2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
106 static int __init enforcing_setup(char *str)
108 unsigned long enforcing;
109 if (!kstrtoul(str, 0, &enforcing))
110 selinux_enforcing = enforcing ? 1 : 0;
113 __setup("enforcing=", enforcing_setup);
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119 static int __init selinux_enabled_setup(char *str)
121 unsigned long enabled;
122 if (!kstrtoul(str, 0, &enabled))
123 selinux_enabled = enabled ? 1 : 0;
126 __setup("selinux=", selinux_enabled_setup);
128 int selinux_enabled = 1;
131 static struct kmem_cache *sel_inode_cache;
132 static struct kmem_cache *file_security_cache;
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
141 * enabled, false (0) if SECMARK is disabled. If the always_check_network
142 * policy capability is enabled, SECMARK is always considered enabled.
145 static int selinux_secmark_enabled(void)
147 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
151 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
154 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
155 * (1) if any are enabled or false (0) if neither are enabled. If the
156 * always_check_network policy capability is enabled, peer labeling
157 * is always considered enabled.
160 static int selinux_peerlbl_enabled(void)
162 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
165 static int selinux_netcache_avc_callback(u32 event)
167 if (event == AVC_CALLBACK_RESET) {
176 static int selinux_lsm_notifier_avc_callback(u32 event)
178 if (event == AVC_CALLBACK_RESET) {
180 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
187 * initialise the security for the init task
189 static void cred_init_security(void)
191 struct cred *cred = (struct cred *) current->real_cred;
192 struct task_security_struct *tsec;
194 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
196 panic("SELinux: Failed to initialize initial task.\n");
198 tsec->osid = tsec->sid = SECINITSID_KERNEL;
199 cred->security = tsec;
203 * get the security ID of a set of credentials
205 static inline u32 cred_sid(const struct cred *cred)
207 const struct task_security_struct *tsec;
209 tsec = cred->security;
214 * get the objective security ID of a task
216 static inline u32 task_sid(const struct task_struct *task)
221 sid = cred_sid(__task_cred(task));
226 /* Allocate and free functions for each kind of security blob. */
228 static int inode_alloc_security(struct inode *inode)
230 struct inode_security_struct *isec;
231 u32 sid = current_sid();
233 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
237 spin_lock_init(&isec->lock);
238 INIT_LIST_HEAD(&isec->list);
240 isec->sid = SECINITSID_UNLABELED;
241 isec->sclass = SECCLASS_FILE;
242 isec->task_sid = sid;
243 isec->initialized = LABEL_INVALID;
244 inode->i_security = isec;
249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
252 * Try reloading inode security labels that have been marked as invalid. The
253 * @may_sleep parameter indicates when sleeping and thus reloading labels is
254 * allowed; when set to false, returns -ECHILD when the label is
255 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
256 * when no dentry is available, set it to NULL instead.
258 static int __inode_security_revalidate(struct inode *inode,
259 struct dentry *opt_dentry,
262 struct inode_security_struct *isec = inode->i_security;
264 might_sleep_if(may_sleep);
266 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
271 * Try reloading the inode security label. This will fail if
272 * @opt_dentry is NULL and no dentry for this inode can be
273 * found; in that case, continue using the old label.
275 inode_doinit_with_dentry(inode, opt_dentry);
280 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
282 return inode->i_security;
285 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
289 error = __inode_security_revalidate(inode, NULL, !rcu);
291 return ERR_PTR(error);
292 return inode->i_security;
296 * Get the security label of an inode.
298 static struct inode_security_struct *inode_security(struct inode *inode)
300 __inode_security_revalidate(inode, NULL, true);
301 return inode->i_security;
304 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
306 struct inode *inode = d_backing_inode(dentry);
308 return inode->i_security;
312 * Get the security label of a dentry's backing inode.
314 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
316 struct inode *inode = d_backing_inode(dentry);
318 __inode_security_revalidate(inode, dentry, true);
319 return inode->i_security;
322 static void inode_free_rcu(struct rcu_head *head)
324 struct inode_security_struct *isec;
326 isec = container_of(head, struct inode_security_struct, rcu);
327 kmem_cache_free(sel_inode_cache, isec);
330 static void inode_free_security(struct inode *inode)
332 struct inode_security_struct *isec = inode->i_security;
333 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
336 * As not all inode security structures are in a list, we check for
337 * empty list outside of the lock to make sure that we won't waste
338 * time taking a lock doing nothing.
340 * The list_del_init() function can be safely called more than once.
341 * It should not be possible for this function to be called with
342 * concurrent list_add(), but for better safety against future changes
343 * in the code, we use list_empty_careful() here.
345 if (!list_empty_careful(&isec->list)) {
346 spin_lock(&sbsec->isec_lock);
347 list_del_init(&isec->list);
348 spin_unlock(&sbsec->isec_lock);
352 * The inode may still be referenced in a path walk and
353 * a call to selinux_inode_permission() can be made
354 * after inode_free_security() is called. Ideally, the VFS
355 * wouldn't do this, but fixing that is a much harder
356 * job. For now, simply free the i_security via RCU, and
357 * leave the current inode->i_security pointer intact.
358 * The inode will be freed after the RCU grace period too.
360 call_rcu(&isec->rcu, inode_free_rcu);
363 static int file_alloc_security(struct file *file)
365 struct file_security_struct *fsec;
366 u32 sid = current_sid();
368 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
373 fsec->fown_sid = sid;
374 file->f_security = fsec;
379 static void file_free_security(struct file *file)
381 struct file_security_struct *fsec = file->f_security;
382 file->f_security = NULL;
383 kmem_cache_free(file_security_cache, fsec);
386 static int superblock_alloc_security(struct super_block *sb)
388 struct superblock_security_struct *sbsec;
390 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
394 mutex_init(&sbsec->lock);
395 INIT_LIST_HEAD(&sbsec->isec_head);
396 spin_lock_init(&sbsec->isec_lock);
398 sbsec->sid = SECINITSID_UNLABELED;
399 sbsec->def_sid = SECINITSID_FILE;
400 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
401 sb->s_security = sbsec;
406 static void superblock_free_security(struct super_block *sb)
408 struct superblock_security_struct *sbsec = sb->s_security;
409 sb->s_security = NULL;
413 static inline int inode_doinit(struct inode *inode)
415 return inode_doinit_with_dentry(inode, NULL);
424 Opt_labelsupport = 5,
428 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
430 static const match_table_t tokens = {
431 {Opt_context, CONTEXT_STR "%s"},
432 {Opt_fscontext, FSCONTEXT_STR "%s"},
433 {Opt_defcontext, DEFCONTEXT_STR "%s"},
434 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
435 {Opt_labelsupport, LABELSUPP_STR},
439 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
441 static int may_context_mount_sb_relabel(u32 sid,
442 struct superblock_security_struct *sbsec,
443 const struct cred *cred)
445 const struct task_security_struct *tsec = cred->security;
448 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449 FILESYSTEM__RELABELFROM, NULL);
453 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454 FILESYSTEM__RELABELTO, NULL);
458 static int may_context_mount_inode_relabel(u32 sid,
459 struct superblock_security_struct *sbsec,
460 const struct cred *cred)
462 const struct task_security_struct *tsec = cred->security;
464 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__RELABELFROM, NULL);
469 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470 FILESYSTEM__ASSOCIATE, NULL);
474 static int selinux_is_sblabel_mnt(struct super_block *sb)
476 struct superblock_security_struct *sbsec = sb->s_security;
478 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
479 sbsec->behavior == SECURITY_FS_USE_TRANS ||
480 sbsec->behavior == SECURITY_FS_USE_TASK ||
481 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
482 /* Special handling. Genfs but also in-core setxattr handler */
483 !strcmp(sb->s_type->name, "sysfs") ||
484 !strcmp(sb->s_type->name, "pstore") ||
485 !strcmp(sb->s_type->name, "debugfs") ||
486 !strcmp(sb->s_type->name, "tracefs") ||
487 !strcmp(sb->s_type->name, "rootfs") ||
488 (selinux_policycap_cgroupseclabel &&
489 (!strcmp(sb->s_type->name, "cgroup") ||
490 !strcmp(sb->s_type->name, "cgroup2")));
493 static int sb_finish_set_opts(struct super_block *sb)
495 struct superblock_security_struct *sbsec = sb->s_security;
496 struct dentry *root = sb->s_root;
497 struct inode *root_inode = d_backing_inode(root);
500 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
501 /* Make sure that the xattr handler exists and that no
502 error other than -ENODATA is returned by getxattr on
503 the root directory. -ENODATA is ok, as this may be
504 the first boot of the SELinux kernel before we have
505 assigned xattr values to the filesystem. */
506 if (!(root_inode->i_opflags & IOP_XATTR)) {
507 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
508 "xattr support\n", sb->s_id, sb->s_type->name);
513 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
514 if (rc < 0 && rc != -ENODATA) {
515 if (rc == -EOPNOTSUPP)
516 printk(KERN_WARNING "SELinux: (dev %s, type "
517 "%s) has no security xattr handler\n",
518 sb->s_id, sb->s_type->name);
520 printk(KERN_WARNING "SELinux: (dev %s, type "
521 "%s) getxattr errno %d\n", sb->s_id,
522 sb->s_type->name, -rc);
527 sbsec->flags |= SE_SBINITIALIZED;
530 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
531 * leave the flag untouched because sb_clone_mnt_opts might be handing
532 * us a superblock that needs the flag to be cleared.
