2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
103 struct selinux_state selinux_state;
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
111 static int __init enforcing_setup(char *str)
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
118 __setup("enforcing=", enforcing_setup);
120 #define selinux_enforcing_boot 1
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
126 static int __init selinux_enabled_setup(char *str)
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
133 __setup("selinux=", selinux_enabled_setup);
135 int selinux_enabled = 1;
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 static int __init checkreqprot_setup(char *str)
143 unsigned long checkreqprot;
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
149 __setup("checkreqprot=", checkreqprot_setup);
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
165 static int selinux_secmark_enabled(void)
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
181 static int selinux_peerlbl_enabled(void)
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
187 static int selinux_netcache_avc_callback(u32 event)
189 if (event == AVC_CALLBACK_RESET) {
198 static int selinux_lsm_notifier_avc_callback(u32 event)
200 if (event == AVC_CALLBACK_RESET) {
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
209 * initialise the security for the init task
211 static void cred_init_security(void)
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
218 panic("SELinux: Failed to initialize initial task.\n");
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
225 * get the security ID of a set of credentials
227 static inline u32 cred_sid(const struct cred *cred)
229 const struct task_security_struct *tsec;
231 tsec = cred->security;
236 * get the objective security ID of a task
238 static inline u32 task_sid(const struct task_struct *task)
243 sid = cred_sid(__task_cred(task));
248 /* Allocate and free functions for each kind of security blob. */
250 static int inode_alloc_security(struct inode *inode)
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @dentry parameter should be set to a dentry of the inode.
279 static int __inode_security_revalidate(struct inode *inode,
280 struct dentry *dentry,
283 struct inode_security_struct *isec = inode->i_security;
285 might_sleep_if(may_sleep);
287 if (selinux_state.initialized &&
288 isec->initialized != LABEL_INITIALIZED) {
293 * Try reloading the inode security label. This will fail if
294 * @opt_dentry is NULL and no dentry for this inode can be
295 * found; in that case, continue using the old label.
297 inode_doinit_with_dentry(inode, dentry);
302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304 return inode->i_security;
307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
311 error = __inode_security_revalidate(inode, NULL, !rcu);
313 return ERR_PTR(error);
314 return inode->i_security;
318 * Get the security label of an inode.
320 static struct inode_security_struct *inode_security(struct inode *inode)
322 __inode_security_revalidate(inode, NULL, true);
323 return inode->i_security;
326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328 struct inode *inode = d_backing_inode(dentry);
330 return inode->i_security;
334 * Get the security label of a dentry's backing inode.
336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338 struct inode *inode = d_backing_inode(dentry);
340 __inode_security_revalidate(inode, dentry, true);
341 return inode->i_security;
344 static void inode_free_rcu(struct rcu_head *head)
346 struct inode_security_struct *isec;
348 isec = container_of(head, struct inode_security_struct, rcu);
349 kmem_cache_free(sel_inode_cache, isec);
352 static void inode_free_security(struct inode *inode)
354 struct inode_security_struct *isec = inode->i_security;
355 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
358 * As not all inode security structures are in a list, we check for
359 * empty list outside of the lock to make sure that we won't waste
360 * time taking a lock doing nothing.
362 * The list_del_init() function can be safely called more than once.
363 * It should not be possible for this function to be called with
364 * concurrent list_add(), but for better safety against future changes
365 * in the code, we use list_empty_careful() here.
367 if (!list_empty_careful(&isec->list)) {
368 spin_lock(&sbsec->isec_lock);
369 list_del_init(&isec->list);
370 spin_unlock(&sbsec->isec_lock);
374 * The inode may still be referenced in a path walk and
375 * a call to selinux_inode_permission() can be made
376 * after inode_free_security() is called. Ideally, the VFS
377 * wouldn't do this, but fixing that is a much harder
378 * job. For now, simply free the i_security via RCU, and
379 * leave the current inode->i_security pointer intact.
380 * The inode will be freed after the RCU grace period too.
382 call_rcu(&isec->rcu, inode_free_rcu);
385 static int file_alloc_security(struct file *file)
387 struct file_security_struct *fsec;
388 u32 sid = current_sid();
390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
395 fsec->fown_sid = sid;
396 file->f_security = fsec;
401 static void file_free_security(struct file *file)
403 struct file_security_struct *fsec = file->f_security;
404 file->f_security = NULL;
405 kmem_cache_free(file_security_cache, fsec);
408 static int superblock_alloc_security(struct super_block *sb)
410 struct superblock_security_struct *sbsec;
412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
416 mutex_init(&sbsec->lock);
417 INIT_LIST_HEAD(&sbsec->isec_head);
418 spin_lock_init(&sbsec->isec_lock);
420 sbsec->sid = SECINITSID_UNLABELED;
421 sbsec->def_sid = SECINITSID_FILE;
422 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423 sb->s_security = sbsec;
428 static void superblock_free_security(struct super_block *sb)
430 struct superblock_security_struct *sbsec = sb->s_security;
431 sb->s_security = NULL;
435 static inline int inode_doinit(struct inode *inode)
437 return inode_doinit_with_dentry(inode, NULL);
446 Opt_labelsupport = 5,
450 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
452 static const match_table_t tokens = {
453 {Opt_context, CONTEXT_STR "%s"},
454 {Opt_fscontext, FSCONTEXT_STR "%s"},
455 {Opt_defcontext, DEFCONTEXT_STR "%s"},
456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457 {Opt_labelsupport, LABELSUPP_STR},
461 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
463 static int may_context_mount_sb_relabel(u32 sid,
464 struct superblock_security_struct *sbsec,
465 const struct cred *cred)
467 const struct task_security_struct *tsec = cred->security;
470 rc = avc_has_perm(&selinux_state,
471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 FILESYSTEM__RELABELFROM, NULL);
476 rc = avc_has_perm(&selinux_state,
477 tsec->sid, sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__RELABELTO, NULL);
482 static int may_context_mount_inode_relabel(u32 sid,
483 struct superblock_security_struct *sbsec,
484 const struct cred *cred)
486 const struct task_security_struct *tsec = cred->security;
488 rc = avc_has_perm(&selinux_state,
489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 FILESYSTEM__RELABELFROM, NULL);
494 rc = avc_has_perm(&selinux_state,
495 sid, sbsec->sid, SECCLASS_FILESYSTEM,
496 FILESYSTEM__ASSOCIATE, NULL);
500 static int selinux_is_sblabel_mnt(struct super_block *sb)
502 struct superblock_security_struct *sbsec = sb->s_security;
504 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
505 sbsec->behavior == SECURITY_FS_USE_TRANS ||
506 sbsec->behavior == SECURITY_FS_USE_TASK ||
507 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
508 /* Special handling. Genfs but also in-core setxattr handler */
509 !strcmp(sb->s_type->name, "sysfs") ||
510 !strcmp(sb->s_type->name, "pstore") ||
511 !strcmp(sb->s_type->name, "debugfs") ||
512 !strcmp(sb->s_type->name, "tracefs") ||
513 !strcmp(sb->s_type->name, "rootfs") ||
514 (selinux_policycap_cgroupseclabel() &&
515 (!strcmp(sb->s_type->name, "cgroup") ||
516 !strcmp(sb->s_type->name, "cgroup2")));
519 static int sb_finish_set_opts(struct super_block *sb)
521 struct superblock_security_struct *sbsec = sb->s_security;
522 struct dentry *root = sb->s_root;
523 struct inode *root_inode = d_backing_inode(root);
526 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
527 /* Make sure that the xattr handler exists and that no
528 error other than -ENODATA is returned by getxattr on
529 the root directory. -ENODATA is ok, as this may be
530 the first boot of the SELinux kernel before we have
531 assigned xattr values to the filesystem. */
532 if (!(root_inode->i_opflags & IOP_XATTR)) {
533 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
534 "xattr support\n", sb->s_id, sb->s_type->name);
539 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
540 if (rc < 0 && rc != -ENODATA) {
541 if (rc == -EOPNOTSUPP)
542 printk(KERN_WARNING "SELinux: (dev %s, type "
543 "%s) has no security xattr handler\n",
544 sb->s_id, sb->s_type->name);
546 printk(KERN_WARNING "SELinux: (dev %s, type "
547 "%s) getxattr errno %d\n", sb->s_id,
548 sb->s_type->name, -rc);
553 sbsec->flags |= SE_SBINITIALIZED;
556 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
557 * leave the flag untouched because sb_clone_mnt_opts might be handing
558 * us a superblock that needs the flag to be cleared.
560 if (selinux_is_sblabel_mnt(sb))
561 sbsec->flags |= SBLABEL_MNT;
563 sbsec->flags &= ~SBLABEL_MNT;
565 /* Initialize the root inode. */
566 rc = inode_doinit_with_dentry(root_inode, root);
568 /* Initialize any other inodes associated with the superblock, e.g.
569 inodes created prior to initial policy load or inodes created
570 during get_sb by a pseudo filesystem that directly
572 spin_lock(&sbsec->isec_lock);
574 if (!list_empty(&sbsec->isec_head)) {
575 struct inode_security_struct *isec =
576 list_entry(sbsec->isec_head.next,
577 struct inode_security_struct, list);
578 struct inode *inode = isec->inode;
579 list_del_init(&isec->list);
580 spin_unlock(&sbsec->isec_lock);
581 inode = igrab(inode);
583 if (!IS_PRIVATE(inode))
587 spin_lock(&sbsec->isec_lock);
590 spin_unlock(&sbsec->isec_lock);
596 * This function should allow an FS to ask what it's mount security
597 * options were so it can use those later for submounts, displaying
598 * mount options, or whatever.
600 static int selinux_get_mnt_opts(const struct super_block *sb,
601 struct security_mnt_opts *opts)
604 struct superblock_security_struct *sbsec = sb->s_security;
605 char *context = NULL;
609 security_init_mnt_opts(opts);
611 if (!(sbsec->flags & SE_SBINITIALIZED))
614 if (!selinux_state.initialized)
617 /* make sure we always check enough bits to cover the mask */
618 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
620 tmp = sbsec->flags & SE_MNTMASK;
621 /* count the number of mount options for this sb */
622 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
624 opts->num_mnt_opts++;
627 /* Check if the Label support flag is set */
628 if (sbsec->flags & SBLABEL_MNT)
629 opts->num_mnt_opts++;
631 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
632 if (!opts->mnt_opts) {
637 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
638 if (!opts->mnt_opts_flags) {
644 if (sbsec->flags & FSCONTEXT_MNT) {
645 rc = security_sid_to_context(&selinux_state, sbsec->sid,
649 opts->mnt_opts[i] = context;
650 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
652 if (sbsec->flags & CONTEXT_MNT) {
653 rc = security_sid_to_context(&selinux_state,
658 opts->mnt_opts[i] = context;
659 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
661 if (sbsec->flags & DEFCONTEXT_MNT) {
662 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
666 opts->mnt_opts[i] = context;
667 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
669 if (sbsec->flags & ROOTCONTEXT_MNT) {
670 struct dentry *root = sbsec->sb->s_root;
671 struct inode_security_struct *isec = backing_inode_security(root);
673 rc = security_sid_to_context(&selinux_state, isec->sid,
677 opts->mnt_opts[i] = context;
678 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
680 if (sbsec->flags & SBLABEL_MNT) {
681 opts->mnt_opts[i] = NULL;
682 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
685 BUG_ON(i != opts->num_mnt_opts);
690 security_free_mnt_opts(opts);
694 static int bad_option(struct superblock_security_struct *sbsec, char flag,
695 u32 old_sid, u32 new_sid)
697 char mnt_flags = sbsec->flags & SE_MNTMASK;
699 /* check if the old mount command had the same options */
700 if (sbsec->flags & SE_SBINITIALIZED)
701 if (!(sbsec->flags & flag) ||
702 (old_sid != new_sid))
705 /* check if we were passed the same options twice,
706 * aka someone passed context=a,context=b
708 if (!(sbsec->flags & SE_SBINITIALIZED))
709 if (mnt_flags & flag)
715 * Allow filesystems with binary mount data to explicitly set mount point
716 * labeling information.
718 static int selinux_set_mnt_opts(struct super_block *sb,
719 struct security_mnt_opts *opts,
720 unsigned long kern_flags,
721 unsigned long *set_kern_flags)
723 const struct cred *cred = current_cred();
725 struct superblock_security_struct *sbsec = sb->s_security;
726 const char *name = sb->s_type->name;
727 struct dentry *root = sbsec->sb->s_root;
728 struct inode_security_struct *root_isec;
729 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
730 u32 defcontext_sid = 0;
731 char **mount_options = opts->mnt_opts;
732 int *flags = opts->mnt_opts_flags;
733 int num_opts = opts->num_mnt_opts;
735 mutex_lock(&sbsec->lock);
737 if (!selinux_state.initialized) {
739 /* Defer initialization until selinux_complete_init,
740 after the initial policy is loaded and the security
741 server is ready to handle calls. */
745 printk(KERN_WARNING "SELinux: Unable to set superblock options "
746 "before the security server is initialized\n");
749 if (kern_flags && !set_kern_flags) {
750 /* Specifying internal flags without providing a place to
751 * place the results is not allowed */
757 * Binary mount data FS will come through this function twice. Once
758 * from an explicit call and once from the generic calls from the vfs.
759 * Since the generic VFS calls will not contain any security mount data
760 * we need to skip the double mount verification.
762 * This does open a hole in which we will not notice if the first
763 * mount using this sb set explict options and a second mount using
764 * this sb does not set any security options. (The first options
765 * will be used for both mounts)
767 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
771 root_isec = backing_inode_security_novalidate(root);
774 * parse the mount options, check if they are valid sids.
775 * also check if someone is trying to mount the same sb more
776 * than once with different security options.
778 for (i = 0; i < num_opts; i++) {
781 if (flags[i] == SBLABEL_MNT)
783 rc = security_context_str_to_sid(&selinux_state,
784 mount_options[i], &sid,
787 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
788 "(%s) failed for (dev %s, type %s) errno=%d\n",
789 mount_options[i], sb->s_id, name, rc);
796 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
798 goto out_double_mount;
800 sbsec->flags |= FSCONTEXT_MNT;
805 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
807 goto out_double_mount;
809 sbsec->flags |= CONTEXT_MNT;
811 case ROOTCONTEXT_MNT:
812 rootcontext_sid = sid;
814 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
816 goto out_double_mount;
818 sbsec->flags |= ROOTCONTEXT_MNT;
822 defcontext_sid = sid;
824 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
826 goto out_double_mount;
828 sbsec->flags |= DEFCONTEXT_MNT;
837 if (sbsec->flags & SE_SBINITIALIZED) {
838 /* previously mounted with options, but not on this attempt? */
839 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
840 goto out_double_mount;
845 if (strcmp(sb->s_type->name, "proc") == 0)
846 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
848 if (!strcmp(sb->s_type->name, "debugfs") ||
849 !strcmp(sb->s_type->name, "tracefs") ||
850 !strcmp(sb->s_type->name, "sysfs") ||
851 !strcmp(sb->s_type->name, "pstore") ||
852 !strcmp(sb->s_type->name, "cgroup") ||
853 !strcmp(sb->s_type->name, "cgroup2"))
854 sbsec->flags |= SE_SBGENFS;
856 if (!sbsec->behavior) {
858 * Determine the labeling behavior to use for this
861 rc = security_fs_use(&selinux_state, sb);
864 "%s: security_fs_use(%s) returned %d\n",
865 __func__, sb->s_type->name, rc);
871 * If this is a user namespace mount and the filesystem type is not
872 * explicitly whitelisted, then no contexts are allowed on the command
873 * line and security labels must be ignored.
875 if (sb->s_user_ns != &init_user_ns &&
876 strcmp(sb->s_type->name, "tmpfs") &&
877 strcmp(sb->s_type->name, "ramfs") &&
878 strcmp(sb->s_type->name, "devpts")) {
879 if (context_sid || fscontext_sid || rootcontext_sid ||
884 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
885 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
886 rc = security_transition_sid(&selinux_state,
890 &sbsec->mntpoint_sid);
897 /* sets the context of the superblock for the fs being mounted. */
899 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
903 sbsec->sid = fscontext_sid;
907 * Switch to using mount point labeling behavior.
908 * sets the label used on all file below the mountpoint, and will set
909 * the superblock context if not already set.
911 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
912 sbsec->behavior = SECURITY_FS_USE_NATIVE;
913 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
917 if (!fscontext_sid) {
918 rc = may_context_mount_sb_relabel(context_sid, sbsec,
922 sbsec->sid = context_sid;
924 rc = may_context_mount_inode_relabel(context_sid, sbsec,
929 if (!rootcontext_sid)
930 rootcontext_sid = context_sid;
932 sbsec->mntpoint_sid = context_sid;
933 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
936 if (rootcontext_sid) {
937 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
942 root_isec->sid = rootcontext_sid;
943 root_isec->initialized = LABEL_INITIALIZED;
946 if (defcontext_sid) {
947 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
948 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
950 printk(KERN_WARNING "SELinux: defcontext option is "
951 "invalid for this filesystem type\n");
955 if (defcontext_sid != sbsec->def_sid) {
956 rc = may_context_mount_inode_relabel(defcontext_sid,
962 sbsec->def_sid = defcontext_sid;
966 rc = sb_finish_set_opts(sb);
968 mutex_unlock(&sbsec->lock);
972 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
973 "security settings for (dev %s, type %s)\n", sb->s_id, name);
977 static int selinux_cmp_sb_context(const struct super_block *oldsb,
978 const struct super_block *newsb)
980 struct superblock_security_struct *old = oldsb->s_security;
981 struct superblock_security_struct *new = newsb->s_security;
982 char oldflags = old->flags & SE_MNTMASK;
983 char newflags = new->flags & SE_MNTMASK;
985 if (oldflags != newflags)
987 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
989 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
991 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
993 if (oldflags & ROOTCONTEXT_MNT) {
994 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
995 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
996 if (oldroot->sid != newroot->sid)
1001 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
1002 "different security settings for (dev %s, "
1003 "type %s)\n", newsb->s_id, newsb->s_type->name);
1007 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1008 struct super_block *newsb,
1009 unsigned long kern_flags,
1010 unsigned long *set_kern_flags)
1013 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1014 struct superblock_security_struct *newsbsec = newsb->s_security;
1016 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1017 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1018 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1021 * if the parent was able to be mounted it clearly had no special lsm
1022 * mount options. thus we can safely deal with this superblock later
1024 if (!selinux_state.initialized)
1028 * Specifying internal flags without providing a place to
1029 * place the results is not allowed.
