1 // SPDX-License-Identifier: GPL-2.0-only
3 * NSA Security-Enhanced Linux (SELinux) security module
5 * This file contains the SELinux hook function implementations.
7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * <dgoeddel@trustedcs.com>
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Paul Moore <paul@paul-moore.com>
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * Copyright (C) 2016 Mellanox Technologies
24 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h> /* for Unix socket types */
73 #include <net/af_unix.h> /* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h> /* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
102 #include "netlabel.h"
106 struct selinux_state selinux_state;
108 /* SECMARK reference count */
109 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
111 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
112 static int selinux_enforcing_boot __initdata;
114 static int __init enforcing_setup(char *str)
116 unsigned long enforcing;
117 if (!kstrtoul(str, 0, &enforcing))
118 selinux_enforcing_boot = enforcing ? 1 : 0;
121 __setup("enforcing=", enforcing_setup);
123 #define selinux_enforcing_boot 1
126 int selinux_enabled_boot __initdata = 1;
127 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
128 static int __init selinux_enabled_setup(char *str)
130 unsigned long enabled;
131 if (!kstrtoul(str, 0, &enabled))
132 selinux_enabled_boot = enabled ? 1 : 0;
135 __setup("selinux=", selinux_enabled_setup);
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 static int __init checkreqprot_setup(char *str)
143 unsigned long checkreqprot;
145 if (!kstrtoul(str, 0, &checkreqprot)) {
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
152 __setup("checkreqprot=", checkreqprot_setup);
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
165 static int selinux_secmark_enabled(void)
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
181 static int selinux_peerlbl_enabled(void)
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
187 static int selinux_netcache_avc_callback(u32 event)
189 if (event == AVC_CALLBACK_RESET) {
198 static int selinux_lsm_notifier_avc_callback(u32 event)
200 if (event == AVC_CALLBACK_RESET) {
202 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
209 * initialise the security for the init task
211 static void cred_init_security(void)
213 struct task_security_struct *tsec;
215 tsec = selinux_cred(unrcu_pointer(current->real_cred));
216 tsec->osid = tsec->sid = SECINITSID_KERNEL;
220 * get the security ID of a set of credentials
222 static inline u32 cred_sid(const struct cred *cred)
224 const struct task_security_struct *tsec;
226 tsec = selinux_cred(cred);
231 * get the objective security ID of a task
233 static inline u32 task_sid_obj(const struct task_struct *task)
238 sid = cred_sid(__task_cred(task));
243 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246 * Try reloading inode security labels that have been marked as invalid. The
247 * @may_sleep parameter indicates when sleeping and thus reloading labels is
248 * allowed; when set to false, returns -ECHILD when the label is
249 * invalid. The @dentry parameter should be set to a dentry of the inode.
251 static int __inode_security_revalidate(struct inode *inode,
252 struct dentry *dentry,
255 struct inode_security_struct *isec = selinux_inode(inode);
257 might_sleep_if(may_sleep);
259 if (selinux_initialized(&selinux_state) &&
260 isec->initialized != LABEL_INITIALIZED) {
265 * Try reloading the inode security label. This will fail if
266 * @opt_dentry is NULL and no dentry for this inode can be
267 * found; in that case, continue using the old label.
269 inode_doinit_with_dentry(inode, dentry);
274 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
276 return selinux_inode(inode);
279 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
283 error = __inode_security_revalidate(inode, NULL, !rcu);
285 return ERR_PTR(error);
286 return selinux_inode(inode);
290 * Get the security label of an inode.
292 static struct inode_security_struct *inode_security(struct inode *inode)
294 __inode_security_revalidate(inode, NULL, true);
295 return selinux_inode(inode);
298 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
300 struct inode *inode = d_backing_inode(dentry);
302 return selinux_inode(inode);
306 * Get the security label of a dentry's backing inode.
308 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
310 struct inode *inode = d_backing_inode(dentry);
312 __inode_security_revalidate(inode, dentry, true);
313 return selinux_inode(inode);
316 static void inode_free_security(struct inode *inode)
318 struct inode_security_struct *isec = selinux_inode(inode);
319 struct superblock_security_struct *sbsec;
323 sbsec = selinux_superblock(inode->i_sb);
325 * As not all inode security structures are in a list, we check for
326 * empty list outside of the lock to make sure that we won't waste
327 * time taking a lock doing nothing.
329 * The list_del_init() function can be safely called more than once.
330 * It should not be possible for this function to be called with
331 * concurrent list_add(), but for better safety against future changes
332 * in the code, we use list_empty_careful() here.
334 if (!list_empty_careful(&isec->list)) {
335 spin_lock(&sbsec->isec_lock);
336 list_del_init(&isec->list);
337 spin_unlock(&sbsec->isec_lock);
341 struct selinux_mnt_opts {
348 static void selinux_free_mnt_opts(void *mnt_opts)
362 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
372 A(rootcontext, true),
377 static int match_opt_prefix(char *s, int l, char **arg)
381 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
382 size_t len = tokens[i].len;
383 if (len > l || memcmp(s, tokens[i].name, len))
385 if (tokens[i].has_arg) {
386 if (len == l || s[len] != '=')
391 return tokens[i].opt;
396 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
398 static int may_context_mount_sb_relabel(u32 sid,
399 struct superblock_security_struct *sbsec,
400 const struct cred *cred)
402 const struct task_security_struct *tsec = selinux_cred(cred);
405 rc = avc_has_perm(&selinux_state,
406 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
407 FILESYSTEM__RELABELFROM, NULL);
411 rc = avc_has_perm(&selinux_state,
412 tsec->sid, sid, SECCLASS_FILESYSTEM,
413 FILESYSTEM__RELABELTO, NULL);
417 static int may_context_mount_inode_relabel(u32 sid,
418 struct superblock_security_struct *sbsec,
419 const struct cred *cred)
421 const struct task_security_struct *tsec = selinux_cred(cred);
423 rc = avc_has_perm(&selinux_state,
424 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
425 FILESYSTEM__RELABELFROM, NULL);
429 rc = avc_has_perm(&selinux_state,
430 sid, sbsec->sid, SECCLASS_FILESYSTEM,
431 FILESYSTEM__ASSOCIATE, NULL);
435 static int selinux_is_genfs_special_handling(struct super_block *sb)
437 /* Special handling. Genfs but also in-core setxattr handler */
438 return !strcmp(sb->s_type->name, "sysfs") ||
439 !strcmp(sb->s_type->name, "pstore") ||
440 !strcmp(sb->s_type->name, "debugfs") ||
441 !strcmp(sb->s_type->name, "tracefs") ||
442 !strcmp(sb->s_type->name, "rootfs") ||
443 (selinux_policycap_cgroupseclabel() &&
444 (!strcmp(sb->s_type->name, "cgroup") ||
445 !strcmp(sb->s_type->name, "cgroup2")));
448 static int selinux_is_sblabel_mnt(struct super_block *sb)
450 struct superblock_security_struct *sbsec = selinux_superblock(sb);
453 * IMPORTANT: Double-check logic in this function when adding a new
454 * SECURITY_FS_USE_* definition!
456 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
458 switch (sbsec->behavior) {
459 case SECURITY_FS_USE_XATTR:
460 case SECURITY_FS_USE_TRANS:
461 case SECURITY_FS_USE_TASK:
462 case SECURITY_FS_USE_NATIVE:
465 case SECURITY_FS_USE_GENFS:
466 return selinux_is_genfs_special_handling(sb);
468 /* Never allow relabeling on context mounts */
469 case SECURITY_FS_USE_MNTPOINT:
470 case SECURITY_FS_USE_NONE:
476 static int sb_check_xattr_support(struct super_block *sb)
478 struct superblock_security_struct *sbsec = selinux_superblock(sb);
479 struct dentry *root = sb->s_root;
480 struct inode *root_inode = d_backing_inode(root);
485 * Make sure that the xattr handler exists and that no
486 * error other than -ENODATA is returned by getxattr on
487 * the root directory. -ENODATA is ok, as this may be
488 * the first boot of the SELinux kernel before we have
489 * assigned xattr values to the filesystem.
491 if (!(root_inode->i_opflags & IOP_XATTR)) {
492 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
493 sb->s_id, sb->s_type->name);
497 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
498 if (rc < 0 && rc != -ENODATA) {
499 if (rc == -EOPNOTSUPP) {
500 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
501 sb->s_id, sb->s_type->name);
504 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
505 sb->s_id, sb->s_type->name, -rc);
512 /* No xattr support - try to fallback to genfs if possible. */
513 rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/",
518 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
519 sb->s_id, sb->s_type->name);
520 sbsec->behavior = SECURITY_FS_USE_GENFS;
525 static int sb_finish_set_opts(struct super_block *sb)
527 struct superblock_security_struct *sbsec = selinux_superblock(sb);
528 struct dentry *root = sb->s_root;
529 struct inode *root_inode = d_backing_inode(root);
532 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
533 rc = sb_check_xattr_support(sb);
538 sbsec->flags |= SE_SBINITIALIZED;
541 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
542 * leave the flag untouched because sb_clone_mnt_opts might be handing
543 * us a superblock that needs the flag to be cleared.
545 if (selinux_is_sblabel_mnt(sb))
546 sbsec->flags |= SBLABEL_MNT;
548 sbsec->flags &= ~SBLABEL_MNT;
550 /* Initialize the root inode. */
551 rc = inode_doinit_with_dentry(root_inode, root);
553 /* Initialize any other inodes associated with the superblock, e.g.
554 inodes created prior to initial policy load or inodes created
555 during get_sb by a pseudo filesystem that directly
557 spin_lock(&sbsec->isec_lock);
558 while (!list_empty(&sbsec->isec_head)) {
559 struct inode_security_struct *isec =
560 list_first_entry(&sbsec->isec_head,
561 struct inode_security_struct, list);
562 struct inode *inode = isec->inode;
563 list_del_init(&isec->list);
564 spin_unlock(&sbsec->isec_lock);
565 inode = igrab(inode);
567 if (!IS_PRIVATE(inode))
568 inode_doinit_with_dentry(inode, NULL);
571 spin_lock(&sbsec->isec_lock);
573 spin_unlock(&sbsec->isec_lock);
577 static int bad_option(struct superblock_security_struct *sbsec, char flag,
578 u32 old_sid, u32 new_sid)
580 char mnt_flags = sbsec->flags & SE_MNTMASK;
582 /* check if the old mount command had the same options */
583 if (sbsec->flags & SE_SBINITIALIZED)
584 if (!(sbsec->flags & flag) ||
585 (old_sid != new_sid))
588 /* check if we were passed the same options twice,
589 * aka someone passed context=a,context=b
591 if (!(sbsec->flags & SE_SBINITIALIZED))
592 if (mnt_flags & flag)
598 * Allow filesystems with binary mount data to explicitly set mount point
599 * labeling information.
601 static int selinux_set_mnt_opts(struct super_block *sb,
603 unsigned long kern_flags,
604 unsigned long *set_kern_flags)
606 const struct cred *cred = current_cred();
607 struct superblock_security_struct *sbsec = selinux_superblock(sb);
608 struct dentry *root = sb->s_root;
609 struct selinux_mnt_opts *opts = mnt_opts;
610 struct inode_security_struct *root_isec;
611 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
612 u32 defcontext_sid = 0;
615 mutex_lock(&sbsec->lock);
617 if (!selinux_initialized(&selinux_state)) {
619 /* Defer initialization until selinux_complete_init,
620 after the initial policy is loaded and the security
621 server is ready to handle calls. */
625 pr_warn("SELinux: Unable to set superblock options "
626 "before the security server is initialized\n");
629 if (kern_flags && !set_kern_flags) {
630 /* Specifying internal flags without providing a place to
631 * place the results is not allowed */
637 * Binary mount data FS will come through this function twice. Once
638 * from an explicit call and once from the generic calls from the vfs.
639 * Since the generic VFS calls will not contain any security mount data
640 * we need to skip the double mount verification.
642 * This does open a hole in which we will not notice if the first
643 * mount using this sb set explicit options and a second mount using
644 * this sb does not set any security options. (The first options
645 * will be used for both mounts)
647 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
651 root_isec = backing_inode_security_novalidate(root);
654 * parse the mount options, check if they are valid sids.
655 * also check if someone is trying to mount the same sb more
656 * than once with different security options.
659 if (opts->fscontext_sid) {
660 fscontext_sid = opts->fscontext_sid;
661 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
663 goto out_double_mount;
664 sbsec->flags |= FSCONTEXT_MNT;
666 if (opts->context_sid) {
667 context_sid = opts->context_sid;
668 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
670 goto out_double_mount;
671 sbsec->flags |= CONTEXT_MNT;
673 if (opts->rootcontext_sid) {
674 rootcontext_sid = opts->rootcontext_sid;
675 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
677 goto out_double_mount;
678 sbsec->flags |= ROOTCONTEXT_MNT;
680 if (opts->defcontext_sid) {
681 defcontext_sid = opts->defcontext_sid;
682 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
684 goto out_double_mount;
685 sbsec->flags |= DEFCONTEXT_MNT;
689 if (sbsec->flags & SE_SBINITIALIZED) {
690 /* previously mounted with options, but not on this attempt? */
691 if ((sbsec->flags & SE_MNTMASK) && !opts)
692 goto out_double_mount;
697 if (strcmp(sb->s_type->name, "proc") == 0)
698 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
700 if (!strcmp(sb->s_type->name, "debugfs") ||
701 !strcmp(sb->s_type->name, "tracefs") ||
702 !strcmp(sb->s_type->name, "binder") ||
703 !strcmp(sb->s_type->name, "bpf") ||
704 !strcmp(sb->s_type->name, "pstore") ||
705 !strcmp(sb->s_type->name, "securityfs"))
706 sbsec->flags |= SE_SBGENFS;
708 if (!strcmp(sb->s_type->name, "sysfs") ||
709 !strcmp(sb->s_type->name, "cgroup") ||
710 !strcmp(sb->s_type->name, "cgroup2"))
711 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
713 if (!sbsec->behavior) {
715 * Determine the labeling behavior to use for this
718 rc = security_fs_use(&selinux_state, sb);
720 pr_warn("%s: security_fs_use(%s) returned %d\n",
721 __func__, sb->s_type->name, rc);
727 * If this is a user namespace mount and the filesystem type is not
728 * explicitly whitelisted, then no contexts are allowed on the command
729 * line and security labels must be ignored.
731 if (sb->s_user_ns != &init_user_ns &&
732 strcmp(sb->s_type->name, "tmpfs") &&
733 strcmp(sb->s_type->name, "ramfs") &&
734 strcmp(sb->s_type->name, "devpts") &&
735 strcmp(sb->s_type->name, "overlay")) {
736 if (context_sid || fscontext_sid || rootcontext_sid ||
741 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
742 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
743 rc = security_transition_sid(&selinux_state,
747 &sbsec->mntpoint_sid);
754 /* sets the context of the superblock for the fs being mounted. */
756 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
760 sbsec->sid = fscontext_sid;
764 * Switch to using mount point labeling behavior.
765 * sets the label used on all file below the mountpoint, and will set
766 * the superblock context if not already set.
768 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
769 sbsec->behavior = SECURITY_FS_USE_NATIVE;
770 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
774 if (!fscontext_sid) {
775 rc = may_context_mount_sb_relabel(context_sid, sbsec,
779 sbsec->sid = context_sid;
781 rc = may_context_mount_inode_relabel(context_sid, sbsec,
786 if (!rootcontext_sid)
787 rootcontext_sid = context_sid;
789 sbsec->mntpoint_sid = context_sid;
790 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
793 if (rootcontext_sid) {
794 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
799 root_isec->sid = rootcontext_sid;
800 root_isec->initialized = LABEL_INITIALIZED;
803 if (defcontext_sid) {
804 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
805 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
807 pr_warn("SELinux: defcontext option is "
808 "invalid for this filesystem type\n");
812 if (defcontext_sid != sbsec->def_sid) {
813 rc = may_context_mount_inode_relabel(defcontext_sid,
819 sbsec->def_sid = defcontext_sid;
823 rc = sb_finish_set_opts(sb);
825 mutex_unlock(&sbsec->lock);
829 pr_warn("SELinux: mount invalid. Same superblock, different "
830 "security settings for (dev %s, type %s)\n", sb->s_id,
835 static int selinux_cmp_sb_context(const struct super_block *oldsb,
836 const struct super_block *newsb)
838 struct superblock_security_struct *old = selinux_superblock(oldsb);
839 struct superblock_security_struct *new = selinux_superblock(newsb);
840 char oldflags = old->flags & SE_MNTMASK;
841 char newflags = new->flags & SE_MNTMASK;
843 if (oldflags != newflags)
845 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
847 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
849 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
851 if (oldflags & ROOTCONTEXT_MNT) {
852 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
853 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
854 if (oldroot->sid != newroot->sid)
859 pr_warn("SELinux: mount invalid. Same superblock, "
860 "different security settings for (dev %s, "
861 "type %s)\n", newsb->s_id, newsb->s_type->name);
865 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
866 struct super_block *newsb,
867 unsigned long kern_flags,
868 unsigned long *set_kern_flags)
871 const struct superblock_security_struct *oldsbsec =
872 selinux_superblock(oldsb);
873 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
875 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
876 int set_context = (oldsbsec->flags & CONTEXT_MNT);
877 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
880 * if the parent was able to be mounted it clearly had no special lsm
881 * mount options. thus we can safely deal with this superblock later
883 if (!selinux_initialized(&selinux_state))
887 * Specifying internal flags without providing a place to
888 * place the results is not allowed.
890 if (kern_flags && !set_kern_flags)
893 /* how can we clone if the old one wasn't set up?? */
894 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
896 /* if fs is reusing a sb, make sure that the contexts match */
897 if (newsbsec->flags & SE_SBINITIALIZED) {
898 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
899 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
900 return selinux_cmp_sb_context(oldsb, newsb);
903 mutex_lock(&newsbsec->lock);
905 newsbsec->flags = oldsbsec->flags;
907 newsbsec->sid = oldsbsec->sid;
908 newsbsec->def_sid = oldsbsec->def_sid;
909 newsbsec->behavior = oldsbsec->behavior;
911 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
912 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
913 rc = security_fs_use(&selinux_state, newsb);
918 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
919 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
920 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
924 u32 sid = oldsbsec->mntpoint_sid;
928 if (!set_rootcontext) {
929 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
932 newsbsec->mntpoint_sid = sid;
934 if (set_rootcontext) {
935 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
936 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
938 newisec->sid = oldisec->sid;
941 sb_finish_set_opts(newsb);
943 mutex_unlock(&newsbsec->lock);
948 * NOTE: the caller is resposible for freeing the memory even if on error.