534 if (selinux_is_sblabel_mnt(sb))
535 sbsec->flags |= SBLABEL_MNT;
537 sbsec->flags &= ~SBLABEL_MNT;
539 /* Initialize the root inode. */
540 rc = inode_doinit_with_dentry(root_inode, root);
542 /* Initialize any other inodes associated with the superblock, e.g.
543 inodes created prior to initial policy load or inodes created
544 during get_sb by a pseudo filesystem that directly
546 spin_lock(&sbsec->isec_lock);
548 if (!list_empty(&sbsec->isec_head)) {
549 struct inode_security_struct *isec =
550 list_entry(sbsec->isec_head.next,
551 struct inode_security_struct, list);
552 struct inode *inode = isec->inode;
553 list_del_init(&isec->list);
554 spin_unlock(&sbsec->isec_lock);
555 inode = igrab(inode);
557 if (!IS_PRIVATE(inode))
561 spin_lock(&sbsec->isec_lock);
564 spin_unlock(&sbsec->isec_lock);
570 * This function should allow an FS to ask what it's mount security
571 * options were so it can use those later for submounts, displaying
572 * mount options, or whatever.
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575 struct security_mnt_opts *opts)
578 struct superblock_security_struct *sbsec = sb->s_security;
579 char *context = NULL;
583 security_init_mnt_opts(opts);
585 if (!(sbsec->flags & SE_SBINITIALIZED))
591 /* make sure we always check enough bits to cover the mask */
592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
594 tmp = sbsec->flags & SE_MNTMASK;
595 /* count the number of mount options for this sb */
596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
598 opts->num_mnt_opts++;
601 /* Check if the Label support flag is set */
602 if (sbsec->flags & SBLABEL_MNT)
603 opts->num_mnt_opts++;
605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 if (!opts->mnt_opts) {
611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 if (!opts->mnt_opts_flags) {
618 if (sbsec->flags & FSCONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->sid, &context, &len);
622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
625 if (sbsec->flags & CONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
632 if (sbsec->flags & DEFCONTEXT_MNT) {
633 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
636 opts->mnt_opts[i] = context;
637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
639 if (sbsec->flags & ROOTCONTEXT_MNT) {
640 struct dentry *root = sbsec->sb->s_root;
641 struct inode_security_struct *isec = backing_inode_security(root);
643 rc = security_sid_to_context(isec->sid, &context, &len);
646 opts->mnt_opts[i] = context;
647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
649 if (sbsec->flags & SBLABEL_MNT) {
650 opts->mnt_opts[i] = NULL;
651 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
654 BUG_ON(i != opts->num_mnt_opts);
659 security_free_mnt_opts(opts);
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 u32 old_sid, u32 new_sid)
666 char mnt_flags = sbsec->flags & SE_MNTMASK;
668 /* check if the old mount command had the same options */
669 if (sbsec->flags & SE_SBINITIALIZED)
670 if (!(sbsec->flags & flag) ||
671 (old_sid != new_sid))
674 /* check if we were passed the same options twice,
675 * aka someone passed context=a,context=b
677 if (!(sbsec->flags & SE_SBINITIALIZED))
678 if (mnt_flags & flag)
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
687 static int selinux_set_mnt_opts(struct super_block *sb,
688 struct security_mnt_opts *opts,
689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
692 const struct cred *cred = current_cred();
694 struct superblock_security_struct *sbsec = sb->s_security;
695 const char *name = sb->s_type->name;
696 struct dentry *root = sbsec->sb->s_root;
697 struct inode_security_struct *root_isec;
698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 u32 defcontext_sid = 0;
700 char **mount_options = opts->mnt_opts;
701 int *flags = opts->mnt_opts_flags;
702 int num_opts = opts->num_mnt_opts;
704 mutex_lock(&sbsec->lock);
706 if (!ss_initialized) {
708 /* Defer initialization until selinux_complete_init,
709 after the initial policy is loaded and the security
710 server is ready to handle calls. */
714 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 "before the security server is initialized\n");
718 if (kern_flags && !set_kern_flags) {
719 /* Specifying internal flags without providing a place to
720 * place the results is not allowed */
726 * Binary mount data FS will come through this function twice. Once
727 * from an explicit call and once from the generic calls from the vfs.
728 * Since the generic VFS calls will not contain any security mount data
729 * we need to skip the double mount verification.
731 * This does open a hole in which we will not notice if the first
732 * mount using this sb set explict options and a second mount using
733 * this sb does not set any security options. (The first options
734 * will be used for both mounts)
736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
740 root_isec = backing_inode_security_novalidate(root);
743 * parse the mount options, check if they are valid sids.
744 * also check if someone is trying to mount the same sb more
745 * than once with different security options.
747 for (i = 0; i < num_opts; i++) {
750 if (flags[i] == SBLABEL_MNT)
752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
754 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755 "(%s) failed for (dev %s, type %s) errno=%d\n",
756 mount_options[i], sb->s_id, name, rc);
763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
765 goto out_double_mount;
767 sbsec->flags |= FSCONTEXT_MNT;
772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
774 goto out_double_mount;
776 sbsec->flags |= CONTEXT_MNT;
778 case ROOTCONTEXT_MNT:
779 rootcontext_sid = sid;
781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
783 goto out_double_mount;
785 sbsec->flags |= ROOTCONTEXT_MNT;
789 defcontext_sid = sid;
791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
793 goto out_double_mount;
795 sbsec->flags |= DEFCONTEXT_MNT;
804 if (sbsec->flags & SE_SBINITIALIZED) {
805 /* previously mounted with options, but not on this attempt? */
806 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807 goto out_double_mount;
812 if (strcmp(sb->s_type->name, "proc") == 0)
813 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
815 if (!strcmp(sb->s_type->name, "debugfs") ||
816 !strcmp(sb->s_type->name, "tracefs") ||
817 !strcmp(sb->s_type->name, "sysfs") ||
818 !strcmp(sb->s_type->name, "pstore") ||
819 !strcmp(sb->s_type->name, "cgroup") ||
820 !strcmp(sb->s_type->name, "cgroup2"))
821 sbsec->flags |= SE_SBGENFS;
823 if (!sbsec->behavior) {
825 * Determine the labeling behavior to use for this
828 rc = security_fs_use(sb);
831 "%s: security_fs_use(%s) returned %d\n",
832 __func__, sb->s_type->name, rc);
838 * If this is a user namespace mount and the filesystem type is not
839 * explicitly whitelisted, then no contexts are allowed on the command
840 * line and security labels must be ignored.
