely(IS_PRIVATE(inode)))
1817 return 0;
1818
1819 sid = cred_sid(cred);
1820 isec = inode->i_security;
1821
1822 return avc_has_perm(&selinux_state,
1823 sid, isec->sid, isec->sclass, perms, adp);
1824 }
1825
1826 /* Same as inode_has_perm, but pass explicit audit data containing
1827 the dentry to help the auditing code to more easily generate the
1828 pathname if needed. */
dentry_has_perm(const struct cred * cred,struct dentry * dentry,u32 av)1829 static inline int dentry_has_perm(const struct cred *cred,
1830 struct dentry *dentry,
1831 u32 av)
1832 {
1833 struct inode *inode = d_backing_inode(dentry);
1834 struct common_audit_data ad;
1835
1836 ad.type = LSM_AUDIT_DATA_DENTRY;
1837 ad.u.dentry = dentry;
1838 __inode_security_revalidate(inode, dentry, true);
1839 return inode_has_perm(cred, inode, av, &ad);
1840 }
1841
1842 /* Same as inode_has_perm, but pass explicit audit data containing
1843 the path to help the auditing code to more easily generate the
1844 pathname if needed. */
path_has_perm(const struct cred * cred,const struct path * path,u32 av)1845 static inline int path_has_perm(const struct cred *cred,
1846 const struct path *path,
1847 u32 av)
1848 {
1849 struct inode *inode = d_backing_inode(path->dentry);
1850 struct common_audit_data ad;
1851
1852 ad.type = LSM_AUDIT_DATA_PATH;
1853 ad.u.path = *path;
1854 __inode_security_revalidate(inode, path->dentry, true);
1855 return inode_has_perm(cred, inode, av, &ad);
1856 }
1857
1858 /* Same as path_has_perm, but uses the inode from the file struct. */
file_path_has_perm(const struct cred * cred,struct file * file,u32 av)1859 static inline int file_path_has_perm(const struct cred *cred,
1860 struct file *file,
1861 u32 av)
1862 {
1863 struct common_audit_data ad;
1864
1865 ad.type = LSM_AUDIT_DATA_FILE;
1866 ad.u.file = file;
1867 return inode_has_perm(cred, file_inode(file), av, &ad);
1868 }
1869
1870 #ifdef CONFIG_BPF_SYSCALL
1871 static int bpf_fd_pass(struct file *file, u32 sid);
1872 #endif
1873
1874 /* Check whether a task can use an open file descriptor to
1875 access an inode in a given way. Check access to the
1876 descriptor itself, and then use dentry_has_perm to
1877 check a particular permission to the file.
1878 Access to the descriptor is implicitly granted if it
1879 has the same SID as the process. If av is zero, then
1880 access to the file is not checked, e.g. for cases
1881 where only the descriptor is affected like seek. */
file_has_perm(const struct cred * cred,struct file * file,u32 av)1882 static int file_has_perm(const struct cred *cred,
1883 struct file *file,
1884 u32 av)
1885 {
1886 struct file_security_struct *fsec = file->f_security;
1887 struct inode *inode = file_inode(file);
1888 struct common_audit_data ad;
1889 u32 sid = cred_sid(cred);
1890 int rc;
1891
1892 ad.type = LSM_AUDIT_DATA_FILE;
1893 ad.u.file = file;
1894
1895 if (sid != fsec->sid) {
1896 rc = avc_has_perm(&selinux_state,
1897 sid, fsec->sid,
1898 SECCLASS_FD,
1899 FD__USE,
1900 &ad);
1901 if (rc)
1902 goto out;
1903 }
1904
1905 #ifdef CONFIG_BPF_SYSCALL
1906 rc = bpf_fd_pass(file, cred_sid(cred));
1907 if (rc)
1908 return rc;
1909 #endif
1910
1911 /* av is zero if only checking access to the descriptor. */
1912 rc = 0;
1913 if (av)
1914 rc = inode_has_perm(cred, inode, av, &ad);
1915
1916 out:
1917 return rc;
1918 }
1919
1920 /*
1921 * Determine the label for an inode that might be unioned.
1922 */
1923 static int
selinux_determine_inode_label(const struct task_security_struct * tsec,struct inode * dir,const struct qstr * name,u16 tclass,u32 * _new_isid)1924 selinux_determine_inode_label(const struct task_security_struct *tsec,
1925 struct inode *dir,
1926 const struct qstr *name, u16 tclass,
1927 u32 *_new_isid)
1928 {
1929 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1930
1931 if ((sbsec->flags & SE_SBINITIALIZED) &&
1932 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1933 *_new_isid = sbsec->mntpoint_sid;
1934 } else if ((sbsec->flags & SBLABEL_MNT) &&
1935 tsec->create_sid) {
1936 *_new_isid = tsec->create_sid;
1937 } else {
1938 const struct inode_security_struct *dsec = inode_security(dir);
1939 return security_transition_sid(&selinux_state, tsec->sid,
1940 dsec->sid, tclass,
1941 name, _new_isid);
1942 }
1943
1944 return 0;
1945 }
1946
1947 /* Check whether a task can create a file. */
may_create(struct inode * dir,struct dentry * dentry,u16 tclass)1948 static int may_create(struct inode *dir,
1949 struct dentry *dentry,
1950 u16 tclass)
1951 {
1952 const struct task_security_struct *tsec = current_security();
1953 struct inode_security_struct *dsec;
1954 struct superblock_security_struct *sbsec;
1955 u32 sid, newsid;
1956 struct common_audit_data ad;
1957 int rc;
1958
1959 dsec = inode_security(dir);
1960 sbsec = dir->i_sb->s_security;
1961
1962 sid = tsec->sid;
1963
1964 ad.type = LSM_AUDIT_DATA_DENTRY;
1965 ad.u.dentry = dentry;
1966
1967 rc = avc_has_perm(&selinux_state,
1968 sid, dsec->sid, SECCLASS_DIR,
1969 DIR__ADD_NAME | DIR__SEARCH,
1970 &ad);
1971 if (rc)
1972 return rc;
1973
1974 rc = selinux_determine_inode_label(current_security(), dir,
1975 &dentry->d_name, tclass, &newsid);
1976 if (rc)
1977 return rc;
1978
1979 rc = avc_has_perm(&selinux_state,
1980 sid, newsid, tclass, FILE__CREATE, &ad);
1981 if (rc)
1982 return rc;
1983
1984 return avc_has_perm(&selinux_state,
1985 newsid, sbsec->sid,
1986 SECCLASS_FILESYSTEM,
1987 FILESYSTEM__ASSOCIATE, &ad);
1988 }
1989
1990 #define MAY_LINK 0
1991 #define MAY_UNLINK 1
1992 #define MAY_RMDIR 2
1993
1994 /* Check whether a task can link, unlink, or rmdir a file/directory. */
may_link(struct inode * dir,struct dentry * dentry,int kind)1995 static int may_link(struct inode *dir,
1996 struct dentry *dentry,
1997 int kind)
1998
1999 {
2000 struct inode_security_struct *dsec, *isec;
2001 struct common_audit_data ad;
2002 u32 sid = current_sid();
2003 u32 av;
2004 int rc;
2005
2006 dsec = inode_security(dir);
2007 isec = backing_inode_security(dentry);
2008
2009 ad.type = LSM_AUDIT_DATA_DENTRY;
2010 ad.u.dentry = dentry;
2011
2012 av = DIR__SEARCH;
2013 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2014 rc = avc_has_perm(&selinux_state,
2015 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2016 if (rc)
2017 return rc;
2018
2019 switch (kind) {
2020 case MAY_LINK:
2021 av = FILE__LINK;
2022 break;
2023 case MAY_UNLINK:
2024 av = FILE__UNLINK;
2025 break;
2026 case MAY_RMDIR:
2027 av = DIR__RMDIR;
2028 break;
2029 default:
2030 pr_warn("SELinux: %s: unrecognized kind %d\n",
2031 __func__, kind);
2032 return 0;
2033 }
2034
2035 rc = avc_has_perm(&selinux_state,
2036 sid, isec->sid, isec->sclass, av, &ad);
2037 return rc;
2038 }
2039
may_rename(struct inode * old_dir,struct dentry * old_dentry,struct inode * new_dir,struct dentry * new_dentry)2040 static inline int may_rename(struct inode *old_dir,
2041 struct dentry *old_dentry,
2042 struct inode *new_dir,
2043 struct dentry *new_dentry)
2044 {
2045 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2046 struct common_audit_data ad;
2047 u32 sid = current_sid();
2048 u32 av;
2049 int old_is_dir, new_is_dir;
2050 int rc;
2051
2052 old_dsec = inode_security(old_dir);
2053 old_isec = backing_inode_security(old_dentry);
2054 old_is_dir = d_is_dir(old_dentry);
2055 new_dsec = inode_security(new_dir);
2056
2057 ad.type = LSM_AUDIT_DATA_DENTRY;
2058
2059 ad.u.dentry = old_dentry;
2060 rc = avc_has_perm(&selinux_state,
2061 sid, old_dsec->sid, SECCLASS_DIR,
2062 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2063 if (rc)
2064 return rc;
2065 rc = avc_has_perm(&selinux_state,
2066 sid, old_isec->sid,
2067 old_isec->sclass, FILE__RENAME, &ad);
2068 if (rc)
2069 return rc;
2070 if (old_is_dir && new_dir != old_dir) {
2071 rc = avc_has_perm(&selinux_state,
2072 sid, old_isec->sid,
2073 old_isec->sclass, DIR__REPARENT, &ad);
2074 if (rc)
2075 return rc;
2076 }
2077
2078 ad.u.dentry = new_dentry;
2079 av = DIR__ADD_NAME | DIR__SEARCH;
2080 if (d_is_positive(new_dentry))
2081 av |= DIR__REMOVE_NAME;
2082 rc = avc_has_perm(&selinux_state,
2083 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2084 if (rc)
2085 return rc;
2086 if (d_is_positive(new_dentry)) {
2087 new_isec = backing_inode_security(new_dentry);
2088 new_is_dir = d_is_dir(new_dentry);
2089 rc = avc_has_perm(&selinux_state,
2090 sid, new_isec->sid,
2091 new_isec->sclass,
2092 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2093 if (rc)
2094 return rc;
2095 }
2096
2097 return 0;
2098 }
2099
2100 /* Check whether a task can perform a filesystem operation. */
superblock_has_perm(const struct cred * cred,struct super_block * sb,u32 perms,struct common_audit_data * ad)2101 static int superblock_has_perm(const struct cred *cred,
2102 struct super_block *sb,
2103 u32 perms,
2104 struct common_audit_data *ad)
2105 {
2106 struct superblock_security_struct *sbsec;
2107 u32 sid = cred_sid(cred);
2108
2109 sbsec = sb->s_security;
2110 return avc_has_perm(&selinux_state,
2111 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2112 }
2113
2114 /* Convert a Linux mode and permission mask to an access vector. */
file_mask_to_av(int mode,int mask)2115 static inline u32 file_mask_to_av(int mode, int mask)
2116 {
2117 u32 av = 0;
2118
2119 if (!S_ISDIR(mode)) {
2120 if (mask & MAY_EXEC)
2121 av |= FILE__EXECUTE;
2122 if (mask & MAY_READ)
2123 av |= FILE__READ;
2124
2125 if (mask & MAY_APPEND)
2126 av |= FILE__APPEND;
2127 else if (mask & MAY_WRITE)
2128 av |= FILE__WRITE;
2129
2130 } else {
2131 if (mask & MAY_EXEC)
2132 av |= DIR__SEARCH;
2133 if (mask & MAY_WRITE)
2134 av |= DIR__WRITE;
2135 if (mask & MAY_READ)
2136 av |= DIR__READ;
2137 }
2138
2139 return av;
2140 }
2141
2142 /* Convert a Linux file to an access vector. */
file_to_av(struct file * file)2143 static inline u32 file_to_av(struct file *file)
2144 {
2145 u32 av = 0;
2146
2147 if (file->f_mode & FMODE_READ)
2148 av |= FILE__READ;
2149 if (file->f_mode & FMODE_WRITE) {
2150 if (file->f_flags & O_APPEND)
2151 av |= FILE__APPEND;
2152 else
2153 av |= FILE__WRITE;
2154 }
2155 if (!av) {
2156 /*
2157 * Special file opened with flags 3 for ioctl-only use.
2158 */
2159 av = FILE__IOCTL;
2160 }
2161
2162 return av;
2163 }
2164
2165 /*
2166 * Convert a file to an access vector and include the correct open
2167 * open permission.
2168 */
open_file_to_av(struct file * file)2169 static inline u32 open_file_to_av(struct file *file)
2170 {
2171 u32 av = file_to_av(file);
2172 struct inode *inode = file_inode(file);
2173
2174 if (selinux_policycap_openperm() &&
2175 inode->i_sb->s_magic != SOCKFS_MAGIC)
2176 av |= FILE__OPEN;
2177
2178 return av;
2179 }
2180
2181 /* Hook functions begin here. */
2182
selinux_binder_set_context_mgr(struct task_struct * mgr)2183 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2184 {
2185 u32 mysid = current_sid();
2186 u32 mgrsid = task_sid(mgr);
2187
2188 return avc_has_perm(&selinux_state,
2189 mysid, mgrsid, SECCLASS_BINDER,
2190 BINDER__SET_CONTEXT_MGR, NULL);
2191 }
2192
selinux_binder_transaction(struct task_struct * from,struct task_struct * to)2193 static int selinux_binder_transaction(struct task_struct *from,
2194 struct task_struct *to)
2195 {
2196 u32 mysid = current_sid();
2197 u32 fromsid = task_sid(from);
2198 u32 tosid = task_sid(to);
2199 int rc;
2200
2201 if (mysid != fromsid) {
2202 rc = avc_has_perm(&selinux_state,
2203 mysid, fromsid, SECCLASS_BINDER,
2204 BINDER__IMPERSONATE, NULL);
2205 if (rc)
2206 return rc;
2207 }
2208
2209 return avc_has_perm(&selinux_state,
2210 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2211 NULL);
2212 }
2213
selinux_binder_transfer_binder(struct task_struct * from,struct task_struct * to)2214 static int selinux_binder_transfer_binder(struct task_struct *from,
2215 struct task_struct *to)
2216 {
2217 u32 fromsid = task_sid(from);
2218 u32 tosid = task_sid(to);
2219
2220 return avc_has_perm(&selinux_state,
2221 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2222 NULL);
2223 }
2224
selinux_binder_transfer_file(struct task_struct * from,struct task_struct * to,struct file * file)2225 static int selinux_binder_transfer_file(struct task_struct *from,
2226 struct task_struct *to,
2227 struct file *file)
2228 {
2229 u32 sid = task_sid(to);
2230 struct file_security_struct *fsec = file->f_security;
2231 struct dentry *dentry = file->f_path.dentry;
2232 struct inode_security_struct *isec;
2233 struct common_audit_data ad;
2234 int rc;
2235
2236 ad.type = LSM_AUDIT_DATA_PATH;
2237 ad.u.path = file->f_path;
2238
2239 if (sid != fsec->sid) {
2240 rc = avc_has_perm(&selinux_state,
2241 sid, fsec->sid,
2242 SECCLASS_FD,
2243 FD__USE,
2244 &ad);
2245 if (rc)
2246 return rc;
2247 }
2248
2249 #ifdef CONFIG_BPF_SYSCALL
2250 rc = bpf_fd_pass(file, sid);
2251 if (rc)
2252 return rc;
2253 #endif
2254
2255 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2256 return 0;
2257
2258 isec = backing_inode_security(dentry);
2259 return avc_has_perm(&selinux_state,
2260 sid, isec->sid, isec->sclass, file_to_av(file),
2261 &ad);
2262 }
2263
selinux_ptrace_access_check(struct task_struct * child,unsigned int mode)2264 static int selinux_ptrace_access_check(struct task_struct *child,
2265 unsigned int mode)
2266 {
2267 u32 sid = current_sid();
2268 u32 csid = task_sid(child);
2269
2270 if (mode & PTRACE_MODE_READ)
2271 return avc_has_perm(&selinux_state,
2272 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2273
2274 return avc_has_perm(&selinux_state,
2275 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2276 }
2277
selinux_ptrace_traceme(struct task_struct * parent)2278 static int selinux_ptrace_traceme(struct task_struct *parent)
2279 {
2280 return avc_has_perm(&selinux_state,
2281 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2282 PROCESS__PTRACE, NULL);
2283 }
2284
selinux_capget(struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)2285 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2286 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2287 {
2288 return avc_has_perm(&selinux_state,
2289 current_sid(), task_sid(target), SECCLASS_PROCESS,
2290 PROCESS__GETCAP, NULL);
2291 }
2292
selinux_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)2293 static int selinux_capset(struct cred *new, const struct cred *old,
2294 const kernel_cap_t *effective,
2295 const kernel_cap_t *inheritable,
2296 const kernel_cap_t *permitted)
2297 {
2298 return avc_has_perm(&selinux_state,
2299 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2300 PROCESS__SETCAP, NULL);
2301 }
2302
2303 /*
2304 * (This comment used to live with the selinux_task_setuid hook,
2305 * which was removed).
2306 *
2307 * Since setuid only affects the current process, and since the SELinux
2308 * controls are not based on the Linux identity attributes, SELinux does not
2309 * need to control this operation. However, SELinux does control the use of
2310 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2311 */
2312
selinux_capable(const struct cred * cred,struct user_namespace * ns,int cap,int audit)2313 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2314 int cap, int audit)
2315 {
2316 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2317 }
2318
selinux_quotactl(int cmds,int type,int id,struct super_block * sb)2319 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2320 {
2321 const struct cred *cred = current_cred();
2322 int rc = 0;
2323
2324 if (!sb)
2325 return 0;
2326
2327 switch (cmds) {
2328 case Q_SYNC:
2329 case Q_QUOTAON:
2330 case Q_QUOTAOFF:
2331 case Q_SETINFO:
2332 case Q_SETQUOTA:
2333 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2334 break;
2335 case Q_GETFMT:
2336 case Q_GETINFO:
2337 case Q_GETQUOTA:
2338 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2339 break;
2340 default:
2341 rc = 0; /* let the kernel handle invalid cmds */
2342 break;
2343 }
2344 return rc;
2345 }
2346
selinux_quota_on(struct dentry * dentry)2347 static int selinux_quota_on(struct dentry *dentry)
2348 {
2349 const struct cred *cred = current_cred();
2350
2351 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2352 }
2353
selinux_syslog(int type)2354 static int selinux_syslog(int type)
2355 {
2356 switch (type) {
2357 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2358 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2359 return avc_has_perm(&selinux_state,
2360 current_sid(), SECINITSID_KERNEL,
2361 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2362 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2363 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2364 /* Set level of messages printed to console */
2365 case SYSLOG_ACTION_CONSOLE_LEVEL:
2366 return avc_has_perm(&selinux_state,
2367 current_sid(), SECINITSID_KERNEL,
2368 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2369 NULL);
2370 }
2371 /* All other syslog types */
2372 return avc_has_perm(&selinux_state,
2373 current_sid(), SECINITSID_KERNEL,
2374 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2375 }
2376
2377 /*
2378 * Check that a process has enough memory to allocate a new virtual
2379 * mapping. 0 means there is enough memory for the allocation to
2380 * succeed and -ENOMEM implies there is not.
2381 *
2382 * Do not audit the selinux permission check, as this is applied to all
2383 * processes that allocate mappings.
2384 */
selinux_vm_enough_memory(struct mm_struct * mm,long pages)2385 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2386 {
2387 int rc, cap_sys_admin = 0;
2388
2389 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2390 SECURITY_CAP_NOAUDIT, true);
2391 if (rc == 0)
2392 cap_sys_admin = 1;
2393
2394 return cap_sys_admin;
2395 }
2396
2397 /* binprm security operations */
2398
ptrace_parent_sid(void)2399 static u32 ptrace_parent_sid(void)
2400 {
2401 u32 sid = 0;
2402 struct task_struct *tracer;
2403
2404 rcu_read_lock();
2405 tracer = ptrace_parent(current);
2406 if (tracer)
2407 sid = task_sid(tracer);
2408 rcu_read_unlock();
2409
2410 return sid;
2411 }
2412
check_nnp_nosuid(const struct linux_binprm * bprm,const struct task_security_struct * old_tsec,const struct task_security_struct * new_tsec)2413 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2414 const struct task_security_struct *old_tsec,
2415 const struct task_security_struct *new_tsec)
2416 {
2417 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2418 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2419 int rc;
2420 u32 av;
2421
2422 if (!nnp && !nosuid)
2423 return 0; /* neither NNP nor nosuid */
2424
2425 if (new_tsec->sid == old_tsec->sid)
2426 return 0; /* No change in credentials */
2427
2428 /*
2429 * If the policy enables the nnp_nosuid_transition policy capability,
2430 * then we permit transitions under NNP or nosuid if the
2431 * policy allows the corresponding permission between
2432 * the old and new contexts.
2433 */
2434 if (selinux_policycap_nnp_nosuid_transition()) {
2435 av = 0;
2436 if (nnp)
2437 av |= PROCESS2__NNP_TRANSITION;
2438 if (nosuid)
2439 av |= PROCESS2__NOSUID_TRANSITION;
2440 rc = avc_has_perm(&selinux_state,
2441 old_tsec->sid, new_tsec->sid,
2442 SECCLASS_PROCESS2, av, NULL);
2443 if (!rc)
2444 return 0;
2445 }
2446
2447 /*
2448 * We also permit NNP or nosuid transitions to bounded SIDs,
2449 * i.e. SIDs that are guaranteed to only be allowed a subset
2450 * of the permissions of the current SID.
2451 */
2452 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2453 new_tsec->sid);
2454 if (!rc)
2455 return 0;
2456
2457 /*
2458 * On failure, preserve the errno values for NNP vs nosuid.
2459 * NNP: Operation not permitted for caller.
2460 * nosuid: Permission denied to file.