950 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
952 struct selinux_mnt_opts *opts = *mnt_opts;
956 if (token == Opt_seclabel)
957 /* eaten and completely ignored */
962 if (!selinux_initialized(&selinux_state)) {
963 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
968 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
976 if (opts->context_sid || opts->defcontext_sid)
978 dst_sid = &opts->context_sid;
981 if (opts->fscontext_sid)
983 dst_sid = &opts->fscontext_sid;
985 case Opt_rootcontext:
986 if (opts->rootcontext_sid)
988 dst_sid = &opts->rootcontext_sid;
991 if (opts->context_sid || opts->defcontext_sid)
993 dst_sid = &opts->defcontext_sid;
999 rc = security_context_str_to_sid(&selinux_state, s, dst_sid, GFP_KERNEL);
1001 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1006 pr_warn(SEL_MOUNT_FAIL_MSG);
1010 static int show_sid(struct seq_file *m, u32 sid)
1012 char *context = NULL;
1016 rc = security_sid_to_context(&selinux_state, sid,
1019 bool has_comma = strchr(context, ',');
1024 seq_escape(m, context, "\"\n\\");
1032 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1034 struct superblock_security_struct *sbsec = selinux_superblock(sb);
1037 if (!(sbsec->flags & SE_SBINITIALIZED))
1040 if (!selinux_initialized(&selinux_state))
1043 if (sbsec->flags & FSCONTEXT_MNT) {
1045 seq_puts(m, FSCONTEXT_STR);
1046 rc = show_sid(m, sbsec->sid);
1050 if (sbsec->flags & CONTEXT_MNT) {
1052 seq_puts(m, CONTEXT_STR);
1053 rc = show_sid(m, sbsec->mntpoint_sid);
1057 if (sbsec->flags & DEFCONTEXT_MNT) {
1059 seq_puts(m, DEFCONTEXT_STR);
1060 rc = show_sid(m, sbsec->def_sid);
1064 if (sbsec->flags & ROOTCONTEXT_MNT) {
1065 struct dentry *root = sb->s_root;
1066 struct inode_security_struct *isec = backing_inode_security(root);
1068 seq_puts(m, ROOTCONTEXT_STR);
1069 rc = show_sid(m, isec->sid);
1073 if (sbsec->flags & SBLABEL_MNT) {
1075 seq_puts(m, SECLABEL_STR);
1080 static inline u16 inode_mode_to_security_class(umode_t mode)
1082 switch (mode & S_IFMT) {
1084 return SECCLASS_SOCK_FILE;
1086 return SECCLASS_LNK_FILE;
1088 return SECCLASS_FILE;
1090 return SECCLASS_BLK_FILE;
1092 return SECCLASS_DIR;
1094 return SECCLASS_CHR_FILE;
1096 return SECCLASS_FIFO_FILE;
1100 return SECCLASS_FILE;
1103 static inline int default_protocol_stream(int protocol)
1105 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1106 protocol == IPPROTO_MPTCP);
1109 static inline int default_protocol_dgram(int protocol)
1111 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1114 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1116 int extsockclass = selinux_policycap_extsockclass();
1122 case SOCK_SEQPACKET:
1123 return SECCLASS_UNIX_STREAM_SOCKET;
1126 return SECCLASS_UNIX_DGRAM_SOCKET;
1133 case SOCK_SEQPACKET:
1134 if (default_protocol_stream(protocol))
1135 return SECCLASS_TCP_SOCKET;
1136 else if (extsockclass && protocol == IPPROTO_SCTP)
1137 return SECCLASS_SCTP_SOCKET;
1139 return SECCLASS_RAWIP_SOCKET;
1141 if (default_protocol_dgram(protocol))
1142 return SECCLASS_UDP_SOCKET;
1143 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1144 protocol == IPPROTO_ICMPV6))
1145 return SECCLASS_ICMP_SOCKET;
1147 return SECCLASS_RAWIP_SOCKET;
1149 return SECCLASS_DCCP_SOCKET;
1151 return SECCLASS_RAWIP_SOCKET;
1157 return SECCLASS_NETLINK_ROUTE_SOCKET;
1158 case NETLINK_SOCK_DIAG:
1159 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1161 return SECCLASS_NETLINK_NFLOG_SOCKET;
1163 return SECCLASS_NETLINK_XFRM_SOCKET;
1164 case NETLINK_SELINUX:
1165 return SECCLASS_NETLINK_SELINUX_SOCKET;
1167 return SECCLASS_NETLINK_ISCSI_SOCKET;
1169 return SECCLASS_NETLINK_AUDIT_SOCKET;
1170 case NETLINK_FIB_LOOKUP:
1171 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1172 case NETLINK_CONNECTOR:
1173 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1174 case NETLINK_NETFILTER:
1175 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1176 case NETLINK_DNRTMSG:
1177 return SECCLASS_NETLINK_DNRT_SOCKET;
1178 case NETLINK_KOBJECT_UEVENT:
1179 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1180 case NETLINK_GENERIC:
1181 return SECCLASS_NETLINK_GENERIC_SOCKET;
1182 case NETLINK_SCSITRANSPORT:
1183 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1185 return SECCLASS_NETLINK_RDMA_SOCKET;
1186 case NETLINK_CRYPTO:
1187 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1189 return SECCLASS_NETLINK_SOCKET;
1192 return SECCLASS_PACKET_SOCKET;
1194 return SECCLASS_KEY_SOCKET;
1196 return SECCLASS_APPLETALK_SOCKET;
1202 return SECCLASS_AX25_SOCKET;
1204 return SECCLASS_IPX_SOCKET;
1206 return SECCLASS_NETROM_SOCKET;
1208 return SECCLASS_ATMPVC_SOCKET;
1210 return SECCLASS_X25_SOCKET;
1212 return SECCLASS_ROSE_SOCKET;
1214 return SECCLASS_DECNET_SOCKET;
1216 return SECCLASS_ATMSVC_SOCKET;
1218 return SECCLASS_RDS_SOCKET;
1220 return SECCLASS_IRDA_SOCKET;
1222 return SECCLASS_PPPOX_SOCKET;
1224 return SECCLASS_LLC_SOCKET;
1226 return SECCLASS_CAN_SOCKET;
1228 return SECCLASS_TIPC_SOCKET;
1230 return SECCLASS_BLUETOOTH_SOCKET;
1232 return SECCLASS_IUCV_SOCKET;
1234 return SECCLASS_RXRPC_SOCKET;
1236 return SECCLASS_ISDN_SOCKET;
1238 return SECCLASS_PHONET_SOCKET;
1240 return SECCLASS_IEEE802154_SOCKET;
1242 return SECCLASS_CAIF_SOCKET;
1244 return SECCLASS_ALG_SOCKET;
1246 return SECCLASS_NFC_SOCKET;
1248 return SECCLASS_VSOCK_SOCKET;
1250 return SECCLASS_KCM_SOCKET;
1252 return SECCLASS_QIPCRTR_SOCKET;
1254 return SECCLASS_SMC_SOCKET;
1256 return SECCLASS_XDP_SOCKET;
1258 return SECCLASS_MCTP_SOCKET;
1260 #error New address family defined, please update this function.
1265 return SECCLASS_SOCKET;
1268 static int selinux_genfs_get_sid(struct dentry *dentry,
1274 struct super_block *sb = dentry->d_sb;
1275 char *buffer, *path;
1277 buffer = (char *)__get_free_page(GFP_KERNEL);
1281 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1285 if (flags & SE_SBPROC) {
1286 /* each process gets a /proc/PID/ entry. Strip off the
1287 * PID part to get a valid selinux labeling.
1288 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1289 while (path[1] >= '0' && path[1] <= '9') {
1294 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1296 if (rc == -ENOENT) {
1297 /* No match in policy, mark as unlabeled. */
1298 *sid = SECINITSID_UNLABELED;
1302 free_page((unsigned long)buffer);
1306 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1307 u32 def_sid, u32 *sid)
1309 #define INITCONTEXTLEN 255
1314 len = INITCONTEXTLEN;
1315 context = kmalloc(len + 1, GFP_NOFS);
1319 context[len] = '\0';
1320 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1321 if (rc == -ERANGE) {
1324 /* Need a larger buffer. Query for the right size. */
1325 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1330 context = kmalloc(len + 1, GFP_NOFS);
1334 context[len] = '\0';
1335 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1340 if (rc != -ENODATA) {
1341 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1342 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1349 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1352 char *dev = inode->i_sb->s_id;
1353 unsigned long ino = inode->i_ino;
1355 if (rc == -EINVAL) {
1356 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1359 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1360 __func__, context, -rc, dev, ino);
1367 /* The inode's security attributes must be initialized before first use. */
1368 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1370 struct superblock_security_struct *sbsec = NULL;
1371 struct inode_security_struct *isec = selinux_inode(inode);
1372 u32 task_sid, sid = 0;
1374 struct dentry *dentry;
1377 if (isec->initialized == LABEL_INITIALIZED)
1380 spin_lock(&isec->lock);
1381 if (isec->initialized == LABEL_INITIALIZED)
1384 if (isec->sclass == SECCLASS_FILE)
1385 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1387 sbsec = selinux_superblock(inode->i_sb);
1388 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1389 /* Defer initialization until selinux_complete_init,
1390 after the initial policy is loaded and the security
1391 server is ready to handle calls. */
1392 spin_lock(&sbsec->isec_lock);
1393 if (list_empty(&isec->list))
1394 list_add(&isec->list, &sbsec->isec_head);
1395 spin_unlock(&sbsec->isec_lock);
1399 sclass = isec->sclass;
1400 task_sid = isec->task_sid;
1402 isec->initialized = LABEL_PENDING;
1403 spin_unlock(&isec->lock);
1405 switch (sbsec->behavior) {
1406 case SECURITY_FS_USE_NATIVE:
1408 case SECURITY_FS_USE_XATTR:
1409 if (!(inode->i_opflags & IOP_XATTR)) {
1410 sid = sbsec->def_sid;
1413 /* Need a dentry, since the xattr API requires one.
1414 Life would be simpler if we could just pass the inode. */
1416 /* Called from d_instantiate or d_splice_alias. */
1417 dentry = dget(opt_dentry);
1420 * Called from selinux_complete_init, try to find a dentry.
1421 * Some filesystems really want a connected one, so try
1422 * that first. We could split SECURITY_FS_USE_XATTR in
1423 * two, depending upon that...
1425 dentry = d_find_alias(inode);
1427 dentry = d_find_any_alias(inode);
1431 * this is can be hit on boot when a file is accessed
1432 * before the policy is loaded. When we load policy we
1433 * may find inodes that have no dentry on the
1434 * sbsec->isec_head list. No reason to complain as these
1435 * will get fixed up the next time we go through
1436 * inode_doinit with a dentry, before these inodes could
1437 * be used again by userspace.
1442 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1448 case SECURITY_FS_USE_TASK:
1451 case SECURITY_FS_USE_TRANS:
1452 /* Default to the fs SID. */
1455 /* Try to obtain a transition SID. */
1456 rc = security_transition_sid(&selinux_state, task_sid, sid,
1457 sclass, NULL, &sid);
1461 case SECURITY_FS_USE_MNTPOINT:
1462 sid = sbsec->mntpoint_sid;
1465 /* Default to the fs superblock SID. */
1468 if ((sbsec->flags & SE_SBGENFS) &&
1469 (!S_ISLNK(inode->i_mode) ||
1470 selinux_policycap_genfs_seclabel_symlinks())) {
1471 /* We must have a dentry to determine the label on
1474 /* Called from d_instantiate or
1475 * d_splice_alias. */
1476 dentry = dget(opt_dentry);
1478 /* Called from selinux_complete_init, try to
1479 * find a dentry. Some filesystems really want
1480 * a connected one, so try that first.
1482 dentry = d_find_alias(inode);
1484 dentry = d_find_any_alias(inode);
1487 * This can be hit on boot when a file is accessed
1488 * before the policy is loaded. When we load policy we
1489 * may find inodes that have no dentry on the
1490 * sbsec->isec_head list. No reason to complain as
1491 * these will get fixed up the next time we go through
1492 * inode_doinit() with a dentry, before these inodes
1493 * could be used again by userspace.
1497 rc = selinux_genfs_get_sid(dentry, sclass,
1498 sbsec->flags, &sid);
1504 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1505 (inode->i_opflags & IOP_XATTR)) {
1506 rc = inode_doinit_use_xattr(inode, dentry,
1519 spin_lock(&isec->lock);
1520 if (isec->initialized == LABEL_PENDING) {
1522 isec->initialized = LABEL_INVALID;
1525 isec->initialized = LABEL_INITIALIZED;
1530 spin_unlock(&isec->lock);
1534 spin_lock(&isec->lock);
1535 if (isec->initialized == LABEL_PENDING) {
1536 isec->initialized = LABEL_INVALID;
1539 spin_unlock(&isec->lock);
1543 /* Convert a Linux signal to an access vector. */
1544 static inline u32 signal_to_av(int sig)
1550 /* Commonly granted from child to parent. */
1551 perm = PROCESS__SIGCHLD;
1554 /* Cannot be caught or ignored */
1555 perm = PROCESS__SIGKILL;
1558 /* Cannot be caught or ignored */
1559 perm = PROCESS__SIGSTOP;
1562 /* All other signals. */
1563 perm = PROCESS__SIGNAL;
1570 #if CAP_LAST_CAP > 63
1571 #error Fix SELinux to handle capabilities > 63.
1574 /* Check whether a task is allowed to use a capability. */
1575 static int cred_has_capability(const struct cred *cred,
1576 int cap, unsigned int opts, bool initns)
1578 struct common_audit_data ad;
1579 struct av_decision avd;
1581 u32 sid = cred_sid(cred);
1582 u32 av = CAP_TO_MASK(cap);
1585 ad.type = LSM_AUDIT_DATA_CAP;
1588 switch (CAP_TO_INDEX(cap)) {
1590 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1593 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1596 pr_err("SELinux: out of range capability %d\n", cap);
1601 rc = avc_has_perm_noaudit(&selinux_state,
1602 sid, sid, sclass, av, 0, &avd);
1603 if (!(opts & CAP_OPT_NOAUDIT)) {
1604 int rc2 = avc_audit(&selinux_state,
1605 sid, sid, sclass, av, &avd, rc, &ad);
1612 /* Check whether a task has a particular permission to an inode.
1613 The 'adp' parameter is optional and allows other audit
1614 data to be passed (e.g. the dentry). */
1615 static int inode_has_perm(const struct cred *cred,
1616 struct inode *inode,
1618 struct common_audit_data *adp)
1620 struct inode_security_struct *isec;
1623 validate_creds(cred);
1625 if (unlikely(IS_PRIVATE(inode)))
1628 sid = cred_sid(cred);
1629 isec = selinux_inode(inode);
1631 return avc_has_perm(&selinux_state,
1632 sid, isec->sid, isec->sclass, perms, adp);
1635 /* Same as inode_has_perm, but pass explicit audit data containing
1636 the dentry to help the auditing code to more easily generate the
1637 pathname if needed. */
1638 static inline int dentry_has_perm(const struct cred *cred,
1639 struct dentry *dentry,
1642 struct inode *inode = d_backing_inode(dentry);
1643 struct common_audit_data ad;
1645 ad.type = LSM_AUDIT_DATA_DENTRY;
1646 ad.u.dentry = dentry;
1647 __inode_security_revalidate(inode, dentry, true);
1648 return inode_has_perm(cred, inode, av, &ad);
1651 /* Same as inode_has_perm, but pass explicit audit data containing
1652 the path to help the auditing code to more easily generate the
1653 pathname if needed. */
1654 static inline int path_has_perm(const struct cred *cred,
1655 const struct path *path,
1658 struct inode *inode = d_backing_inode(path->dentry);
1659 struct common_audit_data ad;
1661 ad.type = LSM_AUDIT_DATA_PATH;
1663 __inode_security_revalidate(inode, path->dentry, true);
1664 return inode_has_perm(cred, inode, av, &ad);
1667 /* Same as path_has_perm, but uses the inode from the file struct. */
1668 static inline int file_path_has_perm(const struct cred *cred,
1672 struct common_audit_data ad;
1674 ad.type = LSM_AUDIT_DATA_FILE;
1676 return inode_has_perm(cred, file_inode(file), av, &ad);
1679 #ifdef CONFIG_BPF_SYSCALL
1680 static int bpf_fd_pass(struct file *file, u32 sid);
1683 /* Check whether a task can use an open file descriptor to
1684 access an inode in a given way. Check access to the
1685 descriptor itself, and then use dentry_has_perm to
1686 check a particular permission to the file.
1687 Access to the descriptor is implicitly granted if it
1688 has the same SID as the process. If av is zero, then
1689 access to the file is not checked, e.g. for cases
1690 where only the descriptor is affected like seek. */
1691 static int file_has_perm(const struct cred *cred,
1695 struct file_security_struct *fsec = selinux_file(file);
1696 struct inode *inode = file_inode(file);
1697 struct common_audit_data ad;
1698 u32 sid = cred_sid(cred);
1701 ad.type = LSM_AUDIT_DATA_FILE;
1704 if (sid != fsec->sid) {
1705 rc = avc_has_perm(&selinux_state,
1714 #ifdef CONFIG_BPF_SYSCALL
1715 rc = bpf_fd_pass(file, cred_sid(cred));
1720 /* av is zero if only checking access to the descriptor. */
1723 rc = inode_has_perm(cred, inode, av, &ad);
1730 * Determine the label for an inode that might be unioned.
1733 selinux_determine_inode_label(const struct task_security_struct *tsec,
1735 const struct qstr *name, u16 tclass,
1738 const struct superblock_security_struct *sbsec =
1739 selinux_superblock(dir->i_sb);
1741 if ((sbsec->flags & SE_SBINITIALIZED) &&
1742 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1743 *_new_isid = sbsec->mntpoint_sid;
1744 } else if ((sbsec->flags & SBLABEL_MNT) &&
1746 *_new_isid = tsec->create_sid;
1748 const struct inode_security_struct *dsec = inode_security(dir);
1749 return security_transition_sid(&selinux_state, tsec->sid,
1757 /* Check whether a task can create a file. */
1758 static int may_create(struct inode *dir,
1759 struct dentry *dentry,
1762 const struct task_security_struct *tsec = selinux_cred(current_cred());
1763 struct inode_security_struct *dsec;
1764 struct superblock_security_struct *sbsec;
1766 struct common_audit_data ad;
1769 dsec = inode_security(dir);
1770 sbsec = selinux_superblock(dir->i_sb);
1774 ad.type = LSM_AUDIT_DATA_DENTRY;
1775 ad.u.dentry = dentry;
1777 rc = avc_has_perm(&selinux_state,
1778 sid, dsec->sid, SECCLASS_DIR,
1779 DIR__ADD_NAME | DIR__SEARCH,
1784 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1789 rc = avc_has_perm(&selinux_state,
1790 sid, newsid, tclass, FILE__CREATE, &ad);
1794 return avc_has_perm(&selinux_state,
1796 SECCLASS_FILESYSTEM,
1797 FILESYSTEM__ASSOCIATE, &ad);
1801 #define MAY_UNLINK 1
1804 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1805 static int may_link(struct inode *dir,
1806 struct dentry *dentry,
1810 struct inode_security_struct *dsec, *isec;
1811 struct common_audit_data ad;
1812 u32 sid = current_sid();
1816 dsec = inode_security(dir);
1817 isec = backing_inode_security(dentry);
1819 ad.type = LSM_AUDIT_DATA_DENTRY;
1820 ad.u.dentry = dentry;
1823 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1824 rc = avc_has_perm(&selinux_state,
1825 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1840 pr_warn("SELinux: %s: unrecognized kind %d\n",
1845 rc = avc_has_perm(&selinux_state,
1846 sid, isec->sid, isec->sclass, av, &ad);
1850 static inline int may_rename(struct inode *old_dir,
1851 struct dentry *old_dentry,
1852 struct inode *new_dir,
1853 struct dentry *new_dentry)
1855 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1856 struct common_audit_data ad;
1857 u32 sid = current_sid();
1859 int old_is_dir, new_is_dir;
1862 old_dsec = inode_security(old_dir);
1863 old_isec = backing_inode_security(old_dentry);
1864 old_is_dir = d_is_dir(old_dentry);
1865 new_dsec = inode_security(new_dir);
1867 ad.type = LSM_AUDIT_DATA_DENTRY;
1869 ad.u.dentry = old_dentry;
1870 rc = avc_has_perm(&selinux_state,
1871 sid, old_dsec->sid, SECCLASS_DIR,
1872 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1875 rc = avc_has_perm(&selinux_state,
1877 old_isec->sclass, FILE__RENAME, &ad);
1880 if (old_is_dir && new_dir != old_dir) {
1881 rc = avc_has_perm(&selinux_state,
1883 old_isec->sclass, DIR__REPARENT, &ad);
1888 ad.u.dentry = new_dentry;
1889 av = DIR__ADD_NAME | DIR__SEARCH;
1890 if (d_is_positive(new_dentry))
1891 av |= DIR__REMOVE_NAME;
1892 rc = avc_has_perm(&selinux_state,
1893 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1896 if (d_is_positive(new_dentry)) {
1897 new_isec = backing_inode_security(new_dentry);
1898 new_is_dir = d_is_dir(new_dentry);
1899 rc = avc_has_perm(&selinux_state,
1902 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1910 /* Check whether a task can perform a filesystem operation. */
1911 static int superblock_has_perm(const struct cred *cred,
1912 struct super_block *sb,
1914 struct common_audit_data *ad)
1916 struct superblock_security_struct *sbsec;
1917 u32 sid = cred_sid(cred);
1919 sbsec = selinux_superblock(sb);
1920 return avc_has_perm(&selinux_state,
1921 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1924 /* Convert a Linux mode and permission mask to an access vector. */
1925 static inline u32 file_mask_to_av(int mode, int mask)
1929 if (!S_ISDIR(mode)) {
1930 if (mask & MAY_EXEC)
1931 av |= FILE__EXECUTE;
1932 if (mask & MAY_READ)
1935 if (mask & MAY_APPEND)
1937 else if (mask & MAY_WRITE)
1941 if (mask & MAY_EXEC)
1943 if (mask & MAY_WRITE)
1945 if (mask & MAY_READ)
1952 /* Convert a Linux file to an access vector. */
1953 static inline u32 file_to_av(struct file *file)
1957 if (file->f_mode & FMODE_READ)
1959 if (file->f_mode & FMODE_WRITE) {
1960 if (file->f_flags & O_APPEND)
1967 * Special file opened with flags 3 for ioctl-only use.
