1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  NSA Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched/signal.h>
31 #include <linux/sched/task.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/fs_context.h>
50 #include <linux/fs_parser.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>		/* for local_port_range[] */
56 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>	/* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h>		/* for Unix socket types */
74 #include <net/af_unix.h>	/* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/mutex.h>
83 #include <linux/posix-timers.h>
84 #include <linux/syslog.h>
85 #include <linux/user_namespace.h>
86 #include <linux/export.h>
87 #include <linux/msg.h>
88 #include <linux/shm.h>
89 #include <linux/bpf.h>
90 #include <linux/kernfs.h>
91 #include <linux/stringhash.h>	/* for hashlen_string() */
92 #include <uapi/linux/mount.h>
93 #include <linux/fsnotify.h>
94 #include <linux/fanotify.h>
95 
96 #include "avc.h"
97 #include "objsec.h"
98 #include "netif.h"
99 #include "netnode.h"
100 #include "netport.h"
101 #include "ibpkey.h"
102 #include "xfrm.h"
103 #include "netlabel.h"
104 #include "audit.h"
105 #include "avc_ss.h"
106 
107 struct selinux_state selinux_state;
108 
109 /* SECMARK reference count */
110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
111 
112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
113 static int selinux_enforcing_boot __initdata;
114 
enforcing_setup(char * str)115 static int __init enforcing_setup(char *str)
116 {
117 	unsigned long enforcing;
118 	if (!kstrtoul(str, 0, &enforcing))
119 		selinux_enforcing_boot = enforcing ? 1 : 0;
120 	return 1;
121 }
122 __setup("enforcing=", enforcing_setup);
123 #else
124 #define selinux_enforcing_boot 1
125 #endif
126 
127 int selinux_enabled_boot __initdata = 1;
128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
selinux_enabled_setup(char * str)129 static int __init selinux_enabled_setup(char *str)
130 {
131 	unsigned long enabled;
132 	if (!kstrtoul(str, 0, &enabled))
133 		selinux_enabled_boot = enabled ? 1 : 0;
134 	return 1;
135 }
136 __setup("selinux=", selinux_enabled_setup);
137 #endif
138 
139 static unsigned int selinux_checkreqprot_boot =
140 	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 
checkreqprot_setup(char * str)142 static int __init checkreqprot_setup(char *str)
143 {
144 	unsigned long checkreqprot;
145 
146 	if (!kstrtoul(str, 0, &checkreqprot)) {
147 		selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148 		if (checkreqprot)
149 			pr_warn("SELinux: checkreqprot set to 1 via kernel parameter.  This is deprecated and will be rejected in a future kernel release.\n");
150 	}
151 	return 1;
152 }
153 __setup("checkreqprot=", checkreqprot_setup);
154 
155 /**
156  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157  *
158  * Description:
159  * This function checks the SECMARK reference counter to see if any SECMARK
160  * targets are currently configured, if the reference counter is greater than
161  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
162  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
163  * policy capability is enabled, SECMARK is always considered enabled.
164  *
165  */
selinux_secmark_enabled(void)166 static int selinux_secmark_enabled(void)
167 {
168 	return (selinux_policycap_alwaysnetwork() ||
169 		atomic_read(&selinux_secmark_refcount));
170 }
171 
172 /**
173  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174  *
175  * Description:
176  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
177  * (1) if any are enabled or false (0) if neither are enabled.  If the
178  * always_check_network policy capability is enabled, peer labeling
179  * is always considered enabled.
180  *
181  */
selinux_peerlbl_enabled(void)182 static int selinux_peerlbl_enabled(void)
183 {
184 	return (selinux_policycap_alwaysnetwork() ||
185 		netlbl_enabled() || selinux_xfrm_enabled());
186 }
187 
selinux_netcache_avc_callback(u32 event)188 static int selinux_netcache_avc_callback(u32 event)
189 {
190 	if (event == AVC_CALLBACK_RESET) {
191 		sel_netif_flush();
192 		sel_netnode_flush();
193 		sel_netport_flush();
194 		synchronize_net();
195 	}
196 	return 0;
197 }
198 
selinux_lsm_notifier_avc_callback(u32 event)199 static int selinux_lsm_notifier_avc_callback(u32 event)
200 {
201 	if (event == AVC_CALLBACK_RESET) {
202 		sel_ib_pkey_flush();
203 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
204 	}
205 
206 	return 0;
207 }
208 
209 /*
210  * initialise the security for the init task
211  */
cred_init_security(void)212 static void cred_init_security(void)
213 {
214 	struct cred *cred = (struct cred *) current->real_cred;
215 	struct task_security_struct *tsec;
216 
217 	tsec = selinux_cred(cred);
218 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
219 }
220 
221 /*
222  * get the security ID of a set of credentials
223  */
cred_sid(const struct cred * cred)224 static inline u32 cred_sid(const struct cred *cred)
225 {
226 	const struct task_security_struct *tsec;
227 
228 	tsec = selinux_cred(cred);
229 	return tsec->sid;
230 }
231 
232 /*
233  * get the subjective security ID of a task
234  */
task_sid_subj(const struct task_struct * task)235 static inline u32 task_sid_subj(const struct task_struct *task)
236 {
237 	u32 sid;
238 
239 	rcu_read_lock();
240 	sid = cred_sid(rcu_dereference(task->cred));
241 	rcu_read_unlock();
242 	return sid;
243 }
244 
245 /*
246  * get the objective security ID of a task
247  */
task_sid_obj(const struct task_struct * task)248 static inline u32 task_sid_obj(const struct task_struct *task)
249 {
250 	u32 sid;
251 
252 	rcu_read_lock();
253 	sid = cred_sid(__task_cred(task));
254 	rcu_read_unlock();
255 	return sid;
256 }
257 
258 /*
259  * get the security ID of a task for use with binder
260  */
task_sid_binder(const struct task_struct * task)261 static inline u32 task_sid_binder(const struct task_struct *task)
262 {
263 	/*
264 	 * In many case where this function is used we should be using the
265 	 * task's subjective SID, but we can't reliably access the subjective
266 	 * creds of a task other than our own so we must use the objective
267 	 * creds/SID, which are safe to access.  The downside is that if a task
268 	 * is temporarily overriding it's creds it will not be reflected here;
269 	 * however, it isn't clear that binder would handle that case well
270 	 * anyway.
271 	 *
272 	 * If this ever changes and we can safely reference the subjective
273 	 * creds/SID of another task, this function will make it easier to
274 	 * identify the various places where we make use of the task SIDs in
275 	 * the binder code.  It is also likely that we will need to adjust
276 	 * the main drivers/android binder code as well.
277 	 */
278 	return task_sid_obj(task);
279 }
280 
281 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
282 
283 /*
284  * Try reloading inode security labels that have been marked as invalid.  The
285  * @may_sleep parameter indicates when sleeping and thus reloading labels is
286  * allowed; when set to false, returns -ECHILD when the label is
287  * invalid.  The @dentry parameter should be set to a dentry of the inode.
288  */
__inode_security_revalidate(struct inode * inode,struct dentry * dentry,bool may_sleep)289 static int __inode_security_revalidate(struct inode *inode,
290 				       struct dentry *dentry,
291 				       bool may_sleep)
292 {
293 	struct inode_security_struct *isec = selinux_inode(inode);
294 
295 	might_sleep_if(may_sleep);
296 
297 	if (selinux_initialized(&selinux_state) &&
298 	    isec->initialized != LABEL_INITIALIZED) {
299 		if (!may_sleep)
300 			return -ECHILD;
301 
302 		/*
303 		 * Try reloading the inode security label.  This will fail if
304 		 * @opt_dentry is NULL and no dentry for this inode can be
305 		 * found; in that case, continue using the old label.
306 		 */
307 		inode_doinit_with_dentry(inode, dentry);
308 	}
309 	return 0;
310 }
311 
inode_security_novalidate(struct inode * inode)312 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
313 {
314 	return selinux_inode(inode);
315 }
316 
inode_security_rcu(struct inode * inode,bool rcu)317 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
318 {
319 	int error;
320 
321 	error = __inode_security_revalidate(inode, NULL, !rcu);
322 	if (error)
323 		return ERR_PTR(error);
324 	return selinux_inode(inode);
325 }
326 
327 /*
328  * Get the security label of an inode.
329  */
inode_security(struct inode * inode)330 static struct inode_security_struct *inode_security(struct inode *inode)
331 {
332 	__inode_security_revalidate(inode, NULL, true);
333 	return selinux_inode(inode);
334 }
335 
backing_inode_security_novalidate(struct dentry * dentry)336 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
337 {
338 	struct inode *inode = d_backing_inode(dentry);
339 
340 	return selinux_inode(inode);
341 }
342 
343 /*
344  * Get the security label of a dentry's backing inode.
345  */
backing_inode_security(struct dentry * dentry)346 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
347 {
348 	struct inode *inode = d_backing_inode(dentry);
349 
350 	__inode_security_revalidate(inode, dentry, true);
351 	return selinux_inode(inode);
352 }
353 
inode_free_security(struct inode * inode)354 static void inode_free_security(struct inode *inode)
355 {
356 	struct inode_security_struct *isec = selinux_inode(inode);
357 	struct superblock_security_struct *sbsec;
358 
359 	if (!isec)
360 		return;
361 	sbsec = selinux_superblock(inode->i_sb);
362 	/*
363 	 * As not all inode security structures are in a list, we check for
364 	 * empty list outside of the lock to make sure that we won't waste
365 	 * time taking a lock doing nothing.
366 	 *
367 	 * The list_del_init() function can be safely called more than once.
368 	 * It should not be possible for this function to be called with
369 	 * concurrent list_add(), but for better safety against future changes
370 	 * in the code, we use list_empty_careful() here.
371 	 */
372 	if (!list_empty_careful(&isec->list)) {
373 		spin_lock(&sbsec->isec_lock);
374 		list_del_init(&isec->list);
375 		spin_unlock(&sbsec->isec_lock);
376 	}
377 }
378 
379 struct selinux_mnt_opts {
380 	const char *fscontext, *context, *rootcontext, *defcontext;
381 };
382 
selinux_free_mnt_opts(void * mnt_opts)383 static void selinux_free_mnt_opts(void *mnt_opts)
384 {
385 	struct selinux_mnt_opts *opts = mnt_opts;
386 	kfree(opts->fscontext);
387 	kfree(opts->context);
388 	kfree(opts->rootcontext);
389 	kfree(opts->defcontext);
390 	kfree(opts);
391 }
392 
393 enum {
394 	Opt_error = -1,
395 	Opt_context = 0,
396 	Opt_defcontext = 1,
397 	Opt_fscontext = 2,
398 	Opt_rootcontext = 3,
399 	Opt_seclabel = 4,
400 };
401 
402 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
403 static struct {
404 	const char *name;
405 	int len;
406 	int opt;
407 	bool has_arg;
408 } tokens[] = {
409 	A(context, true),
410 	A(fscontext, true),
411 	A(defcontext, true),
412 	A(rootcontext, true),
413 	A(seclabel, false),
414 };
415 #undef A
416 
match_opt_prefix(char * s,int l,char ** arg)417 static int match_opt_prefix(char *s, int l, char **arg)
418 {
419 	int i;
420 
421 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
422 		size_t len = tokens[i].len;
423 		if (len > l || memcmp(s, tokens[i].name, len))
424 			continue;
425 		if (tokens[i].has_arg) {
426 			if (len == l || s[len] != '=')
427 				continue;
428 			*arg = s + len + 1;
429 		} else if (len != l)
430 			continue;
431 		return tokens[i].opt;
432 	}
433 	return Opt_error;
434 }
435 
436 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
437 
may_context_mount_sb_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)438 static int may_context_mount_sb_relabel(u32 sid,
439 			struct superblock_security_struct *sbsec,
440 			const struct cred *cred)
441 {
442 	const struct task_security_struct *tsec = selinux_cred(cred);
443 	int rc;
444 
445 	rc = avc_has_perm(&selinux_state,
446 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
447 			  FILESYSTEM__RELABELFROM, NULL);
448 	if (rc)
449 		return rc;
450 
451 	rc = avc_has_perm(&selinux_state,
452 			  tsec->sid, sid, SECCLASS_FILESYSTEM,
453 			  FILESYSTEM__RELABELTO, NULL);
454 	return rc;
455 }
456 
may_context_mount_inode_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)457 static int may_context_mount_inode_relabel(u32 sid,
458 			struct superblock_security_struct *sbsec,
459 			const struct cred *cred)
460 {
461 	const struct task_security_struct *tsec = selinux_cred(cred);
462 	int rc;
463 	rc = avc_has_perm(&selinux_state,
464 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 			  FILESYSTEM__RELABELFROM, NULL);
466 	if (rc)
467 		return rc;
468 
469 	rc = avc_has_perm(&selinux_state,
470 			  sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 			  FILESYSTEM__ASSOCIATE, NULL);
472 	return rc;
473 }
474 
selinux_is_genfs_special_handling(struct super_block * sb)475 static int selinux_is_genfs_special_handling(struct super_block *sb)
476 {
477 	/* Special handling. Genfs but also in-core setxattr handler */
478 	return	!strcmp(sb->s_type->name, "sysfs") ||
479 		!strcmp(sb->s_type->name, "pstore") ||
480 		!strcmp(sb->s_type->name, "debugfs") ||
481 		!strcmp(sb->s_type->name, "tracefs") ||
482 		!strcmp(sb->s_type->name, "rootfs") ||
483 		(selinux_policycap_cgroupseclabel() &&
484 		 (!strcmp(sb->s_type->name, "cgroup") ||
485 		  !strcmp(sb->s_type->name, "cgroup2")));
486 }
487 
selinux_is_sblabel_mnt(struct super_block * sb)488 static int selinux_is_sblabel_mnt(struct super_block *sb)
489 {
490 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
491 
492 	/*
493 	 * IMPORTANT: Double-check logic in this function when adding a new
494 	 * SECURITY_FS_USE_* definition!
495 	 */
496 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
497 
498 	switch (sbsec->behavior) {
499 	case SECURITY_FS_USE_XATTR:
500 	case SECURITY_FS_USE_TRANS:
501 	case SECURITY_FS_USE_TASK:
502 	case SECURITY_FS_USE_NATIVE:
503 		return 1;
504 
505 	case SECURITY_FS_USE_GENFS:
506 		return selinux_is_genfs_special_handling(sb);
507 
508 	/* Never allow relabeling on context mounts */
509 	case SECURITY_FS_USE_MNTPOINT:
510 	case SECURITY_FS_USE_NONE:
511 	default:
512 		return 0;
513 	}
514 }
515 
sb_check_xattr_support(struct super_block * sb)516 static int sb_check_xattr_support(struct super_block *sb)
517 {
518 	struct superblock_security_struct *sbsec = sb->s_security;
519 	struct dentry *root = sb->s_root;
520 	struct inode *root_inode = d_backing_inode(root);
521 	u32 sid;
522 	int rc;
523 
524 	/*
525 	 * Make sure that the xattr handler exists and that no
526 	 * error other than -ENODATA is returned by getxattr on
527 	 * the root directory.  -ENODATA is ok, as this may be
528 	 * the first boot of the SELinux kernel before we have
529 	 * assigned xattr values to the filesystem.
530 	 */
531 	if (!(root_inode->i_opflags & IOP_XATTR)) {
532 		pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
533 			sb->s_id, sb->s_type->name);
534 		goto fallback;
535 	}
536 
537 	rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
538 	if (rc < 0 && rc != -ENODATA) {
539 		if (rc == -EOPNOTSUPP) {
540 			pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
541 				sb->s_id, sb->s_type->name);
542 			goto fallback;
543 		} else {
544 			pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
545 				sb->s_id, sb->s_type->name, -rc);
546 			return rc;
547 		}
548 	}
549 	return 0;
550 
551 fallback:
552 	/* No xattr support - try to fallback to genfs if possible. */
553 	rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/",
554 				SECCLASS_DIR, &sid);
555 	if (rc)
556 		return -EOPNOTSUPP;
557 
558 	pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
559 		sb->s_id, sb->s_type->name);
560 	sbsec->behavior = SECURITY_FS_USE_GENFS;
561 	sbsec->sid = sid;
562 	return 0;
563 }
564 
sb_finish_set_opts(struct super_block * sb)565 static int sb_finish_set_opts(struct super_block *sb)
566 {
567 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
568 	struct dentry *root = sb->s_root;
569 	struct inode *root_inode = d_backing_inode(root);
570 	int rc = 0;
571 
572 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
573 		rc = sb_check_xattr_support(sb);
574 		if (rc)
575 			return rc;
576 	}
577 
578 	sbsec->flags |= SE_SBINITIALIZED;
579 
580 	/*
581 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
582 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
583 	 * us a superblock that needs the flag to be cleared.
584 	 */
585 	if (selinux_is_sblabel_mnt(sb))
586 		sbsec->flags |= SBLABEL_MNT;
587 	else
588 		sbsec->flags &= ~SBLABEL_MNT;
589 
590 	/* Initialize the root inode. */
591 	rc = inode_doinit_with_dentry(root_inode, root);
592 
593 	/* Initialize any other inodes associated with the superblock, e.g.
594 	   inodes created prior to initial policy load or inodes created
595 	   during get_sb by a pseudo filesystem that directly
596 	   populates itself. */
597 	spin_lock(&sbsec->isec_lock);
598 	while (!list_empty(&sbsec->isec_head)) {
599 		struct inode_security_struct *isec =
600 				list_first_entry(&sbsec->isec_head,
601 					   struct inode_security_struct, list);
602 		struct inode *inode = isec->inode;
603 		list_del_init(&isec->list);
604 		spin_unlock(&sbsec->isec_lock);
605 		inode = igrab(inode);
606 		if (inode) {
607 			if (!IS_PRIVATE(inode))
608 				inode_doinit_with_dentry(inode, NULL);
609 			iput(inode);
610 		}
611 		spin_lock(&sbsec->isec_lock);
612 	}
613 	spin_unlock(&sbsec->isec_lock);
614 	return rc;
615 }
616 
bad_option(struct superblock_security_struct * sbsec,char flag,u32 old_sid,u32 new_sid)617 static int bad_option(struct superblock_security_struct *sbsec, char flag,
618 		      u32 old_sid, u32 new_sid)
619 {
620 	char mnt_flags = sbsec->flags & SE_MNTMASK;
621 
622 	/* check if the old mount command had the same options */
623 	if (sbsec->flags & SE_SBINITIALIZED)
624 		if (!(sbsec->flags & flag) ||
625 		    (old_sid != new_sid))
626 			return 1;
627 
628 	/* check if we were passed the same options twice,
629 	 * aka someone passed context=a,context=b
630 	 */
631 	if (!(sbsec->flags & SE_SBINITIALIZED))
632 		if (mnt_flags & flag)
633 			return 1;
634 	return 0;
635 }
636 
parse_sid(struct super_block * sb,const char * s,u32 * sid)637 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
638 {
639 	int rc = security_context_str_to_sid(&selinux_state, s,
640 					     sid, GFP_KERNEL);
641 	if (rc)
642 		pr_warn("SELinux: security_context_str_to_sid"
643 		       "(%s) failed for (dev %s, type %s) errno=%d\n",
644 		       s, sb->s_id, sb->s_type->name, rc);
645 	return rc;
646 }
647 
648 /*
649  * Allow filesystems with binary mount data to explicitly set mount point
650  * labeling information.
651  */
selinux_set_mnt_opts(struct super_block * sb,void * mnt_opts,unsigned long kern_flags,unsigned long * set_kern_flags)652 static int selinux_set_mnt_opts(struct super_block *sb,
653 				void *mnt_opts,
654 				unsigned long kern_flags,
655 				unsigned long *set_kern_flags)
656 {
657 	const struct cred *cred = current_cred();
658 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
659 	struct dentry *root = sb->s_root;
660 	struct selinux_mnt_opts *opts = mnt_opts;
661 	struct inode_security_struct *root_isec;
662 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
663 	u32 defcontext_sid = 0;
664 	int rc = 0;
665 
666 	mutex_lock(&sbsec->lock);
667 
668 	if (!selinux_initialized(&selinux_state)) {
669 		if (!opts) {
670 			/* Defer initialization until selinux_complete_init,
671 			   after the initial policy is loaded and the security
672 			   server is ready to handle calls. */
673 			goto out;
674 		}
675 		rc = -EINVAL;
676 		pr_warn("SELinux: Unable to set superblock options "
677 			"before the security server is initialized\n");
678 		goto out;
679 	}
680 	if (kern_flags && !set_kern_flags) {
681 		/* Specifying internal flags without providing a place to
682 		 * place the results is not allowed */
683 		rc = -EINVAL;
684 		goto out;
685 	}
686 
687 	/*
688 	 * Binary mount data FS will come through this function twice.  Once
689 	 * from an explicit call and once from the generic calls from the vfs.
690 	 * Since the generic VFS calls will not contain any security mount data
691 	 * we need to skip the double mount verification.
692 	 *
693 	 * This does open a hole in which we will not notice if the first
694 	 * mount using this sb set explict options and a second mount using
695 	 * this sb does not set any security options.  (The first options
696 	 * will be used for both mounts)
697 	 */
698 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
699 	    && !opts)
700 		goto out;
701 
702 	root_isec = backing_inode_security_novalidate(root);
703 
704 	/*
705 	 * parse the mount options, check if they are valid sids.
706 	 * also check if someone is trying to mount the same sb more
707 	 * than once with different security options.
708 	 */
709 	if (opts) {
710 		if (opts->fscontext) {
711 			rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
712 			if (rc)
713 				goto out;
714 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
715 					fscontext_sid))
716 				goto out_double_mount;
717 			sbsec->flags |= FSCONTEXT_MNT;
718 		}
719 		if (opts->context) {
720 			rc = parse_sid(sb, opts->context, &context_sid);
721 			if (rc)
722 				goto out;
723 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
724 					context_sid))
725 				goto out_double_mount;
726 			sbsec->flags |= CONTEXT_MNT;
727 		}
728 		if (opts->rootcontext) {
729 			rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
730 			if (rc)
731 				goto out;
732 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
733 					rootcontext_sid))
734 				goto out_double_mount;
735 			sbsec->flags |= ROOTCONTEXT_MNT;
736 		}
737 		if (opts->defcontext) {
738 			rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
739 			if (rc)
740 				goto out;
741 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
742 					defcontext_sid))
743 				goto out_double_mount;
744 			sbsec->flags |= DEFCONTEXT_MNT;
745 		}
746 	}
747 
748 	if (sbsec->flags & SE_SBINITIALIZED) {
749 		/* previously mounted with options, but not on this attempt? */
750 		if ((sbsec->flags & SE_MNTMASK) && !opts)
751 			goto out_double_mount;
752 		rc = 0;
753 		goto out;
754 	}
755 
756 	if (strcmp(sb->s_type->name, "proc") == 0)
757 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
758 
759 	if (!strcmp(sb->s_type->name, "debugfs") ||
760 	    !strcmp(sb->s_type->name, "tracefs") ||
761 	    !strcmp(sb->s_type->name, "binder") ||
762 	    !strcmp(sb->s_type->name, "bpf") ||
763 	    !strcmp(sb->s_type->name, "pstore"))
764 		sbsec->flags |= SE_SBGENFS;
765 
766 	if (!strcmp(sb->s_type->name, "sysfs") ||
767 	    !strcmp(sb->s_type->name, "cgroup") ||
768 	    !strcmp(sb->s_type->name, "cgroup2"))
769 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
770 
771 	if (!sbsec->behavior) {
772 		/*
773 		 * Determine the labeling behavior to use for this
774 		 * filesystem type.
775 		 */
776 		rc = security_fs_use(&selinux_state, sb);
777 		if (rc) {
778 			pr_warn("%s: security_fs_use(%s) returned %d\n",
779 					__func__, sb->s_type->name, rc);
780 			goto out;
781 		}
782 	}
783 
784 	/*
785 	 * If this is a user namespace mount and the filesystem type is not
786 	 * explicitly whitelisted, then no contexts are allowed on the command
787 	 * line and security labels must be ignored.
788 	 */
789 	if (sb->s_user_ns != &init_user_ns &&
790 	    strcmp(sb->s_type->name, "tmpfs") &&
791 	    strcmp(sb->s_type->name, "ramfs") &&
792 	    strcmp(sb->s_type->name, "devpts") &&
793 	    strcmp(sb->s_type->name, "overlay")) {
794 		if (context_sid || fscontext_sid || rootcontext_sid ||
795 		    defcontext_sid) {
796 			rc = -EACCES;
797 			goto out;
798 		}
799 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
800 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
801 			rc = security_transition_sid(&selinux_state,
802 						     current_sid(),
803 						     current_sid(),
804 						     SECCLASS_FILE, NULL,
805 						     &sbsec->mntpoint_sid);
806 			if (rc)
807 				goto out;
808 		}
809 		goto out_set_opts;
810 	}
811 
812 	/* sets the context of the superblock for the fs being mounted. */
813 	if (fscontext_sid) {
814 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
815 		if (rc)
816 			goto out;
817 
818 		sbsec->sid = fscontext_sid;
819 	}
820 
821 	/*
822 	 * Switch to using mount point labeling behavior.
823 	 * sets the label used on all file below the mountpoint, and will set
824 	 * the superblock context if not already set.
825 	 */
826 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
827 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
828 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
829 	}
830 
831 	if (context_sid) {
832 		if (!fscontext_sid) {
833 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
834 							  cred);
835 			if (rc)
836 				goto out;
837 			sbsec->sid = context_sid;
838 		} else {
839 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
840 							     cred);
841 			if (rc)
842 				goto out;
843 		}
844 		if (!rootcontext_sid)
845 			rootcontext_sid = context_sid;
846 
847 		sbsec->mntpoint_sid = context_sid;
848 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
849 	}
850 
851 	if (rootcontext_sid) {
852 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
853 						     cred);
854 		if (rc)
855 			goto out;
856 
857 		root_isec->sid = rootcontext_sid;
858 		root_isec->initialized = LABEL_INITIALIZED;
859 	}
860 
861 	if (defcontext_sid) {
862 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
863 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
864 			rc = -EINVAL;
865 			pr_warn("SELinux: defcontext option is "
866 			       "invalid for this filesystem type\n");
867 			goto out;
868 		}
869 
870 		if (defcontext_sid != sbsec->def_sid) {
871 			rc = may_context_mount_inode_relabel(defcontext_sid,
872 							     sbsec, cred);
873 			if (rc)
874 				goto out;
875 		}
876 
877 		sbsec->def_sid = defcontext_sid;
878 	}
879 
880 out_set_opts:
881 	rc = sb_finish_set_opts(sb);
882 out:
883 	mutex_unlock(&sbsec->lock);
884 	return rc;
885 out_double_mount:
886 	rc = -EINVAL;
887 	pr_warn("SELinux: mount invalid.  Same superblock, different "
888 	       "security settings for (dev %s, type %s)\n", sb->s_id,
889 	       sb->s_type->name);
890 	goto out;
891 }
892 
selinux_cmp_sb_context(const struct super_block * oldsb,const struct super_block * newsb)893 static int selinux_cmp_sb_context(const struct super_block *oldsb,
894 				    const struct super_block *newsb)
895 {
896 	struct superblock_security_struct *old = selinux_superblock(oldsb);
897 	struct superblock_security_struct *new = selinux_superblock(newsb);
898 	char oldflags = old->flags & SE_MNTMASK;
899 	char newflags = new->flags & SE_MNTMASK;
900 
901 	if (oldflags != newflags)
902 		goto mismatch;
903 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
904 		goto mismatch;
905 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
906 		goto mismatch;
907 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
908 		goto mismatch;
909 	if (oldflags & ROOTCONTEXT_MNT) {
910 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
911 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
912 		if (oldroot->sid != newroot->sid)
913 			goto mismatch;
914 	}
915 	return 0;
916 mismatch:
917 	pr_warn("SELinux: mount invalid.  Same superblock, "
918 			    "different security settings for (dev %s, "
919 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
920 	return -EBUSY;
921 }
922 
selinux_sb_clone_mnt_opts(const struct super_block * oldsb,struct super_block * newsb,unsigned long kern_flags,unsigned long * set_kern_flags)923 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
924 					struct super_block *newsb,
925 					unsigned long kern_flags,
926 					unsigned long *set_kern_flags)
927 {
928 	int rc = 0;
929 	const struct superblock_security_struct *oldsbsec =
930 						selinux_superblock(oldsb);
931 	struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
932 
933 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
934 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
935 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
936 
937 	/*
938 	 * if the parent was able to be mounted it clearly had no special lsm
939 	 * mount options.  thus we can safely deal with this superblock later
940 	 */
941 	if (!selinux_initialized(&selinux_state))
942 		return 0;
943 
944 	/*
945 	 * Specifying internal flags without providing a place to
946 	 * place the results is not allowed.