2461 */
2462 if (nnp)
2463 return -EPERM;
2464 return -EACCES;
2465 }
2466
selinux_bprm_set_creds(struct linux_binprm * bprm)2467 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2468 {
2469 const struct task_security_struct *old_tsec;
2470 struct task_security_struct *new_tsec;
2471 struct inode_security_struct *isec;
2472 struct common_audit_data ad;
2473 struct inode *inode = file_inode(bprm->file);
2474 int rc;
2475
2476 /* SELinux context only depends on initial program or script and not
2477 * the script interpreter */
2478 if (bprm->called_set_creds)
2479 return 0;
2480
2481 old_tsec = current_security();
2482 new_tsec = bprm->cred->security;
2483 isec = inode_security(inode);
2484
2485 /* Default to the current task SID. */
2486 new_tsec->sid = old_tsec->sid;
2487 new_tsec->osid = old_tsec->sid;
2488
2489 /* Reset fs, key, and sock SIDs on execve. */
2490 new_tsec->create_sid = 0;
2491 new_tsec->keycreate_sid = 0;
2492 new_tsec->sockcreate_sid = 0;
2493
2494 if (old_tsec->exec_sid) {
2495 new_tsec->sid = old_tsec->exec_sid;
2496 /* Reset exec SID on execve. */
2497 new_tsec->exec_sid = 0;
2498
2499 /* Fail on NNP or nosuid if not an allowed transition. */
2500 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2501 if (rc)
2502 return rc;
2503 } else {
2504 /* Check for a default transition on this program. */
2505 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2506 isec->sid, SECCLASS_PROCESS, NULL,
2507 &new_tsec->sid);
2508 if (rc)
2509 return rc;
2510
2511 /*
2512 * Fallback to old SID on NNP or nosuid if not an allowed
2513 * transition.
2514 */
2515 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2516 if (rc)
2517 new_tsec->sid = old_tsec->sid;
2518 }
2519
2520 ad.type = LSM_AUDIT_DATA_FILE;
2521 ad.u.file = bprm->file;
2522
2523 if (new_tsec->sid == old_tsec->sid) {
2524 rc = avc_has_perm(&selinux_state,
2525 old_tsec->sid, isec->sid,
2526 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2527 if (rc)
2528 return rc;
2529 } else {
2530 /* Check permissions for the transition. */
2531 rc = avc_has_perm(&selinux_state,
2532 old_tsec->sid, new_tsec->sid,
2533 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2534 if (rc)
2535 return rc;
2536
2537 rc = avc_has_perm(&selinux_state,
2538 new_tsec->sid, isec->sid,
2539 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2540 if (rc)
2541 return rc;
2542
2543 /* Check for shared state */
2544 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2545 rc = avc_has_perm(&selinux_state,
2546 old_tsec->sid, new_tsec->sid,
2547 SECCLASS_PROCESS, PROCESS__SHARE,
2548 NULL);
2549 if (rc)
2550 return -EPERM;
2551 }
2552
2553 /* Make sure that anyone attempting to ptrace over a task that
2554 * changes its SID has the appropriate permit */
2555 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2556 u32 ptsid = ptrace_parent_sid();
2557 if (ptsid != 0) {
2558 rc = avc_has_perm(&selinux_state,
2559 ptsid, new_tsec->sid,
2560 SECCLASS_PROCESS,
2561 PROCESS__PTRACE, NULL);
2562 if (rc)
2563 return -EPERM;
2564 }
2565 }
2566
2567 /* Clear any possibly unsafe personality bits on exec: */
2568 bprm->per_clear |= PER_CLEAR_ON_SETID;
2569
2570 /* Enable secure mode for SIDs transitions unless
2571 the noatsecure permission is granted between
2572 the two SIDs, i.e. ahp returns 0. */
2573 rc = avc_has_perm(&selinux_state,
2574 old_tsec->sid, new_tsec->sid,
2575 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2576 NULL);
2577 bprm->secureexec |= !!rc;
2578 }
2579
2580 return 0;
2581 }
2582
match_file(const void * p,struct file * file,unsigned fd)2583 static int match_file(const void *p, struct file *file, unsigned fd)
2584 {
2585 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2586 }
2587
2588 /* Derived from fs/exec.c:flush_old_files. */
flush_unauthorized_files(const struct cred * cred,struct files_struct * files)2589 static inline void flush_unauthorized_files(const struct cred *cred,
2590 struct files_struct *files)
2591 {
2592 struct file *file, *devnull = NULL;
2593 struct tty_struct *tty;
2594 int drop_tty = 0;
2595 unsigned n;
2596
2597 tty = get_current_tty();
2598 if (tty) {
2599 spin_lock(&tty->files_lock);
2600 if (!list_empty(&tty->tty_files)) {
2601 struct tty_file_private *file_priv;
2602
2603 /* Revalidate access to controlling tty.
2604 Use file_path_has_perm on the tty path directly
2605 rather than using file_has_perm, as this particular
2606 open file may belong to another process and we are
2607 only interested in the inode-based check here. */
2608 file_priv = list_first_entry(&tty->tty_files,
2609 struct tty_file_private, list);
2610 file = file_priv->file;
2611 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2612 drop_tty = 1;
2613 }
2614 spin_unlock(&tty->files_lock);
2615 tty_kref_put(tty);
2616 }
2617 /* Reset controlling tty. */
2618 if (drop_tty)
2619 no_tty();
2620
2621 /* Revalidate access to inherited open files. */
2622 n = iterate_fd(files, 0, match_file, cred);
2623 if (!n) /* none found? */
2624 return;
2625
2626 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2627 if (IS_ERR(devnull))
2628 devnull = NULL;
2629 /* replace all the matching ones with this */
2630 do {
2631 replace_fd(n - 1, devnull, 0);
2632 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2633 if (devnull)
2634 fput(devnull);
2635 }
2636
2637 /*
2638 * Prepare a process for imminent new credential changes due to exec
2639 */
selinux_bprm_committing_creds(struct linux_binprm * bprm)2640 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2641 {
2642 struct task_security_struct *new_tsec;
2643 struct rlimit *rlim, *initrlim;
2644 int rc, i;
2645
2646 new_tsec = bprm->cred->security;
2647 if (new_tsec->sid == new_tsec->osid)
2648 return;
2649
2650 /* Close files for which the new task SID is not authorized. */
2651 flush_unauthorized_files(bprm->cred, current->files);
2652
2653 /* Always clear parent death signal on SID transitions. */
2654 current->pdeath_signal = 0;
2655
2656 /* Check whether the new SID can inherit resource limits from the old
2657 * SID. If not, reset all soft limits to the lower of the current
2658 * task's hard limit and the init task's soft limit.
2659 *
2660 * Note that the setting of hard limits (even to lower them) can be
2661 * controlled by the setrlimit check. The inclusion of the init task's
2662 * soft limit into the computation is to avoid resetting soft limits
2663 * higher than the default soft limit for cases where the default is
2664 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2665 */
2666 rc = avc_has_perm(&selinux_state,
2667 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2668 PROCESS__RLIMITINH, NULL);
2669 if (rc) {
2670 /* protect against do_prlimit() */
2671 task_lock(current);
2672 for (i = 0; i < RLIM_NLIMITS; i++) {
2673 rlim = current->signal->rlim + i;
2674 initrlim = init_task.signal->rlim + i;
2675 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2676 }
2677 task_unlock(current);
2678 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2679 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2680 }
2681 }
2682
2683 /*
2684 * Clean up the process immediately after the installation of new credentials
2685 * due to exec
2686 */
selinux_bprm_committed_creds(struct linux_binprm * bprm)2687 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2688 {
2689 const struct task_security_struct *tsec = current_security();
2690 struct itimerval itimer;
2691 u32 osid, sid;
2692 int rc, i;
2693
2694 osid = tsec->osid;
2695 sid = tsec->sid;
2696
2697 if (sid == osid)
2698 return;
2699
2700 /* Check whether the new SID can inherit signal state from the old SID.
2701 * If not, clear itimers to avoid subsequent signal generation and
2702 * flush and unblock signals.
2703 *
2704 * This must occur _after_ the task SID has been updated so that any
2705 * kill done after the flush will be checked against the new SID.
2706 */
2707 rc = avc_has_perm(&selinux_state,
2708 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2709 if (rc) {
2710 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2711 memset(&itimer, 0, sizeof itimer);
2712 for (i = 0; i < 3; i++)
2713 do_setitimer(i, &itimer, NULL);
2714 }
2715 spin_lock_irq(¤t->sighand->siglock);
2716 if (!fatal_signal_pending(current)) {
2717 flush_sigqueue(¤t->pending);
2718 flush_sigqueue(¤t->signal->shared_pending);
2719 flush_signal_handlers(current, 1);
2720 sigemptyset(¤t->blocked);
2721 recalc_sigpending();
2722 }
2723 spin_unlock_irq(¤t->sighand->siglock);
2724 }
2725
2726 /* Wake up the parent if it is waiting so that it can recheck
2727 * wait permission to the new task SID. */
2728 read_lock(&tasklist_lock);
2729 __wake_up_parent(current, current->real_parent);
2730 read_unlock(&tasklist_lock);
2731 }
2732
2733 /* superblock security operations */
2734
selinux_sb_alloc_security(struct super_block * sb)2735 static int selinux_sb_alloc_security(struct super_block *sb)
2736 {
2737 return superblock_alloc_security(sb);
2738 }
2739
selinux_sb_free_security(struct super_block * sb)2740 static void selinux_sb_free_security(struct super_block *sb)
2741 {
2742 superblock_free_security(sb);
2743 }
2744
match_prefix(char * prefix,int plen,char * option,int olen)2745 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2746 {
2747 if (plen > olen)
2748 return 0;
2749
2750 return !memcmp(prefix, option, plen);
2751 }
2752
selinux_option(char * option,int len)2753 static inline int selinux_option(char *option, int len)
2754 {
2755 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2756 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2757 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2758 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2759 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2760 }
2761
take_option(char ** to,char * from,int * first,int len)2762 static inline void take_option(char **to, char *from, int *first, int len)
2763 {
2764 if (!*first) {
2765 **to = ',';
2766 *to += 1;
2767 } else
2768 *first = 0;
2769 memcpy(*to, from, len);
2770 *to += len;
2771 }
2772
take_selinux_option(char ** to,char * from,int * first,int len)2773 static inline void take_selinux_option(char **to, char *from, int *first,
2774 int len)
2775 {
2776 int current_size = 0;
2777
2778 if (!*first) {
2779 **to = '|';
2780 *to += 1;
2781 } else
2782 *first = 0;
2783
2784 while (current_size < len) {
2785 if (*from != '"') {
2786 **to = *from;
2787 *to += 1;
2788 }
2789 from += 1;
2790 current_size += 1;
2791 }
2792 }
2793
selinux_sb_copy_data(char * orig,char * copy)2794 static int selinux_sb_copy_data(char *orig, char *copy)
2795 {
2796 int fnosec, fsec, rc = 0;
2797 char *in_save, *in_curr, *in_end;
2798 char *sec_curr, *nosec_save, *nosec;
2799 int open_quote = 0;
2800
2801 in_curr = orig;
2802 sec_curr = copy;
2803
2804 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2805 if (!nosec) {
2806 rc = -ENOMEM;
2807 goto out;
2808 }
2809
2810 nosec_save = nosec;
2811 fnosec = fsec = 1;
2812 in_save = in_end = orig;
2813
2814 do {
2815 if (*in_end == '"')
2816 open_quote = !open_quote;
2817 if ((*in_end == ',' && open_quote == 0) ||
2818 *in_end == '\0') {
2819 int len = in_end - in_curr;
2820
2821 if (selinux_option(in_curr, len))
2822 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2823 else
2824 take_option(&nosec, in_curr, &fnosec, len);
2825
2826 in_curr = in_end + 1;
2827 }
2828 } while (*in_end++);
2829
2830 strcpy(in_save, nosec_save);
2831 free_page((unsigned long)nosec_save);
2832 out:
2833 return rc;
2834 }
2835
selinux_sb_remount(struct super_block * sb,void * data)2836 static int selinux_sb_remount(struct super_block *sb, void *data)
2837 {
2838 int rc, i, *flags;
2839 struct security_mnt_opts opts;
2840 char *secdata, **mount_options;
2841 struct superblock_security_struct *sbsec = sb->s_security;
2842
2843 if (!(sbsec->flags & SE_SBINITIALIZED))
2844 return 0;
2845
2846 if (!data)
2847 return 0;
2848
2849 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2850 return 0;
2851
2852 security_init_mnt_opts(&opts);
2853 secdata = alloc_secdata();
2854 if (!secdata)
2855 return -ENOMEM;
2856 rc = selinux_sb_copy_data(data, secdata);
2857 if (rc)
2858 goto out_free_secdata;
2859
2860 rc = selinux_parse_opts_str(secdata, &opts);
2861 if (rc)
2862 goto out_free_secdata;
2863
2864 mount_options = opts.mnt_opts;
2865 flags = opts.mnt_opts_flags;
2866
2867 for (i = 0; i < opts.num_mnt_opts; i++) {
2868 u32 sid;
2869
2870 if (flags[i] == SBLABEL_MNT)
2871 continue;
2872 rc = security_context_str_to_sid(&selinux_state,
2873 mount_options[i], &sid,
2874 GFP_KERNEL);
2875 if (rc) {
2876 pr_warn("SELinux: security_context_str_to_sid"
2877 "(%s) failed for (dev %s, type %s) errno=%d\n",
2878 mount_options[i], sb->s_id, sb->s_type->name, rc);
2879 goto out_free_opts;
2880 }
2881 rc = -EINVAL;
2882 switch (flags[i]) {
2883 case FSCONTEXT_MNT:
2884 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2885 goto out_bad_option;
2886 break;
2887 case CONTEXT_MNT:
2888 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2889 goto out_bad_option;
2890 break;
2891 case ROOTCONTEXT_MNT: {
2892 struct inode_security_struct *root_isec;
2893 root_isec = backing_inode_security(sb->s_root);
2894
2895 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2896 goto out_bad_option;
2897 break;
2898 }
2899 case DEFCONTEXT_MNT:
2900 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2901 goto out_bad_option;
2902 break;
2903 default:
2904 goto out_free_opts;
2905 }
2906 }
2907
2908 rc = 0;
2909 out_free_opts:
2910 security_free_mnt_opts(&opts);
2911 out_free_secdata:
2912 free_secdata(secdata);
2913 return rc;
2914 out_bad_option:
2915 pr_warn("SELinux: unable to change security options "
2916 "during remount (dev %s, type=%s)\n", sb->s_id,
2917 sb->s_type->name);
2918 goto out_free_opts;
2919 }
2920
selinux_sb_kern_mount(struct super_block * sb,int flags,void * data)2921 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2922 {
2923 const struct cred *cred = current_cred();
2924 struct common_audit_data ad;
2925 int rc;
2926
2927 rc = superblock_doinit(sb, data);
2928 if (rc)
2929 return rc;
2930
2931 /* Allow all mounts performed by the kernel */
2932 if (flags & MS_KERNMOUNT)
2933 return 0;
2934
2935 ad.type = LSM_AUDIT_DATA_DENTRY;
2936 ad.u.dentry = sb->s_root;
2937 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2938 }
2939
selinux_sb_statfs(struct dentry * dentry)2940 static int selinux_sb_statfs(struct dentry *dentry)
2941 {
2942 const struct cred *cred = current_cred();
2943 struct common_audit_data ad;
2944
2945 ad.type = LSM_AUDIT_DATA_DENTRY;
2946 ad.u.dentry = dentry->d_sb->s_root;
2947 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2948 }
2949
selinux_mount(const char * dev_name,const struct path * path,const char * type,unsigned long flags,void * data)2950 static int selinux_mount(const char *dev_name,
2951 const struct path *path,
2952 const char *type,
2953 unsigned long flags,
2954 void *data)
2955 {
2956 const struct cred *cred = current_cred();
2957
2958 if (flags & MS_REMOUNT)
2959 return superblock_has_perm(cred, path->dentry->d_sb,
2960 FILESYSTEM__REMOUNT, NULL);
2961 else
2962 return path_has_perm(cred, path, FILE__MOUNTON);
2963 }
2964
selinux_umount(struct vfsmount * mnt,int flags)2965 static int selinux_umount(struct vfsmount *mnt, int flags)
2966 {
2967 const struct cred *cred = current_cred();
2968
2969 return superblock_has_perm(cred, mnt->mnt_sb,
2970 FILESYSTEM__UNMOUNT, NULL);
2971 }
2972
2973 /* inode security operations */
2974
selinux_inode_alloc_security(struct inode * inode)2975 static int selinux_inode_alloc_security(struct inode *inode)
2976 {
2977 return inode_alloc_security(inode);
2978 }
2979
selinux_inode_free_security(struct inode * inode)2980 static void selinux_inode_free_security(struct inode *inode)
2981 {
2982 inode_free_security(inode);
2983 }
2984
selinux_dentry_init_security(struct dentry * dentry,int mode,const struct qstr * name,void ** ctx,u32 * ctxlen)2985 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2986 const struct qstr *name, void **ctx,
2987 u32 *ctxlen)
2988 {
2989 u32 newsid;
2990 int rc;
2991
2992 rc = selinux_determine_inode_label(current_security(),
2993 d_inode(dentry->d_parent), name,
2994 inode_mode_to_security_class(mode),
2995 &newsid);
2996 if (rc)
2997 return rc;
2998
2999 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3000 ctxlen);
3001 }
3002
selinux_dentry_create_files_as(struct dentry * dentry,int mode,struct qstr * name,const struct cred * old,struct cred * new)3003 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3004 struct qstr *name,
3005 const struct cred *old,
3006 struct cred *new)
3007 {
3008 u32 newsid;
3009 int rc;
3010 struct task_security_struct *tsec;
3011
3012 rc = selinux_determine_inode_label(old->security,
3013 d_inode(dentry->d_parent), name,
3014 inode_mode_to_security_class(mode),
3015 &newsid);
3016 if (rc)
3017 return rc;
3018
3019 tsec = new->security;
3020 tsec->create_sid = newsid;
3021 return 0;
3022 }
3023
selinux_inode_init_security(struct inode * inode,struct inode * dir,const struct qstr * qstr,const char ** name,void ** value,size_t * len)3024 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3025 const struct qstr *qstr,
3026 const char **name,
3027 void **value, size_t *len)
3028 {
3029 const struct task_security_struct *tsec = current_security();
3030 struct superblock_security_struct *sbsec;
3031 u32 newsid, clen;
3032 int rc;
3033 char *context;
3034
3035 sbsec = dir->i_sb->s_security;
3036
3037 newsid = tsec->create_sid;
3038
3039 rc = selinux_determine_inode_label(current_security(),
3040 dir, qstr,
3041 inode_mode_to_security_class(inode->i_mode),
3042 &newsid);
3043 if (rc)
3044 return rc;
3045
3046 /* Possibly defer initialization to selinux_complete_init. */
3047 if (sbsec->flags & SE_SBINITIALIZED) {
3048 struct inode_security_struct *isec = inode->i_security;
3049 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3050 isec->sid = newsid;
3051 isec->initialized = LABEL_INITIALIZED;
3052 }
3053
3054 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3055 return -EOPNOTSUPP;
3056
3057 if (name)
3058 *name = XATTR_SELINUX_SUFFIX;
3059
3060 if (value && len) {
3061 rc = security_sid_to_context_force(&selinux_state, newsid,
3062 &context, &clen);
3063 if (rc)
3064 return rc;
3065 *value = context;
3066 *len = clen;
3067 }
3068
3069 return 0;
3070 }
3071
selinux_inode_create(struct inode * dir,struct dentry * dentry,umode_t mode)3072 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3073 {
3074 return may_create(dir, dentry, SECCLASS_FILE);
3075 }
3076
selinux_inode_link(struct dentry * old_dentry,struct inode * dir,struct dentry * new_dentry)3077 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3078 {
3079 return may_link(dir, old_dentry, MAY_LINK);
3080 }
3081
selinux_inode_unlink(struct inode * dir,struct dentry * dentry)3082 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3083 {
3084 return may_link(dir, dentry, MAY_UNLINK);
3085 }
3086
selinux_inode_symlink(struct inode * dir,struct dentry * dentry,const char * name)3087 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3088 {
3089 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3090 }
3091
selinux_inode_mkdir(struct inode * dir,struct dentry * dentry,umode_t mask)3092 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3093 {
3094 return may_create(dir, dentry, SECCLASS_DIR);
3095 }
3096
selinux_inode_rmdir(struct inode * dir,struct dentry * dentry)3097 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3098 {
3099 return may_link(dir, dentry, MAY_RMDIR);
3100 }
3101
selinux_inode_mknod(struct inode * dir,struct dentry * dentry,umode_t mode,dev_t dev)3102 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3103 {
3104 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3105 }
3106
selinux_inode_rename(struct inode * old_inode,struct dentry * old_dentry,struct inode * new_inode,struct dentry * new_dentry)3107 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3108 struct inode *new_inode, struct dentry *new_dentry)
3109 {
3110 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3111 }
3112
selinux_inode_readlink(struct dentry * dentry)3113 static int selinux_inode_readlink(struct dentry *dentry)
3114 {
3115 const struct cred *cred = current_cred();
3116
3117 return dentry_has_perm(cred, dentry, FILE__READ);
3118 }
3119
selinux_inode_follow_link(struct dentry * dentry,struct inode * inode,bool rcu)3120 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3121 bool rcu)
3122 {
3123 const struct cred *cred = current_cred();
3124 struct common_audit_data ad;
3125 struct inode_security_struct *isec;
3126 u32 sid;
3127
3128 validate_creds(cred);
3129
3130 ad.type = LSM_AUDIT_DATA_DENTRY;
3131 ad.u.dentry = dentry;
3132 sid = cred_sid(cred);
3133 isec = inode_security_rcu(inode, rcu);
3134 if (IS_ERR(isec))
3135 return PTR_ERR(isec);
3136
3137 return avc_has_perm_flags(&selinux_state,
3138 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3139 rcu ? MAY_NOT_BLOCK : 0);
3140 }
3141
audit_inode_permission(struct inode * inode,u32 perms,u32 audited,u32 denied,int result,unsigned flags)3142 static noinline int audit_inode_permission(struct inode *inode,
3143 u32 perms, u32 audited, u32 denied,
3144 int result,
3145 unsigned flags)
3146 {
3147 struct common_audit_data ad;
3148 struct inode_security_struct *isec = inode->i_security;
3149 int rc;
3150
3151 ad.type = LSM_AUDIT_DATA_INODE;
3152 ad.u.inode = inode;
3153