1976 * Convert a file to an access vector and include the correct
1979 static inline u32 open_file_to_av(struct file *file)
1981 u32 av = file_to_av(file);
1982 struct inode *inode = file_inode(file);
1984 if (selinux_policycap_openperm() &&
1985 inode->i_sb->s_magic != SOCKFS_MAGIC)
1991 /* Hook functions begin here. */
1993 static int selinux_binder_set_context_mgr(const struct cred *mgr)
1995 return avc_has_perm(&selinux_state,
1996 current_sid(), cred_sid(mgr), SECCLASS_BINDER,
1997 BINDER__SET_CONTEXT_MGR, NULL);
2000 static int selinux_binder_transaction(const struct cred *from,
2001 const struct cred *to)
2003 u32 mysid = current_sid();
2004 u32 fromsid = cred_sid(from);
2005 u32 tosid = cred_sid(to);
2008 if (mysid != fromsid) {
2009 rc = avc_has_perm(&selinux_state,
2010 mysid, fromsid, SECCLASS_BINDER,
2011 BINDER__IMPERSONATE, NULL);
2016 return avc_has_perm(&selinux_state, fromsid, tosid,
2017 SECCLASS_BINDER, BINDER__CALL, NULL);
2020 static int selinux_binder_transfer_binder(const struct cred *from,
2021 const struct cred *to)
2023 return avc_has_perm(&selinux_state,
2024 cred_sid(from), cred_sid(to),
2025 SECCLASS_BINDER, BINDER__TRANSFER,
2029 static int selinux_binder_transfer_file(const struct cred *from,
2030 const struct cred *to,
2033 u32 sid = cred_sid(to);
2034 struct file_security_struct *fsec = selinux_file(file);
2035 struct dentry *dentry = file->f_path.dentry;
2036 struct inode_security_struct *isec;
2037 struct common_audit_data ad;
2040 ad.type = LSM_AUDIT_DATA_PATH;
2041 ad.u.path = file->f_path;
2043 if (sid != fsec->sid) {
2044 rc = avc_has_perm(&selinux_state,
2053 #ifdef CONFIG_BPF_SYSCALL
2054 rc = bpf_fd_pass(file, sid);
2059 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2062 isec = backing_inode_security(dentry);
2063 return avc_has_perm(&selinux_state,
2064 sid, isec->sid, isec->sclass, file_to_av(file),
2068 static int selinux_ptrace_access_check(struct task_struct *child,
2071 u32 sid = current_sid();
2072 u32 csid = task_sid_obj(child);
2074 if (mode & PTRACE_MODE_READ)
2075 return avc_has_perm(&selinux_state,
2076 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2078 return avc_has_perm(&selinux_state,
2079 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2082 static int selinux_ptrace_traceme(struct task_struct *parent)
2084 return avc_has_perm(&selinux_state,
2085 task_sid_obj(parent), task_sid_obj(current),
2086 SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2089 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2090 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2092 return avc_has_perm(&selinux_state,
2093 current_sid(), task_sid_obj(target), SECCLASS_PROCESS,
2094 PROCESS__GETCAP, NULL);
2097 static int selinux_capset(struct cred *new, const struct cred *old,
2098 const kernel_cap_t *effective,
2099 const kernel_cap_t *inheritable,
2100 const kernel_cap_t *permitted)
2102 return avc_has_perm(&selinux_state,
2103 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2104 PROCESS__SETCAP, NULL);
2108 * (This comment used to live with the selinux_task_setuid hook,
2109 * which was removed).
2111 * Since setuid only affects the current process, and since the SELinux
2112 * controls are not based on the Linux identity attributes, SELinux does not
2113 * need to control this operation. However, SELinux does control the use of
2114 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2117 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2118 int cap, unsigned int opts)
2120 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2123 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2125 const struct cred *cred = current_cred();
2140 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2148 case Q_XGETNEXTQUOTA:
2149 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2152 rc = 0; /* let the kernel handle invalid cmds */
2158 static int selinux_quota_on(struct dentry *dentry)
2160 const struct cred *cred = current_cred();
2162 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2165 static int selinux_syslog(int type)
2168 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2169 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2170 return avc_has_perm(&selinux_state,
2171 current_sid(), SECINITSID_KERNEL,
2172 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2173 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2174 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2175 /* Set level of messages printed to console */
2176 case SYSLOG_ACTION_CONSOLE_LEVEL:
2177 return avc_has_perm(&selinux_state,
2178 current_sid(), SECINITSID_KERNEL,
2179 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2182 /* All other syslog types */
2183 return avc_has_perm(&selinux_state,
2184 current_sid(), SECINITSID_KERNEL,
2185 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2189 * Check that a process has enough memory to allocate a new virtual
2190 * mapping. 0 means there is enough memory for the allocation to
2191 * succeed and -ENOMEM implies there is not.
2193 * Do not audit the selinux permission check, as this is applied to all
2194 * processes that allocate mappings.
2196 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2198 int rc, cap_sys_admin = 0;
2200 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2201 CAP_OPT_NOAUDIT, true);
2205 return cap_sys_admin;
2208 /* binprm security operations */
2210 static u32 ptrace_parent_sid(void)
2213 struct task_struct *tracer;
2216 tracer = ptrace_parent(current);
2218 sid = task_sid_obj(tracer);
2224 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2225 const struct task_security_struct *old_tsec,
2226 const struct task_security_struct *new_tsec)
2228 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2229 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2233 if (!nnp && !nosuid)
2234 return 0; /* neither NNP nor nosuid */
2236 if (new_tsec->sid == old_tsec->sid)
2237 return 0; /* No change in credentials */
2240 * If the policy enables the nnp_nosuid_transition policy capability,
2241 * then we permit transitions under NNP or nosuid if the
2242 * policy allows the corresponding permission between
2243 * the old and new contexts.
2245 if (selinux_policycap_nnp_nosuid_transition()) {
2248 av |= PROCESS2__NNP_TRANSITION;
2250 av |= PROCESS2__NOSUID_TRANSITION;
2251 rc = avc_has_perm(&selinux_state,
2252 old_tsec->sid, new_tsec->sid,
2253 SECCLASS_PROCESS2, av, NULL);
2259 * We also permit NNP or nosuid transitions to bounded SIDs,
2260 * i.e. SIDs that are guaranteed to only be allowed a subset
2261 * of the permissions of the current SID.
2263 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2269 * On failure, preserve the errno values for NNP vs nosuid.
2270 * NNP: Operation not permitted for caller.
2271 * nosuid: Permission denied to file.
2278 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2280 const struct task_security_struct *old_tsec;
2281 struct task_security_struct *new_tsec;
2282 struct inode_security_struct *isec;
2283 struct common_audit_data ad;
2284 struct inode *inode = file_inode(bprm->file);
2287 /* SELinux context only depends on initial program or script and not
2288 * the script interpreter */
2290 old_tsec = selinux_cred(current_cred());
2291 new_tsec = selinux_cred(bprm->cred);
2292 isec = inode_security(inode);
2294 /* Default to the current task SID. */
2295 new_tsec->sid = old_tsec->sid;
2296 new_tsec->osid = old_tsec->sid;
2298 /* Reset fs, key, and sock SIDs on execve. */
2299 new_tsec->create_sid = 0;
2300 new_tsec->keycreate_sid = 0;
2301 new_tsec->sockcreate_sid = 0;
2303 if (old_tsec->exec_sid) {
2304 new_tsec->sid = old_tsec->exec_sid;
2305 /* Reset exec SID on execve. */
2306 new_tsec->exec_sid = 0;
2308 /* Fail on NNP or nosuid if not an allowed transition. */
2309 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2313 /* Check for a default transition on this program. */
2314 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2315 isec->sid, SECCLASS_PROCESS, NULL,
2321 * Fallback to old SID on NNP or nosuid if not an allowed
2324 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2326 new_tsec->sid = old_tsec->sid;
2329 ad.type = LSM_AUDIT_DATA_FILE;
2330 ad.u.file = bprm->file;
2332 if (new_tsec->sid == old_tsec->sid) {
2333 rc = avc_has_perm(&selinux_state,
2334 old_tsec->sid, isec->sid,
2335 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2339 /* Check permissions for the transition. */
2340 rc = avc_has_perm(&selinux_state,
2341 old_tsec->sid, new_tsec->sid,
2342 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2346 rc = avc_has_perm(&selinux_state,
2347 new_tsec->sid, isec->sid,
2348 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2352 /* Check for shared state */
2353 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2354 rc = avc_has_perm(&selinux_state,
2355 old_tsec->sid, new_tsec->sid,
2356 SECCLASS_PROCESS, PROCESS__SHARE,
2362 /* Make sure that anyone attempting to ptrace over a task that
2363 * changes its SID has the appropriate permit */
2364 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2365 u32 ptsid = ptrace_parent_sid();
2367 rc = avc_has_perm(&selinux_state,
2368 ptsid, new_tsec->sid,
2370 PROCESS__PTRACE, NULL);
2376 /* Clear any possibly unsafe personality bits on exec: */
2377 bprm->per_clear |= PER_CLEAR_ON_SETID;
2379 /* Enable secure mode for SIDs transitions unless
2380 the noatsecure permission is granted between
2381 the two SIDs, i.e. ahp returns 0. */
2382 rc = avc_has_perm(&selinux_state,
2383 old_tsec->sid, new_tsec->sid,
2384 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2386 bprm->secureexec |= !!rc;
2392 static int match_file(const void *p, struct file *file, unsigned fd)
2394 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2397 /* Derived from fs/exec.c:flush_old_files. */
2398 static inline void flush_unauthorized_files(const struct cred *cred,
2399 struct files_struct *files)
2401 struct file *file, *devnull = NULL;
2402 struct tty_struct *tty;
2406 tty = get_current_tty();
2408 spin_lock(&tty->files_lock);
2409 if (!list_empty(&tty->tty_files)) {
2410 struct tty_file_private *file_priv;
2412 /* Revalidate access to controlling tty.
2413 Use file_path_has_perm on the tty path directly
2414 rather than using file_has_perm, as this particular
2415 open file may belong to another process and we are
2416 only interested in the inode-based check here. */
2417 file_priv = list_first_entry(&tty->tty_files,
2418 struct tty_file_private, list);
2419 file = file_priv->file;
2420 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2423 spin_unlock(&tty->files_lock);
2426 /* Reset controlling tty. */
2430 /* Revalidate access to inherited open files. */
2431 n = iterate_fd(files, 0, match_file, cred);
2432 if (!n) /* none found? */
2435 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2436 if (IS_ERR(devnull))
2438 /* replace all the matching ones with this */
2440 replace_fd(n - 1, devnull, 0);
2441 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2447 * Prepare a process for imminent new credential changes due to exec
2449 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2451 struct task_security_struct *new_tsec;
2452 struct rlimit *rlim, *initrlim;
2455 new_tsec = selinux_cred(bprm->cred);
2456 if (new_tsec->sid == new_tsec->osid)
2459 /* Close files for which the new task SID is not authorized. */
2460 flush_unauthorized_files(bprm->cred, current->files);
2462 /* Always clear parent death signal on SID transitions. */
2463 current->pdeath_signal = 0;
2465 /* Check whether the new SID can inherit resource limits from the old
2466 * SID. If not, reset all soft limits to the lower of the current
2467 * task's hard limit and the init task's soft limit.
2469 * Note that the setting of hard limits (even to lower them) can be
2470 * controlled by the setrlimit check. The inclusion of the init task's
2471 * soft limit into the computation is to avoid resetting soft limits
2472 * higher than the default soft limit for cases where the default is
2473 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2475 rc = avc_has_perm(&selinux_state,
2476 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2477 PROCESS__RLIMITINH, NULL);
2479 /* protect against do_prlimit() */
2481 for (i = 0; i < RLIM_NLIMITS; i++) {
2482 rlim = current->signal->rlim + i;
2483 initrlim = init_task.signal->rlim + i;
2484 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2486 task_unlock(current);
2487 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2488 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2493 * Clean up the process immediately after the installation of new credentials
2496 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2498 const struct task_security_struct *tsec = selinux_cred(current_cred());
2508 /* Check whether the new SID can inherit signal state from the old SID.
2509 * If not, clear itimers to avoid subsequent signal generation and
2510 * flush and unblock signals.
2512 * This must occur _after_ the task SID has been updated so that any
2513 * kill done after the flush will be checked against the new SID.
2515 rc = avc_has_perm(&selinux_state,
2516 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2520 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2521 if (!fatal_signal_pending(current)) {
2522 flush_sigqueue(¤t->pending);
2523 flush_sigqueue(¤t->signal->shared_pending);
2524 flush_signal_handlers(current, 1);
2525 sigemptyset(¤t->blocked);
2526 recalc_sigpending();
2528 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2531 /* Wake up the parent if it is waiting so that it can recheck
2532 * wait permission to the new task SID. */
2533 read_lock(&tasklist_lock);
2534 __wake_up_parent(current, unrcu_pointer(current->real_parent));
2535 read_unlock(&tasklist_lock);
2538 /* superblock security operations */
2540 static int selinux_sb_alloc_security(struct super_block *sb)
2542 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2544 mutex_init(&sbsec->lock);
2545 INIT_LIST_HEAD(&sbsec->isec_head);
2546 spin_lock_init(&sbsec->isec_lock);
2547 sbsec->sid = SECINITSID_UNLABELED;
2548 sbsec->def_sid = SECINITSID_FILE;
2549 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2554 static inline int opt_len(const char *s)
2556 bool open_quote = false;
2560 for (len = 0; (c = s[len]) != '\0'; len++) {
2562 open_quote = !open_quote;
2563 if (c == ',' && !open_quote)
2569 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2571 char *from = options;
2577 int len = opt_len(from);
2581 token = match_opt_prefix(from, len, &arg);
2583 if (token != Opt_error) {
2588 for (p = q = arg; p < from + len; p++) {
2593 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2599 rc = selinux_add_opt(token, arg, mnt_opts);
2606 if (!first) { // copy with preceding comma
2611 memmove(to, from, len);
2624 selinux_free_mnt_opts(*mnt_opts);
2630 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2632 struct selinux_mnt_opts *opts = mnt_opts;
2633 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2636 * Superblock not initialized (i.e. no options) - reject if any
2637 * options specified, otherwise accept.
2639 if (!(sbsec->flags & SE_SBINITIALIZED))
2640 return opts ? 1 : 0;
2643 * Superblock initialized and no options specified - reject if
2644 * superblock has any options set, otherwise accept.
