2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
106 static int __init enforcing_setup(char *str)
108 unsigned long enforcing;
109 if (!kstrtoul(str, 0, &enforcing))
110 selinux_enforcing = enforcing ? 1 : 0;
113 __setup("enforcing=", enforcing_setup);
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119 static int __init selinux_enabled_setup(char *str)
121 unsigned long enabled;
122 if (!kstrtoul(str, 0, &enabled))
123 selinux_enabled = enabled ? 1 : 0;
126 __setup("selinux=", selinux_enabled_setup);
128 int selinux_enabled = 1;
131 static struct kmem_cache *sel_inode_cache;
132 static struct kmem_cache *file_security_cache;
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
141 * enabled, false (0) if SECMARK is disabled. If the always_check_network
142 * policy capability is enabled, SECMARK is always considered enabled.
145 static int selinux_secmark_enabled(void)
147 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
151 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
154 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
155 * (1) if any are enabled or false (0) if neither are enabled. If the
156 * always_check_network policy capability is enabled, peer labeling
157 * is always considered enabled.
160 static int selinux_peerlbl_enabled(void)
162 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
165 static int selinux_netcache_avc_callback(u32 event)
167 if (event == AVC_CALLBACK_RESET) {
176 static int selinux_lsm_notifier_avc_callback(u32 event)
178 if (event == AVC_CALLBACK_RESET) {
180 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
187 * initialise the security for the init task
189 static void cred_init_security(void)
191 struct cred *cred = (struct cred *) current->real_cred;
192 struct task_security_struct *tsec;
194 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
196 panic("SELinux: Failed to initialize initial task.\n");
198 tsec->osid = tsec->sid = SECINITSID_KERNEL;
199 cred->security = tsec;
203 * get the security ID of a set of credentials
205 static inline u32 cred_sid(const struct cred *cred)
207 const struct task_security_struct *tsec;
209 tsec = cred->security;
214 * get the objective security ID of a task
216 static inline u32 task_sid(const struct task_struct *task)
221 sid = cred_sid(__task_cred(task));
226 /* Allocate and free functions for each kind of security blob. */
228 static int inode_alloc_security(struct inode *inode)
230 struct inode_security_struct *isec;
231 u32 sid = current_sid();
233 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
237 spin_lock_init(&isec->lock);
238 INIT_LIST_HEAD(&isec->list);
240 isec->sid = SECINITSID_UNLABELED;
241 isec->sclass = SECCLASS_FILE;
242 isec->task_sid = sid;
243 isec->initialized = LABEL_INVALID;
244 inode->i_security = isec;
249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
252 * Try reloading inode security labels that have been marked as invalid. The
253 * @may_sleep parameter indicates when sleeping and thus reloading labels is
254 * allowed; when set to false, returns -ECHILD when the label is
255 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
256 * when no dentry is available, set it to NULL instead.
258 static int __inode_security_revalidate(struct inode *inode,
259 struct dentry *opt_dentry,
262 struct inode_security_struct *isec = inode->i_security;
264 might_sleep_if(may_sleep);
266 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
271 * Try reloading the inode security label. This will fail if
272 * @opt_dentry is NULL and no dentry for this inode can be
273 * found; in that case, continue using the old label.
275 inode_doinit_with_dentry(inode, opt_dentry);
280 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
282 return inode->i_security;
285 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
289 error = __inode_security_revalidate(inode, NULL, !rcu);
291 return ERR_PTR(error);
292 return inode->i_security;
296 * Get the security label of an inode.
298 static struct inode_security_struct *inode_security(struct inode *inode)
300 __inode_security_revalidate(inode, NULL, true);
301 return inode->i_security;
304 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
306 struct inode *inode = d_backing_inode(dentry);
308 return inode->i_security;
312 * Get the security label of a dentry's backing inode.
314 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
316 struct inode *inode = d_backing_inode(dentry);
318 __inode_security_revalidate(inode, dentry, true);
319 return inode->i_security;
322 static void inode_free_rcu(struct rcu_head *head)
324 struct inode_security_struct *isec;
326 isec = container_of(head, struct inode_security_struct, rcu);
327 kmem_cache_free(sel_inode_cache, isec);
330 static void inode_free_security(struct inode *inode)
332 struct inode_security_struct *isec = inode->i_security;
333 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
336 * As not all inode security structures are in a list, we check for
337 * empty list outside of the lock to make sure that we won't waste
338 * time taking a lock doing nothing.
340 * The list_del_init() function can be safely called more than once.
341 * It should not be possible for this function to be called with
342 * concurrent list_add(), but for better safety against future changes
343 * in the code, we use list_empty_careful() here.
345 if (!list_empty_careful(&isec->list)) {
346 spin_lock(&sbsec->isec_lock);
347 list_del_init(&isec->list);
348 spin_unlock(&sbsec->isec_lock);
352 * The inode may still be referenced in a path walk and
353 * a call to selinux_inode_permission() can be made
354 * after inode_free_security() is called. Ideally, the VFS
355 * wouldn't do this, but fixing that is a much harder
356 * job. For now, simply free the i_security via RCU, and
357 * leave the current inode->i_security pointer intact.
358 * The inode will be freed after the RCU grace period too.
360 call_rcu(&isec->rcu, inode_free_rcu);
363 static int file_alloc_security(struct file *file)
365 struct file_security_struct *fsec;
366 u32 sid = current_sid();
368 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
373 fsec->fown_sid = sid;
374 file->f_security = fsec;
379 static void file_free_security(struct file *file)
381 struct file_security_struct *fsec = file->f_security;
382 file->f_security = NULL;
383 kmem_cache_free(file_security_cache, fsec);
386 static int superblock_alloc_security(struct super_block *sb)
388 struct superblock_security_struct *sbsec;
390 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
394 mutex_init(&sbsec->lock);
395 INIT_LIST_HEAD(&sbsec->isec_head);
396 spin_lock_init(&sbsec->isec_lock);
398 sbsec->sid = SECINITSID_UNLABELED;
399 sbsec->def_sid = SECINITSID_FILE;
400 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
401 sb->s_security = sbsec;
406 static void superblock_free_security(struct super_block *sb)
408 struct superblock_security_struct *sbsec = sb->s_security;
409 sb->s_security = NULL;
413 static inline int inode_doinit(struct inode *inode)
415 return inode_doinit_with_dentry(inode, NULL);
424 Opt_labelsupport = 5,
428 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
430 static const match_table_t tokens = {
431 {Opt_context, CONTEXT_STR "%s"},
432 {Opt_fscontext, FSCONTEXT_STR "%s"},
433 {Opt_defcontext, DEFCONTEXT_STR "%s"},
434 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
435 {Opt_labelsupport, LABELSUPP_STR},
439 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
441 static int may_context_mount_sb_relabel(u32 sid,
442 struct superblock_security_struct *sbsec,
443 const struct cred *cred)
445 const struct task_security_struct *tsec = cred->security;
448 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449 FILESYSTEM__RELABELFROM, NULL);
453 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454 FILESYSTEM__RELABELTO, NULL);
458 static int may_context_mount_inode_relabel(u32 sid,
459 struct superblock_security_struct *sbsec,
460 const struct cred *cred)
462 const struct task_security_struct *tsec = cred->security;
464 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__RELABELFROM, NULL);
469 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470 FILESYSTEM__ASSOCIATE, NULL);
474 static int selinux_is_sblabel_mnt(struct super_block *sb)
476 struct superblock_security_struct *sbsec = sb->s_security;
478 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
479 sbsec->behavior == SECURITY_FS_USE_TRANS ||
480 sbsec->behavior == SECURITY_FS_USE_TASK ||
481 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
482 /* Special handling. Genfs but also in-core setxattr handler */
483 !strcmp(sb->s_type->name, "sysfs") ||
484 !strcmp(sb->s_type->name, "pstore") ||
485 !strcmp(sb->s_type->name, "debugfs") ||
486 !strcmp(sb->s_type->name, "tracefs") ||
487 !strcmp(sb->s_type->name, "rootfs") ||
488 (selinux_policycap_cgroupseclabel &&
489 (!strcmp(sb->s_type->name, "cgroup") ||
490 !strcmp(sb->s_type->name, "cgroup2")));
493 static int sb_finish_set_opts(struct super_block *sb)
495 struct superblock_security_struct *sbsec = sb->s_security;
496 struct dentry *root = sb->s_root;
497 struct inode *root_inode = d_backing_inode(root);
500 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
501 /* Make sure that the xattr handler exists and that no
502 error other than -ENODATA is returned by getxattr on
503 the root directory. -ENODATA is ok, as this may be
504 the first boot of the SELinux kernel before we have
505 assigned xattr values to the filesystem. */
506 if (!(root_inode->i_opflags & IOP_XATTR)) {
507 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
508 "xattr support\n", sb->s_id, sb->s_type->name);
513 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
514 if (rc < 0 && rc != -ENODATA) {
515 if (rc == -EOPNOTSUPP)
516 printk(KERN_WARNING "SELinux: (dev %s, type "
517 "%s) has no security xattr handler\n",
518 sb->s_id, sb->s_type->name);
520 printk(KERN_WARNING "SELinux: (dev %s, type "
521 "%s) getxattr errno %d\n", sb->s_id,
522 sb->s_type->name, -rc);
527 sbsec->flags |= SE_SBINITIALIZED;
530 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
531 * leave the flag untouched because sb_clone_mnt_opts might be handing
532 * us a superblock that needs the flag to be cleared.
534 if (selinux_is_sblabel_mnt(sb))
535 sbsec->flags |= SBLABEL_MNT;
537 sbsec->flags &= ~SBLABEL_MNT;
539 /* Initialize the root inode. */
540 rc = inode_doinit_with_dentry(root_inode, root);
542 /* Initialize any other inodes associated with the superblock, e.g.
543 inodes created prior to initial policy load or inodes created
544 during get_sb by a pseudo filesystem that directly
546 spin_lock(&sbsec->isec_lock);
548 if (!list_empty(&sbsec->isec_head)) {
549 struct inode_security_struct *isec =
550 list_entry(sbsec->isec_head.next,
551 struct inode_security_struct, list);
552 struct inode *inode = isec->inode;
553 list_del_init(&isec->list);
554 spin_unlock(&sbsec->isec_lock);
555 inode = igrab(inode);
557 if (!IS_PRIVATE(inode))
561 spin_lock(&sbsec->isec_lock);
564 spin_unlock(&sbsec->isec_lock);
570 * This function should allow an FS to ask what it's mount security
571 * options were so it can use those later for submounts, displaying
572 * mount options, or whatever.
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575 struct security_mnt_opts *opts)
578 struct superblock_security_struct *sbsec = sb->s_security;
579 char *context = NULL;
583 security_init_mnt_opts(opts);
585 if (!(sbsec->flags & SE_SBINITIALIZED))
591 /* make sure we always check enough bits to cover the mask */
592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
594 tmp = sbsec->flags & SE_MNTMASK;
595 /* count the number of mount options for this sb */
596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
598 opts->num_mnt_opts++;
601 /* Check if the Label support flag is set */
602 if (sbsec->flags & SBLABEL_MNT)
603 opts->num_mnt_opts++;
605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 if (!opts->mnt_opts) {
611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 if (!opts->mnt_opts_flags) {
618 if (sbsec->flags & FSCONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->sid, &context, &len);
622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
625 if (sbsec->flags & CONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
632 if (sbsec->flags & DEFCONTEXT_MNT) {
633 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
636 opts->mnt_opts[i] = context;
637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
639 if (sbsec->flags & ROOTCONTEXT_MNT) {
640 struct dentry *root = sbsec->sb->s_root;
641 struct inode_security_struct *isec = backing_inode_security(root);
643 rc = security_sid_to_context(isec->sid, &context, &len);
646 opts->mnt_opts[i] = context;
647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
649 if (sbsec->flags & SBLABEL_MNT) {
650 opts->mnt_opts[i] = NULL;
651 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
654 BUG_ON(i != opts->num_mnt_opts);
659 security_free_mnt_opts(opts);
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 u32 old_sid, u32 new_sid)
666 char mnt_flags = sbsec->flags & SE_MNTMASK;
668 /* check if the old mount command had the same options */
669 if (sbsec->flags & SE_SBINITIALIZED)
670 if (!(sbsec->flags & flag) ||
671 (old_sid != new_sid))
674 /* check if we were passed the same options twice,
675 * aka someone passed context=a,context=b
677 if (!(sbsec->flags & SE_SBINITIALIZED))
678 if (mnt_flags & flag)
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
687 static int selinux_set_mnt_opts(struct super_block *sb,
688 struct security_mnt_opts *opts,
689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
692 const struct cred *cred = current_cred();
694 struct superblock_security_struct *sbsec = sb->s_security;
695 const char *name = sb->s_type->name;
696 struct dentry *root = sbsec->sb->s_root;
697 struct inode_security_struct *root_isec;
698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 u32 defcontext_sid = 0;
700 char **mount_options = opts->mnt_opts;
701 int *flags = opts->mnt_opts_flags;
702 int num_opts = opts->num_mnt_opts;
704 mutex_lock(&sbsec->lock);
706 if (!ss_initialized) {
708 /* Defer initialization until selinux_complete_init,
709 after the initial policy is loaded and the security
710 server is ready to handle calls. */
714 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 "before the security server is initialized\n");
718 if (kern_flags && !set_kern_flags) {
719 /* Specifying internal flags without providing a place to
720 * place the results is not allowed */
726 * Binary mount data FS will come through this function twice. Once
727 * from an explicit call and once from the generic calls from the vfs.
728 * Since the generic VFS calls will not contain any security mount data
729 * we need to skip the double mount verification.
731 * This does open a hole in which we will not notice if the first
732 * mount using this sb set explict options and a second mount using
733 * this sb does not set any security options. (The first options
734 * will be used for both mounts)
736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
740 root_isec = backing_inode_security_novalidate(root);
743 * parse the mount options, check if they are valid sids.
744 * also check if someone is trying to mount the same sb more
745 * than once with different security options.
747 for (i = 0; i < num_opts; i++) {
750 if (flags[i] == SBLABEL_MNT)
752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
754 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755 "(%s) failed for (dev %s, type %s) errno=%d\n",
756 mount_options[i], sb->s_id, name, rc);
763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
765 goto out_double_mount;
767 sbsec->flags |= FSCONTEXT_MNT;
772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
774 goto out_double_mount;
776 sbsec->flags |= CONTEXT_MNT;
778 case ROOTCONTEXT_MNT:
779 rootcontext_sid = sid;
781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
783 goto out_double_mount;
785 sbsec->flags |= ROOTCONTEXT_MNT;
789 defcontext_sid = sid;
791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
793 goto out_double_mount;
795 sbsec->flags |= DEFCONTEXT_MNT;
804 if (sbsec->flags & SE_SBINITIALIZED) {
805 /* previously mounted with options, but not on this attempt? */
806 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807 goto out_double_mount;
812 if (strcmp(sb->s_type->name, "proc") == 0)
813 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
815 if (!strcmp(sb->s_type->name, "debugfs") ||
816 !strcmp(sb->s_type->name, "tracefs") ||
817 !strcmp(sb->s_type->name, "sysfs") ||
818 !strcmp(sb->s_type->name, "pstore"))
819 sbsec->flags |= SE_SBGENFS;
821 if (!sbsec->behavior) {
823 * Determine the labeling behavior to use for this
826 rc = security_fs_use(sb);
829 "%s: security_fs_use(%s) returned %d\n",
830 __func__, sb->s_type->name, rc);
836 * If this is a user namespace mount and the filesystem type is not
837 * explicitly whitelisted, then no contexts are allowed on the command
838 * line and security labels must be ignored.