3154 rc = slow_avc_audit(&selinux_state,
3155 current_sid(), isec->sid, isec->sclass, perms,
3156 audited, denied, result, &ad, flags);
3157 if (rc)
3158 return rc;
3159 return 0;
3160 }
3161
selinux_inode_permission(struct inode * inode,int mask)3162 static int selinux_inode_permission(struct inode *inode, int mask)
3163 {
3164 const struct cred *cred = current_cred();
3165 u32 perms;
3166 bool from_access;
3167 unsigned flags = mask & MAY_NOT_BLOCK;
3168 struct inode_security_struct *isec;
3169 u32 sid;
3170 struct av_decision avd;
3171 int rc, rc2;
3172 u32 audited, denied;
3173
3174 from_access = mask & MAY_ACCESS;
3175 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3176
3177 /* No permission to check. Existence test. */
3178 if (!mask)
3179 return 0;
3180
3181 validate_creds(cred);
3182
3183 if (unlikely(IS_PRIVATE(inode)))
3184 return 0;
3185
3186 perms = file_mask_to_av(inode->i_mode, mask);
3187
3188 sid = cred_sid(cred);
3189 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3190 if (IS_ERR(isec))
3191 return PTR_ERR(isec);
3192
3193 rc = avc_has_perm_noaudit(&selinux_state,
3194 sid, isec->sid, isec->sclass, perms, 0, &avd);
3195 audited = avc_audit_required(perms, &avd, rc,
3196 from_access ? FILE__AUDIT_ACCESS : 0,
3197 &denied);
3198 if (likely(!audited))
3199 return rc;
3200
3201 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3202 if (rc2)
3203 return rc2;
3204 return rc;
3205 }
3206
selinux_inode_setattr(struct dentry * dentry,struct iattr * iattr)3207 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3208 {
3209 const struct cred *cred = current_cred();
3210 struct inode *inode = d_backing_inode(dentry);
3211 unsigned int ia_valid = iattr->ia_valid;
3212 __u32 av = FILE__WRITE;
3213
3214 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3215 if (ia_valid & ATTR_FORCE) {
3216 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3217 ATTR_FORCE);
3218 if (!ia_valid)
3219 return 0;
3220 }
3221
3222 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3223 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3224 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3225
3226 if (selinux_policycap_openperm() &&
3227 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3228 (ia_valid & ATTR_SIZE) &&
3229 !(ia_valid & ATTR_FILE))
3230 av |= FILE__OPEN;
3231
3232 return dentry_has_perm(cred, dentry, av);
3233 }
3234
selinux_inode_getattr(const struct path * path)3235 static int selinux_inode_getattr(const struct path *path)
3236 {
3237 return path_has_perm(current_cred(), path, FILE__GETATTR);
3238 }
3239
has_cap_mac_admin(bool audit)3240 static bool has_cap_mac_admin(bool audit)
3241 {
3242 const struct cred *cred = current_cred();
3243 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3244
3245 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3246 return false;
3247 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3248 return false;
3249 return true;
3250 }
3251
selinux_inode_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3252 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3253 const void *value, size_t size, int flags)
3254 {
3255 struct inode *inode = d_backing_inode(dentry);
3256 struct inode_security_struct *isec;
3257 struct superblock_security_struct *sbsec;
3258 struct common_audit_data ad;
3259 u32 newsid, sid = current_sid();
3260 int rc = 0;
3261
3262 if (strcmp(name, XATTR_NAME_SELINUX)) {
3263 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3264 if (rc)
3265 return rc;
3266
3267 /* Not an attribute we recognize, so just check the
3268 ordinary setattr permission. */
3269 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3270 }
3271
3272 sbsec = inode->i_sb->s_security;
3273 if (!(sbsec->flags & SBLABEL_MNT))
3274 return -EOPNOTSUPP;
3275
3276 if (!inode_owner_or_capable(inode))
3277 return -EPERM;
3278
3279 ad.type = LSM_AUDIT_DATA_DENTRY;
3280 ad.u.dentry = dentry;
3281
3282 isec = backing_inode_security(dentry);
3283 rc = avc_has_perm(&selinux_state,
3284 sid, isec->sid, isec->sclass,
3285 FILE__RELABELFROM, &ad);
3286 if (rc)
3287 return rc;
3288
3289 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3290 GFP_KERNEL);
3291 if (rc == -EINVAL) {
3292 if (!has_cap_mac_admin(true)) {
3293 struct audit_buffer *ab;
3294 size_t audit_size;
3295
3296 /* We strip a nul only if it is at the end, otherwise the
3297 * context contains a nul and we should audit that */
3298 if (value) {
3299 const char *str = value;
3300
3301 if (str[size - 1] == '\0')
3302 audit_size = size - 1;
3303 else
3304 audit_size = size;
3305 } else {
3306 audit_size = 0;
3307 }
3308 ab = audit_log_start(audit_context(),
3309 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3310 audit_log_format(ab, "op=setxattr invalid_context=");
3311 audit_log_n_untrustedstring(ab, value, audit_size);
3312 audit_log_end(ab);
3313
3314 return rc;
3315 }
3316 rc = security_context_to_sid_force(&selinux_state, value,
3317 size, &newsid);
3318 }
3319 if (rc)
3320 return rc;
3321
3322 rc = avc_has_perm(&selinux_state,
3323 sid, newsid, isec->sclass,
3324 FILE__RELABELTO, &ad);
3325 if (rc)
3326 return rc;
3327
3328 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3329 sid, isec->sclass);
3330 if (rc)
3331 return rc;
3332
3333 return avc_has_perm(&selinux_state,
3334 newsid,
3335 sbsec->sid,
3336 SECCLASS_FILESYSTEM,
3337 FILESYSTEM__ASSOCIATE,
3338 &ad);
3339 }
3340
selinux_inode_post_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3341 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3342 const void *value, size_t size,
3343 int flags)
3344 {
3345 struct inode *inode = d_backing_inode(dentry);
3346 struct inode_security_struct *isec;
3347 u32 newsid;
3348 int rc;
3349
3350 if (strcmp(name, XATTR_NAME_SELINUX)) {
3351 /* Not an attribute we recognize, so nothing to do. */
3352 return;
3353 }
3354
3355 rc = security_context_to_sid_force(&selinux_state, value, size,
3356 &newsid);
3357 if (rc) {
3358 pr_err("SELinux: unable to map context to SID"
3359 "for (%s, %lu), rc=%d\n",
3360 inode->i_sb->s_id, inode->i_ino, -rc);
3361 return;
3362 }
3363
3364 isec = backing_inode_security(dentry);
3365 spin_lock(&isec->lock);
3366 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3367 isec->sid = newsid;
3368 isec->initialized = LABEL_INITIALIZED;
3369 spin_unlock(&isec->lock);
3370
3371 return;
3372 }
3373
selinux_inode_getxattr(struct dentry * dentry,const char * name)3374 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3375 {
3376 const struct cred *cred = current_cred();
3377
3378 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3379 }
3380
selinux_inode_listxattr(struct dentry * dentry)3381 static int selinux_inode_listxattr(struct dentry *dentry)
3382 {
3383 const struct cred *cred = current_cred();
3384
3385 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3386 }
3387
selinux_inode_removexattr(struct dentry * dentry,const char * name)3388 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3389 {
3390 if (strcmp(name, XATTR_NAME_SELINUX)) {
3391 int rc = cap_inode_removexattr(dentry, name);
3392 if (rc)
3393 return rc;
3394
3395 /* Not an attribute we recognize, so just check the
3396 ordinary setattr permission. */
3397 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3398 }
3399
3400 /* No one is allowed to remove a SELinux security label.
3401 You can change the label, but all data must be labeled. */
3402 return -EACCES;
3403 }
3404
3405 /*
3406 * Copy the inode security context value to the user.
3407 *
3408 * Permission check is handled by selinux_inode_getxattr hook.
3409 */
selinux_inode_getsecurity(struct inode * inode,const char * name,void ** buffer,bool alloc)3410 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3411 {
3412 u32 size;
3413 int error;
3414 char *context = NULL;
3415 struct inode_security_struct *isec;
3416
3417 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3418 return -EOPNOTSUPP;
3419
3420 /*
3421 * If the caller has CAP_MAC_ADMIN, then get the raw context
3422 * value even if it is not defined by current policy; otherwise,
3423 * use the in-core value under current policy.
3424 * Use the non-auditing forms of the permission checks since
3425 * getxattr may be called by unprivileged processes commonly
3426 * and lack of permission just means that we fall back to the
3427 * in-core context value, not a denial.
3428 */
3429 isec = inode_security(inode);
3430 if (has_cap_mac_admin(false))
3431 error = security_sid_to_context_force(&selinux_state,
3432 isec->sid, &context,
3433 &size);
3434 else
3435 error = security_sid_to_context(&selinux_state, isec->sid,
3436 &context, &size);
3437 if (error)
3438 return error;
3439 error = size;
3440 if (alloc) {
3441 *buffer = context;
3442 goto out_nofree;
3443 }
3444 kfree(context);
3445 out_nofree:
3446 return error;
3447 }
3448
selinux_inode_setsecurity(struct inode * inode,const char * name,const void * value,size_t size,int flags)3449 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3450 const void *value, size_t size, int flags)
3451 {
3452 struct inode_security_struct *isec = inode_security_novalidate(inode);
3453 u32 newsid;
3454 int rc;
3455
3456 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3457 return -EOPNOTSUPP;
3458
3459 if (!value || !size)
3460 return -EACCES;
3461
3462 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3463 GFP_KERNEL);
3464 if (rc)
3465 return rc;
3466
3467 spin_lock(&isec->lock);
3468 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3469 isec->sid = newsid;
3470 isec->initialized = LABEL_INITIALIZED;
3471 spin_unlock(&isec->lock);
3472 return 0;
3473 }
3474
selinux_inode_listsecurity(struct inode * inode,char * buffer,size_t buffer_size)3475 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3476 {
3477 const int len = sizeof(XATTR_NAME_SELINUX);
3478 if (buffer && len <= buffer_size)
3479 memcpy(buffer, XATTR_NAME_SELINUX, len);
3480 return len;
3481 }
3482
selinux_inode_getsecid(struct inode * inode,u32 * secid)3483 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3484 {
3485 struct inode_security_struct *isec = inode_security_novalidate(inode);
3486 *secid = isec->sid;
3487 }
3488
selinux_inode_copy_up(struct dentry * src,struct cred ** new)3489 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3490 {
3491 u32 sid;
3492 struct task_security_struct *tsec;
3493 struct cred *new_creds = *new;
3494
3495 if (new_creds == NULL) {
3496 new_creds = prepare_creds();
3497 if (!new_creds)
3498 return -ENOMEM;
3499 }
3500
3501 tsec = new_creds->security;
3502 /* Get label from overlay inode and set it in create_sid */
3503 selinux_inode_getsecid(d_inode(src), &sid);
3504 tsec->create_sid = sid;
3505 *new = new_creds;
3506 return 0;
3507 }
3508
selinux_inode_copy_up_xattr(const char * name)3509 static int selinux_inode_copy_up_xattr(const char *name)
3510 {
3511 /* The copy_up hook above sets the initial context on an inode, but we
3512 * don't then want to overwrite it by blindly copying all the lower
3513 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3514 */
3515 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3516 return 1; /* Discard */
3517 /*
3518 * Any other attribute apart from SELINUX is not claimed, supported
3519 * by selinux.
3520 */
3521 return -EOPNOTSUPP;
3522 }
3523
3524 /* file security operations */
3525
selinux_revalidate_file_permission(struct file * file,int mask)3526 static int selinux_revalidate_file_permission(struct file *file, int mask)
3527 {
3528 const struct cred *cred = current_cred();
3529 struct inode *inode = file_inode(file);
3530
3531 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3532 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3533 mask |= MAY_APPEND;
3534
3535 return file_has_perm(cred, file,
3536 file_mask_to_av(inode->i_mode, mask));
3537 }
3538
selinux_file_permission(struct file * file,int mask)3539 static int selinux_file_permission(struct file *file, int mask)
3540 {
3541 struct inode *inode = file_inode(file);
3542 struct file_security_struct *fsec = file->f_security;
3543 struct inode_security_struct *isec;
3544 u32 sid = current_sid();
3545
3546 if (!mask)
3547 /* No permission to check. Existence test. */
3548 return 0;
3549
3550 isec = inode_security(inode);
3551 if (sid == fsec->sid && fsec->isid == isec->sid &&
3552 fsec->pseqno == avc_policy_seqno(&selinux_state))
3553 /* No change since file_open check. */
3554 return 0;
3555
3556 return selinux_revalidate_file_permission(file, mask);
3557 }
3558
selinux_file_alloc_security(struct file * file)3559 static int selinux_file_alloc_security(struct file *file)
3560 {
3561 return file_alloc_security(file);
3562 }
3563
selinux_file_free_security(struct file * file)3564 static void selinux_file_free_security(struct file *file)
3565 {
3566 file_free_security(file);
3567 }
3568
3569 /*
3570 * Check whether a task has the ioctl permission and cmd
3571 * operation to an inode.
3572 */
ioctl_has_perm(const struct cred * cred,struct file * file,u32 requested,u16 cmd)3573 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3574 u32 requested, u16 cmd)
3575 {
3576 struct common_audit_data ad;
3577 struct file_security_struct *fsec = file->f_security;
3578 struct inode *inode = file_inode(file);
3579 struct inode_security_struct *isec;
3580 struct lsm_ioctlop_audit ioctl;
3581 u32 ssid = cred_sid(cred);
3582 int rc;
3583 u8 driver = cmd >> 8;
3584 u8 xperm = cmd & 0xff;
3585
3586 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3587 ad.u.op = &ioctl;
3588 ad.u.op->cmd = cmd;
3589 ad.u.op->path = file->f_path;
3590
3591 if (ssid != fsec->sid) {
3592 rc = avc_has_perm(&selinux_state,
3593 ssid, fsec->sid,
3594 SECCLASS_FD,
3595 FD__USE,
3596 &ad);
3597 if (rc)
3598 goto out;
3599 }
3600
3601 if (unlikely(IS_PRIVATE(inode)))
3602 return 0;
3603
3604 isec = inode_security(inode);
3605 rc = avc_has_extended_perms(&selinux_state,
3606 ssid, isec->sid, isec->sclass,
3607 requested, driver, xperm, &ad);
3608 out:
3609 return rc;
3610 }
3611
selinux_file_ioctl(struct file * file,unsigned int cmd,unsigned long arg)3612 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3613 unsigned long arg)
3614 {
3615 const struct cred *cred = current_cred();
3616 int error = 0;
3617
3618 switch (cmd) {
3619 case FIONREAD:
3620 /* fall through */
3621 case FIBMAP:
3622 /* fall through */
3623 case FIGETBSZ:
3624 /* fall through */
3625 case FS_IOC_GETFLAGS:
3626 /* fall through */
3627 case FS_IOC_GETVERSION:
3628 error = file_has_perm(cred, file, FILE__GETATTR);
3629 break;
3630
3631 case FS_IOC_SETFLAGS:
3632 /* fall through */
3633 case FS_IOC_SETVERSION:
3634 error = file_has_perm(cred, file, FILE__SETATTR);
3635 break;
3636
3637 /* sys_ioctl() checks */
3638 case FIONBIO:
3639 /* fall through */
3640 case FIOASYNC:
3641 error = file_has_perm(cred, file, 0);
3642 break;
3643
3644 case KDSKBENT:
3645 case KDSKBSENT:
3646 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3647 SECURITY_CAP_AUDIT, true);
3648 break;
3649
3650 /* default case assumes that the command will go
3651 * to the file's ioctl() function.
3652 */
3653 default:
3654 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3655 }
3656 return error;
3657 }
3658
3659 static int default_noexec;
3660
file_map_prot_check(struct file * file,unsigned long prot,int shared)3661 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3662 {
3663 const struct cred *cred = current_cred();
3664 u32 sid = cred_sid(cred);
3665 int rc = 0;
3666
3667 if (default_noexec &&
3668 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3669 (!shared && (prot & PROT_WRITE)))) {
3670 /*
3671 * We are making executable an anonymous mapping or a
3672 * private file mapping that will also be writable.
3673 * This has an additional check.
3674 */
3675 rc = avc_has_perm(&selinux_state,
3676 sid, sid, SECCLASS_PROCESS,
3677 PROCESS__EXECMEM, NULL);
3678 if (rc)
3679 goto error;
3680 }
3681
3682 if (file) {
3683 /* read access is always possible with a mapping */
3684 u32 av = FILE__READ;
3685
3686 /* write access only matters if the mapping is shared */
3687 if (shared && (prot & PROT_WRITE))
3688 av |= FILE__WRITE;
3689
3690 if (prot & PROT_EXEC)
3691 av |= FILE__EXECUTE;
3692
3693 return file_has_perm(cred, file, av);
3694 }
3695
3696 error:
3697 return rc;
3698 }
3699
selinux_mmap_addr(unsigned long addr)3700 static int selinux_mmap_addr(unsigned long addr)
3701 {
3702 int rc = 0;
3703
3704 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3705 u32 sid = current_sid();
3706 rc = avc_has_perm(&selinux_state,
3707 sid, sid, SECCLASS_MEMPROTECT,
3708 MEMPROTECT__MMAP_ZERO, NULL);
3709 }
3710
3711 return rc;
3712 }
3713
selinux_mmap_file(struct file * file,unsigned long reqprot,unsigned long prot,unsigned long flags)3714 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3715 unsigned long prot, unsigned long flags)
3716 {
3717 struct common_audit_data ad;
3718 int rc;
3719
3720 if (file) {
3721 ad.type = LSM_AUDIT_DATA_FILE;
3722 ad.u.file = file;
3723 rc = inode_has_perm(current_cred(), file_inode(file),
3724 FILE__MAP, &ad);
3725 if (rc)
3726 return rc;
3727 }
3728
3729 if (selinux_state.checkreqprot)
3730 prot = reqprot;
3731
3732 return file_map_prot_check(file, prot,
3733 (flags & MAP_TYPE) == MAP_SHARED);
3734 }
3735
selinux_file_mprotect(struct vm_area_struct * vma,unsigned long reqprot,unsigned long prot)3736 static int selinux_file_mprotect(struct vm_area_struct *vma,
3737 unsigned long reqprot,
3738 unsigned long prot)
3739 {
3740 const struct cred *cred = current_cred();
3741 u32 sid = cred_sid(cred);
3742
3743 if (selinux_state.checkreqprot)
3744 prot = reqprot;
3745
3746 if (default_noexec &&
3747 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3748 int rc = 0;
3749 if (vma->vm_start >= vma->vm_mm->start_brk &&
3750 vma->vm_end <= vma->vm_mm->brk) {
3751 rc = avc_has_perm(&selinux_state,
3752 sid, sid, SECCLASS_PROCESS,
3753 PROCESS__EXECHEAP, NULL);
3754 } else if (!vma->vm_file &&
3755 ((vma->vm_start <= vma->vm_mm->start_stack &&
3756 vma->vm_end >= vma->vm_mm->start_stack) ||
3757 vma_is_stack_for_current(vma))) {
3758 rc = avc_has_perm(&selinux_state,
3759 sid, sid, SECCLASS_PROCESS,
3760 PROCESS__EXECSTACK, NULL);
3761 } else if (vma->vm_file && vma->anon_vma) {
3762 /*
3763 * We are making executable a file mapping that has
3764 * had some COW done. Since pages might have been
3765 * written, check ability to execute the possibly
3766 * modified content. This typically should only
3767 * occur for text relocations.
3768 */
3769 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3770 }
3771 if (rc)
3772 return rc;
3773 }
3774
3775 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3776 }
3777
selinux_file_lock(struct file * file,unsigned int cmd)3778 static int selinux_file_lock(struct file *file, unsigned int cmd)
3779 {
3780 const struct cred *cred = current_cred();
3781
3782 return file_has_perm(cred, file, FILE__LOCK);
3783 }
3784
selinux_file_fcntl(struct file * file,unsigned int cmd,unsigned long arg)3785 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3786 unsigned long arg)
3787 {
3788 const struct cred *cred = current_cred();
3789 int err = 0;
3790
3791 switch (cmd) {
3792 case F_SETFL:
3793 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3794 err = file_has_perm(cred, file, FILE__WRITE);
3795 break;
3796 }
3797 /* fall through */
3798 case F_SETOWN:
3799 case F_SETSIG:
3800 case F_GETFL:
3801 case F_GETOWN:
3802 case F_GETSIG:
3803 case F_GETOWNER_UIDS:
3804 /* Just check FD__USE permission */
3805 err = file_has_perm(cred, file, 0);
3806 break;
3807 case F_GETLK:
3808 case F_SETLK:
3809 case F_SETLKW:
3810 case F_OFD_GETLK:
3811 case F_OFD_SETLK:
3812 case F_OFD_SETLKW:
3813 #if BITS_PER_LONG == 32
3814 case F_GETLK64:
3815 case F_SETLK64:
3816 case F_SETLKW64:
3817 #endif
3818 err = file_has_perm(cred, file, FILE__LOCK);
3819 break;
3820 }
3821
3822 return err;
3823 }
3824
selinux_file_set_fowner(struct file * file)3825 static void selinux_file_set_fowner(struct file *file)
3826 {
3827 struct file_security_struct *fsec;
3828
3829 fsec = file->f_security;
3830 fsec->fown_sid = current_sid();
3831 }
3832
selinux_file_send_sigiotask(struct task_struct * tsk,struct fown_struct * fown,int signum)3833 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3834 struct fown_struct *fown, int signum)
3835 {
3836 struct file *file;
3837 u32 sid = task_sid(tsk);
3838 u32 perm;
3839 struct file_security_struct *fsec;
3840
3841 /* struct fown_struct is never outside the context of a struct file */
3842 file = container_of(fown, struct file, f_owner);
3843
3844 fsec = file->f_security;
3845
3846 if (!signum)
3847 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3848 else
3849 perm = signal_to_av(signum);
3850
3851 return avc_has_perm(&selinux_state,
3852 fsec->fown_sid, sid,
3853 SECCLASS_PROCESS, perm, NULL);
3854 }
3855
selinux_file_receive(struct file * file)3856 static int selinux_file_receive(struct file *file)
3857 {
3858 const struct cred *cred = current_cred();
3859
3860 return file_has_perm(cred, file, file_to_av(file));
3861 }
3862
selinux_file_open(struct file * file)3863 static int selinux_file_open(struct file *file)
3864 {
3865 struct file_security_struct *fsec;
3866 struct inode_security_struct *isec;
3867
3868 fsec = file->f_security;
3869 isec = inode_security(file_inode(file));
3870 /*
3871 * Save inode label and policy sequence number
3872 * at open-time so that selinux_file_permission
3873 * can determine whether revalidation is necessary.
