2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
103 struct selinux_state selinux_state;
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
111 static int __init enforcing_setup(char *str)
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
118 __setup("enforcing=", enforcing_setup);
120 #define selinux_enforcing_boot 1
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
126 static int __init selinux_enabled_setup(char *str)
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
133 __setup("selinux=", selinux_enabled_setup);
135 int selinux_enabled = 1;
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 static int __init checkreqprot_setup(char *str)
143 unsigned long checkreqprot;
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
149 __setup("checkreqprot=", checkreqprot_setup);
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
165 static int selinux_secmark_enabled(void)
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
181 static int selinux_peerlbl_enabled(void)
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
187 static int selinux_netcache_avc_callback(u32 event)
189 if (event == AVC_CALLBACK_RESET) {
198 static int selinux_lsm_notifier_avc_callback(u32 event)
200 if (event == AVC_CALLBACK_RESET) {
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
209 * initialise the security for the init task
211 static void cred_init_security(void)
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
218 panic("SELinux: Failed to initialize initial task.\n");
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
225 * get the security ID of a set of credentials
227 static inline u32 cred_sid(const struct cred *cred)
229 const struct task_security_struct *tsec;
231 tsec = cred->security;
236 * get the objective security ID of a task
238 static inline u32 task_sid(const struct task_struct *task)
243 sid = cred_sid(__task_cred(task));
248 /* Allocate and free functions for each kind of security blob. */
250 static int inode_alloc_security(struct inode *inode)
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @dentry parameter should be set to a dentry of the inode.
279 static int __inode_security_revalidate(struct inode *inode,
280 struct dentry *dentry,
283 struct inode_security_struct *isec = inode->i_security;
285 might_sleep_if(may_sleep);
287 if (selinux_state.initialized &&
288 isec->initialized != LABEL_INITIALIZED) {
293 * Try reloading the inode security label. This will fail if
294 * @opt_dentry is NULL and no dentry for this inode can be
295 * found; in that case, continue using the old label.
297 inode_doinit_with_dentry(inode, dentry);
302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304 return inode->i_security;
307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
311 error = __inode_security_revalidate(inode, NULL, !rcu);
313 return ERR_PTR(error);
314 return inode->i_security;
318 * Get the security label of an inode.
320 static struct inode_security_struct *inode_security(struct inode *inode)
322 __inode_security_revalidate(inode, NULL, true);
323 return inode->i_security;
326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328 struct inode *inode = d_backing_inode(dentry);
330 return inode->i_security;
334 * Get the security label of a dentry's backing inode.
336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338 struct inode *inode = d_backing_inode(dentry);
340 __inode_security_revalidate(inode, dentry, true);
341 return inode->i_security;
344 static void inode_free_rcu(struct rcu_head *head)
346 struct inode_security_struct *isec;
348 isec = container_of(head, struct inode_security_struct, rcu);
349 kmem_cache_free(sel_inode_cache, isec);
352 static void inode_free_security(struct inode *inode)
354 struct inode_security_struct *isec = inode->i_security;
355 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
358 * As not all inode security structures are in a list, we check for
359 * empty list outside of the lock to make sure that we won't waste
360 * time taking a lock doing nothing.
362 * The list_del_init() function can be safely called more than once.
363 * It should not be possible for this function to be called with
364 * concurrent list_add(), but for better safety against future changes
365 * in the code, we use list_empty_careful() here.
367 if (!list_empty_careful(&isec->list)) {
368 spin_lock(&sbsec->isec_lock);
369 list_del_init(&isec->list);
370 spin_unlock(&sbsec->isec_lock);
374 * The inode may still be referenced in a path walk and
375 * a call to selinux_inode_permission() can be made
376 * after inode_free_security() is called. Ideally, the VFS
377 * wouldn't do this, but fixing that is a much harder
378 * job. For now, simply free the i_security via RCU, and
379 * leave the current inode->i_security pointer intact.
380 * The inode will be freed after the RCU grace period too.
382 call_rcu(&isec->rcu, inode_free_rcu);
385 static int file_alloc_security(struct file *file)
387 struct file_security_struct *fsec;
388 u32 sid = current_sid();
390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
395 fsec->fown_sid = sid;
396 file->f_security = fsec;
401 static void file_free_security(struct file *file)
403 struct file_security_struct *fsec = file->f_security;
404 file->f_security = NULL;
405 kmem_cache_free(file_security_cache, fsec);
408 static int superblock_alloc_security(struct super_block *sb)
410 struct superblock_security_struct *sbsec;
412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
416 mutex_init(&sbsec->lock);
417 INIT_LIST_HEAD(&sbsec->isec_head);
418 spin_lock_init(&sbsec->isec_lock);
420 sbsec->sid = SECINITSID_UNLABELED;
421 sbsec->def_sid = SECINITSID_FILE;
422 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423 sb->s_security = sbsec;
428 static void superblock_free_security(struct super_block *sb)
430 struct superblock_security_struct *sbsec = sb->s_security;
431 sb->s_security = NULL;
435 static inline int inode_doinit(struct inode *inode)
437 return inode_doinit_with_dentry(inode, NULL);
446 Opt_labelsupport = 5,
450 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
452 static const match_table_t tokens = {
453 {Opt_context, CONTEXT_STR "%s"},
454 {Opt_fscontext, FSCONTEXT_STR "%s"},
455 {Opt_defcontext, DEFCONTEXT_STR "%s"},
456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457 {Opt_labelsupport, LABELSUPP_STR},
461 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
463 static int may_context_mount_sb_relabel(u32 sid,
464 struct superblock_security_struct *sbsec,
465 const struct cred *cred)
467 const struct task_security_struct *tsec = cred->security;
470 rc = avc_has_perm(&selinux_state,
471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 FILESYSTEM__RELABELFROM, NULL);
476 rc = avc_has_perm(&selinux_state,
477 tsec->sid, sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__RELABELTO, NULL);
482 static int may_context_mount_inode_relabel(u32 sid,
483 struct superblock_security_struct *sbsec,
484 const struct cred *cred)
486 const struct task_security_struct *tsec = cred->security;
488 rc = avc_has_perm(&selinux_state,
489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 FILESYSTEM__RELABELFROM, NULL);
494 rc = avc_has_perm(&selinux_state,
495 sid, sbsec->sid, SECCLASS_FILESYSTEM,
496 FILESYSTEM__ASSOCIATE, NULL);
500 static int selinux_is_sblabel_mnt(struct super_block *sb)
502 struct superblock_security_struct *sbsec = sb->s_security;
504 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
505 sbsec->behavior == SECURITY_FS_USE_TRANS ||
506 sbsec->behavior == SECURITY_FS_USE_TASK ||
507 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
508 /* Special handling. Genfs but also in-core setxattr handler */
509 !strcmp(sb->s_type->name, "sysfs") ||
510 !strcmp(sb->s_type->name, "pstore") ||
511 !strcmp(sb->s_type->name, "debugfs") ||
512 !strcmp(sb->s_type->name, "tracefs") ||
513 !strcmp(sb->s_type->name, "rootfs") ||
514 (selinux_policycap_cgroupseclabel() &&
515 (!strcmp(sb->s_type->name, "cgroup") ||
516 !strcmp(sb->s_type->name, "cgroup2")));
519 static int sb_finish_set_opts(struct super_block *sb)
521 struct superblock_security_struct *sbsec = sb->s_security;
522 struct dentry *root = sb->s_root;
523 struct inode *root_inode = d_backing_inode(root);
526 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
527 /* Make sure that the xattr handler exists and that no
528 error other than -ENODATA is returned by getxattr on
529 the root directory. -ENODATA is ok, as this may be
530 the first boot of the SELinux kernel before we have
531 assigned xattr values to the filesystem. */
532 if (!(root_inode->i_opflags & IOP_XATTR)) {
533 pr_warn("SELinux: (dev %s, type %s) has no "
534 "xattr support\n", sb->s_id, sb->s_type->name);
539 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
540 if (rc < 0 && rc != -ENODATA) {
541 if (rc == -EOPNOTSUPP)
542 pr_warn("SELinux: (dev %s, type "
543 "%s) has no security xattr handler\n",
544 sb->s_id, sb->s_type->name);
546 pr_warn("SELinux: (dev %s, type "
547 "%s) getxattr errno %d\n", sb->s_id,
548 sb->s_type->name, -rc);
553 sbsec->flags |= SE_SBINITIALIZED;
556 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
557 * leave the flag untouched because sb_clone_mnt_opts might be handing
558 * us a superblock that needs the flag to be cleared.
560 if (selinux_is_sblabel_mnt(sb))
561 sbsec->flags |= SBLABEL_MNT;
563 sbsec->flags &= ~SBLABEL_MNT;
565 /* Initialize the root inode. */
566 rc = inode_doinit_with_dentry(root_inode, root);
568 /* Initialize any other inodes associated with the superblock, e.g.
569 inodes created prior to initial policy load or inodes created
570 during get_sb by a pseudo filesystem that directly
572 spin_lock(&sbsec->isec_lock);
574 if (!list_empty(&sbsec->isec_head)) {
575 struct inode_security_struct *isec =
576 list_entry(sbsec->isec_head.next,
577 struct inode_security_struct, list);
578 struct inode *inode = isec->inode;
579 list_del_init(&isec->list);
580 spin_unlock(&sbsec->isec_lock);
581 inode = igrab(inode);
583 if (!IS_PRIVATE(inode))
587 spin_lock(&sbsec->isec_lock);
590 spin_unlock(&sbsec->isec_lock);
596 * This function should allow an FS to ask what it's mount security
597 * options were so it can use those later for submounts, displaying
598 * mount options, or whatever.
600 static int selinux_get_mnt_opts(const struct super_block *sb,
601 struct security_mnt_opts *opts)
604 struct superblock_security_struct *sbsec = sb->s_security;
605 char *context = NULL;
609 security_init_mnt_opts(opts);
611 if (!(sbsec->flags & SE_SBINITIALIZED))
614 if (!selinux_state.initialized)
617 /* make sure we always check enough bits to cover the mask */
618 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
620 tmp = sbsec->flags & SE_MNTMASK;
621 /* count the number of mount options for this sb */
622 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
624 opts->num_mnt_opts++;
627 /* Check if the Label support flag is set */
628 if (sbsec->flags & SBLABEL_MNT)
629 opts->num_mnt_opts++;
631 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
632 if (!opts->mnt_opts) {
637 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
638 if (!opts->mnt_opts_flags) {
644 if (sbsec->flags & FSCONTEXT_MNT) {
645 rc = security_sid_to_context(&selinux_state, sbsec->sid,
649 opts->mnt_opts[i] = context;
650 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
652 if (sbsec->flags & CONTEXT_MNT) {
653 rc = security_sid_to_context(&selinux_state,
658 opts->mnt_opts[i] = context;
659 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
661 if (sbsec->flags & DEFCONTEXT_MNT) {
662 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
666 opts->mnt_opts[i] = context;
667 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
669 if (sbsec->flags & ROOTCONTEXT_MNT) {
670 struct dentry *root = sbsec->sb->s_root;
671 struct inode_security_struct *isec = backing_inode_security(root);
673 rc = security_sid_to_context(&selinux_state, isec->sid,
677 opts->mnt_opts[i] = context;
678 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
680 if (sbsec->flags & SBLABEL_MNT) {
681 opts->mnt_opts[i] = NULL;
682 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
685 BUG_ON(i != opts->num_mnt_opts);
690 security_free_mnt_opts(opts);
694 static int bad_option(struct superblock_security_struct *sbsec, char flag,
695 u32 old_sid, u32 new_sid)
697 char mnt_flags = sbsec->flags & SE_MNTMASK;
699 /* check if the old mount command had the same options */
700 if (sbsec->flags & SE_SBINITIALIZED)
701 if (!(sbsec->flags & flag) ||
702 (old_sid != new_sid))
705 /* check if we were passed the same options twice,
706 * aka someone passed context=a,context=b
708 if (!(sbsec->flags & SE_SBINITIALIZED))
709 if (mnt_flags & flag)
715 * Allow filesystems with binary mount data to explicitly set mount point
716 * labeling information.
718 static int selinux_set_mnt_opts(struct super_block *sb,
719 struct security_mnt_opts *opts,
720 unsigned long kern_flags,
721 unsigned long *set_kern_flags)
723 const struct cred *cred = current_cred();
725 struct superblock_security_struct *sbsec = sb->s_security;
726 const char *name = sb->s_type->name;
727 struct dentry *root = sbsec->sb->s_root;
728 struct inode_security_struct *root_isec;
729 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
730 u32 defcontext_sid = 0;
731 char **mount_options = opts->mnt_opts;
732 int *flags = opts->mnt_opts_flags;
733 int num_opts = opts->num_mnt_opts;
735 mutex_lock(&sbsec->lock);
737 if (!selinux_state.initialized) {
739 /* Defer initialization until selinux_complete_init,
740 after the initial policy is loaded and the security
741 server is ready to handle calls. */
745 pr_warn("SELinux: Unable to set superblock options "
746 "before the security server is initialized\n");
749 if (kern_flags && !set_kern_flags) {
750 /* Specifying internal flags without providing a place to
751 * place the results is not allowed */
757 * Binary mount data FS will come through this function twice. Once
758 * from an explicit call and once from the generic calls from the vfs.
759 * Since the generic VFS calls will not contain any security mount data
760 * we need to skip the double mount verification.
762 * This does open a hole in which we will not notice if the first
763 * mount using this sb set explict options and a second mount using
764 * this sb does not set any security options. (The first options
765 * will be used for both mounts)
767 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
771 root_isec = backing_inode_security_novalidate(root);
774 * parse the mount options, check if they are valid sids.
775 * also check if someone is trying to mount the same sb more
776 * than once with different security options.
778 for (i = 0; i < num_opts; i++) {
781 if (flags[i] == SBLABEL_MNT)
783 rc = security_context_str_to_sid(&selinux_state,
784 mount_options[i], &sid,
787 pr_warn("SELinux: security_context_str_to_sid"
788 "(%s) failed for (dev %s, type %s) errno=%d\n",
789 mount_options[i], sb->s_id, name, rc);
796 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
798 goto out_double_mount;
800 sbsec->flags |= FSCONTEXT_MNT;
805 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
807 goto out_double_mount;
809 sbsec->flags |= CONTEXT_MNT;
811 case ROOTCONTEXT_MNT:
812 rootcontext_sid = sid;
814 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
816 goto out_double_mount;
818 sbsec->flags |= ROOTCONTEXT_MNT;
822 defcontext_sid = sid;
824 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
826 goto out_double_mount;
828 sbsec->flags |= DEFCONTEXT_MNT;
837 if (sbsec->flags & SE_SBINITIALIZED) {
838 /* previously mounted with options, but not on this attempt? */
839 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
840 goto out_double_mount;
845 if (strcmp(sb->s_type->name, "proc") == 0)
846 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
848 if (!strcmp(sb->s_type->name, "debugfs") ||
849 !strcmp(sb->s_type->name, "tracefs") ||
850 !strcmp(sb->s_type->name, "sysfs") ||
851 !strcmp(sb->s_type->name, "pstore") ||
852 !strcmp(sb->s_type->name, "cgroup") ||
853 !strcmp(sb->s_type->name, "cgroup2"))
854 sbsec->flags |= SE_SBGENFS;
856 if (!sbsec->behavior) {
858 * Determine the labeling behavior to use for this
861 rc = security_fs_use(&selinux_state, sb);
863 pr_warn("%s: security_fs_use(%s) returned %d\n",
864 __func__, sb->s_type->name, rc);
870 * If this is a user namespace mount and the filesystem type is not
871 * explicitly whitelisted, then no contexts are allowed on the command
872 * line and security labels must be ignored.
874 if (sb->s_user_ns != &init_user_ns &&
875 strcmp(sb->s_type->name, "tmpfs") &&
876 strcmp(sb->s_type->name, "ramfs") &&
877 strcmp(sb->s_type->name, "devpts")) {
878 if (context_sid || fscontext_sid || rootcontext_sid ||
883 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
884 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
885 rc = security_transition_sid(&selinux_state,
889 &sbsec->mntpoint_sid);
896 /* sets the context of the superblock for the fs being mounted. */
898 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
902 sbsec->sid = fscontext_sid;
906 * Switch to using mount point labeling behavior.
907 * sets the label used on all file below the mountpoint, and will set
908 * the superblock context if not already set.
910 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
911 sbsec->behavior = SECURITY_FS_USE_NATIVE;
912 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
916 if (!fscontext_sid) {
917 rc = may_context_mount_sb_relabel(context_sid, sbsec,
921 sbsec->sid = context_sid;
923 rc = may_context_mount_inode_relabel(context_sid, sbsec,
928 if (!rootcontext_sid)
929 rootcontext_sid = context_sid;
931 sbsec->mntpoint_sid = context_sid;
932 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
935 if (rootcontext_sid) {
936 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
941 root_isec->sid = rootcontext_sid;
942 root_isec->initialized = LABEL_INITIALIZED;
945 if (defcontext_sid) {
946 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
947 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
949 pr_warn("SELinux: defcontext option is "
950 "invalid for this filesystem type\n");
954 if (defcontext_sid != sbsec->def_sid) {
955 rc = may_context_mount_inode_relabel(defcontext_sid,
961 sbsec->def_sid = defcontext_sid;
965 rc = sb_finish_set_opts(sb);
967 mutex_unlock(&sbsec->lock);
971 pr_warn("SELinux: mount invalid. Same superblock, different "
972 "security settings for (dev %s, type %s)\n", sb->s_id, name);
976 static int selinux_cmp_sb_context(const struct super_block *oldsb,
977 const struct super_block *newsb)
979 struct superblock_security_struct *old = oldsb->s_security;
980 struct superblock_security_struct *new = newsb->s_security;
981 char oldflags = old->flags & SE_MNTMASK;
982 char newflags = new->flags & SE_MNTMASK;
984 if (oldflags != newflags)
986 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
988 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
990 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
992 if (oldflags & ROOTCONTEXT_MNT) {
993 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
994 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
995 if (oldroot->sid != newroot->sid)
1000 pr_warn("SELinux: mount invalid. Same superblock, "
1001 "different security settings for (dev %s, "
1002 "type %s)\n", newsb->s_id, newsb->s_type->name);
1006 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1007 struct super_block *newsb,
1008 unsigned long kern_flags,
1009 unsigned long *set_kern_flags)
1012 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1013 struct superblock_security_struct *newsbsec = newsb->s_security;
1015 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1016 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1017 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1020 * if the parent was able to be mounted it clearly had no special lsm
1021 * mount options. thus we can safely deal with this superblock later
1023 if (!selinux_state.initialized)
1027 * Specifying internal flags without providing a place to
1028 * place the results is not allowed.
