2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
103 struct selinux_state selinux_state;
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
111 static int __init enforcing_setup(char *str)
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
118 __setup("enforcing=", enforcing_setup);
120 #define selinux_enforcing_boot 1
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
126 static int __init selinux_enabled_setup(char *str)
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
133 __setup("selinux=", selinux_enabled_setup);
135 int selinux_enabled = 1;
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 static int __init checkreqprot_setup(char *str)
143 unsigned long checkreqprot;
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
149 __setup("checkreqprot=", checkreqprot_setup);
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
165 static int selinux_secmark_enabled(void)
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
181 static int selinux_peerlbl_enabled(void)
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
187 static int selinux_netcache_avc_callback(u32 event)
189 if (event == AVC_CALLBACK_RESET) {
198 static int selinux_lsm_notifier_avc_callback(u32 event)
200 if (event == AVC_CALLBACK_RESET) {
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
209 * initialise the security for the init task
211 static void cred_init_security(void)
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
218 panic("SELinux: Failed to initialize initial task.\n");
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
225 * get the security ID of a set of credentials
227 static inline u32 cred_sid(const struct cred *cred)
229 const struct task_security_struct *tsec;
231 tsec = cred->security;
236 * get the objective security ID of a task
238 static inline u32 task_sid(const struct task_struct *task)
243 sid = cred_sid(__task_cred(task));
248 /* Allocate and free functions for each kind of security blob. */
250 static int inode_alloc_security(struct inode *inode)
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
278 * when no dentry is available, set it to NULL instead.
280 static int __inode_security_revalidate(struct inode *inode,
281 struct dentry *opt_dentry,
284 struct inode_security_struct *isec = inode->i_security;
286 might_sleep_if(may_sleep);
288 if (selinux_state.initialized &&
289 isec->initialized != LABEL_INITIALIZED) {
294 * Try reloading the inode security label. This will fail if
295 * @opt_dentry is NULL and no dentry for this inode can be
296 * found; in that case, continue using the old label.
298 inode_doinit_with_dentry(inode, opt_dentry);
303 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
305 return inode->i_security;
308 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
312 error = __inode_security_revalidate(inode, NULL, !rcu);
314 return ERR_PTR(error);
315 return inode->i_security;
319 * Get the security label of an inode.
321 static struct inode_security_struct *inode_security(struct inode *inode)
323 __inode_security_revalidate(inode, NULL, true);
324 return inode->i_security;
327 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
329 struct inode *inode = d_backing_inode(dentry);
331 return inode->i_security;
335 * Get the security label of a dentry's backing inode.
337 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
339 struct inode *inode = d_backing_inode(dentry);
341 __inode_security_revalidate(inode, dentry, true);
342 return inode->i_security;
345 static void inode_free_rcu(struct rcu_head *head)
347 struct inode_security_struct *isec;
349 isec = container_of(head, struct inode_security_struct, rcu);
350 kmem_cache_free(sel_inode_cache, isec);
353 static void inode_free_security(struct inode *inode)
355 struct inode_security_struct *isec = inode->i_security;
356 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
359 * As not all inode security structures are in a list, we check for
360 * empty list outside of the lock to make sure that we won't waste
361 * time taking a lock doing nothing.
363 * The list_del_init() function can be safely called more than once.
364 * It should not be possible for this function to be called with
365 * concurrent list_add(), but for better safety against future changes
366 * in the code, we use list_empty_careful() here.
368 if (!list_empty_careful(&isec->list)) {
369 spin_lock(&sbsec->isec_lock);
370 list_del_init(&isec->list);
371 spin_unlock(&sbsec->isec_lock);
375 * The inode may still be referenced in a path walk and
376 * a call to selinux_inode_permission() can be made
377 * after inode_free_security() is called. Ideally, the VFS
378 * wouldn't do this, but fixing that is a much harder
379 * job. For now, simply free the i_security via RCU, and
380 * leave the current inode->i_security pointer intact.
381 * The inode will be freed after the RCU grace period too.
