1 // SPDX-License-Identifier: GPL-2.0-only
3 * Security-Enhanced Linux (SELinux) security module
5 * This file contains the SELinux hook function implementations.
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
21 * Copyright (C) 2016 Mellanox Technologies
24 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h> /* for Unix socket types */
73 #include <net/af_unix.h> /* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h> /* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 #include <linux/io_uring.h>
95 #include <uapi/linux/lsm.h>
104 #include "netlabel.h"
108 #define SELINUX_INODE_INIT_XATTRS 1
110 struct selinux_state selinux_state;
112 /* SECMARK reference count */
113 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
115 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
116 static int selinux_enforcing_boot __initdata;
118 static int __init enforcing_setup(char *str)
120 unsigned long enforcing;
121 if (!kstrtoul(str, 0, &enforcing))
122 selinux_enforcing_boot = enforcing ? 1 : 0;
125 __setup("enforcing=", enforcing_setup);
127 #define selinux_enforcing_boot 1
130 int selinux_enabled_boot __initdata = 1;
131 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
132 static int __init selinux_enabled_setup(char *str)
134 unsigned long enabled;
135 if (!kstrtoul(str, 0, &enabled))
136 selinux_enabled_boot = enabled ? 1 : 0;
139 __setup("selinux=", selinux_enabled_setup);
142 static int __init checkreqprot_setup(char *str)
144 unsigned long checkreqprot;
146 if (!kstrtoul(str, 0, &checkreqprot)) {
148 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n");
152 __setup("checkreqprot=", checkreqprot_setup);
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
165 static int selinux_secmark_enabled(void)
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
181 static int selinux_peerlbl_enabled(void)
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
187 static int selinux_netcache_avc_callback(u32 event)
189 if (event == AVC_CALLBACK_RESET) {
198 static int selinux_lsm_notifier_avc_callback(u32 event)
200 if (event == AVC_CALLBACK_RESET) {
202 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
209 * initialise the security for the init task
211 static void cred_init_security(void)
213 struct task_security_struct *tsec;
215 tsec = selinux_cred(unrcu_pointer(current->real_cred));
216 tsec->osid = tsec->sid = SECINITSID_KERNEL;
220 * get the security ID of a set of credentials
222 static inline u32 cred_sid(const struct cred *cred)
224 const struct task_security_struct *tsec;
226 tsec = selinux_cred(cred);
230 static void __ad_net_init(struct common_audit_data *ad,
231 struct lsm_network_audit *net,
232 int ifindex, struct sock *sk, u16 family)
234 ad->type = LSM_AUDIT_DATA_NET;
236 net->netif = ifindex;
238 net->family = family;
241 static void ad_net_init_from_sk(struct common_audit_data *ad,
242 struct lsm_network_audit *net,
245 __ad_net_init(ad, net, 0, sk, 0);
248 static void ad_net_init_from_iif(struct common_audit_data *ad,
249 struct lsm_network_audit *net,
250 int ifindex, u16 family)
252 __ad_net_init(ad, net, ifindex, NULL, family);
256 * get the objective security ID of a task
258 static inline u32 task_sid_obj(const struct task_struct *task)
263 sid = cred_sid(__task_cred(task));
268 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
271 * Try reloading inode security labels that have been marked as invalid. The
272 * @may_sleep parameter indicates when sleeping and thus reloading labels is
273 * allowed; when set to false, returns -ECHILD when the label is
274 * invalid. The @dentry parameter should be set to a dentry of the inode.
276 static int __inode_security_revalidate(struct inode *inode,
277 struct dentry *dentry,
280 struct inode_security_struct *isec = selinux_inode(inode);
282 might_sleep_if(may_sleep);
284 if (selinux_initialized() &&
285 isec->initialized != LABEL_INITIALIZED) {
290 * Try reloading the inode security label. This will fail if
291 * @opt_dentry is NULL and no dentry for this inode can be
292 * found; in that case, continue using the old label.
294 inode_doinit_with_dentry(inode, dentry);
299 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
301 return selinux_inode(inode);
304 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
308 error = __inode_security_revalidate(inode, NULL, !rcu);
310 return ERR_PTR(error);
311 return selinux_inode(inode);
315 * Get the security label of an inode.
317 static struct inode_security_struct *inode_security(struct inode *inode)
319 __inode_security_revalidate(inode, NULL, true);
320 return selinux_inode(inode);
323 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
325 struct inode *inode = d_backing_inode(dentry);
327 return selinux_inode(inode);
331 * Get the security label of a dentry's backing inode.
333 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
335 struct inode *inode = d_backing_inode(dentry);
337 __inode_security_revalidate(inode, dentry, true);
338 return selinux_inode(inode);
341 static void inode_free_security(struct inode *inode)
343 struct inode_security_struct *isec = selinux_inode(inode);
344 struct superblock_security_struct *sbsec;
348 sbsec = selinux_superblock(inode->i_sb);
350 * As not all inode security structures are in a list, we check for
351 * empty list outside of the lock to make sure that we won't waste
352 * time taking a lock doing nothing.
354 * The list_del_init() function can be safely called more than once.
355 * It should not be possible for this function to be called with
356 * concurrent list_add(), but for better safety against future changes
357 * in the code, we use list_empty_careful() here.
359 if (!list_empty_careful(&isec->list)) {
360 spin_lock(&sbsec->isec_lock);
361 list_del_init(&isec->list);
362 spin_unlock(&sbsec->isec_lock);
366 struct selinux_mnt_opts {
373 static void selinux_free_mnt_opts(void *mnt_opts)
387 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
388 static const struct {
397 A(rootcontext, true),
402 static int match_opt_prefix(char *s, int l, char **arg)
406 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
407 size_t len = tokens[i].len;
408 if (len > l || memcmp(s, tokens[i].name, len))
410 if (tokens[i].has_arg) {
411 if (len == l || s[len] != '=')
416 return tokens[i].opt;
421 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
423 static int may_context_mount_sb_relabel(u32 sid,
424 struct superblock_security_struct *sbsec,
425 const struct cred *cred)
427 const struct task_security_struct *tsec = selinux_cred(cred);
430 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
431 FILESYSTEM__RELABELFROM, NULL);
435 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
436 FILESYSTEM__RELABELTO, NULL);
440 static int may_context_mount_inode_relabel(u32 sid,
441 struct superblock_security_struct *sbsec,
442 const struct cred *cred)
444 const struct task_security_struct *tsec = selinux_cred(cred);
446 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
447 FILESYSTEM__RELABELFROM, NULL);
451 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
452 FILESYSTEM__ASSOCIATE, NULL);
456 static int selinux_is_genfs_special_handling(struct super_block *sb)
458 /* Special handling. Genfs but also in-core setxattr handler */
459 return !strcmp(sb->s_type->name, "sysfs") ||
460 !strcmp(sb->s_type->name, "pstore") ||
461 !strcmp(sb->s_type->name, "debugfs") ||
462 !strcmp(sb->s_type->name, "tracefs") ||
463 !strcmp(sb->s_type->name, "rootfs") ||
464 (selinux_policycap_cgroupseclabel() &&
465 (!strcmp(sb->s_type->name, "cgroup") ||
466 !strcmp(sb->s_type->name, "cgroup2")));
469 static int selinux_is_sblabel_mnt(struct super_block *sb)
471 struct superblock_security_struct *sbsec = selinux_superblock(sb);
474 * IMPORTANT: Double-check logic in this function when adding a new
475 * SECURITY_FS_USE_* definition!
477 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
479 switch (sbsec->behavior) {
480 case SECURITY_FS_USE_XATTR:
481 case SECURITY_FS_USE_TRANS:
482 case SECURITY_FS_USE_TASK:
483 case SECURITY_FS_USE_NATIVE:
486 case SECURITY_FS_USE_GENFS:
487 return selinux_is_genfs_special_handling(sb);
489 /* Never allow relabeling on context mounts */
490 case SECURITY_FS_USE_MNTPOINT:
491 case SECURITY_FS_USE_NONE:
497 static int sb_check_xattr_support(struct super_block *sb)
499 struct superblock_security_struct *sbsec = selinux_superblock(sb);
500 struct dentry *root = sb->s_root;
501 struct inode *root_inode = d_backing_inode(root);
506 * Make sure that the xattr handler exists and that no
507 * error other than -ENODATA is returned by getxattr on
508 * the root directory. -ENODATA is ok, as this may be
509 * the first boot of the SELinux kernel before we have
510 * assigned xattr values to the filesystem.
512 if (!(root_inode->i_opflags & IOP_XATTR)) {
513 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
514 sb->s_id, sb->s_type->name);
518 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
519 if (rc < 0 && rc != -ENODATA) {
520 if (rc == -EOPNOTSUPP) {
521 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
522 sb->s_id, sb->s_type->name);
525 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
526 sb->s_id, sb->s_type->name, -rc);
533 /* No xattr support - try to fallback to genfs if possible. */
534 rc = security_genfs_sid(sb->s_type->name, "/",
539 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
540 sb->s_id, sb->s_type->name);
541 sbsec->behavior = SECURITY_FS_USE_GENFS;
546 static int sb_finish_set_opts(struct super_block *sb)
548 struct superblock_security_struct *sbsec = selinux_superblock(sb);
549 struct dentry *root = sb->s_root;
550 struct inode *root_inode = d_backing_inode(root);
553 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
554 rc = sb_check_xattr_support(sb);
559 sbsec->flags |= SE_SBINITIALIZED;
562 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
563 * leave the flag untouched because sb_clone_mnt_opts might be handing
564 * us a superblock that needs the flag to be cleared.
566 if (selinux_is_sblabel_mnt(sb))
567 sbsec->flags |= SBLABEL_MNT;
569 sbsec->flags &= ~SBLABEL_MNT;
571 /* Initialize the root inode. */
572 rc = inode_doinit_with_dentry(root_inode, root);
574 /* Initialize any other inodes associated with the superblock, e.g.
575 inodes created prior to initial policy load or inodes created
576 during get_sb by a pseudo filesystem that directly
578 spin_lock(&sbsec->isec_lock);
579 while (!list_empty(&sbsec->isec_head)) {
580 struct inode_security_struct *isec =
581 list_first_entry(&sbsec->isec_head,
582 struct inode_security_struct, list);
583 struct inode *inode = isec->inode;
584 list_del_init(&isec->list);
585 spin_unlock(&sbsec->isec_lock);
586 inode = igrab(inode);
588 if (!IS_PRIVATE(inode))
589 inode_doinit_with_dentry(inode, NULL);
592 spin_lock(&sbsec->isec_lock);
594 spin_unlock(&sbsec->isec_lock);
598 static int bad_option(struct superblock_security_struct *sbsec, char flag,
599 u32 old_sid, u32 new_sid)
601 char mnt_flags = sbsec->flags & SE_MNTMASK;
603 /* check if the old mount command had the same options */
604 if (sbsec->flags & SE_SBINITIALIZED)
605 if (!(sbsec->flags & flag) ||
606 (old_sid != new_sid))
609 /* check if we were passed the same options twice,
610 * aka someone passed context=a,context=b
612 if (!(sbsec->flags & SE_SBINITIALIZED))
613 if (mnt_flags & flag)
619 * Allow filesystems with binary mount data to explicitly set mount point
620 * labeling information.
622 static int selinux_set_mnt_opts(struct super_block *sb,
624 unsigned long kern_flags,
625 unsigned long *set_kern_flags)
627 const struct cred *cred = current_cred();
628 struct superblock_security_struct *sbsec = selinux_superblock(sb);
629 struct dentry *root = sb->s_root;
630 struct selinux_mnt_opts *opts = mnt_opts;
631 struct inode_security_struct *root_isec;
632 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
633 u32 defcontext_sid = 0;
637 * Specifying internal flags without providing a place to
638 * place the results is not allowed
640 if (kern_flags && !set_kern_flags)
643 mutex_lock(&sbsec->lock);
645 if (!selinux_initialized()) {
647 /* Defer initialization until selinux_complete_init,
648 after the initial policy is loaded and the security
649 server is ready to handle calls. */
650 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
651 sbsec->flags |= SE_SBNATIVE;
652 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
657 pr_warn("SELinux: Unable to set superblock options "
658 "before the security server is initialized\n");
663 * Binary mount data FS will come through this function twice. Once
664 * from an explicit call and once from the generic calls from the vfs.
665 * Since the generic VFS calls will not contain any security mount data
666 * we need to skip the double mount verification.
668 * This does open a hole in which we will not notice if the first
669 * mount using this sb set explicit options and a second mount using
670 * this sb does not set any security options. (The first options
671 * will be used for both mounts)
673 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
677 root_isec = backing_inode_security_novalidate(root);
680 * parse the mount options, check if they are valid sids.
681 * also check if someone is trying to mount the same sb more
682 * than once with different security options.
685 if (opts->fscontext_sid) {
686 fscontext_sid = opts->fscontext_sid;
687 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
689 goto out_double_mount;
690 sbsec->flags |= FSCONTEXT_MNT;
692 if (opts->context_sid) {
693 context_sid = opts->context_sid;
694 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
696 goto out_double_mount;
697 sbsec->flags |= CONTEXT_MNT;
699 if (opts->rootcontext_sid) {
700 rootcontext_sid = opts->rootcontext_sid;
701 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
703 goto out_double_mount;
704 sbsec->flags |= ROOTCONTEXT_MNT;
706 if (opts->defcontext_sid) {
707 defcontext_sid = opts->defcontext_sid;
708 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
710 goto out_double_mount;
711 sbsec->flags |= DEFCONTEXT_MNT;
715 if (sbsec->flags & SE_SBINITIALIZED) {
716 /* previously mounted with options, but not on this attempt? */
717 if ((sbsec->flags & SE_MNTMASK) && !opts)
718 goto out_double_mount;
723 if (strcmp(sb->s_type->name, "proc") == 0)
724 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
726 if (!strcmp(sb->s_type->name, "debugfs") ||
727 !strcmp(sb->s_type->name, "tracefs") ||
728 !strcmp(sb->s_type->name, "binder") ||
729 !strcmp(sb->s_type->name, "bpf") ||
730 !strcmp(sb->s_type->name, "pstore") ||
731 !strcmp(sb->s_type->name, "securityfs"))
732 sbsec->flags |= SE_SBGENFS;
734 if (!strcmp(sb->s_type->name, "sysfs") ||
735 !strcmp(sb->s_type->name, "cgroup") ||
736 !strcmp(sb->s_type->name, "cgroup2"))
737 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
739 if (!sbsec->behavior) {
741 * Determine the labeling behavior to use for this
744 rc = security_fs_use(sb);
746 pr_warn("%s: security_fs_use(%s) returned %d\n",
747 __func__, sb->s_type->name, rc);
753 * If this is a user namespace mount and the filesystem type is not
754 * explicitly whitelisted, then no contexts are allowed on the command
755 * line and security labels must be ignored.
757 if (sb->s_user_ns != &init_user_ns &&
758 strcmp(sb->s_type->name, "tmpfs") &&
759 strcmp(sb->s_type->name, "ramfs") &&
760 strcmp(sb->s_type->name, "devpts") &&
761 strcmp(sb->s_type->name, "overlay")) {
762 if (context_sid || fscontext_sid || rootcontext_sid ||
767 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
768 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
769 rc = security_transition_sid(current_sid(),
772 &sbsec->mntpoint_sid);
779 /* sets the context of the superblock for the fs being mounted. */
781 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
785 sbsec->sid = fscontext_sid;
789 * Switch to using mount point labeling behavior.
790 * sets the label used on all file below the mountpoint, and will set
791 * the superblock context if not already set.
793 if (sbsec->flags & SE_SBNATIVE) {
795 * This means we are initializing a superblock that has been
796 * mounted before the SELinux was initialized and the
797 * filesystem requested native labeling. We had already
798 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
799 * in the original mount attempt, so now we just need to set
800 * the SECURITY_FS_USE_NATIVE behavior.
802 sbsec->behavior = SECURITY_FS_USE_NATIVE;
803 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
804 sbsec->behavior = SECURITY_FS_USE_NATIVE;
805 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
809 if (!fscontext_sid) {
810 rc = may_context_mount_sb_relabel(context_sid, sbsec,
814 sbsec->sid = context_sid;
816 rc = may_context_mount_inode_relabel(context_sid, sbsec,
821 if (!rootcontext_sid)
822 rootcontext_sid = context_sid;
824 sbsec->mntpoint_sid = context_sid;
825 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
828 if (rootcontext_sid) {
829 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
834 root_isec->sid = rootcontext_sid;
835 root_isec->initialized = LABEL_INITIALIZED;
838 if (defcontext_sid) {
839 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
840 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
842 pr_warn("SELinux: defcontext option is "
843 "invalid for this filesystem type\n");
847 if (defcontext_sid != sbsec->def_sid) {
848 rc = may_context_mount_inode_relabel(defcontext_sid,
854 sbsec->def_sid = defcontext_sid;
858 rc = sb_finish_set_opts(sb);
860 mutex_unlock(&sbsec->lock);
864 pr_warn("SELinux: mount invalid. Same superblock, different "
865 "security settings for (dev %s, type %s)\n", sb->s_id,
870 static int selinux_cmp_sb_context(const struct super_block *oldsb,
871 const struct super_block *newsb)
873 struct superblock_security_struct *old = selinux_superblock(oldsb);
874 struct superblock_security_struct *new = selinux_superblock(newsb);
875 char oldflags = old->flags & SE_MNTMASK;
876 char newflags = new->flags & SE_MNTMASK;
878 if (oldflags != newflags)
880 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
882 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
884 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
886 if (oldflags & ROOTCONTEXT_MNT) {
887 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
888 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
889 if (oldroot->sid != newroot->sid)
894 pr_warn("SELinux: mount invalid. Same superblock, "
895 "different security settings for (dev %s, "
896 "type %s)\n", newsb->s_id, newsb->s_type->name);
900 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
901 struct super_block *newsb,
902 unsigned long kern_flags,
903 unsigned long *set_kern_flags)
906 const struct superblock_security_struct *oldsbsec =
907 selinux_superblock(oldsb);
908 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
910 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
911 int set_context = (oldsbsec->flags & CONTEXT_MNT);
912 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
915 * Specifying internal flags without providing a place to
916 * place the results is not allowed.
918 if (kern_flags && !set_kern_flags)
921 mutex_lock(&newsbsec->lock);
924 * if the parent was able to be mounted it clearly had no special lsm
925 * mount options. thus we can safely deal with this superblock later
927 if (!selinux_initialized()) {
928 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
929 newsbsec->flags |= SE_SBNATIVE;
930 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
935 /* how can we clone if the old one wasn't set up?? */
936 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
938 /* if fs is reusing a sb, make sure that the contexts match */
939 if (newsbsec->flags & SE_SBINITIALIZED) {
940 mutex_unlock(&newsbsec->lock);
941 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
942 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
943 return selinux_cmp_sb_context(oldsb, newsb);
946 newsbsec->flags = oldsbsec->flags;
948 newsbsec->sid = oldsbsec->sid;
949 newsbsec->def_sid = oldsbsec->def_sid;
950 newsbsec->behavior = oldsbsec->behavior;
952 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
953 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
954 rc = security_fs_use(newsb);
959 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
960 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
961 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
965 u32 sid = oldsbsec->mntpoint_sid;
969 if (!set_rootcontext) {
970 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
973 newsbsec->mntpoint_sid = sid;
975 if (set_rootcontext) {
976 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
977 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
979 newisec->sid = oldisec->sid;
982 sb_finish_set_opts(newsb);
984 mutex_unlock(&newsbsec->lock);
989 * NOTE: the caller is responsible for freeing the memory even if on error.
