2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
106 static int __init enforcing_setup(char *str)
108 unsigned long enforcing;
109 if (!kstrtoul(str, 0, &enforcing))
110 selinux_enforcing = enforcing ? 1 : 0;
113 __setup("enforcing=", enforcing_setup);
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119 static int __init selinux_enabled_setup(char *str)
121 unsigned long enabled;
122 if (!kstrtoul(str, 0, &enabled))
123 selinux_enabled = enabled ? 1 : 0;
126 __setup("selinux=", selinux_enabled_setup);
128 int selinux_enabled = 1;
131 static struct kmem_cache *sel_inode_cache;
132 static struct kmem_cache *file_security_cache;
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
141 * enabled, false (0) if SECMARK is disabled. If the always_check_network
142 * policy capability is enabled, SECMARK is always considered enabled.
145 static int selinux_secmark_enabled(void)
147 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
151 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
154 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
155 * (1) if any are enabled or false (0) if neither are enabled. If the
156 * always_check_network policy capability is enabled, peer labeling
157 * is always considered enabled.
160 static int selinux_peerlbl_enabled(void)
162 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
165 static int selinux_netcache_avc_callback(u32 event)
167 if (event == AVC_CALLBACK_RESET) {
176 static int selinux_lsm_notifier_avc_callback(u32 event)
178 if (event == AVC_CALLBACK_RESET) {
180 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
187 * initialise the security for the init task
189 static void cred_init_security(void)
191 struct cred *cred = (struct cred *) current->real_cred;
192 struct task_security_struct *tsec;
194 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
196 panic("SELinux: Failed to initialize initial task.\n");
198 tsec->osid = tsec->sid = SECINITSID_KERNEL;
199 cred->security = tsec;
203 * get the security ID of a set of credentials
205 static inline u32 cred_sid(const struct cred *cred)
207 const struct task_security_struct *tsec;
209 tsec = cred->security;
214 * get the objective security ID of a task
216 static inline u32 task_sid(const struct task_struct *task)
221 sid = cred_sid(__task_cred(task));
226 /* Allocate and free functions for each kind of security blob. */
228 static int inode_alloc_security(struct inode *inode)
230 struct inode_security_struct *isec;
231 u32 sid = current_sid();
233 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
237 spin_lock_init(&isec->lock);
238 INIT_LIST_HEAD(&isec->list);
240 isec->sid = SECINITSID_UNLABELED;
241 isec->sclass = SECCLASS_FILE;
242 isec->task_sid = sid;
243 isec->initialized = LABEL_INVALID;
244 inode->i_security = isec;
249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
252 * Try reloading inode security labels that have been marked as invalid. The
253 * @may_sleep parameter indicates when sleeping and thus reloading labels is
254 * allowed; when set to false, returns -ECHILD when the label is
255 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
256 * when no dentry is available, set it to NULL instead.
258 static int __inode_security_revalidate(struct inode *inode,
259 struct dentry *opt_dentry,
262 struct inode_security_struct *isec = inode->i_security;
264 might_sleep_if(may_sleep);
266 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
271 * Try reloading the inode security label. This will fail if
272 * @opt_dentry is NULL and no dentry for this inode can be
273 * found; in that case, continue using the old label.
275 inode_doinit_with_dentry(inode, opt_dentry);
280 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
282 return inode->i_security;
285 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
289 error = __inode_security_revalidate(inode, NULL, !rcu);
291 return ERR_PTR(error);
292 return inode->i_security;
296 * Get the security label of an inode.
298 static struct inode_security_struct *inode_security(struct inode *inode)
300 __inode_security_revalidate(inode, NULL, true);
301 return inode->i_security;
304 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
306 struct inode *inode = d_backing_inode(dentry);
308 return inode->i_security;
312 * Get the security label of a dentry's backing inode.
314 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
316 struct inode *inode = d_backing_inode(dentry);
318 __inode_security_revalidate(inode, dentry, true);
319 return inode->i_security;
322 static void inode_free_rcu(struct rcu_head *head)
324 struct inode_security_struct *isec;
326 isec = container_of(head, struct inode_security_struct, rcu);
327 kmem_cache_free(sel_inode_cache, isec);
330 static void inode_free_security(struct inode *inode)
332 struct inode_security_struct *isec = inode->i_security;
333 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
336 * As not all inode security structures are in a list, we check for
337 * empty list outside of the lock to make sure that we won't waste
338 * time taking a lock doing nothing.
340 * The list_del_init() function can be safely called more than once.
341 * It should not be possible for this function to be called with
342 * concurrent list_add(), but for better safety against future changes
343 * in the code, we use list_empty_careful() here.
345 if (!list_empty_careful(&isec->list)) {
346 spin_lock(&sbsec->isec_lock);
347 list_del_init(&isec->list);
348 spin_unlock(&sbsec->isec_lock);
352 * The inode may still be referenced in a path walk and
353 * a call to selinux_inode_permission() can be made
354 * after inode_free_security() is called. Ideally, the VFS
355 * wouldn't do this, but fixing that is a much harder
356 * job. For now, simply free the i_security via RCU, and
357 * leave the current inode->i_security pointer intact.
358 * The inode will be freed after the RCU grace period too.
360 call_rcu(&isec->rcu, inode_free_rcu);
363 static int file_alloc_security(struct file *file)
365 struct file_security_struct *fsec;
366 u32 sid = current_sid();
368 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
373 fsec->fown_sid = sid;
374 file->f_security = fsec;
379 static void file_free_security(struct file *file)
381 struct file_security_struct *fsec = file->f_security;
382 file->f_security = NULL;
383 kmem_cache_free(file_security_cache, fsec);
386 static int superblock_alloc_security(struct super_block *sb)
388 struct superblock_security_struct *sbsec;
390 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
394 mutex_init(&sbsec->lock);
395 INIT_LIST_HEAD(&sbsec->isec_head);
396 spin_lock_init(&sbsec->isec_lock);
398 sbsec->sid = SECINITSID_UNLABELED;
399 sbsec->def_sid = SECINITSID_FILE;
400 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
401 sb->s_security = sbsec;
406 static void superblock_free_security(struct super_block *sb)
408 struct superblock_security_struct *sbsec = sb->s_security;
409 sb->s_security = NULL;
413 static inline int inode_doinit(struct inode *inode)
415 return inode_doinit_with_dentry(inode, NULL);
424 Opt_labelsupport = 5,
428 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
430 static const match_table_t tokens = {
431 {Opt_context, CONTEXT_STR "%s"},
432 {Opt_fscontext, FSCONTEXT_STR "%s"},
433 {Opt_defcontext, DEFCONTEXT_STR "%s"},
434 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
435 {Opt_labelsupport, LABELSUPP_STR},
439 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
441 static int may_context_mount_sb_relabel(u32 sid,
442 struct superblock_security_struct *sbsec,
443 const struct cred *cred)
445 const struct task_security_struct *tsec = cred->security;
448 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449 FILESYSTEM__RELABELFROM, NULL);
453 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454 FILESYSTEM__RELABELTO, NULL);
458 static int may_context_mount_inode_relabel(u32 sid,
459 struct superblock_security_struct *sbsec,
460 const struct cred *cred)
462 const struct task_security_struct *tsec = cred->security;
464 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__RELABELFROM, NULL);
469 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470 FILESYSTEM__ASSOCIATE, NULL);
474 static int selinux_is_sblabel_mnt(struct super_block *sb)
476 struct superblock_security_struct *sbsec = sb->s_security;
478 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
479 sbsec->behavior == SECURITY_FS_USE_TRANS ||
480 sbsec->behavior == SECURITY_FS_USE_TASK ||
481 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
482 /* Special handling. Genfs but also in-core setxattr handler */
483 !strcmp(sb->s_type->name, "sysfs") ||
484 !strcmp(sb->s_type->name, "pstore") ||
485 !strcmp(sb->s_type->name, "debugfs") ||
486 !strcmp(sb->s_type->name, "tracefs") ||
487 !strcmp(sb->s_type->name, "rootfs") ||
488 (selinux_policycap_cgroupseclabel &&
489 (!strcmp(sb->s_type->name, "cgroup") ||
490 !strcmp(sb->s_type->name, "cgroup2")));
493 static int sb_finish_set_opts(struct super_block *sb)
495 struct superblock_security_struct *sbsec = sb->s_security;
496 struct dentry *root = sb->s_root;
497 struct inode *root_inode = d_backing_inode(root);
500 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
501 /* Make sure that the xattr handler exists and that no
502 error other than -ENODATA is returned by getxattr on
503 the root directory. -ENODATA is ok, as this may be
504 the first boot of the SELinux kernel before we have
505 assigned xattr values to the filesystem. */
506 if (!(root_inode->i_opflags & IOP_XATTR)) {
507 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
508 "xattr support\n", sb->s_id, sb->s_type->name);
513 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
514 if (rc < 0 && rc != -ENODATA) {
515 if (rc == -EOPNOTSUPP)
516 printk(KERN_WARNING "SELinux: (dev %s, type "
517 "%s) has no security xattr handler\n",
518 sb->s_id, sb->s_type->name);
520 printk(KERN_WARNING "SELinux: (dev %s, type "
521 "%s) getxattr errno %d\n", sb->s_id,
522 sb->s_type->name, -rc);
527 sbsec->flags |= SE_SBINITIALIZED;
530 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
531 * leave the flag untouched because sb_clone_mnt_opts might be handing
532 * us a superblock that needs the flag to be cleared.
534 if (selinux_is_sblabel_mnt(sb))
535 sbsec->flags |= SBLABEL_MNT;
537 sbsec->flags &= ~SBLABEL_MNT;
539 /* Initialize the root inode. */
540 rc = inode_doinit_with_dentry(root_inode, root);
542 /* Initialize any other inodes associated with the superblock, e.g.
543 inodes created prior to initial policy load or inodes created
544 during get_sb by a pseudo filesystem that directly
546 spin_lock(&sbsec->isec_lock);
548 if (!list_empty(&sbsec->isec_head)) {
549 struct inode_security_struct *isec =
550 list_entry(sbsec->isec_head.next,
551 struct inode_security_struct, list);
552 struct inode *inode = isec->inode;
553 list_del_init(&isec->list);
554 spin_unlock(&sbsec->isec_lock);
555 inode = igrab(inode);
557 if (!IS_PRIVATE(inode))
561 spin_lock(&sbsec->isec_lock);
564 spin_unlock(&sbsec->isec_lock);
570 * This function should allow an FS to ask what it's mount security
571 * options were so it can use those later for submounts, displaying
572 * mount options, or whatever.
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575 struct security_mnt_opts *opts)
578 struct superblock_security_struct *sbsec = sb->s_security;
579 char *context = NULL;
583 security_init_mnt_opts(opts);
585 if (!(sbsec->flags & SE_SBINITIALIZED))
591 /* make sure we always check enough bits to cover the mask */
592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
594 tmp = sbsec->flags & SE_MNTMASK;
595 /* count the number of mount options for this sb */
596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
598 opts->num_mnt_opts++;
601 /* Check if the Label support flag is set */
602 if (sbsec->flags & SBLABEL_MNT)
603 opts->num_mnt_opts++;
605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 if (!opts->mnt_opts) {
611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 if (!opts->mnt_opts_flags) {
618 if (sbsec->flags & FSCONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->sid, &context, &len);
622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
625 if (sbsec->flags & CONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
632 if (sbsec->flags & DEFCONTEXT_MNT) {
633 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
636 opts->mnt_opts[i] = context;
637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
639 if (sbsec->flags & ROOTCONTEXT_MNT) {
640 struct dentry *root = sbsec->sb->s_root;
641 struct inode_security_struct *isec = backing_inode_security(root);
643 rc = security_sid_to_context(isec->sid, &context, &len);
646 opts->mnt_opts[i] = context;
647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
649 if (sbsec->flags & SBLABEL_MNT) {
650 opts->mnt_opts[i] = NULL;
651 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
654 BUG_ON(i != opts->num_mnt_opts);
659 security_free_mnt_opts(opts);
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 u32 old_sid, u32 new_sid)
666 char mnt_flags = sbsec->flags & SE_MNTMASK;
668 /* check if the old mount command had the same options */
669 if (sbsec->flags & SE_SBINITIALIZED)
670 if (!(sbsec->flags & flag) ||
671 (old_sid != new_sid))
674 /* check if we were passed the same options twice,
675 * aka someone passed context=a,context=b
677 if (!(sbsec->flags & SE_SBINITIALIZED))
678 if (mnt_flags & flag)
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
687 static int selinux_set_mnt_opts(struct super_block *sb,
688 struct security_mnt_opts *opts,
689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
692 const struct cred *cred = current_cred();
694 struct superblock_security_struct *sbsec = sb->s_security;
695 const char *name = sb->s_type->name;
696 struct dentry *root = sbsec->sb->s_root;
697 struct inode_security_struct *root_isec;
698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 u32 defcontext_sid = 0;
700 char **mount_options = opts->mnt_opts;
701 int *flags = opts->mnt_opts_flags;
702 int num_opts = opts->num_mnt_opts;
704 mutex_lock(&sbsec->lock);
706 if (!ss_initialized) {
708 /* Defer initialization until selinux_complete_init,
709 after the initial policy is loaded and the security
710 server is ready to handle calls. */
714 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 "before the security server is initialized\n");
718 if (kern_flags && !set_kern_flags) {
719 /* Specifying internal flags without providing a place to
720 * place the results is not allowed */
726 * Binary mount data FS will come through this function twice. Once
727 * from an explicit call and once from the generic calls from the vfs.
728 * Since the generic VFS calls will not contain any security mount data
729 * we need to skip the double mount verification.
731 * This does open a hole in which we will not notice if the first
732 * mount using this sb set explict options and a second mount using
733 * this sb does not set any security options. (The first options
734 * will be used for both mounts)
736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
740 root_isec = backing_inode_security_novalidate(root);
743 * parse the mount options, check if they are valid sids.
744 * also check if someone is trying to mount the same sb more
745 * than once with different security options.
747 for (i = 0; i < num_opts; i++) {
750 if (flags[i] == SBLABEL_MNT)
752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
754 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755 "(%s) failed for (dev %s, type %s) errno=%d\n",
756 mount_options[i], sb->s_id, name, rc);
763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
765 goto out_double_mount;
767 sbsec->flags |= FSCONTEXT_MNT;
772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
774 goto out_double_mount;
776 sbsec->flags |= CONTEXT_MNT;
778 case ROOTCONTEXT_MNT:
779 rootcontext_sid = sid;
781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
783 goto out_double_mount;
785 sbsec->flags |= ROOTCONTEXT_MNT;
789 defcontext_sid = sid;
791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
793 goto out_double_mount;
795 sbsec->flags |= DEFCONTEXT_MNT;
804 if (sbsec->flags & SE_SBINITIALIZED) {
805 /* previously mounted with options, but not on this attempt? */
806 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807 goto out_double_mount;
812 if (strcmp(sb->s_type->name, "proc") == 0)
813 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
815 if (!strcmp(sb->s_type->name, "debugfs") ||
816 !strcmp(sb->s_type->name, "tracefs") ||
817 !strcmp(sb->s_type->name, "sysfs") ||
818 !strcmp(sb->s_type->name, "pstore") ||
819 !strcmp(sb->s_type->name, "cgroup") ||
820 !strcmp(sb->s_type->name, "cgroup2"))
821 sbsec->flags |= SE_SBGENFS;
823 if (!sbsec->behavior) {
825 * Determine the labeling behavior to use for this
828 rc = security_fs_use(sb);
831 "%s: security_fs_use(%s) returned %d\n",
832 __func__, sb->s_type->name, rc);
838 * If this is a user namespace mount and the filesystem type is not
839 * explicitly whitelisted, then no contexts are allowed on the command
840 * line and security labels must be ignored.