3874 * Task label is already saved in the file security
3875 * struct as its SID.
3876 */
3877 fsec->isid = isec->sid;
3878 fsec->pseqno = avc_policy_seqno(&selinux_state);
3879 /*
3880 * Since the inode label or policy seqno may have changed
3881 * between the selinux_inode_permission check and the saving
3882 * of state above, recheck that access is still permitted.
3883 * Otherwise, access might never be revalidated against the
3884 * new inode label or new policy.
3885 * This check is not redundant - do not remove.
3886 */
3887 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3888 }
3889
3890 /* task security operations */
3891
selinux_task_alloc(struct task_struct * task,unsigned long clone_flags)3892 static int selinux_task_alloc(struct task_struct *task,
3893 unsigned long clone_flags)
3894 {
3895 u32 sid = current_sid();
3896
3897 return avc_has_perm(&selinux_state,
3898 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3899 }
3900
3901 /*
3902 * allocate the SELinux part of blank credentials
3903 */
selinux_cred_alloc_blank(struct cred * cred,gfp_t gfp)3904 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3905 {
3906 struct task_security_struct *tsec;
3907
3908 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3909 if (!tsec)
3910 return -ENOMEM;
3911
3912 cred->security = tsec;
3913 return 0;
3914 }
3915
3916 /*
3917 * detach and free the LSM part of a set of credentials
3918 */
selinux_cred_free(struct cred * cred)3919 static void selinux_cred_free(struct cred *cred)
3920 {
3921 struct task_security_struct *tsec = cred->security;
3922
3923 /*
3924 * cred->security == NULL if security_cred_alloc_blank() or
3925 * security_prepare_creds() returned an error.
3926 */
3927 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3928 cred->security = (void *) 0x7UL;
3929 kfree(tsec);
3930 }
3931
3932 /*
3933 * prepare a new set of credentials for modification
3934 */
selinux_cred_prepare(struct cred * new,const struct cred * old,gfp_t gfp)3935 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3936 gfp_t gfp)
3937 {
3938 const struct task_security_struct *old_tsec;
3939 struct task_security_struct *tsec;
3940
3941 old_tsec = old->security;
3942
3943 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3944 if (!tsec)
3945 return -ENOMEM;
3946
3947 new->security = tsec;
3948 return 0;
3949 }
3950
3951 /*
3952 * transfer the SELinux data to a blank set of creds
3953 */
selinux_cred_transfer(struct cred * new,const struct cred * old)3954 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3955 {
3956 const struct task_security_struct *old_tsec = old->security;
3957 struct task_security_struct *tsec = new->security;
3958
3959 *tsec = *old_tsec;
3960 }
3961
selinux_cred_getsecid(const struct cred * c,u32 * secid)3962 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3963 {
3964 *secid = cred_sid(c);
3965 }
3966
3967 /*
3968 * set the security data for a kernel service
3969 * - all the creation contexts are set to unlabelled
3970 */
selinux_kernel_act_as(struct cred * new,u32 secid)3971 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3972 {
3973 struct task_security_struct *tsec = new->security;
3974 u32 sid = current_sid();
3975 int ret;
3976
3977 ret = avc_has_perm(&selinux_state,
3978 sid, secid,
3979 SECCLASS_KERNEL_SERVICE,
3980 KERNEL_SERVICE__USE_AS_OVERRIDE,
3981 NULL);
3982 if (ret == 0) {
3983 tsec->sid = secid;
3984 tsec->create_sid = 0;
3985 tsec->keycreate_sid = 0;
3986 tsec->sockcreate_sid = 0;
3987 }
3988 return ret;
3989 }
3990
3991 /*
3992 * set the file creation context in a security record to the same as the
3993 * objective context of the specified inode
3994 */
selinux_kernel_create_files_as(struct cred * new,struct inode * inode)3995 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3996 {
3997 struct inode_security_struct *isec = inode_security(inode);
3998 struct task_security_struct *tsec = new->security;
3999 u32 sid = current_sid();
4000 int ret;
4001
4002 ret = avc_has_perm(&selinux_state,
4003 sid, isec->sid,
4004 SECCLASS_KERNEL_SERVICE,
4005 KERNEL_SERVICE__CREATE_FILES_AS,
4006 NULL);
4007
4008 if (ret == 0)
4009 tsec->create_sid = isec->sid;
4010 return ret;
4011 }
4012
selinux_kernel_module_request(char * kmod_name)4013 static int selinux_kernel_module_request(char *kmod_name)
4014 {
4015 struct common_audit_data ad;
4016
4017 ad.type = LSM_AUDIT_DATA_KMOD;
4018 ad.u.kmod_name = kmod_name;
4019
4020 return avc_has_perm(&selinux_state,
4021 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4022 SYSTEM__MODULE_REQUEST, &ad);
4023 }
4024
selinux_kernel_module_from_file(struct file * file)4025 static int selinux_kernel_module_from_file(struct file *file)
4026 {
4027 struct common_audit_data ad;
4028 struct inode_security_struct *isec;
4029 struct file_security_struct *fsec;
4030 u32 sid = current_sid();
4031 int rc;
4032
4033 /* init_module */
4034 if (file == NULL)
4035 return avc_has_perm(&selinux_state,
4036 sid, sid, SECCLASS_SYSTEM,
4037 SYSTEM__MODULE_LOAD, NULL);
4038
4039 /* finit_module */
4040
4041 ad.type = LSM_AUDIT_DATA_FILE;
4042 ad.u.file = file;
4043
4044 fsec = file->f_security;
4045 if (sid != fsec->sid) {
4046 rc = avc_has_perm(&selinux_state,
4047 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4048 if (rc)
4049 return rc;
4050 }
4051
4052 isec = inode_security(file_inode(file));
4053 return avc_has_perm(&selinux_state,
4054 sid, isec->sid, SECCLASS_SYSTEM,
4055 SYSTEM__MODULE_LOAD, &ad);
4056 }
4057
selinux_kernel_read_file(struct file * file,enum kernel_read_file_id id)4058 static int selinux_kernel_read_file(struct file *file,
4059 enum kernel_read_file_id id)
4060 {
4061 int rc = 0;
4062
4063 switch (id) {
4064 case READING_MODULE:
4065 rc = selinux_kernel_module_from_file(file);
4066 break;
4067 default:
4068 break;
4069 }
4070
4071 return rc;
4072 }
4073
selinux_kernel_load_data(enum kernel_load_data_id id)4074 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4075 {
4076 int rc = 0;
4077
4078 switch (id) {
4079 case LOADING_MODULE:
4080 rc = selinux_kernel_module_from_file(NULL);
4081 default:
4082 break;
4083 }
4084
4085 return rc;
4086 }
4087
selinux_task_setpgid(struct task_struct * p,pid_t pgid)4088 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4089 {
4090 return avc_has_perm(&selinux_state,
4091 current_sid(), task_sid(p), SECCLASS_PROCESS,
4092 PROCESS__SETPGID, NULL);
4093 }
4094
selinux_task_getpgid(struct task_struct * p)4095 static int selinux_task_getpgid(struct task_struct *p)
4096 {
4097 return avc_has_perm(&selinux_state,
4098 current_sid(), task_sid(p), SECCLASS_PROCESS,
4099 PROCESS__GETPGID, NULL);
4100 }
4101
selinux_task_getsid(struct task_struct * p)4102 static int selinux_task_getsid(struct task_struct *p)
4103 {
4104 return avc_has_perm(&selinux_state,
4105 current_sid(), task_sid(p), SECCLASS_PROCESS,
4106 PROCESS__GETSESSION, NULL);
4107 }
4108
selinux_task_getsecid(struct task_struct * p,u32 * secid)4109 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4110 {
4111 *secid = task_sid(p);
4112 }
4113
selinux_task_setnice(struct task_struct * p,int nice)4114 static int selinux_task_setnice(struct task_struct *p, int nice)
4115 {
4116 return avc_has_perm(&selinux_state,
4117 current_sid(), task_sid(p), SECCLASS_PROCESS,
4118 PROCESS__SETSCHED, NULL);
4119 }
4120
selinux_task_setioprio(struct task_struct * p,int ioprio)4121 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4122 {
4123 return avc_has_perm(&selinux_state,
4124 current_sid(), task_sid(p), SECCLASS_PROCESS,
4125 PROCESS__SETSCHED, NULL);
4126 }
4127
selinux_task_getioprio(struct task_struct * p)4128 static int selinux_task_getioprio(struct task_struct *p)
4129 {
4130 return avc_has_perm(&selinux_state,
4131 current_sid(), task_sid(p), SECCLASS_PROCESS,
4132 PROCESS__GETSCHED, NULL);
4133 }
4134
selinux_task_prlimit(const struct cred * cred,const struct cred * tcred,unsigned int flags)4135 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4136 unsigned int flags)
4137 {
4138 u32 av = 0;
4139
4140 if (!flags)
4141 return 0;
4142 if (flags & LSM_PRLIMIT_WRITE)
4143 av |= PROCESS__SETRLIMIT;
4144 if (flags & LSM_PRLIMIT_READ)
4145 av |= PROCESS__GETRLIMIT;
4146 return avc_has_perm(&selinux_state,
4147 cred_sid(cred), cred_sid(tcred),
4148 SECCLASS_PROCESS, av, NULL);
4149 }
4150
selinux_task_setrlimit(struct task_struct * p,unsigned int resource,struct rlimit * new_rlim)4151 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4152 struct rlimit *new_rlim)
4153 {
4154 struct rlimit *old_rlim = p->signal->rlim + resource;
4155
4156 /* Control the ability to change the hard limit (whether
4157 lowering or raising it), so that the hard limit can
4158 later be used as a safe reset point for the soft limit
4159 upon context transitions. See selinux_bprm_committing_creds. */
4160 if (old_rlim->rlim_max != new_rlim->rlim_max)
4161 return avc_has_perm(&selinux_state,
4162 current_sid(), task_sid(p),
4163 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4164
4165 return 0;
4166 }
4167
selinux_task_setscheduler(struct task_struct * p)4168 static int selinux_task_setscheduler(struct task_struct *p)
4169 {
4170 return avc_has_perm(&selinux_state,
4171 current_sid(), task_sid(p), SECCLASS_PROCESS,
4172 PROCESS__SETSCHED, NULL);
4173 }
4174
selinux_task_getscheduler(struct task_struct * p)4175 static int selinux_task_getscheduler(struct task_struct *p)
4176 {
4177 return avc_has_perm(&selinux_state,
4178 current_sid(), task_sid(p), SECCLASS_PROCESS,
4179 PROCESS__GETSCHED, NULL);
4180 }
4181
selinux_task_movememory(struct task_struct * p)4182 static int selinux_task_movememory(struct task_struct *p)
4183 {
4184 return avc_has_perm(&selinux_state,
4185 current_sid(), task_sid(p), SECCLASS_PROCESS,
4186 PROCESS__SETSCHED, NULL);
4187 }
4188
selinux_task_kill(struct task_struct * p,struct siginfo * info,int sig,const struct cred * cred)4189 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4190 int sig, const struct cred *cred)
4191 {
4192 u32 secid;
4193 u32 perm;
4194
4195 if (!sig)
4196 perm = PROCESS__SIGNULL; /* null signal; existence test */
4197 else
4198 perm = signal_to_av(sig);
4199 if (!cred)
4200 secid = current_sid();
4201 else
4202 secid = cred_sid(cred);
4203 return avc_has_perm(&selinux_state,
4204 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4205 }
4206
selinux_task_to_inode(struct task_struct * p,struct inode * inode)4207 static void selinux_task_to_inode(struct task_struct *p,
4208 struct inode *inode)
4209 {
4210 struct inode_security_struct *isec = inode->i_security;
4211 u32 sid = task_sid(p);
4212
4213 spin_lock(&isec->lock);
4214 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4215 isec->sid = sid;
4216 isec->initialized = LABEL_INITIALIZED;
4217 spin_unlock(&isec->lock);
4218 }
4219
4220 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv4(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4221 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4222 struct common_audit_data *ad, u8 *proto)
4223 {
4224 int offset, ihlen, ret = -EINVAL;
4225 struct iphdr _iph, *ih;
4226
4227 offset = skb_network_offset(skb);
4228 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4229 if (ih == NULL)
4230 goto out;
4231
4232 ihlen = ih->ihl * 4;
4233 if (ihlen < sizeof(_iph))
4234 goto out;
4235
4236 ad->u.net->v4info.saddr = ih->saddr;
4237 ad->u.net->v4info.daddr = ih->daddr;
4238 ret = 0;
4239
4240 if (proto)
4241 *proto = ih->protocol;
4242
4243 switch (ih->protocol) {
4244 case IPPROTO_TCP: {
4245 struct tcphdr _tcph, *th;
4246
4247 if (ntohs(ih->frag_off) & IP_OFFSET)
4248 break;
4249
4250 offset += ihlen;
4251 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4252 if (th == NULL)
4253 break;
4254
4255 ad->u.net->sport = th->source;
4256 ad->u.net->dport = th->dest;
4257 break;
4258 }
4259
4260 case IPPROTO_UDP: {
4261 struct udphdr _udph, *uh;
4262
4263 if (ntohs(ih->frag_off) & IP_OFFSET)
4264 break;
4265
4266 offset += ihlen;
4267 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4268 if (uh == NULL)
4269 break;
4270
4271 ad->u.net->sport = uh->source;
4272 ad->u.net->dport = uh->dest;
4273 break;
4274 }
4275
4276 case IPPROTO_DCCP: {
4277 struct dccp_hdr _dccph, *dh;
4278
4279 if (ntohs(ih->frag_off) & IP_OFFSET)
4280 break;
4281
4282 offset += ihlen;
4283 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4284 if (dh == NULL)
4285 break;
4286
4287 ad->u.net->sport = dh->dccph_sport;
4288 ad->u.net->dport = dh->dccph_dport;
4289 break;
4290 }
4291
4292 #if IS_ENABLED(CONFIG_IP_SCTP)
4293 case IPPROTO_SCTP: {
4294 struct sctphdr _sctph, *sh;
4295
4296 if (ntohs(ih->frag_off) & IP_OFFSET)
4297 break;
4298
4299 offset += ihlen;
4300 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4301 if (sh == NULL)
4302 break;
4303
4304 ad->u.net->sport = sh->source;
4305 ad->u.net->dport = sh->dest;
4306 break;
4307 }
4308 #endif
4309 default:
4310 break;
4311 }
4312 out:
4313 return ret;
4314 }
4315
4316 #if IS_ENABLED(CONFIG_IPV6)
4317
4318 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv6(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4319 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4320 struct common_audit_data *ad, u8 *proto)
4321 {
4322 u8 nexthdr;
4323 int ret = -EINVAL, offset;
4324 struct ipv6hdr _ipv6h, *ip6;
4325 __be16 frag_off;
4326
4327 offset = skb_network_offset(skb);
4328 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4329 if (ip6 == NULL)
4330 goto out;
4331
4332 ad->u.net->v6info.saddr = ip6->saddr;
4333 ad->u.net->v6info.daddr = ip6->daddr;
4334 ret = 0;
4335
4336 nexthdr = ip6->nexthdr;
4337 offset += sizeof(_ipv6h);
4338 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4339 if (offset < 0)
4340 goto out;
4341
4342 if (proto)
4343 *proto = nexthdr;
4344
4345 switch (nexthdr) {
4346 case IPPROTO_TCP: {
4347 struct tcphdr _tcph, *th;
4348
4349 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4350 if (th == NULL)
4351 break;
4352
4353 ad->u.net->sport = th->source;
4354 ad->u.net->dport = th->dest;
4355 break;
4356 }
4357
4358 case IPPROTO_UDP: {
4359 struct udphdr _udph, *uh;
4360
4361 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4362 if (uh == NULL)
4363 break;
4364
4365 ad->u.net->sport = uh->source;
4366 ad->u.net->dport = uh->dest;
4367 break;
4368 }
4369
4370 case IPPROTO_DCCP: {
4371 struct dccp_hdr _dccph, *dh;
4372
4373 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4374 if (dh == NULL)
4375 break;
4376
4377 ad->u.net->sport = dh->dccph_sport;
4378 ad->u.net->dport = dh->dccph_dport;
4379 break;
4380 }
4381
4382 #if IS_ENABLED(CONFIG_IP_SCTP)
4383 case IPPROTO_SCTP: {
4384 struct sctphdr _sctph, *sh;
4385
4386 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4387 if (sh == NULL)
4388 break;
4389
4390 ad->u.net->sport = sh->source;
4391 ad->u.net->dport = sh->dest;
4392 break;
4393 }
4394 #endif
4395 /* includes fragments */
4396 default:
4397 break;
4398 }
4399 out:
4400 return ret;
4401 }
4402
4403 #endif /* IPV6 */
4404
selinux_parse_skb(struct sk_buff * skb,struct common_audit_data * ad,char ** _addrp,int src,u8 * proto)4405 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4406 char **_addrp, int src, u8 *proto)
4407 {
4408 char *addrp;
4409 int ret;
4410
4411 switch (ad->u.net->family) {
4412 case PF_INET:
4413 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4414 if (ret)
4415 goto parse_error;
4416 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4417 &ad->u.net->v4info.daddr);
4418 goto okay;
4419
4420 #if IS_ENABLED(CONFIG_IPV6)
4421 case PF_INET6:
4422 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4423 if (ret)
4424 goto parse_error;
4425 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4426 &ad->u.net->v6info.daddr);
4427 goto okay;
4428 #endif /* IPV6 */
4429 default:
4430 addrp = NULL;
4431 goto okay;
4432 }
4433
4434 parse_error:
4435 pr_warn(
4436 "SELinux: failure in selinux_parse_skb(),"
4437 " unable to parse packet\n");
4438 return ret;
4439
4440 okay:
4441 if (_addrp)
4442 *_addrp = addrp;
4443 return 0;
4444 }
4445
4446 /**
4447 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4448 * @skb: the packet
4449 * @family: protocol family
4450 * @sid: the packet's peer label SID
4451 *
4452 * Description:
4453 * Check the various different forms of network peer labeling and determine
4454 * the peer label/SID for the packet; most of the magic actually occurs in
4455 * the security server function security_net_peersid_cmp(). The function
4456 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4457 * or -EACCES if @sid is invalid due to inconsistencies with the different
4458 * peer labels.
4459 *
4460 */
selinux_skb_peerlbl_sid(struct sk_buff * skb,u16 family,u32 * sid)4461 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4462 {
4463 int err;
4464 u32 xfrm_sid;
4465 u32 nlbl_sid;
4466 u32 nlbl_type;
4467
4468 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4469 if (unlikely(err))
4470 return -EACCES;
4471 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4472 if (unlikely(err))
4473 return -EACCES;
4474
4475 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4476 nlbl_type, xfrm_sid, sid);
4477 if (unlikely(err)) {
4478 pr_warn(
4479 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4480 " unable to determine packet's peer label\n");
4481 return -EACCES;
4482 }
4483
4484 return 0;
4485 }
4486
4487 /**
4488 * selinux_conn_sid - Determine the child socket label for a connection
4489 * @sk_sid: the parent socket's SID
4490 * @skb_sid: the packet's SID
4491 * @conn_sid: the resulting connection SID
4492 *
4493 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4494 * combined with the MLS information from @skb_sid in order to create
4495 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4496 * of @sk_sid. Returns zero on success, negative values on failure.