842 if (sb->s_user_ns != &init_user_ns &&
843 strcmp(sb->s_type->name, "tmpfs") &&
844 strcmp(sb->s_type->name, "ramfs") &&
845 strcmp(sb->s_type->name, "devpts")) {
846 if (context_sid || fscontext_sid || rootcontext_sid ||
851 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
852 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
853 rc = security_transition_sid(current_sid(), current_sid(),
855 &sbsec->mntpoint_sid);
862 /* sets the context of the superblock for the fs being mounted. */
864 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
868 sbsec->sid = fscontext_sid;
872 * Switch to using mount point labeling behavior.
873 * sets the label used on all file below the mountpoint, and will set
874 * the superblock context if not already set.
876 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
877 sbsec->behavior = SECURITY_FS_USE_NATIVE;
878 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
882 if (!fscontext_sid) {
883 rc = may_context_mount_sb_relabel(context_sid, sbsec,
887 sbsec->sid = context_sid;
889 rc = may_context_mount_inode_relabel(context_sid, sbsec,
894 if (!rootcontext_sid)
895 rootcontext_sid = context_sid;
897 sbsec->mntpoint_sid = context_sid;
898 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
901 if (rootcontext_sid) {
902 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
907 root_isec->sid = rootcontext_sid;
908 root_isec->initialized = LABEL_INITIALIZED;
911 if (defcontext_sid) {
912 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
913 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
915 printk(KERN_WARNING "SELinux: defcontext option is "
916 "invalid for this filesystem type\n");
920 if (defcontext_sid != sbsec->def_sid) {
921 rc = may_context_mount_inode_relabel(defcontext_sid,
927 sbsec->def_sid = defcontext_sid;
931 rc = sb_finish_set_opts(sb);
933 mutex_unlock(&sbsec->lock);
937 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
938 "security settings for (dev %s, type %s)\n", sb->s_id, name);
942 static int selinux_cmp_sb_context(const struct super_block *oldsb,
943 const struct super_block *newsb)
945 struct superblock_security_struct *old = oldsb->s_security;
946 struct superblock_security_struct *new = newsb->s_security;
947 char oldflags = old->flags & SE_MNTMASK;
948 char newflags = new->flags & SE_MNTMASK;
950 if (oldflags != newflags)
952 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
954 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
956 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
958 if (oldflags & ROOTCONTEXT_MNT) {
959 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
960 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
961 if (oldroot->sid != newroot->sid)
966 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
967 "different security settings for (dev %s, "
968 "type %s)\n", newsb->s_id, newsb->s_type->name);
972 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
973 struct super_block *newsb,
974 unsigned long kern_flags,
975 unsigned long *set_kern_flags)
978 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
979 struct superblock_security_struct *newsbsec = newsb->s_security;
981 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
982 int set_context = (oldsbsec->flags & CONTEXT_MNT);
983 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
986 * if the parent was able to be mounted it clearly had no special lsm
987 * mount options. thus we can safely deal with this superblock later
993 * Specifying internal flags without providing a place to
994 * place the results is not allowed.
996 if (kern_flags && !set_kern_flags)
999 /* how can we clone if the old one wasn't set up?? */
1000 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1002 /* if fs is reusing a sb, make sure that the contexts match */
1003 if (newsbsec->flags & SE_SBINITIALIZED)
1004 return selinux_cmp_sb_context(oldsb, newsb);
1006 mutex_lock(&newsbsec->lock);
1008 newsbsec->flags = oldsbsec->flags;
1010 newsbsec->sid = oldsbsec->sid;
1011 newsbsec->def_sid = oldsbsec->def_sid;
1012 newsbsec->behavior = oldsbsec->behavior;
1014 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1015 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1016 rc = security_fs_use(newsb);
1021 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1022 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1023 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1027 u32 sid = oldsbsec->mntpoint_sid;
1030 newsbsec->sid = sid;
1031 if (!set_rootcontext) {
1032 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1035 newsbsec->mntpoint_sid = sid;
1037 if (set_rootcontext) {
1038 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1039 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1041 newisec->sid = oldisec->sid;
1044 sb_finish_set_opts(newsb);
1046 mutex_unlock(&newsbsec->lock);
1050 static int selinux_parse_opts_str(char *options,
1051 struct security_mnt_opts *opts)
1054 char *context = NULL, *defcontext = NULL;
1055 char *fscontext = NULL, *rootcontext = NULL;
1056 int rc, num_mnt_opts = 0;
1058 opts->num_mnt_opts = 0;
1060 /* Standard string-based options. */
1061 while ((p = strsep(&options, "|")) != NULL) {
1063 substring_t args[MAX_OPT_ARGS];
1068 token = match_token(p, tokens, args);
1072 if (context || defcontext) {
1074 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1077 context = match_strdup(&args[0]);
1087 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1090 fscontext = match_strdup(&args[0]);
1097 case Opt_rootcontext:
1100 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1103 rootcontext = match_strdup(&args[0]);
1110 case Opt_defcontext:
1111 if (context || defcontext) {
1113 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1116 defcontext = match_strdup(&args[0]);
1122 case Opt_labelsupport:
1126 printk(KERN_WARNING "SELinux: unknown mount option\n");
1133 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1134 if (!opts->mnt_opts)
1137 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1139 if (!opts->mnt_opts_flags)
1143 opts->mnt_opts[num_mnt_opts] = fscontext;
1144 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1147 opts->mnt_opts[num_mnt_opts] = context;
1148 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1151 opts->mnt_opts[num_mnt_opts] = rootcontext;
1152 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1155 opts->mnt_opts[num_mnt_opts] = defcontext;
1156 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1159 opts->num_mnt_opts = num_mnt_opts;
1163 security_free_mnt_opts(opts);
1171 * string mount options parsing and call set the sbsec
1173 static int superblock_doinit(struct super_block *sb, void *data)
1176 char *options = data;
1177 struct security_mnt_opts opts;
1179 security_init_mnt_opts(&opts);
1184 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1186 rc = selinux_parse_opts_str(options, &opts);
1191 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1194 security_free_mnt_opts(&opts);