1031 if (kern_flags && !set_kern_flags)
1034 /* how can we clone if the old one wasn't set up?? */
1035 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1037 /* if fs is reusing a sb, make sure that the contexts match */
1038 if (newsbsec->flags & SE_SBINITIALIZED)
1039 return selinux_cmp_sb_context(oldsb, newsb);
1041 mutex_lock(&newsbsec->lock);
1043 newsbsec->flags = oldsbsec->flags;
1045 newsbsec->sid = oldsbsec->sid;
1046 newsbsec->def_sid = oldsbsec->def_sid;
1047 newsbsec->behavior = oldsbsec->behavior;
1049 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1050 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1051 rc = security_fs_use(&selinux_state, newsb);
1056 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1057 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1058 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1062 u32 sid = oldsbsec->mntpoint_sid;
1065 newsbsec->sid = sid;
1066 if (!set_rootcontext) {
1067 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1070 newsbsec->mntpoint_sid = sid;
1072 if (set_rootcontext) {
1073 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1074 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1076 newisec->sid = oldisec->sid;
1079 sb_finish_set_opts(newsb);
1081 mutex_unlock(&newsbsec->lock);
1085 static int selinux_parse_opts_str(char *options,
1086 struct security_mnt_opts *opts)
1089 char *context = NULL, *defcontext = NULL;
1090 char *fscontext = NULL, *rootcontext = NULL;
1091 int rc, num_mnt_opts = 0;
1093 opts->num_mnt_opts = 0;
1095 /* Standard string-based options. */
1096 while ((p = strsep(&options, "|")) != NULL) {
1098 substring_t args[MAX_OPT_ARGS];
1103 token = match_token(p, tokens, args);
1107 if (context || defcontext) {
1109 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1112 context = match_strdup(&args[0]);
1122 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1125 fscontext = match_strdup(&args[0]);
1132 case Opt_rootcontext:
1135 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1138 rootcontext = match_strdup(&args[0]);
1145 case Opt_defcontext:
1146 if (context || defcontext) {
1148 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1151 defcontext = match_strdup(&args[0]);
1157 case Opt_labelsupport:
1161 printk(KERN_WARNING "SELinux: unknown mount option\n");
1168 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1169 if (!opts->mnt_opts)
1172 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1174 if (!opts->mnt_opts_flags)
1178 opts->mnt_opts[num_mnt_opts] = fscontext;
1179 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1182 opts->mnt_opts[num_mnt_opts] = context;
1183 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1186 opts->mnt_opts[num_mnt_opts] = rootcontext;
1187 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1190 opts->mnt_opts[num_mnt_opts] = defcontext;
1191 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1194 opts->num_mnt_opts = num_mnt_opts;
1198 security_free_mnt_opts(opts);
1206 * string mount options parsing and call set the sbsec
1208 static int superblock_doinit(struct super_block *sb, void *data)
1211 char *options = data;
1212 struct security_mnt_opts opts;
1214 security_init_mnt_opts(&opts);
1219 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1221 rc = selinux_parse_opts_str(options, &opts);
1226 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1229 security_free_mnt_opts(&opts);
1233 static void selinux_write_opts(struct seq_file *m,
1234 struct security_mnt_opts *opts)
1239 for (i = 0; i < opts->num_mnt_opts; i++) {
1242 if (opts->mnt_opts[i])
1243 has_comma = strchr(opts->mnt_opts[i], ',');
1247 switch (opts->mnt_opts_flags[i]) {
1249 prefix = CONTEXT_STR;
1252 prefix = FSCONTEXT_STR;
1254 case ROOTCONTEXT_MNT:
1255 prefix = ROOTCONTEXT_STR;
1257 case DEFCONTEXT_MNT:
1258 prefix = DEFCONTEXT_STR;
1262 seq_puts(m, LABELSUPP_STR);
1268 /* we need a comma before each option */
1270 seq_puts(m, prefix);
1273 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1279 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1281 struct security_mnt_opts opts;
1284 rc = selinux_get_mnt_opts(sb, &opts);
1286 /* before policy load we may get EINVAL, don't show anything */
1292 selinux_write_opts(m, &opts);
1294 security_free_mnt_opts(&opts);
1299 static inline u16 inode_mode_to_security_class(umode_t mode)
1301 switch (mode & S_IFMT) {
1303 return SECCLASS_SOCK_FILE;
1305 return SECCLASS_LNK_FILE;
1307 return SECCLASS_FILE;
1309 return SECCLASS_BLK_FILE;
1311 return SECCLASS_DIR;
1313 return SECCLASS_CHR_FILE;
1315 return SECCLASS_FIFO_FILE;
1319 return SECCLASS_FILE;
1322 static inline int default_protocol_stream(int protocol)
1324 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1327 static inline int default_protocol_dgram(int protocol)
1329 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1332 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1334 int extsockclass = selinux_policycap_extsockclass();
1340 case SOCK_SEQPACKET:
1341 return SECCLASS_UNIX_STREAM_SOCKET;
1344 return SECCLASS_UNIX_DGRAM_SOCKET;
1351 case SOCK_SEQPACKET:
1352 if (default_protocol_stream(protocol))
1353 return SECCLASS_TCP_SOCKET;
1354 else if (extsockclass && protocol == IPPROTO_SCTP)
1355 return SECCLASS_SCTP_SOCKET;
1357 return SECCLASS_RAWIP_SOCKET;
1359 if (default_protocol_dgram(protocol))
1360 return SECCLASS_UDP_SOCKET;
1361 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1362 protocol == IPPROTO_ICMPV6))
1363 return SECCLASS_ICMP_SOCKET;
1365 return SECCLASS_RAWIP_SOCKET;
1367 return SECCLASS_DCCP_SOCKET;
1369 return SECCLASS_RAWIP_SOCKET;
1375 return SECCLASS_NETLINK_ROUTE_SOCKET;
1376 case NETLINK_SOCK_DIAG:
1377 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1379 return SECCLASS_NETLINK_NFLOG_SOCKET;
1381 return SECCLASS_NETLINK_XFRM_SOCKET;
1382 case NETLINK_SELINUX:
1383 return SECCLASS_NETLINK_SELINUX_SOCKET;
1385 return SECCLASS_NETLINK_ISCSI_SOCKET;
1387 return SECCLASS_NETLINK_AUDIT_SOCKET;
1388 case NETLINK_FIB_LOOKUP:
1389 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1390 case NETLINK_CONNECTOR:
1391 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1392 case NETLINK_NETFILTER:
1393 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1394 case NETLINK_DNRTMSG:
1395 return SECCLASS_NETLINK_DNRT_SOCKET;
1396 case NETLINK_KOBJECT_UEVENT:
1397 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1398 case NETLINK_GENERIC:
1399 return SECCLASS_NETLINK_GENERIC_SOCKET;
1400 case NETLINK_SCSITRANSPORT:
1401 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1403 return SECCLASS_NETLINK_RDMA_SOCKET;
1404 case NETLINK_CRYPTO:
1405 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1407 return SECCLASS_NETLINK_SOCKET;
1410 return SECCLASS_PACKET_SOCKET;
1412 return SECCLASS_KEY_SOCKET;
1414 return SECCLASS_APPLETALK_SOCKET;
1420 return SECCLASS_AX25_SOCKET;
1422 return SECCLASS_IPX_SOCKET;
1424 return SECCLASS_NETROM_SOCKET;
1426 return SECCLASS_ATMPVC_SOCKET;
1428 return SECCLASS_X25_SOCKET;
1430 return SECCLASS_ROSE_SOCKET;
1432 return SECCLASS_DECNET_SOCKET;
1434 return SECCLASS_ATMSVC_SOCKET;
1436 return SECCLASS_RDS_SOCKET;
1438 return SECCLASS_IRDA_SOCKET;
1440 return SECCLASS_PPPOX_SOCKET;
1442 return SECCLASS_LLC_SOCKET;
1444 return SECCLASS_CAN_SOCKET;
1446 return SECCLASS_TIPC_SOCKET;
1448 return SECCLASS_BLUETOOTH_SOCKET;
1450 return SECCLASS_IUCV_SOCKET;
1452 return SECCLASS_RXRPC_SOCKET;
1454 return SECCLASS_ISDN_SOCKET;
1456 return SECCLASS_PHONET_SOCKET;
1458 return SECCLASS_IEEE802154_SOCKET;
1460 return SECCLASS_CAIF_SOCKET;
1462 return SECCLASS_ALG_SOCKET;
1464 return SECCLASS_NFC_SOCKET;
1466 return SECCLASS_VSOCK_SOCKET;
1468 return SECCLASS_KCM_SOCKET;
1470 return SECCLASS_QIPCRTR_SOCKET;
1472 return SECCLASS_SMC_SOCKET;
1474 return SECCLASS_XDP_SOCKET;
1476 #error New address family defined, please update this function.
1481 return SECCLASS_SOCKET;
1484 static int selinux_genfs_get_sid(struct dentry *dentry,
1490 struct super_block *sb = dentry->d_sb;
1491 char *buffer, *path;
1493 buffer = (char *)__get_free_page(GFP_KERNEL);
1497 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1501 if (flags & SE_SBPROC) {
1502 /* each process gets a /proc/PID/ entry. Strip off the
1503 * PID part to get a valid selinux labeling.
1504 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1505 while (path[1] >= '0' && path[1] <= '9') {
1510 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1513 free_page((unsigned long)buffer);
1517 /* The inode's security attributes must be initialized before first use. */
1518 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1520 struct superblock_security_struct *sbsec = NULL;
1521 struct inode_security_struct *isec = inode->i_security;
1522 u32 task_sid, sid = 0;
1524 struct dentry *dentry;
1525 #define INITCONTEXTLEN 255
1526 char *context = NULL;
1530 if (isec->initialized == LABEL_INITIALIZED)
1533 spin_lock(&isec->lock);
1534 if (isec->initialized == LABEL_INITIALIZED)
1537 if (isec->sclass == SECCLASS_FILE)
1538 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1540 sbsec = inode->i_sb->s_security;
1541 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1542 /* Defer initialization until selinux_complete_init,
1543 after the initial policy is loaded and the security
1544 server is ready to handle calls. */
1545 spin_lock(&sbsec->isec_lock);
1546 if (list_empty(&isec->list))
1547 list_add(&isec->list, &sbsec->isec_head);
1548 spin_unlock(&sbsec->isec_lock);
1552 sclass = isec->sclass;
1553 task_sid = isec->task_sid;
1555 isec->initialized = LABEL_PENDING;
1556 spin_unlock(&isec->lock);
1558 switch (sbsec->behavior) {
1559 case SECURITY_FS_USE_NATIVE:
1561 case SECURITY_FS_USE_XATTR:
1562 if (!(inode->i_opflags & IOP_XATTR)) {
1563 sid = sbsec->def_sid;
1566 /* Need a dentry, since the xattr API requires one.
1567 Life would be simpler if we could just pass the inode. */
1569 /* Called from d_instantiate or d_splice_alias. */
1570 dentry = dget(opt_dentry);
1573 * Called from selinux_complete_init, try to find a dentry.
1574 * Some filesystems really want a connected one, so try
1575 * that first. We could split SECURITY_FS_USE_XATTR in
1576 * two, depending upon that...
1578 dentry = d_find_alias(inode);
1580 dentry = d_find_any_alias(inode);
1584 * this is can be hit on boot when a file is accessed
1585 * before the policy is loaded. When we load policy we
1586 * may find inodes that have no dentry on the
1587 * sbsec->isec_head list. No reason to complain as these
1588 * will get fixed up the next time we go through
1589 * inode_doinit with a dentry, before these inodes could
1590 * be used again by userspace.
1595 len = INITCONTEXTLEN;
1596 context = kmalloc(len+1, GFP_NOFS);
1602 context[len] = '\0';
1603 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1604 if (rc == -ERANGE) {
1607 /* Need a larger buffer. Query for the right size. */
1608 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1614 context = kmalloc(len+1, GFP_NOFS);
1620 context[len] = '\0';
1621 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1625 if (rc != -ENODATA) {
1626 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1627 "%d for dev=%s ino=%ld\n", __func__,
1628 -rc, inode->i_sb->s_id, inode->i_ino);
1632 /* Map ENODATA to the default file SID */
1633 sid = sbsec->def_sid;
1636 rc = security_context_to_sid_default(&selinux_state,
1641 char *dev = inode->i_sb->s_id;
1642 unsigned long ino = inode->i_ino;
1644 if (rc == -EINVAL) {
1645 if (printk_ratelimit())
1646 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1647 "context=%s. This indicates you may need to relabel the inode or the "
1648 "filesystem in question.\n", ino, dev, context);
1650 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1651 "returned %d for dev=%s ino=%ld\n",
1652 __func__, context, -rc, dev, ino);
1655 /* Leave with the unlabeled SID */
1662 case SECURITY_FS_USE_TASK:
1665 case SECURITY_FS_USE_TRANS:
1666 /* Default to the fs SID. */
1669 /* Try to obtain a transition SID. */
1670 rc = security_transition_sid(&selinux_state, task_sid, sid,
1671 sclass, NULL, &sid);
1675 case SECURITY_FS_USE_MNTPOINT:
1676 sid = sbsec->mntpoint_sid;
1679 /* Default to the fs superblock SID. */
1682 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1683 /* We must have a dentry to determine the label on
1686 /* Called from d_instantiate or
1687 * d_splice_alias. */
1688 dentry = dget(opt_dentry);
1690 /* Called from selinux_complete_init, try to
1691 * find a dentry. Some filesystems really want
1692 * a connected one, so try that first.
1694 dentry = d_find_alias(inode);
1696 dentry = d_find_any_alias(inode);
1699 * This can be hit on boot when a file is accessed
1700 * before the policy is loaded. When we load policy we
1701 * may find inodes that have no dentry on the
1702 * sbsec->isec_head list. No reason to complain as
1703 * these will get fixed up the next time we go through
1704 * inode_doinit() with a dentry, before these inodes
1705 * could be used again by userspace.
1709 rc = selinux_genfs_get_sid(dentry, sclass,
1710 sbsec->flags, &sid);
1719 spin_lock(&isec->lock);
1720 if (isec->initialized == LABEL_PENDING) {
1722 isec->initialized = LABEL_INVALID;
1726 isec->initialized = LABEL_INITIALIZED;
1731 spin_unlock(&isec->lock);
1735 /* Convert a Linux signal to an access vector. */
1736 static inline u32 signal_to_av(int sig)
1742 /* Commonly granted from child to parent. */
1743 perm = PROCESS__SIGCHLD;
1746 /* Cannot be caught or ignored */
1747 perm = PROCESS__SIGKILL;
1750 /* Cannot be caught or ignored */
1751 perm = PROCESS__SIGSTOP;
1754 /* All other signals. */
1755 perm = PROCESS__SIGNAL;
1762 #if CAP_LAST_CAP > 63
1763 #error Fix SELinux to handle capabilities > 63.
1766 /* Check whether a task is allowed to use a capability. */
1767 static int cred_has_capability(const struct cred *cred,
1768 int cap, int audit, bool initns)
1770 struct common_audit_data ad;
1771 struct av_decision avd;
1773 u32 sid = cred_sid(cred);
1774 u32 av = CAP_TO_MASK(cap);
1777 ad.type = LSM_AUDIT_DATA_CAP;
1780 switch (CAP_TO_INDEX(cap)) {
1782 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1785 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1789 "SELinux: out of range capability %d\n", cap);
1794 rc = avc_has_perm_noaudit(&selinux_state,
1795 sid, sid, sclass, av, 0, &avd);
1796 if (audit == SECURITY_CAP_AUDIT) {
1797 int rc2 = avc_audit(&selinux_state,
1798 sid, sid, sclass, av, &avd, rc, &ad, 0);
1805 /* Check whether a task has a particular permission to an inode.
1806 The 'adp' parameter is optional and allows other audit
1807 data to be passed (e.g. the dentry). */
1808 static int inode_has_perm(const struct cred *cred,
1809 struct inode *inode,
1811 struct common_audit_data *adp)
1813 struct inode_security_struct *isec;
1816 validate_creds(cred);
1818 if (unlikely(IS_PRIVATE(inode)))
1821 sid = cred_sid(cred);
1822 isec = inode->i_security;
1824 return avc_has_perm(&selinux_state,
1825 sid, isec->sid, isec->sclass, perms, adp);
1828 /* Same as inode_has_perm, but pass explicit audit data containing
1829 the dentry to help the auditing code to more easily generate the
1830 pathname if needed. */
1831 static inline int dentry_has_perm(const struct cred *cred,
1832 struct dentry *dentry,
1835 struct inode *inode = d_backing_inode(dentry);
1836 struct common_audit_data ad;
1838 ad.type = LSM_AUDIT_DATA_DENTRY;
1839 ad.u.dentry = dentry;
1840 __inode_security_revalidate(inode, dentry, true);
1841 return inode_has_perm(cred, inode, av, &ad);
1844 /* Same as inode_has_perm, but pass explicit audit data containing
1845 the path to help the auditing code to more easily generate the
1846 pathname if needed. */
1847 static inline int path_has_perm(const struct cred *cred,
1848 const struct path *path,
1851 struct inode *inode = d_backing_inode(path->dentry);
1852 struct common_audit_data ad;
1854 ad.type = LSM_AUDIT_DATA_PATH;
1856 __inode_security_revalidate(inode, path->dentry, true);
1857 return inode_has_perm(cred, inode, av, &ad);
1860 /* Same as path_has_perm, but uses the inode from the file struct. */
1861 static inline int file_path_has_perm(const struct cred *cred,
1865 struct common_audit_data ad;
1867 ad.type = LSM_AUDIT_DATA_FILE;
1869 return inode_has_perm(cred, file_inode(file), av, &ad);
1872 #ifdef CONFIG_BPF_SYSCALL
1873 static int bpf_fd_pass(struct file *file, u32 sid);
1876 /* Check whether a task can use an open file descriptor to
1877 access an inode in a given way. Check access to the
1878 descriptor itself, and then use dentry_has_perm to
1879 check a particular permission to the file.
