2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
103 struct selinux_state selinux_state;
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
111 static int __init enforcing_setup(char *str)
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
118 __setup("enforcing=", enforcing_setup);
120 #define selinux_enforcing_boot 1
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
126 static int __init selinux_enabled_setup(char *str)
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
133 __setup("selinux=", selinux_enabled_setup);
135 int selinux_enabled = 1;
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 static int __init checkreqprot_setup(char *str)
143 unsigned long checkreqprot;
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
149 __setup("checkreqprot=", checkreqprot_setup);
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
165 static int selinux_secmark_enabled(void)
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
181 static int selinux_peerlbl_enabled(void)
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
187 static int selinux_netcache_avc_callback(u32 event)
189 if (event == AVC_CALLBACK_RESET) {
198 static int selinux_lsm_notifier_avc_callback(u32 event)
200 if (event == AVC_CALLBACK_RESET) {
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
209 * initialise the security for the init task
211 static void cred_init_security(void)
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
218 panic("SELinux: Failed to initialize initial task.\n");
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
225 * get the security ID of a set of credentials
227 static inline u32 cred_sid(const struct cred *cred)
229 const struct task_security_struct *tsec;
231 tsec = cred->security;
236 * get the objective security ID of a task
238 static inline u32 task_sid(const struct task_struct *task)
243 sid = cred_sid(__task_cred(task));
248 /* Allocate and free functions for each kind of security blob. */
250 static int inode_alloc_security(struct inode *inode)
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @dentry parameter should be set to a dentry of the inode.
279 static int __inode_security_revalidate(struct inode *inode,
280 struct dentry *dentry,
283 struct inode_security_struct *isec = inode->i_security;
285 might_sleep_if(may_sleep);
287 if (selinux_state.initialized &&
288 isec->initialized != LABEL_INITIALIZED) {
293 * Try reloading the inode security label. This will fail if
294 * @opt_dentry is NULL and no dentry for this inode can be
295 * found; in that case, continue using the old label.
297 inode_doinit_with_dentry(inode, dentry);
302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304 return inode->i_security;
307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
311 error = __inode_security_revalidate(inode, NULL, !rcu);
313 return ERR_PTR(error);
314 return inode->i_security;
318 * Get the security label of an inode.
320 static struct inode_security_struct *inode_security(struct inode *inode)
322 __inode_security_revalidate(inode, NULL, true);
323 return inode->i_security;
326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328 struct inode *inode = d_backing_inode(dentry);
330 return inode->i_security;
334 * Get the security label of a dentry's backing inode.
336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338 struct inode *inode = d_backing_inode(dentry);
340 __inode_security_revalidate(inode, dentry, true);
341 return inode->i_security;
344 static void inode_free_rcu(struct rcu_head *head)
346 struct inode_security_struct *isec;
348 isec = container_of(head, struct inode_security_struct, rcu);
349 kmem_cache_free(sel_inode_cache, isec);
352 static void inode_free_security(struct inode *inode)
354 struct inode_security_struct *isec = inode->i_security;
355 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
358 * As not all inode security structures are in a list, we check for
359 * empty list outside of the lock to make sure that we won't waste
360 * time taking a lock doing nothing.
362 * The list_del_init() function can be safely called more than once.
363 * It should not be possible for this function to be called with
364 * concurrent list_add(), but for better safety against future changes
365 * in the code, we use list_empty_careful() here.
367 if (!list_empty_careful(&isec->list)) {
368 spin_lock(&sbsec->isec_lock);
369 list_del_init(&isec->list);
370 spin_unlock(&sbsec->isec_lock);
374 * The inode may still be referenced in a path walk and
375 * a call to selinux_inode_permission() can be made
376 * after inode_free_security() is called. Ideally, the VFS
377 * wouldn't do this, but fixing that is a much harder
378 * job. For now, simply free the i_security via RCU, and
379 * leave the current inode->i_security pointer intact.
380 * The inode will be freed after the RCU grace period too.
382 call_rcu(&isec->rcu, inode_free_rcu);
385 static int file_alloc_security(struct file *file)
387 struct file_security_struct *fsec;
388 u32 sid = current_sid();
390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
395 fsec->fown_sid = sid;
396 file->f_security = fsec;
401 static void file_free_security(struct file *file)
403 struct file_security_struct *fsec = file->f_security;
404 file->f_security = NULL;
405 kmem_cache_free(file_security_cache, fsec);
408 static int superblock_alloc_security(struct super_block *sb)
410 struct superblock_security_struct *sbsec;
412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
416 mutex_init(&sbsec->lock);
417 INIT_LIST_HEAD(&sbsec->isec_head);
418 spin_lock_init(&sbsec->isec_lock);
420 sbsec->sid = SECINITSID_UNLABELED;
421 sbsec->def_sid = SECINITSID_FILE;
422 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423 sb->s_security = sbsec;
428 static void superblock_free_security(struct super_block *sb)
430 struct superblock_security_struct *sbsec = sb->s_security;
431 sb->s_security = NULL;
435 static inline int inode_doinit(struct inode *inode)
437 return inode_doinit_with_dentry(inode, NULL);
446 Opt_labelsupport = 5,
450 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
452 static const match_table_t tokens = {
453 {Opt_context, CONTEXT_STR "%s"},
454 {Opt_fscontext, FSCONTEXT_STR "%s"},
455 {Opt_defcontext, DEFCONTEXT_STR "%s"},
456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457 {Opt_labelsupport, LABELSUPP_STR},
461 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
463 static int may_context_mount_sb_relabel(u32 sid,
464 struct superblock_security_struct *sbsec,
465 const struct cred *cred)
467 const struct task_security_struct *tsec = cred->security;
470 rc = avc_has_perm(&selinux_state,
471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 FILESYSTEM__RELABELFROM, NULL);
476 rc = avc_has_perm(&selinux_state,
477 tsec->sid, sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__RELABELTO, NULL);
482 static int may_context_mount_inode_relabel(u32 sid,
483 struct superblock_security_struct *sbsec,
484 const struct cred *cred)
486 const struct task_security_struct *tsec = cred->security;
488 rc = avc_has_perm(&selinux_state,
489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 FILESYSTEM__RELABELFROM, NULL);
494 rc = avc_has_perm(&selinux_state,
495 sid, sbsec->sid, SECCLASS_FILESYSTEM,
496 FILESYSTEM__ASSOCIATE, NULL);
500 static int selinux_is_genfs_special_handling(struct super_block *sb)
502 /* Special handling. Genfs but also in-core setxattr handler */
503 return !strcmp(sb->s_type->name, "sysfs") ||
504 !strcmp(sb->s_type->name, "pstore") ||
505 !strcmp(sb->s_type->name, "debugfs") ||
506 !strcmp(sb->s_type->name, "tracefs") ||
507 !strcmp(sb->s_type->name, "rootfs") ||
508 (selinux_policycap_cgroupseclabel() &&
509 (!strcmp(sb->s_type->name, "cgroup") ||
510 !strcmp(sb->s_type->name, "cgroup2")));
513 static int selinux_is_sblabel_mnt(struct super_block *sb)
515 struct superblock_security_struct *sbsec = sb->s_security;
518 * IMPORTANT: Double-check logic in this function when adding a new
519 * SECURITY_FS_USE_* definition!
521 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
523 switch (sbsec->behavior) {
524 case SECURITY_FS_USE_XATTR:
525 case SECURITY_FS_USE_TRANS:
526 case SECURITY_FS_USE_TASK:
527 case SECURITY_FS_USE_NATIVE:
530 case SECURITY_FS_USE_GENFS:
531 return selinux_is_genfs_special_handling(sb);
533 /* Never allow relabeling on context mounts */
534 case SECURITY_FS_USE_MNTPOINT:
535 case SECURITY_FS_USE_NONE:
541 static int sb_finish_set_opts(struct super_block *sb)
543 struct superblock_security_struct *sbsec = sb->s_security;
544 struct dentry *root = sb->s_root;
545 struct inode *root_inode = d_backing_inode(root);
548 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
549 /* Make sure that the xattr handler exists and that no
550 error other than -ENODATA is returned by getxattr on
551 the root directory. -ENODATA is ok, as this may be
552 the first boot of the SELinux kernel before we have
553 assigned xattr values to the filesystem. */
554 if (!(root_inode->i_opflags & IOP_XATTR)) {
555 pr_warn("SELinux: (dev %s, type %s) has no "
556 "xattr support\n", sb->s_id, sb->s_type->name);
561 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
562 if (rc < 0 && rc != -ENODATA) {
563 if (rc == -EOPNOTSUPP)
564 pr_warn("SELinux: (dev %s, type "
565 "%s) has no security xattr handler\n",
566 sb->s_id, sb->s_type->name);
568 pr_warn("SELinux: (dev %s, type "
569 "%s) getxattr errno %d\n", sb->s_id,
570 sb->s_type->name, -rc);
575 sbsec->flags |= SE_SBINITIALIZED;
578 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
579 * leave the flag untouched because sb_clone_mnt_opts might be handing
580 * us a superblock that needs the flag to be cleared.
582 if (selinux_is_sblabel_mnt(sb))
583 sbsec->flags |= SBLABEL_MNT;
585 sbsec->flags &= ~SBLABEL_MNT;
587 /* Initialize the root inode. */
588 rc = inode_doinit_with_dentry(root_inode, root);
590 /* Initialize any other inodes associated with the superblock, e.g.
591 inodes created prior to initial policy load or inodes created
592 during get_sb by a pseudo filesystem that directly
594 spin_lock(&sbsec->isec_lock);
596 if (!list_empty(&sbsec->isec_head)) {
597 struct inode_security_struct *isec =
598 list_entry(sbsec->isec_head.next,
599 struct inode_security_struct, list);
600 struct inode *inode = isec->inode;
601 list_del_init(&isec->list);
602 spin_unlock(&sbsec->isec_lock);
603 inode = igrab(inode);
605 if (!IS_PRIVATE(inode))
609 spin_lock(&sbsec->isec_lock);
612 spin_unlock(&sbsec->isec_lock);
618 * This function should allow an FS to ask what it's mount security
619 * options were so it can use those later for submounts, displaying
620 * mount options, or whatever.
622 static int selinux_get_mnt_opts(const struct super_block *sb,
623 struct security_mnt_opts *opts)
626 struct superblock_security_struct *sbsec = sb->s_security;
627 char *context = NULL;
631 security_init_mnt_opts(opts);
633 if (!(sbsec->flags & SE_SBINITIALIZED))
636 if (!selinux_state.initialized)
639 /* make sure we always check enough bits to cover the mask */
640 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
642 tmp = sbsec->flags & SE_MNTMASK;
643 /* count the number of mount options for this sb */
644 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
646 opts->num_mnt_opts++;
649 /* Check if the Label support flag is set */
650 if (sbsec->flags & SBLABEL_MNT)
651 opts->num_mnt_opts++;
653 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
654 if (!opts->mnt_opts) {
659 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
660 if (!opts->mnt_opts_flags) {
666 if (sbsec->flags & FSCONTEXT_MNT) {
667 rc = security_sid_to_context(&selinux_state, sbsec->sid,
671 opts->mnt_opts[i] = context;
672 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
674 if (sbsec->flags & CONTEXT_MNT) {
675 rc = security_sid_to_context(&selinux_state,
680 opts->mnt_opts[i] = context;
681 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
683 if (sbsec->flags & DEFCONTEXT_MNT) {
684 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
688 opts->mnt_opts[i] = context;
689 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
691 if (sbsec->flags & ROOTCONTEXT_MNT) {
692 struct dentry *root = sbsec->sb->s_root;
693 struct inode_security_struct *isec = backing_inode_security(root);
695 rc = security_sid_to_context(&selinux_state, isec->sid,
699 opts->mnt_opts[i] = context;
700 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
702 if (sbsec->flags & SBLABEL_MNT) {
703 opts->mnt_opts[i] = NULL;
704 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
707 BUG_ON(i != opts->num_mnt_opts);
712 security_free_mnt_opts(opts);
716 static int bad_option(struct superblock_security_struct *sbsec, char flag,
717 u32 old_sid, u32 new_sid)
719 char mnt_flags = sbsec->flags & SE_MNTMASK;
721 /* check if the old mount command had the same options */
722 if (sbsec->flags & SE_SBINITIALIZED)
723 if (!(sbsec->flags & flag) ||
724 (old_sid != new_sid))
727 /* check if we were passed the same options twice,
728 * aka someone passed context=a,context=b
730 if (!(sbsec->flags & SE_SBINITIALIZED))
731 if (mnt_flags & flag)
737 * Allow filesystems with binary mount data to explicitly set mount point
738 * labeling information.
740 static int selinux_set_mnt_opts(struct super_block *sb,
741 struct security_mnt_opts *opts,
742 unsigned long kern_flags,
743 unsigned long *set_kern_flags)
745 const struct cred *cred = current_cred();
747 struct superblock_security_struct *sbsec = sb->s_security;
748 const char *name = sb->s_type->name;
749 struct dentry *root = sbsec->sb->s_root;
750 struct inode_security_struct *root_isec;
751 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
752 u32 defcontext_sid = 0;
753 char **mount_options = opts->mnt_opts;
754 int *flags = opts->mnt_opts_flags;
755 int num_opts = opts->num_mnt_opts;
757 mutex_lock(&sbsec->lock);
759 if (!selinux_state.initialized) {
761 /* Defer initialization until selinux_complete_init,
762 after the initial policy is loaded and the security
763 server is ready to handle calls. */
767 pr_warn("SELinux: Unable to set superblock options "
768 "before the security server is initialized\n");
771 if (kern_flags && !set_kern_flags) {
772 /* Specifying internal flags without providing a place to
773 * place the results is not allowed */
779 * Binary mount data FS will come through this function twice. Once
780 * from an explicit call and once from the generic calls from the vfs.
781 * Since the generic VFS calls will not contain any security mount data
782 * we need to skip the double mount verification.
784 * This does open a hole in which we will not notice if the first
785 * mount using this sb set explict options and a second mount using
786 * this sb does not set any security options. (The first options
787 * will be used for both mounts)
789 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
793 root_isec = backing_inode_security_novalidate(root);
796 * parse the mount options, check if they are valid sids.
797 * also check if someone is trying to mount the same sb more
798 * than once with different security options.
800 for (i = 0; i < num_opts; i++) {
803 if (flags[i] == SBLABEL_MNT)
805 rc = security_context_str_to_sid(&selinux_state,
806 mount_options[i], &sid,
809 pr_warn("SELinux: security_context_str_to_sid"
810 "(%s) failed for (dev %s, type %s) errno=%d\n",
811 mount_options[i], sb->s_id, name, rc);
818 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
820 goto out_double_mount;
822 sbsec->flags |= FSCONTEXT_MNT;
827 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
829 goto out_double_mount;
831 sbsec->flags |= CONTEXT_MNT;
833 case ROOTCONTEXT_MNT:
834 rootcontext_sid = sid;
836 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
838 goto out_double_mount;
840 sbsec->flags |= ROOTCONTEXT_MNT;
844 defcontext_sid = sid;
846 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
848 goto out_double_mount;
850 sbsec->flags |= DEFCONTEXT_MNT;
859 if (sbsec->flags & SE_SBINITIALIZED) {
860 /* previously mounted with options, but not on this attempt? */
861 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
862 goto out_double_mount;
867 if (strcmp(sb->s_type->name, "proc") == 0)
868 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
870 if (!strcmp(sb->s_type->name, "debugfs") ||
871 !strcmp(sb->s_type->name, "tracefs") ||
872 !strcmp(sb->s_type->name, "sysfs") ||
873 !strcmp(sb->s_type->name, "pstore") ||
874 !strcmp(sb->s_type->name, "cgroup") ||
875 !strcmp(sb->s_type->name, "cgroup2"))
876 sbsec->flags |= SE_SBGENFS;
878 if (!sbsec->behavior) {
880 * Determine the labeling behavior to use for this
883 rc = security_fs_use(&selinux_state, sb);
885 pr_warn("%s: security_fs_use(%s) returned %d\n",
886 __func__, sb->s_type->name, rc);
892 * If this is a user namespace mount and the filesystem type is not
893 * explicitly whitelisted, then no contexts are allowed on the command
894 * line and security labels must be ignored.
896 if (sb->s_user_ns != &init_user_ns &&
897 strcmp(sb->s_type->name, "tmpfs") &&
898 strcmp(sb->s_type->name, "ramfs") &&
899 strcmp(sb->s_type->name, "devpts")) {
900 if (context_sid || fscontext_sid || rootcontext_sid ||
905 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
906 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
907 rc = security_transition_sid(&selinux_state,
911 &sbsec->mntpoint_sid);
918 /* sets the context of the superblock for the fs being mounted. */
920 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
924 sbsec->sid = fscontext_sid;
928 * Switch to using mount point labeling behavior.
929 * sets the label used on all file below the mountpoint, and will set
930 * the superblock context if not already set.
932 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
933 sbsec->behavior = SECURITY_FS_USE_NATIVE;
934 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
938 if (!fscontext_sid) {
939 rc = may_context_mount_sb_relabel(context_sid, sbsec,
943 sbsec->sid = context_sid;
945 rc = may_context_mount_inode_relabel(context_sid, sbsec,
950 if (!rootcontext_sid)
951 rootcontext_sid = context_sid;
953 sbsec->mntpoint_sid = context_sid;
954 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
957 if (rootcontext_sid) {
958 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
963 root_isec->sid = rootcontext_sid;
964 root_isec->initialized = LABEL_INITIALIZED;
967 if (defcontext_sid) {
968 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
969 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
971 pr_warn("SELinux: defcontext option is "
972 "invalid for this filesystem type\n");
976 if (defcontext_sid != sbsec->def_sid) {
977 rc = may_context_mount_inode_relabel(defcontext_sid,
983 sbsec->def_sid = defcontext_sid;
987 rc = sb_finish_set_opts(sb);
989 mutex_unlock(&sbsec->lock);
993 pr_warn("SELinux: mount invalid. Same superblock, different "
994 "security settings for (dev %s, type %s)\n", sb->s_id, name);
998 static int selinux_cmp_sb_context(const struct super_block *oldsb,
999 const struct super_block *newsb)
1001 struct superblock_security_struct *old = oldsb->s_security;
1002 struct superblock_security_struct *new = newsb->s_security;
1003 char oldflags = old->flags & SE_MNTMASK;
1004 char newflags = new->flags & SE_MNTMASK;
1006 if (oldflags != newflags)
1008 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
1010 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
1012 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
1014 if (oldflags & ROOTCONTEXT_MNT) {
1015 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
1016 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
1017 if (oldroot->sid != newroot->sid)
1022 pr_warn("SELinux: mount invalid. Same superblock, "
1023 "different security settings for (dev %s, "
1024 "type %s)\n", newsb->s_id, newsb->s_type->name);
1028 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1029 struct super_block *newsb,
1030 unsigned long kern_flags,
1031 unsigned long *set_kern_flags)
1034 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1035 struct superblock_security_struct *newsbsec = newsb->s_security;
1037 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1038 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1039 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1042 * if the parent was able to be mounted it clearly had no special lsm
1043 * mount options. thus we can safely deal with this superblock later
1045 if (!selinux_state.initialized)
1049 * Specifying internal flags without providing a place to
1050 * place the results is not allowed.