4497 *
4498 */
selinux_conn_sid(u32 sk_sid,u32 skb_sid,u32 * conn_sid)4499 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4500 {
4501 int err = 0;
4502
4503 if (skb_sid != SECSID_NULL)
4504 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4505 conn_sid);
4506 else
4507 *conn_sid = sk_sid;
4508
4509 return err;
4510 }
4511
4512 /* socket security operations */
4513
socket_sockcreate_sid(const struct task_security_struct * tsec,u16 secclass,u32 * socksid)4514 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4515 u16 secclass, u32 *socksid)
4516 {
4517 if (tsec->sockcreate_sid > SECSID_NULL) {
4518 *socksid = tsec->sockcreate_sid;
4519 return 0;
4520 }
4521
4522 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4523 secclass, NULL, socksid);
4524 }
4525
sock_has_perm(struct sock * sk,u32 perms)4526 static int sock_has_perm(struct sock *sk, u32 perms)
4527 {
4528 struct sk_security_struct *sksec = sk->sk_security;
4529 struct common_audit_data ad;
4530 struct lsm_network_audit net = {0,};
4531
4532 if (sksec->sid == SECINITSID_KERNEL)
4533 return 0;
4534
4535 ad.type = LSM_AUDIT_DATA_NET;
4536 ad.u.net = &net;
4537 ad.u.net->sk = sk;
4538
4539 return avc_has_perm(&selinux_state,
4540 current_sid(), sksec->sid, sksec->sclass, perms,
4541 &ad);
4542 }
4543
selinux_socket_create(int family,int type,int protocol,int kern)4544 static int selinux_socket_create(int family, int type,
4545 int protocol, int kern)
4546 {
4547 const struct task_security_struct *tsec = current_security();
4548 u32 newsid;
4549 u16 secclass;
4550 int rc;
4551
4552 if (kern)
4553 return 0;
4554
4555 secclass = socket_type_to_security_class(family, type, protocol);
4556 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4557 if (rc)
4558 return rc;
4559
4560 return avc_has_perm(&selinux_state,
4561 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4562 }
4563
selinux_socket_post_create(struct socket * sock,int family,int type,int protocol,int kern)4564 static int selinux_socket_post_create(struct socket *sock, int family,
4565 int type, int protocol, int kern)
4566 {
4567 const struct task_security_struct *tsec = current_security();
4568 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4569 struct sk_security_struct *sksec;
4570 u16 sclass = socket_type_to_security_class(family, type, protocol);
4571 u32 sid = SECINITSID_KERNEL;
4572 int err = 0;
4573
4574 if (!kern) {
4575 err = socket_sockcreate_sid(tsec, sclass, &sid);
4576 if (err)
4577 return err;
4578 }
4579
4580 isec->sclass = sclass;
4581 isec->sid = sid;
4582 isec->initialized = LABEL_INITIALIZED;
4583
4584 if (sock->sk) {
4585 sksec = sock->sk->sk_security;
4586 sksec->sclass = sclass;
4587 sksec->sid = sid;
4588 /* Allows detection of the first association on this socket */
4589 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4590 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4591
4592 err = selinux_netlbl_socket_post_create(sock->sk, family);
4593 }
4594
4595 return err;
4596 }
4597
selinux_socket_socketpair(struct socket * socka,struct socket * sockb)4598 static int selinux_socket_socketpair(struct socket *socka,
4599 struct socket *sockb)
4600 {
4601 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4602 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4603
4604 sksec_a->peer_sid = sksec_b->sid;
4605 sksec_b->peer_sid = sksec_a->sid;
4606
4607 return 0;
4608 }
4609
4610 /* Range of port numbers used to automatically bind.
4611 Need to determine whether we should perform a name_bind
4612 permission check between the socket and the port number. */
4613
selinux_socket_bind(struct socket * sock,struct sockaddr * address,int addrlen)4614 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4615 {
4616 struct sock *sk = sock->sk;
4617 struct sk_security_struct *sksec = sk->sk_security;
4618 u16 family;
4619 int err;
4620
4621 err = sock_has_perm(sk, SOCKET__BIND);
4622 if (err)
4623 goto out;
4624
4625 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4626 family = sk->sk_family;
4627 if (family == PF_INET || family == PF_INET6) {
4628 char *addrp;
4629 struct common_audit_data ad;
4630 struct lsm_network_audit net = {0,};
4631 struct sockaddr_in *addr4 = NULL;
4632 struct sockaddr_in6 *addr6 = NULL;
4633 u16 family_sa = address->sa_family;
4634 unsigned short snum;
4635 u32 sid, node_perm;
4636
4637 /*
4638 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4639 * that validates multiple binding addresses. Because of this
4640 * need to check address->sa_family as it is possible to have
4641 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4642 */
4643 switch (family_sa) {
4644 case AF_UNSPEC:
4645 case AF_INET:
4646 if (addrlen < sizeof(struct sockaddr_in))
4647 return -EINVAL;
4648 addr4 = (struct sockaddr_in *)address;
4649 if (family_sa == AF_UNSPEC) {
4650 /* see __inet_bind(), we only want to allow
4651 * AF_UNSPEC if the address is INADDR_ANY
4652 */
4653 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4654 goto err_af;
4655 family_sa = AF_INET;
4656 }
4657 snum = ntohs(addr4->sin_port);
4658 addrp = (char *)&addr4->sin_addr.s_addr;
4659 break;
4660 case AF_INET6:
4661 if (addrlen < SIN6_LEN_RFC2133)
4662 return -EINVAL;
4663 addr6 = (struct sockaddr_in6 *)address;
4664 snum = ntohs(addr6->sin6_port);
4665 addrp = (char *)&addr6->sin6_addr.s6_addr;
4666 break;
4667 default:
4668 goto err_af;
4669 }
4670
4671 ad.type = LSM_AUDIT_DATA_NET;
4672 ad.u.net = &net;
4673 ad.u.net->sport = htons(snum);
4674 ad.u.net->family = family_sa;
4675
4676 if (snum) {
4677 int low, high;
4678
4679 inet_get_local_port_range(sock_net(sk), &low, &high);
4680
4681 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4682 snum > high) {
4683 err = sel_netport_sid(sk->sk_protocol,
4684 snum, &sid);
4685 if (err)
4686 goto out;
4687 err = avc_has_perm(&selinux_state,
4688 sksec->sid, sid,
4689 sksec->sclass,
4690 SOCKET__NAME_BIND, &ad);
4691 if (err)
4692 goto out;
4693 }
4694 }
4695
4696 switch (sksec->sclass) {
4697 case SECCLASS_TCP_SOCKET:
4698 node_perm = TCP_SOCKET__NODE_BIND;
4699 break;
4700
4701 case SECCLASS_UDP_SOCKET:
4702 node_perm = UDP_SOCKET__NODE_BIND;
4703 break;
4704
4705 case SECCLASS_DCCP_SOCKET:
4706 node_perm = DCCP_SOCKET__NODE_BIND;
4707 break;
4708
4709 case SECCLASS_SCTP_SOCKET:
4710 node_perm = SCTP_SOCKET__NODE_BIND;
4711 break;
4712
4713 default:
4714 node_perm = RAWIP_SOCKET__NODE_BIND;
4715 break;
4716 }
4717
4718 err = sel_netnode_sid(addrp, family_sa, &sid);
4719 if (err)
4720 goto out;
4721
4722 if (family_sa == AF_INET)
4723 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4724 else
4725 ad.u.net->v6info.saddr = addr6->sin6_addr;
4726
4727 err = avc_has_perm(&selinux_state,
4728 sksec->sid, sid,
4729 sksec->sclass, node_perm, &ad);
4730 if (err)
4731 goto out;
4732 }
4733 out:
4734 return err;
4735 err_af:
4736 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4737 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4738 return -EINVAL;
4739 return -EAFNOSUPPORT;
4740 }
4741
4742 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4743 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
4744 */
selinux_socket_connect_helper(struct socket * sock,struct sockaddr * address,int addrlen)4745 static int selinux_socket_connect_helper(struct socket *sock,
4746 struct sockaddr *address, int addrlen)
4747 {
4748 struct sock *sk = sock->sk;
4749 struct sk_security_struct *sksec = sk->sk_security;
4750 int err;
4751
4752 err = sock_has_perm(sk, SOCKET__CONNECT);
4753 if (err)
4754 return err;
4755
4756 /*
4757 * If a TCP, DCCP or SCTP socket, check name_connect permission
4758 * for the port.
4759 */
4760 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4761 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4762 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4763 struct common_audit_data ad;
4764 struct lsm_network_audit net = {0,};
4765 struct sockaddr_in *addr4 = NULL;
4766 struct sockaddr_in6 *addr6 = NULL;
4767 unsigned short snum;
4768 u32 sid, perm;
4769
4770 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4771 * that validates multiple connect addresses. Because of this
4772 * need to check address->sa_family as it is possible to have
4773 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4774 */
4775 switch (address->sa_family) {
4776 case AF_INET:
4777 addr4 = (struct sockaddr_in *)address;
4778 if (addrlen < sizeof(struct sockaddr_in))
4779 return -EINVAL;
4780 snum = ntohs(addr4->sin_port);
4781 break;
4782 case AF_INET6:
4783 addr6 = (struct sockaddr_in6 *)address;
4784 if (addrlen < SIN6_LEN_RFC2133)
4785 return -EINVAL;
4786 snum = ntohs(addr6->sin6_port);
4787 break;
4788 default:
4789 /* Note that SCTP services expect -EINVAL, whereas
4790 * others expect -EAFNOSUPPORT.
4791 */
4792 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4793 return -EINVAL;
4794 else
4795 return -EAFNOSUPPORT;
4796 }
4797
4798 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4799 if (err)
4800 return err;
4801
4802 switch (sksec->sclass) {
4803 case SECCLASS_TCP_SOCKET:
4804 perm = TCP_SOCKET__NAME_CONNECT;
4805 break;
4806 case SECCLASS_DCCP_SOCKET:
4807 perm = DCCP_SOCKET__NAME_CONNECT;
4808 break;
4809 case SECCLASS_SCTP_SOCKET:
4810 perm = SCTP_SOCKET__NAME_CONNECT;
4811 break;
4812 }
4813
4814 ad.type = LSM_AUDIT_DATA_NET;
4815 ad.u.net = &net;
4816 ad.u.net->dport = htons(snum);
4817 ad.u.net->family = address->sa_family;
4818 err = avc_has_perm(&selinux_state,
4819 sksec->sid, sid, sksec->sclass, perm, &ad);
4820 if (err)
4821 return err;
4822 }
4823
4824 return 0;
4825 }
4826
4827 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
selinux_socket_connect(struct socket * sock,struct sockaddr * address,int addrlen)4828 static int selinux_socket_connect(struct socket *sock,
4829 struct sockaddr *address, int addrlen)
4830 {
4831 int err;
4832 struct sock *sk = sock->sk;
4833
4834 err = selinux_socket_connect_helper(sock, address, addrlen);
4835 if (err)
4836 return err;
4837
4838 return selinux_netlbl_socket_connect(sk, address);
4839 }
4840
selinux_socket_listen(struct socket * sock,int backlog)4841 static int selinux_socket_listen(struct socket *sock, int backlog)
4842 {
4843 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4844 }
4845
selinux_socket_accept(struct socket * sock,struct socket * newsock)4846 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4847 {
4848 int err;
4849 struct inode_security_struct *isec;
4850 struct inode_security_struct *newisec;
4851 u16 sclass;
4852 u32 sid;
4853
4854 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4855 if (err)
4856 return err;
4857
4858 isec = inode_security_novalidate(SOCK_INODE(sock));
4859 spin_lock(&isec->lock);
4860 sclass = isec->sclass;
4861 sid = isec->sid;
4862 spin_unlock(&isec->lock);
4863
4864 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4865 newisec->sclass = sclass;
4866 newisec->sid = sid;
4867 newisec->initialized = LABEL_INITIALIZED;
4868
4869 return 0;
4870 }
4871
selinux_socket_sendmsg(struct socket * sock,struct msghdr * msg,int size)4872 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4873 int size)
4874 {
4875 return sock_has_perm(sock->sk, SOCKET__WRITE);
4876 }
4877
selinux_socket_recvmsg(struct socket * sock,struct msghdr * msg,int size,int flags)4878 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4879 int size, int flags)
4880 {
4881 return sock_has_perm(sock->sk, SOCKET__READ);
4882 }
4883
selinux_socket_getsockname(struct socket * sock)4884 static int selinux_socket_getsockname(struct socket *sock)
4885 {
4886 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4887 }
4888
selinux_socket_getpeername(struct socket * sock)4889 static int selinux_socket_getpeername(struct socket *sock)
4890 {
4891 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4892 }
4893
selinux_socket_setsockopt(struct socket * sock,int level,int optname)4894 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4895 {
4896 int err;
4897
4898 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4899 if (err)
4900 return err;
4901
4902 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4903 }
4904
selinux_socket_getsockopt(struct socket * sock,int level,int optname)4905 static int selinux_socket_getsockopt(struct socket *sock, int level,
4906 int optname)
4907 {
4908 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4909 }
4910
selinux_socket_shutdown(struct socket * sock,int how)4911 static int selinux_socket_shutdown(struct socket *sock, int how)
4912 {
4913 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4914 }
4915
selinux_socket_unix_stream_connect(struct sock * sock,struct sock * other,struct sock * newsk)4916 static int selinux_socket_unix_stream_connect(struct sock *sock,
4917 struct sock *other,
4918 struct sock *newsk)
4919 {
4920 struct sk_security_struct *sksec_sock = sock->sk_security;
4921 struct sk_security_struct *sksec_other = other->sk_security;
4922 struct sk_security_struct *sksec_new = newsk->sk_security;
4923 struct common_audit_data ad;
4924 struct lsm_network_audit net = {0,};
4925 int err;
4926
4927 ad.type = LSM_AUDIT_DATA_NET;
4928 ad.u.net = &net;
4929 ad.u.net->sk = other;
4930
4931 err = avc_has_perm(&selinux_state,
4932 sksec_sock->sid, sksec_other->sid,
4933 sksec_other->sclass,
4934 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4935 if (err)
4936 return err;
4937
4938 /* server child socket */
4939 sksec_new->peer_sid = sksec_sock->sid;
4940 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4941 sksec_sock->sid, &sksec_new->sid);
4942 if (err)
4943 return err;
4944
4945 /* connecting socket */
4946 sksec_sock->peer_sid = sksec_new->sid;
4947
4948 return 0;
4949 }
4950
selinux_socket_unix_may_send(struct socket * sock,struct socket * other)4951 static int selinux_socket_unix_may_send(struct socket *sock,
4952 struct socket *other)
4953 {
4954 struct sk_security_struct *ssec = sock->sk->sk_security;
4955 struct sk_security_struct *osec = other->sk->sk_security;
4956 struct common_audit_data ad;
4957 struct lsm_network_audit net = {0,};
4958
4959 ad.type = LSM_AUDIT_DATA_NET;
4960 ad.u.net = &net;
4961 ad.u.net->sk = other->sk;
4962
4963 return avc_has_perm(&selinux_state,
4964 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4965 &ad);
4966 }
4967
selinux_inet_sys_rcv_skb(struct net * ns,int ifindex,char * addrp,u16 family,u32 peer_sid,struct common_audit_data * ad)4968 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4969 char *addrp, u16 family, u32 peer_sid,
4970 struct common_audit_data *ad)
4971 {
4972 int err;
4973 u32 if_sid;
4974 u32 node_sid;
4975
4976 err = sel_netif_sid(ns, ifindex, &if_sid);
4977 if (err)
4978 return err;
4979 err = avc_has_perm(&selinux_state,
4980 peer_sid, if_sid,
4981 SECCLASS_NETIF, NETIF__INGRESS, ad);
4982 if (err)
4983 return err;
4984
4985 err = sel_netnode_sid(addrp, family, &node_sid);
4986 if (err)
4987 return err;
4988 return avc_has_perm(&selinux_state,
4989 peer_sid, node_sid,
4990 SECCLASS_NODE, NODE__RECVFROM, ad);
4991 }
4992
selinux_sock_rcv_skb_compat(struct sock * sk,struct sk_buff * skb,u16 family)4993 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4994 u16 family)
4995 {
4996 int err = 0;
4997 struct sk_security_struct *sksec = sk->sk_security;
4998 u32 sk_sid = sksec->sid;
4999 struct common_audit_data ad;
5000 struct lsm_network_audit net = {0,};
5001 char *addrp;
5002
5003 ad.type = LSM_AUDIT_DATA_NET;
5004 ad.u.net = &net;
5005 ad.u.net->netif = skb->skb_iif;
5006 ad.u.net->family = family;
5007 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5008 if (err)
5009 return err;
5010
5011 if (selinux_secmark_enabled()) {
5012 err = avc_has_perm(&selinux_state,
5013 sk_sid, skb->secmark, SECCLASS_PACKET,
5014 PACKET__RECV, &ad);
5015 if (err)
5016 return err;
5017 }
5018
5019 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5020 if (err)
5021 return err;
5022 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5023
5024 return err;
5025 }
5026
selinux_socket_sock_rcv_skb(struct sock * sk,struct sk_buff * skb)5027 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5028 {
5029 int err;
5030 struct sk_security_struct *sksec = sk->sk_security;
5031 u16 family = sk->sk_family;
5032 u32 sk_sid = sksec->sid;
5033 struct common_audit_data ad;
5034 struct lsm_network_audit net = {0,};
5035 char *addrp;
5036 u8 secmark_active;
5037 u8 peerlbl_active;
5038
5039 if (family != PF_INET && family != PF_INET6)
5040 return 0;
5041
5042 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5043 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5044 family = PF_INET;
5045
5046 /* If any sort of compatibility mode is enabled then handoff processing
5047 * to the selinux_sock_rcv_skb_compat() function to deal with the
5048 * special handling. We do this in an attempt to keep this function
5049 * as fast and as clean as possible. */
5050 if (!selinux_policycap_netpeer())
5051 return selinux_sock_rcv_skb_compat(sk, skb, family);
5052
5053 secmark_active = selinux_secmark_enabled();
5054 peerlbl_active = selinux_peerlbl_enabled();
5055 if (!secmark_active && !peerlbl_active)
5056 return 0;
5057
5058 ad.type = LSM_AUDIT_DATA_NET;
5059 ad.u.net = &net;
5060 ad.u.net->netif = skb->skb_iif;
5061 ad.u.net->family = family;
5062 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5063 if (err)
5064 return err;
5065
5066 if (peerlbl_active) {
5067 u32 peer_sid;
5068
5069 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5070 if (err)
5071 return err;
5072 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5073 addrp, family, peer_sid, &ad);
5074 if (err) {
5075 selinux_netlbl_err(skb, family, err, 0);
5076 return err;
5077 }
5078 err = avc_has_perm(&selinux_state,
5079 sk_sid, peer_sid, SECCLASS_PEER,
5080 PEER__RECV, &ad);
5081 if (err) {
5082 selinux_netlbl_err(skb, family, err, 0);
5083 return err;
5084 }
5085 }
5086
5087 if (secmark_active) {
5088 err = avc_has_perm(&selinux_state,
5089 sk_sid, skb->secmark, SECCLASS_PACKET,
5090 PACKET__RECV, &ad);
5091 if (err)
5092 return err;
5093 }
5094
5095 return err;
5096 }
5097
selinux_socket_getpeersec_stream(struct socket * sock,char __user * optval,int __user * optlen,unsigned len)5098 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5099 int __user *optlen, unsigned len)
5100 {
5101 int err = 0;
5102 char *scontext;
5103 u32 scontext_len;
5104 struct sk_security_struct *sksec = sock->sk->sk_security;
5105 u32 peer_sid = SECSID_NULL;
5106
5107 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5108 sksec->sclass == SECCLASS_TCP_SOCKET ||
5109 sksec->sclass == SECCLASS_SCTP_SOCKET)
5110 peer_sid = sksec->peer_sid;
5111 if (peer_sid == SECSID_NULL)
5112 return -ENOPROTOOPT;
5113
5114 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5115 &scontext_len);
5116 if (err)
5117 return err;
5118
5119 if (scontext_len > len) {
5120 err = -ERANGE;
5121 goto out_len;
5122 }
5123
5124 if (copy_to_user(optval, scontext, scontext_len))
5125 err = -EFAULT;
5126
5127 out_len:
5128 if (put_user(scontext_len, optlen))
5129 err = -EFAULT;
5130 kfree(scontext);
5131 return err;
5132 }
5133
selinux_socket_getpeersec_dgram(struct socket * sock,struct sk_buff * skb,u32 * secid)5134 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5135 {
5136 u32 peer_secid = SECSID_NULL;
5137 u16 family;
5138 struct inode_security_struct *isec;
5139
5140 if (skb && skb->protocol == htons(ETH_P_IP))
5141 family = PF_INET;
5142 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5143 family = PF_INET6;
5144 else if (sock)
5145 family = sock->sk->sk_family;
5146 else
5147 goto out;
5148
5149 if (sock && family == PF_UNIX) {
5150 isec = inode_security_novalidate(SOCK_INODE(sock));
5151 peer_secid = isec->sid;
5152 } else if (skb)
5153 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5154
5155 out:
5156 *secid = peer_secid;
5157 if (peer_secid == SECSID_NULL)
5158 return -EINVAL;
5159 return 0;
5160 }
5161
selinux_sk_alloc_security(struct sock * sk,int family,gfp_t priority)5162 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5163 {
5164 struct sk_security_struct *sksec;
5165
5166 sksec = kzalloc(sizeof(*sksec), priority);
5167 if (!sksec)
5168 return -ENOMEM;
5169
5170 sksec->peer_sid = SECINITSID_UNLABELED;
5171 sksec->sid = SECINITSID_UNLABELED;
5172 sksec->sclass = SECCLASS_SOCKET;
5173 selinux_netlbl_sk_security_reset(sksec);
5174 sk->sk_security = sksec;
5175
5176 return 0;
5177 }
5178
selinux_sk_free_security(struct sock * sk)5179 static void selinux_sk_free_security(struct sock *sk)
5180 {
5181 struct sk_security_struct *sksec = sk->sk_security;
5182
5183 sk->sk_security = NULL;
5184 selinux_netlbl_sk_security_free(sksec);
5185 kfree(sksec);
5186 }
5187
selinux_sk_clone_security(const struct sock * sk,struct sock * newsk)5188 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5189 {
5190 struct sk_security_struct *sksec = sk->sk_security;
5191 struct sk_security_struct *newsksec = newsk->sk_security;
5192
5193 newsksec->sid = sksec->sid;
5194 newsksec->peer_sid = sksec->peer_sid;
5195 newsksec->sclass = sksec->sclass;
5196
5197 selinux_netlbl_sk_security_reset(newsksec);
5198 }
5199
selinux_sk_getsecid(struct sock * sk,u32 * secid)5200 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5201 {
5202 if (!sk)
5203 *secid = SECINITSID_ANY_SOCKET;
5204 else {
5205 struct sk_security_struct *sksec = sk->sk_security;
5206
5207 *secid = sksec->sid;
5208 }
5209 }
5210
selinux_sock_graft(struct sock * sk,struct socket * parent)5211 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5212 {
5213 struct inode_security_struct *isec =
5214 inode_security_novalidate(SOCK_INODE(parent));
5215 struct sk_security_struct *sksec = sk->sk_security;
5216
5217 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5218 sk->sk_family == PF_UNIX)
5219 isec->sid = sksec->sid;
5220 sksec->sclass = isec->sclass;
5221 }
5222
5223 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5224 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5225 * already present).