947 	 */
948 	if (kern_flags && !set_kern_flags)
949 		return -EINVAL;
950 
951 	/* how can we clone if the old one wasn't set up?? */
952 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
953 
954 	/* if fs is reusing a sb, make sure that the contexts match */
955 	if (newsbsec->flags & SE_SBINITIALIZED) {
956 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
957 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
958 		return selinux_cmp_sb_context(oldsb, newsb);
959 	}
960 
961 	mutex_lock(&newsbsec->lock);
962 
963 	newsbsec->flags = oldsbsec->flags;
964 
965 	newsbsec->sid = oldsbsec->sid;
966 	newsbsec->def_sid = oldsbsec->def_sid;
967 	newsbsec->behavior = oldsbsec->behavior;
968 
969 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
970 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
971 		rc = security_fs_use(&selinux_state, newsb);
972 		if (rc)
973 			goto out;
974 	}
975 
976 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
977 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
978 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
979 	}
980 
981 	if (set_context) {
982 		u32 sid = oldsbsec->mntpoint_sid;
983 
984 		if (!set_fscontext)
985 			newsbsec->sid = sid;
986 		if (!set_rootcontext) {
987 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
988 			newisec->sid = sid;
989 		}
990 		newsbsec->mntpoint_sid = sid;
991 	}
992 	if (set_rootcontext) {
993 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
994 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
995 
996 		newisec->sid = oldisec->sid;
997 	}
998 
999 	sb_finish_set_opts(newsb);
1000 out:
1001 	mutex_unlock(&newsbsec->lock);
1002 	return rc;
1003 }
1004 
selinux_add_opt(int token,const char * s,void ** mnt_opts)1005 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
1006 {
1007 	struct selinux_mnt_opts *opts = *mnt_opts;
1008 
1009 	if (token == Opt_seclabel)	/* eaten and completely ignored */
1010 		return 0;
1011 
1012 	if (!opts) {
1013 		opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1014 		if (!opts)
1015 			return -ENOMEM;
1016 		*mnt_opts = opts;
1017 	}
1018 	if (!s)
1019 		return -ENOMEM;
1020 	switch (token) {
1021 	case Opt_context:
1022 		if (opts->context || opts->defcontext)
1023 			goto Einval;
1024 		opts->context = s;
1025 		break;
1026 	case Opt_fscontext:
1027 		if (opts->fscontext)
1028 			goto Einval;
1029 		opts->fscontext = s;
1030 		break;
1031 	case Opt_rootcontext:
1032 		if (opts->rootcontext)
1033 			goto Einval;
1034 		opts->rootcontext = s;
1035 		break;
1036 	case Opt_defcontext:
1037 		if (opts->context || opts->defcontext)
1038 			goto Einval;
1039 		opts->defcontext = s;
1040 		break;
1041 	}
1042 	return 0;
1043 Einval:
1044 	pr_warn(SEL_MOUNT_FAIL_MSG);
1045 	return -EINVAL;
1046 }
1047 
selinux_add_mnt_opt(const char * option,const char * val,int len,void ** mnt_opts)1048 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1049 			       void **mnt_opts)
1050 {
1051 	int token = Opt_error;
1052 	int rc, i;
1053 
1054 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1055 		if (strcmp(option, tokens[i].name) == 0) {
1056 			token = tokens[i].opt;
1057 			break;
1058 		}
1059 	}
1060 
1061 	if (token == Opt_error)
1062 		return -EINVAL;
1063 
1064 	if (token != Opt_seclabel) {
1065 		val = kmemdup_nul(val, len, GFP_KERNEL);
1066 		if (!val) {
1067 			rc = -ENOMEM;
1068 			goto free_opt;
1069 		}
1070 	}
1071 	rc = selinux_add_opt(token, val, mnt_opts);
1072 	if (unlikely(rc)) {
1073 		kfree(val);
1074 		goto free_opt;
1075 	}
1076 	return rc;
1077 
1078 free_opt:
1079 	if (*mnt_opts) {
1080 		selinux_free_mnt_opts(*mnt_opts);
1081 		*mnt_opts = NULL;
1082 	}
1083 	return rc;
1084 }
1085 
show_sid(struct seq_file * m,u32 sid)1086 static int show_sid(struct seq_file *m, u32 sid)
1087 {
1088 	char *context = NULL;
1089 	u32 len;
1090 	int rc;
1091 
1092 	rc = security_sid_to_context(&selinux_state, sid,
1093 					     &context, &len);
1094 	if (!rc) {
1095 		bool has_comma = context && strchr(context, ',');
1096 
1097 		seq_putc(m, '=');
1098 		if (has_comma)
1099 			seq_putc(m, '\"');
1100 		seq_escape(m, context, "\"\n\\");
1101 		if (has_comma)
1102 			seq_putc(m, '\"');
1103 	}
1104 	kfree(context);
1105 	return rc;
1106 }
1107 
selinux_sb_show_options(struct seq_file * m,struct super_block * sb)1108 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1109 {
1110 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
1111 	int rc;
1112 
1113 	if (!(sbsec->flags & SE_SBINITIALIZED))
1114 		return 0;
1115 
1116 	if (!selinux_initialized(&selinux_state))
1117 		return 0;
1118 
1119 	if (sbsec->flags & FSCONTEXT_MNT) {
1120 		seq_putc(m, ',');
1121 		seq_puts(m, FSCONTEXT_STR);
1122 		rc = show_sid(m, sbsec->sid);
1123 		if (rc)
1124 			return rc;
1125 	}
1126 	if (sbsec->flags & CONTEXT_MNT) {
1127 		seq_putc(m, ',');
1128 		seq_puts(m, CONTEXT_STR);
1129 		rc = show_sid(m, sbsec->mntpoint_sid);
1130 		if (rc)
1131 			return rc;
1132 	}
1133 	if (sbsec->flags & DEFCONTEXT_MNT) {
1134 		seq_putc(m, ',');
1135 		seq_puts(m, DEFCONTEXT_STR);
1136 		rc = show_sid(m, sbsec->def_sid);
1137 		if (rc)
1138 			return rc;
1139 	}
1140 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1141 		struct dentry *root = sb->s_root;
1142 		struct inode_security_struct *isec = backing_inode_security(root);
1143 		seq_putc(m, ',');
1144 		seq_puts(m, ROOTCONTEXT_STR);
1145 		rc = show_sid(m, isec->sid);
1146 		if (rc)
1147 			return rc;
1148 	}
1149 	if (sbsec->flags & SBLABEL_MNT) {
1150 		seq_putc(m, ',');
1151 		seq_puts(m, SECLABEL_STR);
1152 	}
1153 	return 0;
1154 }
1155 
inode_mode_to_security_class(umode_t mode)1156 static inline u16 inode_mode_to_security_class(umode_t mode)
1157 {
1158 	switch (mode & S_IFMT) {
1159 	case S_IFSOCK:
1160 		return SECCLASS_SOCK_FILE;
1161 	case S_IFLNK:
1162 		return SECCLASS_LNK_FILE;
1163 	case S_IFREG:
1164 		return SECCLASS_FILE;
1165 	case S_IFBLK:
1166 		return SECCLASS_BLK_FILE;
1167 	case S_IFDIR:
1168 		return SECCLASS_DIR;
1169 	case S_IFCHR:
1170 		return SECCLASS_CHR_FILE;
1171 	case S_IFIFO:
1172 		return SECCLASS_FIFO_FILE;
1173 
1174 	}
1175 
1176 	return SECCLASS_FILE;
1177 }
1178 
default_protocol_stream(int protocol)1179 static inline int default_protocol_stream(int protocol)
1180 {
1181 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1182 		protocol == IPPROTO_MPTCP);
1183 }
1184 
default_protocol_dgram(int protocol)1185 static inline int default_protocol_dgram(int protocol)
1186 {
1187 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1188 }
1189 
socket_type_to_security_class(int family,int type,int protocol)1190 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1191 {
1192 	int extsockclass = selinux_policycap_extsockclass();
1193 
1194 	switch (family) {
1195 	case PF_UNIX:
1196 		switch (type) {
1197 		case SOCK_STREAM:
1198 		case SOCK_SEQPACKET:
1199 			return SECCLASS_UNIX_STREAM_SOCKET;
1200 		case SOCK_DGRAM:
1201 		case SOCK_RAW:
1202 			return SECCLASS_UNIX_DGRAM_SOCKET;
1203 		}
1204 		break;
1205 	case PF_INET:
1206 	case PF_INET6:
1207 		switch (type) {
1208 		case SOCK_STREAM:
1209 		case SOCK_SEQPACKET:
1210 			if (default_protocol_stream(protocol))
1211 				return SECCLASS_TCP_SOCKET;
1212 			else if (extsockclass && protocol == IPPROTO_SCTP)
1213 				return SECCLASS_SCTP_SOCKET;
1214 			else
1215 				return SECCLASS_RAWIP_SOCKET;
1216 		case SOCK_DGRAM:
1217 			if (default_protocol_dgram(protocol))
1218 				return SECCLASS_UDP_SOCKET;
1219 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1220 						  protocol == IPPROTO_ICMPV6))
1221 				return SECCLASS_ICMP_SOCKET;
1222 			else
1223 				return SECCLASS_RAWIP_SOCKET;
1224 		case SOCK_DCCP:
1225 			return SECCLASS_DCCP_SOCKET;
1226 		default:
1227 			return SECCLASS_RAWIP_SOCKET;
1228 		}
1229 		break;
1230 	case PF_NETLINK:
1231 		switch (protocol) {
1232 		case NETLINK_ROUTE:
1233 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1234 		case NETLINK_SOCK_DIAG:
1235 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1236 		case NETLINK_NFLOG:
1237 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1238 		case NETLINK_XFRM:
1239 			return SECCLASS_NETLINK_XFRM_SOCKET;
1240 		case NETLINK_SELINUX:
1241 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1242 		case NETLINK_ISCSI:
1243 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1244 		case NETLINK_AUDIT:
1245 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1246 		case NETLINK_FIB_LOOKUP:
1247 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1248 		case NETLINK_CONNECTOR:
1249 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1250 		case NETLINK_NETFILTER:
1251 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1252 		case NETLINK_DNRTMSG:
1253 			return SECCLASS_NETLINK_DNRT_SOCKET;
1254 		case NETLINK_KOBJECT_UEVENT:
1255 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1256 		case NETLINK_GENERIC:
1257 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1258 		case NETLINK_SCSITRANSPORT:
1259 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1260 		case NETLINK_RDMA:
1261 			return SECCLASS_NETLINK_RDMA_SOCKET;
1262 		case NETLINK_CRYPTO:
1263 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1264 		default:
1265 			return SECCLASS_NETLINK_SOCKET;
1266 		}
1267 	case PF_PACKET:
1268 		return SECCLASS_PACKET_SOCKET;
1269 	case PF_KEY:
1270 		return SECCLASS_KEY_SOCKET;
1271 	case PF_APPLETALK:
1272 		return SECCLASS_APPLETALK_SOCKET;
1273 	}
1274 
1275 	if (extsockclass) {
1276 		switch (family) {
1277 		case PF_AX25:
1278 			return SECCLASS_AX25_SOCKET;
1279 		case PF_IPX:
1280 			return SECCLASS_IPX_SOCKET;
1281 		case PF_NETROM:
1282 			return SECCLASS_NETROM_SOCKET;
1283 		case PF_ATMPVC:
1284 			return SECCLASS_ATMPVC_SOCKET;
1285 		case PF_X25:
1286 			return SECCLASS_X25_SOCKET;
1287 		case PF_ROSE:
1288 			return SECCLASS_ROSE_SOCKET;
1289 		case PF_DECnet:
1290 			return SECCLASS_DECNET_SOCKET;
1291 		case PF_ATMSVC:
1292 			return SECCLASS_ATMSVC_SOCKET;
1293 		case PF_RDS:
1294 			return SECCLASS_RDS_SOCKET;
1295 		case PF_IRDA:
1296 			return SECCLASS_IRDA_SOCKET;
1297 		case PF_PPPOX:
1298 			return SECCLASS_PPPOX_SOCKET;
1299 		case PF_LLC:
1300 			return SECCLASS_LLC_SOCKET;
1301 		case PF_CAN:
1302 			return SECCLASS_CAN_SOCKET;
1303 		case PF_TIPC:
1304 			return SECCLASS_TIPC_SOCKET;
1305 		case PF_BLUETOOTH:
1306 			return SECCLASS_BLUETOOTH_SOCKET;
1307 		case PF_IUCV:
1308 			return SECCLASS_IUCV_SOCKET;
1309 		case PF_RXRPC:
1310 			return SECCLASS_RXRPC_SOCKET;
1311 		case PF_ISDN:
1312 			return SECCLASS_ISDN_SOCKET;
1313 		case PF_PHONET:
1314 			return SECCLASS_PHONET_SOCKET;
1315 		case PF_IEEE802154:
1316 			return SECCLASS_IEEE802154_SOCKET;
1317 		case PF_CAIF:
1318 			return SECCLASS_CAIF_SOCKET;
1319 		case PF_ALG:
1320 			return SECCLASS_ALG_SOCKET;
1321 		case PF_NFC:
1322 			return SECCLASS_NFC_SOCKET;
1323 		case PF_VSOCK:
1324 			return SECCLASS_VSOCK_SOCKET;
1325 		case PF_KCM:
1326 			return SECCLASS_KCM_SOCKET;
1327 		case PF_QIPCRTR:
1328 			return SECCLASS_QIPCRTR_SOCKET;
1329 		case PF_SMC:
1330 			return SECCLASS_SMC_SOCKET;
1331 		case PF_XDP:
1332 			return SECCLASS_XDP_SOCKET;
1333 		case PF_MCTP:
1334 			return SECCLASS_MCTP_SOCKET;
1335 #if PF_MAX > 46
1336 #error New address family defined, please update this function.
1337 #endif
1338 		}
1339 	}
1340 
1341 	return SECCLASS_SOCKET;
1342 }
1343 
selinux_genfs_get_sid(struct dentry * dentry,u16 tclass,u16 flags,u32 * sid)1344 static int selinux_genfs_get_sid(struct dentry *dentry,
1345 				 u16 tclass,
1346 				 u16 flags,
1347 				 u32 *sid)
1348 {
1349 	int rc;
1350 	struct super_block *sb = dentry->d_sb;
1351 	char *buffer, *path;
1352 
1353 	buffer = (char *)__get_free_page(GFP_KERNEL);
1354 	if (!buffer)
1355 		return -ENOMEM;
1356 
1357 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1358 	if (IS_ERR(path))
1359 		rc = PTR_ERR(path);
1360 	else {
1361 		if (flags & SE_SBPROC) {
1362 			/* each process gets a /proc/PID/ entry. Strip off the
1363 			 * PID part to get a valid selinux labeling.
1364 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1365 			while (path[1] >= '0' && path[1] <= '9') {
1366 				path[1] = '/';
1367 				path++;
1368 			}
1369 		}
1370 		rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1371 					path, tclass, sid);
1372 		if (rc == -ENOENT) {
1373 			/* No match in policy, mark as unlabeled. */
1374 			*sid = SECINITSID_UNLABELED;
1375 			rc = 0;
1376 		}
1377 	}
1378 	free_page((unsigned long)buffer);
1379 	return rc;
1380 }
1381 
inode_doinit_use_xattr(struct inode * inode,struct dentry * dentry,u32 def_sid,u32 * sid)1382 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1383 				  u32 def_sid, u32 *sid)
1384 {
1385 #define INITCONTEXTLEN 255
1386 	char *context;
1387 	unsigned int len;
1388 	int rc;
1389 
1390 	len = INITCONTEXTLEN;
1391 	context = kmalloc(len + 1, GFP_NOFS);
1392 	if (!context)
1393 		return -ENOMEM;
1394 
1395 	context[len] = '\0';
1396 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1397 	if (rc == -ERANGE) {
1398 		kfree(context);
1399 
1400 		/* Need a larger buffer.  Query for the right size. */
1401 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1402 		if (rc < 0)
1403 			return rc;
1404 
1405 		len = rc;
1406 		context = kmalloc(len + 1, GFP_NOFS);
1407 		if (!context)
1408 			return -ENOMEM;
1409 
1410 		context[len] = '\0';
1411 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1412 				    context, len);
1413 	}
1414 	if (rc < 0) {
1415 		kfree(context);
1416 		if (rc != -ENODATA) {
1417 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1418 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1419 			return rc;
1420 		}
1421 		*sid = def_sid;
1422 		return 0;
1423 	}
1424 
1425 	rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1426 					     def_sid, GFP_NOFS);
1427 	if (rc) {
1428 		char *dev = inode->i_sb->s_id;
1429 		unsigned long ino = inode->i_ino;
1430 
1431 		if (rc == -EINVAL) {
1432 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1433 					      ino, dev, context);
1434 		} else {
1435 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1436 				__func__, context, -rc, dev, ino);
1437 		}
1438 	}
1439 	kfree(context);
1440 	return 0;
1441 }
1442 
1443 /* The inode's security attributes must be initialized before first use. */
inode_doinit_with_dentry(struct inode * inode,struct dentry * opt_dentry)1444 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1445 {
1446 	struct superblock_security_struct *sbsec = NULL;
1447 	struct inode_security_struct *isec = selinux_inode(inode);
1448 	u32 task_sid, sid = 0;
1449 	u16 sclass;
1450 	struct dentry *dentry;
1451 	int rc = 0;
1452 
1453 	if (isec->initialized == LABEL_INITIALIZED)
1454 		return 0;
1455 
1456 	spin_lock(&isec->lock);
1457 	if (isec->initialized == LABEL_INITIALIZED)
1458 		goto out_unlock;
1459 
1460 	if (isec->sclass == SECCLASS_FILE)
1461 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1462 
1463 	sbsec = selinux_superblock(inode->i_sb);
1464 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1465 		/* Defer initialization until selinux_complete_init,
1466 		   after the initial policy is loaded and the security
1467 		   server is ready to handle calls. */
1468 		spin_lock(&sbsec->isec_lock);
1469 		if (list_empty(&isec->list))
1470 			list_add(&isec->list, &sbsec->isec_head);
1471 		spin_unlock(&sbsec->isec_lock);
1472 		goto out_unlock;
1473 	}
1474 
1475 	sclass = isec->sclass;
1476 	task_sid = isec->task_sid;
1477 	sid = isec->sid;
1478 	isec->initialized = LABEL_PENDING;
1479 	spin_unlock(&isec->lock);
1480 
1481 	switch (sbsec->behavior) {
1482 	case SECURITY_FS_USE_NATIVE:
1483 		break;
1484 	case SECURITY_FS_USE_XATTR:
1485 		if (!(inode->i_opflags & IOP_XATTR)) {
1486 			sid = sbsec->def_sid;
1487 			break;
1488 		}
1489 		/* Need a dentry, since the xattr API requires one.
1490 		   Life would be simpler if we could just pass the inode. */
1491 		if (opt_dentry) {
1492 			/* Called from d_instantiate or d_splice_alias. */
1493 			dentry = dget(opt_dentry);
1494 		} else {
1495 			/*
1496 			 * Called from selinux_complete_init, try to find a dentry.
1497 			 * Some filesystems really want a connected one, so try
1498 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1499 			 * two, depending upon that...
1500 			 */
1501 			dentry = d_find_alias(inode);
1502 			if (!dentry)
1503 				dentry = d_find_any_alias(inode);
1504 		}
1505 		if (!dentry) {
1506 			/*
1507 			 * this is can be hit on boot when a file is accessed
1508 			 * before the policy is loaded.  When we load policy we
1509 			 * may find inodes that have no dentry on the
1510 			 * sbsec->isec_head list.  No reason to complain as these
1511 			 * will get fixed up the next time we go through
1512 			 * inode_doinit with a dentry, before these inodes could
1513 			 * be used again by userspace.
1514 			 */
1515 			goto out_invalid;
1516 		}
1517 
1518 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1519 					    &sid);
1520 		dput(dentry);
1521 		if (rc)
1522 			goto out;
1523 		break;
1524 	case SECURITY_FS_USE_TASK:
1525 		sid = task_sid;
1526 		break;
1527 	case SECURITY_FS_USE_TRANS:
1528 		/* Default to the fs SID. */
1529 		sid = sbsec->sid;
1530 
1531 		/* Try to obtain a transition SID. */
1532 		rc = security_transition_sid(&selinux_state, task_sid, sid,
1533 					     sclass, NULL, &sid);
1534 		if (rc)
1535 			goto out;
1536 		break;
1537 	case SECURITY_FS_USE_MNTPOINT:
1538 		sid = sbsec->mntpoint_sid;
1539 		break;
1540 	default:
1541 		/* Default to the fs superblock SID. */
1542 		sid = sbsec->sid;
1543 
1544 		if ((sbsec->flags & SE_SBGENFS) &&
1545 		     (!S_ISLNK(inode->i_mode) ||
1546 		      selinux_policycap_genfs_seclabel_symlinks())) {
1547 			/* We must have a dentry to determine the label on
1548 			 * procfs inodes */
1549 			if (opt_dentry) {
1550 				/* Called from d_instantiate or
1551 				 * d_splice_alias. */
1552 				dentry = dget(opt_dentry);
1553 			} else {
1554 				/* Called from selinux_complete_init, try to
1555 				 * find a dentry.  Some filesystems really want
1556 				 * a connected one, so try that first.
1557 				 */
1558 				dentry = d_find_alias(inode);
1559 				if (!dentry)
1560 					dentry = d_find_any_alias(inode);
1561 			}
1562 			/*
1563 			 * This can be hit on boot when a file is accessed
1564 			 * before the policy is loaded.  When we load policy we
1565 			 * may find inodes that have no dentry on the
1566 			 * sbsec->isec_head list.  No reason to complain as
1567 			 * these will get fixed up the next time we go through
1568 			 * inode_doinit() with a dentry, before these inodes
1569 			 * could be used again by userspace.
1570 			 */
1571 			if (!dentry)
1572 				goto out_invalid;
1573 			rc = selinux_genfs_get_sid(dentry, sclass,
1574 						   sbsec->flags, &sid);
1575 			if (rc) {
1576 				dput(dentry);
1577 				goto out;
1578 			}
1579 
1580 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1581 			    (inode->i_opflags & IOP_XATTR)) {
1582 				rc = inode_doinit_use_xattr(inode, dentry,
1583 							    sid, &sid);
1584 				if (rc) {
1585 					dput(dentry);
1586 					goto out;
1587 				}
1588 			}
1589 			dput(dentry);
1590 		}
1591 		break;
1592 	}
1593 
1594 out:
1595 	spin_lock(&isec->lock);
1596 	if (isec->initialized == LABEL_PENDING) {
1597 		if (rc) {
1598 			isec->initialized = LABEL_INVALID;
1599 			goto out_unlock;
1600 		}
1601 		isec->initialized = LABEL_INITIALIZED;
1602 		isec->sid = sid;
1603 	}
1604 
1605 out_unlock:
1606 	spin_unlock(&isec->lock);
1607 	return rc;
1608 
1609 out_invalid:
1610 	spin_lock(&isec->lock);
1611 	if (isec->initialized == LABEL_PENDING) {
1612 		isec->initialized = LABEL_INVALID;
1613 		isec->sid = sid;
1614 	}
1615 	spin_unlock(&isec->lock);
1616 	return 0;
1617 }
1618 
1619 /* Convert a Linux signal to an access vector. */
signal_to_av(int sig)1620 static inline u32 signal_to_av(int sig)
1621 {
1622 	u32 perm = 0;
1623 
1624 	switch (sig) {
1625 	case SIGCHLD:
1626 		/* Commonly granted from child to parent. */
1627 		perm = PROCESS__SIGCHLD;
1628 		break;
1629 	case SIGKILL:
1630 		/* Cannot be caught or ignored */
1631 		perm = PROCESS__SIGKILL;
1632 		break;
1633 	case SIGSTOP:
1634 		/* Cannot be caught or ignored */
1635 		perm = PROCESS__SIGSTOP;
1636 		break;
1637 	default:
1638 		/* All other signals. */
1639 		perm = PROCESS__SIGNAL;
1640 		break;
1641 	}
1642 
1643 	return perm;
1644 }
1645 
1646 #if CAP_LAST_CAP > 63
1647 #error Fix SELinux to handle capabilities > 63.
1648 #endif
1649 
1650 /* Check whether a task is allowed to use a capability. */
cred_has_capability(const struct cred * cred,int cap,unsigned int opts,bool initns)1651 static int cred_has_capability(const struct cred *cred,
1652 			       int cap, unsigned int opts, bool initns)
1653 {
1654 	struct common_audit_data ad;
1655 	struct av_decision avd;
1656 	u16 sclass;
1657 	u32 sid = cred_sid(cred);
1658 	u32 av = CAP_TO_MASK(cap);
1659 	int rc;
1660 
1661 	ad.type = LSM_AUDIT_DATA_CAP;
1662 	ad.u.cap = cap;
1663 
1664 	switch (CAP_TO_INDEX(cap)) {
1665 	case 0:
1666 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1667 		break;
1668 	case 1:
1669 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1670 		break;
1671 	default:
1672 		pr_err("SELinux:  out of range capability %d\n", cap);
1673 		BUG();
1674 		return -EINVAL;
1675 	}
1676 
1677 	rc = avc_has_perm_noaudit(&selinux_state,
1678 				  sid, sid, sclass, av, 0, &avd);
1679 	if (!(opts & CAP_OPT_NOAUDIT)) {
1680 		int rc2 = avc_audit(&selinux_state,
1681 				    sid, sid, sclass, av, &avd, rc, &ad);
1682 		if (rc2)
1683 			return rc2;
1684 	}
1685 	return rc;
1686 }
1687 
1688 /* Check whether a task has a particular permission to an inode.
1689    The 'adp' parameter is optional and allows other audit
1690    data to be passed (e.g. the dentry). */
inode_has_perm(const struct cred * cred,struct inode * inode,u32 perms,struct common_audit_data * adp)1691 static int inode_has_perm(const struct cred *cred,
1692 			  struct inode *inode,
1693 			  u32 perms,
1694 			  struct common_audit_data *adp)
1695 {
1696 	struct inode_security_struct *isec;
1697 	u32 sid;
1698 
1699 	validate_creds(cred);
1700 
1701 	if (unlikely(IS_PRIVATE(inode)))
1702 		return 0;
1703 
1704 	sid = cred_sid(cred);
1705 	isec = selinux_inode(inode);
1706 
1707 	return avc_has_perm(&selinux_state,
1708 			    sid, isec->sid, isec->sclass, perms, adp);
1709 }
1710 
1711 /* Same as inode_has_perm, but pass explicit audit data containing
1712    the dentry to help the auditing code to more easily generate the
1713    pathname if needed. */
dentry_has_perm(const struct cred * cred,struct dentry * dentry,u32 av)1714 static inline int dentry_has_perm(const struct cred *cred,
1715 				  struct dentry *dentry,
1716 				  u32 av)
1717 {
1718 	struct inode *inode = d_backing_inode(dentry);
1719 	struct common_audit_data ad;
1720 
1721 	ad.type = LSM_AUDIT_DATA_DENTRY;
1722 	ad.u.dentry = dentry;
1723 	__inode_security_revalidate(inode, dentry, true);
1724 	return inode_has_perm(cred, inode, av, &ad);
1725 }
1726 
1727 /* Same as inode_has_perm, but pass explicit audit data containing
1728    the path to help the auditing code to more easily generate the
1729    pathname if needed. */
path_has_perm(const struct cred * cred,const struct path * path,u32 av)1730 static inline int path_has_perm(const struct cred *cred,
1731 				const struct path *path,
1732 				u32 av)
1733 {
1734 	struct inode *inode = d_backing_inode(path->dentry);
1735 	struct common_audit_data ad;
1736 
1737 	ad.type = LSM_AUDIT_DATA_PATH;
1738 	ad.u.path = *path;
1739 	__inode_security_revalidate(inode, path->dentry, true);
1740 	return inode_has_perm(cred, inode, av, &ad);
1741 }
1742 
1743 /* Same as path_has_perm, but uses the inode from the file struct. */
file_path_has_perm(const struct cred * cred,struct file * file,u32 av)1744 static inline int file_path_has_perm(const struct cred *cred,
1745 				     struct file *file,
1746 				     u32 av)
1747 {
1748 	struct common_audit_data ad;
1749 
1750 	ad.type = LSM_AUDIT_DATA_FILE;
1751 	ad.u.file = file;
1752 	return inode_has_perm(cred, file_inode(file), av, &ad);
1753 }
1754 
1755 #ifdef CONFIG_BPF_SYSCALL
1756 static int bpf_fd_pass(struct file *file, u32 sid);
1757 #endif
1758 
1759 /* Check whether a task can use an open file descriptor to
1760    access an inode in a given way.  Check access to the
1761    descriptor itself, and then use dentry_has_perm to
1762    check a particular permission to the file.
1763    Access to the descriptor is implicitly granted if it
1764    has the same SID as the process.  If av is zero, then
1765    access to the file is not checked, e.g. for cases
1766    where only the descriptor is affected like seek. */
file_has_perm(const struct cred * cred,struct file * file,u32 av)1767 static int file_has_perm(const struct cred *cred,
1768 			 struct file *file,
1769 			 u32 av)
1770 {
1771 	struct file_security_struct *fsec = selinux_file(file);
1772 	struct inode *inode = file_inode(file);
1773 	struct common_audit_data ad;
1774 	u32 sid = cred_sid(cred);
1775 	int rc;
1776 
1777 	ad.type = LSM_AUDIT_DATA_FILE;
1778 	ad.u.file = file;
1779 
1780 	if (sid != fsec->sid) {
1781 		rc = avc_has_perm(&selinux_state,
1782 				  sid, fsec->sid,
1783 				  SECCLASS_FD,
1784 				  FD__USE,
1785 				  &ad);
1786 		if (rc)
1787 			goto out;
1788 	}
1789 
1790 #ifdef CONFIG_BPF_SYSCALL
1791 	rc = bpf_fd_pass(file, cred_sid(cred));
1792 	if (rc)
1793 		return rc;
1794 #endif
1795 
1796 	/* av is zero if only checking access to the descriptor. */
1797 	rc = 0;
1798 	if (av)
1799 		rc = inode_has_perm(cred, inode, av, &ad);
1800 
1801 out:
1802 	return rc;
1803 }
1804 
1805 /*
1806  * Determine the label for an inode that might be unioned.