991 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
993 struct selinux_mnt_opts *opts = *mnt_opts;
997 if (token == Opt_seclabel)
998 /* eaten and completely ignored */
1003 if (!selinux_initialized()) {
1004 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1009 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
1017 if (opts->context_sid || opts->defcontext_sid)
1019 dst_sid = &opts->context_sid;
1022 if (opts->fscontext_sid)
1024 dst_sid = &opts->fscontext_sid;
1026 case Opt_rootcontext:
1027 if (opts->rootcontext_sid)
1029 dst_sid = &opts->rootcontext_sid;
1031 case Opt_defcontext:
1032 if (opts->context_sid || opts->defcontext_sid)
1034 dst_sid = &opts->defcontext_sid;
1040 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
1042 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1047 pr_warn(SEL_MOUNT_FAIL_MSG);
1051 static int show_sid(struct seq_file *m, u32 sid)
1053 char *context = NULL;
1057 rc = security_sid_to_context(sid, &context, &len);
1059 bool has_comma = strchr(context, ',');
1064 seq_escape(m, context, "\"\n\\");
1072 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1074 struct superblock_security_struct *sbsec = selinux_superblock(sb);
1077 if (!(sbsec->flags & SE_SBINITIALIZED))
1080 if (!selinux_initialized())
1083 if (sbsec->flags & FSCONTEXT_MNT) {
1085 seq_puts(m, FSCONTEXT_STR);
1086 rc = show_sid(m, sbsec->sid);
1090 if (sbsec->flags & CONTEXT_MNT) {
1092 seq_puts(m, CONTEXT_STR);
1093 rc = show_sid(m, sbsec->mntpoint_sid);
1097 if (sbsec->flags & DEFCONTEXT_MNT) {
1099 seq_puts(m, DEFCONTEXT_STR);
1100 rc = show_sid(m, sbsec->def_sid);
1104 if (sbsec->flags & ROOTCONTEXT_MNT) {
1105 struct dentry *root = sb->s_root;
1106 struct inode_security_struct *isec = backing_inode_security(root);
1108 seq_puts(m, ROOTCONTEXT_STR);
1109 rc = show_sid(m, isec->sid);
1113 if (sbsec->flags & SBLABEL_MNT) {
1115 seq_puts(m, SECLABEL_STR);
1120 static inline u16 inode_mode_to_security_class(umode_t mode)
1122 switch (mode & S_IFMT) {
1124 return SECCLASS_SOCK_FILE;
1126 return SECCLASS_LNK_FILE;
1128 return SECCLASS_FILE;
1130 return SECCLASS_BLK_FILE;
1132 return SECCLASS_DIR;
1134 return SECCLASS_CHR_FILE;
1136 return SECCLASS_FIFO_FILE;
1140 return SECCLASS_FILE;
1143 static inline int default_protocol_stream(int protocol)
1145 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1146 protocol == IPPROTO_MPTCP);
1149 static inline int default_protocol_dgram(int protocol)
1151 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1154 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1156 bool extsockclass = selinux_policycap_extsockclass();
1162 case SOCK_SEQPACKET:
1163 return SECCLASS_UNIX_STREAM_SOCKET;
1166 return SECCLASS_UNIX_DGRAM_SOCKET;
1173 case SOCK_SEQPACKET:
1174 if (default_protocol_stream(protocol))
1175 return SECCLASS_TCP_SOCKET;
1176 else if (extsockclass && protocol == IPPROTO_SCTP)
1177 return SECCLASS_SCTP_SOCKET;
1179 return SECCLASS_RAWIP_SOCKET;
1181 if (default_protocol_dgram(protocol))
1182 return SECCLASS_UDP_SOCKET;
1183 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1184 protocol == IPPROTO_ICMPV6))
1185 return SECCLASS_ICMP_SOCKET;
1187 return SECCLASS_RAWIP_SOCKET;
1189 return SECCLASS_DCCP_SOCKET;
1191 return SECCLASS_RAWIP_SOCKET;
1197 return SECCLASS_NETLINK_ROUTE_SOCKET;
1198 case NETLINK_SOCK_DIAG:
1199 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1201 return SECCLASS_NETLINK_NFLOG_SOCKET;
1203 return SECCLASS_NETLINK_XFRM_SOCKET;
1204 case NETLINK_SELINUX:
1205 return SECCLASS_NETLINK_SELINUX_SOCKET;
1207 return SECCLASS_NETLINK_ISCSI_SOCKET;
1209 return SECCLASS_NETLINK_AUDIT_SOCKET;
1210 case NETLINK_FIB_LOOKUP:
1211 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1212 case NETLINK_CONNECTOR:
1213 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1214 case NETLINK_NETFILTER:
1215 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1216 case NETLINK_DNRTMSG:
1217 return SECCLASS_NETLINK_DNRT_SOCKET;
1218 case NETLINK_KOBJECT_UEVENT:
1219 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1220 case NETLINK_GENERIC:
1221 return SECCLASS_NETLINK_GENERIC_SOCKET;
1222 case NETLINK_SCSITRANSPORT:
1223 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1225 return SECCLASS_NETLINK_RDMA_SOCKET;
1226 case NETLINK_CRYPTO:
1227 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1229 return SECCLASS_NETLINK_SOCKET;
1232 return SECCLASS_PACKET_SOCKET;
1234 return SECCLASS_KEY_SOCKET;
1236 return SECCLASS_APPLETALK_SOCKET;
1242 return SECCLASS_AX25_SOCKET;
1244 return SECCLASS_IPX_SOCKET;
1246 return SECCLASS_NETROM_SOCKET;
1248 return SECCLASS_ATMPVC_SOCKET;
1250 return SECCLASS_X25_SOCKET;
1252 return SECCLASS_ROSE_SOCKET;
1254 return SECCLASS_DECNET_SOCKET;
1256 return SECCLASS_ATMSVC_SOCKET;
1258 return SECCLASS_RDS_SOCKET;
1260 return SECCLASS_IRDA_SOCKET;
1262 return SECCLASS_PPPOX_SOCKET;
1264 return SECCLASS_LLC_SOCKET;
1266 return SECCLASS_CAN_SOCKET;
1268 return SECCLASS_TIPC_SOCKET;
1270 return SECCLASS_BLUETOOTH_SOCKET;
1272 return SECCLASS_IUCV_SOCKET;
1274 return SECCLASS_RXRPC_SOCKET;
1276 return SECCLASS_ISDN_SOCKET;
1278 return SECCLASS_PHONET_SOCKET;
1280 return SECCLASS_IEEE802154_SOCKET;
1282 return SECCLASS_CAIF_SOCKET;
1284 return SECCLASS_ALG_SOCKET;
1286 return SECCLASS_NFC_SOCKET;
1288 return SECCLASS_VSOCK_SOCKET;
1290 return SECCLASS_KCM_SOCKET;
1292 return SECCLASS_QIPCRTR_SOCKET;
1294 return SECCLASS_SMC_SOCKET;
1296 return SECCLASS_XDP_SOCKET;
1298 return SECCLASS_MCTP_SOCKET;
1300 #error New address family defined, please update this function.
1305 return SECCLASS_SOCKET;
1308 static int selinux_genfs_get_sid(struct dentry *dentry,
1314 struct super_block *sb = dentry->d_sb;
1315 char *buffer, *path;
1317 buffer = (char *)__get_free_page(GFP_KERNEL);
1321 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1325 if (flags & SE_SBPROC) {
1326 /* each process gets a /proc/PID/ entry. Strip off the
1327 * PID part to get a valid selinux labeling.
1328 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1329 while (path[1] >= '0' && path[1] <= '9') {
1334 rc = security_genfs_sid(sb->s_type->name,
1336 if (rc == -ENOENT) {
1337 /* No match in policy, mark as unlabeled. */
1338 *sid = SECINITSID_UNLABELED;
1342 free_page((unsigned long)buffer);
1346 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1347 u32 def_sid, u32 *sid)
1349 #define INITCONTEXTLEN 255
1354 len = INITCONTEXTLEN;
1355 context = kmalloc(len + 1, GFP_NOFS);
1359 context[len] = '\0';
1360 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1361 if (rc == -ERANGE) {
1364 /* Need a larger buffer. Query for the right size. */
1365 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1370 context = kmalloc(len + 1, GFP_NOFS);
1374 context[len] = '\0';
1375 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1380 if (rc != -ENODATA) {
1381 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1382 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1389 rc = security_context_to_sid_default(context, rc, sid,
1392 char *dev = inode->i_sb->s_id;
1393 unsigned long ino = inode->i_ino;
1395 if (rc == -EINVAL) {
1396 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1399 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1400 __func__, context, -rc, dev, ino);
1407 /* The inode's security attributes must be initialized before first use. */
1408 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1410 struct superblock_security_struct *sbsec = NULL;
1411 struct inode_security_struct *isec = selinux_inode(inode);
1412 u32 task_sid, sid = 0;
1414 struct dentry *dentry;
1417 if (isec->initialized == LABEL_INITIALIZED)
1420 spin_lock(&isec->lock);
1421 if (isec->initialized == LABEL_INITIALIZED)
1424 if (isec->sclass == SECCLASS_FILE)
1425 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1427 sbsec = selinux_superblock(inode->i_sb);
1428 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1429 /* Defer initialization until selinux_complete_init,
1430 after the initial policy is loaded and the security
1431 server is ready to handle calls. */
1432 spin_lock(&sbsec->isec_lock);
1433 if (list_empty(&isec->list))
1434 list_add(&isec->list, &sbsec->isec_head);
1435 spin_unlock(&sbsec->isec_lock);
1439 sclass = isec->sclass;
1440 task_sid = isec->task_sid;
1442 isec->initialized = LABEL_PENDING;
1443 spin_unlock(&isec->lock);
1445 switch (sbsec->behavior) {
1447 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1448 * via xattr when called from delayed_superblock_init().
1450 case SECURITY_FS_USE_NATIVE:
1451 case SECURITY_FS_USE_XATTR:
1452 if (!(inode->i_opflags & IOP_XATTR)) {
1453 sid = sbsec->def_sid;
1456 /* Need a dentry, since the xattr API requires one.
1457 Life would be simpler if we could just pass the inode. */
1459 /* Called from d_instantiate or d_splice_alias. */
1460 dentry = dget(opt_dentry);
1463 * Called from selinux_complete_init, try to find a dentry.
1464 * Some filesystems really want a connected one, so try
1465 * that first. We could split SECURITY_FS_USE_XATTR in
1466 * two, depending upon that...
1468 dentry = d_find_alias(inode);
1470 dentry = d_find_any_alias(inode);
1474 * this is can be hit on boot when a file is accessed
1475 * before the policy is loaded. When we load policy we
1476 * may find inodes that have no dentry on the
1477 * sbsec->isec_head list. No reason to complain as these
1478 * will get fixed up the next time we go through
1479 * inode_doinit with a dentry, before these inodes could
1480 * be used again by userspace.
1485 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1491 case SECURITY_FS_USE_TASK:
1494 case SECURITY_FS_USE_TRANS:
1495 /* Default to the fs SID. */
1498 /* Try to obtain a transition SID. */
1499 rc = security_transition_sid(task_sid, sid,
1500 sclass, NULL, &sid);
1504 case SECURITY_FS_USE_MNTPOINT:
1505 sid = sbsec->mntpoint_sid;
1508 /* Default to the fs superblock SID. */
1511 if ((sbsec->flags & SE_SBGENFS) &&
1512 (!S_ISLNK(inode->i_mode) ||
1513 selinux_policycap_genfs_seclabel_symlinks())) {
1514 /* We must have a dentry to determine the label on
1517 /* Called from d_instantiate or
1518 * d_splice_alias. */
1519 dentry = dget(opt_dentry);
1521 /* Called from selinux_complete_init, try to
1522 * find a dentry. Some filesystems really want
1523 * a connected one, so try that first.
1525 dentry = d_find_alias(inode);
1527 dentry = d_find_any_alias(inode);
1530 * This can be hit on boot when a file is accessed
1531 * before the policy is loaded. When we load policy we
1532 * may find inodes that have no dentry on the
1533 * sbsec->isec_head list. No reason to complain as
1534 * these will get fixed up the next time we go through
1535 * inode_doinit() with a dentry, before these inodes
1536 * could be used again by userspace.
1540 rc = selinux_genfs_get_sid(dentry, sclass,
1541 sbsec->flags, &sid);
1547 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1548 (inode->i_opflags & IOP_XATTR)) {
1549 rc = inode_doinit_use_xattr(inode, dentry,
1562 spin_lock(&isec->lock);
1563 if (isec->initialized == LABEL_PENDING) {
1565 isec->initialized = LABEL_INVALID;
1568 isec->initialized = LABEL_INITIALIZED;
1573 spin_unlock(&isec->lock);
1577 spin_lock(&isec->lock);
1578 if (isec->initialized == LABEL_PENDING) {
1579 isec->initialized = LABEL_INVALID;
1582 spin_unlock(&isec->lock);
1586 /* Convert a Linux signal to an access vector. */
1587 static inline u32 signal_to_av(int sig)
1593 /* Commonly granted from child to parent. */
1594 perm = PROCESS__SIGCHLD;
1597 /* Cannot be caught or ignored */
1598 perm = PROCESS__SIGKILL;
1601 /* Cannot be caught or ignored */
1602 perm = PROCESS__SIGSTOP;
1605 /* All other signals. */
1606 perm = PROCESS__SIGNAL;
1613 #if CAP_LAST_CAP > 63
1614 #error Fix SELinux to handle capabilities > 63.
1617 /* Check whether a task is allowed to use a capability. */
1618 static int cred_has_capability(const struct cred *cred,
1619 int cap, unsigned int opts, bool initns)
1621 struct common_audit_data ad;
1622 struct av_decision avd;
1624 u32 sid = cred_sid(cred);
1625 u32 av = CAP_TO_MASK(cap);
1628 ad.type = LSM_AUDIT_DATA_CAP;
1631 switch (CAP_TO_INDEX(cap)) {
1633 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1636 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1639 pr_err("SELinux: out of range capability %d\n", cap);
1644 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1645 if (!(opts & CAP_OPT_NOAUDIT)) {
1646 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1653 /* Check whether a task has a particular permission to an inode.
1654 The 'adp' parameter is optional and allows other audit
1655 data to be passed (e.g. the dentry). */
1656 static int inode_has_perm(const struct cred *cred,
1657 struct inode *inode,
1659 struct common_audit_data *adp)
1661 struct inode_security_struct *isec;
1664 if (unlikely(IS_PRIVATE(inode)))
1667 sid = cred_sid(cred);
1668 isec = selinux_inode(inode);
1670 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1673 /* Same as inode_has_perm, but pass explicit audit data containing
1674 the dentry to help the auditing code to more easily generate the
1675 pathname if needed. */
1676 static inline int dentry_has_perm(const struct cred *cred,
1677 struct dentry *dentry,
1680 struct inode *inode = d_backing_inode(dentry);
1681 struct common_audit_data ad;
1683 ad.type = LSM_AUDIT_DATA_DENTRY;
1684 ad.u.dentry = dentry;
1685 __inode_security_revalidate(inode, dentry, true);
1686 return inode_has_perm(cred, inode, av, &ad);
1689 /* Same as inode_has_perm, but pass explicit audit data containing
1690 the path to help the auditing code to more easily generate the
1691 pathname if needed. */
1692 static inline int path_has_perm(const struct cred *cred,
1693 const struct path *path,
1696 struct inode *inode = d_backing_inode(path->dentry);
1697 struct common_audit_data ad;
1699 ad.type = LSM_AUDIT_DATA_PATH;
1701 __inode_security_revalidate(inode, path->dentry, true);
1702 return inode_has_perm(cred, inode, av, &ad);
1705 /* Same as path_has_perm, but uses the inode from the file struct. */
1706 static inline int file_path_has_perm(const struct cred *cred,
1710 struct common_audit_data ad;
1712 ad.type = LSM_AUDIT_DATA_FILE;
1714 return inode_has_perm(cred, file_inode(file), av, &ad);
1717 #ifdef CONFIG_BPF_SYSCALL
1718 static int bpf_fd_pass(const struct file *file, u32 sid);
1721 /* Check whether a task can use an open file descriptor to
1722 access an inode in a given way. Check access to the
1723 descriptor itself, and then use dentry_has_perm to
1724 check a particular permission to the file.
1725 Access to the descriptor is implicitly granted if it
1726 has the same SID as the process. If av is zero, then
1727 access to the file is not checked, e.g. for cases
1728 where only the descriptor is affected like seek. */
1729 static int file_has_perm(const struct cred *cred,
1733 struct file_security_struct *fsec = selinux_file(file);
1734 struct inode *inode = file_inode(file);
1735 struct common_audit_data ad;
1736 u32 sid = cred_sid(cred);
1739 ad.type = LSM_AUDIT_DATA_FILE;
1742 if (sid != fsec->sid) {
1743 rc = avc_has_perm(sid, fsec->sid,
1751 #ifdef CONFIG_BPF_SYSCALL
1752 rc = bpf_fd_pass(file, cred_sid(cred));
1757 /* av is zero if only checking access to the descriptor. */
1760 rc = inode_has_perm(cred, inode, av, &ad);
1767 * Determine the label for an inode that might be unioned.