842 if (sb->s_user_ns != &init_user_ns &&
843 strcmp(sb->s_type->name, "tmpfs") &&
844 strcmp(sb->s_type->name, "ramfs") &&
845 strcmp(sb->s_type->name, "devpts")) {
846 if (context_sid || fscontext_sid || rootcontext_sid ||
851 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
852 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
853 rc = security_transition_sid(current_sid(), current_sid(),
855 &sbsec->mntpoint_sid);
862 /* sets the context of the superblock for the fs being mounted. */
864 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
868 sbsec->sid = fscontext_sid;
872 * Switch to using mount point labeling behavior.
873 * sets the label used on all file below the mountpoint, and will set
874 * the superblock context if not already set.
876 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
877 sbsec->behavior = SECURITY_FS_USE_NATIVE;
878 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
882 if (!fscontext_sid) {
883 rc = may_context_mount_sb_relabel(context_sid, sbsec,
887 sbsec->sid = context_sid;
889 rc = may_context_mount_inode_relabel(context_sid, sbsec,
894 if (!rootcontext_sid)
895 rootcontext_sid = context_sid;
897 sbsec->mntpoint_sid = context_sid;
898 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
901 if (rootcontext_sid) {
902 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
907 root_isec->sid = rootcontext_sid;
908 root_isec->initialized = LABEL_INITIALIZED;
911 if (defcontext_sid) {
912 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
913 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
915 printk(KERN_WARNING "SELinux: defcontext option is "
916 "invalid for this filesystem type\n");
920 if (defcontext_sid != sbsec->def_sid) {
921 rc = may_context_mount_inode_relabel(defcontext_sid,
927 sbsec->def_sid = defcontext_sid;
931 rc = sb_finish_set_opts(sb);
933 mutex_unlock(&sbsec->lock);
937 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
938 "security settings for (dev %s, type %s)\n", sb->s_id, name);
942 static int selinux_cmp_sb_context(const struct super_block *oldsb,
943 const struct super_block *newsb)
945 struct superblock_security_struct *old = oldsb->s_security;
946 struct superblock_security_struct *new = newsb->s_security;
947 char oldflags = old->flags & SE_MNTMASK;
948 char newflags = new->flags & SE_MNTMASK;
950 if (oldflags != newflags)
952 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
954 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
956 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
958 if (oldflags & ROOTCONTEXT_MNT) {
959 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
960 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
961 if (oldroot->sid != newroot->sid)
966 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
967 "different security settings for (dev %s, "
968 "type %s)\n", newsb->s_id, newsb->s_type->name);
972 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
973 struct super_block *newsb,
974 unsigned long kern_flags,
975 unsigned long *set_kern_flags)
978 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
979 struct superblock_security_struct *newsbsec = newsb->s_security;
981 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
982 int set_context = (oldsbsec->flags & CONTEXT_MNT);
983 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
986 * if the parent was able to be mounted it clearly had no special lsm
987 * mount options. thus we can safely deal with this superblock later
993 * Specifying internal flags without providing a place to
994 * place the results is not allowed.
996 if (kern_flags && !set_kern_flags)
999 /* how can we clone if the old one wasn't set up?? */
1000 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1002 /* if fs is reusing a sb, make sure that the contexts match */
1003 if (newsbsec->flags & SE_SBINITIALIZED)
1004 return selinux_cmp_sb_context(oldsb, newsb);
1006 mutex_lock(&newsbsec->lock);
1008 newsbsec->flags = oldsbsec->flags;
1010 newsbsec->sid = oldsbsec->sid;
1011 newsbsec->def_sid = oldsbsec->def_sid;
1012 newsbsec->behavior = oldsbsec->behavior;
1014 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1015 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1016 rc = security_fs_use(newsb);
1021 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1022 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1023 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1027 u32 sid = oldsbsec->mntpoint_sid;
1030 newsbsec->sid = sid;
1031 if (!set_rootcontext) {
1032 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1035 newsbsec->mntpoint_sid = sid;
1037 if (set_rootcontext) {
1038 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1039 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1041 newisec->sid = oldisec->sid;
1044 sb_finish_set_opts(newsb);
1046 mutex_unlock(&newsbsec->lock);
1050 static int selinux_parse_opts_str(char *options,
1051 struct security_mnt_opts *opts)
1054 char *context = NULL, *defcontext = NULL;
1055 char *fscontext = NULL, *rootcontext = NULL;
1056 int rc, num_mnt_opts = 0;
1058 opts->num_mnt_opts = 0;
1060 /* Standard string-based options. */
1061 while ((p = strsep(&options, "|")) != NULL) {
1063 substring_t args[MAX_OPT_ARGS];
1068 token = match_token(p, tokens, args);
1072 if (context || defcontext) {
1074 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1077 context = match_strdup(&args[0]);
1087 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1090 fscontext = match_strdup(&args[0]);
1097 case Opt_rootcontext:
1100 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1103 rootcontext = match_strdup(&args[0]);
1110 case Opt_defcontext:
1111 if (context || defcontext) {
1113 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1116 defcontext = match_strdup(&args[0]);
1122 case Opt_labelsupport:
1126 printk(KERN_WARNING "SELinux: unknown mount option\n");
1133 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1134 if (!opts->mnt_opts)
1137 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1139 if (!opts->mnt_opts_flags)
1143 opts->mnt_opts[num_mnt_opts] = fscontext;
1144 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1147 opts->mnt_opts[num_mnt_opts] = context;
1148 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1151 opts->mnt_opts[num_mnt_opts] = rootcontext;
1152 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1155 opts->mnt_opts[num_mnt_opts] = defcontext;
1156 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1159 opts->num_mnt_opts = num_mnt_opts;
1163 security_free_mnt_opts(opts);
1171 * string mount options parsing and call set the sbsec
1173 static int superblock_doinit(struct super_block *sb, void *data)
1176 char *options = data;
1177 struct security_mnt_opts opts;
1179 security_init_mnt_opts(&opts);
1184 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1186 rc = selinux_parse_opts_str(options, &opts);
1191 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1194 security_free_mnt_opts(&opts);
1198 static void selinux_write_opts(struct seq_file *m,
1199 struct security_mnt_opts *opts)
1204 for (i = 0; i < opts->num_mnt_opts; i++) {
1207 if (opts->mnt_opts[i])
1208 has_comma = strchr(opts->mnt_opts[i], ',');
1212 switch (opts->mnt_opts_flags[i]) {
1214 prefix = CONTEXT_STR;
1217 prefix = FSCONTEXT_STR;
1219 case ROOTCONTEXT_MNT:
1220 prefix = ROOTCONTEXT_STR;
1222 case DEFCONTEXT_MNT:
1223 prefix = DEFCONTEXT_STR;
1227 seq_puts(m, LABELSUPP_STR);
1233 /* we need a comma before each option */
1235 seq_puts(m, prefix);
1238 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1244 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1246 struct security_mnt_opts opts;
1249 rc = selinux_get_mnt_opts(sb, &opts);
1251 /* before policy load we may get EINVAL, don't show anything */
1257 selinux_write_opts(m, &opts);
1259 security_free_mnt_opts(&opts);
1264 static inline u16 inode_mode_to_security_class(umode_t mode)
1266 switch (mode & S_IFMT) {
1268 return SECCLASS_SOCK_FILE;
1270 return SECCLASS_LNK_FILE;
1272 return SECCLASS_FILE;
1274 return SECCLASS_BLK_FILE;
1276 return SECCLASS_DIR;
1278 return SECCLASS_CHR_FILE;
1280 return SECCLASS_FIFO_FILE;
1284 return SECCLASS_FILE;
1287 static inline int default_protocol_stream(int protocol)
1289 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1292 static inline int default_protocol_dgram(int protocol)
1294 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1297 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1299 int extsockclass = selinux_policycap_extsockclass;
1305 case SOCK_SEQPACKET:
1306 return SECCLASS_UNIX_STREAM_SOCKET;
1309 return SECCLASS_UNIX_DGRAM_SOCKET;
1316 case SOCK_SEQPACKET:
1317 if (default_protocol_stream(protocol))
1318 return SECCLASS_TCP_SOCKET;
1319 else if (extsockclass && protocol == IPPROTO_SCTP)
1320 return SECCLASS_SCTP_SOCKET;
1322 return SECCLASS_RAWIP_SOCKET;
1324 if (default_protocol_dgram(protocol))
1325 return SECCLASS_UDP_SOCKET;
1326 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1327 protocol == IPPROTO_ICMPV6))
1328 return SECCLASS_ICMP_SOCKET;
1330 return SECCLASS_RAWIP_SOCKET;
1332 return SECCLASS_DCCP_SOCKET;
1334 return SECCLASS_RAWIP_SOCKET;
1340 return SECCLASS_NETLINK_ROUTE_SOCKET;
1341 case NETLINK_SOCK_DIAG:
1342 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1344 return SECCLASS_NETLINK_NFLOG_SOCKET;
1346 return SECCLASS_NETLINK_XFRM_SOCKET;
1347 case NETLINK_SELINUX:
1348 return SECCLASS_NETLINK_SELINUX_SOCKET;
1350 return SECCLASS_NETLINK_ISCSI_SOCKET;
1352 return SECCLASS_NETLINK_AUDIT_SOCKET;
1353 case NETLINK_FIB_LOOKUP:
1354 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1355 case NETLINK_CONNECTOR:
1356 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1357 case NETLINK_NETFILTER:
1358 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1359 case NETLINK_DNRTMSG:
1360 return SECCLASS_NETLINK_DNRT_SOCKET;
1361 case NETLINK_KOBJECT_UEVENT:
1362 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1363 case NETLINK_GENERIC:
1364 return SECCLASS_NETLINK_GENERIC_SOCKET;
1365 case NETLINK_SCSITRANSPORT:
1366 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1368 return SECCLASS_NETLINK_RDMA_SOCKET;
1369 case NETLINK_CRYPTO:
1370 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1372 return SECCLASS_NETLINK_SOCKET;
1375 return SECCLASS_PACKET_SOCKET;
1377 return SECCLASS_KEY_SOCKET;
1379 return SECCLASS_APPLETALK_SOCKET;
1385 return SECCLASS_AX25_SOCKET;
1387 return SECCLASS_IPX_SOCKET;
1389 return SECCLASS_NETROM_SOCKET;
1391 return SECCLASS_ATMPVC_SOCKET;
1393 return SECCLASS_X25_SOCKET;
1395 return SECCLASS_ROSE_SOCKET;
1397 return SECCLASS_DECNET_SOCKET;
1399 return SECCLASS_ATMSVC_SOCKET;
1401 return SECCLASS_RDS_SOCKET;
1403 return SECCLASS_IRDA_SOCKET;
1405 return SECCLASS_PPPOX_SOCKET;
1407 return SECCLASS_LLC_SOCKET;
1409 return SECCLASS_CAN_SOCKET;
1411 return SECCLASS_TIPC_SOCKET;
1413 return SECCLASS_BLUETOOTH_SOCKET;
1415 return SECCLASS_IUCV_SOCKET;
1417 return SECCLASS_RXRPC_SOCKET;
1419 return SECCLASS_ISDN_SOCKET;
1421 return SECCLASS_PHONET_SOCKET;
1423 return SECCLASS_IEEE802154_SOCKET;
1425 return SECCLASS_CAIF_SOCKET;
1427 return SECCLASS_ALG_SOCKET;
1429 return SECCLASS_NFC_SOCKET;
1431 return SECCLASS_VSOCK_SOCKET;
1433 return SECCLASS_KCM_SOCKET;
1435 return SECCLASS_QIPCRTR_SOCKET;
1437 return SECCLASS_SMC_SOCKET;
1439 #error New address family defined, please update this function.
1444 return SECCLASS_SOCKET;
1447 static int selinux_genfs_get_sid(struct dentry *dentry,
1453 struct super_block *sb = dentry->d_sb;
1454 char *buffer, *path;
1456 buffer = (char *)__get_free_page(GFP_KERNEL);
1460 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1464 if (flags & SE_SBPROC) {
1465 /* each process gets a /proc/PID/ entry. Strip off the
1466 * PID part to get a valid selinux labeling.
1467 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1468 while (path[1] >= '0' && path[1] <= '9') {
1473 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1475 free_page((unsigned long)buffer);
1479 /* The inode's security attributes must be initialized before first use. */
1480 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1482 struct superblock_security_struct *sbsec = NULL;
1483 struct inode_security_struct *isec = inode->i_security;
1484 u32 task_sid, sid = 0;
1486 struct dentry *dentry;
1487 #define INITCONTEXTLEN 255
1488 char *context = NULL;
1492 if (isec->initialized == LABEL_INITIALIZED)
1495 spin_lock(&isec->lock);
1496 if (isec->initialized == LABEL_INITIALIZED)
1499 if (isec->sclass == SECCLASS_FILE)
1500 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1502 sbsec = inode->i_sb->s_security;
1503 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1504 /* Defer initialization until selinux_complete_init,
1505 after the initial policy is loaded and the security
1506 server is ready to handle calls. */
1507 spin_lock(&sbsec->isec_lock);
1508 if (list_empty(&isec->list))
1509 list_add(&isec->list, &sbsec->isec_head);
1510 spin_unlock(&sbsec->isec_lock);
1514 sclass = isec->sclass;
1515 task_sid = isec->task_sid;
1517 isec->initialized = LABEL_PENDING;
1518 spin_unlock(&isec->lock);
1520 switch (sbsec->behavior) {
1521 case SECURITY_FS_USE_NATIVE:
1523 case SECURITY_FS_USE_XATTR:
1524 if (!(inode->i_opflags & IOP_XATTR)) {
1525 sid = sbsec->def_sid;
1528 /* Need a dentry, since the xattr API requires one.
1529 Life would be simpler if we could just pass the inode. */
1531 /* Called from d_instantiate or d_splice_alias. */
1532 dentry = dget(opt_dentry);
1534 /* Called from selinux_complete_init, try to find a dentry. */
1535 dentry = d_find_alias(inode);
1539 * this is can be hit on boot when a file is accessed
1540 * before the policy is loaded. When we load policy we
1541 * may find inodes that have no dentry on the
1542 * sbsec->isec_head list. No reason to complain as these
1543 * will get fixed up the next time we go through
1544 * inode_doinit with a dentry, before these inodes could
1545 * be used again by userspace.
1550 len = INITCONTEXTLEN;
1551 context = kmalloc(len+1, GFP_NOFS);
1557 context[len] = '\0';
1558 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1559 if (rc == -ERANGE) {
1562 /* Need a larger buffer. Query for the right size. */
1563 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1569 context = kmalloc(len+1, GFP_NOFS);
1575 context[len] = '\0';
1576 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1580 if (rc != -ENODATA) {
1581 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1582 "%d for dev=%s ino=%ld\n", __func__,
1583 -rc, inode->i_sb->s_id, inode->i_ino);
1587 /* Map ENODATA to the default file SID */
1588 sid = sbsec->def_sid;
1591 rc = security_context_to_sid_default(context, rc, &sid,
1595 char *dev = inode->i_sb->s_id;
1596 unsigned long ino = inode->i_ino;
1598 if (rc == -EINVAL) {
1599 if (printk_ratelimit())
1600 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1601 "context=%s. This indicates you may need to relabel the inode or the "
1602 "filesystem in question.\n", ino, dev, context);
1604 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1605 "returned %d for dev=%s ino=%ld\n",
1606 __func__, context, -rc, dev, ino);
1609 /* Leave with the unlabeled SID */
1616 case SECURITY_FS_USE_TASK:
1619 case SECURITY_FS_USE_TRANS:
1620 /* Default to the fs SID. */
1623 /* Try to obtain a transition SID. */
1624 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1628 case SECURITY_FS_USE_MNTPOINT:
1629 sid = sbsec->mntpoint_sid;
1632 /* Default to the fs superblock SID. */
1635 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1636 /* We must have a dentry to determine the label on
1639 /* Called from d_instantiate or
1640 * d_splice_alias. */
1641 dentry = dget(opt_dentry);
1643 /* Called from selinux_complete_init, try to
1645 dentry = d_find_alias(inode);
1647 * This can be hit on boot when a file is accessed
1648 * before the policy is loaded. When we load policy we
1649 * may find inodes that have no dentry on the
1650 * sbsec->isec_head list. No reason to complain as
1651 * these will get fixed up the next time we go through
1652 * inode_doinit() with a dentry, before these inodes
1653 * could be used again by userspace.