2647 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2649 if (opts->fscontext_sid) {
2650 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2651 opts->fscontext_sid))
2654 if (opts->context_sid) {
2655 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2659 if (opts->rootcontext_sid) {
2660 struct inode_security_struct *root_isec;
2662 root_isec = backing_inode_security(sb->s_root);
2663 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2664 opts->rootcontext_sid))
2667 if (opts->defcontext_sid) {
2668 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2669 opts->defcontext_sid))
2675 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2677 struct selinux_mnt_opts *opts = mnt_opts;
2678 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2680 if (!(sbsec->flags & SE_SBINITIALIZED))
2686 if (opts->fscontext_sid) {
2687 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2688 opts->fscontext_sid))
2689 goto out_bad_option;
2691 if (opts->context_sid) {
2692 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2694 goto out_bad_option;
2696 if (opts->rootcontext_sid) {
2697 struct inode_security_struct *root_isec;
2698 root_isec = backing_inode_security(sb->s_root);
2699 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2700 opts->rootcontext_sid))
2701 goto out_bad_option;
2703 if (opts->defcontext_sid) {
2704 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2705 opts->defcontext_sid))
2706 goto out_bad_option;
2711 pr_warn("SELinux: unable to change security options "
2712 "during remount (dev %s, type=%s)\n", sb->s_id,
2717 static int selinux_sb_kern_mount(struct super_block *sb)
2719 const struct cred *cred = current_cred();
2720 struct common_audit_data ad;
2722 ad.type = LSM_AUDIT_DATA_DENTRY;
2723 ad.u.dentry = sb->s_root;
2724 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2727 static int selinux_sb_statfs(struct dentry *dentry)
2729 const struct cred *cred = current_cred();
2730 struct common_audit_data ad;
2732 ad.type = LSM_AUDIT_DATA_DENTRY;
2733 ad.u.dentry = dentry->d_sb->s_root;
2734 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2737 static int selinux_mount(const char *dev_name,
2738 const struct path *path,
2740 unsigned long flags,
2743 const struct cred *cred = current_cred();
2745 if (flags & MS_REMOUNT)
2746 return superblock_has_perm(cred, path->dentry->d_sb,
2747 FILESYSTEM__REMOUNT, NULL);
2749 return path_has_perm(cred, path, FILE__MOUNTON);
2752 static int selinux_move_mount(const struct path *from_path,
2753 const struct path *to_path)
2755 const struct cred *cred = current_cred();
2757 return path_has_perm(cred, to_path, FILE__MOUNTON);
2760 static int selinux_umount(struct vfsmount *mnt, int flags)
2762 const struct cred *cred = current_cred();
2764 return superblock_has_perm(cred, mnt->mnt_sb,
2765 FILESYSTEM__UNMOUNT, NULL);
2768 static int selinux_fs_context_dup(struct fs_context *fc,
2769 struct fs_context *src_fc)
2771 const struct selinux_mnt_opts *src = src_fc->security;
2776 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2777 return fc->security ? 0 : -ENOMEM;
2780 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2781 fsparam_string(CONTEXT_STR, Opt_context),
2782 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2783 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2784 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2785 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2789 static int selinux_fs_context_parse_param(struct fs_context *fc,
2790 struct fs_parameter *param)
2792 struct fs_parse_result result;
2795 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2799 return selinux_add_opt(opt, param->string, &fc->security);
2802 /* inode security operations */
2804 static int selinux_inode_alloc_security(struct inode *inode)
2806 struct inode_security_struct *isec = selinux_inode(inode);
2807 u32 sid = current_sid();
2809 spin_lock_init(&isec->lock);
2810 INIT_LIST_HEAD(&isec->list);
2811 isec->inode = inode;
2812 isec->sid = SECINITSID_UNLABELED;
2813 isec->sclass = SECCLASS_FILE;
2814 isec->task_sid = sid;
2815 isec->initialized = LABEL_INVALID;
2820 static void selinux_inode_free_security(struct inode *inode)
2822 inode_free_security(inode);
2825 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2826 const struct qstr *name,
2827 const char **xattr_name, void **ctx,
2833 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2834 d_inode(dentry->d_parent), name,
2835 inode_mode_to_security_class(mode),
2841 *xattr_name = XATTR_NAME_SELINUX;
2843 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2847 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2849 const struct cred *old,
2854 struct task_security_struct *tsec;
2856 rc = selinux_determine_inode_label(selinux_cred(old),
2857 d_inode(dentry->d_parent), name,
2858 inode_mode_to_security_class(mode),
2863 tsec = selinux_cred(new);
2864 tsec->create_sid = newsid;
2868 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2869 const struct qstr *qstr,
2871 void **value, size_t *len)
2873 const struct task_security_struct *tsec = selinux_cred(current_cred());
2874 struct superblock_security_struct *sbsec;
2879 sbsec = selinux_superblock(dir->i_sb);
2881 newsid = tsec->create_sid;
2883 rc = selinux_determine_inode_label(tsec, dir, qstr,
2884 inode_mode_to_security_class(inode->i_mode),
2889 /* Possibly defer initialization to selinux_complete_init. */
2890 if (sbsec->flags & SE_SBINITIALIZED) {
2891 struct inode_security_struct *isec = selinux_inode(inode);
2892 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2894 isec->initialized = LABEL_INITIALIZED;
2897 if (!selinux_initialized(&selinux_state) ||
2898 !(sbsec->flags & SBLABEL_MNT))
2902 *name = XATTR_SELINUX_SUFFIX;
2905 rc = security_sid_to_context_force(&selinux_state, newsid,
2916 static int selinux_inode_init_security_anon(struct inode *inode,
2917 const struct qstr *name,
2918 const struct inode *context_inode)
2920 const struct task_security_struct *tsec = selinux_cred(current_cred());
2921 struct common_audit_data ad;
2922 struct inode_security_struct *isec;
2925 if (unlikely(!selinux_initialized(&selinux_state)))
2928 isec = selinux_inode(inode);
2931 * We only get here once per ephemeral inode. The inode has
2932 * been initialized via inode_alloc_security but is otherwise
2936 if (context_inode) {
2937 struct inode_security_struct *context_isec =
2938 selinux_inode(context_inode);
2939 if (context_isec->initialized != LABEL_INITIALIZED) {
2940 pr_err("SELinux: context_inode is not initialized");
2944 isec->sclass = context_isec->sclass;
2945 isec->sid = context_isec->sid;
2947 isec->sclass = SECCLASS_ANON_INODE;
2948 rc = security_transition_sid(
2949 &selinux_state, tsec->sid, tsec->sid,
2950 isec->sclass, name, &isec->sid);
2955 isec->initialized = LABEL_INITIALIZED;
2957 * Now that we've initialized security, check whether we're
2958 * allowed to actually create this type of anonymous inode.
2961 ad.type = LSM_AUDIT_DATA_ANONINODE;
2962 ad.u.anonclass = name ? (const char *)name->name : "?";
2964 return avc_has_perm(&selinux_state,
2972 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2974 return may_create(dir, dentry, SECCLASS_FILE);
2977 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2979 return may_link(dir, old_dentry, MAY_LINK);
2982 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2984 return may_link(dir, dentry, MAY_UNLINK);
2987 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2989 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2992 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2994 return may_create(dir, dentry, SECCLASS_DIR);
2997 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2999 return may_link(dir, dentry, MAY_RMDIR);
3002 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3004 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3007 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3008 struct inode *new_inode, struct dentry *new_dentry)
3010 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3013 static int selinux_inode_readlink(struct dentry *dentry)
3015 const struct cred *cred = current_cred();
3017 return dentry_has_perm(cred, dentry, FILE__READ);
3020 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3023 const struct cred *cred = current_cred();
3024 struct common_audit_data ad;
3025 struct inode_security_struct *isec;
3028 validate_creds(cred);
3030 ad.type = LSM_AUDIT_DATA_DENTRY;
3031 ad.u.dentry = dentry;
3032 sid = cred_sid(cred);
3033 isec = inode_security_rcu(inode, rcu);
3035 return PTR_ERR(isec);
3037 return avc_has_perm(&selinux_state,
3038 sid, isec->sid, isec->sclass, FILE__READ, &ad);
3041 static noinline int audit_inode_permission(struct inode *inode,
3042 u32 perms, u32 audited, u32 denied,
3045 struct common_audit_data ad;
3046 struct inode_security_struct *isec = selinux_inode(inode);
3048 ad.type = LSM_AUDIT_DATA_INODE;
3051 return slow_avc_audit(&selinux_state,
3052 current_sid(), isec->sid, isec->sclass, perms,
3053 audited, denied, result, &ad);
3056 static int selinux_inode_permission(struct inode *inode, int mask)
3058 const struct cred *cred = current_cred();
3061 bool no_block = mask & MAY_NOT_BLOCK;
3062 struct inode_security_struct *isec;
3064 struct av_decision avd;
3066 u32 audited, denied;
3068 from_access = mask & MAY_ACCESS;
3069 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3071 /* No permission to check. Existence test. */
3075 validate_creds(cred);
3077 if (unlikely(IS_PRIVATE(inode)))
3080 perms = file_mask_to_av(inode->i_mode, mask);
3082 sid = cred_sid(cred);
3083 isec = inode_security_rcu(inode, no_block);
3085 return PTR_ERR(isec);
3087 rc = avc_has_perm_noaudit(&selinux_state,
3088 sid, isec->sid, isec->sclass, perms, 0,
3090 audited = avc_audit_required(perms, &avd, rc,
3091 from_access ? FILE__AUDIT_ACCESS : 0,
3093 if (likely(!audited))
3096 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3102 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3104 const struct cred *cred = current_cred();
3105 struct inode *inode = d_backing_inode(dentry);
3106 unsigned int ia_valid = iattr->ia_valid;
3107 __u32 av = FILE__WRITE;
3109 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3110 if (ia_valid & ATTR_FORCE) {
3111 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3117 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3118 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3119 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3121 if (selinux_policycap_openperm() &&
3122 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3123 (ia_valid & ATTR_SIZE) &&
3124 !(ia_valid & ATTR_FILE))
3127 return dentry_has_perm(cred, dentry, av);
3130 static int selinux_inode_getattr(const struct path *path)
3132 return path_has_perm(current_cred(), path, FILE__GETATTR);
3135 static bool has_cap_mac_admin(bool audit)
3137 const struct cred *cred = current_cred();
3138 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3140 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3142 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3147 static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
3148 struct dentry *dentry, const char *name,
3149 const void *value, size_t size, int flags)
3151 struct inode *inode = d_backing_inode(dentry);
3152 struct inode_security_struct *isec;
3153 struct superblock_security_struct *sbsec;
3154 struct common_audit_data ad;
3155 u32 newsid, sid = current_sid();
3158 if (strcmp(name, XATTR_NAME_SELINUX)) {
3159 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3163 /* Not an attribute we recognize, so just check the
3164 ordinary setattr permission. */
3165 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3168 if (!selinux_initialized(&selinux_state))
3169 return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM);
3171 sbsec = selinux_superblock(inode->i_sb);
3172 if (!(sbsec->flags & SBLABEL_MNT))
3175 if (!inode_owner_or_capable(mnt_userns, inode))
3178 ad.type = LSM_AUDIT_DATA_DENTRY;
3179 ad.u.dentry = dentry;
3181 isec = backing_inode_security(dentry);
3182 rc = avc_has_perm(&selinux_state,
3183 sid, isec->sid, isec->sclass,
3184 FILE__RELABELFROM, &ad);
3188 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3190 if (rc == -EINVAL) {
3191 if (!has_cap_mac_admin(true)) {
3192 struct audit_buffer *ab;
3195 /* We strip a nul only if it is at the end, otherwise the
3196 * context contains a nul and we should audit that */
3198 const char *str = value;
3200 if (str[size - 1] == '\0')
3201 audit_size = size - 1;
3207 ab = audit_log_start(audit_context(),
3208 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3211 audit_log_format(ab, "op=setxattr invalid_context=");
3212 audit_log_n_untrustedstring(ab, value, audit_size);
3217 rc = security_context_to_sid_force(&selinux_state, value,
3223 rc = avc_has_perm(&selinux_state,
3224 sid, newsid, isec->sclass,
3225 FILE__RELABELTO, &ad);
3229 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3234 return avc_has_perm(&selinux_state,
3237 SECCLASS_FILESYSTEM,
3238 FILESYSTEM__ASSOCIATE,
3242 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3243 const void *value, size_t size,
3246 struct inode *inode = d_backing_inode(dentry);
3247 struct inode_security_struct *isec;
3251 if (strcmp(name, XATTR_NAME_SELINUX)) {
3252 /* Not an attribute we recognize, so nothing to do. */
3256 if (!selinux_initialized(&selinux_state)) {
3257 /* If we haven't even been initialized, then we can't validate
3258 * against a policy, so leave the label as invalid. It may
3259 * resolve to a valid label on the next revalidation try if
3260 * we've since initialized.
3265 rc = security_context_to_sid_force(&selinux_state, value, size,
3268 pr_err("SELinux: unable to map context to SID"
3269 "for (%s, %lu), rc=%d\n",
3270 inode->i_sb->s_id, inode->i_ino, -rc);
3274 isec = backing_inode_security(dentry);
3275 spin_lock(&isec->lock);
3276 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3278 isec->initialized = LABEL_INITIALIZED;
3279 spin_unlock(&isec->lock);
3282 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3284 const struct cred *cred = current_cred();
3286 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3289 static int selinux_inode_listxattr(struct dentry *dentry)
3291 const struct cred *cred = current_cred();
3293 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3296 static int selinux_inode_removexattr(struct user_namespace *mnt_userns,
3297 struct dentry *dentry, const char *name)
3299 if (strcmp(name, XATTR_NAME_SELINUX)) {
3300 int rc = cap_inode_removexattr(mnt_userns, dentry, name);
3304 /* Not an attribute we recognize, so just check the
3305 ordinary setattr permission. */
3306 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3309 if (!selinux_initialized(&selinux_state))
3312 /* No one is allowed to remove a SELinux security label.
3313 You can change the label, but all data must be labeled. */
3317 static int selinux_path_notify(const struct path *path, u64 mask,
3318 unsigned int obj_type)
3323 struct common_audit_data ad;
3325 ad.type = LSM_AUDIT_DATA_PATH;
3329 * Set permission needed based on the type of mark being set.
3330 * Performs an additional check for sb watches.
3333 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3334 perm = FILE__WATCH_MOUNT;
3336 case FSNOTIFY_OBJ_TYPE_SB:
3337 perm = FILE__WATCH_SB;
3338 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3339 FILESYSTEM__WATCH, &ad);
3343 case FSNOTIFY_OBJ_TYPE_INODE:
3350 /* blocking watches require the file:watch_with_perm permission */
3351 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3352 perm |= FILE__WATCH_WITH_PERM;
3354 /* watches on read-like events need the file:watch_reads permission */
3355 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3356 perm |= FILE__WATCH_READS;
3358 return path_has_perm(current_cred(), path, perm);
3362 * Copy the inode security context value to the user.
3364 * Permission check is handled by selinux_inode_getxattr hook.
3366 static int selinux_inode_getsecurity(struct user_namespace *mnt_userns,
3367 struct inode *inode, const char *name,
3368 void **buffer, bool alloc)
3372 char *context = NULL;
3373 struct inode_security_struct *isec;
3376 * If we're not initialized yet, then we can't validate contexts, so
3377 * just let vfs_getxattr fall back to using the on-disk xattr.
3379 if (!selinux_initialized(&selinux_state) ||
3380 strcmp(name, XATTR_SELINUX_SUFFIX))
3384 * If the caller has CAP_MAC_ADMIN, then get the raw context
3385 * value even if it is not defined by current policy; otherwise,
3386 * use the in-core value under current policy.
3387 * Use the non-auditing forms of the permission checks since
3388 * getxattr may be called by unprivileged processes commonly
3389 * and lack of permission just means that we fall back to the
3390 * in-core context value, not a denial.
3392 isec = inode_security(inode);
3393 if (has_cap_mac_admin(false))
3394 error = security_sid_to_context_force(&selinux_state,
3395 isec->sid, &context,
3398 error = security_sid_to_context(&selinux_state, isec->sid,
3412 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3413 const void *value, size_t size, int flags)
3415 struct inode_security_struct *isec = inode_security_novalidate(inode);
3416 struct superblock_security_struct *sbsec;
3420 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3423 sbsec = selinux_superblock(inode->i_sb);
3424 if (!(sbsec->flags & SBLABEL_MNT))
3427 if (!value || !size)
3430 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3435 spin_lock(&isec->lock);
3436 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3438 isec->initialized = LABEL_INITIALIZED;
3439 spin_unlock(&isec->lock);
3443 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3445 const int len = sizeof(XATTR_NAME_SELINUX);
3447 if (!selinux_initialized(&selinux_state))
3450 if (buffer && len <= buffer_size)
3451 memcpy(buffer, XATTR_NAME_SELINUX, len);
3455 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3457 struct inode_security_struct *isec = inode_security_novalidate(inode);
3461 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3464 struct task_security_struct *tsec;
3465 struct cred *new_creds = *new;
3467 if (new_creds == NULL) {
3468 new_creds = prepare_creds();
3473 tsec = selinux_cred(new_creds);
3474 /* Get label from overlay inode and set it in create_sid */
3475 selinux_inode_getsecid(d_inode(src), &sid);
3476 tsec->create_sid = sid;
3481 static int selinux_inode_copy_up_xattr(const char *name)
3483 /* The copy_up hook above sets the initial context on an inode, but we
3484 * don't then want to overwrite it by blindly copying all the lower
3485 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3487 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3488 return 1; /* Discard */
3490 * Any other attribute apart from SELINUX is not claimed, supported
3496 /* kernfs node operations */
3498 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3499 struct kernfs_node *kn)
3501 const struct task_security_struct *tsec = selinux_cred(current_cred());
3502 u32 parent_sid, newsid, clen;
3506 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3513 context = kmalloc(clen, GFP_KERNEL);
3517 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3523 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3529 if (tsec->create_sid) {
3530 newsid = tsec->create_sid;
3532 u16 secclass = inode_mode_to_security_class(kn->mode);
3536 q.hash_len = hashlen_string(kn_dir, kn->name);
3538 rc = security_transition_sid(&selinux_state, tsec->sid,
3539 parent_sid, secclass, &q,
3545 rc = security_sid_to_context_force(&selinux_state, newsid,
3550 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3557 /* file security operations */
3559 static int selinux_revalidate_file_permission(struct file *file, int mask)
3561 const struct cred *cred = current_cred();
3562 struct inode *inode = file_inode(file);
3564 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3565 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3568 return file_has_perm(cred, file,
3569 file_mask_to_av(inode->i_mode, mask));
3572 static int selinux_file_permission(struct file *file, int mask)
3574 struct inode *inode = file_inode(file);
3575 struct file_security_struct *fsec = selinux_file(file);
3576 struct inode_security_struct *isec;
3577 u32 sid = current_sid();
3580 /* No permission to check. Existence test. */
3583 isec = inode_security(inode);
3584 if (sid == fsec->sid && fsec->isid == isec->sid &&
3585 fsec->pseqno == avc_policy_seqno(&selinux_state))
3586 /* No change since file_open check. */
3589 return selinux_revalidate_file_permission(file, mask);
3592 static int selinux_file_alloc_security(struct file *file)
3594 struct file_security_struct *fsec = selinux_file(file);
3595 u32 sid = current_sid();
3598 fsec->fown_sid = sid;
3604 * Check whether a task has the ioctl permission and cmd
3605 * operation to an inode.
3607 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3608 u32 requested, u16 cmd)
3610 struct common_audit_data ad;
3611 struct file_security_struct *fsec = selinux_file(file);
3612 struct inode *inode = file_inode(file);
3613 struct inode_security_struct *isec;
3614 struct lsm_ioctlop_audit ioctl;
3615 u32 ssid = cred_sid(cred);
3617 u8 driver = cmd >> 8;
3618 u8 xperm = cmd & 0xff;
3620 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3623 ad.u.op->path = file->f_path;
3625 if (ssid != fsec->sid) {
3626 rc = avc_has_perm(&selinux_state,
3635 if (unlikely(IS_PRIVATE(inode)))
3638 isec = inode_security(inode);
3639 rc = avc_has_extended_perms(&selinux_state,
3640 ssid, isec->sid, isec->sclass,
3641 requested, driver, xperm, &ad);
3646 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3649 const struct cred *cred = current_cred();
3656 case FS_IOC_GETFLAGS:
3657 case FS_IOC_GETVERSION:
3658 error = file_has_perm(cred, file, FILE__GETATTR);
3661 case FS_IOC_SETFLAGS:
3662 case FS_IOC_SETVERSION:
3663 error = file_has_perm(cred, file, FILE__SETATTR);
3666 /* sys_ioctl() checks */
3669 error = file_has_perm(cred, file, 0);
3674 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3675 CAP_OPT_NONE, true);
3680 if (!selinux_policycap_ioctl_skip_cloexec())
3681 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3684 /* default case assumes that the command will go
3685 * to the file's ioctl() function.
3688 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3693 static int default_noexec __ro_after_init;
3695 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3697 const struct cred *cred = current_cred();
3698 u32 sid = cred_sid(cred);
3701 if (default_noexec &&
3702 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3703 (!shared && (prot & PROT_WRITE)))) {
3705 * We are making executable an anonymous mapping or a
3706 * private file mapping that will also be writable.
3707 * This has an additional check.