1770 selinux_determine_inode_label(const struct task_security_struct *tsec,
1772 const struct qstr *name, u16 tclass,
1775 const struct superblock_security_struct *sbsec =
1776 selinux_superblock(dir->i_sb);
1778 if ((sbsec->flags & SE_SBINITIALIZED) &&
1779 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1780 *_new_isid = sbsec->mntpoint_sid;
1781 } else if ((sbsec->flags & SBLABEL_MNT) &&
1783 *_new_isid = tsec->create_sid;
1785 const struct inode_security_struct *dsec = inode_security(dir);
1786 return security_transition_sid(tsec->sid,
1794 /* Check whether a task can create a file. */
1795 static int may_create(struct inode *dir,
1796 struct dentry *dentry,
1799 const struct task_security_struct *tsec = selinux_cred(current_cred());
1800 struct inode_security_struct *dsec;
1801 struct superblock_security_struct *sbsec;
1803 struct common_audit_data ad;
1806 dsec = inode_security(dir);
1807 sbsec = selinux_superblock(dir->i_sb);
1811 ad.type = LSM_AUDIT_DATA_DENTRY;
1812 ad.u.dentry = dentry;
1814 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1815 DIR__ADD_NAME | DIR__SEARCH,
1820 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1825 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1829 return avc_has_perm(newsid, sbsec->sid,
1830 SECCLASS_FILESYSTEM,
1831 FILESYSTEM__ASSOCIATE, &ad);
1835 #define MAY_UNLINK 1
1838 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1839 static int may_link(struct inode *dir,
1840 struct dentry *dentry,
1844 struct inode_security_struct *dsec, *isec;
1845 struct common_audit_data ad;
1846 u32 sid = current_sid();
1850 dsec = inode_security(dir);
1851 isec = backing_inode_security(dentry);
1853 ad.type = LSM_AUDIT_DATA_DENTRY;
1854 ad.u.dentry = dentry;
1857 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1858 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1873 pr_warn("SELinux: %s: unrecognized kind %d\n",
1878 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1882 static inline int may_rename(struct inode *old_dir,
1883 struct dentry *old_dentry,
1884 struct inode *new_dir,
1885 struct dentry *new_dentry)
1887 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1888 struct common_audit_data ad;
1889 u32 sid = current_sid();
1891 int old_is_dir, new_is_dir;
1894 old_dsec = inode_security(old_dir);
1895 old_isec = backing_inode_security(old_dentry);
1896 old_is_dir = d_is_dir(old_dentry);
1897 new_dsec = inode_security(new_dir);
1899 ad.type = LSM_AUDIT_DATA_DENTRY;
1901 ad.u.dentry = old_dentry;
1902 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1903 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1906 rc = avc_has_perm(sid, old_isec->sid,
1907 old_isec->sclass, FILE__RENAME, &ad);
1910 if (old_is_dir && new_dir != old_dir) {
1911 rc = avc_has_perm(sid, old_isec->sid,
1912 old_isec->sclass, DIR__REPARENT, &ad);
1917 ad.u.dentry = new_dentry;
1918 av = DIR__ADD_NAME | DIR__SEARCH;
1919 if (d_is_positive(new_dentry))
1920 av |= DIR__REMOVE_NAME;
1921 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1924 if (d_is_positive(new_dentry)) {
1925 new_isec = backing_inode_security(new_dentry);
1926 new_is_dir = d_is_dir(new_dentry);
1927 rc = avc_has_perm(sid, new_isec->sid,
1929 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1937 /* Check whether a task can perform a filesystem operation. */
1938 static int superblock_has_perm(const struct cred *cred,
1939 const struct super_block *sb,
1941 struct common_audit_data *ad)
1943 struct superblock_security_struct *sbsec;
1944 u32 sid = cred_sid(cred);
1946 sbsec = selinux_superblock(sb);
1947 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1950 /* Convert a Linux mode and permission mask to an access vector. */
1951 static inline u32 file_mask_to_av(int mode, int mask)
1955 if (!S_ISDIR(mode)) {
1956 if (mask & MAY_EXEC)
1957 av |= FILE__EXECUTE;
1958 if (mask & MAY_READ)
1961 if (mask & MAY_APPEND)
1963 else if (mask & MAY_WRITE)
1967 if (mask & MAY_EXEC)
1969 if (mask & MAY_WRITE)
1971 if (mask & MAY_READ)
1978 /* Convert a Linux file to an access vector. */
1979 static inline u32 file_to_av(const struct file *file)
1983 if (file->f_mode & FMODE_READ)
1985 if (file->f_mode & FMODE_WRITE) {
1986 if (file->f_flags & O_APPEND)
1993 * Special file opened with flags 3 for ioctl-only use.
2002 * Convert a file to an access vector and include the correct
2005 static inline u32 open_file_to_av(struct file *file)
2007 u32 av = file_to_av(file);
2008 struct inode *inode = file_inode(file);
2010 if (selinux_policycap_openperm() &&
2011 inode->i_sb->s_magic != SOCKFS_MAGIC)
2017 /* Hook functions begin here. */
2019 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2021 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2022 BINDER__SET_CONTEXT_MGR, NULL);
2025 static int selinux_binder_transaction(const struct cred *from,
2026 const struct cred *to)
2028 u32 mysid = current_sid();
2029 u32 fromsid = cred_sid(from);
2030 u32 tosid = cred_sid(to);
2033 if (mysid != fromsid) {
2034 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2035 BINDER__IMPERSONATE, NULL);
2040 return avc_has_perm(fromsid, tosid,
2041 SECCLASS_BINDER, BINDER__CALL, NULL);
2044 static int selinux_binder_transfer_binder(const struct cred *from,
2045 const struct cred *to)
2047 return avc_has_perm(cred_sid(from), cred_sid(to),
2048 SECCLASS_BINDER, BINDER__TRANSFER,
2052 static int selinux_binder_transfer_file(const struct cred *from,
2053 const struct cred *to,
2054 const struct file *file)
2056 u32 sid = cred_sid(to);
2057 struct file_security_struct *fsec = selinux_file(file);
2058 struct dentry *dentry = file->f_path.dentry;
2059 struct inode_security_struct *isec;
2060 struct common_audit_data ad;
2063 ad.type = LSM_AUDIT_DATA_PATH;
2064 ad.u.path = file->f_path;
2066 if (sid != fsec->sid) {
2067 rc = avc_has_perm(sid, fsec->sid,
2075 #ifdef CONFIG_BPF_SYSCALL
2076 rc = bpf_fd_pass(file, sid);
2081 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2084 isec = backing_inode_security(dentry);
2085 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2089 static int selinux_ptrace_access_check(struct task_struct *child,
2092 u32 sid = current_sid();
2093 u32 csid = task_sid_obj(child);
2095 if (mode & PTRACE_MODE_READ)
2096 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2099 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2103 static int selinux_ptrace_traceme(struct task_struct *parent)
2105 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
2106 SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2109 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
2110 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2112 return avc_has_perm(current_sid(), task_sid_obj(target),
2113 SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
2116 static int selinux_capset(struct cred *new, const struct cred *old,
2117 const kernel_cap_t *effective,
2118 const kernel_cap_t *inheritable,
2119 const kernel_cap_t *permitted)
2121 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2122 PROCESS__SETCAP, NULL);
2126 * (This comment used to live with the selinux_task_setuid hook,
2127 * which was removed).
2129 * Since setuid only affects the current process, and since the SELinux
2130 * controls are not based on the Linux identity attributes, SELinux does not
2131 * need to control this operation. However, SELinux does control the use of
2132 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2135 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2136 int cap, unsigned int opts)
2138 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2141 static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb)
2143 const struct cred *cred = current_cred();
2158 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2166 case Q_XGETNEXTQUOTA:
2167 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2170 rc = 0; /* let the kernel handle invalid cmds */
2176 static int selinux_quota_on(struct dentry *dentry)
2178 const struct cred *cred = current_cred();
2180 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2183 static int selinux_syslog(int type)
2186 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2187 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2188 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2189 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2190 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2191 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2192 /* Set level of messages printed to console */
2193 case SYSLOG_ACTION_CONSOLE_LEVEL:
2194 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2195 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2198 /* All other syslog types */
2199 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2200 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2204 * Check that a process has enough memory to allocate a new virtual
2205 * mapping. 0 means there is enough memory for the allocation to
2206 * succeed and -ENOMEM implies there is not.
2208 * Do not audit the selinux permission check, as this is applied to all
2209 * processes that allocate mappings.
2211 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2213 int rc, cap_sys_admin = 0;
2215 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2216 CAP_OPT_NOAUDIT, true);
2220 return cap_sys_admin;
2223 /* binprm security operations */
2225 static u32 ptrace_parent_sid(void)
2228 struct task_struct *tracer;
2231 tracer = ptrace_parent(current);
2233 sid = task_sid_obj(tracer);
2239 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2240 const struct task_security_struct *old_tsec,
2241 const struct task_security_struct *new_tsec)
2243 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2244 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2248 if (!nnp && !nosuid)
2249 return 0; /* neither NNP nor nosuid */
2251 if (new_tsec->sid == old_tsec->sid)
2252 return 0; /* No change in credentials */
2255 * If the policy enables the nnp_nosuid_transition policy capability,
2256 * then we permit transitions under NNP or nosuid if the
2257 * policy allows the corresponding permission between
2258 * the old and new contexts.
2260 if (selinux_policycap_nnp_nosuid_transition()) {
2263 av |= PROCESS2__NNP_TRANSITION;
2265 av |= PROCESS2__NOSUID_TRANSITION;
2266 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2267 SECCLASS_PROCESS2, av, NULL);
2273 * We also permit NNP or nosuid transitions to bounded SIDs,
2274 * i.e. SIDs that are guaranteed to only be allowed a subset
2275 * of the permissions of the current SID.
2277 rc = security_bounded_transition(old_tsec->sid,
2283 * On failure, preserve the errno values for NNP vs nosuid.
2284 * NNP: Operation not permitted for caller.
2285 * nosuid: Permission denied to file.
2292 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2294 const struct task_security_struct *old_tsec;
2295 struct task_security_struct *new_tsec;
2296 struct inode_security_struct *isec;
2297 struct common_audit_data ad;
2298 struct inode *inode = file_inode(bprm->file);
2301 /* SELinux context only depends on initial program or script and not
2302 * the script interpreter */
2304 old_tsec = selinux_cred(current_cred());
2305 new_tsec = selinux_cred(bprm->cred);
2306 isec = inode_security(inode);
2308 /* Default to the current task SID. */
2309 new_tsec->sid = old_tsec->sid;
2310 new_tsec->osid = old_tsec->sid;
2312 /* Reset fs, key, and sock SIDs on execve. */
2313 new_tsec->create_sid = 0;
2314 new_tsec->keycreate_sid = 0;
2315 new_tsec->sockcreate_sid = 0;
2318 * Before policy is loaded, label any task outside kernel space
2319 * as SECINITSID_INIT, so that any userspace tasks surviving from
2320 * early boot end up with a label different from SECINITSID_KERNEL
2321 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).
2323 if (!selinux_initialized()) {
2324 new_tsec->sid = SECINITSID_INIT;
2325 /* also clear the exec_sid just in case */
2326 new_tsec->exec_sid = 0;
2330 if (old_tsec->exec_sid) {
2331 new_tsec->sid = old_tsec->exec_sid;
2332 /* Reset exec SID on execve. */
2333 new_tsec->exec_sid = 0;
2335 /* Fail on NNP or nosuid if not an allowed transition. */
2336 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2340 /* Check for a default transition on this program. */
2341 rc = security_transition_sid(old_tsec->sid,
2342 isec->sid, SECCLASS_PROCESS, NULL,
2348 * Fallback to old SID on NNP or nosuid if not an allowed
2351 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2353 new_tsec->sid = old_tsec->sid;
2356 ad.type = LSM_AUDIT_DATA_FILE;
2357 ad.u.file = bprm->file;
2359 if (new_tsec->sid == old_tsec->sid) {
2360 rc = avc_has_perm(old_tsec->sid, isec->sid,
2361 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2365 /* Check permissions for the transition. */
2366 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2367 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2371 rc = avc_has_perm(new_tsec->sid, isec->sid,
2372 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2376 /* Check for shared state */
2377 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2378 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2379 SECCLASS_PROCESS, PROCESS__SHARE,
2385 /* Make sure that anyone attempting to ptrace over a task that
2386 * changes its SID has the appropriate permit */
2387 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2388 u32 ptsid = ptrace_parent_sid();
2390 rc = avc_has_perm(ptsid, new_tsec->sid,
2392 PROCESS__PTRACE, NULL);
2398 /* Clear any possibly unsafe personality bits on exec: */
2399 bprm->per_clear |= PER_CLEAR_ON_SETID;
2401 /* Enable secure mode for SIDs transitions unless
2402 the noatsecure permission is granted between
2403 the two SIDs, i.e. ahp returns 0. */
2404 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2405 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2407 bprm->secureexec |= !!rc;
2413 static int match_file(const void *p, struct file *file, unsigned fd)
2415 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2418 /* Derived from fs/exec.c:flush_old_files. */
2419 static inline void flush_unauthorized_files(const struct cred *cred,
2420 struct files_struct *files)
2422 struct file *file, *devnull = NULL;
2423 struct tty_struct *tty;
2427 tty = get_current_tty();
2429 spin_lock(&tty->files_lock);
2430 if (!list_empty(&tty->tty_files)) {
2431 struct tty_file_private *file_priv;
2433 /* Revalidate access to controlling tty.
2434 Use file_path_has_perm on the tty path directly
2435 rather than using file_has_perm, as this particular
2436 open file may belong to another process and we are
2437 only interested in the inode-based check here. */
2438 file_priv = list_first_entry(&tty->tty_files,
2439 struct tty_file_private, list);
2440 file = file_priv->file;
2441 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2444 spin_unlock(&tty->files_lock);
2447 /* Reset controlling tty. */
2451 /* Revalidate access to inherited open files. */
2452 n = iterate_fd(files, 0, match_file, cred);
2453 if (!n) /* none found? */
2456 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2457 if (IS_ERR(devnull))
2459 /* replace all the matching ones with this */
2461 replace_fd(n - 1, devnull, 0);
2462 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2468 * Prepare a process for imminent new credential changes due to exec
2470 static void selinux_bprm_committing_creds(const struct linux_binprm *bprm)
2472 struct task_security_struct *new_tsec;
2473 struct rlimit *rlim, *initrlim;
2476 new_tsec = selinux_cred(bprm->cred);
2477 if (new_tsec->sid == new_tsec->osid)
2480 /* Close files for which the new task SID is not authorized. */
2481 flush_unauthorized_files(bprm->cred, current->files);
2483 /* Always clear parent death signal on SID transitions. */
2484 current->pdeath_signal = 0;
2486 /* Check whether the new SID can inherit resource limits from the old
2487 * SID. If not, reset all soft limits to the lower of the current
2488 * task's hard limit and the init task's soft limit.
2490 * Note that the setting of hard limits (even to lower them) can be
2491 * controlled by the setrlimit check. The inclusion of the init task's
2492 * soft limit into the computation is to avoid resetting soft limits
2493 * higher than the default soft limit for cases where the default is
2494 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2496 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2497 PROCESS__RLIMITINH, NULL);
2499 /* protect against do_prlimit() */
2501 for (i = 0; i < RLIM_NLIMITS; i++) {
2502 rlim = current->signal->rlim + i;
2503 initrlim = init_task.signal->rlim + i;
2504 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2506 task_unlock(current);
2507 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2508 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2513 * Clean up the process immediately after the installation of new credentials
2516 static void selinux_bprm_committed_creds(const struct linux_binprm *bprm)
2518 const struct task_security_struct *tsec = selinux_cred(current_cred());
2528 /* Check whether the new SID can inherit signal state from the old SID.
2529 * If not, clear itimers to avoid subsequent signal generation and
2530 * flush and unblock signals.
2532 * This must occur _after_ the task SID has been updated so that any
2533 * kill done after the flush will be checked against the new SID.
2535 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2539 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2540 if (!fatal_signal_pending(current)) {
2541 flush_sigqueue(¤t->pending);
2542 flush_sigqueue(¤t->signal->shared_pending);
2543 flush_signal_handlers(current, 1);
2544 sigemptyset(¤t->blocked);
2545 recalc_sigpending();
2547 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2550 /* Wake up the parent if it is waiting so that it can recheck
2551 * wait permission to the new task SID. */
2552 read_lock(&tasklist_lock);
2553 __wake_up_parent(current, unrcu_pointer(current->real_parent));
2554 read_unlock(&tasklist_lock);
2557 /* superblock security operations */
2559 static int selinux_sb_alloc_security(struct super_block *sb)
2561 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2563 mutex_init(&sbsec->lock);
2564 INIT_LIST_HEAD(&sbsec->isec_head);
2565 spin_lock_init(&sbsec->isec_lock);
2566 sbsec->sid = SECINITSID_UNLABELED;
2567 sbsec->def_sid = SECINITSID_FILE;
2568 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2573 static inline int opt_len(const char *s)
2575 bool open_quote = false;
2579 for (len = 0; (c = s[len]) != '\0'; len++) {
2581 open_quote = !open_quote;
2582 if (c == ',' && !open_quote)
2588 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2590 char *from = options;
2596 int len = opt_len(from);
2600 token = match_opt_prefix(from, len, &arg);
2602 if (token != Opt_error) {
2607 for (p = q = arg; p < from + len; p++) {
2612 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2618 rc = selinux_add_opt(token, arg, mnt_opts);
2625 if (!first) { // copy with preceding comma
2630 memmove(to, from, len);
2643 selinux_free_mnt_opts(*mnt_opts);
2649 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2651 struct selinux_mnt_opts *opts = mnt_opts;
2652 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2655 * Superblock not initialized (i.e. no options) - reject if any
2656 * options specified, otherwise accept.
2658 if (!(sbsec->flags & SE_SBINITIALIZED))
2659 return opts ? 1 : 0;
2662 * Superblock initialized and no options specified - reject if
2663 * superblock has any options set, otherwise accept.
2666 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2668 if (opts->fscontext_sid) {
2669 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2670 opts->fscontext_sid))
2673 if (opts->context_sid) {
2674 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2678 if (opts->rootcontext_sid) {
2679 struct inode_security_struct *root_isec;
2681 root_isec = backing_inode_security(sb->s_root);
2682 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2683 opts->rootcontext_sid))
2686 if (opts->defcontext_sid) {
2687 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2688 opts->defcontext_sid))
2694 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2696 struct selinux_mnt_opts *opts = mnt_opts;
2697 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2699 if (!(sbsec->flags & SE_SBINITIALIZED))
2705 if (opts->fscontext_sid) {
2706 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2707 opts->fscontext_sid))
2708 goto out_bad_option;
2710 if (opts->context_sid) {
2711 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2713 goto out_bad_option;
2715 if (opts->rootcontext_sid) {
2716 struct inode_security_struct *root_isec;
2717 root_isec = backing_inode_security(sb->s_root);
2718 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2719 opts->rootcontext_sid))
2720 goto out_bad_option;
2722 if (opts->defcontext_sid) {
2723 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2724 opts->defcontext_sid))
2725 goto out_bad_option;
2730 pr_warn("SELinux: unable to change security options "
2731 "during remount (dev %s, type=%s)\n", sb->s_id,
2736 static int selinux_sb_kern_mount(const struct super_block *sb)
2738 const struct cred *cred = current_cred();
2739 struct common_audit_data ad;
2741 ad.type = LSM_AUDIT_DATA_DENTRY;
2742 ad.u.dentry = sb->s_root;
2743 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2746 static int selinux_sb_statfs(struct dentry *dentry)
2748 const struct cred *cred = current_cred();
2749 struct common_audit_data ad;
2751 ad.type = LSM_AUDIT_DATA_DENTRY;
2752 ad.u.dentry = dentry->d_sb->s_root;
2753 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2756 static int selinux_mount(const char *dev_name,
2757 const struct path *path,
2759 unsigned long flags,
2762 const struct cred *cred = current_cred();
2764 if (flags & MS_REMOUNT)
2765 return superblock_has_perm(cred, path->dentry->d_sb,
2766 FILESYSTEM__REMOUNT, NULL);
2768 return path_has_perm(cred, path, FILE__MOUNTON);
2771 static int selinux_move_mount(const struct path *from_path,
2772 const struct path *to_path)
2774 const struct cred *cred = current_cred();
2776 return path_has_perm(cred, to_path, FILE__MOUNTON);
2779 static int selinux_umount(struct vfsmount *mnt, int flags)
2781 const struct cred *cred = current_cred();
2783 return superblock_has_perm(cred, mnt->mnt_sb,
2784 FILESYSTEM__UNMOUNT, NULL);
2787 static int selinux_fs_context_submount(struct fs_context *fc,
2788 struct super_block *reference)
2790 const struct superblock_security_struct *sbsec = selinux_superblock(reference);
2791 struct selinux_mnt_opts *opts;
2794 * Ensure that fc->security remains NULL when no options are set
2795 * as expected by selinux_set_mnt_opts().