1880 Access to the descriptor is implicitly granted if it
1881 has the same SID as the process. If av is zero, then
1882 access to the file is not checked, e.g. for cases
1883 where only the descriptor is affected like seek. */
1884 static int file_has_perm(const struct cred *cred,
1888 struct file_security_struct *fsec = file->f_security;
1889 struct inode *inode = file_inode(file);
1890 struct common_audit_data ad;
1891 u32 sid = cred_sid(cred);
1894 ad.type = LSM_AUDIT_DATA_FILE;
1897 if (sid != fsec->sid) {
1898 rc = avc_has_perm(&selinux_state,
1907 #ifdef CONFIG_BPF_SYSCALL
1908 rc = bpf_fd_pass(file, cred_sid(cred));
1913 /* av is zero if only checking access to the descriptor. */
1916 rc = inode_has_perm(cred, inode, av, &ad);
1923 * Determine the label for an inode that might be unioned.
1926 selinux_determine_inode_label(const struct task_security_struct *tsec,
1928 const struct qstr *name, u16 tclass,
1931 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1933 if ((sbsec->flags & SE_SBINITIALIZED) &&
1934 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1935 *_new_isid = sbsec->mntpoint_sid;
1936 } else if ((sbsec->flags & SBLABEL_MNT) &&
1938 *_new_isid = tsec->create_sid;
1940 const struct inode_security_struct *dsec = inode_security(dir);
1941 return security_transition_sid(&selinux_state, tsec->sid,
1949 /* Check whether a task can create a file. */
1950 static int may_create(struct inode *dir,
1951 struct dentry *dentry,
1954 const struct task_security_struct *tsec = current_security();
1955 struct inode_security_struct *dsec;
1956 struct superblock_security_struct *sbsec;
1958 struct common_audit_data ad;
1961 dsec = inode_security(dir);
1962 sbsec = dir->i_sb->s_security;
1966 ad.type = LSM_AUDIT_DATA_DENTRY;
1967 ad.u.dentry = dentry;
1969 rc = avc_has_perm(&selinux_state,
1970 sid, dsec->sid, SECCLASS_DIR,
1971 DIR__ADD_NAME | DIR__SEARCH,
1976 rc = selinux_determine_inode_label(current_security(), dir,
1977 &dentry->d_name, tclass, &newsid);
1981 rc = avc_has_perm(&selinux_state,
1982 sid, newsid, tclass, FILE__CREATE, &ad);
1986 return avc_has_perm(&selinux_state,
1988 SECCLASS_FILESYSTEM,
1989 FILESYSTEM__ASSOCIATE, &ad);
1993 #define MAY_UNLINK 1
1996 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1997 static int may_link(struct inode *dir,
1998 struct dentry *dentry,
2002 struct inode_security_struct *dsec, *isec;
2003 struct common_audit_data ad;
2004 u32 sid = current_sid();
2008 dsec = inode_security(dir);
2009 isec = backing_inode_security(dentry);
2011 ad.type = LSM_AUDIT_DATA_DENTRY;
2012 ad.u.dentry = dentry;
2015 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2016 rc = avc_has_perm(&selinux_state,
2017 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2032 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
2037 rc = avc_has_perm(&selinux_state,
2038 sid, isec->sid, isec->sclass, av, &ad);
2042 static inline int may_rename(struct inode *old_dir,
2043 struct dentry *old_dentry,
2044 struct inode *new_dir,
2045 struct dentry *new_dentry)
2047 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2048 struct common_audit_data ad;
2049 u32 sid = current_sid();
2051 int old_is_dir, new_is_dir;
2054 old_dsec = inode_security(old_dir);
2055 old_isec = backing_inode_security(old_dentry);
2056 old_is_dir = d_is_dir(old_dentry);
2057 new_dsec = inode_security(new_dir);
2059 ad.type = LSM_AUDIT_DATA_DENTRY;
2061 ad.u.dentry = old_dentry;
2062 rc = avc_has_perm(&selinux_state,
2063 sid, old_dsec->sid, SECCLASS_DIR,
2064 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2067 rc = avc_has_perm(&selinux_state,
2069 old_isec->sclass, FILE__RENAME, &ad);
2072 if (old_is_dir && new_dir != old_dir) {
2073 rc = avc_has_perm(&selinux_state,
2075 old_isec->sclass, DIR__REPARENT, &ad);
2080 ad.u.dentry = new_dentry;
2081 av = DIR__ADD_NAME | DIR__SEARCH;
2082 if (d_is_positive(new_dentry))
2083 av |= DIR__REMOVE_NAME;
2084 rc = avc_has_perm(&selinux_state,
2085 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2088 if (d_is_positive(new_dentry)) {
2089 new_isec = backing_inode_security(new_dentry);
2090 new_is_dir = d_is_dir(new_dentry);
2091 rc = avc_has_perm(&selinux_state,
2094 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2102 /* Check whether a task can perform a filesystem operation. */
2103 static int superblock_has_perm(const struct cred *cred,
2104 struct super_block *sb,
2106 struct common_audit_data *ad)
2108 struct superblock_security_struct *sbsec;
2109 u32 sid = cred_sid(cred);
2111 sbsec = sb->s_security;
2112 return avc_has_perm(&selinux_state,
2113 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2116 /* Convert a Linux mode and permission mask to an access vector. */
2117 static inline u32 file_mask_to_av(int mode, int mask)
2121 if (!S_ISDIR(mode)) {
2122 if (mask & MAY_EXEC)
2123 av |= FILE__EXECUTE;
2124 if (mask & MAY_READ)
2127 if (mask & MAY_APPEND)
2129 else if (mask & MAY_WRITE)
2133 if (mask & MAY_EXEC)
2135 if (mask & MAY_WRITE)
2137 if (mask & MAY_READ)
2144 /* Convert a Linux file to an access vector. */
2145 static inline u32 file_to_av(struct file *file)
2149 if (file->f_mode & FMODE_READ)
2151 if (file->f_mode & FMODE_WRITE) {
2152 if (file->f_flags & O_APPEND)
2159 * Special file opened with flags 3 for ioctl-only use.
2168 * Convert a file to an access vector and include the correct open
2171 static inline u32 open_file_to_av(struct file *file)
2173 u32 av = file_to_av(file);
2174 struct inode *inode = file_inode(file);
2176 if (selinux_policycap_openperm() &&
2177 inode->i_sb->s_magic != SOCKFS_MAGIC)
2183 /* Hook functions begin here. */
2185 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2187 u32 mysid = current_sid();
2188 u32 mgrsid = task_sid(mgr);
2190 return avc_has_perm(&selinux_state,
2191 mysid, mgrsid, SECCLASS_BINDER,
2192 BINDER__SET_CONTEXT_MGR, NULL);
2195 static int selinux_binder_transaction(struct task_struct *from,
2196 struct task_struct *to)
2198 u32 mysid = current_sid();
2199 u32 fromsid = task_sid(from);
2200 u32 tosid = task_sid(to);
2203 if (mysid != fromsid) {
2204 rc = avc_has_perm(&selinux_state,
2205 mysid, fromsid, SECCLASS_BINDER,
2206 BINDER__IMPERSONATE, NULL);
2211 return avc_has_perm(&selinux_state,
2212 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2216 static int selinux_binder_transfer_binder(struct task_struct *from,
2217 struct task_struct *to)
2219 u32 fromsid = task_sid(from);
2220 u32 tosid = task_sid(to);
2222 return avc_has_perm(&selinux_state,
2223 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2227 static int selinux_binder_transfer_file(struct task_struct *from,
2228 struct task_struct *to,
2231 u32 sid = task_sid(to);
2232 struct file_security_struct *fsec = file->f_security;
2233 struct dentry *dentry = file->f_path.dentry;
2234 struct inode_security_struct *isec;
2235 struct common_audit_data ad;
2238 ad.type = LSM_AUDIT_DATA_PATH;
2239 ad.u.path = file->f_path;
2241 if (sid != fsec->sid) {
2242 rc = avc_has_perm(&selinux_state,
2251 #ifdef CONFIG_BPF_SYSCALL
2252 rc = bpf_fd_pass(file, sid);
2257 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2260 isec = backing_inode_security(dentry);
2261 return avc_has_perm(&selinux_state,
2262 sid, isec->sid, isec->sclass, file_to_av(file),
2266 static int selinux_ptrace_access_check(struct task_struct *child,
2269 u32 sid = current_sid();
2270 u32 csid = task_sid(child);
2272 if (mode & PTRACE_MODE_READ)
2273 return avc_has_perm(&selinux_state,
2274 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2276 return avc_has_perm(&selinux_state,
2277 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2280 static int selinux_ptrace_traceme(struct task_struct *parent)
2282 return avc_has_perm(&selinux_state,
2283 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2284 PROCESS__PTRACE, NULL);
2287 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2288 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2290 return avc_has_perm(&selinux_state,
2291 current_sid(), task_sid(target), SECCLASS_PROCESS,
2292 PROCESS__GETCAP, NULL);
2295 static int selinux_capset(struct cred *new, const struct cred *old,
2296 const kernel_cap_t *effective,
2297 const kernel_cap_t *inheritable,
2298 const kernel_cap_t *permitted)
2300 return avc_has_perm(&selinux_state,
2301 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2302 PROCESS__SETCAP, NULL);
2306 * (This comment used to live with the selinux_task_setuid hook,
2307 * which was removed).
2309 * Since setuid only affects the current process, and since the SELinux
2310 * controls are not based on the Linux identity attributes, SELinux does not
2311 * need to control this operation. However, SELinux does control the use of
2312 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2315 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2318 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2321 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2323 const struct cred *cred = current_cred();
2335 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2340 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2343 rc = 0; /* let the kernel handle invalid cmds */
2349 static int selinux_quota_on(struct dentry *dentry)
2351 const struct cred *cred = current_cred();
2353 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2356 static int selinux_syslog(int type)
2359 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2360 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2361 return avc_has_perm(&selinux_state,
2362 current_sid(), SECINITSID_KERNEL,
2363 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2364 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2365 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2366 /* Set level of messages printed to console */
2367 case SYSLOG_ACTION_CONSOLE_LEVEL:
2368 return avc_has_perm(&selinux_state,
2369 current_sid(), SECINITSID_KERNEL,
2370 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2373 /* All other syslog types */
2374 return avc_has_perm(&selinux_state,
2375 current_sid(), SECINITSID_KERNEL,
2376 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2380 * Check that a process has enough memory to allocate a new virtual
2381 * mapping. 0 means there is enough memory for the allocation to
2382 * succeed and -ENOMEM implies there is not.
2384 * Do not audit the selinux permission check, as this is applied to all
2385 * processes that allocate mappings.
2387 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2389 int rc, cap_sys_admin = 0;
2391 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2392 SECURITY_CAP_NOAUDIT, true);
2396 return cap_sys_admin;
2399 /* binprm security operations */
2401 static u32 ptrace_parent_sid(void)
2404 struct task_struct *tracer;
2407 tracer = ptrace_parent(current);
2409 sid = task_sid(tracer);
2415 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2416 const struct task_security_struct *old_tsec,
2417 const struct task_security_struct *new_tsec)
2419 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2420 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2424 if (!nnp && !nosuid)
2425 return 0; /* neither NNP nor nosuid */
2427 if (new_tsec->sid == old_tsec->sid)
2428 return 0; /* No change in credentials */
2431 * If the policy enables the nnp_nosuid_transition policy capability,
2432 * then we permit transitions under NNP or nosuid if the
2433 * policy allows the corresponding permission between
2434 * the old and new contexts.
2436 if (selinux_policycap_nnp_nosuid_transition()) {
2439 av |= PROCESS2__NNP_TRANSITION;
2441 av |= PROCESS2__NOSUID_TRANSITION;
2442 rc = avc_has_perm(&selinux_state,
2443 old_tsec->sid, new_tsec->sid,
2444 SECCLASS_PROCESS2, av, NULL);
2450 * We also permit NNP or nosuid transitions to bounded SIDs,
2451 * i.e. SIDs that are guaranteed to only be allowed a subset
2452 * of the permissions of the current SID.
2454 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2460 * On failure, preserve the errno values for NNP vs nosuid.
2461 * NNP: Operation not permitted for caller.
2462 * nosuid: Permission denied to file.
2469 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2471 const struct task_security_struct *old_tsec;
2472 struct task_security_struct *new_tsec;
2473 struct inode_security_struct *isec;
2474 struct common_audit_data ad;
2475 struct inode *inode = file_inode(bprm->file);
2478 /* SELinux context only depends on initial program or script and not
2479 * the script interpreter */
2480 if (bprm->called_set_creds)
2483 old_tsec = current_security();
2484 new_tsec = bprm->cred->security;
2485 isec = inode_security(inode);
2487 /* Default to the current task SID. */
2488 new_tsec->sid = old_tsec->sid;
2489 new_tsec->osid = old_tsec->sid;
2491 /* Reset fs, key, and sock SIDs on execve. */
2492 new_tsec->create_sid = 0;
2493 new_tsec->keycreate_sid = 0;
2494 new_tsec->sockcreate_sid = 0;
2496 if (old_tsec->exec_sid) {
2497 new_tsec->sid = old_tsec->exec_sid;
2498 /* Reset exec SID on execve. */
2499 new_tsec->exec_sid = 0;
2501 /* Fail on NNP or nosuid if not an allowed transition. */
2502 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2506 /* Check for a default transition on this program. */
2507 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2508 isec->sid, SECCLASS_PROCESS, NULL,
2514 * Fallback to old SID on NNP or nosuid if not an allowed
2517 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2519 new_tsec->sid = old_tsec->sid;
2522 ad.type = LSM_AUDIT_DATA_FILE;
2523 ad.u.file = bprm->file;
2525 if (new_tsec->sid == old_tsec->sid) {
2526 rc = avc_has_perm(&selinux_state,
2527 old_tsec->sid, isec->sid,
2528 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2532 /* Check permissions for the transition. */
2533 rc = avc_has_perm(&selinux_state,
2534 old_tsec->sid, new_tsec->sid,
2535 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2539 rc = avc_has_perm(&selinux_state,
2540 new_tsec->sid, isec->sid,
2541 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2545 /* Check for shared state */
2546 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2547 rc = avc_has_perm(&selinux_state,
2548 old_tsec->sid, new_tsec->sid,
2549 SECCLASS_PROCESS, PROCESS__SHARE,
2555 /* Make sure that anyone attempting to ptrace over a task that
2556 * changes its SID has the appropriate permit */
2557 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2558 u32 ptsid = ptrace_parent_sid();
2560 rc = avc_has_perm(&selinux_state,
2561 ptsid, new_tsec->sid,
2563 PROCESS__PTRACE, NULL);
2569 /* Clear any possibly unsafe personality bits on exec: */
2570 bprm->per_clear |= PER_CLEAR_ON_SETID;
2572 /* Enable secure mode for SIDs transitions unless
2573 the noatsecure permission is granted between
2574 the two SIDs, i.e. ahp returns 0. */
2575 rc = avc_has_perm(&selinux_state,
2576 old_tsec->sid, new_tsec->sid,
2577 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2579 bprm->secureexec |= !!rc;
2585 static int match_file(const void *p, struct file *file, unsigned fd)
2587 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2590 /* Derived from fs/exec.c:flush_old_files. */
2591 static inline void flush_unauthorized_files(const struct cred *cred,
2592 struct files_struct *files)
2594 struct file *file, *devnull = NULL;
2595 struct tty_struct *tty;
2599 tty = get_current_tty();
2601 spin_lock(&tty->files_lock);
2602 if (!list_empty(&tty->tty_files)) {
2603 struct tty_file_private *file_priv;
2605 /* Revalidate access to controlling tty.
2606 Use file_path_has_perm on the tty path directly
2607 rather than using file_has_perm, as this particular
2608 open file may belong to another process and we are
2609 only interested in the inode-based check here. */
2610 file_priv = list_first_entry(&tty->tty_files,
2611 struct tty_file_private, list);
2612 file = file_priv->file;
2613 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2616 spin_unlock(&tty->files_lock);
2619 /* Reset controlling tty. */
2623 /* Revalidate access to inherited open files. */
2624 n = iterate_fd(files, 0, match_file, cred);
2625 if (!n) /* none found? */
2628 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2629 if (IS_ERR(devnull))
2631 /* replace all the matching ones with this */
2633 replace_fd(n - 1, devnull, 0);
2634 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2640 * Prepare a process for imminent new credential changes due to exec
2642 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2644 struct task_security_struct *new_tsec;
2645 struct rlimit *rlim, *initrlim;
2648 new_tsec = bprm->cred->security;
2649 if (new_tsec->sid == new_tsec->osid)
2652 /* Close files for which the new task SID is not authorized. */
2653 flush_unauthorized_files(bprm->cred, current->files);
2655 /* Always clear parent death signal on SID transitions. */
2656 current->pdeath_signal = 0;
2658 /* Check whether the new SID can inherit resource limits from the old
2659 * SID. If not, reset all soft limits to the lower of the current
2660 * task's hard limit and the init task's soft limit.
2662 * Note that the setting of hard limits (even to lower them) can be
2663 * controlled by the setrlimit check. The inclusion of the init task's
2664 * soft limit into the computation is to avoid resetting soft limits
2665 * higher than the default soft limit for cases where the default is
2666 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2668 rc = avc_has_perm(&selinux_state,
2669 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2670 PROCESS__RLIMITINH, NULL);
2672 /* protect against do_prlimit() */
2674 for (i = 0; i < RLIM_NLIMITS; i++) {
2675 rlim = current->signal->rlim + i;
2676 initrlim = init_task.signal->rlim + i;
2677 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2679 task_unlock(current);
2680 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2681 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2686 * Clean up the process immediately after the installation of new credentials
2689 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2691 const struct task_security_struct *tsec = current_security();
2692 struct itimerval itimer;
2702 /* Check whether the new SID can inherit signal state from the old SID.
2703 * If not, clear itimers to avoid subsequent signal generation and
2704 * flush and unblock signals.
2706 * This must occur _after_ the task SID has been updated so that any
2707 * kill done after the flush will be checked against the new SID.