1052 if (kern_flags && !set_kern_flags)
1055 /* how can we clone if the old one wasn't set up?? */
1056 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1058 /* if fs is reusing a sb, make sure that the contexts match */
1059 if (newsbsec->flags & SE_SBINITIALIZED) {
1060 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
1061 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1062 return selinux_cmp_sb_context(oldsb, newsb);
1065 mutex_lock(&newsbsec->lock);
1067 newsbsec->flags = oldsbsec->flags;
1069 newsbsec->sid = oldsbsec->sid;
1070 newsbsec->def_sid = oldsbsec->def_sid;
1071 newsbsec->behavior = oldsbsec->behavior;
1073 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1074 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1075 rc = security_fs_use(&selinux_state, newsb);
1080 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1081 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1082 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1086 u32 sid = oldsbsec->mntpoint_sid;
1089 newsbsec->sid = sid;
1090 if (!set_rootcontext) {
1091 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1094 newsbsec->mntpoint_sid = sid;
1096 if (set_rootcontext) {
1097 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1098 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1100 newisec->sid = oldisec->sid;
1103 sb_finish_set_opts(newsb);
1105 mutex_unlock(&newsbsec->lock);
1109 static int selinux_parse_opts_str(char *options,
1110 struct security_mnt_opts *opts)
1113 char *context = NULL, *defcontext = NULL;
1114 char *fscontext = NULL, *rootcontext = NULL;
1115 int rc, num_mnt_opts = 0;
1117 opts->num_mnt_opts = 0;
1119 /* Standard string-based options. */
1120 while ((p = strsep(&options, "|")) != NULL) {
1122 substring_t args[MAX_OPT_ARGS];
1127 token = match_token(p, tokens, args);
1131 if (context || defcontext) {
1133 pr_warn(SEL_MOUNT_FAIL_MSG);
1136 context = match_strdup(&args[0]);
1146 pr_warn(SEL_MOUNT_FAIL_MSG);
1149 fscontext = match_strdup(&args[0]);
1156 case Opt_rootcontext:
1159 pr_warn(SEL_MOUNT_FAIL_MSG);
1162 rootcontext = match_strdup(&args[0]);
1169 case Opt_defcontext:
1170 if (context || defcontext) {
1172 pr_warn(SEL_MOUNT_FAIL_MSG);
1175 defcontext = match_strdup(&args[0]);
1181 case Opt_labelsupport:
1185 pr_warn("SELinux: unknown mount option\n");
1192 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1193 if (!opts->mnt_opts)
1196 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1198 if (!opts->mnt_opts_flags)
1202 opts->mnt_opts[num_mnt_opts] = fscontext;
1203 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1206 opts->mnt_opts[num_mnt_opts] = context;
1207 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1210 opts->mnt_opts[num_mnt_opts] = rootcontext;
1211 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1214 opts->mnt_opts[num_mnt_opts] = defcontext;
1215 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1218 opts->num_mnt_opts = num_mnt_opts;
1222 security_free_mnt_opts(opts);
1230 * string mount options parsing and call set the sbsec
1232 static int superblock_doinit(struct super_block *sb, void *data)
1235 char *options = data;
1236 struct security_mnt_opts opts;
1238 security_init_mnt_opts(&opts);
1243 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1245 rc = selinux_parse_opts_str(options, &opts);
1250 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1253 security_free_mnt_opts(&opts);
1257 static void selinux_write_opts(struct seq_file *m,
1258 struct security_mnt_opts *opts)
1263 for (i = 0; i < opts->num_mnt_opts; i++) {
1266 if (opts->mnt_opts[i])
1267 has_comma = strchr(opts->mnt_opts[i], ',');
1271 switch (opts->mnt_opts_flags[i]) {
1273 prefix = CONTEXT_STR;
1276 prefix = FSCONTEXT_STR;
1278 case ROOTCONTEXT_MNT:
1279 prefix = ROOTCONTEXT_STR;
1281 case DEFCONTEXT_MNT:
1282 prefix = DEFCONTEXT_STR;
1286 seq_puts(m, LABELSUPP_STR);
1292 /* we need a comma before each option */
1294 seq_puts(m, prefix);
1297 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1303 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1305 struct security_mnt_opts opts;
1308 rc = selinux_get_mnt_opts(sb, &opts);
1310 /* before policy load we may get EINVAL, don't show anything */
1316 selinux_write_opts(m, &opts);
1318 security_free_mnt_opts(&opts);
1323 static inline u16 inode_mode_to_security_class(umode_t mode)
1325 switch (mode & S_IFMT) {
1327 return SECCLASS_SOCK_FILE;
1329 return SECCLASS_LNK_FILE;
1331 return SECCLASS_FILE;
1333 return SECCLASS_BLK_FILE;
1335 return SECCLASS_DIR;
1337 return SECCLASS_CHR_FILE;
1339 return SECCLASS_FIFO_FILE;
1343 return SECCLASS_FILE;
1346 static inline int default_protocol_stream(int protocol)
1348 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1351 static inline int default_protocol_dgram(int protocol)
1353 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1356 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1358 int extsockclass = selinux_policycap_extsockclass();
1364 case SOCK_SEQPACKET:
1365 return SECCLASS_UNIX_STREAM_SOCKET;
1368 return SECCLASS_UNIX_DGRAM_SOCKET;
1375 case SOCK_SEQPACKET:
1376 if (default_protocol_stream(protocol))
1377 return SECCLASS_TCP_SOCKET;
1378 else if (extsockclass && protocol == IPPROTO_SCTP)
1379 return SECCLASS_SCTP_SOCKET;
1381 return SECCLASS_RAWIP_SOCKET;
1383 if (default_protocol_dgram(protocol))
1384 return SECCLASS_UDP_SOCKET;
1385 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1386 protocol == IPPROTO_ICMPV6))
1387 return SECCLASS_ICMP_SOCKET;
1389 return SECCLASS_RAWIP_SOCKET;
1391 return SECCLASS_DCCP_SOCKET;
1393 return SECCLASS_RAWIP_SOCKET;
1399 return SECCLASS_NETLINK_ROUTE_SOCKET;
1400 case NETLINK_SOCK_DIAG:
1401 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1403 return SECCLASS_NETLINK_NFLOG_SOCKET;
1405 return SECCLASS_NETLINK_XFRM_SOCKET;
1406 case NETLINK_SELINUX:
1407 return SECCLASS_NETLINK_SELINUX_SOCKET;
1409 return SECCLASS_NETLINK_ISCSI_SOCKET;
1411 return SECCLASS_NETLINK_AUDIT_SOCKET;
1412 case NETLINK_FIB_LOOKUP:
1413 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1414 case NETLINK_CONNECTOR:
1415 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1416 case NETLINK_NETFILTER:
1417 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1418 case NETLINK_DNRTMSG:
1419 return SECCLASS_NETLINK_DNRT_SOCKET;
1420 case NETLINK_KOBJECT_UEVENT:
1421 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1422 case NETLINK_GENERIC:
1423 return SECCLASS_NETLINK_GENERIC_SOCKET;
1424 case NETLINK_SCSITRANSPORT:
1425 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1427 return SECCLASS_NETLINK_RDMA_SOCKET;
1428 case NETLINK_CRYPTO:
1429 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1431 return SECCLASS_NETLINK_SOCKET;
1434 return SECCLASS_PACKET_SOCKET;
1436 return SECCLASS_KEY_SOCKET;
1438 return SECCLASS_APPLETALK_SOCKET;
1444 return SECCLASS_AX25_SOCKET;
1446 return SECCLASS_IPX_SOCKET;
1448 return SECCLASS_NETROM_SOCKET;
1450 return SECCLASS_ATMPVC_SOCKET;
1452 return SECCLASS_X25_SOCKET;
1454 return SECCLASS_ROSE_SOCKET;
1456 return SECCLASS_DECNET_SOCKET;
1458 return SECCLASS_ATMSVC_SOCKET;
1460 return SECCLASS_RDS_SOCKET;
1462 return SECCLASS_IRDA_SOCKET;
1464 return SECCLASS_PPPOX_SOCKET;
1466 return SECCLASS_LLC_SOCKET;
1468 return SECCLASS_CAN_SOCKET;
1470 return SECCLASS_TIPC_SOCKET;
1472 return SECCLASS_BLUETOOTH_SOCKET;
1474 return SECCLASS_IUCV_SOCKET;
1476 return SECCLASS_RXRPC_SOCKET;
1478 return SECCLASS_ISDN_SOCKET;
1480 return SECCLASS_PHONET_SOCKET;
1482 return SECCLASS_IEEE802154_SOCKET;
1484 return SECCLASS_CAIF_SOCKET;
1486 return SECCLASS_ALG_SOCKET;
1488 return SECCLASS_NFC_SOCKET;
1490 return SECCLASS_VSOCK_SOCKET;
1492 return SECCLASS_KCM_SOCKET;
1494 return SECCLASS_QIPCRTR_SOCKET;
1496 return SECCLASS_SMC_SOCKET;
1498 return SECCLASS_XDP_SOCKET;
1500 #error New address family defined, please update this function.
1505 return SECCLASS_SOCKET;
1508 static int selinux_genfs_get_sid(struct dentry *dentry,
1514 struct super_block *sb = dentry->d_sb;
1515 char *buffer, *path;
1517 buffer = (char *)__get_free_page(GFP_KERNEL);
1521 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1525 if (flags & SE_SBPROC) {
1526 /* each process gets a /proc/PID/ entry. Strip off the
1527 * PID part to get a valid selinux labeling.
1528 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1529 while (path[1] >= '0' && path[1] <= '9') {
1534 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1536 if (rc == -ENOENT) {
1537 /* No match in policy, mark as unlabeled. */
1538 *sid = SECINITSID_UNLABELED;
1542 free_page((unsigned long)buffer);
1546 /* The inode's security attributes must be initialized before first use. */
1547 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1549 struct superblock_security_struct *sbsec = NULL;
1550 struct inode_security_struct *isec = inode->i_security;
1551 u32 task_sid, sid = 0;
1553 struct dentry *dentry;
1554 #define INITCONTEXTLEN 255
1555 char *context = NULL;
1559 if (isec->initialized == LABEL_INITIALIZED)
1562 spin_lock(&isec->lock);
1563 if (isec->initialized == LABEL_INITIALIZED)
1566 if (isec->sclass == SECCLASS_FILE)
1567 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1569 sbsec = inode->i_sb->s_security;
1570 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1571 /* Defer initialization until selinux_complete_init,
1572 after the initial policy is loaded and the security
1573 server is ready to handle calls. */
1574 spin_lock(&sbsec->isec_lock);
1575 if (list_empty(&isec->list))
1576 list_add(&isec->list, &sbsec->isec_head);
1577 spin_unlock(&sbsec->isec_lock);
1581 sclass = isec->sclass;
1582 task_sid = isec->task_sid;
1584 isec->initialized = LABEL_PENDING;
1585 spin_unlock(&isec->lock);
1587 switch (sbsec->behavior) {
1588 case SECURITY_FS_USE_NATIVE:
1590 case SECURITY_FS_USE_XATTR:
1591 if (!(inode->i_opflags & IOP_XATTR)) {
1592 sid = sbsec->def_sid;
1595 /* Need a dentry, since the xattr API requires one.
1596 Life would be simpler if we could just pass the inode. */
1598 /* Called from d_instantiate or d_splice_alias. */
1599 dentry = dget(opt_dentry);
1602 * Called from selinux_complete_init, try to find a dentry.
1603 * Some filesystems really want a connected one, so try
1604 * that first. We could split SECURITY_FS_USE_XATTR in
1605 * two, depending upon that...
1607 dentry = d_find_alias(inode);
1609 dentry = d_find_any_alias(inode);
1613 * this is can be hit on boot when a file is accessed
1614 * before the policy is loaded. When we load policy we
1615 * may find inodes that have no dentry on the
1616 * sbsec->isec_head list. No reason to complain as these
1617 * will get fixed up the next time we go through
1618 * inode_doinit with a dentry, before these inodes could
1619 * be used again by userspace.
1624 len = INITCONTEXTLEN;
1625 context = kmalloc(len+1, GFP_NOFS);
1631 context[len] = '\0';
1632 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1633 if (rc == -ERANGE) {
1636 /* Need a larger buffer. Query for the right size. */
1637 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1643 context = kmalloc(len+1, GFP_NOFS);
1649 context[len] = '\0';
1650 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1654 if (rc != -ENODATA) {
1655 pr_warn("SELinux: %s: getxattr returned "
1656 "%d for dev=%s ino=%ld\n", __func__,
1657 -rc, inode->i_sb->s_id, inode->i_ino);
1661 /* Map ENODATA to the default file SID */
1662 sid = sbsec->def_sid;
1665 rc = security_context_to_sid_default(&selinux_state,
1670 char *dev = inode->i_sb->s_id;
1671 unsigned long ino = inode->i_ino;
1673 if (rc == -EINVAL) {
1674 if (printk_ratelimit())
1675 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1676 "context=%s. This indicates you may need to relabel the inode or the "
1677 "filesystem in question.\n", ino, dev, context);
1679 pr_warn("SELinux: %s: context_to_sid(%s) "
1680 "returned %d for dev=%s ino=%ld\n",
1681 __func__, context, -rc, dev, ino);
1684 /* Leave with the unlabeled SID */
1691 case SECURITY_FS_USE_TASK:
1694 case SECURITY_FS_USE_TRANS:
1695 /* Default to the fs SID. */
1698 /* Try to obtain a transition SID. */
1699 rc = security_transition_sid(&selinux_state, task_sid, sid,
1700 sclass, NULL, &sid);
1704 case SECURITY_FS_USE_MNTPOINT:
1705 sid = sbsec->mntpoint_sid;
1708 /* Default to the fs superblock SID. */
1711 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1712 /* We must have a dentry to determine the label on
1715 /* Called from d_instantiate or
1716 * d_splice_alias. */
1717 dentry = dget(opt_dentry);
1719 /* Called from selinux_complete_init, try to
1720 * find a dentry. Some filesystems really want
1721 * a connected one, so try that first.
1723 dentry = d_find_alias(inode);
1725 dentry = d_find_any_alias(inode);
1728 * This can be hit on boot when a file is accessed
1729 * before the policy is loaded. When we load policy we
1730 * may find inodes that have no dentry on the
1731 * sbsec->isec_head list. No reason to complain as
1732 * these will get fixed up the next time we go through
1733 * inode_doinit() with a dentry, before these inodes
1734 * could be used again by userspace.
1738 rc = selinux_genfs_get_sid(dentry, sclass,
1739 sbsec->flags, &sid);
1748 spin_lock(&isec->lock);
1749 if (isec->initialized == LABEL_PENDING) {
1751 isec->initialized = LABEL_INVALID;
1755 isec->initialized = LABEL_INITIALIZED;
1760 spin_unlock(&isec->lock);
1764 /* Convert a Linux signal to an access vector. */
1765 static inline u32 signal_to_av(int sig)
1771 /* Commonly granted from child to parent. */
1772 perm = PROCESS__SIGCHLD;
1775 /* Cannot be caught or ignored */
1776 perm = PROCESS__SIGKILL;
1779 /* Cannot be caught or ignored */
1780 perm = PROCESS__SIGSTOP;
1783 /* All other signals. */
1784 perm = PROCESS__SIGNAL;
1791 #if CAP_LAST_CAP > 63
1792 #error Fix SELinux to handle capabilities > 63.
1795 /* Check whether a task is allowed to use a capability. */
1796 static int cred_has_capability(const struct cred *cred,
1797 int cap, unsigned int opts, bool initns)
1799 struct common_audit_data ad;
1800 struct av_decision avd;
1802 u32 sid = cred_sid(cred);
1803 u32 av = CAP_TO_MASK(cap);
1806 ad.type = LSM_AUDIT_DATA_CAP;
1809 switch (CAP_TO_INDEX(cap)) {
1811 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1814 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1817 pr_err("SELinux: out of range capability %d\n", cap);
1822 rc = avc_has_perm_noaudit(&selinux_state,
1823 sid, sid, sclass, av, 0, &avd);
1824 if (!(opts & CAP_OPT_NOAUDIT)) {
1825 int rc2 = avc_audit(&selinux_state,
1826 sid, sid, sclass, av, &avd, rc, &ad, 0);
1833 /* Check whether a task has a particular permission to an inode.
1834 The 'adp' parameter is optional and allows other audit
1835 data to be passed (e.g. the dentry). */
1836 static int inode_has_perm(const struct cred *cred,
1837 struct inode *inode,
1839 struct common_audit_data *adp)
1841 struct inode_security_struct *isec;
1844 validate_creds(cred);
1846 if (unlikely(IS_PRIVATE(inode)))
1849 sid = cred_sid(cred);
1850 isec = inode->i_security;
1852 return avc_has_perm(&selinux_state,
1853 sid, isec->sid, isec->sclass, perms, adp);
1856 /* Same as inode_has_perm, but pass explicit audit data containing
1857 the dentry to help the auditing code to more easily generate the
1858 pathname if needed. */
1859 static inline int dentry_has_perm(const struct cred *cred,
1860 struct dentry *dentry,
1863 struct inode *inode = d_backing_inode(dentry);
1864 struct common_audit_data ad;
1866 ad.type = LSM_AUDIT_DATA_DENTRY;
1867 ad.u.dentry = dentry;
1868 __inode_security_revalidate(inode, dentry, true);
1869 return inode_has_perm(cred, inode, av, &ad);
1872 /* Same as inode_has_perm, but pass explicit audit data containing
1873 the path to help the auditing code to more easily generate the
1874 pathname if needed. */
1875 static inline int path_has_perm(const struct cred *cred,
1876 const struct path *path,
1879 struct inode *inode = d_backing_inode(path->dentry);
1880 struct common_audit_data ad;
1882 ad.type = LSM_AUDIT_DATA_PATH;
1884 __inode_security_revalidate(inode, path->dentry, true);
1885 return inode_has_perm(cred, inode, av, &ad);
1888 /* Same as path_has_perm, but uses the inode from the file struct. */
1889 static inline int file_path_has_perm(const struct cred *cred,
1893 struct common_audit_data ad;
1895 ad.type = LSM_AUDIT_DATA_FILE;
1897 return inode_has_perm(cred, file_inode(file), av, &ad);
1900 #ifdef CONFIG_BPF_SYSCALL
1901 static int bpf_fd_pass(struct file *file, u32 sid);
1904 /* Check whether a task can use an open file descriptor to
1905 access an inode in a given way. Check access to the
1906 descriptor itself, and then use dentry_has_perm to
1907 check a particular permission to the file.