2797 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2800 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2804 if (sbsec->flags & FSCONTEXT_MNT)
2805 opts->fscontext_sid = sbsec->sid;
2806 if (sbsec->flags & CONTEXT_MNT)
2807 opts->context_sid = sbsec->mntpoint_sid;
2808 if (sbsec->flags & DEFCONTEXT_MNT)
2809 opts->defcontext_sid = sbsec->def_sid;
2810 fc->security = opts;
2814 static int selinux_fs_context_dup(struct fs_context *fc,
2815 struct fs_context *src_fc)
2817 const struct selinux_mnt_opts *src = src_fc->security;
2822 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2823 return fc->security ? 0 : -ENOMEM;
2826 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2827 fsparam_string(CONTEXT_STR, Opt_context),
2828 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2829 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2830 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2831 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2835 static int selinux_fs_context_parse_param(struct fs_context *fc,
2836 struct fs_parameter *param)
2838 struct fs_parse_result result;
2841 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2845 return selinux_add_opt(opt, param->string, &fc->security);
2848 /* inode security operations */
2850 static int selinux_inode_alloc_security(struct inode *inode)
2852 struct inode_security_struct *isec = selinux_inode(inode);
2853 u32 sid = current_sid();
2855 spin_lock_init(&isec->lock);
2856 INIT_LIST_HEAD(&isec->list);
2857 isec->inode = inode;
2858 isec->sid = SECINITSID_UNLABELED;
2859 isec->sclass = SECCLASS_FILE;
2860 isec->task_sid = sid;
2861 isec->initialized = LABEL_INVALID;
2866 static void selinux_inode_free_security(struct inode *inode)
2868 inode_free_security(inode);
2871 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2872 const struct qstr *name,
2873 const char **xattr_name, void **ctx,
2879 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2880 d_inode(dentry->d_parent), name,
2881 inode_mode_to_security_class(mode),
2887 *xattr_name = XATTR_NAME_SELINUX;
2889 return security_sid_to_context(newsid, (char **)ctx,
2893 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2895 const struct cred *old,
2900 struct task_security_struct *tsec;
2902 rc = selinux_determine_inode_label(selinux_cred(old),
2903 d_inode(dentry->d_parent), name,
2904 inode_mode_to_security_class(mode),
2909 tsec = selinux_cred(new);
2910 tsec->create_sid = newsid;
2914 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2915 const struct qstr *qstr,
2916 struct xattr *xattrs, int *xattr_count)
2918 const struct task_security_struct *tsec = selinux_cred(current_cred());
2919 struct superblock_security_struct *sbsec;
2920 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
2925 sbsec = selinux_superblock(dir->i_sb);
2927 newsid = tsec->create_sid;
2929 rc = selinux_determine_inode_label(tsec, dir, qstr,
2930 inode_mode_to_security_class(inode->i_mode),
2935 /* Possibly defer initialization to selinux_complete_init. */
2936 if (sbsec->flags & SE_SBINITIALIZED) {
2937 struct inode_security_struct *isec = selinux_inode(inode);
2938 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2940 isec->initialized = LABEL_INITIALIZED;
2943 if (!selinux_initialized() ||
2944 !(sbsec->flags & SBLABEL_MNT))
2948 rc = security_sid_to_context_force(newsid,
2952 xattr->value = context;
2953 xattr->value_len = clen;
2954 xattr->name = XATTR_SELINUX_SUFFIX;
2960 static int selinux_inode_init_security_anon(struct inode *inode,
2961 const struct qstr *name,
2962 const struct inode *context_inode)
2964 const struct task_security_struct *tsec = selinux_cred(current_cred());
2965 struct common_audit_data ad;
2966 struct inode_security_struct *isec;
2969 if (unlikely(!selinux_initialized()))
2972 isec = selinux_inode(inode);
2975 * We only get here once per ephemeral inode. The inode has
2976 * been initialized via inode_alloc_security but is otherwise
2980 if (context_inode) {
2981 struct inode_security_struct *context_isec =
2982 selinux_inode(context_inode);
2983 if (context_isec->initialized != LABEL_INITIALIZED) {
2984 pr_err("SELinux: context_inode is not initialized\n");
2988 isec->sclass = context_isec->sclass;
2989 isec->sid = context_isec->sid;
2991 isec->sclass = SECCLASS_ANON_INODE;
2992 rc = security_transition_sid(
2993 tsec->sid, tsec->sid,
2994 isec->sclass, name, &isec->sid);
2999 isec->initialized = LABEL_INITIALIZED;
3001 * Now that we've initialized security, check whether we're
3002 * allowed to actually create this type of anonymous inode.
3005 ad.type = LSM_AUDIT_DATA_ANONINODE;
3006 ad.u.anonclass = name ? (const char *)name->name : "?";
3008 return avc_has_perm(tsec->sid,
3015 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3017 return may_create(dir, dentry, SECCLASS_FILE);
3020 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3022 return may_link(dir, old_dentry, MAY_LINK);
3025 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3027 return may_link(dir, dentry, MAY_UNLINK);
3030 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3032 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3035 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3037 return may_create(dir, dentry, SECCLASS_DIR);
3040 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3042 return may_link(dir, dentry, MAY_RMDIR);
3045 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3047 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3050 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3051 struct inode *new_inode, struct dentry *new_dentry)
3053 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3056 static int selinux_inode_readlink(struct dentry *dentry)
3058 const struct cred *cred = current_cred();
3060 return dentry_has_perm(cred, dentry, FILE__READ);
3063 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3066 const struct cred *cred = current_cred();
3067 struct common_audit_data ad;
3068 struct inode_security_struct *isec;
3071 ad.type = LSM_AUDIT_DATA_DENTRY;
3072 ad.u.dentry = dentry;
3073 sid = cred_sid(cred);
3074 isec = inode_security_rcu(inode, rcu);
3076 return PTR_ERR(isec);
3078 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
3081 static noinline int audit_inode_permission(struct inode *inode,
3082 u32 perms, u32 audited, u32 denied,
3085 struct common_audit_data ad;
3086 struct inode_security_struct *isec = selinux_inode(inode);
3088 ad.type = LSM_AUDIT_DATA_INODE;
3091 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3092 audited, denied, result, &ad);
3095 static int selinux_inode_permission(struct inode *inode, int mask)
3097 const struct cred *cred = current_cred();
3100 bool no_block = mask & MAY_NOT_BLOCK;
3101 struct inode_security_struct *isec;
3103 struct av_decision avd;
3105 u32 audited, denied;
3107 from_access = mask & MAY_ACCESS;
3108 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3110 /* No permission to check. Existence test. */
3114 if (unlikely(IS_PRIVATE(inode)))
3117 perms = file_mask_to_av(inode->i_mode, mask);
3119 sid = cred_sid(cred);
3120 isec = inode_security_rcu(inode, no_block);
3122 return PTR_ERR(isec);
3124 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0,
3126 audited = avc_audit_required(perms, &avd, rc,
3127 from_access ? FILE__AUDIT_ACCESS : 0,
3129 if (likely(!audited))
3132 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3138 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3140 const struct cred *cred = current_cred();
3141 struct inode *inode = d_backing_inode(dentry);
3142 unsigned int ia_valid = iattr->ia_valid;
3143 __u32 av = FILE__WRITE;
3145 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3146 if (ia_valid & ATTR_FORCE) {
3147 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3153 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3154 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3155 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3157 if (selinux_policycap_openperm() &&
3158 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3159 (ia_valid & ATTR_SIZE) &&
3160 !(ia_valid & ATTR_FILE))
3163 return dentry_has_perm(cred, dentry, av);
3166 static int selinux_inode_getattr(const struct path *path)
3168 return path_has_perm(current_cred(), path, FILE__GETATTR);
3171 static bool has_cap_mac_admin(bool audit)
3173 const struct cred *cred = current_cred();
3174 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3176 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3178 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3183 static int selinux_inode_setxattr(struct mnt_idmap *idmap,
3184 struct dentry *dentry, const char *name,
3185 const void *value, size_t size, int flags)
3187 struct inode *inode = d_backing_inode(dentry);
3188 struct inode_security_struct *isec;
3189 struct superblock_security_struct *sbsec;
3190 struct common_audit_data ad;
3191 u32 newsid, sid = current_sid();
3194 if (strcmp(name, XATTR_NAME_SELINUX)) {
3195 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3199 /* Not an attribute we recognize, so just check the
3200 ordinary setattr permission. */
3201 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3204 if (!selinux_initialized())
3205 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3207 sbsec = selinux_superblock(inode->i_sb);
3208 if (!(sbsec->flags & SBLABEL_MNT))
3211 if (!inode_owner_or_capable(idmap, inode))
3214 ad.type = LSM_AUDIT_DATA_DENTRY;
3215 ad.u.dentry = dentry;
3217 isec = backing_inode_security(dentry);
3218 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3219 FILE__RELABELFROM, &ad);
3223 rc = security_context_to_sid(value, size, &newsid,
3225 if (rc == -EINVAL) {
3226 if (!has_cap_mac_admin(true)) {
3227 struct audit_buffer *ab;
3230 /* We strip a nul only if it is at the end, otherwise the
3231 * context contains a nul and we should audit that */
3233 const char *str = value;
3235 if (str[size - 1] == '\0')
3236 audit_size = size - 1;
3242 ab = audit_log_start(audit_context(),
3243 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3246 audit_log_format(ab, "op=setxattr invalid_context=");
3247 audit_log_n_untrustedstring(ab, value, audit_size);
3252 rc = security_context_to_sid_force(value,
3258 rc = avc_has_perm(sid, newsid, isec->sclass,
3259 FILE__RELABELTO, &ad);
3263 rc = security_validate_transition(isec->sid, newsid,
3268 return avc_has_perm(newsid,
3270 SECCLASS_FILESYSTEM,
3271 FILESYSTEM__ASSOCIATE,
3275 static int selinux_inode_set_acl(struct mnt_idmap *idmap,
3276 struct dentry *dentry, const char *acl_name,
3277 struct posix_acl *kacl)
3279 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3282 static int selinux_inode_get_acl(struct mnt_idmap *idmap,
3283 struct dentry *dentry, const char *acl_name)
3285 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3288 static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
3289 struct dentry *dentry, const char *acl_name)
3291 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3294 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3295 const void *value, size_t size,
3298 struct inode *inode = d_backing_inode(dentry);
3299 struct inode_security_struct *isec;
3303 if (strcmp(name, XATTR_NAME_SELINUX)) {
3304 /* Not an attribute we recognize, so nothing to do. */
3308 if (!selinux_initialized()) {
3309 /* If we haven't even been initialized, then we can't validate
3310 * against a policy, so leave the label as invalid. It may
3311 * resolve to a valid label on the next revalidation try if
3312 * we've since initialized.
3317 rc = security_context_to_sid_force(value, size,
3320 pr_err("SELinux: unable to map context to SID"
3321 "for (%s, %lu), rc=%d\n",
3322 inode->i_sb->s_id, inode->i_ino, -rc);
3326 isec = backing_inode_security(dentry);
3327 spin_lock(&isec->lock);
3328 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3330 isec->initialized = LABEL_INITIALIZED;
3331 spin_unlock(&isec->lock);
3334 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3336 const struct cred *cred = current_cred();
3338 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3341 static int selinux_inode_listxattr(struct dentry *dentry)
3343 const struct cred *cred = current_cred();
3345 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3348 static int selinux_inode_removexattr(struct mnt_idmap *idmap,
3349 struct dentry *dentry, const char *name)
3351 if (strcmp(name, XATTR_NAME_SELINUX)) {
3352 int rc = cap_inode_removexattr(idmap, dentry, name);
3356 /* Not an attribute we recognize, so just check the
3357 ordinary setattr permission. */
3358 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3361 if (!selinux_initialized())
3364 /* No one is allowed to remove a SELinux security label.
3365 You can change the label, but all data must be labeled. */
3369 static int selinux_path_notify(const struct path *path, u64 mask,
3370 unsigned int obj_type)
3375 struct common_audit_data ad;
3377 ad.type = LSM_AUDIT_DATA_PATH;
3381 * Set permission needed based on the type of mark being set.
3382 * Performs an additional check for sb watches.
3385 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3386 perm = FILE__WATCH_MOUNT;
3388 case FSNOTIFY_OBJ_TYPE_SB:
3389 perm = FILE__WATCH_SB;
3390 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3391 FILESYSTEM__WATCH, &ad);
3395 case FSNOTIFY_OBJ_TYPE_INODE:
3402 /* blocking watches require the file:watch_with_perm permission */
3403 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3404 perm |= FILE__WATCH_WITH_PERM;
3406 /* watches on read-like events need the file:watch_reads permission */
3407 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3408 perm |= FILE__WATCH_READS;
3410 return path_has_perm(current_cred(), path, perm);
3414 * Copy the inode security context value to the user.
3416 * Permission check is handled by selinux_inode_getxattr hook.
3418 static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
3419 struct inode *inode, const char *name,
3420 void **buffer, bool alloc)
3424 char *context = NULL;
3425 struct inode_security_struct *isec;
3428 * If we're not initialized yet, then we can't validate contexts, so
3429 * just let vfs_getxattr fall back to using the on-disk xattr.
3431 if (!selinux_initialized() ||
3432 strcmp(name, XATTR_SELINUX_SUFFIX))
3436 * If the caller has CAP_MAC_ADMIN, then get the raw context
3437 * value even if it is not defined by current policy; otherwise,
3438 * use the in-core value under current policy.
3439 * Use the non-auditing forms of the permission checks since
3440 * getxattr may be called by unprivileged processes commonly
3441 * and lack of permission just means that we fall back to the
3442 * in-core context value, not a denial.
3444 isec = inode_security(inode);
3445 if (has_cap_mac_admin(false))
3446 error = security_sid_to_context_force(isec->sid, &context,
3449 error = security_sid_to_context(isec->sid,
3463 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3464 const void *value, size_t size, int flags)
3466 struct inode_security_struct *isec = inode_security_novalidate(inode);
3467 struct superblock_security_struct *sbsec;
3471 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3474 sbsec = selinux_superblock(inode->i_sb);
3475 if (!(sbsec->flags & SBLABEL_MNT))
3478 if (!value || !size)
3481 rc = security_context_to_sid(value, size, &newsid,
3486 spin_lock(&isec->lock);
3487 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3489 isec->initialized = LABEL_INITIALIZED;
3490 spin_unlock(&isec->lock);
3494 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3496 const int len = sizeof(XATTR_NAME_SELINUX);
3498 if (!selinux_initialized())
3501 if (buffer && len <= buffer_size)
3502 memcpy(buffer, XATTR_NAME_SELINUX, len);
3506 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3508 struct inode_security_struct *isec = inode_security_novalidate(inode);
3512 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3515 struct task_security_struct *tsec;
3516 struct cred *new_creds = *new;
3518 if (new_creds == NULL) {
3519 new_creds = prepare_creds();
3524 tsec = selinux_cred(new_creds);
3525 /* Get label from overlay inode and set it in create_sid */
3526 selinux_inode_getsecid(d_inode(src), &sid);
3527 tsec->create_sid = sid;
3532 static int selinux_inode_copy_up_xattr(const char *name)
3534 /* The copy_up hook above sets the initial context on an inode, but we
3535 * don't then want to overwrite it by blindly copying all the lower
3536 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3538 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3539 return 1; /* Discard */
3541 * Any other attribute apart from SELINUX is not claimed, supported
3547 /* kernfs node operations */
3549 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3550 struct kernfs_node *kn)
3552 const struct task_security_struct *tsec = selinux_cred(current_cred());
3553 u32 parent_sid, newsid, clen;
3557 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3564 context = kmalloc(clen, GFP_KERNEL);
3568 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3574 rc = security_context_to_sid(context, clen, &parent_sid,
3580 if (tsec->create_sid) {
3581 newsid = tsec->create_sid;
3583 u16 secclass = inode_mode_to_security_class(kn->mode);
3587 q.hash_len = hashlen_string(kn_dir, kn->name);
3589 rc = security_transition_sid(tsec->sid,
3590 parent_sid, secclass, &q,
3596 rc = security_sid_to_context_force(newsid,
3601 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3608 /* file security operations */
3610 static int selinux_revalidate_file_permission(struct file *file, int mask)
3612 const struct cred *cred = current_cred();
3613 struct inode *inode = file_inode(file);
3615 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3616 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3619 return file_has_perm(cred, file,
3620 file_mask_to_av(inode->i_mode, mask));
3623 static int selinux_file_permission(struct file *file, int mask)
3625 struct inode *inode = file_inode(file);
3626 struct file_security_struct *fsec = selinux_file(file);
3627 struct inode_security_struct *isec;
3628 u32 sid = current_sid();
3631 /* No permission to check. Existence test. */
3634 isec = inode_security(inode);
3635 if (sid == fsec->sid && fsec->isid == isec->sid &&
3636 fsec->pseqno == avc_policy_seqno())
3637 /* No change since file_open check. */
3640 return selinux_revalidate_file_permission(file, mask);
3643 static int selinux_file_alloc_security(struct file *file)
3645 struct file_security_struct *fsec = selinux_file(file);
3646 u32 sid = current_sid();
3649 fsec->fown_sid = sid;
3655 * Check whether a task has the ioctl permission and cmd
3656 * operation to an inode.
3658 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3659 u32 requested, u16 cmd)
3661 struct common_audit_data ad;
3662 struct file_security_struct *fsec = selinux_file(file);
3663 struct inode *inode = file_inode(file);
3664 struct inode_security_struct *isec;
3665 struct lsm_ioctlop_audit ioctl;
3666 u32 ssid = cred_sid(cred);
3668 u8 driver = cmd >> 8;
3669 u8 xperm = cmd & 0xff;
3671 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3674 ad.u.op->path = file->f_path;
3676 if (ssid != fsec->sid) {
3677 rc = avc_has_perm(ssid, fsec->sid,
3685 if (unlikely(IS_PRIVATE(inode)))
3688 isec = inode_security(inode);
3689 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3690 requested, driver, xperm, &ad);
3695 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3698 const struct cred *cred = current_cred();
3705 case FS_IOC_GETFLAGS:
3706 case FS_IOC_GETVERSION:
3707 error = file_has_perm(cred, file, FILE__GETATTR);
3710 case FS_IOC_SETFLAGS:
3711 case FS_IOC_SETVERSION:
3712 error = file_has_perm(cred, file, FILE__SETATTR);
3715 /* sys_ioctl() checks */
3718 error = file_has_perm(cred, file, 0);
3723 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3724 CAP_OPT_NONE, true);
3729 if (!selinux_policycap_ioctl_skip_cloexec())
3730 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3733 /* default case assumes that the command will go
3734 * to the file's ioctl() function.