1807  */
1808 static int
selinux_determine_inode_label(const struct task_security_struct * tsec,struct inode * dir,const struct qstr * name,u16 tclass,u32 * _new_isid)1809 selinux_determine_inode_label(const struct task_security_struct *tsec,
1810 				 struct inode *dir,
1811 				 const struct qstr *name, u16 tclass,
1812 				 u32 *_new_isid)
1813 {
1814 	const struct superblock_security_struct *sbsec =
1815 						selinux_superblock(dir->i_sb);
1816 
1817 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1818 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1819 		*_new_isid = sbsec->mntpoint_sid;
1820 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1821 		   tsec->create_sid) {
1822 		*_new_isid = tsec->create_sid;
1823 	} else {
1824 		const struct inode_security_struct *dsec = inode_security(dir);
1825 		return security_transition_sid(&selinux_state, tsec->sid,
1826 					       dsec->sid, tclass,
1827 					       name, _new_isid);
1828 	}
1829 
1830 	return 0;
1831 }
1832 
1833 /* Check whether a task can create a file. */
may_create(struct inode * dir,struct dentry * dentry,u16 tclass)1834 static int may_create(struct inode *dir,
1835 		      struct dentry *dentry,
1836 		      u16 tclass)
1837 {
1838 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1839 	struct inode_security_struct *dsec;
1840 	struct superblock_security_struct *sbsec;
1841 	u32 sid, newsid;
1842 	struct common_audit_data ad;
1843 	int rc;
1844 
1845 	dsec = inode_security(dir);
1846 	sbsec = selinux_superblock(dir->i_sb);
1847 
1848 	sid = tsec->sid;
1849 
1850 	ad.type = LSM_AUDIT_DATA_DENTRY;
1851 	ad.u.dentry = dentry;
1852 
1853 	rc = avc_has_perm(&selinux_state,
1854 			  sid, dsec->sid, SECCLASS_DIR,
1855 			  DIR__ADD_NAME | DIR__SEARCH,
1856 			  &ad);
1857 	if (rc)
1858 		return rc;
1859 
1860 	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1861 					   &newsid);
1862 	if (rc)
1863 		return rc;
1864 
1865 	rc = avc_has_perm(&selinux_state,
1866 			  sid, newsid, tclass, FILE__CREATE, &ad);
1867 	if (rc)
1868 		return rc;
1869 
1870 	return avc_has_perm(&selinux_state,
1871 			    newsid, sbsec->sid,
1872 			    SECCLASS_FILESYSTEM,
1873 			    FILESYSTEM__ASSOCIATE, &ad);
1874 }
1875 
1876 #define MAY_LINK	0
1877 #define MAY_UNLINK	1
1878 #define MAY_RMDIR	2
1879 
1880 /* Check whether a task can link, unlink, or rmdir a file/directory. */
may_link(struct inode * dir,struct dentry * dentry,int kind)1881 static int may_link(struct inode *dir,
1882 		    struct dentry *dentry,
1883 		    int kind)
1884 
1885 {
1886 	struct inode_security_struct *dsec, *isec;
1887 	struct common_audit_data ad;
1888 	u32 sid = current_sid();
1889 	u32 av;
1890 	int rc;
1891 
1892 	dsec = inode_security(dir);
1893 	isec = backing_inode_security(dentry);
1894 
1895 	ad.type = LSM_AUDIT_DATA_DENTRY;
1896 	ad.u.dentry = dentry;
1897 
1898 	av = DIR__SEARCH;
1899 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1900 	rc = avc_has_perm(&selinux_state,
1901 			  sid, dsec->sid, SECCLASS_DIR, av, &ad);
1902 	if (rc)
1903 		return rc;
1904 
1905 	switch (kind) {
1906 	case MAY_LINK:
1907 		av = FILE__LINK;
1908 		break;
1909 	case MAY_UNLINK:
1910 		av = FILE__UNLINK;
1911 		break;
1912 	case MAY_RMDIR:
1913 		av = DIR__RMDIR;
1914 		break;
1915 	default:
1916 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1917 			__func__, kind);
1918 		return 0;
1919 	}
1920 
1921 	rc = avc_has_perm(&selinux_state,
1922 			  sid, isec->sid, isec->sclass, av, &ad);
1923 	return rc;
1924 }
1925 
may_rename(struct inode * old_dir,struct dentry * old_dentry,struct inode * new_dir,struct dentry * new_dentry)1926 static inline int may_rename(struct inode *old_dir,
1927 			     struct dentry *old_dentry,
1928 			     struct inode *new_dir,
1929 			     struct dentry *new_dentry)
1930 {
1931 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1932 	struct common_audit_data ad;
1933 	u32 sid = current_sid();
1934 	u32 av;
1935 	int old_is_dir, new_is_dir;
1936 	int rc;
1937 
1938 	old_dsec = inode_security(old_dir);
1939 	old_isec = backing_inode_security(old_dentry);
1940 	old_is_dir = d_is_dir(old_dentry);
1941 	new_dsec = inode_security(new_dir);
1942 
1943 	ad.type = LSM_AUDIT_DATA_DENTRY;
1944 
1945 	ad.u.dentry = old_dentry;
1946 	rc = avc_has_perm(&selinux_state,
1947 			  sid, old_dsec->sid, SECCLASS_DIR,
1948 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1949 	if (rc)
1950 		return rc;
1951 	rc = avc_has_perm(&selinux_state,
1952 			  sid, old_isec->sid,
1953 			  old_isec->sclass, FILE__RENAME, &ad);
1954 	if (rc)
1955 		return rc;
1956 	if (old_is_dir && new_dir != old_dir) {
1957 		rc = avc_has_perm(&selinux_state,
1958 				  sid, old_isec->sid,
1959 				  old_isec->sclass, DIR__REPARENT, &ad);
1960 		if (rc)
1961 			return rc;
1962 	}
1963 
1964 	ad.u.dentry = new_dentry;
1965 	av = DIR__ADD_NAME | DIR__SEARCH;
1966 	if (d_is_positive(new_dentry))
1967 		av |= DIR__REMOVE_NAME;
1968 	rc = avc_has_perm(&selinux_state,
1969 			  sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1970 	if (rc)
1971 		return rc;
1972 	if (d_is_positive(new_dentry)) {
1973 		new_isec = backing_inode_security(new_dentry);
1974 		new_is_dir = d_is_dir(new_dentry);
1975 		rc = avc_has_perm(&selinux_state,
1976 				  sid, new_isec->sid,
1977 				  new_isec->sclass,
1978 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1979 		if (rc)
1980 			return rc;
1981 	}
1982 
1983 	return 0;
1984 }
1985 
1986 /* Check whether a task can perform a filesystem operation. */
superblock_has_perm(const struct cred * cred,struct super_block * sb,u32 perms,struct common_audit_data * ad)1987 static int superblock_has_perm(const struct cred *cred,
1988 			       struct super_block *sb,
1989 			       u32 perms,
1990 			       struct common_audit_data *ad)
1991 {
1992 	struct superblock_security_struct *sbsec;
1993 	u32 sid = cred_sid(cred);
1994 
1995 	sbsec = selinux_superblock(sb);
1996 	return avc_has_perm(&selinux_state,
1997 			    sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1998 }
1999 
2000 /* Convert a Linux mode and permission mask to an access vector. */
file_mask_to_av(int mode,int mask)2001 static inline u32 file_mask_to_av(int mode, int mask)
2002 {
2003 	u32 av = 0;
2004 
2005 	if (!S_ISDIR(mode)) {
2006 		if (mask & MAY_EXEC)
2007 			av |= FILE__EXECUTE;
2008 		if (mask & MAY_READ)
2009 			av |= FILE__READ;
2010 
2011 		if (mask & MAY_APPEND)
2012 			av |= FILE__APPEND;
2013 		else if (mask & MAY_WRITE)
2014 			av |= FILE__WRITE;
2015 
2016 	} else {
2017 		if (mask & MAY_EXEC)
2018 			av |= DIR__SEARCH;
2019 		if (mask & MAY_WRITE)
2020 			av |= DIR__WRITE;
2021 		if (mask & MAY_READ)
2022 			av |= DIR__READ;
2023 	}
2024 
2025 	return av;
2026 }
2027 
2028 /* Convert a Linux file to an access vector. */
file_to_av(struct file * file)2029 static inline u32 file_to_av(struct file *file)
2030 {
2031 	u32 av = 0;
2032 
2033 	if (file->f_mode & FMODE_READ)
2034 		av |= FILE__READ;
2035 	if (file->f_mode & FMODE_WRITE) {
2036 		if (file->f_flags & O_APPEND)
2037 			av |= FILE__APPEND;
2038 		else
2039 			av |= FILE__WRITE;
2040 	}
2041 	if (!av) {
2042 		/*
2043 		 * Special file opened with flags 3 for ioctl-only use.
2044 		 */
2045 		av = FILE__IOCTL;
2046 	}
2047 
2048 	return av;
2049 }
2050 
2051 /*
2052  * Convert a file to an access vector and include the correct
2053  * open permission.
2054  */
open_file_to_av(struct file * file)2055 static inline u32 open_file_to_av(struct file *file)
2056 {
2057 	u32 av = file_to_av(file);
2058 	struct inode *inode = file_inode(file);
2059 
2060 	if (selinux_policycap_openperm() &&
2061 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
2062 		av |= FILE__OPEN;
2063 
2064 	return av;
2065 }
2066 
2067 /* Hook functions begin here. */
2068 
selinux_binder_set_context_mgr(struct task_struct * mgr)2069 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2070 {
2071 	return avc_has_perm(&selinux_state,
2072 			    current_sid(), task_sid_binder(mgr), SECCLASS_BINDER,
2073 			    BINDER__SET_CONTEXT_MGR, NULL);
2074 }
2075 
selinux_binder_transaction(struct task_struct * from,struct task_struct * to)2076 static int selinux_binder_transaction(struct task_struct *from,
2077 				      struct task_struct *to)
2078 {
2079 	u32 mysid = current_sid();
2080 	u32 fromsid = task_sid_binder(from);
2081 	int rc;
2082 
2083 	if (mysid != fromsid) {
2084 		rc = avc_has_perm(&selinux_state,
2085 				  mysid, fromsid, SECCLASS_BINDER,
2086 				  BINDER__IMPERSONATE, NULL);
2087 		if (rc)
2088 			return rc;
2089 	}
2090 
2091 	return avc_has_perm(&selinux_state, fromsid, task_sid_binder(to),
2092 			    SECCLASS_BINDER, BINDER__CALL, NULL);
2093 }
2094 
selinux_binder_transfer_binder(struct task_struct * from,struct task_struct * to)2095 static int selinux_binder_transfer_binder(struct task_struct *from,
2096 					  struct task_struct *to)
2097 {
2098 	return avc_has_perm(&selinux_state,
2099 			    task_sid_binder(from), task_sid_binder(to),
2100 			    SECCLASS_BINDER, BINDER__TRANSFER,
2101 			    NULL);
2102 }
2103 
selinux_binder_transfer_file(struct task_struct * from,struct task_struct * to,struct file * file)2104 static int selinux_binder_transfer_file(struct task_struct *from,
2105 					struct task_struct *to,
2106 					struct file *file)
2107 {
2108 	u32 sid = task_sid_binder(to);
2109 	struct file_security_struct *fsec = selinux_file(file);
2110 	struct dentry *dentry = file->f_path.dentry;
2111 	struct inode_security_struct *isec;
2112 	struct common_audit_data ad;
2113 	int rc;
2114 
2115 	ad.type = LSM_AUDIT_DATA_PATH;
2116 	ad.u.path = file->f_path;
2117 
2118 	if (sid != fsec->sid) {
2119 		rc = avc_has_perm(&selinux_state,
2120 				  sid, fsec->sid,
2121 				  SECCLASS_FD,
2122 				  FD__USE,
2123 				  &ad);
2124 		if (rc)
2125 			return rc;
2126 	}
2127 
2128 #ifdef CONFIG_BPF_SYSCALL
2129 	rc = bpf_fd_pass(file, sid);
2130 	if (rc)
2131 		return rc;
2132 #endif
2133 
2134 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2135 		return 0;
2136 
2137 	isec = backing_inode_security(dentry);
2138 	return avc_has_perm(&selinux_state,
2139 			    sid, isec->sid, isec->sclass, file_to_av(file),
2140 			    &ad);
2141 }
2142 
selinux_ptrace_access_check(struct task_struct * child,unsigned int mode)2143 static int selinux_ptrace_access_check(struct task_struct *child,
2144 				       unsigned int mode)
2145 {
2146 	u32 sid = current_sid();
2147 	u32 csid = task_sid_obj(child);
2148 
2149 	if (mode & PTRACE_MODE_READ)
2150 		return avc_has_perm(&selinux_state,
2151 				    sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2152 
2153 	return avc_has_perm(&selinux_state,
2154 			    sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2155 }
2156 
selinux_ptrace_traceme(struct task_struct * parent)2157 static int selinux_ptrace_traceme(struct task_struct *parent)
2158 {
2159 	return avc_has_perm(&selinux_state,
2160 			    task_sid_obj(parent), task_sid_obj(current),
2161 			    SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2162 }
2163 
selinux_capget(struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)2164 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2165 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2166 {
2167 	return avc_has_perm(&selinux_state,
2168 			    current_sid(), task_sid_obj(target), SECCLASS_PROCESS,
2169 			    PROCESS__GETCAP, NULL);
2170 }
2171 
selinux_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)2172 static int selinux_capset(struct cred *new, const struct cred *old,
2173 			  const kernel_cap_t *effective,
2174 			  const kernel_cap_t *inheritable,
2175 			  const kernel_cap_t *permitted)
2176 {
2177 	return avc_has_perm(&selinux_state,
2178 			    cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2179 			    PROCESS__SETCAP, NULL);
2180 }
2181 
2182 /*
2183  * (This comment used to live with the selinux_task_setuid hook,
2184  * which was removed).
2185  *
2186  * Since setuid only affects the current process, and since the SELinux
2187  * controls are not based on the Linux identity attributes, SELinux does not
2188  * need to control this operation.  However, SELinux does control the use of
2189  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2190  */
2191 
selinux_capable(const struct cred * cred,struct user_namespace * ns,int cap,unsigned int opts)2192 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2193 			   int cap, unsigned int opts)
2194 {
2195 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2196 }
2197 
selinux_quotactl(int cmds,int type,int id,struct super_block * sb)2198 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2199 {
2200 	const struct cred *cred = current_cred();
2201 	int rc = 0;
2202 
2203 	if (!sb)
2204 		return 0;
2205 
2206 	switch (cmds) {
2207 	case Q_SYNC:
2208 	case Q_QUOTAON:
2209 	case Q_QUOTAOFF:
2210 	case Q_SETINFO:
2211 	case Q_SETQUOTA:
2212 	case Q_XQUOTAOFF:
2213 	case Q_XQUOTAON:
2214 	case Q_XSETQLIM:
2215 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2216 		break;
2217 	case Q_GETFMT:
2218 	case Q_GETINFO:
2219 	case Q_GETQUOTA:
2220 	case Q_XGETQUOTA:
2221 	case Q_XGETQSTAT:
2222 	case Q_XGETQSTATV:
2223 	case Q_XGETNEXTQUOTA:
2224 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2225 		break;
2226 	default:
2227 		rc = 0;  /* let the kernel handle invalid cmds */
2228 		break;
2229 	}
2230 	return rc;
2231 }
2232 
selinux_quota_on(struct dentry * dentry)2233 static int selinux_quota_on(struct dentry *dentry)
2234 {
2235 	const struct cred *cred = current_cred();
2236 
2237 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2238 }
2239 
selinux_syslog(int type)2240 static int selinux_syslog(int type)
2241 {
2242 	switch (type) {
2243 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2244 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2245 		return avc_has_perm(&selinux_state,
2246 				    current_sid(), SECINITSID_KERNEL,
2247 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2248 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2249 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2250 	/* Set level of messages printed to console */
2251 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2252 		return avc_has_perm(&selinux_state,
2253 				    current_sid(), SECINITSID_KERNEL,
2254 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2255 				    NULL);
2256 	}
2257 	/* All other syslog types */
2258 	return avc_has_perm(&selinux_state,
2259 			    current_sid(), SECINITSID_KERNEL,
2260 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2261 }
2262 
2263 /*
2264  * Check that a process has enough memory to allocate a new virtual
2265  * mapping. 0 means there is enough memory for the allocation to
2266  * succeed and -ENOMEM implies there is not.
2267  *
2268  * Do not audit the selinux permission check, as this is applied to all
2269  * processes that allocate mappings.
2270  */
selinux_vm_enough_memory(struct mm_struct * mm,long pages)2271 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2272 {
2273 	int rc, cap_sys_admin = 0;
2274 
2275 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2276 				 CAP_OPT_NOAUDIT, true);
2277 	if (rc == 0)
2278 		cap_sys_admin = 1;
2279 
2280 	return cap_sys_admin;
2281 }
2282 
2283 /* binprm security operations */
2284 
ptrace_parent_sid(void)2285 static u32 ptrace_parent_sid(void)
2286 {
2287 	u32 sid = 0;
2288 	struct task_struct *tracer;
2289 
2290 	rcu_read_lock();
2291 	tracer = ptrace_parent(current);
2292 	if (tracer)
2293 		sid = task_sid_obj(tracer);
2294 	rcu_read_unlock();
2295 
2296 	return sid;
2297 }
2298 
check_nnp_nosuid(const struct linux_binprm * bprm,const struct task_security_struct * old_tsec,const struct task_security_struct * new_tsec)2299 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2300 			    const struct task_security_struct *old_tsec,
2301 			    const struct task_security_struct *new_tsec)
2302 {
2303 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2304 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2305 	int rc;
2306 	u32 av;
2307 
2308 	if (!nnp && !nosuid)
2309 		return 0; /* neither NNP nor nosuid */
2310 
2311 	if (new_tsec->sid == old_tsec->sid)
2312 		return 0; /* No change in credentials */
2313 
2314 	/*
2315 	 * If the policy enables the nnp_nosuid_transition policy capability,
2316 	 * then we permit transitions under NNP or nosuid if the
2317 	 * policy allows the corresponding permission between
2318 	 * the old and new contexts.
2319 	 */
2320 	if (selinux_policycap_nnp_nosuid_transition()) {
2321 		av = 0;
2322 		if (nnp)
2323 			av |= PROCESS2__NNP_TRANSITION;
2324 		if (nosuid)
2325 			av |= PROCESS2__NOSUID_TRANSITION;
2326 		rc = avc_has_perm(&selinux_state,
2327 				  old_tsec->sid, new_tsec->sid,
2328 				  SECCLASS_PROCESS2, av, NULL);
2329 		if (!rc)
2330 			return 0;
2331 	}
2332 
2333 	/*
2334 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2335 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2336 	 * of the permissions of the current SID.
2337 	 */
2338 	rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2339 					 new_tsec->sid);
2340 	if (!rc)
2341 		return 0;
2342 
2343 	/*
2344 	 * On failure, preserve the errno values for NNP vs nosuid.
2345 	 * NNP:  Operation not permitted for caller.
2346 	 * nosuid:  Permission denied to file.
2347 	 */
2348 	if (nnp)
2349 		return -EPERM;
2350 	return -EACCES;
2351 }
2352 
selinux_bprm_creds_for_exec(struct linux_binprm * bprm)2353 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2354 {
2355 	const struct task_security_struct *old_tsec;
2356 	struct task_security_struct *new_tsec;
2357 	struct inode_security_struct *isec;
2358 	struct common_audit_data ad;
2359 	struct inode *inode = file_inode(bprm->file);
2360 	int rc;
2361 
2362 	/* SELinux context only depends on initial program or script and not
2363 	 * the script interpreter */
2364 
2365 	old_tsec = selinux_cred(current_cred());
2366 	new_tsec = selinux_cred(bprm->cred);
2367 	isec = inode_security(inode);
2368 
2369 	/* Default to the current task SID. */
2370 	new_tsec->sid = old_tsec->sid;
2371 	new_tsec->osid = old_tsec->sid;
2372 
2373 	/* Reset fs, key, and sock SIDs on execve. */
2374 	new_tsec->create_sid = 0;
2375 	new_tsec->keycreate_sid = 0;
2376 	new_tsec->sockcreate_sid = 0;
2377 
2378 	if (old_tsec->exec_sid) {
2379 		new_tsec->sid = old_tsec->exec_sid;
2380 		/* Reset exec SID on execve. */
2381 		new_tsec->exec_sid = 0;
2382 
2383 		/* Fail on NNP or nosuid if not an allowed transition. */
2384 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2385 		if (rc)
2386 			return rc;
2387 	} else {
2388 		/* Check for a default transition on this program. */
2389 		rc = security_transition_sid(&selinux_state, old_tsec->sid,
2390 					     isec->sid, SECCLASS_PROCESS, NULL,
2391 					     &new_tsec->sid);
2392 		if (rc)
2393 			return rc;
2394 
2395 		/*
2396 		 * Fallback to old SID on NNP or nosuid if not an allowed
2397 		 * transition.
2398 		 */
2399 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2400 		if (rc)
2401 			new_tsec->sid = old_tsec->sid;
2402 	}
2403 
2404 	ad.type = LSM_AUDIT_DATA_FILE;
2405 	ad.u.file = bprm->file;
2406 
2407 	if (new_tsec->sid == old_tsec->sid) {
2408 		rc = avc_has_perm(&selinux_state,
2409 				  old_tsec->sid, isec->sid,
2410 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2411 		if (rc)
2412 			return rc;
2413 	} else {
2414 		/* Check permissions for the transition. */
2415 		rc = avc_has_perm(&selinux_state,
2416 				  old_tsec->sid, new_tsec->sid,
2417 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2418 		if (rc)
2419 			return rc;
2420 
2421 		rc = avc_has_perm(&selinux_state,
2422 				  new_tsec->sid, isec->sid,
2423 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2424 		if (rc)
2425 			return rc;
2426 
2427 		/* Check for shared state */
2428 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2429 			rc = avc_has_perm(&selinux_state,
2430 					  old_tsec->sid, new_tsec->sid,
2431 					  SECCLASS_PROCESS, PROCESS__SHARE,
2432 					  NULL);
2433 			if (rc)
2434 				return -EPERM;
2435 		}
2436 
2437 		/* Make sure that anyone attempting to ptrace over a task that
2438 		 * changes its SID has the appropriate permit */
2439 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2440 			u32 ptsid = ptrace_parent_sid();
2441 			if (ptsid != 0) {
2442 				rc = avc_has_perm(&selinux_state,
2443 						  ptsid, new_tsec->sid,
2444 						  SECCLASS_PROCESS,
2445 						  PROCESS__PTRACE, NULL);
2446 				if (rc)
2447 					return -EPERM;
2448 			}
2449 		}
2450 
2451 		/* Clear any possibly unsafe personality bits on exec: */
2452 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2453 
2454 		/* Enable secure mode for SIDs transitions unless
2455 		   the noatsecure permission is granted between
2456 		   the two SIDs, i.e. ahp returns 0. */
2457 		rc = avc_has_perm(&selinux_state,
2458 				  old_tsec->sid, new_tsec->sid,
2459 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2460 				  NULL);
2461 		bprm->secureexec |= !!rc;
2462 	}
2463 
2464 	return 0;
2465 }
2466 
match_file(const void * p,struct file * file,unsigned fd)2467 static int match_file(const void *p, struct file *file, unsigned fd)
2468 {
2469 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2470 }
2471 
2472 /* Derived from fs/exec.c:flush_old_files. */
flush_unauthorized_files(const struct cred * cred,struct files_struct * files)2473 static inline void flush_unauthorized_files(const struct cred *cred,
2474 					    struct files_struct *files)
2475 {
2476 	struct file *file, *devnull = NULL;
2477 	struct tty_struct *tty;
2478 	int drop_tty = 0;
2479 	unsigned n;
2480 
2481 	tty = get_current_tty();
2482 	if (tty) {
2483 		spin_lock(&tty->files_lock);
2484 		if (!list_empty(&tty->tty_files)) {
2485 			struct tty_file_private *file_priv;
2486 
2487 			/* Revalidate access to controlling tty.
2488 			   Use file_path_has_perm on the tty path directly
2489 			   rather than using file_has_perm, as this particular
2490 			   open file may belong to another process and we are
2491 			   only interested in the inode-based check here. */
2492 			file_priv = list_first_entry(&tty->tty_files,
2493 						struct tty_file_private, list);
2494 			file = file_priv->file;
2495 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2496 				drop_tty = 1;
2497 		}
2498 		spin_unlock(&tty->files_lock);
2499 		tty_kref_put(tty);
2500 	}
2501 	/* Reset controlling tty. */
2502 	if (drop_tty)
2503 		no_tty();
2504 
2505 	/* Revalidate access to inherited open files. */
2506 	n = iterate_fd(files, 0, match_file, cred);
2507 	if (!n) /* none found? */
2508 		return;
2509 
2510 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2511 	if (IS_ERR(devnull))
2512 		devnull = NULL;
2513 	/* replace all the matching ones with this */
2514 	do {
2515 		replace_fd(n - 1, devnull, 0);
2516 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2517 	if (devnull)
2518 		fput(devnull);
2519 }
2520 
2521 /*
2522  * Prepare a process for imminent new credential changes due to exec
2523  */
selinux_bprm_committing_creds(struct linux_binprm * bprm)2524 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2525 {
2526 	struct task_security_struct *new_tsec;
2527 	struct rlimit *rlim, *initrlim;
2528 	int rc, i;
2529 
2530 	new_tsec = selinux_cred(bprm->cred);
2531 	if (new_tsec->sid == new_tsec->osid)
2532 		return;
2533 
2534 	/* Close files for which the new task SID is not authorized. */
2535 	flush_unauthorized_files(bprm->cred, current->files);
2536 
2537 	/* Always clear parent death signal on SID transitions. */
2538 	current->pdeath_signal = 0;
2539 
2540 	/* Check whether the new SID can inherit resource limits from the old
2541 	 * SID.  If not, reset all soft limits to the lower of the current
2542 	 * task's hard limit and the init task's soft limit.
2543 	 *
2544 	 * Note that the setting of hard limits (even to lower them) can be
2545 	 * controlled by the setrlimit check.  The inclusion of the init task's
2546 	 * soft limit into the computation is to avoid resetting soft limits
2547 	 * higher than the default soft limit for cases where the default is
2548 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2549 	 */
2550 	rc = avc_has_perm(&selinux_state,
2551 			  new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2552 			  PROCESS__RLIMITINH, NULL);
2553 	if (rc) {
2554 		/* protect against do_prlimit() */
2555 		task_lock(current);
2556 		for (i = 0; i < RLIM_NLIMITS; i++) {
2557 			rlim = current->signal->rlim + i;
2558 			initrlim = init_task.signal->rlim + i;
2559 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2560 		}
2561 		task_unlock(current);
2562 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2563 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2564 	}
2565 }
2566 
2567 /*
2568  * Clean up the process immediately after the installation of new credentials
2569  * due to exec
2570  */
selinux_bprm_committed_creds(struct linux_binprm * bprm)2571 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2572 {
2573 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2574 	u32 osid, sid;
2575 	int rc;
2576 
2577 	osid = tsec->osid;
2578 	sid = tsec->sid;
2579 
2580 	if (sid == osid)
2581 		return;
2582 
2583 	/* Check whether the new SID can inherit signal state from the old SID.
2584 	 * If not, clear itimers to avoid subsequent signal generation and
2585 	 * flush and unblock signals.
2586 	 *
2587 	 * This must occur _after_ the task SID has been updated so that any
2588 	 * kill done after the flush will be checked against the new SID.
2589 	 */
2590 	rc = avc_has_perm(&selinux_state,
2591 			  osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2592 	if (rc) {
2593 		clear_itimer();
2594 
2595 		spin_lock_irq(&current->sighand->siglock);
2596 		if (!fatal_signal_pending(current)) {
2597 			flush_sigqueue(&current->pending);
2598 			flush_sigqueue(&current->signal->shared_pending);
2599 			flush_signal_handlers(current, 1);
2600 			sigemptyset(&current->blocked);
2601 			recalc_sigpending();
2602 		}
2603 		spin_unlock_irq(&current->sighand->siglock);
2604 	}
2605 
2606 	/* Wake up the parent if it is waiting so that it can recheck
2607 	 * wait permission to the new task SID. */
2608 	read_lock(&tasklist_lock);
2609 	__wake_up_parent(current, current->real_parent);
2610 	read_unlock(&tasklist_lock);
2611 }
2612 
2613 /* superblock security operations */
2614 
selinux_sb_alloc_security(struct super_block * sb)2615 static int selinux_sb_alloc_security(struct super_block *sb)
2616 {
2617 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2618 
2619 	mutex_init(&sbsec->lock);
2620 	INIT_LIST_HEAD(&sbsec->isec_head);
2621 	spin_lock_init(&sbsec->isec_lock);
2622 	sbsec->sid = SECINITSID_UNLABELED;
2623 	sbsec->def_sid = SECINITSID_FILE;
2624 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2625 
2626 	return 0;
2627 }
2628 
opt_len(const char * s)2629 static inline int opt_len(const char *s)
2630 {
2631 	bool open_quote = false;
2632 	int len;
2633 	char c;
2634 
2635 	for (len = 0; (c = s[len]) != '\0'; len++) {
2636 		if (c == '"')
2637 			open_quote = !open_quote;
2638 		if (c == ',' && !open_quote)
2639 			break;
2640 	}
2641 	return len;
2642 }
2643 
selinux_sb_eat_lsm_opts(char * options,void ** mnt_opts)2644 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2645 {
2646 	char *from = options;
2647 	char *to = options;
2648 	bool first = true;
2649 	int rc;
2650 
2651 	while (1) {
2652 		int len = opt_len(from);
2653 		int token;
2654 		char *arg = NULL;
2655 
2656 		token = match_opt_prefix(from, len, &arg);
2657 
2658 		if (token != Opt_error) {
2659 			char *p, *q;
2660 
2661 			/* strip quotes */
2662 			if (arg) {
2663 				for (p = q = arg; p < from + len; p++) {
2664 					char c = *p;
2665 					if (c != '"')
2666 						*q++ = c;
2667 				}
2668 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2669 				if (!arg) {
2670 					rc = -ENOMEM;
2671 					goto free_opt;
2672 				}
2673 			}
2674 			rc = selinux_add_opt(token, arg, mnt_opts);
2675 			if (unlikely(rc)) {
2676 				kfree(arg);
2677 				goto free_opt;
2678 			}
2679 		} else {
2680 			if (!first) {	// copy with preceding comma
2681 				from--;
2682 				len++;
2683 			}
2684 			if (to != from)
2685 				memmove(to, from, len);
2686 			to += len;
2687 			first = false;
2688 		}
2689 		if (!from[len])
2690 			break;
2691 		from += len + 1;
2692 	}
2693 	*to = '\0';
2694 	return 0;
2695 
2696 free_opt:
2697 	if (*mnt_opts) {
2698 		selinux_free_mnt_opts(*mnt_opts);
2699 		*mnt_opts = NULL;
2700 	}
2701 	return rc;
2702 }
2703 
selinux_sb_mnt_opts_compat(struct super_block * sb,void * mnt_opts)2704 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2705 {
2706 	struct selinux_mnt_opts *opts = mnt_opts;
2707 	struct superblock_security_struct *sbsec = sb->s_security;
2708 	u32 sid;
2709 	int rc;
2710 
2711 	/*
2712 	 * Superblock not initialized (i.e. no options) - reject if any
2713 	 * options specified, otherwise accept.
2714 	 */
2715 	if (!(sbsec->flags & SE_SBINITIALIZED))
2716 		return opts ? 1 : 0;
2717 
2718 	/*
2719 	 * Superblock initialized and no options specified - reject if
2720 	 * superblock has any options set, otherwise accept.