1657 rc = selinux_genfs_get_sid(dentry, sclass,
1658 sbsec->flags, &sid);
1667 spin_lock(&isec->lock);
1668 if (isec->initialized == LABEL_PENDING) {
1670 isec->initialized = LABEL_INVALID;
1674 isec->initialized = LABEL_INITIALIZED;
1679 spin_unlock(&isec->lock);
1683 /* Convert a Linux signal to an access vector. */
1684 static inline u32 signal_to_av(int sig)
1690 /* Commonly granted from child to parent. */
1691 perm = PROCESS__SIGCHLD;
1694 /* Cannot be caught or ignored */
1695 perm = PROCESS__SIGKILL;
1698 /* Cannot be caught or ignored */
1699 perm = PROCESS__SIGSTOP;
1702 /* All other signals. */
1703 perm = PROCESS__SIGNAL;
1710 #if CAP_LAST_CAP > 63
1711 #error Fix SELinux to handle capabilities > 63.
1714 /* Check whether a task is allowed to use a capability. */
1715 static int cred_has_capability(const struct cred *cred,
1716 int cap, int audit, bool initns)
1718 struct common_audit_data ad;
1719 struct av_decision avd;
1721 u32 sid = cred_sid(cred);
1722 u32 av = CAP_TO_MASK(cap);
1725 ad.type = LSM_AUDIT_DATA_CAP;
1728 switch (CAP_TO_INDEX(cap)) {
1730 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1733 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1737 "SELinux: out of range capability %d\n", cap);
1742 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1743 if (audit == SECURITY_CAP_AUDIT) {
1744 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1751 /* Check whether a task has a particular permission to an inode.
1752 The 'adp' parameter is optional and allows other audit
1753 data to be passed (e.g. the dentry). */
1754 static int inode_has_perm(const struct cred *cred,
1755 struct inode *inode,
1757 struct common_audit_data *adp)
1759 struct inode_security_struct *isec;
1762 validate_creds(cred);
1764 if (unlikely(IS_PRIVATE(inode)))
1767 sid = cred_sid(cred);
1768 isec = inode->i_security;
1770 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1773 /* Same as inode_has_perm, but pass explicit audit data containing
1774 the dentry to help the auditing code to more easily generate the
1775 pathname if needed. */
1776 static inline int dentry_has_perm(const struct cred *cred,
1777 struct dentry *dentry,
1780 struct inode *inode = d_backing_inode(dentry);
1781 struct common_audit_data ad;
1783 ad.type = LSM_AUDIT_DATA_DENTRY;
1784 ad.u.dentry = dentry;
1785 __inode_security_revalidate(inode, dentry, true);
1786 return inode_has_perm(cred, inode, av, &ad);
1789 /* Same as inode_has_perm, but pass explicit audit data containing
1790 the path to help the auditing code to more easily generate the
1791 pathname if needed. */
1792 static inline int path_has_perm(const struct cred *cred,
1793 const struct path *path,
1796 struct inode *inode = d_backing_inode(path->dentry);
1797 struct common_audit_data ad;
1799 ad.type = LSM_AUDIT_DATA_PATH;
1801 __inode_security_revalidate(inode, path->dentry, true);
1802 return inode_has_perm(cred, inode, av, &ad);
1805 /* Same as path_has_perm, but uses the inode from the file struct. */
1806 static inline int file_path_has_perm(const struct cred *cred,
1810 struct common_audit_data ad;
1812 ad.type = LSM_AUDIT_DATA_FILE;
1814 return inode_has_perm(cred, file_inode(file), av, &ad);
1817 /* Check whether a task can use an open file descriptor to
1818 access an inode in a given way. Check access to the
1819 descriptor itself, and then use dentry_has_perm to
1820 check a particular permission to the file.
1821 Access to the descriptor is implicitly granted if it
1822 has the same SID as the process. If av is zero, then
1823 access to the file is not checked, e.g. for cases
1824 where only the descriptor is affected like seek. */
1825 static int file_has_perm(const struct cred *cred,
1829 struct file_security_struct *fsec = file->f_security;
1830 struct inode *inode = file_inode(file);
1831 struct common_audit_data ad;
1832 u32 sid = cred_sid(cred);
1835 ad.type = LSM_AUDIT_DATA_FILE;
1838 if (sid != fsec->sid) {
1839 rc = avc_has_perm(sid, fsec->sid,
1847 /* av is zero if only checking access to the descriptor. */
1850 rc = inode_has_perm(cred, inode, av, &ad);
1857 * Determine the label for an inode that might be unioned.
1860 selinux_determine_inode_label(const struct task_security_struct *tsec,
1862 const struct qstr *name, u16 tclass,
1865 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1867 if ((sbsec->flags & SE_SBINITIALIZED) &&
1868 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1869 *_new_isid = sbsec->mntpoint_sid;
1870 } else if ((sbsec->flags & SBLABEL_MNT) &&
1872 *_new_isid = tsec->create_sid;
1874 const struct inode_security_struct *dsec = inode_security(dir);
1875 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1882 /* Check whether a task can create a file. */
1883 static int may_create(struct inode *dir,
1884 struct dentry *dentry,
1887 const struct task_security_struct *tsec = current_security();
1888 struct inode_security_struct *dsec;
1889 struct superblock_security_struct *sbsec;
1891 struct common_audit_data ad;
1894 dsec = inode_security(dir);
1895 sbsec = dir->i_sb->s_security;
1899 ad.type = LSM_AUDIT_DATA_DENTRY;
1900 ad.u.dentry = dentry;
1902 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1903 DIR__ADD_NAME | DIR__SEARCH,
1908 rc = selinux_determine_inode_label(current_security(), dir,
1909 &dentry->d_name, tclass, &newsid);
1913 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1917 return avc_has_perm(newsid, sbsec->sid,
1918 SECCLASS_FILESYSTEM,
1919 FILESYSTEM__ASSOCIATE, &ad);
1923 #define MAY_UNLINK 1
1926 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1927 static int may_link(struct inode *dir,
1928 struct dentry *dentry,
1932 struct inode_security_struct *dsec, *isec;
1933 struct common_audit_data ad;
1934 u32 sid = current_sid();
1938 dsec = inode_security(dir);
1939 isec = backing_inode_security(dentry);
1941 ad.type = LSM_AUDIT_DATA_DENTRY;
1942 ad.u.dentry = dentry;
1945 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1946 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1961 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1966 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1970 static inline int may_rename(struct inode *old_dir,
1971 struct dentry *old_dentry,
1972 struct inode *new_dir,
1973 struct dentry *new_dentry)
1975 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1976 struct common_audit_data ad;
1977 u32 sid = current_sid();
1979 int old_is_dir, new_is_dir;
1982 old_dsec = inode_security(old_dir);
1983 old_isec = backing_inode_security(old_dentry);
1984 old_is_dir = d_is_dir(old_dentry);
1985 new_dsec = inode_security(new_dir);
1987 ad.type = LSM_AUDIT_DATA_DENTRY;
1989 ad.u.dentry = old_dentry;
1990 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1991 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1994 rc = avc_has_perm(sid, old_isec->sid,
1995 old_isec->sclass, FILE__RENAME, &ad);
1998 if (old_is_dir && new_dir != old_dir) {
1999 rc = avc_has_perm(sid, old_isec->sid,
2000 old_isec->sclass, DIR__REPARENT, &ad);
2005 ad.u.dentry = new_dentry;
2006 av = DIR__ADD_NAME | DIR__SEARCH;
2007 if (d_is_positive(new_dentry))
2008 av |= DIR__REMOVE_NAME;
2009 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2012 if (d_is_positive(new_dentry)) {
2013 new_isec = backing_inode_security(new_dentry);
2014 new_is_dir = d_is_dir(new_dentry);
2015 rc = avc_has_perm(sid, new_isec->sid,
2017 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2025 /* Check whether a task can perform a filesystem operation. */
2026 static int superblock_has_perm(const struct cred *cred,
2027 struct super_block *sb,
2029 struct common_audit_data *ad)
2031 struct superblock_security_struct *sbsec;
2032 u32 sid = cred_sid(cred);
2034 sbsec = sb->s_security;
2035 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2038 /* Convert a Linux mode and permission mask to an access vector. */
2039 static inline u32 file_mask_to_av(int mode, int mask)
2043 if (!S_ISDIR(mode)) {
2044 if (mask & MAY_EXEC)
2045 av |= FILE__EXECUTE;
2046 if (mask & MAY_READ)
2049 if (mask & MAY_APPEND)
2051 else if (mask & MAY_WRITE)
2055 if (mask & MAY_EXEC)
2057 if (mask & MAY_WRITE)
2059 if (mask & MAY_READ)
2066 /* Convert a Linux file to an access vector. */
2067 static inline u32 file_to_av(struct file *file)
2071 if (file->f_mode & FMODE_READ)
2073 if (file->f_mode & FMODE_WRITE) {
2074 if (file->f_flags & O_APPEND)
2081 * Special file opened with flags 3 for ioctl-only use.
2090 * Convert a file to an access vector and include the correct open
2093 static inline u32 open_file_to_av(struct file *file)
2095 u32 av = file_to_av(file);
2096 struct inode *inode = file_inode(file);
2098 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2104 /* Hook functions begin here. */
2106 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2108 u32 mysid = current_sid();
2109 u32 mgrsid = task_sid(mgr);
2111 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2112 BINDER__SET_CONTEXT_MGR, NULL);
2115 static int selinux_binder_transaction(struct task_struct *from,
2116 struct task_struct *to)
2118 u32 mysid = current_sid();
2119 u32 fromsid = task_sid(from);
2120 u32 tosid = task_sid(to);
2123 if (mysid != fromsid) {
2124 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2125 BINDER__IMPERSONATE, NULL);
2130 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2134 static int selinux_binder_transfer_binder(struct task_struct *from,
2135 struct task_struct *to)
2137 u32 fromsid = task_sid(from);
2138 u32 tosid = task_sid(to);
2140 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2144 static int selinux_binder_transfer_file(struct task_struct *from,
2145 struct task_struct *to,
2148 u32 sid = task_sid(to);
2149 struct file_security_struct *fsec = file->f_security;
2150 struct dentry *dentry = file->f_path.dentry;
2151 struct inode_security_struct *isec;
2152 struct common_audit_data ad;
2155 ad.type = LSM_AUDIT_DATA_PATH;
2156 ad.u.path = file->f_path;
2158 if (sid != fsec->sid) {
2159 rc = avc_has_perm(sid, fsec->sid,
2167 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2170 isec = backing_inode_security(dentry);
2171 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2175 static int selinux_ptrace_access_check(struct task_struct *child,
2178 u32 sid = current_sid();
2179 u32 csid = task_sid(child);
2181 if (mode & PTRACE_MODE_READ)
2182 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2184 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2187 static int selinux_ptrace_traceme(struct task_struct *parent)
2189 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2190 PROCESS__PTRACE, NULL);
2193 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2194 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2196 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2197 PROCESS__GETCAP, NULL);
2200 static int selinux_capset(struct cred *new, const struct cred *old,
2201 const kernel_cap_t *effective,
2202 const kernel_cap_t *inheritable,
2203 const kernel_cap_t *permitted)
2205 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2206 PROCESS__SETCAP, NULL);
2210 * (This comment used to live with the selinux_task_setuid hook,
2211 * which was removed).
2213 * Since setuid only affects the current process, and since the SELinux
2214 * controls are not based on the Linux identity attributes, SELinux does not
2215 * need to control this operation. However, SELinux does control the use of
2216 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2219 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2222 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2225 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2227 const struct cred *cred = current_cred();
2239 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2244 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2247 rc = 0; /* let the kernel handle invalid cmds */
2253 static int selinux_quota_on(struct dentry *dentry)
2255 const struct cred *cred = current_cred();
2257 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2260 static int selinux_syslog(int type)
2263 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2264 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2265 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2266 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2267 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2268 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2269 /* Set level of messages printed to console */
2270 case SYSLOG_ACTION_CONSOLE_LEVEL:
2271 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2272 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2275 /* All other syslog types */
2276 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2277 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2281 * Check that a process has enough memory to allocate a new virtual
2282 * mapping. 0 means there is enough memory for the allocation to
2283 * succeed and -ENOMEM implies there is not.
2285 * Do not audit the selinux permission check, as this is applied to all
2286 * processes that allocate mappings.
2288 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2290 int rc, cap_sys_admin = 0;
2292 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2293 SECURITY_CAP_NOAUDIT, true);
2297 return cap_sys_admin;
2300 /* binprm security operations */
2302 static u32 ptrace_parent_sid(void)
2305 struct task_struct *tracer;
2308 tracer = ptrace_parent(current);
2310 sid = task_sid(tracer);
2316 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2317 const struct task_security_struct *old_tsec,
2318 const struct task_security_struct *new_tsec)
2320 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2321 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2325 if (!nnp && !nosuid)
2326 return 0; /* neither NNP nor nosuid */
2328 if (new_tsec->sid == old_tsec->sid)
2329 return 0; /* No change in credentials */
2332 * If the policy enables the nnp_nosuid_transition policy capability,
2333 * then we permit transitions under NNP or nosuid if the
2334 * policy allows the corresponding permission between
2335 * the old and new contexts.
2337 if (selinux_policycap_nnp_nosuid_transition) {
2340 av |= PROCESS2__NNP_TRANSITION;
2342 av |= PROCESS2__NOSUID_TRANSITION;
2343 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2344 SECCLASS_PROCESS2, av, NULL);
2350 * We also permit NNP or nosuid transitions to bounded SIDs,
2351 * i.e. SIDs that are guaranteed to only be allowed a subset
2352 * of the permissions of the current SID.
2354 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2359 * On failure, preserve the errno values for NNP vs nosuid.
2360 * NNP: Operation not permitted for caller.
2361 * nosuid: Permission denied to file.
2368 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2370 const struct task_security_struct *old_tsec;
2371 struct task_security_struct *new_tsec;
2372 struct inode_security_struct *isec;
2373 struct common_audit_data ad;
2374 struct inode *inode = file_inode(bprm->file);
2377 /* SELinux context only depends on initial program or script and not
2378 * the script interpreter */
2379 if (bprm->cred_prepared)
2382 old_tsec = current_security();
2383 new_tsec = bprm->cred->security;
2384 isec = inode_security(inode);
2386 /* Default to the current task SID. */
2387 new_tsec->sid = old_tsec->sid;
2388 new_tsec->osid = old_tsec->sid;
2390 /* Reset fs, key, and sock SIDs on execve. */
2391 new_tsec->create_sid = 0;
2392 new_tsec->keycreate_sid = 0;
2393 new_tsec->sockcreate_sid = 0;
2395 if (old_tsec->exec_sid) {
2396 new_tsec->sid = old_tsec->exec_sid;
2397 /* Reset exec SID on execve. */
2398 new_tsec->exec_sid = 0;
2400 /* Fail on NNP or nosuid if not an allowed transition. */
2401 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2405 /* Check for a default transition on this program. */
2406 rc = security_transition_sid(old_tsec->sid, isec->sid,
2407 SECCLASS_PROCESS, NULL,
2413 * Fallback to old SID on NNP or nosuid if not an allowed
2416 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2418 new_tsec->sid = old_tsec->sid;
2421 ad.type = LSM_AUDIT_DATA_FILE;
2422 ad.u.file = bprm->file;
2424 if (new_tsec->sid == old_tsec->sid) {
2425 rc = avc_has_perm(old_tsec->sid, isec->sid,
2426 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2430 /* Check permissions for the transition. */
2431 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2432 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2436 rc = avc_has_perm(new_tsec->sid, isec->sid,
2437 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2441 /* Check for shared state */
2442 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2443 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2444 SECCLASS_PROCESS, PROCESS__SHARE,
2450 /* Make sure that anyone attempting to ptrace over a task that
2451 * changes its SID has the appropriate permit */
2452 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2453 u32 ptsid = ptrace_parent_sid();
2455 rc = avc_has_perm(ptsid, new_tsec->sid,
2457 PROCESS__PTRACE, NULL);
2463 /* Clear any possibly unsafe personality bits on exec: */
2464 bprm->per_clear |= PER_CLEAR_ON_SETID;
2470 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2472 const struct task_security_struct *tsec = current_security();
2480 /* Enable secure mode for SIDs transitions unless
2481 the noatsecure permission is granted between
2482 the two SIDs, i.e. ahp returns 0. */
2483 atsecure = avc_has_perm(osid, sid,
2485 PROCESS__NOATSECURE, NULL);
2491 static int match_file(const void *p, struct file *file, unsigned fd)
2493 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2496 /* Derived from fs/exec.c:flush_old_files. */
2497 static inline void flush_unauthorized_files(const struct cred *cred,
2498 struct files_struct *files)
2500 struct file *file, *devnull = NULL;
2501 struct tty_struct *tty;
2505 tty = get_current_tty();
2507 spin_lock(&tty->files_lock);
2508 if (!list_empty(&tty->tty_files)) {
2509 struct tty_file_private *file_priv;
2511 /* Revalidate access to controlling tty.