3737 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3742 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3746 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3747 * make sure we don't compare 32-bit flags to 64-bit flags.
3750 case FS_IOC32_GETFLAGS:
3751 cmd = FS_IOC_GETFLAGS;
3753 case FS_IOC32_SETFLAGS:
3754 cmd = FS_IOC_SETFLAGS;
3756 case FS_IOC32_GETVERSION:
3757 cmd = FS_IOC_GETVERSION;
3759 case FS_IOC32_SETVERSION:
3760 cmd = FS_IOC_SETVERSION;
3766 return selinux_file_ioctl(file, cmd, arg);
3769 static int default_noexec __ro_after_init;
3771 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3773 const struct cred *cred = current_cred();
3774 u32 sid = cred_sid(cred);
3777 if (default_noexec &&
3778 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3779 (!shared && (prot & PROT_WRITE)))) {
3781 * We are making executable an anonymous mapping or a
3782 * private file mapping that will also be writable.
3783 * This has an additional check.
3785 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3786 PROCESS__EXECMEM, NULL);
3792 /* read access is always possible with a mapping */
3793 u32 av = FILE__READ;
3795 /* write access only matters if the mapping is shared */
3796 if (shared && (prot & PROT_WRITE))
3799 if (prot & PROT_EXEC)
3800 av |= FILE__EXECUTE;
3802 return file_has_perm(cred, file, av);
3809 static int selinux_mmap_addr(unsigned long addr)
3813 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3814 u32 sid = current_sid();
3815 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3816 MEMPROTECT__MMAP_ZERO, NULL);
3822 static int selinux_mmap_file(struct file *file,
3823 unsigned long reqprot __always_unused,
3824 unsigned long prot, unsigned long flags)
3826 struct common_audit_data ad;
3830 ad.type = LSM_AUDIT_DATA_FILE;
3832 rc = inode_has_perm(current_cred(), file_inode(file),
3838 return file_map_prot_check(file, prot,
3839 (flags & MAP_TYPE) == MAP_SHARED);
3842 static int selinux_file_mprotect(struct vm_area_struct *vma,
3843 unsigned long reqprot __always_unused,
3846 const struct cred *cred = current_cred();
3847 u32 sid = cred_sid(cred);
3849 if (default_noexec &&
3850 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3852 if (vma_is_initial_heap(vma)) {
3853 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3854 PROCESS__EXECHEAP, NULL);
3855 } else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
3856 vma_is_stack_for_current(vma))) {
3857 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3858 PROCESS__EXECSTACK, NULL);
3859 } else if (vma->vm_file && vma->anon_vma) {
3861 * We are making executable a file mapping that has
3862 * had some COW done. Since pages might have been
3863 * written, check ability to execute the possibly
3864 * modified content. This typically should only
3865 * occur for text relocations.
3867 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3873 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3876 static int selinux_file_lock(struct file *file, unsigned int cmd)
3878 const struct cred *cred = current_cred();
3880 return file_has_perm(cred, file, FILE__LOCK);
3883 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3886 const struct cred *cred = current_cred();
3891 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3892 err = file_has_perm(cred, file, FILE__WRITE);
3901 case F_GETOWNER_UIDS:
3902 /* Just check FD__USE permission */
3903 err = file_has_perm(cred, file, 0);
3911 #if BITS_PER_LONG == 32
3916 err = file_has_perm(cred, file, FILE__LOCK);
3923 static void selinux_file_set_fowner(struct file *file)
3925 struct file_security_struct *fsec;
3927 fsec = selinux_file(file);
3928 fsec->fown_sid = current_sid();
3931 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3932 struct fown_struct *fown, int signum)
3935 u32 sid = task_sid_obj(tsk);
3937 struct file_security_struct *fsec;
3939 /* struct fown_struct is never outside the context of a struct file */
3940 file = container_of(fown, struct file, f_owner);
3942 fsec = selinux_file(file);
3945 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3947 perm = signal_to_av(signum);
3949 return avc_has_perm(fsec->fown_sid, sid,
3950 SECCLASS_PROCESS, perm, NULL);
3953 static int selinux_file_receive(struct file *file)
3955 const struct cred *cred = current_cred();
3957 return file_has_perm(cred, file, file_to_av(file));
3960 static int selinux_file_open(struct file *file)
3962 struct file_security_struct *fsec;
3963 struct inode_security_struct *isec;
3965 fsec = selinux_file(file);
3966 isec = inode_security(file_inode(file));
3968 * Save inode label and policy sequence number
3969 * at open-time so that selinux_file_permission
3970 * can determine whether revalidation is necessary.
3971 * Task label is already saved in the file security
3972 * struct as its SID.
3974 fsec->isid = isec->sid;
3975 fsec->pseqno = avc_policy_seqno();
3977 * Since the inode label or policy seqno may have changed
3978 * between the selinux_inode_permission check and the saving
3979 * of state above, recheck that access is still permitted.
3980 * Otherwise, access might never be revalidated against the
3981 * new inode label or new policy.
3982 * This check is not redundant - do not remove.
3984 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3987 /* task security operations */
3989 static int selinux_task_alloc(struct task_struct *task,
3990 unsigned long clone_flags)
3992 u32 sid = current_sid();
3994 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3998 * prepare a new set of credentials for modification
4000 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
4003 const struct task_security_struct *old_tsec = selinux_cred(old);
4004 struct task_security_struct *tsec = selinux_cred(new);
4011 * transfer the SELinux data to a blank set of creds
4013 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4015 const struct task_security_struct *old_tsec = selinux_cred(old);
4016 struct task_security_struct *tsec = selinux_cred(new);
4021 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4023 *secid = cred_sid(c);
4027 * set the security data for a kernel service
4028 * - all the creation contexts are set to unlabelled
4030 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4032 struct task_security_struct *tsec = selinux_cred(new);
4033 u32 sid = current_sid();
4036 ret = avc_has_perm(sid, secid,
4037 SECCLASS_KERNEL_SERVICE,
4038 KERNEL_SERVICE__USE_AS_OVERRIDE,
4042 tsec->create_sid = 0;
4043 tsec->keycreate_sid = 0;
4044 tsec->sockcreate_sid = 0;
4050 * set the file creation context in a security record to the same as the
4051 * objective context of the specified inode
4053 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4055 struct inode_security_struct *isec = inode_security(inode);
4056 struct task_security_struct *tsec = selinux_cred(new);
4057 u32 sid = current_sid();
4060 ret = avc_has_perm(sid, isec->sid,
4061 SECCLASS_KERNEL_SERVICE,
4062 KERNEL_SERVICE__CREATE_FILES_AS,
4066 tsec->create_sid = isec->sid;
4070 static int selinux_kernel_module_request(char *kmod_name)
4072 struct common_audit_data ad;
4074 ad.type = LSM_AUDIT_DATA_KMOD;
4075 ad.u.kmod_name = kmod_name;
4077 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4078 SYSTEM__MODULE_REQUEST, &ad);
4081 static int selinux_kernel_module_from_file(struct file *file)
4083 struct common_audit_data ad;
4084 struct inode_security_struct *isec;
4085 struct file_security_struct *fsec;
4086 u32 sid = current_sid();
4091 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
4092 SYSTEM__MODULE_LOAD, NULL);
4096 ad.type = LSM_AUDIT_DATA_FILE;
4099 fsec = selinux_file(file);
4100 if (sid != fsec->sid) {
4101 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4106 isec = inode_security(file_inode(file));
4107 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
4108 SYSTEM__MODULE_LOAD, &ad);
4111 static int selinux_kernel_read_file(struct file *file,
4112 enum kernel_read_file_id id,
4118 case READING_MODULE:
4119 rc = selinux_kernel_module_from_file(contents ? file : NULL);
4128 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4133 case LOADING_MODULE:
4134 rc = selinux_kernel_module_from_file(NULL);
4143 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4145 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4146 PROCESS__SETPGID, NULL);
4149 static int selinux_task_getpgid(struct task_struct *p)
4151 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4152 PROCESS__GETPGID, NULL);
4155 static int selinux_task_getsid(struct task_struct *p)
4157 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4158 PROCESS__GETSESSION, NULL);
4161 static void selinux_current_getsecid_subj(u32 *secid)
4163 *secid = current_sid();
4166 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4168 *secid = task_sid_obj(p);
4171 static int selinux_task_setnice(struct task_struct *p, int nice)
4173 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4174 PROCESS__SETSCHED, NULL);
4177 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4179 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4180 PROCESS__SETSCHED, NULL);
4183 static int selinux_task_getioprio(struct task_struct *p)
4185 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4186 PROCESS__GETSCHED, NULL);
4189 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4196 if (flags & LSM_PRLIMIT_WRITE)
4197 av |= PROCESS__SETRLIMIT;
4198 if (flags & LSM_PRLIMIT_READ)
4199 av |= PROCESS__GETRLIMIT;
4200 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4201 SECCLASS_PROCESS, av, NULL);
4204 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4205 struct rlimit *new_rlim)
4207 struct rlimit *old_rlim = p->signal->rlim + resource;
4209 /* Control the ability to change the hard limit (whether
4210 lowering or raising it), so that the hard limit can
4211 later be used as a safe reset point for the soft limit
4212 upon context transitions. See selinux_bprm_committing_creds. */
4213 if (old_rlim->rlim_max != new_rlim->rlim_max)
4214 return avc_has_perm(current_sid(), task_sid_obj(p),
4215 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4220 static int selinux_task_setscheduler(struct task_struct *p)
4222 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4223 PROCESS__SETSCHED, NULL);
4226 static int selinux_task_getscheduler(struct task_struct *p)
4228 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4229 PROCESS__GETSCHED, NULL);
4232 static int selinux_task_movememory(struct task_struct *p)
4234 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4235 PROCESS__SETSCHED, NULL);
4238 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4239 int sig, const struct cred *cred)
4245 perm = PROCESS__SIGNULL; /* null signal; existence test */
4247 perm = signal_to_av(sig);
4249 secid = current_sid();
4251 secid = cred_sid(cred);
4252 return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4255 static void selinux_task_to_inode(struct task_struct *p,
4256 struct inode *inode)
4258 struct inode_security_struct *isec = selinux_inode(inode);
4259 u32 sid = task_sid_obj(p);
4261 spin_lock(&isec->lock);
4262 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4264 isec->initialized = LABEL_INITIALIZED;
4265 spin_unlock(&isec->lock);
4268 static int selinux_userns_create(const struct cred *cred)
4270 u32 sid = current_sid();
4272 return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE,
4273 USER_NAMESPACE__CREATE, NULL);
4276 /* Returns error only if unable to parse addresses */
4277 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4278 struct common_audit_data *ad, u8 *proto)
4280 int offset, ihlen, ret = -EINVAL;
4281 struct iphdr _iph, *ih;
4283 offset = skb_network_offset(skb);
4284 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4288 ihlen = ih->ihl * 4;
4289 if (ihlen < sizeof(_iph))
4292 ad->u.net->v4info.saddr = ih->saddr;
4293 ad->u.net->v4info.daddr = ih->daddr;
4297 *proto = ih->protocol;
4299 switch (ih->protocol) {
4301 struct tcphdr _tcph, *th;
4303 if (ntohs(ih->frag_off) & IP_OFFSET)
4307 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4311 ad->u.net->sport = th->source;
4312 ad->u.net->dport = th->dest;
4317 struct udphdr _udph, *uh;
4319 if (ntohs(ih->frag_off) & IP_OFFSET)
4323 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4327 ad->u.net->sport = uh->source;
4328 ad->u.net->dport = uh->dest;
4332 case IPPROTO_DCCP: {
4333 struct dccp_hdr _dccph, *dh;
4335 if (ntohs(ih->frag_off) & IP_OFFSET)
4339 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4343 ad->u.net->sport = dh->dccph_sport;
4344 ad->u.net->dport = dh->dccph_dport;
4348 #if IS_ENABLED(CONFIG_IP_SCTP)
4349 case IPPROTO_SCTP: {
4350 struct sctphdr _sctph, *sh;
4352 if (ntohs(ih->frag_off) & IP_OFFSET)
4356 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4360 ad->u.net->sport = sh->source;
4361 ad->u.net->dport = sh->dest;
4372 #if IS_ENABLED(CONFIG_IPV6)
4374 /* Returns error only if unable to parse addresses */
4375 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4376 struct common_audit_data *ad, u8 *proto)
4379 int ret = -EINVAL, offset;
4380 struct ipv6hdr _ipv6h, *ip6;
4383 offset = skb_network_offset(skb);
4384 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4388 ad->u.net->v6info.saddr = ip6->saddr;
4389 ad->u.net->v6info.daddr = ip6->daddr;
4392 nexthdr = ip6->nexthdr;
4393 offset += sizeof(_ipv6h);
4394 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4403 struct tcphdr _tcph, *th;
4405 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4409 ad->u.net->sport = th->source;
4410 ad->u.net->dport = th->dest;
4415 struct udphdr _udph, *uh;
4417 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4421 ad->u.net->sport = uh->source;
4422 ad->u.net->dport = uh->dest;
4426 case IPPROTO_DCCP: {
4427 struct dccp_hdr _dccph, *dh;
4429 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4433 ad->u.net->sport = dh->dccph_sport;
4434 ad->u.net->dport = dh->dccph_dport;
4438 #if IS_ENABLED(CONFIG_IP_SCTP)
4439 case IPPROTO_SCTP: {
4440 struct sctphdr _sctph, *sh;
4442 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4446 ad->u.net->sport = sh->source;
4447 ad->u.net->dport = sh->dest;
4451 /* includes fragments */
4461 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4462 char **_addrp, int src, u8 *proto)
4467 switch (ad->u.net->family) {
4469 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4472 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4473 &ad->u.net->v4info.daddr);
4476 #if IS_ENABLED(CONFIG_IPV6)
4478 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4481 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4482 &ad->u.net->v6info.daddr);
4492 "SELinux: failure in selinux_parse_skb(),"
4493 " unable to parse packet\n");
4503 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4505 * @family: protocol family
4506 * @sid: the packet's peer label SID
4509 * Check the various different forms of network peer labeling and determine
4510 * the peer label/SID for the packet; most of the magic actually occurs in
4511 * the security server function security_net_peersid_cmp(). The function
4512 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4513 * or -EACCES if @sid is invalid due to inconsistencies with the different
4517 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4524 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4527 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4531 err = security_net_peersid_resolve(nlbl_sid,
4532 nlbl_type, xfrm_sid, sid);
4533 if (unlikely(err)) {
4535 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4536 " unable to determine packet's peer label\n");
4544 * selinux_conn_sid - Determine the child socket label for a connection
4545 * @sk_sid: the parent socket's SID
4546 * @skb_sid: the packet's SID
4547 * @conn_sid: the resulting connection SID
4549 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4550 * combined with the MLS information from @skb_sid in order to create
4551 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy
4552 * of @sk_sid. Returns zero on success, negative values on failure.
4555 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4559 if (skb_sid != SECSID_NULL)
4560 err = security_sid_mls_copy(sk_sid, skb_sid,
4568 /* socket security operations */
4570 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4571 u16 secclass, u32 *socksid)
4573 if (tsec->sockcreate_sid > SECSID_NULL) {
4574 *socksid = tsec->sockcreate_sid;
4578 return security_transition_sid(tsec->sid, tsec->sid,
4579 secclass, NULL, socksid);
4582 static int sock_has_perm(struct sock *sk, u32 perms)
4584 struct sk_security_struct *sksec = sk->sk_security;
4585 struct common_audit_data ad;
4586 struct lsm_network_audit net;
4588 if (sksec->sid == SECINITSID_KERNEL)
4592 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that
4593 * inherited the kernel context from early boot used to be skipped
4594 * here, so preserve that behavior unless the capability is set.
4596 * By setting the capability the policy signals that it is ready
4597 * for this quirk to be fixed. Note that sockets created by a kernel
4598 * thread or a usermode helper executed without a transition will
4599 * still be skipped in this check regardless of the policycap
4602 if (!selinux_policycap_userspace_initial_context() &&
4603 sksec->sid == SECINITSID_INIT)
4606 ad_net_init_from_sk(&ad, &net, sk);
4608 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4612 static int selinux_socket_create(int family, int type,
4613 int protocol, int kern)
4615 const struct task_security_struct *tsec = selinux_cred(current_cred());
4623 secclass = socket_type_to_security_class(family, type, protocol);
4624 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4628 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4631 static int selinux_socket_post_create(struct socket *sock, int family,
4632 int type, int protocol, int kern)
4634 const struct task_security_struct *tsec = selinux_cred(current_cred());
4635 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4636 struct sk_security_struct *sksec;
4637 u16 sclass = socket_type_to_security_class(family, type, protocol);
4638 u32 sid = SECINITSID_KERNEL;
4642 err = socket_sockcreate_sid(tsec, sclass, &sid);
4647 isec->sclass = sclass;
4649 isec->initialized = LABEL_INITIALIZED;
4652 sksec = sock->sk->sk_security;
4653 sksec->sclass = sclass;
4655 /* Allows detection of the first association on this socket */
4656 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4657 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4659 err = selinux_netlbl_socket_post_create(sock->sk, family);
4665 static int selinux_socket_socketpair(struct socket *socka,
4666 struct socket *sockb)
4668 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4669 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4671 sksec_a->peer_sid = sksec_b->sid;
4672 sksec_b->peer_sid = sksec_a->sid;
4677 /* Range of port numbers used to automatically bind.