2709 rc = avc_has_perm(&selinux_state,
2710 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2712 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2713 memset(&itimer, 0, sizeof itimer);
2714 for (i = 0; i < 3; i++)
2715 do_setitimer(i, &itimer, NULL);
2717 spin_lock_irq(¤t->sighand->siglock);
2718 if (!fatal_signal_pending(current)) {
2719 flush_sigqueue(¤t->pending);
2720 flush_sigqueue(¤t->signal->shared_pending);
2721 flush_signal_handlers(current, 1);
2722 sigemptyset(¤t->blocked);
2723 recalc_sigpending();
2725 spin_unlock_irq(¤t->sighand->siglock);
2728 /* Wake up the parent if it is waiting so that it can recheck
2729 * wait permission to the new task SID. */
2730 read_lock(&tasklist_lock);
2731 __wake_up_parent(current, current->real_parent);
2732 read_unlock(&tasklist_lock);
2735 /* superblock security operations */
2737 static int selinux_sb_alloc_security(struct super_block *sb)
2739 return superblock_alloc_security(sb);
2742 static void selinux_sb_free_security(struct super_block *sb)
2744 superblock_free_security(sb);
2747 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2752 return !memcmp(prefix, option, plen);
2755 static inline int selinux_option(char *option, int len)
2757 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2758 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2759 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2760 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2761 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2764 static inline void take_option(char **to, char *from, int *first, int len)
2771 memcpy(*to, from, len);
2775 static inline void take_selinux_option(char **to, char *from, int *first,
2778 int current_size = 0;
2786 while (current_size < len) {
2796 static int selinux_sb_copy_data(char *orig, char *copy)
2798 int fnosec, fsec, rc = 0;
2799 char *in_save, *in_curr, *in_end;
2800 char *sec_curr, *nosec_save, *nosec;
2806 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2814 in_save = in_end = orig;
2818 open_quote = !open_quote;
2819 if ((*in_end == ',' && open_quote == 0) ||
2821 int len = in_end - in_curr;
2823 if (selinux_option(in_curr, len))
2824 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2826 take_option(&nosec, in_curr, &fnosec, len);
2828 in_curr = in_end + 1;
2830 } while (*in_end++);
2832 strcpy(in_save, nosec_save);
2833 free_page((unsigned long)nosec_save);
2838 static int selinux_sb_remount(struct super_block *sb, void *data)
2841 struct security_mnt_opts opts;
2842 char *secdata, **mount_options;
2843 struct superblock_security_struct *sbsec = sb->s_security;
2845 if (!(sbsec->flags & SE_SBINITIALIZED))
2851 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2854 security_init_mnt_opts(&opts);
2855 secdata = alloc_secdata();
2858 rc = selinux_sb_copy_data(data, secdata);
2860 goto out_free_secdata;
2862 rc = selinux_parse_opts_str(secdata, &opts);
2864 goto out_free_secdata;
2866 mount_options = opts.mnt_opts;
2867 flags = opts.mnt_opts_flags;
2869 for (i = 0; i < opts.num_mnt_opts; i++) {
2872 if (flags[i] == SBLABEL_MNT)
2874 rc = security_context_str_to_sid(&selinux_state,
2875 mount_options[i], &sid,
2878 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2879 "(%s) failed for (dev %s, type %s) errno=%d\n",
2880 mount_options[i], sb->s_id, sb->s_type->name, rc);
2886 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2887 goto out_bad_option;
2890 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2891 goto out_bad_option;
2893 case ROOTCONTEXT_MNT: {
2894 struct inode_security_struct *root_isec;
2895 root_isec = backing_inode_security(sb->s_root);
2897 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2898 goto out_bad_option;
2901 case DEFCONTEXT_MNT:
2902 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2903 goto out_bad_option;
2912 security_free_mnt_opts(&opts);
2914 free_secdata(secdata);
2917 printk(KERN_WARNING "SELinux: unable to change security options "
2918 "during remount (dev %s, type=%s)\n", sb->s_id,
2923 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2925 const struct cred *cred = current_cred();
2926 struct common_audit_data ad;
2929 rc = superblock_doinit(sb, data);
2933 /* Allow all mounts performed by the kernel */
2934 if (flags & MS_KERNMOUNT)
2937 ad.type = LSM_AUDIT_DATA_DENTRY;
2938 ad.u.dentry = sb->s_root;
2939 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2942 static int selinux_sb_statfs(struct dentry *dentry)
2944 const struct cred *cred = current_cred();
2945 struct common_audit_data ad;
2947 ad.type = LSM_AUDIT_DATA_DENTRY;
2948 ad.u.dentry = dentry->d_sb->s_root;
2949 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2952 static int selinux_mount(const char *dev_name,
2953 const struct path *path,
2955 unsigned long flags,
2958 const struct cred *cred = current_cred();
2960 if (flags & MS_REMOUNT)
2961 return superblock_has_perm(cred, path->dentry->d_sb,
2962 FILESYSTEM__REMOUNT, NULL);
2964 return path_has_perm(cred, path, FILE__MOUNTON);
2967 static int selinux_umount(struct vfsmount *mnt, int flags)
2969 const struct cred *cred = current_cred();
2971 return superblock_has_perm(cred, mnt->mnt_sb,
2972 FILESYSTEM__UNMOUNT, NULL);
2975 /* inode security operations */
2977 static int selinux_inode_alloc_security(struct inode *inode)
2979 return inode_alloc_security(inode);
2982 static void selinux_inode_free_security(struct inode *inode)
2984 inode_free_security(inode);
2987 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2988 const struct qstr *name, void **ctx,
2994 rc = selinux_determine_inode_label(current_security(),
2995 d_inode(dentry->d_parent), name,
2996 inode_mode_to_security_class(mode),
3001 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3005 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3007 const struct cred *old,
3012 struct task_security_struct *tsec;
3014 rc = selinux_determine_inode_label(old->security,
3015 d_inode(dentry->d_parent), name,
3016 inode_mode_to_security_class(mode),
3021 tsec = new->security;
3022 tsec->create_sid = newsid;
3026 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3027 const struct qstr *qstr,
3029 void **value, size_t *len)
3031 const struct task_security_struct *tsec = current_security();
3032 struct superblock_security_struct *sbsec;
3037 sbsec = dir->i_sb->s_security;
3039 newsid = tsec->create_sid;
3041 rc = selinux_determine_inode_label(current_security(),
3043 inode_mode_to_security_class(inode->i_mode),
3048 /* Possibly defer initialization to selinux_complete_init. */
3049 if (sbsec->flags & SE_SBINITIALIZED) {
3050 struct inode_security_struct *isec = inode->i_security;
3051 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3053 isec->initialized = LABEL_INITIALIZED;
3056 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3060 *name = XATTR_SELINUX_SUFFIX;
3063 rc = security_sid_to_context_force(&selinux_state, newsid,
3074 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3076 return may_create(dir, dentry, SECCLASS_FILE);
3079 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3081 return may_link(dir, old_dentry, MAY_LINK);
3084 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3086 return may_link(dir, dentry, MAY_UNLINK);
3089 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3091 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3094 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3096 return may_create(dir, dentry, SECCLASS_DIR);
3099 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3101 return may_link(dir, dentry, MAY_RMDIR);
3104 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3106 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3109 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3110 struct inode *new_inode, struct dentry *new_dentry)
3112 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3115 static int selinux_inode_readlink(struct dentry *dentry)
3117 const struct cred *cred = current_cred();
3119 return dentry_has_perm(cred, dentry, FILE__READ);
3122 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3125 const struct cred *cred = current_cred();
3126 struct common_audit_data ad;
3127 struct inode_security_struct *isec;
3130 validate_creds(cred);
3132 ad.type = LSM_AUDIT_DATA_DENTRY;
3133 ad.u.dentry = dentry;
3134 sid = cred_sid(cred);
3135 isec = inode_security_rcu(inode, rcu);
3137 return PTR_ERR(isec);
3139 return avc_has_perm_flags(&selinux_state,
3140 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3141 rcu ? MAY_NOT_BLOCK : 0);
3144 static noinline int audit_inode_permission(struct inode *inode,
3145 u32 perms, u32 audited, u32 denied,
3149 struct common_audit_data ad;
3150 struct inode_security_struct *isec = inode->i_security;
3153 ad.type = LSM_AUDIT_DATA_INODE;
3156 rc = slow_avc_audit(&selinux_state,
3157 current_sid(), isec->sid, isec->sclass, perms,
3158 audited, denied, result, &ad, flags);
3164 static int selinux_inode_permission(struct inode *inode, int mask)
3166 const struct cred *cred = current_cred();
3169 unsigned flags = mask & MAY_NOT_BLOCK;
3170 struct inode_security_struct *isec;
3172 struct av_decision avd;
3174 u32 audited, denied;
3176 from_access = mask & MAY_ACCESS;
3177 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3179 /* No permission to check. Existence test. */
3183 validate_creds(cred);
3185 if (unlikely(IS_PRIVATE(inode)))
3188 perms = file_mask_to_av(inode->i_mode, mask);
3190 sid = cred_sid(cred);
3191 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3193 return PTR_ERR(isec);
3195 rc = avc_has_perm_noaudit(&selinux_state,
3196 sid, isec->sid, isec->sclass, perms, 0, &avd);
3197 audited = avc_audit_required(perms, &avd, rc,
3198 from_access ? FILE__AUDIT_ACCESS : 0,
3200 if (likely(!audited))
3203 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3209 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3211 const struct cred *cred = current_cred();
3212 struct inode *inode = d_backing_inode(dentry);
3213 unsigned int ia_valid = iattr->ia_valid;
3214 __u32 av = FILE__WRITE;
3216 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3217 if (ia_valid & ATTR_FORCE) {
3218 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3224 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3225 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3226 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3228 if (selinux_policycap_openperm() &&
3229 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3230 (ia_valid & ATTR_SIZE) &&
3231 !(ia_valid & ATTR_FILE))
3234 return dentry_has_perm(cred, dentry, av);
3237 static int selinux_inode_getattr(const struct path *path)
3239 return path_has_perm(current_cred(), path, FILE__GETATTR);
3242 static bool has_cap_mac_admin(bool audit)
3244 const struct cred *cred = current_cred();
3245 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3247 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3249 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3254 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3255 const void *value, size_t size, int flags)
3257 struct inode *inode = d_backing_inode(dentry);
3258 struct inode_security_struct *isec;
3259 struct superblock_security_struct *sbsec;
3260 struct common_audit_data ad;
3261 u32 newsid, sid = current_sid();
3264 if (strcmp(name, XATTR_NAME_SELINUX)) {
3265 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3269 /* Not an attribute we recognize, so just check the
3270 ordinary setattr permission. */
3271 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3274 sbsec = inode->i_sb->s_security;
3275 if (!(sbsec->flags & SBLABEL_MNT))
3278 if (!inode_owner_or_capable(inode))
3281 ad.type = LSM_AUDIT_DATA_DENTRY;
3282 ad.u.dentry = dentry;
3284 isec = backing_inode_security(dentry);
3285 rc = avc_has_perm(&selinux_state,
3286 sid, isec->sid, isec->sclass,
3287 FILE__RELABELFROM, &ad);
3291 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3293 if (rc == -EINVAL) {
3294 if (!has_cap_mac_admin(true)) {
3295 struct audit_buffer *ab;
3298 /* We strip a nul only if it is at the end, otherwise the
3299 * context contains a nul and we should audit that */
3301 const char *str = value;
3303 if (str[size - 1] == '\0')
3304 audit_size = size - 1;
3310 ab = audit_log_start(audit_context(),
3311 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3312 audit_log_format(ab, "op=setxattr invalid_context=");
3313 audit_log_n_untrustedstring(ab, value, audit_size);
3318 rc = security_context_to_sid_force(&selinux_state, value,
3324 rc = avc_has_perm(&selinux_state,
3325 sid, newsid, isec->sclass,
3326 FILE__RELABELTO, &ad);
3330 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3335 return avc_has_perm(&selinux_state,
3338 SECCLASS_FILESYSTEM,
3339 FILESYSTEM__ASSOCIATE,
3343 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3344 const void *value, size_t size,
3347 struct inode *inode = d_backing_inode(dentry);
3348 struct inode_security_struct *isec;
3352 if (strcmp(name, XATTR_NAME_SELINUX)) {
3353 /* Not an attribute we recognize, so nothing to do. */
3357 rc = security_context_to_sid_force(&selinux_state, value, size,
3360 printk(KERN_ERR "SELinux: unable to map context to SID"
3361 "for (%s, %lu), rc=%d\n",
3362 inode->i_sb->s_id, inode->i_ino, -rc);
3366 isec = backing_inode_security(dentry);
3367 spin_lock(&isec->lock);
3368 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3370 isec->initialized = LABEL_INITIALIZED;
3371 spin_unlock(&isec->lock);
3376 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3378 const struct cred *cred = current_cred();
3380 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3383 static int selinux_inode_listxattr(struct dentry *dentry)
3385 const struct cred *cred = current_cred();
3387 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3390 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3392 if (strcmp(name, XATTR_NAME_SELINUX)) {
3393 int rc = cap_inode_removexattr(dentry, name);
3397 /* Not an attribute we recognize, so just check the
3398 ordinary setattr permission. */
3399 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3402 /* No one is allowed to remove a SELinux security label.
3403 You can change the label, but all data must be labeled. */
3408 * Copy the inode security context value to the user.
3410 * Permission check is handled by selinux_inode_getxattr hook.
3412 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3416 char *context = NULL;
3417 struct inode_security_struct *isec;
3419 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3423 * If the caller has CAP_MAC_ADMIN, then get the raw context
3424 * value even if it is not defined by current policy; otherwise,
3425 * use the in-core value under current policy.
3426 * Use the non-auditing forms of the permission checks since
3427 * getxattr may be called by unprivileged processes commonly
3428 * and lack of permission just means that we fall back to the
3429 * in-core context value, not a denial.
3431 isec = inode_security(inode);
3432 if (has_cap_mac_admin(false))
3433 error = security_sid_to_context_force(&selinux_state,
3434 isec->sid, &context,
3437 error = security_sid_to_context(&selinux_state, isec->sid,
3451 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3452 const void *value, size_t size, int flags)
3454 struct inode_security_struct *isec = inode_security_novalidate(inode);
3458 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3461 if (!value || !size)
3464 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3469 spin_lock(&isec->lock);
3470 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3472 isec->initialized = LABEL_INITIALIZED;
3473 spin_unlock(&isec->lock);
3477 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3479 const int len = sizeof(XATTR_NAME_SELINUX);
3480 if (buffer && len <= buffer_size)
3481 memcpy(buffer, XATTR_NAME_SELINUX, len);
3485 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3487 struct inode_security_struct *isec = inode_security_novalidate(inode);
3491 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3494 struct task_security_struct *tsec;
3495 struct cred *new_creds = *new;
3497 if (new_creds == NULL) {
3498 new_creds = prepare_creds();
3503 tsec = new_creds->security;
3504 /* Get label from overlay inode and set it in create_sid */
3505 selinux_inode_getsecid(d_inode(src), &sid);
3506 tsec->create_sid = sid;
3511 static int selinux_inode_copy_up_xattr(const char *name)
3513 /* The copy_up hook above sets the initial context on an inode, but we
3514 * don't then want to overwrite it by blindly copying all the lower
3515 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3517 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3518 return 1; /* Discard */
3520 * Any other attribute apart from SELINUX is not claimed, supported
3526 /* file security operations */
3528 static int selinux_revalidate_file_permission(struct file *file, int mask)
3530 const struct cred *cred = current_cred();
3531 struct inode *inode = file_inode(file);
3533 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3534 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3537 return file_has_perm(cred, file,
3538 file_mask_to_av(inode->i_mode, mask));
3541 static int selinux_file_permission(struct file *file, int mask)
3543 struct inode *inode = file_inode(file);
3544 struct file_security_struct *fsec = file->f_security;
3545 struct inode_security_struct *isec;
3546 u32 sid = current_sid();
3549 /* No permission to check. Existence test. */
3552 isec = inode_security(inode);
3553 if (sid == fsec->sid && fsec->isid == isec->sid &&
3554 fsec->pseqno == avc_policy_seqno(&selinux_state))
3555 /* No change since file_open check. */
3558 return selinux_revalidate_file_permission(file, mask);
3561 static int selinux_file_alloc_security(struct file *file)
3563 return file_alloc_security(file);
3566 static void selinux_file_free_security(struct file *file)
3568 file_free_security(file);
3572 * Check whether a task has the ioctl permission and cmd
3573 * operation to an inode.
3575 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3576 u32 requested, u16 cmd)
3578 struct common_audit_data ad;
3579 struct file_security_struct *fsec = file->f_security;
3580 struct inode *inode = file_inode(file);
3581 struct inode_security_struct *isec;
3582 struct lsm_ioctlop_audit ioctl;
3583 u32 ssid = cred_sid(cred);
3585 u8 driver = cmd >> 8;
3586 u8 xperm = cmd & 0xff;
3588 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3591 ad.u.op->path = file->f_path;
3593 if (ssid != fsec->sid) {
3594 rc = avc_has_perm(&selinux_state,
3603 if (unlikely(IS_PRIVATE(inode)))
3606 isec = inode_security(inode);
3607 rc = avc_has_extended_perms(&selinux_state,
3608 ssid, isec->sid, isec->sclass,
3609 requested, driver, xperm, &ad);
3614 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3617 const struct cred *cred = current_cred();
3627 case FS_IOC_GETFLAGS:
3629 case FS_IOC_GETVERSION:
3630 error = file_has_perm(cred, file, FILE__GETATTR);
3633 case FS_IOC_SETFLAGS:
3635 case FS_IOC_SETVERSION:
3636 error = file_has_perm(cred, file, FILE__SETATTR);
3639 /* sys_ioctl() checks */
3643 error = file_has_perm(cred, file, 0);
3648 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3649 SECURITY_CAP_AUDIT, true);
3652 /* default case assumes that the command will go
3653 * to the file's ioctl() function.
3656 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3661 static int default_noexec;
3663 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3665 const struct cred *cred = current_cred();
3666 u32 sid = cred_sid(cred);
3669 if (default_noexec &&
3670 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3671 (!shared && (prot & PROT_WRITE)))) {
3673 * We are making executable an anonymous mapping or a
3674 * private file mapping that will also be writable.
3675 * This has an additional check.