2512 Use file_path_has_perm on the tty path directly
2513 rather than using file_has_perm, as this particular
2514 open file may belong to another process and we are
2515 only interested in the inode-based check here. */
2516 file_priv = list_first_entry(&tty->tty_files,
2517 struct tty_file_private, list);
2518 file = file_priv->file;
2519 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2522 spin_unlock(&tty->files_lock);
2525 /* Reset controlling tty. */
2529 /* Revalidate access to inherited open files. */
2530 n = iterate_fd(files, 0, match_file, cred);
2531 if (!n) /* none found? */
2534 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2535 if (IS_ERR(devnull))
2537 /* replace all the matching ones with this */
2539 replace_fd(n - 1, devnull, 0);
2540 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2546 * Prepare a process for imminent new credential changes due to exec
2548 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2550 struct task_security_struct *new_tsec;
2551 struct rlimit *rlim, *initrlim;
2554 new_tsec = bprm->cred->security;
2555 if (new_tsec->sid == new_tsec->osid)
2558 /* Close files for which the new task SID is not authorized. */
2559 flush_unauthorized_files(bprm->cred, current->files);
2561 /* Always clear parent death signal on SID transitions. */
2562 current->pdeath_signal = 0;
2564 /* Check whether the new SID can inherit resource limits from the old
2565 * SID. If not, reset all soft limits to the lower of the current
2566 * task's hard limit and the init task's soft limit.
2568 * Note that the setting of hard limits (even to lower them) can be
2569 * controlled by the setrlimit check. The inclusion of the init task's
2570 * soft limit into the computation is to avoid resetting soft limits
2571 * higher than the default soft limit for cases where the default is
2572 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2574 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2575 PROCESS__RLIMITINH, NULL);
2577 /* protect against do_prlimit() */
2579 for (i = 0; i < RLIM_NLIMITS; i++) {
2580 rlim = current->signal->rlim + i;
2581 initrlim = init_task.signal->rlim + i;
2582 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2584 task_unlock(current);
2585 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2586 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2591 * Clean up the process immediately after the installation of new credentials
2594 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2596 const struct task_security_struct *tsec = current_security();
2597 struct itimerval itimer;
2607 /* Check whether the new SID can inherit signal state from the old SID.
2608 * If not, clear itimers to avoid subsequent signal generation and
2609 * flush and unblock signals.
2611 * This must occur _after_ the task SID has been updated so that any
2612 * kill done after the flush will be checked against the new SID.
2614 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2616 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2617 memset(&itimer, 0, sizeof itimer);
2618 for (i = 0; i < 3; i++)
2619 do_setitimer(i, &itimer, NULL);
2621 spin_lock_irq(¤t->sighand->siglock);
2622 if (!fatal_signal_pending(current)) {
2623 flush_sigqueue(¤t->pending);
2624 flush_sigqueue(¤t->signal->shared_pending);
2625 flush_signal_handlers(current, 1);
2626 sigemptyset(¤t->blocked);
2627 recalc_sigpending();
2629 spin_unlock_irq(¤t->sighand->siglock);
2632 /* Wake up the parent if it is waiting so that it can recheck
2633 * wait permission to the new task SID. */
2634 read_lock(&tasklist_lock);
2635 __wake_up_parent(current, current->real_parent);
2636 read_unlock(&tasklist_lock);
2639 /* superblock security operations */
2641 static int selinux_sb_alloc_security(struct super_block *sb)
2643 return superblock_alloc_security(sb);
2646 static void selinux_sb_free_security(struct super_block *sb)
2648 superblock_free_security(sb);
2651 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2656 return !memcmp(prefix, option, plen);
2659 static inline int selinux_option(char *option, int len)
2661 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2662 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2663 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2664 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2665 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2668 static inline void take_option(char **to, char *from, int *first, int len)
2675 memcpy(*to, from, len);
2679 static inline void take_selinux_option(char **to, char *from, int *first,
2682 int current_size = 0;
2690 while (current_size < len) {
2700 static int selinux_sb_copy_data(char *orig, char *copy)
2702 int fnosec, fsec, rc = 0;
2703 char *in_save, *in_curr, *in_end;
2704 char *sec_curr, *nosec_save, *nosec;
2710 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2718 in_save = in_end = orig;
2722 open_quote = !open_quote;
2723 if ((*in_end == ',' && open_quote == 0) ||
2725 int len = in_end - in_curr;
2727 if (selinux_option(in_curr, len))
2728 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2730 take_option(&nosec, in_curr, &fnosec, len);
2732 in_curr = in_end + 1;
2734 } while (*in_end++);
2736 strcpy(in_save, nosec_save);
2737 free_page((unsigned long)nosec_save);
2742 static int selinux_sb_remount(struct super_block *sb, void *data)
2745 struct security_mnt_opts opts;
2746 char *secdata, **mount_options;
2747 struct superblock_security_struct *sbsec = sb->s_security;
2749 if (!(sbsec->flags & SE_SBINITIALIZED))
2755 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2758 security_init_mnt_opts(&opts);
2759 secdata = alloc_secdata();
2762 rc = selinux_sb_copy_data(data, secdata);
2764 goto out_free_secdata;
2766 rc = selinux_parse_opts_str(secdata, &opts);
2768 goto out_free_secdata;
2770 mount_options = opts.mnt_opts;
2771 flags = opts.mnt_opts_flags;
2773 for (i = 0; i < opts.num_mnt_opts; i++) {
2776 if (flags[i] == SBLABEL_MNT)
2778 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2780 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2781 "(%s) failed for (dev %s, type %s) errno=%d\n",
2782 mount_options[i], sb->s_id, sb->s_type->name, rc);
2788 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2789 goto out_bad_option;
2792 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2793 goto out_bad_option;
2795 case ROOTCONTEXT_MNT: {
2796 struct inode_security_struct *root_isec;
2797 root_isec = backing_inode_security(sb->s_root);
2799 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2800 goto out_bad_option;
2803 case DEFCONTEXT_MNT:
2804 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2805 goto out_bad_option;
2814 security_free_mnt_opts(&opts);
2816 free_secdata(secdata);
2819 printk(KERN_WARNING "SELinux: unable to change security options "
2820 "during remount (dev %s, type=%s)\n", sb->s_id,
2825 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2827 const struct cred *cred = current_cred();
2828 struct common_audit_data ad;
2831 rc = superblock_doinit(sb, data);
2835 /* Allow all mounts performed by the kernel */
2836 if (flags & MS_KERNMOUNT)
2839 ad.type = LSM_AUDIT_DATA_DENTRY;
2840 ad.u.dentry = sb->s_root;
2841 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2844 static int selinux_sb_statfs(struct dentry *dentry)
2846 const struct cred *cred = current_cred();
2847 struct common_audit_data ad;
2849 ad.type = LSM_AUDIT_DATA_DENTRY;
2850 ad.u.dentry = dentry->d_sb->s_root;
2851 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2854 static int selinux_mount(const char *dev_name,
2855 const struct path *path,
2857 unsigned long flags,
2860 const struct cred *cred = current_cred();
2862 if (flags & MS_REMOUNT)
2863 return superblock_has_perm(cred, path->dentry->d_sb,
2864 FILESYSTEM__REMOUNT, NULL);
2866 return path_has_perm(cred, path, FILE__MOUNTON);
2869 static int selinux_umount(struct vfsmount *mnt, int flags)
2871 const struct cred *cred = current_cred();
2873 return superblock_has_perm(cred, mnt->mnt_sb,
2874 FILESYSTEM__UNMOUNT, NULL);
2877 /* inode security operations */
2879 static int selinux_inode_alloc_security(struct inode *inode)
2881 return inode_alloc_security(inode);
2884 static void selinux_inode_free_security(struct inode *inode)
2886 inode_free_security(inode);
2889 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2890 const struct qstr *name, void **ctx,
2896 rc = selinux_determine_inode_label(current_security(),
2897 d_inode(dentry->d_parent), name,
2898 inode_mode_to_security_class(mode),
2903 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2906 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2908 const struct cred *old,
2913 struct task_security_struct *tsec;
2915 rc = selinux_determine_inode_label(old->security,
2916 d_inode(dentry->d_parent), name,
2917 inode_mode_to_security_class(mode),
2922 tsec = new->security;
2923 tsec->create_sid = newsid;
2927 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2928 const struct qstr *qstr,
2930 void **value, size_t *len)
2932 const struct task_security_struct *tsec = current_security();
2933 struct superblock_security_struct *sbsec;
2934 u32 sid, newsid, clen;
2938 sbsec = dir->i_sb->s_security;
2941 newsid = tsec->create_sid;
2943 rc = selinux_determine_inode_label(current_security(),
2945 inode_mode_to_security_class(inode->i_mode),
2950 /* Possibly defer initialization to selinux_complete_init. */
2951 if (sbsec->flags & SE_SBINITIALIZED) {
2952 struct inode_security_struct *isec = inode->i_security;
2953 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2955 isec->initialized = LABEL_INITIALIZED;
2958 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2962 *name = XATTR_SELINUX_SUFFIX;
2965 rc = security_sid_to_context_force(newsid, &context, &clen);
2975 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2977 return may_create(dir, dentry, SECCLASS_FILE);
2980 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2982 return may_link(dir, old_dentry, MAY_LINK);
2985 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2987 return may_link(dir, dentry, MAY_UNLINK);
2990 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2992 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2995 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2997 return may_create(dir, dentry, SECCLASS_DIR);
3000 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3002 return may_link(dir, dentry, MAY_RMDIR);
3005 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3007 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3010 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3011 struct inode *new_inode, struct dentry *new_dentry)
3013 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3016 static int selinux_inode_readlink(struct dentry *dentry)
3018 const struct cred *cred = current_cred();
3020 return dentry_has_perm(cred, dentry, FILE__READ);
3023 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3026 const struct cred *cred = current_cred();
3027 struct common_audit_data ad;
3028 struct inode_security_struct *isec;
3031 validate_creds(cred);
3033 ad.type = LSM_AUDIT_DATA_DENTRY;
3034 ad.u.dentry = dentry;
3035 sid = cred_sid(cred);
3036 isec = inode_security_rcu(inode, rcu);
3038 return PTR_ERR(isec);
3040 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3041 rcu ? MAY_NOT_BLOCK : 0);
3044 static noinline int audit_inode_permission(struct inode *inode,
3045 u32 perms, u32 audited, u32 denied,
3049 struct common_audit_data ad;
3050 struct inode_security_struct *isec = inode->i_security;
3053 ad.type = LSM_AUDIT_DATA_INODE;
3056 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3057 audited, denied, result, &ad, flags);
3063 static int selinux_inode_permission(struct inode *inode, int mask)
3065 const struct cred *cred = current_cred();
3068 unsigned flags = mask & MAY_NOT_BLOCK;
3069 struct inode_security_struct *isec;
3071 struct av_decision avd;
3073 u32 audited, denied;
3075 from_access = mask & MAY_ACCESS;
3076 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3078 /* No permission to check. Existence test. */
3082 validate_creds(cred);
3084 if (unlikely(IS_PRIVATE(inode)))
3087 perms = file_mask_to_av(inode->i_mode, mask);
3089 sid = cred_sid(cred);
3090 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3092 return PTR_ERR(isec);
3094 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3095 audited = avc_audit_required(perms, &avd, rc,
3096 from_access ? FILE__AUDIT_ACCESS : 0,
3098 if (likely(!audited))
3101 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3107 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3109 const struct cred *cred = current_cred();
3110 struct inode *inode = d_backing_inode(dentry);
3111 unsigned int ia_valid = iattr->ia_valid;
3112 __u32 av = FILE__WRITE;
3114 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3115 if (ia_valid & ATTR_FORCE) {
3116 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3122 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3123 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3124 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3126 if (selinux_policycap_openperm &&
3127 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3128 (ia_valid & ATTR_SIZE) &&
3129 !(ia_valid & ATTR_FILE))
3132 return dentry_has_perm(cred, dentry, av);
3135 static int selinux_inode_getattr(const struct path *path)
3137 return path_has_perm(current_cred(), path, FILE__GETATTR);
3140 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3142 const struct cred *cred = current_cred();
3144 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3145 sizeof XATTR_SECURITY_PREFIX - 1)) {
3146 if (!strcmp(name, XATTR_NAME_CAPS)) {
3147 if (!capable(CAP_SETFCAP))
3149 } else if (!capable(CAP_SYS_ADMIN)) {
3150 /* A different attribute in the security namespace.
3151 Restrict to administrator. */
3156 /* Not an attribute we recognize, so just check the
3157 ordinary setattr permission. */
3158 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3161 static bool has_cap_mac_admin(bool audit)
3163 const struct cred *cred = current_cred();
3164 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3166 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3168 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3173 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3174 const void *value, size_t size, int flags)
3176 struct inode *inode = d_backing_inode(dentry);
3177 struct inode_security_struct *isec;
3178 struct superblock_security_struct *sbsec;
3179 struct common_audit_data ad;
3180 u32 newsid, sid = current_sid();
3183 if (strcmp(name, XATTR_NAME_SELINUX))
3184 return selinux_inode_setotherxattr(dentry, name);
3186 sbsec = inode->i_sb->s_security;
3187 if (!(sbsec->flags & SBLABEL_MNT))
3190 if (!inode_owner_or_capable(inode))
3193 ad.type = LSM_AUDIT_DATA_DENTRY;
3194 ad.u.dentry = dentry;
3196 isec = backing_inode_security(dentry);
3197 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3198 FILE__RELABELFROM, &ad);
3202 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3203 if (rc == -EINVAL) {
3204 if (!has_cap_mac_admin(true)) {
3205 struct audit_buffer *ab;
3209 /* We strip a nul only if it is at the end, otherwise the
3210 * context contains a nul and we should audit that */
3213 if (str[size - 1] == '\0')
3214 audit_size = size - 1;
3221 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3222 audit_log_format(ab, "op=setxattr invalid_context=");
3223 audit_log_n_untrustedstring(ab, value, audit_size);
3228 rc = security_context_to_sid_force(value, size, &newsid);
3233 rc = avc_has_perm(sid, newsid, isec->sclass,
3234 FILE__RELABELTO, &ad);
3238 rc = security_validate_transition(isec->sid, newsid, sid,
3243 return avc_has_perm(newsid,
3245 SECCLASS_FILESYSTEM,
3246 FILESYSTEM__ASSOCIATE,
3250 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3251 const void *value, size_t size,
3254 struct inode *inode = d_backing_inode(dentry);
3255 struct inode_security_struct *isec;
3259 if (strcmp(name, XATTR_NAME_SELINUX)) {
3260 /* Not an attribute we recognize, so nothing to do. */
3264 rc = security_context_to_sid_force(value, size, &newsid);
3266 printk(KERN_ERR "SELinux: unable to map context to SID"
3267 "for (%s, %lu), rc=%d\n",
3268 inode->i_sb->s_id, inode->i_ino, -rc);
3272 isec = backing_inode_security(dentry);
3273 spin_lock(&isec->lock);
3274 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3276 isec->initialized = LABEL_INITIALIZED;
3277 spin_unlock(&isec->lock);
3282 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3284 const struct cred *cred = current_cred();
3286 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3289 static int selinux_inode_listxattr(struct dentry *dentry)
3291 const struct cred *cred = current_cred();
3293 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3296 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3298 if (strcmp(name, XATTR_NAME_SELINUX))
3299 return selinux_inode_setotherxattr(dentry, name);
3301 /* No one is allowed to remove a SELinux security label.