1030 if (kern_flags && !set_kern_flags)
1033 /* how can we clone if the old one wasn't set up?? */
1034 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1036 /* if fs is reusing a sb, make sure that the contexts match */
1037 if (newsbsec->flags & SE_SBINITIALIZED)
1038 return selinux_cmp_sb_context(oldsb, newsb);
1040 mutex_lock(&newsbsec->lock);
1042 newsbsec->flags = oldsbsec->flags;
1044 newsbsec->sid = oldsbsec->sid;
1045 newsbsec->def_sid = oldsbsec->def_sid;
1046 newsbsec->behavior = oldsbsec->behavior;
1048 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1049 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1050 rc = security_fs_use(&selinux_state, newsb);
1055 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1056 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1057 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1061 u32 sid = oldsbsec->mntpoint_sid;
1064 newsbsec->sid = sid;
1065 if (!set_rootcontext) {
1066 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1069 newsbsec->mntpoint_sid = sid;
1071 if (set_rootcontext) {
1072 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1073 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1075 newisec->sid = oldisec->sid;
1078 sb_finish_set_opts(newsb);
1080 mutex_unlock(&newsbsec->lock);
1084 static int selinux_parse_opts_str(char *options,
1085 struct security_mnt_opts *opts)
1088 char *context = NULL, *defcontext = NULL;
1089 char *fscontext = NULL, *rootcontext = NULL;
1090 int rc, num_mnt_opts = 0;
1092 opts->num_mnt_opts = 0;
1094 /* Standard string-based options. */
1095 while ((p = strsep(&options, "|")) != NULL) {
1097 substring_t args[MAX_OPT_ARGS];
1102 token = match_token(p, tokens, args);
1106 if (context || defcontext) {
1108 pr_warn(SEL_MOUNT_FAIL_MSG);
1111 context = match_strdup(&args[0]);
1121 pr_warn(SEL_MOUNT_FAIL_MSG);
1124 fscontext = match_strdup(&args[0]);
1131 case Opt_rootcontext:
1134 pr_warn(SEL_MOUNT_FAIL_MSG);
1137 rootcontext = match_strdup(&args[0]);
1144 case Opt_defcontext:
1145 if (context || defcontext) {
1147 pr_warn(SEL_MOUNT_FAIL_MSG);
1150 defcontext = match_strdup(&args[0]);
1156 case Opt_labelsupport:
1160 pr_warn("SELinux: unknown mount option\n");
1167 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1168 if (!opts->mnt_opts)
1171 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1173 if (!opts->mnt_opts_flags)
1177 opts->mnt_opts[num_mnt_opts] = fscontext;
1178 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1181 opts->mnt_opts[num_mnt_opts] = context;
1182 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1185 opts->mnt_opts[num_mnt_opts] = rootcontext;
1186 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1189 opts->mnt_opts[num_mnt_opts] = defcontext;
1190 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1193 opts->num_mnt_opts = num_mnt_opts;
1197 security_free_mnt_opts(opts);
1205 * string mount options parsing and call set the sbsec
1207 static int superblock_doinit(struct super_block *sb, void *data)
1210 char *options = data;
1211 struct security_mnt_opts opts;
1213 security_init_mnt_opts(&opts);
1218 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1220 rc = selinux_parse_opts_str(options, &opts);
1225 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1228 security_free_mnt_opts(&opts);
1232 static void selinux_write_opts(struct seq_file *m,
1233 struct security_mnt_opts *opts)
1238 for (i = 0; i < opts->num_mnt_opts; i++) {
1241 if (opts->mnt_opts[i])
1242 has_comma = strchr(opts->mnt_opts[i], ',');
1246 switch (opts->mnt_opts_flags[i]) {
1248 prefix = CONTEXT_STR;
1251 prefix = FSCONTEXT_STR;
1253 case ROOTCONTEXT_MNT:
1254 prefix = ROOTCONTEXT_STR;
1256 case DEFCONTEXT_MNT:
1257 prefix = DEFCONTEXT_STR;
1261 seq_puts(m, LABELSUPP_STR);
1267 /* we need a comma before each option */
1269 seq_puts(m, prefix);
1272 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1278 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1280 struct security_mnt_opts opts;
1283 rc = selinux_get_mnt_opts(sb, &opts);
1285 /* before policy load we may get EINVAL, don't show anything */
1291 selinux_write_opts(m, &opts);
1293 security_free_mnt_opts(&opts);
1298 static inline u16 inode_mode_to_security_class(umode_t mode)
1300 switch (mode & S_IFMT) {
1302 return SECCLASS_SOCK_FILE;
1304 return SECCLASS_LNK_FILE;
1306 return SECCLASS_FILE;
1308 return SECCLASS_BLK_FILE;
1310 return SECCLASS_DIR;
1312 return SECCLASS_CHR_FILE;
1314 return SECCLASS_FIFO_FILE;
1318 return SECCLASS_FILE;
1321 static inline int default_protocol_stream(int protocol)
1323 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1326 static inline int default_protocol_dgram(int protocol)
1328 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1331 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1333 int extsockclass = selinux_policycap_extsockclass();
1339 case SOCK_SEQPACKET:
1340 return SECCLASS_UNIX_STREAM_SOCKET;
1343 return SECCLASS_UNIX_DGRAM_SOCKET;
1350 case SOCK_SEQPACKET:
1351 if (default_protocol_stream(protocol))
1352 return SECCLASS_TCP_SOCKET;
1353 else if (extsockclass && protocol == IPPROTO_SCTP)
1354 return SECCLASS_SCTP_SOCKET;
1356 return SECCLASS_RAWIP_SOCKET;
1358 if (default_protocol_dgram(protocol))
1359 return SECCLASS_UDP_SOCKET;
1360 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1361 protocol == IPPROTO_ICMPV6))
1362 return SECCLASS_ICMP_SOCKET;
1364 return SECCLASS_RAWIP_SOCKET;
1366 return SECCLASS_DCCP_SOCKET;
1368 return SECCLASS_RAWIP_SOCKET;
1374 return SECCLASS_NETLINK_ROUTE_SOCKET;
1375 case NETLINK_SOCK_DIAG:
1376 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1378 return SECCLASS_NETLINK_NFLOG_SOCKET;
1380 return SECCLASS_NETLINK_XFRM_SOCKET;
1381 case NETLINK_SELINUX:
1382 return SECCLASS_NETLINK_SELINUX_SOCKET;
1384 return SECCLASS_NETLINK_ISCSI_SOCKET;
1386 return SECCLASS_NETLINK_AUDIT_SOCKET;
1387 case NETLINK_FIB_LOOKUP:
1388 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1389 case NETLINK_CONNECTOR:
1390 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1391 case NETLINK_NETFILTER:
1392 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1393 case NETLINK_DNRTMSG:
1394 return SECCLASS_NETLINK_DNRT_SOCKET;
1395 case NETLINK_KOBJECT_UEVENT:
1396 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1397 case NETLINK_GENERIC:
1398 return SECCLASS_NETLINK_GENERIC_SOCKET;
1399 case NETLINK_SCSITRANSPORT:
1400 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1402 return SECCLASS_NETLINK_RDMA_SOCKET;
1403 case NETLINK_CRYPTO:
1404 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1406 return SECCLASS_NETLINK_SOCKET;
1409 return SECCLASS_PACKET_SOCKET;
1411 return SECCLASS_KEY_SOCKET;
1413 return SECCLASS_APPLETALK_SOCKET;
1419 return SECCLASS_AX25_SOCKET;
1421 return SECCLASS_IPX_SOCKET;
1423 return SECCLASS_NETROM_SOCKET;
1425 return SECCLASS_ATMPVC_SOCKET;
1427 return SECCLASS_X25_SOCKET;
1429 return SECCLASS_ROSE_SOCKET;
1431 return SECCLASS_DECNET_SOCKET;
1433 return SECCLASS_ATMSVC_SOCKET;
1435 return SECCLASS_RDS_SOCKET;
1437 return SECCLASS_IRDA_SOCKET;
1439 return SECCLASS_PPPOX_SOCKET;
1441 return SECCLASS_LLC_SOCKET;
1443 return SECCLASS_CAN_SOCKET;
1445 return SECCLASS_TIPC_SOCKET;
1447 return SECCLASS_BLUETOOTH_SOCKET;
1449 return SECCLASS_IUCV_SOCKET;
1451 return SECCLASS_RXRPC_SOCKET;
1453 return SECCLASS_ISDN_SOCKET;
1455 return SECCLASS_PHONET_SOCKET;
1457 return SECCLASS_IEEE802154_SOCKET;
1459 return SECCLASS_CAIF_SOCKET;
1461 return SECCLASS_ALG_SOCKET;
1463 return SECCLASS_NFC_SOCKET;
1465 return SECCLASS_VSOCK_SOCKET;
1467 return SECCLASS_KCM_SOCKET;
1469 return SECCLASS_QIPCRTR_SOCKET;
1471 return SECCLASS_SMC_SOCKET;
1473 return SECCLASS_XDP_SOCKET;
1475 #error New address family defined, please update this function.
1480 return SECCLASS_SOCKET;
1483 static int selinux_genfs_get_sid(struct dentry *dentry,
1489 struct super_block *sb = dentry->d_sb;
1490 char *buffer, *path;
1492 buffer = (char *)__get_free_page(GFP_KERNEL);
1496 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1500 if (flags & SE_SBPROC) {
1501 /* each process gets a /proc/PID/ entry. Strip off the
1502 * PID part to get a valid selinux labeling.
1503 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1504 while (path[1] >= '0' && path[1] <= '9') {
1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1511 if (rc == -ENOENT) {
1512 /* No match in policy, mark as unlabeled. */
1513 *sid = SECINITSID_UNLABELED;
1517 free_page((unsigned long)buffer);
1521 /* The inode's security attributes must be initialized before first use. */
1522 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1524 struct superblock_security_struct *sbsec = NULL;
1525 struct inode_security_struct *isec = inode->i_security;
1526 u32 task_sid, sid = 0;
1528 struct dentry *dentry;
1529 #define INITCONTEXTLEN 255
1530 char *context = NULL;
1534 if (isec->initialized == LABEL_INITIALIZED)
1537 spin_lock(&isec->lock);
1538 if (isec->initialized == LABEL_INITIALIZED)
1541 if (isec->sclass == SECCLASS_FILE)
1542 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1544 sbsec = inode->i_sb->s_security;
1545 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1546 /* Defer initialization until selinux_complete_init,
1547 after the initial policy is loaded and the security
1548 server is ready to handle calls. */
1549 spin_lock(&sbsec->isec_lock);
1550 if (list_empty(&isec->list))
1551 list_add(&isec->list, &sbsec->isec_head);
1552 spin_unlock(&sbsec->isec_lock);
1556 sclass = isec->sclass;
1557 task_sid = isec->task_sid;
1559 isec->initialized = LABEL_PENDING;
1560 spin_unlock(&isec->lock);
1562 switch (sbsec->behavior) {
1563 case SECURITY_FS_USE_NATIVE:
1565 case SECURITY_FS_USE_XATTR:
1566 if (!(inode->i_opflags & IOP_XATTR)) {
1567 sid = sbsec->def_sid;
1570 /* Need a dentry, since the xattr API requires one.
1571 Life would be simpler if we could just pass the inode. */
1573 /* Called from d_instantiate or d_splice_alias. */
1574 dentry = dget(opt_dentry);
1577 * Called from selinux_complete_init, try to find a dentry.
1578 * Some filesystems really want a connected one, so try
1579 * that first. We could split SECURITY_FS_USE_XATTR in
1580 * two, depending upon that...
1582 dentry = d_find_alias(inode);
1584 dentry = d_find_any_alias(inode);
1588 * this is can be hit on boot when a file is accessed
1589 * before the policy is loaded. When we load policy we
1590 * may find inodes that have no dentry on the
1591 * sbsec->isec_head list. No reason to complain as these
1592 * will get fixed up the next time we go through
1593 * inode_doinit with a dentry, before these inodes could
1594 * be used again by userspace.
1599 len = INITCONTEXTLEN;
1600 context = kmalloc(len+1, GFP_NOFS);
1606 context[len] = '\0';
1607 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1608 if (rc == -ERANGE) {
1611 /* Need a larger buffer. Query for the right size. */
1612 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1618 context = kmalloc(len+1, GFP_NOFS);
1624 context[len] = '\0';
1625 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1629 if (rc != -ENODATA) {
1630 pr_warn("SELinux: %s: getxattr returned "
1631 "%d for dev=%s ino=%ld\n", __func__,
1632 -rc, inode->i_sb->s_id, inode->i_ino);
1636 /* Map ENODATA to the default file SID */
1637 sid = sbsec->def_sid;
1640 rc = security_context_to_sid_default(&selinux_state,
1645 char *dev = inode->i_sb->s_id;
1646 unsigned long ino = inode->i_ino;
1648 if (rc == -EINVAL) {
1649 if (printk_ratelimit())
1650 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1651 "context=%s. This indicates you may need to relabel the inode or the "
1652 "filesystem in question.\n", ino, dev, context);
1654 pr_warn("SELinux: %s: context_to_sid(%s) "
1655 "returned %d for dev=%s ino=%ld\n",
1656 __func__, context, -rc, dev, ino);
1659 /* Leave with the unlabeled SID */
1666 case SECURITY_FS_USE_TASK:
1669 case SECURITY_FS_USE_TRANS:
1670 /* Default to the fs SID. */
1673 /* Try to obtain a transition SID. */
1674 rc = security_transition_sid(&selinux_state, task_sid, sid,
1675 sclass, NULL, &sid);
1679 case SECURITY_FS_USE_MNTPOINT:
1680 sid = sbsec->mntpoint_sid;
1683 /* Default to the fs superblock SID. */
1686 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1687 /* We must have a dentry to determine the label on
1690 /* Called from d_instantiate or
1691 * d_splice_alias. */
1692 dentry = dget(opt_dentry);
1694 /* Called from selinux_complete_init, try to
1695 * find a dentry. Some filesystems really want
1696 * a connected one, so try that first.
1698 dentry = d_find_alias(inode);
1700 dentry = d_find_any_alias(inode);
1703 * This can be hit on boot when a file is accessed
1704 * before the policy is loaded. When we load policy we
1705 * may find inodes that have no dentry on the
1706 * sbsec->isec_head list. No reason to complain as
1707 * these will get fixed up the next time we go through
1708 * inode_doinit() with a dentry, before these inodes
1709 * could be used again by userspace.
1713 rc = selinux_genfs_get_sid(dentry, sclass,
1714 sbsec->flags, &sid);
1723 spin_lock(&isec->lock);
1724 if (isec->initialized == LABEL_PENDING) {
1726 isec->initialized = LABEL_INVALID;
1730 isec->initialized = LABEL_INITIALIZED;
1735 spin_unlock(&isec->lock);
1739 /* Convert a Linux signal to an access vector. */
1740 static inline u32 signal_to_av(int sig)
1746 /* Commonly granted from child to parent. */
1747 perm = PROCESS__SIGCHLD;
1750 /* Cannot be caught or ignored */
1751 perm = PROCESS__SIGKILL;
1754 /* Cannot be caught or ignored */
1755 perm = PROCESS__SIGSTOP;
1758 /* All other signals. */
1759 perm = PROCESS__SIGNAL;
1766 #if CAP_LAST_CAP > 63
1767 #error Fix SELinux to handle capabilities > 63.
1770 /* Check whether a task is allowed to use a capability. */
1771 static int cred_has_capability(const struct cred *cred,
1772 int cap, int audit, bool initns)
1774 struct common_audit_data ad;
1775 struct av_decision avd;
1777 u32 sid = cred_sid(cred);
1778 u32 av = CAP_TO_MASK(cap);
1781 ad.type = LSM_AUDIT_DATA_CAP;
1784 switch (CAP_TO_INDEX(cap)) {
1786 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1789 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1792 pr_err("SELinux: out of range capability %d\n", cap);
1797 rc = avc_has_perm_noaudit(&selinux_state,
1798 sid, sid, sclass, av, 0, &avd);
1799 if (audit == SECURITY_CAP_AUDIT) {
1800 int rc2 = avc_audit(&selinux_state,
1801 sid, sid, sclass, av, &avd, rc, &ad, 0);
1808 /* Check whether a task has a particular permission to an inode.
1809 The 'adp' parameter is optional and allows other audit
1810 data to be passed (e.g. the dentry). */
1811 static int inode_has_perm(const struct cred *cred,
1812 struct inode *inode,
1814 struct common_audit_data *adp)
1816 struct inode_security_struct *isec;
1819 validate_creds(cred);
1821 if (unlikely(IS_PRIVATE(inode)))
1824 sid = cred_sid(cred);
1825 isec = inode->i_security;
1827 return avc_has_perm(&selinux_state,
1828 sid, isec->sid, isec->sclass, perms, adp);
1831 /* Same as inode_has_perm, but pass explicit audit data containing
1832 the dentry to help the auditing code to more easily generate the
1833 pathname if needed. */
1834 static inline int dentry_has_perm(const struct cred *cred,
1835 struct dentry *dentry,
1838 struct inode *inode = d_backing_inode(dentry);
1839 struct common_audit_data ad;
1841 ad.type = LSM_AUDIT_DATA_DENTRY;
1842 ad.u.dentry = dentry;
1843 __inode_security_revalidate(inode, dentry, true);
1844 return inode_has_perm(cred, inode, av, &ad);
1847 /* Same as inode_has_perm, but pass explicit audit data containing
1848 the path to help the auditing code to more easily generate the
1849 pathname if needed. */
1850 static inline int path_has_perm(const struct cred *cred,
1851 const struct path *path,
1854 struct inode *inode = d_backing_inode(path->dentry);
1855 struct common_audit_data ad;
1857 ad.type = LSM_AUDIT_DATA_PATH;
1859 __inode_security_revalidate(inode, path->dentry, true);
1860 return inode_has_perm(cred, inode, av, &ad);
1863 /* Same as path_has_perm, but uses the inode from the file struct. */
1864 static inline int file_path_has_perm(const struct cred *cred,
1868 struct common_audit_data ad;
1870 ad.type = LSM_AUDIT_DATA_FILE;
1872 return inode_has_perm(cred, file_inode(file), av, &ad);
1875 #ifdef CONFIG_BPF_SYSCALL
1876 static int bpf_fd_pass(struct file *file, u32 sid);
1879 /* Check whether a task can use an open file descriptor to
1880 access an inode in a given way. Check access to the
1881 descriptor itself, and then use dentry_has_perm to
1882 check a particular permission to the file.