5226 */
selinux_sctp_assoc_request(struct sctp_endpoint * ep,struct sk_buff * skb)5227 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5228 struct sk_buff *skb)
5229 {
5230 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5231 struct common_audit_data ad;
5232 struct lsm_network_audit net = {0,};
5233 u8 peerlbl_active;
5234 u32 peer_sid = SECINITSID_UNLABELED;
5235 u32 conn_sid;
5236 int err = 0;
5237
5238 if (!selinux_policycap_extsockclass())
5239 return 0;
5240
5241 peerlbl_active = selinux_peerlbl_enabled();
5242
5243 if (peerlbl_active) {
5244 /* This will return peer_sid = SECSID_NULL if there are
5245 * no peer labels, see security_net_peersid_resolve().
5246 */
5247 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5248 &peer_sid);
5249 if (err)
5250 return err;
5251
5252 if (peer_sid == SECSID_NULL)
5253 peer_sid = SECINITSID_UNLABELED;
5254 }
5255
5256 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5257 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5258
5259 /* Here as first association on socket. As the peer SID
5260 * was allowed by peer recv (and the netif/node checks),
5261 * then it is approved by policy and used as the primary
5262 * peer SID for getpeercon(3).
5263 */
5264 sksec->peer_sid = peer_sid;
5265 } else if (sksec->peer_sid != peer_sid) {
5266 /* Other association peer SIDs are checked to enforce
5267 * consistency among the peer SIDs.
5268 */
5269 ad.type = LSM_AUDIT_DATA_NET;
5270 ad.u.net = &net;
5271 ad.u.net->sk = ep->base.sk;
5272 err = avc_has_perm(&selinux_state,
5273 sksec->peer_sid, peer_sid, sksec->sclass,
5274 SCTP_SOCKET__ASSOCIATION, &ad);
5275 if (err)
5276 return err;
5277 }
5278
5279 /* Compute the MLS component for the connection and store
5280 * the information in ep. This will be used by SCTP TCP type
5281 * sockets and peeled off connections as they cause a new
5282 * socket to be generated. selinux_sctp_sk_clone() will then
5283 * plug this into the new socket.
5284 */
5285 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5286 if (err)
5287 return err;
5288
5289 ep->secid = conn_sid;
5290 ep->peer_secid = peer_sid;
5291
5292 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5293 return selinux_netlbl_sctp_assoc_request(ep, skb);
5294 }
5295
5296 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5297 * based on their @optname.
5298 */
selinux_sctp_bind_connect(struct sock * sk,int optname,struct sockaddr * address,int addrlen)5299 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5300 struct sockaddr *address,
5301 int addrlen)
5302 {
5303 int len, err = 0, walk_size = 0;
5304 void *addr_buf;
5305 struct sockaddr *addr;
5306 struct socket *sock;
5307
5308 if (!selinux_policycap_extsockclass())
5309 return 0;
5310
5311 /* Process one or more addresses that may be IPv4 or IPv6 */
5312 sock = sk->sk_socket;
5313 addr_buf = address;
5314
5315 while (walk_size < addrlen) {
5316 addr = addr_buf;
5317 switch (addr->sa_family) {
5318 case AF_UNSPEC:
5319 case AF_INET:
5320 len = sizeof(struct sockaddr_in);
5321 break;
5322 case AF_INET6:
5323 len = sizeof(struct sockaddr_in6);
5324 break;
5325 default:
5326 return -EINVAL;
5327 }
5328
5329 err = -EINVAL;
5330 switch (optname) {
5331 /* Bind checks */
5332 case SCTP_PRIMARY_ADDR:
5333 case SCTP_SET_PEER_PRIMARY_ADDR:
5334 case SCTP_SOCKOPT_BINDX_ADD:
5335 err = selinux_socket_bind(sock, addr, len);
5336 break;
5337 /* Connect checks */
5338 case SCTP_SOCKOPT_CONNECTX:
5339 case SCTP_PARAM_SET_PRIMARY:
5340 case SCTP_PARAM_ADD_IP:
5341 case SCTP_SENDMSG_CONNECT:
5342 err = selinux_socket_connect_helper(sock, addr, len);
5343 if (err)
5344 return err;
5345
5346 /* As selinux_sctp_bind_connect() is called by the
5347 * SCTP protocol layer, the socket is already locked,
5348 * therefore selinux_netlbl_socket_connect_locked() is
5349 * is called here. The situations handled are:
5350 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5351 * whenever a new IP address is added or when a new
5352 * primary address is selected.
5353 * Note that an SCTP connect(2) call happens before
5354 * the SCTP protocol layer and is handled via
5355 * selinux_socket_connect().
5356 */
5357 err = selinux_netlbl_socket_connect_locked(sk, addr);
5358 break;
5359 }
5360
5361 if (err)
5362 return err;
5363
5364 addr_buf += len;
5365 walk_size += len;
5366 }
5367
5368 return 0;
5369 }
5370
5371 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
selinux_sctp_sk_clone(struct sctp_endpoint * ep,struct sock * sk,struct sock * newsk)5372 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5373 struct sock *newsk)
5374 {
5375 struct sk_security_struct *sksec = sk->sk_security;
5376 struct sk_security_struct *newsksec = newsk->sk_security;
5377
5378 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5379 * the non-sctp clone version.
5380 */
5381 if (!selinux_policycap_extsockclass())
5382 return selinux_sk_clone_security(sk, newsk);
5383
5384 newsksec->sid = ep->secid;
5385 newsksec->peer_sid = ep->peer_secid;
5386 newsksec->sclass = sksec->sclass;
5387 selinux_netlbl_sctp_sk_clone(sk, newsk);
5388 }
5389
selinux_inet_conn_request(struct sock * sk,struct sk_buff * skb,struct request_sock * req)5390 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5391 struct request_sock *req)
5392 {
5393 struct sk_security_struct *sksec = sk->sk_security;
5394 int err;
5395 u16 family = req->rsk_ops->family;
5396 u32 connsid;
5397 u32 peersid;
5398
5399 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5400 if (err)
5401 return err;
5402 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5403 if (err)
5404 return err;
5405 req->secid = connsid;
5406 req->peer_secid = peersid;
5407
5408 return selinux_netlbl_inet_conn_request(req, family);
5409 }
5410
selinux_inet_csk_clone(struct sock * newsk,const struct request_sock * req)5411 static void selinux_inet_csk_clone(struct sock *newsk,
5412 const struct request_sock *req)
5413 {
5414 struct sk_security_struct *newsksec = newsk->sk_security;
5415
5416 newsksec->sid = req->secid;
5417 newsksec->peer_sid = req->peer_secid;
5418 /* NOTE: Ideally, we should also get the isec->sid for the
5419 new socket in sync, but we don't have the isec available yet.
5420 So we will wait until sock_graft to do it, by which
5421 time it will have been created and available. */
5422
5423 /* We don't need to take any sort of lock here as we are the only
5424 * thread with access to newsksec */
5425 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5426 }
5427
selinux_inet_conn_established(struct sock * sk,struct sk_buff * skb)5428 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5429 {
5430 u16 family = sk->sk_family;
5431 struct sk_security_struct *sksec = sk->sk_security;
5432
5433 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5434 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5435 family = PF_INET;
5436
5437 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5438 }
5439
selinux_secmark_relabel_packet(u32 sid)5440 static int selinux_secmark_relabel_packet(u32 sid)
5441 {
5442 const struct task_security_struct *__tsec;
5443 u32 tsid;
5444
5445 __tsec = current_security();
5446 tsid = __tsec->sid;
5447
5448 return avc_has_perm(&selinux_state,
5449 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5450 NULL);
5451 }
5452
selinux_secmark_refcount_inc(void)5453 static void selinux_secmark_refcount_inc(void)
5454 {
5455 atomic_inc(&selinux_secmark_refcount);
5456 }
5457
selinux_secmark_refcount_dec(void)5458 static void selinux_secmark_refcount_dec(void)
5459 {
5460 atomic_dec(&selinux_secmark_refcount);
5461 }
5462
selinux_req_classify_flow(const struct request_sock * req,struct flowi * fl)5463 static void selinux_req_classify_flow(const struct request_sock *req,
5464 struct flowi *fl)
5465 {
5466 fl->flowi_secid = req->secid;
5467 }
5468
selinux_tun_dev_alloc_security(void ** security)5469 static int selinux_tun_dev_alloc_security(void **security)
5470 {
5471 struct tun_security_struct *tunsec;
5472
5473 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5474 if (!tunsec)
5475 return -ENOMEM;
5476 tunsec->sid = current_sid();
5477
5478 *security = tunsec;
5479 return 0;
5480 }
5481
selinux_tun_dev_free_security(void * security)5482 static void selinux_tun_dev_free_security(void *security)
5483 {
5484 kfree(security);
5485 }
5486
selinux_tun_dev_create(void)5487 static int selinux_tun_dev_create(void)
5488 {
5489 u32 sid = current_sid();
5490
5491 /* we aren't taking into account the "sockcreate" SID since the socket
5492 * that is being created here is not a socket in the traditional sense,
5493 * instead it is a private sock, accessible only to the kernel, and
5494 * representing a wide range of network traffic spanning multiple
5495 * connections unlike traditional sockets - check the TUN driver to
5496 * get a better understanding of why this socket is special */
5497
5498 return avc_has_perm(&selinux_state,
5499 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5500 NULL);
5501 }
5502
selinux_tun_dev_attach_queue(void * security)5503 static int selinux_tun_dev_attach_queue(void *security)
5504 {
5505 struct tun_security_struct *tunsec = security;
5506
5507 return avc_has_perm(&selinux_state,
5508 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5509 TUN_SOCKET__ATTACH_QUEUE, NULL);
5510 }
5511
selinux_tun_dev_attach(struct sock * sk,void * security)5512 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5513 {
5514 struct tun_security_struct *tunsec = security;
5515 struct sk_security_struct *sksec = sk->sk_security;
5516
5517 /* we don't currently perform any NetLabel based labeling here and it
5518 * isn't clear that we would want to do so anyway; while we could apply
5519 * labeling without the support of the TUN user the resulting labeled
5520 * traffic from the other end of the connection would almost certainly
5521 * cause confusion to the TUN user that had no idea network labeling
5522 * protocols were being used */
5523
5524 sksec->sid = tunsec->sid;
5525 sksec->sclass = SECCLASS_TUN_SOCKET;
5526
5527 return 0;
5528 }
5529
selinux_tun_dev_open(void * security)5530 static int selinux_tun_dev_open(void *security)
5531 {
5532 struct tun_security_struct *tunsec = security;
5533 u32 sid = current_sid();
5534 int err;
5535
5536 err = avc_has_perm(&selinux_state,
5537 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5538 TUN_SOCKET__RELABELFROM, NULL);
5539 if (err)
5540 return err;
5541 err = avc_has_perm(&selinux_state,
5542 sid, sid, SECCLASS_TUN_SOCKET,
5543 TUN_SOCKET__RELABELTO, NULL);
5544 if (err)
5545 return err;
5546 tunsec->sid = sid;
5547
5548 return 0;
5549 }
5550
selinux_nlmsg_perm(struct sock * sk,struct sk_buff * skb)5551 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5552 {
5553 int err = 0;
5554 u32 perm;
5555 struct nlmsghdr *nlh;
5556 struct sk_security_struct *sksec = sk->sk_security;
5557
5558 if (skb->len < NLMSG_HDRLEN) {
5559 err = -EINVAL;
5560 goto out;
5561 }
5562 nlh = nlmsg_hdr(skb);
5563
5564 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5565 if (err) {
5566 if (err == -EINVAL) {
5567 pr_warn_ratelimited("SELinux: unrecognized netlink"
5568 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5569 " pig=%d comm=%s\n",
5570 sk->sk_protocol, nlh->nlmsg_type,
5571 secclass_map[sksec->sclass - 1].name,
5572 task_pid_nr(current), current->comm);
5573 if (!enforcing_enabled(&selinux_state) ||
5574 security_get_allow_unknown(&selinux_state))
5575 err = 0;
5576 }
5577
5578 /* Ignore */
5579 if (err == -ENOENT)
5580 err = 0;
5581 goto out;
5582 }
5583
5584 err = sock_has_perm(sk, perm);
5585 out:
5586 return err;
5587 }
5588
5589 #ifdef CONFIG_NETFILTER
5590
selinux_ip_forward(struct sk_buff * skb,const struct net_device * indev,u16 family)5591 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5592 const struct net_device *indev,
5593 u16 family)
5594 {
5595 int err;
5596 char *addrp;
5597 u32 peer_sid;
5598 struct common_audit_data ad;
5599 struct lsm_network_audit net = {0,};
5600 u8 secmark_active;
5601 u8 netlbl_active;
5602 u8 peerlbl_active;
5603
5604 if (!selinux_policycap_netpeer())
5605 return NF_ACCEPT;
5606
5607 secmark_active = selinux_secmark_enabled();
5608 netlbl_active = netlbl_enabled();
5609 peerlbl_active = selinux_peerlbl_enabled();
5610 if (!secmark_active && !peerlbl_active)
5611 return NF_ACCEPT;
5612
5613 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5614 return NF_DROP;
5615
5616 ad.type = LSM_AUDIT_DATA_NET;
5617 ad.u.net = &net;
5618 ad.u.net->netif = indev->ifindex;
5619 ad.u.net->family = family;
5620 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5621 return NF_DROP;
5622
5623 if (peerlbl_active) {
5624 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5625 addrp, family, peer_sid, &ad);
5626 if (err) {
5627 selinux_netlbl_err(skb, family, err, 1);
5628 return NF_DROP;
5629 }
5630 }
5631
5632 if (secmark_active)
5633 if (avc_has_perm(&selinux_state,
5634 peer_sid, skb->secmark,
5635 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5636 return NF_DROP;
5637
5638 if (netlbl_active)
5639 /* we do this in the FORWARD path and not the POST_ROUTING
5640 * path because we want to make sure we apply the necessary
5641 * labeling before IPsec is applied so we can leverage AH
5642 * protection */
5643 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5644 return NF_DROP;
5645
5646 return NF_ACCEPT;
5647 }
5648
selinux_ipv4_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5649 static unsigned int selinux_ipv4_forward(void *priv,
5650 struct sk_buff *skb,
5651 const struct nf_hook_state *state)
5652 {
5653 return selinux_ip_forward(skb, state->in, PF_INET);
5654 }
5655
5656 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5657 static unsigned int selinux_ipv6_forward(void *priv,
5658 struct sk_buff *skb,
5659 const struct nf_hook_state *state)
5660 {
5661 return selinux_ip_forward(skb, state->in, PF_INET6);
5662 }
5663 #endif /* IPV6 */
5664
selinux_ip_output(struct sk_buff * skb,u16 family)5665 static unsigned int selinux_ip_output(struct sk_buff *skb,
5666 u16 family)
5667 {
5668 struct sock *sk;
5669 u32 sid;
5670
5671 if (!netlbl_enabled())
5672 return NF_ACCEPT;
5673
5674 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5675 * because we want to make sure we apply the necessary labeling
5676 * before IPsec is applied so we can leverage AH protection */
5677 sk = skb->sk;
5678 if (sk) {
5679 struct sk_security_struct *sksec;
5680
5681 if (sk_listener(sk))
5682 /* if the socket is the listening state then this
5683 * packet is a SYN-ACK packet which means it needs to
5684 * be labeled based on the connection/request_sock and
5685 * not the parent socket. unfortunately, we can't
5686 * lookup the request_sock yet as it isn't queued on
5687 * the parent socket until after the SYN-ACK is sent.
5688 * the "solution" is to simply pass the packet as-is
5689 * as any IP option based labeling should be copied
5690 * from the initial connection request (in the IP
5691 * layer). it is far from ideal, but until we get a
5692 * security label in the packet itself this is the
5693 * best we can do. */
5694 return NF_ACCEPT;
5695
5696 /* standard practice, label using the parent socket */
5697 sksec = sk->sk_security;
5698 sid = sksec->sid;
5699 } else
5700 sid = SECINITSID_KERNEL;
5701 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5702 return NF_DROP;
5703
5704 return NF_ACCEPT;
5705 }
5706
selinux_ipv4_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5707 static unsigned int selinux_ipv4_output(void *priv,
5708 struct sk_buff *skb,
5709 const struct nf_hook_state *state)
5710 {
5711 return selinux_ip_output(skb, PF_INET);
5712 }
5713
5714 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5715 static unsigned int selinux_ipv6_output(void *priv,
5716 struct sk_buff *skb,
5717 const struct nf_hook_state *state)
5718 {
5719 return selinux_ip_output(skb, PF_INET6);
5720 }
5721 #endif /* IPV6 */
5722
selinux_ip_postroute_compat(struct sk_buff * skb,int ifindex,u16 family)5723 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5724 int ifindex,
5725 u16 family)
5726 {
5727 struct sock *sk = skb_to_full_sk(skb);
5728 struct sk_security_struct *sksec;
5729 struct common_audit_data ad;
5730 struct lsm_network_audit net = {0,};
5731 char *addrp;
5732 u8 proto;
5733
5734 if (sk == NULL)
5735 return NF_ACCEPT;
5736 sksec = sk->sk_security;
5737
5738 ad.type = LSM_AUDIT_DATA_NET;
5739 ad.u.net = &net;
5740 ad.u.net->netif = ifindex;
5741 ad.u.net->family = family;
5742 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5743 return NF_DROP;
5744
5745 if (selinux_secmark_enabled())
5746 if (avc_has_perm(&selinux_state,
5747 sksec->sid, skb->secmark,
5748 SECCLASS_PACKET, PACKET__SEND, &ad))
5749 return NF_DROP_ERR(-ECONNREFUSED);
5750
5751 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5752 return NF_DROP_ERR(-ECONNREFUSED);
5753
5754 return NF_ACCEPT;
5755 }
5756
selinux_ip_postroute(struct sk_buff * skb,const struct net_device * outdev,u16 family)5757 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5758 const struct net_device *outdev,
5759 u16 family)
5760 {
5761 u32 secmark_perm;
5762 u32 peer_sid;
5763 int ifindex = outdev->ifindex;
5764 struct sock *sk;
5765 struct common_audit_data ad;
5766 struct lsm_network_audit net = {0,};
5767 char *addrp;
5768 u8 secmark_active;
5769 u8 peerlbl_active;
5770
5771 /* If any sort of compatibility mode is enabled then handoff processing
5772 * to the selinux_ip_postroute_compat() function to deal with the
5773 * special handling. We do this in an attempt to keep this function
5774 * as fast and as clean as possible. */
5775 if (!selinux_policycap_netpeer())
5776 return selinux_ip_postroute_compat(skb, ifindex, family);
5777
5778 secmark_active = selinux_secmark_enabled();
5779 peerlbl_active = selinux_peerlbl_enabled();
5780 if (!secmark_active && !peerlbl_active)
5781 return NF_ACCEPT;
5782
5783 sk = skb_to_full_sk(skb);
5784
5785 #ifdef CONFIG_XFRM
5786 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5787 * packet transformation so allow the packet to pass without any checks
5788 * since we'll have another chance to perform access control checks
5789 * when the packet is on it's final way out.
5790 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5791 * is NULL, in this case go ahead and apply access control.