4678 Need to determine whether we should perform a name_bind
4679 permission check between the socket and the port number. */
4681 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4683 struct sock *sk = sock->sk;
4684 struct sk_security_struct *sksec = sk->sk_security;
4688 err = sock_has_perm(sk, SOCKET__BIND);
4692 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4693 family = sk->sk_family;
4694 if (family == PF_INET || family == PF_INET6) {
4696 struct common_audit_data ad;
4697 struct lsm_network_audit net = {0,};
4698 struct sockaddr_in *addr4 = NULL;
4699 struct sockaddr_in6 *addr6 = NULL;
4701 unsigned short snum;
4705 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4706 * that validates multiple binding addresses. Because of this
4707 * need to check address->sa_family as it is possible to have
4708 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4710 if (addrlen < offsetofend(struct sockaddr, sa_family))
4712 family_sa = address->sa_family;
4713 switch (family_sa) {
4716 if (addrlen < sizeof(struct sockaddr_in))
4718 addr4 = (struct sockaddr_in *)address;
4719 if (family_sa == AF_UNSPEC) {
4720 if (family == PF_INET6) {
4721 /* Length check from inet6_bind_sk() */
4722 if (addrlen < SIN6_LEN_RFC2133)
4724 /* Family check from __inet6_bind() */
4727 /* see __inet_bind(), we only want to allow
4728 * AF_UNSPEC if the address is INADDR_ANY
4730 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4732 family_sa = AF_INET;
4734 snum = ntohs(addr4->sin_port);
4735 addrp = (char *)&addr4->sin_addr.s_addr;
4738 if (addrlen < SIN6_LEN_RFC2133)
4740 addr6 = (struct sockaddr_in6 *)address;
4741 snum = ntohs(addr6->sin6_port);
4742 addrp = (char *)&addr6->sin6_addr.s6_addr;
4748 ad.type = LSM_AUDIT_DATA_NET;
4750 ad.u.net->sport = htons(snum);
4751 ad.u.net->family = family_sa;
4756 inet_get_local_port_range(sock_net(sk), &low, &high);
4758 if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4759 snum < low || snum > high) {
4760 err = sel_netport_sid(sk->sk_protocol,
4764 err = avc_has_perm(sksec->sid, sid,
4766 SOCKET__NAME_BIND, &ad);
4772 switch (sksec->sclass) {
4773 case SECCLASS_TCP_SOCKET:
4774 node_perm = TCP_SOCKET__NODE_BIND;
4777 case SECCLASS_UDP_SOCKET:
4778 node_perm = UDP_SOCKET__NODE_BIND;
4781 case SECCLASS_DCCP_SOCKET:
4782 node_perm = DCCP_SOCKET__NODE_BIND;
4785 case SECCLASS_SCTP_SOCKET:
4786 node_perm = SCTP_SOCKET__NODE_BIND;
4790 node_perm = RAWIP_SOCKET__NODE_BIND;
4794 err = sel_netnode_sid(addrp, family_sa, &sid);
4798 if (family_sa == AF_INET)
4799 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4801 ad.u.net->v6info.saddr = addr6->sin6_addr;
4803 err = avc_has_perm(sksec->sid, sid,
4804 sksec->sclass, node_perm, &ad);
4811 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4812 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4814 return -EAFNOSUPPORT;
4817 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4818 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4820 static int selinux_socket_connect_helper(struct socket *sock,
4821 struct sockaddr *address, int addrlen)
4823 struct sock *sk = sock->sk;
4824 struct sk_security_struct *sksec = sk->sk_security;
4827 err = sock_has_perm(sk, SOCKET__CONNECT);
4830 if (addrlen < offsetofend(struct sockaddr, sa_family))
4833 /* connect(AF_UNSPEC) has special handling, as it is a documented
4834 * way to disconnect the socket
4836 if (address->sa_family == AF_UNSPEC)
4840 * If a TCP, DCCP or SCTP socket, check name_connect permission
4843 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4844 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4845 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4846 struct common_audit_data ad;
4847 struct lsm_network_audit net = {0,};
4848 struct sockaddr_in *addr4 = NULL;
4849 struct sockaddr_in6 *addr6 = NULL;
4850 unsigned short snum;
4853 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4854 * that validates multiple connect addresses. Because of this
4855 * need to check address->sa_family as it is possible to have
4856 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4858 switch (address->sa_family) {
4860 addr4 = (struct sockaddr_in *)address;
4861 if (addrlen < sizeof(struct sockaddr_in))
4863 snum = ntohs(addr4->sin_port);
4866 addr6 = (struct sockaddr_in6 *)address;
4867 if (addrlen < SIN6_LEN_RFC2133)
4869 snum = ntohs(addr6->sin6_port);
4872 /* Note that SCTP services expect -EINVAL, whereas
4873 * others expect -EAFNOSUPPORT.
4875 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4878 return -EAFNOSUPPORT;
4881 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4885 switch (sksec->sclass) {
4886 case SECCLASS_TCP_SOCKET:
4887 perm = TCP_SOCKET__NAME_CONNECT;
4889 case SECCLASS_DCCP_SOCKET:
4890 perm = DCCP_SOCKET__NAME_CONNECT;
4892 case SECCLASS_SCTP_SOCKET:
4893 perm = SCTP_SOCKET__NAME_CONNECT;
4897 ad.type = LSM_AUDIT_DATA_NET;
4899 ad.u.net->dport = htons(snum);
4900 ad.u.net->family = address->sa_family;
4901 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4909 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4910 static int selinux_socket_connect(struct socket *sock,
4911 struct sockaddr *address, int addrlen)
4914 struct sock *sk = sock->sk;
4916 err = selinux_socket_connect_helper(sock, address, addrlen);
4920 return selinux_netlbl_socket_connect(sk, address);
4923 static int selinux_socket_listen(struct socket *sock, int backlog)
4925 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4928 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4931 struct inode_security_struct *isec;
4932 struct inode_security_struct *newisec;
4936 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4940 isec = inode_security_novalidate(SOCK_INODE(sock));
4941 spin_lock(&isec->lock);
4942 sclass = isec->sclass;
4944 spin_unlock(&isec->lock);
4946 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4947 newisec->sclass = sclass;
4949 newisec->initialized = LABEL_INITIALIZED;
4954 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4957 return sock_has_perm(sock->sk, SOCKET__WRITE);
4960 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4961 int size, int flags)
4963 return sock_has_perm(sock->sk, SOCKET__READ);
4966 static int selinux_socket_getsockname(struct socket *sock)
4968 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4971 static int selinux_socket_getpeername(struct socket *sock)
4973 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4976 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4980 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4984 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4987 static int selinux_socket_getsockopt(struct socket *sock, int level,
4990 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4993 static int selinux_socket_shutdown(struct socket *sock, int how)
4995 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4998 static int selinux_socket_unix_stream_connect(struct sock *sock,
5002 struct sk_security_struct *sksec_sock = sock->sk_security;
5003 struct sk_security_struct *sksec_other = other->sk_security;
5004 struct sk_security_struct *sksec_new = newsk->sk_security;
5005 struct common_audit_data ad;
5006 struct lsm_network_audit net;
5009 ad_net_init_from_sk(&ad, &net, other);
5011 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
5012 sksec_other->sclass,
5013 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
5017 /* server child socket */
5018 sksec_new->peer_sid = sksec_sock->sid;
5019 err = security_sid_mls_copy(sksec_other->sid,
5020 sksec_sock->sid, &sksec_new->sid);
5024 /* connecting socket */
5025 sksec_sock->peer_sid = sksec_new->sid;
5030 static int selinux_socket_unix_may_send(struct socket *sock,
5031 struct socket *other)
5033 struct sk_security_struct *ssec = sock->sk->sk_security;
5034 struct sk_security_struct *osec = other->sk->sk_security;
5035 struct common_audit_data ad;
5036 struct lsm_network_audit net;
5038 ad_net_init_from_sk(&ad, &net, other->sk);
5040 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5044 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5045 char *addrp, u16 family, u32 peer_sid,
5046 struct common_audit_data *ad)
5052 err = sel_netif_sid(ns, ifindex, &if_sid);
5055 err = avc_has_perm(peer_sid, if_sid,
5056 SECCLASS_NETIF, NETIF__INGRESS, ad);
5060 err = sel_netnode_sid(addrp, family, &node_sid);
5063 return avc_has_perm(peer_sid, node_sid,
5064 SECCLASS_NODE, NODE__RECVFROM, ad);
5067 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5071 struct sk_security_struct *sksec = sk->sk_security;
5072 u32 sk_sid = sksec->sid;
5073 struct common_audit_data ad;
5074 struct lsm_network_audit net;
5077 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5078 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5082 if (selinux_secmark_enabled()) {
5083 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5089 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5092 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5097 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5099 int err, peerlbl_active, secmark_active;
5100 struct sk_security_struct *sksec = sk->sk_security;
5101 u16 family = sk->sk_family;
5102 u32 sk_sid = sksec->sid;
5103 struct common_audit_data ad;
5104 struct lsm_network_audit net;
5107 if (family != PF_INET && family != PF_INET6)
5110 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5111 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5114 /* If any sort of compatibility mode is enabled then handoff processing
5115 * to the selinux_sock_rcv_skb_compat() function to deal with the
5116 * special handling. We do this in an attempt to keep this function
5117 * as fast and as clean as possible. */
5118 if (!selinux_policycap_netpeer())
5119 return selinux_sock_rcv_skb_compat(sk, skb, family);
5121 secmark_active = selinux_secmark_enabled();
5122 peerlbl_active = selinux_peerlbl_enabled();
5123 if (!secmark_active && !peerlbl_active)
5126 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5127 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5131 if (peerlbl_active) {
5134 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5137 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5138 addrp, family, peer_sid, &ad);
5140 selinux_netlbl_err(skb, family, err, 0);
5143 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
5146 selinux_netlbl_err(skb, family, err, 0);
5151 if (secmark_active) {
5152 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5161 static int selinux_socket_getpeersec_stream(struct socket *sock,
5162 sockptr_t optval, sockptr_t optlen,
5166 char *scontext = NULL;
5168 struct sk_security_struct *sksec = sock->sk->sk_security;
5169 u32 peer_sid = SECSID_NULL;
5171 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5172 sksec->sclass == SECCLASS_TCP_SOCKET ||
5173 sksec->sclass == SECCLASS_SCTP_SOCKET)
5174 peer_sid = sksec->peer_sid;
5175 if (peer_sid == SECSID_NULL)
5176 return -ENOPROTOOPT;
5178 err = security_sid_to_context(peer_sid, &scontext,
5182 if (scontext_len > len) {
5187 if (copy_to_sockptr(optval, scontext, scontext_len))
5190 if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
5196 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5198 u32 peer_secid = SECSID_NULL;
5200 struct inode_security_struct *isec;
5202 if (skb && skb->protocol == htons(ETH_P_IP))
5204 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5207 family = sock->sk->sk_family;
5211 if (sock && family == PF_UNIX) {
5212 isec = inode_security_novalidate(SOCK_INODE(sock));
5213 peer_secid = isec->sid;
5215 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5218 *secid = peer_secid;
5219 if (peer_secid == SECSID_NULL)
5224 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5226 struct sk_security_struct *sksec;
5228 sksec = kzalloc(sizeof(*sksec), priority);
5232 sksec->peer_sid = SECINITSID_UNLABELED;
5233 sksec->sid = SECINITSID_UNLABELED;
5234 sksec->sclass = SECCLASS_SOCKET;
5235 selinux_netlbl_sk_security_reset(sksec);
5236 sk->sk_security = sksec;
5241 static void selinux_sk_free_security(struct sock *sk)
5243 struct sk_security_struct *sksec = sk->sk_security;
5245 sk->sk_security = NULL;
5246 selinux_netlbl_sk_security_free(sksec);
5250 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5252 struct sk_security_struct *sksec = sk->sk_security;
5253 struct sk_security_struct *newsksec = newsk->sk_security;
5255 newsksec->sid = sksec->sid;
5256 newsksec->peer_sid = sksec->peer_sid;
5257 newsksec->sclass = sksec->sclass;
5259 selinux_netlbl_sk_security_reset(newsksec);
5262 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid)
5265 *secid = SECINITSID_ANY_SOCKET;
5267 const struct sk_security_struct *sksec = sk->sk_security;
5269 *secid = sksec->sid;
5273 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5275 struct inode_security_struct *isec =
5276 inode_security_novalidate(SOCK_INODE(parent));
5277 struct sk_security_struct *sksec = sk->sk_security;
5279 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5280 sk->sk_family == PF_UNIX)
5281 isec->sid = sksec->sid;
5282 sksec->sclass = isec->sclass;
5286 * Determines peer_secid for the asoc and updates socket's peer label
5287 * if it's the first association on the socket.
5289 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5290 struct sk_buff *skb)
5292 struct sock *sk = asoc->base.sk;
5293 u16 family = sk->sk_family;
5294 struct sk_security_struct *sksec = sk->sk_security;
5295 struct common_audit_data ad;
5296 struct lsm_network_audit net;
5299 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5300 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5303 if (selinux_peerlbl_enabled()) {
5304 asoc->peer_secid = SECSID_NULL;
5306 /* This will return peer_sid = SECSID_NULL if there are
5307 * no peer labels, see security_net_peersid_resolve().
5309 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5313 if (asoc->peer_secid == SECSID_NULL)
5314 asoc->peer_secid = SECINITSID_UNLABELED;
5316 asoc->peer_secid = SECINITSID_UNLABELED;
5319 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5320 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5322 /* Here as first association on socket. As the peer SID
5323 * was allowed by peer recv (and the netif/node checks),
5324 * then it is approved by policy and used as the primary
5325 * peer SID for getpeercon(3).
5327 sksec->peer_sid = asoc->peer_secid;
5328 } else if (sksec->peer_sid != asoc->peer_secid) {
5329 /* Other association peer SIDs are checked to enforce
5330 * consistency among the peer SIDs.
5332 ad_net_init_from_sk(&ad, &net, asoc->base.sk);
5333 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
5334 sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5342 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5343 * happens on an incoming connect(2), sctp_connectx(3) or
5344 * sctp_sendmsg(3) (with no association already present).
5346 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5347 struct sk_buff *skb)
5349 struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5353 if (!selinux_policycap_extsockclass())
5356 err = selinux_sctp_process_new_assoc(asoc, skb);
5360 /* Compute the MLS component for the connection and store
5361 * the information in asoc. This will be used by SCTP TCP type
5362 * sockets and peeled off connections as they cause a new
5363 * socket to be generated. selinux_sctp_sk_clone() will then
5364 * plug this into the new socket.
5366 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5370 asoc->secid = conn_sid;
5372 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5373 return selinux_netlbl_sctp_assoc_request(asoc, skb);
5376 /* Called when SCTP receives a COOKIE ACK chunk as the final
5377 * response to an association request (initited by us).
5379 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5380 struct sk_buff *skb)
5382 struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5384 if (!selinux_policycap_extsockclass())
5387 /* Inherit secid from the parent socket - this will be picked up
5388 * by selinux_sctp_sk_clone() if the association gets peeled off
5389 * into a new socket.
5391 asoc->secid = sksec->sid;
5393 return selinux_sctp_process_new_assoc(asoc, skb);
5396 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5397 * based on their @optname.
5399 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5400 struct sockaddr *address,
5403 int len, err = 0, walk_size = 0;
5405 struct sockaddr *addr;
5406 struct socket *sock;
5408 if (!selinux_policycap_extsockclass())
5411 /* Process one or more addresses that may be IPv4 or IPv6 */
5412 sock = sk->sk_socket;
5415 while (walk_size < addrlen) {
5416 if (walk_size + sizeof(sa_family_t) > addrlen)
5420 switch (addr->sa_family) {
5423 len = sizeof(struct sockaddr_in);
5426 len = sizeof(struct sockaddr_in6);
5432 if (walk_size + len > addrlen)
5438 case SCTP_PRIMARY_ADDR:
5439 case SCTP_SET_PEER_PRIMARY_ADDR:
5440 case SCTP_SOCKOPT_BINDX_ADD:
5441 err = selinux_socket_bind(sock, addr, len);
5443 /* Connect checks */
5444 case SCTP_SOCKOPT_CONNECTX:
5445 case SCTP_PARAM_SET_PRIMARY:
5446 case SCTP_PARAM_ADD_IP:
5447 case SCTP_SENDMSG_CONNECT:
5448 err = selinux_socket_connect_helper(sock, addr, len);
5452 /* As selinux_sctp_bind_connect() is called by the
5453 * SCTP protocol layer, the socket is already locked,
5454 * therefore selinux_netlbl_socket_connect_locked()
5455 * is called here. The situations handled are:
5456 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5457 * whenever a new IP address is added or when a new
5458 * primary address is selected.
5459 * Note that an SCTP connect(2) call happens before
5460 * the SCTP protocol layer and is handled via
5461 * selinux_socket_connect().
5463 err = selinux_netlbl_socket_connect_locked(sk, addr);
5477 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5478 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5481 struct sk_security_struct *sksec = sk->sk_security;
5482 struct sk_security_struct *newsksec = newsk->sk_security;
5484 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5485 * the non-sctp clone version.
5487 if (!selinux_policycap_extsockclass())
5488 return selinux_sk_clone_security(sk, newsk);
5490 newsksec->sid = asoc->secid;
5491 newsksec->peer_sid = asoc->peer_secid;
5492 newsksec->sclass = sksec->sclass;
5493 selinux_netlbl_sctp_sk_clone(sk, newsk);
5496 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
5498 struct sk_security_struct *ssksec = ssk->sk_security;
5499 struct sk_security_struct *sksec = sk->sk_security;
5501 ssksec->sclass = sksec->sclass;
5502 ssksec->sid = sksec->sid;
5504 /* replace the existing subflow label deleting the existing one
5505 * and re-recreating a new label using the updated context
5507 selinux_netlbl_sk_security_free(ssksec);
5508 return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
5511 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5512 struct request_sock *req)
5514 struct sk_security_struct *sksec = sk->sk_security;
5516 u16 family = req->rsk_ops->family;
5520 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5523 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5526 req->secid = connsid;
5527 req->peer_secid = peersid;
5529 return selinux_netlbl_inet_conn_request(req, family);
5532 static void selinux_inet_csk_clone(struct sock *newsk,
5533 const struct request_sock *req)
5535 struct sk_security_struct *newsksec = newsk->sk_security;
5537 newsksec->sid = req->secid;
5538 newsksec->peer_sid = req->peer_secid;
5539 /* NOTE: Ideally, we should also get the isec->sid for the
5540 new socket in sync, but we don't have the isec available yet.