1908 Access to the descriptor is implicitly granted if it
1909 has the same SID as the process. If av is zero, then
1910 access to the file is not checked, e.g. for cases
1911 where only the descriptor is affected like seek. */
1912 static int file_has_perm(const struct cred *cred,
1916 struct file_security_struct *fsec = file->f_security;
1917 struct inode *inode = file_inode(file);
1918 struct common_audit_data ad;
1919 u32 sid = cred_sid(cred);
1922 ad.type = LSM_AUDIT_DATA_FILE;
1925 if (sid != fsec->sid) {
1926 rc = avc_has_perm(&selinux_state,
1935 #ifdef CONFIG_BPF_SYSCALL
1936 rc = bpf_fd_pass(file, cred_sid(cred));
1941 /* av is zero if only checking access to the descriptor. */
1944 rc = inode_has_perm(cred, inode, av, &ad);
1951 * Determine the label for an inode that might be unioned.
1954 selinux_determine_inode_label(const struct task_security_struct *tsec,
1956 const struct qstr *name, u16 tclass,
1959 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1961 if ((sbsec->flags & SE_SBINITIALIZED) &&
1962 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1963 *_new_isid = sbsec->mntpoint_sid;
1964 } else if ((sbsec->flags & SBLABEL_MNT) &&
1966 *_new_isid = tsec->create_sid;
1968 const struct inode_security_struct *dsec = inode_security(dir);
1969 return security_transition_sid(&selinux_state, tsec->sid,
1977 /* Check whether a task can create a file. */
1978 static int may_create(struct inode *dir,
1979 struct dentry *dentry,
1982 const struct task_security_struct *tsec = current_security();
1983 struct inode_security_struct *dsec;
1984 struct superblock_security_struct *sbsec;
1986 struct common_audit_data ad;
1989 dsec = inode_security(dir);
1990 sbsec = dir->i_sb->s_security;
1994 ad.type = LSM_AUDIT_DATA_DENTRY;
1995 ad.u.dentry = dentry;
1997 rc = avc_has_perm(&selinux_state,
1998 sid, dsec->sid, SECCLASS_DIR,
1999 DIR__ADD_NAME | DIR__SEARCH,
2004 rc = selinux_determine_inode_label(current_security(), dir,
2005 &dentry->d_name, tclass, &newsid);
2009 rc = avc_has_perm(&selinux_state,
2010 sid, newsid, tclass, FILE__CREATE, &ad);
2014 return avc_has_perm(&selinux_state,
2016 SECCLASS_FILESYSTEM,
2017 FILESYSTEM__ASSOCIATE, &ad);
2021 #define MAY_UNLINK 1
2024 /* Check whether a task can link, unlink, or rmdir a file/directory. */
2025 static int may_link(struct inode *dir,
2026 struct dentry *dentry,
2030 struct inode_security_struct *dsec, *isec;
2031 struct common_audit_data ad;
2032 u32 sid = current_sid();
2036 dsec = inode_security(dir);
2037 isec = backing_inode_security(dentry);
2039 ad.type = LSM_AUDIT_DATA_DENTRY;
2040 ad.u.dentry = dentry;
2043 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2044 rc = avc_has_perm(&selinux_state,
2045 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2060 pr_warn("SELinux: %s: unrecognized kind %d\n",
2065 rc = avc_has_perm(&selinux_state,
2066 sid, isec->sid, isec->sclass, av, &ad);
2070 static inline int may_rename(struct inode *old_dir,
2071 struct dentry *old_dentry,
2072 struct inode *new_dir,
2073 struct dentry *new_dentry)
2075 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2076 struct common_audit_data ad;
2077 u32 sid = current_sid();
2079 int old_is_dir, new_is_dir;
2082 old_dsec = inode_security(old_dir);
2083 old_isec = backing_inode_security(old_dentry);
2084 old_is_dir = d_is_dir(old_dentry);
2085 new_dsec = inode_security(new_dir);
2087 ad.type = LSM_AUDIT_DATA_DENTRY;
2089 ad.u.dentry = old_dentry;
2090 rc = avc_has_perm(&selinux_state,
2091 sid, old_dsec->sid, SECCLASS_DIR,
2092 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2095 rc = avc_has_perm(&selinux_state,
2097 old_isec->sclass, FILE__RENAME, &ad);
2100 if (old_is_dir && new_dir != old_dir) {
2101 rc = avc_has_perm(&selinux_state,
2103 old_isec->sclass, DIR__REPARENT, &ad);
2108 ad.u.dentry = new_dentry;
2109 av = DIR__ADD_NAME | DIR__SEARCH;
2110 if (d_is_positive(new_dentry))
2111 av |= DIR__REMOVE_NAME;
2112 rc = avc_has_perm(&selinux_state,
2113 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2116 if (d_is_positive(new_dentry)) {
2117 new_isec = backing_inode_security(new_dentry);
2118 new_is_dir = d_is_dir(new_dentry);
2119 rc = avc_has_perm(&selinux_state,
2122 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2130 /* Check whether a task can perform a filesystem operation. */
2131 static int superblock_has_perm(const struct cred *cred,
2132 struct super_block *sb,
2134 struct common_audit_data *ad)
2136 struct superblock_security_struct *sbsec;
2137 u32 sid = cred_sid(cred);
2139 sbsec = sb->s_security;
2140 return avc_has_perm(&selinux_state,
2141 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2144 /* Convert a Linux mode and permission mask to an access vector. */
2145 static inline u32 file_mask_to_av(int mode, int mask)
2149 if (!S_ISDIR(mode)) {
2150 if (mask & MAY_EXEC)
2151 av |= FILE__EXECUTE;
2152 if (mask & MAY_READ)
2155 if (mask & MAY_APPEND)
2157 else if (mask & MAY_WRITE)
2161 if (mask & MAY_EXEC)
2163 if (mask & MAY_WRITE)
2165 if (mask & MAY_READ)
2172 /* Convert a Linux file to an access vector. */
2173 static inline u32 file_to_av(struct file *file)
2177 if (file->f_mode & FMODE_READ)
2179 if (file->f_mode & FMODE_WRITE) {
2180 if (file->f_flags & O_APPEND)
2187 * Special file opened with flags 3 for ioctl-only use.
2196 * Convert a file to an access vector and include the correct open
2199 static inline u32 open_file_to_av(struct file *file)
2201 u32 av = file_to_av(file);
2202 struct inode *inode = file_inode(file);
2204 if (selinux_policycap_openperm() &&
2205 inode->i_sb->s_magic != SOCKFS_MAGIC)
2211 /* Hook functions begin here. */
2213 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2215 u32 mysid = current_sid();
2216 u32 mgrsid = task_sid(mgr);
2218 return avc_has_perm(&selinux_state,
2219 mysid, mgrsid, SECCLASS_BINDER,
2220 BINDER__SET_CONTEXT_MGR, NULL);
2223 static int selinux_binder_transaction(struct task_struct *from,
2224 struct task_struct *to)
2226 u32 mysid = current_sid();
2227 u32 fromsid = task_sid(from);
2228 u32 tosid = task_sid(to);
2231 if (mysid != fromsid) {
2232 rc = avc_has_perm(&selinux_state,
2233 mysid, fromsid, SECCLASS_BINDER,
2234 BINDER__IMPERSONATE, NULL);
2239 return avc_has_perm(&selinux_state,
2240 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2244 static int selinux_binder_transfer_binder(struct task_struct *from,
2245 struct task_struct *to)
2247 u32 fromsid = task_sid(from);
2248 u32 tosid = task_sid(to);
2250 return avc_has_perm(&selinux_state,
2251 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2255 static int selinux_binder_transfer_file(struct task_struct *from,
2256 struct task_struct *to,
2259 u32 sid = task_sid(to);
2260 struct file_security_struct *fsec = file->f_security;
2261 struct dentry *dentry = file->f_path.dentry;
2262 struct inode_security_struct *isec;
2263 struct common_audit_data ad;
2266 ad.type = LSM_AUDIT_DATA_PATH;
2267 ad.u.path = file->f_path;
2269 if (sid != fsec->sid) {
2270 rc = avc_has_perm(&selinux_state,
2279 #ifdef CONFIG_BPF_SYSCALL
2280 rc = bpf_fd_pass(file, sid);
2285 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2288 isec = backing_inode_security(dentry);
2289 return avc_has_perm(&selinux_state,
2290 sid, isec->sid, isec->sclass, file_to_av(file),
2294 static int selinux_ptrace_access_check(struct task_struct *child,
2297 u32 sid = current_sid();
2298 u32 csid = task_sid(child);
2300 if (mode & PTRACE_MODE_READ)
2301 return avc_has_perm(&selinux_state,
2302 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2304 return avc_has_perm(&selinux_state,
2305 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2308 static int selinux_ptrace_traceme(struct task_struct *parent)
2310 return avc_has_perm(&selinux_state,
2311 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2312 PROCESS__PTRACE, NULL);
2315 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2316 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2318 return avc_has_perm(&selinux_state,
2319 current_sid(), task_sid(target), SECCLASS_PROCESS,
2320 PROCESS__GETCAP, NULL);
2323 static int selinux_capset(struct cred *new, const struct cred *old,
2324 const kernel_cap_t *effective,
2325 const kernel_cap_t *inheritable,
2326 const kernel_cap_t *permitted)
2328 return avc_has_perm(&selinux_state,
2329 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2330 PROCESS__SETCAP, NULL);
2334 * (This comment used to live with the selinux_task_setuid hook,
2335 * which was removed).
2337 * Since setuid only affects the current process, and since the SELinux
2338 * controls are not based on the Linux identity attributes, SELinux does not
2339 * need to control this operation. However, SELinux does control the use of
2340 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2343 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2344 int cap, unsigned int opts)
2346 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2349 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2351 const struct cred *cred = current_cred();
2363 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2368 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2371 rc = 0; /* let the kernel handle invalid cmds */
2377 static int selinux_quota_on(struct dentry *dentry)
2379 const struct cred *cred = current_cred();
2381 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2384 static int selinux_syslog(int type)
2387 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2388 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2389 return avc_has_perm(&selinux_state,
2390 current_sid(), SECINITSID_KERNEL,
2391 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2392 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2393 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2394 /* Set level of messages printed to console */
2395 case SYSLOG_ACTION_CONSOLE_LEVEL:
2396 return avc_has_perm(&selinux_state,
2397 current_sid(), SECINITSID_KERNEL,
2398 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2401 /* All other syslog types */
2402 return avc_has_perm(&selinux_state,
2403 current_sid(), SECINITSID_KERNEL,
2404 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2408 * Check that a process has enough memory to allocate a new virtual
2409 * mapping. 0 means there is enough memory for the allocation to
2410 * succeed and -ENOMEM implies there is not.
2412 * Do not audit the selinux permission check, as this is applied to all
2413 * processes that allocate mappings.
2415 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2417 int rc, cap_sys_admin = 0;
2419 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2420 CAP_OPT_NOAUDIT, true);
2424 return cap_sys_admin;
2427 /* binprm security operations */
2429 static u32 ptrace_parent_sid(void)
2432 struct task_struct *tracer;
2435 tracer = ptrace_parent(current);
2437 sid = task_sid(tracer);
2443 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2444 const struct task_security_struct *old_tsec,
2445 const struct task_security_struct *new_tsec)
2447 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2448 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2452 if (!nnp && !nosuid)
2453 return 0; /* neither NNP nor nosuid */
2455 if (new_tsec->sid == old_tsec->sid)
2456 return 0; /* No change in credentials */
2459 * If the policy enables the nnp_nosuid_transition policy capability,
2460 * then we permit transitions under NNP or nosuid if the
2461 * policy allows the corresponding permission between
2462 * the old and new contexts.
2464 if (selinux_policycap_nnp_nosuid_transition()) {
2467 av |= PROCESS2__NNP_TRANSITION;
2469 av |= PROCESS2__NOSUID_TRANSITION;
2470 rc = avc_has_perm(&selinux_state,
2471 old_tsec->sid, new_tsec->sid,
2472 SECCLASS_PROCESS2, av, NULL);
2478 * We also permit NNP or nosuid transitions to bounded SIDs,
2479 * i.e. SIDs that are guaranteed to only be allowed a subset
2480 * of the permissions of the current SID.
2482 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2488 * On failure, preserve the errno values for NNP vs nosuid.
2489 * NNP: Operation not permitted for caller.
2490 * nosuid: Permission denied to file.
2497 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2499 const struct task_security_struct *old_tsec;
2500 struct task_security_struct *new_tsec;
2501 struct inode_security_struct *isec;
2502 struct common_audit_data ad;
2503 struct inode *inode = file_inode(bprm->file);
2506 /* SELinux context only depends on initial program or script and not
2507 * the script interpreter */
2508 if (bprm->called_set_creds)
2511 old_tsec = current_security();
2512 new_tsec = bprm->cred->security;
2513 isec = inode_security(inode);
2515 /* Default to the current task SID. */
2516 new_tsec->sid = old_tsec->sid;
2517 new_tsec->osid = old_tsec->sid;
2519 /* Reset fs, key, and sock SIDs on execve. */
2520 new_tsec->create_sid = 0;
2521 new_tsec->keycreate_sid = 0;
2522 new_tsec->sockcreate_sid = 0;
2524 if (old_tsec->exec_sid) {
2525 new_tsec->sid = old_tsec->exec_sid;
2526 /* Reset exec SID on execve. */
2527 new_tsec->exec_sid = 0;
2529 /* Fail on NNP or nosuid if not an allowed transition. */
2530 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2534 /* Check for a default transition on this program. */
2535 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2536 isec->sid, SECCLASS_PROCESS, NULL,
2542 * Fallback to old SID on NNP or nosuid if not an allowed
2545 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2547 new_tsec->sid = old_tsec->sid;
2550 ad.type = LSM_AUDIT_DATA_FILE;
2551 ad.u.file = bprm->file;
2553 if (new_tsec->sid == old_tsec->sid) {
2554 rc = avc_has_perm(&selinux_state,
2555 old_tsec->sid, isec->sid,
2556 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2560 /* Check permissions for the transition. */
2561 rc = avc_has_perm(&selinux_state,
2562 old_tsec->sid, new_tsec->sid,
2563 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2567 rc = avc_has_perm(&selinux_state,
2568 new_tsec->sid, isec->sid,
2569 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2573 /* Check for shared state */
2574 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2575 rc = avc_has_perm(&selinux_state,
2576 old_tsec->sid, new_tsec->sid,
2577 SECCLASS_PROCESS, PROCESS__SHARE,
2583 /* Make sure that anyone attempting to ptrace over a task that
2584 * changes its SID has the appropriate permit */
2585 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2586 u32 ptsid = ptrace_parent_sid();
2588 rc = avc_has_perm(&selinux_state,
2589 ptsid, new_tsec->sid,
2591 PROCESS__PTRACE, NULL);
2597 /* Clear any possibly unsafe personality bits on exec: */
2598 bprm->per_clear |= PER_CLEAR_ON_SETID;
2600 /* Enable secure mode for SIDs transitions unless
2601 the noatsecure permission is granted between
2602 the two SIDs, i.e. ahp returns 0. */
2603 rc = avc_has_perm(&selinux_state,
2604 old_tsec->sid, new_tsec->sid,
2605 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2607 bprm->secureexec |= !!rc;
2613 static int match_file(const void *p, struct file *file, unsigned fd)
2615 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2618 /* Derived from fs/exec.c:flush_old_files. */
2619 static inline void flush_unauthorized_files(const struct cred *cred,
2620 struct files_struct *files)
2622 struct file *file, *devnull = NULL;
2623 struct tty_struct *tty;
2627 tty = get_current_tty();
2629 spin_lock(&tty->files_lock);
2630 if (!list_empty(&tty->tty_files)) {
2631 struct tty_file_private *file_priv;
2633 /* Revalidate access to controlling tty.
2634 Use file_path_has_perm on the tty path directly
2635 rather than using file_has_perm, as this particular
2636 open file may belong to another process and we are
2637 only interested in the inode-based check here. */
2638 file_priv = list_first_entry(&tty->tty_files,
2639 struct tty_file_private, list);
2640 file = file_priv->file;
2641 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2644 spin_unlock(&tty->files_lock);
2647 /* Reset controlling tty. */
2651 /* Revalidate access to inherited open files. */
2652 n = iterate_fd(files, 0, match_file, cred);
2653 if (!n) /* none found? */
2656 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2657 if (IS_ERR(devnull))
2659 /* replace all the matching ones with this */
2661 replace_fd(n - 1, devnull, 0);
2662 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2668 * Prepare a process for imminent new credential changes due to exec
2670 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2672 struct task_security_struct *new_tsec;
2673 struct rlimit *rlim, *initrlim;
2676 new_tsec = bprm->cred->security;
2677 if (new_tsec->sid == new_tsec->osid)
2680 /* Close files for which the new task SID is not authorized. */
2681 flush_unauthorized_files(bprm->cred, current->files);
2683 /* Always clear parent death signal on SID transitions. */
2684 current->pdeath_signal = 0;
2686 /* Check whether the new SID can inherit resource limits from the old
2687 * SID. If not, reset all soft limits to the lower of the current
2688 * task's hard limit and the init task's soft limit.
2690 * Note that the setting of hard limits (even to lower them) can be
2691 * controlled by the setrlimit check. The inclusion of the init task's
2692 * soft limit into the computation is to avoid resetting soft limits
2693 * higher than the default soft limit for cases where the default is
2694 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2696 rc = avc_has_perm(&selinux_state,
2697 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2698 PROCESS__RLIMITINH, NULL);
2700 /* protect against do_prlimit() */
2702 for (i = 0; i < RLIM_NLIMITS; i++) {
2703 rlim = current->signal->rlim + i;
2704 initrlim = init_task.signal->rlim + i;
2705 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2707 task_unlock(current);
2708 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2709 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2714 * Clean up the process immediately after the installation of new credentials
2717 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2719 const struct task_security_struct *tsec = current_security();
2720 struct itimerval itimer;
2730 /* Check whether the new SID can inherit signal state from the old SID.