383 call_rcu(&isec->rcu, inode_free_rcu);
386 static int file_alloc_security(struct file *file)
388 struct file_security_struct *fsec;
389 u32 sid = current_sid();
391 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
396 fsec->fown_sid = sid;
397 file->f_security = fsec;
402 static void file_free_security(struct file *file)
404 struct file_security_struct *fsec = file->f_security;
405 file->f_security = NULL;
406 kmem_cache_free(file_security_cache, fsec);
409 static int superblock_alloc_security(struct super_block *sb)
411 struct superblock_security_struct *sbsec;
413 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
417 mutex_init(&sbsec->lock);
418 INIT_LIST_HEAD(&sbsec->isec_head);
419 spin_lock_init(&sbsec->isec_lock);
421 sbsec->sid = SECINITSID_UNLABELED;
422 sbsec->def_sid = SECINITSID_FILE;
423 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
424 sb->s_security = sbsec;
429 static void superblock_free_security(struct super_block *sb)
431 struct superblock_security_struct *sbsec = sb->s_security;
432 sb->s_security = NULL;
436 static inline int inode_doinit(struct inode *inode)
438 return inode_doinit_with_dentry(inode, NULL);
447 Opt_labelsupport = 5,
451 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
453 static const match_table_t tokens = {
454 {Opt_context, CONTEXT_STR "%s"},
455 {Opt_fscontext, FSCONTEXT_STR "%s"},
456 {Opt_defcontext, DEFCONTEXT_STR "%s"},
457 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
458 {Opt_labelsupport, LABELSUPP_STR},
462 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
464 static int may_context_mount_sb_relabel(u32 sid,
465 struct superblock_security_struct *sbsec,
466 const struct cred *cred)
468 const struct task_security_struct *tsec = cred->security;
471 rc = avc_has_perm(&selinux_state,
472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 FILESYSTEM__RELABELFROM, NULL);
477 rc = avc_has_perm(&selinux_state,
478 tsec->sid, sid, SECCLASS_FILESYSTEM,
479 FILESYSTEM__RELABELTO, NULL);
483 static int may_context_mount_inode_relabel(u32 sid,
484 struct superblock_security_struct *sbsec,
485 const struct cred *cred)
487 const struct task_security_struct *tsec = cred->security;
489 rc = avc_has_perm(&selinux_state,
490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
491 FILESYSTEM__RELABELFROM, NULL);
495 rc = avc_has_perm(&selinux_state,
496 sid, sbsec->sid, SECCLASS_FILESYSTEM,
497 FILESYSTEM__ASSOCIATE, NULL);
501 static int selinux_is_sblabel_mnt(struct super_block *sb)
503 struct superblock_security_struct *sbsec = sb->s_security;
505 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
506 sbsec->behavior == SECURITY_FS_USE_TRANS ||
507 sbsec->behavior == SECURITY_FS_USE_TASK ||
508 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
509 /* Special handling. Genfs but also in-core setxattr handler */
510 !strcmp(sb->s_type->name, "sysfs") ||
511 !strcmp(sb->s_type->name, "pstore") ||
512 !strcmp(sb->s_type->name, "debugfs") ||
513 !strcmp(sb->s_type->name, "tracefs") ||
514 !strcmp(sb->s_type->name, "rootfs") ||
515 (selinux_policycap_cgroupseclabel() &&
516 (!strcmp(sb->s_type->name, "cgroup") ||
517 !strcmp(sb->s_type->name, "cgroup2")));
520 static int sb_finish_set_opts(struct super_block *sb)
522 struct superblock_security_struct *sbsec = sb->s_security;
523 struct dentry *root = sb->s_root;
524 struct inode *root_inode = d_backing_inode(root);
527 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
528 /* Make sure that the xattr handler exists and that no
529 error other than -ENODATA is returned by getxattr on
530 the root directory. -ENODATA is ok, as this may be
531 the first boot of the SELinux kernel before we have
532 assigned xattr values to the filesystem. */
533 if (!(root_inode->i_opflags & IOP_XATTR)) {
534 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
535 "xattr support\n", sb->s_id, sb->s_type->name);
540 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
541 if (rc < 0 && rc != -ENODATA) {
542 if (rc == -EOPNOTSUPP)
543 printk(KERN_WARNING "SELinux: (dev %s, type "
544 "%s) has no security xattr handler\n",
545 sb->s_id, sb->s_type->name);
547 printk(KERN_WARNING "SELinux: (dev %s, type "
548 "%s) getxattr errno %d\n", sb->s_id,
549 sb->s_type->name, -rc);
554 sbsec->flags |= SE_SBINITIALIZED;
557 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
558 * leave the flag untouched because sb_clone_mnt_opts might be handing
559 * us a superblock that needs the flag to be cleared.
561 if (selinux_is_sblabel_mnt(sb))
562 sbsec->flags |= SBLABEL_MNT;
564 sbsec->flags &= ~SBLABEL_MNT;
566 /* Initialize the root inode. */
567 rc = inode_doinit_with_dentry(root_inode, root);
569 /* Initialize any other inodes associated with the superblock, e.g.