840 if (sb->s_user_ns != &init_user_ns &&
841 strcmp(sb->s_type->name, "tmpfs") &&
842 strcmp(sb->s_type->name, "ramfs") &&
843 strcmp(sb->s_type->name, "devpts")) {
844 if (context_sid || fscontext_sid || rootcontext_sid ||
849 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
850 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
851 rc = security_transition_sid(current_sid(), current_sid(),
853 &sbsec->mntpoint_sid);
860 /* sets the context of the superblock for the fs being mounted. */
862 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
866 sbsec->sid = fscontext_sid;
870 * Switch to using mount point labeling behavior.
871 * sets the label used on all file below the mountpoint, and will set
872 * the superblock context if not already set.
874 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
875 sbsec->behavior = SECURITY_FS_USE_NATIVE;
876 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
880 if (!fscontext_sid) {
881 rc = may_context_mount_sb_relabel(context_sid, sbsec,
885 sbsec->sid = context_sid;
887 rc = may_context_mount_inode_relabel(context_sid, sbsec,
892 if (!rootcontext_sid)
893 rootcontext_sid = context_sid;
895 sbsec->mntpoint_sid = context_sid;
896 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
899 if (rootcontext_sid) {
900 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
905 root_isec->sid = rootcontext_sid;
906 root_isec->initialized = LABEL_INITIALIZED;
909 if (defcontext_sid) {
910 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
911 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
913 printk(KERN_WARNING "SELinux: defcontext option is "
914 "invalid for this filesystem type\n");
918 if (defcontext_sid != sbsec->def_sid) {
919 rc = may_context_mount_inode_relabel(defcontext_sid,
925 sbsec->def_sid = defcontext_sid;
929 rc = sb_finish_set_opts(sb);
931 mutex_unlock(&sbsec->lock);
935 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
936 "security settings for (dev %s, type %s)\n", sb->s_id, name);
940 static int selinux_cmp_sb_context(const struct super_block *oldsb,
941 const struct super_block *newsb)
943 struct superblock_security_struct *old = oldsb->s_security;
944 struct superblock_security_struct *new = newsb->s_security;
945 char oldflags = old->flags & SE_MNTMASK;
946 char newflags = new->flags & SE_MNTMASK;
948 if (oldflags != newflags)
950 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
952 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
954 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
956 if (oldflags & ROOTCONTEXT_MNT) {
957 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
958 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
959 if (oldroot->sid != newroot->sid)
964 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
965 "different security settings for (dev %s, "
966 "type %s)\n", newsb->s_id, newsb->s_type->name);
970 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
971 struct super_block *newsb,
972 unsigned long kern_flags,
973 unsigned long *set_kern_flags)
976 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
977 struct superblock_security_struct *newsbsec = newsb->s_security;
979 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
980 int set_context = (oldsbsec->flags & CONTEXT_MNT);
981 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
984 * if the parent was able to be mounted it clearly had no special lsm
985 * mount options. thus we can safely deal with this superblock later
991 * Specifying internal flags without providing a place to
992 * place the results is not allowed.
994 if (kern_flags && !set_kern_flags)
997 /* how can we clone if the old one wasn't set up?? */
998 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1000 /* if fs is reusing a sb, make sure that the contexts match */
1001 if (newsbsec->flags & SE_SBINITIALIZED)
1002 return selinux_cmp_sb_context(oldsb, newsb);
1004 mutex_lock(&newsbsec->lock);
1006 newsbsec->flags = oldsbsec->flags;
1008 newsbsec->sid = oldsbsec->sid;
1009 newsbsec->def_sid = oldsbsec->def_sid;
1010 newsbsec->behavior = oldsbsec->behavior;
1012 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1013 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1014 rc = security_fs_use(newsb);
1019 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1020 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1021 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1025 u32 sid = oldsbsec->mntpoint_sid;
1028 newsbsec->sid = sid;
1029 if (!set_rootcontext) {
1030 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1033 newsbsec->mntpoint_sid = sid;
1035 if (set_rootcontext) {
1036 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1037 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1039 newisec->sid = oldisec->sid;
1042 sb_finish_set_opts(newsb);
1044 mutex_unlock(&newsbsec->lock);
1048 static int selinux_parse_opts_str(char *options,
1049 struct security_mnt_opts *opts)
1052 char *context = NULL, *defcontext = NULL;
1053 char *fscontext = NULL, *rootcontext = NULL;
1054 int rc, num_mnt_opts = 0;
1056 opts->num_mnt_opts = 0;
1058 /* Standard string-based options. */
1059 while ((p = strsep(&options, "|")) != NULL) {
1061 substring_t args[MAX_OPT_ARGS];
1066 token = match_token(p, tokens, args);
1070 if (context || defcontext) {
1072 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1075 context = match_strdup(&args[0]);
1085 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1088 fscontext = match_strdup(&args[0]);
1095 case Opt_rootcontext:
1098 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1101 rootcontext = match_strdup(&args[0]);
1108 case Opt_defcontext:
1109 if (context || defcontext) {
1111 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1114 defcontext = match_strdup(&args[0]);
1120 case Opt_labelsupport:
1124 printk(KERN_WARNING "SELinux: unknown mount option\n");
1131 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1132 if (!opts->mnt_opts)
1135 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1137 if (!opts->mnt_opts_flags)
1141 opts->mnt_opts[num_mnt_opts] = fscontext;
1142 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1145 opts->mnt_opts[num_mnt_opts] = context;
1146 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1149 opts->mnt_opts[num_mnt_opts] = rootcontext;
1150 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1153 opts->mnt_opts[num_mnt_opts] = defcontext;
1154 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1157 opts->num_mnt_opts = num_mnt_opts;
1161 security_free_mnt_opts(opts);
1169 * string mount options parsing and call set the sbsec
1171 static int superblock_doinit(struct super_block *sb, void *data)
1174 char *options = data;
1175 struct security_mnt_opts opts;
1177 security_init_mnt_opts(&opts);
1182 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1184 rc = selinux_parse_opts_str(options, &opts);
1189 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1192 security_free_mnt_opts(&opts);
1196 static void selinux_write_opts(struct seq_file *m,
1197 struct security_mnt_opts *opts)
1202 for (i = 0; i < opts->num_mnt_opts; i++) {
1205 if (opts->mnt_opts[i])
1206 has_comma = strchr(opts->mnt_opts[i], ',');
1210 switch (opts->mnt_opts_flags[i]) {
1212 prefix = CONTEXT_STR;
1215 prefix = FSCONTEXT_STR;
1217 case ROOTCONTEXT_MNT:
1218 prefix = ROOTCONTEXT_STR;
1220 case DEFCONTEXT_MNT:
1221 prefix = DEFCONTEXT_STR;
1225 seq_puts(m, LABELSUPP_STR);
1231 /* we need a comma before each option */
1233 seq_puts(m, prefix);
1236 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1242 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1244 struct security_mnt_opts opts;
1247 rc = selinux_get_mnt_opts(sb, &opts);
1249 /* before policy load we may get EINVAL, don't show anything */
1255 selinux_write_opts(m, &opts);
1257 security_free_mnt_opts(&opts);
1262 static inline u16 inode_mode_to_security_class(umode_t mode)
1264 switch (mode & S_IFMT) {
1266 return SECCLASS_SOCK_FILE;
1268 return SECCLASS_LNK_FILE;
1270 return SECCLASS_FILE;
1272 return SECCLASS_BLK_FILE;
1274 return SECCLASS_DIR;
1276 return SECCLASS_CHR_FILE;
1278 return SECCLASS_FIFO_FILE;
1282 return SECCLASS_FILE;
1285 static inline int default_protocol_stream(int protocol)
1287 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1290 static inline int default_protocol_dgram(int protocol)
1292 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1295 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1297 int extsockclass = selinux_policycap_extsockclass;
1303 case SOCK_SEQPACKET:
1304 return SECCLASS_UNIX_STREAM_SOCKET;
1306 return SECCLASS_UNIX_DGRAM_SOCKET;
1313 case SOCK_SEQPACKET:
1314 if (default_protocol_stream(protocol))
1315 return SECCLASS_TCP_SOCKET;
1316 else if (extsockclass && protocol == IPPROTO_SCTP)
1317 return SECCLASS_SCTP_SOCKET;
1319 return SECCLASS_RAWIP_SOCKET;
1321 if (default_protocol_dgram(protocol))
1322 return SECCLASS_UDP_SOCKET;
1323 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1324 protocol == IPPROTO_ICMPV6))
1325 return SECCLASS_ICMP_SOCKET;
1327 return SECCLASS_RAWIP_SOCKET;
1329 return SECCLASS_DCCP_SOCKET;
1331 return SECCLASS_RAWIP_SOCKET;
1337 return SECCLASS_NETLINK_ROUTE_SOCKET;
1338 case NETLINK_SOCK_DIAG:
1339 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1341 return SECCLASS_NETLINK_NFLOG_SOCKET;
1343 return SECCLASS_NETLINK_XFRM_SOCKET;
1344 case NETLINK_SELINUX:
1345 return SECCLASS_NETLINK_SELINUX_SOCKET;
1347 return SECCLASS_NETLINK_ISCSI_SOCKET;
1349 return SECCLASS_NETLINK_AUDIT_SOCKET;
1350 case NETLINK_FIB_LOOKUP:
1351 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1352 case NETLINK_CONNECTOR:
1353 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1354 case NETLINK_NETFILTER:
1355 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1356 case NETLINK_DNRTMSG:
1357 return SECCLASS_NETLINK_DNRT_SOCKET;
1358 case NETLINK_KOBJECT_UEVENT:
1359 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1360 case NETLINK_GENERIC:
1361 return SECCLASS_NETLINK_GENERIC_SOCKET;
1362 case NETLINK_SCSITRANSPORT:
1363 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1365 return SECCLASS_NETLINK_RDMA_SOCKET;
1366 case NETLINK_CRYPTO:
1367 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1369 return SECCLASS_NETLINK_SOCKET;
1372 return SECCLASS_PACKET_SOCKET;
1374 return SECCLASS_KEY_SOCKET;
1376 return SECCLASS_APPLETALK_SOCKET;
1382 return SECCLASS_AX25_SOCKET;
1384 return SECCLASS_IPX_SOCKET;
1386 return SECCLASS_NETROM_SOCKET;
1388 return SECCLASS_ATMPVC_SOCKET;
1390 return SECCLASS_X25_SOCKET;
1392 return SECCLASS_ROSE_SOCKET;
1394 return SECCLASS_DECNET_SOCKET;
1396 return SECCLASS_ATMSVC_SOCKET;
1398 return SECCLASS_RDS_SOCKET;
1400 return SECCLASS_IRDA_SOCKET;
1402 return SECCLASS_PPPOX_SOCKET;
1404 return SECCLASS_LLC_SOCKET;
1406 return SECCLASS_CAN_SOCKET;
1408 return SECCLASS_TIPC_SOCKET;
1410 return SECCLASS_BLUETOOTH_SOCKET;
1412 return SECCLASS_IUCV_SOCKET;
1414 return SECCLASS_RXRPC_SOCKET;
1416 return SECCLASS_ISDN_SOCKET;
1418 return SECCLASS_PHONET_SOCKET;
1420 return SECCLASS_IEEE802154_SOCKET;
1422 return SECCLASS_CAIF_SOCKET;
1424 return SECCLASS_ALG_SOCKET;
1426 return SECCLASS_NFC_SOCKET;
1428 return SECCLASS_VSOCK_SOCKET;
1430 return SECCLASS_KCM_SOCKET;
1432 return SECCLASS_QIPCRTR_SOCKET;
1434 return SECCLASS_SMC_SOCKET;
1436 #error New address family defined, please update this function.
1441 return SECCLASS_SOCKET;
1444 static int selinux_genfs_get_sid(struct dentry *dentry,
1450 struct super_block *sb = dentry->d_sb;
1451 char *buffer, *path;
1453 buffer = (char *)__get_free_page(GFP_KERNEL);
1457 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1461 if (flags & SE_SBPROC) {
1462 /* each process gets a /proc/PID/ entry. Strip off the
1463 * PID part to get a valid selinux labeling.
1464 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1465 while (path[1] >= '0' && path[1] <= '9') {
1470 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1472 free_page((unsigned long)buffer);
1476 /* The inode's security attributes must be initialized before first use. */
1477 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1479 struct superblock_security_struct *sbsec = NULL;
1480 struct inode_security_struct *isec = inode->i_security;
1481 u32 task_sid, sid = 0;
1483 struct dentry *dentry;
1484 #define INITCONTEXTLEN 255
1485 char *context = NULL;
1489 if (isec->initialized == LABEL_INITIALIZED)
1492 spin_lock(&isec->lock);
1493 if (isec->initialized == LABEL_INITIALIZED)
1496 if (isec->sclass == SECCLASS_FILE)
1497 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1499 sbsec = inode->i_sb->s_security;
1500 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1501 /* Defer initialization until selinux_complete_init,
1502 after the initial policy is loaded and the security
1503 server is ready to handle calls. */
1504 spin_lock(&sbsec->isec_lock);
1505 if (list_empty(&isec->list))
1506 list_add(&isec->list, &sbsec->isec_head);
1507 spin_unlock(&sbsec->isec_lock);
1511 sclass = isec->sclass;
1512 task_sid = isec->task_sid;
1514 isec->initialized = LABEL_PENDING;
1515 spin_unlock(&isec->lock);
1517 switch (sbsec->behavior) {
1518 case SECURITY_FS_USE_NATIVE:
1520 case SECURITY_FS_USE_XATTR:
1521 if (!(inode->i_opflags & IOP_XATTR)) {
1522 sid = sbsec->def_sid;
1525 /* Need a dentry, since the xattr API requires one.
1526 Life would be simpler if we could just pass the inode. */
1528 /* Called from d_instantiate or d_splice_alias. */
1529 dentry = dget(opt_dentry);
1531 /* Called from selinux_complete_init, try to find a dentry. */
1532 dentry = d_find_alias(inode);
1536 * this is can be hit on boot when a file is accessed
1537 * before the policy is loaded. When we load policy we
1538 * may find inodes that have no dentry on the
1539 * sbsec->isec_head list. No reason to complain as these
1540 * will get fixed up the next time we go through
1541 * inode_doinit with a dentry, before these inodes could
1542 * be used again by userspace.
1547 len = INITCONTEXTLEN;
1548 context = kmalloc(len+1, GFP_NOFS);
1554 context[len] = '\0';
1555 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1556 if (rc == -ERANGE) {
1559 /* Need a larger buffer. Query for the right size. */
1560 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1566 context = kmalloc(len+1, GFP_NOFS);
1572 context[len] = '\0';
1573 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1577 if (rc != -ENODATA) {
1578 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1579 "%d for dev=%s ino=%ld\n", __func__,
1580 -rc, inode->i_sb->s_id, inode->i_ino);
1584 /* Map ENODATA to the default file SID */
1585 sid = sbsec->def_sid;
1588 rc = security_context_to_sid_default(context, rc, &sid,
1592 char *dev = inode->i_sb->s_id;
1593 unsigned long ino = inode->i_ino;
1595 if (rc == -EINVAL) {
1596 if (printk_ratelimit())
1597 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1598 "context=%s. This indicates you may need to relabel the inode or the "
1599 "filesystem in question.\n", ino, dev, context);
1601 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1602 "returned %d for dev=%s ino=%ld\n",
1603 __func__, context, -rc, dev, ino);
1606 /* Leave with the unlabeled SID */
1613 case SECURITY_FS_USE_TASK:
1616 case SECURITY_FS_USE_TRANS:
1617 /* Default to the fs SID. */
1620 /* Try to obtain a transition SID. */
1621 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1625 case SECURITY_FS_USE_MNTPOINT:
1626 sid = sbsec->mntpoint_sid;
1629 /* Default to the fs superblock SID. */
1632 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1633 /* We must have a dentry to determine the label on
1636 /* Called from d_instantiate or
1637 * d_splice_alias. */
1638 dentry = dget(opt_dentry);
1640 /* Called from selinux_complete_init, try to
1642 dentry = d_find_alias(inode);
1644 * This can be hit on boot when a file is accessed
1645 * before the policy is loaded. When we load policy we
1646 * may find inodes that have no dentry on the
1647 * sbsec->isec_head list. No reason to complain as
1648 * these will get fixed up the next time we go through
1649 * inode_doinit() with a dentry, before these inodes
1650 * could be used again by userspace.