2731 * If not, clear itimers to avoid subsequent signal generation and
2732 * flush and unblock signals.
2734 * This must occur _after_ the task SID has been updated so that any
2735 * kill done after the flush will be checked against the new SID.
2737 rc = avc_has_perm(&selinux_state,
2738 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2740 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2741 memset(&itimer, 0, sizeof itimer);
2742 for (i = 0; i < 3; i++)
2743 do_setitimer(i, &itimer, NULL);
2745 spin_lock_irq(¤t->sighand->siglock);
2746 if (!fatal_signal_pending(current)) {
2747 flush_sigqueue(¤t->pending);
2748 flush_sigqueue(¤t->signal->shared_pending);
2749 flush_signal_handlers(current, 1);
2750 sigemptyset(¤t->blocked);
2751 recalc_sigpending();
2753 spin_unlock_irq(¤t->sighand->siglock);
2756 /* Wake up the parent if it is waiting so that it can recheck
2757 * wait permission to the new task SID. */
2758 read_lock(&tasklist_lock);
2759 __wake_up_parent(current, current->real_parent);
2760 read_unlock(&tasklist_lock);
2763 /* superblock security operations */
2765 static int selinux_sb_alloc_security(struct super_block *sb)
2767 return superblock_alloc_security(sb);
2770 static void selinux_sb_free_security(struct super_block *sb)
2772 superblock_free_security(sb);
2775 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2780 return !memcmp(prefix, option, plen);
2783 static inline int selinux_option(char *option, int len)
2785 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2786 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2787 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2788 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2789 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2792 static inline void take_option(char **to, char *from, int *first, int len)
2799 memcpy(*to, from, len);
2803 static inline void take_selinux_option(char **to, char *from, int *first,
2806 int current_size = 0;
2814 while (current_size < len) {
2824 static int selinux_sb_copy_data(char *orig, char *copy)
2826 int fnosec, fsec, rc = 0;
2827 char *in_save, *in_curr, *in_end;
2828 char *sec_curr, *nosec_save, *nosec;
2834 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2842 in_save = in_end = orig;
2846 open_quote = !open_quote;
2847 if ((*in_end == ',' && open_quote == 0) ||
2849 int len = in_end - in_curr;
2851 if (selinux_option(in_curr, len))
2852 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2854 take_option(&nosec, in_curr, &fnosec, len);
2856 in_curr = in_end + 1;
2858 } while (*in_end++);
2860 strcpy(in_save, nosec_save);
2861 free_page((unsigned long)nosec_save);
2866 static int selinux_sb_remount(struct super_block *sb, void *data)
2869 struct security_mnt_opts opts;
2870 char *secdata, **mount_options;
2871 struct superblock_security_struct *sbsec = sb->s_security;
2873 if (!(sbsec->flags & SE_SBINITIALIZED))
2879 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2882 security_init_mnt_opts(&opts);
2883 secdata = alloc_secdata();
2886 rc = selinux_sb_copy_data(data, secdata);
2888 goto out_free_secdata;
2890 rc = selinux_parse_opts_str(secdata, &opts);
2892 goto out_free_secdata;
2894 mount_options = opts.mnt_opts;
2895 flags = opts.mnt_opts_flags;
2897 for (i = 0; i < opts.num_mnt_opts; i++) {
2900 if (flags[i] == SBLABEL_MNT)
2902 rc = security_context_str_to_sid(&selinux_state,
2903 mount_options[i], &sid,
2906 pr_warn("SELinux: security_context_str_to_sid"
2907 "(%s) failed for (dev %s, type %s) errno=%d\n",
2908 mount_options[i], sb->s_id, sb->s_type->name, rc);
2914 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2915 goto out_bad_option;
2918 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2919 goto out_bad_option;
2921 case ROOTCONTEXT_MNT: {
2922 struct inode_security_struct *root_isec;
2923 root_isec = backing_inode_security(sb->s_root);
2925 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2926 goto out_bad_option;
2929 case DEFCONTEXT_MNT:
2930 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2931 goto out_bad_option;
2940 security_free_mnt_opts(&opts);
2942 free_secdata(secdata);
2945 pr_warn("SELinux: unable to change security options "
2946 "during remount (dev %s, type=%s)\n", sb->s_id,
2951 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2953 const struct cred *cred = current_cred();
2954 struct common_audit_data ad;
2957 rc = superblock_doinit(sb, data);
2961 /* Allow all mounts performed by the kernel */
2962 if (flags & (MS_KERNMOUNT | MS_SUBMOUNT))
2965 ad.type = LSM_AUDIT_DATA_DENTRY;
2966 ad.u.dentry = sb->s_root;
2967 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2970 static int selinux_sb_statfs(struct dentry *dentry)
2972 const struct cred *cred = current_cred();
2973 struct common_audit_data ad;
2975 ad.type = LSM_AUDIT_DATA_DENTRY;
2976 ad.u.dentry = dentry->d_sb->s_root;
2977 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2980 static int selinux_mount(const char *dev_name,
2981 const struct path *path,
2983 unsigned long flags,
2986 const struct cred *cred = current_cred();
2988 if (flags & MS_REMOUNT)
2989 return superblock_has_perm(cred, path->dentry->d_sb,
2990 FILESYSTEM__REMOUNT, NULL);
2992 return path_has_perm(cred, path, FILE__MOUNTON);
2995 static int selinux_umount(struct vfsmount *mnt, int flags)
2997 const struct cred *cred = current_cred();
2999 return superblock_has_perm(cred, mnt->mnt_sb,
3000 FILESYSTEM__UNMOUNT, NULL);
3003 /* inode security operations */
3005 static int selinux_inode_alloc_security(struct inode *inode)
3007 return inode_alloc_security(inode);
3010 static void selinux_inode_free_security(struct inode *inode)
3012 inode_free_security(inode);
3015 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
3016 const struct qstr *name, void **ctx,
3022 rc = selinux_determine_inode_label(current_security(),
3023 d_inode(dentry->d_parent), name,
3024 inode_mode_to_security_class(mode),
3029 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3033 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3035 const struct cred *old,
3040 struct task_security_struct *tsec;
3042 rc = selinux_determine_inode_label(old->security,
3043 d_inode(dentry->d_parent), name,
3044 inode_mode_to_security_class(mode),
3049 tsec = new->security;
3050 tsec->create_sid = newsid;
3054 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3055 const struct qstr *qstr,
3057 void **value, size_t *len)
3059 const struct task_security_struct *tsec = current_security();
3060 struct superblock_security_struct *sbsec;
3065 sbsec = dir->i_sb->s_security;
3067 newsid = tsec->create_sid;
3069 rc = selinux_determine_inode_label(current_security(),
3071 inode_mode_to_security_class(inode->i_mode),
3076 /* Possibly defer initialization to selinux_complete_init. */
3077 if (sbsec->flags & SE_SBINITIALIZED) {
3078 struct inode_security_struct *isec = inode->i_security;
3079 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3081 isec->initialized = LABEL_INITIALIZED;
3084 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3088 *name = XATTR_SELINUX_SUFFIX;
3091 rc = security_sid_to_context_force(&selinux_state, newsid,
3102 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3104 return may_create(dir, dentry, SECCLASS_FILE);
3107 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3109 return may_link(dir, old_dentry, MAY_LINK);
3112 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3114 return may_link(dir, dentry, MAY_UNLINK);
3117 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3119 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3122 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3124 return may_create(dir, dentry, SECCLASS_DIR);
3127 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3129 return may_link(dir, dentry, MAY_RMDIR);
3132 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3134 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3137 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3138 struct inode *new_inode, struct dentry *new_dentry)
3140 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3143 static int selinux_inode_readlink(struct dentry *dentry)
3145 const struct cred *cred = current_cred();
3147 return dentry_has_perm(cred, dentry, FILE__READ);
3150 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3153 const struct cred *cred = current_cred();
3154 struct common_audit_data ad;
3155 struct inode_security_struct *isec;
3158 validate_creds(cred);
3160 ad.type = LSM_AUDIT_DATA_DENTRY;
3161 ad.u.dentry = dentry;
3162 sid = cred_sid(cred);
3163 isec = inode_security_rcu(inode, rcu);
3165 return PTR_ERR(isec);
3167 return avc_has_perm_flags(&selinux_state,
3168 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3169 rcu ? MAY_NOT_BLOCK : 0);
3172 static noinline int audit_inode_permission(struct inode *inode,
3173 u32 perms, u32 audited, u32 denied,
3177 struct common_audit_data ad;
3178 struct inode_security_struct *isec = inode->i_security;
3181 ad.type = LSM_AUDIT_DATA_INODE;
3184 rc = slow_avc_audit(&selinux_state,
3185 current_sid(), isec->sid, isec->sclass, perms,
3186 audited, denied, result, &ad, flags);
3192 static int selinux_inode_permission(struct inode *inode, int mask)
3194 const struct cred *cred = current_cred();
3197 unsigned flags = mask & MAY_NOT_BLOCK;
3198 struct inode_security_struct *isec;
3200 struct av_decision avd;
3202 u32 audited, denied;
3204 from_access = mask & MAY_ACCESS;
3205 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3207 /* No permission to check. Existence test. */
3211 validate_creds(cred);
3213 if (unlikely(IS_PRIVATE(inode)))
3216 perms = file_mask_to_av(inode->i_mode, mask);
3218 sid = cred_sid(cred);
3219 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3221 return PTR_ERR(isec);
3223 rc = avc_has_perm_noaudit(&selinux_state,
3224 sid, isec->sid, isec->sclass, perms,
3225 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3227 audited = avc_audit_required(perms, &avd, rc,
3228 from_access ? FILE__AUDIT_ACCESS : 0,
3230 if (likely(!audited))
3233 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3239 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3241 const struct cred *cred = current_cred();
3242 struct inode *inode = d_backing_inode(dentry);
3243 unsigned int ia_valid = iattr->ia_valid;
3244 __u32 av = FILE__WRITE;
3246 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3247 if (ia_valid & ATTR_FORCE) {
3248 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3254 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3255 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3256 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3258 if (selinux_policycap_openperm() &&
3259 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3260 (ia_valid & ATTR_SIZE) &&
3261 !(ia_valid & ATTR_FILE))
3264 return dentry_has_perm(cred, dentry, av);
3267 static int selinux_inode_getattr(const struct path *path)
3269 return path_has_perm(current_cred(), path, FILE__GETATTR);
3272 static bool has_cap_mac_admin(bool audit)
3274 const struct cred *cred = current_cred();
3275 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3277 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3279 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3284 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3285 const void *value, size_t size, int flags)
3287 struct inode *inode = d_backing_inode(dentry);
3288 struct inode_security_struct *isec;
3289 struct superblock_security_struct *sbsec;
3290 struct common_audit_data ad;
3291 u32 newsid, sid = current_sid();
3294 if (strcmp(name, XATTR_NAME_SELINUX)) {
3295 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3299 /* Not an attribute we recognize, so just check the
3300 ordinary setattr permission. */
3301 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3304 sbsec = inode->i_sb->s_security;
3305 if (!(sbsec->flags & SBLABEL_MNT))
3308 if (!inode_owner_or_capable(inode))
3311 ad.type = LSM_AUDIT_DATA_DENTRY;
3312 ad.u.dentry = dentry;
3314 isec = backing_inode_security(dentry);
3315 rc = avc_has_perm(&selinux_state,
3316 sid, isec->sid, isec->sclass,
3317 FILE__RELABELFROM, &ad);
3321 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3323 if (rc == -EINVAL) {
3324 if (!has_cap_mac_admin(true)) {
3325 struct audit_buffer *ab;
3328 /* We strip a nul only if it is at the end, otherwise the
3329 * context contains a nul and we should audit that */
3331 const char *str = value;
3333 if (str[size - 1] == '\0')
3334 audit_size = size - 1;
3340 ab = audit_log_start(audit_context(),
3341 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3342 audit_log_format(ab, "op=setxattr invalid_context=");
3343 audit_log_n_untrustedstring(ab, value, audit_size);
3348 rc = security_context_to_sid_force(&selinux_state, value,
3354 rc = avc_has_perm(&selinux_state,
3355 sid, newsid, isec->sclass,
3356 FILE__RELABELTO, &ad);
3360 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3365 return avc_has_perm(&selinux_state,
3368 SECCLASS_FILESYSTEM,
3369 FILESYSTEM__ASSOCIATE,
3373 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3374 const void *value, size_t size,
3377 struct inode *inode = d_backing_inode(dentry);
3378 struct inode_security_struct *isec;
3382 if (strcmp(name, XATTR_NAME_SELINUX)) {
3383 /* Not an attribute we recognize, so nothing to do. */
3387 rc = security_context_to_sid_force(&selinux_state, value, size,
3390 pr_err("SELinux: unable to map context to SID"
3391 "for (%s, %lu), rc=%d\n",
3392 inode->i_sb->s_id, inode->i_ino, -rc);
3396 isec = backing_inode_security(dentry);
3397 spin_lock(&isec->lock);
3398 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3400 isec->initialized = LABEL_INITIALIZED;
3401 spin_unlock(&isec->lock);
3406 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3408 const struct cred *cred = current_cred();
3410 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3413 static int selinux_inode_listxattr(struct dentry *dentry)
3415 const struct cred *cred = current_cred();
3417 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3420 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3422 if (strcmp(name, XATTR_NAME_SELINUX)) {
3423 int rc = cap_inode_removexattr(dentry, name);
3427 /* Not an attribute we recognize, so just check the
3428 ordinary setattr permission. */
3429 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3432 /* No one is allowed to remove a SELinux security label.
3433 You can change the label, but all data must be labeled. */
3438 * Copy the inode security context value to the user.
3440 * Permission check is handled by selinux_inode_getxattr hook.
3442 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3446 char *context = NULL;
3447 struct inode_security_struct *isec;
3449 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3453 * If the caller has CAP_MAC_ADMIN, then get the raw context
3454 * value even if it is not defined by current policy; otherwise,
3455 * use the in-core value under current policy.
3456 * Use the non-auditing forms of the permission checks since
3457 * getxattr may be called by unprivileged processes commonly
3458 * and lack of permission just means that we fall back to the
3459 * in-core context value, not a denial.
3461 isec = inode_security(inode);
3462 if (has_cap_mac_admin(false))
3463 error = security_sid_to_context_force(&selinux_state,
3464 isec->sid, &context,
3467 error = security_sid_to_context(&selinux_state, isec->sid,
3481 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3482 const void *value, size_t size, int flags)
3484 struct inode_security_struct *isec = inode_security_novalidate(inode);
3485 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3489 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3492 if (!(sbsec->flags & SBLABEL_MNT))
3495 if (!value || !size)
3498 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3503 spin_lock(&isec->lock);
3504 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3506 isec->initialized = LABEL_INITIALIZED;
3507 spin_unlock(&isec->lock);
3511 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3513 const int len = sizeof(XATTR_NAME_SELINUX);
3514 if (buffer && len <= buffer_size)
3515 memcpy(buffer, XATTR_NAME_SELINUX, len);
3519 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3521 struct inode_security_struct *isec = inode_security_novalidate(inode);
3525 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3528 struct task_security_struct *tsec;
3529 struct cred *new_creds = *new;
3531 if (new_creds == NULL) {
3532 new_creds = prepare_creds();
3537 tsec = new_creds->security;
3538 /* Get label from overlay inode and set it in create_sid */
3539 selinux_inode_getsecid(d_inode(src), &sid);
3540 tsec->create_sid = sid;
3545 static int selinux_inode_copy_up_xattr(const char *name)
3547 /* The copy_up hook above sets the initial context on an inode, but we
3548 * don't then want to overwrite it by blindly copying all the lower
3549 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3551 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3552 return 1; /* Discard */
3554 * Any other attribute apart from SELINUX is not claimed, supported
3560 /* file security operations */
3562 static int selinux_revalidate_file_permission(struct file *file, int mask)
3564 const struct cred *cred = current_cred();
3565 struct inode *inode = file_inode(file);
3567 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3568 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3571 return file_has_perm(cred, file,
3572 file_mask_to_av(inode->i_mode, mask));
3575 static int selinux_file_permission(struct file *file, int mask)
3577 struct inode *inode = file_inode(file);
3578 struct file_security_struct *fsec = file->f_security;
3579 struct inode_security_struct *isec;
3580 u32 sid = current_sid();
3583 /* No permission to check. Existence test. */
3586 isec = inode_security(inode);
3587 if (sid == fsec->sid && fsec->isid == isec->sid &&
3588 fsec->pseqno == avc_policy_seqno(&selinux_state))
3589 /* No change since file_open check. */
3592 return selinux_revalidate_file_permission(file, mask);
3595 static int selinux_file_alloc_security(struct file *file)
3597 return file_alloc_security(file);
3600 static void selinux_file_free_security(struct file *file)
3602 file_free_security(file);
3606 * Check whether a task has the ioctl permission and cmd
3607 * operation to an inode.
3609 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3610 u32 requested, u16 cmd)
3612 struct common_audit_data ad;
3613 struct file_security_struct *fsec = file->f_security;
3614 struct inode *inode = file_inode(file);
3615 struct inode_security_struct *isec;
3616 struct lsm_ioctlop_audit ioctl;
3617 u32 ssid = cred_sid(cred);
3619 u8 driver = cmd >> 8;
3620 u8 xperm = cmd & 0xff;
3622 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3625 ad.u.op->path = file->f_path;
3627 if (ssid != fsec->sid) {
3628 rc = avc_has_perm(&selinux_state,
3637 if (unlikely(IS_PRIVATE(inode)))
3640 isec = inode_security(inode);
3641 rc = avc_has_extended_perms(&selinux_state,
3642 ssid, isec->sid, isec->sclass,
3643 requested, driver, xperm, &ad);
3648 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3651 const struct cred *cred = current_cred();
3661 case FS_IOC_GETFLAGS:
3663 case FS_IOC_GETVERSION:
3664 error = file_has_perm(cred, file, FILE__GETATTR);
3667 case FS_IOC_SETFLAGS:
3669 case FS_IOC_SETVERSION:
3670 error = file_has_perm(cred, file, FILE__SETATTR);
3673 /* sys_ioctl() checks */
3677 error = file_has_perm(cred, file, 0);
3682 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3683 CAP_OPT_NONE, true);
3686 /* default case assumes that the command will go
3687 * to the file's ioctl() function.
3690 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3695 static int default_noexec;
3697 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3699 const struct cred *cred = current_cred();
3700 u32 sid = cred_sid(cred);
3703 if (default_noexec &&
3704 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3705 (!shared && (prot & PROT_WRITE)))) {
3707 * We are making executable an anonymous mapping or a
3708 * private file mapping that will also be writable.