570 inodes created prior to initial policy load or inodes created
571 during get_sb by a pseudo filesystem that directly
573 spin_lock(&sbsec->isec_lock);
575 if (!list_empty(&sbsec->isec_head)) {
576 struct inode_security_struct *isec =
577 list_entry(sbsec->isec_head.next,
578 struct inode_security_struct, list);
579 struct inode *inode = isec->inode;
580 list_del_init(&isec->list);
581 spin_unlock(&sbsec->isec_lock);
582 inode = igrab(inode);
584 if (!IS_PRIVATE(inode))
588 spin_lock(&sbsec->isec_lock);
591 spin_unlock(&sbsec->isec_lock);
597 * This function should allow an FS to ask what it's mount security
598 * options were so it can use those later for submounts, displaying
599 * mount options, or whatever.
601 static int selinux_get_mnt_opts(const struct super_block *sb,
602 struct security_mnt_opts *opts)
605 struct superblock_security_struct *sbsec = sb->s_security;
606 char *context = NULL;
610 security_init_mnt_opts(opts);
612 if (!(sbsec->flags & SE_SBINITIALIZED))
615 if (!selinux_state.initialized)
618 /* make sure we always check enough bits to cover the mask */
619 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
621 tmp = sbsec->flags & SE_MNTMASK;
622 /* count the number of mount options for this sb */
623 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
625 opts->num_mnt_opts++;
628 /* Check if the Label support flag is set */
629 if (sbsec->flags & SBLABEL_MNT)
630 opts->num_mnt_opts++;
632 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
633 if (!opts->mnt_opts) {
638 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
639 if (!opts->mnt_opts_flags) {
645 if (sbsec->flags & FSCONTEXT_MNT) {
646 rc = security_sid_to_context(&selinux_state, sbsec->sid,
650 opts->mnt_opts[i] = context;
651 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
653 if (sbsec->flags & CONTEXT_MNT) {
654 rc = security_sid_to_context(&selinux_state,
659 opts->mnt_opts[i] = context;
660 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
662 if (sbsec->flags & DEFCONTEXT_MNT) {
663 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
667 opts->mnt_opts[i] = context;
668 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
670 if (sbsec->flags & ROOTCONTEXT_MNT) {
671 struct dentry *root = sbsec->sb->s_root;
672 struct inode_security_struct *isec = backing_inode_security(root);
674 rc = security_sid_to_context(&selinux_state, isec->sid,
678 opts->mnt_opts[i] = context;
679 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
681 if (sbsec->flags & SBLABEL_MNT) {
682 opts->mnt_opts[i] = NULL;
683 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
686 BUG_ON(i != opts->num_mnt_opts);
691 security_free_mnt_opts(opts);
695 static int bad_option(struct superblock_security_struct *sbsec, char flag,
696 u32 old_sid, u32 new_sid)
698 char mnt_flags = sbsec->flags & SE_MNTMASK;
700 /* check if the old mount command had the same options */
701 if (sbsec->flags & SE_SBINITIALIZED)
702 if (!(sbsec->flags & flag) ||
703 (old_sid != new_sid))
706 /* check if we were passed the same options twice,
707 * aka someone passed context=a,context=b
709 if (!(sbsec->flags & SE_SBINITIALIZED))
710 if (mnt_flags & flag)
716 * Allow filesystems with binary mount data to explicitly set mount point
717 * labeling information.
719 static int selinux_set_mnt_opts(struct super_block *sb,
720 struct security_mnt_opts *opts,
721 unsigned long kern_flags,
722 unsigned long *set_kern_flags)
724 const struct cred *cred = current_cred();
726 struct superblock_security_struct *sbsec = sb->s_security;
727 const char *name = sb->s_type->name;
728 struct dentry *root = sbsec->sb->s_root;
729 struct inode_security_struct *root_isec;
730 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
731 u32 defcontext_sid = 0;
732 char **mount_options = opts->mnt_opts;
733 int *flags = opts->mnt_opts_flags;
734 int num_opts = opts->num_mnt_opts;
736 mutex_lock(&sbsec->lock);
738 if (!selinux_state.initialized) {
740 /* Defer initialization until selinux_complete_init,
741 after the initial policy is loaded and the security
742 server is ready to handle calls. */
746 printk(KERN_WARNING "SELinux: Unable to set superblock options "
747 "before the security server is initialized\n");
750 if (kern_flags && !set_kern_flags) {
751 /* Specifying internal flags without providing a place to
752 * place the results is not allowed */
758 * Binary mount data FS will come through this function twice. Once
759 * from an explicit call and once from the generic calls from the vfs.
760 * Since the generic VFS calls will not contain any security mount data
761 * we need to skip the double mount verification.