1654 rc = selinux_genfs_get_sid(dentry, sclass,
1655 sbsec->flags, &sid);
1664 spin_lock(&isec->lock);
1665 if (isec->initialized == LABEL_PENDING) {
1667 isec->initialized = LABEL_INVALID;
1671 isec->initialized = LABEL_INITIALIZED;
1676 spin_unlock(&isec->lock);
1680 /* Convert a Linux signal to an access vector. */
1681 static inline u32 signal_to_av(int sig)
1687 /* Commonly granted from child to parent. */
1688 perm = PROCESS__SIGCHLD;
1691 /* Cannot be caught or ignored */
1692 perm = PROCESS__SIGKILL;
1695 /* Cannot be caught or ignored */
1696 perm = PROCESS__SIGSTOP;
1699 /* All other signals. */
1700 perm = PROCESS__SIGNAL;
1707 #if CAP_LAST_CAP > 63
1708 #error Fix SELinux to handle capabilities > 63.
1711 /* Check whether a task is allowed to use a capability. */
1712 static int cred_has_capability(const struct cred *cred,
1713 int cap, int audit, bool initns)
1715 struct common_audit_data ad;
1716 struct av_decision avd;
1718 u32 sid = cred_sid(cred);
1719 u32 av = CAP_TO_MASK(cap);
1722 ad.type = LSM_AUDIT_DATA_CAP;
1725 switch (CAP_TO_INDEX(cap)) {
1727 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1730 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1734 "SELinux: out of range capability %d\n", cap);
1739 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1740 if (audit == SECURITY_CAP_AUDIT) {
1741 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1748 /* Check whether a task has a particular permission to an inode.
1749 The 'adp' parameter is optional and allows other audit
1750 data to be passed (e.g. the dentry). */
1751 static int inode_has_perm(const struct cred *cred,
1752 struct inode *inode,
1754 struct common_audit_data *adp)
1756 struct inode_security_struct *isec;
1759 validate_creds(cred);
1761 if (unlikely(IS_PRIVATE(inode)))
1764 sid = cred_sid(cred);
1765 isec = inode->i_security;
1767 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1770 /* Same as inode_has_perm, but pass explicit audit data containing
1771 the dentry to help the auditing code to more easily generate the
1772 pathname if needed. */
1773 static inline int dentry_has_perm(const struct cred *cred,
1774 struct dentry *dentry,
1777 struct inode *inode = d_backing_inode(dentry);
1778 struct common_audit_data ad;
1780 ad.type = LSM_AUDIT_DATA_DENTRY;
1781 ad.u.dentry = dentry;
1782 __inode_security_revalidate(inode, dentry, true);
1783 return inode_has_perm(cred, inode, av, &ad);
1786 /* Same as inode_has_perm, but pass explicit audit data containing
1787 the path to help the auditing code to more easily generate the
1788 pathname if needed. */
1789 static inline int path_has_perm(const struct cred *cred,
1790 const struct path *path,
1793 struct inode *inode = d_backing_inode(path->dentry);
1794 struct common_audit_data ad;
1796 ad.type = LSM_AUDIT_DATA_PATH;
1798 __inode_security_revalidate(inode, path->dentry, true);
1799 return inode_has_perm(cred, inode, av, &ad);
1802 /* Same as path_has_perm, but uses the inode from the file struct. */
1803 static inline int file_path_has_perm(const struct cred *cred,
1807 struct common_audit_data ad;
1809 ad.type = LSM_AUDIT_DATA_FILE;
1811 return inode_has_perm(cred, file_inode(file), av, &ad);
1814 /* Check whether a task can use an open file descriptor to
1815 access an inode in a given way. Check access to the
1816 descriptor itself, and then use dentry_has_perm to
1817 check a particular permission to the file.
1818 Access to the descriptor is implicitly granted if it
1819 has the same SID as the process. If av is zero, then
1820 access to the file is not checked, e.g. for cases
1821 where only the descriptor is affected like seek. */
1822 static int file_has_perm(const struct cred *cred,
1826 struct file_security_struct *fsec = file->f_security;
1827 struct inode *inode = file_inode(file);
1828 struct common_audit_data ad;
1829 u32 sid = cred_sid(cred);
1832 ad.type = LSM_AUDIT_DATA_FILE;
1835 if (sid != fsec->sid) {
1836 rc = avc_has_perm(sid, fsec->sid,
1844 /* av is zero if only checking access to the descriptor. */
1847 rc = inode_has_perm(cred, inode, av, &ad);
1854 * Determine the label for an inode that might be unioned.
1857 selinux_determine_inode_label(const struct task_security_struct *tsec,
1859 const struct qstr *name, u16 tclass,
1862 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1864 if ((sbsec->flags & SE_SBINITIALIZED) &&
1865 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1866 *_new_isid = sbsec->mntpoint_sid;
1867 } else if ((sbsec->flags & SBLABEL_MNT) &&
1869 *_new_isid = tsec->create_sid;
1871 const struct inode_security_struct *dsec = inode_security(dir);
1872 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1879 /* Check whether a task can create a file. */
1880 static int may_create(struct inode *dir,
1881 struct dentry *dentry,
1884 const struct task_security_struct *tsec = current_security();
1885 struct inode_security_struct *dsec;
1886 struct superblock_security_struct *sbsec;
1888 struct common_audit_data ad;
1891 dsec = inode_security(dir);
1892 sbsec = dir->i_sb->s_security;
1896 ad.type = LSM_AUDIT_DATA_DENTRY;
1897 ad.u.dentry = dentry;
1899 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1900 DIR__ADD_NAME | DIR__SEARCH,
1905 rc = selinux_determine_inode_label(current_security(), dir,
1906 &dentry->d_name, tclass, &newsid);
1910 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1914 return avc_has_perm(newsid, sbsec->sid,
1915 SECCLASS_FILESYSTEM,
1916 FILESYSTEM__ASSOCIATE, &ad);
1920 #define MAY_UNLINK 1
1923 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1924 static int may_link(struct inode *dir,
1925 struct dentry *dentry,
1929 struct inode_security_struct *dsec, *isec;
1930 struct common_audit_data ad;
1931 u32 sid = current_sid();
1935 dsec = inode_security(dir);
1936 isec = backing_inode_security(dentry);
1938 ad.type = LSM_AUDIT_DATA_DENTRY;
1939 ad.u.dentry = dentry;
1942 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1943 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1958 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1963 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1967 static inline int may_rename(struct inode *old_dir,
1968 struct dentry *old_dentry,
1969 struct inode *new_dir,
1970 struct dentry *new_dentry)
1972 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1973 struct common_audit_data ad;
1974 u32 sid = current_sid();
1976 int old_is_dir, new_is_dir;
1979 old_dsec = inode_security(old_dir);
1980 old_isec = backing_inode_security(old_dentry);
1981 old_is_dir = d_is_dir(old_dentry);
1982 new_dsec = inode_security(new_dir);
1984 ad.type = LSM_AUDIT_DATA_DENTRY;
1986 ad.u.dentry = old_dentry;
1987 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1988 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1991 rc = avc_has_perm(sid, old_isec->sid,
1992 old_isec->sclass, FILE__RENAME, &ad);
1995 if (old_is_dir && new_dir != old_dir) {
1996 rc = avc_has_perm(sid, old_isec->sid,
1997 old_isec->sclass, DIR__REPARENT, &ad);
2002 ad.u.dentry = new_dentry;
2003 av = DIR__ADD_NAME | DIR__SEARCH;
2004 if (d_is_positive(new_dentry))
2005 av |= DIR__REMOVE_NAME;
2006 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2009 if (d_is_positive(new_dentry)) {
2010 new_isec = backing_inode_security(new_dentry);
2011 new_is_dir = d_is_dir(new_dentry);
2012 rc = avc_has_perm(sid, new_isec->sid,
2014 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2022 /* Check whether a task can perform a filesystem operation. */
2023 static int superblock_has_perm(const struct cred *cred,
2024 struct super_block *sb,
2026 struct common_audit_data *ad)
2028 struct superblock_security_struct *sbsec;
2029 u32 sid = cred_sid(cred);
2031 sbsec = sb->s_security;
2032 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2035 /* Convert a Linux mode and permission mask to an access vector. */
2036 static inline u32 file_mask_to_av(int mode, int mask)
2040 if (!S_ISDIR(mode)) {
2041 if (mask & MAY_EXEC)
2042 av |= FILE__EXECUTE;
2043 if (mask & MAY_READ)
2046 if (mask & MAY_APPEND)
2048 else if (mask & MAY_WRITE)
2052 if (mask & MAY_EXEC)
2054 if (mask & MAY_WRITE)
2056 if (mask & MAY_READ)
2063 /* Convert a Linux file to an access vector. */
2064 static inline u32 file_to_av(struct file *file)
2068 if (file->f_mode & FMODE_READ)
2070 if (file->f_mode & FMODE_WRITE) {
2071 if (file->f_flags & O_APPEND)
2078 * Special file opened with flags 3 for ioctl-only use.
2087 * Convert a file to an access vector and include the correct open
2090 static inline u32 open_file_to_av(struct file *file)
2092 u32 av = file_to_av(file);
2093 struct inode *inode = file_inode(file);
2095 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2101 /* Hook functions begin here. */
2103 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2105 u32 mysid = current_sid();
2106 u32 mgrsid = task_sid(mgr);
2108 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2109 BINDER__SET_CONTEXT_MGR, NULL);
2112 static int selinux_binder_transaction(struct task_struct *from,
2113 struct task_struct *to)
2115 u32 mysid = current_sid();
2116 u32 fromsid = task_sid(from);
2117 u32 tosid = task_sid(to);
2120 if (mysid != fromsid) {
2121 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2122 BINDER__IMPERSONATE, NULL);
2127 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2131 static int selinux_binder_transfer_binder(struct task_struct *from,
2132 struct task_struct *to)
2134 u32 fromsid = task_sid(from);
2135 u32 tosid = task_sid(to);
2137 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2141 static int selinux_binder_transfer_file(struct task_struct *from,
2142 struct task_struct *to,
2145 u32 sid = task_sid(to);
2146 struct file_security_struct *fsec = file->f_security;
2147 struct dentry *dentry = file->f_path.dentry;
2148 struct inode_security_struct *isec;
2149 struct common_audit_data ad;
2152 ad.type = LSM_AUDIT_DATA_PATH;
2153 ad.u.path = file->f_path;
2155 if (sid != fsec->sid) {
2156 rc = avc_has_perm(sid, fsec->sid,
2164 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2167 isec = backing_inode_security(dentry);
2168 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2172 static int selinux_ptrace_access_check(struct task_struct *child,
2175 u32 sid = current_sid();
2176 u32 csid = task_sid(child);
2178 if (mode & PTRACE_MODE_READ)
2179 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2181 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2184 static int selinux_ptrace_traceme(struct task_struct *parent)
2186 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2187 PROCESS__PTRACE, NULL);
2190 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2191 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2193 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2194 PROCESS__GETCAP, NULL);
2197 static int selinux_capset(struct cred *new, const struct cred *old,
2198 const kernel_cap_t *effective,
2199 const kernel_cap_t *inheritable,
2200 const kernel_cap_t *permitted)
2202 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2203 PROCESS__SETCAP, NULL);
2207 * (This comment used to live with the selinux_task_setuid hook,
2208 * which was removed).
2210 * Since setuid only affects the current process, and since the SELinux
2211 * controls are not based on the Linux identity attributes, SELinux does not
2212 * need to control this operation. However, SELinux does control the use of
2213 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2216 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2219 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2222 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2224 const struct cred *cred = current_cred();
2236 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2241 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2244 rc = 0; /* let the kernel handle invalid cmds */
2250 static int selinux_quota_on(struct dentry *dentry)
2252 const struct cred *cred = current_cred();
2254 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2257 static int selinux_syslog(int type)
2260 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2261 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2262 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2263 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2264 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2265 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2266 /* Set level of messages printed to console */
2267 case SYSLOG_ACTION_CONSOLE_LEVEL:
2268 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2269 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2272 /* All other syslog types */
2273 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2274 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2278 * Check that a process has enough memory to allocate a new virtual
2279 * mapping. 0 means there is enough memory for the allocation to
2280 * succeed and -ENOMEM implies there is not.
2282 * Do not audit the selinux permission check, as this is applied to all
2283 * processes that allocate mappings.
2285 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2287 int rc, cap_sys_admin = 0;
2289 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2290 SECURITY_CAP_NOAUDIT, true);
2294 return cap_sys_admin;
2297 /* binprm security operations */
2299 static u32 ptrace_parent_sid(void)
2302 struct task_struct *tracer;
2305 tracer = ptrace_parent(current);
2307 sid = task_sid(tracer);
2313 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2314 const struct task_security_struct *old_tsec,
2315 const struct task_security_struct *new_tsec)
2317 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2318 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2321 if (!nnp && !nosuid)
2322 return 0; /* neither NNP nor nosuid */
2324 if (new_tsec->sid == old_tsec->sid)
2325 return 0; /* No change in credentials */
2328 * The only transitions we permit under NNP or nosuid
2329 * are transitions to bounded SIDs, i.e. SIDs that are
2330 * guaranteed to only be allowed a subset of the permissions
2331 * of the current SID.
2333 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2336 * On failure, preserve the errno values for NNP vs nosuid.
2337 * NNP: Operation not permitted for caller.
2338 * nosuid: Permission denied to file.
2348 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2350 const struct task_security_struct *old_tsec;
2351 struct task_security_struct *new_tsec;
2352 struct inode_security_struct *isec;
2353 struct common_audit_data ad;
2354 struct inode *inode = file_inode(bprm->file);
2357 /* SELinux context only depends on initial program or script and not
2358 * the script interpreter */
2359 if (bprm->called_set_creds)
2362 old_tsec = current_security();
2363 new_tsec = bprm->cred->security;
2364 isec = inode_security(inode);
2366 /* Default to the current task SID. */
2367 new_tsec->sid = old_tsec->sid;
2368 new_tsec->osid = old_tsec->sid;
2370 /* Reset fs, key, and sock SIDs on execve. */
2371 new_tsec->create_sid = 0;
2372 new_tsec->keycreate_sid = 0;
2373 new_tsec->sockcreate_sid = 0;
2375 if (old_tsec->exec_sid) {
2376 new_tsec->sid = old_tsec->exec_sid;
2377 /* Reset exec SID on execve. */
2378 new_tsec->exec_sid = 0;
2380 /* Fail on NNP or nosuid if not an allowed transition. */
2381 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2385 /* Check for a default transition on this program. */
2386 rc = security_transition_sid(old_tsec->sid, isec->sid,
2387 SECCLASS_PROCESS, NULL,
2393 * Fallback to old SID on NNP or nosuid if not an allowed
2396 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2398 new_tsec->sid = old_tsec->sid;
2401 ad.type = LSM_AUDIT_DATA_FILE;
2402 ad.u.file = bprm->file;
2404 if (new_tsec->sid == old_tsec->sid) {
2405 rc = avc_has_perm(old_tsec->sid, isec->sid,
2406 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2410 /* Check permissions for the transition. */
2411 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2412 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2416 rc = avc_has_perm(new_tsec->sid, isec->sid,
2417 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2421 /* Check for shared state */
2422 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2423 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2424 SECCLASS_PROCESS, PROCESS__SHARE,
2430 /* Make sure that anyone attempting to ptrace over a task that
2431 * changes its SID has the appropriate permit */
2432 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2433 u32 ptsid = ptrace_parent_sid();
2435 rc = avc_has_perm(ptsid, new_tsec->sid,
2437 PROCESS__PTRACE, NULL);
2443 /* Clear any possibly unsafe personality bits on exec: */
2444 bprm->per_clear |= PER_CLEAR_ON_SETID;
2446 /* Enable secure mode for SIDs transitions unless
2447 the noatsecure permission is granted between
2448 the two SIDs, i.e. ahp returns 0. */
2449 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2450 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2452 bprm->secureexec |= !!rc;
2458 static int match_file(const void *p, struct file *file, unsigned fd)
2460 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2463 /* Derived from fs/exec.c:flush_old_files. */
2464 static inline void flush_unauthorized_files(const struct cred *cred,
2465 struct files_struct *files)
2467 struct file *file, *devnull = NULL;
2468 struct tty_struct *tty;
2472 tty = get_current_tty();
2474 spin_lock(&tty->files_lock);
2475 if (!list_empty(&tty->tty_files)) {
2476 struct tty_file_private *file_priv;
2478 /* Revalidate access to controlling tty.