3709 * This has an additional check.
3711 rc = avc_has_perm(&selinux_state,
3712 sid, sid, SECCLASS_PROCESS,
3713 PROCESS__EXECMEM, NULL);
3719 /* read access is always possible with a mapping */
3720 u32 av = FILE__READ;
3722 /* write access only matters if the mapping is shared */
3723 if (shared && (prot & PROT_WRITE))
3726 if (prot & PROT_EXEC)
3727 av |= FILE__EXECUTE;
3729 return file_has_perm(cred, file, av);
3736 static int selinux_mmap_addr(unsigned long addr)
3740 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3741 u32 sid = current_sid();
3742 rc = avc_has_perm(&selinux_state,
3743 sid, sid, SECCLASS_MEMPROTECT,
3744 MEMPROTECT__MMAP_ZERO, NULL);
3750 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3751 unsigned long prot, unsigned long flags)
3753 struct common_audit_data ad;
3757 ad.type = LSM_AUDIT_DATA_FILE;
3759 rc = inode_has_perm(current_cred(), file_inode(file),
3765 if (selinux_state.checkreqprot)
3768 return file_map_prot_check(file, prot,
3769 (flags & MAP_TYPE) == MAP_SHARED);
3772 static int selinux_file_mprotect(struct vm_area_struct *vma,
3773 unsigned long reqprot,
3776 const struct cred *cred = current_cred();
3777 u32 sid = cred_sid(cred);
3779 if (selinux_state.checkreqprot)
3782 if (default_noexec &&
3783 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3785 if (vma->vm_start >= vma->vm_mm->start_brk &&
3786 vma->vm_end <= vma->vm_mm->brk) {
3787 rc = avc_has_perm(&selinux_state,
3788 sid, sid, SECCLASS_PROCESS,
3789 PROCESS__EXECHEAP, NULL);
3790 } else if (!vma->vm_file &&
3791 ((vma->vm_start <= vma->vm_mm->start_stack &&
3792 vma->vm_end >= vma->vm_mm->start_stack) ||
3793 vma_is_stack_for_current(vma))) {
3794 rc = avc_has_perm(&selinux_state,
3795 sid, sid, SECCLASS_PROCESS,
3796 PROCESS__EXECSTACK, NULL);
3797 } else if (vma->vm_file && vma->anon_vma) {
3799 * We are making executable a file mapping that has
3800 * had some COW done. Since pages might have been
3801 * written, check ability to execute the possibly
3802 * modified content. This typically should only
3803 * occur for text relocations.
3805 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3811 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3814 static int selinux_file_lock(struct file *file, unsigned int cmd)
3816 const struct cred *cred = current_cred();
3818 return file_has_perm(cred, file, FILE__LOCK);
3821 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3824 const struct cred *cred = current_cred();
3829 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3830 err = file_has_perm(cred, file, FILE__WRITE);
3839 case F_GETOWNER_UIDS:
3840 /* Just check FD__USE permission */
3841 err = file_has_perm(cred, file, 0);
3849 #if BITS_PER_LONG == 32
3854 err = file_has_perm(cred, file, FILE__LOCK);
3861 static void selinux_file_set_fowner(struct file *file)
3863 struct file_security_struct *fsec;
3865 fsec = file->f_security;
3866 fsec->fown_sid = current_sid();
3869 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3870 struct fown_struct *fown, int signum)
3873 u32 sid = task_sid(tsk);
3875 struct file_security_struct *fsec;
3877 /* struct fown_struct is never outside the context of a struct file */
3878 file = container_of(fown, struct file, f_owner);
3880 fsec = file->f_security;
3883 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3885 perm = signal_to_av(signum);
3887 return avc_has_perm(&selinux_state,
3888 fsec->fown_sid, sid,
3889 SECCLASS_PROCESS, perm, NULL);
3892 static int selinux_file_receive(struct file *file)
3894 const struct cred *cred = current_cred();
3896 return file_has_perm(cred, file, file_to_av(file));
3899 static int selinux_file_open(struct file *file)
3901 struct file_security_struct *fsec;
3902 struct inode_security_struct *isec;
3904 fsec = file->f_security;
3905 isec = inode_security(file_inode(file));
3907 * Save inode label and policy sequence number
3908 * at open-time so that selinux_file_permission
3909 * can determine whether revalidation is necessary.
3910 * Task label is already saved in the file security
3911 * struct as its SID.
3913 fsec->isid = isec->sid;
3914 fsec->pseqno = avc_policy_seqno(&selinux_state);
3916 * Since the inode label or policy seqno may have changed
3917 * between the selinux_inode_permission check and the saving
3918 * of state above, recheck that access is still permitted.
3919 * Otherwise, access might never be revalidated against the
3920 * new inode label or new policy.
3921 * This check is not redundant - do not remove.
3923 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3926 /* task security operations */
3928 static int selinux_task_alloc(struct task_struct *task,
3929 unsigned long clone_flags)
3931 u32 sid = current_sid();
3933 return avc_has_perm(&selinux_state,
3934 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3938 * allocate the SELinux part of blank credentials
3940 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3942 struct task_security_struct *tsec;
3944 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3948 cred->security = tsec;
3953 * detach and free the LSM part of a set of credentials
3955 static void selinux_cred_free(struct cred *cred)
3957 struct task_security_struct *tsec = cred->security;
3960 * cred->security == NULL if security_cred_alloc_blank() or
3961 * security_prepare_creds() returned an error.
3963 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3964 cred->security = (void *) 0x7UL;
3969 * prepare a new set of credentials for modification
3971 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3974 const struct task_security_struct *old_tsec;
3975 struct task_security_struct *tsec;
3977 old_tsec = old->security;
3979 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3983 new->security = tsec;
3988 * transfer the SELinux data to a blank set of creds
3990 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3992 const struct task_security_struct *old_tsec = old->security;
3993 struct task_security_struct *tsec = new->security;
3998 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4000 *secid = cred_sid(c);
4004 * set the security data for a kernel service
4005 * - all the creation contexts are set to unlabelled
4007 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4009 struct task_security_struct *tsec = new->security;
4010 u32 sid = current_sid();
4013 ret = avc_has_perm(&selinux_state,
4015 SECCLASS_KERNEL_SERVICE,
4016 KERNEL_SERVICE__USE_AS_OVERRIDE,
4020 tsec->create_sid = 0;
4021 tsec->keycreate_sid = 0;
4022 tsec->sockcreate_sid = 0;
4028 * set the file creation context in a security record to the same as the
4029 * objective context of the specified inode
4031 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4033 struct inode_security_struct *isec = inode_security(inode);
4034 struct task_security_struct *tsec = new->security;
4035 u32 sid = current_sid();
4038 ret = avc_has_perm(&selinux_state,
4040 SECCLASS_KERNEL_SERVICE,
4041 KERNEL_SERVICE__CREATE_FILES_AS,
4045 tsec->create_sid = isec->sid;
4049 static int selinux_kernel_module_request(char *kmod_name)
4051 struct common_audit_data ad;
4053 ad.type = LSM_AUDIT_DATA_KMOD;
4054 ad.u.kmod_name = kmod_name;
4056 return avc_has_perm(&selinux_state,
4057 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4058 SYSTEM__MODULE_REQUEST, &ad);
4061 static int selinux_kernel_module_from_file(struct file *file)
4063 struct common_audit_data ad;
4064 struct inode_security_struct *isec;
4065 struct file_security_struct *fsec;
4066 u32 sid = current_sid();
4071 return avc_has_perm(&selinux_state,
4072 sid, sid, SECCLASS_SYSTEM,
4073 SYSTEM__MODULE_LOAD, NULL);
4077 ad.type = LSM_AUDIT_DATA_FILE;
4080 fsec = file->f_security;
4081 if (sid != fsec->sid) {
4082 rc = avc_has_perm(&selinux_state,
4083 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4088 isec = inode_security(file_inode(file));
4089 return avc_has_perm(&selinux_state,
4090 sid, isec->sid, SECCLASS_SYSTEM,
4091 SYSTEM__MODULE_LOAD, &ad);
4094 static int selinux_kernel_read_file(struct file *file,
4095 enum kernel_read_file_id id)
4100 case READING_MODULE:
4101 rc = selinux_kernel_module_from_file(file);
4110 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4115 case LOADING_MODULE:
4116 rc = selinux_kernel_module_from_file(NULL);
4124 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4126 return avc_has_perm(&selinux_state,
4127 current_sid(), task_sid(p), SECCLASS_PROCESS,
4128 PROCESS__SETPGID, NULL);
4131 static int selinux_task_getpgid(struct task_struct *p)
4133 return avc_has_perm(&selinux_state,
4134 current_sid(), task_sid(p), SECCLASS_PROCESS,
4135 PROCESS__GETPGID, NULL);
4138 static int selinux_task_getsid(struct task_struct *p)
4140 return avc_has_perm(&selinux_state,
4141 current_sid(), task_sid(p), SECCLASS_PROCESS,
4142 PROCESS__GETSESSION, NULL);
4145 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4147 *secid = task_sid(p);
4150 static int selinux_task_setnice(struct task_struct *p, int nice)
4152 return avc_has_perm(&selinux_state,
4153 current_sid(), task_sid(p), SECCLASS_PROCESS,
4154 PROCESS__SETSCHED, NULL);
4157 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4159 return avc_has_perm(&selinux_state,
4160 current_sid(), task_sid(p), SECCLASS_PROCESS,
4161 PROCESS__SETSCHED, NULL);
4164 static int selinux_task_getioprio(struct task_struct *p)
4166 return avc_has_perm(&selinux_state,
4167 current_sid(), task_sid(p), SECCLASS_PROCESS,
4168 PROCESS__GETSCHED, NULL);
4171 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4178 if (flags & LSM_PRLIMIT_WRITE)
4179 av |= PROCESS__SETRLIMIT;
4180 if (flags & LSM_PRLIMIT_READ)
4181 av |= PROCESS__GETRLIMIT;
4182 return avc_has_perm(&selinux_state,
4183 cred_sid(cred), cred_sid(tcred),
4184 SECCLASS_PROCESS, av, NULL);
4187 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4188 struct rlimit *new_rlim)
4190 struct rlimit *old_rlim = p->signal->rlim + resource;
4192 /* Control the ability to change the hard limit (whether
4193 lowering or raising it), so that the hard limit can
4194 later be used as a safe reset point for the soft limit
4195 upon context transitions. See selinux_bprm_committing_creds. */
4196 if (old_rlim->rlim_max != new_rlim->rlim_max)
4197 return avc_has_perm(&selinux_state,
4198 current_sid(), task_sid(p),
4199 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4204 static int selinux_task_setscheduler(struct task_struct *p)
4206 return avc_has_perm(&selinux_state,
4207 current_sid(), task_sid(p), SECCLASS_PROCESS,
4208 PROCESS__SETSCHED, NULL);
4211 static int selinux_task_getscheduler(struct task_struct *p)
4213 return avc_has_perm(&selinux_state,
4214 current_sid(), task_sid(p), SECCLASS_PROCESS,
4215 PROCESS__GETSCHED, NULL);
4218 static int selinux_task_movememory(struct task_struct *p)
4220 return avc_has_perm(&selinux_state,
4221 current_sid(), task_sid(p), SECCLASS_PROCESS,
4222 PROCESS__SETSCHED, NULL);
4225 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4226 int sig, const struct cred *cred)
4232 perm = PROCESS__SIGNULL; /* null signal; existence test */
4234 perm = signal_to_av(sig);
4236 secid = current_sid();
4238 secid = cred_sid(cred);
4239 return avc_has_perm(&selinux_state,
4240 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4243 static void selinux_task_to_inode(struct task_struct *p,
4244 struct inode *inode)
4246 struct inode_security_struct *isec = inode->i_security;
4247 u32 sid = task_sid(p);
4249 spin_lock(&isec->lock);
4250 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4252 isec->initialized = LABEL_INITIALIZED;
4253 spin_unlock(&isec->lock);
4256 /* Returns error only if unable to parse addresses */
4257 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4258 struct common_audit_data *ad, u8 *proto)
4260 int offset, ihlen, ret = -EINVAL;
4261 struct iphdr _iph, *ih;
4263 offset = skb_network_offset(skb);
4264 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4268 ihlen = ih->ihl * 4;
4269 if (ihlen < sizeof(_iph))
4272 ad->u.net->v4info.saddr = ih->saddr;
4273 ad->u.net->v4info.daddr = ih->daddr;
4277 *proto = ih->protocol;
4279 switch (ih->protocol) {
4281 struct tcphdr _tcph, *th;
4283 if (ntohs(ih->frag_off) & IP_OFFSET)
4287 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4291 ad->u.net->sport = th->source;
4292 ad->u.net->dport = th->dest;
4297 struct udphdr _udph, *uh;
4299 if (ntohs(ih->frag_off) & IP_OFFSET)
4303 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4307 ad->u.net->sport = uh->source;
4308 ad->u.net->dport = uh->dest;
4312 case IPPROTO_DCCP: {
4313 struct dccp_hdr _dccph, *dh;
4315 if (ntohs(ih->frag_off) & IP_OFFSET)
4319 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4323 ad->u.net->sport = dh->dccph_sport;
4324 ad->u.net->dport = dh->dccph_dport;
4328 #if IS_ENABLED(CONFIG_IP_SCTP)
4329 case IPPROTO_SCTP: {
4330 struct sctphdr _sctph, *sh;
4332 if (ntohs(ih->frag_off) & IP_OFFSET)
4336 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4340 ad->u.net->sport = sh->source;
4341 ad->u.net->dport = sh->dest;
4352 #if IS_ENABLED(CONFIG_IPV6)
4354 /* Returns error only if unable to parse addresses */
4355 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4356 struct common_audit_data *ad, u8 *proto)
4359 int ret = -EINVAL, offset;
4360 struct ipv6hdr _ipv6h, *ip6;
4363 offset = skb_network_offset(skb);
4364 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4368 ad->u.net->v6info.saddr = ip6->saddr;
4369 ad->u.net->v6info.daddr = ip6->daddr;
4372 nexthdr = ip6->nexthdr;
4373 offset += sizeof(_ipv6h);
4374 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4383 struct tcphdr _tcph, *th;
4385 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4389 ad->u.net->sport = th->source;
4390 ad->u.net->dport = th->dest;
4395 struct udphdr _udph, *uh;
4397 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4401 ad->u.net->sport = uh->source;
4402 ad->u.net->dport = uh->dest;
4406 case IPPROTO_DCCP: {
4407 struct dccp_hdr _dccph, *dh;
4409 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4413 ad->u.net->sport = dh->dccph_sport;
4414 ad->u.net->dport = dh->dccph_dport;
4418 #if IS_ENABLED(CONFIG_IP_SCTP)
4419 case IPPROTO_SCTP: {
4420 struct sctphdr _sctph, *sh;
4422 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4426 ad->u.net->sport = sh->source;
4427 ad->u.net->dport = sh->dest;
4431 /* includes fragments */
4441 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4442 char **_addrp, int src, u8 *proto)
4447 switch (ad->u.net->family) {
4449 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4452 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4453 &ad->u.net->v4info.daddr);
4456 #if IS_ENABLED(CONFIG_IPV6)
4458 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4461 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4462 &ad->u.net->v6info.daddr);
4472 "SELinux: failure in selinux_parse_skb(),"
4473 " unable to parse packet\n");
4483 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4485 * @family: protocol family
4486 * @sid: the packet's peer label SID
4489 * Check the various different forms of network peer labeling and determine
4490 * the peer label/SID for the packet; most of the magic actually occurs in
4491 * the security server function security_net_peersid_cmp(). The function
4492 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4493 * or -EACCES if @sid is invalid due to inconsistencies with the different
4497 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4504 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4507 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4511 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4512 nlbl_type, xfrm_sid, sid);
4513 if (unlikely(err)) {
4515 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4516 " unable to determine packet's peer label\n");
4524 * selinux_conn_sid - Determine the child socket label for a connection
4525 * @sk_sid: the parent socket's SID
4526 * @skb_sid: the packet's SID
4527 * @conn_sid: the resulting connection SID
4529 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4530 * combined with the MLS information from @skb_sid in order to create
4531 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4532 * of @sk_sid. Returns zero on success, negative values on failure.
4535 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4539 if (skb_sid != SECSID_NULL)
4540 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4548 /* socket security operations */
4550 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4551 u16 secclass, u32 *socksid)
4553 if (tsec->sockcreate_sid > SECSID_NULL) {
4554 *socksid = tsec->sockcreate_sid;
4558 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4559 secclass, NULL, socksid);
4562 static int sock_has_perm(struct sock *sk, u32 perms)
4564 struct sk_security_struct *sksec = sk->sk_security;
4565 struct common_audit_data ad;
4566 struct lsm_network_audit net = {0,};
4568 if (sksec->sid == SECINITSID_KERNEL)
4571 ad.type = LSM_AUDIT_DATA_NET;
4575 return avc_has_perm(&selinux_state,
4576 current_sid(), sksec->sid, sksec->sclass, perms,
4580 static int selinux_socket_create(int family, int type,
4581 int protocol, int kern)
4583 const struct task_security_struct *tsec = current_security();
4591 secclass = socket_type_to_security_class(family, type, protocol);
4592 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4596 return avc_has_perm(&selinux_state,
4597 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4600 static int selinux_socket_post_create(struct socket *sock, int family,
4601 int type, int protocol, int kern)
4603 const struct task_security_struct *tsec = current_security();
4604 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4605 struct sk_security_struct *sksec;
4606 u16 sclass = socket_type_to_security_class(family, type, protocol);
4607 u32 sid = SECINITSID_KERNEL;
4611 err = socket_sockcreate_sid(tsec, sclass, &sid);
4616 isec->sclass = sclass;
4618 isec->initialized = LABEL_INITIALIZED;
4621 sksec = sock->sk->sk_security;
4622 sksec->sclass = sclass;
4624 /* Allows detection of the first association on this socket */
4625 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4626 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4628 err = selinux_netlbl_socket_post_create(sock->sk, family);
4634 static int selinux_socket_socketpair(struct socket *socka,
4635 struct socket *sockb)
4637 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4638 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4640 sksec_a->peer_sid = sksec_b->sid;
4641 sksec_b->peer_sid = sksec_a->sid;
4646 /* Range of port numbers used to automatically bind.