5541 So we will wait until sock_graft to do it, by which
5542 time it will have been created and available. */
5544 /* We don't need to take any sort of lock here as we are the only
5545 * thread with access to newsksec */
5546 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5549 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5551 u16 family = sk->sk_family;
5552 struct sk_security_struct *sksec = sk->sk_security;
5554 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5555 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5558 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5561 static int selinux_secmark_relabel_packet(u32 sid)
5563 const struct task_security_struct *tsec;
5566 tsec = selinux_cred(current_cred());
5569 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5573 static void selinux_secmark_refcount_inc(void)
5575 atomic_inc(&selinux_secmark_refcount);
5578 static void selinux_secmark_refcount_dec(void)
5580 atomic_dec(&selinux_secmark_refcount);
5583 static void selinux_req_classify_flow(const struct request_sock *req,
5584 struct flowi_common *flic)
5586 flic->flowic_secid = req->secid;
5589 static int selinux_tun_dev_alloc_security(void **security)
5591 struct tun_security_struct *tunsec;
5593 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5596 tunsec->sid = current_sid();
5602 static void selinux_tun_dev_free_security(void *security)
5607 static int selinux_tun_dev_create(void)
5609 u32 sid = current_sid();
5611 /* we aren't taking into account the "sockcreate" SID since the socket
5612 * that is being created here is not a socket in the traditional sense,
5613 * instead it is a private sock, accessible only to the kernel, and
5614 * representing a wide range of network traffic spanning multiple
5615 * connections unlike traditional sockets - check the TUN driver to
5616 * get a better understanding of why this socket is special */
5618 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5622 static int selinux_tun_dev_attach_queue(void *security)
5624 struct tun_security_struct *tunsec = security;
5626 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5627 TUN_SOCKET__ATTACH_QUEUE, NULL);
5630 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5632 struct tun_security_struct *tunsec = security;
5633 struct sk_security_struct *sksec = sk->sk_security;
5635 /* we don't currently perform any NetLabel based labeling here and it
5636 * isn't clear that we would want to do so anyway; while we could apply
5637 * labeling without the support of the TUN user the resulting labeled
5638 * traffic from the other end of the connection would almost certainly
5639 * cause confusion to the TUN user that had no idea network labeling
5640 * protocols were being used */
5642 sksec->sid = tunsec->sid;
5643 sksec->sclass = SECCLASS_TUN_SOCKET;
5648 static int selinux_tun_dev_open(void *security)
5650 struct tun_security_struct *tunsec = security;
5651 u32 sid = current_sid();
5654 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5655 TUN_SOCKET__RELABELFROM, NULL);
5658 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5659 TUN_SOCKET__RELABELTO, NULL);
5667 #ifdef CONFIG_NETFILTER
5669 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5670 const struct nf_hook_state *state)
5676 struct common_audit_data ad;
5677 struct lsm_network_audit net;
5678 int secmark_active, peerlbl_active;
5680 if (!selinux_policycap_netpeer())
5683 secmark_active = selinux_secmark_enabled();
5684 peerlbl_active = selinux_peerlbl_enabled();
5685 if (!secmark_active && !peerlbl_active)
5689 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5692 ifindex = state->in->ifindex;
5693 ad_net_init_from_iif(&ad, &net, ifindex, family);
5694 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5697 if (peerlbl_active) {
5700 err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5701 addrp, family, peer_sid, &ad);
5703 selinux_netlbl_err(skb, family, err, 1);
5709 if (avc_has_perm(peer_sid, skb->secmark,
5710 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5713 if (netlbl_enabled())
5714 /* we do this in the FORWARD path and not the POST_ROUTING
5715 * path because we want to make sure we apply the necessary
5716 * labeling before IPsec is applied so we can leverage AH
5718 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5724 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5725 const struct nf_hook_state *state)
5730 if (!netlbl_enabled())
5733 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5734 * because we want to make sure we apply the necessary labeling
5735 * before IPsec is applied so we can leverage AH protection */
5738 struct sk_security_struct *sksec;
5740 if (sk_listener(sk))
5741 /* if the socket is the listening state then this
5742 * packet is a SYN-ACK packet which means it needs to
5743 * be labeled based on the connection/request_sock and
5744 * not the parent socket. unfortunately, we can't
5745 * lookup the request_sock yet as it isn't queued on
5746 * the parent socket until after the SYN-ACK is sent.
5747 * the "solution" is to simply pass the packet as-is
5748 * as any IP option based labeling should be copied
5749 * from the initial connection request (in the IP
5750 * layer). it is far from ideal, but until we get a
5751 * security label in the packet itself this is the
5752 * best we can do. */
5755 /* standard practice, label using the parent socket */
5756 sksec = sk->sk_security;
5759 sid = SECINITSID_KERNEL;
5760 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5767 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5768 const struct nf_hook_state *state)
5771 struct sk_security_struct *sksec;
5772 struct common_audit_data ad;
5773 struct lsm_network_audit net;
5776 sk = skb_to_full_sk(skb);
5779 sksec = sk->sk_security;
5781 ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf);
5782 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5785 if (selinux_secmark_enabled())
5786 if (avc_has_perm(sksec->sid, skb->secmark,
5787 SECCLASS_PACKET, PACKET__SEND, &ad))
5788 return NF_DROP_ERR(-ECONNREFUSED);
5790 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5791 return NF_DROP_ERR(-ECONNREFUSED);
5796 static unsigned int selinux_ip_postroute(void *priv,
5797 struct sk_buff *skb,
5798 const struct nf_hook_state *state)
5805 struct common_audit_data ad;
5806 struct lsm_network_audit net;
5808 int secmark_active, peerlbl_active;
5810 /* If any sort of compatibility mode is enabled then handoff processing
5811 * to the selinux_ip_postroute_compat() function to deal with the
5812 * special handling. We do this in an attempt to keep this function
5813 * as fast and as clean as possible. */
5814 if (!selinux_policycap_netpeer())
5815 return selinux_ip_postroute_compat(skb, state);
5817 secmark_active = selinux_secmark_enabled();
5818 peerlbl_active = selinux_peerlbl_enabled();
5819 if (!secmark_active && !peerlbl_active)
5822 sk = skb_to_full_sk(skb);
5825 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5826 * packet transformation so allow the packet to pass without any checks
5827 * since we'll have another chance to perform access control checks
5828 * when the packet is on it's final way out.
5829 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5830 * is NULL, in this case go ahead and apply access control.
5831 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5832 * TCP listening state we cannot wait until the XFRM processing
5833 * is done as we will miss out on the SA label if we do;
5834 * unfortunately, this means more work, but it is only once per
5836 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5837 !(sk && sk_listener(sk)))
5843 /* Without an associated socket the packet is either coming
5844 * from the kernel or it is being forwarded; check the packet
5845 * to determine which and if the packet is being forwarded
5846 * query the packet directly to determine the security label. */
5848 secmark_perm = PACKET__FORWARD_OUT;
5849 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5852 secmark_perm = PACKET__SEND;
5853 peer_sid = SECINITSID_KERNEL;
5855 } else if (sk_listener(sk)) {
5856 /* Locally generated packet but the associated socket is in the
5857 * listening state which means this is a SYN-ACK packet. In
5858 * this particular case the correct security label is assigned
5859 * to the connection/request_sock but unfortunately we can't
5860 * query the request_sock as it isn't queued on the parent
5861 * socket until after the SYN-ACK packet is sent; the only
5862 * viable choice is to regenerate the label like we do in
5863 * selinux_inet_conn_request(). See also selinux_ip_output()
5864 * for similar problems. */
5866 struct sk_security_struct *sksec;
5868 sksec = sk->sk_security;
5869 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5871 /* At this point, if the returned skb peerlbl is SECSID_NULL
5872 * and the packet has been through at least one XFRM
5873 * transformation then we must be dealing with the "final"
5874 * form of labeled IPsec packet; since we've already applied
5875 * all of our access controls on this packet we can safely
5876 * pass the packet. */
5877 if (skb_sid == SECSID_NULL) {
5880 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5884 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5888 return NF_DROP_ERR(-ECONNREFUSED);
5891 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5893 secmark_perm = PACKET__SEND;
5895 /* Locally generated packet, fetch the security label from the
5896 * associated socket. */
5897 struct sk_security_struct *sksec = sk->sk_security;
5898 peer_sid = sksec->sid;
5899 secmark_perm = PACKET__SEND;
5902 ifindex = state->out->ifindex;
5903 ad_net_init_from_iif(&ad, &net, ifindex, family);
5904 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5908 if (avc_has_perm(peer_sid, skb->secmark,
5909 SECCLASS_PACKET, secmark_perm, &ad))
5910 return NF_DROP_ERR(-ECONNREFUSED);
5912 if (peerlbl_active) {
5916 if (sel_netif_sid(state->net, ifindex, &if_sid))
5918 if (avc_has_perm(peer_sid, if_sid,
5919 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5920 return NF_DROP_ERR(-ECONNREFUSED);
5922 if (sel_netnode_sid(addrp, family, &node_sid))
5924 if (avc_has_perm(peer_sid, node_sid,
5925 SECCLASS_NODE, NODE__SENDTO, &ad))
5926 return NF_DROP_ERR(-ECONNREFUSED);
5931 #endif /* CONFIG_NETFILTER */
5933 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5936 unsigned int msg_len;
5937 unsigned int data_len = skb->len;
5938 unsigned char *data = skb->data;
5939 struct nlmsghdr *nlh;
5940 struct sk_security_struct *sksec = sk->sk_security;
5941 u16 sclass = sksec->sclass;
5944 while (data_len >= nlmsg_total_size(0)) {
5945 nlh = (struct nlmsghdr *)data;
5947 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5948 * users which means we can't reject skb's with bogus
5949 * length fields; our solution is to follow what
5950 * netlink_rcv_skb() does and simply skip processing at
5951 * messages with length fields that are clearly junk
5953 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5956 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5958 rc = sock_has_perm(sk, perm);
5961 } else if (rc == -EINVAL) {
5962 /* -EINVAL is a missing msg/perm mapping */
5963 pr_warn_ratelimited("SELinux: unrecognized netlink"
5964 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5965 " pid=%d comm=%s\n",
5966 sk->sk_protocol, nlh->nlmsg_type,
5967 secclass_map[sclass - 1].name,
5968 task_pid_nr(current), current->comm);
5969 if (enforcing_enabled() &&
5970 !security_get_allow_unknown())
5973 } else if (rc == -ENOENT) {
5974 /* -ENOENT is a missing socket/class mapping, ignore */
5980 /* move to the next message after applying netlink padding */
5981 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5982 if (msg_len >= data_len)
5984 data_len -= msg_len;
5991 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5993 isec->sclass = sclass;
5994 isec->sid = current_sid();
5997 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
6000 struct ipc_security_struct *isec;
6001 struct common_audit_data ad;
6002 u32 sid = current_sid();
6004 isec = selinux_ipc(ipc_perms);
6006 ad.type = LSM_AUDIT_DATA_IPC;
6007 ad.u.ipc_id = ipc_perms->key;
6009 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
6012 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6014 struct msg_security_struct *msec;
6016 msec = selinux_msg_msg(msg);
6017 msec->sid = SECINITSID_UNLABELED;
6022 /* message queue security operations */
6023 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6025 struct ipc_security_struct *isec;
6026 struct common_audit_data ad;
6027 u32 sid = current_sid();
6029 isec = selinux_ipc(msq);
6030 ipc_init_security(isec, SECCLASS_MSGQ);
6032 ad.type = LSM_AUDIT_DATA_IPC;
6033 ad.u.ipc_id = msq->key;
6035 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6039 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6041 struct ipc_security_struct *isec;
6042 struct common_audit_data ad;
6043 u32 sid = current_sid();
6045 isec = selinux_ipc(msq);
6047 ad.type = LSM_AUDIT_DATA_IPC;
6048 ad.u.ipc_id = msq->key;
6050 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6051 MSGQ__ASSOCIATE, &ad);
6054 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6061 /* No specific object, just general system-wide information. */
6062 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6063 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6067 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6070 perms = MSGQ__SETATTR;
6073 perms = MSGQ__DESTROY;
6079 return ipc_has_perm(msq, perms);
6082 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6084 struct ipc_security_struct *isec;
6085 struct msg_security_struct *msec;
6086 struct common_audit_data ad;
6087 u32 sid = current_sid();
6090 isec = selinux_ipc(msq);
6091 msec = selinux_msg_msg(msg);
6094 * First time through, need to assign label to the message
6096 if (msec->sid == SECINITSID_UNLABELED) {
6098 * Compute new sid based on current process and
6099 * message queue this message will be stored in
6101 rc = security_transition_sid(sid, isec->sid,
6102 SECCLASS_MSG, NULL, &msec->sid);
6107 ad.type = LSM_AUDIT_DATA_IPC;
6108 ad.u.ipc_id = msq->key;
6110 /* Can this process write to the queue? */
6111 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6114 /* Can this process send the message */
6115 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
6118 /* Can the message be put in the queue? */
6119 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
6120 MSGQ__ENQUEUE, &ad);
6125 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6126 struct task_struct *target,
6127 long type, int mode)
6129 struct ipc_security_struct *isec;
6130 struct msg_security_struct *msec;
6131 struct common_audit_data ad;
6132 u32 sid = task_sid_obj(target);
6135 isec = selinux_ipc(msq);
6136 msec = selinux_msg_msg(msg);
6138 ad.type = LSM_AUDIT_DATA_IPC;
6139 ad.u.ipc_id = msq->key;
6141 rc = avc_has_perm(sid, isec->sid,
6142 SECCLASS_MSGQ, MSGQ__READ, &ad);
6144 rc = avc_has_perm(sid, msec->sid,
6145 SECCLASS_MSG, MSG__RECEIVE, &ad);
6149 /* Shared Memory security operations */
6150 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6152 struct ipc_security_struct *isec;
6153 struct common_audit_data ad;
6154 u32 sid = current_sid();
6156 isec = selinux_ipc(shp);
6157 ipc_init_security(isec, SECCLASS_SHM);
6159 ad.type = LSM_AUDIT_DATA_IPC;
6160 ad.u.ipc_id = shp->key;
6162 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6166 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6168 struct ipc_security_struct *isec;
6169 struct common_audit_data ad;
6170 u32 sid = current_sid();
6172 isec = selinux_ipc(shp);
6174 ad.type = LSM_AUDIT_DATA_IPC;
6175 ad.u.ipc_id = shp->key;
6177 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6178 SHM__ASSOCIATE, &ad);
6181 /* Note, at this point, shp is locked down */
6182 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6189 /* No specific object, just general system-wide information. */
6190 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6191 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6195 perms = SHM__GETATTR | SHM__ASSOCIATE;
6198 perms = SHM__SETATTR;
6205 perms = SHM__DESTROY;
6211 return ipc_has_perm(shp, perms);
6214 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6215 char __user *shmaddr, int shmflg)
6219 if (shmflg & SHM_RDONLY)
6222 perms = SHM__READ | SHM__WRITE;
6224 return ipc_has_perm(shp, perms);
6227 /* Semaphore security operations */
6228 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6230 struct ipc_security_struct *isec;
6231 struct common_audit_data ad;
6232 u32 sid = current_sid();
6234 isec = selinux_ipc(sma);
6235 ipc_init_security(isec, SECCLASS_SEM);
6237 ad.type = LSM_AUDIT_DATA_IPC;
6238 ad.u.ipc_id = sma->key;
6240 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6244 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6246 struct ipc_security_struct *isec;
6247 struct common_audit_data ad;
6248 u32 sid = current_sid();
6250 isec = selinux_ipc(sma);
6252 ad.type = LSM_AUDIT_DATA_IPC;
6253 ad.u.ipc_id = sma->key;
6255 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6256 SEM__ASSOCIATE, &ad);
6259 /* Note, at this point, sma is locked down */
6260 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6268 /* No specific object, just general system-wide information. */
6269 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6270 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6274 perms = SEM__GETATTR;
6285 perms = SEM__DESTROY;
6288 perms = SEM__SETATTR;
6293 perms = SEM__GETATTR | SEM__ASSOCIATE;
6299 err = ipc_has_perm(sma, perms);
6303 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6304 struct sembuf *sops, unsigned nsops, int alter)
6309 perms = SEM__READ | SEM__WRITE;
6313 return ipc_has_perm(sma, perms);
6316 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6322 av |= IPC__UNIX_READ;
6324 av |= IPC__UNIX_WRITE;
6329 return ipc_has_perm(ipcp, av);
6332 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6334 struct ipc_security_struct *isec = selinux_ipc(ipcp);
6338 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6341 inode_doinit_with_dentry(inode, dentry);
6344 static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p,
6347 const struct task_security_struct *__tsec;
6353 __tsec = selinux_cred(__task_cred(p));
6356 error = avc_has_perm(current_sid(), __tsec->sid,
6357 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6363 case LSM_ATTR_CURRENT:
6370 sid = __tsec->exec_sid;
6372 case LSM_ATTR_FSCREATE:
6373 sid = __tsec->create_sid;
6375 case LSM_ATTR_KEYCREATE:
6376 sid = __tsec->keycreate_sid;
6378 case LSM_ATTR_SOCKCREATE:
6379 sid = __tsec->sockcreate_sid;
6382 error = -EOPNOTSUPP;
6390 error = security_sid_to_context(sid, value, &len);
6400 static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
6402 struct task_security_struct *tsec;
6404 u32 mysid = current_sid(), sid = 0, ptsid;
6409 * Basic control over ability to set these attributes at all.
6413 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6414 PROCESS__SETEXEC, NULL);
6416 case LSM_ATTR_FSCREATE:
6417 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6418 PROCESS__SETFSCREATE, NULL);
6420 case LSM_ATTR_KEYCREATE:
6421 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6422 PROCESS__SETKEYCREATE, NULL);
6424 case LSM_ATTR_SOCKCREATE:
6425 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6426 PROCESS__SETSOCKCREATE, NULL);
6428 case LSM_ATTR_CURRENT:
6429 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6430 PROCESS__SETCURRENT, NULL);
6433 error = -EOPNOTSUPP;
6439 /* Obtain a SID for the context, if one was specified. */
6440 if (size && str[0] && str[0] != '\n') {
6441 if (str[size-1] == '\n') {
6445 error = security_context_to_sid(value, size,
6447 if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) {
6448 if (!has_cap_mac_admin(true)) {
6449 struct audit_buffer *ab;
6452 /* We strip a nul only if it is at the end,
6453 * otherwise the context contains a nul and
6454 * we should audit that */
6455 if (str[size - 1] == '\0')
6456 audit_size = size - 1;
6459 ab = audit_log_start(audit_context(),
6464 audit_log_format(ab, "op=fscreate invalid_context=");
6465 audit_log_n_untrustedstring(ab, value,
6471 error = security_context_to_sid_force(value, size,
6478 new = prepare_creds();
6482 /* Permission checking based on the specified context is
6483 performed during the actual operation (execve,
6484 open/mkdir/...), when we know the full context of the
6485 operation. See selinux_bprm_creds_for_exec for the execve
6486 checks and may_create for the file creation checks. The
6487 operation will then fail if the context is not permitted. */
6488 tsec = selinux_cred(new);
6489 if (attr == LSM_ATTR_EXEC) {
6490 tsec->exec_sid = sid;
6491 } else if (attr == LSM_ATTR_FSCREATE) {
6492 tsec->create_sid = sid;
6493 } else if (attr == LSM_ATTR_KEYCREATE) {
6495 error = avc_has_perm(mysid, sid,
6496 SECCLASS_KEY, KEY__CREATE, NULL);
6500 tsec->keycreate_sid = sid;
6501 } else if (attr == LSM_ATTR_SOCKCREATE) {
6502 tsec->sockcreate_sid = sid;
6503 } else if (attr == LSM_ATTR_CURRENT) {
6508 if (!current_is_single_threaded()) {
6509 error = security_bounded_transition(tsec->sid, sid);
6514 /* Check permissions for the transition. */
6515 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6516 PROCESS__DYNTRANSITION, NULL);
6520 /* Check for ptracing, and update the task SID if ok.
6521 Otherwise, leave SID unchanged and fail. */
6522 ptsid = ptrace_parent_sid();
6524 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6525 PROCESS__PTRACE, NULL);
6545 * selinux_getselfattr - Get SELinux current task attributes
6546 * @attr: the requested attribute
6547 * @ctx: buffer to receive the result
6548 * @size: buffer size (input), buffer size used (output)
6551 * Fill the passed user space @ctx with the details of the requested
6554 * Returns the number of attributes on success, an error code otherwise.
6555 * There will only ever be one attribute.