2479 Use file_path_has_perm on the tty path directly
2480 rather than using file_has_perm, as this particular
2481 open file may belong to another process and we are
2482 only interested in the inode-based check here. */
2483 file_priv = list_first_entry(&tty->tty_files,
2484 struct tty_file_private, list);
2485 file = file_priv->file;
2486 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2489 spin_unlock(&tty->files_lock);
2492 /* Reset controlling tty. */
2496 /* Revalidate access to inherited open files. */
2497 n = iterate_fd(files, 0, match_file, cred);
2498 if (!n) /* none found? */
2501 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2502 if (IS_ERR(devnull))
2504 /* replace all the matching ones with this */
2506 replace_fd(n - 1, devnull, 0);
2507 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2513 * Prepare a process for imminent new credential changes due to exec
2515 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2517 struct task_security_struct *new_tsec;
2518 struct rlimit *rlim, *initrlim;
2521 new_tsec = bprm->cred->security;
2522 if (new_tsec->sid == new_tsec->osid)
2525 /* Close files for which the new task SID is not authorized. */
2526 flush_unauthorized_files(bprm->cred, current->files);
2528 /* Always clear parent death signal on SID transitions. */
2529 current->pdeath_signal = 0;
2531 /* Check whether the new SID can inherit resource limits from the old
2532 * SID. If not, reset all soft limits to the lower of the current
2533 * task's hard limit and the init task's soft limit.
2535 * Note that the setting of hard limits (even to lower them) can be
2536 * controlled by the setrlimit check. The inclusion of the init task's
2537 * soft limit into the computation is to avoid resetting soft limits
2538 * higher than the default soft limit for cases where the default is
2539 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2541 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2542 PROCESS__RLIMITINH, NULL);
2544 /* protect against do_prlimit() */
2546 for (i = 0; i < RLIM_NLIMITS; i++) {
2547 rlim = current->signal->rlim + i;
2548 initrlim = init_task.signal->rlim + i;
2549 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2551 task_unlock(current);
2552 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2553 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2558 * Clean up the process immediately after the installation of new credentials
2561 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2563 const struct task_security_struct *tsec = current_security();
2564 struct itimerval itimer;
2574 /* Check whether the new SID can inherit signal state from the old SID.
2575 * If not, clear itimers to avoid subsequent signal generation and
2576 * flush and unblock signals.
2578 * This must occur _after_ the task SID has been updated so that any
2579 * kill done after the flush will be checked against the new SID.
2581 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2583 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2584 memset(&itimer, 0, sizeof itimer);
2585 for (i = 0; i < 3; i++)
2586 do_setitimer(i, &itimer, NULL);
2588 spin_lock_irq(¤t->sighand->siglock);
2589 if (!fatal_signal_pending(current)) {
2590 flush_sigqueue(¤t->pending);
2591 flush_sigqueue(¤t->signal->shared_pending);
2592 flush_signal_handlers(current, 1);
2593 sigemptyset(¤t->blocked);
2594 recalc_sigpending();
2596 spin_unlock_irq(¤t->sighand->siglock);
2599 /* Wake up the parent if it is waiting so that it can recheck
2600 * wait permission to the new task SID. */
2601 read_lock(&tasklist_lock);
2602 __wake_up_parent(current, current->real_parent);
2603 read_unlock(&tasklist_lock);
2606 /* superblock security operations */
2608 static int selinux_sb_alloc_security(struct super_block *sb)
2610 return superblock_alloc_security(sb);
2613 static void selinux_sb_free_security(struct super_block *sb)
2615 superblock_free_security(sb);
2618 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2623 return !memcmp(prefix, option, plen);
2626 static inline int selinux_option(char *option, int len)
2628 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2629 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2630 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2631 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2632 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2635 static inline void take_option(char **to, char *from, int *first, int len)
2642 memcpy(*to, from, len);
2646 static inline void take_selinux_option(char **to, char *from, int *first,
2649 int current_size = 0;
2657 while (current_size < len) {
2667 static int selinux_sb_copy_data(char *orig, char *copy)
2669 int fnosec, fsec, rc = 0;
2670 char *in_save, *in_curr, *in_end;
2671 char *sec_curr, *nosec_save, *nosec;
2677 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2685 in_save = in_end = orig;
2689 open_quote = !open_quote;
2690 if ((*in_end == ',' && open_quote == 0) ||
2692 int len = in_end - in_curr;
2694 if (selinux_option(in_curr, len))
2695 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2697 take_option(&nosec, in_curr, &fnosec, len);
2699 in_curr = in_end + 1;
2701 } while (*in_end++);
2703 strcpy(in_save, nosec_save);
2704 free_page((unsigned long)nosec_save);
2709 static int selinux_sb_remount(struct super_block *sb, void *data)
2712 struct security_mnt_opts opts;
2713 char *secdata, **mount_options;
2714 struct superblock_security_struct *sbsec = sb->s_security;
2716 if (!(sbsec->flags & SE_SBINITIALIZED))
2722 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2725 security_init_mnt_opts(&opts);
2726 secdata = alloc_secdata();
2729 rc = selinux_sb_copy_data(data, secdata);
2731 goto out_free_secdata;
2733 rc = selinux_parse_opts_str(secdata, &opts);
2735 goto out_free_secdata;
2737 mount_options = opts.mnt_opts;
2738 flags = opts.mnt_opts_flags;
2740 for (i = 0; i < opts.num_mnt_opts; i++) {
2743 if (flags[i] == SBLABEL_MNT)
2745 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2747 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2748 "(%s) failed for (dev %s, type %s) errno=%d\n",
2749 mount_options[i], sb->s_id, sb->s_type->name, rc);
2755 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2756 goto out_bad_option;
2759 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2760 goto out_bad_option;
2762 case ROOTCONTEXT_MNT: {
2763 struct inode_security_struct *root_isec;
2764 root_isec = backing_inode_security(sb->s_root);
2766 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2767 goto out_bad_option;
2770 case DEFCONTEXT_MNT:
2771 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2772 goto out_bad_option;
2781 security_free_mnt_opts(&opts);
2783 free_secdata(secdata);
2786 printk(KERN_WARNING "SELinux: unable to change security options "
2787 "during remount (dev %s, type=%s)\n", sb->s_id,
2792 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2794 const struct cred *cred = current_cred();
2795 struct common_audit_data ad;
2798 rc = superblock_doinit(sb, data);
2802 /* Allow all mounts performed by the kernel */
2803 if (flags & MS_KERNMOUNT)
2806 ad.type = LSM_AUDIT_DATA_DENTRY;
2807 ad.u.dentry = sb->s_root;
2808 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2811 static int selinux_sb_statfs(struct dentry *dentry)
2813 const struct cred *cred = current_cred();
2814 struct common_audit_data ad;
2816 ad.type = LSM_AUDIT_DATA_DENTRY;
2817 ad.u.dentry = dentry->d_sb->s_root;
2818 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2821 static int selinux_mount(const char *dev_name,
2822 const struct path *path,
2824 unsigned long flags,
2827 const struct cred *cred = current_cred();
2829 if (flags & MS_REMOUNT)
2830 return superblock_has_perm(cred, path->dentry->d_sb,
2831 FILESYSTEM__REMOUNT, NULL);
2833 return path_has_perm(cred, path, FILE__MOUNTON);
2836 static int selinux_umount(struct vfsmount *mnt, int flags)
2838 const struct cred *cred = current_cred();
2840 return superblock_has_perm(cred, mnt->mnt_sb,
2841 FILESYSTEM__UNMOUNT, NULL);
2844 /* inode security operations */
2846 static int selinux_inode_alloc_security(struct inode *inode)
2848 return inode_alloc_security(inode);
2851 static void selinux_inode_free_security(struct inode *inode)
2853 inode_free_security(inode);
2856 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2857 const struct qstr *name, void **ctx,
2863 rc = selinux_determine_inode_label(current_security(),
2864 d_inode(dentry->d_parent), name,
2865 inode_mode_to_security_class(mode),
2870 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2873 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2875 const struct cred *old,
2880 struct task_security_struct *tsec;
2882 rc = selinux_determine_inode_label(old->security,
2883 d_inode(dentry->d_parent), name,
2884 inode_mode_to_security_class(mode),
2889 tsec = new->security;
2890 tsec->create_sid = newsid;
2894 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2895 const struct qstr *qstr,
2897 void **value, size_t *len)
2899 const struct task_security_struct *tsec = current_security();
2900 struct superblock_security_struct *sbsec;
2901 u32 sid, newsid, clen;
2905 sbsec = dir->i_sb->s_security;
2908 newsid = tsec->create_sid;
2910 rc = selinux_determine_inode_label(current_security(),
2912 inode_mode_to_security_class(inode->i_mode),
2917 /* Possibly defer initialization to selinux_complete_init. */
2918 if (sbsec->flags & SE_SBINITIALIZED) {
2919 struct inode_security_struct *isec = inode->i_security;
2920 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2922 isec->initialized = LABEL_INITIALIZED;
2925 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2929 *name = XATTR_SELINUX_SUFFIX;
2932 rc = security_sid_to_context_force(newsid, &context, &clen);
2942 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2944 return may_create(dir, dentry, SECCLASS_FILE);
2947 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2949 return may_link(dir, old_dentry, MAY_LINK);
2952 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2954 return may_link(dir, dentry, MAY_UNLINK);
2957 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2959 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2962 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2964 return may_create(dir, dentry, SECCLASS_DIR);
2967 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2969 return may_link(dir, dentry, MAY_RMDIR);
2972 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2974 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2977 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2978 struct inode *new_inode, struct dentry *new_dentry)
2980 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2983 static int selinux_inode_readlink(struct dentry *dentry)
2985 const struct cred *cred = current_cred();
2987 return dentry_has_perm(cred, dentry, FILE__READ);
2990 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2993 const struct cred *cred = current_cred();
2994 struct common_audit_data ad;
2995 struct inode_security_struct *isec;
2998 validate_creds(cred);
3000 ad.type = LSM_AUDIT_DATA_DENTRY;
3001 ad.u.dentry = dentry;
3002 sid = cred_sid(cred);
3003 isec = inode_security_rcu(inode, rcu);
3005 return PTR_ERR(isec);
3007 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3008 rcu ? MAY_NOT_BLOCK : 0);
3011 static noinline int audit_inode_permission(struct inode *inode,
3012 u32 perms, u32 audited, u32 denied,
3016 struct common_audit_data ad;
3017 struct inode_security_struct *isec = inode->i_security;
3020 ad.type = LSM_AUDIT_DATA_INODE;
3023 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3024 audited, denied, result, &ad, flags);
3030 static int selinux_inode_permission(struct inode *inode, int mask)
3032 const struct cred *cred = current_cred();
3035 unsigned flags = mask & MAY_NOT_BLOCK;
3036 struct inode_security_struct *isec;
3038 struct av_decision avd;
3040 u32 audited, denied;
3042 from_access = mask & MAY_ACCESS;
3043 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3045 /* No permission to check. Existence test. */
3049 validate_creds(cred);
3051 if (unlikely(IS_PRIVATE(inode)))
3054 perms = file_mask_to_av(inode->i_mode, mask);
3056 sid = cred_sid(cred);
3057 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3059 return PTR_ERR(isec);
3061 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3062 audited = avc_audit_required(perms, &avd, rc,
3063 from_access ? FILE__AUDIT_ACCESS : 0,
3065 if (likely(!audited))
3068 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3074 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3076 const struct cred *cred = current_cred();
3077 struct inode *inode = d_backing_inode(dentry);
3078 unsigned int ia_valid = iattr->ia_valid;
3079 __u32 av = FILE__WRITE;
3081 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3082 if (ia_valid & ATTR_FORCE) {
3083 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3089 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3090 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3091 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3093 if (selinux_policycap_openperm &&
3094 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3095 (ia_valid & ATTR_SIZE) &&
3096 !(ia_valid & ATTR_FILE))
3099 return dentry_has_perm(cred, dentry, av);
3102 static int selinux_inode_getattr(const struct path *path)
3104 return path_has_perm(current_cred(), path, FILE__GETATTR);
3107 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3109 const struct cred *cred = current_cred();
3111 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3112 sizeof XATTR_SECURITY_PREFIX - 1)) {
3113 if (!strcmp(name, XATTR_NAME_CAPS)) {
3114 if (!capable(CAP_SETFCAP))
3116 } else if (!capable(CAP_SYS_ADMIN)) {
3117 /* A different attribute in the security namespace.
3118 Restrict to administrator. */
3123 /* Not an attribute we recognize, so just check the
3124 ordinary setattr permission. */
3125 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3128 static bool has_cap_mac_admin(bool audit)
3130 const struct cred *cred = current_cred();
3131 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3133 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3135 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3140 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3141 const void *value, size_t size, int flags)
3143 struct inode *inode = d_backing_inode(dentry);
3144 struct inode_security_struct *isec;
3145 struct superblock_security_struct *sbsec;
3146 struct common_audit_data ad;
3147 u32 newsid, sid = current_sid();
3150 if (strcmp(name, XATTR_NAME_SELINUX))
3151 return selinux_inode_setotherxattr(dentry, name);
3153 sbsec = inode->i_sb->s_security;
3154 if (!(sbsec->flags & SBLABEL_MNT))
3157 if (!inode_owner_or_capable(inode))
3160 ad.type = LSM_AUDIT_DATA_DENTRY;
3161 ad.u.dentry = dentry;
3163 isec = backing_inode_security(dentry);
3164 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3165 FILE__RELABELFROM, &ad);
3169 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3170 if (rc == -EINVAL) {
3171 if (!has_cap_mac_admin(true)) {
3172 struct audit_buffer *ab;
3176 /* We strip a nul only if it is at the end, otherwise the
3177 * context contains a nul and we should audit that */
3180 if (str[size - 1] == '\0')
3181 audit_size = size - 1;
3188 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3189 audit_log_format(ab, "op=setxattr invalid_context=");
3190 audit_log_n_untrustedstring(ab, value, audit_size);
3195 rc = security_context_to_sid_force(value, size, &newsid);
3200 rc = avc_has_perm(sid, newsid, isec->sclass,
3201 FILE__RELABELTO, &ad);
3205 rc = security_validate_transition(isec->sid, newsid, sid,
3210 return avc_has_perm(newsid,
3212 SECCLASS_FILESYSTEM,
3213 FILESYSTEM__ASSOCIATE,
3217 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3218 const void *value, size_t size,
3221 struct inode *inode = d_backing_inode(dentry);
3222 struct inode_security_struct *isec;
3226 if (strcmp(name, XATTR_NAME_SELINUX)) {
3227 /* Not an attribute we recognize, so nothing to do. */
3231 rc = security_context_to_sid_force(value, size, &newsid);
3233 printk(KERN_ERR "SELinux: unable to map context to SID"
3234 "for (%s, %lu), rc=%d\n",
3235 inode->i_sb->s_id, inode->i_ino, -rc);
3239 isec = backing_inode_security(dentry);
3240 spin_lock(&isec->lock);
3241 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3243 isec->initialized = LABEL_INITIALIZED;
3244 spin_unlock(&isec->lock);
3249 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3251 const struct cred *cred = current_cred();
3253 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3256 static int selinux_inode_listxattr(struct dentry *dentry)
3258 const struct cred *cred = current_cred();
3260 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3263 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3265 if (strcmp(name, XATTR_NAME_SELINUX))
3266 return selinux_inode_setotherxattr(dentry, name);
3268 /* No one is allowed to remove a SELinux security label.