3677 rc = avc_has_perm(&selinux_state,
3678 sid, sid, SECCLASS_PROCESS,
3679 PROCESS__EXECMEM, NULL);
3685 /* read access is always possible with a mapping */
3686 u32 av = FILE__READ;
3688 /* write access only matters if the mapping is shared */
3689 if (shared && (prot & PROT_WRITE))
3692 if (prot & PROT_EXEC)
3693 av |= FILE__EXECUTE;
3695 return file_has_perm(cred, file, av);
3702 static int selinux_mmap_addr(unsigned long addr)
3706 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3707 u32 sid = current_sid();
3708 rc = avc_has_perm(&selinux_state,
3709 sid, sid, SECCLASS_MEMPROTECT,
3710 MEMPROTECT__MMAP_ZERO, NULL);
3716 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3717 unsigned long prot, unsigned long flags)
3719 struct common_audit_data ad;
3723 ad.type = LSM_AUDIT_DATA_FILE;
3725 rc = inode_has_perm(current_cred(), file_inode(file),
3731 if (selinux_state.checkreqprot)
3734 return file_map_prot_check(file, prot,
3735 (flags & MAP_TYPE) == MAP_SHARED);
3738 static int selinux_file_mprotect(struct vm_area_struct *vma,
3739 unsigned long reqprot,
3742 const struct cred *cred = current_cred();
3743 u32 sid = cred_sid(cred);
3745 if (selinux_state.checkreqprot)
3748 if (default_noexec &&
3749 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3751 if (vma->vm_start >= vma->vm_mm->start_brk &&
3752 vma->vm_end <= vma->vm_mm->brk) {
3753 rc = avc_has_perm(&selinux_state,
3754 sid, sid, SECCLASS_PROCESS,
3755 PROCESS__EXECHEAP, NULL);
3756 } else if (!vma->vm_file &&
3757 ((vma->vm_start <= vma->vm_mm->start_stack &&
3758 vma->vm_end >= vma->vm_mm->start_stack) ||
3759 vma_is_stack_for_current(vma))) {
3760 rc = avc_has_perm(&selinux_state,
3761 sid, sid, SECCLASS_PROCESS,
3762 PROCESS__EXECSTACK, NULL);
3763 } else if (vma->vm_file && vma->anon_vma) {
3765 * We are making executable a file mapping that has
3766 * had some COW done. Since pages might have been
3767 * written, check ability to execute the possibly
3768 * modified content. This typically should only
3769 * occur for text relocations.
3771 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3777 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3780 static int selinux_file_lock(struct file *file, unsigned int cmd)
3782 const struct cred *cred = current_cred();
3784 return file_has_perm(cred, file, FILE__LOCK);
3787 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3790 const struct cred *cred = current_cred();
3795 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3796 err = file_has_perm(cred, file, FILE__WRITE);
3805 case F_GETOWNER_UIDS:
3806 /* Just check FD__USE permission */
3807 err = file_has_perm(cred, file, 0);
3815 #if BITS_PER_LONG == 32
3820 err = file_has_perm(cred, file, FILE__LOCK);
3827 static void selinux_file_set_fowner(struct file *file)
3829 struct file_security_struct *fsec;
3831 fsec = file->f_security;
3832 fsec->fown_sid = current_sid();
3835 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3836 struct fown_struct *fown, int signum)
3839 u32 sid = task_sid(tsk);
3841 struct file_security_struct *fsec;
3843 /* struct fown_struct is never outside the context of a struct file */
3844 file = container_of(fown, struct file, f_owner);
3846 fsec = file->f_security;
3849 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3851 perm = signal_to_av(signum);
3853 return avc_has_perm(&selinux_state,
3854 fsec->fown_sid, sid,
3855 SECCLASS_PROCESS, perm, NULL);
3858 static int selinux_file_receive(struct file *file)
3860 const struct cred *cred = current_cred();
3862 return file_has_perm(cred, file, file_to_av(file));
3865 static int selinux_file_open(struct file *file, const struct cred *cred)
3867 struct file_security_struct *fsec;
3868 struct inode_security_struct *isec;
3870 fsec = file->f_security;
3871 isec = inode_security(file_inode(file));
3873 * Save inode label and policy sequence number
3874 * at open-time so that selinux_file_permission
3875 * can determine whether revalidation is necessary.
3876 * Task label is already saved in the file security
3877 * struct as its SID.
3879 fsec->isid = isec->sid;
3880 fsec->pseqno = avc_policy_seqno(&selinux_state);
3882 * Since the inode label or policy seqno may have changed
3883 * between the selinux_inode_permission check and the saving
3884 * of state above, recheck that access is still permitted.
3885 * Otherwise, access might never be revalidated against the
3886 * new inode label or new policy.
3887 * This check is not redundant - do not remove.
3889 return file_path_has_perm(cred, file, open_file_to_av(file));
3892 /* task security operations */
3894 static int selinux_task_alloc(struct task_struct *task,
3895 unsigned long clone_flags)
3897 u32 sid = current_sid();
3899 return avc_has_perm(&selinux_state,
3900 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3904 * allocate the SELinux part of blank credentials
3906 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3908 struct task_security_struct *tsec;
3910 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3914 cred->security = tsec;
3919 * detach and free the LSM part of a set of credentials
3921 static void selinux_cred_free(struct cred *cred)
3923 struct task_security_struct *tsec = cred->security;
3926 * cred->security == NULL if security_cred_alloc_blank() or
3927 * security_prepare_creds() returned an error.
3929 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3930 cred->security = (void *) 0x7UL;
3935 * prepare a new set of credentials for modification
3937 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3940 const struct task_security_struct *old_tsec;
3941 struct task_security_struct *tsec;
3943 old_tsec = old->security;
3945 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3949 new->security = tsec;
3954 * transfer the SELinux data to a blank set of creds
3956 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3958 const struct task_security_struct *old_tsec = old->security;
3959 struct task_security_struct *tsec = new->security;
3964 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3966 *secid = cred_sid(c);
3970 * set the security data for a kernel service
3971 * - all the creation contexts are set to unlabelled
3973 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3975 struct task_security_struct *tsec = new->security;
3976 u32 sid = current_sid();
3979 ret = avc_has_perm(&selinux_state,
3981 SECCLASS_KERNEL_SERVICE,
3982 KERNEL_SERVICE__USE_AS_OVERRIDE,
3986 tsec->create_sid = 0;
3987 tsec->keycreate_sid = 0;
3988 tsec->sockcreate_sid = 0;
3994 * set the file creation context in a security record to the same as the
3995 * objective context of the specified inode
3997 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3999 struct inode_security_struct *isec = inode_security(inode);
4000 struct task_security_struct *tsec = new->security;
4001 u32 sid = current_sid();
4004 ret = avc_has_perm(&selinux_state,
4006 SECCLASS_KERNEL_SERVICE,
4007 KERNEL_SERVICE__CREATE_FILES_AS,
4011 tsec->create_sid = isec->sid;
4015 static int selinux_kernel_module_request(char *kmod_name)
4017 struct common_audit_data ad;
4019 ad.type = LSM_AUDIT_DATA_KMOD;
4020 ad.u.kmod_name = kmod_name;
4022 return avc_has_perm(&selinux_state,
4023 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4024 SYSTEM__MODULE_REQUEST, &ad);
4027 static int selinux_kernel_module_from_file(struct file *file)
4029 struct common_audit_data ad;
4030 struct inode_security_struct *isec;
4031 struct file_security_struct *fsec;
4032 u32 sid = current_sid();
4037 return avc_has_perm(&selinux_state,
4038 sid, sid, SECCLASS_SYSTEM,
4039 SYSTEM__MODULE_LOAD, NULL);
4043 ad.type = LSM_AUDIT_DATA_FILE;
4046 fsec = file->f_security;
4047 if (sid != fsec->sid) {
4048 rc = avc_has_perm(&selinux_state,
4049 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4054 isec = inode_security(file_inode(file));
4055 return avc_has_perm(&selinux_state,
4056 sid, isec->sid, SECCLASS_SYSTEM,
4057 SYSTEM__MODULE_LOAD, &ad);
4060 static int selinux_kernel_read_file(struct file *file,
4061 enum kernel_read_file_id id)
4066 case READING_MODULE:
4067 rc = selinux_kernel_module_from_file(file);
4076 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4078 return avc_has_perm(&selinux_state,
4079 current_sid(), task_sid(p), SECCLASS_PROCESS,
4080 PROCESS__SETPGID, NULL);
4083 static int selinux_task_getpgid(struct task_struct *p)
4085 return avc_has_perm(&selinux_state,
4086 current_sid(), task_sid(p), SECCLASS_PROCESS,
4087 PROCESS__GETPGID, NULL);
4090 static int selinux_task_getsid(struct task_struct *p)
4092 return avc_has_perm(&selinux_state,
4093 current_sid(), task_sid(p), SECCLASS_PROCESS,
4094 PROCESS__GETSESSION, NULL);
4097 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4099 *secid = task_sid(p);
4102 static int selinux_task_setnice(struct task_struct *p, int nice)
4104 return avc_has_perm(&selinux_state,
4105 current_sid(), task_sid(p), SECCLASS_PROCESS,
4106 PROCESS__SETSCHED, NULL);
4109 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4111 return avc_has_perm(&selinux_state,
4112 current_sid(), task_sid(p), SECCLASS_PROCESS,
4113 PROCESS__SETSCHED, NULL);
4116 static int selinux_task_getioprio(struct task_struct *p)
4118 return avc_has_perm(&selinux_state,
4119 current_sid(), task_sid(p), SECCLASS_PROCESS,
4120 PROCESS__GETSCHED, NULL);
4123 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4130 if (flags & LSM_PRLIMIT_WRITE)
4131 av |= PROCESS__SETRLIMIT;
4132 if (flags & LSM_PRLIMIT_READ)
4133 av |= PROCESS__GETRLIMIT;
4134 return avc_has_perm(&selinux_state,
4135 cred_sid(cred), cred_sid(tcred),
4136 SECCLASS_PROCESS, av, NULL);
4139 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4140 struct rlimit *new_rlim)
4142 struct rlimit *old_rlim = p->signal->rlim + resource;
4144 /* Control the ability to change the hard limit (whether
4145 lowering or raising it), so that the hard limit can
4146 later be used as a safe reset point for the soft limit
4147 upon context transitions. See selinux_bprm_committing_creds. */
4148 if (old_rlim->rlim_max != new_rlim->rlim_max)
4149 return avc_has_perm(&selinux_state,
4150 current_sid(), task_sid(p),
4151 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4156 static int selinux_task_setscheduler(struct task_struct *p)
4158 return avc_has_perm(&selinux_state,
4159 current_sid(), task_sid(p), SECCLASS_PROCESS,
4160 PROCESS__SETSCHED, NULL);
4163 static int selinux_task_getscheduler(struct task_struct *p)
4165 return avc_has_perm(&selinux_state,
4166 current_sid(), task_sid(p), SECCLASS_PROCESS,
4167 PROCESS__GETSCHED, NULL);
4170 static int selinux_task_movememory(struct task_struct *p)
4172 return avc_has_perm(&selinux_state,
4173 current_sid(), task_sid(p), SECCLASS_PROCESS,
4174 PROCESS__SETSCHED, NULL);
4177 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4178 int sig, const struct cred *cred)
4184 perm = PROCESS__SIGNULL; /* null signal; existence test */
4186 perm = signal_to_av(sig);
4188 secid = current_sid();
4190 secid = cred_sid(cred);
4191 return avc_has_perm(&selinux_state,
4192 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4195 static void selinux_task_to_inode(struct task_struct *p,
4196 struct inode *inode)
4198 struct inode_security_struct *isec = inode->i_security;
4199 u32 sid = task_sid(p);
4201 spin_lock(&isec->lock);
4202 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4204 isec->initialized = LABEL_INITIALIZED;
4205 spin_unlock(&isec->lock);
4208 /* Returns error only if unable to parse addresses */
4209 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4210 struct common_audit_data *ad, u8 *proto)
4212 int offset, ihlen, ret = -EINVAL;
4213 struct iphdr _iph, *ih;
4215 offset = skb_network_offset(skb);
4216 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4220 ihlen = ih->ihl * 4;
4221 if (ihlen < sizeof(_iph))
4224 ad->u.net->v4info.saddr = ih->saddr;
4225 ad->u.net->v4info.daddr = ih->daddr;
4229 *proto = ih->protocol;
4231 switch (ih->protocol) {
4233 struct tcphdr _tcph, *th;
4235 if (ntohs(ih->frag_off) & IP_OFFSET)
4239 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4243 ad->u.net->sport = th->source;
4244 ad->u.net->dport = th->dest;
4249 struct udphdr _udph, *uh;
4251 if (ntohs(ih->frag_off) & IP_OFFSET)
4255 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4259 ad->u.net->sport = uh->source;
4260 ad->u.net->dport = uh->dest;
4264 case IPPROTO_DCCP: {
4265 struct dccp_hdr _dccph, *dh;
4267 if (ntohs(ih->frag_off) & IP_OFFSET)
4271 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4275 ad->u.net->sport = dh->dccph_sport;
4276 ad->u.net->dport = dh->dccph_dport;
4280 #if IS_ENABLED(CONFIG_IP_SCTP)
4281 case IPPROTO_SCTP: {
4282 struct sctphdr _sctph, *sh;
4284 if (ntohs(ih->frag_off) & IP_OFFSET)
4288 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4292 ad->u.net->sport = sh->source;
4293 ad->u.net->dport = sh->dest;
4304 #if IS_ENABLED(CONFIG_IPV6)
4306 /* Returns error only if unable to parse addresses */
4307 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4308 struct common_audit_data *ad, u8 *proto)
4311 int ret = -EINVAL, offset;
4312 struct ipv6hdr _ipv6h, *ip6;
4315 offset = skb_network_offset(skb);
4316 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4320 ad->u.net->v6info.saddr = ip6->saddr;
4321 ad->u.net->v6info.daddr = ip6->daddr;
4324 nexthdr = ip6->nexthdr;
4325 offset += sizeof(_ipv6h);
4326 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4335 struct tcphdr _tcph, *th;
4337 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4341 ad->u.net->sport = th->source;
4342 ad->u.net->dport = th->dest;
4347 struct udphdr _udph, *uh;
4349 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4353 ad->u.net->sport = uh->source;
4354 ad->u.net->dport = uh->dest;
4358 case IPPROTO_DCCP: {
4359 struct dccp_hdr _dccph, *dh;
4361 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4365 ad->u.net->sport = dh->dccph_sport;
4366 ad->u.net->dport = dh->dccph_dport;
4370 #if IS_ENABLED(CONFIG_IP_SCTP)
4371 case IPPROTO_SCTP: {
4372 struct sctphdr _sctph, *sh;
4374 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4378 ad->u.net->sport = sh->source;
4379 ad->u.net->dport = sh->dest;
4383 /* includes fragments */
4393 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4394 char **_addrp, int src, u8 *proto)
4399 switch (ad->u.net->family) {
4401 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4404 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4405 &ad->u.net->v4info.daddr);
4408 #if IS_ENABLED(CONFIG_IPV6)
4410 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4413 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4414 &ad->u.net->v6info.daddr);
4424 "SELinux: failure in selinux_parse_skb(),"
4425 " unable to parse packet\n");
4435 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4437 * @family: protocol family
4438 * @sid: the packet's peer label SID
4441 * Check the various different forms of network peer labeling and determine
4442 * the peer label/SID for the packet; most of the magic actually occurs in
4443 * the security server function security_net_peersid_cmp(). The function
4444 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4445 * or -EACCES if @sid is invalid due to inconsistencies with the different
4449 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4456 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4459 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4463 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4464 nlbl_type, xfrm_sid, sid);
4465 if (unlikely(err)) {
4467 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4468 " unable to determine packet's peer label\n");
4476 * selinux_conn_sid - Determine the child socket label for a connection
4477 * @sk_sid: the parent socket's SID
4478 * @skb_sid: the packet's SID
4479 * @conn_sid: the resulting connection SID
4481 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4482 * combined with the MLS information from @skb_sid in order to create
4483 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4484 * of @sk_sid. Returns zero on success, negative values on failure.
4487 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4491 if (skb_sid != SECSID_NULL)
4492 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4500 /* socket security operations */
4502 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4503 u16 secclass, u32 *socksid)
4505 if (tsec->sockcreate_sid > SECSID_NULL) {
4506 *socksid = tsec->sockcreate_sid;
4510 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4511 secclass, NULL, socksid);
4514 static int sock_has_perm(struct sock *sk, u32 perms)
4516 struct sk_security_struct *sksec = sk->sk_security;
4517 struct common_audit_data ad;
4518 struct lsm_network_audit net = {0,};
4520 if (sksec->sid == SECINITSID_KERNEL)
4523 ad.type = LSM_AUDIT_DATA_NET;
4527 return avc_has_perm(&selinux_state,
4528 current_sid(), sksec->sid, sksec->sclass, perms,
4532 static int selinux_socket_create(int family, int type,
4533 int protocol, int kern)
4535 const struct task_security_struct *tsec = current_security();
4543 secclass = socket_type_to_security_class(family, type, protocol);
4544 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4548 return avc_has_perm(&selinux_state,
4549 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4552 static int selinux_socket_post_create(struct socket *sock, int family,
4553 int type, int protocol, int kern)
4555 const struct task_security_struct *tsec = current_security();
4556 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4557 struct sk_security_struct *sksec;
4558 u16 sclass = socket_type_to_security_class(family, type, protocol);
4559 u32 sid = SECINITSID_KERNEL;
4563 err = socket_sockcreate_sid(tsec, sclass, &sid);
4568 isec->sclass = sclass;
4570 isec->initialized = LABEL_INITIALIZED;
4573 sksec = sock->sk->sk_security;
4574 sksec->sclass = sclass;
4576 /* Allows detection of the first association on this socket */
4577 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4578 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4580 err = selinux_netlbl_socket_post_create(sock->sk, family);
4586 static int selinux_socket_socketpair(struct socket *socka,
4587 struct socket *sockb)
4589 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4590 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4592 sksec_a->peer_sid = sksec_b->sid;
4593 sksec_b->peer_sid = sksec_a->sid;
4598 /* Range of port numbers used to automatically bind.