2721 	 */
2722 	if (!opts)
2723 		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2724 
2725 	if (opts->fscontext) {
2726 		rc = parse_sid(sb, opts->fscontext, &sid);
2727 		if (rc)
2728 			return 1;
2729 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2730 			return 1;
2731 	}
2732 	if (opts->context) {
2733 		rc = parse_sid(sb, opts->context, &sid);
2734 		if (rc)
2735 			return 1;
2736 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2737 			return 1;
2738 	}
2739 	if (opts->rootcontext) {
2740 		struct inode_security_struct *root_isec;
2741 
2742 		root_isec = backing_inode_security(sb->s_root);
2743 		rc = parse_sid(sb, opts->rootcontext, &sid);
2744 		if (rc)
2745 			return 1;
2746 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2747 			return 1;
2748 	}
2749 	if (opts->defcontext) {
2750 		rc = parse_sid(sb, opts->defcontext, &sid);
2751 		if (rc)
2752 			return 1;
2753 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2754 			return 1;
2755 	}
2756 	return 0;
2757 }
2758 
selinux_sb_remount(struct super_block * sb,void * mnt_opts)2759 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2760 {
2761 	struct selinux_mnt_opts *opts = mnt_opts;
2762 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2763 	u32 sid;
2764 	int rc;
2765 
2766 	if (!(sbsec->flags & SE_SBINITIALIZED))
2767 		return 0;
2768 
2769 	if (!opts)
2770 		return 0;
2771 
2772 	if (opts->fscontext) {
2773 		rc = parse_sid(sb, opts->fscontext, &sid);
2774 		if (rc)
2775 			return rc;
2776 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2777 			goto out_bad_option;
2778 	}
2779 	if (opts->context) {
2780 		rc = parse_sid(sb, opts->context, &sid);
2781 		if (rc)
2782 			return rc;
2783 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2784 			goto out_bad_option;
2785 	}
2786 	if (opts->rootcontext) {
2787 		struct inode_security_struct *root_isec;
2788 		root_isec = backing_inode_security(sb->s_root);
2789 		rc = parse_sid(sb, opts->rootcontext, &sid);
2790 		if (rc)
2791 			return rc;
2792 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2793 			goto out_bad_option;
2794 	}
2795 	if (opts->defcontext) {
2796 		rc = parse_sid(sb, opts->defcontext, &sid);
2797 		if (rc)
2798 			return rc;
2799 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2800 			goto out_bad_option;
2801 	}
2802 	return 0;
2803 
2804 out_bad_option:
2805 	pr_warn("SELinux: unable to change security options "
2806 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2807 	       sb->s_type->name);
2808 	return -EINVAL;
2809 }
2810 
selinux_sb_kern_mount(struct super_block * sb)2811 static int selinux_sb_kern_mount(struct super_block *sb)
2812 {
2813 	const struct cred *cred = current_cred();
2814 	struct common_audit_data ad;
2815 
2816 	ad.type = LSM_AUDIT_DATA_DENTRY;
2817 	ad.u.dentry = sb->s_root;
2818 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2819 }
2820 
selinux_sb_statfs(struct dentry * dentry)2821 static int selinux_sb_statfs(struct dentry *dentry)
2822 {
2823 	const struct cred *cred = current_cred();
2824 	struct common_audit_data ad;
2825 
2826 	ad.type = LSM_AUDIT_DATA_DENTRY;
2827 	ad.u.dentry = dentry->d_sb->s_root;
2828 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2829 }
2830 
selinux_mount(const char * dev_name,const struct path * path,const char * type,unsigned long flags,void * data)2831 static int selinux_mount(const char *dev_name,
2832 			 const struct path *path,
2833 			 const char *type,
2834 			 unsigned long flags,
2835 			 void *data)
2836 {
2837 	const struct cred *cred = current_cred();
2838 
2839 	if (flags & MS_REMOUNT)
2840 		return superblock_has_perm(cred, path->dentry->d_sb,
2841 					   FILESYSTEM__REMOUNT, NULL);
2842 	else
2843 		return path_has_perm(cred, path, FILE__MOUNTON);
2844 }
2845 
selinux_move_mount(const struct path * from_path,const struct path * to_path)2846 static int selinux_move_mount(const struct path *from_path,
2847 			      const struct path *to_path)
2848 {
2849 	const struct cred *cred = current_cred();
2850 
2851 	return path_has_perm(cred, to_path, FILE__MOUNTON);
2852 }
2853 
selinux_umount(struct vfsmount * mnt,int flags)2854 static int selinux_umount(struct vfsmount *mnt, int flags)
2855 {
2856 	const struct cred *cred = current_cred();
2857 
2858 	return superblock_has_perm(cred, mnt->mnt_sb,
2859 				   FILESYSTEM__UNMOUNT, NULL);
2860 }
2861 
selinux_fs_context_dup(struct fs_context * fc,struct fs_context * src_fc)2862 static int selinux_fs_context_dup(struct fs_context *fc,
2863 				  struct fs_context *src_fc)
2864 {
2865 	const struct selinux_mnt_opts *src = src_fc->security;
2866 	struct selinux_mnt_opts *opts;
2867 
2868 	if (!src)
2869 		return 0;
2870 
2871 	fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2872 	if (!fc->security)
2873 		return -ENOMEM;
2874 
2875 	opts = fc->security;
2876 
2877 	if (src->fscontext) {
2878 		opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2879 		if (!opts->fscontext)
2880 			return -ENOMEM;
2881 	}
2882 	if (src->context) {
2883 		opts->context = kstrdup(src->context, GFP_KERNEL);
2884 		if (!opts->context)
2885 			return -ENOMEM;
2886 	}
2887 	if (src->rootcontext) {
2888 		opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2889 		if (!opts->rootcontext)
2890 			return -ENOMEM;
2891 	}
2892 	if (src->defcontext) {
2893 		opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2894 		if (!opts->defcontext)
2895 			return -ENOMEM;
2896 	}
2897 	return 0;
2898 }
2899 
2900 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2901 	fsparam_string(CONTEXT_STR,	Opt_context),
2902 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2903 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2904 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2905 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2906 	{}
2907 };
2908 
selinux_fs_context_parse_param(struct fs_context * fc,struct fs_parameter * param)2909 static int selinux_fs_context_parse_param(struct fs_context *fc,
2910 					  struct fs_parameter *param)
2911 {
2912 	struct fs_parse_result result;
2913 	int opt, rc;
2914 
2915 	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2916 	if (opt < 0)
2917 		return opt;
2918 
2919 	rc = selinux_add_opt(opt, param->string, &fc->security);
2920 	if (!rc) {
2921 		param->string = NULL;
2922 		rc = 1;
2923 	}
2924 	return rc;
2925 }
2926 
2927 /* inode security operations */
2928 
selinux_inode_alloc_security(struct inode * inode)2929 static int selinux_inode_alloc_security(struct inode *inode)
2930 {
2931 	struct inode_security_struct *isec = selinux_inode(inode);
2932 	u32 sid = current_sid();
2933 
2934 	spin_lock_init(&isec->lock);
2935 	INIT_LIST_HEAD(&isec->list);
2936 	isec->inode = inode;
2937 	isec->sid = SECINITSID_UNLABELED;
2938 	isec->sclass = SECCLASS_FILE;
2939 	isec->task_sid = sid;
2940 	isec->initialized = LABEL_INVALID;
2941 
2942 	return 0;
2943 }
2944 
selinux_inode_free_security(struct inode * inode)2945 static void selinux_inode_free_security(struct inode *inode)
2946 {
2947 	inode_free_security(inode);
2948 }
2949 
selinux_dentry_init_security(struct dentry * dentry,int mode,const struct qstr * name,void ** ctx,u32 * ctxlen)2950 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2951 					const struct qstr *name, void **ctx,
2952 					u32 *ctxlen)
2953 {
2954 	u32 newsid;
2955 	int rc;
2956 
2957 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2958 					   d_inode(dentry->d_parent), name,
2959 					   inode_mode_to_security_class(mode),
2960 					   &newsid);
2961 	if (rc)
2962 		return rc;
2963 
2964 	return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2965 				       ctxlen);
2966 }
2967 
selinux_dentry_create_files_as(struct dentry * dentry,int mode,struct qstr * name,const struct cred * old,struct cred * new)2968 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2969 					  struct qstr *name,
2970 					  const struct cred *old,
2971 					  struct cred *new)
2972 {
2973 	u32 newsid;
2974 	int rc;
2975 	struct task_security_struct *tsec;
2976 
2977 	rc = selinux_determine_inode_label(selinux_cred(old),
2978 					   d_inode(dentry->d_parent), name,
2979 					   inode_mode_to_security_class(mode),
2980 					   &newsid);
2981 	if (rc)
2982 		return rc;
2983 
2984 	tsec = selinux_cred(new);
2985 	tsec->create_sid = newsid;
2986 	return 0;
2987 }
2988 
selinux_inode_init_security(struct inode * inode,struct inode * dir,const struct qstr * qstr,const char ** name,void ** value,size_t * len)2989 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2990 				       const struct qstr *qstr,
2991 				       const char **name,
2992 				       void **value, size_t *len)
2993 {
2994 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2995 	struct superblock_security_struct *sbsec;
2996 	u32 newsid, clen;
2997 	int rc;
2998 	char *context;
2999 
3000 	sbsec = selinux_superblock(dir->i_sb);
3001 
3002 	newsid = tsec->create_sid;
3003 
3004 	rc = selinux_determine_inode_label(tsec, dir, qstr,
3005 		inode_mode_to_security_class(inode->i_mode),
3006 		&newsid);
3007 	if (rc)
3008 		return rc;
3009 
3010 	/* Possibly defer initialization to selinux_complete_init. */
3011 	if (sbsec->flags & SE_SBINITIALIZED) {
3012 		struct inode_security_struct *isec = selinux_inode(inode);
3013 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
3014 		isec->sid = newsid;
3015 		isec->initialized = LABEL_INITIALIZED;
3016 	}
3017 
3018 	if (!selinux_initialized(&selinux_state) ||
3019 	    !(sbsec->flags & SBLABEL_MNT))
3020 		return -EOPNOTSUPP;
3021 
3022 	if (name)
3023 		*name = XATTR_SELINUX_SUFFIX;
3024 
3025 	if (value && len) {
3026 		rc = security_sid_to_context_force(&selinux_state, newsid,
3027 						   &context, &clen);
3028 		if (rc)
3029 			return rc;
3030 		*value = context;
3031 		*len = clen;
3032 	}
3033 
3034 	return 0;
3035 }
3036 
selinux_inode_init_security_anon(struct inode * inode,const struct qstr * name,const struct inode * context_inode)3037 static int selinux_inode_init_security_anon(struct inode *inode,
3038 					    const struct qstr *name,
3039 					    const struct inode *context_inode)
3040 {
3041 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3042 	struct common_audit_data ad;
3043 	struct inode_security_struct *isec;
3044 	int rc;
3045 
3046 	if (unlikely(!selinux_initialized(&selinux_state)))
3047 		return 0;
3048 
3049 	isec = selinux_inode(inode);
3050 
3051 	/*
3052 	 * We only get here once per ephemeral inode.  The inode has
3053 	 * been initialized via inode_alloc_security but is otherwise
3054 	 * untouched.
3055 	 */
3056 
3057 	if (context_inode) {
3058 		struct inode_security_struct *context_isec =
3059 			selinux_inode(context_inode);
3060 		if (context_isec->initialized != LABEL_INITIALIZED) {
3061 			pr_err("SELinux:  context_inode is not initialized");
3062 			return -EACCES;
3063 		}
3064 
3065 		isec->sclass = context_isec->sclass;
3066 		isec->sid = context_isec->sid;
3067 	} else {
3068 		isec->sclass = SECCLASS_ANON_INODE;
3069 		rc = security_transition_sid(
3070 			&selinux_state, tsec->sid, tsec->sid,
3071 			isec->sclass, name, &isec->sid);
3072 		if (rc)
3073 			return rc;
3074 	}
3075 
3076 	isec->initialized = LABEL_INITIALIZED;
3077 	/*
3078 	 * Now that we've initialized security, check whether we're
3079 	 * allowed to actually create this type of anonymous inode.
3080 	 */
3081 
3082 	ad.type = LSM_AUDIT_DATA_INODE;
3083 	ad.u.inode = inode;
3084 
3085 	return avc_has_perm(&selinux_state,
3086 			    tsec->sid,
3087 			    isec->sid,
3088 			    isec->sclass,
3089 			    FILE__CREATE,
3090 			    &ad);
3091 }
3092 
selinux_inode_create(struct inode * dir,struct dentry * dentry,umode_t mode)3093 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3094 {
3095 	return may_create(dir, dentry, SECCLASS_FILE);
3096 }
3097 
selinux_inode_link(struct dentry * old_dentry,struct inode * dir,struct dentry * new_dentry)3098 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3099 {
3100 	return may_link(dir, old_dentry, MAY_LINK);
3101 }
3102 
selinux_inode_unlink(struct inode * dir,struct dentry * dentry)3103 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3104 {
3105 	return may_link(dir, dentry, MAY_UNLINK);
3106 }
3107 
selinux_inode_symlink(struct inode * dir,struct dentry * dentry,const char * name)3108 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3109 {
3110 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
3111 }
3112 
selinux_inode_mkdir(struct inode * dir,struct dentry * dentry,umode_t mask)3113 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3114 {
3115 	return may_create(dir, dentry, SECCLASS_DIR);
3116 }
3117 
selinux_inode_rmdir(struct inode * dir,struct dentry * dentry)3118 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3119 {
3120 	return may_link(dir, dentry, MAY_RMDIR);
3121 }
3122 
selinux_inode_mknod(struct inode * dir,struct dentry * dentry,umode_t mode,dev_t dev)3123 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3124 {
3125 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3126 }
3127 
selinux_inode_rename(struct inode * old_inode,struct dentry * old_dentry,struct inode * new_inode,struct dentry * new_dentry)3128 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3129 				struct inode *new_inode, struct dentry *new_dentry)
3130 {
3131 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3132 }
3133 
selinux_inode_readlink(struct dentry * dentry)3134 static int selinux_inode_readlink(struct dentry *dentry)
3135 {
3136 	const struct cred *cred = current_cred();
3137 
3138 	return dentry_has_perm(cred, dentry, FILE__READ);
3139 }
3140 
selinux_inode_follow_link(struct dentry * dentry,struct inode * inode,bool rcu)3141 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3142 				     bool rcu)
3143 {
3144 	const struct cred *cred = current_cred();
3145 	struct common_audit_data ad;
3146 	struct inode_security_struct *isec;
3147 	u32 sid;
3148 
3149 	validate_creds(cred);
3150 
3151 	ad.type = LSM_AUDIT_DATA_DENTRY;
3152 	ad.u.dentry = dentry;
3153 	sid = cred_sid(cred);
3154 	isec = inode_security_rcu(inode, rcu);
3155 	if (IS_ERR(isec))
3156 		return PTR_ERR(isec);
3157 
3158 	return avc_has_perm(&selinux_state,
3159 				  sid, isec->sid, isec->sclass, FILE__READ, &ad);
3160 }
3161 
audit_inode_permission(struct inode * inode,u32 perms,u32 audited,u32 denied,int result)3162 static noinline int audit_inode_permission(struct inode *inode,
3163 					   u32 perms, u32 audited, u32 denied,
3164 					   int result)
3165 {
3166 	struct common_audit_data ad;
3167 	struct inode_security_struct *isec = selinux_inode(inode);
3168 
3169 	ad.type = LSM_AUDIT_DATA_INODE;
3170 	ad.u.inode = inode;
3171 
3172 	return slow_avc_audit(&selinux_state,
3173 			    current_sid(), isec->sid, isec->sclass, perms,
3174 			    audited, denied, result, &ad);
3175 }
3176 
selinux_inode_permission(struct inode * inode,int mask)3177 static int selinux_inode_permission(struct inode *inode, int mask)
3178 {
3179 	const struct cred *cred = current_cred();
3180 	u32 perms;
3181 	bool from_access;
3182 	bool no_block = mask & MAY_NOT_BLOCK;
3183 	struct inode_security_struct *isec;
3184 	u32 sid;
3185 	struct av_decision avd;
3186 	int rc, rc2;
3187 	u32 audited, denied;
3188 
3189 	from_access = mask & MAY_ACCESS;
3190 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3191 
3192 	/* No permission to check.  Existence test. */
3193 	if (!mask)
3194 		return 0;
3195 
3196 	validate_creds(cred);
3197 
3198 	if (unlikely(IS_PRIVATE(inode)))
3199 		return 0;
3200 
3201 	perms = file_mask_to_av(inode->i_mode, mask);
3202 
3203 	sid = cred_sid(cred);
3204 	isec = inode_security_rcu(inode, no_block);
3205 	if (IS_ERR(isec))
3206 		return PTR_ERR(isec);
3207 
3208 	rc = avc_has_perm_noaudit(&selinux_state,
3209 				  sid, isec->sid, isec->sclass, perms, 0,
3210 				  &avd);
3211 	audited = avc_audit_required(perms, &avd, rc,
3212 				     from_access ? FILE__AUDIT_ACCESS : 0,
3213 				     &denied);
3214 	if (likely(!audited))
3215 		return rc;
3216 
3217 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3218 	if (rc2)
3219 		return rc2;
3220 	return rc;
3221 }
3222 
selinux_inode_setattr(struct dentry * dentry,struct iattr * iattr)3223 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3224 {
3225 	const struct cred *cred = current_cred();
3226 	struct inode *inode = d_backing_inode(dentry);
3227 	unsigned int ia_valid = iattr->ia_valid;
3228 	__u32 av = FILE__WRITE;
3229 
3230 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3231 	if (ia_valid & ATTR_FORCE) {
3232 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3233 			      ATTR_FORCE);
3234 		if (!ia_valid)
3235 			return 0;
3236 	}
3237 
3238 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3239 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3240 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3241 
3242 	if (selinux_policycap_openperm() &&
3243 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3244 	    (ia_valid & ATTR_SIZE) &&
3245 	    !(ia_valid & ATTR_FILE))
3246 		av |= FILE__OPEN;
3247 
3248 	return dentry_has_perm(cred, dentry, av);
3249 }
3250 
selinux_inode_getattr(const struct path * path)3251 static int selinux_inode_getattr(const struct path *path)
3252 {
3253 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3254 }
3255 
has_cap_mac_admin(bool audit)3256 static bool has_cap_mac_admin(bool audit)
3257 {
3258 	const struct cred *cred = current_cred();
3259 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3260 
3261 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3262 		return false;
3263 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3264 		return false;
3265 	return true;
3266 }
3267 
selinux_inode_setxattr(struct user_namespace * mnt_userns,struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3268 static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
3269 				  struct dentry *dentry, const char *name,
3270 				  const void *value, size_t size, int flags)
3271 {
3272 	struct inode *inode = d_backing_inode(dentry);
3273 	struct inode_security_struct *isec;
3274 	struct superblock_security_struct *sbsec;
3275 	struct common_audit_data ad;
3276 	u32 newsid, sid = current_sid();
3277 	int rc = 0;
3278 
3279 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3280 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3281 		if (rc)
3282 			return rc;
3283 
3284 		/* Not an attribute we recognize, so just check the
3285 		   ordinary setattr permission. */
3286 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3287 	}
3288 
3289 	if (!selinux_initialized(&selinux_state))
3290 		return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM);
3291 
3292 	sbsec = selinux_superblock(inode->i_sb);
3293 	if (!(sbsec->flags & SBLABEL_MNT))
3294 		return -EOPNOTSUPP;
3295 
3296 	if (!inode_owner_or_capable(mnt_userns, inode))
3297 		return -EPERM;
3298 
3299 	ad.type = LSM_AUDIT_DATA_DENTRY;
3300 	ad.u.dentry = dentry;
3301 
3302 	isec = backing_inode_security(dentry);
3303 	rc = avc_has_perm(&selinux_state,
3304 			  sid, isec->sid, isec->sclass,
3305 			  FILE__RELABELFROM, &ad);
3306 	if (rc)
3307 		return rc;
3308 
3309 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3310 				     GFP_KERNEL);
3311 	if (rc == -EINVAL) {
3312 		if (!has_cap_mac_admin(true)) {
3313 			struct audit_buffer *ab;
3314 			size_t audit_size;
3315 
3316 			/* We strip a nul only if it is at the end, otherwise the
3317 			 * context contains a nul and we should audit that */
3318 			if (value) {
3319 				const char *str = value;
3320 
3321 				if (str[size - 1] == '\0')
3322 					audit_size = size - 1;
3323 				else
3324 					audit_size = size;
3325 			} else {
3326 				audit_size = 0;
3327 			}
3328 			ab = audit_log_start(audit_context(),
3329 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3330 			if (!ab)
3331 				return rc;
3332 			audit_log_format(ab, "op=setxattr invalid_context=");
3333 			audit_log_n_untrustedstring(ab, value, audit_size);
3334 			audit_log_end(ab);
3335 
3336 			return rc;
3337 		}
3338 		rc = security_context_to_sid_force(&selinux_state, value,
3339 						   size, &newsid);
3340 	}
3341 	if (rc)
3342 		return rc;
3343 
3344 	rc = avc_has_perm(&selinux_state,
3345 			  sid, newsid, isec->sclass,
3346 			  FILE__RELABELTO, &ad);
3347 	if (rc)
3348 		return rc;
3349 
3350 	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3351 					  sid, isec->sclass);
3352 	if (rc)
3353 		return rc;
3354 
3355 	return avc_has_perm(&selinux_state,
3356 			    newsid,
3357 			    sbsec->sid,
3358 			    SECCLASS_FILESYSTEM,
3359 			    FILESYSTEM__ASSOCIATE,
3360 			    &ad);
3361 }
3362 
selinux_inode_post_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3363 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3364 					const void *value, size_t size,
3365 					int flags)
3366 {
3367 	struct inode *inode = d_backing_inode(dentry);
3368 	struct inode_security_struct *isec;
3369 	u32 newsid;
3370 	int rc;
3371 
3372 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3373 		/* Not an attribute we recognize, so nothing to do. */
3374 		return;
3375 	}
3376 
3377 	if (!selinux_initialized(&selinux_state)) {
3378 		/* If we haven't even been initialized, then we can't validate
3379 		 * against a policy, so leave the label as invalid. It may
3380 		 * resolve to a valid label on the next revalidation try if
3381 		 * we've since initialized.
3382 		 */
3383 		return;
3384 	}
3385 
3386 	rc = security_context_to_sid_force(&selinux_state, value, size,
3387 					   &newsid);
3388 	if (rc) {
3389 		pr_err("SELinux:  unable to map context to SID"
3390 		       "for (%s, %lu), rc=%d\n",
3391 		       inode->i_sb->s_id, inode->i_ino, -rc);
3392 		return;
3393 	}
3394 
3395 	isec = backing_inode_security(dentry);
3396 	spin_lock(&isec->lock);
3397 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3398 	isec->sid = newsid;
3399 	isec->initialized = LABEL_INITIALIZED;
3400 	spin_unlock(&isec->lock);
3401 
3402 	return;
3403 }
3404 
selinux_inode_getxattr(struct dentry * dentry,const char * name)3405 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3406 {
3407 	const struct cred *cred = current_cred();
3408 
3409 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3410 }
3411 
selinux_inode_listxattr(struct dentry * dentry)3412 static int selinux_inode_listxattr(struct dentry *dentry)
3413 {
3414 	const struct cred *cred = current_cred();
3415 
3416 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3417 }
3418 
selinux_inode_removexattr(struct user_namespace * mnt_userns,struct dentry * dentry,const char * name)3419 static int selinux_inode_removexattr(struct user_namespace *mnt_userns,
3420 				     struct dentry *dentry, const char *name)
3421 {
3422 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3423 		int rc = cap_inode_removexattr(mnt_userns, dentry, name);
3424 		if (rc)
3425 			return rc;
3426 
3427 		/* Not an attribute we recognize, so just check the
3428 		   ordinary setattr permission. */
3429 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3430 	}
3431 
3432 	if (!selinux_initialized(&selinux_state))
3433 		return 0;
3434 
3435 	/* No one is allowed to remove a SELinux security label.
3436 	   You can change the label, but all data must be labeled. */
3437 	return -EACCES;
3438 }
3439 
selinux_path_notify(const struct path * path,u64 mask,unsigned int obj_type)3440 static int selinux_path_notify(const struct path *path, u64 mask,
3441 						unsigned int obj_type)
3442 {
3443 	int ret;
3444 	u32 perm;
3445 
3446 	struct common_audit_data ad;
3447 
3448 	ad.type = LSM_AUDIT_DATA_PATH;
3449 	ad.u.path = *path;
3450 
3451 	/*
3452 	 * Set permission needed based on the type of mark being set.
3453 	 * Performs an additional check for sb watches.
3454 	 */
3455 	switch (obj_type) {
3456 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3457 		perm = FILE__WATCH_MOUNT;
3458 		break;
3459 	case FSNOTIFY_OBJ_TYPE_SB:
3460 		perm = FILE__WATCH_SB;
3461 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3462 						FILESYSTEM__WATCH, &ad);
3463 		if (ret)
3464 			return ret;
3465 		break;
3466 	case FSNOTIFY_OBJ_TYPE_INODE:
3467 		perm = FILE__WATCH;
3468 		break;
3469 	default:
3470 		return -EINVAL;
3471 	}
3472 
3473 	/* blocking watches require the file:watch_with_perm permission */
3474 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3475 		perm |= FILE__WATCH_WITH_PERM;
3476 
3477 	/* watches on read-like events need the file:watch_reads permission */
3478 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3479 		perm |= FILE__WATCH_READS;
3480 
3481 	return path_has_perm(current_cred(), path, perm);
3482 }
3483 
3484 /*
3485  * Copy the inode security context value to the user.
3486  *
3487  * Permission check is handled by selinux_inode_getxattr hook.
3488  */
selinux_inode_getsecurity(struct user_namespace * mnt_userns,struct inode * inode,const char * name,void ** buffer,bool alloc)3489 static int selinux_inode_getsecurity(struct user_namespace *mnt_userns,
3490 				     struct inode *inode, const char *name,
3491 				     void **buffer, bool alloc)
3492 {
3493 	u32 size;
3494 	int error;
3495 	char *context = NULL;
3496 	struct inode_security_struct *isec;
3497 
3498 	/*
3499 	 * If we're not initialized yet, then we can't validate contexts, so
3500 	 * just let vfs_getxattr fall back to using the on-disk xattr.
3501 	 */
3502 	if (!selinux_initialized(&selinux_state) ||
3503 	    strcmp(name, XATTR_SELINUX_SUFFIX))
3504 		return -EOPNOTSUPP;
3505 
3506 	/*
3507 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3508 	 * value even if it is not defined by current policy; otherwise,
3509 	 * use the in-core value under current policy.
3510 	 * Use the non-auditing forms of the permission checks since
3511 	 * getxattr may be called by unprivileged processes commonly
3512 	 * and lack of permission just means that we fall back to the
3513 	 * in-core context value, not a denial.
3514 	 */
3515 	isec = inode_security(inode);
3516 	if (has_cap_mac_admin(false))
3517 		error = security_sid_to_context_force(&selinux_state,
3518 						      isec->sid, &context,
3519 						      &size);
3520 	else
3521 		error = security_sid_to_context(&selinux_state, isec->sid,
3522 						&context, &size);
3523 	if (error)
3524 		return error;
3525 	error = size;
3526 	if (alloc) {
3527 		*buffer = context;
3528 		goto out_nofree;
3529 	}
3530 	kfree(context);
3531 out_nofree:
3532 	return error;
3533 }
3534 
selinux_inode_setsecurity(struct inode * inode,const char * name,const void * value,size_t size,int flags)3535 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3536 				     const void *value, size_t size, int flags)
3537 {
3538 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3539 	struct superblock_security_struct *sbsec;
3540 	u32 newsid;
3541 	int rc;
3542 
3543 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3544 		return -EOPNOTSUPP;
3545 
3546 	sbsec = selinux_superblock(inode->i_sb);
3547 	if (!(sbsec->flags & SBLABEL_MNT))
3548 		return -EOPNOTSUPP;
3549 
3550 	if (!value || !size)
3551 		return -EACCES;
3552 
3553 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3554 				     GFP_KERNEL);
3555 	if (rc)
3556 		return rc;
3557 
3558 	spin_lock(&isec->lock);
3559 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3560 	isec->sid = newsid;
3561 	isec->initialized = LABEL_INITIALIZED;
3562 	spin_unlock(&isec->lock);
3563 	return 0;
3564 }
3565 
selinux_inode_listsecurity(struct inode * inode,char * buffer,size_t buffer_size)3566 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3567 {
3568 	const int len = sizeof(XATTR_NAME_SELINUX);
3569 
3570 	if (!selinux_initialized(&selinux_state))
3571 		return 0;
3572 
3573 	if (buffer && len <= buffer_size)
3574 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3575 	return len;
3576 }
3577 
selinux_inode_getsecid(struct inode * inode,u32 * secid)3578 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3579 {
3580 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3581 	*secid = isec->sid;
3582 }
3583 
selinux_inode_copy_up(struct dentry * src,struct cred ** new)3584 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3585 {
3586 	u32 sid;
3587 	struct task_security_struct *tsec;
3588 	struct cred *new_creds = *new;
3589 
3590 	if (new_creds == NULL) {
3591 		new_creds = prepare_creds();
3592 		if (!new_creds)
3593 			return -ENOMEM;
3594 	}
3595 
3596 	tsec = selinux_cred(new_creds);
3597 	/* Get label from overlay inode and set it in create_sid */
3598 	selinux_inode_getsecid(d_inode(src), &sid);
3599 	tsec->create_sid = sid;
3600 	*new = new_creds;
3601 	return 0;
3602 }
3603 
selinux_inode_copy_up_xattr(const char * name)3604 static int selinux_inode_copy_up_xattr(const char *name)
3605 {
3606 	/* The copy_up hook above sets the initial context on an inode, but we
3607 	 * don't then want to overwrite it by blindly copying all the lower
3608 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3609 	 */
3610 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3611 		return 1; /* Discard */
3612 	/*
3613 	 * Any other attribute apart from SELINUX is not claimed, supported
3614 	 * by selinux.
3615 	 */
3616 	return -EOPNOTSUPP;
3617 }
3618 
3619 /* kernfs node operations */
3620 
selinux_kernfs_init_security(struct kernfs_node * kn_dir,struct kernfs_node * kn)3621 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3622 					struct kernfs_node *kn)
3623 {
3624 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3625 	u32 parent_sid, newsid, clen;
3626 	int rc;
3627 	char *context;
3628 
3629 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3630 	if (rc == -ENODATA)
3631 		return 0;
3632 	else if (rc < 0)
3633 		return rc;
3634 
3635 	clen = (u32)rc;
3636 	context = kmalloc(clen, GFP_KERNEL);
3637 	if (!context)
3638 		return -ENOMEM;
3639 
3640 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3641 	if (rc < 0) {
3642 		kfree(context);
3643 		return rc;
3644 	}
3645 
3646 	rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3647 				     GFP_KERNEL);
3648 	kfree(context);
3649 	if (rc)
3650 		return rc;
3651 
3652 	if (tsec->create_sid) {
3653 		newsid = tsec->create_sid;
3654 	} else {
3655 		u16 secclass = inode_mode_to_security_class(kn->mode);
3656 		struct qstr q;
3657 
3658 		q.name = kn->name;
3659 		q.hash_len = hashlen_string(kn_dir, kn->name);
3660 
3661 		rc = security_transition_sid(&selinux_state, tsec->sid,
3662 					     parent_sid, secclass, &q,
3663 					     &newsid);
3664 		if (rc)
3665 			return rc;
3666 	}
3667 
3668 	rc = security_sid_to_context_force(&selinux_state, newsid,
3669 					   &context, &clen);
3670 	if (rc)
3671 		return rc;
3672 
3673 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3674 			      XATTR_CREATE);
3675 	kfree(context);
3676 	return rc;
3677 }
3678 
3679 
3680 /* file security operations */
3681 
selinux_revalidate_file_permission(struct file * file,int mask)3682 static int selinux_revalidate_file_permission(struct file *file, int mask)
3683 {
3684 	const struct cred *cred = current_cred();
3685 	struct inode *inode = file_inode(file);
3686 
3687 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3688 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3689 		mask |= MAY_APPEND;
3690 
3691 	return file_has_perm(cred, file,
3692 			     file_mask_to_av(inode->i_mode, mask));
3693 }
3694 
selinux_file_permission(struct file * file,int mask)3695 static int selinux_file_permission(struct file *file, int mask)
3696 {
3697 	struct inode *inode = file_inode(file);
3698 	struct file_security_struct *fsec = selinux_file(file);
3699 	struct inode_security_struct *isec;
3700 	u32 sid = current_sid();
3701 
3702 	if (!mask)
3703 		/* No permission to check.  Existence test. */
3704 		return 0;
3705 
3706 	isec = inode_security(inode);
3707 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3708 	    fsec->pseqno == avc_policy_seqno(&selinux_state))
3709 		/* No change since file_open check. */
3710 		return 0;
3711 
3712 	return selinux_revalidate_file_permission(file, mask);
3713 }
3714 
selinux_file_alloc_security(struct file * file)3715 static int selinux_file_alloc_security(struct file *file)
3716 {
3717 	struct file_security_struct *fsec = selinux_file(file);
3718 	u32 sid = current_sid();
3719 
3720 	fsec->sid = sid;
3721 	fsec->fown_sid = sid;
3722 
3723 	return 0;
3724 }
3725 
3726 /*
3727  * Check whether a task has the ioctl permission and cmd
3728  * operation to an inode.
3729  */
ioctl_has_perm(const struct cred * cred,struct file * file,u32 requested,u16 cmd)3730 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3731 		u32 requested, u16 cmd)
3732 {
3733 	struct common_audit_data ad;
3734 	struct file_security_struct *fsec = selinux_file(file);
3735 	struct inode *inode = file_inode(file);
3736 	struct inode_security_struct *isec;
3737 	struct lsm_ioctlop_audit ioctl;
3738 	u32 ssid = cred_sid(cred);
3739 	int rc;
3740 	u8 driver = cmd >> 8;
3741 	u8 xperm = cmd & 0xff;
3742 
3743 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3744 	ad.u.op = &ioctl;
3745 	ad.u.op->cmd = cmd;
3746 	ad.u.op->path = file->f_path;
3747 
3748 	if (ssid != fsec->sid) {
3749 		rc = avc_has_perm(&selinux_state,
3750 				  ssid, fsec->sid,
3751 				SECCLASS_FD,
3752 				FD__USE,
3753 				&ad);
3754 		if (rc)
3755 			goto out;
3756 	}
3757 
3758 	if (unlikely(IS_PRIVATE(inode)))
3759 		return 0;
3760 
3761 	isec = inode_security(inode);
3762 	rc = avc_has_extended_perms(&selinux_state,
3763 				    ssid, isec->sid, isec->sclass,
3764 				    requested, driver, xperm, &ad);
3765 out:
3766 	return rc;
3767 }
3768 
selinux_file_ioctl(struct file * file,unsigned int cmd,unsigned long arg)3769 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3770 			      unsigned long arg)
3771 {
3772 	const struct cred *cred = current_cred();
3773 	int error = 0;
3774 
3775 	switch (cmd) {
3776 	case FIONREAD:
3777 	case FIBMAP:
3778 	case FIGETBSZ:
3779 	case FS_IOC_GETFLAGS:
3780 	case FS_IOC_GETVERSION:
3781 		error = file_has_perm(cred, file, FILE__GETATTR);
3782 		break;
3783 
3784 	case FS_IOC_SETFLAGS:
3785 	case FS_IOC_SETVERSION:
3786 		error = file_has_perm(cred, file, FILE__SETATTR);
3787 		break;
3788 
3789 	/* sys_ioctl() checks */
3790 	case FIONBIO:
3791 	case FIOASYNC:
3792 		error = file_has_perm(cred, file, 0);
3793 		break;
3794 
3795 	case KDSKBENT:
3796 	case KDSKBSENT:
3797 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3798 					    CAP_OPT_NONE, true);
3799 		break;
3800 
3801 	/* default case assumes that the command will go
3802 	 * to the file's ioctl() function.