3709 rc = avc_has_perm(&selinux_state,
3710 sid, sid, SECCLASS_PROCESS,
3711 PROCESS__EXECMEM, NULL);
3717 /* read access is always possible with a mapping */
3718 u32 av = FILE__READ;
3720 /* write access only matters if the mapping is shared */
3721 if (shared && (prot & PROT_WRITE))
3724 if (prot & PROT_EXEC)
3725 av |= FILE__EXECUTE;
3727 return file_has_perm(cred, file, av);
3734 static int selinux_mmap_addr(unsigned long addr)
3738 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3739 u32 sid = current_sid();
3740 rc = avc_has_perm(&selinux_state,
3741 sid, sid, SECCLASS_MEMPROTECT,
3742 MEMPROTECT__MMAP_ZERO, NULL);
3748 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3749 unsigned long prot, unsigned long flags)
3751 struct common_audit_data ad;
3755 ad.type = LSM_AUDIT_DATA_FILE;
3757 rc = inode_has_perm(current_cred(), file_inode(file),
3763 if (checkreqprot_get(&selinux_state))
3766 return file_map_prot_check(file, prot,
3767 (flags & MAP_TYPE) == MAP_SHARED);
3770 static int selinux_file_mprotect(struct vm_area_struct *vma,
3771 unsigned long reqprot,
3774 const struct cred *cred = current_cred();
3775 u32 sid = cred_sid(cred);
3777 if (checkreqprot_get(&selinux_state))
3780 if (default_noexec &&
3781 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3783 if (vma->vm_start >= vma->vm_mm->start_brk &&
3784 vma->vm_end <= vma->vm_mm->brk) {
3785 rc = avc_has_perm(&selinux_state,
3786 sid, sid, SECCLASS_PROCESS,
3787 PROCESS__EXECHEAP, NULL);
3788 } else if (!vma->vm_file &&
3789 ((vma->vm_start <= vma->vm_mm->start_stack &&
3790 vma->vm_end >= vma->vm_mm->start_stack) ||
3791 vma_is_stack_for_current(vma))) {
3792 rc = avc_has_perm(&selinux_state,
3793 sid, sid, SECCLASS_PROCESS,
3794 PROCESS__EXECSTACK, NULL);
3795 } else if (vma->vm_file && vma->anon_vma) {
3797 * We are making executable a file mapping that has
3798 * had some COW done. Since pages might have been
3799 * written, check ability to execute the possibly
3800 * modified content. This typically should only
3801 * occur for text relocations.
3803 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3809 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3812 static int selinux_file_lock(struct file *file, unsigned int cmd)
3814 const struct cred *cred = current_cred();
3816 return file_has_perm(cred, file, FILE__LOCK);
3819 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3822 const struct cred *cred = current_cred();
3827 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3828 err = file_has_perm(cred, file, FILE__WRITE);
3837 case F_GETOWNER_UIDS:
3838 /* Just check FD__USE permission */
3839 err = file_has_perm(cred, file, 0);
3847 #if BITS_PER_LONG == 32
3852 err = file_has_perm(cred, file, FILE__LOCK);
3859 static void selinux_file_set_fowner(struct file *file)
3861 struct file_security_struct *fsec;
3863 fsec = selinux_file(file);
3864 fsec->fown_sid = current_sid();
3867 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3868 struct fown_struct *fown, int signum)
3871 u32 sid = task_sid_obj(tsk);
3873 struct file_security_struct *fsec;
3875 /* struct fown_struct is never outside the context of a struct file */
3876 file = container_of(fown, struct file, f_owner);
3878 fsec = selinux_file(file);
3881 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3883 perm = signal_to_av(signum);
3885 return avc_has_perm(&selinux_state,
3886 fsec->fown_sid, sid,
3887 SECCLASS_PROCESS, perm, NULL);
3890 static int selinux_file_receive(struct file *file)
3892 const struct cred *cred = current_cred();
3894 return file_has_perm(cred, file, file_to_av(file));
3897 static int selinux_file_open(struct file *file)
3899 struct file_security_struct *fsec;
3900 struct inode_security_struct *isec;
3902 fsec = selinux_file(file);
3903 isec = inode_security(file_inode(file));
3905 * Save inode label and policy sequence number
3906 * at open-time so that selinux_file_permission
3907 * can determine whether revalidation is necessary.
3908 * Task label is already saved in the file security
3909 * struct as its SID.
3911 fsec->isid = isec->sid;
3912 fsec->pseqno = avc_policy_seqno(&selinux_state);
3914 * Since the inode label or policy seqno may have changed
3915 * between the selinux_inode_permission check and the saving
3916 * of state above, recheck that access is still permitted.
3917 * Otherwise, access might never be revalidated against the
3918 * new inode label or new policy.
3919 * This check is not redundant - do not remove.
3921 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3924 /* task security operations */
3926 static int selinux_task_alloc(struct task_struct *task,
3927 unsigned long clone_flags)
3929 u32 sid = current_sid();
3931 return avc_has_perm(&selinux_state,
3932 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3936 * prepare a new set of credentials for modification
3938 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3941 const struct task_security_struct *old_tsec = selinux_cred(old);
3942 struct task_security_struct *tsec = selinux_cred(new);
3949 * transfer the SELinux data to a blank set of creds
3951 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3953 const struct task_security_struct *old_tsec = selinux_cred(old);
3954 struct task_security_struct *tsec = selinux_cred(new);
3959 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3961 *secid = cred_sid(c);
3965 * set the security data for a kernel service
3966 * - all the creation contexts are set to unlabelled
3968 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3970 struct task_security_struct *tsec = selinux_cred(new);
3971 u32 sid = current_sid();
3974 ret = avc_has_perm(&selinux_state,
3976 SECCLASS_KERNEL_SERVICE,
3977 KERNEL_SERVICE__USE_AS_OVERRIDE,
3981 tsec->create_sid = 0;
3982 tsec->keycreate_sid = 0;
3983 tsec->sockcreate_sid = 0;
3989 * set the file creation context in a security record to the same as the
3990 * objective context of the specified inode
3992 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3994 struct inode_security_struct *isec = inode_security(inode);
3995 struct task_security_struct *tsec = selinux_cred(new);
3996 u32 sid = current_sid();
3999 ret = avc_has_perm(&selinux_state,
4001 SECCLASS_KERNEL_SERVICE,
4002 KERNEL_SERVICE__CREATE_FILES_AS,
4006 tsec->create_sid = isec->sid;
4010 static int selinux_kernel_module_request(char *kmod_name)
4012 struct common_audit_data ad;
4014 ad.type = LSM_AUDIT_DATA_KMOD;
4015 ad.u.kmod_name = kmod_name;
4017 return avc_has_perm(&selinux_state,
4018 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4019 SYSTEM__MODULE_REQUEST, &ad);
4022 static int selinux_kernel_module_from_file(struct file *file)
4024 struct common_audit_data ad;
4025 struct inode_security_struct *isec;
4026 struct file_security_struct *fsec;
4027 u32 sid = current_sid();
4032 return avc_has_perm(&selinux_state,
4033 sid, sid, SECCLASS_SYSTEM,
4034 SYSTEM__MODULE_LOAD, NULL);
4038 ad.type = LSM_AUDIT_DATA_FILE;
4041 fsec = selinux_file(file);
4042 if (sid != fsec->sid) {
4043 rc = avc_has_perm(&selinux_state,
4044 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4049 isec = inode_security(file_inode(file));
4050 return avc_has_perm(&selinux_state,
4051 sid, isec->sid, SECCLASS_SYSTEM,
4052 SYSTEM__MODULE_LOAD, &ad);
4055 static int selinux_kernel_read_file(struct file *file,
4056 enum kernel_read_file_id id,
4062 case READING_MODULE:
4063 rc = selinux_kernel_module_from_file(contents ? file : NULL);
4072 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4077 case LOADING_MODULE:
4078 rc = selinux_kernel_module_from_file(NULL);
4087 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4089 return avc_has_perm(&selinux_state,
4090 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4091 PROCESS__SETPGID, NULL);
4094 static int selinux_task_getpgid(struct task_struct *p)
4096 return avc_has_perm(&selinux_state,
4097 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4098 PROCESS__GETPGID, NULL);
4101 static int selinux_task_getsid(struct task_struct *p)
4103 return avc_has_perm(&selinux_state,
4104 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4105 PROCESS__GETSESSION, NULL);
4108 static void selinux_current_getsecid_subj(u32 *secid)
4110 *secid = current_sid();
4113 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4115 *secid = task_sid_obj(p);
4118 static int selinux_task_setnice(struct task_struct *p, int nice)
4120 return avc_has_perm(&selinux_state,
4121 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4122 PROCESS__SETSCHED, NULL);
4125 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4127 return avc_has_perm(&selinux_state,
4128 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4129 PROCESS__SETSCHED, NULL);
4132 static int selinux_task_getioprio(struct task_struct *p)
4134 return avc_has_perm(&selinux_state,
4135 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4136 PROCESS__GETSCHED, NULL);
4139 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4146 if (flags & LSM_PRLIMIT_WRITE)
4147 av |= PROCESS__SETRLIMIT;
4148 if (flags & LSM_PRLIMIT_READ)
4149 av |= PROCESS__GETRLIMIT;
4150 return avc_has_perm(&selinux_state,
4151 cred_sid(cred), cred_sid(tcred),
4152 SECCLASS_PROCESS, av, NULL);
4155 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4156 struct rlimit *new_rlim)
4158 struct rlimit *old_rlim = p->signal->rlim + resource;
4160 /* Control the ability to change the hard limit (whether
4161 lowering or raising it), so that the hard limit can
4162 later be used as a safe reset point for the soft limit
4163 upon context transitions. See selinux_bprm_committing_creds. */
4164 if (old_rlim->rlim_max != new_rlim->rlim_max)
4165 return avc_has_perm(&selinux_state,
4166 current_sid(), task_sid_obj(p),
4167 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4172 static int selinux_task_setscheduler(struct task_struct *p)
4174 return avc_has_perm(&selinux_state,
4175 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4176 PROCESS__SETSCHED, NULL);
4179 static int selinux_task_getscheduler(struct task_struct *p)
4181 return avc_has_perm(&selinux_state,
4182 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4183 PROCESS__GETSCHED, NULL);
4186 static int selinux_task_movememory(struct task_struct *p)
4188 return avc_has_perm(&selinux_state,
4189 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4190 PROCESS__SETSCHED, NULL);
4193 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4194 int sig, const struct cred *cred)
4200 perm = PROCESS__SIGNULL; /* null signal; existence test */
4202 perm = signal_to_av(sig);
4204 secid = current_sid();
4206 secid = cred_sid(cred);
4207 return avc_has_perm(&selinux_state,
4208 secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4211 static void selinux_task_to_inode(struct task_struct *p,
4212 struct inode *inode)
4214 struct inode_security_struct *isec = selinux_inode(inode);
4215 u32 sid = task_sid_obj(p);
4217 spin_lock(&isec->lock);
4218 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4220 isec->initialized = LABEL_INITIALIZED;
4221 spin_unlock(&isec->lock);
4224 /* Returns error only if unable to parse addresses */
4225 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4226 struct common_audit_data *ad, u8 *proto)
4228 int offset, ihlen, ret = -EINVAL;
4229 struct iphdr _iph, *ih;
4231 offset = skb_network_offset(skb);
4232 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4236 ihlen = ih->ihl * 4;
4237 if (ihlen < sizeof(_iph))
4240 ad->u.net->v4info.saddr = ih->saddr;
4241 ad->u.net->v4info.daddr = ih->daddr;
4245 *proto = ih->protocol;
4247 switch (ih->protocol) {
4249 struct tcphdr _tcph, *th;
4251 if (ntohs(ih->frag_off) & IP_OFFSET)
4255 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4259 ad->u.net->sport = th->source;
4260 ad->u.net->dport = th->dest;
4265 struct udphdr _udph, *uh;
4267 if (ntohs(ih->frag_off) & IP_OFFSET)
4271 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4275 ad->u.net->sport = uh->source;
4276 ad->u.net->dport = uh->dest;
4280 case IPPROTO_DCCP: {
4281 struct dccp_hdr _dccph, *dh;
4283 if (ntohs(ih->frag_off) & IP_OFFSET)
4287 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4291 ad->u.net->sport = dh->dccph_sport;
4292 ad->u.net->dport = dh->dccph_dport;
4296 #if IS_ENABLED(CONFIG_IP_SCTP)
4297 case IPPROTO_SCTP: {
4298 struct sctphdr _sctph, *sh;
4300 if (ntohs(ih->frag_off) & IP_OFFSET)
4304 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4308 ad->u.net->sport = sh->source;
4309 ad->u.net->dport = sh->dest;
4320 #if IS_ENABLED(CONFIG_IPV6)
4322 /* Returns error only if unable to parse addresses */
4323 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4324 struct common_audit_data *ad, u8 *proto)
4327 int ret = -EINVAL, offset;
4328 struct ipv6hdr _ipv6h, *ip6;
4331 offset = skb_network_offset(skb);
4332 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4336 ad->u.net->v6info.saddr = ip6->saddr;
4337 ad->u.net->v6info.daddr = ip6->daddr;
4340 nexthdr = ip6->nexthdr;
4341 offset += sizeof(_ipv6h);
4342 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4351 struct tcphdr _tcph, *th;
4353 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4357 ad->u.net->sport = th->source;
4358 ad->u.net->dport = th->dest;
4363 struct udphdr _udph, *uh;
4365 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4369 ad->u.net->sport = uh->source;
4370 ad->u.net->dport = uh->dest;
4374 case IPPROTO_DCCP: {
4375 struct dccp_hdr _dccph, *dh;
4377 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4381 ad->u.net->sport = dh->dccph_sport;
4382 ad->u.net->dport = dh->dccph_dport;
4386 #if IS_ENABLED(CONFIG_IP_SCTP)
4387 case IPPROTO_SCTP: {
4388 struct sctphdr _sctph, *sh;
4390 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4394 ad->u.net->sport = sh->source;
4395 ad->u.net->dport = sh->dest;
4399 /* includes fragments */
4409 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4410 char **_addrp, int src, u8 *proto)
4415 switch (ad->u.net->family) {
4417 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4420 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4421 &ad->u.net->v4info.daddr);
4424 #if IS_ENABLED(CONFIG_IPV6)
4426 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4429 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4430 &ad->u.net->v6info.daddr);
4440 "SELinux: failure in selinux_parse_skb(),"
4441 " unable to parse packet\n");
4451 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4453 * @family: protocol family
4454 * @sid: the packet's peer label SID
4457 * Check the various different forms of network peer labeling and determine
4458 * the peer label/SID for the packet; most of the magic actually occurs in
4459 * the security server function security_net_peersid_cmp(). The function
4460 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4461 * or -EACCES if @sid is invalid due to inconsistencies with the different
4465 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4472 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4475 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4479 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4480 nlbl_type, xfrm_sid, sid);
4481 if (unlikely(err)) {
4483 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4484 " unable to determine packet's peer label\n");
4492 * selinux_conn_sid - Determine the child socket label for a connection
4493 * @sk_sid: the parent socket's SID
4494 * @skb_sid: the packet's SID
4495 * @conn_sid: the resulting connection SID
4497 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4498 * combined with the MLS information from @skb_sid in order to create
4499 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy
4500 * of @sk_sid. Returns zero on success, negative values on failure.
4503 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4507 if (skb_sid != SECSID_NULL)
4508 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4516 /* socket security operations */
4518 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4519 u16 secclass, u32 *socksid)
4521 if (tsec->sockcreate_sid > SECSID_NULL) {
4522 *socksid = tsec->sockcreate_sid;
4526 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4527 secclass, NULL, socksid);
4530 static int sock_has_perm(struct sock *sk, u32 perms)
4532 struct sk_security_struct *sksec = sk->sk_security;
4533 struct common_audit_data ad;
4534 struct lsm_network_audit net = {0,};
4536 if (sksec->sid == SECINITSID_KERNEL)
4539 ad.type = LSM_AUDIT_DATA_NET;
4543 return avc_has_perm(&selinux_state,
4544 current_sid(), sksec->sid, sksec->sclass, perms,
4548 static int selinux_socket_create(int family, int type,
4549 int protocol, int kern)
4551 const struct task_security_struct *tsec = selinux_cred(current_cred());
4559 secclass = socket_type_to_security_class(family, type, protocol);
4560 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4564 return avc_has_perm(&selinux_state,
4565 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4568 static int selinux_socket_post_create(struct socket *sock, int family,
4569 int type, int protocol, int kern)
4571 const struct task_security_struct *tsec = selinux_cred(current_cred());
4572 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4573 struct sk_security_struct *sksec;
4574 u16 sclass = socket_type_to_security_class(family, type, protocol);
4575 u32 sid = SECINITSID_KERNEL;
4579 err = socket_sockcreate_sid(tsec, sclass, &sid);
4584 isec->sclass = sclass;
4586 isec->initialized = LABEL_INITIALIZED;
4589 sksec = sock->sk->sk_security;
4590 sksec->sclass = sclass;
4592 /* Allows detection of the first association on this socket */
4593 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4594 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4596 err = selinux_netlbl_socket_post_create(sock->sk, family);
4602 static int selinux_socket_socketpair(struct socket *socka,
4603 struct socket *sockb)
4605 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4606 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4608 sksec_a->peer_sid = sksec_b->sid;
4609 sksec_b->peer_sid = sksec_a->sid;
4614 /* Range of port numbers used to automatically bind.
4615 Need to determine whether we should perform a name_bind
4616 permission check between the socket and the port number. */
4618 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4620 struct sock *sk = sock->sk;
4621 struct sk_security_struct *sksec = sk->sk_security;
4625 err = sock_has_perm(sk, SOCKET__BIND);
4629 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4630 family = sk->sk_family;
4631 if (family == PF_INET || family == PF_INET6) {
4633 struct common_audit_data ad;
4634 struct lsm_network_audit net = {0,};
4635 struct sockaddr_in *addr4 = NULL;
4636 struct sockaddr_in6 *addr6 = NULL;
4638 unsigned short snum;
4642 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4643 * that validates multiple binding addresses. Because of this
4644 * need to check address->sa_family as it is possible to have
4645 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4647 if (addrlen < offsetofend(struct sockaddr, sa_family))
4649 family_sa = address->sa_family;
4650 switch (family_sa) {
4653 if (addrlen < sizeof(struct sockaddr_in))
4655 addr4 = (struct sockaddr_in *)address;
4656 if (family_sa == AF_UNSPEC) {
4657 /* see __inet_bind(), we only want to allow
4658 * AF_UNSPEC if the address is INADDR_ANY
4660 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4662 family_sa = AF_INET;
4664 snum = ntohs(addr4->sin_port);
4665 addrp = (char *)&addr4->sin_addr.s_addr;
4668 if (addrlen < SIN6_LEN_RFC2133)
4670 addr6 = (struct sockaddr_in6 *)address;
4671 snum = ntohs(addr6->sin6_port);
4672 addrp = (char *)&addr6->sin6_addr.s6_addr;
4678 ad.type = LSM_AUDIT_DATA_NET;
4680 ad.u.net->sport = htons(snum);
4681 ad.u.net->family = family_sa;
4686 inet_get_local_port_range(sock_net(sk), &low, &high);
4688 if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4689 snum < low || snum > high) {
4690 err = sel_netport_sid(sk->sk_protocol,
4694 err = avc_has_perm(&selinux_state,
4697 SOCKET__NAME_BIND, &ad);
4703 switch (sksec->sclass) {
4704 case SECCLASS_TCP_SOCKET:
4705 node_perm = TCP_SOCKET__NODE_BIND;
4708 case SECCLASS_UDP_SOCKET:
4709 node_perm = UDP_SOCKET__NODE_BIND;
4712 case SECCLASS_DCCP_SOCKET:
4713 node_perm = DCCP_SOCKET__NODE_BIND;
4716 case SECCLASS_SCTP_SOCKET:
4717 node_perm = SCTP_SOCKET__NODE_BIND;
4721 node_perm = RAWIP_SOCKET__NODE_BIND;
4725 err = sel_netnode_sid(addrp, family_sa, &sid);
4729 if (family_sa == AF_INET)
4730 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4732 ad.u.net->v6info.saddr = addr6->sin6_addr;
4734 err = avc_has_perm(&selinux_state,
4736 sksec->sclass, node_perm, &ad);
4743 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4744 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4746 return -EAFNOSUPPORT;
4749 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4750 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4752 static int selinux_socket_connect_helper(struct socket *sock,
4753 struct sockaddr *address, int addrlen)
4755 struct sock *sk = sock->sk;
4756 struct sk_security_struct *sksec = sk->sk_security;
4759 err = sock_has_perm(sk, SOCKET__CONNECT);
4762 if (addrlen < offsetofend(struct sockaddr, sa_family))
4765 /* connect(AF_UNSPEC) has special handling, as it is a documented
4766 * way to disconnect the socket
4768 if (address->sa_family == AF_UNSPEC)
4772 * If a TCP, DCCP or SCTP socket, check name_connect permission
4775 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4776 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4777 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4778 struct common_audit_data ad;
4779 struct lsm_network_audit net = {0,};
4780 struct sockaddr_in *addr4 = NULL;
4781 struct sockaddr_in6 *addr6 = NULL;
4782 unsigned short snum;
4785 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4786 * that validates multiple connect addresses. Because of this
4787 * need to check address->sa_family as it is possible to have
4788 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4790 switch (address->sa_family) {
4792 addr4 = (struct sockaddr_in *)address;
4793 if (addrlen < sizeof(struct sockaddr_in))
4795 snum = ntohs(addr4->sin_port);
4798 addr6 = (struct sockaddr_in6 *)address;
4799 if (addrlen < SIN6_LEN_RFC2133)
4801 snum = ntohs(addr6->sin6_port);
4804 /* Note that SCTP services expect -EINVAL, whereas
4805 * others expect -EAFNOSUPPORT.