3269 You can change the label, but all data must be labeled. */
3274 * Copy the inode security context value to the user.
3276 * Permission check is handled by selinux_inode_getxattr hook.
3278 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3282 char *context = NULL;
3283 struct inode_security_struct *isec;
3285 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3289 * If the caller has CAP_MAC_ADMIN, then get the raw context
3290 * value even if it is not defined by current policy; otherwise,
3291 * use the in-core value under current policy.
3292 * Use the non-auditing forms of the permission checks since
3293 * getxattr may be called by unprivileged processes commonly
3294 * and lack of permission just means that we fall back to the
3295 * in-core context value, not a denial.
3297 isec = inode_security(inode);
3298 if (has_cap_mac_admin(false))
3299 error = security_sid_to_context_force(isec->sid, &context,
3302 error = security_sid_to_context(isec->sid, &context, &size);
3315 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3316 const void *value, size_t size, int flags)
3318 struct inode_security_struct *isec = inode_security_novalidate(inode);
3322 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3325 if (!value || !size)
3328 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3332 spin_lock(&isec->lock);
3333 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3335 isec->initialized = LABEL_INITIALIZED;
3336 spin_unlock(&isec->lock);
3340 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3342 const int len = sizeof(XATTR_NAME_SELINUX);
3343 if (buffer && len <= buffer_size)
3344 memcpy(buffer, XATTR_NAME_SELINUX, len);
3348 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3350 struct inode_security_struct *isec = inode_security_novalidate(inode);
3354 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3357 struct task_security_struct *tsec;
3358 struct cred *new_creds = *new;
3360 if (new_creds == NULL) {
3361 new_creds = prepare_creds();
3366 tsec = new_creds->security;
3367 /* Get label from overlay inode and set it in create_sid */
3368 selinux_inode_getsecid(d_inode(src), &sid);
3369 tsec->create_sid = sid;
3374 static int selinux_inode_copy_up_xattr(const char *name)
3376 /* The copy_up hook above sets the initial context on an inode, but we
3377 * don't then want to overwrite it by blindly copying all the lower
3378 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3380 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3381 return 1; /* Discard */
3383 * Any other attribute apart from SELINUX is not claimed, supported
3389 /* file security operations */
3391 static int selinux_revalidate_file_permission(struct file *file, int mask)
3393 const struct cred *cred = current_cred();
3394 struct inode *inode = file_inode(file);
3396 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3397 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3400 return file_has_perm(cred, file,
3401 file_mask_to_av(inode->i_mode, mask));
3404 static int selinux_file_permission(struct file *file, int mask)
3406 struct inode *inode = file_inode(file);
3407 struct file_security_struct *fsec = file->f_security;
3408 struct inode_security_struct *isec;
3409 u32 sid = current_sid();
3412 /* No permission to check. Existence test. */
3415 isec = inode_security(inode);
3416 if (sid == fsec->sid && fsec->isid == isec->sid &&
3417 fsec->pseqno == avc_policy_seqno())
3418 /* No change since file_open check. */
3421 return selinux_revalidate_file_permission(file, mask);
3424 static int selinux_file_alloc_security(struct file *file)
3426 return file_alloc_security(file);
3429 static void selinux_file_free_security(struct file *file)
3431 file_free_security(file);
3435 * Check whether a task has the ioctl permission and cmd
3436 * operation to an inode.
3438 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3439 u32 requested, u16 cmd)
3441 struct common_audit_data ad;
3442 struct file_security_struct *fsec = file->f_security;
3443 struct inode *inode = file_inode(file);
3444 struct inode_security_struct *isec;
3445 struct lsm_ioctlop_audit ioctl;
3446 u32 ssid = cred_sid(cred);
3448 u8 driver = cmd >> 8;
3449 u8 xperm = cmd & 0xff;
3451 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3454 ad.u.op->path = file->f_path;
3456 if (ssid != fsec->sid) {
3457 rc = avc_has_perm(ssid, fsec->sid,
3465 if (unlikely(IS_PRIVATE(inode)))
3468 isec = inode_security(inode);
3469 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3470 requested, driver, xperm, &ad);
3475 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3478 const struct cred *cred = current_cred();
3488 case FS_IOC_GETFLAGS:
3490 case FS_IOC_GETVERSION:
3491 error = file_has_perm(cred, file, FILE__GETATTR);
3494 case FS_IOC_SETFLAGS:
3496 case FS_IOC_SETVERSION:
3497 error = file_has_perm(cred, file, FILE__SETATTR);
3500 /* sys_ioctl() checks */
3504 error = file_has_perm(cred, file, 0);
3509 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3510 SECURITY_CAP_AUDIT, true);
3513 /* default case assumes that the command will go
3514 * to the file's ioctl() function.
3517 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3522 static int default_noexec;
3524 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3526 const struct cred *cred = current_cred();
3527 u32 sid = cred_sid(cred);
3530 if (default_noexec &&
3531 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3532 (!shared && (prot & PROT_WRITE)))) {
3534 * We are making executable an anonymous mapping or a
3535 * private file mapping that will also be writable.
3536 * This has an additional check.
3538 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3539 PROCESS__EXECMEM, NULL);
3545 /* read access is always possible with a mapping */
3546 u32 av = FILE__READ;
3548 /* write access only matters if the mapping is shared */
3549 if (shared && (prot & PROT_WRITE))
3552 if (prot & PROT_EXEC)
3553 av |= FILE__EXECUTE;
3555 return file_has_perm(cred, file, av);
3562 static int selinux_mmap_addr(unsigned long addr)
3566 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3567 u32 sid = current_sid();
3568 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3569 MEMPROTECT__MMAP_ZERO, NULL);
3575 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3576 unsigned long prot, unsigned long flags)
3578 struct common_audit_data ad;
3582 ad.type = LSM_AUDIT_DATA_FILE;
3584 rc = inode_has_perm(current_cred(), file_inode(file),
3590 if (selinux_checkreqprot)
3593 return file_map_prot_check(file, prot,
3594 (flags & MAP_TYPE) == MAP_SHARED);
3597 static int selinux_file_mprotect(struct vm_area_struct *vma,
3598 unsigned long reqprot,
3601 const struct cred *cred = current_cred();
3602 u32 sid = cred_sid(cred);
3604 if (selinux_checkreqprot)
3607 if (default_noexec &&
3608 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3610 if (vma->vm_start >= vma->vm_mm->start_brk &&
3611 vma->vm_end <= vma->vm_mm->brk) {
3612 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3613 PROCESS__EXECHEAP, NULL);
3614 } else if (!vma->vm_file &&
3615 ((vma->vm_start <= vma->vm_mm->start_stack &&
3616 vma->vm_end >= vma->vm_mm->start_stack) ||
3617 vma_is_stack_for_current(vma))) {
3618 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3619 PROCESS__EXECSTACK, NULL);
3620 } else if (vma->vm_file && vma->anon_vma) {
3622 * We are making executable a file mapping that has
3623 * had some COW done. Since pages might have been
3624 * written, check ability to execute the possibly
3625 * modified content. This typically should only
3626 * occur for text relocations.
3628 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3634 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3637 static int selinux_file_lock(struct file *file, unsigned int cmd)
3639 const struct cred *cred = current_cred();
3641 return file_has_perm(cred, file, FILE__LOCK);
3644 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3647 const struct cred *cred = current_cred();
3652 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3653 err = file_has_perm(cred, file, FILE__WRITE);
3662 case F_GETOWNER_UIDS:
3663 /* Just check FD__USE permission */
3664 err = file_has_perm(cred, file, 0);
3672 #if BITS_PER_LONG == 32
3677 err = file_has_perm(cred, file, FILE__LOCK);
3684 static void selinux_file_set_fowner(struct file *file)
3686 struct file_security_struct *fsec;
3688 fsec = file->f_security;
3689 fsec->fown_sid = current_sid();
3692 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3693 struct fown_struct *fown, int signum)
3696 u32 sid = task_sid(tsk);
3698 struct file_security_struct *fsec;
3700 /* struct fown_struct is never outside the context of a struct file */
3701 file = container_of(fown, struct file, f_owner);
3703 fsec = file->f_security;
3706 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3708 perm = signal_to_av(signum);
3710 return avc_has_perm(fsec->fown_sid, sid,
3711 SECCLASS_PROCESS, perm, NULL);
3714 static int selinux_file_receive(struct file *file)
3716 const struct cred *cred = current_cred();
3718 return file_has_perm(cred, file, file_to_av(file));
3721 static int selinux_file_open(struct file *file, const struct cred *cred)
3723 struct file_security_struct *fsec;
3724 struct inode_security_struct *isec;
3726 fsec = file->f_security;
3727 isec = inode_security(file_inode(file));
3729 * Save inode label and policy sequence number
3730 * at open-time so that selinux_file_permission
3731 * can determine whether revalidation is necessary.
3732 * Task label is already saved in the file security
3733 * struct as its SID.
3735 fsec->isid = isec->sid;
3736 fsec->pseqno = avc_policy_seqno();
3738 * Since the inode label or policy seqno may have changed
3739 * between the selinux_inode_permission check and the saving
3740 * of state above, recheck that access is still permitted.
3741 * Otherwise, access might never be revalidated against the
3742 * new inode label or new policy.
3743 * This check is not redundant - do not remove.
3745 return file_path_has_perm(cred, file, open_file_to_av(file));
3748 /* task security operations */
3750 static int selinux_task_alloc(struct task_struct *task,
3751 unsigned long clone_flags)
3753 u32 sid = current_sid();
3755 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3759 * allocate the SELinux part of blank credentials
3761 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3763 struct task_security_struct *tsec;
3765 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3769 cred->security = tsec;
3774 * detach and free the LSM part of a set of credentials
3776 static void selinux_cred_free(struct cred *cred)
3778 struct task_security_struct *tsec = cred->security;
3781 * cred->security == NULL if security_cred_alloc_blank() or
3782 * security_prepare_creds() returned an error.
3784 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3785 cred->security = (void *) 0x7UL;
3790 * prepare a new set of credentials for modification
3792 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3795 const struct task_security_struct *old_tsec;
3796 struct task_security_struct *tsec;
3798 old_tsec = old->security;
3800 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3804 new->security = tsec;
3809 * transfer the SELinux data to a blank set of creds
3811 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3813 const struct task_security_struct *old_tsec = old->security;
3814 struct task_security_struct *tsec = new->security;
3820 * set the security data for a kernel service
3821 * - all the creation contexts are set to unlabelled
3823 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3825 struct task_security_struct *tsec = new->security;
3826 u32 sid = current_sid();
3829 ret = avc_has_perm(sid, secid,
3830 SECCLASS_KERNEL_SERVICE,
3831 KERNEL_SERVICE__USE_AS_OVERRIDE,
3835 tsec->create_sid = 0;
3836 tsec->keycreate_sid = 0;
3837 tsec->sockcreate_sid = 0;
3843 * set the file creation context in a security record to the same as the
3844 * objective context of the specified inode
3846 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3848 struct inode_security_struct *isec = inode_security(inode);
3849 struct task_security_struct *tsec = new->security;
3850 u32 sid = current_sid();
3853 ret = avc_has_perm(sid, isec->sid,
3854 SECCLASS_KERNEL_SERVICE,
3855 KERNEL_SERVICE__CREATE_FILES_AS,
3859 tsec->create_sid = isec->sid;
3863 static int selinux_kernel_module_request(char *kmod_name)
3865 struct common_audit_data ad;
3867 ad.type = LSM_AUDIT_DATA_KMOD;
3868 ad.u.kmod_name = kmod_name;
3870 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3871 SYSTEM__MODULE_REQUEST, &ad);
3874 static int selinux_kernel_module_from_file(struct file *file)
3876 struct common_audit_data ad;
3877 struct inode_security_struct *isec;
3878 struct file_security_struct *fsec;
3879 u32 sid = current_sid();
3884 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3885 SYSTEM__MODULE_LOAD, NULL);
3889 ad.type = LSM_AUDIT_DATA_FILE;
3892 fsec = file->f_security;
3893 if (sid != fsec->sid) {
3894 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3899 isec = inode_security(file_inode(file));
3900 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3901 SYSTEM__MODULE_LOAD, &ad);
3904 static int selinux_kernel_read_file(struct file *file,
3905 enum kernel_read_file_id id)
3910 case READING_MODULE:
3911 rc = selinux_kernel_module_from_file(file);
3920 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3922 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3923 PROCESS__SETPGID, NULL);
3926 static int selinux_task_getpgid(struct task_struct *p)
3928 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3929 PROCESS__GETPGID, NULL);
3932 static int selinux_task_getsid(struct task_struct *p)
3934 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3935 PROCESS__GETSESSION, NULL);
3938 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3940 *secid = task_sid(p);
3943 static int selinux_task_setnice(struct task_struct *p, int nice)
3945 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3946 PROCESS__SETSCHED, NULL);
3949 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3951 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3952 PROCESS__SETSCHED, NULL);
3955 static int selinux_task_getioprio(struct task_struct *p)
3957 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3958 PROCESS__GETSCHED, NULL);
3961 int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3968 if (flags & LSM_PRLIMIT_WRITE)
3969 av |= PROCESS__SETRLIMIT;
3970 if (flags & LSM_PRLIMIT_READ)
3971 av |= PROCESS__GETRLIMIT;
3972 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
3973 SECCLASS_PROCESS, av, NULL);
3976 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3977 struct rlimit *new_rlim)
3979 struct rlimit *old_rlim = p->signal->rlim + resource;
3981 /* Control the ability to change the hard limit (whether
3982 lowering or raising it), so that the hard limit can
3983 later be used as a safe reset point for the soft limit
3984 upon context transitions. See selinux_bprm_committing_creds. */
3985 if (old_rlim->rlim_max != new_rlim->rlim_max)
3986 return avc_has_perm(current_sid(), task_sid(p),
3987 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
3992 static int selinux_task_setscheduler(struct task_struct *p)
3994 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3995 PROCESS__SETSCHED, NULL);
3998 static int selinux_task_getscheduler(struct task_struct *p)
4000 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4001 PROCESS__GETSCHED, NULL);
4004 static int selinux_task_movememory(struct task_struct *p)
4006 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4007 PROCESS__SETSCHED, NULL);
4010 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4016 perm = PROCESS__SIGNULL; /* null signal; existence test */
4018 perm = signal_to_av(sig);
4020 secid = current_sid();
4021 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4024 static void selinux_task_to_inode(struct task_struct *p,
4025 struct inode *inode)
4027 struct inode_security_struct *isec = inode->i_security;
4028 u32 sid = task_sid(p);
4030 spin_lock(&isec->lock);
4031 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4033 isec->initialized = LABEL_INITIALIZED;
4034 spin_unlock(&isec->lock);
4037 /* Returns error only if unable to parse addresses */
4038 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4039 struct common_audit_data *ad, u8 *proto)
4041 int offset, ihlen, ret = -EINVAL;
4042 struct iphdr _iph, *ih;
4044 offset = skb_network_offset(skb);
4045 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4049 ihlen = ih->ihl * 4;
4050 if (ihlen < sizeof(_iph))
4053 ad->u.net->v4info.saddr = ih->saddr;
4054 ad->u.net->v4info.daddr = ih->daddr;
4058 *proto = ih->protocol;
4060 switch (ih->protocol) {
4062 struct tcphdr _tcph, *th;
4064 if (ntohs(ih->frag_off) & IP_OFFSET)
4068 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4072 ad->u.net->sport = th->source;
4073 ad->u.net->dport = th->dest;
4078 struct udphdr _udph, *uh;
4080 if (ntohs(ih->frag_off) & IP_OFFSET)
4084 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4088 ad->u.net->sport = uh->source;
4089 ad->u.net->dport = uh->dest;
4093 case IPPROTO_DCCP: {
4094 struct dccp_hdr _dccph, *dh;
4096 if (ntohs(ih->frag_off) & IP_OFFSET)
4100 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4104 ad->u.net->sport = dh->dccph_sport;
4105 ad->u.net->dport = dh->dccph_dport;
4116 #if IS_ENABLED(CONFIG_IPV6)
4118 /* Returns error only if unable to parse addresses */
4119 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4120 struct common_audit_data *ad, u8 *proto)
4123 int ret = -EINVAL, offset;
4124 struct ipv6hdr _ipv6h, *ip6;
4127 offset = skb_network_offset(skb);
4128 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4132 ad->u.net->v6info.saddr = ip6->saddr;
4133 ad->u.net->v6info.daddr = ip6->daddr;
4136 nexthdr = ip6->nexthdr;
4137 offset += sizeof(_ipv6h);
4138 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4147 struct tcphdr _tcph, *th;
4149 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4153 ad->u.net->sport = th->source;
4154 ad->u.net->dport = th->dest;
4159 struct udphdr _udph, *uh;
4161 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4165 ad->u.net->sport = uh->source;
4166 ad->u.net->dport = uh->dest;
4170 case IPPROTO_DCCP: {
4171 struct dccp_hdr _dccph, *dh;
4173 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4177 ad->u.net->sport = dh->dccph_sport;
4178 ad->u.net->dport = dh->dccph_dport;
4182 /* includes fragments */
4192 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4193 char **_addrp, int src, u8 *proto)
4198 switch (ad->u.net->family) {
4200 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4203 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4204 &ad->u.net->v4info.daddr);
4207 #if IS_ENABLED(CONFIG_IPV6)
4209 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4212 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4213 &ad->u.net->v6info.daddr);
4223 "SELinux: failure in selinux_parse_skb(),"
4224 " unable to parse packet\n");
4234 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4236 * @family: protocol family
4237 * @sid: the packet's peer label SID
4240 * Check the various different forms of network peer labeling and determine
4241 * the peer label/SID for the packet; most of the magic actually occurs in
4242 * the security server function security_net_peersid_cmp(). The function
4243 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4244 * or -EACCES if @sid is invalid due to inconsistencies with the different
4248 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4255 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4258 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4262 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4263 if (unlikely(err)) {
4265 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4266 " unable to determine packet's peer label\n");
4274 * selinux_conn_sid - Determine the child socket label for a connection
4275 * @sk_sid: the parent socket's SID
4276 * @skb_sid: the packet's SID
4277 * @conn_sid: the resulting connection SID
4279 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4280 * combined with the MLS information from @skb_sid in order to create
4281 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4282 * of @sk_sid. Returns zero on success, negative values on failure.