3803 	 */
3804 	default:
3805 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3806 	}
3807 	return error;
3808 }
3809 
3810 static int default_noexec __ro_after_init;
3811 
file_map_prot_check(struct file * file,unsigned long prot,int shared)3812 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3813 {
3814 	const struct cred *cred = current_cred();
3815 	u32 sid = cred_sid(cred);
3816 	int rc = 0;
3817 
3818 	if (default_noexec &&
3819 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3820 				   (!shared && (prot & PROT_WRITE)))) {
3821 		/*
3822 		 * We are making executable an anonymous mapping or a
3823 		 * private file mapping that will also be writable.
3824 		 * This has an additional check.
3825 		 */
3826 		rc = avc_has_perm(&selinux_state,
3827 				  sid, sid, SECCLASS_PROCESS,
3828 				  PROCESS__EXECMEM, NULL);
3829 		if (rc)
3830 			goto error;
3831 	}
3832 
3833 	if (file) {
3834 		/* read access is always possible with a mapping */
3835 		u32 av = FILE__READ;
3836 
3837 		/* write access only matters if the mapping is shared */
3838 		if (shared && (prot & PROT_WRITE))
3839 			av |= FILE__WRITE;
3840 
3841 		if (prot & PROT_EXEC)
3842 			av |= FILE__EXECUTE;
3843 
3844 		return file_has_perm(cred, file, av);
3845 	}
3846 
3847 error:
3848 	return rc;
3849 }
3850 
selinux_mmap_addr(unsigned long addr)3851 static int selinux_mmap_addr(unsigned long addr)
3852 {
3853 	int rc = 0;
3854 
3855 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3856 		u32 sid = current_sid();
3857 		rc = avc_has_perm(&selinux_state,
3858 				  sid, sid, SECCLASS_MEMPROTECT,
3859 				  MEMPROTECT__MMAP_ZERO, NULL);
3860 	}
3861 
3862 	return rc;
3863 }
3864 
selinux_mmap_file(struct file * file,unsigned long reqprot,unsigned long prot,unsigned long flags)3865 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3866 			     unsigned long prot, unsigned long flags)
3867 {
3868 	struct common_audit_data ad;
3869 	int rc;
3870 
3871 	if (file) {
3872 		ad.type = LSM_AUDIT_DATA_FILE;
3873 		ad.u.file = file;
3874 		rc = inode_has_perm(current_cred(), file_inode(file),
3875 				    FILE__MAP, &ad);
3876 		if (rc)
3877 			return rc;
3878 	}
3879 
3880 	if (checkreqprot_get(&selinux_state))
3881 		prot = reqprot;
3882 
3883 	return file_map_prot_check(file, prot,
3884 				   (flags & MAP_TYPE) == MAP_SHARED);
3885 }
3886 
selinux_file_mprotect(struct vm_area_struct * vma,unsigned long reqprot,unsigned long prot)3887 static int selinux_file_mprotect(struct vm_area_struct *vma,
3888 				 unsigned long reqprot,
3889 				 unsigned long prot)
3890 {
3891 	const struct cred *cred = current_cred();
3892 	u32 sid = cred_sid(cred);
3893 
3894 	if (checkreqprot_get(&selinux_state))
3895 		prot = reqprot;
3896 
3897 	if (default_noexec &&
3898 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3899 		int rc = 0;
3900 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3901 		    vma->vm_end <= vma->vm_mm->brk) {
3902 			rc = avc_has_perm(&selinux_state,
3903 					  sid, sid, SECCLASS_PROCESS,
3904 					  PROCESS__EXECHEAP, NULL);
3905 		} else if (!vma->vm_file &&
3906 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3907 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3908 			    vma_is_stack_for_current(vma))) {
3909 			rc = avc_has_perm(&selinux_state,
3910 					  sid, sid, SECCLASS_PROCESS,
3911 					  PROCESS__EXECSTACK, NULL);
3912 		} else if (vma->vm_file && vma->anon_vma) {
3913 			/*
3914 			 * We are making executable a file mapping that has
3915 			 * had some COW done. Since pages might have been
3916 			 * written, check ability to execute the possibly
3917 			 * modified content.  This typically should only
3918 			 * occur for text relocations.
3919 			 */
3920 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3921 		}
3922 		if (rc)
3923 			return rc;
3924 	}
3925 
3926 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3927 }
3928 
selinux_file_lock(struct file * file,unsigned int cmd)3929 static int selinux_file_lock(struct file *file, unsigned int cmd)
3930 {
3931 	const struct cred *cred = current_cred();
3932 
3933 	return file_has_perm(cred, file, FILE__LOCK);
3934 }
3935 
selinux_file_fcntl(struct file * file,unsigned int cmd,unsigned long arg)3936 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3937 			      unsigned long arg)
3938 {
3939 	const struct cred *cred = current_cred();
3940 	int err = 0;
3941 
3942 	switch (cmd) {
3943 	case F_SETFL:
3944 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3945 			err = file_has_perm(cred, file, FILE__WRITE);
3946 			break;
3947 		}
3948 		fallthrough;
3949 	case F_SETOWN:
3950 	case F_SETSIG:
3951 	case F_GETFL:
3952 	case F_GETOWN:
3953 	case F_GETSIG:
3954 	case F_GETOWNER_UIDS:
3955 		/* Just check FD__USE permission */
3956 		err = file_has_perm(cred, file, 0);
3957 		break;
3958 	case F_GETLK:
3959 	case F_SETLK:
3960 	case F_SETLKW:
3961 	case F_OFD_GETLK:
3962 	case F_OFD_SETLK:
3963 	case F_OFD_SETLKW:
3964 #if BITS_PER_LONG == 32
3965 	case F_GETLK64:
3966 	case F_SETLK64:
3967 	case F_SETLKW64:
3968 #endif
3969 		err = file_has_perm(cred, file, FILE__LOCK);
3970 		break;
3971 	}
3972 
3973 	return err;
3974 }
3975 
selinux_file_set_fowner(struct file * file)3976 static void selinux_file_set_fowner(struct file *file)
3977 {
3978 	struct file_security_struct *fsec;
3979 
3980 	fsec = selinux_file(file);
3981 	fsec->fown_sid = current_sid();
3982 }
3983 
selinux_file_send_sigiotask(struct task_struct * tsk,struct fown_struct * fown,int signum)3984 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3985 				       struct fown_struct *fown, int signum)
3986 {
3987 	struct file *file;
3988 	u32 sid = task_sid_obj(tsk);
3989 	u32 perm;
3990 	struct file_security_struct *fsec;
3991 
3992 	/* struct fown_struct is never outside the context of a struct file */
3993 	file = container_of(fown, struct file, f_owner);
3994 
3995 	fsec = selinux_file(file);
3996 
3997 	if (!signum)
3998 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3999 	else
4000 		perm = signal_to_av(signum);
4001 
4002 	return avc_has_perm(&selinux_state,
4003 			    fsec->fown_sid, sid,
4004 			    SECCLASS_PROCESS, perm, NULL);
4005 }
4006 
selinux_file_receive(struct file * file)4007 static int selinux_file_receive(struct file *file)
4008 {
4009 	const struct cred *cred = current_cred();
4010 
4011 	return file_has_perm(cred, file, file_to_av(file));
4012 }
4013 
selinux_file_open(struct file * file)4014 static int selinux_file_open(struct file *file)
4015 {
4016 	struct file_security_struct *fsec;
4017 	struct inode_security_struct *isec;
4018 
4019 	fsec = selinux_file(file);
4020 	isec = inode_security(file_inode(file));
4021 	/*
4022 	 * Save inode label and policy sequence number
4023 	 * at open-time so that selinux_file_permission
4024 	 * can determine whether revalidation is necessary.
4025 	 * Task label is already saved in the file security
4026 	 * struct as its SID.
4027 	 */
4028 	fsec->isid = isec->sid;
4029 	fsec->pseqno = avc_policy_seqno(&selinux_state);
4030 	/*
4031 	 * Since the inode label or policy seqno may have changed
4032 	 * between the selinux_inode_permission check and the saving
4033 	 * of state above, recheck that access is still permitted.
4034 	 * Otherwise, access might never be revalidated against the
4035 	 * new inode label or new policy.
4036 	 * This check is not redundant - do not remove.
4037 	 */
4038 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
4039 }
4040 
4041 /* task security operations */
4042 
selinux_task_alloc(struct task_struct * task,unsigned long clone_flags)4043 static int selinux_task_alloc(struct task_struct *task,
4044 			      unsigned long clone_flags)
4045 {
4046 	u32 sid = current_sid();
4047 
4048 	return avc_has_perm(&selinux_state,
4049 			    sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
4050 }
4051 
4052 /*
4053  * prepare a new set of credentials for modification
4054  */
selinux_cred_prepare(struct cred * new,const struct cred * old,gfp_t gfp)4055 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
4056 				gfp_t gfp)
4057 {
4058 	const struct task_security_struct *old_tsec = selinux_cred(old);
4059 	struct task_security_struct *tsec = selinux_cred(new);
4060 
4061 	*tsec = *old_tsec;
4062 	return 0;
4063 }
4064 
4065 /*
4066  * transfer the SELinux data to a blank set of creds
4067  */
selinux_cred_transfer(struct cred * new,const struct cred * old)4068 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4069 {
4070 	const struct task_security_struct *old_tsec = selinux_cred(old);
4071 	struct task_security_struct *tsec = selinux_cred(new);
4072 
4073 	*tsec = *old_tsec;
4074 }
4075 
selinux_cred_getsecid(const struct cred * c,u32 * secid)4076 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4077 {
4078 	*secid = cred_sid(c);
4079 }
4080 
4081 /*
4082  * set the security data for a kernel service
4083  * - all the creation contexts are set to unlabelled
4084  */
selinux_kernel_act_as(struct cred * new,u32 secid)4085 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4086 {
4087 	struct task_security_struct *tsec = selinux_cred(new);
4088 	u32 sid = current_sid();
4089 	int ret;
4090 
4091 	ret = avc_has_perm(&selinux_state,
4092 			   sid, secid,
4093 			   SECCLASS_KERNEL_SERVICE,
4094 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
4095 			   NULL);
4096 	if (ret == 0) {
4097 		tsec->sid = secid;
4098 		tsec->create_sid = 0;
4099 		tsec->keycreate_sid = 0;
4100 		tsec->sockcreate_sid = 0;
4101 	}
4102 	return ret;
4103 }
4104 
4105 /*
4106  * set the file creation context in a security record to the same as the
4107  * objective context of the specified inode
4108  */
selinux_kernel_create_files_as(struct cred * new,struct inode * inode)4109 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4110 {
4111 	struct inode_security_struct *isec = inode_security(inode);
4112 	struct task_security_struct *tsec = selinux_cred(new);
4113 	u32 sid = current_sid();
4114 	int ret;
4115 
4116 	ret = avc_has_perm(&selinux_state,
4117 			   sid, isec->sid,
4118 			   SECCLASS_KERNEL_SERVICE,
4119 			   KERNEL_SERVICE__CREATE_FILES_AS,
4120 			   NULL);
4121 
4122 	if (ret == 0)
4123 		tsec->create_sid = isec->sid;
4124 	return ret;
4125 }
4126 
selinux_kernel_module_request(char * kmod_name)4127 static int selinux_kernel_module_request(char *kmod_name)
4128 {
4129 	struct common_audit_data ad;
4130 
4131 	ad.type = LSM_AUDIT_DATA_KMOD;
4132 	ad.u.kmod_name = kmod_name;
4133 
4134 	return avc_has_perm(&selinux_state,
4135 			    current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4136 			    SYSTEM__MODULE_REQUEST, &ad);
4137 }
4138 
selinux_kernel_module_from_file(struct file * file)4139 static int selinux_kernel_module_from_file(struct file *file)
4140 {
4141 	struct common_audit_data ad;
4142 	struct inode_security_struct *isec;
4143 	struct file_security_struct *fsec;
4144 	u32 sid = current_sid();
4145 	int rc;
4146 
4147 	/* init_module */
4148 	if (file == NULL)
4149 		return avc_has_perm(&selinux_state,
4150 				    sid, sid, SECCLASS_SYSTEM,
4151 					SYSTEM__MODULE_LOAD, NULL);
4152 
4153 	/* finit_module */
4154 
4155 	ad.type = LSM_AUDIT_DATA_FILE;
4156 	ad.u.file = file;
4157 
4158 	fsec = selinux_file(file);
4159 	if (sid != fsec->sid) {
4160 		rc = avc_has_perm(&selinux_state,
4161 				  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4162 		if (rc)
4163 			return rc;
4164 	}
4165 
4166 	isec = inode_security(file_inode(file));
4167 	return avc_has_perm(&selinux_state,
4168 			    sid, isec->sid, SECCLASS_SYSTEM,
4169 				SYSTEM__MODULE_LOAD, &ad);
4170 }
4171 
selinux_kernel_read_file(struct file * file,enum kernel_read_file_id id,bool contents)4172 static int selinux_kernel_read_file(struct file *file,
4173 				    enum kernel_read_file_id id,
4174 				    bool contents)
4175 {
4176 	int rc = 0;
4177 
4178 	switch (id) {
4179 	case READING_MODULE:
4180 		rc = selinux_kernel_module_from_file(contents ? file : NULL);
4181 		break;
4182 	default:
4183 		break;
4184 	}
4185 
4186 	return rc;
4187 }
4188 
selinux_kernel_load_data(enum kernel_load_data_id id,bool contents)4189 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4190 {
4191 	int rc = 0;
4192 
4193 	switch (id) {
4194 	case LOADING_MODULE:
4195 		rc = selinux_kernel_module_from_file(NULL);
4196 		break;
4197 	default:
4198 		break;
4199 	}
4200 
4201 	return rc;
4202 }
4203 
selinux_task_setpgid(struct task_struct * p,pid_t pgid)4204 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4205 {
4206 	return avc_has_perm(&selinux_state,
4207 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4208 			    PROCESS__SETPGID, NULL);
4209 }
4210 
selinux_task_getpgid(struct task_struct * p)4211 static int selinux_task_getpgid(struct task_struct *p)
4212 {
4213 	return avc_has_perm(&selinux_state,
4214 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4215 			    PROCESS__GETPGID, NULL);
4216 }
4217 
selinux_task_getsid(struct task_struct * p)4218 static int selinux_task_getsid(struct task_struct *p)
4219 {
4220 	return avc_has_perm(&selinux_state,
4221 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4222 			    PROCESS__GETSESSION, NULL);
4223 }
4224 
selinux_task_getsecid_subj(struct task_struct * p,u32 * secid)4225 static void selinux_task_getsecid_subj(struct task_struct *p, u32 *secid)
4226 {
4227 	*secid = task_sid_subj(p);
4228 }
4229 
selinux_task_getsecid_obj(struct task_struct * p,u32 * secid)4230 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4231 {
4232 	*secid = task_sid_obj(p);
4233 }
4234 
selinux_task_setnice(struct task_struct * p,int nice)4235 static int selinux_task_setnice(struct task_struct *p, int nice)
4236 {
4237 	return avc_has_perm(&selinux_state,
4238 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4239 			    PROCESS__SETSCHED, NULL);
4240 }
4241 
selinux_task_setioprio(struct task_struct * p,int ioprio)4242 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4243 {
4244 	return avc_has_perm(&selinux_state,
4245 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4246 			    PROCESS__SETSCHED, NULL);
4247 }
4248 
selinux_task_getioprio(struct task_struct * p)4249 static int selinux_task_getioprio(struct task_struct *p)
4250 {
4251 	return avc_has_perm(&selinux_state,
4252 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4253 			    PROCESS__GETSCHED, NULL);
4254 }
4255 
selinux_task_prlimit(const struct cred * cred,const struct cred * tcred,unsigned int flags)4256 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4257 				unsigned int flags)
4258 {
4259 	u32 av = 0;
4260 
4261 	if (!flags)
4262 		return 0;
4263 	if (flags & LSM_PRLIMIT_WRITE)
4264 		av |= PROCESS__SETRLIMIT;
4265 	if (flags & LSM_PRLIMIT_READ)
4266 		av |= PROCESS__GETRLIMIT;
4267 	return avc_has_perm(&selinux_state,
4268 			    cred_sid(cred), cred_sid(tcred),
4269 			    SECCLASS_PROCESS, av, NULL);
4270 }
4271 
selinux_task_setrlimit(struct task_struct * p,unsigned int resource,struct rlimit * new_rlim)4272 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4273 		struct rlimit *new_rlim)
4274 {
4275 	struct rlimit *old_rlim = p->signal->rlim + resource;
4276 
4277 	/* Control the ability to change the hard limit (whether
4278 	   lowering or raising it), so that the hard limit can
4279 	   later be used as a safe reset point for the soft limit
4280 	   upon context transitions.  See selinux_bprm_committing_creds. */
4281 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4282 		return avc_has_perm(&selinux_state,
4283 				    current_sid(), task_sid_obj(p),
4284 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4285 
4286 	return 0;
4287 }
4288 
selinux_task_setscheduler(struct task_struct * p)4289 static int selinux_task_setscheduler(struct task_struct *p)
4290 {
4291 	return avc_has_perm(&selinux_state,
4292 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4293 			    PROCESS__SETSCHED, NULL);
4294 }
4295 
selinux_task_getscheduler(struct task_struct * p)4296 static int selinux_task_getscheduler(struct task_struct *p)
4297 {
4298 	return avc_has_perm(&selinux_state,
4299 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4300 			    PROCESS__GETSCHED, NULL);
4301 }
4302 
selinux_task_movememory(struct task_struct * p)4303 static int selinux_task_movememory(struct task_struct *p)
4304 {
4305 	return avc_has_perm(&selinux_state,
4306 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4307 			    PROCESS__SETSCHED, NULL);
4308 }
4309 
selinux_task_kill(struct task_struct * p,struct kernel_siginfo * info,int sig,const struct cred * cred)4310 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4311 				int sig, const struct cred *cred)
4312 {
4313 	u32 secid;
4314 	u32 perm;
4315 
4316 	if (!sig)
4317 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4318 	else
4319 		perm = signal_to_av(sig);
4320 	if (!cred)
4321 		secid = current_sid();
4322 	else
4323 		secid = cred_sid(cred);
4324 	return avc_has_perm(&selinux_state,
4325 			    secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4326 }
4327 
selinux_task_to_inode(struct task_struct * p,struct inode * inode)4328 static void selinux_task_to_inode(struct task_struct *p,
4329 				  struct inode *inode)
4330 {
4331 	struct inode_security_struct *isec = selinux_inode(inode);
4332 	u32 sid = task_sid_obj(p);
4333 
4334 	spin_lock(&isec->lock);
4335 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4336 	isec->sid = sid;
4337 	isec->initialized = LABEL_INITIALIZED;
4338 	spin_unlock(&isec->lock);
4339 }
4340 
4341 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv4(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4342 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4343 			struct common_audit_data *ad, u8 *proto)
4344 {
4345 	int offset, ihlen, ret = -EINVAL;
4346 	struct iphdr _iph, *ih;
4347 
4348 	offset = skb_network_offset(skb);
4349 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4350 	if (ih == NULL)
4351 		goto out;
4352 
4353 	ihlen = ih->ihl * 4;
4354 	if (ihlen < sizeof(_iph))
4355 		goto out;
4356 
4357 	ad->u.net->v4info.saddr = ih->saddr;
4358 	ad->u.net->v4info.daddr = ih->daddr;
4359 	ret = 0;
4360 
4361 	if (proto)
4362 		*proto = ih->protocol;
4363 
4364 	switch (ih->protocol) {
4365 	case IPPROTO_TCP: {
4366 		struct tcphdr _tcph, *th;
4367 
4368 		if (ntohs(ih->frag_off) & IP_OFFSET)
4369 			break;
4370 
4371 		offset += ihlen;
4372 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4373 		if (th == NULL)
4374 			break;
4375 
4376 		ad->u.net->sport = th->source;
4377 		ad->u.net->dport = th->dest;
4378 		break;
4379 	}
4380 
4381 	case IPPROTO_UDP: {
4382 		struct udphdr _udph, *uh;
4383 
4384 		if (ntohs(ih->frag_off) & IP_OFFSET)
4385 			break;
4386 
4387 		offset += ihlen;
4388 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4389 		if (uh == NULL)
4390 			break;
4391 
4392 		ad->u.net->sport = uh->source;
4393 		ad->u.net->dport = uh->dest;
4394 		break;
4395 	}
4396 
4397 	case IPPROTO_DCCP: {
4398 		struct dccp_hdr _dccph, *dh;
4399 
4400 		if (ntohs(ih->frag_off) & IP_OFFSET)
4401 			break;
4402 
4403 		offset += ihlen;
4404 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4405 		if (dh == NULL)
4406 			break;
4407 
4408 		ad->u.net->sport = dh->dccph_sport;
4409 		ad->u.net->dport = dh->dccph_dport;
4410 		break;
4411 	}
4412 
4413 #if IS_ENABLED(CONFIG_IP_SCTP)
4414 	case IPPROTO_SCTP: {
4415 		struct sctphdr _sctph, *sh;
4416 
4417 		if (ntohs(ih->frag_off) & IP_OFFSET)
4418 			break;
4419 
4420 		offset += ihlen;
4421 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4422 		if (sh == NULL)
4423 			break;
4424 
4425 		ad->u.net->sport = sh->source;
4426 		ad->u.net->dport = sh->dest;
4427 		break;
4428 	}
4429 #endif
4430 	default:
4431 		break;
4432 	}
4433 out:
4434 	return ret;
4435 }
4436 
4437 #if IS_ENABLED(CONFIG_IPV6)
4438 
4439 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv6(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4440 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4441 			struct common_audit_data *ad, u8 *proto)
4442 {
4443 	u8 nexthdr;
4444 	int ret = -EINVAL, offset;
4445 	struct ipv6hdr _ipv6h, *ip6;
4446 	__be16 frag_off;
4447 
4448 	offset = skb_network_offset(skb);
4449 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4450 	if (ip6 == NULL)
4451 		goto out;
4452 
4453 	ad->u.net->v6info.saddr = ip6->saddr;
4454 	ad->u.net->v6info.daddr = ip6->daddr;
4455 	ret = 0;
4456 
4457 	nexthdr = ip6->nexthdr;
4458 	offset += sizeof(_ipv6h);
4459 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4460 	if (offset < 0)
4461 		goto out;
4462 
4463 	if (proto)
4464 		*proto = nexthdr;
4465 
4466 	switch (nexthdr) {
4467 	case IPPROTO_TCP: {
4468 		struct tcphdr _tcph, *th;
4469 
4470 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4471 		if (th == NULL)
4472 			break;
4473 
4474 		ad->u.net->sport = th->source;
4475 		ad->u.net->dport = th->dest;
4476 		break;
4477 	}
4478 
4479 	case IPPROTO_UDP: {
4480 		struct udphdr _udph, *uh;
4481 
4482 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4483 		if (uh == NULL)
4484 			break;
4485 
4486 		ad->u.net->sport = uh->source;
4487 		ad->u.net->dport = uh->dest;
4488 		break;
4489 	}
4490 
4491 	case IPPROTO_DCCP: {
4492 		struct dccp_hdr _dccph, *dh;
4493 
4494 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4495 		if (dh == NULL)
4496 			break;
4497 
4498 		ad->u.net->sport = dh->dccph_sport;
4499 		ad->u.net->dport = dh->dccph_dport;
4500 		break;
4501 	}
4502 
4503 #if IS_ENABLED(CONFIG_IP_SCTP)
4504 	case IPPROTO_SCTP: {
4505 		struct sctphdr _sctph, *sh;
4506 
4507 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4508 		if (sh == NULL)
4509 			break;
4510 
4511 		ad->u.net->sport = sh->source;
4512 		ad->u.net->dport = sh->dest;
4513 		break;
4514 	}
4515 #endif
4516 	/* includes fragments */
4517 	default:
4518 		break;
4519 	}
4520 out:
4521 	return ret;
4522 }
4523 
4524 #endif /* IPV6 */
4525 
selinux_parse_skb(struct sk_buff * skb,struct common_audit_data * ad,char ** _addrp,int src,u8 * proto)4526 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4527 			     char **_addrp, int src, u8 *proto)
4528 {
4529 	char *addrp;
4530 	int ret;
4531 
4532 	switch (ad->u.net->family) {
4533 	case PF_INET:
4534 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4535 		if (ret)
4536 			goto parse_error;
4537 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4538 				       &ad->u.net->v4info.daddr);
4539 		goto okay;
4540 
4541 #if IS_ENABLED(CONFIG_IPV6)
4542 	case PF_INET6:
4543 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4544 		if (ret)
4545 			goto parse_error;
4546 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4547 				       &ad->u.net->v6info.daddr);
4548 		goto okay;
4549 #endif	/* IPV6 */
4550 	default:
4551 		addrp = NULL;
4552 		goto okay;
4553 	}
4554 
4555 parse_error:
4556 	pr_warn(
4557 	       "SELinux: failure in selinux_parse_skb(),"
4558 	       " unable to parse packet\n");
4559 	return ret;
4560 
4561 okay:
4562 	if (_addrp)
4563 		*_addrp = addrp;
4564 	return 0;
4565 }
4566 
4567 /**
4568  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4569  * @skb: the packet
4570  * @family: protocol family
4571  * @sid: the packet's peer label SID
4572  *
4573  * Description:
4574  * Check the various different forms of network peer labeling and determine
4575  * the peer label/SID for the packet; most of the magic actually occurs in
4576  * the security server function security_net_peersid_cmp().  The function
4577  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4578  * or -EACCES if @sid is invalid due to inconsistencies with the different
4579  * peer labels.
4580  *
4581  */
selinux_skb_peerlbl_sid(struct sk_buff * skb,u16 family,u32 * sid)4582 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4583 {
4584 	int err;
4585 	u32 xfrm_sid;
4586 	u32 nlbl_sid;
4587 	u32 nlbl_type;
4588 
4589 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4590 	if (unlikely(err))
4591 		return -EACCES;
4592 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4593 	if (unlikely(err))
4594 		return -EACCES;
4595 
4596 	err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4597 					   nlbl_type, xfrm_sid, sid);
4598 	if (unlikely(err)) {
4599 		pr_warn(
4600 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4601 		       " unable to determine packet's peer label\n");
4602 		return -EACCES;
4603 	}
4604 
4605 	return 0;
4606 }
4607 
4608 /**
4609  * selinux_conn_sid - Determine the child socket label for a connection
4610  * @sk_sid: the parent socket's SID
4611  * @skb_sid: the packet's SID
4612  * @conn_sid: the resulting connection SID
4613  *
4614  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4615  * combined with the MLS information from @skb_sid in order to create
4616  * @conn_sid.  If @skb_sid is not valid then @conn_sid is simply a copy
4617  * of @sk_sid.  Returns zero on success, negative values on failure.
4618  *
4619  */
selinux_conn_sid(u32 sk_sid,u32 skb_sid,u32 * conn_sid)4620 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4621 {
4622 	int err = 0;
4623 
4624 	if (skb_sid != SECSID_NULL)
4625 		err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4626 					    conn_sid);
4627 	else
4628 		*conn_sid = sk_sid;
4629 
4630 	return err;
4631 }
4632 
4633 /* socket security operations */
4634 
socket_sockcreate_sid(const struct task_security_struct * tsec,u16 secclass,u32 * socksid)4635 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4636 				 u16 secclass, u32 *socksid)
4637 {
4638 	if (tsec->sockcreate_sid > SECSID_NULL) {
4639 		*socksid = tsec->sockcreate_sid;
4640 		return 0;
4641 	}
4642 
4643 	return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4644 				       secclass, NULL, socksid);
4645 }
4646 
sock_has_perm(struct sock * sk,u32 perms)4647 static int sock_has_perm(struct sock *sk, u32 perms)
4648 {
4649 	struct sk_security_struct *sksec = sk->sk_security;
4650 	struct common_audit_data ad;
4651 	struct lsm_network_audit net = {0,};
4652 
4653 	if (sksec->sid == SECINITSID_KERNEL)
4654 		return 0;
4655 
4656 	ad.type = LSM_AUDIT_DATA_NET;
4657 	ad.u.net = &net;
4658 	ad.u.net->sk = sk;
4659 
4660 	return avc_has_perm(&selinux_state,
4661 			    current_sid(), sksec->sid, sksec->sclass, perms,
4662 			    &ad);
4663 }
4664 
selinux_socket_create(int family,int type,int protocol,int kern)4665 static int selinux_socket_create(int family, int type,
4666 				 int protocol, int kern)
4667 {
4668 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4669 	u32 newsid;
4670 	u16 secclass;
4671 	int rc;
4672 
4673 	if (kern)
4674 		return 0;
4675 
4676 	secclass = socket_type_to_security_class(family, type, protocol);
4677 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4678 	if (rc)
4679 		return rc;
4680 
4681 	return avc_has_perm(&selinux_state,
4682 			    tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4683 }
4684 
selinux_socket_post_create(struct socket * sock,int family,int type,int protocol,int kern)4685 static int selinux_socket_post_create(struct socket *sock, int family,
4686 				      int type, int protocol, int kern)
4687 {
4688 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4689 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4690 	struct sk_security_struct *sksec;
4691 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4692 	u32 sid = SECINITSID_KERNEL;
4693 	int err = 0;
4694 
4695 	if (!kern) {
4696 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4697 		if (err)
4698 			return err;
4699 	}
4700 
4701 	isec->sclass = sclass;
4702 	isec->sid = sid;
4703 	isec->initialized = LABEL_INITIALIZED;
4704 
4705 	if (sock->sk) {
4706 		sksec = sock->sk->sk_security;
4707 		sksec->sclass = sclass;
4708 		sksec->sid = sid;
4709 		/* Allows detection of the first association on this socket */
4710 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4711 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4712 
4713 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4714 	}
4715 
4716 	return err;
4717 }
4718 
selinux_socket_socketpair(struct socket * socka,struct socket * sockb)4719 static int selinux_socket_socketpair(struct socket *socka,
4720 				     struct socket *sockb)
4721 {
4722 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4723 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4724 
4725 	sksec_a->peer_sid = sksec_b->sid;
4726 	sksec_b->peer_sid = sksec_a->sid;
4727 
4728 	return 0;
4729 }
4730 
4731 /* Range of port numbers used to automatically bind.