1883 Access to the descriptor is implicitly granted if it
1884 has the same SID as the process. If av is zero, then
1885 access to the file is not checked, e.g. for cases
1886 where only the descriptor is affected like seek. */
1887 static int file_has_perm(const struct cred *cred,
1891 struct file_security_struct *fsec = file->f_security;
1892 struct inode *inode = file_inode(file);
1893 struct common_audit_data ad;
1894 u32 sid = cred_sid(cred);
1897 ad.type = LSM_AUDIT_DATA_FILE;
1900 if (sid != fsec->sid) {
1901 rc = avc_has_perm(&selinux_state,
1910 #ifdef CONFIG_BPF_SYSCALL
1911 rc = bpf_fd_pass(file, cred_sid(cred));
1916 /* av is zero if only checking access to the descriptor. */
1919 rc = inode_has_perm(cred, inode, av, &ad);
1926 * Determine the label for an inode that might be unioned.
1929 selinux_determine_inode_label(const struct task_security_struct *tsec,
1931 const struct qstr *name, u16 tclass,
1934 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1936 if ((sbsec->flags & SE_SBINITIALIZED) &&
1937 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1938 *_new_isid = sbsec->mntpoint_sid;
1939 } else if ((sbsec->flags & SBLABEL_MNT) &&
1941 *_new_isid = tsec->create_sid;
1943 const struct inode_security_struct *dsec = inode_security(dir);
1944 return security_transition_sid(&selinux_state, tsec->sid,
1952 /* Check whether a task can create a file. */
1953 static int may_create(struct inode *dir,
1954 struct dentry *dentry,
1957 const struct task_security_struct *tsec = current_security();
1958 struct inode_security_struct *dsec;
1959 struct superblock_security_struct *sbsec;
1961 struct common_audit_data ad;
1964 dsec = inode_security(dir);
1965 sbsec = dir->i_sb->s_security;
1969 ad.type = LSM_AUDIT_DATA_DENTRY;
1970 ad.u.dentry = dentry;
1972 rc = avc_has_perm(&selinux_state,
1973 sid, dsec->sid, SECCLASS_DIR,
1974 DIR__ADD_NAME | DIR__SEARCH,
1979 rc = selinux_determine_inode_label(current_security(), dir,
1980 &dentry->d_name, tclass, &newsid);
1984 rc = avc_has_perm(&selinux_state,
1985 sid, newsid, tclass, FILE__CREATE, &ad);
1989 return avc_has_perm(&selinux_state,
1991 SECCLASS_FILESYSTEM,
1992 FILESYSTEM__ASSOCIATE, &ad);
1996 #define MAY_UNLINK 1
1999 /* Check whether a task can link, unlink, or rmdir a file/directory. */
2000 static int may_link(struct inode *dir,
2001 struct dentry *dentry,
2005 struct inode_security_struct *dsec, *isec;
2006 struct common_audit_data ad;
2007 u32 sid = current_sid();
2011 dsec = inode_security(dir);
2012 isec = backing_inode_security(dentry);
2014 ad.type = LSM_AUDIT_DATA_DENTRY;
2015 ad.u.dentry = dentry;
2018 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2019 rc = avc_has_perm(&selinux_state,
2020 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2035 pr_warn("SELinux: %s: unrecognized kind %d\n",
2040 rc = avc_has_perm(&selinux_state,
2041 sid, isec->sid, isec->sclass, av, &ad);
2045 static inline int may_rename(struct inode *old_dir,
2046 struct dentry *old_dentry,
2047 struct inode *new_dir,
2048 struct dentry *new_dentry)
2050 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2051 struct common_audit_data ad;
2052 u32 sid = current_sid();
2054 int old_is_dir, new_is_dir;
2057 old_dsec = inode_security(old_dir);
2058 old_isec = backing_inode_security(old_dentry);
2059 old_is_dir = d_is_dir(old_dentry);
2060 new_dsec = inode_security(new_dir);
2062 ad.type = LSM_AUDIT_DATA_DENTRY;
2064 ad.u.dentry = old_dentry;
2065 rc = avc_has_perm(&selinux_state,
2066 sid, old_dsec->sid, SECCLASS_DIR,
2067 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2070 rc = avc_has_perm(&selinux_state,
2072 old_isec->sclass, FILE__RENAME, &ad);
2075 if (old_is_dir && new_dir != old_dir) {
2076 rc = avc_has_perm(&selinux_state,
2078 old_isec->sclass, DIR__REPARENT, &ad);
2083 ad.u.dentry = new_dentry;
2084 av = DIR__ADD_NAME | DIR__SEARCH;
2085 if (d_is_positive(new_dentry))
2086 av |= DIR__REMOVE_NAME;
2087 rc = avc_has_perm(&selinux_state,
2088 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2091 if (d_is_positive(new_dentry)) {
2092 new_isec = backing_inode_security(new_dentry);
2093 new_is_dir = d_is_dir(new_dentry);
2094 rc = avc_has_perm(&selinux_state,
2097 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2105 /* Check whether a task can perform a filesystem operation. */
2106 static int superblock_has_perm(const struct cred *cred,
2107 struct super_block *sb,
2109 struct common_audit_data *ad)
2111 struct superblock_security_struct *sbsec;
2112 u32 sid = cred_sid(cred);
2114 sbsec = sb->s_security;
2115 return avc_has_perm(&selinux_state,
2116 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2119 /* Convert a Linux mode and permission mask to an access vector. */
2120 static inline u32 file_mask_to_av(int mode, int mask)
2124 if (!S_ISDIR(mode)) {
2125 if (mask & MAY_EXEC)
2126 av |= FILE__EXECUTE;
2127 if (mask & MAY_READ)
2130 if (mask & MAY_APPEND)
2132 else if (mask & MAY_WRITE)
2136 if (mask & MAY_EXEC)
2138 if (mask & MAY_WRITE)
2140 if (mask & MAY_READ)
2147 /* Convert a Linux file to an access vector. */
2148 static inline u32 file_to_av(struct file *file)
2152 if (file->f_mode & FMODE_READ)
2154 if (file->f_mode & FMODE_WRITE) {
2155 if (file->f_flags & O_APPEND)
2162 * Special file opened with flags 3 for ioctl-only use.
2171 * Convert a file to an access vector and include the correct open
2174 static inline u32 open_file_to_av(struct file *file)
2176 u32 av = file_to_av(file);
2177 struct inode *inode = file_inode(file);
2179 if (selinux_policycap_openperm() &&
2180 inode->i_sb->s_magic != SOCKFS_MAGIC)
2186 /* Hook functions begin here. */
2188 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2190 u32 mysid = current_sid();
2191 u32 mgrsid = task_sid(mgr);
2193 return avc_has_perm(&selinux_state,
2194 mysid, mgrsid, SECCLASS_BINDER,
2195 BINDER__SET_CONTEXT_MGR, NULL);
2198 static int selinux_binder_transaction(struct task_struct *from,
2199 struct task_struct *to)
2201 u32 mysid = current_sid();
2202 u32 fromsid = task_sid(from);
2203 u32 tosid = task_sid(to);
2206 if (mysid != fromsid) {
2207 rc = avc_has_perm(&selinux_state,
2208 mysid, fromsid, SECCLASS_BINDER,
2209 BINDER__IMPERSONATE, NULL);
2214 return avc_has_perm(&selinux_state,
2215 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2219 static int selinux_binder_transfer_binder(struct task_struct *from,
2220 struct task_struct *to)
2222 u32 fromsid = task_sid(from);
2223 u32 tosid = task_sid(to);
2225 return avc_has_perm(&selinux_state,
2226 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2230 static int selinux_binder_transfer_file(struct task_struct *from,
2231 struct task_struct *to,
2234 u32 sid = task_sid(to);
2235 struct file_security_struct *fsec = file->f_security;
2236 struct dentry *dentry = file->f_path.dentry;
2237 struct inode_security_struct *isec;
2238 struct common_audit_data ad;
2241 ad.type = LSM_AUDIT_DATA_PATH;
2242 ad.u.path = file->f_path;
2244 if (sid != fsec->sid) {
2245 rc = avc_has_perm(&selinux_state,
2254 #ifdef CONFIG_BPF_SYSCALL
2255 rc = bpf_fd_pass(file, sid);
2260 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2263 isec = backing_inode_security(dentry);
2264 return avc_has_perm(&selinux_state,
2265 sid, isec->sid, isec->sclass, file_to_av(file),
2269 static int selinux_ptrace_access_check(struct task_struct *child,
2272 u32 sid = current_sid();
2273 u32 csid = task_sid(child);
2275 if (mode & PTRACE_MODE_READ)
2276 return avc_has_perm(&selinux_state,
2277 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2279 return avc_has_perm(&selinux_state,
2280 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2283 static int selinux_ptrace_traceme(struct task_struct *parent)
2285 return avc_has_perm(&selinux_state,
2286 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2287 PROCESS__PTRACE, NULL);
2290 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2291 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2293 return avc_has_perm(&selinux_state,
2294 current_sid(), task_sid(target), SECCLASS_PROCESS,
2295 PROCESS__GETCAP, NULL);
2298 static int selinux_capset(struct cred *new, const struct cred *old,
2299 const kernel_cap_t *effective,
2300 const kernel_cap_t *inheritable,
2301 const kernel_cap_t *permitted)
2303 return avc_has_perm(&selinux_state,
2304 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2305 PROCESS__SETCAP, NULL);
2309 * (This comment used to live with the selinux_task_setuid hook,
2310 * which was removed).
2312 * Since setuid only affects the current process, and since the SELinux
2313 * controls are not based on the Linux identity attributes, SELinux does not
2314 * need to control this operation. However, SELinux does control the use of
2315 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2318 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2321 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2324 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2326 const struct cred *cred = current_cred();
2338 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2343 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2346 rc = 0; /* let the kernel handle invalid cmds */
2352 static int selinux_quota_on(struct dentry *dentry)
2354 const struct cred *cred = current_cred();
2356 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2359 static int selinux_syslog(int type)
2362 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2363 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2364 return avc_has_perm(&selinux_state,
2365 current_sid(), SECINITSID_KERNEL,
2366 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2367 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2368 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2369 /* Set level of messages printed to console */
2370 case SYSLOG_ACTION_CONSOLE_LEVEL:
2371 return avc_has_perm(&selinux_state,
2372 current_sid(), SECINITSID_KERNEL,
2373 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2376 /* All other syslog types */
2377 return avc_has_perm(&selinux_state,
2378 current_sid(), SECINITSID_KERNEL,
2379 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2383 * Check that a process has enough memory to allocate a new virtual
2384 * mapping. 0 means there is enough memory for the allocation to
2385 * succeed and -ENOMEM implies there is not.
2387 * Do not audit the selinux permission check, as this is applied to all
2388 * processes that allocate mappings.
2390 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2392 int rc, cap_sys_admin = 0;
2394 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2395 SECURITY_CAP_NOAUDIT, true);
2399 return cap_sys_admin;
2402 /* binprm security operations */
2404 static u32 ptrace_parent_sid(void)
2407 struct task_struct *tracer;
2410 tracer = ptrace_parent(current);
2412 sid = task_sid(tracer);
2418 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2419 const struct task_security_struct *old_tsec,
2420 const struct task_security_struct *new_tsec)
2422 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2423 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2427 if (!nnp && !nosuid)
2428 return 0; /* neither NNP nor nosuid */
2430 if (new_tsec->sid == old_tsec->sid)
2431 return 0; /* No change in credentials */
2434 * If the policy enables the nnp_nosuid_transition policy capability,
2435 * then we permit transitions under NNP or nosuid if the
2436 * policy allows the corresponding permission between
2437 * the old and new contexts.
2439 if (selinux_policycap_nnp_nosuid_transition()) {
2442 av |= PROCESS2__NNP_TRANSITION;
2444 av |= PROCESS2__NOSUID_TRANSITION;
2445 rc = avc_has_perm(&selinux_state,
2446 old_tsec->sid, new_tsec->sid,
2447 SECCLASS_PROCESS2, av, NULL);
2453 * We also permit NNP or nosuid transitions to bounded SIDs,
2454 * i.e. SIDs that are guaranteed to only be allowed a subset
2455 * of the permissions of the current SID.
2457 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2463 * On failure, preserve the errno values for NNP vs nosuid.
2464 * NNP: Operation not permitted for caller.
2465 * nosuid: Permission denied to file.
2472 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2474 const struct task_security_struct *old_tsec;
2475 struct task_security_struct *new_tsec;
2476 struct inode_security_struct *isec;
2477 struct common_audit_data ad;
2478 struct inode *inode = file_inode(bprm->file);
2481 /* SELinux context only depends on initial program or script and not
2482 * the script interpreter */
2483 if (bprm->called_set_creds)
2486 old_tsec = current_security();
2487 new_tsec = bprm->cred->security;
2488 isec = inode_security(inode);
2490 /* Default to the current task SID. */
2491 new_tsec->sid = old_tsec->sid;
2492 new_tsec->osid = old_tsec->sid;
2494 /* Reset fs, key, and sock SIDs on execve. */
2495 new_tsec->create_sid = 0;
2496 new_tsec->keycreate_sid = 0;
2497 new_tsec->sockcreate_sid = 0;
2499 if (old_tsec->exec_sid) {
2500 new_tsec->sid = old_tsec->exec_sid;
2501 /* Reset exec SID on execve. */
2502 new_tsec->exec_sid = 0;
2504 /* Fail on NNP or nosuid if not an allowed transition. */
2505 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2509 /* Check for a default transition on this program. */
2510 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2511 isec->sid, SECCLASS_PROCESS, NULL,
2517 * Fallback to old SID on NNP or nosuid if not an allowed
2520 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2522 new_tsec->sid = old_tsec->sid;
2525 ad.type = LSM_AUDIT_DATA_FILE;
2526 ad.u.file = bprm->file;
2528 if (new_tsec->sid == old_tsec->sid) {
2529 rc = avc_has_perm(&selinux_state,
2530 old_tsec->sid, isec->sid,
2531 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2535 /* Check permissions for the transition. */
2536 rc = avc_has_perm(&selinux_state,
2537 old_tsec->sid, new_tsec->sid,
2538 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2542 rc = avc_has_perm(&selinux_state,
2543 new_tsec->sid, isec->sid,
2544 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2548 /* Check for shared state */
2549 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2550 rc = avc_has_perm(&selinux_state,
2551 old_tsec->sid, new_tsec->sid,
2552 SECCLASS_PROCESS, PROCESS__SHARE,
2558 /* Make sure that anyone attempting to ptrace over a task that
2559 * changes its SID has the appropriate permit */
2560 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2561 u32 ptsid = ptrace_parent_sid();
2563 rc = avc_has_perm(&selinux_state,
2564 ptsid, new_tsec->sid,
2566 PROCESS__PTRACE, NULL);
2572 /* Clear any possibly unsafe personality bits on exec: */
2573 bprm->per_clear |= PER_CLEAR_ON_SETID;
2575 /* Enable secure mode for SIDs transitions unless
2576 the noatsecure permission is granted between
2577 the two SIDs, i.e. ahp returns 0. */
2578 rc = avc_has_perm(&selinux_state,
2579 old_tsec->sid, new_tsec->sid,
2580 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2582 bprm->secureexec |= !!rc;
2588 static int match_file(const void *p, struct file *file, unsigned fd)
2590 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2593 /* Derived from fs/exec.c:flush_old_files. */
2594 static inline void flush_unauthorized_files(const struct cred *cred,
2595 struct files_struct *files)
2597 struct file *file, *devnull = NULL;
2598 struct tty_struct *tty;
2602 tty = get_current_tty();
2604 spin_lock(&tty->files_lock);
2605 if (!list_empty(&tty->tty_files)) {
2606 struct tty_file_private *file_priv;
2608 /* Revalidate access to controlling tty.
2609 Use file_path_has_perm on the tty path directly
2610 rather than using file_has_perm, as this particular
2611 open file may belong to another process and we are
2612 only interested in the inode-based check here. */
2613 file_priv = list_first_entry(&tty->tty_files,
2614 struct tty_file_private, list);
2615 file = file_priv->file;
2616 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2619 spin_unlock(&tty->files_lock);
2622 /* Reset controlling tty. */
2626 /* Revalidate access to inherited open files. */
2627 n = iterate_fd(files, 0, match_file, cred);
2628 if (!n) /* none found? */
2631 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2632 if (IS_ERR(devnull))
2634 /* replace all the matching ones with this */
2636 replace_fd(n - 1, devnull, 0);
2637 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2643 * Prepare a process for imminent new credential changes due to exec
2645 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2647 struct task_security_struct *new_tsec;
2648 struct rlimit *rlim, *initrlim;
2651 new_tsec = bprm->cred->security;
2652 if (new_tsec->sid == new_tsec->osid)
2655 /* Close files for which the new task SID is not authorized. */
2656 flush_unauthorized_files(bprm->cred, current->files);
2658 /* Always clear parent death signal on SID transitions. */
2659 current->pdeath_signal = 0;
2661 /* Check whether the new SID can inherit resource limits from the old
2662 * SID. If not, reset all soft limits to the lower of the current
2663 * task's hard limit and the init task's soft limit.
2665 * Note that the setting of hard limits (even to lower them) can be
2666 * controlled by the setrlimit check. The inclusion of the init task's
2667 * soft limit into the computation is to avoid resetting soft limits
2668 * higher than the default soft limit for cases where the default is
2669 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2671 rc = avc_has_perm(&selinux_state,
2672 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2673 PROCESS__RLIMITINH, NULL);
2675 /* protect against do_prlimit() */
2677 for (i = 0; i < RLIM_NLIMITS; i++) {
2678 rlim = current->signal->rlim + i;
2679 initrlim = init_task.signal->rlim + i;
2680 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2682 task_unlock(current);
2683 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2684 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2689 * Clean up the process immediately after the installation of new credentials
2692 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2694 const struct task_security_struct *tsec = current_security();
2695 struct itimerval itimer;
2705 /* Check whether the new SID can inherit signal state from the old SID.
2706 * If not, clear itimers to avoid subsequent signal generation and
2707 * flush and unblock signals.
2709 * This must occur _after_ the task SID has been updated so that any
2710 * kill done after the flush will be checked against the new SID.