4807 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4810 return -EAFNOSUPPORT;
4813 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4817 switch (sksec->sclass) {
4818 case SECCLASS_TCP_SOCKET:
4819 perm = TCP_SOCKET__NAME_CONNECT;
4821 case SECCLASS_DCCP_SOCKET:
4822 perm = DCCP_SOCKET__NAME_CONNECT;
4824 case SECCLASS_SCTP_SOCKET:
4825 perm = SCTP_SOCKET__NAME_CONNECT;
4829 ad.type = LSM_AUDIT_DATA_NET;
4831 ad.u.net->dport = htons(snum);
4832 ad.u.net->family = address->sa_family;
4833 err = avc_has_perm(&selinux_state,
4834 sksec->sid, sid, sksec->sclass, perm, &ad);
4842 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4843 static int selinux_socket_connect(struct socket *sock,
4844 struct sockaddr *address, int addrlen)
4847 struct sock *sk = sock->sk;
4849 err = selinux_socket_connect_helper(sock, address, addrlen);
4853 return selinux_netlbl_socket_connect(sk, address);
4856 static int selinux_socket_listen(struct socket *sock, int backlog)
4858 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4861 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4864 struct inode_security_struct *isec;
4865 struct inode_security_struct *newisec;
4869 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4873 isec = inode_security_novalidate(SOCK_INODE(sock));
4874 spin_lock(&isec->lock);
4875 sclass = isec->sclass;
4877 spin_unlock(&isec->lock);
4879 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4880 newisec->sclass = sclass;
4882 newisec->initialized = LABEL_INITIALIZED;
4887 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4890 return sock_has_perm(sock->sk, SOCKET__WRITE);
4893 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4894 int size, int flags)
4896 return sock_has_perm(sock->sk, SOCKET__READ);
4899 static int selinux_socket_getsockname(struct socket *sock)
4901 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4904 static int selinux_socket_getpeername(struct socket *sock)
4906 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4909 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4913 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4917 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4920 static int selinux_socket_getsockopt(struct socket *sock, int level,
4923 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4926 static int selinux_socket_shutdown(struct socket *sock, int how)
4928 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4931 static int selinux_socket_unix_stream_connect(struct sock *sock,
4935 struct sk_security_struct *sksec_sock = sock->sk_security;
4936 struct sk_security_struct *sksec_other = other->sk_security;
4937 struct sk_security_struct *sksec_new = newsk->sk_security;
4938 struct common_audit_data ad;
4939 struct lsm_network_audit net = {0,};
4942 ad.type = LSM_AUDIT_DATA_NET;
4944 ad.u.net->sk = other;
4946 err = avc_has_perm(&selinux_state,
4947 sksec_sock->sid, sksec_other->sid,
4948 sksec_other->sclass,
4949 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4953 /* server child socket */
4954 sksec_new->peer_sid = sksec_sock->sid;
4955 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4956 sksec_sock->sid, &sksec_new->sid);
4960 /* connecting socket */
4961 sksec_sock->peer_sid = sksec_new->sid;
4966 static int selinux_socket_unix_may_send(struct socket *sock,
4967 struct socket *other)
4969 struct sk_security_struct *ssec = sock->sk->sk_security;
4970 struct sk_security_struct *osec = other->sk->sk_security;
4971 struct common_audit_data ad;
4972 struct lsm_network_audit net = {0,};
4974 ad.type = LSM_AUDIT_DATA_NET;
4976 ad.u.net->sk = other->sk;
4978 return avc_has_perm(&selinux_state,
4979 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4983 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4984 char *addrp, u16 family, u32 peer_sid,
4985 struct common_audit_data *ad)
4991 err = sel_netif_sid(ns, ifindex, &if_sid);
4994 err = avc_has_perm(&selinux_state,
4996 SECCLASS_NETIF, NETIF__INGRESS, ad);
5000 err = sel_netnode_sid(addrp, family, &node_sid);
5003 return avc_has_perm(&selinux_state,
5005 SECCLASS_NODE, NODE__RECVFROM, ad);
5008 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5012 struct sk_security_struct *sksec = sk->sk_security;
5013 u32 sk_sid = sksec->sid;
5014 struct common_audit_data ad;
5015 struct lsm_network_audit net = {0,};
5018 ad.type = LSM_AUDIT_DATA_NET;
5020 ad.u.net->netif = skb->skb_iif;
5021 ad.u.net->family = family;
5022 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5026 if (selinux_secmark_enabled()) {
5027 err = avc_has_perm(&selinux_state,
5028 sk_sid, skb->secmark, SECCLASS_PACKET,
5034 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5037 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5042 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5045 struct sk_security_struct *sksec = sk->sk_security;
5046 u16 family = sk->sk_family;
5047 u32 sk_sid = sksec->sid;
5048 struct common_audit_data ad;
5049 struct lsm_network_audit net = {0,};
5054 if (family != PF_INET && family != PF_INET6)
5057 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5058 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5061 /* If any sort of compatibility mode is enabled then handoff processing
5062 * to the selinux_sock_rcv_skb_compat() function to deal with the
5063 * special handling. We do this in an attempt to keep this function
5064 * as fast and as clean as possible. */
5065 if (!selinux_policycap_netpeer())
5066 return selinux_sock_rcv_skb_compat(sk, skb, family);
5068 secmark_active = selinux_secmark_enabled();
5069 peerlbl_active = selinux_peerlbl_enabled();
5070 if (!secmark_active && !peerlbl_active)
5073 ad.type = LSM_AUDIT_DATA_NET;
5075 ad.u.net->netif = skb->skb_iif;
5076 ad.u.net->family = family;
5077 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5081 if (peerlbl_active) {
5084 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5087 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5088 addrp, family, peer_sid, &ad);
5090 selinux_netlbl_err(skb, family, err, 0);
5093 err = avc_has_perm(&selinux_state,
5094 sk_sid, peer_sid, SECCLASS_PEER,
5097 selinux_netlbl_err(skb, family, err, 0);
5102 if (secmark_active) {
5103 err = avc_has_perm(&selinux_state,
5104 sk_sid, skb->secmark, SECCLASS_PACKET,
5113 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5114 int __user *optlen, unsigned len)
5119 struct sk_security_struct *sksec = sock->sk->sk_security;
5120 u32 peer_sid = SECSID_NULL;
5122 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5123 sksec->sclass == SECCLASS_TCP_SOCKET ||
5124 sksec->sclass == SECCLASS_SCTP_SOCKET)
5125 peer_sid = sksec->peer_sid;
5126 if (peer_sid == SECSID_NULL)
5127 return -ENOPROTOOPT;
5129 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5134 if (scontext_len > len) {
5139 if (copy_to_user(optval, scontext, scontext_len))
5143 if (put_user(scontext_len, optlen))
5149 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5151 u32 peer_secid = SECSID_NULL;
5153 struct inode_security_struct *isec;
5155 if (skb && skb->protocol == htons(ETH_P_IP))
5157 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5160 family = sock->sk->sk_family;
5164 if (sock && family == PF_UNIX) {
5165 isec = inode_security_novalidate(SOCK_INODE(sock));
5166 peer_secid = isec->sid;
5168 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5171 *secid = peer_secid;
5172 if (peer_secid == SECSID_NULL)
5177 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5179 struct sk_security_struct *sksec;
5181 sksec = kzalloc(sizeof(*sksec), priority);
5185 sksec->peer_sid = SECINITSID_UNLABELED;
5186 sksec->sid = SECINITSID_UNLABELED;
5187 sksec->sclass = SECCLASS_SOCKET;
5188 selinux_netlbl_sk_security_reset(sksec);
5189 sk->sk_security = sksec;
5194 static void selinux_sk_free_security(struct sock *sk)
5196 struct sk_security_struct *sksec = sk->sk_security;
5198 sk->sk_security = NULL;
5199 selinux_netlbl_sk_security_free(sksec);
5203 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5205 struct sk_security_struct *sksec = sk->sk_security;
5206 struct sk_security_struct *newsksec = newsk->sk_security;
5208 newsksec->sid = sksec->sid;
5209 newsksec->peer_sid = sksec->peer_sid;
5210 newsksec->sclass = sksec->sclass;
5212 selinux_netlbl_sk_security_reset(newsksec);
5215 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5218 *secid = SECINITSID_ANY_SOCKET;
5220 struct sk_security_struct *sksec = sk->sk_security;
5222 *secid = sksec->sid;
5226 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5228 struct inode_security_struct *isec =
5229 inode_security_novalidate(SOCK_INODE(parent));
5230 struct sk_security_struct *sksec = sk->sk_security;
5232 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5233 sk->sk_family == PF_UNIX)
5234 isec->sid = sksec->sid;
5235 sksec->sclass = isec->sclass;
5239 * Determines peer_secid for the asoc and updates socket's peer label
5240 * if it's the first association on the socket.
5242 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5243 struct sk_buff *skb)
5245 struct sock *sk = asoc->base.sk;
5246 u16 family = sk->sk_family;
5247 struct sk_security_struct *sksec = sk->sk_security;
5248 struct common_audit_data ad;
5249 struct lsm_network_audit net = {0,};
5252 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5253 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5256 if (selinux_peerlbl_enabled()) {
5257 asoc->peer_secid = SECSID_NULL;
5259 /* This will return peer_sid = SECSID_NULL if there are
5260 * no peer labels, see security_net_peersid_resolve().
5262 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5266 if (asoc->peer_secid == SECSID_NULL)
5267 asoc->peer_secid = SECINITSID_UNLABELED;
5269 asoc->peer_secid = SECINITSID_UNLABELED;
5272 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5273 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5275 /* Here as first association on socket. As the peer SID
5276 * was allowed by peer recv (and the netif/node checks),
5277 * then it is approved by policy and used as the primary
5278 * peer SID for getpeercon(3).
5280 sksec->peer_sid = asoc->peer_secid;
5281 } else if (sksec->peer_sid != asoc->peer_secid) {
5282 /* Other association peer SIDs are checked to enforce
5283 * consistency among the peer SIDs.
5285 ad.type = LSM_AUDIT_DATA_NET;
5287 ad.u.net->sk = asoc->base.sk;
5288 err = avc_has_perm(&selinux_state,
5289 sksec->peer_sid, asoc->peer_secid,
5290 sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5298 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5299 * happens on an incoming connect(2), sctp_connectx(3) or
5300 * sctp_sendmsg(3) (with no association already present).
5302 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5303 struct sk_buff *skb)
5305 struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5309 if (!selinux_policycap_extsockclass())
5312 err = selinux_sctp_process_new_assoc(asoc, skb);
5316 /* Compute the MLS component for the connection and store
5317 * the information in asoc. This will be used by SCTP TCP type
5318 * sockets and peeled off connections as they cause a new
5319 * socket to be generated. selinux_sctp_sk_clone() will then
5320 * plug this into the new socket.
5322 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5326 asoc->secid = conn_sid;
5328 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5329 return selinux_netlbl_sctp_assoc_request(asoc, skb);
5332 /* Called when SCTP receives a COOKIE ACK chunk as the final
5333 * response to an association request (initited by us).
5335 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5336 struct sk_buff *skb)
5338 struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5340 if (!selinux_policycap_extsockclass())
5343 /* Inherit secid from the parent socket - this will be picked up
5344 * by selinux_sctp_sk_clone() if the association gets peeled off
5345 * into a new socket.
5347 asoc->secid = sksec->sid;
5349 return selinux_sctp_process_new_assoc(asoc, skb);
5352 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5353 * based on their @optname.
5355 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5356 struct sockaddr *address,
5359 int len, err = 0, walk_size = 0;
5361 struct sockaddr *addr;
5362 struct socket *sock;
5364 if (!selinux_policycap_extsockclass())
5367 /* Process one or more addresses that may be IPv4 or IPv6 */
5368 sock = sk->sk_socket;
5371 while (walk_size < addrlen) {
5372 if (walk_size + sizeof(sa_family_t) > addrlen)
5376 switch (addr->sa_family) {
5379 len = sizeof(struct sockaddr_in);
5382 len = sizeof(struct sockaddr_in6);
5388 if (walk_size + len > addrlen)
5394 case SCTP_PRIMARY_ADDR:
5395 case SCTP_SET_PEER_PRIMARY_ADDR:
5396 case SCTP_SOCKOPT_BINDX_ADD:
5397 err = selinux_socket_bind(sock, addr, len);
5399 /* Connect checks */
5400 case SCTP_SOCKOPT_CONNECTX:
5401 case SCTP_PARAM_SET_PRIMARY:
5402 case SCTP_PARAM_ADD_IP:
5403 case SCTP_SENDMSG_CONNECT:
5404 err = selinux_socket_connect_helper(sock, addr, len);
5408 /* As selinux_sctp_bind_connect() is called by the
5409 * SCTP protocol layer, the socket is already locked,
5410 * therefore selinux_netlbl_socket_connect_locked()
5411 * is called here. The situations handled are:
5412 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5413 * whenever a new IP address is added or when a new
5414 * primary address is selected.
5415 * Note that an SCTP connect(2) call happens before
5416 * the SCTP protocol layer and is handled via
5417 * selinux_socket_connect().
5419 err = selinux_netlbl_socket_connect_locked(sk, addr);
5433 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5434 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5437 struct sk_security_struct *sksec = sk->sk_security;
5438 struct sk_security_struct *newsksec = newsk->sk_security;
5440 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5441 * the non-sctp clone version.
5443 if (!selinux_policycap_extsockclass())
5444 return selinux_sk_clone_security(sk, newsk);
5446 newsksec->sid = asoc->secid;
5447 newsksec->peer_sid = asoc->peer_secid;
5448 newsksec->sclass = sksec->sclass;
5449 selinux_netlbl_sctp_sk_clone(sk, newsk);
5452 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5453 struct request_sock *req)
5455 struct sk_security_struct *sksec = sk->sk_security;
5457 u16 family = req->rsk_ops->family;
5461 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5464 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5467 req->secid = connsid;
5468 req->peer_secid = peersid;
5470 return selinux_netlbl_inet_conn_request(req, family);
5473 static void selinux_inet_csk_clone(struct sock *newsk,
5474 const struct request_sock *req)
5476 struct sk_security_struct *newsksec = newsk->sk_security;
5478 newsksec->sid = req->secid;
5479 newsksec->peer_sid = req->peer_secid;
5480 /* NOTE: Ideally, we should also get the isec->sid for the
5481 new socket in sync, but we don't have the isec available yet.
5482 So we will wait until sock_graft to do it, by which
5483 time it will have been created and available. */
5485 /* We don't need to take any sort of lock here as we are the only
5486 * thread with access to newsksec */
5487 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5490 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5492 u16 family = sk->sk_family;
5493 struct sk_security_struct *sksec = sk->sk_security;
5495 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5496 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5499 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5502 static int selinux_secmark_relabel_packet(u32 sid)
5504 const struct task_security_struct *__tsec;
5507 __tsec = selinux_cred(current_cred());
5510 return avc_has_perm(&selinux_state,
5511 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5515 static void selinux_secmark_refcount_inc(void)
5517 atomic_inc(&selinux_secmark_refcount);
5520 static void selinux_secmark_refcount_dec(void)
5522 atomic_dec(&selinux_secmark_refcount);
5525 static void selinux_req_classify_flow(const struct request_sock *req,
5526 struct flowi_common *flic)
5528 flic->flowic_secid = req->secid;
5531 static int selinux_tun_dev_alloc_security(void **security)
5533 struct tun_security_struct *tunsec;
5535 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5538 tunsec->sid = current_sid();
5544 static void selinux_tun_dev_free_security(void *security)
5549 static int selinux_tun_dev_create(void)
5551 u32 sid = current_sid();
5553 /* we aren't taking into account the "sockcreate" SID since the socket
5554 * that is being created here is not a socket in the traditional sense,
5555 * instead it is a private sock, accessible only to the kernel, and
5556 * representing a wide range of network traffic spanning multiple
5557 * connections unlike traditional sockets - check the TUN driver to
5558 * get a better understanding of why this socket is special */
5560 return avc_has_perm(&selinux_state,
5561 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5565 static int selinux_tun_dev_attach_queue(void *security)
5567 struct tun_security_struct *tunsec = security;
5569 return avc_has_perm(&selinux_state,
5570 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5571 TUN_SOCKET__ATTACH_QUEUE, NULL);
5574 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5576 struct tun_security_struct *tunsec = security;
5577 struct sk_security_struct *sksec = sk->sk_security;
5579 /* we don't currently perform any NetLabel based labeling here and it
5580 * isn't clear that we would want to do so anyway; while we could apply
5581 * labeling without the support of the TUN user the resulting labeled
5582 * traffic from the other end of the connection would almost certainly
5583 * cause confusion to the TUN user that had no idea network labeling
5584 * protocols were being used */
5586 sksec->sid = tunsec->sid;
5587 sksec->sclass = SECCLASS_TUN_SOCKET;
5592 static int selinux_tun_dev_open(void *security)
5594 struct tun_security_struct *tunsec = security;
5595 u32 sid = current_sid();
5598 err = avc_has_perm(&selinux_state,
5599 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5600 TUN_SOCKET__RELABELFROM, NULL);
5603 err = avc_has_perm(&selinux_state,
5604 sid, sid, SECCLASS_TUN_SOCKET,
5605 TUN_SOCKET__RELABELTO, NULL);
5613 #ifdef CONFIG_NETFILTER
5615 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5616 const struct nf_hook_state *state)
5622 struct common_audit_data ad;
5623 struct lsm_network_audit net = {0,};
5624 int secmark_active, peerlbl_active;
5626 if (!selinux_policycap_netpeer())
5629 secmark_active = selinux_secmark_enabled();
5630 peerlbl_active = selinux_peerlbl_enabled();
5631 if (!secmark_active && !peerlbl_active)
5635 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5638 ifindex = state->in->ifindex;
5639 ad.type = LSM_AUDIT_DATA_NET;
5641 ad.u.net->netif = ifindex;
5642 ad.u.net->family = family;
5643 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5646 if (peerlbl_active) {
5649 err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5650 addrp, family, peer_sid, &ad);
5652 selinux_netlbl_err(skb, family, err, 1);
5658 if (avc_has_perm(&selinux_state,
5659 peer_sid, skb->secmark,
5660 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5663 if (netlbl_enabled())
5664 /* we do this in the FORWARD path and not the POST_ROUTING
5665 * path because we want to make sure we apply the necessary
5666 * labeling before IPsec is applied so we can leverage AH
5668 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5674 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5675 const struct nf_hook_state *state)
5680 if (!netlbl_enabled())
5683 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5684 * because we want to make sure we apply the necessary labeling
5685 * before IPsec is applied so we can leverage AH protection */
5688 struct sk_security_struct *sksec;
5690 if (sk_listener(sk))
5691 /* if the socket is the listening state then this
5692 * packet is a SYN-ACK packet which means it needs to
5693 * be labeled based on the connection/request_sock and
5694 * not the parent socket. unfortunately, we can't
5695 * lookup the request_sock yet as it isn't queued on
5696 * the parent socket until after the SYN-ACK is sent.