4732    Need to determine whether we should perform a name_bind
4733    permission check between the socket and the port number. */
4734 
selinux_socket_bind(struct socket * sock,struct sockaddr * address,int addrlen)4735 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4736 {
4737 	struct sock *sk = sock->sk;
4738 	struct sk_security_struct *sksec = sk->sk_security;
4739 	u16 family;
4740 	int err;
4741 
4742 	err = sock_has_perm(sk, SOCKET__BIND);
4743 	if (err)
4744 		goto out;
4745 
4746 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4747 	family = sk->sk_family;
4748 	if (family == PF_INET || family == PF_INET6) {
4749 		char *addrp;
4750 		struct common_audit_data ad;
4751 		struct lsm_network_audit net = {0,};
4752 		struct sockaddr_in *addr4 = NULL;
4753 		struct sockaddr_in6 *addr6 = NULL;
4754 		u16 family_sa;
4755 		unsigned short snum;
4756 		u32 sid, node_perm;
4757 
4758 		/*
4759 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4760 		 * that validates multiple binding addresses. Because of this
4761 		 * need to check address->sa_family as it is possible to have
4762 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4763 		 */
4764 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4765 			return -EINVAL;
4766 		family_sa = address->sa_family;
4767 		switch (family_sa) {
4768 		case AF_UNSPEC:
4769 		case AF_INET:
4770 			if (addrlen < sizeof(struct sockaddr_in))
4771 				return -EINVAL;
4772 			addr4 = (struct sockaddr_in *)address;
4773 			if (family_sa == AF_UNSPEC) {
4774 				/* see __inet_bind(), we only want to allow
4775 				 * AF_UNSPEC if the address is INADDR_ANY
4776 				 */
4777 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4778 					goto err_af;
4779 				family_sa = AF_INET;
4780 			}
4781 			snum = ntohs(addr4->sin_port);
4782 			addrp = (char *)&addr4->sin_addr.s_addr;
4783 			break;
4784 		case AF_INET6:
4785 			if (addrlen < SIN6_LEN_RFC2133)
4786 				return -EINVAL;
4787 			addr6 = (struct sockaddr_in6 *)address;
4788 			snum = ntohs(addr6->sin6_port);
4789 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4790 			break;
4791 		default:
4792 			goto err_af;
4793 		}
4794 
4795 		ad.type = LSM_AUDIT_DATA_NET;
4796 		ad.u.net = &net;
4797 		ad.u.net->sport = htons(snum);
4798 		ad.u.net->family = family_sa;
4799 
4800 		if (snum) {
4801 			int low, high;
4802 
4803 			inet_get_local_port_range(sock_net(sk), &low, &high);
4804 
4805 			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4806 			    snum < low || snum > high) {
4807 				err = sel_netport_sid(sk->sk_protocol,
4808 						      snum, &sid);
4809 				if (err)
4810 					goto out;
4811 				err = avc_has_perm(&selinux_state,
4812 						   sksec->sid, sid,
4813 						   sksec->sclass,
4814 						   SOCKET__NAME_BIND, &ad);
4815 				if (err)
4816 					goto out;
4817 			}
4818 		}
4819 
4820 		switch (sksec->sclass) {
4821 		case SECCLASS_TCP_SOCKET:
4822 			node_perm = TCP_SOCKET__NODE_BIND;
4823 			break;
4824 
4825 		case SECCLASS_UDP_SOCKET:
4826 			node_perm = UDP_SOCKET__NODE_BIND;
4827 			break;
4828 
4829 		case SECCLASS_DCCP_SOCKET:
4830 			node_perm = DCCP_SOCKET__NODE_BIND;
4831 			break;
4832 
4833 		case SECCLASS_SCTP_SOCKET:
4834 			node_perm = SCTP_SOCKET__NODE_BIND;
4835 			break;
4836 
4837 		default:
4838 			node_perm = RAWIP_SOCKET__NODE_BIND;
4839 			break;
4840 		}
4841 
4842 		err = sel_netnode_sid(addrp, family_sa, &sid);
4843 		if (err)
4844 			goto out;
4845 
4846 		if (family_sa == AF_INET)
4847 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4848 		else
4849 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4850 
4851 		err = avc_has_perm(&selinux_state,
4852 				   sksec->sid, sid,
4853 				   sksec->sclass, node_perm, &ad);
4854 		if (err)
4855 			goto out;
4856 	}
4857 out:
4858 	return err;
4859 err_af:
4860 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4861 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4862 		return -EINVAL;
4863 	return -EAFNOSUPPORT;
4864 }
4865 
4866 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4867  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4868  */
selinux_socket_connect_helper(struct socket * sock,struct sockaddr * address,int addrlen)4869 static int selinux_socket_connect_helper(struct socket *sock,
4870 					 struct sockaddr *address, int addrlen)
4871 {
4872 	struct sock *sk = sock->sk;
4873 	struct sk_security_struct *sksec = sk->sk_security;
4874 	int err;
4875 
4876 	err = sock_has_perm(sk, SOCKET__CONNECT);
4877 	if (err)
4878 		return err;
4879 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4880 		return -EINVAL;
4881 
4882 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4883 	 * way to disconnect the socket
4884 	 */
4885 	if (address->sa_family == AF_UNSPEC)
4886 		return 0;
4887 
4888 	/*
4889 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4890 	 * for the port.
4891 	 */
4892 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4893 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4894 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4895 		struct common_audit_data ad;
4896 		struct lsm_network_audit net = {0,};
4897 		struct sockaddr_in *addr4 = NULL;
4898 		struct sockaddr_in6 *addr6 = NULL;
4899 		unsigned short snum;
4900 		u32 sid, perm;
4901 
4902 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4903 		 * that validates multiple connect addresses. Because of this
4904 		 * need to check address->sa_family as it is possible to have
4905 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4906 		 */
4907 		switch (address->sa_family) {
4908 		case AF_INET:
4909 			addr4 = (struct sockaddr_in *)address;
4910 			if (addrlen < sizeof(struct sockaddr_in))
4911 				return -EINVAL;
4912 			snum = ntohs(addr4->sin_port);
4913 			break;
4914 		case AF_INET6:
4915 			addr6 = (struct sockaddr_in6 *)address;
4916 			if (addrlen < SIN6_LEN_RFC2133)
4917 				return -EINVAL;
4918 			snum = ntohs(addr6->sin6_port);
4919 			break;
4920 		default:
4921 			/* Note that SCTP services expect -EINVAL, whereas
4922 			 * others expect -EAFNOSUPPORT.
4923 			 */
4924 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4925 				return -EINVAL;
4926 			else
4927 				return -EAFNOSUPPORT;
4928 		}
4929 
4930 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4931 		if (err)
4932 			return err;
4933 
4934 		switch (sksec->sclass) {
4935 		case SECCLASS_TCP_SOCKET:
4936 			perm = TCP_SOCKET__NAME_CONNECT;
4937 			break;
4938 		case SECCLASS_DCCP_SOCKET:
4939 			perm = DCCP_SOCKET__NAME_CONNECT;
4940 			break;
4941 		case SECCLASS_SCTP_SOCKET:
4942 			perm = SCTP_SOCKET__NAME_CONNECT;
4943 			break;
4944 		}
4945 
4946 		ad.type = LSM_AUDIT_DATA_NET;
4947 		ad.u.net = &net;
4948 		ad.u.net->dport = htons(snum);
4949 		ad.u.net->family = address->sa_family;
4950 		err = avc_has_perm(&selinux_state,
4951 				   sksec->sid, sid, sksec->sclass, perm, &ad);
4952 		if (err)
4953 			return err;
4954 	}
4955 
4956 	return 0;
4957 }
4958 
4959 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
selinux_socket_connect(struct socket * sock,struct sockaddr * address,int addrlen)4960 static int selinux_socket_connect(struct socket *sock,
4961 				  struct sockaddr *address, int addrlen)
4962 {
4963 	int err;
4964 	struct sock *sk = sock->sk;
4965 
4966 	err = selinux_socket_connect_helper(sock, address, addrlen);
4967 	if (err)
4968 		return err;
4969 
4970 	return selinux_netlbl_socket_connect(sk, address);
4971 }
4972 
selinux_socket_listen(struct socket * sock,int backlog)4973 static int selinux_socket_listen(struct socket *sock, int backlog)
4974 {
4975 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4976 }
4977 
selinux_socket_accept(struct socket * sock,struct socket * newsock)4978 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4979 {
4980 	int err;
4981 	struct inode_security_struct *isec;
4982 	struct inode_security_struct *newisec;
4983 	u16 sclass;
4984 	u32 sid;
4985 
4986 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4987 	if (err)
4988 		return err;
4989 
4990 	isec = inode_security_novalidate(SOCK_INODE(sock));
4991 	spin_lock(&isec->lock);
4992 	sclass = isec->sclass;
4993 	sid = isec->sid;
4994 	spin_unlock(&isec->lock);
4995 
4996 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4997 	newisec->sclass = sclass;
4998 	newisec->sid = sid;
4999 	newisec->initialized = LABEL_INITIALIZED;
5000 
5001 	return 0;
5002 }
5003 
selinux_socket_sendmsg(struct socket * sock,struct msghdr * msg,int size)5004 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
5005 				  int size)
5006 {
5007 	return sock_has_perm(sock->sk, SOCKET__WRITE);
5008 }
5009 
selinux_socket_recvmsg(struct socket * sock,struct msghdr * msg,int size,int flags)5010 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
5011 				  int size, int flags)
5012 {
5013 	return sock_has_perm(sock->sk, SOCKET__READ);
5014 }
5015 
selinux_socket_getsockname(struct socket * sock)5016 static int selinux_socket_getsockname(struct socket *sock)
5017 {
5018 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
5019 }
5020 
selinux_socket_getpeername(struct socket * sock)5021 static int selinux_socket_getpeername(struct socket *sock)
5022 {
5023 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
5024 }
5025 
selinux_socket_setsockopt(struct socket * sock,int level,int optname)5026 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
5027 {
5028 	int err;
5029 
5030 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
5031 	if (err)
5032 		return err;
5033 
5034 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
5035 }
5036 
selinux_socket_getsockopt(struct socket * sock,int level,int optname)5037 static int selinux_socket_getsockopt(struct socket *sock, int level,
5038 				     int optname)
5039 {
5040 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
5041 }
5042 
selinux_socket_shutdown(struct socket * sock,int how)5043 static int selinux_socket_shutdown(struct socket *sock, int how)
5044 {
5045 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
5046 }
5047 
selinux_socket_unix_stream_connect(struct sock * sock,struct sock * other,struct sock * newsk)5048 static int selinux_socket_unix_stream_connect(struct sock *sock,
5049 					      struct sock *other,
5050 					      struct sock *newsk)
5051 {
5052 	struct sk_security_struct *sksec_sock = sock->sk_security;
5053 	struct sk_security_struct *sksec_other = other->sk_security;
5054 	struct sk_security_struct *sksec_new = newsk->sk_security;
5055 	struct common_audit_data ad;
5056 	struct lsm_network_audit net = {0,};
5057 	int err;
5058 
5059 	ad.type = LSM_AUDIT_DATA_NET;
5060 	ad.u.net = &net;
5061 	ad.u.net->sk = other;
5062 
5063 	err = avc_has_perm(&selinux_state,
5064 			   sksec_sock->sid, sksec_other->sid,
5065 			   sksec_other->sclass,
5066 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
5067 	if (err)
5068 		return err;
5069 
5070 	/* server child socket */
5071 	sksec_new->peer_sid = sksec_sock->sid;
5072 	err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
5073 				    sksec_sock->sid, &sksec_new->sid);
5074 	if (err)
5075 		return err;
5076 
5077 	/* connecting socket */
5078 	sksec_sock->peer_sid = sksec_new->sid;
5079 
5080 	return 0;
5081 }
5082 
selinux_socket_unix_may_send(struct socket * sock,struct socket * other)5083 static int selinux_socket_unix_may_send(struct socket *sock,
5084 					struct socket *other)
5085 {
5086 	struct sk_security_struct *ssec = sock->sk->sk_security;
5087 	struct sk_security_struct *osec = other->sk->sk_security;
5088 	struct common_audit_data ad;
5089 	struct lsm_network_audit net = {0,};
5090 
5091 	ad.type = LSM_AUDIT_DATA_NET;
5092 	ad.u.net = &net;
5093 	ad.u.net->sk = other->sk;
5094 
5095 	return avc_has_perm(&selinux_state,
5096 			    ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5097 			    &ad);
5098 }
5099 
selinux_inet_sys_rcv_skb(struct net * ns,int ifindex,char * addrp,u16 family,u32 peer_sid,struct common_audit_data * ad)5100 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5101 				    char *addrp, u16 family, u32 peer_sid,
5102 				    struct common_audit_data *ad)
5103 {
5104 	int err;
5105 	u32 if_sid;
5106 	u32 node_sid;
5107 
5108 	err = sel_netif_sid(ns, ifindex, &if_sid);
5109 	if (err)
5110 		return err;
5111 	err = avc_has_perm(&selinux_state,
5112 			   peer_sid, if_sid,
5113 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
5114 	if (err)
5115 		return err;
5116 
5117 	err = sel_netnode_sid(addrp, family, &node_sid);
5118 	if (err)
5119 		return err;
5120 	return avc_has_perm(&selinux_state,
5121 			    peer_sid, node_sid,
5122 			    SECCLASS_NODE, NODE__RECVFROM, ad);
5123 }
5124 
selinux_sock_rcv_skb_compat(struct sock * sk,struct sk_buff * skb,u16 family)5125 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5126 				       u16 family)
5127 {
5128 	int err = 0;
5129 	struct sk_security_struct *sksec = sk->sk_security;
5130 	u32 sk_sid = sksec->sid;
5131 	struct common_audit_data ad;
5132 	struct lsm_network_audit net = {0,};
5133 	char *addrp;
5134 
5135 	ad.type = LSM_AUDIT_DATA_NET;
5136 	ad.u.net = &net;
5137 	ad.u.net->netif = skb->skb_iif;
5138 	ad.u.net->family = family;
5139 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5140 	if (err)
5141 		return err;
5142 
5143 	if (selinux_secmark_enabled()) {
5144 		err = avc_has_perm(&selinux_state,
5145 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5146 				   PACKET__RECV, &ad);
5147 		if (err)
5148 			return err;
5149 	}
5150 
5151 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5152 	if (err)
5153 		return err;
5154 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5155 
5156 	return err;
5157 }
5158 
selinux_socket_sock_rcv_skb(struct sock * sk,struct sk_buff * skb)5159 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5160 {
5161 	int err;
5162 	struct sk_security_struct *sksec = sk->sk_security;
5163 	u16 family = sk->sk_family;
5164 	u32 sk_sid = sksec->sid;
5165 	struct common_audit_data ad;
5166 	struct lsm_network_audit net = {0,};
5167 	char *addrp;
5168 	u8 secmark_active;
5169 	u8 peerlbl_active;
5170 
5171 	if (family != PF_INET && family != PF_INET6)
5172 		return 0;
5173 
5174 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5175 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5176 		family = PF_INET;
5177 
5178 	/* If any sort of compatibility mode is enabled then handoff processing
5179 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5180 	 * special handling.  We do this in an attempt to keep this function
5181 	 * as fast and as clean as possible. */
5182 	if (!selinux_policycap_netpeer())
5183 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5184 
5185 	secmark_active = selinux_secmark_enabled();
5186 	peerlbl_active = selinux_peerlbl_enabled();
5187 	if (!secmark_active && !peerlbl_active)
5188 		return 0;
5189 
5190 	ad.type = LSM_AUDIT_DATA_NET;
5191 	ad.u.net = &net;
5192 	ad.u.net->netif = skb->skb_iif;
5193 	ad.u.net->family = family;
5194 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5195 	if (err)
5196 		return err;
5197 
5198 	if (peerlbl_active) {
5199 		u32 peer_sid;
5200 
5201 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5202 		if (err)
5203 			return err;
5204 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5205 					       addrp, family, peer_sid, &ad);
5206 		if (err) {
5207 			selinux_netlbl_err(skb, family, err, 0);
5208 			return err;
5209 		}
5210 		err = avc_has_perm(&selinux_state,
5211 				   sk_sid, peer_sid, SECCLASS_PEER,
5212 				   PEER__RECV, &ad);
5213 		if (err) {
5214 			selinux_netlbl_err(skb, family, err, 0);
5215 			return err;
5216 		}
5217 	}
5218 
5219 	if (secmark_active) {
5220 		err = avc_has_perm(&selinux_state,
5221 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5222 				   PACKET__RECV, &ad);
5223 		if (err)
5224 			return err;
5225 	}
5226 
5227 	return err;
5228 }
5229 
selinux_socket_getpeersec_stream(struct socket * sock,char __user * optval,int __user * optlen,unsigned len)5230 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5231 					    int __user *optlen, unsigned len)
5232 {
5233 	int err = 0;
5234 	char *scontext;
5235 	u32 scontext_len;
5236 	struct sk_security_struct *sksec = sock->sk->sk_security;
5237 	u32 peer_sid = SECSID_NULL;
5238 
5239 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5240 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5241 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5242 		peer_sid = sksec->peer_sid;
5243 	if (peer_sid == SECSID_NULL)
5244 		return -ENOPROTOOPT;
5245 
5246 	err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5247 				      &scontext_len);
5248 	if (err)
5249 		return err;
5250 
5251 	if (scontext_len > len) {
5252 		err = -ERANGE;
5253 		goto out_len;
5254 	}
5255 
5256 	if (copy_to_user(optval, scontext, scontext_len))
5257 		err = -EFAULT;
5258 
5259 out_len:
5260 	if (put_user(scontext_len, optlen))
5261 		err = -EFAULT;
5262 	kfree(scontext);
5263 	return err;
5264 }
5265 
selinux_socket_getpeersec_dgram(struct socket * sock,struct sk_buff * skb,u32 * secid)5266 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5267 {
5268 	u32 peer_secid = SECSID_NULL;
5269 	u16 family;
5270 	struct inode_security_struct *isec;
5271 
5272 	if (skb && skb->protocol == htons(ETH_P_IP))
5273 		family = PF_INET;
5274 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5275 		family = PF_INET6;
5276 	else if (sock)
5277 		family = sock->sk->sk_family;
5278 	else
5279 		goto out;
5280 
5281 	if (sock && family == PF_UNIX) {
5282 		isec = inode_security_novalidate(SOCK_INODE(sock));
5283 		peer_secid = isec->sid;
5284 	} else if (skb)
5285 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5286 
5287 out:
5288 	*secid = peer_secid;
5289 	if (peer_secid == SECSID_NULL)
5290 		return -EINVAL;
5291 	return 0;
5292 }
5293 
selinux_sk_alloc_security(struct sock * sk,int family,gfp_t priority)5294 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5295 {
5296 	struct sk_security_struct *sksec;
5297 
5298 	sksec = kzalloc(sizeof(*sksec), priority);
5299 	if (!sksec)
5300 		return -ENOMEM;
5301 
5302 	sksec->peer_sid = SECINITSID_UNLABELED;
5303 	sksec->sid = SECINITSID_UNLABELED;
5304 	sksec->sclass = SECCLASS_SOCKET;
5305 	selinux_netlbl_sk_security_reset(sksec);
5306 	sk->sk_security = sksec;
5307 
5308 	return 0;
5309 }
5310 
selinux_sk_free_security(struct sock * sk)5311 static void selinux_sk_free_security(struct sock *sk)
5312 {
5313 	struct sk_security_struct *sksec = sk->sk_security;
5314 
5315 	sk->sk_security = NULL;
5316 	selinux_netlbl_sk_security_free(sksec);
5317 	kfree(sksec);
5318 }
5319 
selinux_sk_clone_security(const struct sock * sk,struct sock * newsk)5320 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5321 {
5322 	struct sk_security_struct *sksec = sk->sk_security;
5323 	struct sk_security_struct *newsksec = newsk->sk_security;
5324 
5325 	newsksec->sid = sksec->sid;
5326 	newsksec->peer_sid = sksec->peer_sid;
5327 	newsksec->sclass = sksec->sclass;
5328 
5329 	selinux_netlbl_sk_security_reset(newsksec);
5330 }
5331 
selinux_sk_getsecid(struct sock * sk,u32 * secid)5332 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5333 {
5334 	if (!sk)
5335 		*secid = SECINITSID_ANY_SOCKET;
5336 	else {
5337 		struct sk_security_struct *sksec = sk->sk_security;
5338 
5339 		*secid = sksec->sid;
5340 	}
5341 }
5342 
selinux_sock_graft(struct sock * sk,struct socket * parent)5343 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5344 {
5345 	struct inode_security_struct *isec =
5346 		inode_security_novalidate(SOCK_INODE(parent));
5347 	struct sk_security_struct *sksec = sk->sk_security;
5348 
5349 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5350 	    sk->sk_family == PF_UNIX)
5351 		isec->sid = sksec->sid;
5352 	sksec->sclass = isec->sclass;
5353 }
5354 
5355 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5356  * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5357  * already present).
5358  */
selinux_sctp_assoc_request(struct sctp_endpoint * ep,struct sk_buff * skb)5359 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5360 				      struct sk_buff *skb)
5361 {
5362 	struct sk_security_struct *sksec = ep->base.sk->sk_security;
5363 	struct common_audit_data ad;
5364 	struct lsm_network_audit net = {0,};
5365 	u8 peerlbl_active;
5366 	u32 peer_sid = SECINITSID_UNLABELED;
5367 	u32 conn_sid;
5368 	int err = 0;
5369 
5370 	if (!selinux_policycap_extsockclass())
5371 		return 0;
5372 
5373 	peerlbl_active = selinux_peerlbl_enabled();
5374 
5375 	if (peerlbl_active) {
5376 		/* This will return peer_sid = SECSID_NULL if there are
5377 		 * no peer labels, see security_net_peersid_resolve().
5378 		 */
5379 		err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5380 					      &peer_sid);
5381 		if (err)
5382 			return err;
5383 
5384 		if (peer_sid == SECSID_NULL)
5385 			peer_sid = SECINITSID_UNLABELED;
5386 	}
5387 
5388 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5389 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5390 
5391 		/* Here as first association on socket. As the peer SID
5392 		 * was allowed by peer recv (and the netif/node checks),
5393 		 * then it is approved by policy and used as the primary
5394 		 * peer SID for getpeercon(3).
5395 		 */
5396 		sksec->peer_sid = peer_sid;
5397 	} else if  (sksec->peer_sid != peer_sid) {
5398 		/* Other association peer SIDs are checked to enforce
5399 		 * consistency among the peer SIDs.
5400 		 */
5401 		ad.type = LSM_AUDIT_DATA_NET;
5402 		ad.u.net = &net;
5403 		ad.u.net->sk = ep->base.sk;
5404 		err = avc_has_perm(&selinux_state,
5405 				   sksec->peer_sid, peer_sid, sksec->sclass,
5406 				   SCTP_SOCKET__ASSOCIATION, &ad);
5407 		if (err)
5408 			return err;
5409 	}
5410 
5411 	/* Compute the MLS component for the connection and store
5412 	 * the information in ep. This will be used by SCTP TCP type
5413 	 * sockets and peeled off connections as they cause a new
5414 	 * socket to be generated. selinux_sctp_sk_clone() will then
5415 	 * plug this into the new socket.
5416 	 */
5417 	err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5418 	if (err)
5419 		return err;
5420 
5421 	ep->secid = conn_sid;
5422 	ep->peer_secid = peer_sid;
5423 
5424 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5425 	return selinux_netlbl_sctp_assoc_request(ep, skb);
5426 }
5427 
5428 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5429  * based on their @optname.
5430  */
selinux_sctp_bind_connect(struct sock * sk,int optname,struct sockaddr * address,int addrlen)5431 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5432 				     struct sockaddr *address,
5433 				     int addrlen)
5434 {
5435 	int len, err = 0, walk_size = 0;
5436 	void *addr_buf;
5437 	struct sockaddr *addr;
5438 	struct socket *sock;
5439 
5440 	if (!selinux_policycap_extsockclass())
5441 		return 0;
5442 
5443 	/* Process one or more addresses that may be IPv4 or IPv6 */
5444 	sock = sk->sk_socket;
5445 	addr_buf = address;
5446 
5447 	while (walk_size < addrlen) {
5448 		if (walk_size + sizeof(sa_family_t) > addrlen)
5449 			return -EINVAL;
5450 
5451 		addr = addr_buf;
5452 		switch (addr->sa_family) {
5453 		case AF_UNSPEC:
5454 		case AF_INET:
5455 			len = sizeof(struct sockaddr_in);
5456 			break;
5457 		case AF_INET6:
5458 			len = sizeof(struct sockaddr_in6);
5459 			break;
5460 		default:
5461 			return -EINVAL;
5462 		}
5463 
5464 		if (walk_size + len > addrlen)
5465 			return -EINVAL;
5466 
5467 		err = -EINVAL;
5468 		switch (optname) {
5469 		/* Bind checks */
5470 		case SCTP_PRIMARY_ADDR:
5471 		case SCTP_SET_PEER_PRIMARY_ADDR:
5472 		case SCTP_SOCKOPT_BINDX_ADD:
5473 			err = selinux_socket_bind(sock, addr, len);
5474 			break;
5475 		/* Connect checks */
5476 		case SCTP_SOCKOPT_CONNECTX:
5477 		case SCTP_PARAM_SET_PRIMARY:
5478 		case SCTP_PARAM_ADD_IP:
5479 		case SCTP_SENDMSG_CONNECT:
5480 			err = selinux_socket_connect_helper(sock, addr, len);
5481 			if (err)
5482 				return err;
5483 
5484 			/* As selinux_sctp_bind_connect() is called by the
5485 			 * SCTP protocol layer, the socket is already locked,
5486 			 * therefore selinux_netlbl_socket_connect_locked()
5487 			 * is called here. The situations handled are:
5488 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5489 			 * whenever a new IP address is added or when a new
5490 			 * primary address is selected.
5491 			 * Note that an SCTP connect(2) call happens before
5492 			 * the SCTP protocol layer and is handled via
5493 			 * selinux_socket_connect().
5494 			 */
5495 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5496 			break;
5497 		}
5498 
5499 		if (err)
5500 			return err;
5501 
5502 		addr_buf += len;
5503 		walk_size += len;
5504 	}
5505 
5506 	return 0;
5507 }
5508 
5509 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
selinux_sctp_sk_clone(struct sctp_endpoint * ep,struct sock * sk,struct sock * newsk)5510 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5511 				  struct sock *newsk)
5512 {
5513 	struct sk_security_struct *sksec = sk->sk_security;
5514 	struct sk_security_struct *newsksec = newsk->sk_security;
5515 
5516 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5517 	 * the non-sctp clone version.
5518 	 */
5519 	if (!selinux_policycap_extsockclass())
5520 		return selinux_sk_clone_security(sk, newsk);
5521 
5522 	newsksec->sid = ep->secid;
5523 	newsksec->peer_sid = ep->peer_secid;
5524 	newsksec->sclass = sksec->sclass;
5525 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5526 }
5527 
selinux_inet_conn_request(const struct sock * sk,struct sk_buff * skb,struct request_sock * req)5528 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5529 				     struct request_sock *req)
5530 {
5531 	struct sk_security_struct *sksec = sk->sk_security;
5532 	int err;
5533 	u16 family = req->rsk_ops->family;
5534 	u32 connsid;
5535 	u32 peersid;
5536 
5537 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5538 	if (err)
5539 		return err;
5540 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5541 	if (err)
5542 		return err;
5543 	req->secid = connsid;
5544 	req->peer_secid = peersid;
5545 
5546 	return selinux_netlbl_inet_conn_request(req, family);
5547 }
5548 
selinux_inet_csk_clone(struct sock * newsk,const struct request_sock * req)5549 static void selinux_inet_csk_clone(struct sock *newsk,
5550 				   const struct request_sock *req)
5551 {
5552 	struct sk_security_struct *newsksec = newsk->sk_security;
5553 
5554 	newsksec->sid = req->secid;
5555 	newsksec->peer_sid = req->peer_secid;
5556 	/* NOTE: Ideally, we should also get the isec->sid for the
5557 	   new socket in sync, but we don't have the isec available yet.
5558 	   So we will wait until sock_graft to do it, by which
5559 	   time it will have been created and available. */
5560 
5561 	/* We don't need to take any sort of lock here as we are the only
5562 	 * thread with access to newsksec */
5563 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5564 }
5565 
selinux_inet_conn_established(struct sock * sk,struct sk_buff * skb)5566 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5567 {
5568 	u16 family = sk->sk_family;
5569 	struct sk_security_struct *sksec = sk->sk_security;
5570 
5571 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5572 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5573 		family = PF_INET;
5574 
5575 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5576 }
5577 
selinux_secmark_relabel_packet(u32 sid)5578 static int selinux_secmark_relabel_packet(u32 sid)
5579 {
5580 	const struct task_security_struct *__tsec;
5581 	u32 tsid;
5582 
5583 	__tsec = selinux_cred(current_cred());
5584 	tsid = __tsec->sid;
5585 
5586 	return avc_has_perm(&selinux_state,
5587 			    tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5588 			    NULL);
5589 }
5590 
selinux_secmark_refcount_inc(void)5591 static void selinux_secmark_refcount_inc(void)
5592 {
5593 	atomic_inc(&selinux_secmark_refcount);
5594 }
5595 
selinux_secmark_refcount_dec(void)5596 static void selinux_secmark_refcount_dec(void)
5597 {
5598 	atomic_dec(&selinux_secmark_refcount);
5599 }
5600 
selinux_req_classify_flow(const struct request_sock * req,struct flowi_common * flic)5601 static void selinux_req_classify_flow(const struct request_sock *req,
5602 				      struct flowi_common *flic)
5603 {
5604 	flic->flowic_secid = req->secid;
5605 }
5606 
selinux_tun_dev_alloc_security(void ** security)5607 static int selinux_tun_dev_alloc_security(void **security)
5608 {
5609 	struct tun_security_struct *tunsec;
5610 
5611 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5612 	if (!tunsec)
5613 		return -ENOMEM;
5614 	tunsec->sid = current_sid();
5615 
5616 	*security = tunsec;
5617 	return 0;
5618 }
5619 
selinux_tun_dev_free_security(void * security)5620 static void selinux_tun_dev_free_security(void *security)
5621 {
5622 	kfree(security);
5623 }
5624 
selinux_tun_dev_create(void)5625 static int selinux_tun_dev_create(void)
5626 {
5627 	u32 sid = current_sid();
5628 
5629 	/* we aren't taking into account the "sockcreate" SID since the socket
5630 	 * that is being created here is not a socket in the traditional sense,
5631 	 * instead it is a private sock, accessible only to the kernel, and
5632 	 * representing a wide range of network traffic spanning multiple
5633 	 * connections unlike traditional sockets - check the TUN driver to
5634 	 * get a better understanding of why this socket is special */
5635 
5636 	return avc_has_perm(&selinux_state,
5637 			    sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5638 			    NULL);
5639 }
5640 
selinux_tun_dev_attach_queue(void * security)5641 static int selinux_tun_dev_attach_queue(void *security)
5642 {
5643 	struct tun_security_struct *tunsec = security;
5644 
5645 	return avc_has_perm(&selinux_state,
5646 			    current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5647 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5648 }
5649 
selinux_tun_dev_attach(struct sock * sk,void * security)5650 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5651 {
5652 	struct tun_security_struct *tunsec = security;
5653 	struct sk_security_struct *sksec = sk->sk_security;
5654 
5655 	/* we don't currently perform any NetLabel based labeling here and it
5656 	 * isn't clear that we would want to do so anyway; while we could apply
5657 	 * labeling without the support of the TUN user the resulting labeled
5658 	 * traffic from the other end of the connection would almost certainly
5659 	 * cause confusion to the TUN user that had no idea network labeling
5660 	 * protocols were being used */
5661 
5662 	sksec->sid = tunsec->sid;
5663 	sksec->sclass = SECCLASS_TUN_SOCKET;
5664 
5665 	return 0;
5666 }
5667 
selinux_tun_dev_open(void * security)5668 static int selinux_tun_dev_open(void *security)
5669 {
5670 	struct tun_security_struct *tunsec = security;
5671 	u32 sid = current_sid();
5672 	int err;
5673 
5674 	err = avc_has_perm(&selinux_state,
5675 			   sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5676 			   TUN_SOCKET__RELABELFROM, NULL);
5677 	if (err)
5678 		return err;
5679 	err = avc_has_perm(&selinux_state,
5680 			   sid, sid, SECCLASS_TUN_SOCKET,
5681 			   TUN_SOCKET__RELABELTO, NULL);
5682 	if (err)
5683 		return err;
5684 	tunsec->sid = sid;
5685 
5686 	return 0;
5687 }
5688 
5689 #ifdef CONFIG_NETFILTER
5690 
selinux_ip_forward(struct sk_buff * skb,const struct net_device * indev,u16 family)5691 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5692 				       const struct net_device *indev,
5693 				       u16 family)
5694 {
5695 	int err;
5696 	char *addrp;
5697 	u32 peer_sid;
5698 	struct common_audit_data ad;
5699 	struct lsm_network_audit net = {0,};
5700 	u8 secmark_active;
5701 	u8 netlbl_active;
5702 	u8 peerlbl_active;
5703 
5704 	if (!selinux_policycap_netpeer())
5705 		return NF_ACCEPT;
5706 
5707 	secmark_active = selinux_secmark_enabled();
5708 	netlbl_active = netlbl_enabled();
5709 	peerlbl_active = selinux_peerlbl_enabled();
5710 	if (!secmark_active && !peerlbl_active)
5711 		return NF_ACCEPT;
5712 
5713 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5714 		return NF_DROP;
5715 
5716 	ad.type = LSM_AUDIT_DATA_NET;
5717 	ad.u.net = &net;
5718 	ad.u.net->netif = indev->ifindex;
5719 	ad.u.net->family = family;
5720 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5721 		return NF_DROP;
5722 
5723 	if (peerlbl_active) {
5724 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5725 					       addrp, family, peer_sid, &ad);
5726 		if (err) {
5727 			selinux_netlbl_err(skb, family, err, 1);
5728 			return NF_DROP;
5729 		}
5730 	}
5731 
5732 	if (secmark_active)
5733 		if (avc_has_perm(&selinux_state,
5734 				 peer_sid, skb->secmark,
5735 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5736 			return NF_DROP;
5737 
5738 	if (netlbl_active)
5739 		/* we do this in the FORWARD path and not the POST_ROUTING
5740 		 * path because we want to make sure we apply the necessary
5741 		 * labeling before IPsec is applied so we can leverage AH
5742 		 * protection */
5743 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5744 			return NF_DROP;
5745 
5746 	return NF_ACCEPT;
5747 }
5748 
selinux_ipv4_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5749 static unsigned int selinux_ipv4_forward(void *priv,
5750 					 struct sk_buff *skb,
5751 					 const struct nf_hook_state *state)
5752 {
5753 	return selinux_ip_forward(skb, state->in, PF_INET);
5754 }
5755 
5756 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5757 static unsigned int selinux_ipv6_forward(void *priv,
5758 					 struct sk_buff *skb,
5759 					 const struct nf_hook_state *state)
5760 {
5761 	return selinux_ip_forward(skb, state->in, PF_INET6);
5762 }
5763 #endif	/* IPV6 */
5764 
selinux_ip_output(struct sk_buff * skb,u16 family)5765 static unsigned int selinux_ip_output(struct sk_buff *skb,
5766 				      u16 family)
5767 {
5768 	struct sock *sk;
5769 	u32 sid;
5770 
5771 	if (!netlbl_enabled())
5772 		return NF_ACCEPT;
5773 
5774 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5775 	 * because we want to make sure we apply the necessary labeling
5776 	 * before IPsec is applied so we can leverage AH protection */
5777 	sk = skb->sk;
5778 	if (sk) {
5779 		struct sk_security_struct *sksec;
5780 
5781 		if (sk_listener(sk))
5782 			/* if the socket is the listening state then this
5783 			 * packet is a SYN-ACK packet which means it needs to
5784 			 * be labeled based on the connection/request_sock and
5785 			 * not the parent socket.  unfortunately, we can't
5786 			 * lookup the request_sock yet as it isn't queued on
5787 			 * the parent socket until after the SYN-ACK is sent.