2712 rc = avc_has_perm(&selinux_state,
2713 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2715 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2716 memset(&itimer, 0, sizeof itimer);
2717 for (i = 0; i < 3; i++)
2718 do_setitimer(i, &itimer, NULL);
2720 spin_lock_irq(¤t->sighand->siglock);
2721 if (!fatal_signal_pending(current)) {
2722 flush_sigqueue(¤t->pending);
2723 flush_sigqueue(¤t->signal->shared_pending);
2724 flush_signal_handlers(current, 1);
2725 sigemptyset(¤t->blocked);
2726 recalc_sigpending();
2728 spin_unlock_irq(¤t->sighand->siglock);
2731 /* Wake up the parent if it is waiting so that it can recheck
2732 * wait permission to the new task SID. */
2733 read_lock(&tasklist_lock);
2734 __wake_up_parent(current, current->real_parent);
2735 read_unlock(&tasklist_lock);
2738 /* superblock security operations */
2740 static int selinux_sb_alloc_security(struct super_block *sb)
2742 return superblock_alloc_security(sb);
2745 static void selinux_sb_free_security(struct super_block *sb)
2747 superblock_free_security(sb);
2750 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2755 return !memcmp(prefix, option, plen);
2758 static inline int selinux_option(char *option, int len)
2760 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2761 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2762 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2763 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2764 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2767 static inline void take_option(char **to, char *from, int *first, int len)
2774 memcpy(*to, from, len);
2778 static inline void take_selinux_option(char **to, char *from, int *first,
2781 int current_size = 0;
2789 while (current_size < len) {
2799 static int selinux_sb_copy_data(char *orig, char *copy)
2801 int fnosec, fsec, rc = 0;
2802 char *in_save, *in_curr, *in_end;
2803 char *sec_curr, *nosec_save, *nosec;
2809 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2817 in_save = in_end = orig;
2821 open_quote = !open_quote;
2822 if ((*in_end == ',' && open_quote == 0) ||
2824 int len = in_end - in_curr;
2826 if (selinux_option(in_curr, len))
2827 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2829 take_option(&nosec, in_curr, &fnosec, len);
2831 in_curr = in_end + 1;
2833 } while (*in_end++);
2835 strcpy(in_save, nosec_save);
2836 free_page((unsigned long)nosec_save);
2841 static int selinux_sb_remount(struct super_block *sb, void *data)
2844 struct security_mnt_opts opts;
2845 char *secdata, **mount_options;
2846 struct superblock_security_struct *sbsec = sb->s_security;
2848 if (!(sbsec->flags & SE_SBINITIALIZED))
2854 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2857 security_init_mnt_opts(&opts);
2858 secdata = alloc_secdata();
2861 rc = selinux_sb_copy_data(data, secdata);
2863 goto out_free_secdata;
2865 rc = selinux_parse_opts_str(secdata, &opts);
2867 goto out_free_secdata;
2869 mount_options = opts.mnt_opts;
2870 flags = opts.mnt_opts_flags;
2872 for (i = 0; i < opts.num_mnt_opts; i++) {
2875 if (flags[i] == SBLABEL_MNT)
2877 rc = security_context_str_to_sid(&selinux_state,
2878 mount_options[i], &sid,
2881 pr_warn("SELinux: security_context_str_to_sid"
2882 "(%s) failed for (dev %s, type %s) errno=%d\n",
2883 mount_options[i], sb->s_id, sb->s_type->name, rc);
2889 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2890 goto out_bad_option;
2893 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2894 goto out_bad_option;
2896 case ROOTCONTEXT_MNT: {
2897 struct inode_security_struct *root_isec;
2898 root_isec = backing_inode_security(sb->s_root);
2900 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2901 goto out_bad_option;
2904 case DEFCONTEXT_MNT:
2905 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2906 goto out_bad_option;
2915 security_free_mnt_opts(&opts);
2917 free_secdata(secdata);
2920 pr_warn("SELinux: unable to change security options "
2921 "during remount (dev %s, type=%s)\n", sb->s_id,
2926 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2928 const struct cred *cred = current_cred();
2929 struct common_audit_data ad;
2932 rc = superblock_doinit(sb, data);
2936 /* Allow all mounts performed by the kernel */
2937 if (flags & MS_KERNMOUNT)
2940 ad.type = LSM_AUDIT_DATA_DENTRY;
2941 ad.u.dentry = sb->s_root;
2942 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2945 static int selinux_sb_statfs(struct dentry *dentry)
2947 const struct cred *cred = current_cred();
2948 struct common_audit_data ad;
2950 ad.type = LSM_AUDIT_DATA_DENTRY;
2951 ad.u.dentry = dentry->d_sb->s_root;
2952 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2955 static int selinux_mount(const char *dev_name,
2956 const struct path *path,
2958 unsigned long flags,
2961 const struct cred *cred = current_cred();
2963 if (flags & MS_REMOUNT)
2964 return superblock_has_perm(cred, path->dentry->d_sb,
2965 FILESYSTEM__REMOUNT, NULL);
2967 return path_has_perm(cred, path, FILE__MOUNTON);
2970 static int selinux_umount(struct vfsmount *mnt, int flags)
2972 const struct cred *cred = current_cred();
2974 return superblock_has_perm(cred, mnt->mnt_sb,
2975 FILESYSTEM__UNMOUNT, NULL);
2978 /* inode security operations */
2980 static int selinux_inode_alloc_security(struct inode *inode)
2982 return inode_alloc_security(inode);
2985 static void selinux_inode_free_security(struct inode *inode)
2987 inode_free_security(inode);
2990 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2991 const struct qstr *name, void **ctx,
2997 rc = selinux_determine_inode_label(current_security(),
2998 d_inode(dentry->d_parent), name,
2999 inode_mode_to_security_class(mode),
3004 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3008 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3010 const struct cred *old,
3015 struct task_security_struct *tsec;
3017 rc = selinux_determine_inode_label(old->security,
3018 d_inode(dentry->d_parent), name,
3019 inode_mode_to_security_class(mode),
3024 tsec = new->security;
3025 tsec->create_sid = newsid;
3029 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3030 const struct qstr *qstr,
3032 void **value, size_t *len)
3034 const struct task_security_struct *tsec = current_security();
3035 struct superblock_security_struct *sbsec;
3040 sbsec = dir->i_sb->s_security;
3042 newsid = tsec->create_sid;
3044 rc = selinux_determine_inode_label(current_security(),
3046 inode_mode_to_security_class(inode->i_mode),
3051 /* Possibly defer initialization to selinux_complete_init. */
3052 if (sbsec->flags & SE_SBINITIALIZED) {
3053 struct inode_security_struct *isec = inode->i_security;
3054 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3056 isec->initialized = LABEL_INITIALIZED;
3059 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3063 *name = XATTR_SELINUX_SUFFIX;
3066 rc = security_sid_to_context_force(&selinux_state, newsid,
3077 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3079 return may_create(dir, dentry, SECCLASS_FILE);
3082 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3084 return may_link(dir, old_dentry, MAY_LINK);
3087 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3089 return may_link(dir, dentry, MAY_UNLINK);
3092 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3094 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3097 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3099 return may_create(dir, dentry, SECCLASS_DIR);
3102 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3104 return may_link(dir, dentry, MAY_RMDIR);
3107 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3109 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3112 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3113 struct inode *new_inode, struct dentry *new_dentry)
3115 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3118 static int selinux_inode_readlink(struct dentry *dentry)
3120 const struct cred *cred = current_cred();
3122 return dentry_has_perm(cred, dentry, FILE__READ);
3125 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3128 const struct cred *cred = current_cred();
3129 struct common_audit_data ad;
3130 struct inode_security_struct *isec;
3133 validate_creds(cred);
3135 ad.type = LSM_AUDIT_DATA_DENTRY;
3136 ad.u.dentry = dentry;
3137 sid = cred_sid(cred);
3138 isec = inode_security_rcu(inode, rcu);
3140 return PTR_ERR(isec);
3142 return avc_has_perm_flags(&selinux_state,
3143 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3144 rcu ? MAY_NOT_BLOCK : 0);
3147 static noinline int audit_inode_permission(struct inode *inode,
3148 u32 perms, u32 audited, u32 denied,
3152 struct common_audit_data ad;
3153 struct inode_security_struct *isec = inode->i_security;
3156 ad.type = LSM_AUDIT_DATA_INODE;
3159 rc = slow_avc_audit(&selinux_state,
3160 current_sid(), isec->sid, isec->sclass, perms,
3161 audited, denied, result, &ad, flags);
3167 static int selinux_inode_permission(struct inode *inode, int mask)
3169 const struct cred *cred = current_cred();
3172 unsigned flags = mask & MAY_NOT_BLOCK;
3173 struct inode_security_struct *isec;
3175 struct av_decision avd;
3177 u32 audited, denied;
3179 from_access = mask & MAY_ACCESS;
3180 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3182 /* No permission to check. Existence test. */
3186 validate_creds(cred);
3188 if (unlikely(IS_PRIVATE(inode)))
3191 perms = file_mask_to_av(inode->i_mode, mask);
3193 sid = cred_sid(cred);
3194 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3196 return PTR_ERR(isec);
3198 rc = avc_has_perm_noaudit(&selinux_state,
3199 sid, isec->sid, isec->sclass, perms, 0, &avd);
3200 audited = avc_audit_required(perms, &avd, rc,
3201 from_access ? FILE__AUDIT_ACCESS : 0,
3203 if (likely(!audited))
3206 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3212 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3214 const struct cred *cred = current_cred();
3215 struct inode *inode = d_backing_inode(dentry);
3216 unsigned int ia_valid = iattr->ia_valid;
3217 __u32 av = FILE__WRITE;
3219 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3220 if (ia_valid & ATTR_FORCE) {
3221 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3227 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3228 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3229 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3231 if (selinux_policycap_openperm() &&
3232 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3233 (ia_valid & ATTR_SIZE) &&
3234 !(ia_valid & ATTR_FILE))
3237 return dentry_has_perm(cred, dentry, av);
3240 static int selinux_inode_getattr(const struct path *path)
3242 return path_has_perm(current_cred(), path, FILE__GETATTR);
3245 static bool has_cap_mac_admin(bool audit)
3247 const struct cred *cred = current_cred();
3248 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3250 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3252 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3257 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3258 const void *value, size_t size, int flags)
3260 struct inode *inode = d_backing_inode(dentry);
3261 struct inode_security_struct *isec;
3262 struct superblock_security_struct *sbsec;
3263 struct common_audit_data ad;
3264 u32 newsid, sid = current_sid();
3267 if (strcmp(name, XATTR_NAME_SELINUX)) {
3268 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3272 /* Not an attribute we recognize, so just check the
3273 ordinary setattr permission. */
3274 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3277 sbsec = inode->i_sb->s_security;
3278 if (!(sbsec->flags & SBLABEL_MNT))
3281 if (!inode_owner_or_capable(inode))
3284 ad.type = LSM_AUDIT_DATA_DENTRY;
3285 ad.u.dentry = dentry;
3287 isec = backing_inode_security(dentry);
3288 rc = avc_has_perm(&selinux_state,
3289 sid, isec->sid, isec->sclass,
3290 FILE__RELABELFROM, &ad);
3294 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3296 if (rc == -EINVAL) {
3297 if (!has_cap_mac_admin(true)) {
3298 struct audit_buffer *ab;
3301 /* We strip a nul only if it is at the end, otherwise the
3302 * context contains a nul and we should audit that */
3304 const char *str = value;
3306 if (str[size - 1] == '\0')
3307 audit_size = size - 1;
3313 ab = audit_log_start(audit_context(),
3314 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3315 audit_log_format(ab, "op=setxattr invalid_context=");
3316 audit_log_n_untrustedstring(ab, value, audit_size);
3321 rc = security_context_to_sid_force(&selinux_state, value,
3327 rc = avc_has_perm(&selinux_state,
3328 sid, newsid, isec->sclass,
3329 FILE__RELABELTO, &ad);
3333 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3338 return avc_has_perm(&selinux_state,
3341 SECCLASS_FILESYSTEM,
3342 FILESYSTEM__ASSOCIATE,
3346 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3347 const void *value, size_t size,
3350 struct inode *inode = d_backing_inode(dentry);
3351 struct inode_security_struct *isec;
3355 if (strcmp(name, XATTR_NAME_SELINUX)) {
3356 /* Not an attribute we recognize, so nothing to do. */
3360 rc = security_context_to_sid_force(&selinux_state, value, size,
3363 pr_err("SELinux: unable to map context to SID"
3364 "for (%s, %lu), rc=%d\n",
3365 inode->i_sb->s_id, inode->i_ino, -rc);
3369 isec = backing_inode_security(dentry);
3370 spin_lock(&isec->lock);
3371 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3373 isec->initialized = LABEL_INITIALIZED;
3374 spin_unlock(&isec->lock);
3379 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3381 const struct cred *cred = current_cred();
3383 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3386 static int selinux_inode_listxattr(struct dentry *dentry)
3388 const struct cred *cred = current_cred();
3390 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3393 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3395 if (strcmp(name, XATTR_NAME_SELINUX)) {
3396 int rc = cap_inode_removexattr(dentry, name);
3400 /* Not an attribute we recognize, so just check the
3401 ordinary setattr permission. */
3402 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3405 /* No one is allowed to remove a SELinux security label.
3406 You can change the label, but all data must be labeled. */
3411 * Copy the inode security context value to the user.
3413 * Permission check is handled by selinux_inode_getxattr hook.
3415 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3419 char *context = NULL;
3420 struct inode_security_struct *isec;
3422 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3426 * If the caller has CAP_MAC_ADMIN, then get the raw context
3427 * value even if it is not defined by current policy; otherwise,
3428 * use the in-core value under current policy.
3429 * Use the non-auditing forms of the permission checks since
3430 * getxattr may be called by unprivileged processes commonly
3431 * and lack of permission just means that we fall back to the
3432 * in-core context value, not a denial.
3434 isec = inode_security(inode);
3435 if (has_cap_mac_admin(false))
3436 error = security_sid_to_context_force(&selinux_state,
3437 isec->sid, &context,
3440 error = security_sid_to_context(&selinux_state, isec->sid,
3454 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3455 const void *value, size_t size, int flags)
3457 struct inode_security_struct *isec = inode_security_novalidate(inode);
3461 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3464 if (!value || !size)
3467 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3472 spin_lock(&isec->lock);
3473 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3475 isec->initialized = LABEL_INITIALIZED;
3476 spin_unlock(&isec->lock);
3480 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3482 const int len = sizeof(XATTR_NAME_SELINUX);
3483 if (buffer && len <= buffer_size)
3484 memcpy(buffer, XATTR_NAME_SELINUX, len);
3488 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3490 struct inode_security_struct *isec = inode_security_novalidate(inode);
3494 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3497 struct task_security_struct *tsec;
3498 struct cred *new_creds = *new;
3500 if (new_creds == NULL) {
3501 new_creds = prepare_creds();
3506 tsec = new_creds->security;
3507 /* Get label from overlay inode and set it in create_sid */
3508 selinux_inode_getsecid(d_inode(src), &sid);
3509 tsec->create_sid = sid;
3514 static int selinux_inode_copy_up_xattr(const char *name)
3516 /* The copy_up hook above sets the initial context on an inode, but we
3517 * don't then want to overwrite it by blindly copying all the lower
3518 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3520 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3521 return 1; /* Discard */
3523 * Any other attribute apart from SELINUX is not claimed, supported
3529 /* file security operations */
3531 static int selinux_revalidate_file_permission(struct file *file, int mask)
3533 const struct cred *cred = current_cred();
3534 struct inode *inode = file_inode(file);
3536 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3537 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3540 return file_has_perm(cred, file,
3541 file_mask_to_av(inode->i_mode, mask));
3544 static int selinux_file_permission(struct file *file, int mask)
3546 struct inode *inode = file_inode(file);
3547 struct file_security_struct *fsec = file->f_security;
3548 struct inode_security_struct *isec;
3549 u32 sid = current_sid();
3552 /* No permission to check. Existence test. */
3555 isec = inode_security(inode);
3556 if (sid == fsec->sid && fsec->isid == isec->sid &&
3557 fsec->pseqno == avc_policy_seqno(&selinux_state))
3558 /* No change since file_open check. */
3561 return selinux_revalidate_file_permission(file, mask);
3564 static int selinux_file_alloc_security(struct file *file)
3566 return file_alloc_security(file);
3569 static void selinux_file_free_security(struct file *file)
3571 file_free_security(file);
3575 * Check whether a task has the ioctl permission and cmd
3576 * operation to an inode.
3578 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3579 u32 requested, u16 cmd)
3581 struct common_audit_data ad;
3582 struct file_security_struct *fsec = file->f_security;
3583 struct inode *inode = file_inode(file);
3584 struct inode_security_struct *isec;
3585 struct lsm_ioctlop_audit ioctl;
3586 u32 ssid = cred_sid(cred);
3588 u8 driver = cmd >> 8;
3589 u8 xperm = cmd & 0xff;
3591 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3594 ad.u.op->path = file->f_path;
3596 if (ssid != fsec->sid) {
3597 rc = avc_has_perm(&selinux_state,
3606 if (unlikely(IS_PRIVATE(inode)))
3609 isec = inode_security(inode);
3610 rc = avc_has_extended_perms(&selinux_state,
3611 ssid, isec->sid, isec->sclass,
3612 requested, driver, xperm, &ad);
3617 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3620 const struct cred *cred = current_cred();
3630 case FS_IOC_GETFLAGS:
3632 case FS_IOC_GETVERSION:
3633 error = file_has_perm(cred, file, FILE__GETATTR);
3636 case FS_IOC_SETFLAGS:
3638 case FS_IOC_SETVERSION:
3639 error = file_has_perm(cred, file, FILE__SETATTR);
3642 /* sys_ioctl() checks */
3646 error = file_has_perm(cred, file, 0);
3651 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3652 SECURITY_CAP_AUDIT, true);
3655 /* default case assumes that the command will go
3656 * to the file's ioctl() function.
3659 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3664 static int default_noexec;
3666 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3668 const struct cred *cred = current_cred();
3669 u32 sid = cred_sid(cred);
3672 if (default_noexec &&
3673 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3674 (!shared && (prot & PROT_WRITE)))) {
3676 * We are making executable an anonymous mapping or a
3677 * private file mapping that will also be writable.
3678 * This has an additional check.