1198 static void selinux_write_opts(struct seq_file *m,
1199 struct security_mnt_opts *opts)
1204 for (i = 0; i < opts->num_mnt_opts; i++) {
1207 if (opts->mnt_opts[i])
1208 has_comma = strchr(opts->mnt_opts[i], ',');
1212 switch (opts->mnt_opts_flags[i]) {
1214 prefix = CONTEXT_STR;
1217 prefix = FSCONTEXT_STR;
1219 case ROOTCONTEXT_MNT:
1220 prefix = ROOTCONTEXT_STR;
1222 case DEFCONTEXT_MNT:
1223 prefix = DEFCONTEXT_STR;
1227 seq_puts(m, LABELSUPP_STR);
1233 /* we need a comma before each option */
1235 seq_puts(m, prefix);
1238 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1244 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1246 struct security_mnt_opts opts;
1249 rc = selinux_get_mnt_opts(sb, &opts);
1251 /* before policy load we may get EINVAL, don't show anything */
1257 selinux_write_opts(m, &opts);
1259 security_free_mnt_opts(&opts);
1264 static inline u16 inode_mode_to_security_class(umode_t mode)
1266 switch (mode & S_IFMT) {
1268 return SECCLASS_SOCK_FILE;
1270 return SECCLASS_LNK_FILE;
1272 return SECCLASS_FILE;
1274 return SECCLASS_BLK_FILE;
1276 return SECCLASS_DIR;
1278 return SECCLASS_CHR_FILE;
1280 return SECCLASS_FIFO_FILE;
1284 return SECCLASS_FILE;
1287 static inline int default_protocol_stream(int protocol)
1289 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1292 static inline int default_protocol_dgram(int protocol)
1294 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1297 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1299 int extsockclass = selinux_policycap_extsockclass;
1305 case SOCK_SEQPACKET:
1306 return SECCLASS_UNIX_STREAM_SOCKET;
1309 return SECCLASS_UNIX_DGRAM_SOCKET;
1316 case SOCK_SEQPACKET:
1317 if (default_protocol_stream(protocol))
1318 return SECCLASS_TCP_SOCKET;
1319 else if (extsockclass && protocol == IPPROTO_SCTP)
1320 return SECCLASS_SCTP_SOCKET;
1322 return SECCLASS_RAWIP_SOCKET;
1324 if (default_protocol_dgram(protocol))
1325 return SECCLASS_UDP_SOCKET;
1326 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1327 protocol == IPPROTO_ICMPV6))
1328 return SECCLASS_ICMP_SOCKET;
1330 return SECCLASS_RAWIP_SOCKET;
1332 return SECCLASS_DCCP_SOCKET;
1334 return SECCLASS_RAWIP_SOCKET;
1340 return SECCLASS_NETLINK_ROUTE_SOCKET;
1341 case NETLINK_SOCK_DIAG:
1342 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1344 return SECCLASS_NETLINK_NFLOG_SOCKET;
1346 return SECCLASS_NETLINK_XFRM_SOCKET;
1347 case NETLINK_SELINUX:
1348 return SECCLASS_NETLINK_SELINUX_SOCKET;
1350 return SECCLASS_NETLINK_ISCSI_SOCKET;
1352 return SECCLASS_NETLINK_AUDIT_SOCKET;
1353 case NETLINK_FIB_LOOKUP:
1354 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1355 case NETLINK_CONNECTOR:
1356 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1357 case NETLINK_NETFILTER:
1358 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1359 case NETLINK_DNRTMSG:
1360 return SECCLASS_NETLINK_DNRT_SOCKET;
1361 case NETLINK_KOBJECT_UEVENT:
1362 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1363 case NETLINK_GENERIC:
1364 return SECCLASS_NETLINK_GENERIC_SOCKET;
1365 case NETLINK_SCSITRANSPORT:
1366 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1368 return SECCLASS_NETLINK_RDMA_SOCKET;
1369 case NETLINK_CRYPTO:
1370 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1372 return SECCLASS_NETLINK_SOCKET;
1375 return SECCLASS_PACKET_SOCKET;
1377 return SECCLASS_KEY_SOCKET;
1379 return SECCLASS_APPLETALK_SOCKET;
1385 return SECCLASS_AX25_SOCKET;
1387 return SECCLASS_IPX_SOCKET;
1389 return SECCLASS_NETROM_SOCKET;
1391 return SECCLASS_ATMPVC_SOCKET;
1393 return SECCLASS_X25_SOCKET;
1395 return SECCLASS_ROSE_SOCKET;
1397 return SECCLASS_DECNET_SOCKET;
1399 return SECCLASS_ATMSVC_SOCKET;
1401 return SECCLASS_RDS_SOCKET;
1403 return SECCLASS_IRDA_SOCKET;
1405 return SECCLASS_PPPOX_SOCKET;
1407 return SECCLASS_LLC_SOCKET;
1409 return SECCLASS_CAN_SOCKET;
1411 return SECCLASS_TIPC_SOCKET;
1413 return SECCLASS_BLUETOOTH_SOCKET;
1415 return SECCLASS_IUCV_SOCKET;
1417 return SECCLASS_RXRPC_SOCKET;
1419 return SECCLASS_ISDN_SOCKET;
1421 return SECCLASS_PHONET_SOCKET;
1423 return SECCLASS_IEEE802154_SOCKET;
1425 return SECCLASS_CAIF_SOCKET;
1427 return SECCLASS_ALG_SOCKET;
1429 return SECCLASS_NFC_SOCKET;
1431 return SECCLASS_VSOCK_SOCKET;
1433 return SECCLASS_KCM_SOCKET;
1435 return SECCLASS_QIPCRTR_SOCKET;
1437 return SECCLASS_SMC_SOCKET;
1439 #error New address family defined, please update this function.
1444 return SECCLASS_SOCKET;
1447 static int selinux_genfs_get_sid(struct dentry *dentry,
1453 struct super_block *sb = dentry->d_sb;
1454 char *buffer, *path;
1456 buffer = (char *)__get_free_page(GFP_KERNEL);
1460 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1464 if (flags & SE_SBPROC) {
1465 /* each process gets a /proc/PID/ entry. Strip off the
1466 * PID part to get a valid selinux labeling.
1467 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1468 while (path[1] >= '0' && path[1] <= '9') {
1473 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1475 free_page((unsigned long)buffer);
1479 /* The inode's security attributes must be initialized before first use. */
1480 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1482 struct superblock_security_struct *sbsec = NULL;
1483 struct inode_security_struct *isec = inode->i_security;
1484 u32 task_sid, sid = 0;
1486 struct dentry *dentry;
1487 #define INITCONTEXTLEN 255
1488 char *context = NULL;
1492 if (isec->initialized == LABEL_INITIALIZED)
1495 spin_lock(&isec->lock);
1496 if (isec->initialized == LABEL_INITIALIZED)
1499 if (isec->sclass == SECCLASS_FILE)
1500 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1502 sbsec = inode->i_sb->s_security;
1503 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1504 /* Defer initialization until selinux_complete_init,
1505 after the initial policy is loaded and the security
1506 server is ready to handle calls. */
1507 spin_lock(&sbsec->isec_lock);
1508 if (list_empty(&isec->list))
1509 list_add(&isec->list, &sbsec->isec_head);
1510 spin_unlock(&sbsec->isec_lock);
1514 sclass = isec->sclass;
1515 task_sid = isec->task_sid;
1517 isec->initialized = LABEL_PENDING;
1518 spin_unlock(&isec->lock);
1520 switch (sbsec->behavior) {
1521 case SECURITY_FS_USE_NATIVE:
1523 case SECURITY_FS_USE_XATTR:
1524 if (!(inode->i_opflags & IOP_XATTR)) {
1525 sid = sbsec->def_sid;
1528 /* Need a dentry, since the xattr API requires one.
1529 Life would be simpler if we could just pass the inode. */
1531 /* Called from d_instantiate or d_splice_alias. */
1532 dentry = dget(opt_dentry);
1534 /* Called from selinux_complete_init, try to find a dentry. */
1535 dentry = d_find_alias(inode);
1539 * this is can be hit on boot when a file is accessed
1540 * before the policy is loaded. When we load policy we
1541 * may find inodes that have no dentry on the
1542 * sbsec->isec_head list. No reason to complain as these
1543 * will get fixed up the next time we go through
1544 * inode_doinit with a dentry, before these inodes could
1545 * be used again by userspace.