4285 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4289 if (skb_sid != SECSID_NULL)
4290 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4297 /* socket security operations */
4299 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4300 u16 secclass, u32 *socksid)
4302 if (tsec->sockcreate_sid > SECSID_NULL) {
4303 *socksid = tsec->sockcreate_sid;
4307 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4311 static int sock_has_perm(struct sock *sk, u32 perms)
4313 struct sk_security_struct *sksec = sk->sk_security;
4314 struct common_audit_data ad;
4315 struct lsm_network_audit net = {0,};
4317 if (sksec->sid == SECINITSID_KERNEL)
4320 ad.type = LSM_AUDIT_DATA_NET;
4324 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4328 static int selinux_socket_create(int family, int type,
4329 int protocol, int kern)
4331 const struct task_security_struct *tsec = current_security();
4339 secclass = socket_type_to_security_class(family, type, protocol);
4340 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4344 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4347 static int selinux_socket_post_create(struct socket *sock, int family,
4348 int type, int protocol, int kern)
4350 const struct task_security_struct *tsec = current_security();
4351 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4352 struct sk_security_struct *sksec;
4353 u16 sclass = socket_type_to_security_class(family, type, protocol);
4354 u32 sid = SECINITSID_KERNEL;
4358 err = socket_sockcreate_sid(tsec, sclass, &sid);
4363 isec->sclass = sclass;
4365 isec->initialized = LABEL_INITIALIZED;
4368 sksec = sock->sk->sk_security;
4369 sksec->sclass = sclass;
4371 err = selinux_netlbl_socket_post_create(sock->sk, family);
4377 /* Range of port numbers used to automatically bind.
4378 Need to determine whether we should perform a name_bind
4379 permission check between the socket and the port number. */
4381 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4383 struct sock *sk = sock->sk;
4387 err = sock_has_perm(sk, SOCKET__BIND);
4392 * If PF_INET or PF_INET6, check name_bind permission for the port.
4393 * Multiple address binding for SCTP is not supported yet: we just
4394 * check the first address now.
4396 family = sk->sk_family;
4397 if (family == PF_INET || family == PF_INET6) {
4399 struct sk_security_struct *sksec = sk->sk_security;
4400 struct common_audit_data ad;
4401 struct lsm_network_audit net = {0,};
4402 struct sockaddr_in *addr4 = NULL;
4403 struct sockaddr_in6 *addr6 = NULL;
4404 unsigned short snum;
4407 if (family == PF_INET) {
4408 if (addrlen < sizeof(struct sockaddr_in)) {
4412 addr4 = (struct sockaddr_in *)address;
4413 snum = ntohs(addr4->sin_port);
4414 addrp = (char *)&addr4->sin_addr.s_addr;
4416 if (addrlen < SIN6_LEN_RFC2133) {
4420 addr6 = (struct sockaddr_in6 *)address;
4421 snum = ntohs(addr6->sin6_port);
4422 addrp = (char *)&addr6->sin6_addr.s6_addr;
4428 inet_get_local_port_range(sock_net(sk), &low, &high);
4430 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4432 err = sel_netport_sid(sk->sk_protocol,
4436 ad.type = LSM_AUDIT_DATA_NET;
4438 ad.u.net->sport = htons(snum);
4439 ad.u.net->family = family;
4440 err = avc_has_perm(sksec->sid, sid,
4442 SOCKET__NAME_BIND, &ad);
4448 switch (sksec->sclass) {
4449 case SECCLASS_TCP_SOCKET:
4450 node_perm = TCP_SOCKET__NODE_BIND;
4453 case SECCLASS_UDP_SOCKET:
4454 node_perm = UDP_SOCKET__NODE_BIND;
4457 case SECCLASS_DCCP_SOCKET:
4458 node_perm = DCCP_SOCKET__NODE_BIND;
4462 node_perm = RAWIP_SOCKET__NODE_BIND;
4466 err = sel_netnode_sid(addrp, family, &sid);
4470 ad.type = LSM_AUDIT_DATA_NET;
4472 ad.u.net->sport = htons(snum);
4473 ad.u.net->family = family;
4475 if (family == PF_INET)
4476 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4478 ad.u.net->v6info.saddr = addr6->sin6_addr;
4480 err = avc_has_perm(sksec->sid, sid,
4481 sksec->sclass, node_perm, &ad);
4489 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4491 struct sock *sk = sock->sk;
4492 struct sk_security_struct *sksec = sk->sk_security;
4495 err = sock_has_perm(sk, SOCKET__CONNECT);
4500 * If a TCP or DCCP socket, check name_connect permission for the port.
4502 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4503 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4504 struct common_audit_data ad;
4505 struct lsm_network_audit net = {0,};
4506 struct sockaddr_in *addr4 = NULL;
4507 struct sockaddr_in6 *addr6 = NULL;
4508 unsigned short snum;
4511 if (sk->sk_family == PF_INET) {
4512 addr4 = (struct sockaddr_in *)address;
4513 if (addrlen < sizeof(struct sockaddr_in))
4515 snum = ntohs(addr4->sin_port);
4517 addr6 = (struct sockaddr_in6 *)address;
4518 if (addrlen < SIN6_LEN_RFC2133)
4520 snum = ntohs(addr6->sin6_port);
4523 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4527 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4528 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4530 ad.type = LSM_AUDIT_DATA_NET;
4532 ad.u.net->dport = htons(snum);
4533 ad.u.net->family = sk->sk_family;
4534 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4539 err = selinux_netlbl_socket_connect(sk, address);
4545 static int selinux_socket_listen(struct socket *sock, int backlog)
4547 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4550 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4553 struct inode_security_struct *isec;
4554 struct inode_security_struct *newisec;
4558 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4562 isec = inode_security_novalidate(SOCK_INODE(sock));
4563 spin_lock(&isec->lock);
4564 sclass = isec->sclass;
4566 spin_unlock(&isec->lock);
4568 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4569 newisec->sclass = sclass;
4571 newisec->initialized = LABEL_INITIALIZED;
4576 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4579 return sock_has_perm(sock->sk, SOCKET__WRITE);
4582 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4583 int size, int flags)
4585 return sock_has_perm(sock->sk, SOCKET__READ);
4588 static int selinux_socket_getsockname(struct socket *sock)
4590 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4593 static int selinux_socket_getpeername(struct socket *sock)
4595 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4598 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4602 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4606 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4609 static int selinux_socket_getsockopt(struct socket *sock, int level,
4612 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4615 static int selinux_socket_shutdown(struct socket *sock, int how)
4617 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4620 static int selinux_socket_unix_stream_connect(struct sock *sock,
4624 struct sk_security_struct *sksec_sock = sock->sk_security;
4625 struct sk_security_struct *sksec_other = other->sk_security;
4626 struct sk_security_struct *sksec_new = newsk->sk_security;
4627 struct common_audit_data ad;
4628 struct lsm_network_audit net = {0,};
4631 ad.type = LSM_AUDIT_DATA_NET;
4633 ad.u.net->sk = other;
4635 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4636 sksec_other->sclass,
4637 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4641 /* server child socket */
4642 sksec_new->peer_sid = sksec_sock->sid;
4643 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4648 /* connecting socket */
4649 sksec_sock->peer_sid = sksec_new->sid;
4654 static int selinux_socket_unix_may_send(struct socket *sock,
4655 struct socket *other)
4657 struct sk_security_struct *ssec = sock->sk->sk_security;
4658 struct sk_security_struct *osec = other->sk->sk_security;
4659 struct common_audit_data ad;
4660 struct lsm_network_audit net = {0,};
4662 ad.type = LSM_AUDIT_DATA_NET;
4664 ad.u.net->sk = other->sk;
4666 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4670 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4671 char *addrp, u16 family, u32 peer_sid,
4672 struct common_audit_data *ad)
4678 err = sel_netif_sid(ns, ifindex, &if_sid);
4681 err = avc_has_perm(peer_sid, if_sid,
4682 SECCLASS_NETIF, NETIF__INGRESS, ad);
4686 err = sel_netnode_sid(addrp, family, &node_sid);
4689 return avc_has_perm(peer_sid, node_sid,
4690 SECCLASS_NODE, NODE__RECVFROM, ad);
4693 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4697 struct sk_security_struct *sksec = sk->sk_security;
4698 u32 sk_sid = sksec->sid;
4699 struct common_audit_data ad;
4700 struct lsm_network_audit net = {0,};
4703 ad.type = LSM_AUDIT_DATA_NET;
4705 ad.u.net->netif = skb->skb_iif;
4706 ad.u.net->family = family;
4707 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4711 if (selinux_secmark_enabled()) {
4712 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4718 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4721 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4726 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4729 struct sk_security_struct *sksec = sk->sk_security;
4730 u16 family = sk->sk_family;
4731 u32 sk_sid = sksec->sid;
4732 struct common_audit_data ad;
4733 struct lsm_network_audit net = {0,};
4738 if (family != PF_INET && family != PF_INET6)
4741 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4742 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4745 /* If any sort of compatibility mode is enabled then handoff processing
4746 * to the selinux_sock_rcv_skb_compat() function to deal with the
4747 * special handling. We do this in an attempt to keep this function
4748 * as fast and as clean as possible. */
4749 if (!selinux_policycap_netpeer)
4750 return selinux_sock_rcv_skb_compat(sk, skb, family);
4752 secmark_active = selinux_secmark_enabled();
4753 peerlbl_active = selinux_peerlbl_enabled();
4754 if (!secmark_active && !peerlbl_active)
4757 ad.type = LSM_AUDIT_DATA_NET;
4759 ad.u.net->netif = skb->skb_iif;
4760 ad.u.net->family = family;
4761 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4765 if (peerlbl_active) {
4768 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4771 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4772 addrp, family, peer_sid, &ad);
4774 selinux_netlbl_err(skb, family, err, 0);
4777 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4780 selinux_netlbl_err(skb, family, err, 0);
4785 if (secmark_active) {
4786 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4795 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4796 int __user *optlen, unsigned len)
4801 struct sk_security_struct *sksec = sock->sk->sk_security;
4802 u32 peer_sid = SECSID_NULL;
4804 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4805 sksec->sclass == SECCLASS_TCP_SOCKET)
4806 peer_sid = sksec->peer_sid;
4807 if (peer_sid == SECSID_NULL)
4808 return -ENOPROTOOPT;
4810 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4814 if (scontext_len > len) {
4819 if (copy_to_user(optval, scontext, scontext_len))
4823 if (put_user(scontext_len, optlen))
4829 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4831 u32 peer_secid = SECSID_NULL;
4833 struct inode_security_struct *isec;
4835 if (skb && skb->protocol == htons(ETH_P_IP))
4837 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4840 family = sock->sk->sk_family;
4844 if (sock && family == PF_UNIX) {
4845 isec = inode_security_novalidate(SOCK_INODE(sock));
4846 peer_secid = isec->sid;
4848 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4851 *secid = peer_secid;
4852 if (peer_secid == SECSID_NULL)
4857 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4859 struct sk_security_struct *sksec;
4861 sksec = kzalloc(sizeof(*sksec), priority);
4865 sksec->peer_sid = SECINITSID_UNLABELED;
4866 sksec->sid = SECINITSID_UNLABELED;
4867 sksec->sclass = SECCLASS_SOCKET;
4868 selinux_netlbl_sk_security_reset(sksec);
4869 sk->sk_security = sksec;
4874 static void selinux_sk_free_security(struct sock *sk)
4876 struct sk_security_struct *sksec = sk->sk_security;
4878 sk->sk_security = NULL;
4879 selinux_netlbl_sk_security_free(sksec);
4883 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4885 struct sk_security_struct *sksec = sk->sk_security;
4886 struct sk_security_struct *newsksec = newsk->sk_security;
4888 newsksec->sid = sksec->sid;
4889 newsksec->peer_sid = sksec->peer_sid;
4890 newsksec->sclass = sksec->sclass;
4892 selinux_netlbl_sk_security_reset(newsksec);
4895 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4898 *secid = SECINITSID_ANY_SOCKET;
4900 struct sk_security_struct *sksec = sk->sk_security;
4902 *secid = sksec->sid;
4906 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4908 struct inode_security_struct *isec =
4909 inode_security_novalidate(SOCK_INODE(parent));
4910 struct sk_security_struct *sksec = sk->sk_security;
4912 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4913 sk->sk_family == PF_UNIX)
4914 isec->sid = sksec->sid;
4915 sksec->sclass = isec->sclass;
4918 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4919 struct request_sock *req)
4921 struct sk_security_struct *sksec = sk->sk_security;
4923 u16 family = req->rsk_ops->family;
4927 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4930 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4933 req->secid = connsid;
4934 req->peer_secid = peersid;
4936 return selinux_netlbl_inet_conn_request(req, family);
4939 static void selinux_inet_csk_clone(struct sock *newsk,
4940 const struct request_sock *req)
4942 struct sk_security_struct *newsksec = newsk->sk_security;
4944 newsksec->sid = req->secid;
4945 newsksec->peer_sid = req->peer_secid;
4946 /* NOTE: Ideally, we should also get the isec->sid for the
4947 new socket in sync, but we don't have the isec available yet.