4599 Need to determine whether we should perform a name_bind
4600 permission check between the socket and the port number. */
4602 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4604 struct sock *sk = sock->sk;
4605 struct sk_security_struct *sksec = sk->sk_security;
4609 err = sock_has_perm(sk, SOCKET__BIND);
4613 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4614 family = sk->sk_family;
4615 if (family == PF_INET || family == PF_INET6) {
4617 struct common_audit_data ad;
4618 struct lsm_network_audit net = {0,};
4619 struct sockaddr_in *addr4 = NULL;
4620 struct sockaddr_in6 *addr6 = NULL;
4621 u16 family_sa = address->sa_family;
4622 unsigned short snum;
4626 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4627 * that validates multiple binding addresses. Because of this
4628 * need to check address->sa_family as it is possible to have
4629 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4631 switch (family_sa) {
4634 if (addrlen < sizeof(struct sockaddr_in))
4636 addr4 = (struct sockaddr_in *)address;
4637 if (family_sa == AF_UNSPEC) {
4638 /* see __inet_bind(), we only want to allow
4639 * AF_UNSPEC if the address is INADDR_ANY
4641 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4643 family_sa = AF_INET;
4645 snum = ntohs(addr4->sin_port);
4646 addrp = (char *)&addr4->sin_addr.s_addr;
4649 if (addrlen < SIN6_LEN_RFC2133)
4651 addr6 = (struct sockaddr_in6 *)address;
4652 snum = ntohs(addr6->sin6_port);
4653 addrp = (char *)&addr6->sin6_addr.s6_addr;
4659 ad.type = LSM_AUDIT_DATA_NET;
4661 ad.u.net->sport = htons(snum);
4662 ad.u.net->family = family_sa;
4667 inet_get_local_port_range(sock_net(sk), &low, &high);
4669 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4671 err = sel_netport_sid(sk->sk_protocol,
4675 err = avc_has_perm(&selinux_state,
4678 SOCKET__NAME_BIND, &ad);
4684 switch (sksec->sclass) {
4685 case SECCLASS_TCP_SOCKET:
4686 node_perm = TCP_SOCKET__NODE_BIND;
4689 case SECCLASS_UDP_SOCKET:
4690 node_perm = UDP_SOCKET__NODE_BIND;
4693 case SECCLASS_DCCP_SOCKET:
4694 node_perm = DCCP_SOCKET__NODE_BIND;
4697 case SECCLASS_SCTP_SOCKET:
4698 node_perm = SCTP_SOCKET__NODE_BIND;
4702 node_perm = RAWIP_SOCKET__NODE_BIND;
4706 err = sel_netnode_sid(addrp, family_sa, &sid);
4710 if (family_sa == AF_INET)
4711 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4713 ad.u.net->v6info.saddr = addr6->sin6_addr;
4715 err = avc_has_perm(&selinux_state,
4717 sksec->sclass, node_perm, &ad);
4724 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4725 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4727 return -EAFNOSUPPORT;
4730 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4731 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
4733 static int selinux_socket_connect_helper(struct socket *sock,
4734 struct sockaddr *address, int addrlen)
4736 struct sock *sk = sock->sk;
4737 struct sk_security_struct *sksec = sk->sk_security;
4740 err = sock_has_perm(sk, SOCKET__CONNECT);
4745 * If a TCP, DCCP or SCTP socket, check name_connect permission
4748 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4749 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4750 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4751 struct common_audit_data ad;
4752 struct lsm_network_audit net = {0,};
4753 struct sockaddr_in *addr4 = NULL;
4754 struct sockaddr_in6 *addr6 = NULL;
4755 unsigned short snum;
4758 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4759 * that validates multiple connect addresses. Because of this
4760 * need to check address->sa_family as it is possible to have
4761 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4763 switch (address->sa_family) {
4765 addr4 = (struct sockaddr_in *)address;
4766 if (addrlen < sizeof(struct sockaddr_in))
4768 snum = ntohs(addr4->sin_port);
4771 addr6 = (struct sockaddr_in6 *)address;
4772 if (addrlen < SIN6_LEN_RFC2133)
4774 snum = ntohs(addr6->sin6_port);
4777 /* Note that SCTP services expect -EINVAL, whereas
4778 * others expect -EAFNOSUPPORT.
4780 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4783 return -EAFNOSUPPORT;
4786 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4790 switch (sksec->sclass) {
4791 case SECCLASS_TCP_SOCKET:
4792 perm = TCP_SOCKET__NAME_CONNECT;
4794 case SECCLASS_DCCP_SOCKET:
4795 perm = DCCP_SOCKET__NAME_CONNECT;
4797 case SECCLASS_SCTP_SOCKET:
4798 perm = SCTP_SOCKET__NAME_CONNECT;
4802 ad.type = LSM_AUDIT_DATA_NET;
4804 ad.u.net->dport = htons(snum);
4805 ad.u.net->family = address->sa_family;
4806 err = avc_has_perm(&selinux_state,
4807 sksec->sid, sid, sksec->sclass, perm, &ad);
4815 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4816 static int selinux_socket_connect(struct socket *sock,
4817 struct sockaddr *address, int addrlen)
4820 struct sock *sk = sock->sk;
4822 err = selinux_socket_connect_helper(sock, address, addrlen);
4826 return selinux_netlbl_socket_connect(sk, address);
4829 static int selinux_socket_listen(struct socket *sock, int backlog)
4831 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4834 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4837 struct inode_security_struct *isec;
4838 struct inode_security_struct *newisec;
4842 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4846 isec = inode_security_novalidate(SOCK_INODE(sock));
4847 spin_lock(&isec->lock);
4848 sclass = isec->sclass;
4850 spin_unlock(&isec->lock);
4852 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4853 newisec->sclass = sclass;
4855 newisec->initialized = LABEL_INITIALIZED;
4860 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4863 return sock_has_perm(sock->sk, SOCKET__WRITE);
4866 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4867 int size, int flags)
4869 return sock_has_perm(sock->sk, SOCKET__READ);
4872 static int selinux_socket_getsockname(struct socket *sock)
4874 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4877 static int selinux_socket_getpeername(struct socket *sock)
4879 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4882 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4886 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4890 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4893 static int selinux_socket_getsockopt(struct socket *sock, int level,
4896 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4899 static int selinux_socket_shutdown(struct socket *sock, int how)
4901 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4904 static int selinux_socket_unix_stream_connect(struct sock *sock,
4908 struct sk_security_struct *sksec_sock = sock->sk_security;
4909 struct sk_security_struct *sksec_other = other->sk_security;
4910 struct sk_security_struct *sksec_new = newsk->sk_security;
4911 struct common_audit_data ad;
4912 struct lsm_network_audit net = {0,};
4915 ad.type = LSM_AUDIT_DATA_NET;
4917 ad.u.net->sk = other;
4919 err = avc_has_perm(&selinux_state,
4920 sksec_sock->sid, sksec_other->sid,
4921 sksec_other->sclass,
4922 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4926 /* server child socket */
4927 sksec_new->peer_sid = sksec_sock->sid;
4928 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4929 sksec_sock->sid, &sksec_new->sid);
4933 /* connecting socket */
4934 sksec_sock->peer_sid = sksec_new->sid;
4939 static int selinux_socket_unix_may_send(struct socket *sock,
4940 struct socket *other)
4942 struct sk_security_struct *ssec = sock->sk->sk_security;
4943 struct sk_security_struct *osec = other->sk->sk_security;
4944 struct common_audit_data ad;
4945 struct lsm_network_audit net = {0,};
4947 ad.type = LSM_AUDIT_DATA_NET;
4949 ad.u.net->sk = other->sk;
4951 return avc_has_perm(&selinux_state,
4952 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4956 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4957 char *addrp, u16 family, u32 peer_sid,
4958 struct common_audit_data *ad)
4964 err = sel_netif_sid(ns, ifindex, &if_sid);
4967 err = avc_has_perm(&selinux_state,
4969 SECCLASS_NETIF, NETIF__INGRESS, ad);
4973 err = sel_netnode_sid(addrp, family, &node_sid);
4976 return avc_has_perm(&selinux_state,
4978 SECCLASS_NODE, NODE__RECVFROM, ad);
4981 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4985 struct sk_security_struct *sksec = sk->sk_security;
4986 u32 sk_sid = sksec->sid;
4987 struct common_audit_data ad;
4988 struct lsm_network_audit net = {0,};
4991 ad.type = LSM_AUDIT_DATA_NET;
4993 ad.u.net->netif = skb->skb_iif;
4994 ad.u.net->family = family;
4995 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4999 if (selinux_secmark_enabled()) {
5000 err = avc_has_perm(&selinux_state,
5001 sk_sid, skb->secmark, SECCLASS_PACKET,
5007 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5010 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5015 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5018 struct sk_security_struct *sksec = sk->sk_security;
5019 u16 family = sk->sk_family;
5020 u32 sk_sid = sksec->sid;
5021 struct common_audit_data ad;
5022 struct lsm_network_audit net = {0,};
5027 if (family != PF_INET && family != PF_INET6)
5030 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5031 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5034 /* If any sort of compatibility mode is enabled then handoff processing
5035 * to the selinux_sock_rcv_skb_compat() function to deal with the
5036 * special handling. We do this in an attempt to keep this function
5037 * as fast and as clean as possible. */
5038 if (!selinux_policycap_netpeer())
5039 return selinux_sock_rcv_skb_compat(sk, skb, family);
5041 secmark_active = selinux_secmark_enabled();
5042 peerlbl_active = selinux_peerlbl_enabled();
5043 if (!secmark_active && !peerlbl_active)
5046 ad.type = LSM_AUDIT_DATA_NET;
5048 ad.u.net->netif = skb->skb_iif;
5049 ad.u.net->family = family;
5050 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5054 if (peerlbl_active) {
5057 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5060 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5061 addrp, family, peer_sid, &ad);
5063 selinux_netlbl_err(skb, family, err, 0);
5066 err = avc_has_perm(&selinux_state,
5067 sk_sid, peer_sid, SECCLASS_PEER,
5070 selinux_netlbl_err(skb, family, err, 0);
5075 if (secmark_active) {
5076 err = avc_has_perm(&selinux_state,
5077 sk_sid, skb->secmark, SECCLASS_PACKET,
5086 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5087 int __user *optlen, unsigned len)
5092 struct sk_security_struct *sksec = sock->sk->sk_security;
5093 u32 peer_sid = SECSID_NULL;
5095 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5096 sksec->sclass == SECCLASS_TCP_SOCKET ||
5097 sksec->sclass == SECCLASS_SCTP_SOCKET)
5098 peer_sid = sksec->peer_sid;
5099 if (peer_sid == SECSID_NULL)
5100 return -ENOPROTOOPT;
5102 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5107 if (scontext_len > len) {
5112 if (copy_to_user(optval, scontext, scontext_len))
5116 if (put_user(scontext_len, optlen))
5122 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5124 u32 peer_secid = SECSID_NULL;
5126 struct inode_security_struct *isec;
5128 if (skb && skb->protocol == htons(ETH_P_IP))
5130 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5133 family = sock->sk->sk_family;
5137 if (sock && family == PF_UNIX) {
5138 isec = inode_security_novalidate(SOCK_INODE(sock));
5139 peer_secid = isec->sid;
5141 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5144 *secid = peer_secid;
5145 if (peer_secid == SECSID_NULL)
5150 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5152 struct sk_security_struct *sksec;
5154 sksec = kzalloc(sizeof(*sksec), priority);
5158 sksec->peer_sid = SECINITSID_UNLABELED;
5159 sksec->sid = SECINITSID_UNLABELED;
5160 sksec->sclass = SECCLASS_SOCKET;
5161 selinux_netlbl_sk_security_reset(sksec);
5162 sk->sk_security = sksec;
5167 static void selinux_sk_free_security(struct sock *sk)
5169 struct sk_security_struct *sksec = sk->sk_security;
5171 sk->sk_security = NULL;
5172 selinux_netlbl_sk_security_free(sksec);
5176 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5178 struct sk_security_struct *sksec = sk->sk_security;
5179 struct sk_security_struct *newsksec = newsk->sk_security;
5181 newsksec->sid = sksec->sid;
5182 newsksec->peer_sid = sksec->peer_sid;
5183 newsksec->sclass = sksec->sclass;
5185 selinux_netlbl_sk_security_reset(newsksec);
5188 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5191 *secid = SECINITSID_ANY_SOCKET;
5193 struct sk_security_struct *sksec = sk->sk_security;
5195 *secid = sksec->sid;
5199 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5201 struct inode_security_struct *isec =
5202 inode_security_novalidate(SOCK_INODE(parent));
5203 struct sk_security_struct *sksec = sk->sk_security;
5205 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5206 sk->sk_family == PF_UNIX)
5207 isec->sid = sksec->sid;
5208 sksec->sclass = isec->sclass;
5211 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5212 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5215 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5216 struct sk_buff *skb)
5218 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5219 struct common_audit_data ad;
5220 struct lsm_network_audit net = {0,};
5222 u32 peer_sid = SECINITSID_UNLABELED;
5226 if (!selinux_policycap_extsockclass())
5229 peerlbl_active = selinux_peerlbl_enabled();
5231 if (peerlbl_active) {
5232 /* This will return peer_sid = SECSID_NULL if there are
5233 * no peer labels, see security_net_peersid_resolve().
5235 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5240 if (peer_sid == SECSID_NULL)
5241 peer_sid = SECINITSID_UNLABELED;
5244 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5245 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5247 /* Here as first association on socket. As the peer SID
5248 * was allowed by peer recv (and the netif/node checks),
5249 * then it is approved by policy and used as the primary
5250 * peer SID for getpeercon(3).
5252 sksec->peer_sid = peer_sid;
5253 } else if (sksec->peer_sid != peer_sid) {
5254 /* Other association peer SIDs are checked to enforce
5255 * consistency among the peer SIDs.
5257 ad.type = LSM_AUDIT_DATA_NET;
5259 ad.u.net->sk = ep->base.sk;
5260 err = avc_has_perm(&selinux_state,
5261 sksec->peer_sid, peer_sid, sksec->sclass,
5262 SCTP_SOCKET__ASSOCIATION, &ad);
5267 /* Compute the MLS component for the connection and store
5268 * the information in ep. This will be used by SCTP TCP type
5269 * sockets and peeled off connections as they cause a new
5270 * socket to be generated. selinux_sctp_sk_clone() will then
5271 * plug this into the new socket.
5273 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5277 ep->secid = conn_sid;
5278 ep->peer_secid = peer_sid;
5280 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5281 return selinux_netlbl_sctp_assoc_request(ep, skb);
5284 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5285 * based on their @optname.
5287 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5288 struct sockaddr *address,
5291 int len, err = 0, walk_size = 0;
5293 struct sockaddr *addr;
5294 struct socket *sock;
5296 if (!selinux_policycap_extsockclass())
5299 /* Process one or more addresses that may be IPv4 or IPv6 */
5300 sock = sk->sk_socket;
5303 while (walk_size < addrlen) {
5305 switch (addr->sa_family) {
5308 len = sizeof(struct sockaddr_in);
5311 len = sizeof(struct sockaddr_in6);
5320 case SCTP_PRIMARY_ADDR:
5321 case SCTP_SET_PEER_PRIMARY_ADDR:
5322 case SCTP_SOCKOPT_BINDX_ADD:
5323 err = selinux_socket_bind(sock, addr, len);
5325 /* Connect checks */
5326 case SCTP_SOCKOPT_CONNECTX:
5327 case SCTP_PARAM_SET_PRIMARY:
5328 case SCTP_PARAM_ADD_IP:
5329 case SCTP_SENDMSG_CONNECT:
5330 err = selinux_socket_connect_helper(sock, addr, len);
5334 /* As selinux_sctp_bind_connect() is called by the
5335 * SCTP protocol layer, the socket is already locked,
5336 * therefore selinux_netlbl_socket_connect_locked() is
5337 * is called here. The situations handled are:
5338 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5339 * whenever a new IP address is added or when a new
5340 * primary address is selected.
5341 * Note that an SCTP connect(2) call happens before
5342 * the SCTP protocol layer and is handled via
5343 * selinux_socket_connect().
5345 err = selinux_netlbl_socket_connect_locked(sk, addr);
5359 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5360 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5363 struct sk_security_struct *sksec = sk->sk_security;
5364 struct sk_security_struct *newsksec = newsk->sk_security;
5366 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5367 * the non-sctp clone version.
5369 if (!selinux_policycap_extsockclass())
5370 return selinux_sk_clone_security(sk, newsk);
5372 newsksec->sid = ep->secid;
5373 newsksec->peer_sid = ep->peer_secid;
5374 newsksec->sclass = sksec->sclass;
5375 selinux_netlbl_sctp_sk_clone(sk, newsk);
5378 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5379 struct request_sock *req)
5381 struct sk_security_struct *sksec = sk->sk_security;
5383 u16 family = req->rsk_ops->family;
5387 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5390 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5393 req->secid = connsid;
5394 req->peer_secid = peersid;
5396 return selinux_netlbl_inet_conn_request(req, family);
5399 static void selinux_inet_csk_clone(struct sock *newsk,
5400 const struct request_sock *req)
5402 struct sk_security_struct *newsksec = newsk->sk_security;
5404 newsksec->sid = req->secid;
5405 newsksec->peer_sid = req->peer_secid;
5406 /* NOTE: Ideally, we should also get the isec->sid for the
5407 new socket in sync, but we don't have the isec available yet.