3680 rc = avc_has_perm(&selinux_state,
3681 sid, sid, SECCLASS_PROCESS,
3682 PROCESS__EXECMEM, NULL);
3688 /* read access is always possible with a mapping */
3689 u32 av = FILE__READ;
3691 /* write access only matters if the mapping is shared */
3692 if (shared && (prot & PROT_WRITE))
3695 if (prot & PROT_EXEC)
3696 av |= FILE__EXECUTE;
3698 return file_has_perm(cred, file, av);
3705 static int selinux_mmap_addr(unsigned long addr)
3709 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3710 u32 sid = current_sid();
3711 rc = avc_has_perm(&selinux_state,
3712 sid, sid, SECCLASS_MEMPROTECT,
3713 MEMPROTECT__MMAP_ZERO, NULL);
3719 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3720 unsigned long prot, unsigned long flags)
3722 struct common_audit_data ad;
3726 ad.type = LSM_AUDIT_DATA_FILE;
3728 rc = inode_has_perm(current_cred(), file_inode(file),
3734 if (selinux_state.checkreqprot)
3737 return file_map_prot_check(file, prot,
3738 (flags & MAP_TYPE) == MAP_SHARED);
3741 static int selinux_file_mprotect(struct vm_area_struct *vma,
3742 unsigned long reqprot,
3745 const struct cred *cred = current_cred();
3746 u32 sid = cred_sid(cred);
3748 if (selinux_state.checkreqprot)
3751 if (default_noexec &&
3752 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3754 if (vma->vm_start >= vma->vm_mm->start_brk &&
3755 vma->vm_end <= vma->vm_mm->brk) {
3756 rc = avc_has_perm(&selinux_state,
3757 sid, sid, SECCLASS_PROCESS,
3758 PROCESS__EXECHEAP, NULL);
3759 } else if (!vma->vm_file &&
3760 ((vma->vm_start <= vma->vm_mm->start_stack &&
3761 vma->vm_end >= vma->vm_mm->start_stack) ||
3762 vma_is_stack_for_current(vma))) {
3763 rc = avc_has_perm(&selinux_state,
3764 sid, sid, SECCLASS_PROCESS,
3765 PROCESS__EXECSTACK, NULL);
3766 } else if (vma->vm_file && vma->anon_vma) {
3768 * We are making executable a file mapping that has
3769 * had some COW done. Since pages might have been
3770 * written, check ability to execute the possibly
3771 * modified content. This typically should only
3772 * occur for text relocations.
3774 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3780 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3783 static int selinux_file_lock(struct file *file, unsigned int cmd)
3785 const struct cred *cred = current_cred();
3787 return file_has_perm(cred, file, FILE__LOCK);
3790 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3793 const struct cred *cred = current_cred();
3798 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3799 err = file_has_perm(cred, file, FILE__WRITE);
3808 case F_GETOWNER_UIDS:
3809 /* Just check FD__USE permission */
3810 err = file_has_perm(cred, file, 0);
3818 #if BITS_PER_LONG == 32
3823 err = file_has_perm(cred, file, FILE__LOCK);
3830 static void selinux_file_set_fowner(struct file *file)
3832 struct file_security_struct *fsec;
3834 fsec = file->f_security;
3835 fsec->fown_sid = current_sid();
3838 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3839 struct fown_struct *fown, int signum)
3842 u32 sid = task_sid(tsk);
3844 struct file_security_struct *fsec;
3846 /* struct fown_struct is never outside the context of a struct file */
3847 file = container_of(fown, struct file, f_owner);
3849 fsec = file->f_security;
3852 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3854 perm = signal_to_av(signum);
3856 return avc_has_perm(&selinux_state,
3857 fsec->fown_sid, sid,
3858 SECCLASS_PROCESS, perm, NULL);
3861 static int selinux_file_receive(struct file *file)
3863 const struct cred *cred = current_cred();
3865 return file_has_perm(cred, file, file_to_av(file));
3868 static int selinux_file_open(struct file *file)
3870 struct file_security_struct *fsec;
3871 struct inode_security_struct *isec;
3873 fsec = file->f_security;
3874 isec = inode_security(file_inode(file));
3876 * Save inode label and policy sequence number
3877 * at open-time so that selinux_file_permission
3878 * can determine whether revalidation is necessary.
3879 * Task label is already saved in the file security
3880 * struct as its SID.
3882 fsec->isid = isec->sid;
3883 fsec->pseqno = avc_policy_seqno(&selinux_state);
3885 * Since the inode label or policy seqno may have changed
3886 * between the selinux_inode_permission check and the saving
3887 * of state above, recheck that access is still permitted.
3888 * Otherwise, access might never be revalidated against the
3889 * new inode label or new policy.
3890 * This check is not redundant - do not remove.
3892 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3895 /* task security operations */
3897 static int selinux_task_alloc(struct task_struct *task,
3898 unsigned long clone_flags)
3900 u32 sid = current_sid();
3902 return avc_has_perm(&selinux_state,
3903 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3907 * allocate the SELinux part of blank credentials
3909 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3911 struct task_security_struct *tsec;
3913 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3917 cred->security = tsec;
3922 * detach and free the LSM part of a set of credentials
3924 static void selinux_cred_free(struct cred *cred)
3926 struct task_security_struct *tsec = cred->security;
3929 * cred->security == NULL if security_cred_alloc_blank() or
3930 * security_prepare_creds() returned an error.
3932 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3933 cred->security = (void *) 0x7UL;
3938 * prepare a new set of credentials for modification
3940 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3943 const struct task_security_struct *old_tsec;
3944 struct task_security_struct *tsec;
3946 old_tsec = old->security;
3948 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3952 new->security = tsec;
3957 * transfer the SELinux data to a blank set of creds
3959 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3961 const struct task_security_struct *old_tsec = old->security;
3962 struct task_security_struct *tsec = new->security;
3967 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3969 *secid = cred_sid(c);
3973 * set the security data for a kernel service
3974 * - all the creation contexts are set to unlabelled
3976 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3978 struct task_security_struct *tsec = new->security;
3979 u32 sid = current_sid();
3982 ret = avc_has_perm(&selinux_state,
3984 SECCLASS_KERNEL_SERVICE,
3985 KERNEL_SERVICE__USE_AS_OVERRIDE,
3989 tsec->create_sid = 0;
3990 tsec->keycreate_sid = 0;
3991 tsec->sockcreate_sid = 0;
3997 * set the file creation context in a security record to the same as the
3998 * objective context of the specified inode
4000 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4002 struct inode_security_struct *isec = inode_security(inode);
4003 struct task_security_struct *tsec = new->security;
4004 u32 sid = current_sid();
4007 ret = avc_has_perm(&selinux_state,
4009 SECCLASS_KERNEL_SERVICE,
4010 KERNEL_SERVICE__CREATE_FILES_AS,
4014 tsec->create_sid = isec->sid;
4018 static int selinux_kernel_module_request(char *kmod_name)
4020 struct common_audit_data ad;
4022 ad.type = LSM_AUDIT_DATA_KMOD;
4023 ad.u.kmod_name = kmod_name;
4025 return avc_has_perm(&selinux_state,
4026 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4027 SYSTEM__MODULE_REQUEST, &ad);
4030 static int selinux_kernel_module_from_file(struct file *file)
4032 struct common_audit_data ad;
4033 struct inode_security_struct *isec;
4034 struct file_security_struct *fsec;
4035 u32 sid = current_sid();
4040 return avc_has_perm(&selinux_state,
4041 sid, sid, SECCLASS_SYSTEM,
4042 SYSTEM__MODULE_LOAD, NULL);
4046 ad.type = LSM_AUDIT_DATA_FILE;
4049 fsec = file->f_security;
4050 if (sid != fsec->sid) {
4051 rc = avc_has_perm(&selinux_state,
4052 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4057 isec = inode_security(file_inode(file));
4058 return avc_has_perm(&selinux_state,
4059 sid, isec->sid, SECCLASS_SYSTEM,
4060 SYSTEM__MODULE_LOAD, &ad);
4063 static int selinux_kernel_read_file(struct file *file,
4064 enum kernel_read_file_id id)
4069 case READING_MODULE:
4070 rc = selinux_kernel_module_from_file(file);
4079 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4084 case LOADING_MODULE:
4085 rc = selinux_kernel_module_from_file(NULL);
4093 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4095 return avc_has_perm(&selinux_state,
4096 current_sid(), task_sid(p), SECCLASS_PROCESS,
4097 PROCESS__SETPGID, NULL);
4100 static int selinux_task_getpgid(struct task_struct *p)
4102 return avc_has_perm(&selinux_state,
4103 current_sid(), task_sid(p), SECCLASS_PROCESS,
4104 PROCESS__GETPGID, NULL);
4107 static int selinux_task_getsid(struct task_struct *p)
4109 return avc_has_perm(&selinux_state,
4110 current_sid(), task_sid(p), SECCLASS_PROCESS,
4111 PROCESS__GETSESSION, NULL);
4114 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4116 *secid = task_sid(p);
4119 static int selinux_task_setnice(struct task_struct *p, int nice)
4121 return avc_has_perm(&selinux_state,
4122 current_sid(), task_sid(p), SECCLASS_PROCESS,
4123 PROCESS__SETSCHED, NULL);
4126 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4128 return avc_has_perm(&selinux_state,
4129 current_sid(), task_sid(p), SECCLASS_PROCESS,
4130 PROCESS__SETSCHED, NULL);
4133 static int selinux_task_getioprio(struct task_struct *p)
4135 return avc_has_perm(&selinux_state,
4136 current_sid(), task_sid(p), SECCLASS_PROCESS,
4137 PROCESS__GETSCHED, NULL);
4140 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4147 if (flags & LSM_PRLIMIT_WRITE)
4148 av |= PROCESS__SETRLIMIT;
4149 if (flags & LSM_PRLIMIT_READ)
4150 av |= PROCESS__GETRLIMIT;
4151 return avc_has_perm(&selinux_state,
4152 cred_sid(cred), cred_sid(tcred),
4153 SECCLASS_PROCESS, av, NULL);
4156 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4157 struct rlimit *new_rlim)
4159 struct rlimit *old_rlim = p->signal->rlim + resource;
4161 /* Control the ability to change the hard limit (whether
4162 lowering or raising it), so that the hard limit can
4163 later be used as a safe reset point for the soft limit
4164 upon context transitions. See selinux_bprm_committing_creds. */
4165 if (old_rlim->rlim_max != new_rlim->rlim_max)
4166 return avc_has_perm(&selinux_state,
4167 current_sid(), task_sid(p),
4168 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4173 static int selinux_task_setscheduler(struct task_struct *p)
4175 return avc_has_perm(&selinux_state,
4176 current_sid(), task_sid(p), SECCLASS_PROCESS,
4177 PROCESS__SETSCHED, NULL);
4180 static int selinux_task_getscheduler(struct task_struct *p)
4182 return avc_has_perm(&selinux_state,
4183 current_sid(), task_sid(p), SECCLASS_PROCESS,
4184 PROCESS__GETSCHED, NULL);
4187 static int selinux_task_movememory(struct task_struct *p)
4189 return avc_has_perm(&selinux_state,
4190 current_sid(), task_sid(p), SECCLASS_PROCESS,
4191 PROCESS__SETSCHED, NULL);
4194 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4195 int sig, const struct cred *cred)
4201 perm = PROCESS__SIGNULL; /* null signal; existence test */
4203 perm = signal_to_av(sig);
4205 secid = current_sid();
4207 secid = cred_sid(cred);
4208 return avc_has_perm(&selinux_state,
4209 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4212 static void selinux_task_to_inode(struct task_struct *p,
4213 struct inode *inode)
4215 struct inode_security_struct *isec = inode->i_security;
4216 u32 sid = task_sid(p);
4218 spin_lock(&isec->lock);
4219 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4221 isec->initialized = LABEL_INITIALIZED;
4222 spin_unlock(&isec->lock);
4225 /* Returns error only if unable to parse addresses */
4226 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4227 struct common_audit_data *ad, u8 *proto)
4229 int offset, ihlen, ret = -EINVAL;
4230 struct iphdr _iph, *ih;
4232 offset = skb_network_offset(skb);
4233 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4237 ihlen = ih->ihl * 4;
4238 if (ihlen < sizeof(_iph))
4241 ad->u.net->v4info.saddr = ih->saddr;
4242 ad->u.net->v4info.daddr = ih->daddr;
4246 *proto = ih->protocol;
4248 switch (ih->protocol) {
4250 struct tcphdr _tcph, *th;
4252 if (ntohs(ih->frag_off) & IP_OFFSET)
4256 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4260 ad->u.net->sport = th->source;
4261 ad->u.net->dport = th->dest;
4266 struct udphdr _udph, *uh;
4268 if (ntohs(ih->frag_off) & IP_OFFSET)
4272 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4276 ad->u.net->sport = uh->source;
4277 ad->u.net->dport = uh->dest;
4281 case IPPROTO_DCCP: {
4282 struct dccp_hdr _dccph, *dh;
4284 if (ntohs(ih->frag_off) & IP_OFFSET)
4288 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4292 ad->u.net->sport = dh->dccph_sport;
4293 ad->u.net->dport = dh->dccph_dport;
4297 #if IS_ENABLED(CONFIG_IP_SCTP)
4298 case IPPROTO_SCTP: {
4299 struct sctphdr _sctph, *sh;
4301 if (ntohs(ih->frag_off) & IP_OFFSET)
4305 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4309 ad->u.net->sport = sh->source;
4310 ad->u.net->dport = sh->dest;
4321 #if IS_ENABLED(CONFIG_IPV6)
4323 /* Returns error only if unable to parse addresses */
4324 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4325 struct common_audit_data *ad, u8 *proto)
4328 int ret = -EINVAL, offset;
4329 struct ipv6hdr _ipv6h, *ip6;
4332 offset = skb_network_offset(skb);
4333 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4337 ad->u.net->v6info.saddr = ip6->saddr;
4338 ad->u.net->v6info.daddr = ip6->daddr;
4341 nexthdr = ip6->nexthdr;
4342 offset += sizeof(_ipv6h);
4343 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4352 struct tcphdr _tcph, *th;
4354 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4358 ad->u.net->sport = th->source;
4359 ad->u.net->dport = th->dest;
4364 struct udphdr _udph, *uh;
4366 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4370 ad->u.net->sport = uh->source;
4371 ad->u.net->dport = uh->dest;
4375 case IPPROTO_DCCP: {
4376 struct dccp_hdr _dccph, *dh;
4378 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4382 ad->u.net->sport = dh->dccph_sport;
4383 ad->u.net->dport = dh->dccph_dport;
4387 #if IS_ENABLED(CONFIG_IP_SCTP)
4388 case IPPROTO_SCTP: {
4389 struct sctphdr _sctph, *sh;
4391 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4395 ad->u.net->sport = sh->source;
4396 ad->u.net->dport = sh->dest;
4400 /* includes fragments */
4410 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4411 char **_addrp, int src, u8 *proto)
4416 switch (ad->u.net->family) {
4418 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4421 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4422 &ad->u.net->v4info.daddr);
4425 #if IS_ENABLED(CONFIG_IPV6)
4427 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4430 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4431 &ad->u.net->v6info.daddr);
4441 "SELinux: failure in selinux_parse_skb(),"
4442 " unable to parse packet\n");
4452 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4454 * @family: protocol family
4455 * @sid: the packet's peer label SID
4458 * Check the various different forms of network peer labeling and determine
4459 * the peer label/SID for the packet; most of the magic actually occurs in
4460 * the security server function security_net_peersid_cmp(). The function
4461 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4462 * or -EACCES if @sid is invalid due to inconsistencies with the different
4466 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4473 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4476 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4480 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4481 nlbl_type, xfrm_sid, sid);
4482 if (unlikely(err)) {
4484 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4485 " unable to determine packet's peer label\n");
4493 * selinux_conn_sid - Determine the child socket label for a connection
4494 * @sk_sid: the parent socket's SID
4495 * @skb_sid: the packet's SID
4496 * @conn_sid: the resulting connection SID
4498 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4499 * combined with the MLS information from @skb_sid in order to create
4500 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4501 * of @sk_sid. Returns zero on success, negative values on failure.
4504 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4508 if (skb_sid != SECSID_NULL)
4509 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4517 /* socket security operations */
4519 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4520 u16 secclass, u32 *socksid)
4522 if (tsec->sockcreate_sid > SECSID_NULL) {
4523 *socksid = tsec->sockcreate_sid;
4527 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4528 secclass, NULL, socksid);
4531 static int sock_has_perm(struct sock *sk, u32 perms)
4533 struct sk_security_struct *sksec = sk->sk_security;
4534 struct common_audit_data ad;
4535 struct lsm_network_audit net = {0,};
4537 if (sksec->sid == SECINITSID_KERNEL)
4540 ad.type = LSM_AUDIT_DATA_NET;
4544 return avc_has_perm(&selinux_state,
4545 current_sid(), sksec->sid, sksec->sclass, perms,
4549 static int selinux_socket_create(int family, int type,
4550 int protocol, int kern)
4552 const struct task_security_struct *tsec = current_security();
4560 secclass = socket_type_to_security_class(family, type, protocol);
4561 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4565 return avc_has_perm(&selinux_state,
4566 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4569 static int selinux_socket_post_create(struct socket *sock, int family,
4570 int type, int protocol, int kern)
4572 const struct task_security_struct *tsec = current_security();
4573 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4574 struct sk_security_struct *sksec;
4575 u16 sclass = socket_type_to_security_class(family, type, protocol);
4576 u32 sid = SECINITSID_KERNEL;
4580 err = socket_sockcreate_sid(tsec, sclass, &sid);
4585 isec->sclass = sclass;
4587 isec->initialized = LABEL_INITIALIZED;
4590 sksec = sock->sk->sk_security;
4591 sksec->sclass = sclass;
4593 /* Allows detection of the first association on this socket */
4594 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4595 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4597 err = selinux_netlbl_socket_post_create(sock->sk, family);
4603 static int selinux_socket_socketpair(struct socket *socka,
4604 struct socket *sockb)
4606 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4607 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4609 sksec_a->peer_sid = sksec_b->sid;
4610 sksec_b->peer_sid = sksec_a->sid;
4615 /* Range of port numbers used to automatically bind.