4948 So we will wait until sock_graft to do it, by which
4949 time it will have been created and available. */
4951 /* We don't need to take any sort of lock here as we are the only
4952 * thread with access to newsksec */
4953 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4956 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4958 u16 family = sk->sk_family;
4959 struct sk_security_struct *sksec = sk->sk_security;
4961 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4962 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4965 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4968 static int selinux_secmark_relabel_packet(u32 sid)
4970 const struct task_security_struct *__tsec;
4973 __tsec = current_security();
4976 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4979 static void selinux_secmark_refcount_inc(void)
4981 atomic_inc(&selinux_secmark_refcount);
4984 static void selinux_secmark_refcount_dec(void)
4986 atomic_dec(&selinux_secmark_refcount);
4989 static void selinux_req_classify_flow(const struct request_sock *req,
4992 fl->flowi_secid = req->secid;
4995 static int selinux_tun_dev_alloc_security(void **security)
4997 struct tun_security_struct *tunsec;
4999 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5002 tunsec->sid = current_sid();
5008 static void selinux_tun_dev_free_security(void *security)
5013 static int selinux_tun_dev_create(void)
5015 u32 sid = current_sid();
5017 /* we aren't taking into account the "sockcreate" SID since the socket
5018 * that is being created here is not a socket in the traditional sense,
5019 * instead it is a private sock, accessible only to the kernel, and
5020 * representing a wide range of network traffic spanning multiple
5021 * connections unlike traditional sockets - check the TUN driver to
5022 * get a better understanding of why this socket is special */
5024 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5028 static int selinux_tun_dev_attach_queue(void *security)
5030 struct tun_security_struct *tunsec = security;
5032 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5033 TUN_SOCKET__ATTACH_QUEUE, NULL);
5036 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5038 struct tun_security_struct *tunsec = security;
5039 struct sk_security_struct *sksec = sk->sk_security;
5041 /* we don't currently perform any NetLabel based labeling here and it
5042 * isn't clear that we would want to do so anyway; while we could apply
5043 * labeling without the support of the TUN user the resulting labeled
5044 * traffic from the other end of the connection would almost certainly
5045 * cause confusion to the TUN user that had no idea network labeling
5046 * protocols were being used */
5048 sksec->sid = tunsec->sid;
5049 sksec->sclass = SECCLASS_TUN_SOCKET;
5054 static int selinux_tun_dev_open(void *security)
5056 struct tun_security_struct *tunsec = security;
5057 u32 sid = current_sid();
5060 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5061 TUN_SOCKET__RELABELFROM, NULL);
5064 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5065 TUN_SOCKET__RELABELTO, NULL);
5073 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5077 struct nlmsghdr *nlh;
5078 struct sk_security_struct *sksec = sk->sk_security;
5080 if (skb->len < NLMSG_HDRLEN) {
5084 nlh = nlmsg_hdr(skb);
5086 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5088 if (err == -EINVAL) {
5089 pr_warn_ratelimited("SELinux: unrecognized netlink"
5090 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5091 " pig=%d comm=%s\n",
5092 sk->sk_protocol, nlh->nlmsg_type,
5093 secclass_map[sksec->sclass - 1].name,
5094 task_pid_nr(current), current->comm);
5095 if (!selinux_enforcing || security_get_allow_unknown())
5105 err = sock_has_perm(sk, perm);
5110 #ifdef CONFIG_NETFILTER
5112 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5113 const struct net_device *indev,
5119 struct common_audit_data ad;
5120 struct lsm_network_audit net = {0,};
5125 if (!selinux_policycap_netpeer)
5128 secmark_active = selinux_secmark_enabled();
5129 netlbl_active = netlbl_enabled();
5130 peerlbl_active = selinux_peerlbl_enabled();
5131 if (!secmark_active && !peerlbl_active)
5134 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5137 ad.type = LSM_AUDIT_DATA_NET;
5139 ad.u.net->netif = indev->ifindex;
5140 ad.u.net->family = family;
5141 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5144 if (peerlbl_active) {
5145 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5146 addrp, family, peer_sid, &ad);
5148 selinux_netlbl_err(skb, family, err, 1);
5154 if (avc_has_perm(peer_sid, skb->secmark,
5155 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5159 /* we do this in the FORWARD path and not the POST_ROUTING
5160 * path because we want to make sure we apply the necessary
5161 * labeling before IPsec is applied so we can leverage AH
5163 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5169 static unsigned int selinux_ipv4_forward(void *priv,
5170 struct sk_buff *skb,
5171 const struct nf_hook_state *state)
5173 return selinux_ip_forward(skb, state->in, PF_INET);
5176 #if IS_ENABLED(CONFIG_IPV6)
5177 static unsigned int selinux_ipv6_forward(void *priv,
5178 struct sk_buff *skb,
5179 const struct nf_hook_state *state)
5181 return selinux_ip_forward(skb, state->in, PF_INET6);
5185 static unsigned int selinux_ip_output(struct sk_buff *skb,
5191 if (!netlbl_enabled())
5194 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5195 * because we want to make sure we apply the necessary labeling
5196 * before IPsec is applied so we can leverage AH protection */
5199 struct sk_security_struct *sksec;
5201 if (sk_listener(sk))
5202 /* if the socket is the listening state then this
5203 * packet is a SYN-ACK packet which means it needs to
5204 * be labeled based on the connection/request_sock and
5205 * not the parent socket. unfortunately, we can't
5206 * lookup the request_sock yet as it isn't queued on
5207 * the parent socket until after the SYN-ACK is sent.
5208 * the "solution" is to simply pass the packet as-is
5209 * as any IP option based labeling should be copied
5210 * from the initial connection request (in the IP
5211 * layer). it is far from ideal, but until we get a
5212 * security label in the packet itself this is the
5213 * best we can do. */
5216 /* standard practice, label using the parent socket */
5217 sksec = sk->sk_security;
5220 sid = SECINITSID_KERNEL;
5221 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5227 static unsigned int selinux_ipv4_output(void *priv,
5228 struct sk_buff *skb,
5229 const struct nf_hook_state *state)
5231 return selinux_ip_output(skb, PF_INET);
5234 #if IS_ENABLED(CONFIG_IPV6)
5235 static unsigned int selinux_ipv6_output(void *priv,
5236 struct sk_buff *skb,
5237 const struct nf_hook_state *state)
5239 return selinux_ip_output(skb, PF_INET6);
5243 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5247 struct sock *sk = skb_to_full_sk(skb);
5248 struct sk_security_struct *sksec;
5249 struct common_audit_data ad;
5250 struct lsm_network_audit net = {0,};
5256 sksec = sk->sk_security;
5258 ad.type = LSM_AUDIT_DATA_NET;
5260 ad.u.net->netif = ifindex;
5261 ad.u.net->family = family;
5262 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5265 if (selinux_secmark_enabled())
5266 if (avc_has_perm(sksec->sid, skb->secmark,
5267 SECCLASS_PACKET, PACKET__SEND, &ad))
5268 return NF_DROP_ERR(-ECONNREFUSED);
5270 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5271 return NF_DROP_ERR(-ECONNREFUSED);
5276 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5277 const struct net_device *outdev,
5282 int ifindex = outdev->ifindex;
5284 struct common_audit_data ad;
5285 struct lsm_network_audit net = {0,};
5290 /* If any sort of compatibility mode is enabled then handoff processing
5291 * to the selinux_ip_postroute_compat() function to deal with the
5292 * special handling. We do this in an attempt to keep this function
5293 * as fast and as clean as possible. */
5294 if (!selinux_policycap_netpeer)
5295 return selinux_ip_postroute_compat(skb, ifindex, family);
5297 secmark_active = selinux_secmark_enabled();
5298 peerlbl_active = selinux_peerlbl_enabled();
5299 if (!secmark_active && !peerlbl_active)
5302 sk = skb_to_full_sk(skb);
5305 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5306 * packet transformation so allow the packet to pass without any checks
5307 * since we'll have another chance to perform access control checks
5308 * when the packet is on it's final way out.
5309 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5310 * is NULL, in this case go ahead and apply access control.
5311 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5312 * TCP listening state we cannot wait until the XFRM processing
5313 * is done as we will miss out on the SA label if we do;
5314 * unfortunately, this means more work, but it is only once per
5316 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5317 !(sk && sk_listener(sk)))
5322 /* Without an associated socket the packet is either coming
5323 * from the kernel or it is being forwarded; check the packet
5324 * to determine which and if the packet is being forwarded
5325 * query the packet directly to determine the security label. */
5327 secmark_perm = PACKET__FORWARD_OUT;
5328 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5331 secmark_perm = PACKET__SEND;
5332 peer_sid = SECINITSID_KERNEL;
5334 } else if (sk_listener(sk)) {
5335 /* Locally generated packet but the associated socket is in the
5336 * listening state which means this is a SYN-ACK packet. In
5337 * this particular case the correct security label is assigned
5338 * to the connection/request_sock but unfortunately we can't
5339 * query the request_sock as it isn't queued on the parent
5340 * socket until after the SYN-ACK packet is sent; the only
5341 * viable choice is to regenerate the label like we do in
5342 * selinux_inet_conn_request(). See also selinux_ip_output()
5343 * for similar problems. */
5345 struct sk_security_struct *sksec;
5347 sksec = sk->sk_security;
5348 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5350 /* At this point, if the returned skb peerlbl is SECSID_NULL
5351 * and the packet has been through at least one XFRM
5352 * transformation then we must be dealing with the "final"
5353 * form of labeled IPsec packet; since we've already applied
5354 * all of our access controls on this packet we can safely
5355 * pass the packet. */
5356 if (skb_sid == SECSID_NULL) {
5359 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5363 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5367 return NF_DROP_ERR(-ECONNREFUSED);
5370 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5372 secmark_perm = PACKET__SEND;
5374 /* Locally generated packet, fetch the security label from the
5375 * associated socket. */
5376 struct sk_security_struct *sksec = sk->sk_security;
5377 peer_sid = sksec->sid;
5378 secmark_perm = PACKET__SEND;
5381 ad.type = LSM_AUDIT_DATA_NET;
5383 ad.u.net->netif = ifindex;
5384 ad.u.net->family = family;
5385 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5389 if (avc_has_perm(peer_sid, skb->secmark,
5390 SECCLASS_PACKET, secmark_perm, &ad))
5391 return NF_DROP_ERR(-ECONNREFUSED);
5393 if (peerlbl_active) {
5397 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5399 if (avc_has_perm(peer_sid, if_sid,
5400 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5401 return NF_DROP_ERR(-ECONNREFUSED);
5403 if (sel_netnode_sid(addrp, family, &node_sid))
5405 if (avc_has_perm(peer_sid, node_sid,
5406 SECCLASS_NODE, NODE__SENDTO, &ad))
5407 return NF_DROP_ERR(-ECONNREFUSED);
5413 static unsigned int selinux_ipv4_postroute(void *priv,
5414 struct sk_buff *skb,
5415 const struct nf_hook_state *state)
5417 return selinux_ip_postroute(skb, state->out, PF_INET);
5420 #if IS_ENABLED(CONFIG_IPV6)
5421 static unsigned int selinux_ipv6_postroute(void *priv,
5422 struct sk_buff *skb,
5423 const struct nf_hook_state *state)
5425 return selinux_ip_postroute(skb, state->out, PF_INET6);
5429 #endif /* CONFIG_NETFILTER */
5431 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5433 return selinux_nlmsg_perm(sk, skb);
5436 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5439 struct ipc_security_struct *isec;
5441 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5445 isec->sclass = sclass;
5446 isec->sid = current_sid();
5447 perm->security = isec;
5452 static void ipc_free_security(struct kern_ipc_perm *perm)
5454 struct ipc_security_struct *isec = perm->security;
5455 perm->security = NULL;
5459 static int msg_msg_alloc_security(struct msg_msg *msg)
5461 struct msg_security_struct *msec;
5463 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5467 msec->sid = SECINITSID_UNLABELED;
5468 msg->security = msec;
5473 static void msg_msg_free_security(struct msg_msg *msg)
5475 struct msg_security_struct *msec = msg->security;
5477 msg->security = NULL;
5481 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5484 struct ipc_security_struct *isec;
5485 struct common_audit_data ad;
5486 u32 sid = current_sid();
5488 isec = ipc_perms->security;
5490 ad.type = LSM_AUDIT_DATA_IPC;
5491 ad.u.ipc_id = ipc_perms->key;
5493 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5496 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5498 return msg_msg_alloc_security(msg);
5501 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5503 msg_msg_free_security(msg);
5506 /* message queue security operations */
5507 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5509 struct ipc_security_struct *isec;
5510 struct common_audit_data ad;
5511 u32 sid = current_sid();
5514 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
5518 isec = msq->q_perm.security;
5520 ad.type = LSM_AUDIT_DATA_IPC;
5521 ad.u.ipc_id = msq->q_perm.key;
5523 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5526 ipc_free_security(&msq->q_perm);
5532 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5534 ipc_free_security(&msq->q_perm);
5537 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5539 struct ipc_security_struct *isec;
5540 struct common_audit_data ad;
5541 u32 sid = current_sid();
5543 isec = msq->q_perm.security;
5545 ad.type = LSM_AUDIT_DATA_IPC;
5546 ad.u.ipc_id = msq->q_perm.key;
5548 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5549 MSGQ__ASSOCIATE, &ad);
5552 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5560 /* No specific object, just general system-wide information. */
5561 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5562 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5565 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5568 perms = MSGQ__SETATTR;
5571 perms = MSGQ__DESTROY;
5577 err = ipc_has_perm(&msq->q_perm, perms);
5581 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5583 struct ipc_security_struct *isec;
5584 struct msg_security_struct *msec;
5585 struct common_audit_data ad;
5586 u32 sid = current_sid();
5589 isec = msq->q_perm.security;
5590 msec = msg->security;
5593 * First time through, need to assign label to the message
5595 if (msec->sid == SECINITSID_UNLABELED) {
5597 * Compute new sid based on current process and
5598 * message queue this message will be stored in
5600 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5606 ad.type = LSM_AUDIT_DATA_IPC;
5607 ad.u.ipc_id = msq->q_perm.key;
5609 /* Can this process write to the queue? */
5610 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5613 /* Can this process send the message */
5614 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5617 /* Can the message be put in the queue? */
5618 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5619 MSGQ__ENQUEUE, &ad);
5624 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5625 struct task_struct *target,
5626 long type, int mode)
5628 struct ipc_security_struct *isec;
5629 struct msg_security_struct *msec;
5630 struct common_audit_data ad;
5631 u32 sid = task_sid(target);
5634 isec = msq->q_perm.security;
5635 msec = msg->security;
5637 ad.type = LSM_AUDIT_DATA_IPC;
5638 ad.u.ipc_id = msq->q_perm.key;
5640 rc = avc_has_perm(sid, isec->sid,
5641 SECCLASS_MSGQ, MSGQ__READ, &ad);
5643 rc = avc_has_perm(sid, msec->sid,
5644 SECCLASS_MSG, MSG__RECEIVE, &ad);
5648 /* Shared Memory security operations */
5649 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5651 struct ipc_security_struct *isec;
5652 struct common_audit_data ad;
5653 u32 sid = current_sid();
5656 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
5660 isec = shp->shm_perm.security;
5662 ad.type = LSM_AUDIT_DATA_IPC;
5663 ad.u.ipc_id = shp->shm_perm.key;
5665 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5668 ipc_free_security(&shp->shm_perm);
5674 static void selinux_shm_free_security(struct shmid_kernel *shp)
5676 ipc_free_security(&shp->shm_perm);
5679 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5681 struct ipc_security_struct *isec;
5682 struct common_audit_data ad;
5683 u32 sid = current_sid();
5685 isec = shp->shm_perm.security;
5687 ad.type = LSM_AUDIT_DATA_IPC;
5688 ad.u.ipc_id = shp->shm_perm.key;
5690 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5691 SHM__ASSOCIATE, &ad);
5694 /* Note, at this point, shp is locked down */
5695 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5703 /* No specific object, just general system-wide information. */
5704 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5705 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5708 perms = SHM__GETATTR | SHM__ASSOCIATE;
5711 perms = SHM__SETATTR;
5718 perms = SHM__DESTROY;
5724 err = ipc_has_perm(&shp->shm_perm, perms);
5728 static int selinux_shm_shmat(struct shmid_kernel *shp,
5729 char __user *shmaddr, int shmflg)
5733 if (shmflg & SHM_RDONLY)
5736 perms = SHM__READ | SHM__WRITE;
5738 return ipc_has_perm(&shp->shm_perm, perms);
5741 /* Semaphore security operations */
5742 static int selinux_sem_alloc_security(struct sem_array *sma)
5744 struct ipc_security_struct *isec;
5745 struct common_audit_data ad;
5746 u32 sid = current_sid();
5749 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
5753 isec = sma->sem_perm.security;
5755 ad.type = LSM_AUDIT_DATA_IPC;
5756 ad.u.ipc_id = sma->sem_perm.key;
5758 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5761 ipc_free_security(&sma->sem_perm);
5767 static void selinux_sem_free_security(struct sem_array *sma)
5769 ipc_free_security(&sma->sem_perm);
5772 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5774 struct ipc_security_struct *isec;
5775 struct common_audit_data ad;
5776 u32 sid = current_sid();
5778 isec = sma->sem_perm.security;
5780 ad.type = LSM_AUDIT_DATA_IPC;
5781 ad.u.ipc_id = sma->sem_perm.key;
5783 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5784 SEM__ASSOCIATE, &ad);
5787 /* Note, at this point, sma is locked down */
5788 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5796 /* No specific object, just general system-wide information. */
5797 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5798 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5802 perms = SEM__GETATTR;
5813 perms = SEM__DESTROY;
5816 perms = SEM__SETATTR;
5820 perms = SEM__GETATTR | SEM__ASSOCIATE;
5826 err = ipc_has_perm(&sma->sem_perm, perms);
5830 static int selinux_sem_semop(struct sem_array *sma,
5831 struct sembuf *sops, unsigned nsops, int alter)
5836 perms = SEM__READ | SEM__WRITE;
5840 return ipc_has_perm(&sma->sem_perm, perms);
5843 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5849 av |= IPC__UNIX_READ;
5851 av |= IPC__UNIX_WRITE;
5856 return ipc_has_perm(ipcp, av);
5859 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5861 struct ipc_security_struct *isec = ipcp->security;
5865 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5868 inode_doinit_with_dentry(inode, dentry);
5871 static int selinux_getprocattr(struct task_struct *p,
5872 char *name, char **value)
5874 const struct task_security_struct *__tsec;
5880 __tsec = __task_cred(p)->security;
5883 error = avc_has_perm(current_sid(), __tsec->sid,
5884 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5889 if (!strcmp(name, "current"))
5891 else if (!strcmp(name, "prev"))
5893 else if (!strcmp(name, "exec"))
5894 sid = __tsec->exec_sid;
5895 else if (!strcmp(name, "fscreate"))
5896 sid = __tsec->create_sid;
5897 else if (!strcmp(name, "keycreate"))
5898 sid = __tsec->keycreate_sid;
5899 else if (!strcmp(name, "sockcreate"))
5900 sid = __tsec->sockcreate_sid;
5910 error = security_sid_to_context(sid, value, &len);
5920 static int selinux_setprocattr(const char *name, void *value, size_t size)
5922 struct task_security_struct *tsec;
5924 u32 mysid = current_sid(), sid = 0, ptsid;
5929 * Basic control over ability to set these attributes at all.