5408 So we will wait until sock_graft to do it, by which
5409 time it will have been created and available. */
5411 /* We don't need to take any sort of lock here as we are the only
5412 * thread with access to newsksec */
5413 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5416 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5418 u16 family = sk->sk_family;
5419 struct sk_security_struct *sksec = sk->sk_security;
5421 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5422 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5425 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5428 static int selinux_secmark_relabel_packet(u32 sid)
5430 const struct task_security_struct *__tsec;
5433 __tsec = current_security();
5436 return avc_has_perm(&selinux_state,
5437 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5441 static void selinux_secmark_refcount_inc(void)
5443 atomic_inc(&selinux_secmark_refcount);
5446 static void selinux_secmark_refcount_dec(void)
5448 atomic_dec(&selinux_secmark_refcount);
5451 static void selinux_req_classify_flow(const struct request_sock *req,
5454 fl->flowi_secid = req->secid;
5457 static int selinux_tun_dev_alloc_security(void **security)
5459 struct tun_security_struct *tunsec;
5461 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5464 tunsec->sid = current_sid();
5470 static void selinux_tun_dev_free_security(void *security)
5475 static int selinux_tun_dev_create(void)
5477 u32 sid = current_sid();
5479 /* we aren't taking into account the "sockcreate" SID since the socket
5480 * that is being created here is not a socket in the traditional sense,
5481 * instead it is a private sock, accessible only to the kernel, and
5482 * representing a wide range of network traffic spanning multiple
5483 * connections unlike traditional sockets - check the TUN driver to
5484 * get a better understanding of why this socket is special */
5486 return avc_has_perm(&selinux_state,
5487 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5491 static int selinux_tun_dev_attach_queue(void *security)
5493 struct tun_security_struct *tunsec = security;
5495 return avc_has_perm(&selinux_state,
5496 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5497 TUN_SOCKET__ATTACH_QUEUE, NULL);
5500 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5502 struct tun_security_struct *tunsec = security;
5503 struct sk_security_struct *sksec = sk->sk_security;
5505 /* we don't currently perform any NetLabel based labeling here and it
5506 * isn't clear that we would want to do so anyway; while we could apply
5507 * labeling without the support of the TUN user the resulting labeled
5508 * traffic from the other end of the connection would almost certainly
5509 * cause confusion to the TUN user that had no idea network labeling
5510 * protocols were being used */
5512 sksec->sid = tunsec->sid;
5513 sksec->sclass = SECCLASS_TUN_SOCKET;
5518 static int selinux_tun_dev_open(void *security)
5520 struct tun_security_struct *tunsec = security;
5521 u32 sid = current_sid();
5524 err = avc_has_perm(&selinux_state,
5525 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5526 TUN_SOCKET__RELABELFROM, NULL);
5529 err = avc_has_perm(&selinux_state,
5530 sid, sid, SECCLASS_TUN_SOCKET,
5531 TUN_SOCKET__RELABELTO, NULL);
5539 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5543 struct nlmsghdr *nlh;
5544 struct sk_security_struct *sksec = sk->sk_security;
5546 if (skb->len < NLMSG_HDRLEN) {
5550 nlh = nlmsg_hdr(skb);
5552 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5554 if (err == -EINVAL) {
5555 pr_warn_ratelimited("SELinux: unrecognized netlink"
5556 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5557 " pig=%d comm=%s\n",
5558 sk->sk_protocol, nlh->nlmsg_type,
5559 secclass_map[sksec->sclass - 1].name,
5560 task_pid_nr(current), current->comm);
5561 if (!enforcing_enabled(&selinux_state) ||
5562 security_get_allow_unknown(&selinux_state))
5572 err = sock_has_perm(sk, perm);
5577 #ifdef CONFIG_NETFILTER
5579 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5580 const struct net_device *indev,
5586 struct common_audit_data ad;
5587 struct lsm_network_audit net = {0,};
5592 if (!selinux_policycap_netpeer())
5595 secmark_active = selinux_secmark_enabled();
5596 netlbl_active = netlbl_enabled();
5597 peerlbl_active = selinux_peerlbl_enabled();
5598 if (!secmark_active && !peerlbl_active)
5601 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5604 ad.type = LSM_AUDIT_DATA_NET;
5606 ad.u.net->netif = indev->ifindex;
5607 ad.u.net->family = family;
5608 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5611 if (peerlbl_active) {
5612 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5613 addrp, family, peer_sid, &ad);
5615 selinux_netlbl_err(skb, family, err, 1);
5621 if (avc_has_perm(&selinux_state,
5622 peer_sid, skb->secmark,
5623 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5627 /* we do this in the FORWARD path and not the POST_ROUTING
5628 * path because we want to make sure we apply the necessary
5629 * labeling before IPsec is applied so we can leverage AH
5631 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5637 static unsigned int selinux_ipv4_forward(void *priv,
5638 struct sk_buff *skb,
5639 const struct nf_hook_state *state)
5641 return selinux_ip_forward(skb, state->in, PF_INET);
5644 #if IS_ENABLED(CONFIG_IPV6)
5645 static unsigned int selinux_ipv6_forward(void *priv,
5646 struct sk_buff *skb,
5647 const struct nf_hook_state *state)
5649 return selinux_ip_forward(skb, state->in, PF_INET6);
5653 static unsigned int selinux_ip_output(struct sk_buff *skb,
5659 if (!netlbl_enabled())
5662 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5663 * because we want to make sure we apply the necessary labeling
5664 * before IPsec is applied so we can leverage AH protection */
5667 struct sk_security_struct *sksec;
5669 if (sk_listener(sk))
5670 /* if the socket is the listening state then this
5671 * packet is a SYN-ACK packet which means it needs to
5672 * be labeled based on the connection/request_sock and
5673 * not the parent socket. unfortunately, we can't
5674 * lookup the request_sock yet as it isn't queued on
5675 * the parent socket until after the SYN-ACK is sent.
5676 * the "solution" is to simply pass the packet as-is
5677 * as any IP option based labeling should be copied
5678 * from the initial connection request (in the IP
5679 * layer). it is far from ideal, but until we get a
5680 * security label in the packet itself this is the
5681 * best we can do. */
5684 /* standard practice, label using the parent socket */
5685 sksec = sk->sk_security;
5688 sid = SECINITSID_KERNEL;
5689 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5695 static unsigned int selinux_ipv4_output(void *priv,
5696 struct sk_buff *skb,
5697 const struct nf_hook_state *state)
5699 return selinux_ip_output(skb, PF_INET);
5702 #if IS_ENABLED(CONFIG_IPV6)
5703 static unsigned int selinux_ipv6_output(void *priv,
5704 struct sk_buff *skb,
5705 const struct nf_hook_state *state)
5707 return selinux_ip_output(skb, PF_INET6);
5711 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5715 struct sock *sk = skb_to_full_sk(skb);
5716 struct sk_security_struct *sksec;
5717 struct common_audit_data ad;
5718 struct lsm_network_audit net = {0,};
5724 sksec = sk->sk_security;
5726 ad.type = LSM_AUDIT_DATA_NET;
5728 ad.u.net->netif = ifindex;
5729 ad.u.net->family = family;
5730 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5733 if (selinux_secmark_enabled())
5734 if (avc_has_perm(&selinux_state,
5735 sksec->sid, skb->secmark,
5736 SECCLASS_PACKET, PACKET__SEND, &ad))
5737 return NF_DROP_ERR(-ECONNREFUSED);
5739 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5740 return NF_DROP_ERR(-ECONNREFUSED);
5745 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5746 const struct net_device *outdev,
5751 int ifindex = outdev->ifindex;
5753 struct common_audit_data ad;
5754 struct lsm_network_audit net = {0,};
5759 /* If any sort of compatibility mode is enabled then handoff processing
5760 * to the selinux_ip_postroute_compat() function to deal with the
5761 * special handling. We do this in an attempt to keep this function
5762 * as fast and as clean as possible. */
5763 if (!selinux_policycap_netpeer())
5764 return selinux_ip_postroute_compat(skb, ifindex, family);
5766 secmark_active = selinux_secmark_enabled();
5767 peerlbl_active = selinux_peerlbl_enabled();
5768 if (!secmark_active && !peerlbl_active)
5771 sk = skb_to_full_sk(skb);
5774 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5775 * packet transformation so allow the packet to pass without any checks
5776 * since we'll have another chance to perform access control checks
5777 * when the packet is on it's final way out.
5778 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5779 * is NULL, in this case go ahead and apply access control.
5780 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5781 * TCP listening state we cannot wait until the XFRM processing
5782 * is done as we will miss out on the SA label if we do;
5783 * unfortunately, this means more work, but it is only once per
5785 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5786 !(sk && sk_listener(sk)))
5791 /* Without an associated socket the packet is either coming
5792 * from the kernel or it is being forwarded; check the packet
5793 * to determine which and if the packet is being forwarded
5794 * query the packet directly to determine the security label. */
5796 secmark_perm = PACKET__FORWARD_OUT;
5797 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5800 secmark_perm = PACKET__SEND;
5801 peer_sid = SECINITSID_KERNEL;
5803 } else if (sk_listener(sk)) {
5804 /* Locally generated packet but the associated socket is in the
5805 * listening state which means this is a SYN-ACK packet. In
5806 * this particular case the correct security label is assigned
5807 * to the connection/request_sock but unfortunately we can't
5808 * query the request_sock as it isn't queued on the parent
5809 * socket until after the SYN-ACK packet is sent; the only
5810 * viable choice is to regenerate the label like we do in
5811 * selinux_inet_conn_request(). See also selinux_ip_output()
5812 * for similar problems. */
5814 struct sk_security_struct *sksec;
5816 sksec = sk->sk_security;
5817 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5819 /* At this point, if the returned skb peerlbl is SECSID_NULL
5820 * and the packet has been through at least one XFRM
5821 * transformation then we must be dealing with the "final"
5822 * form of labeled IPsec packet; since we've already applied
5823 * all of our access controls on this packet we can safely
5824 * pass the packet. */
5825 if (skb_sid == SECSID_NULL) {
5828 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5832 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5836 return NF_DROP_ERR(-ECONNREFUSED);
5839 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5841 secmark_perm = PACKET__SEND;
5843 /* Locally generated packet, fetch the security label from the
5844 * associated socket. */
5845 struct sk_security_struct *sksec = sk->sk_security;
5846 peer_sid = sksec->sid;
5847 secmark_perm = PACKET__SEND;
5850 ad.type = LSM_AUDIT_DATA_NET;
5852 ad.u.net->netif = ifindex;
5853 ad.u.net->family = family;
5854 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5858 if (avc_has_perm(&selinux_state,
5859 peer_sid, skb->secmark,
5860 SECCLASS_PACKET, secmark_perm, &ad))
5861 return NF_DROP_ERR(-ECONNREFUSED);
5863 if (peerlbl_active) {
5867 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5869 if (avc_has_perm(&selinux_state,
5871 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5872 return NF_DROP_ERR(-ECONNREFUSED);
5874 if (sel_netnode_sid(addrp, family, &node_sid))
5876 if (avc_has_perm(&selinux_state,
5878 SECCLASS_NODE, NODE__SENDTO, &ad))
5879 return NF_DROP_ERR(-ECONNREFUSED);
5885 static unsigned int selinux_ipv4_postroute(void *priv,
5886 struct sk_buff *skb,
5887 const struct nf_hook_state *state)
5889 return selinux_ip_postroute(skb, state->out, PF_INET);
5892 #if IS_ENABLED(CONFIG_IPV6)
5893 static unsigned int selinux_ipv6_postroute(void *priv,
5894 struct sk_buff *skb,
5895 const struct nf_hook_state *state)
5897 return selinux_ip_postroute(skb, state->out, PF_INET6);
5901 #endif /* CONFIG_NETFILTER */
5903 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5905 return selinux_nlmsg_perm(sk, skb);
5908 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5911 struct ipc_security_struct *isec;
5913 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5917 isec->sclass = sclass;
5918 isec->sid = current_sid();
5919 perm->security = isec;
5924 static void ipc_free_security(struct kern_ipc_perm *perm)
5926 struct ipc_security_struct *isec = perm->security;
5927 perm->security = NULL;
5931 static int msg_msg_alloc_security(struct msg_msg *msg)
5933 struct msg_security_struct *msec;
5935 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5939 msec->sid = SECINITSID_UNLABELED;
5940 msg->security = msec;
5945 static void msg_msg_free_security(struct msg_msg *msg)
5947 struct msg_security_struct *msec = msg->security;
5949 msg->security = NULL;
5953 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5956 struct ipc_security_struct *isec;
5957 struct common_audit_data ad;
5958 u32 sid = current_sid();
5960 isec = ipc_perms->security;
5962 ad.type = LSM_AUDIT_DATA_IPC;
5963 ad.u.ipc_id = ipc_perms->key;
5965 return avc_has_perm(&selinux_state,
5966 sid, isec->sid, isec->sclass, perms, &ad);
5969 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5971 return msg_msg_alloc_security(msg);
5974 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5976 msg_msg_free_security(msg);
5979 /* message queue security operations */
5980 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5982 struct ipc_security_struct *isec;
5983 struct common_audit_data ad;
5984 u32 sid = current_sid();
5987 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
5991 isec = msq->security;
5993 ad.type = LSM_AUDIT_DATA_IPC;
5994 ad.u.ipc_id = msq->key;
5996 rc = avc_has_perm(&selinux_state,
5997 sid, isec->sid, SECCLASS_MSGQ,
6000 ipc_free_security(msq);
6006 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6008 ipc_free_security(msq);
6011 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6013 struct ipc_security_struct *isec;
6014 struct common_audit_data ad;
6015 u32 sid = current_sid();
6017 isec = msq->security;
6019 ad.type = LSM_AUDIT_DATA_IPC;
6020 ad.u.ipc_id = msq->key;
6022 return avc_has_perm(&selinux_state,
6023 sid, isec->sid, SECCLASS_MSGQ,
6024 MSGQ__ASSOCIATE, &ad);
6027 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6035 /* No specific object, just general system-wide information. */
6036 return avc_has_perm(&selinux_state,
6037 current_sid(), SECINITSID_KERNEL,
6038 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6042 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6045 perms = MSGQ__SETATTR;
6048 perms = MSGQ__DESTROY;
6054 err = ipc_has_perm(msq, perms);
6058 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6060 struct ipc_security_struct *isec;
6061 struct msg_security_struct *msec;
6062 struct common_audit_data ad;
6063 u32 sid = current_sid();
6066 isec = msq->security;
6067 msec = msg->security;
6070 * First time through, need to assign label to the message
6072 if (msec->sid == SECINITSID_UNLABELED) {
6074 * Compute new sid based on current process and
6075 * message queue this message will be stored in
6077 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6078 SECCLASS_MSG, NULL, &msec->sid);
6083 ad.type = LSM_AUDIT_DATA_IPC;
6084 ad.u.ipc_id = msq->key;
6086 /* Can this process write to the queue? */
6087 rc = avc_has_perm(&selinux_state,
6088 sid, isec->sid, SECCLASS_MSGQ,
6091 /* Can this process send the message */
6092 rc = avc_has_perm(&selinux_state,
6093 sid, msec->sid, SECCLASS_MSG,
6096 /* Can the message be put in the queue? */
6097 rc = avc_has_perm(&selinux_state,
6098 msec->sid, isec->sid, SECCLASS_MSGQ,
6099 MSGQ__ENQUEUE, &ad);
6104 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6105 struct task_struct *target,
6106 long type, int mode)
6108 struct ipc_security_struct *isec;
6109 struct msg_security_struct *msec;
6110 struct common_audit_data ad;
6111 u32 sid = task_sid(target);
6114 isec = msq->security;
6115 msec = msg->security;
6117 ad.type = LSM_AUDIT_DATA_IPC;
6118 ad.u.ipc_id = msq->key;
6120 rc = avc_has_perm(&selinux_state,
6122 SECCLASS_MSGQ, MSGQ__READ, &ad);
6124 rc = avc_has_perm(&selinux_state,
6126 SECCLASS_MSG, MSG__RECEIVE, &ad);
6130 /* Shared Memory security operations */
6131 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6133 struct ipc_security_struct *isec;
6134 struct common_audit_data ad;
6135 u32 sid = current_sid();
6138 rc = ipc_alloc_security(shp, SECCLASS_SHM);
6142 isec = shp->security;
6144 ad.type = LSM_AUDIT_DATA_IPC;
6145 ad.u.ipc_id = shp->key;
6147 rc = avc_has_perm(&selinux_state,
6148 sid, isec->sid, SECCLASS_SHM,
6151 ipc_free_security(shp);
6157 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6159 ipc_free_security(shp);
6162 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6164 struct ipc_security_struct *isec;
6165 struct common_audit_data ad;
6166 u32 sid = current_sid();
6168 isec = shp->security;
6170 ad.type = LSM_AUDIT_DATA_IPC;
6171 ad.u.ipc_id = shp->key;
6173 return avc_has_perm(&selinux_state,
6174 sid, isec->sid, SECCLASS_SHM,
6175 SHM__ASSOCIATE, &ad);
6178 /* Note, at this point, shp is locked down */
6179 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6187 /* No specific object, just general system-wide information. */
6188 return avc_has_perm(&selinux_state,
6189 current_sid(), SECINITSID_KERNEL,
6190 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6194 perms = SHM__GETATTR | SHM__ASSOCIATE;
6197 perms = SHM__SETATTR;
6204 perms = SHM__DESTROY;
6210 err = ipc_has_perm(shp, perms);
6214 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6215 char __user *shmaddr, int shmflg)
6219 if (shmflg & SHM_RDONLY)
6222 perms = SHM__READ | SHM__WRITE;
6224 return ipc_has_perm(shp, perms);
6227 /* Semaphore security operations */
6228 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6230 struct ipc_security_struct *isec;
6231 struct common_audit_data ad;
6232 u32 sid = current_sid();
6235 rc = ipc_alloc_security(sma, SECCLASS_SEM);
6239 isec = sma->security;
6241 ad.type = LSM_AUDIT_DATA_IPC;
6242 ad.u.ipc_id = sma->key;
6244 rc = avc_has_perm(&selinux_state,
6245 sid, isec->sid, SECCLASS_SEM,
6248 ipc_free_security(sma);
6254 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6256 ipc_free_security(sma);
6259 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6261 struct ipc_security_struct *isec;
6262 struct common_audit_data ad;
6263 u32 sid = current_sid();
6265 isec = sma->security;
6267 ad.type = LSM_AUDIT_DATA_IPC;
6268 ad.u.ipc_id = sma->key;
6270 return avc_has_perm(&selinux_state,
6271 sid, isec->sid, SECCLASS_SEM,
6272 SEM__ASSOCIATE, &ad);
6275 /* Note, at this point, sma is locked down */
6276 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6284 /* No specific object, just general system-wide information. */
6285 return avc_has_perm(&selinux_state,
6286 current_sid(), SECINITSID_KERNEL,
6287 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6291 perms = SEM__GETATTR;
6302 perms = SEM__DESTROY;
6305 perms = SEM__SETATTR;
6310 perms = SEM__GETATTR | SEM__ASSOCIATE;
6316 err = ipc_has_perm(sma, perms);
6320 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6321 struct sembuf *sops, unsigned nsops, int alter)
6326 perms = SEM__READ | SEM__WRITE;
6330 return ipc_has_perm(sma, perms);
6333 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6339 av |= IPC__UNIX_READ;
6341 av |= IPC__UNIX_WRITE;
6346 return ipc_has_perm(ipcp, av);
6349 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6351 struct ipc_security_struct *isec = ipcp->security;
6355 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6358 inode_doinit_with_dentry(inode, dentry);
6361 static int selinux_getprocattr(struct task_struct *p,
6362 char *name, char **value)
6364 const struct task_security_struct *__tsec;
6370 __tsec = __task_cred(p)->security;
6373 error = avc_has_perm(&selinux_state,
6374 current_sid(), __tsec->sid,
6375 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6380 if (!strcmp(name, "current"))
6382 else if (!strcmp(name, "prev"))
6384 else if (!strcmp(name, "exec"))
6385 sid = __tsec->exec_sid;
6386 else if (!strcmp(name, "fscreate"))
6387 sid = __tsec->create_sid;
6388 else if (!strcmp(name, "keycreate"))
6389 sid = __tsec->keycreate_sid;
6390 else if (!strcmp(name, "sockcreate"))
6391 sid = __tsec->sockcreate_sid;
6401 error = security_sid_to_context(&selinux_state, sid, value, &len);
6411 static int selinux_setprocattr(const char *name, void *value, size_t size)
6413 struct task_security_struct *tsec;
6415 u32 mysid = current_sid(), sid = 0, ptsid;
6420 * Basic control over ability to set these attributes at all.