1550 len = INITCONTEXTLEN;
1551 context = kmalloc(len+1, GFP_NOFS);
1557 context[len] = '\0';
1558 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1559 if (rc == -ERANGE) {
1562 /* Need a larger buffer. Query for the right size. */
1563 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1569 context = kmalloc(len+1, GFP_NOFS);
1575 context[len] = '\0';
1576 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1580 if (rc != -ENODATA) {
1581 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1582 "%d for dev=%s ino=%ld\n", __func__,
1583 -rc, inode->i_sb->s_id, inode->i_ino);
1587 /* Map ENODATA to the default file SID */
1588 sid = sbsec->def_sid;
1591 rc = security_context_to_sid_default(context, rc, &sid,
1595 char *dev = inode->i_sb->s_id;
1596 unsigned long ino = inode->i_ino;
1598 if (rc == -EINVAL) {
1599 if (printk_ratelimit())
1600 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1601 "context=%s. This indicates you may need to relabel the inode or the "
1602 "filesystem in question.\n", ino, dev, context);
1604 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1605 "returned %d for dev=%s ino=%ld\n",
1606 __func__, context, -rc, dev, ino);
1609 /* Leave with the unlabeled SID */
1616 case SECURITY_FS_USE_TASK:
1619 case SECURITY_FS_USE_TRANS:
1620 /* Default to the fs SID. */
1623 /* Try to obtain a transition SID. */
1624 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1628 case SECURITY_FS_USE_MNTPOINT:
1629 sid = sbsec->mntpoint_sid;
1632 /* Default to the fs superblock SID. */
1635 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1636 /* We must have a dentry to determine the label on
1639 /* Called from d_instantiate or
1640 * d_splice_alias. */
1641 dentry = dget(opt_dentry);
1643 /* Called from selinux_complete_init, try to
1645 dentry = d_find_alias(inode);
1647 * This can be hit on boot when a file is accessed
1648 * before the policy is loaded. When we load policy we
1649 * may find inodes that have no dentry on the
1650 * sbsec->isec_head list. No reason to complain as
1651 * these will get fixed up the next time we go through
1652 * inode_doinit() with a dentry, before these inodes
1653 * could be used again by userspace.
1657 rc = selinux_genfs_get_sid(dentry, sclass,
1658 sbsec->flags, &sid);
1667 spin_lock(&isec->lock);
1668 if (isec->initialized == LABEL_PENDING) {
1670 isec->initialized = LABEL_INVALID;
1674 isec->initialized = LABEL_INITIALIZED;
1679 spin_unlock(&isec->lock);
1683 /* Convert a Linux signal to an access vector. */
1684 static inline u32 signal_to_av(int sig)
1690 /* Commonly granted from child to parent. */
1691 perm = PROCESS__SIGCHLD;
1694 /* Cannot be caught or ignored */
1695 perm = PROCESS__SIGKILL;
1698 /* Cannot be caught or ignored */
1699 perm = PROCESS__SIGSTOP;
1702 /* All other signals. */
1703 perm = PROCESS__SIGNAL;
1710 #if CAP_LAST_CAP > 63
1711 #error Fix SELinux to handle capabilities > 63.
1714 /* Check whether a task is allowed to use a capability. */
1715 static int cred_has_capability(const struct cred *cred,
1716 int cap, int audit, bool initns)
1718 struct common_audit_data ad;
1719 struct av_decision avd;
1721 u32 sid = cred_sid(cred);
1722 u32 av = CAP_TO_MASK(cap);
1725 ad.type = LSM_AUDIT_DATA_CAP;
1728 switch (CAP_TO_INDEX(cap)) {
1730 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1733 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1737 "SELinux: out of range capability %d\n", cap);
1742 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1743 if (audit == SECURITY_CAP_AUDIT) {
1744 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1751 /* Check whether a task has a particular permission to an inode.
1752 The 'adp' parameter is optional and allows other audit
1753 data to be passed (e.g. the dentry). */
1754 static int inode_has_perm(const struct cred *cred,
1755 struct inode *inode,
1757 struct common_audit_data *adp)
1759 struct inode_security_struct *isec;
1762 validate_creds(cred);
1764 if (unlikely(IS_PRIVATE(inode)))
1767 sid = cred_sid(cred);
1768 isec = inode->i_security;
1770 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1773 /* Same as inode_has_perm, but pass explicit audit data containing
1774 the dentry to help the auditing code to more easily generate the
1775 pathname if needed. */
1776 static inline int dentry_has_perm(const struct cred *cred,
1777 struct dentry *dentry,
1780 struct inode *inode = d_backing_inode(dentry);
1781 struct common_audit_data ad;
1783 ad.type = LSM_AUDIT_DATA_DENTRY;
1784 ad.u.dentry = dentry;
1785 __inode_security_revalidate(inode, dentry, true);
1786 return inode_has_perm(cred, inode, av, &ad);
1789 /* Same as inode_has_perm, but pass explicit audit data containing
1790 the path to help the auditing code to more easily generate the
1791 pathname if needed. */
1792 static inline int path_has_perm(const struct cred *cred,
1793 const struct path *path,
1796 struct inode *inode = d_backing_inode(path->dentry);
1797 struct common_audit_data ad;
1799 ad.type = LSM_AUDIT_DATA_PATH;
1801 __inode_security_revalidate(inode, path->dentry, true);
1802 return inode_has_perm(cred, inode, av, &ad);
1805 /* Same as path_has_perm, but uses the inode from the file struct. */
1806 static inline int file_path_has_perm(const struct cred *cred,
1810 struct common_audit_data ad;
1812 ad.type = LSM_AUDIT_DATA_FILE;
1814 return inode_has_perm(cred, file_inode(file), av, &ad);
1817 /* Check whether a task can use an open file descriptor to
1818 access an inode in a given way. Check access to the
1819 descriptor itself, and then use dentry_has_perm to
1820 check a particular permission to the file.
1821 Access to the descriptor is implicitly granted if it
1822 has the same SID as the process. If av is zero, then
1823 access to the file is not checked, e.g. for cases
1824 where only the descriptor is affected like seek. */
1825 static int file_has_perm(const struct cred *cred,
1829 struct file_security_struct *fsec = file->f_security;
1830 struct inode *inode = file_inode(file);
1831 struct common_audit_data ad;
1832 u32 sid = cred_sid(cred);
1835 ad.type = LSM_AUDIT_DATA_FILE;
1838 if (sid != fsec->sid) {
1839 rc = avc_has_perm(sid, fsec->sid,
1847 /* av is zero if only checking access to the descriptor. */
1850 rc = inode_has_perm(cred, inode, av, &ad);
1857 * Determine the label for an inode that might be unioned.