5697 * the "solution" is to simply pass the packet as-is
5698 * as any IP option based labeling should be copied
5699 * from the initial connection request (in the IP
5700 * layer). it is far from ideal, but until we get a
5701 * security label in the packet itself this is the
5702 * best we can do. */
5705 /* standard practice, label using the parent socket */
5706 sksec = sk->sk_security;
5709 sid = SECINITSID_KERNEL;
5710 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5717 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5718 const struct nf_hook_state *state)
5721 struct sk_security_struct *sksec;
5722 struct common_audit_data ad;
5723 struct lsm_network_audit net = {0,};
5726 sk = skb_to_full_sk(skb);
5729 sksec = sk->sk_security;
5731 ad.type = LSM_AUDIT_DATA_NET;
5733 ad.u.net->netif = state->out->ifindex;
5734 ad.u.net->family = state->pf;
5735 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5738 if (selinux_secmark_enabled())
5739 if (avc_has_perm(&selinux_state,
5740 sksec->sid, skb->secmark,
5741 SECCLASS_PACKET, PACKET__SEND, &ad))
5742 return NF_DROP_ERR(-ECONNREFUSED);
5744 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5745 return NF_DROP_ERR(-ECONNREFUSED);
5750 static unsigned int selinux_ip_postroute(void *priv,
5751 struct sk_buff *skb,
5752 const struct nf_hook_state *state)
5759 struct common_audit_data ad;
5760 struct lsm_network_audit net = {0,};
5762 int secmark_active, peerlbl_active;
5764 /* If any sort of compatibility mode is enabled then handoff processing
5765 * to the selinux_ip_postroute_compat() function to deal with the
5766 * special handling. We do this in an attempt to keep this function
5767 * as fast and as clean as possible. */
5768 if (!selinux_policycap_netpeer())
5769 return selinux_ip_postroute_compat(skb, state);
5771 secmark_active = selinux_secmark_enabled();
5772 peerlbl_active = selinux_peerlbl_enabled();
5773 if (!secmark_active && !peerlbl_active)
5776 sk = skb_to_full_sk(skb);
5779 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5780 * packet transformation so allow the packet to pass without any checks
5781 * since we'll have another chance to perform access control checks
5782 * when the packet is on it's final way out.
5783 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5784 * is NULL, in this case go ahead and apply access control.
5785 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5786 * TCP listening state we cannot wait until the XFRM processing
5787 * is done as we will miss out on the SA label if we do;
5788 * unfortunately, this means more work, but it is only once per
5790 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5791 !(sk && sk_listener(sk)))
5797 /* Without an associated socket the packet is either coming
5798 * from the kernel or it is being forwarded; check the packet
5799 * to determine which and if the packet is being forwarded
5800 * query the packet directly to determine the security label. */
5802 secmark_perm = PACKET__FORWARD_OUT;
5803 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5806 secmark_perm = PACKET__SEND;
5807 peer_sid = SECINITSID_KERNEL;
5809 } else if (sk_listener(sk)) {
5810 /* Locally generated packet but the associated socket is in the
5811 * listening state which means this is a SYN-ACK packet. In
5812 * this particular case the correct security label is assigned
5813 * to the connection/request_sock but unfortunately we can't
5814 * query the request_sock as it isn't queued on the parent
5815 * socket until after the SYN-ACK packet is sent; the only
5816 * viable choice is to regenerate the label like we do in
5817 * selinux_inet_conn_request(). See also selinux_ip_output()
5818 * for similar problems. */
5820 struct sk_security_struct *sksec;
5822 sksec = sk->sk_security;
5823 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5825 /* At this point, if the returned skb peerlbl is SECSID_NULL
5826 * and the packet has been through at least one XFRM
5827 * transformation then we must be dealing with the "final"
5828 * form of labeled IPsec packet; since we've already applied
5829 * all of our access controls on this packet we can safely
5830 * pass the packet. */
5831 if (skb_sid == SECSID_NULL) {
5834 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5838 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5842 return NF_DROP_ERR(-ECONNREFUSED);
5845 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5847 secmark_perm = PACKET__SEND;
5849 /* Locally generated packet, fetch the security label from the
5850 * associated socket. */
5851 struct sk_security_struct *sksec = sk->sk_security;
5852 peer_sid = sksec->sid;
5853 secmark_perm = PACKET__SEND;
5856 ifindex = state->out->ifindex;
5857 ad.type = LSM_AUDIT_DATA_NET;
5859 ad.u.net->netif = ifindex;
5860 ad.u.net->family = family;
5861 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5865 if (avc_has_perm(&selinux_state,
5866 peer_sid, skb->secmark,
5867 SECCLASS_PACKET, secmark_perm, &ad))
5868 return NF_DROP_ERR(-ECONNREFUSED);
5870 if (peerlbl_active) {
5874 if (sel_netif_sid(state->net, ifindex, &if_sid))
5876 if (avc_has_perm(&selinux_state,
5878 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5879 return NF_DROP_ERR(-ECONNREFUSED);
5881 if (sel_netnode_sid(addrp, family, &node_sid))
5883 if (avc_has_perm(&selinux_state,
5885 SECCLASS_NODE, NODE__SENDTO, &ad))
5886 return NF_DROP_ERR(-ECONNREFUSED);
5891 #endif /* CONFIG_NETFILTER */
5893 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5896 unsigned int msg_len;
5897 unsigned int data_len = skb->len;
5898 unsigned char *data = skb->data;
5899 struct nlmsghdr *nlh;
5900 struct sk_security_struct *sksec = sk->sk_security;
5901 u16 sclass = sksec->sclass;
5904 while (data_len >= nlmsg_total_size(0)) {
5905 nlh = (struct nlmsghdr *)data;
5907 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5908 * users which means we can't reject skb's with bogus
5909 * length fields; our solution is to follow what
5910 * netlink_rcv_skb() does and simply skip processing at
5911 * messages with length fields that are clearly junk
5913 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5916 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5918 rc = sock_has_perm(sk, perm);
5921 } else if (rc == -EINVAL) {
5922 /* -EINVAL is a missing msg/perm mapping */
5923 pr_warn_ratelimited("SELinux: unrecognized netlink"
5924 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5925 " pid=%d comm=%s\n",
5926 sk->sk_protocol, nlh->nlmsg_type,
5927 secclass_map[sclass - 1].name,
5928 task_pid_nr(current), current->comm);
5929 if (enforcing_enabled(&selinux_state) &&
5930 !security_get_allow_unknown(&selinux_state))
5933 } else if (rc == -ENOENT) {
5934 /* -ENOENT is a missing socket/class mapping, ignore */
5940 /* move to the next message after applying netlink padding */
5941 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5942 if (msg_len >= data_len)
5944 data_len -= msg_len;
5951 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5953 isec->sclass = sclass;
5954 isec->sid = current_sid();
5957 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5960 struct ipc_security_struct *isec;
5961 struct common_audit_data ad;
5962 u32 sid = current_sid();
5964 isec = selinux_ipc(ipc_perms);
5966 ad.type = LSM_AUDIT_DATA_IPC;
5967 ad.u.ipc_id = ipc_perms->key;
5969 return avc_has_perm(&selinux_state,
5970 sid, isec->sid, isec->sclass, perms, &ad);
5973 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5975 struct msg_security_struct *msec;
5977 msec = selinux_msg_msg(msg);
5978 msec->sid = SECINITSID_UNLABELED;
5983 /* message queue security operations */
5984 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5986 struct ipc_security_struct *isec;
5987 struct common_audit_data ad;
5988 u32 sid = current_sid();
5991 isec = selinux_ipc(msq);
5992 ipc_init_security(isec, SECCLASS_MSGQ);
5994 ad.type = LSM_AUDIT_DATA_IPC;
5995 ad.u.ipc_id = msq->key;
5997 rc = avc_has_perm(&selinux_state,
5998 sid, isec->sid, SECCLASS_MSGQ,
6003 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6005 struct ipc_security_struct *isec;
6006 struct common_audit_data ad;
6007 u32 sid = current_sid();
6009 isec = selinux_ipc(msq);
6011 ad.type = LSM_AUDIT_DATA_IPC;
6012 ad.u.ipc_id = msq->key;
6014 return avc_has_perm(&selinux_state,
6015 sid, isec->sid, SECCLASS_MSGQ,
6016 MSGQ__ASSOCIATE, &ad);
6019 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6027 /* No specific object, just general system-wide information. */
6028 return avc_has_perm(&selinux_state,
6029 current_sid(), SECINITSID_KERNEL,
6030 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6034 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6037 perms = MSGQ__SETATTR;
6040 perms = MSGQ__DESTROY;
6046 err = ipc_has_perm(msq, perms);
6050 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6052 struct ipc_security_struct *isec;
6053 struct msg_security_struct *msec;
6054 struct common_audit_data ad;
6055 u32 sid = current_sid();
6058 isec = selinux_ipc(msq);
6059 msec = selinux_msg_msg(msg);
6062 * First time through, need to assign label to the message
6064 if (msec->sid == SECINITSID_UNLABELED) {
6066 * Compute new sid based on current process and
6067 * message queue this message will be stored in
6069 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6070 SECCLASS_MSG, NULL, &msec->sid);
6075 ad.type = LSM_AUDIT_DATA_IPC;
6076 ad.u.ipc_id = msq->key;
6078 /* Can this process write to the queue? */
6079 rc = avc_has_perm(&selinux_state,
6080 sid, isec->sid, SECCLASS_MSGQ,
6083 /* Can this process send the message */
6084 rc = avc_has_perm(&selinux_state,
6085 sid, msec->sid, SECCLASS_MSG,
6088 /* Can the message be put in the queue? */
6089 rc = avc_has_perm(&selinux_state,
6090 msec->sid, isec->sid, SECCLASS_MSGQ,
6091 MSGQ__ENQUEUE, &ad);
6096 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6097 struct task_struct *target,
6098 long type, int mode)
6100 struct ipc_security_struct *isec;
6101 struct msg_security_struct *msec;
6102 struct common_audit_data ad;
6103 u32 sid = task_sid_obj(target);
6106 isec = selinux_ipc(msq);
6107 msec = selinux_msg_msg(msg);
6109 ad.type = LSM_AUDIT_DATA_IPC;
6110 ad.u.ipc_id = msq->key;
6112 rc = avc_has_perm(&selinux_state,
6114 SECCLASS_MSGQ, MSGQ__READ, &ad);
6116 rc = avc_has_perm(&selinux_state,
6118 SECCLASS_MSG, MSG__RECEIVE, &ad);
6122 /* Shared Memory security operations */
6123 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6125 struct ipc_security_struct *isec;
6126 struct common_audit_data ad;
6127 u32 sid = current_sid();
6130 isec = selinux_ipc(shp);
6131 ipc_init_security(isec, SECCLASS_SHM);
6133 ad.type = LSM_AUDIT_DATA_IPC;
6134 ad.u.ipc_id = shp->key;
6136 rc = avc_has_perm(&selinux_state,
6137 sid, isec->sid, SECCLASS_SHM,
6142 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6144 struct ipc_security_struct *isec;
6145 struct common_audit_data ad;
6146 u32 sid = current_sid();
6148 isec = selinux_ipc(shp);
6150 ad.type = LSM_AUDIT_DATA_IPC;
6151 ad.u.ipc_id = shp->key;
6153 return avc_has_perm(&selinux_state,
6154 sid, isec->sid, SECCLASS_SHM,
6155 SHM__ASSOCIATE, &ad);
6158 /* Note, at this point, shp is locked down */
6159 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6167 /* No specific object, just general system-wide information. */
6168 return avc_has_perm(&selinux_state,
6169 current_sid(), SECINITSID_KERNEL,
6170 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6174 perms = SHM__GETATTR | SHM__ASSOCIATE;
6177 perms = SHM__SETATTR;
6184 perms = SHM__DESTROY;
6190 err = ipc_has_perm(shp, perms);
6194 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6195 char __user *shmaddr, int shmflg)
6199 if (shmflg & SHM_RDONLY)
6202 perms = SHM__READ | SHM__WRITE;
6204 return ipc_has_perm(shp, perms);
6207 /* Semaphore security operations */
6208 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6210 struct ipc_security_struct *isec;
6211 struct common_audit_data ad;
6212 u32 sid = current_sid();
6215 isec = selinux_ipc(sma);
6216 ipc_init_security(isec, SECCLASS_SEM);
6218 ad.type = LSM_AUDIT_DATA_IPC;
6219 ad.u.ipc_id = sma->key;
6221 rc = avc_has_perm(&selinux_state,
6222 sid, isec->sid, SECCLASS_SEM,
6227 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6229 struct ipc_security_struct *isec;
6230 struct common_audit_data ad;
6231 u32 sid = current_sid();
6233 isec = selinux_ipc(sma);
6235 ad.type = LSM_AUDIT_DATA_IPC;
6236 ad.u.ipc_id = sma->key;
6238 return avc_has_perm(&selinux_state,
6239 sid, isec->sid, SECCLASS_SEM,
6240 SEM__ASSOCIATE, &ad);
6243 /* Note, at this point, sma is locked down */
6244 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6252 /* No specific object, just general system-wide information. */
6253 return avc_has_perm(&selinux_state,
6254 current_sid(), SECINITSID_KERNEL,
6255 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6259 perms = SEM__GETATTR;
6270 perms = SEM__DESTROY;
6273 perms = SEM__SETATTR;
6278 perms = SEM__GETATTR | SEM__ASSOCIATE;
6284 err = ipc_has_perm(sma, perms);
6288 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6289 struct sembuf *sops, unsigned nsops, int alter)
6294 perms = SEM__READ | SEM__WRITE;
6298 return ipc_has_perm(sma, perms);
6301 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6307 av |= IPC__UNIX_READ;
6309 av |= IPC__UNIX_WRITE;
6314 return ipc_has_perm(ipcp, av);
6317 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6319 struct ipc_security_struct *isec = selinux_ipc(ipcp);
6323 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6326 inode_doinit_with_dentry(inode, dentry);
6329 static int selinux_getprocattr(struct task_struct *p,
6330 char *name, char **value)
6332 const struct task_security_struct *__tsec;
6338 __tsec = selinux_cred(__task_cred(p));
6341 error = avc_has_perm(&selinux_state,
6342 current_sid(), __tsec->sid,
6343 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6348 if (!strcmp(name, "current"))
6350 else if (!strcmp(name, "prev"))
6352 else if (!strcmp(name, "exec"))
6353 sid = __tsec->exec_sid;
6354 else if (!strcmp(name, "fscreate"))
6355 sid = __tsec->create_sid;
6356 else if (!strcmp(name, "keycreate"))
6357 sid = __tsec->keycreate_sid;
6358 else if (!strcmp(name, "sockcreate"))
6359 sid = __tsec->sockcreate_sid;
6369 error = security_sid_to_context(&selinux_state, sid, value, &len);
6379 static int selinux_setprocattr(const char *name, void *value, size_t size)
6381 struct task_security_struct *tsec;
6383 u32 mysid = current_sid(), sid = 0, ptsid;
6388 * Basic control over ability to set these attributes at all.
6390 if (!strcmp(name, "exec"))
6391 error = avc_has_perm(&selinux_state,
6392 mysid, mysid, SECCLASS_PROCESS,
6393 PROCESS__SETEXEC, NULL);
6394 else if (!strcmp(name, "fscreate"))
6395 error = avc_has_perm(&selinux_state,
6396 mysid, mysid, SECCLASS_PROCESS,
6397 PROCESS__SETFSCREATE, NULL);
6398 else if (!strcmp(name, "keycreate"))
6399 error = avc_has_perm(&selinux_state,
6400 mysid, mysid, SECCLASS_PROCESS,
6401 PROCESS__SETKEYCREATE, NULL);
6402 else if (!strcmp(name, "sockcreate"))
6403 error = avc_has_perm(&selinux_state,
6404 mysid, mysid, SECCLASS_PROCESS,
6405 PROCESS__SETSOCKCREATE, NULL);
6406 else if (!strcmp(name, "current"))
6407 error = avc_has_perm(&selinux_state,
6408 mysid, mysid, SECCLASS_PROCESS,
6409 PROCESS__SETCURRENT, NULL);
6415 /* Obtain a SID for the context, if one was specified. */
6416 if (size && str[0] && str[0] != '\n') {
6417 if (str[size-1] == '\n') {
6421 error = security_context_to_sid(&selinux_state, value, size,
6423 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6424 if (!has_cap_mac_admin(true)) {
6425 struct audit_buffer *ab;
6428 /* We strip a nul only if it is at the end, otherwise the
6429 * context contains a nul and we should audit that */
6430 if (str[size - 1] == '\0')
6431 audit_size = size - 1;
6434 ab = audit_log_start(audit_context(),
6439 audit_log_format(ab, "op=fscreate invalid_context=");
6440 audit_log_n_untrustedstring(ab, value, audit_size);
6445 error = security_context_to_sid_force(
6453 new = prepare_creds();
6457 /* Permission checking based on the specified context is
6458 performed during the actual operation (execve,
6459 open/mkdir/...), when we know the full context of the
6460 operation. See selinux_bprm_creds_for_exec for the execve
6461 checks and may_create for the file creation checks. The
6462 operation will then fail if the context is not permitted. */
6463 tsec = selinux_cred(new);
6464 if (!strcmp(name, "exec")) {
6465 tsec->exec_sid = sid;
6466 } else if (!strcmp(name, "fscreate")) {
6467 tsec->create_sid = sid;
6468 } else if (!strcmp(name, "keycreate")) {
6470 error = avc_has_perm(&selinux_state, mysid, sid,
6471 SECCLASS_KEY, KEY__CREATE, NULL);
6475 tsec->keycreate_sid = sid;
6476 } else if (!strcmp(name, "sockcreate")) {
6477 tsec->sockcreate_sid = sid;
6478 } else if (!strcmp(name, "current")) {
6483 /* Only allow single threaded processes to change context */
6484 if (!current_is_single_threaded()) {
6485 error = security_bounded_transition(&selinux_state,
6491 /* Check permissions for the transition. */
6492 error = avc_has_perm(&selinux_state,
6493 tsec->sid, sid, SECCLASS_PROCESS,
6494 PROCESS__DYNTRANSITION, NULL);
6498 /* Check for ptracing, and update the task SID if ok.