763 * This does open a hole in which we will not notice if the first
764 * mount using this sb set explict options and a second mount using
765 * this sb does not set any security options. (The first options
766 * will be used for both mounts)
768 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
772 root_isec = backing_inode_security_novalidate(root);
775 * parse the mount options, check if they are valid sids.
776 * also check if someone is trying to mount the same sb more
777 * than once with different security options.
779 for (i = 0; i < num_opts; i++) {
782 if (flags[i] == SBLABEL_MNT)
784 rc = security_context_str_to_sid(&selinux_state,
785 mount_options[i], &sid,
788 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
789 "(%s) failed for (dev %s, type %s) errno=%d\n",
790 mount_options[i], sb->s_id, name, rc);
797 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
799 goto out_double_mount;
801 sbsec->flags |= FSCONTEXT_MNT;
806 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
808 goto out_double_mount;
810 sbsec->flags |= CONTEXT_MNT;
812 case ROOTCONTEXT_MNT:
813 rootcontext_sid = sid;
815 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
817 goto out_double_mount;
819 sbsec->flags |= ROOTCONTEXT_MNT;
823 defcontext_sid = sid;
825 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
827 goto out_double_mount;
829 sbsec->flags |= DEFCONTEXT_MNT;
838 if (sbsec->flags & SE_SBINITIALIZED) {
839 /* previously mounted with options, but not on this attempt? */
840 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
841 goto out_double_mount;
846 if (strcmp(sb->s_type->name, "proc") == 0)
847 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
849 if (!strcmp(sb->s_type->name, "debugfs") ||
850 !strcmp(sb->s_type->name, "tracefs") ||
851 !strcmp(sb->s_type->name, "sysfs") ||
852 !strcmp(sb->s_type->name, "pstore") ||
853 !strcmp(sb->s_type->name, "cgroup") ||
854 !strcmp(sb->s_type->name, "cgroup2"))
855 sbsec->flags |= SE_SBGENFS;
857 if (!sbsec->behavior) {
859 * Determine the labeling behavior to use for this
862 rc = security_fs_use(&selinux_state, sb);
865 "%s: security_fs_use(%s) returned %d\n",
866 __func__, sb->s_type->name, rc);
872 * If this is a user namespace mount and the filesystem type is not
873 * explicitly whitelisted, then no contexts are allowed on the command
874 * line and security labels must be ignored.
876 if (sb->s_user_ns != &init_user_ns &&
877 strcmp(sb->s_type->name, "tmpfs") &&
878 strcmp(sb->s_type->name, "ramfs") &&
879 strcmp(sb->s_type->name, "devpts")) {
880 if (context_sid || fscontext_sid || rootcontext_sid ||
885 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
886 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
887 rc = security_transition_sid(&selinux_state,
891 &sbsec->mntpoint_sid);
898 /* sets the context of the superblock for the fs being mounted. */
900 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
904 sbsec->sid = fscontext_sid;
908 * Switch to using mount point labeling behavior.
909 * sets the label used on all file below the mountpoint, and will set
910 * the superblock context if not already set.
912 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
913 sbsec->behavior = SECURITY_FS_USE_NATIVE;
914 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
918 if (!fscontext_sid) {
919 rc = may_context_mount_sb_relabel(context_sid, sbsec,
923 sbsec->sid = context_sid;
925 rc = may_context_mount_inode_relabel(context_sid, sbsec,
930 if (!rootcontext_sid)
931 rootcontext_sid = context_sid;
933 sbsec->mntpoint_sid = context_sid;
934 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
937 if (rootcontext_sid) {
938 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
943 root_isec->sid = rootcontext_sid;
944 root_isec->initialized = LABEL_INITIALIZED;
947 if (defcontext_sid) {
948 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
949 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
951 printk(KERN_WARNING "SELinux: defcontext option is "
952 "invalid for this filesystem type\n");
956 if (defcontext_sid != sbsec->def_sid) {
957 rc = may_context_mount_inode_relabel(defcontext_sid,
963 sbsec->def_sid = defcontext_sid;
967 rc = sb_finish_set_opts(sb);
969 mutex_unlock(&sbsec->lock);
973 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
974 "security settings for (dev %s, type %s)\n", sb->s_id, name);
978 static int selinux_cmp_sb_context(const struct super_block *oldsb,
979 const struct super_block *newsb)
981 struct superblock_security_struct *old = oldsb->s_security;
982 struct superblock_security_struct *new = newsb->s_security;
983 char oldflags = old->flags & SE_MNTMASK;
984 char newflags = new->flags & SE_MNTMASK;
986 if (oldflags != newflags)
988 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
990 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
992 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
994 if (oldflags & ROOTCONTEXT_MNT) {
995 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
996 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
997 if (oldroot->sid != newroot->sid)
1002 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
1003 "different security settings for (dev %s, "
1004 "type %s)\n", newsb->s_id, newsb->s_type->name);
1008 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1009 struct super_block *newsb,
1010 unsigned long kern_flags,
1011 unsigned long *set_kern_flags)
1014 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1015 struct superblock_security_struct *newsbsec = newsb->s_security;
1017 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1018 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1019 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1022 * if the parent was able to be mounted it clearly had no special lsm
1023 * mount options. thus we can safely deal with this superblock later
1025 if (!selinux_state.initialized)
1029 * Specifying internal flags without providing a place to
1030 * place the results is not allowed.