4616 Need to determine whether we should perform a name_bind
4617 permission check between the socket and the port number. */
4619 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4621 struct sock *sk = sock->sk;
4622 struct sk_security_struct *sksec = sk->sk_security;
4626 err = sock_has_perm(sk, SOCKET__BIND);
4630 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4631 family = sk->sk_family;
4632 if (family == PF_INET || family == PF_INET6) {
4634 struct common_audit_data ad;
4635 struct lsm_network_audit net = {0,};
4636 struct sockaddr_in *addr4 = NULL;
4637 struct sockaddr_in6 *addr6 = NULL;
4638 u16 family_sa = address->sa_family;
4639 unsigned short snum;
4643 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4644 * that validates multiple binding addresses. Because of this
4645 * need to check address->sa_family as it is possible to have
4646 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4648 switch (family_sa) {
4651 if (addrlen < sizeof(struct sockaddr_in))
4653 addr4 = (struct sockaddr_in *)address;
4654 if (family_sa == AF_UNSPEC) {
4655 /* see __inet_bind(), we only want to allow
4656 * AF_UNSPEC if the address is INADDR_ANY
4658 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4660 family_sa = AF_INET;
4662 snum = ntohs(addr4->sin_port);
4663 addrp = (char *)&addr4->sin_addr.s_addr;
4666 if (addrlen < SIN6_LEN_RFC2133)
4668 addr6 = (struct sockaddr_in6 *)address;
4669 snum = ntohs(addr6->sin6_port);
4670 addrp = (char *)&addr6->sin6_addr.s6_addr;
4676 ad.type = LSM_AUDIT_DATA_NET;
4678 ad.u.net->sport = htons(snum);
4679 ad.u.net->family = family_sa;
4684 inet_get_local_port_range(sock_net(sk), &low, &high);
4686 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4688 err = sel_netport_sid(sk->sk_protocol,
4692 err = avc_has_perm(&selinux_state,
4695 SOCKET__NAME_BIND, &ad);
4701 switch (sksec->sclass) {
4702 case SECCLASS_TCP_SOCKET:
4703 node_perm = TCP_SOCKET__NODE_BIND;
4706 case SECCLASS_UDP_SOCKET:
4707 node_perm = UDP_SOCKET__NODE_BIND;
4710 case SECCLASS_DCCP_SOCKET:
4711 node_perm = DCCP_SOCKET__NODE_BIND;
4714 case SECCLASS_SCTP_SOCKET:
4715 node_perm = SCTP_SOCKET__NODE_BIND;
4719 node_perm = RAWIP_SOCKET__NODE_BIND;
4723 err = sel_netnode_sid(addrp, family_sa, &sid);
4727 if (family_sa == AF_INET)
4728 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4730 ad.u.net->v6info.saddr = addr6->sin6_addr;
4732 err = avc_has_perm(&selinux_state,
4734 sksec->sclass, node_perm, &ad);
4741 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4742 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4744 return -EAFNOSUPPORT;
4747 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4748 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
4750 static int selinux_socket_connect_helper(struct socket *sock,
4751 struct sockaddr *address, int addrlen)
4753 struct sock *sk = sock->sk;
4754 struct sk_security_struct *sksec = sk->sk_security;
4757 err = sock_has_perm(sk, SOCKET__CONNECT);
4762 * If a TCP, DCCP or SCTP socket, check name_connect permission
4765 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4766 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4767 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4768 struct common_audit_data ad;
4769 struct lsm_network_audit net = {0,};
4770 struct sockaddr_in *addr4 = NULL;
4771 struct sockaddr_in6 *addr6 = NULL;
4772 unsigned short snum;
4775 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4776 * that validates multiple connect addresses. Because of this
4777 * need to check address->sa_family as it is possible to have
4778 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4780 switch (address->sa_family) {
4782 addr4 = (struct sockaddr_in *)address;
4783 if (addrlen < sizeof(struct sockaddr_in))
4785 snum = ntohs(addr4->sin_port);
4788 addr6 = (struct sockaddr_in6 *)address;
4789 if (addrlen < SIN6_LEN_RFC2133)
4791 snum = ntohs(addr6->sin6_port);
4794 /* Note that SCTP services expect -EINVAL, whereas
4795 * others expect -EAFNOSUPPORT.
4797 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4800 return -EAFNOSUPPORT;
4803 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4807 switch (sksec->sclass) {
4808 case SECCLASS_TCP_SOCKET:
4809 perm = TCP_SOCKET__NAME_CONNECT;
4811 case SECCLASS_DCCP_SOCKET:
4812 perm = DCCP_SOCKET__NAME_CONNECT;
4814 case SECCLASS_SCTP_SOCKET:
4815 perm = SCTP_SOCKET__NAME_CONNECT;
4819 ad.type = LSM_AUDIT_DATA_NET;
4821 ad.u.net->dport = htons(snum);
4822 ad.u.net->family = address->sa_family;
4823 err = avc_has_perm(&selinux_state,
4824 sksec->sid, sid, sksec->sclass, perm, &ad);
4832 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4833 static int selinux_socket_connect(struct socket *sock,
4834 struct sockaddr *address, int addrlen)
4837 struct sock *sk = sock->sk;
4839 err = selinux_socket_connect_helper(sock, address, addrlen);
4843 return selinux_netlbl_socket_connect(sk, address);
4846 static int selinux_socket_listen(struct socket *sock, int backlog)
4848 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4851 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4854 struct inode_security_struct *isec;
4855 struct inode_security_struct *newisec;
4859 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4863 isec = inode_security_novalidate(SOCK_INODE(sock));
4864 spin_lock(&isec->lock);
4865 sclass = isec->sclass;
4867 spin_unlock(&isec->lock);
4869 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4870 newisec->sclass = sclass;
4872 newisec->initialized = LABEL_INITIALIZED;
4877 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4880 return sock_has_perm(sock->sk, SOCKET__WRITE);
4883 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4884 int size, int flags)
4886 return sock_has_perm(sock->sk, SOCKET__READ);
4889 static int selinux_socket_getsockname(struct socket *sock)
4891 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4894 static int selinux_socket_getpeername(struct socket *sock)
4896 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4899 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4903 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4907 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4910 static int selinux_socket_getsockopt(struct socket *sock, int level,
4913 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4916 static int selinux_socket_shutdown(struct socket *sock, int how)
4918 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4921 static int selinux_socket_unix_stream_connect(struct sock *sock,
4925 struct sk_security_struct *sksec_sock = sock->sk_security;
4926 struct sk_security_struct *sksec_other = other->sk_security;
4927 struct sk_security_struct *sksec_new = newsk->sk_security;
4928 struct common_audit_data ad;
4929 struct lsm_network_audit net = {0,};
4932 ad.type = LSM_AUDIT_DATA_NET;
4934 ad.u.net->sk = other;
4936 err = avc_has_perm(&selinux_state,
4937 sksec_sock->sid, sksec_other->sid,
4938 sksec_other->sclass,
4939 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4943 /* server child socket */
4944 sksec_new->peer_sid = sksec_sock->sid;
4945 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4946 sksec_sock->sid, &sksec_new->sid);
4950 /* connecting socket */
4951 sksec_sock->peer_sid = sksec_new->sid;
4956 static int selinux_socket_unix_may_send(struct socket *sock,
4957 struct socket *other)
4959 struct sk_security_struct *ssec = sock->sk->sk_security;
4960 struct sk_security_struct *osec = other->sk->sk_security;
4961 struct common_audit_data ad;
4962 struct lsm_network_audit net = {0,};
4964 ad.type = LSM_AUDIT_DATA_NET;
4966 ad.u.net->sk = other->sk;
4968 return avc_has_perm(&selinux_state,
4969 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4973 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4974 char *addrp, u16 family, u32 peer_sid,
4975 struct common_audit_data *ad)
4981 err = sel_netif_sid(ns, ifindex, &if_sid);
4984 err = avc_has_perm(&selinux_state,
4986 SECCLASS_NETIF, NETIF__INGRESS, ad);
4990 err = sel_netnode_sid(addrp, family, &node_sid);
4993 return avc_has_perm(&selinux_state,
4995 SECCLASS_NODE, NODE__RECVFROM, ad);
4998 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5002 struct sk_security_struct *sksec = sk->sk_security;
5003 u32 sk_sid = sksec->sid;
5004 struct common_audit_data ad;
5005 struct lsm_network_audit net = {0,};
5008 ad.type = LSM_AUDIT_DATA_NET;
5010 ad.u.net->netif = skb->skb_iif;
5011 ad.u.net->family = family;
5012 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5016 if (selinux_secmark_enabled()) {
5017 err = avc_has_perm(&selinux_state,
5018 sk_sid, skb->secmark, SECCLASS_PACKET,
5024 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5027 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5032 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5035 struct sk_security_struct *sksec = sk->sk_security;
5036 u16 family = sk->sk_family;
5037 u32 sk_sid = sksec->sid;
5038 struct common_audit_data ad;
5039 struct lsm_network_audit net = {0,};
5044 if (family != PF_INET && family != PF_INET6)
5047 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5048 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5051 /* If any sort of compatibility mode is enabled then handoff processing
5052 * to the selinux_sock_rcv_skb_compat() function to deal with the
5053 * special handling. We do this in an attempt to keep this function
5054 * as fast and as clean as possible. */
5055 if (!selinux_policycap_netpeer())
5056 return selinux_sock_rcv_skb_compat(sk, skb, family);
5058 secmark_active = selinux_secmark_enabled();
5059 peerlbl_active = selinux_peerlbl_enabled();
5060 if (!secmark_active && !peerlbl_active)
5063 ad.type = LSM_AUDIT_DATA_NET;
5065 ad.u.net->netif = skb->skb_iif;
5066 ad.u.net->family = family;
5067 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5071 if (peerlbl_active) {
5074 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5077 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5078 addrp, family, peer_sid, &ad);
5080 selinux_netlbl_err(skb, family, err, 0);
5083 err = avc_has_perm(&selinux_state,
5084 sk_sid, peer_sid, SECCLASS_PEER,
5087 selinux_netlbl_err(skb, family, err, 0);
5092 if (secmark_active) {
5093 err = avc_has_perm(&selinux_state,
5094 sk_sid, skb->secmark, SECCLASS_PACKET,
5103 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5104 int __user *optlen, unsigned len)
5109 struct sk_security_struct *sksec = sock->sk->sk_security;
5110 u32 peer_sid = SECSID_NULL;
5112 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5113 sksec->sclass == SECCLASS_TCP_SOCKET ||
5114 sksec->sclass == SECCLASS_SCTP_SOCKET)
5115 peer_sid = sksec->peer_sid;
5116 if (peer_sid == SECSID_NULL)
5117 return -ENOPROTOOPT;
5119 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5124 if (scontext_len > len) {
5129 if (copy_to_user(optval, scontext, scontext_len))
5133 if (put_user(scontext_len, optlen))
5139 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5141 u32 peer_secid = SECSID_NULL;
5143 struct inode_security_struct *isec;
5145 if (skb && skb->protocol == htons(ETH_P_IP))
5147 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5150 family = sock->sk->sk_family;
5154 if (sock && family == PF_UNIX) {
5155 isec = inode_security_novalidate(SOCK_INODE(sock));
5156 peer_secid = isec->sid;
5158 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5161 *secid = peer_secid;
5162 if (peer_secid == SECSID_NULL)
5167 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5169 struct sk_security_struct *sksec;
5171 sksec = kzalloc(sizeof(*sksec), priority);
5175 sksec->peer_sid = SECINITSID_UNLABELED;
5176 sksec->sid = SECINITSID_UNLABELED;
5177 sksec->sclass = SECCLASS_SOCKET;
5178 selinux_netlbl_sk_security_reset(sksec);
5179 sk->sk_security = sksec;
5184 static void selinux_sk_free_security(struct sock *sk)
5186 struct sk_security_struct *sksec = sk->sk_security;
5188 sk->sk_security = NULL;
5189 selinux_netlbl_sk_security_free(sksec);
5193 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5195 struct sk_security_struct *sksec = sk->sk_security;
5196 struct sk_security_struct *newsksec = newsk->sk_security;
5198 newsksec->sid = sksec->sid;
5199 newsksec->peer_sid = sksec->peer_sid;
5200 newsksec->sclass = sksec->sclass;
5202 selinux_netlbl_sk_security_reset(newsksec);
5205 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5208 *secid = SECINITSID_ANY_SOCKET;
5210 struct sk_security_struct *sksec = sk->sk_security;
5212 *secid = sksec->sid;
5216 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5218 struct inode_security_struct *isec =
5219 inode_security_novalidate(SOCK_INODE(parent));
5220 struct sk_security_struct *sksec = sk->sk_security;
5222 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5223 sk->sk_family == PF_UNIX)
5224 isec->sid = sksec->sid;
5225 sksec->sclass = isec->sclass;
5228 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5229 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5232 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5233 struct sk_buff *skb)
5235 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5236 struct common_audit_data ad;
5237 struct lsm_network_audit net = {0,};
5239 u32 peer_sid = SECINITSID_UNLABELED;
5243 if (!selinux_policycap_extsockclass())
5246 peerlbl_active = selinux_peerlbl_enabled();
5248 if (peerlbl_active) {
5249 /* This will return peer_sid = SECSID_NULL if there are
5250 * no peer labels, see security_net_peersid_resolve().
5252 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5257 if (peer_sid == SECSID_NULL)
5258 peer_sid = SECINITSID_UNLABELED;
5261 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5262 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5264 /* Here as first association on socket. As the peer SID
5265 * was allowed by peer recv (and the netif/node checks),
5266 * then it is approved by policy and used as the primary
5267 * peer SID for getpeercon(3).
5269 sksec->peer_sid = peer_sid;
5270 } else if (sksec->peer_sid != peer_sid) {
5271 /* Other association peer SIDs are checked to enforce
5272 * consistency among the peer SIDs.
5274 ad.type = LSM_AUDIT_DATA_NET;
5276 ad.u.net->sk = ep->base.sk;
5277 err = avc_has_perm(&selinux_state,
5278 sksec->peer_sid, peer_sid, sksec->sclass,
5279 SCTP_SOCKET__ASSOCIATION, &ad);
5284 /* Compute the MLS component for the connection and store
5285 * the information in ep. This will be used by SCTP TCP type
5286 * sockets and peeled off connections as they cause a new
5287 * socket to be generated. selinux_sctp_sk_clone() will then
5288 * plug this into the new socket.
5290 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5294 ep->secid = conn_sid;
5295 ep->peer_secid = peer_sid;
5297 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5298 return selinux_netlbl_sctp_assoc_request(ep, skb);
5301 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5302 * based on their @optname.
5304 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5305 struct sockaddr *address,
5308 int len, err = 0, walk_size = 0;
5310 struct sockaddr *addr;
5311 struct socket *sock;
5313 if (!selinux_policycap_extsockclass())
5316 /* Process one or more addresses that may be IPv4 or IPv6 */
5317 sock = sk->sk_socket;
5320 while (walk_size < addrlen) {
5322 switch (addr->sa_family) {
5325 len = sizeof(struct sockaddr_in);
5328 len = sizeof(struct sockaddr_in6);
5337 case SCTP_PRIMARY_ADDR:
5338 case SCTP_SET_PEER_PRIMARY_ADDR:
5339 case SCTP_SOCKOPT_BINDX_ADD:
5340 err = selinux_socket_bind(sock, addr, len);
5342 /* Connect checks */
5343 case SCTP_SOCKOPT_CONNECTX:
5344 case SCTP_PARAM_SET_PRIMARY:
5345 case SCTP_PARAM_ADD_IP:
5346 case SCTP_SENDMSG_CONNECT:
5347 err = selinux_socket_connect_helper(sock, addr, len);
5351 /* As selinux_sctp_bind_connect() is called by the
5352 * SCTP protocol layer, the socket is already locked,
5353 * therefore selinux_netlbl_socket_connect_locked() is
5354 * is called here. The situations handled are:
5355 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5356 * whenever a new IP address is added or when a new
5357 * primary address is selected.
5358 * Note that an SCTP connect(2) call happens before
5359 * the SCTP protocol layer and is handled via
5360 * selinux_socket_connect().
5362 err = selinux_netlbl_socket_connect_locked(sk, addr);
5376 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5377 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5380 struct sk_security_struct *sksec = sk->sk_security;
5381 struct sk_security_struct *newsksec = newsk->sk_security;
5383 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5384 * the non-sctp clone version.
5386 if (!selinux_policycap_extsockclass())
5387 return selinux_sk_clone_security(sk, newsk);
5389 newsksec->sid = ep->secid;
5390 newsksec->peer_sid = ep->peer_secid;
5391 newsksec->sclass = sksec->sclass;
5392 selinux_netlbl_sctp_sk_clone(sk, newsk);
5395 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5396 struct request_sock *req)
5398 struct sk_security_struct *sksec = sk->sk_security;
5400 u16 family = req->rsk_ops->family;
5404 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5407 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5410 req->secid = connsid;
5411 req->peer_secid = peersid;
5413 return selinux_netlbl_inet_conn_request(req, family);
5416 static void selinux_inet_csk_clone(struct sock *newsk,
5417 const struct request_sock *req)
5419 struct sk_security_struct *newsksec = newsk->sk_security;
5421 newsksec->sid = req->secid;
5422 newsksec->peer_sid = req->peer_secid;
5423 /* NOTE: Ideally, we should also get the isec->sid for the
5424 new socket in sync, but we don't have the isec available yet.