1860 selinux_determine_inode_label(const struct task_security_struct *tsec,
1862 const struct qstr *name, u16 tclass,
1865 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1867 if ((sbsec->flags & SE_SBINITIALIZED) &&
1868 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1869 *_new_isid = sbsec->mntpoint_sid;
1870 } else if ((sbsec->flags & SBLABEL_MNT) &&
1872 *_new_isid = tsec->create_sid;
1874 const struct inode_security_struct *dsec = inode_security(dir);
1875 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1882 /* Check whether a task can create a file. */
1883 static int may_create(struct inode *dir,
1884 struct dentry *dentry,
1887 const struct task_security_struct *tsec = current_security();
1888 struct inode_security_struct *dsec;
1889 struct superblock_security_struct *sbsec;
1891 struct common_audit_data ad;
1894 dsec = inode_security(dir);
1895 sbsec = dir->i_sb->s_security;
1899 ad.type = LSM_AUDIT_DATA_DENTRY;
1900 ad.u.dentry = dentry;
1902 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1903 DIR__ADD_NAME | DIR__SEARCH,
1908 rc = selinux_determine_inode_label(current_security(), dir,
1909 &dentry->d_name, tclass, &newsid);
1913 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1917 return avc_has_perm(newsid, sbsec->sid,
1918 SECCLASS_FILESYSTEM,
1919 FILESYSTEM__ASSOCIATE, &ad);
1923 #define MAY_UNLINK 1
1926 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1927 static int may_link(struct inode *dir,
1928 struct dentry *dentry,
1932 struct inode_security_struct *dsec, *isec;
1933 struct common_audit_data ad;
1934 u32 sid = current_sid();
1938 dsec = inode_security(dir);
1939 isec = backing_inode_security(dentry);
1941 ad.type = LSM_AUDIT_DATA_DENTRY;
1942 ad.u.dentry = dentry;
1945 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1946 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1961 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1966 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1970 static inline int may_rename(struct inode *old_dir,
1971 struct dentry *old_dentry,
1972 struct inode *new_dir,
1973 struct dentry *new_dentry)
1975 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1976 struct common_audit_data ad;
1977 u32 sid = current_sid();
1979 int old_is_dir, new_is_dir;
1982 old_dsec = inode_security(old_dir);
1983 old_isec = backing_inode_security(old_dentry);
1984 old_is_dir = d_is_dir(old_dentry);
1985 new_dsec = inode_security(new_dir);
1987 ad.type = LSM_AUDIT_DATA_DENTRY;
1989 ad.u.dentry = old_dentry;
1990 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1991 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1994 rc = avc_has_perm(sid, old_isec->sid,
1995 old_isec->sclass, FILE__RENAME, &ad);
1998 if (old_is_dir && new_dir != old_dir) {
1999 rc = avc_has_perm(sid, old_isec->sid,
2000 old_isec->sclass, DIR__REPARENT, &ad);
2005 ad.u.dentry = new_dentry;
2006 av = DIR__ADD_NAME | DIR__SEARCH;
2007 if (d_is_positive(new_dentry))
2008 av |= DIR__REMOVE_NAME;
2009 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2012 if (d_is_positive(new_dentry)) {
2013 new_isec = backing_inode_security(new_dentry);
2014 new_is_dir = d_is_dir(new_dentry);
2015 rc = avc_has_perm(sid, new_isec->sid,
2017 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2025 /* Check whether a task can perform a filesystem operation. */
2026 static int superblock_has_perm(const struct cred *cred,
2027 struct super_block *sb,
2029 struct common_audit_data *ad)
2031 struct superblock_security_struct *sbsec;
2032 u32 sid = cred_sid(cred);
2034 sbsec = sb->s_security;
2035 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2038 /* Convert a Linux mode and permission mask to an access vector. */
2039 static inline u32 file_mask_to_av(int mode, int mask)
2043 if (!S_ISDIR(mode)) {
2044 if (mask & MAY_EXEC)
2045 av |= FILE__EXECUTE;
2046 if (mask & MAY_READ)
2049 if (mask & MAY_APPEND)
2051 else if (mask & MAY_WRITE)
2055 if (mask & MAY_EXEC)
2057 if (mask & MAY_WRITE)
2059 if (mask & MAY_READ)
2066 /* Convert a Linux file to an access vector. */
2067 static inline u32 file_to_av(struct file *file)
2071 if (file->f_mode & FMODE_READ)
2073 if (file->f_mode & FMODE_WRITE) {
2074 if (file->f_flags & O_APPEND)
2081 * Special file opened with flags 3 for ioctl-only use.
2090 * Convert a file to an access vector and include the correct open
2093 static inline u32 open_file_to_av(struct file *file)
2095 u32 av = file_to_av(file);
2096 struct inode *inode = file_inode(file);
2098 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2104 /* Hook functions begin here. */
2106 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2108 u32 mysid = current_sid();
2109 u32 mgrsid = task_sid(mgr);
2111 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2112 BINDER__SET_CONTEXT_MGR, NULL);
2115 static int selinux_binder_transaction(struct task_struct *from,
2116 struct task_struct *to)
2118 u32 mysid = current_sid();
2119 u32 fromsid = task_sid(from);
2120 u32 tosid = task_sid(to);
2123 if (mysid != fromsid) {
2124 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2125 BINDER__IMPERSONATE, NULL);
2130 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2134 static int selinux_binder_transfer_binder(struct task_struct *from,
2135 struct task_struct *to)
2137 u32 fromsid = task_sid(from);
2138 u32 tosid = task_sid(to);
2140 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2144 static int selinux_binder_transfer_file(struct task_struct *from,
2145 struct task_struct *to,
2148 u32 sid = task_sid(to);
2149 struct file_security_struct *fsec = file->f_security;
2150 struct dentry *dentry = file->f_path.dentry;
2151 struct inode_security_struct *isec;
2152 struct common_audit_data ad;
2155 ad.type = LSM_AUDIT_DATA_PATH;
2156 ad.u.path = file->f_path;
2158 if (sid != fsec->sid) {
2159 rc = avc_has_perm(sid, fsec->sid,
2167 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2170 isec = backing_inode_security(dentry);
2171 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2175 static int selinux_ptrace_access_check(struct task_struct *child,
2178 u32 sid = current_sid();
2179 u32 csid = task_sid(child);
2181 if (mode & PTRACE_MODE_READ)
2182 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2184 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2187 static int selinux_ptrace_traceme(struct task_struct *parent)
2189 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2190 PROCESS__PTRACE, NULL);
2193 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2194 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2196 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2197 PROCESS__GETCAP, NULL);
2200 static int selinux_capset(struct cred *new, const struct cred *old,
2201 const kernel_cap_t *effective,
2202 const kernel_cap_t *inheritable,
2203 const kernel_cap_t *permitted)
2205 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2206 PROCESS__SETCAP, NULL);
2210 * (This comment used to live with the selinux_task_setuid hook,
2211 * which was removed).
2213 * Since setuid only affects the current process, and since the SELinux
2214 * controls are not based on the Linux identity attributes, SELinux does not
2215 * need to control this operation. However, SELinux does control the use of
2216 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2219 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2222 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2225 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2227 const struct cred *cred = current_cred();
2239 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2244 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2247 rc = 0; /* let the kernel handle invalid cmds */
2253 static int selinux_quota_on(struct dentry *dentry)
2255 const struct cred *cred = current_cred();
2257 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2260 static int selinux_syslog(int type)
2263 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2264 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2265 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2266 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2267 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2268 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2269 /* Set level of messages printed to console */
2270 case SYSLOG_ACTION_CONSOLE_LEVEL:
2271 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2272 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2275 /* All other syslog types */
2276 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2277 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2281 * Check that a process has enough memory to allocate a new virtual
2282 * mapping. 0 means there is enough memory for the allocation to
2283 * succeed and -ENOMEM implies there is not.
2285 * Do not audit the selinux permission check, as this is applied to all
2286 * processes that allocate mappings.
2288 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2290 int rc, cap_sys_admin = 0;
2292 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2293 SECURITY_CAP_NOAUDIT, true);
2297 return cap_sys_admin;
2300 /* binprm security operations */
2302 static u32 ptrace_parent_sid(void)
2305 struct task_struct *tracer;
2308 tracer = ptrace_parent(current);
2310 sid = task_sid(tracer);
2316 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2317 const struct task_security_struct *old_tsec,
2318 const struct task_security_struct *new_tsec)
2320 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2321 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2325 if (!nnp && !nosuid)
2326 return 0; /* neither NNP nor nosuid */
2328 if (new_tsec->sid == old_tsec->sid)
2329 return 0; /* No change in credentials */
2332 * If the policy enables the nnp_nosuid_transition policy capability,
2333 * then we permit transitions under NNP or nosuid if the
2334 * policy allows the corresponding permission between
2335 * the old and new contexts.
2337 if (selinux_policycap_nnp_nosuid_transition) {
2340 av |= PROCESS2__NNP_TRANSITION;
2342 av |= PROCESS2__NOSUID_TRANSITION;
2343 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2344 SECCLASS_PROCESS2, av, NULL);
2350 * We also permit NNP or nosuid transitions to bounded SIDs,
2351 * i.e. SIDs that are guaranteed to only be allowed a subset
2352 * of the permissions of the current SID.
2354 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2359 * On failure, preserve the errno values for NNP vs nosuid.
2360 * NNP: Operation not permitted for caller.
2361 * nosuid: Permission denied to file.