6499 Otherwise, leave SID unchanged and fail. */
6500 ptsid = ptrace_parent_sid();
6502 error = avc_has_perm(&selinux_state,
6503 ptsid, sid, SECCLASS_PROCESS,
6504 PROCESS__PTRACE, NULL);
6523 static int selinux_ismaclabel(const char *name)
6525 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6528 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6530 return security_sid_to_context(&selinux_state, secid,
6534 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6536 return security_context_to_sid(&selinux_state, secdata, seclen,
6540 static void selinux_release_secctx(char *secdata, u32 seclen)
6545 static void selinux_inode_invalidate_secctx(struct inode *inode)
6547 struct inode_security_struct *isec = selinux_inode(inode);
6549 spin_lock(&isec->lock);
6550 isec->initialized = LABEL_INVALID;
6551 spin_unlock(&isec->lock);
6555 * called with inode->i_mutex locked
6557 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6559 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6561 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6562 return rc == -EOPNOTSUPP ? 0 : rc;
6566 * called with inode->i_mutex locked
6568 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6570 return __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_SELINUX,
6574 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6577 len = selinux_inode_getsecurity(&init_user_ns, inode,
6578 XATTR_SELINUX_SUFFIX, ctx, true);
6586 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6587 unsigned long flags)
6589 const struct task_security_struct *tsec;
6590 struct key_security_struct *ksec;
6592 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6596 tsec = selinux_cred(cred);
6597 if (tsec->keycreate_sid)
6598 ksec->sid = tsec->keycreate_sid;
6600 ksec->sid = tsec->sid;
6606 static void selinux_key_free(struct key *k)
6608 struct key_security_struct *ksec = k->security;
6614 static int selinux_key_permission(key_ref_t key_ref,
6615 const struct cred *cred,
6616 enum key_need_perm need_perm)
6619 struct key_security_struct *ksec;
6622 switch (need_perm) {
6629 case KEY_NEED_WRITE:
6632 case KEY_NEED_SEARCH:
6638 case KEY_NEED_SETATTR:
6639 perm = KEY__SETATTR;
6641 case KEY_NEED_UNLINK:
6642 case KEY_SYSADMIN_OVERRIDE:
6643 case KEY_AUTHTOKEN_OVERRIDE:
6644 case KEY_DEFER_PERM_CHECK:
6652 sid = cred_sid(cred);
6653 key = key_ref_to_ptr(key_ref);
6654 ksec = key->security;
6656 return avc_has_perm(&selinux_state,
6657 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6660 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6662 struct key_security_struct *ksec = key->security;
6663 char *context = NULL;
6667 rc = security_sid_to_context(&selinux_state, ksec->sid,
6675 #ifdef CONFIG_KEY_NOTIFICATIONS
6676 static int selinux_watch_key(struct key *key)
6678 struct key_security_struct *ksec = key->security;
6679 u32 sid = current_sid();
6681 return avc_has_perm(&selinux_state,
6682 sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6687 #ifdef CONFIG_SECURITY_INFINIBAND
6688 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6690 struct common_audit_data ad;
6693 struct ib_security_struct *sec = ib_sec;
6694 struct lsm_ibpkey_audit ibpkey;
6696 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6700 ad.type = LSM_AUDIT_DATA_IBPKEY;
6701 ibpkey.subnet_prefix = subnet_prefix;
6702 ibpkey.pkey = pkey_val;
6703 ad.u.ibpkey = &ibpkey;
6704 return avc_has_perm(&selinux_state,
6706 SECCLASS_INFINIBAND_PKEY,
6707 INFINIBAND_PKEY__ACCESS, &ad);
6710 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6713 struct common_audit_data ad;
6716 struct ib_security_struct *sec = ib_sec;
6717 struct lsm_ibendport_audit ibendport;
6719 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6725 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6726 ibendport.dev_name = dev_name;
6727 ibendport.port = port_num;
6728 ad.u.ibendport = &ibendport;
6729 return avc_has_perm(&selinux_state,
6731 SECCLASS_INFINIBAND_ENDPORT,
6732 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6735 static int selinux_ib_alloc_security(void **ib_sec)
6737 struct ib_security_struct *sec;
6739 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6742 sec->sid = current_sid();
6748 static void selinux_ib_free_security(void *ib_sec)
6754 #ifdef CONFIG_BPF_SYSCALL
6755 static int selinux_bpf(int cmd, union bpf_attr *attr,
6758 u32 sid = current_sid();
6762 case BPF_MAP_CREATE:
6763 ret = avc_has_perm(&selinux_state,
6764 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6768 ret = avc_has_perm(&selinux_state,
6769 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6780 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6784 if (fmode & FMODE_READ)
6785 av |= BPF__MAP_READ;
6786 if (fmode & FMODE_WRITE)
6787 av |= BPF__MAP_WRITE;
6791 /* This function will check the file pass through unix socket or binder to see
6792 * if it is a bpf related object. And apply corresponding checks on the bpf
6793 * object based on the type. The bpf maps and programs, not like other files and
6794 * socket, are using a shared anonymous inode inside the kernel as their inode.
6795 * So checking that inode cannot identify if the process have privilege to
6796 * access the bpf object and that's why we have to add this additional check in
6797 * selinux_file_receive and selinux_binder_transfer_files.
6799 static int bpf_fd_pass(struct file *file, u32 sid)
6801 struct bpf_security_struct *bpfsec;
6802 struct bpf_prog *prog;
6803 struct bpf_map *map;
6806 if (file->f_op == &bpf_map_fops) {
6807 map = file->private_data;
6808 bpfsec = map->security;
6809 ret = avc_has_perm(&selinux_state,
6810 sid, bpfsec->sid, SECCLASS_BPF,
6811 bpf_map_fmode_to_av(file->f_mode), NULL);
6814 } else if (file->f_op == &bpf_prog_fops) {
6815 prog = file->private_data;
6816 bpfsec = prog->aux->security;
6817 ret = avc_has_perm(&selinux_state,
6818 sid, bpfsec->sid, SECCLASS_BPF,
6819 BPF__PROG_RUN, NULL);
6826 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6828 u32 sid = current_sid();
6829 struct bpf_security_struct *bpfsec;
6831 bpfsec = map->security;
6832 return avc_has_perm(&selinux_state,
6833 sid, bpfsec->sid, SECCLASS_BPF,
6834 bpf_map_fmode_to_av(fmode), NULL);
6837 static int selinux_bpf_prog(struct bpf_prog *prog)
6839 u32 sid = current_sid();
6840 struct bpf_security_struct *bpfsec;
6842 bpfsec = prog->aux->security;
6843 return avc_has_perm(&selinux_state,
6844 sid, bpfsec->sid, SECCLASS_BPF,
6845 BPF__PROG_RUN, NULL);
6848 static int selinux_bpf_map_alloc(struct bpf_map *map)
6850 struct bpf_security_struct *bpfsec;
6852 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6856 bpfsec->sid = current_sid();
6857 map->security = bpfsec;
6862 static void selinux_bpf_map_free(struct bpf_map *map)
6864 struct bpf_security_struct *bpfsec = map->security;
6866 map->security = NULL;
6870 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6872 struct bpf_security_struct *bpfsec;
6874 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6878 bpfsec->sid = current_sid();
6879 aux->security = bpfsec;
6884 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6886 struct bpf_security_struct *bpfsec = aux->security;
6888 aux->security = NULL;
6893 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6894 .lbs_cred = sizeof(struct task_security_struct),
6895 .lbs_file = sizeof(struct file_security_struct),
6896 .lbs_inode = sizeof(struct inode_security_struct),
6897 .lbs_ipc = sizeof(struct ipc_security_struct),
6898 .lbs_msg_msg = sizeof(struct msg_security_struct),
6899 .lbs_superblock = sizeof(struct superblock_security_struct),
6902 #ifdef CONFIG_PERF_EVENTS
6903 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6905 u32 requested, sid = current_sid();
6907 if (type == PERF_SECURITY_OPEN)
6908 requested = PERF_EVENT__OPEN;
6909 else if (type == PERF_SECURITY_CPU)
6910 requested = PERF_EVENT__CPU;
6911 else if (type == PERF_SECURITY_KERNEL)
6912 requested = PERF_EVENT__KERNEL;
6913 else if (type == PERF_SECURITY_TRACEPOINT)
6914 requested = PERF_EVENT__TRACEPOINT;
6918 return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6922 static int selinux_perf_event_alloc(struct perf_event *event)
6924 struct perf_event_security_struct *perfsec;
6926 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6930 perfsec->sid = current_sid();
6931 event->security = perfsec;
6936 static void selinux_perf_event_free(struct perf_event *event)
6938 struct perf_event_security_struct *perfsec = event->security;
6940 event->security = NULL;
6944 static int selinux_perf_event_read(struct perf_event *event)
6946 struct perf_event_security_struct *perfsec = event->security;
6947 u32 sid = current_sid();
6949 return avc_has_perm(&selinux_state, sid, perfsec->sid,
6950 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6953 static int selinux_perf_event_write(struct perf_event *event)
6955 struct perf_event_security_struct *perfsec = event->security;
6956 u32 sid = current_sid();
6958 return avc_has_perm(&selinux_state, sid, perfsec->sid,
6959 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6963 #ifdef CONFIG_IO_URING
6965 * selinux_uring_override_creds - check the requested cred override
6966 * @new: the target creds
6968 * Check to see if the current task is allowed to override it's credentials
6969 * to service an io_uring operation.
6971 static int selinux_uring_override_creds(const struct cred *new)
6973 return avc_has_perm(&selinux_state, current_sid(), cred_sid(new),
6974 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
6978 * selinux_uring_sqpoll - check if a io_uring polling thread can be created
6980 * Check to see if the current task is allowed to create a new io_uring
6981 * kernel polling thread.
6983 static int selinux_uring_sqpoll(void)
6985 int sid = current_sid();
6987 return avc_has_perm(&selinux_state, sid, sid,
6988 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
6990 #endif /* CONFIG_IO_URING */
6993 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
6994 * 1. any hooks that don't belong to (2.) or (3.) below,
6995 * 2. hooks that both access structures allocated by other hooks, and allocate
6996 * structures that can be later accessed by other hooks (mostly "cloning"
6998 * 3. hooks that only allocate structures that can be later accessed by other
6999 * hooks ("allocating" hooks).
7001 * Please follow block comment delimiters in the list to keep this order.
7003 * This ordering is needed for SELinux runtime disable to work at least somewhat
7004 * safely. Breaking the ordering rules above might lead to NULL pointer derefs
7005 * when disabling SELinux at runtime.
7007 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
7008 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7009 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7010 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7011 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7013 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7014 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7015 LSM_HOOK_INIT(capget, selinux_capget),
7016 LSM_HOOK_INIT(capset, selinux_capset),
7017 LSM_HOOK_INIT(capable, selinux_capable),
7018 LSM_HOOK_INIT(quotactl, selinux_quotactl),
7019 LSM_HOOK_INIT(quota_on, selinux_quota_on),
7020 LSM_HOOK_INIT(syslog, selinux_syslog),
7021 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7023 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7025 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7026 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7027 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7029 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7030 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7031 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7032 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7033 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7034 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7035 LSM_HOOK_INIT(sb_mount, selinux_mount),
7036 LSM_HOOK_INIT(sb_umount, selinux_umount),
7037 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7038 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7040 LSM_HOOK_INIT(move_mount, selinux_move_mount),
7042 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7043 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7045 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7046 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7047 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7048 LSM_HOOK_INIT(inode_create, selinux_inode_create),
7049 LSM_HOOK_INIT(inode_link, selinux_inode_link),
7050 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7051 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7052 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7053 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7054 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7055 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7056 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7057 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7058 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7059 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7060 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7061 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7062 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7063 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7064 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7065 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7066 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7067 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7068 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7069 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7070 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7071 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7072 LSM_HOOK_INIT(path_notify, selinux_path_notify),
7074 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7076 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7077 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7078 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7079 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7080 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7081 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7082 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7083 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7084 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7085 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7086 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7088 LSM_HOOK_INIT(file_open, selinux_file_open),
7090 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7091 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7092 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7093 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7094 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7095 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7096 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7097 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7098 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7099 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7100 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7101 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7102 LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7103 LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7104 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7105 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7106 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7107 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7108 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7109 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7110 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7111 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7112 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7113 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7115 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7116 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7118 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7119 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7120 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7121 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7123 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7124 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7125 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7127 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7128 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7129 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7131 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7133 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7134 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7136 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7137 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7138 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7139 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7140 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7141 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7143 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7144 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7146 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7147 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7148 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7149 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7150 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7151 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7152 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7153 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7154 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7155 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7156 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7157 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7158 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7159 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7160 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7161 LSM_HOOK_INIT(socket_getpeersec_stream,
7162 selinux_socket_getpeersec_stream),
7163 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7164 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7165 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7166 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7167 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7168 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7169 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7170 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7171 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7172 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7173 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7174 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7175 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7176 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7177 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7178 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7179 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7180 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7181 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7182 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7183 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7184 #ifdef CONFIG_SECURITY_INFINIBAND
7185 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7186 LSM_HOOK_INIT(ib_endport_manage_subnet,
7187 selinux_ib_endport_manage_subnet),
7188 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7190 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7191 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7192 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7193 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7194 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7195 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7196 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7197 selinux_xfrm_state_pol_flow_match),
7198 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7202 LSM_HOOK_INIT(key_free, selinux_key_free),
7203 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7204 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7205 #ifdef CONFIG_KEY_NOTIFICATIONS
7206 LSM_HOOK_INIT(watch_key, selinux_watch_key),
7211 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7212 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7213 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7216 #ifdef CONFIG_BPF_SYSCALL
7217 LSM_HOOK_INIT(bpf, selinux_bpf),
7218 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7219 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7220 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7221 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7224 #ifdef CONFIG_PERF_EVENTS
7225 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7226 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7227 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7228 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7231 #ifdef CONFIG_IO_URING
7232 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7233 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7237 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7239 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7240 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7241 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7242 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7243 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7247 * PUT "ALLOCATING" HOOKS HERE
7249 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7250 LSM_HOOK_INIT(msg_queue_alloc_security,
7251 selinux_msg_queue_alloc_security),
7252 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7253 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7254 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7255 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7256 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7257 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7258 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7259 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7260 #ifdef CONFIG_SECURITY_INFINIBAND
7261 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7263 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7264 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7265 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7266 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7267 selinux_xfrm_state_alloc_acquire),
7270 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7273 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7275 #ifdef CONFIG_BPF_SYSCALL
7276 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7277 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7279 #ifdef CONFIG_PERF_EVENTS
7280 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7284 static __init int selinux_init(void)
7286 pr_info("SELinux: Initializing.\n");
7288 memset(&selinux_state, 0, sizeof(selinux_state));
7289 enforcing_set(&selinux_state, selinux_enforcing_boot);
7290 if (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE)
7291 pr_err("SELinux: CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is non-zero. This is deprecated and will be rejected in a future kernel release.\n");
7292 checkreqprot_set(&selinux_state, selinux_checkreqprot_boot);
7293 selinux_avc_init(&selinux_state.avc);
7294 mutex_init(&selinux_state.status_lock);
7295 mutex_init(&selinux_state.policy_mutex);
7297 /* Set the security state for the initial task. */
7298 cred_init_security();
7300 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7306 ebitmap_cache_init();
7308 hashtab_cache_init();
7310 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7312 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7313 panic("SELinux: Unable to register AVC netcache callback\n");
7315 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7316 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7318 if (selinux_enforcing_boot)
7319 pr_debug("SELinux: Starting in enforcing mode\n");
7321 pr_debug("SELinux: Starting in permissive mode\n");
7323 fs_validate_description("selinux", selinux_fs_parameters);
7328 static void delayed_superblock_init(struct super_block *sb, void *unused)
7330 selinux_set_mnt_opts(sb, NULL, 0, NULL);
7333 void selinux_complete_init(void)
7335 pr_debug("SELinux: Completing initialization.\n");
7337 /* Set up any superblocks initialized prior to the policy load. */
7338 pr_debug("SELinux: Setting up existing superblocks.\n");
7339 iterate_supers(delayed_superblock_init, NULL);
7342 /* SELinux requires early initialization in order to label
7343 all processes and objects when they are created. */
7344 DEFINE_LSM(selinux) = {
7346 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7347 .enabled = &selinux_enabled_boot,
7348 .blobs = &selinux_blob_sizes,
7349 .init = selinux_init,
7352 #if defined(CONFIG_NETFILTER)
7354 static const struct nf_hook_ops selinux_nf_ops[] = {
7356 .hook = selinux_ip_postroute,
7358 .hooknum = NF_INET_POST_ROUTING,
7359 .priority = NF_IP_PRI_SELINUX_LAST,
7362 .hook = selinux_ip_forward,
7364 .hooknum = NF_INET_FORWARD,
7365 .priority = NF_IP_PRI_SELINUX_FIRST,
7368 .hook = selinux_ip_output,
7370 .hooknum = NF_INET_LOCAL_OUT,
7371 .priority = NF_IP_PRI_SELINUX_FIRST,
7373 #if IS_ENABLED(CONFIG_IPV6)
7375 .hook = selinux_ip_postroute,
7377 .hooknum = NF_INET_POST_ROUTING,
7378 .priority = NF_IP6_PRI_SELINUX_LAST,
7381 .hook = selinux_ip_forward,
7383 .hooknum = NF_INET_FORWARD,
7384 .priority = NF_IP6_PRI_SELINUX_FIRST,
7387 .hook = selinux_ip_output,
7389 .hooknum = NF_INET_LOCAL_OUT,
7390 .priority = NF_IP6_PRI_SELINUX_FIRST,
7395 static int __net_init selinux_nf_register(struct net *net)
7397 return nf_register_net_hooks(net, selinux_nf_ops,
7398 ARRAY_SIZE(selinux_nf_ops));
7401 static void __net_exit selinux_nf_unregister(struct net *net)
7403 nf_unregister_net_hooks(net, selinux_nf_ops,
7404 ARRAY_SIZE(selinux_nf_ops));
7407 static struct pernet_operations selinux_net_ops = {
7408 .init = selinux_nf_register,
7409 .exit = selinux_nf_unregister,
7412 static int __init selinux_nf_ip_init(void)
7416 if (!selinux_enabled_boot)
7419 pr_debug("SELinux: Registering netfilter hooks\n");
7421 err = register_pernet_subsys(&selinux_net_ops);
7423 panic("SELinux: register_pernet_subsys: error %d\n", err);
7427 __initcall(selinux_nf_ip_init);
7429 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7430 static void selinux_nf_ip_exit(void)
7432 pr_debug("SELinux: Unregistering netfilter hooks\n");
7434 unregister_pernet_subsys(&selinux_net_ops);
7438 #else /* CONFIG_NETFILTER */
7440 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7441 #define selinux_nf_ip_exit()
7444 #endif /* CONFIG_NETFILTER */
7446 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7447 int selinux_disable(struct selinux_state *state)
7449 if (selinux_initialized(state)) {
7450 /* Not permitted after initial policy load. */
7454 if (selinux_disabled(state)) {
7455 /* Only do this once. */
7459 selinux_mark_disabled(state);
7461 pr_info("SELinux: Disabled at runtime.\n");
7464 * Unregister netfilter hooks.
7465 * Must be done before security_delete_hooks() to avoid breaking
7468 selinux_nf_ip_exit();
7470 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7472 /* Try to destroy the avc node cache */
7475 /* Unregister selinuxfs. */