5425 So we will wait until sock_graft to do it, by which
5426 time it will have been created and available. */
5428 /* We don't need to take any sort of lock here as we are the only
5429 * thread with access to newsksec */
5430 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5433 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5435 u16 family = sk->sk_family;
5436 struct sk_security_struct *sksec = sk->sk_security;
5438 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5439 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5442 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5445 static int selinux_secmark_relabel_packet(u32 sid)
5447 const struct task_security_struct *__tsec;
5450 __tsec = current_security();
5453 return avc_has_perm(&selinux_state,
5454 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5458 static void selinux_secmark_refcount_inc(void)
5460 atomic_inc(&selinux_secmark_refcount);
5463 static void selinux_secmark_refcount_dec(void)
5465 atomic_dec(&selinux_secmark_refcount);
5468 static void selinux_req_classify_flow(const struct request_sock *req,
5471 fl->flowi_secid = req->secid;
5474 static int selinux_tun_dev_alloc_security(void **security)
5476 struct tun_security_struct *tunsec;
5478 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5481 tunsec->sid = current_sid();
5487 static void selinux_tun_dev_free_security(void *security)
5492 static int selinux_tun_dev_create(void)
5494 u32 sid = current_sid();
5496 /* we aren't taking into account the "sockcreate" SID since the socket
5497 * that is being created here is not a socket in the traditional sense,
5498 * instead it is a private sock, accessible only to the kernel, and
5499 * representing a wide range of network traffic spanning multiple
5500 * connections unlike traditional sockets - check the TUN driver to
5501 * get a better understanding of why this socket is special */
5503 return avc_has_perm(&selinux_state,
5504 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5508 static int selinux_tun_dev_attach_queue(void *security)
5510 struct tun_security_struct *tunsec = security;
5512 return avc_has_perm(&selinux_state,
5513 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5514 TUN_SOCKET__ATTACH_QUEUE, NULL);
5517 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5519 struct tun_security_struct *tunsec = security;
5520 struct sk_security_struct *sksec = sk->sk_security;
5522 /* we don't currently perform any NetLabel based labeling here and it
5523 * isn't clear that we would want to do so anyway; while we could apply
5524 * labeling without the support of the TUN user the resulting labeled
5525 * traffic from the other end of the connection would almost certainly
5526 * cause confusion to the TUN user that had no idea network labeling
5527 * protocols were being used */
5529 sksec->sid = tunsec->sid;
5530 sksec->sclass = SECCLASS_TUN_SOCKET;
5535 static int selinux_tun_dev_open(void *security)
5537 struct tun_security_struct *tunsec = security;
5538 u32 sid = current_sid();
5541 err = avc_has_perm(&selinux_state,
5542 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5543 TUN_SOCKET__RELABELFROM, NULL);
5546 err = avc_has_perm(&selinux_state,
5547 sid, sid, SECCLASS_TUN_SOCKET,
5548 TUN_SOCKET__RELABELTO, NULL);
5556 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5560 struct nlmsghdr *nlh;
5561 struct sk_security_struct *sksec = sk->sk_security;
5563 if (skb->len < NLMSG_HDRLEN) {
5567 nlh = nlmsg_hdr(skb);
5569 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5571 if (err == -EINVAL) {
5572 pr_warn_ratelimited("SELinux: unrecognized netlink"
5573 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5574 " pig=%d comm=%s\n",
5575 sk->sk_protocol, nlh->nlmsg_type,
5576 secclass_map[sksec->sclass - 1].name,
5577 task_pid_nr(current), current->comm);
5578 if (!enforcing_enabled(&selinux_state) ||
5579 security_get_allow_unknown(&selinux_state))
5589 err = sock_has_perm(sk, perm);
5594 #ifdef CONFIG_NETFILTER
5596 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5597 const struct net_device *indev,
5603 struct common_audit_data ad;
5604 struct lsm_network_audit net = {0,};
5609 if (!selinux_policycap_netpeer())
5612 secmark_active = selinux_secmark_enabled();
5613 netlbl_active = netlbl_enabled();
5614 peerlbl_active = selinux_peerlbl_enabled();
5615 if (!secmark_active && !peerlbl_active)
5618 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5621 ad.type = LSM_AUDIT_DATA_NET;
5623 ad.u.net->netif = indev->ifindex;
5624 ad.u.net->family = family;
5625 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5628 if (peerlbl_active) {
5629 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5630 addrp, family, peer_sid, &ad);
5632 selinux_netlbl_err(skb, family, err, 1);
5638 if (avc_has_perm(&selinux_state,
5639 peer_sid, skb->secmark,
5640 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5644 /* we do this in the FORWARD path and not the POST_ROUTING
5645 * path because we want to make sure we apply the necessary
5646 * labeling before IPsec is applied so we can leverage AH
5648 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5654 static unsigned int selinux_ipv4_forward(void *priv,
5655 struct sk_buff *skb,
5656 const struct nf_hook_state *state)
5658 return selinux_ip_forward(skb, state->in, PF_INET);
5661 #if IS_ENABLED(CONFIG_IPV6)
5662 static unsigned int selinux_ipv6_forward(void *priv,
5663 struct sk_buff *skb,
5664 const struct nf_hook_state *state)
5666 return selinux_ip_forward(skb, state->in, PF_INET6);
5670 static unsigned int selinux_ip_output(struct sk_buff *skb,
5676 if (!netlbl_enabled())
5679 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5680 * because we want to make sure we apply the necessary labeling
5681 * before IPsec is applied so we can leverage AH protection */
5684 struct sk_security_struct *sksec;
5686 if (sk_listener(sk))
5687 /* if the socket is the listening state then this
5688 * packet is a SYN-ACK packet which means it needs to
5689 * be labeled based on the connection/request_sock and
5690 * not the parent socket. unfortunately, we can't
5691 * lookup the request_sock yet as it isn't queued on
5692 * the parent socket until after the SYN-ACK is sent.
5693 * the "solution" is to simply pass the packet as-is
5694 * as any IP option based labeling should be copied
5695 * from the initial connection request (in the IP
5696 * layer). it is far from ideal, but until we get a
5697 * security label in the packet itself this is the
5698 * best we can do. */
5701 /* standard practice, label using the parent socket */
5702 sksec = sk->sk_security;
5705 sid = SECINITSID_KERNEL;
5706 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5712 static unsigned int selinux_ipv4_output(void *priv,
5713 struct sk_buff *skb,
5714 const struct nf_hook_state *state)
5716 return selinux_ip_output(skb, PF_INET);
5719 #if IS_ENABLED(CONFIG_IPV6)
5720 static unsigned int selinux_ipv6_output(void *priv,
5721 struct sk_buff *skb,
5722 const struct nf_hook_state *state)
5724 return selinux_ip_output(skb, PF_INET6);
5728 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5732 struct sock *sk = skb_to_full_sk(skb);
5733 struct sk_security_struct *sksec;
5734 struct common_audit_data ad;
5735 struct lsm_network_audit net = {0,};
5741 sksec = sk->sk_security;
5743 ad.type = LSM_AUDIT_DATA_NET;
5745 ad.u.net->netif = ifindex;
5746 ad.u.net->family = family;
5747 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5750 if (selinux_secmark_enabled())
5751 if (avc_has_perm(&selinux_state,
5752 sksec->sid, skb->secmark,
5753 SECCLASS_PACKET, PACKET__SEND, &ad))
5754 return NF_DROP_ERR(-ECONNREFUSED);
5756 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5757 return NF_DROP_ERR(-ECONNREFUSED);
5762 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5763 const struct net_device *outdev,
5768 int ifindex = outdev->ifindex;
5770 struct common_audit_data ad;
5771 struct lsm_network_audit net = {0,};
5776 /* If any sort of compatibility mode is enabled then handoff processing
5777 * to the selinux_ip_postroute_compat() function to deal with the
5778 * special handling. We do this in an attempt to keep this function
5779 * as fast and as clean as possible. */
5780 if (!selinux_policycap_netpeer())
5781 return selinux_ip_postroute_compat(skb, ifindex, family);
5783 secmark_active = selinux_secmark_enabled();
5784 peerlbl_active = selinux_peerlbl_enabled();
5785 if (!secmark_active && !peerlbl_active)
5788 sk = skb_to_full_sk(skb);
5791 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5792 * packet transformation so allow the packet to pass without any checks
5793 * since we'll have another chance to perform access control checks
5794 * when the packet is on it's final way out.
5795 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5796 * is NULL, in this case go ahead and apply access control.
5797 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5798 * TCP listening state we cannot wait until the XFRM processing
5799 * is done as we will miss out on the SA label if we do;
5800 * unfortunately, this means more work, but it is only once per
5802 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5803 !(sk && sk_listener(sk)))
5808 /* Without an associated socket the packet is either coming
5809 * from the kernel or it is being forwarded; check the packet
5810 * to determine which and if the packet is being forwarded
5811 * query the packet directly to determine the security label. */
5813 secmark_perm = PACKET__FORWARD_OUT;
5814 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5817 secmark_perm = PACKET__SEND;
5818 peer_sid = SECINITSID_KERNEL;
5820 } else if (sk_listener(sk)) {
5821 /* Locally generated packet but the associated socket is in the
5822 * listening state which means this is a SYN-ACK packet. In
5823 * this particular case the correct security label is assigned
5824 * to the connection/request_sock but unfortunately we can't
5825 * query the request_sock as it isn't queued on the parent
5826 * socket until after the SYN-ACK packet is sent; the only
5827 * viable choice is to regenerate the label like we do in
5828 * selinux_inet_conn_request(). See also selinux_ip_output()
5829 * for similar problems. */
5831 struct sk_security_struct *sksec;
5833 sksec = sk->sk_security;
5834 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5836 /* At this point, if the returned skb peerlbl is SECSID_NULL
5837 * and the packet has been through at least one XFRM
5838 * transformation then we must be dealing with the "final"
5839 * form of labeled IPsec packet; since we've already applied
5840 * all of our access controls on this packet we can safely
5841 * pass the packet. */
5842 if (skb_sid == SECSID_NULL) {
5845 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5849 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5853 return NF_DROP_ERR(-ECONNREFUSED);
5856 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5858 secmark_perm = PACKET__SEND;
5860 /* Locally generated packet, fetch the security label from the
5861 * associated socket. */
5862 struct sk_security_struct *sksec = sk->sk_security;
5863 peer_sid = sksec->sid;
5864 secmark_perm = PACKET__SEND;
5867 ad.type = LSM_AUDIT_DATA_NET;
5869 ad.u.net->netif = ifindex;
5870 ad.u.net->family = family;
5871 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5875 if (avc_has_perm(&selinux_state,
5876 peer_sid, skb->secmark,
5877 SECCLASS_PACKET, secmark_perm, &ad))
5878 return NF_DROP_ERR(-ECONNREFUSED);
5880 if (peerlbl_active) {
5884 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5886 if (avc_has_perm(&selinux_state,
5888 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5889 return NF_DROP_ERR(-ECONNREFUSED);
5891 if (sel_netnode_sid(addrp, family, &node_sid))
5893 if (avc_has_perm(&selinux_state,
5895 SECCLASS_NODE, NODE__SENDTO, &ad))
5896 return NF_DROP_ERR(-ECONNREFUSED);
5902 static unsigned int selinux_ipv4_postroute(void *priv,
5903 struct sk_buff *skb,
5904 const struct nf_hook_state *state)
5906 return selinux_ip_postroute(skb, state->out, PF_INET);
5909 #if IS_ENABLED(CONFIG_IPV6)
5910 static unsigned int selinux_ipv6_postroute(void *priv,
5911 struct sk_buff *skb,
5912 const struct nf_hook_state *state)
5914 return selinux_ip_postroute(skb, state->out, PF_INET6);
5918 #endif /* CONFIG_NETFILTER */
5920 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5922 return selinux_nlmsg_perm(sk, skb);
5925 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5928 struct ipc_security_struct *isec;
5930 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5934 isec->sclass = sclass;
5935 isec->sid = current_sid();
5936 perm->security = isec;
5941 static void ipc_free_security(struct kern_ipc_perm *perm)
5943 struct ipc_security_struct *isec = perm->security;
5944 perm->security = NULL;
5948 static int msg_msg_alloc_security(struct msg_msg *msg)
5950 struct msg_security_struct *msec;
5952 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5956 msec->sid = SECINITSID_UNLABELED;
5957 msg->security = msec;
5962 static void msg_msg_free_security(struct msg_msg *msg)
5964 struct msg_security_struct *msec = msg->security;
5966 msg->security = NULL;
5970 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5973 struct ipc_security_struct *isec;
5974 struct common_audit_data ad;
5975 u32 sid = current_sid();
5977 isec = ipc_perms->security;
5979 ad.type = LSM_AUDIT_DATA_IPC;
5980 ad.u.ipc_id = ipc_perms->key;
5982 return avc_has_perm(&selinux_state,
5983 sid, isec->sid, isec->sclass, perms, &ad);
5986 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5988 return msg_msg_alloc_security(msg);
5991 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5993 msg_msg_free_security(msg);
5996 /* message queue security operations */
5997 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5999 struct ipc_security_struct *isec;
6000 struct common_audit_data ad;
6001 u32 sid = current_sid();
6004 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
6008 isec = msq->security;
6010 ad.type = LSM_AUDIT_DATA_IPC;
6011 ad.u.ipc_id = msq->key;
6013 rc = avc_has_perm(&selinux_state,
6014 sid, isec->sid, SECCLASS_MSGQ,
6017 ipc_free_security(msq);
6023 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6025 ipc_free_security(msq);
6028 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6030 struct ipc_security_struct *isec;
6031 struct common_audit_data ad;
6032 u32 sid = current_sid();
6034 isec = msq->security;
6036 ad.type = LSM_AUDIT_DATA_IPC;
6037 ad.u.ipc_id = msq->key;
6039 return avc_has_perm(&selinux_state,
6040 sid, isec->sid, SECCLASS_MSGQ,
6041 MSGQ__ASSOCIATE, &ad);
6044 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6052 /* No specific object, just general system-wide information. */
6053 return avc_has_perm(&selinux_state,
6054 current_sid(), SECINITSID_KERNEL,
6055 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6059 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6062 perms = MSGQ__SETATTR;
6065 perms = MSGQ__DESTROY;
6071 err = ipc_has_perm(msq, perms);
6075 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6077 struct ipc_security_struct *isec;
6078 struct msg_security_struct *msec;
6079 struct common_audit_data ad;
6080 u32 sid = current_sid();
6083 isec = msq->security;
6084 msec = msg->security;
6087 * First time through, need to assign label to the message
6089 if (msec->sid == SECINITSID_UNLABELED) {
6091 * Compute new sid based on current process and
6092 * message queue this message will be stored in
6094 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6095 SECCLASS_MSG, NULL, &msec->sid);
6100 ad.type = LSM_AUDIT_DATA_IPC;
6101 ad.u.ipc_id = msq->key;
6103 /* Can this process write to the queue? */
6104 rc = avc_has_perm(&selinux_state,
6105 sid, isec->sid, SECCLASS_MSGQ,
6108 /* Can this process send the message */
6109 rc = avc_has_perm(&selinux_state,
6110 sid, msec->sid, SECCLASS_MSG,
6113 /* Can the message be put in the queue? */
6114 rc = avc_has_perm(&selinux_state,
6115 msec->sid, isec->sid, SECCLASS_MSGQ,
6116 MSGQ__ENQUEUE, &ad);
6121 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6122 struct task_struct *target,
6123 long type, int mode)
6125 struct ipc_security_struct *isec;
6126 struct msg_security_struct *msec;
6127 struct common_audit_data ad;
6128 u32 sid = task_sid(target);
6131 isec = msq->security;
6132 msec = msg->security;
6134 ad.type = LSM_AUDIT_DATA_IPC;
6135 ad.u.ipc_id = msq->key;
6137 rc = avc_has_perm(&selinux_state,
6139 SECCLASS_MSGQ, MSGQ__READ, &ad);
6141 rc = avc_has_perm(&selinux_state,
6143 SECCLASS_MSG, MSG__RECEIVE, &ad);
6147 /* Shared Memory security operations */
6148 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6150 struct ipc_security_struct *isec;
6151 struct common_audit_data ad;
6152 u32 sid = current_sid();
6155 rc = ipc_alloc_security(shp, SECCLASS_SHM);
6159 isec = shp->security;
6161 ad.type = LSM_AUDIT_DATA_IPC;
6162 ad.u.ipc_id = shp->key;
6164 rc = avc_has_perm(&selinux_state,
6165 sid, isec->sid, SECCLASS_SHM,
6168 ipc_free_security(shp);
6174 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6176 ipc_free_security(shp);
6179 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6181 struct ipc_security_struct *isec;
6182 struct common_audit_data ad;
6183 u32 sid = current_sid();
6185 isec = shp->security;
6187 ad.type = LSM_AUDIT_DATA_IPC;
6188 ad.u.ipc_id = shp->key;
6190 return avc_has_perm(&selinux_state,
6191 sid, isec->sid, SECCLASS_SHM,
6192 SHM__ASSOCIATE, &ad);
6195 /* Note, at this point, shp is locked down */
6196 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6204 /* No specific object, just general system-wide information. */
6205 return avc_has_perm(&selinux_state,
6206 current_sid(), SECINITSID_KERNEL,
6207 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6211 perms = SHM__GETATTR | SHM__ASSOCIATE;
6214 perms = SHM__SETATTR;
6221 perms = SHM__DESTROY;
6227 err = ipc_has_perm(shp, perms);
6231 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6232 char __user *shmaddr, int shmflg)
6236 if (shmflg & SHM_RDONLY)
6239 perms = SHM__READ | SHM__WRITE;
6241 return ipc_has_perm(shp, perms);
6244 /* Semaphore security operations */
6245 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6247 struct ipc_security_struct *isec;
6248 struct common_audit_data ad;
6249 u32 sid = current_sid();
6252 rc = ipc_alloc_security(sma, SECCLASS_SEM);
6256 isec = sma->security;
6258 ad.type = LSM_AUDIT_DATA_IPC;
6259 ad.u.ipc_id = sma->key;
6261 rc = avc_has_perm(&selinux_state,
6262 sid, isec->sid, SECCLASS_SEM,
6265 ipc_free_security(sma);
6271 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6273 ipc_free_security(sma);
6276 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6278 struct ipc_security_struct *isec;
6279 struct common_audit_data ad;
6280 u32 sid = current_sid();
6282 isec = sma->security;
6284 ad.type = LSM_AUDIT_DATA_IPC;
6285 ad.u.ipc_id = sma->key;
6287 return avc_has_perm(&selinux_state,
6288 sid, isec->sid, SECCLASS_SEM,
6289 SEM__ASSOCIATE, &ad);
6292 /* Note, at this point, sma is locked down */
6293 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6301 /* No specific object, just general system-wide information. */
6302 return avc_has_perm(&selinux_state,
6303 current_sid(), SECINITSID_KERNEL,
6304 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6308 perms = SEM__GETATTR;
6319 perms = SEM__DESTROY;
6322 perms = SEM__SETATTR;
6327 perms = SEM__GETATTR | SEM__ASSOCIATE;
6333 err = ipc_has_perm(sma, perms);
6337 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6338 struct sembuf *sops, unsigned nsops, int alter)
6343 perms = SEM__READ | SEM__WRITE;
6347 return ipc_has_perm(sma, perms);
6350 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6356 av |= IPC__UNIX_READ;
6358 av |= IPC__UNIX_WRITE;
6363 return ipc_has_perm(ipcp, av);
6366 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6368 struct ipc_security_struct *isec = ipcp->security;
6372 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6375 inode_doinit_with_dentry(inode, dentry);
6378 static int selinux_getprocattr(struct task_struct *p,
6379 char *name, char **value)
6381 const struct task_security_struct *__tsec;
6387 __tsec = __task_cred(p)->security;
6390 error = avc_has_perm(&selinux_state,
6391 current_sid(), __tsec->sid,
6392 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6397 if (!strcmp(name, "current"))
6399 else if (!strcmp(name, "prev"))
6401 else if (!strcmp(name, "exec"))
6402 sid = __tsec->exec_sid;
6403 else if (!strcmp(name, "fscreate"))
6404 sid = __tsec->create_sid;
6405 else if (!strcmp(name, "keycreate"))
6406 sid = __tsec->keycreate_sid;
6407 else if (!strcmp(name, "sockcreate"))
6408 sid = __tsec->sockcreate_sid;
6418 error = security_sid_to_context(&selinux_state, sid, value, &len);
6428 static int selinux_setprocattr(const char *name, void *value, size_t size)
6430 struct task_security_struct *tsec;
6432 u32 mysid = current_sid(), sid = 0, ptsid;
6437 * Basic control over ability to set these attributes at all.