2368 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2370 const struct task_security_struct *old_tsec;
2371 struct task_security_struct *new_tsec;
2372 struct inode_security_struct *isec;
2373 struct common_audit_data ad;
2374 struct inode *inode = file_inode(bprm->file);
2377 /* SELinux context only depends on initial program or script and not
2378 * the script interpreter */
2379 if (bprm->called_set_creds)
2382 old_tsec = current_security();
2383 new_tsec = bprm->cred->security;
2384 isec = inode_security(inode);
2386 /* Default to the current task SID. */
2387 new_tsec->sid = old_tsec->sid;
2388 new_tsec->osid = old_tsec->sid;
2390 /* Reset fs, key, and sock SIDs on execve. */
2391 new_tsec->create_sid = 0;
2392 new_tsec->keycreate_sid = 0;
2393 new_tsec->sockcreate_sid = 0;
2395 if (old_tsec->exec_sid) {
2396 new_tsec->sid = old_tsec->exec_sid;
2397 /* Reset exec SID on execve. */
2398 new_tsec->exec_sid = 0;
2400 /* Fail on NNP or nosuid if not an allowed transition. */
2401 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2405 /* Check for a default transition on this program. */
2406 rc = security_transition_sid(old_tsec->sid, isec->sid,
2407 SECCLASS_PROCESS, NULL,
2413 * Fallback to old SID on NNP or nosuid if not an allowed
2416 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2418 new_tsec->sid = old_tsec->sid;
2421 ad.type = LSM_AUDIT_DATA_FILE;
2422 ad.u.file = bprm->file;
2424 if (new_tsec->sid == old_tsec->sid) {
2425 rc = avc_has_perm(old_tsec->sid, isec->sid,
2426 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2430 /* Check permissions for the transition. */
2431 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2432 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2436 rc = avc_has_perm(new_tsec->sid, isec->sid,
2437 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2441 /* Check for shared state */
2442 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2443 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2444 SECCLASS_PROCESS, PROCESS__SHARE,
2450 /* Make sure that anyone attempting to ptrace over a task that
2451 * changes its SID has the appropriate permit */
2452 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2453 u32 ptsid = ptrace_parent_sid();
2455 rc = avc_has_perm(ptsid, new_tsec->sid,
2457 PROCESS__PTRACE, NULL);
2463 /* Clear any possibly unsafe personality bits on exec: */
2464 bprm->per_clear |= PER_CLEAR_ON_SETID;
2466 /* Enable secure mode for SIDs transitions unless
2467 the noatsecure permission is granted between
2468 the two SIDs, i.e. ahp returns 0. */
2469 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2470 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2472 bprm->secureexec |= !!rc;
2478 static int match_file(const void *p, struct file *file, unsigned fd)
2480 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2483 /* Derived from fs/exec.c:flush_old_files. */
2484 static inline void flush_unauthorized_files(const struct cred *cred,
2485 struct files_struct *files)
2487 struct file *file, *devnull = NULL;
2488 struct tty_struct *tty;
2492 tty = get_current_tty();
2494 spin_lock(&tty->files_lock);
2495 if (!list_empty(&tty->tty_files)) {
2496 struct tty_file_private *file_priv;
2498 /* Revalidate access to controlling tty.
2499 Use file_path_has_perm on the tty path directly
2500 rather than using file_has_perm, as this particular
2501 open file may belong to another process and we are
2502 only interested in the inode-based check here. */
2503 file_priv = list_first_entry(&tty->tty_files,
2504 struct tty_file_private, list);
2505 file = file_priv->file;
2506 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2509 spin_unlock(&tty->files_lock);
2512 /* Reset controlling tty. */
2516 /* Revalidate access to inherited open files. */
2517 n = iterate_fd(files, 0, match_file, cred);
2518 if (!n) /* none found? */
2521 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2522 if (IS_ERR(devnull))
2524 /* replace all the matching ones with this */
2526 replace_fd(n - 1, devnull, 0);
2527 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2533 * Prepare a process for imminent new credential changes due to exec
2535 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2537 struct task_security_struct *new_tsec;
2538 struct rlimit *rlim, *initrlim;
2541 new_tsec = bprm->cred->security;
2542 if (new_tsec->sid == new_tsec->osid)
2545 /* Close files for which the new task SID is not authorized. */
2546 flush_unauthorized_files(bprm->cred, current->files);
2548 /* Always clear parent death signal on SID transitions. */
2549 current->pdeath_signal = 0;
2551 /* Check whether the new SID can inherit resource limits from the old
2552 * SID. If not, reset all soft limits to the lower of the current
2553 * task's hard limit and the init task's soft limit.
2555 * Note that the setting of hard limits (even to lower them) can be
2556 * controlled by the setrlimit check. The inclusion of the init task's
2557 * soft limit into the computation is to avoid resetting soft limits
2558 * higher than the default soft limit for cases where the default is
2559 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2561 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2562 PROCESS__RLIMITINH, NULL);
2564 /* protect against do_prlimit() */
2566 for (i = 0; i < RLIM_NLIMITS; i++) {
2567 rlim = current->signal->rlim + i;
2568 initrlim = init_task.signal->rlim + i;
2569 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2571 task_unlock(current);
2572 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2573 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2578 * Clean up the process immediately after the installation of new credentials
2581 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2583 const struct task_security_struct *tsec = current_security();
2584 struct itimerval itimer;
2594 /* Check whether the new SID can inherit signal state from the old SID.
2595 * If not, clear itimers to avoid subsequent signal generation and
2596 * flush and unblock signals.
2598 * This must occur _after_ the task SID has been updated so that any
2599 * kill done after the flush will be checked against the new SID.
2601 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2603 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2604 memset(&itimer, 0, sizeof itimer);
2605 for (i = 0; i < 3; i++)
2606 do_setitimer(i, &itimer, NULL);
2608 spin_lock_irq(¤t->sighand->siglock);
2609 if (!fatal_signal_pending(current)) {
2610 flush_sigqueue(¤t->pending);
2611 flush_sigqueue(¤t->signal->shared_pending);
2612 flush_signal_handlers(current, 1);
2613 sigemptyset(¤t->blocked);
2614 recalc_sigpending();
2616 spin_unlock_irq(¤t->sighand->siglock);
2619 /* Wake up the parent if it is waiting so that it can recheck
2620 * wait permission to the new task SID. */
2621 read_lock(&tasklist_lock);
2622 __wake_up_parent(current, current->real_parent);
2623 read_unlock(&tasklist_lock);
2626 /* superblock security operations */
2628 static int selinux_sb_alloc_security(struct super_block *sb)
2630 return superblock_alloc_security(sb);
2633 static void selinux_sb_free_security(struct super_block *sb)
2635 superblock_free_security(sb);
2638 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2643 return !memcmp(prefix, option, plen);
2646 static inline int selinux_option(char *option, int len)
2648 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2649 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2650 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2651 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2652 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2655 static inline void take_option(char **to, char *from, int *first, int len)
2662 memcpy(*to, from, len);
2666 static inline void take_selinux_option(char **to, char *from, int *first,
2669 int current_size = 0;
2677 while (current_size < len) {
2687 static int selinux_sb_copy_data(char *orig, char *copy)
2689 int fnosec, fsec, rc = 0;
2690 char *in_save, *in_curr, *in_end;
2691 char *sec_curr, *nosec_save, *nosec;
2697 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2705 in_save = in_end = orig;
2709 open_quote = !open_quote;
2710 if ((*in_end == ',' && open_quote == 0) ||
2712 int len = in_end - in_curr;
2714 if (selinux_option(in_curr, len))
2715 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2717 take_option(&nosec, in_curr, &fnosec, len);
2719 in_curr = in_end + 1;
2721 } while (*in_end++);
2723 strcpy(in_save, nosec_save);
2724 free_page((unsigned long)nosec_save);
2729 static int selinux_sb_remount(struct super_block *sb, void *data)
2732 struct security_mnt_opts opts;
2733 char *secdata, **mount_options;
2734 struct superblock_security_struct *sbsec = sb->s_security;
2736 if (!(sbsec->flags & SE_SBINITIALIZED))