4647 Need to determine whether we should perform a name_bind
4648 permission check between the socket and the port number. */
4650 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4652 struct sock *sk = sock->sk;
4653 struct sk_security_struct *sksec = sk->sk_security;
4657 err = sock_has_perm(sk, SOCKET__BIND);
4661 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4662 family = sk->sk_family;
4663 if (family == PF_INET || family == PF_INET6) {
4665 struct common_audit_data ad;
4666 struct lsm_network_audit net = {0,};
4667 struct sockaddr_in *addr4 = NULL;
4668 struct sockaddr_in6 *addr6 = NULL;
4669 u16 family_sa = address->sa_family;
4670 unsigned short snum;
4674 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4675 * that validates multiple binding addresses. Because of this
4676 * need to check address->sa_family as it is possible to have
4677 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4679 switch (family_sa) {
4682 if (addrlen < sizeof(struct sockaddr_in))
4684 addr4 = (struct sockaddr_in *)address;
4685 if (family_sa == AF_UNSPEC) {
4686 /* see __inet_bind(), we only want to allow
4687 * AF_UNSPEC if the address is INADDR_ANY
4689 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4691 family_sa = AF_INET;
4693 snum = ntohs(addr4->sin_port);
4694 addrp = (char *)&addr4->sin_addr.s_addr;
4697 if (addrlen < SIN6_LEN_RFC2133)
4699 addr6 = (struct sockaddr_in6 *)address;
4700 snum = ntohs(addr6->sin6_port);
4701 addrp = (char *)&addr6->sin6_addr.s6_addr;
4707 ad.type = LSM_AUDIT_DATA_NET;
4709 ad.u.net->sport = htons(snum);
4710 ad.u.net->family = family_sa;
4715 inet_get_local_port_range(sock_net(sk), &low, &high);
4717 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4719 err = sel_netport_sid(sk->sk_protocol,
4723 err = avc_has_perm(&selinux_state,
4726 SOCKET__NAME_BIND, &ad);
4732 switch (sksec->sclass) {
4733 case SECCLASS_TCP_SOCKET:
4734 node_perm = TCP_SOCKET__NODE_BIND;
4737 case SECCLASS_UDP_SOCKET:
4738 node_perm = UDP_SOCKET__NODE_BIND;
4741 case SECCLASS_DCCP_SOCKET:
4742 node_perm = DCCP_SOCKET__NODE_BIND;
4745 case SECCLASS_SCTP_SOCKET:
4746 node_perm = SCTP_SOCKET__NODE_BIND;
4750 node_perm = RAWIP_SOCKET__NODE_BIND;
4754 err = sel_netnode_sid(addrp, family_sa, &sid);
4758 if (family_sa == AF_INET)
4759 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4761 ad.u.net->v6info.saddr = addr6->sin6_addr;
4763 err = avc_has_perm(&selinux_state,
4765 sksec->sclass, node_perm, &ad);
4772 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4773 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4775 return -EAFNOSUPPORT;
4778 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4779 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
4781 static int selinux_socket_connect_helper(struct socket *sock,
4782 struct sockaddr *address, int addrlen)
4784 struct sock *sk = sock->sk;
4785 struct sk_security_struct *sksec = sk->sk_security;
4788 err = sock_has_perm(sk, SOCKET__CONNECT);
4793 * If a TCP, DCCP or SCTP socket, check name_connect permission
4796 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4797 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4798 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4799 struct common_audit_data ad;
4800 struct lsm_network_audit net = {0,};
4801 struct sockaddr_in *addr4 = NULL;
4802 struct sockaddr_in6 *addr6 = NULL;
4803 unsigned short snum = 0;
4806 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4807 * that validates multiple connect addresses. Because of this
4808 * need to check address->sa_family as it is possible to have
4809 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4811 switch (address->sa_family) {
4813 addr4 = (struct sockaddr_in *)address;
4814 if (addrlen < sizeof(struct sockaddr_in))
4816 snum = ntohs(addr4->sin_port);
4819 addr6 = (struct sockaddr_in6 *)address;
4820 if (addrlen < SIN6_LEN_RFC2133)
4822 snum = ntohs(addr6->sin6_port);
4825 /* Note that SCTP services expect -EINVAL, whereas
4826 * others must handle this at the protocol level:
4827 * connect(AF_UNSPEC) on a connected socket is
4828 * a documented way disconnect the socket.
4830 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4834 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4838 switch (sksec->sclass) {
4839 case SECCLASS_TCP_SOCKET:
4840 perm = TCP_SOCKET__NAME_CONNECT;
4842 case SECCLASS_DCCP_SOCKET:
4843 perm = DCCP_SOCKET__NAME_CONNECT;
4845 case SECCLASS_SCTP_SOCKET:
4846 perm = SCTP_SOCKET__NAME_CONNECT;
4850 ad.type = LSM_AUDIT_DATA_NET;
4852 ad.u.net->dport = htons(snum);
4853 ad.u.net->family = address->sa_family;
4854 err = avc_has_perm(&selinux_state,
4855 sksec->sid, sid, sksec->sclass, perm, &ad);
4863 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4864 static int selinux_socket_connect(struct socket *sock,
4865 struct sockaddr *address, int addrlen)
4868 struct sock *sk = sock->sk;
4870 err = selinux_socket_connect_helper(sock, address, addrlen);
4874 return selinux_netlbl_socket_connect(sk, address);
4877 static int selinux_socket_listen(struct socket *sock, int backlog)
4879 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4882 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4885 struct inode_security_struct *isec;
4886 struct inode_security_struct *newisec;
4890 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4894 isec = inode_security_novalidate(SOCK_INODE(sock));
4895 spin_lock(&isec->lock);
4896 sclass = isec->sclass;
4898 spin_unlock(&isec->lock);
4900 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4901 newisec->sclass = sclass;
4903 newisec->initialized = LABEL_INITIALIZED;
4908 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4911 return sock_has_perm(sock->sk, SOCKET__WRITE);
4914 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4915 int size, int flags)
4917 return sock_has_perm(sock->sk, SOCKET__READ);
4920 static int selinux_socket_getsockname(struct socket *sock)
4922 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4925 static int selinux_socket_getpeername(struct socket *sock)
4927 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4930 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4934 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4938 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4941 static int selinux_socket_getsockopt(struct socket *sock, int level,
4944 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4947 static int selinux_socket_shutdown(struct socket *sock, int how)
4949 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4952 static int selinux_socket_unix_stream_connect(struct sock *sock,
4956 struct sk_security_struct *sksec_sock = sock->sk_security;
4957 struct sk_security_struct *sksec_other = other->sk_security;
4958 struct sk_security_struct *sksec_new = newsk->sk_security;
4959 struct common_audit_data ad;
4960 struct lsm_network_audit net = {0,};
4963 ad.type = LSM_AUDIT_DATA_NET;
4965 ad.u.net->sk = other;
4967 err = avc_has_perm(&selinux_state,
4968 sksec_sock->sid, sksec_other->sid,
4969 sksec_other->sclass,
4970 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4974 /* server child socket */
4975 sksec_new->peer_sid = sksec_sock->sid;
4976 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4977 sksec_sock->sid, &sksec_new->sid);
4981 /* connecting socket */
4982 sksec_sock->peer_sid = sksec_new->sid;
4987 static int selinux_socket_unix_may_send(struct socket *sock,
4988 struct socket *other)
4990 struct sk_security_struct *ssec = sock->sk->sk_security;
4991 struct sk_security_struct *osec = other->sk->sk_security;
4992 struct common_audit_data ad;
4993 struct lsm_network_audit net = {0,};
4995 ad.type = LSM_AUDIT_DATA_NET;
4997 ad.u.net->sk = other->sk;
4999 return avc_has_perm(&selinux_state,
5000 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5004 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5005 char *addrp, u16 family, u32 peer_sid,
5006 struct common_audit_data *ad)
5012 err = sel_netif_sid(ns, ifindex, &if_sid);
5015 err = avc_has_perm(&selinux_state,
5017 SECCLASS_NETIF, NETIF__INGRESS, ad);
5021 err = sel_netnode_sid(addrp, family, &node_sid);
5024 return avc_has_perm(&selinux_state,
5026 SECCLASS_NODE, NODE__RECVFROM, ad);
5029 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5033 struct sk_security_struct *sksec = sk->sk_security;
5034 u32 sk_sid = sksec->sid;
5035 struct common_audit_data ad;
5036 struct lsm_network_audit net = {0,};
5039 ad.type = LSM_AUDIT_DATA_NET;
5041 ad.u.net->netif = skb->skb_iif;
5042 ad.u.net->family = family;
5043 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5047 if (selinux_secmark_enabled()) {
5048 err = avc_has_perm(&selinux_state,
5049 sk_sid, skb->secmark, SECCLASS_PACKET,
5055 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5058 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5063 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5066 struct sk_security_struct *sksec = sk->sk_security;
5067 u16 family = sk->sk_family;
5068 u32 sk_sid = sksec->sid;
5069 struct common_audit_data ad;
5070 struct lsm_network_audit net = {0,};
5075 if (family != PF_INET && family != PF_INET6)
5078 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5079 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5082 /* If any sort of compatibility mode is enabled then handoff processing
5083 * to the selinux_sock_rcv_skb_compat() function to deal with the
5084 * special handling. We do this in an attempt to keep this function
5085 * as fast and as clean as possible. */
5086 if (!selinux_policycap_netpeer())
5087 return selinux_sock_rcv_skb_compat(sk, skb, family);
5089 secmark_active = selinux_secmark_enabled();
5090 peerlbl_active = selinux_peerlbl_enabled();
5091 if (!secmark_active && !peerlbl_active)
5094 ad.type = LSM_AUDIT_DATA_NET;
5096 ad.u.net->netif = skb->skb_iif;
5097 ad.u.net->family = family;
5098 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5102 if (peerlbl_active) {
5105 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5108 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5109 addrp, family, peer_sid, &ad);
5111 selinux_netlbl_err(skb, family, err, 0);
5114 err = avc_has_perm(&selinux_state,
5115 sk_sid, peer_sid, SECCLASS_PEER,
5118 selinux_netlbl_err(skb, family, err, 0);
5123 if (secmark_active) {
5124 err = avc_has_perm(&selinux_state,
5125 sk_sid, skb->secmark, SECCLASS_PACKET,
5134 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5135 int __user *optlen, unsigned len)
5140 struct sk_security_struct *sksec = sock->sk->sk_security;
5141 u32 peer_sid = SECSID_NULL;
5143 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5144 sksec->sclass == SECCLASS_TCP_SOCKET ||
5145 sksec->sclass == SECCLASS_SCTP_SOCKET)
5146 peer_sid = sksec->peer_sid;
5147 if (peer_sid == SECSID_NULL)
5148 return -ENOPROTOOPT;
5150 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5155 if (scontext_len > len) {
5160 if (copy_to_user(optval, scontext, scontext_len))
5164 if (put_user(scontext_len, optlen))
5170 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5172 u32 peer_secid = SECSID_NULL;
5174 struct inode_security_struct *isec;
5176 if (skb && skb->protocol == htons(ETH_P_IP))
5178 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5181 family = sock->sk->sk_family;
5185 if (sock && family == PF_UNIX) {
5186 isec = inode_security_novalidate(SOCK_INODE(sock));
5187 peer_secid = isec->sid;
5189 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5192 *secid = peer_secid;
5193 if (peer_secid == SECSID_NULL)
5198 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5200 struct sk_security_struct *sksec;
5202 sksec = kzalloc(sizeof(*sksec), priority);
5206 sksec->peer_sid = SECINITSID_UNLABELED;
5207 sksec->sid = SECINITSID_UNLABELED;
5208 sksec->sclass = SECCLASS_SOCKET;
5209 selinux_netlbl_sk_security_reset(sksec);
5210 sk->sk_security = sksec;
5215 static void selinux_sk_free_security(struct sock *sk)
5217 struct sk_security_struct *sksec = sk->sk_security;
5219 sk->sk_security = NULL;
5220 selinux_netlbl_sk_security_free(sksec);
5224 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5226 struct sk_security_struct *sksec = sk->sk_security;
5227 struct sk_security_struct *newsksec = newsk->sk_security;
5229 newsksec->sid = sksec->sid;
5230 newsksec->peer_sid = sksec->peer_sid;
5231 newsksec->sclass = sksec->sclass;
5233 selinux_netlbl_sk_security_reset(newsksec);
5236 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5239 *secid = SECINITSID_ANY_SOCKET;
5241 struct sk_security_struct *sksec = sk->sk_security;
5243 *secid = sksec->sid;
5247 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5249 struct inode_security_struct *isec =
5250 inode_security_novalidate(SOCK_INODE(parent));
5251 struct sk_security_struct *sksec = sk->sk_security;
5253 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5254 sk->sk_family == PF_UNIX)
5255 isec->sid = sksec->sid;
5256 sksec->sclass = isec->sclass;
5259 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5260 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5263 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5264 struct sk_buff *skb)
5266 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5267 struct common_audit_data ad;
5268 struct lsm_network_audit net = {0,};
5270 u32 peer_sid = SECINITSID_UNLABELED;
5274 if (!selinux_policycap_extsockclass())
5277 peerlbl_active = selinux_peerlbl_enabled();
5279 if (peerlbl_active) {
5280 /* This will return peer_sid = SECSID_NULL if there are
5281 * no peer labels, see security_net_peersid_resolve().
5283 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5288 if (peer_sid == SECSID_NULL)
5289 peer_sid = SECINITSID_UNLABELED;
5292 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5293 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5295 /* Here as first association on socket. As the peer SID
5296 * was allowed by peer recv (and the netif/node checks),
5297 * then it is approved by policy and used as the primary
5298 * peer SID for getpeercon(3).
5300 sksec->peer_sid = peer_sid;
5301 } else if (sksec->peer_sid != peer_sid) {
5302 /* Other association peer SIDs are checked to enforce
5303 * consistency among the peer SIDs.
5305 ad.type = LSM_AUDIT_DATA_NET;
5307 ad.u.net->sk = ep->base.sk;
5308 err = avc_has_perm(&selinux_state,
5309 sksec->peer_sid, peer_sid, sksec->sclass,
5310 SCTP_SOCKET__ASSOCIATION, &ad);
5315 /* Compute the MLS component for the connection and store
5316 * the information in ep. This will be used by SCTP TCP type
5317 * sockets and peeled off connections as they cause a new
5318 * socket to be generated. selinux_sctp_sk_clone() will then
5319 * plug this into the new socket.
5321 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5325 ep->secid = conn_sid;
5326 ep->peer_secid = peer_sid;
5328 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5329 return selinux_netlbl_sctp_assoc_request(ep, skb);
5332 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5333 * based on their @optname.
5335 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5336 struct sockaddr *address,
5339 int len, err = 0, walk_size = 0;
5341 struct sockaddr *addr;
5342 struct socket *sock;
5344 if (!selinux_policycap_extsockclass())
5347 /* Process one or more addresses that may be IPv4 or IPv6 */
5348 sock = sk->sk_socket;
5351 while (walk_size < addrlen) {
5352 if (walk_size + sizeof(sa_family_t) > addrlen)
5356 switch (addr->sa_family) {
5359 len = sizeof(struct sockaddr_in);
5362 len = sizeof(struct sockaddr_in6);
5368 if (walk_size + len > addrlen)
5374 case SCTP_PRIMARY_ADDR:
5375 case SCTP_SET_PEER_PRIMARY_ADDR:
5376 case SCTP_SOCKOPT_BINDX_ADD:
5377 err = selinux_socket_bind(sock, addr, len);
5379 /* Connect checks */
5380 case SCTP_SOCKOPT_CONNECTX:
5381 case SCTP_PARAM_SET_PRIMARY:
5382 case SCTP_PARAM_ADD_IP:
5383 case SCTP_SENDMSG_CONNECT:
5384 err = selinux_socket_connect_helper(sock, addr, len);
5388 /* As selinux_sctp_bind_connect() is called by the
5389 * SCTP protocol layer, the socket is already locked,
5390 * therefore selinux_netlbl_socket_connect_locked() is
5391 * is called here. The situations handled are:
5392 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5393 * whenever a new IP address is added or when a new
5394 * primary address is selected.
5395 * Note that an SCTP connect(2) call happens before
5396 * the SCTP protocol layer and is handled via
5397 * selinux_socket_connect().
5399 err = selinux_netlbl_socket_connect_locked(sk, addr);
5413 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5414 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5417 struct sk_security_struct *sksec = sk->sk_security;
5418 struct sk_security_struct *newsksec = newsk->sk_security;
5420 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5421 * the non-sctp clone version.
5423 if (!selinux_policycap_extsockclass())
5424 return selinux_sk_clone_security(sk, newsk);
5426 newsksec->sid = ep->secid;
5427 newsksec->peer_sid = ep->peer_secid;
5428 newsksec->sclass = sksec->sclass;
5429 selinux_netlbl_sctp_sk_clone(sk, newsk);
5432 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5433 struct request_sock *req)
5435 struct sk_security_struct *sksec = sk->sk_security;
5437 u16 family = req->rsk_ops->family;
5441 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5444 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5447 req->secid = connsid;
5448 req->peer_secid = peersid;
5450 return selinux_netlbl_inet_conn_request(req, family);
5453 static void selinux_inet_csk_clone(struct sock *newsk,
5454 const struct request_sock *req)
5456 struct sk_security_struct *newsksec = newsk->sk_security;
5458 newsksec->sid = req->secid;
5459 newsksec->peer_sid = req->peer_secid;
5460 /* NOTE: Ideally, we should also get the isec->sid for the
5461 new socket in sync, but we don't have the isec available yet.