6439 if (!strcmp(name, "exec"))
6440 error = avc_has_perm(&selinux_state,
6441 mysid, mysid, SECCLASS_PROCESS,
6442 PROCESS__SETEXEC, NULL);
6443 else if (!strcmp(name, "fscreate"))
6444 error = avc_has_perm(&selinux_state,
6445 mysid, mysid, SECCLASS_PROCESS,
6446 PROCESS__SETFSCREATE, NULL);
6447 else if (!strcmp(name, "keycreate"))
6448 error = avc_has_perm(&selinux_state,
6449 mysid, mysid, SECCLASS_PROCESS,
6450 PROCESS__SETKEYCREATE, NULL);
6451 else if (!strcmp(name, "sockcreate"))
6452 error = avc_has_perm(&selinux_state,
6453 mysid, mysid, SECCLASS_PROCESS,
6454 PROCESS__SETSOCKCREATE, NULL);
6455 else if (!strcmp(name, "current"))
6456 error = avc_has_perm(&selinux_state,
6457 mysid, mysid, SECCLASS_PROCESS,
6458 PROCESS__SETCURRENT, NULL);
6464 /* Obtain a SID for the context, if one was specified. */
6465 if (size && str[0] && str[0] != '\n') {
6466 if (str[size-1] == '\n') {
6470 error = security_context_to_sid(&selinux_state, value, size,
6472 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6473 if (!has_cap_mac_admin(true)) {
6474 struct audit_buffer *ab;
6477 /* We strip a nul only if it is at the end, otherwise the
6478 * context contains a nul and we should audit that */
6479 if (str[size - 1] == '\0')
6480 audit_size = size - 1;
6483 ab = audit_log_start(audit_context(),
6486 audit_log_format(ab, "op=fscreate invalid_context=");
6487 audit_log_n_untrustedstring(ab, value, audit_size);
6492 error = security_context_to_sid_force(
6500 new = prepare_creds();
6504 /* Permission checking based on the specified context is
6505 performed during the actual operation (execve,
6506 open/mkdir/...), when we know the full context of the
6507 operation. See selinux_bprm_set_creds for the execve
6508 checks and may_create for the file creation checks. The
6509 operation will then fail if the context is not permitted. */
6510 tsec = new->security;
6511 if (!strcmp(name, "exec")) {
6512 tsec->exec_sid = sid;
6513 } else if (!strcmp(name, "fscreate")) {
6514 tsec->create_sid = sid;
6515 } else if (!strcmp(name, "keycreate")) {
6516 error = avc_has_perm(&selinux_state,
6517 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6521 tsec->keycreate_sid = sid;
6522 } else if (!strcmp(name, "sockcreate")) {
6523 tsec->sockcreate_sid = sid;
6524 } else if (!strcmp(name, "current")) {
6529 /* Only allow single threaded processes to change context */
6531 if (!current_is_single_threaded()) {
6532 error = security_bounded_transition(&selinux_state,
6538 /* Check permissions for the transition. */
6539 error = avc_has_perm(&selinux_state,
6540 tsec->sid, sid, SECCLASS_PROCESS,
6541 PROCESS__DYNTRANSITION, NULL);
6545 /* Check for ptracing, and update the task SID if ok.
6546 Otherwise, leave SID unchanged and fail. */
6547 ptsid = ptrace_parent_sid();
6549 error = avc_has_perm(&selinux_state,
6550 ptsid, sid, SECCLASS_PROCESS,
6551 PROCESS__PTRACE, NULL);
6570 static int selinux_ismaclabel(const char *name)
6572 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6575 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6577 return security_sid_to_context(&selinux_state, secid,
6581 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6583 return security_context_to_sid(&selinux_state, secdata, seclen,
6587 static void selinux_release_secctx(char *secdata, u32 seclen)
6592 static void selinux_inode_invalidate_secctx(struct inode *inode)
6594 struct inode_security_struct *isec = inode->i_security;
6596 spin_lock(&isec->lock);
6597 isec->initialized = LABEL_INVALID;
6598 spin_unlock(&isec->lock);
6602 * called with inode->i_mutex locked
6604 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6606 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6610 * called with inode->i_mutex locked
6612 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6614 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6617 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6620 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6629 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6630 unsigned long flags)
6632 const struct task_security_struct *tsec;
6633 struct key_security_struct *ksec;
6635 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6639 tsec = cred->security;
6640 if (tsec->keycreate_sid)
6641 ksec->sid = tsec->keycreate_sid;
6643 ksec->sid = tsec->sid;
6649 static void selinux_key_free(struct key *k)
6651 struct key_security_struct *ksec = k->security;
6657 static int selinux_key_permission(key_ref_t key_ref,
6658 const struct cred *cred,
6662 struct key_security_struct *ksec;
6665 /* if no specific permissions are requested, we skip the
6666 permission check. No serious, additional covert channels
6667 appear to be created. */
6671 sid = cred_sid(cred);
6673 key = key_ref_to_ptr(key_ref);
6674 ksec = key->security;
6676 return avc_has_perm(&selinux_state,
6677 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6680 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6682 struct key_security_struct *ksec = key->security;
6683 char *context = NULL;
6687 rc = security_sid_to_context(&selinux_state, ksec->sid,
6696 #ifdef CONFIG_SECURITY_INFINIBAND
6697 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6699 struct common_audit_data ad;
6702 struct ib_security_struct *sec = ib_sec;
6703 struct lsm_ibpkey_audit ibpkey;
6705 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6709 ad.type = LSM_AUDIT_DATA_IBPKEY;
6710 ibpkey.subnet_prefix = subnet_prefix;
6711 ibpkey.pkey = pkey_val;
6712 ad.u.ibpkey = &ibpkey;
6713 return avc_has_perm(&selinux_state,
6715 SECCLASS_INFINIBAND_PKEY,
6716 INFINIBAND_PKEY__ACCESS, &ad);
6719 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6722 struct common_audit_data ad;
6725 struct ib_security_struct *sec = ib_sec;
6726 struct lsm_ibendport_audit ibendport;
6728 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6734 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6735 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6736 ibendport.port = port_num;
6737 ad.u.ibendport = &ibendport;
6738 return avc_has_perm(&selinux_state,
6740 SECCLASS_INFINIBAND_ENDPORT,
6741 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6744 static int selinux_ib_alloc_security(void **ib_sec)
6746 struct ib_security_struct *sec;
6748 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6751 sec->sid = current_sid();
6757 static void selinux_ib_free_security(void *ib_sec)
6763 #ifdef CONFIG_BPF_SYSCALL
6764 static int selinux_bpf(int cmd, union bpf_attr *attr,
6767 u32 sid = current_sid();
6771 case BPF_MAP_CREATE:
6772 ret = avc_has_perm(&selinux_state,
6773 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6777 ret = avc_has_perm(&selinux_state,
6778 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6789 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6793 if (fmode & FMODE_READ)
6794 av |= BPF__MAP_READ;
6795 if (fmode & FMODE_WRITE)
6796 av |= BPF__MAP_WRITE;
6800 /* This function will check the file pass through unix socket or binder to see
6801 * if it is a bpf related object. And apply correspinding checks on the bpf
6802 * object based on the type. The bpf maps and programs, not like other files and
6803 * socket, are using a shared anonymous inode inside the kernel as their inode.
6804 * So checking that inode cannot identify if the process have privilege to
6805 * access the bpf object and that's why we have to add this additional check in
6806 * selinux_file_receive and selinux_binder_transfer_files.
6808 static int bpf_fd_pass(struct file *file, u32 sid)
6810 struct bpf_security_struct *bpfsec;
6811 struct bpf_prog *prog;
6812 struct bpf_map *map;
6815 if (file->f_op == &bpf_map_fops) {
6816 map = file->private_data;
6817 bpfsec = map->security;
6818 ret = avc_has_perm(&selinux_state,
6819 sid, bpfsec->sid, SECCLASS_BPF,
6820 bpf_map_fmode_to_av(file->f_mode), NULL);
6823 } else if (file->f_op == &bpf_prog_fops) {
6824 prog = file->private_data;
6825 bpfsec = prog->aux->security;
6826 ret = avc_has_perm(&selinux_state,
6827 sid, bpfsec->sid, SECCLASS_BPF,
6828 BPF__PROG_RUN, NULL);
6835 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6837 u32 sid = current_sid();
6838 struct bpf_security_struct *bpfsec;
6840 bpfsec = map->security;
6841 return avc_has_perm(&selinux_state,
6842 sid, bpfsec->sid, SECCLASS_BPF,
6843 bpf_map_fmode_to_av(fmode), NULL);
6846 static int selinux_bpf_prog(struct bpf_prog *prog)
6848 u32 sid = current_sid();
6849 struct bpf_security_struct *bpfsec;
6851 bpfsec = prog->aux->security;
6852 return avc_has_perm(&selinux_state,
6853 sid, bpfsec->sid, SECCLASS_BPF,
6854 BPF__PROG_RUN, NULL);
6857 static int selinux_bpf_map_alloc(struct bpf_map *map)
6859 struct bpf_security_struct *bpfsec;
6861 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6865 bpfsec->sid = current_sid();
6866 map->security = bpfsec;
6871 static void selinux_bpf_map_free(struct bpf_map *map)
6873 struct bpf_security_struct *bpfsec = map->security;
6875 map->security = NULL;
6879 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6881 struct bpf_security_struct *bpfsec;
6883 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6887 bpfsec->sid = current_sid();
6888 aux->security = bpfsec;
6893 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6895 struct bpf_security_struct *bpfsec = aux->security;
6897 aux->security = NULL;
6902 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6903 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6904 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6905 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6906 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6908 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6909 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6910 LSM_HOOK_INIT(capget, selinux_capget),
6911 LSM_HOOK_INIT(capset, selinux_capset),
6912 LSM_HOOK_INIT(capable, selinux_capable),
6913 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6914 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6915 LSM_HOOK_INIT(syslog, selinux_syslog),
6916 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6918 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6920 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6921 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6922 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6924 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6925 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6926 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6927 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6928 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6929 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6930 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6931 LSM_HOOK_INIT(sb_mount, selinux_mount),
6932 LSM_HOOK_INIT(sb_umount, selinux_umount),
6933 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6934 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6935 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6937 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6938 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6940 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6941 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6942 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6943 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6944 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6945 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6946 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6947 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6948 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6949 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6950 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6951 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6952 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6953 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6954 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6955 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6956 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6957 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6958 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6959 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6960 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6961 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6962 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6963 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6964 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6965 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6966 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6968 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6969 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6970 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6971 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6972 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6973 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6974 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6975 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6976 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6977 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6978 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6979 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6981 LSM_HOOK_INIT(file_open, selinux_file_open),
6983 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6984 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6985 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6986 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6987 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6988 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6989 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6990 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6991 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6992 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6993 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6994 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6995 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6996 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6997 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6998 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6999 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7000 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7001 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7002 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7003 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7004 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7005 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7006 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7007 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7009 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7010 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7012 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7013 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
7015 LSM_HOOK_INIT(msg_queue_alloc_security,
7016 selinux_msg_queue_alloc_security),
7017 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
7018 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7019 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7020 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7021 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7023 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7024 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7025 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7026 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7027 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7029 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7030 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7031 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7032 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7033 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7035 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7037 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7038 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7040 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7041 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7042 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7043 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7044 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7045 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7046 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7047 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7049 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7050 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7052 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7053 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7054 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7055 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7056 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7057 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7058 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7059 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7060 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7061 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7062 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7063 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7064 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7065 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7066 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7067 LSM_HOOK_INIT(socket_getpeersec_stream,
7068 selinux_socket_getpeersec_stream),
7069 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7070 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7071 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7072 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7073 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7074 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7075 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7076 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7077 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7078 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7079 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7080 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7081 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7082 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7083 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7084 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7085 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7086 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7087 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7088 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7089 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7090 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7091 #ifdef CONFIG_SECURITY_INFINIBAND
7092 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7093 LSM_HOOK_INIT(ib_endport_manage_subnet,
7094 selinux_ib_endport_manage_subnet),
7095 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7096 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7098 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7099 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7100 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7101 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7102 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7103 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7104 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7105 selinux_xfrm_state_alloc_acquire),
7106 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7107 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7108 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7109 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7110 selinux_xfrm_state_pol_flow_match),
7111 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7115 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7116 LSM_HOOK_INIT(key_free, selinux_key_free),
7117 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7118 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7122 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7123 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7124 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7125 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7128 #ifdef CONFIG_BPF_SYSCALL
7129 LSM_HOOK_INIT(bpf, selinux_bpf),
7130 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7131 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7132 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7133 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7134 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7135 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7139 static __init int selinux_init(void)
7141 if (!security_module_enable("selinux")) {
7142 selinux_enabled = 0;
7146 if (!selinux_enabled) {
7147 pr_info("SELinux: Disabled at boot.\n");
7151 pr_info("SELinux: Initializing.\n");
7153 memset(&selinux_state, 0, sizeof(selinux_state));
7154 enforcing_set(&selinux_state, selinux_enforcing_boot);
7155 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7156 selinux_ss_init(&selinux_state.ss);
7157 selinux_avc_init(&selinux_state.avc);
7159 /* Set the security state for the initial task. */
7160 cred_init_security();
7162 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7164 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7165 sizeof(struct inode_security_struct),
7166 0, SLAB_PANIC, NULL);
7167 file_security_cache = kmem_cache_create("selinux_file_security",
7168 sizeof(struct file_security_struct),
7169 0, SLAB_PANIC, NULL);
7174 ebitmap_cache_init();
7176 hashtab_cache_init();
7178 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7180 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7181 panic("SELinux: Unable to register AVC netcache callback\n");
7183 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7184 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7186 if (selinux_enforcing_boot)
7187 pr_debug("SELinux: Starting in enforcing mode\n");
7189 pr_debug("SELinux: Starting in permissive mode\n");
7194 static void delayed_superblock_init(struct super_block *sb, void *unused)
7196 superblock_doinit(sb, NULL);
7199 void selinux_complete_init(void)
7201 pr_debug("SELinux: Completing initialization.\n");
7203 /* Set up any superblocks initialized prior to the policy load. */
7204 pr_debug("SELinux: Setting up existing superblocks.\n");
7205 iterate_supers(delayed_superblock_init, NULL);
7208 /* SELinux requires early initialization in order to label
7209 all processes and objects when they are created. */
7210 DEFINE_LSM(selinux) = {
7212 .init = selinux_init,
7215 #if defined(CONFIG_NETFILTER)
7217 static const struct nf_hook_ops selinux_nf_ops[] = {
7219 .hook = selinux_ipv4_postroute,
7221 .hooknum = NF_INET_POST_ROUTING,
7222 .priority = NF_IP_PRI_SELINUX_LAST,
7225 .hook = selinux_ipv4_forward,
7227 .hooknum = NF_INET_FORWARD,
7228 .priority = NF_IP_PRI_SELINUX_FIRST,
7231 .hook = selinux_ipv4_output,
7233 .hooknum = NF_INET_LOCAL_OUT,
7234 .priority = NF_IP_PRI_SELINUX_FIRST,
7236 #if IS_ENABLED(CONFIG_IPV6)
7238 .hook = selinux_ipv6_postroute,
7240 .hooknum = NF_INET_POST_ROUTING,
7241 .priority = NF_IP6_PRI_SELINUX_LAST,
7244 .hook = selinux_ipv6_forward,
7246 .hooknum = NF_INET_FORWARD,
7247 .priority = NF_IP6_PRI_SELINUX_FIRST,
7250 .hook = selinux_ipv6_output,
7252 .hooknum = NF_INET_LOCAL_OUT,
7253 .priority = NF_IP6_PRI_SELINUX_FIRST,
7258 static int __net_init selinux_nf_register(struct net *net)
7260 return nf_register_net_hooks(net, selinux_nf_ops,
7261 ARRAY_SIZE(selinux_nf_ops));
7264 static void __net_exit selinux_nf_unregister(struct net *net)
7266 nf_unregister_net_hooks(net, selinux_nf_ops,
7267 ARRAY_SIZE(selinux_nf_ops));
7270 static struct pernet_operations selinux_net_ops = {
7271 .init = selinux_nf_register,
7272 .exit = selinux_nf_unregister,
7275 static int __init selinux_nf_ip_init(void)
7279 if (!selinux_enabled)
7282 pr_debug("SELinux: Registering netfilter hooks\n");
7284 err = register_pernet_subsys(&selinux_net_ops);
7286 panic("SELinux: register_pernet_subsys: error %d\n", err);
7290 __initcall(selinux_nf_ip_init);
7292 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7293 static void selinux_nf_ip_exit(void)
7295 pr_debug("SELinux: Unregistering netfilter hooks\n");
7297 unregister_pernet_subsys(&selinux_net_ops);
7301 #else /* CONFIG_NETFILTER */
7303 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7304 #define selinux_nf_ip_exit()
7307 #endif /* CONFIG_NETFILTER */
7309 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7310 int selinux_disable(struct selinux_state *state)
7312 if (state->initialized) {
7313 /* Not permitted after initial policy load. */
7317 if (state->disabled) {
7318 /* Only do this once. */
7322 state->disabled = 1;
7324 pr_info("SELinux: Disabled at runtime.\n");
7326 selinux_enabled = 0;
7328 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7330 /* Try to destroy the avc node cache */
7333 /* Unregister netfilter hooks. */
7334 selinux_nf_ip_exit();
7336 /* Unregister selinuxfs. */
git.samba.org / sfrench / cifs-2.6.git / blob