3302 You can change the label, but all data must be labeled. */
3307 * Copy the inode security context value to the user.
3309 * Permission check is handled by selinux_inode_getxattr hook.
3311 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3315 char *context = NULL;
3316 struct inode_security_struct *isec;
3318 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3322 * If the caller has CAP_MAC_ADMIN, then get the raw context
3323 * value even if it is not defined by current policy; otherwise,
3324 * use the in-core value under current policy.
3325 * Use the non-auditing forms of the permission checks since
3326 * getxattr may be called by unprivileged processes commonly
3327 * and lack of permission just means that we fall back to the
3328 * in-core context value, not a denial.
3330 isec = inode_security(inode);
3331 if (has_cap_mac_admin(false))
3332 error = security_sid_to_context_force(isec->sid, &context,
3335 error = security_sid_to_context(isec->sid, &context, &size);
3348 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3349 const void *value, size_t size, int flags)
3351 struct inode_security_struct *isec = inode_security_novalidate(inode);
3355 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3358 if (!value || !size)
3361 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3365 spin_lock(&isec->lock);
3366 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3368 isec->initialized = LABEL_INITIALIZED;
3369 spin_unlock(&isec->lock);
3373 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3375 const int len = sizeof(XATTR_NAME_SELINUX);
3376 if (buffer && len <= buffer_size)
3377 memcpy(buffer, XATTR_NAME_SELINUX, len);
3381 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3383 struct inode_security_struct *isec = inode_security_novalidate(inode);
3387 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3390 struct task_security_struct *tsec;
3391 struct cred *new_creds = *new;
3393 if (new_creds == NULL) {
3394 new_creds = prepare_creds();
3399 tsec = new_creds->security;
3400 /* Get label from overlay inode and set it in create_sid */
3401 selinux_inode_getsecid(d_inode(src), &sid);
3402 tsec->create_sid = sid;
3407 static int selinux_inode_copy_up_xattr(const char *name)
3409 /* The copy_up hook above sets the initial context on an inode, but we
3410 * don't then want to overwrite it by blindly copying all the lower
3411 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3413 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3414 return 1; /* Discard */
3416 * Any other attribute apart from SELINUX is not claimed, supported
3422 /* file security operations */
3424 static int selinux_revalidate_file_permission(struct file *file, int mask)
3426 const struct cred *cred = current_cred();
3427 struct inode *inode = file_inode(file);
3429 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3430 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3433 return file_has_perm(cred, file,
3434 file_mask_to_av(inode->i_mode, mask));
3437 static int selinux_file_permission(struct file *file, int mask)
3439 struct inode *inode = file_inode(file);
3440 struct file_security_struct *fsec = file->f_security;
3441 struct inode_security_struct *isec;
3442 u32 sid = current_sid();
3445 /* No permission to check. Existence test. */
3448 isec = inode_security(inode);
3449 if (sid == fsec->sid && fsec->isid == isec->sid &&
3450 fsec->pseqno == avc_policy_seqno())
3451 /* No change since file_open check. */
3454 return selinux_revalidate_file_permission(file, mask);
3457 static int selinux_file_alloc_security(struct file *file)
3459 return file_alloc_security(file);
3462 static void selinux_file_free_security(struct file *file)
3464 file_free_security(file);
3468 * Check whether a task has the ioctl permission and cmd
3469 * operation to an inode.
3471 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3472 u32 requested, u16 cmd)
3474 struct common_audit_data ad;
3475 struct file_security_struct *fsec = file->f_security;
3476 struct inode *inode = file_inode(file);
3477 struct inode_security_struct *isec;
3478 struct lsm_ioctlop_audit ioctl;
3479 u32 ssid = cred_sid(cred);
3481 u8 driver = cmd >> 8;
3482 u8 xperm = cmd & 0xff;
3484 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3487 ad.u.op->path = file->f_path;
3489 if (ssid != fsec->sid) {
3490 rc = avc_has_perm(ssid, fsec->sid,
3498 if (unlikely(IS_PRIVATE(inode)))
3501 isec = inode_security(inode);
3502 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3503 requested, driver, xperm, &ad);
3508 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3511 const struct cred *cred = current_cred();
3521 case FS_IOC_GETFLAGS:
3523 case FS_IOC_GETVERSION:
3524 error = file_has_perm(cred, file, FILE__GETATTR);
3527 case FS_IOC_SETFLAGS:
3529 case FS_IOC_SETVERSION:
3530 error = file_has_perm(cred, file, FILE__SETATTR);
3533 /* sys_ioctl() checks */
3537 error = file_has_perm(cred, file, 0);
3542 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3543 SECURITY_CAP_AUDIT, true);
3546 /* default case assumes that the command will go
3547 * to the file's ioctl() function.
3550 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3555 static int default_noexec;
3557 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3559 const struct cred *cred = current_cred();
3560 u32 sid = cred_sid(cred);
3563 if (default_noexec &&
3564 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3565 (!shared && (prot & PROT_WRITE)))) {
3567 * We are making executable an anonymous mapping or a
3568 * private file mapping that will also be writable.
3569 * This has an additional check.
3571 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3572 PROCESS__EXECMEM, NULL);
3578 /* read access is always possible with a mapping */
3579 u32 av = FILE__READ;
3581 /* write access only matters if the mapping is shared */
3582 if (shared && (prot & PROT_WRITE))
3585 if (prot & PROT_EXEC)
3586 av |= FILE__EXECUTE;
3588 return file_has_perm(cred, file, av);
3595 static int selinux_mmap_addr(unsigned long addr)
3599 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3600 u32 sid = current_sid();
3601 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3602 MEMPROTECT__MMAP_ZERO, NULL);
3608 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3609 unsigned long prot, unsigned long flags)
3611 struct common_audit_data ad;
3615 ad.type = LSM_AUDIT_DATA_FILE;
3617 rc = inode_has_perm(current_cred(), file_inode(file),
3623 if (selinux_checkreqprot)
3626 return file_map_prot_check(file, prot,
3627 (flags & MAP_TYPE) == MAP_SHARED);
3630 static int selinux_file_mprotect(struct vm_area_struct *vma,
3631 unsigned long reqprot,
3634 const struct cred *cred = current_cred();
3635 u32 sid = cred_sid(cred);
3637 if (selinux_checkreqprot)
3640 if (default_noexec &&
3641 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3643 if (vma->vm_start >= vma->vm_mm->start_brk &&
3644 vma->vm_end <= vma->vm_mm->brk) {
3645 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3646 PROCESS__EXECHEAP, NULL);
3647 } else if (!vma->vm_file &&
3648 ((vma->vm_start <= vma->vm_mm->start_stack &&
3649 vma->vm_end >= vma->vm_mm->start_stack) ||
3650 vma_is_stack_for_current(vma))) {
3651 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3652 PROCESS__EXECSTACK, NULL);
3653 } else if (vma->vm_file && vma->anon_vma) {
3655 * We are making executable a file mapping that has
3656 * had some COW done. Since pages might have been
3657 * written, check ability to execute the possibly
3658 * modified content. This typically should only
3659 * occur for text relocations.
3661 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3667 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3670 static int selinux_file_lock(struct file *file, unsigned int cmd)
3672 const struct cred *cred = current_cred();
3674 return file_has_perm(cred, file, FILE__LOCK);
3677 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3680 const struct cred *cred = current_cred();
3685 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3686 err = file_has_perm(cred, file, FILE__WRITE);
3695 case F_GETOWNER_UIDS:
3696 /* Just check FD__USE permission */
3697 err = file_has_perm(cred, file, 0);
3705 #if BITS_PER_LONG == 32
3710 err = file_has_perm(cred, file, FILE__LOCK);
3717 static void selinux_file_set_fowner(struct file *file)
3719 struct file_security_struct *fsec;
3721 fsec = file->f_security;
3722 fsec->fown_sid = current_sid();
3725 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3726 struct fown_struct *fown, int signum)
3729 u32 sid = task_sid(tsk);
3731 struct file_security_struct *fsec;
3733 /* struct fown_struct is never outside the context of a struct file */
3734 file = container_of(fown, struct file, f_owner);
3736 fsec = file->f_security;
3739 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3741 perm = signal_to_av(signum);
3743 return avc_has_perm(fsec->fown_sid, sid,
3744 SECCLASS_PROCESS, perm, NULL);
3747 static int selinux_file_receive(struct file *file)
3749 const struct cred *cred = current_cred();
3751 return file_has_perm(cred, file, file_to_av(file));
3754 static int selinux_file_open(struct file *file, const struct cred *cred)
3756 struct file_security_struct *fsec;
3757 struct inode_security_struct *isec;
3759 fsec = file->f_security;
3760 isec = inode_security(file_inode(file));
3762 * Save inode label and policy sequence number
3763 * at open-time so that selinux_file_permission
3764 * can determine whether revalidation is necessary.
3765 * Task label is already saved in the file security
3766 * struct as its SID.
3768 fsec->isid = isec->sid;
3769 fsec->pseqno = avc_policy_seqno();
3771 * Since the inode label or policy seqno may have changed
3772 * between the selinux_inode_permission check and the saving
3773 * of state above, recheck that access is still permitted.
3774 * Otherwise, access might never be revalidated against the
3775 * new inode label or new policy.
3776 * This check is not redundant - do not remove.
3778 return file_path_has_perm(cred, file, open_file_to_av(file));
3781 /* task security operations */
3783 static int selinux_task_alloc(struct task_struct *task,
3784 unsigned long clone_flags)
3786 u32 sid = current_sid();
3788 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3792 * allocate the SELinux part of blank credentials
3794 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3796 struct task_security_struct *tsec;
3798 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3802 cred->security = tsec;
3807 * detach and free the LSM part of a set of credentials
3809 static void selinux_cred_free(struct cred *cred)
3811 struct task_security_struct *tsec = cred->security;
3814 * cred->security == NULL if security_cred_alloc_blank() or
3815 * security_prepare_creds() returned an error.
3817 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3818 cred->security = (void *) 0x7UL;
3823 * prepare a new set of credentials for modification
3825 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3828 const struct task_security_struct *old_tsec;
3829 struct task_security_struct *tsec;
3831 old_tsec = old->security;
3833 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3837 new->security = tsec;
3842 * transfer the SELinux data to a blank set of creds
3844 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3846 const struct task_security_struct *old_tsec = old->security;
3847 struct task_security_struct *tsec = new->security;
3853 * set the security data for a kernel service
3854 * - all the creation contexts are set to unlabelled
3856 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3858 struct task_security_struct *tsec = new->security;
3859 u32 sid = current_sid();
3862 ret = avc_has_perm(sid, secid,
3863 SECCLASS_KERNEL_SERVICE,
3864 KERNEL_SERVICE__USE_AS_OVERRIDE,
3868 tsec->create_sid = 0;
3869 tsec->keycreate_sid = 0;
3870 tsec->sockcreate_sid = 0;
3876 * set the file creation context in a security record to the same as the
3877 * objective context of the specified inode
3879 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3881 struct inode_security_struct *isec = inode_security(inode);
3882 struct task_security_struct *tsec = new->security;
3883 u32 sid = current_sid();
3886 ret = avc_has_perm(sid, isec->sid,
3887 SECCLASS_KERNEL_SERVICE,
3888 KERNEL_SERVICE__CREATE_FILES_AS,
3892 tsec->create_sid = isec->sid;
3896 static int selinux_kernel_module_request(char *kmod_name)
3898 struct common_audit_data ad;
3900 ad.type = LSM_AUDIT_DATA_KMOD;
3901 ad.u.kmod_name = kmod_name;
3903 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3904 SYSTEM__MODULE_REQUEST, &ad);
3907 static int selinux_kernel_module_from_file(struct file *file)
3909 struct common_audit_data ad;
3910 struct inode_security_struct *isec;
3911 struct file_security_struct *fsec;
3912 u32 sid = current_sid();
3917 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3918 SYSTEM__MODULE_LOAD, NULL);
3922 ad.type = LSM_AUDIT_DATA_FILE;
3925 fsec = file->f_security;
3926 if (sid != fsec->sid) {
3927 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3932 isec = inode_security(file_inode(file));
3933 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3934 SYSTEM__MODULE_LOAD, &ad);
3937 static int selinux_kernel_read_file(struct file *file,
3938 enum kernel_read_file_id id)
3943 case READING_MODULE:
3944 rc = selinux_kernel_module_from_file(file);
3953 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3955 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3956 PROCESS__SETPGID, NULL);
3959 static int selinux_task_getpgid(struct task_struct *p)
3961 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3962 PROCESS__GETPGID, NULL);
3965 static int selinux_task_getsid(struct task_struct *p)
3967 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3968 PROCESS__GETSESSION, NULL);
3971 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3973 *secid = task_sid(p);
3976 static int selinux_task_setnice(struct task_struct *p, int nice)
3978 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3979 PROCESS__SETSCHED, NULL);
3982 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3984 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3985 PROCESS__SETSCHED, NULL);
3988 static int selinux_task_getioprio(struct task_struct *p)
3990 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3991 PROCESS__GETSCHED, NULL);
3994 int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4001 if (flags & LSM_PRLIMIT_WRITE)
4002 av |= PROCESS__SETRLIMIT;
4003 if (flags & LSM_PRLIMIT_READ)
4004 av |= PROCESS__GETRLIMIT;
4005 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4006 SECCLASS_PROCESS, av, NULL);
4009 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4010 struct rlimit *new_rlim)
4012 struct rlimit *old_rlim = p->signal->rlim + resource;
4014 /* Control the ability to change the hard limit (whether
4015 lowering or raising it), so that the hard limit can
4016 later be used as a safe reset point for the soft limit
4017 upon context transitions. See selinux_bprm_committing_creds. */
4018 if (old_rlim->rlim_max != new_rlim->rlim_max)
4019 return avc_has_perm(current_sid(), task_sid(p),
4020 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4025 static int selinux_task_setscheduler(struct task_struct *p)
4027 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4028 PROCESS__SETSCHED, NULL);
4031 static int selinux_task_getscheduler(struct task_struct *p)
4033 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4034 PROCESS__GETSCHED, NULL);
4037 static int selinux_task_movememory(struct task_struct *p)
4039 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4040 PROCESS__SETSCHED, NULL);
4043 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4049 perm = PROCESS__SIGNULL; /* null signal; existence test */
4051 perm = signal_to_av(sig);
4053 secid = current_sid();
4054 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4057 static void selinux_task_to_inode(struct task_struct *p,
4058 struct inode *inode)
4060 struct inode_security_struct *isec = inode->i_security;
4061 u32 sid = task_sid(p);
4063 spin_lock(&isec->lock);
4064 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4066 isec->initialized = LABEL_INITIALIZED;
4067 spin_unlock(&isec->lock);
4070 /* Returns error only if unable to parse addresses */
4071 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4072 struct common_audit_data *ad, u8 *proto)
4074 int offset, ihlen, ret = -EINVAL;
4075 struct iphdr _iph, *ih;
4077 offset = skb_network_offset(skb);
4078 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4082 ihlen = ih->ihl * 4;
4083 if (ihlen < sizeof(_iph))
4086 ad->u.net->v4info.saddr = ih->saddr;
4087 ad->u.net->v4info.daddr = ih->daddr;
4091 *proto = ih->protocol;
4093 switch (ih->protocol) {
4095 struct tcphdr _tcph, *th;
4097 if (ntohs(ih->frag_off) & IP_OFFSET)
4101 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4105 ad->u.net->sport = th->source;
4106 ad->u.net->dport = th->dest;
4111 struct udphdr _udph, *uh;
4113 if (ntohs(ih->frag_off) & IP_OFFSET)
4117 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4121 ad->u.net->sport = uh->source;
4122 ad->u.net->dport = uh->dest;
4126 case IPPROTO_DCCP: {
4127 struct dccp_hdr _dccph, *dh;
4129 if (ntohs(ih->frag_off) & IP_OFFSET)
4133 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4137 ad->u.net->sport = dh->dccph_sport;
4138 ad->u.net->dport = dh->dccph_dport;
4149 #if IS_ENABLED(CONFIG_IPV6)
4151 /* Returns error only if unable to parse addresses */
4152 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4153 struct common_audit_data *ad, u8 *proto)
4156 int ret = -EINVAL, offset;
4157 struct ipv6hdr _ipv6h, *ip6;
4160 offset = skb_network_offset(skb);
4161 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4165 ad->u.net->v6info.saddr = ip6->saddr;
4166 ad->u.net->v6info.daddr = ip6->daddr;
4169 nexthdr = ip6->nexthdr;
4170 offset += sizeof(_ipv6h);
4171 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4180 struct tcphdr _tcph, *th;
4182 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4186 ad->u.net->sport = th->source;
4187 ad->u.net->dport = th->dest;
4192 struct udphdr _udph, *uh;
4194 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4198 ad->u.net->sport = uh->source;
4199 ad->u.net->dport = uh->dest;
4203 case IPPROTO_DCCP: {
4204 struct dccp_hdr _dccph, *dh;
4206 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4210 ad->u.net->sport = dh->dccph_sport;
4211 ad->u.net->dport = dh->dccph_dport;
4215 /* includes fragments */
4225 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4226 char **_addrp, int src, u8 *proto)
4231 switch (ad->u.net->family) {
4233 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4236 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4237 &ad->u.net->v4info.daddr);
4240 #if IS_ENABLED(CONFIG_IPV6)
4242 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4245 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4246 &ad->u.net->v6info.daddr);
4256 "SELinux: failure in selinux_parse_skb(),"
4257 " unable to parse packet\n");
4267 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4269 * @family: protocol family
4270 * @sid: the packet's peer label SID
4273 * Check the various different forms of network peer labeling and determine
4274 * the peer label/SID for the packet; most of the magic actually occurs in
4275 * the security server function security_net_peersid_cmp(). The function
4276 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4277 * or -EACCES if @sid is invalid due to inconsistencies with the different
4281 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4288 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4291 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4295 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4296 if (unlikely(err)) {
4298 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4299 " unable to determine packet's peer label\n");
4307 * selinux_conn_sid - Determine the child socket label for a connection
4308 * @sk_sid: the parent socket's SID
4309 * @skb_sid: the packet's SID
4310 * @conn_sid: the resulting connection SID
4312 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4313 * combined with the MLS information from @skb_sid in order to create
4314 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4315 * of @sk_sid. Returns zero on success, negative values on failure.