5792 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5793 * TCP listening state we cannot wait until the XFRM processing
5794 * is done as we will miss out on the SA label if we do;
5795 * unfortunately, this means more work, but it is only once per
5796 * connection. */
5797 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5798 !(sk && sk_listener(sk)))
5799 return NF_ACCEPT;
5800 #endif
5801
5802 if (sk == NULL) {
5803 /* Without an associated socket the packet is either coming
5804 * from the kernel or it is being forwarded; check the packet
5805 * to determine which and if the packet is being forwarded
5806 * query the packet directly to determine the security label. */
5807 if (skb->skb_iif) {
5808 secmark_perm = PACKET__FORWARD_OUT;
5809 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5810 return NF_DROP;
5811 } else {
5812 secmark_perm = PACKET__SEND;
5813 peer_sid = SECINITSID_KERNEL;
5814 }
5815 } else if (sk_listener(sk)) {
5816 /* Locally generated packet but the associated socket is in the
5817 * listening state which means this is a SYN-ACK packet. In
5818 * this particular case the correct security label is assigned
5819 * to the connection/request_sock but unfortunately we can't
5820 * query the request_sock as it isn't queued on the parent
5821 * socket until after the SYN-ACK packet is sent; the only
5822 * viable choice is to regenerate the label like we do in
5823 * selinux_inet_conn_request(). See also selinux_ip_output()
5824 * for similar problems. */
5825 u32 skb_sid;
5826 struct sk_security_struct *sksec;
5827
5828 sksec = sk->sk_security;
5829 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5830 return NF_DROP;
5831 /* At this point, if the returned skb peerlbl is SECSID_NULL
5832 * and the packet has been through at least one XFRM
5833 * transformation then we must be dealing with the "final"
5834 * form of labeled IPsec packet; since we've already applied
5835 * all of our access controls on this packet we can safely
5836 * pass the packet. */
5837 if (skb_sid == SECSID_NULL) {
5838 switch (family) {
5839 case PF_INET:
5840 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5841 return NF_ACCEPT;
5842 break;
5843 case PF_INET6:
5844 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5845 return NF_ACCEPT;
5846 break;
5847 default:
5848 return NF_DROP_ERR(-ECONNREFUSED);
5849 }
5850 }
5851 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5852 return NF_DROP;
5853 secmark_perm = PACKET__SEND;
5854 } else {
5855 /* Locally generated packet, fetch the security label from the
5856 * associated socket. */
5857 struct sk_security_struct *sksec = sk->sk_security;
5858 peer_sid = sksec->sid;
5859 secmark_perm = PACKET__SEND;
5860 }
5861
5862 ad.type = LSM_AUDIT_DATA_NET;
5863 ad.u.net = &net;
5864 ad.u.net->netif = ifindex;
5865 ad.u.net->family = family;
5866 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5867 return NF_DROP;
5868
5869 if (secmark_active)
5870 if (avc_has_perm(&selinux_state,
5871 peer_sid, skb->secmark,
5872 SECCLASS_PACKET, secmark_perm, &ad))
5873 return NF_DROP_ERR(-ECONNREFUSED);
5874
5875 if (peerlbl_active) {
5876 u32 if_sid;
5877 u32 node_sid;
5878
5879 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5880 return NF_DROP;
5881 if (avc_has_perm(&selinux_state,
5882 peer_sid, if_sid,
5883 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5884 return NF_DROP_ERR(-ECONNREFUSED);
5885
5886 if (sel_netnode_sid(addrp, family, &node_sid))
5887 return NF_DROP;
5888 if (avc_has_perm(&selinux_state,
5889 peer_sid, node_sid,
5890 SECCLASS_NODE, NODE__SENDTO, &ad))
5891 return NF_DROP_ERR(-ECONNREFUSED);
5892 }
5893
5894 return NF_ACCEPT;
5895 }
5896
selinux_ipv4_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5897 static unsigned int selinux_ipv4_postroute(void *priv,
5898 struct sk_buff *skb,
5899 const struct nf_hook_state *state)
5900 {
5901 return selinux_ip_postroute(skb, state->out, PF_INET);
5902 }
5903
5904 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5905 static unsigned int selinux_ipv6_postroute(void *priv,
5906 struct sk_buff *skb,
5907 const struct nf_hook_state *state)
5908 {
5909 return selinux_ip_postroute(skb, state->out, PF_INET6);
5910 }
5911 #endif /* IPV6 */
5912
5913 #endif /* CONFIG_NETFILTER */
5914
selinux_netlink_send(struct sock * sk,struct sk_buff * skb)5915 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5916 {
5917 return selinux_nlmsg_perm(sk, skb);
5918 }
5919
ipc_alloc_security(struct kern_ipc_perm * perm,u16 sclass)5920 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5921 u16 sclass)
5922 {
5923 struct ipc_security_struct *isec;
5924
5925 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5926 if (!isec)
5927 return -ENOMEM;
5928
5929 isec->sclass = sclass;
5930 isec->sid = current_sid();
5931 perm->security = isec;
5932
5933 return 0;
5934 }
5935
ipc_free_security(struct kern_ipc_perm * perm)5936 static void ipc_free_security(struct kern_ipc_perm *perm)
5937 {
5938 struct ipc_security_struct *isec = perm->security;
5939 perm->security = NULL;
5940 kfree(isec);
5941 }
5942
msg_msg_alloc_security(struct msg_msg * msg)5943 static int msg_msg_alloc_security(struct msg_msg *msg)
5944 {
5945 struct msg_security_struct *msec;
5946
5947 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5948 if (!msec)
5949 return -ENOMEM;
5950
5951 msec->sid = SECINITSID_UNLABELED;
5952 msg->security = msec;
5953
5954 return 0;
5955 }
5956
msg_msg_free_security(struct msg_msg * msg)5957 static void msg_msg_free_security(struct msg_msg *msg)
5958 {
5959 struct msg_security_struct *msec = msg->security;
5960
5961 msg->security = NULL;
5962 kfree(msec);
5963 }
5964
ipc_has_perm(struct kern_ipc_perm * ipc_perms,u32 perms)5965 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5966 u32 perms)
5967 {
5968 struct ipc_security_struct *isec;
5969 struct common_audit_data ad;
5970 u32 sid = current_sid();
5971
5972 isec = ipc_perms->security;
5973
5974 ad.type = LSM_AUDIT_DATA_IPC;
5975 ad.u.ipc_id = ipc_perms->key;
5976
5977 return avc_has_perm(&selinux_state,
5978 sid, isec->sid, isec->sclass, perms, &ad);
5979 }
5980
selinux_msg_msg_alloc_security(struct msg_msg * msg)5981 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5982 {
5983 return msg_msg_alloc_security(msg);
5984 }
5985
selinux_msg_msg_free_security(struct msg_msg * msg)5986 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5987 {
5988 msg_msg_free_security(msg);
5989 }
5990
5991 /* message queue security operations */
selinux_msg_queue_alloc_security(struct kern_ipc_perm * msq)5992 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5993 {
5994 struct ipc_security_struct *isec;
5995 struct common_audit_data ad;
5996 u32 sid = current_sid();
5997 int rc;
5998
5999 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
6000 if (rc)
6001 return rc;
6002
6003 isec = msq->security;
6004
6005 ad.type = LSM_AUDIT_DATA_IPC;
6006 ad.u.ipc_id = msq->key;
6007
6008 rc = avc_has_perm(&selinux_state,
6009 sid, isec->sid, SECCLASS_MSGQ,
6010 MSGQ__CREATE, &ad);
6011 if (rc) {
6012 ipc_free_security(msq);
6013 return rc;
6014 }
6015 return 0;
6016 }
6017
selinux_msg_queue_free_security(struct kern_ipc_perm * msq)6018 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6019 {
6020 ipc_free_security(msq);
6021 }
6022
selinux_msg_queue_associate(struct kern_ipc_perm * msq,int msqflg)6023 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6024 {
6025 struct ipc_security_struct *isec;
6026 struct common_audit_data ad;
6027 u32 sid = current_sid();
6028
6029 isec = msq->security;
6030
6031 ad.type = LSM_AUDIT_DATA_IPC;
6032 ad.u.ipc_id = msq->key;
6033
6034 return avc_has_perm(&selinux_state,
6035 sid, isec->sid, SECCLASS_MSGQ,
6036 MSGQ__ASSOCIATE, &ad);
6037 }
6038
selinux_msg_queue_msgctl(struct kern_ipc_perm * msq,int cmd)6039 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6040 {
6041 int err;
6042 int perms;
6043
6044 switch (cmd) {
6045 case IPC_INFO:
6046 case MSG_INFO:
6047 /* No specific object, just general system-wide information. */
6048 return avc_has_perm(&selinux_state,
6049 current_sid(), SECINITSID_KERNEL,
6050 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6051 case IPC_STAT:
6052 case MSG_STAT:
6053 case MSG_STAT_ANY:
6054 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6055 break;
6056 case IPC_SET:
6057 perms = MSGQ__SETATTR;
6058 break;
6059 case IPC_RMID:
6060 perms = MSGQ__DESTROY;
6061 break;
6062 default:
6063 return 0;
6064 }
6065
6066 err = ipc_has_perm(msq, perms);
6067 return err;
6068 }
6069
selinux_msg_queue_msgsnd(struct kern_ipc_perm * msq,struct msg_msg * msg,int msqflg)6070 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6071 {
6072 struct ipc_security_struct *isec;
6073 struct msg_security_struct *msec;
6074 struct common_audit_data ad;
6075 u32 sid = current_sid();
6076 int rc;
6077
6078 isec = msq->security;
6079 msec = msg->security;
6080
6081 /*
6082 * First time through, need to assign label to the message
6083 */
6084 if (msec->sid == SECINITSID_UNLABELED) {
6085 /*
6086 * Compute new sid based on current process and
6087 * message queue this message will be stored in
6088 */
6089 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6090 SECCLASS_MSG, NULL, &msec->sid);
6091 if (rc)
6092 return rc;
6093 }
6094
6095 ad.type = LSM_AUDIT_DATA_IPC;
6096 ad.u.ipc_id = msq->key;
6097
6098 /* Can this process write to the queue? */
6099 rc = avc_has_perm(&selinux_state,
6100 sid, isec->sid, SECCLASS_MSGQ,
6101 MSGQ__WRITE, &ad);
6102 if (!rc)
6103 /* Can this process send the message */
6104 rc = avc_has_perm(&selinux_state,
6105 sid, msec->sid, SECCLASS_MSG,
6106 MSG__SEND, &ad);
6107 if (!rc)
6108 /* Can the message be put in the queue? */
6109 rc = avc_has_perm(&selinux_state,
6110 msec->sid, isec->sid, SECCLASS_MSGQ,
6111 MSGQ__ENQUEUE, &ad);
6112
6113 return rc;
6114 }
6115
selinux_msg_queue_msgrcv(struct kern_ipc_perm * msq,struct msg_msg * msg,struct task_struct * target,long type,int mode)6116 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6117 struct task_struct *target,
6118 long type, int mode)
6119 {
6120 struct ipc_security_struct *isec;
6121 struct msg_security_struct *msec;
6122 struct common_audit_data ad;
6123 u32 sid = task_sid(target);
6124 int rc;
6125
6126 isec = msq->security;
6127 msec = msg->security;
6128
6129 ad.type = LSM_AUDIT_DATA_IPC;
6130 ad.u.ipc_id = msq->key;
6131
6132 rc = avc_has_perm(&selinux_state,
6133 sid, isec->sid,
6134 SECCLASS_MSGQ, MSGQ__READ, &ad);
6135 if (!rc)
6136 rc = avc_has_perm(&selinux_state,
6137 sid, msec->sid,
6138 SECCLASS_MSG, MSG__RECEIVE, &ad);
6139 return rc;
6140 }
6141
6142 /* Shared Memory security operations */
selinux_shm_alloc_security(struct kern_ipc_perm * shp)6143 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6144 {
6145 struct ipc_security_struct *isec;
6146 struct common_audit_data ad;
6147 u32 sid = current_sid();
6148 int rc;
6149
6150 rc = ipc_alloc_security(shp, SECCLASS_SHM);
6151 if (rc)
6152 return rc;
6153
6154 isec = shp->security;
6155
6156 ad.type = LSM_AUDIT_DATA_IPC;
6157 ad.u.ipc_id = shp->key;
6158
6159 rc = avc_has_perm(&selinux_state,
6160 sid, isec->sid, SECCLASS_SHM,
6161 SHM__CREATE, &ad);
6162 if (rc) {
6163 ipc_free_security(shp);
6164 return rc;
6165 }
6166 return 0;
6167 }
6168
selinux_shm_free_security(struct kern_ipc_perm * shp)6169 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6170 {
6171 ipc_free_security(shp);
6172 }
6173
selinux_shm_associate(struct kern_ipc_perm * shp,int shmflg)6174 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6175 {
6176 struct ipc_security_struct *isec;
6177 struct common_audit_data ad;
6178 u32 sid = current_sid();
6179
6180 isec = shp->security;
6181
6182 ad.type = LSM_AUDIT_DATA_IPC;
6183 ad.u.ipc_id = shp->key;
6184
6185 return avc_has_perm(&selinux_state,
6186 sid, isec->sid, SECCLASS_SHM,
6187 SHM__ASSOCIATE, &ad);
6188 }
6189
6190 /* Note, at this point, shp is locked down */
selinux_shm_shmctl(struct kern_ipc_perm * shp,int cmd)6191 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6192 {
6193 int perms;
6194 int err;
6195
6196 switch (cmd) {
6197 case IPC_INFO:
6198 case SHM_INFO:
6199 /* No specific object, just general system-wide information. */
6200 return avc_has_perm(&selinux_state,
6201 current_sid(), SECINITSID_KERNEL,
6202 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6203 case IPC_STAT:
6204 case SHM_STAT:
6205 case SHM_STAT_ANY:
6206 perms = SHM__GETATTR | SHM__ASSOCIATE;
6207 break;
6208 case IPC_SET:
6209 perms = SHM__SETATTR;
6210 break;
6211 case SHM_LOCK:
6212 case SHM_UNLOCK:
6213 perms = SHM__LOCK;
6214 break;
6215 case IPC_RMID:
6216 perms = SHM__DESTROY;
6217 break;
6218 default:
6219 return 0;
6220 }
6221
6222 err = ipc_has_perm(shp, perms);
6223 return err;
6224 }
6225
selinux_shm_shmat(struct kern_ipc_perm * shp,char __user * shmaddr,int shmflg)6226 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6227 char __user *shmaddr, int shmflg)
6228 {
6229 u32 perms;
6230
6231 if (shmflg & SHM_RDONLY)
6232 perms = SHM__READ;
6233 else
6234 perms = SHM__READ | SHM__WRITE;
6235
6236 return ipc_has_perm(shp, perms);
6237 }
6238
6239 /* Semaphore security operations */
selinux_sem_alloc_security(struct kern_ipc_perm * sma)6240 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6241 {
6242 struct ipc_security_struct *isec;
6243 struct common_audit_data ad;
6244 u32 sid = current_sid();
6245 int rc;
6246
6247 rc = ipc_alloc_security(sma, SECCLASS_SEM);
6248 if (rc)
6249 return rc;
6250
6251 isec = sma->security;
6252
6253 ad.type = LSM_AUDIT_DATA_IPC;
6254 ad.u.ipc_id = sma->key;
6255
6256 rc = avc_has_perm(&selinux_state,
6257 sid, isec->sid, SECCLASS_SEM,
6258 SEM__CREATE, &ad);
6259 if (rc) {
6260 ipc_free_security(sma);
6261 return rc;
6262 }
6263 return 0;
6264 }
6265
selinux_sem_free_security(struct kern_ipc_perm * sma)6266 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6267 {
6268 ipc_free_security(sma);
6269 }
6270
selinux_sem_associate(struct kern_ipc_perm * sma,int semflg)6271 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6272 {
6273 struct ipc_security_struct *isec;
6274 struct common_audit_data ad;
6275 u32 sid = current_sid();
6276
6277 isec = sma->security;
6278
6279 ad.type = LSM_AUDIT_DATA_IPC;
6280 ad.u.ipc_id = sma->key;
6281
6282 return avc_has_perm(&selinux_state,
6283 sid, isec->sid, SECCLASS_SEM,
6284 SEM__ASSOCIATE, &ad);
6285 }
6286
6287 /* Note, at this point, sma is locked down */
selinux_sem_semctl(struct kern_ipc_perm * sma,int cmd)6288 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6289 {
6290 int err;
6291 u32 perms;
6292
6293 switch (cmd) {
6294 case IPC_INFO:
6295 case SEM_INFO:
6296 /* No specific object, just general system-wide information. */
6297 return avc_has_perm(&selinux_state,
6298 current_sid(), SECINITSID_KERNEL,
6299 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6300 case GETPID:
6301 case GETNCNT:
6302 case GETZCNT:
6303 perms = SEM__GETATTR;
6304 break;
6305 case GETVAL:
6306 case GETALL:
6307 perms = SEM__READ;
6308 break;
6309 case SETVAL:
6310 case SETALL:
6311 perms = SEM__WRITE;
6312 break;
6313 case IPC_RMID:
6314 perms = SEM__DESTROY;
6315 break;
6316 case IPC_SET:
6317 perms = SEM__SETATTR;
6318 break;
6319 case IPC_STAT:
6320 case SEM_STAT:
6321 case SEM_STAT_ANY:
6322 perms = SEM__GETATTR | SEM__ASSOCIATE;
6323 break;
6324 default:
6325 return 0;
6326 }
6327
6328 err = ipc_has_perm(sma, perms);
6329 return err;
6330 }
6331
selinux_sem_semop(struct kern_ipc_perm * sma,struct sembuf * sops,unsigned nsops,int alter)6332 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6333 struct sembuf *sops, unsigned nsops, int alter)
6334 {
6335 u32 perms;
6336
6337 if (alter)
6338 perms = SEM__READ | SEM__WRITE;
6339 else
6340 perms = SEM__READ;
6341
6342 return ipc_has_perm(sma, perms);
6343 }
6344
selinux_ipc_permission(struct kern_ipc_perm * ipcp,short flag)6345 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6346 {
6347 u32 av = 0;
6348
6349 av = 0;
6350 if (flag & S_IRUGO)
6351 av |= IPC__UNIX_READ;
6352 if (flag & S_IWUGO)
6353 av |= IPC__UNIX_WRITE;
6354
6355 if (av == 0)
6356 return 0;
6357
6358 return ipc_has_perm(ipcp, av);
6359 }
6360
selinux_ipc_getsecid(struct kern_ipc_perm * ipcp,u32 * secid)6361 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6362 {
6363 struct ipc_security_struct *isec = ipcp->security;
6364 *secid = isec->sid;
6365 }
6366
selinux_d_instantiate(struct dentry * dentry,struct inode * inode)6367 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6368 {
6369 if (inode)
6370 inode_doinit_with_dentry(inode, dentry);
6371 }
6372
selinux_getprocattr(struct task_struct * p,char * name,char ** value)6373 static int selinux_getprocattr(struct task_struct *p,
6374 char *name, char **value)
6375 {
6376 const struct task_security_struct *__tsec;
6377 u32 sid;
6378 int error;
6379 unsigned len;
6380
6381 rcu_read_lock();
6382 __tsec = __task_cred(p)->security;
6383
6384 if (current != p) {
6385 error = avc_has_perm(&selinux_state,
6386 current_sid(), __tsec->sid,
6387 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6388 if (error)
6389 goto bad;
6390 }
6391
6392 if (!strcmp(name, "current"))
6393 sid = __tsec->sid;
6394 else if (!strcmp(name, "prev"))
6395 sid = __tsec->osid;
6396 else if (!strcmp(name, "exec"))
6397 sid = __tsec->exec_sid;
6398 else if (!strcmp(name, "fscreate"))
6399 sid = __tsec->create_sid;
6400 else if (!strcmp(name, "keycreate"))
6401 sid = __tsec->keycreate_sid;
6402 else if (!strcmp(name, "sockcreate"))
6403 sid = __tsec->sockcreate_sid;
6404 else {
6405 error = -EINVAL;
6406 goto bad;
6407 }
6408 rcu_read_unlock();
6409
6410 if (!sid)
6411 return 0;
6412
6413 error = security_sid_to_context(&selinux_state, sid, value, &len);
6414 if (error)
6415 return error;
6416 return len;
6417
6418 bad:
6419 rcu_read_unlock();
6420 return error;
6421 }
6422
selinux_setprocattr(const char * name,void * value,size_t size)6423 static int selinux_setprocattr(const char *name, void *value, size_t size)
6424 {
6425 struct task_security_struct *tsec;
6426 struct cred *new;
6427 u32 mysid = current_sid(), sid = 0, ptsid;
6428 int error;
6429 char *str = value;
6430
6431 /*
6432 * Basic control over ability to set these attributes at all.
6433 */
6434 if (!strcmp(name, "exec"))
6435 error = avc_has_perm(&selinux_state,
6436 mysid, mysid, SECCLASS_PROCESS,
6437 PROCESS__SETEXEC, NULL);
6438 else if (!strcmp(name, "fscreate"))
6439 error = avc_has_perm(&selinux_state,
6440 mysid, mysid, SECCLASS_PROCESS,
6441 PROCESS__SETFSCREATE, NULL);
6442 else if (!strcmp(name, "keycreate"))
6443 error = avc_has_perm(&selinux_state,
6444 mysid, mysid, SECCLASS_PROCESS,
6445 PROCESS__SETKEYCREATE, NULL);
6446 else if (!strcmp(name, "sockcreate"))
6447 error = avc_has_perm(&selinux_state,
6448 mysid, mysid, SECCLASS_PROCESS,
6449 PROCESS__SETSOCKCREATE, NULL);
6450 else if (!strcmp(name, "current"))
6451 error = avc_has_perm(&selinux_state,
6452 mysid, mysid, SECCLASS_PROCESS,
6453 PROCESS__SETCURRENT, NULL);
6454 else
6455 error = -EINVAL;
6456 if (error)
6457 return error;
6458
6459 /* Obtain a SID for the context, if one was specified. */
6460 if (size && str[0] && str[0] != '\n') {
6461 if (str[size-1] == '\n') {
6462 str[size-1] = 0;
6463 size--;
6464 }
6465 error = security_context_to_sid(&selinux_state, value, size,
6466 &sid, GFP_KERNEL);
6467 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6468 if (!has_cap_mac_admin(true)) {
6469 struct audit_buffer *ab;
6470 size_t audit_size;
6471
6472 /* We strip a nul only if it is at the end, otherwise the
6473 * context contains a nul and we should audit that */
6474 if (str[size - 1] == '\0')
6475 audit_size = size - 1;
6476 else
6477 audit_size = size;
6478 ab = audit_log_start(audit_context(),
6479 GFP_ATOMIC,
6480 AUDIT_SELINUX_ERR);
6481 audit_log_format(ab, "op=fscreate invalid_context=");
6482 audit_log_n_untrustedstring(ab, value, audit_size);
6483 audit_log_end(ab);
6484
6485 return error;
6486 }
6487 error = security_context_to_sid_force(
6488 &selinux_state,
6489 value, size, &sid);
6490 }
6491 if (error)
6492 return error;
6493 }
6494
6495 new = prepare_creds();
6496 if (!new)
6497 return -ENOMEM;
6498
6499 /* Permission checking based on the specified context is
6500 performed during the actual operation (execve,
6501 open/mkdir/...), when we know the full context of the
6502 operation. See selinux_bprm_set_creds for the execve
6503 checks and may_create for the file creation checks. The
6504 operation will then fail if the context is not permitted. */
6505 tsec = new->security;
6506 if (!strcmp(name, "exec")) {
6507 tsec->exec_sid = sid;
6508 } else if (!strcmp(name, "fscreate")) {
6509 tsec->create_sid = sid;
6510 } else if (!strcmp(name, "keycreate")) {
6511 error = avc_has_perm(&selinux_state,
6512 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6513 NULL);
6514 if (error)
6515 goto abort_change;
6516 tsec->keycreate_sid = sid;
6517 } else if (!strcmp(name, "sockcreate")) {
6518 tsec->sockcreate_sid = sid;
6519 } else if (!strcmp(name, "current")) {
6520 error = -EINVAL;
6521 if (sid == 0)
6522 goto abort_change;
6523
6524 /* Only allow single threaded processes to change context */
6525 error = -EPERM;
6526 if (!current_is_single_threaded()) {
6527 error = security_bounded_transition(&selinux_state,
6528 tsec->sid, sid);
6529 if (error)
6530 goto abort_change;
6531 }
6532
6533 /* Check permissions for the transition. */
6534 error = avc_has_perm(&selinux_state,
6535 tsec->sid, sid, SECCLASS_PROCESS,
6536 PROCESS__DYNTRANSITION, NULL);
6537 if (error)
6538 goto abort_change;
6539
6540 /* Check for ptracing, and update the task SID if ok.