2742 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2745 security_init_mnt_opts(&opts);
2746 secdata = alloc_secdata();
2749 rc = selinux_sb_copy_data(data, secdata);
2751 goto out_free_secdata;
2753 rc = selinux_parse_opts_str(secdata, &opts);
2755 goto out_free_secdata;
2757 mount_options = opts.mnt_opts;
2758 flags = opts.mnt_opts_flags;
2760 for (i = 0; i < opts.num_mnt_opts; i++) {
2763 if (flags[i] == SBLABEL_MNT)
2765 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2767 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2768 "(%s) failed for (dev %s, type %s) errno=%d\n",
2769 mount_options[i], sb->s_id, sb->s_type->name, rc);
2775 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2776 goto out_bad_option;
2779 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2780 goto out_bad_option;
2782 case ROOTCONTEXT_MNT: {
2783 struct inode_security_struct *root_isec;
2784 root_isec = backing_inode_security(sb->s_root);
2786 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2787 goto out_bad_option;
2790 case DEFCONTEXT_MNT:
2791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2792 goto out_bad_option;
2801 security_free_mnt_opts(&opts);
2803 free_secdata(secdata);
2806 printk(KERN_WARNING "SELinux: unable to change security options "
2807 "during remount (dev %s, type=%s)\n", sb->s_id,
2812 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2814 const struct cred *cred = current_cred();
2815 struct common_audit_data ad;
2818 rc = superblock_doinit(sb, data);
2822 /* Allow all mounts performed by the kernel */
2823 if (flags & MS_KERNMOUNT)
2826 ad.type = LSM_AUDIT_DATA_DENTRY;
2827 ad.u.dentry = sb->s_root;
2828 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2831 static int selinux_sb_statfs(struct dentry *dentry)
2833 const struct cred *cred = current_cred();
2834 struct common_audit_data ad;
2836 ad.type = LSM_AUDIT_DATA_DENTRY;
2837 ad.u.dentry = dentry->d_sb->s_root;
2838 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2841 static int selinux_mount(const char *dev_name,
2842 const struct path *path,
2844 unsigned long flags,
2847 const struct cred *cred = current_cred();
2849 if (flags & MS_REMOUNT)
2850 return superblock_has_perm(cred, path->dentry->d_sb,
2851 FILESYSTEM__REMOUNT, NULL);
2853 return path_has_perm(cred, path, FILE__MOUNTON);
2856 static int selinux_umount(struct vfsmount *mnt, int flags)
2858 const struct cred *cred = current_cred();
2860 return superblock_has_perm(cred, mnt->mnt_sb,
2861 FILESYSTEM__UNMOUNT, NULL);
2864 /* inode security operations */
2866 static int selinux_inode_alloc_security(struct inode *inode)
2868 return inode_alloc_security(inode);
2871 static void selinux_inode_free_security(struct inode *inode)
2873 inode_free_security(inode);
2876 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2877 const struct qstr *name, void **ctx,
2883 rc = selinux_determine_inode_label(current_security(),
2884 d_inode(dentry->d_parent), name,
2885 inode_mode_to_security_class(mode),
2890 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2893 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2895 const struct cred *old,
2900 struct task_security_struct *tsec;
2902 rc = selinux_determine_inode_label(old->security,
2903 d_inode(dentry->d_parent), name,
2904 inode_mode_to_security_class(mode),
2909 tsec = new->security;
2910 tsec->create_sid = newsid;
2914 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2915 const struct qstr *qstr,
2917 void **value, size_t *len)
2919 const struct task_security_struct *tsec = current_security();
2920 struct superblock_security_struct *sbsec;
2921 u32 sid, newsid, clen;
2925 sbsec = dir->i_sb->s_security;
2928 newsid = tsec->create_sid;
2930 rc = selinux_determine_inode_label(current_security(),
2932 inode_mode_to_security_class(inode->i_mode),
2937 /* Possibly defer initialization to selinux_complete_init. */
2938 if (sbsec->flags & SE_SBINITIALIZED) {
2939 struct inode_security_struct *isec = inode->i_security;
2940 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2942 isec->initialized = LABEL_INITIALIZED;
2945 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2949 *name = XATTR_SELINUX_SUFFIX;
2952 rc = security_sid_to_context_force(newsid, &context, &clen);
2962 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2964 return may_create(dir, dentry, SECCLASS_FILE);
2967 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2969 return may_link(dir, old_dentry, MAY_LINK);
2972 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2974 return may_link(dir, dentry, MAY_UNLINK);
2977 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2979 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2982 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2984 return may_create(dir, dentry, SECCLASS_DIR);
2987 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2989 return may_link(dir, dentry, MAY_RMDIR);
2992 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2994 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2997 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2998 struct inode *new_inode, struct dentry *new_dentry)
3000 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3003 static int selinux_inode_readlink(struct dentry *dentry)
3005 const struct cred *cred = current_cred();
3007 return dentry_has_perm(cred, dentry, FILE__READ);
3010 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3013 const struct cred *cred = current_cred();
3014 struct common_audit_data ad;
3015 struct inode_security_struct *isec;
3018 validate_creds(cred);
3020 ad.type = LSM_AUDIT_DATA_DENTRY;
3021 ad.u.dentry = dentry;
3022 sid = cred_sid(cred);
3023 isec = inode_security_rcu(inode, rcu);
3025 return PTR_ERR(isec);
3027 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3028 rcu ? MAY_NOT_BLOCK : 0);
3031 static noinline int audit_inode_permission(struct inode *inode,
3032 u32 perms, u32 audited, u32 denied,
3036 struct common_audit_data ad;
3037 struct inode_security_struct *isec = inode->i_security;
3040 ad.type = LSM_AUDIT_DATA_INODE;
3043 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3044 audited, denied, result, &ad, flags);
3050 static int selinux_inode_permission(struct inode *inode, int mask)
3052 const struct cred *cred = current_cred();
3055 unsigned flags = mask & MAY_NOT_BLOCK;
3056 struct inode_security_struct *isec;
3058 struct av_decision avd;
3060 u32 audited, denied;
3062 from_access = mask & MAY_ACCESS;
3063 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3065 /* No permission to check. Existence test. */
3069 validate_creds(cred);
3071 if (unlikely(IS_PRIVATE(inode)))
3074 perms = file_mask_to_av(inode->i_mode, mask);
3076 sid = cred_sid(cred);
3077 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3079 return PTR_ERR(isec);
3081 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3082 audited = avc_audit_required(perms, &avd, rc,
3083 from_access ? FILE__AUDIT_ACCESS : 0,
3085 if (likely(!audited))
3088 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3094 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3096 const struct cred *cred = current_cred();
3097 struct inode *inode = d_backing_inode(dentry);
3098 unsigned int ia_valid = iattr->ia_valid;
3099 __u32 av = FILE__WRITE;
3101 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3102 if (ia_valid & ATTR_FORCE) {
3103 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3109 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3110 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3111 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3113 if (selinux_policycap_openperm &&
3114 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3115 (ia_valid & ATTR_SIZE) &&
3116 !(ia_valid & ATTR_FILE))
3119 return dentry_has_perm(cred, dentry, av);
3122 static int selinux_inode_getattr(const struct path *path)
3124 return path_has_perm(current_cred(), path, FILE__GETATTR);
3127 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3129 const struct cred *cred = current_cred();
3131 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3132 sizeof XATTR_SECURITY_PREFIX - 1)) {
3133 if (!strcmp(name, XATTR_NAME_CAPS)) {
3134 if (!capable(CAP_SETFCAP))
3136 } else if (!capable(CAP_SYS_ADMIN)) {
3137 /* A different attribute in the security namespace.
3138 Restrict to administrator. */
3143 /* Not an attribute we recognize, so just check the
3144 ordinary setattr permission. */
3145 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3148 static bool has_cap_mac_admin(bool audit)
3150 const struct cred *cred = current_cred();
3151 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3153 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3155 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3160 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
git.samba.org / sfrench / cifs-2.6.git / blob