4318 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4322 if (skb_sid != SECSID_NULL)
4323 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4330 /* socket security operations */
4332 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4333 u16 secclass, u32 *socksid)
4335 if (tsec->sockcreate_sid > SECSID_NULL) {
4336 *socksid = tsec->sockcreate_sid;
4340 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4344 static int sock_has_perm(struct sock *sk, u32 perms)
4346 struct sk_security_struct *sksec = sk->sk_security;
4347 struct common_audit_data ad;
4348 struct lsm_network_audit net = {0,};
4350 if (sksec->sid == SECINITSID_KERNEL)
4353 ad.type = LSM_AUDIT_DATA_NET;
4357 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4361 static int selinux_socket_create(int family, int type,
4362 int protocol, int kern)
4364 const struct task_security_struct *tsec = current_security();
4372 secclass = socket_type_to_security_class(family, type, protocol);
4373 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4377 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4380 static int selinux_socket_post_create(struct socket *sock, int family,
4381 int type, int protocol, int kern)
4383 const struct task_security_struct *tsec = current_security();
4384 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4385 struct sk_security_struct *sksec;
4386 u16 sclass = socket_type_to_security_class(family, type, protocol);
4387 u32 sid = SECINITSID_KERNEL;
4391 err = socket_sockcreate_sid(tsec, sclass, &sid);
4396 isec->sclass = sclass;
4398 isec->initialized = LABEL_INITIALIZED;
4401 sksec = sock->sk->sk_security;
4402 sksec->sclass = sclass;
4404 err = selinux_netlbl_socket_post_create(sock->sk, family);
4410 /* Range of port numbers used to automatically bind.
4411 Need to determine whether we should perform a name_bind
4412 permission check between the socket and the port number. */
4414 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4416 struct sock *sk = sock->sk;
4420 err = sock_has_perm(sk, SOCKET__BIND);
4425 * If PF_INET or PF_INET6, check name_bind permission for the port.
4426 * Multiple address binding for SCTP is not supported yet: we just
4427 * check the first address now.
4429 family = sk->sk_family;
4430 if (family == PF_INET || family == PF_INET6) {
4432 struct sk_security_struct *sksec = sk->sk_security;
4433 struct common_audit_data ad;
4434 struct lsm_network_audit net = {0,};
4435 struct sockaddr_in *addr4 = NULL;
4436 struct sockaddr_in6 *addr6 = NULL;
4437 unsigned short snum;
4440 if (family == PF_INET) {
4441 if (addrlen < sizeof(struct sockaddr_in)) {
4445 addr4 = (struct sockaddr_in *)address;
4446 snum = ntohs(addr4->sin_port);
4447 addrp = (char *)&addr4->sin_addr.s_addr;
4449 if (addrlen < SIN6_LEN_RFC2133) {
4453 addr6 = (struct sockaddr_in6 *)address;
4454 snum = ntohs(addr6->sin6_port);
4455 addrp = (char *)&addr6->sin6_addr.s6_addr;
4461 inet_get_local_port_range(sock_net(sk), &low, &high);
4463 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4465 err = sel_netport_sid(sk->sk_protocol,
4469 ad.type = LSM_AUDIT_DATA_NET;
4471 ad.u.net->sport = htons(snum);
4472 ad.u.net->family = family;
4473 err = avc_has_perm(sksec->sid, sid,
4475 SOCKET__NAME_BIND, &ad);
4481 switch (sksec->sclass) {
4482 case SECCLASS_TCP_SOCKET:
4483 node_perm = TCP_SOCKET__NODE_BIND;
4486 case SECCLASS_UDP_SOCKET:
4487 node_perm = UDP_SOCKET__NODE_BIND;
4490 case SECCLASS_DCCP_SOCKET:
4491 node_perm = DCCP_SOCKET__NODE_BIND;
4495 node_perm = RAWIP_SOCKET__NODE_BIND;
4499 err = sel_netnode_sid(addrp, family, &sid);
4503 ad.type = LSM_AUDIT_DATA_NET;
4505 ad.u.net->sport = htons(snum);
4506 ad.u.net->family = family;
4508 if (family == PF_INET)
4509 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4511 ad.u.net->v6info.saddr = addr6->sin6_addr;
4513 err = avc_has_perm(sksec->sid, sid,
4514 sksec->sclass, node_perm, &ad);
4522 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4524 struct sock *sk = sock->sk;
4525 struct sk_security_struct *sksec = sk->sk_security;
4528 err = sock_has_perm(sk, SOCKET__CONNECT);
4533 * If a TCP or DCCP socket, check name_connect permission for the port.
4535 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4536 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4537 struct common_audit_data ad;
4538 struct lsm_network_audit net = {0,};
4539 struct sockaddr_in *addr4 = NULL;
4540 struct sockaddr_in6 *addr6 = NULL;
4541 unsigned short snum;
4544 if (sk->sk_family == PF_INET) {
4545 addr4 = (struct sockaddr_in *)address;
4546 if (addrlen < sizeof(struct sockaddr_in))
4548 snum = ntohs(addr4->sin_port);
4550 addr6 = (struct sockaddr_in6 *)address;
4551 if (addrlen < SIN6_LEN_RFC2133)
4553 snum = ntohs(addr6->sin6_port);
4556 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4560 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4561 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4563 ad.type = LSM_AUDIT_DATA_NET;
4565 ad.u.net->dport = htons(snum);
4566 ad.u.net->family = sk->sk_family;
4567 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4572 err = selinux_netlbl_socket_connect(sk, address);
4578 static int selinux_socket_listen(struct socket *sock, int backlog)
4580 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4583 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4586 struct inode_security_struct *isec;
4587 struct inode_security_struct *newisec;
4591 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4595 isec = inode_security_novalidate(SOCK_INODE(sock));
4596 spin_lock(&isec->lock);
4597 sclass = isec->sclass;
4599 spin_unlock(&isec->lock);
4601 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4602 newisec->sclass = sclass;
4604 newisec->initialized = LABEL_INITIALIZED;
4609 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4612 return sock_has_perm(sock->sk, SOCKET__WRITE);
4615 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4616 int size, int flags)
4618 return sock_has_perm(sock->sk, SOCKET__READ);
4621 static int selinux_socket_getsockname(struct socket *sock)
4623 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4626 static int selinux_socket_getpeername(struct socket *sock)
4628 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4631 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4635 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4639 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4642 static int selinux_socket_getsockopt(struct socket *sock, int level,
4645 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4648 static int selinux_socket_shutdown(struct socket *sock, int how)
4650 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4653 static int selinux_socket_unix_stream_connect(struct sock *sock,
4657 struct sk_security_struct *sksec_sock = sock->sk_security;
4658 struct sk_security_struct *sksec_other = other->sk_security;
4659 struct sk_security_struct *sksec_new = newsk->sk_security;
4660 struct common_audit_data ad;
4661 struct lsm_network_audit net = {0,};
4664 ad.type = LSM_AUDIT_DATA_NET;
4666 ad.u.net->sk = other;
4668 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4669 sksec_other->sclass,
4670 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4674 /* server child socket */
4675 sksec_new->peer_sid = sksec_sock->sid;
4676 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4681 /* connecting socket */
4682 sksec_sock->peer_sid = sksec_new->sid;
4687 static int selinux_socket_unix_may_send(struct socket *sock,
4688 struct socket *other)
4690 struct sk_security_struct *ssec = sock->sk->sk_security;
4691 struct sk_security_struct *osec = other->sk->sk_security;
4692 struct common_audit_data ad;
4693 struct lsm_network_audit net = {0,};
4695 ad.type = LSM_AUDIT_DATA_NET;
4697 ad.u.net->sk = other->sk;
4699 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4703 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4704 char *addrp, u16 family, u32 peer_sid,
4705 struct common_audit_data *ad)
4711 err = sel_netif_sid(ns, ifindex, &if_sid);
4714 err = avc_has_perm(peer_sid, if_sid,
4715 SECCLASS_NETIF, NETIF__INGRESS, ad);
4719 err = sel_netnode_sid(addrp, family, &node_sid);
4722 return avc_has_perm(peer_sid, node_sid,
4723 SECCLASS_NODE, NODE__RECVFROM, ad);
4726 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4730 struct sk_security_struct *sksec = sk->sk_security;
4731 u32 sk_sid = sksec->sid;
4732 struct common_audit_data ad;
4733 struct lsm_network_audit net = {0,};
4736 ad.type = LSM_AUDIT_DATA_NET;
4738 ad.u.net->netif = skb->skb_iif;
4739 ad.u.net->family = family;
4740 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4744 if (selinux_secmark_enabled()) {
4745 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4751 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4754 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4759 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4762 struct sk_security_struct *sksec = sk->sk_security;
4763 u16 family = sk->sk_family;
4764 u32 sk_sid = sksec->sid;
4765 struct common_audit_data ad;
4766 struct lsm_network_audit net = {0,};
4771 if (family != PF_INET && family != PF_INET6)
4774 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4775 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4778 /* If any sort of compatibility mode is enabled then handoff processing
4779 * to the selinux_sock_rcv_skb_compat() function to deal with the
4780 * special handling. We do this in an attempt to keep this function
4781 * as fast and as clean as possible. */
4782 if (!selinux_policycap_netpeer)
4783 return selinux_sock_rcv_skb_compat(sk, skb, family);
4785 secmark_active = selinux_secmark_enabled();
4786 peerlbl_active = selinux_peerlbl_enabled();
4787 if (!secmark_active && !peerlbl_active)
4790 ad.type = LSM_AUDIT_DATA_NET;
4792 ad.u.net->netif = skb->skb_iif;
4793 ad.u.net->family = family;
4794 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4798 if (peerlbl_active) {
4801 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4804 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4805 addrp, family, peer_sid, &ad);
4807 selinux_netlbl_err(skb, family, err, 0);
4810 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4813 selinux_netlbl_err(skb, family, err, 0);
4818 if (secmark_active) {
4819 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4828 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4829 int __user *optlen, unsigned len)
4834 struct sk_security_struct *sksec = sock->sk->sk_security;
4835 u32 peer_sid = SECSID_NULL;
4837 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4838 sksec->sclass == SECCLASS_TCP_SOCKET)
4839 peer_sid = sksec->peer_sid;
4840 if (peer_sid == SECSID_NULL)
4841 return -ENOPROTOOPT;
4843 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4847 if (scontext_len > len) {
4852 if (copy_to_user(optval, scontext, scontext_len))
4856 if (put_user(scontext_len, optlen))
4862 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4864 u32 peer_secid = SECSID_NULL;
4866 struct inode_security_struct *isec;
4868 if (skb && skb->protocol == htons(ETH_P_IP))
4870 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4873 family = sock->sk->sk_family;
4877 if (sock && family == PF_UNIX) {
4878 isec = inode_security_novalidate(SOCK_INODE(sock));
4879 peer_secid = isec->sid;
4881 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4884 *secid = peer_secid;
4885 if (peer_secid == SECSID_NULL)
4890 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4892 struct sk_security_struct *sksec;
4894 sksec = kzalloc(sizeof(*sksec), priority);
4898 sksec->peer_sid = SECINITSID_UNLABELED;
4899 sksec->sid = SECINITSID_UNLABELED;
4900 sksec->sclass = SECCLASS_SOCKET;
4901 selinux_netlbl_sk_security_reset(sksec);
4902 sk->sk_security = sksec;
4907 static void selinux_sk_free_security(struct sock *sk)
4909 struct sk_security_struct *sksec = sk->sk_security;
4911 sk->sk_security = NULL;
4912 selinux_netlbl_sk_security_free(sksec);
4916 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4918 struct sk_security_struct *sksec = sk->sk_security;
4919 struct sk_security_struct *newsksec = newsk->sk_security;
4921 newsksec->sid = sksec->sid;
4922 newsksec->peer_sid = sksec->peer_sid;
4923 newsksec->sclass = sksec->sclass;
4925 selinux_netlbl_sk_security_reset(newsksec);
4928 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4931 *secid = SECINITSID_ANY_SOCKET;
4933 struct sk_security_struct *sksec = sk->sk_security;
4935 *secid = sksec->sid;
4939 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4941 struct inode_security_struct *isec =
4942 inode_security_novalidate(SOCK_INODE(parent));
4943 struct sk_security_struct *sksec = sk->sk_security;
4945 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4946 sk->sk_family == PF_UNIX)
4947 isec->sid = sksec->sid;
4948 sksec->sclass = isec->sclass;
4951 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4952 struct request_sock *req)
4954 struct sk_security_struct *sksec = sk->sk_security;
4956 u16 family = req->rsk_ops->family;
4960 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4963 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4966 req->secid = connsid;
4967 req->peer_secid = peersid;
4969 return selinux_netlbl_inet_conn_request(req, family);
4972 static void selinux_inet_csk_clone(struct sock *newsk,
4973 const struct request_sock *req)
4975 struct sk_security_struct *newsksec = newsk->sk_security;
4977 newsksec->sid = req->secid;
4978 newsksec->peer_sid = req->peer_secid;
4979 /* NOTE: Ideally, we should also get the isec->sid for the
4980 new socket in sync, but we don't have the isec available yet.