5931 if (!strcmp(name, "exec"))
5932 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5933 PROCESS__SETEXEC, NULL);
5934 else if (!strcmp(name, "fscreate"))
5935 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5936 PROCESS__SETFSCREATE, NULL);
5937 else if (!strcmp(name, "keycreate"))
5938 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5939 PROCESS__SETKEYCREATE, NULL);
5940 else if (!strcmp(name, "sockcreate"))
5941 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5942 PROCESS__SETSOCKCREATE, NULL);
5943 else if (!strcmp(name, "current"))
5944 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5945 PROCESS__SETCURRENT, NULL);
5951 /* Obtain a SID for the context, if one was specified. */
5952 if (size && str[0] && str[0] != '\n') {
5953 if (str[size-1] == '\n') {
5957 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5958 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5959 if (!has_cap_mac_admin(true)) {
5960 struct audit_buffer *ab;
5963 /* We strip a nul only if it is at the end, otherwise the
5964 * context contains a nul and we should audit that */
5965 if (str[size - 1] == '\0')
5966 audit_size = size - 1;
5969 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5970 audit_log_format(ab, "op=fscreate invalid_context=");
5971 audit_log_n_untrustedstring(ab, value, audit_size);
5976 error = security_context_to_sid_force(value, size,
5983 new = prepare_creds();
5987 /* Permission checking based on the specified context is
5988 performed during the actual operation (execve,
5989 open/mkdir/...), when we know the full context of the
5990 operation. See selinux_bprm_set_creds for the execve
5991 checks and may_create for the file creation checks. The
5992 operation will then fail if the context is not permitted. */
5993 tsec = new->security;
5994 if (!strcmp(name, "exec")) {
5995 tsec->exec_sid = sid;
5996 } else if (!strcmp(name, "fscreate")) {
5997 tsec->create_sid = sid;
5998 } else if (!strcmp(name, "keycreate")) {
5999 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
6003 tsec->keycreate_sid = sid;
6004 } else if (!strcmp(name, "sockcreate")) {
6005 tsec->sockcreate_sid = sid;
6006 } else if (!strcmp(name, "current")) {
6011 /* Only allow single threaded processes to change context */
6013 if (!current_is_single_threaded()) {
6014 error = security_bounded_transition(tsec->sid, sid);
6019 /* Check permissions for the transition. */
6020 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6021 PROCESS__DYNTRANSITION, NULL);
6025 /* Check for ptracing, and update the task SID if ok.
6026 Otherwise, leave SID unchanged and fail. */
6027 ptsid = ptrace_parent_sid();
6029 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6030 PROCESS__PTRACE, NULL);
6049 static int selinux_ismaclabel(const char *name)
6051 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6054 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6056 return security_sid_to_context(secid, secdata, seclen);
6059 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6061 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
6064 static void selinux_release_secctx(char *secdata, u32 seclen)
6069 static void selinux_inode_invalidate_secctx(struct inode *inode)
6071 struct inode_security_struct *isec = inode->i_security;
6073 spin_lock(&isec->lock);
6074 isec->initialized = LABEL_INVALID;
6075 spin_unlock(&isec->lock);
6079 * called with inode->i_mutex locked
6081 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6083 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6087 * called with inode->i_mutex locked
6089 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6091 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6094 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6097 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6106 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6107 unsigned long flags)
6109 const struct task_security_struct *tsec;
6110 struct key_security_struct *ksec;
6112 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6116 tsec = cred->security;
6117 if (tsec->keycreate_sid)
6118 ksec->sid = tsec->keycreate_sid;
6120 ksec->sid = tsec->sid;
6126 static void selinux_key_free(struct key *k)
6128 struct key_security_struct *ksec = k->security;
6134 static int selinux_key_permission(key_ref_t key_ref,
6135 const struct cred *cred,
6139 struct key_security_struct *ksec;
6142 /* if no specific permissions are requested, we skip the
6143 permission check. No serious, additional covert channels
6144 appear to be created. */
6148 sid = cred_sid(cred);
6150 key = key_ref_to_ptr(key_ref);
6151 ksec = key->security;
6153 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6156 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6158 struct key_security_struct *ksec = key->security;
6159 char *context = NULL;
6163 rc = security_sid_to_context(ksec->sid, &context, &len);
6171 #ifdef CONFIG_SECURITY_INFINIBAND
6172 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6174 struct common_audit_data ad;
6177 struct ib_security_struct *sec = ib_sec;
6178 struct lsm_ibpkey_audit ibpkey;
6180 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6184 ad.type = LSM_AUDIT_DATA_IBPKEY;
6185 ibpkey.subnet_prefix = subnet_prefix;
6186 ibpkey.pkey = pkey_val;
6187 ad.u.ibpkey = &ibpkey;
6188 return avc_has_perm(sec->sid, sid,
6189 SECCLASS_INFINIBAND_PKEY,
6190 INFINIBAND_PKEY__ACCESS, &ad);
6193 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6196 struct common_audit_data ad;
6199 struct ib_security_struct *sec = ib_sec;
6200 struct lsm_ibendport_audit ibendport;
6202 err = security_ib_endport_sid(dev_name, port_num, &sid);
6207 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6208 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6209 ibendport.port = port_num;
6210 ad.u.ibendport = &ibendport;
6211 return avc_has_perm(sec->sid, sid,
6212 SECCLASS_INFINIBAND_ENDPORT,
6213 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6216 static int selinux_ib_alloc_security(void **ib_sec)
6218 struct ib_security_struct *sec;
6220 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6223 sec->sid = current_sid();
6229 static void selinux_ib_free_security(void *ib_sec)
6235 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6236 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6237 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6238 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6239 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6241 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6242 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6243 LSM_HOOK_INIT(capget, selinux_capget),
6244 LSM_HOOK_INIT(capset, selinux_capset),
6245 LSM_HOOK_INIT(capable, selinux_capable),
6246 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6247 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6248 LSM_HOOK_INIT(syslog, selinux_syslog),
6249 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6251 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6253 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6254 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6255 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6257 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6258 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6259 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6260 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6261 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6262 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6263 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6264 LSM_HOOK_INIT(sb_mount, selinux_mount),
6265 LSM_HOOK_INIT(sb_umount, selinux_umount),
6266 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6267 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6268 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6270 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6271 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6273 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6274 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6275 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6276 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6277 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6278 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6279 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6280 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6281 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6282 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6283 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6284 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6285 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6286 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6287 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6288 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6289 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6290 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6291 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6292 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6293 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6294 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6295 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6296 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6297 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6298 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6299 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6301 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6302 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6303 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6304 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6305 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6306 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6307 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6308 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6309 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6310 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6311 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6312 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6314 LSM_HOOK_INIT(file_open, selinux_file_open),
6316 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6317 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6318 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6319 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6320 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6321 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6322 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6323 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6324 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6325 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6326 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6327 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6328 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6329 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6330 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6331 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6332 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6333 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6334 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6335 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6336 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6337 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6338 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6340 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6341 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6343 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6344 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6346 LSM_HOOK_INIT(msg_queue_alloc_security,
6347 selinux_msg_queue_alloc_security),
6348 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6349 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6350 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6351 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6352 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6354 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6355 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6356 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6357 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6358 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6360 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6361 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6362 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6363 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6364 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6366 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6368 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6369 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6371 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6372 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6373 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6374 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6375 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6376 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6377 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6378 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6380 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6381 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6383 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6384 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6385 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6386 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6387 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6388 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6389 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6390 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6391 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6392 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6393 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6394 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6395 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6396 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6397 LSM_HOOK_INIT(socket_getpeersec_stream,
6398 selinux_socket_getpeersec_stream),
6399 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6400 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6401 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6402 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6403 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6404 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6405 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6406 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6407 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6408 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6409 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6410 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6411 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6412 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6413 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6414 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6415 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6416 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6417 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6418 #ifdef CONFIG_SECURITY_INFINIBAND
6419 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6420 LSM_HOOK_INIT(ib_endport_manage_subnet,
6421 selinux_ib_endport_manage_subnet),
6422 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6423 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6425 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6426 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6427 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6428 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6429 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6430 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6431 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6432 selinux_xfrm_state_alloc_acquire),
6433 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6434 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6435 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6436 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6437 selinux_xfrm_state_pol_flow_match),
6438 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6442 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6443 LSM_HOOK_INIT(key_free, selinux_key_free),
6444 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6445 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6449 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6450 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6451 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6452 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6456 static __init int selinux_init(void)
6458 if (!security_module_enable("selinux")) {
6459 selinux_enabled = 0;
6463 if (!selinux_enabled) {
6464 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6468 printk(KERN_INFO "SELinux: Initializing.\n");
6470 /* Set the security state for the initial task. */
6471 cred_init_security();
6473 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6475 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6476 sizeof(struct inode_security_struct),
6477 0, SLAB_PANIC, NULL);
6478 file_security_cache = kmem_cache_create("selinux_file_security",
6479 sizeof(struct file_security_struct),
6480 0, SLAB_PANIC, NULL);
6483 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6485 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6486 panic("SELinux: Unable to register AVC netcache callback\n");
6488 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6489 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6491 if (selinux_enforcing)
6492 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6494 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6499 static void delayed_superblock_init(struct super_block *sb, void *unused)
6501 superblock_doinit(sb, NULL);
6504 void selinux_complete_init(void)
6506 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6508 /* Set up any superblocks initialized prior to the policy load. */
6509 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6510 iterate_supers(delayed_superblock_init, NULL);
6513 /* SELinux requires early initialization in order to label
6514 all processes and objects when they are created. */
6515 security_initcall(selinux_init);
6517 #if defined(CONFIG_NETFILTER)
6519 static const struct nf_hook_ops selinux_nf_ops[] = {
6521 .hook = selinux_ipv4_postroute,
6523 .hooknum = NF_INET_POST_ROUTING,
6524 .priority = NF_IP_PRI_SELINUX_LAST,
6527 .hook = selinux_ipv4_forward,
6529 .hooknum = NF_INET_FORWARD,
6530 .priority = NF_IP_PRI_SELINUX_FIRST,
6533 .hook = selinux_ipv4_output,
6535 .hooknum = NF_INET_LOCAL_OUT,
6536 .priority = NF_IP_PRI_SELINUX_FIRST,
6538 #if IS_ENABLED(CONFIG_IPV6)
6540 .hook = selinux_ipv6_postroute,
6542 .hooknum = NF_INET_POST_ROUTING,
6543 .priority = NF_IP6_PRI_SELINUX_LAST,
6546 .hook = selinux_ipv6_forward,
6548 .hooknum = NF_INET_FORWARD,
6549 .priority = NF_IP6_PRI_SELINUX_FIRST,
6552 .hook = selinux_ipv6_output,
6554 .hooknum = NF_INET_LOCAL_OUT,
6555 .priority = NF_IP6_PRI_SELINUX_FIRST,
6560 static int __net_init selinux_nf_register(struct net *net)
6562 return nf_register_net_hooks(net, selinux_nf_ops,
6563 ARRAY_SIZE(selinux_nf_ops));
6566 static void __net_exit selinux_nf_unregister(struct net *net)
6568 nf_unregister_net_hooks(net, selinux_nf_ops,
6569 ARRAY_SIZE(selinux_nf_ops));
6572 static struct pernet_operations selinux_net_ops = {
6573 .init = selinux_nf_register,
6574 .exit = selinux_nf_unregister,
6577 static int __init selinux_nf_ip_init(void)
6581 if (!selinux_enabled)
6584 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6586 err = register_pernet_subsys(&selinux_net_ops);
6588 panic("SELinux: register_pernet_subsys: error %d\n", err);
6592 __initcall(selinux_nf_ip_init);
6594 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6595 static void selinux_nf_ip_exit(void)
6597 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6599 unregister_pernet_subsys(&selinux_net_ops);
6603 #else /* CONFIG_NETFILTER */
6605 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6606 #define selinux_nf_ip_exit()
6609 #endif /* CONFIG_NETFILTER */
6611 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6612 static int selinux_disabled;
6614 int selinux_disable(void)
6616 if (ss_initialized) {
6617 /* Not permitted after initial policy load. */
6621 if (selinux_disabled) {
6622 /* Only do this once. */
6626 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6628 selinux_disabled = 1;
6629 selinux_enabled = 0;
6631 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6633 /* Try to destroy the avc node cache */
6636 /* Unregister netfilter hooks. */
6637 selinux_nf_ip_exit();
6639 /* Unregister selinuxfs. */