5462 So we will wait until sock_graft to do it, by which
5463 time it will have been created and available. */
5465 /* We don't need to take any sort of lock here as we are the only
5466 * thread with access to newsksec */
5467 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5470 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5472 u16 family = sk->sk_family;
5473 struct sk_security_struct *sksec = sk->sk_security;
5475 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5476 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5479 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5482 static int selinux_secmark_relabel_packet(u32 sid)
5484 const struct task_security_struct *__tsec;
5487 __tsec = current_security();
5490 return avc_has_perm(&selinux_state,
5491 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5495 static void selinux_secmark_refcount_inc(void)
5497 atomic_inc(&selinux_secmark_refcount);
5500 static void selinux_secmark_refcount_dec(void)
5502 atomic_dec(&selinux_secmark_refcount);
5505 static void selinux_req_classify_flow(const struct request_sock *req,
5508 fl->flowi_secid = req->secid;
5511 static int selinux_tun_dev_alloc_security(void **security)
5513 struct tun_security_struct *tunsec;
5515 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5518 tunsec->sid = current_sid();
5524 static void selinux_tun_dev_free_security(void *security)
5529 static int selinux_tun_dev_create(void)
5531 u32 sid = current_sid();
5533 /* we aren't taking into account the "sockcreate" SID since the socket
5534 * that is being created here is not a socket in the traditional sense,
5535 * instead it is a private sock, accessible only to the kernel, and
5536 * representing a wide range of network traffic spanning multiple
5537 * connections unlike traditional sockets - check the TUN driver to
5538 * get a better understanding of why this socket is special */
5540 return avc_has_perm(&selinux_state,
5541 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5545 static int selinux_tun_dev_attach_queue(void *security)
5547 struct tun_security_struct *tunsec = security;
5549 return avc_has_perm(&selinux_state,
5550 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5551 TUN_SOCKET__ATTACH_QUEUE, NULL);
5554 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5556 struct tun_security_struct *tunsec = security;
5557 struct sk_security_struct *sksec = sk->sk_security;
5559 /* we don't currently perform any NetLabel based labeling here and it
5560 * isn't clear that we would want to do so anyway; while we could apply
5561 * labeling without the support of the TUN user the resulting labeled
5562 * traffic from the other end of the connection would almost certainly
5563 * cause confusion to the TUN user that had no idea network labeling
5564 * protocols were being used */
5566 sksec->sid = tunsec->sid;
5567 sksec->sclass = SECCLASS_TUN_SOCKET;
5572 static int selinux_tun_dev_open(void *security)
5574 struct tun_security_struct *tunsec = security;
5575 u32 sid = current_sid();
5578 err = avc_has_perm(&selinux_state,
5579 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5580 TUN_SOCKET__RELABELFROM, NULL);
5583 err = avc_has_perm(&selinux_state,
5584 sid, sid, SECCLASS_TUN_SOCKET,
5585 TUN_SOCKET__RELABELTO, NULL);
5593 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5597 struct nlmsghdr *nlh;
5598 struct sk_security_struct *sksec = sk->sk_security;
5600 if (skb->len < NLMSG_HDRLEN) {
5604 nlh = nlmsg_hdr(skb);
5606 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5608 if (err == -EINVAL) {
5609 pr_warn_ratelimited("SELinux: unrecognized netlink"
5610 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5611 " pig=%d comm=%s\n",
5612 sk->sk_protocol, nlh->nlmsg_type,
5613 secclass_map[sksec->sclass - 1].name,
5614 task_pid_nr(current), current->comm);
5615 if (!enforcing_enabled(&selinux_state) ||
5616 security_get_allow_unknown(&selinux_state))
5626 err = sock_has_perm(sk, perm);
5631 #ifdef CONFIG_NETFILTER
5633 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5634 const struct net_device *indev,
5640 struct common_audit_data ad;
5641 struct lsm_network_audit net = {0,};
5646 if (!selinux_policycap_netpeer())
5649 secmark_active = selinux_secmark_enabled();
5650 netlbl_active = netlbl_enabled();
5651 peerlbl_active = selinux_peerlbl_enabled();
5652 if (!secmark_active && !peerlbl_active)
5655 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5658 ad.type = LSM_AUDIT_DATA_NET;
5660 ad.u.net->netif = indev->ifindex;
5661 ad.u.net->family = family;
5662 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5665 if (peerlbl_active) {
5666 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5667 addrp, family, peer_sid, &ad);
5669 selinux_netlbl_err(skb, family, err, 1);
5675 if (avc_has_perm(&selinux_state,
5676 peer_sid, skb->secmark,
5677 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5681 /* we do this in the FORWARD path and not the POST_ROUTING
5682 * path because we want to make sure we apply the necessary
5683 * labeling before IPsec is applied so we can leverage AH
5685 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5691 static unsigned int selinux_ipv4_forward(void *priv,
5692 struct sk_buff *skb,
5693 const struct nf_hook_state *state)
5695 return selinux_ip_forward(skb, state->in, PF_INET);
5698 #if IS_ENABLED(CONFIG_IPV6)
5699 static unsigned int selinux_ipv6_forward(void *priv,
5700 struct sk_buff *skb,
5701 const struct nf_hook_state *state)
5703 return selinux_ip_forward(skb, state->in, PF_INET6);
5707 static unsigned int selinux_ip_output(struct sk_buff *skb,
5713 if (!netlbl_enabled())
5716 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5717 * because we want to make sure we apply the necessary labeling
5718 * before IPsec is applied so we can leverage AH protection */
5721 struct sk_security_struct *sksec;
5723 if (sk_listener(sk))
5724 /* if the socket is the listening state then this
5725 * packet is a SYN-ACK packet which means it needs to
5726 * be labeled based on the connection/request_sock and
5727 * not the parent socket. unfortunately, we can't
5728 * lookup the request_sock yet as it isn't queued on
5729 * the parent socket until after the SYN-ACK is sent.
5730 * the "solution" is to simply pass the packet as-is
5731 * as any IP option based labeling should be copied
5732 * from the initial connection request (in the IP
5733 * layer). it is far from ideal, but until we get a
5734 * security label in the packet itself this is the
5735 * best we can do. */
5738 /* standard practice, label using the parent socket */
5739 sksec = sk->sk_security;
5742 sid = SECINITSID_KERNEL;
5743 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5749 static unsigned int selinux_ipv4_output(void *priv,
5750 struct sk_buff *skb,
5751 const struct nf_hook_state *state)
5753 return selinux_ip_output(skb, PF_INET);
5756 #if IS_ENABLED(CONFIG_IPV6)
5757 static unsigned int selinux_ipv6_output(void *priv,
5758 struct sk_buff *skb,
5759 const struct nf_hook_state *state)
5761 return selinux_ip_output(skb, PF_INET6);
5765 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5769 struct sock *sk = skb_to_full_sk(skb);
5770 struct sk_security_struct *sksec;
5771 struct common_audit_data ad;
5772 struct lsm_network_audit net = {0,};
5778 sksec = sk->sk_security;
5780 ad.type = LSM_AUDIT_DATA_NET;
5782 ad.u.net->netif = ifindex;
5783 ad.u.net->family = family;
5784 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5787 if (selinux_secmark_enabled())
5788 if (avc_has_perm(&selinux_state,
5789 sksec->sid, skb->secmark,
5790 SECCLASS_PACKET, PACKET__SEND, &ad))
5791 return NF_DROP_ERR(-ECONNREFUSED);
5793 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5794 return NF_DROP_ERR(-ECONNREFUSED);
5799 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5800 const struct net_device *outdev,
5805 int ifindex = outdev->ifindex;
5807 struct common_audit_data ad;
5808 struct lsm_network_audit net = {0,};
5813 /* If any sort of compatibility mode is enabled then handoff processing
5814 * to the selinux_ip_postroute_compat() function to deal with the
5815 * special handling. We do this in an attempt to keep this function
5816 * as fast and as clean as possible. */
5817 if (!selinux_policycap_netpeer())
5818 return selinux_ip_postroute_compat(skb, ifindex, family);
5820 secmark_active = selinux_secmark_enabled();
5821 peerlbl_active = selinux_peerlbl_enabled();
5822 if (!secmark_active && !peerlbl_active)
5825 sk = skb_to_full_sk(skb);
5828 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5829 * packet transformation so allow the packet to pass without any checks
5830 * since we'll have another chance to perform access control checks
5831 * when the packet is on it's final way out.
5832 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5833 * is NULL, in this case go ahead and apply access control.
5834 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5835 * TCP listening state we cannot wait until the XFRM processing
5836 * is done as we will miss out on the SA label if we do;
5837 * unfortunately, this means more work, but it is only once per
5839 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5840 !(sk && sk_listener(sk)))
5845 /* Without an associated socket the packet is either coming
5846 * from the kernel or it is being forwarded; check the packet
5847 * to determine which and if the packet is being forwarded
5848 * query the packet directly to determine the security label. */
5850 secmark_perm = PACKET__FORWARD_OUT;
5851 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5854 secmark_perm = PACKET__SEND;
5855 peer_sid = SECINITSID_KERNEL;
5857 } else if (sk_listener(sk)) {
5858 /* Locally generated packet but the associated socket is in the
5859 * listening state which means this is a SYN-ACK packet. In
5860 * this particular case the correct security label is assigned
5861 * to the connection/request_sock but unfortunately we can't
5862 * query the request_sock as it isn't queued on the parent
5863 * socket until after the SYN-ACK packet is sent; the only
5864 * viable choice is to regenerate the label like we do in
5865 * selinux_inet_conn_request(). See also selinux_ip_output()
5866 * for similar problems. */
5868 struct sk_security_struct *sksec;
5870 sksec = sk->sk_security;
5871 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5873 /* At this point, if the returned skb peerlbl is SECSID_NULL
5874 * and the packet has been through at least one XFRM
5875 * transformation then we must be dealing with the "final"
5876 * form of labeled IPsec packet; since we've already applied
5877 * all of our access controls on this packet we can safely
5878 * pass the packet. */
5879 if (skb_sid == SECSID_NULL) {
5882 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5886 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5890 return NF_DROP_ERR(-ECONNREFUSED);
5893 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5895 secmark_perm = PACKET__SEND;
5897 /* Locally generated packet, fetch the security label from the
5898 * associated socket. */
5899 struct sk_security_struct *sksec = sk->sk_security;
5900 peer_sid = sksec->sid;
5901 secmark_perm = PACKET__SEND;
5904 ad.type = LSM_AUDIT_DATA_NET;
5906 ad.u.net->netif = ifindex;
5907 ad.u.net->family = family;
5908 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5912 if (avc_has_perm(&selinux_state,
5913 peer_sid, skb->secmark,
5914 SECCLASS_PACKET, secmark_perm, &ad))
5915 return NF_DROP_ERR(-ECONNREFUSED);
5917 if (peerlbl_active) {
5921 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5923 if (avc_has_perm(&selinux_state,
5925 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5926 return NF_DROP_ERR(-ECONNREFUSED);
5928 if (sel_netnode_sid(addrp, family, &node_sid))
5930 if (avc_has_perm(&selinux_state,
5932 SECCLASS_NODE, NODE__SENDTO, &ad))
5933 return NF_DROP_ERR(-ECONNREFUSED);
5939 static unsigned int selinux_ipv4_postroute(void *priv,
5940 struct sk_buff *skb,
5941 const struct nf_hook_state *state)
5943 return selinux_ip_postroute(skb, state->out, PF_INET);
5946 #if IS_ENABLED(CONFIG_IPV6)
5947 static unsigned int selinux_ipv6_postroute(void *priv,
5948 struct sk_buff *skb,
5949 const struct nf_hook_state *state)
5951 return selinux_ip_postroute(skb, state->out, PF_INET6);
5955 #endif /* CONFIG_NETFILTER */
5957 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5959 return selinux_nlmsg_perm(sk, skb);
5962 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5965 struct ipc_security_struct *isec;
5967 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5971 isec->sclass = sclass;
5972 isec->sid = current_sid();
5973 perm->security = isec;
5978 static void ipc_free_security(struct kern_ipc_perm *perm)
5980 struct ipc_security_struct *isec = perm->security;
5981 perm->security = NULL;
5985 static int msg_msg_alloc_security(struct msg_msg *msg)
5987 struct msg_security_struct *msec;
5989 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5993 msec->sid = SECINITSID_UNLABELED;
5994 msg->security = msec;
5999 static void msg_msg_free_security(struct msg_msg *msg)
6001 struct msg_security_struct *msec = msg->security;
6003 msg->security = NULL;
6007 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
6010 struct ipc_security_struct *isec;
6011 struct common_audit_data ad;
6012 u32 sid = current_sid();
6014 isec = ipc_perms->security;
6016 ad.type = LSM_AUDIT_DATA_IPC;
6017 ad.u.ipc_id = ipc_perms->key;
6019 return avc_has_perm(&selinux_state,
6020 sid, isec->sid, isec->sclass, perms, &ad);
6023 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6025 return msg_msg_alloc_security(msg);
6028 static void selinux_msg_msg_free_security(struct msg_msg *msg)
6030 msg_msg_free_security(msg);
6033 /* message queue security operations */
6034 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6036 struct ipc_security_struct *isec;
6037 struct common_audit_data ad;
6038 u32 sid = current_sid();
6041 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
6045 isec = msq->security;
6047 ad.type = LSM_AUDIT_DATA_IPC;
6048 ad.u.ipc_id = msq->key;
6050 rc = avc_has_perm(&selinux_state,
6051 sid, isec->sid, SECCLASS_MSGQ,
6054 ipc_free_security(msq);
6060 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6062 ipc_free_security(msq);
6065 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6067 struct ipc_security_struct *isec;
6068 struct common_audit_data ad;
6069 u32 sid = current_sid();
6071 isec = msq->security;
6073 ad.type = LSM_AUDIT_DATA_IPC;
6074 ad.u.ipc_id = msq->key;
6076 return avc_has_perm(&selinux_state,
6077 sid, isec->sid, SECCLASS_MSGQ,
6078 MSGQ__ASSOCIATE, &ad);
6081 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6089 /* No specific object, just general system-wide information. */
6090 return avc_has_perm(&selinux_state,
6091 current_sid(), SECINITSID_KERNEL,
6092 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6096 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6099 perms = MSGQ__SETATTR;
6102 perms = MSGQ__DESTROY;
6108 err = ipc_has_perm(msq, perms);
6112 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6114 struct ipc_security_struct *isec;
6115 struct msg_security_struct *msec;
6116 struct common_audit_data ad;
6117 u32 sid = current_sid();
6120 isec = msq->security;
6121 msec = msg->security;
6124 * First time through, need to assign label to the message
6126 if (msec->sid == SECINITSID_UNLABELED) {
6128 * Compute new sid based on current process and
6129 * message queue this message will be stored in
6131 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6132 SECCLASS_MSG, NULL, &msec->sid);
6137 ad.type = LSM_AUDIT_DATA_IPC;
6138 ad.u.ipc_id = msq->key;
6140 /* Can this process write to the queue? */
6141 rc = avc_has_perm(&selinux_state,
6142 sid, isec->sid, SECCLASS_MSGQ,
6145 /* Can this process send the message */
6146 rc = avc_has_perm(&selinux_state,
6147 sid, msec->sid, SECCLASS_MSG,
6150 /* Can the message be put in the queue? */
6151 rc = avc_has_perm(&selinux_state,
6152 msec->sid, isec->sid, SECCLASS_MSGQ,
6153 MSGQ__ENQUEUE, &ad);
6158 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6159 struct task_struct *target,
6160 long type, int mode)
6162 struct ipc_security_struct *isec;
6163 struct msg_security_struct *msec;
6164 struct common_audit_data ad;
6165 u32 sid = task_sid(target);
6168 isec = msq->security;
6169 msec = msg->security;
6171 ad.type = LSM_AUDIT_DATA_IPC;
6172 ad.u.ipc_id = msq->key;
6174 rc = avc_has_perm(&selinux_state,
6176 SECCLASS_MSGQ, MSGQ__READ, &ad);
6178 rc = avc_has_perm(&selinux_state,
6180 SECCLASS_MSG, MSG__RECEIVE, &ad);
6184 /* Shared Memory security operations */
6185 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6187 struct ipc_security_struct *isec;
6188 struct common_audit_data ad;
6189 u32 sid = current_sid();
6192 rc = ipc_alloc_security(shp, SECCLASS_SHM);
6196 isec = shp->security;
6198 ad.type = LSM_AUDIT_DATA_IPC;
6199 ad.u.ipc_id = shp->key;
6201 rc = avc_has_perm(&selinux_state,
6202 sid, isec->sid, SECCLASS_SHM,
6205 ipc_free_security(shp);
6211 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6213 ipc_free_security(shp);
6216 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6218 struct ipc_security_struct *isec;
6219 struct common_audit_data ad;
6220 u32 sid = current_sid();
6222 isec = shp->security;
6224 ad.type = LSM_AUDIT_DATA_IPC;
6225 ad.u.ipc_id = shp->key;
6227 return avc_has_perm(&selinux_state,
6228 sid, isec->sid, SECCLASS_SHM,
6229 SHM__ASSOCIATE, &ad);
6232 /* Note, at this point, shp is locked down */
6233 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6241 /* No specific object, just general system-wide information. */
6242 return avc_has_perm(&selinux_state,
6243 current_sid(), SECINITSID_KERNEL,
6244 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6248 perms = SHM__GETATTR | SHM__ASSOCIATE;
6251 perms = SHM__SETATTR;
6258 perms = SHM__DESTROY;
6264 err = ipc_has_perm(shp, perms);
6268 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6269 char __user *shmaddr, int shmflg)
6273 if (shmflg & SHM_RDONLY)
6276 perms = SHM__READ | SHM__WRITE;
6278 return ipc_has_perm(shp, perms);
6281 /* Semaphore security operations */
6282 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6284 struct ipc_security_struct *isec;
6285 struct common_audit_data ad;
6286 u32 sid = current_sid();
6289 rc = ipc_alloc_security(sma, SECCLASS_SEM);
6293 isec = sma->security;
6295 ad.type = LSM_AUDIT_DATA_IPC;
6296 ad.u.ipc_id = sma->key;
6298 rc = avc_has_perm(&selinux_state,
6299 sid, isec->sid, SECCLASS_SEM,
6302 ipc_free_security(sma);
6308 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6310 ipc_free_security(sma);
6313 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6315 struct ipc_security_struct *isec;
6316 struct common_audit_data ad;
6317 u32 sid = current_sid();
6319 isec = sma->security;
6321 ad.type = LSM_AUDIT_DATA_IPC;
6322 ad.u.ipc_id = sma->key;
6324 return avc_has_perm(&selinux_state,
6325 sid, isec->sid, SECCLASS_SEM,
6326 SEM__ASSOCIATE, &ad);
6329 /* Note, at this point, sma is locked down */
6330 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6338 /* No specific object, just general system-wide information. */
6339 return avc_has_perm(&selinux_state,
6340 current_sid(), SECINITSID_KERNEL,
6341 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6345 perms = SEM__GETATTR;
6356 perms = SEM__DESTROY;
6359 perms = SEM__SETATTR;
6364 perms = SEM__GETATTR | SEM__ASSOCIATE;
6370 err = ipc_has_perm(sma, perms);
6374 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6375 struct sembuf *sops, unsigned nsops, int alter)
6380 perms = SEM__READ | SEM__WRITE;
6384 return ipc_has_perm(sma, perms);
6387 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6393 av |= IPC__UNIX_READ;
6395 av |= IPC__UNIX_WRITE;
6400 return ipc_has_perm(ipcp, av);
6403 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6405 struct ipc_security_struct *isec = ipcp->security;
6409 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6412 inode_doinit_with_dentry(inode, dentry);
6415 static int selinux_getprocattr(struct task_struct *p,
6416 char *name, char **value)
6418 const struct task_security_struct *__tsec;
6424 __tsec = __task_cred(p)->security;
6427 error = avc_has_perm(&selinux_state,
6428 current_sid(), __tsec->sid,
6429 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6434 if (!strcmp(name, "current"))
6436 else if (!strcmp(name, "prev"))
6438 else if (!strcmp(name, "exec"))
6439 sid = __tsec->exec_sid;
6440 else if (!strcmp(name, "fscreate"))
6441 sid = __tsec->create_sid;
6442 else if (!strcmp(name, "keycreate"))
6443 sid = __tsec->keycreate_sid;
6444 else if (!strcmp(name, "sockcreate"))
6445 sid = __tsec->sockcreate_sid;
6455 error = security_sid_to_context(&selinux_state, sid, value, &len);
6465 static int selinux_setprocattr(const char *name, void *value, size_t size)
6467 struct task_security_struct *tsec;
6469 u32 mysid = current_sid(), sid = 0, ptsid;
6474 * Basic control over ability to set these attributes at all.