6541 Otherwise, leave SID unchanged and fail. */
6542 ptsid = ptrace_parent_sid();
6543 if (ptsid != 0) {
6544 error = avc_has_perm(&selinux_state,
6545 ptsid, sid, SECCLASS_PROCESS,
6546 PROCESS__PTRACE, NULL);
6547 if (error)
6548 goto abort_change;
6549 }
6550
6551 tsec->sid = sid;
6552 } else {
6553 error = -EINVAL;
6554 goto abort_change;
6555 }
6556
6557 commit_creds(new);
6558 return size;
6559
6560 abort_change:
6561 abort_creds(new);
6562 return error;
6563 }
6564
selinux_ismaclabel(const char * name)6565 static int selinux_ismaclabel(const char *name)
6566 {
6567 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6568 }
6569
selinux_secid_to_secctx(u32 secid,char ** secdata,u32 * seclen)6570 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6571 {
6572 return security_sid_to_context(&selinux_state, secid,
6573 secdata, seclen);
6574 }
6575
selinux_secctx_to_secid(const char * secdata,u32 seclen,u32 * secid)6576 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6577 {
6578 return security_context_to_sid(&selinux_state, secdata, seclen,
6579 secid, GFP_KERNEL);
6580 }
6581
selinux_release_secctx(char * secdata,u32 seclen)6582 static void selinux_release_secctx(char *secdata, u32 seclen)
6583 {
6584 kfree(secdata);
6585 }
6586
selinux_inode_invalidate_secctx(struct inode * inode)6587 static void selinux_inode_invalidate_secctx(struct inode *inode)
6588 {
6589 struct inode_security_struct *isec = inode->i_security;
6590
6591 spin_lock(&isec->lock);
6592 isec->initialized = LABEL_INVALID;
6593 spin_unlock(&isec->lock);
6594 }
6595
6596 /*
6597 * called with inode->i_mutex locked
6598 */
selinux_inode_notifysecctx(struct inode * inode,void * ctx,u32 ctxlen)6599 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6600 {
6601 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6602 }
6603
6604 /*
6605 * called with inode->i_mutex locked
6606 */
selinux_inode_setsecctx(struct dentry * dentry,void * ctx,u32 ctxlen)6607 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6608 {
6609 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6610 }
6611
selinux_inode_getsecctx(struct inode * inode,void ** ctx,u32 * ctxlen)6612 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6613 {
6614 int len = 0;
6615 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6616 ctx, true);
6617 if (len < 0)
6618 return len;
6619 *ctxlen = len;
6620 return 0;
6621 }
6622 #ifdef CONFIG_KEYS
6623
selinux_key_alloc(struct key * k,const struct cred * cred,unsigned long flags)6624 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6625 unsigned long flags)
6626 {
6627 const struct task_security_struct *tsec;
6628 struct key_security_struct *ksec;
6629
6630 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6631 if (!ksec)
6632 return -ENOMEM;
6633
6634 tsec = cred->security;
6635 if (tsec->keycreate_sid)
6636 ksec->sid = tsec->keycreate_sid;
6637 else
6638 ksec->sid = tsec->sid;
6639
6640 k->security = ksec;
6641 return 0;
6642 }
6643
selinux_key_free(struct key * k)6644 static void selinux_key_free(struct key *k)
6645 {
6646 struct key_security_struct *ksec = k->security;
6647
6648 k->security = NULL;
6649 kfree(ksec);
6650 }
6651
selinux_key_permission(key_ref_t key_ref,const struct cred * cred,unsigned perm)6652 static int selinux_key_permission(key_ref_t key_ref,
6653 const struct cred *cred,
6654 unsigned perm)
6655 {
6656 struct key *key;
6657 struct key_security_struct *ksec;
6658 u32 sid;
6659
6660 /* if no specific permissions are requested, we skip the
6661 permission check. No serious, additional covert channels
6662 appear to be created. */
6663 if (perm == 0)
6664 return 0;
6665
6666 sid = cred_sid(cred);
6667
6668 key = key_ref_to_ptr(key_ref);
6669 ksec = key->security;
6670
6671 return avc_has_perm(&selinux_state,
6672 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6673 }
6674
selinux_key_getsecurity(struct key * key,char ** _buffer)6675 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6676 {
6677 struct key_security_struct *ksec = key->security;
6678 char *context = NULL;
6679 unsigned len;
6680 int rc;
6681
6682 rc = security_sid_to_context(&selinux_state, ksec->sid,
6683 &context, &len);
6684 if (!rc)
6685 rc = len;
6686 *_buffer = context;
6687 return rc;
6688 }
6689 #endif
6690
6691 #ifdef CONFIG_SECURITY_INFINIBAND
selinux_ib_pkey_access(void * ib_sec,u64 subnet_prefix,u16 pkey_val)6692 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6693 {
6694 struct common_audit_data ad;
6695 int err;
6696 u32 sid = 0;
6697 struct ib_security_struct *sec = ib_sec;
6698 struct lsm_ibpkey_audit ibpkey;
6699
6700 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6701 if (err)
6702 return err;
6703
6704 ad.type = LSM_AUDIT_DATA_IBPKEY;
6705 ibpkey.subnet_prefix = subnet_prefix;
6706 ibpkey.pkey = pkey_val;
6707 ad.u.ibpkey = &ibpkey;
6708 return avc_has_perm(&selinux_state,
6709 sec->sid, sid,
6710 SECCLASS_INFINIBAND_PKEY,
6711 INFINIBAND_PKEY__ACCESS, &ad);
6712 }
6713
selinux_ib_endport_manage_subnet(void * ib_sec,const char * dev_name,u8 port_num)6714 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6715 u8 port_num)
6716 {
6717 struct common_audit_data ad;
6718 int err;
6719 u32 sid = 0;
6720 struct ib_security_struct *sec = ib_sec;
6721 struct lsm_ibendport_audit ibendport;
6722
6723 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6724 &sid);
6725
6726 if (err)
6727 return err;
6728
6729 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6730 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6731 ibendport.port = port_num;
6732 ad.u.ibendport = &ibendport;
6733 return avc_has_perm(&selinux_state,
6734 sec->sid, sid,
6735 SECCLASS_INFINIBAND_ENDPORT,
6736 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6737 }
6738
selinux_ib_alloc_security(void ** ib_sec)6739 static int selinux_ib_alloc_security(void **ib_sec)
6740 {
6741 struct ib_security_struct *sec;
6742
6743 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6744 if (!sec)
6745 return -ENOMEM;
6746 sec->sid = current_sid();
6747
6748 *ib_sec = sec;
6749 return 0;
6750 }
6751
selinux_ib_free_security(void * ib_sec)6752 static void selinux_ib_free_security(void *ib_sec)
6753 {
6754 kfree(ib_sec);
6755 }
6756 #endif
6757
6758 #ifdef CONFIG_BPF_SYSCALL
selinux_bpf(int cmd,union bpf_attr * attr,unsigned int size)6759 static int selinux_bpf(int cmd, union bpf_attr *attr,
6760 unsigned int size)
6761 {
6762 u32 sid = current_sid();
6763 int ret;
6764
6765 switch (cmd) {
6766 case BPF_MAP_CREATE:
6767 ret = avc_has_perm(&selinux_state,
6768 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6769 NULL);
6770 break;
6771 case BPF_PROG_LOAD:
6772 ret = avc_has_perm(&selinux_state,
6773 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6774 NULL);
6775 break;
6776 default:
6777 ret = 0;
6778 break;
6779 }
6780
6781 return ret;
6782 }
6783
bpf_map_fmode_to_av(fmode_t fmode)6784 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6785 {
6786 u32 av = 0;
6787
6788 if (fmode & FMODE_READ)
6789 av |= BPF__MAP_READ;
6790 if (fmode & FMODE_WRITE)
6791 av |= BPF__MAP_WRITE;
6792 return av;
6793 }
6794
6795 /* This function will check the file pass through unix socket or binder to see
6796 * if it is a bpf related object. And apply correspinding checks on the bpf
6797 * object based on the type. The bpf maps and programs, not like other files and
6798 * socket, are using a shared anonymous inode inside the kernel as their inode.
6799 * So checking that inode cannot identify if the process have privilege to
6800 * access the bpf object and that's why we have to add this additional check in
6801 * selinux_file_receive and selinux_binder_transfer_files.
6802 */
bpf_fd_pass(struct file * file,u32 sid)6803 static int bpf_fd_pass(struct file *file, u32 sid)
6804 {
6805 struct bpf_security_struct *bpfsec;
6806 struct bpf_prog *prog;
6807 struct bpf_map *map;
6808 int ret;
6809
6810 if (file->f_op == &bpf_map_fops) {
6811 map = file->private_data;
6812 bpfsec = map->security;
6813 ret = avc_has_perm(&selinux_state,
6814 sid, bpfsec->sid, SECCLASS_BPF,
6815 bpf_map_fmode_to_av(file->f_mode), NULL);
6816 if (ret)
6817 return ret;
6818 } else if (file->f_op == &bpf_prog_fops) {
6819 prog = file->private_data;
6820 bpfsec = prog->aux->security;
6821 ret = avc_has_perm(&selinux_state,
6822 sid, bpfsec->sid, SECCLASS_BPF,
6823 BPF__PROG_RUN, NULL);
6824 if (ret)
6825 return ret;
6826 }
6827 return 0;
6828 }
6829
selinux_bpf_map(struct bpf_map * map,fmode_t fmode)6830 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6831 {
6832 u32 sid = current_sid();
6833 struct bpf_security_struct *bpfsec;
6834
6835 bpfsec = map->security;
6836 return avc_has_perm(&selinux_state,
6837 sid, bpfsec->sid, SECCLASS_BPF,
6838 bpf_map_fmode_to_av(fmode), NULL);
6839 }
6840
selinux_bpf_prog(struct bpf_prog * prog)6841 static int selinux_bpf_prog(struct bpf_prog *prog)
6842 {
6843 u32 sid = current_sid();
6844 struct bpf_security_struct *bpfsec;
6845
6846 bpfsec = prog->aux->security;
6847 return avc_has_perm(&selinux_state,
6848 sid, bpfsec->sid, SECCLASS_BPF,
6849 BPF__PROG_RUN, NULL);
6850 }
6851
selinux_bpf_map_alloc(struct bpf_map * map)6852 static int selinux_bpf_map_alloc(struct bpf_map *map)
6853 {
6854 struct bpf_security_struct *bpfsec;
6855
6856 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6857 if (!bpfsec)
6858 return -ENOMEM;
6859
6860 bpfsec->sid = current_sid();
6861 map->security = bpfsec;
6862
6863 return 0;
6864 }
6865
selinux_bpf_map_free(struct bpf_map * map)6866 static void selinux_bpf_map_free(struct bpf_map *map)
6867 {
6868 struct bpf_security_struct *bpfsec = map->security;
6869
6870 map->security = NULL;
6871 kfree(bpfsec);
6872 }
6873
selinux_bpf_prog_alloc(struct bpf_prog_aux * aux)6874 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6875 {
6876 struct bpf_security_struct *bpfsec;
6877
6878 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6879 if (!bpfsec)
6880 return -ENOMEM;
6881
6882 bpfsec->sid = current_sid();
6883 aux->security = bpfsec;
6884
6885 return 0;
6886 }
6887
selinux_bpf_prog_free(struct bpf_prog_aux * aux)6888 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6889 {
6890 struct bpf_security_struct *bpfsec = aux->security;
6891
6892 aux->security = NULL;
6893 kfree(bpfsec);
6894 }
6895 #endif
6896
6897 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6898 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6899 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6900 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6901 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6902
6903 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6904 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6905 LSM_HOOK_INIT(capget, selinux_capget),
6906 LSM_HOOK_INIT(capset, selinux_capset),
6907 LSM_HOOK_INIT(capable, selinux_capable),
6908 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6909 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6910 LSM_HOOK_INIT(syslog, selinux_syslog),
6911 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6912
6913 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6914
6915 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6916 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6917 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6918
6919 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6920 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6921 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6922 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6923 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6924 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6925 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6926 LSM_HOOK_INIT(sb_mount, selinux_mount),
6927 LSM_HOOK_INIT(sb_umount, selinux_umount),
6928 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6929 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6930 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6931
6932 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6933 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6934
6935 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6936 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6937 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6938 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6939 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6940 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6941 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6942 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6943 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6944 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6945 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6946 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6947 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6948 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6949 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6950 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6951 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6952 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6953 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6954 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6955 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6956 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6957 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6958 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6959 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6960 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6961 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6962
6963 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6964 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6965 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6966 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6967 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6968 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6969 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6970 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6971 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6972 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6973 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6974 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6975
6976 LSM_HOOK_INIT(file_open, selinux_file_open),
6977
6978 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6979 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6980 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6981 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6982 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6983 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6984 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6985 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6986 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6987 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6988 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6989 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6990 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6991 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6992 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6993 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6994 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6995 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6996 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6997 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6998 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6999 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7000 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7001 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7002 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7003
7004 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7005 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7006
7007 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7008 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
7009
7010 LSM_HOOK_INIT(msg_queue_alloc_security,
7011 selinux_msg_queue_alloc_security),
7012 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
7013 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7014 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7015 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7016 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7017
7018 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7019 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7020 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7021 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7022 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7023
7024 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7025 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7026 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7027 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7028 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7029
7030 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7031
7032 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7033 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7034
7035 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7036 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7037 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7038 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7039 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7040 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7041 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7042 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7043
7044 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7045 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7046
7047 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7048 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7049 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7050 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7051 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7052 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7053 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7054 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7055 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7056 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7057 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7058 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7059 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7060 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7061 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7062 LSM_HOOK_INIT(socket_getpeersec_stream,
7063 selinux_socket_getpeersec_stream),
7064 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7065 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7066 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7067 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7068 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7069 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7070 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7071 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7072 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7073 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7074 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7075 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7076 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7077 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7078 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7079 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7080 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7081 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7082 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7083 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7084 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7085 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7086 #ifdef CONFIG_SECURITY_INFINIBAND
7087 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7088 LSM_HOOK_INIT(ib_endport_manage_subnet,
7089 selinux_ib_endport_manage_subnet),
7090 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7091 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7092 #endif
7093 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7094 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7095 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7096 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7097 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7098 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7099 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7100 selinux_xfrm_state_alloc_acquire),
7101 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7102 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7103 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7104 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7105 selinux_xfrm_state_pol_flow_match),
7106 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7107 #endif
7108
7109 #ifdef CONFIG_KEYS
7110 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7111 LSM_HOOK_INIT(key_free, selinux_key_free),
7112 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7113 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7114 #endif
7115
7116 #ifdef CONFIG_AUDIT
7117 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7118 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7119 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7120 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7121 #endif
7122
7123 #ifdef CONFIG_BPF_SYSCALL
7124 LSM_HOOK_INIT(bpf, selinux_bpf),
7125 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7126 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7127 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7128 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7129 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7130 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7131 #endif
7132 };
7133
selinux_init(void)7134 static __init int selinux_init(void)
7135 {
7136 if (!security_module_enable("selinux")) {
7137 selinux_enabled = 0;
7138 return 0;
7139 }
7140
7141 if (!selinux_enabled) {
7142 pr_info("SELinux: Disabled at boot.\n");
7143 return 0;
7144 }
7145
7146 pr_info("SELinux: Initializing.\n");
7147
7148 memset(&selinux_state, 0, sizeof(selinux_state));
7149 enforcing_set(&selinux_state, selinux_enforcing_boot);
7150 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7151 selinux_ss_init(&selinux_state.ss);
7152 selinux_avc_init(&selinux_state.avc);
7153
7154 /* Set the security state for the initial task. */
7155 cred_init_security();
7156
7157 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7158
7159 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7160 sizeof(struct inode_security_struct),
7161 0, SLAB_PANIC, NULL);
7162 file_security_cache = kmem_cache_create("selinux_file_security",
7163 sizeof(struct file_security_struct),
7164 0, SLAB_PANIC, NULL);
7165 avc_init();
7166
7167 avtab_cache_init();
7168
7169 ebitmap_cache_init();
7170
7171 hashtab_cache_init();
7172
7173 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7174
7175 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7176 panic("SELinux: Unable to register AVC netcache callback\n");
7177
7178 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7179 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7180
7181 if (selinux_enforcing_boot)
7182 pr_debug("SELinux: Starting in enforcing mode\n");
7183 else
7184 pr_debug("SELinux: Starting in permissive mode\n");
7185
7186 return 0;
7187 }
7188
delayed_superblock_init(struct super_block * sb,void * unused)7189 static void delayed_superblock_init(struct super_block *sb, void *unused)
7190 {
7191 superblock_doinit(sb, NULL);
7192 }
7193
selinux_complete_init(void)7194 void selinux_complete_init(void)
7195 {
7196 pr_debug("SELinux: Completing initialization.\n");
7197
7198 /* Set up any superblocks initialized prior to the policy load. */
7199 pr_debug("SELinux: Setting up existing superblocks.\n");
7200 iterate_supers(delayed_superblock_init, NULL);
7201 }
7202
7203 /* SELinux requires early initialization in order to label
7204 all processes and objects when they are created. */
7205 security_initcall(selinux_init);
7206
7207 #if defined(CONFIG_NETFILTER)
7208
7209 static const struct nf_hook_ops selinux_nf_ops[] = {
7210 {
7211 .hook = selinux_ipv4_postroute,
7212 .pf = NFPROTO_IPV4,
7213 .hooknum = NF_INET_POST_ROUTING,
7214 .priority = NF_IP_PRI_SELINUX_LAST,
7215 },
7216 {
7217 .hook = selinux_ipv4_forward,
7218 .pf = NFPROTO_IPV4,
7219 .hooknum = NF_INET_FORWARD,
7220 .priority = NF_IP_PRI_SELINUX_FIRST,
7221 },
7222 {
7223 .hook = selinux_ipv4_output,
7224 .pf = NFPROTO_IPV4,
7225 .hooknum = NF_INET_LOCAL_OUT,
7226 .priority = NF_IP_PRI_SELINUX_FIRST,
7227 },
7228 #if IS_ENABLED(CONFIG_IPV6)
7229 {
7230 .hook = selinux_ipv6_postroute,
7231 .pf = NFPROTO_IPV6,
7232 .hooknum = NF_INET_POST_ROUTING,
7233 .priority = NF_IP6_PRI_SELINUX_LAST,
7234 },
7235 {
7236 .hook = selinux_ipv6_forward,
7237 .pf = NFPROTO_IPV6,
7238 .hooknum = NF_INET_FORWARD,
7239 .priority = NF_IP6_PRI_SELINUX_FIRST,
7240 },
7241 {
7242 .hook = selinux_ipv6_output,
7243 .pf = NFPROTO_IPV6,
7244 .hooknum = NF_INET_LOCAL_OUT,
7245 .priority = NF_IP6_PRI_SELINUX_FIRST,
7246 },
7247 #endif /* IPV6 */
7248 };
7249
selinux_nf_register(struct net * net)7250 static int __net_init selinux_nf_register(struct net *net)
7251 {
7252 return nf_register_net_hooks(net, selinux_nf_ops,
7253 ARRAY_SIZE(selinux_nf_ops));
7254 }
7255
selinux_nf_unregister(struct net * net)7256 static void __net_exit selinux_nf_unregister(struct net *net)
7257 {
7258 nf_unregister_net_hooks(net, selinux_nf_ops,
7259 ARRAY_SIZE(selinux_nf_ops));
7260 }
7261
7262 static struct pernet_operations selinux_net_ops = {
7263 .init = selinux_nf_register,
7264 .exit = selinux_nf_unregister,
7265 };
7266
selinux_nf_ip_init(void)7267 static int __init selinux_nf_ip_init(void)
7268 {
7269 int err;
7270
7271 if (!selinux_enabled)
7272 return 0;
7273
7274 pr_debug("SELinux: Registering netfilter hooks\n");
7275
7276 err = register_pernet_subsys(&selinux_net_ops);
7277 if (err)
7278 panic("SELinux: register_pernet_subsys: error %d\n", err);
7279
7280 return 0;
7281 }
7282 __initcall(selinux_nf_ip_init);
7283
7284 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_nf_ip_exit(void)7285 static void selinux_nf_ip_exit(void)
7286 {
7287 pr_debug("SELinux: Unregistering netfilter hooks\n");
7288
7289 unregister_pernet_subsys(&selinux_net_ops);
7290 }
7291 #endif
7292
7293 #else /* CONFIG_NETFILTER */
7294
7295 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7296 #define selinux_nf_ip_exit()
7297 #endif
7298
7299 #endif /* CONFIG_NETFILTER */
7300
7301 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_disable(struct selinux_state * state)7302 int selinux_disable(struct selinux_state *state)
7303 {
7304 if (state->initialized) {
7305 /* Not permitted after initial policy load. */
7306 return -EINVAL;
7307 }
7308
7309 if (state->disabled) {
7310 /* Only do this once. */
7311 return -EINVAL;
7312 }
7313
7314 state->disabled = 1;
7315
7316 pr_info("SELinux: Disabled at runtime.\n");
7317
7318 selinux_enabled = 0;
7319
7320 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7321
7322 /* Try to destroy the avc node cache */
7323 avc_disable();
7324
7325 /* Unregister netfilter hooks. */
7326 selinux_nf_ip_exit();
7327
7328 /* Unregister selinuxfs. */
7329 exit_sel_fs();
7330
7331 return 0;
7332 }
7333 #endif
7334