5788 			 * the "solution" is to simply pass the packet as-is
5789 			 * as any IP option based labeling should be copied
5790 			 * from the initial connection request (in the IP
5791 			 * layer).  it is far from ideal, but until we get a
5792 			 * security label in the packet itself this is the
5793 			 * best we can do. */
5794 			return NF_ACCEPT;
5795 
5796 		/* standard practice, label using the parent socket */
5797 		sksec = sk->sk_security;
5798 		sid = sksec->sid;
5799 	} else
5800 		sid = SECINITSID_KERNEL;
5801 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5802 		return NF_DROP;
5803 
5804 	return NF_ACCEPT;
5805 }
5806 
selinux_ipv4_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5807 static unsigned int selinux_ipv4_output(void *priv,
5808 					struct sk_buff *skb,
5809 					const struct nf_hook_state *state)
5810 {
5811 	return selinux_ip_output(skb, PF_INET);
5812 }
5813 
5814 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5815 static unsigned int selinux_ipv6_output(void *priv,
5816 					struct sk_buff *skb,
5817 					const struct nf_hook_state *state)
5818 {
5819 	return selinux_ip_output(skb, PF_INET6);
5820 }
5821 #endif	/* IPV6 */
5822 
selinux_ip_postroute_compat(struct sk_buff * skb,int ifindex,u16 family)5823 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5824 						int ifindex,
5825 						u16 family)
5826 {
5827 	struct sock *sk = skb_to_full_sk(skb);
5828 	struct sk_security_struct *sksec;
5829 	struct common_audit_data ad;
5830 	struct lsm_network_audit net = {0,};
5831 	char *addrp;
5832 	u8 proto;
5833 
5834 	if (sk == NULL)
5835 		return NF_ACCEPT;
5836 	sksec = sk->sk_security;
5837 
5838 	ad.type = LSM_AUDIT_DATA_NET;
5839 	ad.u.net = &net;
5840 	ad.u.net->netif = ifindex;
5841 	ad.u.net->family = family;
5842 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5843 		return NF_DROP;
5844 
5845 	if (selinux_secmark_enabled())
5846 		if (avc_has_perm(&selinux_state,
5847 				 sksec->sid, skb->secmark,
5848 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5849 			return NF_DROP_ERR(-ECONNREFUSED);
5850 
5851 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5852 		return NF_DROP_ERR(-ECONNREFUSED);
5853 
5854 	return NF_ACCEPT;
5855 }
5856 
selinux_ip_postroute(struct sk_buff * skb,const struct net_device * outdev,u16 family)5857 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5858 					 const struct net_device *outdev,
5859 					 u16 family)
5860 {
5861 	u32 secmark_perm;
5862 	u32 peer_sid;
5863 	int ifindex = outdev->ifindex;
5864 	struct sock *sk;
5865 	struct common_audit_data ad;
5866 	struct lsm_network_audit net = {0,};
5867 	char *addrp;
5868 	u8 secmark_active;
5869 	u8 peerlbl_active;
5870 
5871 	/* If any sort of compatibility mode is enabled then handoff processing
5872 	 * to the selinux_ip_postroute_compat() function to deal with the
5873 	 * special handling.  We do this in an attempt to keep this function
5874 	 * as fast and as clean as possible. */
5875 	if (!selinux_policycap_netpeer())
5876 		return selinux_ip_postroute_compat(skb, ifindex, family);
5877 
5878 	secmark_active = selinux_secmark_enabled();
5879 	peerlbl_active = selinux_peerlbl_enabled();
5880 	if (!secmark_active && !peerlbl_active)
5881 		return NF_ACCEPT;
5882 
5883 	sk = skb_to_full_sk(skb);
5884 
5885 #ifdef CONFIG_XFRM
5886 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5887 	 * packet transformation so allow the packet to pass without any checks
5888 	 * since we'll have another chance to perform access control checks
5889 	 * when the packet is on it's final way out.
5890 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5891 	 *       is NULL, in this case go ahead and apply access control.
5892 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5893 	 *       TCP listening state we cannot wait until the XFRM processing
5894 	 *       is done as we will miss out on the SA label if we do;
5895 	 *       unfortunately, this means more work, but it is only once per
5896 	 *       connection. */
5897 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5898 	    !(sk && sk_listener(sk)))
5899 		return NF_ACCEPT;
5900 #endif
5901 
5902 	if (sk == NULL) {
5903 		/* Without an associated socket the packet is either coming
5904 		 * from the kernel or it is being forwarded; check the packet
5905 		 * to determine which and if the packet is being forwarded
5906 		 * query the packet directly to determine the security label. */
5907 		if (skb->skb_iif) {
5908 			secmark_perm = PACKET__FORWARD_OUT;
5909 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5910 				return NF_DROP;
5911 		} else {
5912 			secmark_perm = PACKET__SEND;
5913 			peer_sid = SECINITSID_KERNEL;
5914 		}
5915 	} else if (sk_listener(sk)) {
5916 		/* Locally generated packet but the associated socket is in the
5917 		 * listening state which means this is a SYN-ACK packet.  In
5918 		 * this particular case the correct security label is assigned
5919 		 * to the connection/request_sock but unfortunately we can't
5920 		 * query the request_sock as it isn't queued on the parent
5921 		 * socket until after the SYN-ACK packet is sent; the only
5922 		 * viable choice is to regenerate the label like we do in
5923 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5924 		 * for similar problems. */
5925 		u32 skb_sid;
5926 		struct sk_security_struct *sksec;
5927 
5928 		sksec = sk->sk_security;
5929 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5930 			return NF_DROP;
5931 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5932 		 * and the packet has been through at least one XFRM
5933 		 * transformation then we must be dealing with the "final"
5934 		 * form of labeled IPsec packet; since we've already applied
5935 		 * all of our access controls on this packet we can safely
5936 		 * pass the packet. */
5937 		if (skb_sid == SECSID_NULL) {
5938 			switch (family) {
5939 			case PF_INET:
5940 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5941 					return NF_ACCEPT;
5942 				break;
5943 			case PF_INET6:
5944 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5945 					return NF_ACCEPT;
5946 				break;
5947 			default:
5948 				return NF_DROP_ERR(-ECONNREFUSED);
5949 			}
5950 		}
5951 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5952 			return NF_DROP;
5953 		secmark_perm = PACKET__SEND;
5954 	} else {
5955 		/* Locally generated packet, fetch the security label from the
5956 		 * associated socket. */
5957 		struct sk_security_struct *sksec = sk->sk_security;
5958 		peer_sid = sksec->sid;
5959 		secmark_perm = PACKET__SEND;
5960 	}
5961 
5962 	ad.type = LSM_AUDIT_DATA_NET;
5963 	ad.u.net = &net;
5964 	ad.u.net->netif = ifindex;
5965 	ad.u.net->family = family;
5966 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5967 		return NF_DROP;
5968 
5969 	if (secmark_active)
5970 		if (avc_has_perm(&selinux_state,
5971 				 peer_sid, skb->secmark,
5972 				 SECCLASS_PACKET, secmark_perm, &ad))
5973 			return NF_DROP_ERR(-ECONNREFUSED);
5974 
5975 	if (peerlbl_active) {
5976 		u32 if_sid;
5977 		u32 node_sid;
5978 
5979 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5980 			return NF_DROP;
5981 		if (avc_has_perm(&selinux_state,
5982 				 peer_sid, if_sid,
5983 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5984 			return NF_DROP_ERR(-ECONNREFUSED);
5985 
5986 		if (sel_netnode_sid(addrp, family, &node_sid))
5987 			return NF_DROP;
5988 		if (avc_has_perm(&selinux_state,
5989 				 peer_sid, node_sid,
5990 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5991 			return NF_DROP_ERR(-ECONNREFUSED);
5992 	}
5993 
5994 	return NF_ACCEPT;
5995 }
5996 
selinux_ipv4_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5997 static unsigned int selinux_ipv4_postroute(void *priv,
5998 					   struct sk_buff *skb,
5999 					   const struct nf_hook_state *state)
6000 {
6001 	return selinux_ip_postroute(skb, state->out, PF_INET);
6002 }
6003 
6004 #if IS_ENABLED(CONFIG_IPV6)
selinux_ipv6_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)6005 static unsigned int selinux_ipv6_postroute(void *priv,
6006 					   struct sk_buff *skb,
6007 					   const struct nf_hook_state *state)
6008 {
6009 	return selinux_ip_postroute(skb, state->out, PF_INET6);
6010 }
6011 #endif	/* IPV6 */
6012 
6013 #endif	/* CONFIG_NETFILTER */
6014 
selinux_netlink_send(struct sock * sk,struct sk_buff * skb)6015 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
6016 {
6017 	int rc = 0;
6018 	unsigned int msg_len;
6019 	unsigned int data_len = skb->len;
6020 	unsigned char *data = skb->data;
6021 	struct nlmsghdr *nlh;
6022 	struct sk_security_struct *sksec = sk->sk_security;
6023 	u16 sclass = sksec->sclass;
6024 	u32 perm;
6025 
6026 	while (data_len >= nlmsg_total_size(0)) {
6027 		nlh = (struct nlmsghdr *)data;
6028 
6029 		/* NOTE: the nlmsg_len field isn't reliably set by some netlink
6030 		 *       users which means we can't reject skb's with bogus
6031 		 *       length fields; our solution is to follow what
6032 		 *       netlink_rcv_skb() does and simply skip processing at
6033 		 *       messages with length fields that are clearly junk
6034 		 */
6035 		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
6036 			return 0;
6037 
6038 		rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
6039 		if (rc == 0) {
6040 			rc = sock_has_perm(sk, perm);
6041 			if (rc)
6042 				return rc;
6043 		} else if (rc == -EINVAL) {
6044 			/* -EINVAL is a missing msg/perm mapping */
6045 			pr_warn_ratelimited("SELinux: unrecognized netlink"
6046 				" message: protocol=%hu nlmsg_type=%hu sclass=%s"
6047 				" pid=%d comm=%s\n",
6048 				sk->sk_protocol, nlh->nlmsg_type,
6049 				secclass_map[sclass - 1].name,
6050 				task_pid_nr(current), current->comm);
6051 			if (enforcing_enabled(&selinux_state) &&
6052 			    !security_get_allow_unknown(&selinux_state))
6053 				return rc;
6054 			rc = 0;
6055 		} else if (rc == -ENOENT) {
6056 			/* -ENOENT is a missing socket/class mapping, ignore */
6057 			rc = 0;
6058 		} else {
6059 			return rc;
6060 		}
6061 
6062 		/* move to the next message after applying netlink padding */
6063 		msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
6064 		if (msg_len >= data_len)
6065 			return 0;
6066 		data_len -= msg_len;
6067 		data += msg_len;
6068 	}
6069 
6070 	return rc;
6071 }
6072 
ipc_init_security(struct ipc_security_struct * isec,u16 sclass)6073 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
6074 {
6075 	isec->sclass = sclass;
6076 	isec->sid = current_sid();
6077 }
6078 
ipc_has_perm(struct kern_ipc_perm * ipc_perms,u32 perms)6079 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
6080 			u32 perms)
6081 {
6082 	struct ipc_security_struct *isec;
6083 	struct common_audit_data ad;
6084 	u32 sid = current_sid();
6085 
6086 	isec = selinux_ipc(ipc_perms);
6087 
6088 	ad.type = LSM_AUDIT_DATA_IPC;
6089 	ad.u.ipc_id = ipc_perms->key;
6090 
6091 	return avc_has_perm(&selinux_state,
6092 			    sid, isec->sid, isec->sclass, perms, &ad);
6093 }
6094 
selinux_msg_msg_alloc_security(struct msg_msg * msg)6095 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6096 {
6097 	struct msg_security_struct *msec;
6098 
6099 	msec = selinux_msg_msg(msg);
6100 	msec->sid = SECINITSID_UNLABELED;
6101 
6102 	return 0;
6103 }
6104 
6105 /* message queue security operations */
selinux_msg_queue_alloc_security(struct kern_ipc_perm * msq)6106 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6107 {
6108 	struct ipc_security_struct *isec;
6109 	struct common_audit_data ad;
6110 	u32 sid = current_sid();
6111 	int rc;
6112 
6113 	isec = selinux_ipc(msq);
6114 	ipc_init_security(isec, SECCLASS_MSGQ);
6115 
6116 	ad.type = LSM_AUDIT_DATA_IPC;
6117 	ad.u.ipc_id = msq->key;
6118 
6119 	rc = avc_has_perm(&selinux_state,
6120 			  sid, isec->sid, SECCLASS_MSGQ,
6121 			  MSGQ__CREATE, &ad);
6122 	return rc;
6123 }
6124 
selinux_msg_queue_associate(struct kern_ipc_perm * msq,int msqflg)6125 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6126 {
6127 	struct ipc_security_struct *isec;
6128 	struct common_audit_data ad;
6129 	u32 sid = current_sid();
6130 
6131 	isec = selinux_ipc(msq);
6132 
6133 	ad.type = LSM_AUDIT_DATA_IPC;
6134 	ad.u.ipc_id = msq->key;
6135 
6136 	return avc_has_perm(&selinux_state,
6137 			    sid, isec->sid, SECCLASS_MSGQ,
6138 			    MSGQ__ASSOCIATE, &ad);
6139 }
6140 
selinux_msg_queue_msgctl(struct kern_ipc_perm * msq,int cmd)6141 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6142 {
6143 	int err;
6144 	int perms;
6145 
6146 	switch (cmd) {
6147 	case IPC_INFO:
6148 	case MSG_INFO:
6149 		/* No specific object, just general system-wide information. */
6150 		return avc_has_perm(&selinux_state,
6151 				    current_sid(), SECINITSID_KERNEL,
6152 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6153 	case IPC_STAT:
6154 	case MSG_STAT:
6155 	case MSG_STAT_ANY:
6156 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6157 		break;
6158 	case IPC_SET:
6159 		perms = MSGQ__SETATTR;
6160 		break;
6161 	case IPC_RMID:
6162 		perms = MSGQ__DESTROY;
6163 		break;
6164 	default:
6165 		return 0;
6166 	}
6167 
6168 	err = ipc_has_perm(msq, perms);
6169 	return err;
6170 }
6171 
selinux_msg_queue_msgsnd(struct kern_ipc_perm * msq,struct msg_msg * msg,int msqflg)6172 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6173 {
6174 	struct ipc_security_struct *isec;
6175 	struct msg_security_struct *msec;
6176 	struct common_audit_data ad;
6177 	u32 sid = current_sid();
6178 	int rc;
6179 
6180 	isec = selinux_ipc(msq);
6181 	msec = selinux_msg_msg(msg);
6182 
6183 	/*
6184 	 * First time through, need to assign label to the message
6185 	 */
6186 	if (msec->sid == SECINITSID_UNLABELED) {
6187 		/*
6188 		 * Compute new sid based on current process and
6189 		 * message queue this message will be stored in
6190 		 */
6191 		rc = security_transition_sid(&selinux_state, sid, isec->sid,
6192 					     SECCLASS_MSG, NULL, &msec->sid);
6193 		if (rc)
6194 			return rc;
6195 	}
6196 
6197 	ad.type = LSM_AUDIT_DATA_IPC;
6198 	ad.u.ipc_id = msq->key;
6199 
6200 	/* Can this process write to the queue? */
6201 	rc = avc_has_perm(&selinux_state,
6202 			  sid, isec->sid, SECCLASS_MSGQ,
6203 			  MSGQ__WRITE, &ad);
6204 	if (!rc)
6205 		/* Can this process send the message */
6206 		rc = avc_has_perm(&selinux_state,
6207 				  sid, msec->sid, SECCLASS_MSG,
6208 				  MSG__SEND, &ad);
6209 	if (!rc)
6210 		/* Can the message be put in the queue? */
6211 		rc = avc_has_perm(&selinux_state,
6212 				  msec->sid, isec->sid, SECCLASS_MSGQ,
6213 				  MSGQ__ENQUEUE, &ad);
6214 
6215 	return rc;
6216 }
6217 
selinux_msg_queue_msgrcv(struct kern_ipc_perm * msq,struct msg_msg * msg,struct task_struct * target,long type,int mode)6218 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6219 				    struct task_struct *target,
6220 				    long type, int mode)
6221 {
6222 	struct ipc_security_struct *isec;
6223 	struct msg_security_struct *msec;
6224 	struct common_audit_data ad;
6225 	u32 sid = task_sid_obj(target);
6226 	int rc;
6227 
6228 	isec = selinux_ipc(msq);
6229 	msec = selinux_msg_msg(msg);
6230 
6231 	ad.type = LSM_AUDIT_DATA_IPC;
6232 	ad.u.ipc_id = msq->key;
6233 
6234 	rc = avc_has_perm(&selinux_state,
6235 			  sid, isec->sid,
6236 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6237 	if (!rc)
6238 		rc = avc_has_perm(&selinux_state,
6239 				  sid, msec->sid,
6240 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6241 	return rc;
6242 }
6243 
6244 /* Shared Memory security operations */
selinux_shm_alloc_security(struct kern_ipc_perm * shp)6245 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6246 {
6247 	struct ipc_security_struct *isec;
6248 	struct common_audit_data ad;
6249 	u32 sid = current_sid();
6250 	int rc;
6251 
6252 	isec = selinux_ipc(shp);
6253 	ipc_init_security(isec, SECCLASS_SHM);
6254 
6255 	ad.type = LSM_AUDIT_DATA_IPC;
6256 	ad.u.ipc_id = shp->key;
6257 
6258 	rc = avc_has_perm(&selinux_state,
6259 			  sid, isec->sid, SECCLASS_SHM,
6260 			  SHM__CREATE, &ad);
6261 	return rc;
6262 }
6263 
selinux_shm_associate(struct kern_ipc_perm * shp,int shmflg)6264 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6265 {
6266 	struct ipc_security_struct *isec;
6267 	struct common_audit_data ad;
6268 	u32 sid = current_sid();
6269 
6270 	isec = selinux_ipc(shp);
6271 
6272 	ad.type = LSM_AUDIT_DATA_IPC;
6273 	ad.u.ipc_id = shp->key;
6274 
6275 	return avc_has_perm(&selinux_state,
6276 			    sid, isec->sid, SECCLASS_SHM,
6277 			    SHM__ASSOCIATE, &ad);
6278 }
6279 
6280 /* Note, at this point, shp is locked down */
selinux_shm_shmctl(struct kern_ipc_perm * shp,int cmd)6281 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6282 {
6283 	int perms;
6284 	int err;
6285 
6286 	switch (cmd) {
6287 	case IPC_INFO:
6288 	case SHM_INFO:
6289 		/* No specific object, just general system-wide information. */
6290 		return avc_has_perm(&selinux_state,
6291 				    current_sid(), SECINITSID_KERNEL,
6292 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6293 	case IPC_STAT:
6294 	case SHM_STAT:
6295 	case SHM_STAT_ANY:
6296 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6297 		break;
6298 	case IPC_SET:
6299 		perms = SHM__SETATTR;
6300 		break;
6301 	case SHM_LOCK:
6302 	case SHM_UNLOCK:
6303 		perms = SHM__LOCK;
6304 		break;
6305 	case IPC_RMID:
6306 		perms = SHM__DESTROY;
6307 		break;
6308 	default:
6309 		return 0;
6310 	}
6311 
6312 	err = ipc_has_perm(shp, perms);
6313 	return err;
6314 }
6315 
selinux_shm_shmat(struct kern_ipc_perm * shp,char __user * shmaddr,int shmflg)6316 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6317 			     char __user *shmaddr, int shmflg)
6318 {
6319 	u32 perms;
6320 
6321 	if (shmflg & SHM_RDONLY)
6322 		perms = SHM__READ;
6323 	else
6324 		perms = SHM__READ | SHM__WRITE;
6325 
6326 	return ipc_has_perm(shp, perms);
6327 }
6328 
6329 /* Semaphore security operations */
selinux_sem_alloc_security(struct kern_ipc_perm * sma)6330 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6331 {
6332 	struct ipc_security_struct *isec;
6333 	struct common_audit_data ad;
6334 	u32 sid = current_sid();
6335 	int rc;
6336 
6337 	isec = selinux_ipc(sma);
6338 	ipc_init_security(isec, SECCLASS_SEM);
6339 
6340 	ad.type = LSM_AUDIT_DATA_IPC;
6341 	ad.u.ipc_id = sma->key;
6342 
6343 	rc = avc_has_perm(&selinux_state,
6344 			  sid, isec->sid, SECCLASS_SEM,
6345 			  SEM__CREATE, &ad);
6346 	return rc;
6347 }
6348 
selinux_sem_associate(struct kern_ipc_perm * sma,int semflg)6349 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6350 {
6351 	struct ipc_security_struct *isec;
6352 	struct common_audit_data ad;
6353 	u32 sid = current_sid();
6354 
6355 	isec = selinux_ipc(sma);
6356 
6357 	ad.type = LSM_AUDIT_DATA_IPC;
6358 	ad.u.ipc_id = sma->key;
6359 
6360 	return avc_has_perm(&selinux_state,
6361 			    sid, isec->sid, SECCLASS_SEM,
6362 			    SEM__ASSOCIATE, &ad);
6363 }
6364 
6365 /* Note, at this point, sma is locked down */
selinux_sem_semctl(struct kern_ipc_perm * sma,int cmd)6366 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6367 {
6368 	int err;
6369 	u32 perms;
6370 
6371 	switch (cmd) {
6372 	case IPC_INFO:
6373 	case SEM_INFO:
6374 		/* No specific object, just general system-wide information. */
6375 		return avc_has_perm(&selinux_state,
6376 				    current_sid(), SECINITSID_KERNEL,
6377 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6378 	case GETPID:
6379 	case GETNCNT:
6380 	case GETZCNT:
6381 		perms = SEM__GETATTR;
6382 		break;
6383 	case GETVAL:
6384 	case GETALL:
6385 		perms = SEM__READ;
6386 		break;
6387 	case SETVAL:
6388 	case SETALL:
6389 		perms = SEM__WRITE;
6390 		break;
6391 	case IPC_RMID:
6392 		perms = SEM__DESTROY;
6393 		break;
6394 	case IPC_SET:
6395 		perms = SEM__SETATTR;
6396 		break;
6397 	case IPC_STAT:
6398 	case SEM_STAT:
6399 	case SEM_STAT_ANY:
6400 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6401 		break;
6402 	default:
6403 		return 0;
6404 	}
6405 
6406 	err = ipc_has_perm(sma, perms);
6407 	return err;
6408 }
6409 
selinux_sem_semop(struct kern_ipc_perm * sma,struct sembuf * sops,unsigned nsops,int alter)6410 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6411 			     struct sembuf *sops, unsigned nsops, int alter)
6412 {
6413 	u32 perms;
6414 
6415 	if (alter)
6416 		perms = SEM__READ | SEM__WRITE;
6417 	else
6418 		perms = SEM__READ;
6419 
6420 	return ipc_has_perm(sma, perms);
6421 }
6422 
selinux_ipc_permission(struct kern_ipc_perm * ipcp,short flag)6423 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6424 {
6425 	u32 av = 0;
6426 
6427 	av = 0;
6428 	if (flag & S_IRUGO)
6429 		av |= IPC__UNIX_READ;
6430 	if (flag & S_IWUGO)
6431 		av |= IPC__UNIX_WRITE;
6432 
6433 	if (av == 0)
6434 		return 0;
6435 
6436 	return ipc_has_perm(ipcp, av);
6437 }
6438 
selinux_ipc_getsecid(struct kern_ipc_perm * ipcp,u32 * secid)6439 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6440 {
6441 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6442 	*secid = isec->sid;
6443 }
6444 
selinux_d_instantiate(struct dentry * dentry,struct inode * inode)6445 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6446 {
6447 	if (inode)
6448 		inode_doinit_with_dentry(inode, dentry);
6449 }
6450 
selinux_getprocattr(struct task_struct * p,char * name,char ** value)6451 static int selinux_getprocattr(struct task_struct *p,
6452 			       char *name, char **value)
6453 {
6454 	const struct task_security_struct *__tsec;
6455 	u32 sid;
6456 	int error;
6457 	unsigned len;
6458 
6459 	rcu_read_lock();
6460 	__tsec = selinux_cred(__task_cred(p));
6461 
6462 	if (current != p) {
6463 		error = avc_has_perm(&selinux_state,
6464 				     current_sid(), __tsec->sid,
6465 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6466 		if (error)
6467 			goto bad;
6468 	}
6469 
6470 	if (!strcmp(name, "current"))
6471 		sid = __tsec->sid;
6472 	else if (!strcmp(name, "prev"))
6473 		sid = __tsec->osid;
6474 	else if (!strcmp(name, "exec"))
6475 		sid = __tsec->exec_sid;
6476 	else if (!strcmp(name, "fscreate"))
6477 		sid = __tsec->create_sid;
6478 	else if (!strcmp(name, "keycreate"))
6479 		sid = __tsec->keycreate_sid;
6480 	else if (!strcmp(name, "sockcreate"))
6481 		sid = __tsec->sockcreate_sid;
6482 	else {
6483 		error = -EINVAL;
6484 		goto bad;
6485 	}
6486 	rcu_read_unlock();
6487 
6488 	if (!sid)
6489 		return 0;
6490 
6491 	error = security_sid_to_context(&selinux_state, sid, value, &len);
6492 	if (error)
6493 		return error;
6494 	return len;
6495 
6496 bad:
6497 	rcu_read_unlock();
6498 	return error;
6499 }
6500 
selinux_setprocattr(const char * name,void * value,size_t size)6501 static int selinux_setprocattr(const char *name, void *value, size_t size)
6502 {
6503 	struct task_security_struct *tsec;
6504 	struct cred *new;
6505 	u32 mysid = current_sid(), sid = 0, ptsid;
6506 	int error;
6507 	char *str = value;
6508 
6509 	/*
6510 	 * Basic control over ability to set these attributes at all.