6557 static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx,
6558 size_t *size, u32 flags)
6564 val_len = selinux_lsm_getattr(attr, current, &val);
6567 rc = lsm_fill_user_ctx(ctx, size, val, val_len, LSM_ID_SELINUX, 0);
6569 return (!rc ? 1 : rc);
6572 static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx,
6573 size_t size, u32 flags)
6577 rc = selinux_lsm_setattr(attr, ctx->ctx, ctx->ctx_len);
6583 static int selinux_getprocattr(struct task_struct *p,
6584 const char *name, char **value)
6586 unsigned int attr = lsm_name_to_attr(name);
6590 rc = selinux_lsm_getattr(attr, p, value);
6591 if (rc != -EOPNOTSUPP)
6598 static int selinux_setprocattr(const char *name, void *value, size_t size)
6600 int attr = lsm_name_to_attr(name);
6603 return selinux_lsm_setattr(attr, value, size);
6607 static int selinux_ismaclabel(const char *name)
6609 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6612 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6614 return security_sid_to_context(secid,
6618 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6620 return security_context_to_sid(secdata, seclen,
6624 static void selinux_release_secctx(char *secdata, u32 seclen)
6629 static void selinux_inode_invalidate_secctx(struct inode *inode)
6631 struct inode_security_struct *isec = selinux_inode(inode);
6633 spin_lock(&isec->lock);
6634 isec->initialized = LABEL_INVALID;
6635 spin_unlock(&isec->lock);
6639 * called with inode->i_mutex locked
6641 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6643 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6645 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6646 return rc == -EOPNOTSUPP ? 0 : rc;
6650 * called with inode->i_mutex locked
6652 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6654 return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
6658 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6661 len = selinux_inode_getsecurity(&nop_mnt_idmap, inode,
6662 XATTR_SELINUX_SUFFIX, ctx, true);
6670 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6671 unsigned long flags)
6673 const struct task_security_struct *tsec;
6674 struct key_security_struct *ksec;
6676 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6680 tsec = selinux_cred(cred);
6681 if (tsec->keycreate_sid)
6682 ksec->sid = tsec->keycreate_sid;
6684 ksec->sid = tsec->sid;
6690 static void selinux_key_free(struct key *k)
6692 struct key_security_struct *ksec = k->security;
6698 static int selinux_key_permission(key_ref_t key_ref,
6699 const struct cred *cred,
6700 enum key_need_perm need_perm)
6703 struct key_security_struct *ksec;
6706 switch (need_perm) {
6713 case KEY_NEED_WRITE:
6716 case KEY_NEED_SEARCH:
6722 case KEY_NEED_SETATTR:
6723 perm = KEY__SETATTR;
6725 case KEY_NEED_UNLINK:
6726 case KEY_SYSADMIN_OVERRIDE:
6727 case KEY_AUTHTOKEN_OVERRIDE:
6728 case KEY_DEFER_PERM_CHECK:
6736 sid = cred_sid(cred);
6737 key = key_ref_to_ptr(key_ref);
6738 ksec = key->security;
6740 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6743 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6745 struct key_security_struct *ksec = key->security;
6746 char *context = NULL;
6750 rc = security_sid_to_context(ksec->sid,
6758 #ifdef CONFIG_KEY_NOTIFICATIONS
6759 static int selinux_watch_key(struct key *key)
6761 struct key_security_struct *ksec = key->security;
6762 u32 sid = current_sid();
6764 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6769 #ifdef CONFIG_SECURITY_INFINIBAND
6770 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6772 struct common_audit_data ad;
6775 struct ib_security_struct *sec = ib_sec;
6776 struct lsm_ibpkey_audit ibpkey;
6778 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6782 ad.type = LSM_AUDIT_DATA_IBPKEY;
6783 ibpkey.subnet_prefix = subnet_prefix;
6784 ibpkey.pkey = pkey_val;
6785 ad.u.ibpkey = &ibpkey;
6786 return avc_has_perm(sec->sid, sid,
6787 SECCLASS_INFINIBAND_PKEY,
6788 INFINIBAND_PKEY__ACCESS, &ad);
6791 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6794 struct common_audit_data ad;
6797 struct ib_security_struct *sec = ib_sec;
6798 struct lsm_ibendport_audit ibendport;
6800 err = security_ib_endport_sid(dev_name, port_num,
6806 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6807 ibendport.dev_name = dev_name;
6808 ibendport.port = port_num;
6809 ad.u.ibendport = &ibendport;
6810 return avc_has_perm(sec->sid, sid,
6811 SECCLASS_INFINIBAND_ENDPORT,
6812 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6815 static int selinux_ib_alloc_security(void **ib_sec)
6817 struct ib_security_struct *sec;
6819 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6822 sec->sid = current_sid();
6828 static void selinux_ib_free_security(void *ib_sec)
6834 #ifdef CONFIG_BPF_SYSCALL
6835 static int selinux_bpf(int cmd, union bpf_attr *attr,
6838 u32 sid = current_sid();
6842 case BPF_MAP_CREATE:
6843 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6847 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6858 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6862 if (fmode & FMODE_READ)
6863 av |= BPF__MAP_READ;
6864 if (fmode & FMODE_WRITE)
6865 av |= BPF__MAP_WRITE;
6869 /* This function will check the file pass through unix socket or binder to see
6870 * if it is a bpf related object. And apply corresponding checks on the bpf
6871 * object based on the type. The bpf maps and programs, not like other files and
6872 * socket, are using a shared anonymous inode inside the kernel as their inode.
6873 * So checking that inode cannot identify if the process have privilege to
6874 * access the bpf object and that's why we have to add this additional check in
6875 * selinux_file_receive and selinux_binder_transfer_files.
6877 static int bpf_fd_pass(const struct file *file, u32 sid)
6879 struct bpf_security_struct *bpfsec;
6880 struct bpf_prog *prog;
6881 struct bpf_map *map;
6884 if (file->f_op == &bpf_map_fops) {
6885 map = file->private_data;
6886 bpfsec = map->security;
6887 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6888 bpf_map_fmode_to_av(file->f_mode), NULL);
6891 } else if (file->f_op == &bpf_prog_fops) {
6892 prog = file->private_data;
6893 bpfsec = prog->aux->security;
6894 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6895 BPF__PROG_RUN, NULL);
6902 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6904 u32 sid = current_sid();
6905 struct bpf_security_struct *bpfsec;
6907 bpfsec = map->security;
6908 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6909 bpf_map_fmode_to_av(fmode), NULL);
6912 static int selinux_bpf_prog(struct bpf_prog *prog)
6914 u32 sid = current_sid();
6915 struct bpf_security_struct *bpfsec;
6917 bpfsec = prog->aux->security;
6918 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6919 BPF__PROG_RUN, NULL);
6922 static int selinux_bpf_map_alloc(struct bpf_map *map)
6924 struct bpf_security_struct *bpfsec;
6926 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6930 bpfsec->sid = current_sid();
6931 map->security = bpfsec;
6936 static void selinux_bpf_map_free(struct bpf_map *map)
6938 struct bpf_security_struct *bpfsec = map->security;
6940 map->security = NULL;
6944 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6946 struct bpf_security_struct *bpfsec;
6948 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6952 bpfsec->sid = current_sid();
6953 aux->security = bpfsec;
6958 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6960 struct bpf_security_struct *bpfsec = aux->security;
6962 aux->security = NULL;
6967 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
6968 .lbs_cred = sizeof(struct task_security_struct),
6969 .lbs_file = sizeof(struct file_security_struct),
6970 .lbs_inode = sizeof(struct inode_security_struct),
6971 .lbs_ipc = sizeof(struct ipc_security_struct),
6972 .lbs_msg_msg = sizeof(struct msg_security_struct),
6973 .lbs_superblock = sizeof(struct superblock_security_struct),
6974 .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
6977 #ifdef CONFIG_PERF_EVENTS
6978 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6980 u32 requested, sid = current_sid();
6982 if (type == PERF_SECURITY_OPEN)
6983 requested = PERF_EVENT__OPEN;
6984 else if (type == PERF_SECURITY_CPU)
6985 requested = PERF_EVENT__CPU;
6986 else if (type == PERF_SECURITY_KERNEL)
6987 requested = PERF_EVENT__KERNEL;
6988 else if (type == PERF_SECURITY_TRACEPOINT)
6989 requested = PERF_EVENT__TRACEPOINT;
6993 return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT,
6997 static int selinux_perf_event_alloc(struct perf_event *event)
6999 struct perf_event_security_struct *perfsec;
7001 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
7005 perfsec->sid = current_sid();
7006 event->security = perfsec;
7011 static void selinux_perf_event_free(struct perf_event *event)
7013 struct perf_event_security_struct *perfsec = event->security;
7015 event->security = NULL;
7019 static int selinux_perf_event_read(struct perf_event *event)
7021 struct perf_event_security_struct *perfsec = event->security;
7022 u32 sid = current_sid();
7024 return avc_has_perm(sid, perfsec->sid,
7025 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
7028 static int selinux_perf_event_write(struct perf_event *event)
7030 struct perf_event_security_struct *perfsec = event->security;
7031 u32 sid = current_sid();
7033 return avc_has_perm(sid, perfsec->sid,
7034 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
7038 #ifdef CONFIG_IO_URING
7040 * selinux_uring_override_creds - check the requested cred override
7041 * @new: the target creds
7043 * Check to see if the current task is allowed to override it's credentials
7044 * to service an io_uring operation.
7046 static int selinux_uring_override_creds(const struct cred *new)
7048 return avc_has_perm(current_sid(), cred_sid(new),
7049 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
7053 * selinux_uring_sqpoll - check if a io_uring polling thread can be created
7055 * Check to see if the current task is allowed to create a new io_uring
7056 * kernel polling thread.
7058 static int selinux_uring_sqpoll(void)
7060 u32 sid = current_sid();
7062 return avc_has_perm(sid, sid,
7063 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
7067 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
7068 * @ioucmd: the io_uring command structure
7070 * Check to see if the current domain is allowed to execute an
7071 * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
7074 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
7076 struct file *file = ioucmd->file;
7077 struct inode *inode = file_inode(file);
7078 struct inode_security_struct *isec = selinux_inode(inode);
7079 struct common_audit_data ad;
7081 ad.type = LSM_AUDIT_DATA_FILE;
7084 return avc_has_perm(current_sid(), isec->sid,
7085 SECCLASS_IO_URING, IO_URING__CMD, &ad);
7087 #endif /* CONFIG_IO_URING */
7089 static const struct lsm_id selinux_lsmid = {
7091 .id = LSM_ID_SELINUX,
7095 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
7096 * 1. any hooks that don't belong to (2.) or (3.) below,
7097 * 2. hooks that both access structures allocated by other hooks, and allocate
7098 * structures that can be later accessed by other hooks (mostly "cloning"
7100 * 3. hooks that only allocate structures that can be later accessed by other
7101 * hooks ("allocating" hooks).
7103 * Please follow block comment delimiters in the list to keep this order.
7105 static struct security_hook_list selinux_hooks[] __ro_after_init = {
7106 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7107 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7108 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7109 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7111 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7112 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7113 LSM_HOOK_INIT(capget, selinux_capget),
7114 LSM_HOOK_INIT(capset, selinux_capset),
7115 LSM_HOOK_INIT(capable, selinux_capable),
7116 LSM_HOOK_INIT(quotactl, selinux_quotactl),
7117 LSM_HOOK_INIT(quota_on, selinux_quota_on),
7118 LSM_HOOK_INIT(syslog, selinux_syslog),
7119 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7121 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7123 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7124 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7125 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7127 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7128 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7129 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7130 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7131 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7132 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7133 LSM_HOOK_INIT(sb_mount, selinux_mount),
7134 LSM_HOOK_INIT(sb_umount, selinux_umount),
7135 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7136 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7138 LSM_HOOK_INIT(move_mount, selinux_move_mount),
7140 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7141 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7143 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7144 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7145 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7146 LSM_HOOK_INIT(inode_create, selinux_inode_create),
7147 LSM_HOOK_INIT(inode_link, selinux_inode_link),
7148 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7149 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7150 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7151 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7152 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7153 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7154 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7155 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7156 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7157 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7158 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7159 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7160 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7161 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7162 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7163 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7164 LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
7165 LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
7166 LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
7167 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7168 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7169 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7170 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7171 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7172 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7173 LSM_HOOK_INIT(path_notify, selinux_path_notify),
7175 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7177 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7178 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7179 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7180 LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
7181 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7182 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7183 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7184 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7185 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7186 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7187 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7188 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7190 LSM_HOOK_INIT(file_open, selinux_file_open),
7192 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7193 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7194 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7195 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7196 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7197 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7198 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7199 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7200 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7201 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7202 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7203 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7204 LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7205 LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7206 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7207 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7208 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7209 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7210 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7211 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7212 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7213 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7214 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7215 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7216 LSM_HOOK_INIT(userns_create, selinux_userns_create),
7218 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7219 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7221 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7222 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7223 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7224 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7226 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7227 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7228 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7230 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7231 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7232 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7234 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7236 LSM_HOOK_INIT(getselfattr, selinux_getselfattr),
7237 LSM_HOOK_INIT(setselfattr, selinux_setselfattr),
7238 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7239 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7241 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7242 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7243 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7244 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7245 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7246 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7248 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7249 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7251 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7252 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7253 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7254 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7255 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7256 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7257 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7258 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7259 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7260 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7261 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7262 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7263 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7264 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7265 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7266 LSM_HOOK_INIT(socket_getpeersec_stream,
7267 selinux_socket_getpeersec_stream),
7268 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7269 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7270 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7271 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7272 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7273 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7274 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7275 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7276 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7277 LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
7278 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7279 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7280 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7281 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7282 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7283 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7284 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7285 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7286 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7287 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7288 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7289 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7290 #ifdef CONFIG_SECURITY_INFINIBAND
7291 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7292 LSM_HOOK_INIT(ib_endport_manage_subnet,
7293 selinux_ib_endport_manage_subnet),
7294 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7296 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7297 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7298 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7299 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7300 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7301 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7302 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7303 selinux_xfrm_state_pol_flow_match),
7304 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7308 LSM_HOOK_INIT(key_free, selinux_key_free),
7309 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7310 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7311 #ifdef CONFIG_KEY_NOTIFICATIONS
7312 LSM_HOOK_INIT(watch_key, selinux_watch_key),
7317 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7318 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7319 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7322 #ifdef CONFIG_BPF_SYSCALL
7323 LSM_HOOK_INIT(bpf, selinux_bpf),
7324 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7325 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7326 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7327 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7330 #ifdef CONFIG_PERF_EVENTS
7331 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7332 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7333 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7334 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7337 #ifdef CONFIG_IO_URING
7338 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7339 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7340 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7344 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7346 LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount),
7347 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7348 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7349 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7350 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7351 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7355 * PUT "ALLOCATING" HOOKS HERE
7357 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7358 LSM_HOOK_INIT(msg_queue_alloc_security,
7359 selinux_msg_queue_alloc_security),
7360 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7361 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7362 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7363 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7364 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7365 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7366 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7367 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7368 #ifdef CONFIG_SECURITY_INFINIBAND
7369 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7371 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7372 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7373 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7374 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7375 selinux_xfrm_state_alloc_acquire),
7378 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7381 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7383 #ifdef CONFIG_BPF_SYSCALL
7384 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7385 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7387 #ifdef CONFIG_PERF_EVENTS
7388 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7392 static __init int selinux_init(void)
7394 pr_info("SELinux: Initializing.\n");
7396 memset(&selinux_state, 0, sizeof(selinux_state));
7397 enforcing_set(selinux_enforcing_boot);
7399 mutex_init(&selinux_state.status_lock);
7400 mutex_init(&selinux_state.policy_mutex);
7402 /* Set the security state for the initial task. */
7403 cred_init_security();
7405 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7406 if (!default_noexec)
7407 pr_notice("SELinux: virtual memory is executable by default\n");
7413 ebitmap_cache_init();
7415 hashtab_cache_init();
7417 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks),
7420 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7421 panic("SELinux: Unable to register AVC netcache callback\n");
7423 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7424 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7426 if (selinux_enforcing_boot)
7427 pr_debug("SELinux: Starting in enforcing mode\n");
7429 pr_debug("SELinux: Starting in permissive mode\n");
7431 fs_validate_description("selinux", selinux_fs_parameters);
7436 static void delayed_superblock_init(struct super_block *sb, void *unused)
7438 selinux_set_mnt_opts(sb, NULL, 0, NULL);
7441 void selinux_complete_init(void)
7443 pr_debug("SELinux: Completing initialization.\n");
7445 /* Set up any superblocks initialized prior to the policy load. */
7446 pr_debug("SELinux: Setting up existing superblocks.\n");
7447 iterate_supers(delayed_superblock_init, NULL);
7450 /* SELinux requires early initialization in order to label
7451 all processes and objects when they are created. */
7452 DEFINE_LSM(selinux) = {
7454 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7455 .enabled = &selinux_enabled_boot,
7456 .blobs = &selinux_blob_sizes,
7457 .init = selinux_init,
7460 #if defined(CONFIG_NETFILTER)
7461 static const struct nf_hook_ops selinux_nf_ops[] = {
7463 .hook = selinux_ip_postroute,
7465 .hooknum = NF_INET_POST_ROUTING,
7466 .priority = NF_IP_PRI_SELINUX_LAST,
7469 .hook = selinux_ip_forward,
7471 .hooknum = NF_INET_FORWARD,
7472 .priority = NF_IP_PRI_SELINUX_FIRST,
7475 .hook = selinux_ip_output,
7477 .hooknum = NF_INET_LOCAL_OUT,
7478 .priority = NF_IP_PRI_SELINUX_FIRST,
7480 #if IS_ENABLED(CONFIG_IPV6)
7482 .hook = selinux_ip_postroute,
7484 .hooknum = NF_INET_POST_ROUTING,
7485 .priority = NF_IP6_PRI_SELINUX_LAST,
7488 .hook = selinux_ip_forward,
7490 .hooknum = NF_INET_FORWARD,
7491 .priority = NF_IP6_PRI_SELINUX_FIRST,
7494 .hook = selinux_ip_output,
7496 .hooknum = NF_INET_LOCAL_OUT,
7497 .priority = NF_IP6_PRI_SELINUX_FIRST,
7502 static int __net_init selinux_nf_register(struct net *net)
7504 return nf_register_net_hooks(net, selinux_nf_ops,
7505 ARRAY_SIZE(selinux_nf_ops));
7508 static void __net_exit selinux_nf_unregister(struct net *net)
7510 nf_unregister_net_hooks(net, selinux_nf_ops,
7511 ARRAY_SIZE(selinux_nf_ops));
7514 static struct pernet_operations selinux_net_ops = {
7515 .init = selinux_nf_register,
7516 .exit = selinux_nf_unregister,
7519 static int __init selinux_nf_ip_init(void)
7523 if (!selinux_enabled_boot)
7526 pr_debug("SELinux: Registering netfilter hooks\n");
7528 err = register_pernet_subsys(&selinux_net_ops);
7530 panic("SELinux: register_pernet_subsys: error %d\n", err);
7534 __initcall(selinux_nf_ip_init);
7535 #endif /* CONFIG_NETFILTER */
projects / J-linux.git / blob