4981 So we will wait until sock_graft to do it, by which
4982 time it will have been created and available. */
4984 /* We don't need to take any sort of lock here as we are the only
4985 * thread with access to newsksec */
4986 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4989 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4991 u16 family = sk->sk_family;
4992 struct sk_security_struct *sksec = sk->sk_security;
4994 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4995 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4998 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5001 static int selinux_secmark_relabel_packet(u32 sid)
5003 const struct task_security_struct *__tsec;
5006 __tsec = current_security();
5009 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
5012 static void selinux_secmark_refcount_inc(void)
5014 atomic_inc(&selinux_secmark_refcount);
5017 static void selinux_secmark_refcount_dec(void)
5019 atomic_dec(&selinux_secmark_refcount);
5022 static void selinux_req_classify_flow(const struct request_sock *req,
5025 fl->flowi_secid = req->secid;
5028 static int selinux_tun_dev_alloc_security(void **security)
5030 struct tun_security_struct *tunsec;
5032 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5035 tunsec->sid = current_sid();
5041 static void selinux_tun_dev_free_security(void *security)
5046 static int selinux_tun_dev_create(void)
5048 u32 sid = current_sid();
5050 /* we aren't taking into account the "sockcreate" SID since the socket
5051 * that is being created here is not a socket in the traditional sense,
5052 * instead it is a private sock, accessible only to the kernel, and
5053 * representing a wide range of network traffic spanning multiple
5054 * connections unlike traditional sockets - check the TUN driver to
5055 * get a better understanding of why this socket is special */
5057 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5061 static int selinux_tun_dev_attach_queue(void *security)
5063 struct tun_security_struct *tunsec = security;
5065 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5066 TUN_SOCKET__ATTACH_QUEUE, NULL);
5069 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5071 struct tun_security_struct *tunsec = security;
5072 struct sk_security_struct *sksec = sk->sk_security;
5074 /* we don't currently perform any NetLabel based labeling here and it
5075 * isn't clear that we would want to do so anyway; while we could apply
5076 * labeling without the support of the TUN user the resulting labeled
5077 * traffic from the other end of the connection would almost certainly
5078 * cause confusion to the TUN user that had no idea network labeling
5079 * protocols were being used */
5081 sksec->sid = tunsec->sid;
5082 sksec->sclass = SECCLASS_TUN_SOCKET;
5087 static int selinux_tun_dev_open(void *security)
5089 struct tun_security_struct *tunsec = security;
5090 u32 sid = current_sid();
5093 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5094 TUN_SOCKET__RELABELFROM, NULL);
5097 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5098 TUN_SOCKET__RELABELTO, NULL);
5106 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5110 struct nlmsghdr *nlh;
5111 struct sk_security_struct *sksec = sk->sk_security;
5113 if (skb->len < NLMSG_HDRLEN) {
5117 nlh = nlmsg_hdr(skb);
5119 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5121 if (err == -EINVAL) {
5122 pr_warn_ratelimited("SELinux: unrecognized netlink"
5123 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5124 " pig=%d comm=%s\n",
5125 sk->sk_protocol, nlh->nlmsg_type,
5126 secclass_map[sksec->sclass - 1].name,
5127 task_pid_nr(current), current->comm);
5128 if (!selinux_enforcing || security_get_allow_unknown())
5138 err = sock_has_perm(sk, perm);
5143 #ifdef CONFIG_NETFILTER
5145 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5146 const struct net_device *indev,
5152 struct common_audit_data ad;
5153 struct lsm_network_audit net = {0,};
5158 if (!selinux_policycap_netpeer)
5161 secmark_active = selinux_secmark_enabled();
5162 netlbl_active = netlbl_enabled();
5163 peerlbl_active = selinux_peerlbl_enabled();
5164 if (!secmark_active && !peerlbl_active)
5167 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5170 ad.type = LSM_AUDIT_DATA_NET;
5172 ad.u.net->netif = indev->ifindex;
5173 ad.u.net->family = family;
5174 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5177 if (peerlbl_active) {
5178 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5179 addrp, family, peer_sid, &ad);
5181 selinux_netlbl_err(skb, family, err, 1);
5187 if (avc_has_perm(peer_sid, skb->secmark,
5188 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5192 /* we do this in the FORWARD path and not the POST_ROUTING
5193 * path because we want to make sure we apply the necessary
5194 * labeling before IPsec is applied so we can leverage AH
5196 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5202 static unsigned int selinux_ipv4_forward(void *priv,
5203 struct sk_buff *skb,
5204 const struct nf_hook_state *state)
5206 return selinux_ip_forward(skb, state->in, PF_INET);
5209 #if IS_ENABLED(CONFIG_IPV6)
5210 static unsigned int selinux_ipv6_forward(void *priv,
5211 struct sk_buff *skb,
5212 const struct nf_hook_state *state)
5214 return selinux_ip_forward(skb, state->in, PF_INET6);
5218 static unsigned int selinux_ip_output(struct sk_buff *skb,
5224 if (!netlbl_enabled())
5227 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5228 * because we want to make sure we apply the necessary labeling
5229 * before IPsec is applied so we can leverage AH protection */
5232 struct sk_security_struct *sksec;
5234 if (sk_listener(sk))
5235 /* if the socket is the listening state then this
5236 * packet is a SYN-ACK packet which means it needs to
5237 * be labeled based on the connection/request_sock and
5238 * not the parent socket. unfortunately, we can't
5239 * lookup the request_sock yet as it isn't queued on
5240 * the parent socket until after the SYN-ACK is sent.
5241 * the "solution" is to simply pass the packet as-is
5242 * as any IP option based labeling should be copied
5243 * from the initial connection request (in the IP
5244 * layer). it is far from ideal, but until we get a
5245 * security label in the packet itself this is the
5246 * best we can do. */
5249 /* standard practice, label using the parent socket */
5250 sksec = sk->sk_security;
5253 sid = SECINITSID_KERNEL;
5254 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5260 static unsigned int selinux_ipv4_output(void *priv,
5261 struct sk_buff *skb,
5262 const struct nf_hook_state *state)
5264 return selinux_ip_output(skb, PF_INET);
5267 #if IS_ENABLED(CONFIG_IPV6)
5268 static unsigned int selinux_ipv6_output(void *priv,
5269 struct sk_buff *skb,
5270 const struct nf_hook_state *state)
5272 return selinux_ip_output(skb, PF_INET6);
5276 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5280 struct sock *sk = skb_to_full_sk(skb);
5281 struct sk_security_struct *sksec;
5282 struct common_audit_data ad;
5283 struct lsm_network_audit net = {0,};
5289 sksec = sk->sk_security;
5291 ad.type = LSM_AUDIT_DATA_NET;
5293 ad.u.net->netif = ifindex;
5294 ad.u.net->family = family;
5295 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5298 if (selinux_secmark_enabled())
5299 if (avc_has_perm(sksec->sid, skb->secmark,
5300 SECCLASS_PACKET, PACKET__SEND, &ad))
5301 return NF_DROP_ERR(-ECONNREFUSED);
5303 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5304 return NF_DROP_ERR(-ECONNREFUSED);
5309 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5310 const struct net_device *outdev,
5315 int ifindex = outdev->ifindex;
5317 struct common_audit_data ad;
5318 struct lsm_network_audit net = {0,};
5323 /* If any sort of compatibility mode is enabled then handoff processing
5324 * to the selinux_ip_postroute_compat() function to deal with the
5325 * special handling. We do this in an attempt to keep this function
5326 * as fast and as clean as possible. */
5327 if (!selinux_policycap_netpeer)
5328 return selinux_ip_postroute_compat(skb, ifindex, family);
5330 secmark_active = selinux_secmark_enabled();
5331 peerlbl_active = selinux_peerlbl_enabled();
5332 if (!secmark_active && !peerlbl_active)
5335 sk = skb_to_full_sk(skb);
5338 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5339 * packet transformation so allow the packet to pass without any checks
5340 * since we'll have another chance to perform access control checks
5341 * when the packet is on it's final way out.
5342 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5343 * is NULL, in this case go ahead and apply access control.
5344 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5345 * TCP listening state we cannot wait until the XFRM processing
5346 * is done as we will miss out on the SA label if we do;
5347 * unfortunately, this means more work, but it is only once per
5349 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5350 !(sk && sk_listener(sk)))
5355 /* Without an associated socket the packet is either coming
5356 * from the kernel or it is being forwarded; check the packet
5357 * to determine which and if the packet is being forwarded
5358 * query the packet directly to determine the security label. */
5360 secmark_perm = PACKET__FORWARD_OUT;
5361 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5364 secmark_perm = PACKET__SEND;
5365 peer_sid = SECINITSID_KERNEL;
5367 } else if (sk_listener(sk)) {
5368 /* Locally generated packet but the associated socket is in the
5369 * listening state which means this is a SYN-ACK packet. In
5370 * this particular case the correct security label is assigned
5371 * to the connection/request_sock but unfortunately we can't
5372 * query the request_sock as it isn't queued on the parent
5373 * socket until after the SYN-ACK packet is sent; the only
5374 * viable choice is to regenerate the label like we do in
5375 * selinux_inet_conn_request(). See also selinux_ip_output()
5376 * for similar problems. */
5378 struct sk_security_struct *sksec;
5380 sksec = sk->sk_security;
5381 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5383 /* At this point, if the returned skb peerlbl is SECSID_NULL
5384 * and the packet has been through at least one XFRM
5385 * transformation then we must be dealing with the "final"
5386 * form of labeled IPsec packet; since we've already applied
5387 * all of our access controls on this packet we can safely
5388 * pass the packet. */
5389 if (skb_sid == SECSID_NULL) {
5392 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5396 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5400 return NF_DROP_ERR(-ECONNREFUSED);
5403 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5405 secmark_perm = PACKET__SEND;
5407 /* Locally generated packet, fetch the security label from the
5408 * associated socket. */
5409 struct sk_security_struct *sksec = sk->sk_security;
5410 peer_sid = sksec->sid;
5411 secmark_perm = PACKET__SEND;
5414 ad.type = LSM_AUDIT_DATA_NET;
5416 ad.u.net->netif = ifindex;
5417 ad.u.net->family = family;
5418 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5422 if (avc_has_perm(peer_sid, skb->secmark,
5423 SECCLASS_PACKET, secmark_perm, &ad))
5424 return NF_DROP_ERR(-ECONNREFUSED);
5426 if (peerlbl_active) {
5430 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5432 if (avc_has_perm(peer_sid, if_sid,
5433 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5434 return NF_DROP_ERR(-ECONNREFUSED);
5436 if (sel_netnode_sid(addrp, family, &node_sid))
5438 if (avc_has_perm(peer_sid, node_sid,
5439 SECCLASS_NODE, NODE__SENDTO, &ad))
5440 return NF_DROP_ERR(-ECONNREFUSED);
5446 static unsigned int selinux_ipv4_postroute(void *priv,
5447 struct sk_buff *skb,
5448 const struct nf_hook_state *state)
5450 return selinux_ip_postroute(skb, state->out, PF_INET);
5453 #if IS_ENABLED(CONFIG_IPV6)
5454 static unsigned int selinux_ipv6_postroute(void *priv,
5455 struct sk_buff *skb,
5456 const struct nf_hook_state *state)
5458 return selinux_ip_postroute(skb, state->out, PF_INET6);
5462 #endif /* CONFIG_NETFILTER */
5464 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5466 return selinux_nlmsg_perm(sk, skb);
5469 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5472 struct ipc_security_struct *isec;
5474 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5478 isec->sclass = sclass;
5479 isec->sid = current_sid();
5480 perm->security = isec;
5485 static void ipc_free_security(struct kern_ipc_perm *perm)
5487 struct ipc_security_struct *isec = perm->security;
5488 perm->security = NULL;
5492 static int msg_msg_alloc_security(struct msg_msg *msg)
5494 struct msg_security_struct *msec;
5496 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5500 msec->sid = SECINITSID_UNLABELED;
5501 msg->security = msec;
5506 static void msg_msg_free_security(struct msg_msg *msg)
5508 struct msg_security_struct *msec = msg->security;
5510 msg->security = NULL;
5514 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5517 struct ipc_security_struct *isec;
5518 struct common_audit_data ad;
5519 u32 sid = current_sid();
5521 isec = ipc_perms->security;
5523 ad.type = LSM_AUDIT_DATA_IPC;
5524 ad.u.ipc_id = ipc_perms->key;
5526 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5529 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5531 return msg_msg_alloc_security(msg);
5534 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5536 msg_msg_free_security(msg);
5539 /* message queue security operations */
5540 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5542 struct ipc_security_struct *isec;
5543 struct common_audit_data ad;
5544 u32 sid = current_sid();
5547 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
5551 isec = msq->q_perm.security;
5553 ad.type = LSM_AUDIT_DATA_IPC;
5554 ad.u.ipc_id = msq->q_perm.key;
5556 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5559 ipc_free_security(&msq->q_perm);
5565 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5567 ipc_free_security(&msq->q_perm);
5570 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5572 struct ipc_security_struct *isec;
5573 struct common_audit_data ad;
5574 u32 sid = current_sid();
5576 isec = msq->q_perm.security;
5578 ad.type = LSM_AUDIT_DATA_IPC;
5579 ad.u.ipc_id = msq->q_perm.key;
5581 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5582 MSGQ__ASSOCIATE, &ad);
5585 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5593 /* No specific object, just general system-wide information. */
5594 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5595 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5598 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5601 perms = MSGQ__SETATTR;
5604 perms = MSGQ__DESTROY;
5610 err = ipc_has_perm(&msq->q_perm, perms);
5614 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5616 struct ipc_security_struct *isec;
5617 struct msg_security_struct *msec;
5618 struct common_audit_data ad;
5619 u32 sid = current_sid();
5622 isec = msq->q_perm.security;
5623 msec = msg->security;
5626 * First time through, need to assign label to the message
5628 if (msec->sid == SECINITSID_UNLABELED) {
5630 * Compute new sid based on current process and
5631 * message queue this message will be stored in
5633 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5639 ad.type = LSM_AUDIT_DATA_IPC;
5640 ad.u.ipc_id = msq->q_perm.key;
5642 /* Can this process write to the queue? */
5643 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5646 /* Can this process send the message */
5647 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5650 /* Can the message be put in the queue? */
5651 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5652 MSGQ__ENQUEUE, &ad);
5657 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5658 struct task_struct *target,
5659 long type, int mode)
5661 struct ipc_security_struct *isec;
5662 struct msg_security_struct *msec;
5663 struct common_audit_data ad;
5664 u32 sid = task_sid(target);
5667 isec = msq->q_perm.security;
5668 msec = msg->security;
5670 ad.type = LSM_AUDIT_DATA_IPC;
5671 ad.u.ipc_id = msq->q_perm.key;
5673 rc = avc_has_perm(sid, isec->sid,
5674 SECCLASS_MSGQ, MSGQ__READ, &ad);
5676 rc = avc_has_perm(sid, msec->sid,
5677 SECCLASS_MSG, MSG__RECEIVE, &ad);
5681 /* Shared Memory security operations */
5682 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5684 struct ipc_security_struct *isec;
5685 struct common_audit_data ad;
5686 u32 sid = current_sid();
5689 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
5693 isec = shp->shm_perm.security;
5695 ad.type = LSM_AUDIT_DATA_IPC;
5696 ad.u.ipc_id = shp->shm_perm.key;
5698 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5701 ipc_free_security(&shp->shm_perm);
5707 static void selinux_shm_free_security(struct shmid_kernel *shp)
5709 ipc_free_security(&shp->shm_perm);
5712 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5714 struct ipc_security_struct *isec;
5715 struct common_audit_data ad;
5716 u32 sid = current_sid();
5718 isec = shp->shm_perm.security;
5720 ad.type = LSM_AUDIT_DATA_IPC;
5721 ad.u.ipc_id = shp->shm_perm.key;
5723 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5724 SHM__ASSOCIATE, &ad);
5727 /* Note, at this point, shp is locked down */
5728 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5736 /* No specific object, just general system-wide information. */
5737 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5738 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5741 perms = SHM__GETATTR | SHM__ASSOCIATE;
5744 perms = SHM__SETATTR;
5751 perms = SHM__DESTROY;
5757 err = ipc_has_perm(&shp->shm_perm, perms);
5761 static int selinux_shm_shmat(struct shmid_kernel *shp,
5762 char __user *shmaddr, int shmflg)
5766 if (shmflg & SHM_RDONLY)
5769 perms = SHM__READ | SHM__WRITE;
5771 return ipc_has_perm(&shp->shm_perm, perms);
5774 /* Semaphore security operations */
5775 static int selinux_sem_alloc_security(struct sem_array *sma)
5777 struct ipc_security_struct *isec;
5778 struct common_audit_data ad;
5779 u32 sid = current_sid();
5782 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
5786 isec = sma->sem_perm.security;
5788 ad.type = LSM_AUDIT_DATA_IPC;
5789 ad.u.ipc_id = sma->sem_perm.key;
5791 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5794 ipc_free_security(&sma->sem_perm);
5800 static void selinux_sem_free_security(struct sem_array *sma)
5802 ipc_free_security(&sma->sem_perm);
5805 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5807 struct ipc_security_struct *isec;
5808 struct common_audit_data ad;
5809 u32 sid = current_sid();
5811 isec = sma->sem_perm.security;
5813 ad.type = LSM_AUDIT_DATA_IPC;
5814 ad.u.ipc_id = sma->sem_perm.key;
5816 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5817 SEM__ASSOCIATE, &ad);
5820 /* Note, at this point, sma is locked down */
5821 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5829 /* No specific object, just general system-wide information. */
5830 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5831 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5835 perms = SEM__GETATTR;
5846 perms = SEM__DESTROY;
5849 perms = SEM__SETATTR;
5853 perms = SEM__GETATTR | SEM__ASSOCIATE;
5859 err = ipc_has_perm(&sma->sem_perm, perms);
5863 static int selinux_sem_semop(struct sem_array *sma,
5864 struct sembuf *sops, unsigned nsops, int alter)
5869 perms = SEM__READ | SEM__WRITE;
5873 return ipc_has_perm(&sma->sem_perm, perms);
5876 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5882 av |= IPC__UNIX_READ;
5884 av |= IPC__UNIX_WRITE;
5889 return ipc_has_perm(ipcp, av);
5892 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5894 struct ipc_security_struct *isec = ipcp->security;
5898 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5901 inode_doinit_with_dentry(inode, dentry);
5904 static int selinux_getprocattr(struct task_struct *p,
5905 char *name, char **value)
5907 const struct task_security_struct *__tsec;
5913 __tsec = __task_cred(p)->security;
5916 error = avc_has_perm(current_sid(), __tsec->sid,
5917 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5922 if (!strcmp(name, "current"))
5924 else if (!strcmp(name, "prev"))
5926 else if (!strcmp(name, "exec"))
5927 sid = __tsec->exec_sid;
5928 else if (!strcmp(name, "fscreate"))
5929 sid = __tsec->create_sid;
5930 else if (!strcmp(name, "keycreate"))
5931 sid = __tsec->keycreate_sid;
5932 else if (!strcmp(name, "sockcreate"))
5933 sid = __tsec->sockcreate_sid;
5943 error = security_sid_to_context(sid, value, &len);
5953 static int selinux_setprocattr(const char *name, void *value, size_t size)
5955 struct task_security_struct *tsec;
5957 u32 mysid = current_sid(), sid = 0, ptsid;
5962 * Basic control over ability to set these attributes at all.