6511 	 */
6512 	if (!strcmp(name, "exec"))
6513 		error = avc_has_perm(&selinux_state,
6514 				     mysid, mysid, SECCLASS_PROCESS,
6515 				     PROCESS__SETEXEC, NULL);
6516 	else if (!strcmp(name, "fscreate"))
6517 		error = avc_has_perm(&selinux_state,
6518 				     mysid, mysid, SECCLASS_PROCESS,
6519 				     PROCESS__SETFSCREATE, NULL);
6520 	else if (!strcmp(name, "keycreate"))
6521 		error = avc_has_perm(&selinux_state,
6522 				     mysid, mysid, SECCLASS_PROCESS,
6523 				     PROCESS__SETKEYCREATE, NULL);
6524 	else if (!strcmp(name, "sockcreate"))
6525 		error = avc_has_perm(&selinux_state,
6526 				     mysid, mysid, SECCLASS_PROCESS,
6527 				     PROCESS__SETSOCKCREATE, NULL);
6528 	else if (!strcmp(name, "current"))
6529 		error = avc_has_perm(&selinux_state,
6530 				     mysid, mysid, SECCLASS_PROCESS,
6531 				     PROCESS__SETCURRENT, NULL);
6532 	else
6533 		error = -EINVAL;
6534 	if (error)
6535 		return error;
6536 
6537 	/* Obtain a SID for the context, if one was specified. */
6538 	if (size && str[0] && str[0] != '\n') {
6539 		if (str[size-1] == '\n') {
6540 			str[size-1] = 0;
6541 			size--;
6542 		}
6543 		error = security_context_to_sid(&selinux_state, value, size,
6544 						&sid, GFP_KERNEL);
6545 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6546 			if (!has_cap_mac_admin(true)) {
6547 				struct audit_buffer *ab;
6548 				size_t audit_size;
6549 
6550 				/* We strip a nul only if it is at the end, otherwise the
6551 				 * context contains a nul and we should audit that */
6552 				if (str[size - 1] == '\0')
6553 					audit_size = size - 1;
6554 				else
6555 					audit_size = size;
6556 				ab = audit_log_start(audit_context(),
6557 						     GFP_ATOMIC,
6558 						     AUDIT_SELINUX_ERR);
6559 				if (!ab)
6560 					return error;
6561 				audit_log_format(ab, "op=fscreate invalid_context=");
6562 				audit_log_n_untrustedstring(ab, value, audit_size);
6563 				audit_log_end(ab);
6564 
6565 				return error;
6566 			}
6567 			error = security_context_to_sid_force(
6568 						      &selinux_state,
6569 						      value, size, &sid);
6570 		}
6571 		if (error)
6572 			return error;
6573 	}
6574 
6575 	new = prepare_creds();
6576 	if (!new)
6577 		return -ENOMEM;
6578 
6579 	/* Permission checking based on the specified context is
6580 	   performed during the actual operation (execve,
6581 	   open/mkdir/...), when we know the full context of the
6582 	   operation.  See selinux_bprm_creds_for_exec for the execve
6583 	   checks and may_create for the file creation checks. The
6584 	   operation will then fail if the context is not permitted. */
6585 	tsec = selinux_cred(new);
6586 	if (!strcmp(name, "exec")) {
6587 		tsec->exec_sid = sid;
6588 	} else if (!strcmp(name, "fscreate")) {
6589 		tsec->create_sid = sid;
6590 	} else if (!strcmp(name, "keycreate")) {
6591 		if (sid) {
6592 			error = avc_has_perm(&selinux_state, mysid, sid,
6593 					     SECCLASS_KEY, KEY__CREATE, NULL);
6594 			if (error)
6595 				goto abort_change;
6596 		}
6597 		tsec->keycreate_sid = sid;
6598 	} else if (!strcmp(name, "sockcreate")) {
6599 		tsec->sockcreate_sid = sid;
6600 	} else if (!strcmp(name, "current")) {
6601 		error = -EINVAL;
6602 		if (sid == 0)
6603 			goto abort_change;
6604 
6605 		/* Only allow single threaded processes to change context */
6606 		error = -EPERM;
6607 		if (!current_is_single_threaded()) {
6608 			error = security_bounded_transition(&selinux_state,
6609 							    tsec->sid, sid);
6610 			if (error)
6611 				goto abort_change;
6612 		}
6613 
6614 		/* Check permissions for the transition. */
6615 		error = avc_has_perm(&selinux_state,
6616 				     tsec->sid, sid, SECCLASS_PROCESS,
6617 				     PROCESS__DYNTRANSITION, NULL);
6618 		if (error)
6619 			goto abort_change;
6620 
6621 		/* Check for ptracing, and update the task SID if ok.
6622 		   Otherwise, leave SID unchanged and fail. */
6623 		ptsid = ptrace_parent_sid();
6624 		if (ptsid != 0) {
6625 			error = avc_has_perm(&selinux_state,
6626 					     ptsid, sid, SECCLASS_PROCESS,
6627 					     PROCESS__PTRACE, NULL);
6628 			if (error)
6629 				goto abort_change;
6630 		}
6631 
6632 		tsec->sid = sid;
6633 	} else {
6634 		error = -EINVAL;
6635 		goto abort_change;
6636 	}
6637 
6638 	commit_creds(new);
6639 	return size;
6640 
6641 abort_change:
6642 	abort_creds(new);
6643 	return error;
6644 }
6645 
selinux_ismaclabel(const char * name)6646 static int selinux_ismaclabel(const char *name)
6647 {
6648 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6649 }
6650 
selinux_secid_to_secctx(u32 secid,char ** secdata,u32 * seclen)6651 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6652 {
6653 	return security_sid_to_context(&selinux_state, secid,
6654 				       secdata, seclen);
6655 }
6656 
selinux_secctx_to_secid(const char * secdata,u32 seclen,u32 * secid)6657 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6658 {
6659 	return security_context_to_sid(&selinux_state, secdata, seclen,
6660 				       secid, GFP_KERNEL);
6661 }
6662 
selinux_release_secctx(char * secdata,u32 seclen)6663 static void selinux_release_secctx(char *secdata, u32 seclen)
6664 {
6665 	kfree(secdata);
6666 }
6667 
selinux_inode_invalidate_secctx(struct inode * inode)6668 static void selinux_inode_invalidate_secctx(struct inode *inode)
6669 {
6670 	struct inode_security_struct *isec = selinux_inode(inode);
6671 
6672 	spin_lock(&isec->lock);
6673 	isec->initialized = LABEL_INVALID;
6674 	spin_unlock(&isec->lock);
6675 }
6676 
6677 /*
6678  *	called with inode->i_mutex locked
6679  */
selinux_inode_notifysecctx(struct inode * inode,void * ctx,u32 ctxlen)6680 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6681 {
6682 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6683 					   ctx, ctxlen, 0);
6684 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6685 	return rc == -EOPNOTSUPP ? 0 : rc;
6686 }
6687 
6688 /*
6689  *	called with inode->i_mutex locked
6690  */
selinux_inode_setsecctx(struct dentry * dentry,void * ctx,u32 ctxlen)6691 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6692 {
6693 	return __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_SELINUX,
6694 				     ctx, ctxlen, 0);
6695 }
6696 
selinux_inode_getsecctx(struct inode * inode,void ** ctx,u32 * ctxlen)6697 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6698 {
6699 	int len = 0;
6700 	len = selinux_inode_getsecurity(&init_user_ns, inode,
6701 					XATTR_SELINUX_SUFFIX, ctx, true);
6702 	if (len < 0)
6703 		return len;
6704 	*ctxlen = len;
6705 	return 0;
6706 }
6707 #ifdef CONFIG_KEYS
6708 
selinux_key_alloc(struct key * k,const struct cred * cred,unsigned long flags)6709 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6710 			     unsigned long flags)
6711 {
6712 	const struct task_security_struct *tsec;
6713 	struct key_security_struct *ksec;
6714 
6715 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6716 	if (!ksec)
6717 		return -ENOMEM;
6718 
6719 	tsec = selinux_cred(cred);
6720 	if (tsec->keycreate_sid)
6721 		ksec->sid = tsec->keycreate_sid;
6722 	else
6723 		ksec->sid = tsec->sid;
6724 
6725 	k->security = ksec;
6726 	return 0;
6727 }
6728 
selinux_key_free(struct key * k)6729 static void selinux_key_free(struct key *k)
6730 {
6731 	struct key_security_struct *ksec = k->security;
6732 
6733 	k->security = NULL;
6734 	kfree(ksec);
6735 }
6736 
selinux_key_permission(key_ref_t key_ref,const struct cred * cred,enum key_need_perm need_perm)6737 static int selinux_key_permission(key_ref_t key_ref,
6738 				  const struct cred *cred,
6739 				  enum key_need_perm need_perm)
6740 {
6741 	struct key *key;
6742 	struct key_security_struct *ksec;
6743 	u32 perm, sid;
6744 
6745 	switch (need_perm) {
6746 	case KEY_NEED_VIEW:
6747 		perm = KEY__VIEW;
6748 		break;
6749 	case KEY_NEED_READ:
6750 		perm = KEY__READ;
6751 		break;
6752 	case KEY_NEED_WRITE:
6753 		perm = KEY__WRITE;
6754 		break;
6755 	case KEY_NEED_SEARCH:
6756 		perm = KEY__SEARCH;
6757 		break;
6758 	case KEY_NEED_LINK:
6759 		perm = KEY__LINK;
6760 		break;
6761 	case KEY_NEED_SETATTR:
6762 		perm = KEY__SETATTR;
6763 		break;
6764 	case KEY_NEED_UNLINK:
6765 	case KEY_SYSADMIN_OVERRIDE:
6766 	case KEY_AUTHTOKEN_OVERRIDE:
6767 	case KEY_DEFER_PERM_CHECK:
6768 		return 0;
6769 	default:
6770 		WARN_ON(1);
6771 		return -EPERM;
6772 
6773 	}
6774 
6775 	sid = cred_sid(cred);
6776 	key = key_ref_to_ptr(key_ref);
6777 	ksec = key->security;
6778 
6779 	return avc_has_perm(&selinux_state,
6780 			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6781 }
6782 
selinux_key_getsecurity(struct key * key,char ** _buffer)6783 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6784 {
6785 	struct key_security_struct *ksec = key->security;
6786 	char *context = NULL;
6787 	unsigned len;
6788 	int rc;
6789 
6790 	rc = security_sid_to_context(&selinux_state, ksec->sid,
6791 				     &context, &len);
6792 	if (!rc)
6793 		rc = len;
6794 	*_buffer = context;
6795 	return rc;
6796 }
6797 
6798 #ifdef CONFIG_KEY_NOTIFICATIONS
selinux_watch_key(struct key * key)6799 static int selinux_watch_key(struct key *key)
6800 {
6801 	struct key_security_struct *ksec = key->security;
6802 	u32 sid = current_sid();
6803 
6804 	return avc_has_perm(&selinux_state,
6805 			    sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6806 }
6807 #endif
6808 #endif
6809 
6810 #ifdef CONFIG_SECURITY_INFINIBAND
selinux_ib_pkey_access(void * ib_sec,u64 subnet_prefix,u16 pkey_val)6811 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6812 {
6813 	struct common_audit_data ad;
6814 	int err;
6815 	u32 sid = 0;
6816 	struct ib_security_struct *sec = ib_sec;
6817 	struct lsm_ibpkey_audit ibpkey;
6818 
6819 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6820 	if (err)
6821 		return err;
6822 
6823 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6824 	ibpkey.subnet_prefix = subnet_prefix;
6825 	ibpkey.pkey = pkey_val;
6826 	ad.u.ibpkey = &ibpkey;
6827 	return avc_has_perm(&selinux_state,
6828 			    sec->sid, sid,
6829 			    SECCLASS_INFINIBAND_PKEY,
6830 			    INFINIBAND_PKEY__ACCESS, &ad);
6831 }
6832 
selinux_ib_endport_manage_subnet(void * ib_sec,const char * dev_name,u8 port_num)6833 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6834 					    u8 port_num)
6835 {
6836 	struct common_audit_data ad;
6837 	int err;
6838 	u32 sid = 0;
6839 	struct ib_security_struct *sec = ib_sec;
6840 	struct lsm_ibendport_audit ibendport;
6841 
6842 	err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6843 				      &sid);
6844 
6845 	if (err)
6846 		return err;
6847 
6848 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6849 	ibendport.dev_name = dev_name;
6850 	ibendport.port = port_num;
6851 	ad.u.ibendport = &ibendport;
6852 	return avc_has_perm(&selinux_state,
6853 			    sec->sid, sid,
6854 			    SECCLASS_INFINIBAND_ENDPORT,
6855 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6856 }
6857 
selinux_ib_alloc_security(void ** ib_sec)6858 static int selinux_ib_alloc_security(void **ib_sec)
6859 {
6860 	struct ib_security_struct *sec;
6861 
6862 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6863 	if (!sec)
6864 		return -ENOMEM;
6865 	sec->sid = current_sid();
6866 
6867 	*ib_sec = sec;
6868 	return 0;
6869 }
6870 
selinux_ib_free_security(void * ib_sec)6871 static void selinux_ib_free_security(void *ib_sec)
6872 {
6873 	kfree(ib_sec);
6874 }
6875 #endif
6876 
6877 #ifdef CONFIG_BPF_SYSCALL
selinux_bpf(int cmd,union bpf_attr * attr,unsigned int size)6878 static int selinux_bpf(int cmd, union bpf_attr *attr,
6879 				     unsigned int size)
6880 {
6881 	u32 sid = current_sid();
6882 	int ret;
6883 
6884 	switch (cmd) {
6885 	case BPF_MAP_CREATE:
6886 		ret = avc_has_perm(&selinux_state,
6887 				   sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6888 				   NULL);
6889 		break;
6890 	case BPF_PROG_LOAD:
6891 		ret = avc_has_perm(&selinux_state,
6892 				   sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6893 				   NULL);
6894 		break;
6895 	default:
6896 		ret = 0;
6897 		break;
6898 	}
6899 
6900 	return ret;
6901 }
6902 
bpf_map_fmode_to_av(fmode_t fmode)6903 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6904 {
6905 	u32 av = 0;
6906 
6907 	if (fmode & FMODE_READ)
6908 		av |= BPF__MAP_READ;
6909 	if (fmode & FMODE_WRITE)
6910 		av |= BPF__MAP_WRITE;
6911 	return av;
6912 }
6913 
6914 /* This function will check the file pass through unix socket or binder to see
6915  * if it is a bpf related object. And apply correspinding checks on the bpf
6916  * object based on the type. The bpf maps and programs, not like other files and
6917  * socket, are using a shared anonymous inode inside the kernel as their inode.
6918  * So checking that inode cannot identify if the process have privilege to
6919  * access the bpf object and that's why we have to add this additional check in
6920  * selinux_file_receive and selinux_binder_transfer_files.
6921  */
bpf_fd_pass(struct file * file,u32 sid)6922 static int bpf_fd_pass(struct file *file, u32 sid)
6923 {
6924 	struct bpf_security_struct *bpfsec;
6925 	struct bpf_prog *prog;
6926 	struct bpf_map *map;
6927 	int ret;
6928 
6929 	if (file->f_op == &bpf_map_fops) {
6930 		map = file->private_data;
6931 		bpfsec = map->security;
6932 		ret = avc_has_perm(&selinux_state,
6933 				   sid, bpfsec->sid, SECCLASS_BPF,
6934 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6935 		if (ret)
6936 			return ret;
6937 	} else if (file->f_op == &bpf_prog_fops) {
6938 		prog = file->private_data;
6939 		bpfsec = prog->aux->security;
6940 		ret = avc_has_perm(&selinux_state,
6941 				   sid, bpfsec->sid, SECCLASS_BPF,
6942 				   BPF__PROG_RUN, NULL);
6943 		if (ret)
6944 			return ret;
6945 	}
6946 	return 0;
6947 }
6948 
selinux_bpf_map(struct bpf_map * map,fmode_t fmode)6949 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6950 {
6951 	u32 sid = current_sid();
6952 	struct bpf_security_struct *bpfsec;
6953 
6954 	bpfsec = map->security;
6955 	return avc_has_perm(&selinux_state,
6956 			    sid, bpfsec->sid, SECCLASS_BPF,
6957 			    bpf_map_fmode_to_av(fmode), NULL);
6958 }
6959 
selinux_bpf_prog(struct bpf_prog * prog)6960 static int selinux_bpf_prog(struct bpf_prog *prog)
6961 {
6962 	u32 sid = current_sid();
6963 	struct bpf_security_struct *bpfsec;
6964 
6965 	bpfsec = prog->aux->security;
6966 	return avc_has_perm(&selinux_state,
6967 			    sid, bpfsec->sid, SECCLASS_BPF,
6968 			    BPF__PROG_RUN, NULL);
6969 }
6970 
selinux_bpf_map_alloc(struct bpf_map * map)6971 static int selinux_bpf_map_alloc(struct bpf_map *map)
6972 {
6973 	struct bpf_security_struct *bpfsec;
6974 
6975 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6976 	if (!bpfsec)
6977 		return -ENOMEM;
6978 
6979 	bpfsec->sid = current_sid();
6980 	map->security = bpfsec;
6981 
6982 	return 0;
6983 }
6984 
selinux_bpf_map_free(struct bpf_map * map)6985 static void selinux_bpf_map_free(struct bpf_map *map)
6986 {
6987 	struct bpf_security_struct *bpfsec = map->security;
6988 
6989 	map->security = NULL;
6990 	kfree(bpfsec);
6991 }
6992 
selinux_bpf_prog_alloc(struct bpf_prog_aux * aux)6993 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6994 {
6995 	struct bpf_security_struct *bpfsec;
6996 
6997 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6998 	if (!bpfsec)
6999 		return -ENOMEM;
7000 
7001 	bpfsec->sid = current_sid();
7002 	aux->security = bpfsec;
7003 
7004 	return 0;
7005 }
7006 
selinux_bpf_prog_free(struct bpf_prog_aux * aux)7007 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
7008 {
7009 	struct bpf_security_struct *bpfsec = aux->security;
7010 
7011 	aux->security = NULL;
7012 	kfree(bpfsec);
7013 }
7014 #endif
7015 
selinux_lockdown(enum lockdown_reason what)7016 static int selinux_lockdown(enum lockdown_reason what)
7017 {
7018 	struct common_audit_data ad;
7019 	u32 sid = current_sid();
7020 	int invalid_reason = (what <= LOCKDOWN_NONE) ||
7021 			     (what == LOCKDOWN_INTEGRITY_MAX) ||
7022 			     (what >= LOCKDOWN_CONFIDENTIALITY_MAX);
7023 
7024 	if (WARN(invalid_reason, "Invalid lockdown reason")) {
7025 		audit_log(audit_context(),
7026 			  GFP_ATOMIC, AUDIT_SELINUX_ERR,
7027 			  "lockdown_reason=invalid");
7028 		return -EINVAL;
7029 	}
7030 
7031 	ad.type = LSM_AUDIT_DATA_LOCKDOWN;
7032 	ad.u.reason = what;
7033 
7034 	if (what <= LOCKDOWN_INTEGRITY_MAX)
7035 		return avc_has_perm(&selinux_state,
7036 				    sid, sid, SECCLASS_LOCKDOWN,
7037 				    LOCKDOWN__INTEGRITY, &ad);
7038 	else
7039 		return avc_has_perm(&selinux_state,
7040 				    sid, sid, SECCLASS_LOCKDOWN,
7041 				    LOCKDOWN__CONFIDENTIALITY, &ad);
7042 }
7043 
7044 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
7045 	.lbs_cred = sizeof(struct task_security_struct),
7046 	.lbs_file = sizeof(struct file_security_struct),
7047 	.lbs_inode = sizeof(struct inode_security_struct),
7048 	.lbs_ipc = sizeof(struct ipc_security_struct),
7049 	.lbs_msg_msg = sizeof(struct msg_security_struct),
7050 	.lbs_superblock = sizeof(struct superblock_security_struct),
7051 };
7052 
7053 #ifdef CONFIG_PERF_EVENTS
selinux_perf_event_open(struct perf_event_attr * attr,int type)7054 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
7055 {
7056 	u32 requested, sid = current_sid();
7057 
7058 	if (type == PERF_SECURITY_OPEN)
7059 		requested = PERF_EVENT__OPEN;
7060 	else if (type == PERF_SECURITY_CPU)
7061 		requested = PERF_EVENT__CPU;
7062 	else if (type == PERF_SECURITY_KERNEL)
7063 		requested = PERF_EVENT__KERNEL;
7064 	else if (type == PERF_SECURITY_TRACEPOINT)
7065 		requested = PERF_EVENT__TRACEPOINT;
7066 	else
7067 		return -EINVAL;
7068 
7069 	return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
7070 			    requested, NULL);
7071 }
7072 
selinux_perf_event_alloc(struct perf_event * event)7073 static int selinux_perf_event_alloc(struct perf_event *event)
7074 {
7075 	struct perf_event_security_struct *perfsec;
7076 
7077 	perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
7078 	if (!perfsec)
7079 		return -ENOMEM;
7080 
7081 	perfsec->sid = current_sid();
7082 	event->security = perfsec;
7083 
7084 	return 0;
7085 }
7086 
selinux_perf_event_free(struct perf_event * event)7087 static void selinux_perf_event_free(struct perf_event *event)
7088 {
7089 	struct perf_event_security_struct *perfsec = event->security;
7090 
7091 	event->security = NULL;
7092 	kfree(perfsec);
7093 }
7094 
selinux_perf_event_read(struct perf_event * event)7095 static int selinux_perf_event_read(struct perf_event *event)
7096 {
7097 	struct perf_event_security_struct *perfsec = event->security;
7098 	u32 sid = current_sid();
7099 
7100 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
7101 			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
7102 }
7103 
selinux_perf_event_write(struct perf_event * event)7104 static int selinux_perf_event_write(struct perf_event *event)
7105 {
7106 	struct perf_event_security_struct *perfsec = event->security;
7107 	u32 sid = current_sid();
7108 
7109 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
7110 			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
7111 }
7112 #endif
7113 
7114 /*
7115  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
7116  * 1. any hooks that don't belong to (2.) or (3.) below,
7117  * 2. hooks that both access structures allocated by other hooks, and allocate
7118  *    structures that can be later accessed by other hooks (mostly "cloning"
7119  *    hooks),
7120  * 3. hooks that only allocate structures that can be later accessed by other
7121  *    hooks ("allocating" hooks).
7122  *
7123  * Please follow block comment delimiters in the list to keep this order.
7124  *
7125  * This ordering is needed for SELinux runtime disable to work at least somewhat
7126  * safely. Breaking the ordering rules above might lead to NULL pointer derefs
7127  * when disabling SELinux at runtime.
7128  */
7129 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
7130 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7131 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7132 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7133 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7134 
7135 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7136 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7137 	LSM_HOOK_INIT(capget, selinux_capget),
7138 	LSM_HOOK_INIT(capset, selinux_capset),
7139 	LSM_HOOK_INIT(capable, selinux_capable),
7140 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
7141 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
7142 	LSM_HOOK_INIT(syslog, selinux_syslog),
7143 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7144 
7145 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7146 
7147 	LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7148 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7149 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7150 
7151 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7152 	LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7153 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7154 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7155 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7156 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7157 	LSM_HOOK_INIT(sb_mount, selinux_mount),
7158 	LSM_HOOK_INIT(sb_umount, selinux_umount),
7159 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7160 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7161 
7162 	LSM_HOOK_INIT(move_mount, selinux_move_mount),
7163 
7164 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7165 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7166 
7167 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7168 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7169 	LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7170 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
7171 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
7172 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7173 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7174 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7175 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7176 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7177 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7178 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7179 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7180 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7181 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7182 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7183 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7184 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7185 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7186 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7187 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7188 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7189 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7190 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7191 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7192 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7193 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7194 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
7195 
7196 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7197 
7198 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7199 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7200 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7201 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7202 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7203 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7204 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
7205 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7206 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7207 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7208 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
7209 
7210 	LSM_HOOK_INIT(file_open, selinux_file_open),
7211 
7212 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7213 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7214 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7215 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7216 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7217 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7218 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7219 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7220 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7221 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7222 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7223 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7224 	LSM_HOOK_INIT(task_getsecid_subj, selinux_task_getsecid_subj),
7225 	LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7226 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7227 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7228 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7229 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7230 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7231 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7232 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7233 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7234 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7235 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7236 
7237 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7238 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7239 
7240 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7241 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7242 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7243 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7244 
7245 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7246 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7247 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7248 
7249 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7250 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7251 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7252 
7253 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7254 
7255 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7256 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7257 
7258 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7259 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7260 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7261 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7262 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7263 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7264 
7265 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7266 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7267 
7268 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7269 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7270 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7271 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7272 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7273 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7274 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7275 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7276 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7277 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7278 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7279 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7280 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7281 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7282 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7283 	LSM_HOOK_INIT(socket_getpeersec_stream,
7284 			selinux_socket_getpeersec_stream),
7285 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7286 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7287 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7288 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7289 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7290 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7291 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7292 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7293 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7294 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7295 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7296 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7297 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7298 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7299 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7300 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7301 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7302 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7303 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7304 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7305 #ifdef CONFIG_SECURITY_INFINIBAND
7306 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7307 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7308 		      selinux_ib_endport_manage_subnet),
7309 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7310 #endif
7311 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7312 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7313 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7314 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7315 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7316 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7317 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7318 			selinux_xfrm_state_pol_flow_match),
7319 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7320 #endif
7321 
7322 #ifdef CONFIG_KEYS
7323 	LSM_HOOK_INIT(key_free, selinux_key_free),
7324 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7325 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7326 #ifdef CONFIG_KEY_NOTIFICATIONS
7327 	LSM_HOOK_INIT(watch_key, selinux_watch_key),
7328 #endif
7329 #endif
7330 
7331 #ifdef CONFIG_AUDIT
7332 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7333 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7334 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7335 #endif
7336 
7337 #ifdef CONFIG_BPF_SYSCALL
7338 	LSM_HOOK_INIT(bpf, selinux_bpf),
7339 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7340 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7341 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7342 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7343 #endif
7344 
7345 #ifdef CONFIG_PERF_EVENTS
7346 	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7347 	LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7348 	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7349 	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7350 #endif
7351 
7352 	LSM_HOOK_INIT(locked_down, selinux_lockdown),
7353 
7354 	/*
7355 	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7356 	 */
7357 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7358 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7359 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7360 	LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
7361 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7362 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7363 #endif
7364 
7365 	/*
7366 	 * PUT "ALLOCATING" HOOKS HERE
7367 	 */
7368 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7369 	LSM_HOOK_INIT(msg_queue_alloc_security,
7370 		      selinux_msg_queue_alloc_security),
7371 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7372 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7373 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7374 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7375 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7376 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7377 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7378 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7379 #ifdef CONFIG_SECURITY_INFINIBAND
7380 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7381 #endif
7382 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7383 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7384 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7385 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7386 		      selinux_xfrm_state_alloc_acquire),
7387 #endif
7388 #ifdef CONFIG_KEYS
7389 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7390 #endif
7391 #ifdef CONFIG_AUDIT
7392 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7393 #endif
7394 #ifdef CONFIG_BPF_SYSCALL
7395 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7396 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7397 #endif
7398 #ifdef CONFIG_PERF_EVENTS
7399 	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7400 #endif
7401 };
7402 
selinux_init(void)7403 static __init int selinux_init(void)
7404 {
7405 	pr_info("SELinux:  Initializing.\n");
7406 
7407 	memset(&selinux_state, 0, sizeof(selinux_state));
7408 	enforcing_set(&selinux_state, selinux_enforcing_boot);
7409 	checkreqprot_set(&selinux_state, selinux_checkreqprot_boot);
7410 	selinux_avc_init(&selinux_state.avc);
7411 	mutex_init(&selinux_state.status_lock);
7412 	mutex_init(&selinux_state.policy_mutex);
7413 
7414 	/* Set the security state for the initial task. */
7415 	cred_init_security();
7416 
7417 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7418 
7419 	avc_init();
7420 
7421 	avtab_cache_init();
7422 
7423 	ebitmap_cache_init();
7424 
7425 	hashtab_cache_init();
7426 
7427 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7428 
7429 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7430 		panic("SELinux: Unable to register AVC netcache callback\n");
7431 
7432 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7433 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7434 
7435 	if (selinux_enforcing_boot)
7436 		pr_debug("SELinux:  Starting in enforcing mode\n");
7437 	else
7438 		pr_debug("SELinux:  Starting in permissive mode\n");
7439 
7440 	fs_validate_description("selinux", selinux_fs_parameters);
7441 
7442 	return 0;
7443 }
7444 
delayed_superblock_init(struct super_block * sb,void * unused)7445 static void delayed_superblock_init(struct super_block *sb, void *unused)
7446 {
7447 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7448 }
7449 
selinux_complete_init(void)7450 void selinux_complete_init(void)
7451 {
7452 	pr_debug("SELinux:  Completing initialization.\n");
7453 
7454 	/* Set up any superblocks initialized prior to the policy load. */
7455 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7456 	iterate_supers(delayed_superblock_init, NULL);
7457 }
7458 
7459 /* SELinux requires early initialization in order to label
7460    all processes and objects when they are created. */
7461 DEFINE_LSM(selinux) = {
7462 	.name = "selinux",
7463 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7464 	.enabled = &selinux_enabled_boot,
7465 	.blobs = &selinux_blob_sizes,
7466 	.init = selinux_init,
7467 };
7468 
7469 #if defined(CONFIG_NETFILTER)
7470 
7471 static const struct nf_hook_ops selinux_nf_ops[] = {
7472 	{
7473 		.hook =		selinux_ipv4_postroute,
7474 		.pf =		NFPROTO_IPV4,
7475 		.hooknum =	NF_INET_POST_ROUTING,
7476 		.priority =	NF_IP_PRI_SELINUX_LAST,
7477 	},
7478 	{
7479 		.hook =		selinux_ipv4_forward,
7480 		.pf =		NFPROTO_IPV4,
7481 		.hooknum =	NF_INET_FORWARD,
7482 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7483 	},
7484 	{
7485 		.hook =		selinux_ipv4_output,
7486 		.pf =		NFPROTO_IPV4,
7487 		.hooknum =	NF_INET_LOCAL_OUT,
7488 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7489 	},
7490 #if IS_ENABLED(CONFIG_IPV6)
7491 	{
7492 		.hook =		selinux_ipv6_postroute,
7493 		.pf =		NFPROTO_IPV6,
7494 		.hooknum =	NF_INET_POST_ROUTING,
7495 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7496 	},
7497 	{
7498 		.hook =		selinux_ipv6_forward,
7499 		.pf =		NFPROTO_IPV6,
7500 		.hooknum =	NF_INET_FORWARD,
7501 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7502 	},
7503 	{
7504 		.hook =		selinux_ipv6_output,
7505 		.pf =		NFPROTO_IPV6,
7506 		.hooknum =	NF_INET_LOCAL_OUT,
7507 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7508 	},
7509 #endif	/* IPV6 */
7510 };
7511 
selinux_nf_register(struct net * net)7512 static int __net_init selinux_nf_register(struct net *net)
7513 {
7514 	return nf_register_net_hooks(net, selinux_nf_ops,
7515 				     ARRAY_SIZE(selinux_nf_ops));
7516 }
7517 
selinux_nf_unregister(struct net * net)7518 static void __net_exit selinux_nf_unregister(struct net *net)
7519 {
7520 	nf_unregister_net_hooks(net, selinux_nf_ops,
7521 				ARRAY_SIZE(selinux_nf_ops));
7522 }
7523 
7524 static struct pernet_operations selinux_net_ops = {
7525 	.init = selinux_nf_register,
7526 	.exit = selinux_nf_unregister,
7527 };
7528 
selinux_nf_ip_init(void)7529 static int __init selinux_nf_ip_init(void)
7530 {
7531 	int err;
7532 
7533 	if (!selinux_enabled_boot)
7534 		return 0;
7535 
7536 	pr_debug("SELinux:  Registering netfilter hooks\n");
7537 
7538 	err = register_pernet_subsys(&selinux_net_ops);
7539 	if (err)
7540 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7541 
7542 	return 0;
7543 }
7544 __initcall(selinux_nf_ip_init);
7545 
7546 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_nf_ip_exit(void)7547 static void selinux_nf_ip_exit(void)
7548 {
7549 	pr_debug("SELinux:  Unregistering netfilter hooks\n");
7550 
7551 	unregister_pernet_subsys(&selinux_net_ops);
7552 }
7553 #endif
7554 
7555 #else /* CONFIG_NETFILTER */
7556 
7557 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7558 #define selinux_nf_ip_exit()
7559 #endif
7560 
7561 #endif /* CONFIG_NETFILTER */
7562 
7563 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
selinux_disable(struct selinux_state * state)7564 int selinux_disable(struct selinux_state *state)
7565 {
7566 	if (selinux_initialized(state)) {
7567 		/* Not permitted after initial policy load. */
7568 		return -EINVAL;
7569 	}
7570 
7571 	if (selinux_disabled(state)) {
7572 		/* Only do this once. */
7573 		return -EINVAL;
7574 	}
7575 
7576 	selinux_mark_disabled(state);
7577 
7578 	pr_info("SELinux:  Disabled at runtime.\n");
7579 
7580 	/*
7581 	 * Unregister netfilter hooks.
7582 	 * Must be done before security_delete_hooks() to avoid breaking
7583 	 * runtime disable.
7584 	 */
7585 	selinux_nf_ip_exit();
7586 
7587 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7588 
7589 	/* Try to destroy the avc node cache */
7590 	avc_disable();
7591 
7592 	/* Unregister selinuxfs. */
7593 	exit_sel_fs();
7594 
7595 	return 0;
7596 }
7597 #endif
7598