6476 if (!strcmp(name, "exec"))
6477 error = avc_has_perm(&selinux_state,
6478 mysid, mysid, SECCLASS_PROCESS,
6479 PROCESS__SETEXEC, NULL);
6480 else if (!strcmp(name, "fscreate"))
6481 error = avc_has_perm(&selinux_state,
6482 mysid, mysid, SECCLASS_PROCESS,
6483 PROCESS__SETFSCREATE, NULL);
6484 else if (!strcmp(name, "keycreate"))
6485 error = avc_has_perm(&selinux_state,
6486 mysid, mysid, SECCLASS_PROCESS,
6487 PROCESS__SETKEYCREATE, NULL);
6488 else if (!strcmp(name, "sockcreate"))
6489 error = avc_has_perm(&selinux_state,
6490 mysid, mysid, SECCLASS_PROCESS,
6491 PROCESS__SETSOCKCREATE, NULL);
6492 else if (!strcmp(name, "current"))
6493 error = avc_has_perm(&selinux_state,
6494 mysid, mysid, SECCLASS_PROCESS,
6495 PROCESS__SETCURRENT, NULL);
6501 /* Obtain a SID for the context, if one was specified. */
6502 if (size && str[0] && str[0] != '\n') {
6503 if (str[size-1] == '\n') {
6507 error = security_context_to_sid(&selinux_state, value, size,
6509 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6510 if (!has_cap_mac_admin(true)) {
6511 struct audit_buffer *ab;
6514 /* We strip a nul only if it is at the end, otherwise the
6515 * context contains a nul and we should audit that */
6516 if (str[size - 1] == '\0')
6517 audit_size = size - 1;
6520 ab = audit_log_start(audit_context(),
6523 audit_log_format(ab, "op=fscreate invalid_context=");
6524 audit_log_n_untrustedstring(ab, value, audit_size);
6529 error = security_context_to_sid_force(
6537 new = prepare_creds();
6541 /* Permission checking based on the specified context is
6542 performed during the actual operation (execve,
6543 open/mkdir/...), when we know the full context of the
6544 operation. See selinux_bprm_set_creds for the execve
6545 checks and may_create for the file creation checks. The
6546 operation will then fail if the context is not permitted. */
6547 tsec = new->security;
6548 if (!strcmp(name, "exec")) {
6549 tsec->exec_sid = sid;
6550 } else if (!strcmp(name, "fscreate")) {
6551 tsec->create_sid = sid;
6552 } else if (!strcmp(name, "keycreate")) {
6554 error = avc_has_perm(&selinux_state, mysid, sid,
6555 SECCLASS_KEY, KEY__CREATE, NULL);
6559 tsec->keycreate_sid = sid;
6560 } else if (!strcmp(name, "sockcreate")) {
6561 tsec->sockcreate_sid = sid;
6562 } else if (!strcmp(name, "current")) {
6567 /* Only allow single threaded processes to change context */
6569 if (!current_is_single_threaded()) {
6570 error = security_bounded_transition(&selinux_state,
6576 /* Check permissions for the transition. */
6577 error = avc_has_perm(&selinux_state,
6578 tsec->sid, sid, SECCLASS_PROCESS,
6579 PROCESS__DYNTRANSITION, NULL);
6583 /* Check for ptracing, and update the task SID if ok.
6584 Otherwise, leave SID unchanged and fail. */
6585 ptsid = ptrace_parent_sid();
6587 error = avc_has_perm(&selinux_state,
6588 ptsid, sid, SECCLASS_PROCESS,
6589 PROCESS__PTRACE, NULL);
6608 static int selinux_ismaclabel(const char *name)
6610 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6613 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6615 return security_sid_to_context(&selinux_state, secid,
6619 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6621 return security_context_to_sid(&selinux_state, secdata, seclen,
6625 static void selinux_release_secctx(char *secdata, u32 seclen)
6630 static void selinux_inode_invalidate_secctx(struct inode *inode)
6632 struct inode_security_struct *isec = inode->i_security;
6634 spin_lock(&isec->lock);
6635 isec->initialized = LABEL_INVALID;
6636 spin_unlock(&isec->lock);
6640 * called with inode->i_mutex locked
6642 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6644 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6646 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6647 return rc == -EOPNOTSUPP ? 0 : rc;
6651 * called with inode->i_mutex locked
6653 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6655 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6658 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6661 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6670 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6671 unsigned long flags)
6673 const struct task_security_struct *tsec;
6674 struct key_security_struct *ksec;
6676 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6680 tsec = cred->security;
6681 if (tsec->keycreate_sid)
6682 ksec->sid = tsec->keycreate_sid;
6684 ksec->sid = tsec->sid;
6690 static void selinux_key_free(struct key *k)
6692 struct key_security_struct *ksec = k->security;
6698 static int selinux_key_permission(key_ref_t key_ref,
6699 const struct cred *cred,
6703 struct key_security_struct *ksec;
6706 /* if no specific permissions are requested, we skip the
6707 permission check. No serious, additional covert channels
6708 appear to be created. */
6712 sid = cred_sid(cred);
6714 key = key_ref_to_ptr(key_ref);
6715 ksec = key->security;
6717 return avc_has_perm(&selinux_state,
6718 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6721 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6723 struct key_security_struct *ksec = key->security;
6724 char *context = NULL;
6728 rc = security_sid_to_context(&selinux_state, ksec->sid,
6737 #ifdef CONFIG_SECURITY_INFINIBAND
6738 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6740 struct common_audit_data ad;
6743 struct ib_security_struct *sec = ib_sec;
6744 struct lsm_ibpkey_audit ibpkey;
6746 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6750 ad.type = LSM_AUDIT_DATA_IBPKEY;
6751 ibpkey.subnet_prefix = subnet_prefix;
6752 ibpkey.pkey = pkey_val;
6753 ad.u.ibpkey = &ibpkey;
6754 return avc_has_perm(&selinux_state,
6756 SECCLASS_INFINIBAND_PKEY,
6757 INFINIBAND_PKEY__ACCESS, &ad);
6760 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6763 struct common_audit_data ad;
6766 struct ib_security_struct *sec = ib_sec;
6767 struct lsm_ibendport_audit ibendport;
6769 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6775 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6776 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6777 ibendport.port = port_num;
6778 ad.u.ibendport = &ibendport;
6779 return avc_has_perm(&selinux_state,
6781 SECCLASS_INFINIBAND_ENDPORT,
6782 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6785 static int selinux_ib_alloc_security(void **ib_sec)
6787 struct ib_security_struct *sec;
6789 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6792 sec->sid = current_sid();
6798 static void selinux_ib_free_security(void *ib_sec)
6804 #ifdef CONFIG_BPF_SYSCALL
6805 static int selinux_bpf(int cmd, union bpf_attr *attr,
6808 u32 sid = current_sid();
6812 case BPF_MAP_CREATE:
6813 ret = avc_has_perm(&selinux_state,
6814 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6818 ret = avc_has_perm(&selinux_state,
6819 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6830 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6834 if (fmode & FMODE_READ)
6835 av |= BPF__MAP_READ;
6836 if (fmode & FMODE_WRITE)
6837 av |= BPF__MAP_WRITE;
6841 /* This function will check the file pass through unix socket or binder to see
6842 * if it is a bpf related object. And apply correspinding checks on the bpf
6843 * object based on the type. The bpf maps and programs, not like other files and
6844 * socket, are using a shared anonymous inode inside the kernel as their inode.
6845 * So checking that inode cannot identify if the process have privilege to
6846 * access the bpf object and that's why we have to add this additional check in
6847 * selinux_file_receive and selinux_binder_transfer_files.
6849 static int bpf_fd_pass(struct file *file, u32 sid)
6851 struct bpf_security_struct *bpfsec;
6852 struct bpf_prog *prog;
6853 struct bpf_map *map;
6856 if (file->f_op == &bpf_map_fops) {
6857 map = file->private_data;
6858 bpfsec = map->security;
6859 ret = avc_has_perm(&selinux_state,
6860 sid, bpfsec->sid, SECCLASS_BPF,
6861 bpf_map_fmode_to_av(file->f_mode), NULL);
6864 } else if (file->f_op == &bpf_prog_fops) {
6865 prog = file->private_data;
6866 bpfsec = prog->aux->security;
6867 ret = avc_has_perm(&selinux_state,
6868 sid, bpfsec->sid, SECCLASS_BPF,
6869 BPF__PROG_RUN, NULL);
6876 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6878 u32 sid = current_sid();
6879 struct bpf_security_struct *bpfsec;
6881 bpfsec = map->security;
6882 return avc_has_perm(&selinux_state,
6883 sid, bpfsec->sid, SECCLASS_BPF,
6884 bpf_map_fmode_to_av(fmode), NULL);
6887 static int selinux_bpf_prog(struct bpf_prog *prog)
6889 u32 sid = current_sid();
6890 struct bpf_security_struct *bpfsec;
6892 bpfsec = prog->aux->security;
6893 return avc_has_perm(&selinux_state,
6894 sid, bpfsec->sid, SECCLASS_BPF,
6895 BPF__PROG_RUN, NULL);
6898 static int selinux_bpf_map_alloc(struct bpf_map *map)
6900 struct bpf_security_struct *bpfsec;
6902 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6906 bpfsec->sid = current_sid();
6907 map->security = bpfsec;
6912 static void selinux_bpf_map_free(struct bpf_map *map)
6914 struct bpf_security_struct *bpfsec = map->security;
6916 map->security = NULL;
6920 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6922 struct bpf_security_struct *bpfsec;
6924 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6928 bpfsec->sid = current_sid();
6929 aux->security = bpfsec;
6934 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6936 struct bpf_security_struct *bpfsec = aux->security;
6938 aux->security = NULL;
6943 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6944 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6945 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6946 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6947 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6949 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6950 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6951 LSM_HOOK_INIT(capget, selinux_capget),
6952 LSM_HOOK_INIT(capset, selinux_capset),
6953 LSM_HOOK_INIT(capable, selinux_capable),
6954 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6955 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6956 LSM_HOOK_INIT(syslog, selinux_syslog),
6957 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6959 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6961 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6962 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6963 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6965 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6966 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6967 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6968 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6969 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6970 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6971 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6972 LSM_HOOK_INIT(sb_mount, selinux_mount),
6973 LSM_HOOK_INIT(sb_umount, selinux_umount),
6974 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6975 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6976 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6978 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6979 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6981 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6982 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6983 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6984 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6985 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6986 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6987 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6988 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6989 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6990 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6991 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6992 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6993 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6994 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6995 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6996 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6997 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6998 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6999 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7000 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7001 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7002 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7003 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7004 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7005 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7006 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7007 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7009 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7010 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7011 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
7012 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7013 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7014 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7015 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7016 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7017 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7018 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7019 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7020 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7022 LSM_HOOK_INIT(file_open, selinux_file_open),
7024 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7025 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
7026 LSM_HOOK_INIT(cred_free, selinux_cred_free),
7027 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7028 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7029 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7030 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7031 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7032 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7033 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7034 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7035 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7036 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7037 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7038 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
7039 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7040 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7041 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7042 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7043 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7044 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7045 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7046 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7047 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7048 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7050 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7051 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7053 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7054 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
7056 LSM_HOOK_INIT(msg_queue_alloc_security,
7057 selinux_msg_queue_alloc_security),
7058 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
7059 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7060 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7061 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7062 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7064 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7065 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7066 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7067 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7068 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7070 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7071 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7072 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7073 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7074 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7076 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7078 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7079 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7081 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7082 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7083 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7084 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7085 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7086 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7087 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7088 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7090 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7091 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7093 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7094 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7095 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7096 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7097 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7098 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7099 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7100 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7101 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7102 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7103 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7104 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7105 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7106 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7107 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7108 LSM_HOOK_INIT(socket_getpeersec_stream,
7109 selinux_socket_getpeersec_stream),
7110 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7111 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7112 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7113 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7114 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7115 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7116 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7117 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7118 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7119 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7120 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7121 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7122 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7123 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7124 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7125 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7126 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7127 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7128 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7129 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7130 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7131 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7132 #ifdef CONFIG_SECURITY_INFINIBAND
7133 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7134 LSM_HOOK_INIT(ib_endport_manage_subnet,
7135 selinux_ib_endport_manage_subnet),
7136 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7137 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7139 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7140 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7141 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7142 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7143 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7144 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7145 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7146 selinux_xfrm_state_alloc_acquire),
7147 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7148 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7149 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7150 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7151 selinux_xfrm_state_pol_flow_match),
7152 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7156 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7157 LSM_HOOK_INIT(key_free, selinux_key_free),
7158 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7159 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7163 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7164 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7165 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7166 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7169 #ifdef CONFIG_BPF_SYSCALL
7170 LSM_HOOK_INIT(bpf, selinux_bpf),
7171 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7172 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7173 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7174 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7175 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7176 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7180 static __init int selinux_init(void)
7182 if (!security_module_enable("selinux")) {
7183 selinux_enabled = 0;
7187 if (!selinux_enabled) {
7188 pr_info("SELinux: Disabled at boot.\n");
7192 pr_info("SELinux: Initializing.\n");
7194 memset(&selinux_state, 0, sizeof(selinux_state));
7195 enforcing_set(&selinux_state, selinux_enforcing_boot);
7196 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7197 selinux_ss_init(&selinux_state.ss);
7198 selinux_avc_init(&selinux_state.avc);
7200 /* Set the security state for the initial task. */
7201 cred_init_security();
7203 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7205 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7206 sizeof(struct inode_security_struct),
7207 0, SLAB_PANIC, NULL);
7208 file_security_cache = kmem_cache_create("selinux_file_security",
7209 sizeof(struct file_security_struct),
7210 0, SLAB_PANIC, NULL);
7215 ebitmap_cache_init();
7217 hashtab_cache_init();
7219 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7221 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7222 panic("SELinux: Unable to register AVC netcache callback\n");
7224 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7225 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7227 if (selinux_enforcing_boot)
7228 pr_debug("SELinux: Starting in enforcing mode\n");
7230 pr_debug("SELinux: Starting in permissive mode\n");
7235 static void delayed_superblock_init(struct super_block *sb, void *unused)
7237 superblock_doinit(sb, NULL);
7240 void selinux_complete_init(void)
7242 pr_debug("SELinux: Completing initialization.\n");
7244 /* Set up any superblocks initialized prior to the policy load. */
7245 pr_debug("SELinux: Setting up existing superblocks.\n");
7246 iterate_supers(delayed_superblock_init, NULL);
7249 /* SELinux requires early initialization in order to label
7250 all processes and objects when they are created. */
7251 security_initcall(selinux_init);
7253 #if defined(CONFIG_NETFILTER)
7255 static const struct nf_hook_ops selinux_nf_ops[] = {
7257 .hook = selinux_ipv4_postroute,
7259 .hooknum = NF_INET_POST_ROUTING,
7260 .priority = NF_IP_PRI_SELINUX_LAST,
7263 .hook = selinux_ipv4_forward,
7265 .hooknum = NF_INET_FORWARD,
7266 .priority = NF_IP_PRI_SELINUX_FIRST,
7269 .hook = selinux_ipv4_output,
7271 .hooknum = NF_INET_LOCAL_OUT,
7272 .priority = NF_IP_PRI_SELINUX_FIRST,
7274 #if IS_ENABLED(CONFIG_IPV6)
7276 .hook = selinux_ipv6_postroute,
7278 .hooknum = NF_INET_POST_ROUTING,
7279 .priority = NF_IP6_PRI_SELINUX_LAST,
7282 .hook = selinux_ipv6_forward,
7284 .hooknum = NF_INET_FORWARD,
7285 .priority = NF_IP6_PRI_SELINUX_FIRST,
7288 .hook = selinux_ipv6_output,
7290 .hooknum = NF_INET_LOCAL_OUT,
7291 .priority = NF_IP6_PRI_SELINUX_FIRST,
7296 static int __net_init selinux_nf_register(struct net *net)
7298 return nf_register_net_hooks(net, selinux_nf_ops,
7299 ARRAY_SIZE(selinux_nf_ops));
7302 static void __net_exit selinux_nf_unregister(struct net *net)
7304 nf_unregister_net_hooks(net, selinux_nf_ops,
7305 ARRAY_SIZE(selinux_nf_ops));
7308 static struct pernet_operations selinux_net_ops = {
7309 .init = selinux_nf_register,
7310 .exit = selinux_nf_unregister,
7313 static int __init selinux_nf_ip_init(void)
7317 if (!selinux_enabled)
7320 pr_debug("SELinux: Registering netfilter hooks\n");
7322 err = register_pernet_subsys(&selinux_net_ops);
7324 panic("SELinux: register_pernet_subsys: error %d\n", err);
7328 __initcall(selinux_nf_ip_init);
7330 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7331 static void selinux_nf_ip_exit(void)
7333 pr_debug("SELinux: Unregistering netfilter hooks\n");
7335 unregister_pernet_subsys(&selinux_net_ops);
7339 #else /* CONFIG_NETFILTER */
7341 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7342 #define selinux_nf_ip_exit()
7345 #endif /* CONFIG_NETFILTER */
7347 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7348 int selinux_disable(struct selinux_state *state)
7350 if (state->initialized) {
7351 /* Not permitted after initial policy load. */
7355 if (state->disabled) {
7356 /* Only do this once. */
7360 state->disabled = 1;
7362 pr_info("SELinux: Disabled at runtime.\n");
7364 selinux_enabled = 0;
7366 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7368 /* Try to destroy the avc node cache */
7371 /* Unregister netfilter hooks. */
7372 selinux_nf_ip_exit();
7374 /* Unregister selinuxfs. */
projects / platform / kernel / linux-rpi.git / blob