5964 if (!strcmp(name, "exec"))
5965 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5966 PROCESS__SETEXEC, NULL);
5967 else if (!strcmp(name, "fscreate"))
5968 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5969 PROCESS__SETFSCREATE, NULL);
5970 else if (!strcmp(name, "keycreate"))
5971 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5972 PROCESS__SETKEYCREATE, NULL);
5973 else if (!strcmp(name, "sockcreate"))
5974 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5975 PROCESS__SETSOCKCREATE, NULL);
5976 else if (!strcmp(name, "current"))
5977 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5978 PROCESS__SETCURRENT, NULL);
5984 /* Obtain a SID for the context, if one was specified. */
5985 if (size && str[0] && str[0] != '\n') {
5986 if (str[size-1] == '\n') {
5990 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5991 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5992 if (!has_cap_mac_admin(true)) {
5993 struct audit_buffer *ab;
5996 /* We strip a nul only if it is at the end, otherwise the
5997 * context contains a nul and we should audit that */
5998 if (str[size - 1] == '\0')
5999 audit_size = size - 1;
6002 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
6003 audit_log_format(ab, "op=fscreate invalid_context=");
6004 audit_log_n_untrustedstring(ab, value, audit_size);
6009 error = security_context_to_sid_force(value, size,
6016 new = prepare_creds();
6020 /* Permission checking based on the specified context is
6021 performed during the actual operation (execve,
6022 open/mkdir/...), when we know the full context of the
6023 operation. See selinux_bprm_set_creds for the execve
6024 checks and may_create for the file creation checks. The
6025 operation will then fail if the context is not permitted. */
6026 tsec = new->security;
6027 if (!strcmp(name, "exec")) {
6028 tsec->exec_sid = sid;
6029 } else if (!strcmp(name, "fscreate")) {
6030 tsec->create_sid = sid;
6031 } else if (!strcmp(name, "keycreate")) {
6032 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
6036 tsec->keycreate_sid = sid;
6037 } else if (!strcmp(name, "sockcreate")) {
6038 tsec->sockcreate_sid = sid;
6039 } else if (!strcmp(name, "current")) {
6044 /* Only allow single threaded processes to change context */
6046 if (!current_is_single_threaded()) {
6047 error = security_bounded_transition(tsec->sid, sid);
6052 /* Check permissions for the transition. */
6053 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6054 PROCESS__DYNTRANSITION, NULL);
6058 /* Check for ptracing, and update the task SID if ok.
6059 Otherwise, leave SID unchanged and fail. */
6060 ptsid = ptrace_parent_sid();
6062 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6063 PROCESS__PTRACE, NULL);
6082 static int selinux_ismaclabel(const char *name)
6084 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6087 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6089 return security_sid_to_context(secid, secdata, seclen);
6092 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6094 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
6097 static void selinux_release_secctx(char *secdata, u32 seclen)
6102 static void selinux_inode_invalidate_secctx(struct inode *inode)
6104 struct inode_security_struct *isec = inode->i_security;
6106 spin_lock(&isec->lock);
6107 isec->initialized = LABEL_INVALID;
6108 spin_unlock(&isec->lock);
6112 * called with inode->i_mutex locked
6114 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6116 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6120 * called with inode->i_mutex locked
6122 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6124 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6127 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6130 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6139 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6140 unsigned long flags)
6142 const struct task_security_struct *tsec;
6143 struct key_security_struct *ksec;
6145 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6149 tsec = cred->security;
6150 if (tsec->keycreate_sid)
6151 ksec->sid = tsec->keycreate_sid;
6153 ksec->sid = tsec->sid;
6159 static void selinux_key_free(struct key *k)
6161 struct key_security_struct *ksec = k->security;
6167 static int selinux_key_permission(key_ref_t key_ref,
6168 const struct cred *cred,
6172 struct key_security_struct *ksec;
6175 /* if no specific permissions are requested, we skip the
6176 permission check. No serious, additional covert channels
6177 appear to be created. */
6181 sid = cred_sid(cred);
6183 key = key_ref_to_ptr(key_ref);
6184 ksec = key->security;
6186 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6189 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6191 struct key_security_struct *ksec = key->security;
6192 char *context = NULL;
6196 rc = security_sid_to_context(ksec->sid, &context, &len);
6204 #ifdef CONFIG_SECURITY_INFINIBAND
6205 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6207 struct common_audit_data ad;
6210 struct ib_security_struct *sec = ib_sec;
6211 struct lsm_ibpkey_audit ibpkey;
6213 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6217 ad.type = LSM_AUDIT_DATA_IBPKEY;
6218 ibpkey.subnet_prefix = subnet_prefix;
6219 ibpkey.pkey = pkey_val;
6220 ad.u.ibpkey = &ibpkey;
6221 return avc_has_perm(sec->sid, sid,
6222 SECCLASS_INFINIBAND_PKEY,
6223 INFINIBAND_PKEY__ACCESS, &ad);
6226 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6229 struct common_audit_data ad;
6232 struct ib_security_struct *sec = ib_sec;
6233 struct lsm_ibendport_audit ibendport;
6235 err = security_ib_endport_sid(dev_name, port_num, &sid);
6240 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6241 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6242 ibendport.port = port_num;
6243 ad.u.ibendport = &ibendport;
6244 return avc_has_perm(sec->sid, sid,
6245 SECCLASS_INFINIBAND_ENDPORT,
6246 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6249 static int selinux_ib_alloc_security(void **ib_sec)
6251 struct ib_security_struct *sec;
6253 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6256 sec->sid = current_sid();
6262 static void selinux_ib_free_security(void *ib_sec)
6268 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6269 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6270 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6271 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6272 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6274 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6275 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6276 LSM_HOOK_INIT(capget, selinux_capget),
6277 LSM_HOOK_INIT(capset, selinux_capset),
6278 LSM_HOOK_INIT(capable, selinux_capable),
6279 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6280 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6281 LSM_HOOK_INIT(syslog, selinux_syslog),
6282 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6284 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6286 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6287 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6288 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6289 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6291 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6292 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6293 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6294 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6295 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6296 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6297 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6298 LSM_HOOK_INIT(sb_mount, selinux_mount),
6299 LSM_HOOK_INIT(sb_umount, selinux_umount),
6300 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6301 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6302 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6304 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6305 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6307 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6308 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6309 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6310 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6311 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6312 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6313 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6314 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6315 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6316 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6317 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6318 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6319 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6320 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6321 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6322 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6323 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6324 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6325 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6326 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6327 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6328 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6329 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6330 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6331 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6332 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6333 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6335 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6336 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6337 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6338 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6339 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6340 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6341 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6342 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6343 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6344 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6345 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6346 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6348 LSM_HOOK_INIT(file_open, selinux_file_open),
6350 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6351 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6352 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6353 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6354 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6355 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6356 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6357 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6358 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6359 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6360 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6361 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6362 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6363 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6364 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6365 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6366 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6367 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6368 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6369 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6370 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6371 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6372 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6374 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6375 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6377 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6378 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6380 LSM_HOOK_INIT(msg_queue_alloc_security,
6381 selinux_msg_queue_alloc_security),
6382 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6383 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6384 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6385 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6386 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6388 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6389 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6390 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6391 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6392 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6394 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6395 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6396 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6397 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6398 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6400 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6402 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6403 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6405 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6406 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6407 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6408 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6409 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6410 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6411 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6412 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6414 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6415 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6417 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6418 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6419 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6420 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6421 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6422 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6423 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6424 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6425 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6426 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6427 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6428 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6429 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6430 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6431 LSM_HOOK_INIT(socket_getpeersec_stream,
6432 selinux_socket_getpeersec_stream),
6433 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6434 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6435 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6436 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6437 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6438 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6439 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6440 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6441 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6442 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6443 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6444 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6445 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6446 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6447 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6448 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6449 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6450 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6451 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6452 #ifdef CONFIG_SECURITY_INFINIBAND
6453 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6454 LSM_HOOK_INIT(ib_endport_manage_subnet,
6455 selinux_ib_endport_manage_subnet),
6456 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6457 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6459 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6460 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6461 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6462 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6463 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6464 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6465 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6466 selinux_xfrm_state_alloc_acquire),
6467 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6468 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6469 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6470 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6471 selinux_xfrm_state_pol_flow_match),
6472 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6476 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6477 LSM_HOOK_INIT(key_free, selinux_key_free),
6478 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6479 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6483 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6484 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6485 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6486 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6490 static __init int selinux_init(void)
6492 if (!security_module_enable("selinux")) {
6493 selinux_enabled = 0;
6497 if (!selinux_enabled) {
6498 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6502 printk(KERN_INFO "SELinux: Initializing.\n");
6504 /* Set the security state for the initial task. */
6505 cred_init_security();
6507 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6509 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6510 sizeof(struct inode_security_struct),
6511 0, SLAB_PANIC, NULL);
6512 file_security_cache = kmem_cache_create("selinux_file_security",
6513 sizeof(struct file_security_struct),
6514 0, SLAB_PANIC, NULL);
6517 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6519 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6520 panic("SELinux: Unable to register AVC netcache callback\n");
6522 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6523 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6525 if (selinux_enforcing)
6526 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6528 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6533 static void delayed_superblock_init(struct super_block *sb, void *unused)
6535 superblock_doinit(sb, NULL);
6538 void selinux_complete_init(void)
6540 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6542 /* Set up any superblocks initialized prior to the policy load. */
6543 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6544 iterate_supers(delayed_superblock_init, NULL);
6547 /* SELinux requires early initialization in order to label
6548 all processes and objects when they are created. */
6549 security_initcall(selinux_init);
6551 #if defined(CONFIG_NETFILTER)
6553 static struct nf_hook_ops selinux_nf_ops[] = {
6555 .hook = selinux_ipv4_postroute,
6557 .hooknum = NF_INET_POST_ROUTING,
6558 .priority = NF_IP_PRI_SELINUX_LAST,
6561 .hook = selinux_ipv4_forward,
6563 .hooknum = NF_INET_FORWARD,
6564 .priority = NF_IP_PRI_SELINUX_FIRST,
6567 .hook = selinux_ipv4_output,
6569 .hooknum = NF_INET_LOCAL_OUT,
6570 .priority = NF_IP_PRI_SELINUX_FIRST,
6572 #if IS_ENABLED(CONFIG_IPV6)
6574 .hook = selinux_ipv6_postroute,
6576 .hooknum = NF_INET_POST_ROUTING,
6577 .priority = NF_IP6_PRI_SELINUX_LAST,
6580 .hook = selinux_ipv6_forward,
6582 .hooknum = NF_INET_FORWARD,
6583 .priority = NF_IP6_PRI_SELINUX_FIRST,
6586 .hook = selinux_ipv6_output,
6588 .hooknum = NF_INET_LOCAL_OUT,
6589 .priority = NF_IP6_PRI_SELINUX_FIRST,
6594 static int __net_init selinux_nf_register(struct net *net)
6596 return nf_register_net_hooks(net, selinux_nf_ops,
6597 ARRAY_SIZE(selinux_nf_ops));
6600 static void __net_exit selinux_nf_unregister(struct net *net)
6602 nf_unregister_net_hooks(net, selinux_nf_ops,
6603 ARRAY_SIZE(selinux_nf_ops));
6606 static struct pernet_operations selinux_net_ops = {
6607 .init = selinux_nf_register,
6608 .exit = selinux_nf_unregister,
6611 static int __init selinux_nf_ip_init(void)
6615 if (!selinux_enabled)
6618 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6620 err = register_pernet_subsys(&selinux_net_ops);
6622 panic("SELinux: register_pernet_subsys: error %d\n", err);
6626 __initcall(selinux_nf_ip_init);
6628 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6629 static void selinux_nf_ip_exit(void)
6631 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6633 unregister_pernet_subsys(&selinux_net_ops);
6637 #else /* CONFIG_NETFILTER */
6639 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6640 #define selinux_nf_ip_exit()
6643 #endif /* CONFIG_NETFILTER */
6645 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6646 static int selinux_disabled;
6648 int selinux_disable(void)
6650 if (ss_initialized) {
6651 /* Not permitted after initial policy load. */
6655 if (selinux_disabled) {
6656 /* Only do this once. */
6660 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6662 selinux_disabled = 1;
6663 selinux_enabled = 0;
6665 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6667 /* Try to destroy the avc node cache */
6670 /* Unregister netfilter hooks. */
6671 selinux_nf_ip_exit();
6673 /* Unregister selinuxfs. */