6422 if (!strcmp(name, "exec"))
6423 error = avc_has_perm(&selinux_state,
6424 mysid, mysid, SECCLASS_PROCESS,
6425 PROCESS__SETEXEC, NULL);
6426 else if (!strcmp(name, "fscreate"))
6427 error = avc_has_perm(&selinux_state,
6428 mysid, mysid, SECCLASS_PROCESS,
6429 PROCESS__SETFSCREATE, NULL);
6430 else if (!strcmp(name, "keycreate"))
6431 error = avc_has_perm(&selinux_state,
6432 mysid, mysid, SECCLASS_PROCESS,
6433 PROCESS__SETKEYCREATE, NULL);
6434 else if (!strcmp(name, "sockcreate"))
6435 error = avc_has_perm(&selinux_state,
6436 mysid, mysid, SECCLASS_PROCESS,
6437 PROCESS__SETSOCKCREATE, NULL);
6438 else if (!strcmp(name, "current"))
6439 error = avc_has_perm(&selinux_state,
6440 mysid, mysid, SECCLASS_PROCESS,
6441 PROCESS__SETCURRENT, NULL);
6447 /* Obtain a SID for the context, if one was specified. */
6448 if (size && str[0] && str[0] != '\n') {
6449 if (str[size-1] == '\n') {
6453 error = security_context_to_sid(&selinux_state, value, size,
6455 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6456 if (!has_cap_mac_admin(true)) {
6457 struct audit_buffer *ab;
6460 /* We strip a nul only if it is at the end, otherwise the
6461 * context contains a nul and we should audit that */
6462 if (str[size - 1] == '\0')
6463 audit_size = size - 1;
6466 ab = audit_log_start(audit_context(),
6469 audit_log_format(ab, "op=fscreate invalid_context=");
6470 audit_log_n_untrustedstring(ab, value, audit_size);
6475 error = security_context_to_sid_force(
6483 new = prepare_creds();
6487 /* Permission checking based on the specified context is
6488 performed during the actual operation (execve,
6489 open/mkdir/...), when we know the full context of the
6490 operation. See selinux_bprm_set_creds for the execve
6491 checks and may_create for the file creation checks. The
6492 operation will then fail if the context is not permitted. */
6493 tsec = new->security;
6494 if (!strcmp(name, "exec")) {
6495 tsec->exec_sid = sid;
6496 } else if (!strcmp(name, "fscreate")) {
6497 tsec->create_sid = sid;
6498 } else if (!strcmp(name, "keycreate")) {
6499 error = avc_has_perm(&selinux_state,
6500 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6504 tsec->keycreate_sid = sid;
6505 } else if (!strcmp(name, "sockcreate")) {
6506 tsec->sockcreate_sid = sid;
6507 } else if (!strcmp(name, "current")) {
6512 /* Only allow single threaded processes to change context */
6514 if (!current_is_single_threaded()) {
6515 error = security_bounded_transition(&selinux_state,
6521 /* Check permissions for the transition. */
6522 error = avc_has_perm(&selinux_state,
6523 tsec->sid, sid, SECCLASS_PROCESS,
6524 PROCESS__DYNTRANSITION, NULL);
6528 /* Check for ptracing, and update the task SID if ok.
6529 Otherwise, leave SID unchanged and fail. */
6530 ptsid = ptrace_parent_sid();
6532 error = avc_has_perm(&selinux_state,
6533 ptsid, sid, SECCLASS_PROCESS,
6534 PROCESS__PTRACE, NULL);
6553 static int selinux_ismaclabel(const char *name)
6555 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6558 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6560 return security_sid_to_context(&selinux_state, secid,
6564 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6566 return security_context_to_sid(&selinux_state, secdata, seclen,
6570 static void selinux_release_secctx(char *secdata, u32 seclen)
6575 static void selinux_inode_invalidate_secctx(struct inode *inode)
6577 struct inode_security_struct *isec = inode->i_security;
6579 spin_lock(&isec->lock);
6580 isec->initialized = LABEL_INVALID;
6581 spin_unlock(&isec->lock);
6585 * called with inode->i_mutex locked
6587 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6589 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6593 * called with inode->i_mutex locked
6595 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6597 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6600 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6603 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6612 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6613 unsigned long flags)
6615 const struct task_security_struct *tsec;
6616 struct key_security_struct *ksec;
6618 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6622 tsec = cred->security;
6623 if (tsec->keycreate_sid)
6624 ksec->sid = tsec->keycreate_sid;
6626 ksec->sid = tsec->sid;
6632 static void selinux_key_free(struct key *k)
6634 struct key_security_struct *ksec = k->security;
6640 static int selinux_key_permission(key_ref_t key_ref,
6641 const struct cred *cred,
6645 struct key_security_struct *ksec;
6648 /* if no specific permissions are requested, we skip the
6649 permission check. No serious, additional covert channels
6650 appear to be created. */
6654 sid = cred_sid(cred);
6656 key = key_ref_to_ptr(key_ref);
6657 ksec = key->security;
6659 return avc_has_perm(&selinux_state,
6660 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6663 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6665 struct key_security_struct *ksec = key->security;
6666 char *context = NULL;
6670 rc = security_sid_to_context(&selinux_state, ksec->sid,
6679 #ifdef CONFIG_SECURITY_INFINIBAND
6680 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6682 struct common_audit_data ad;
6685 struct ib_security_struct *sec = ib_sec;
6686 struct lsm_ibpkey_audit ibpkey;
6688 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6692 ad.type = LSM_AUDIT_DATA_IBPKEY;
6693 ibpkey.subnet_prefix = subnet_prefix;
6694 ibpkey.pkey = pkey_val;
6695 ad.u.ibpkey = &ibpkey;
6696 return avc_has_perm(&selinux_state,
6698 SECCLASS_INFINIBAND_PKEY,
6699 INFINIBAND_PKEY__ACCESS, &ad);
6702 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6705 struct common_audit_data ad;
6708 struct ib_security_struct *sec = ib_sec;
6709 struct lsm_ibendport_audit ibendport;
6711 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6717 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6718 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6719 ibendport.port = port_num;
6720 ad.u.ibendport = &ibendport;
6721 return avc_has_perm(&selinux_state,
6723 SECCLASS_INFINIBAND_ENDPORT,
6724 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6727 static int selinux_ib_alloc_security(void **ib_sec)
6729 struct ib_security_struct *sec;
6731 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6734 sec->sid = current_sid();
6740 static void selinux_ib_free_security(void *ib_sec)
6746 #ifdef CONFIG_BPF_SYSCALL
6747 static int selinux_bpf(int cmd, union bpf_attr *attr,
6750 u32 sid = current_sid();
6754 case BPF_MAP_CREATE:
6755 ret = avc_has_perm(&selinux_state,
6756 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6760 ret = avc_has_perm(&selinux_state,
6761 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6772 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6776 if (fmode & FMODE_READ)
6777 av |= BPF__MAP_READ;
6778 if (fmode & FMODE_WRITE)
6779 av |= BPF__MAP_WRITE;
6783 /* This function will check the file pass through unix socket or binder to see
6784 * if it is a bpf related object. And apply correspinding checks on the bpf
6785 * object based on the type. The bpf maps and programs, not like other files and
6786 * socket, are using a shared anonymous inode inside the kernel as their inode.
6787 * So checking that inode cannot identify if the process have privilege to
6788 * access the bpf object and that's why we have to add this additional check in
6789 * selinux_file_receive and selinux_binder_transfer_files.
6791 static int bpf_fd_pass(struct file *file, u32 sid)
6793 struct bpf_security_struct *bpfsec;
6794 struct bpf_prog *prog;
6795 struct bpf_map *map;
6798 if (file->f_op == &bpf_map_fops) {
6799 map = file->private_data;
6800 bpfsec = map->security;
6801 ret = avc_has_perm(&selinux_state,
6802 sid, bpfsec->sid, SECCLASS_BPF,
6803 bpf_map_fmode_to_av(file->f_mode), NULL);
6806 } else if (file->f_op == &bpf_prog_fops) {
6807 prog = file->private_data;
6808 bpfsec = prog->aux->security;
6809 ret = avc_has_perm(&selinux_state,
6810 sid, bpfsec->sid, SECCLASS_BPF,
6811 BPF__PROG_RUN, NULL);
6818 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6820 u32 sid = current_sid();
6821 struct bpf_security_struct *bpfsec;
6823 bpfsec = map->security;
6824 return avc_has_perm(&selinux_state,
6825 sid, bpfsec->sid, SECCLASS_BPF,
6826 bpf_map_fmode_to_av(fmode), NULL);
6829 static int selinux_bpf_prog(struct bpf_prog *prog)
6831 u32 sid = current_sid();
6832 struct bpf_security_struct *bpfsec;
6834 bpfsec = prog->aux->security;
6835 return avc_has_perm(&selinux_state,
6836 sid, bpfsec->sid, SECCLASS_BPF,
6837 BPF__PROG_RUN, NULL);
6840 static int selinux_bpf_map_alloc(struct bpf_map *map)
6842 struct bpf_security_struct *bpfsec;
6844 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6848 bpfsec->sid = current_sid();
6849 map->security = bpfsec;
6854 static void selinux_bpf_map_free(struct bpf_map *map)
6856 struct bpf_security_struct *bpfsec = map->security;
6858 map->security = NULL;
6862 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6864 struct bpf_security_struct *bpfsec;
6866 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6870 bpfsec->sid = current_sid();
6871 aux->security = bpfsec;
6876 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6878 struct bpf_security_struct *bpfsec = aux->security;
6880 aux->security = NULL;
6885 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6886 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6887 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6888 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6889 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6891 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6892 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6893 LSM_HOOK_INIT(capget, selinux_capget),
6894 LSM_HOOK_INIT(capset, selinux_capset),
6895 LSM_HOOK_INIT(capable, selinux_capable),
6896 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6897 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6898 LSM_HOOK_INIT(syslog, selinux_syslog),
6899 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6901 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6903 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6904 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6905 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6907 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6908 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6909 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6910 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6911 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6912 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6913 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6914 LSM_HOOK_INIT(sb_mount, selinux_mount),
6915 LSM_HOOK_INIT(sb_umount, selinux_umount),
6916 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6917 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6918 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6920 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6921 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6923 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6924 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6925 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6926 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6927 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6928 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6929 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6930 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6931 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6932 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6933 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6934 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6935 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6936 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6937 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6938 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6939 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6940 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6941 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6942 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6943 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6944 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6945 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6946 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6947 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6948 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6949 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6951 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6952 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6953 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6954 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6955 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6956 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6957 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6958 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6959 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6960 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6961 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6962 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6964 LSM_HOOK_INIT(file_open, selinux_file_open),
6966 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6967 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6968 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6969 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6970 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6971 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6972 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6973 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6974 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6975 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6976 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6977 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6978 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6979 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6980 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6981 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6982 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6983 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6984 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6985 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6986 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6987 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6988 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6989 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6991 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6992 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6994 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6995 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6997 LSM_HOOK_INIT(msg_queue_alloc_security,
6998 selinux_msg_queue_alloc_security),
6999 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
7000 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7001 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7002 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7003 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7005 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7006 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7007 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7008 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7009 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7011 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7012 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7013 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7014 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7015 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7017 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7019 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7020 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7022 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7023 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7024 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7025 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7026 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7027 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7028 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7029 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7031 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7032 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7034 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7035 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7036 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7037 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7038 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7039 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7040 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7041 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7042 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7043 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7044 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7045 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7046 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7047 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7048 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7049 LSM_HOOK_INIT(socket_getpeersec_stream,
7050 selinux_socket_getpeersec_stream),
7051 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7052 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7053 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7054 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7055 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7056 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7057 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7058 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7059 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7060 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7061 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7062 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7063 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7064 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7065 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7066 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7067 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7068 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7069 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7070 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7071 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7072 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7073 #ifdef CONFIG_SECURITY_INFINIBAND
7074 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7075 LSM_HOOK_INIT(ib_endport_manage_subnet,
7076 selinux_ib_endport_manage_subnet),
7077 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7078 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7080 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7081 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7082 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7083 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7084 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7085 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7086 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7087 selinux_xfrm_state_alloc_acquire),
7088 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7089 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7090 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7091 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7092 selinux_xfrm_state_pol_flow_match),
7093 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7097 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7098 LSM_HOOK_INIT(key_free, selinux_key_free),
7099 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7100 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7104 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7105 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7106 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7107 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7110 #ifdef CONFIG_BPF_SYSCALL
7111 LSM_HOOK_INIT(bpf, selinux_bpf),
7112 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7113 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7114 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7115 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7116 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7117 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7121 static __init int selinux_init(void)
7123 if (!security_module_enable("selinux")) {
7124 selinux_enabled = 0;
7128 if (!selinux_enabled) {
7129 printk(KERN_INFO "SELinux: Disabled at boot.\n");
7133 printk(KERN_INFO "SELinux: Initializing.\n");
7135 memset(&selinux_state, 0, sizeof(selinux_state));
7136 enforcing_set(&selinux_state, selinux_enforcing_boot);
7137 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7138 selinux_ss_init(&selinux_state.ss);
7139 selinux_avc_init(&selinux_state.avc);
7141 /* Set the security state for the initial task. */
7142 cred_init_security();
7144 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7146 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7147 sizeof(struct inode_security_struct),
7148 0, SLAB_PANIC, NULL);
7149 file_security_cache = kmem_cache_create("selinux_file_security",
7150 sizeof(struct file_security_struct),
7151 0, SLAB_PANIC, NULL);
7156 ebitmap_cache_init();
7158 hashtab_cache_init();
7160 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7162 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7163 panic("SELinux: Unable to register AVC netcache callback\n");
7165 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7166 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7168 if (selinux_enforcing_boot)
7169 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
7171 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
7176 static void delayed_superblock_init(struct super_block *sb, void *unused)
7178 superblock_doinit(sb, NULL);
7181 void selinux_complete_init(void)
7183 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
7185 /* Set up any superblocks initialized prior to the policy load. */
7186 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
7187 iterate_supers(delayed_superblock_init, NULL);
7190 /* SELinux requires early initialization in order to label
7191 all processes and objects when they are created. */
7192 security_initcall(selinux_init);
7194 #if defined(CONFIG_NETFILTER)
7196 static const struct nf_hook_ops selinux_nf_ops[] = {
7198 .hook = selinux_ipv4_postroute,
7200 .hooknum = NF_INET_POST_ROUTING,
7201 .priority = NF_IP_PRI_SELINUX_LAST,
7204 .hook = selinux_ipv4_forward,
7206 .hooknum = NF_INET_FORWARD,
7207 .priority = NF_IP_PRI_SELINUX_FIRST,
7210 .hook = selinux_ipv4_output,
7212 .hooknum = NF_INET_LOCAL_OUT,
7213 .priority = NF_IP_PRI_SELINUX_FIRST,
7215 #if IS_ENABLED(CONFIG_IPV6)
7217 .hook = selinux_ipv6_postroute,
7219 .hooknum = NF_INET_POST_ROUTING,
7220 .priority = NF_IP6_PRI_SELINUX_LAST,
7223 .hook = selinux_ipv6_forward,
7225 .hooknum = NF_INET_FORWARD,
7226 .priority = NF_IP6_PRI_SELINUX_FIRST,
7229 .hook = selinux_ipv6_output,
7231 .hooknum = NF_INET_LOCAL_OUT,
7232 .priority = NF_IP6_PRI_SELINUX_FIRST,
7237 static int __net_init selinux_nf_register(struct net *net)
7239 return nf_register_net_hooks(net, selinux_nf_ops,
7240 ARRAY_SIZE(selinux_nf_ops));
7243 static void __net_exit selinux_nf_unregister(struct net *net)
7245 nf_unregister_net_hooks(net, selinux_nf_ops,
7246 ARRAY_SIZE(selinux_nf_ops));
7249 static struct pernet_operations selinux_net_ops = {
7250 .init = selinux_nf_register,
7251 .exit = selinux_nf_unregister,
7254 static int __init selinux_nf_ip_init(void)
7258 if (!selinux_enabled)
7261 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
7263 err = register_pernet_subsys(&selinux_net_ops);
7265 panic("SELinux: register_pernet_subsys: error %d\n", err);
7269 __initcall(selinux_nf_ip_init);
7271 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7272 static void selinux_nf_ip_exit(void)
7274 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
7276 unregister_pernet_subsys(&selinux_net_ops);
7280 #else /* CONFIG_NETFILTER */
7282 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7283 #define selinux_nf_ip_exit()
7286 #endif /* CONFIG_NETFILTER */
7288 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7289 int selinux_disable(struct selinux_state *state)
7291 if (state->initialized) {
7292 /* Not permitted after initial policy load. */
7296 if (state->disabled) {
7297 /* Only do this once. */
7301 state->disabled = 1;
7303 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
7305 selinux_enabled = 0;
7307 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7309 /* Try to destroy the avc node cache */
7312 /* Unregister netfilter hooks. */
7313 selinux_nf_ip_exit();
7315 /* Unregister selinuxfs. */
git.samba.org / sfrench / cifs-2.6.git / blob