1032 if (kern_flags && !set_kern_flags)
1035 /* how can we clone if the old one wasn't set up?? */
1036 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1038 /* if fs is reusing a sb, make sure that the contexts match */
1039 if (newsbsec->flags & SE_SBINITIALIZED)
1040 return selinux_cmp_sb_context(oldsb, newsb);
1042 mutex_lock(&newsbsec->lock);
1044 newsbsec->flags = oldsbsec->flags;
1046 newsbsec->sid = oldsbsec->sid;
1047 newsbsec->def_sid = oldsbsec->def_sid;
1048 newsbsec->behavior = oldsbsec->behavior;
1050 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1051 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1052 rc = security_fs_use(&selinux_state, newsb);
1057 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1058 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1059 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1063 u32 sid = oldsbsec->mntpoint_sid;
1066 newsbsec->sid = sid;
1067 if (!set_rootcontext) {
1068 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1071 newsbsec->mntpoint_sid = sid;
1073 if (set_rootcontext) {
1074 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1075 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1077 newisec->sid = oldisec->sid;
1080 sb_finish_set_opts(newsb);
1082 mutex_unlock(&newsbsec->lock);
1086 static int selinux_parse_opts_str(char *options,
1087 struct security_mnt_opts *opts)
1090 char *context = NULL, *defcontext = NULL;
1091 char *fscontext = NULL, *rootcontext = NULL;
1092 int rc, num_mnt_opts = 0;
1094 opts->num_mnt_opts = 0;
1096 /* Standard string-based options. */
1097 while ((p = strsep(&options, "|")) != NULL) {
1099 substring_t args[MAX_OPT_ARGS];
1104 token = match_token(p, tokens, args);
1108 if (context || defcontext) {
1110 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1113 context = match_strdup(&args[0]);
1123 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1126 fscontext = match_strdup(&args[0]);
1133 case Opt_rootcontext:
1136 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1139 rootcontext = match_strdup(&args[0]);
1146 case Opt_defcontext:
1147 if (context || defcontext) {
1149 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1152 defcontext = match_strdup(&args[0]);
1158 case Opt_labelsupport:
1162 printk(KERN_WARNING "SELinux: unknown mount option\n");
1169 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1170 if (!opts->mnt_opts)
1173 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1175 if (!opts->mnt_opts_flags)
1179 opts->mnt_opts[num_mnt_opts] = fscontext;
1180 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1183 opts->mnt_opts[num_mnt_opts] = context;
1184 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1187 opts->mnt_opts[num_mnt_opts] = rootcontext;
1188 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1191 opts->mnt_opts[num_mnt_opts] = defcontext;
1192 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1195 opts->num_mnt_opts = num_mnt_opts;
1199 security_free_mnt_opts(opts);
1207 * string mount options parsing and call set the sbsec
1209 static int superblock_doinit(struct super_block *sb, void *data)
1212 char *options = data;
1213 struct security_mnt_opts opts;
1215 security_init_mnt_opts(&opts);
1220 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1222 rc = selinux_parse_opts_str(options, &opts);
1227 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1230 security_free_mnt_opts(&opts);
1234 static void selinux_write_opts(struct seq_file *m,
1235 struct security_mnt_opts *opts)
1240 for (i = 0; i < opts->num_mnt_opts; i++) {
1243 if (opts->mnt_opts[i])
1244 has_comma = strchr(opts->mnt_opts[i], ',');
1248 switch (opts->mnt_opts_flags[i]) {
1250 prefix = CONTEXT_STR;
1253 prefix = FSCONTEXT_STR;
1255 case ROOTCONTEXT_MNT:
1256 prefix = ROOTCONTEXT_STR;
1258 case DEFCONTEXT_MNT:
1259 prefix = DEFCONTEXT_STR;
1263 seq_puts(m, LABELSUPP_STR);
1269 /* we need a comma before each option */
1271 seq_puts(m, prefix);
1274 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1280 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1282 struct security_mnt_opts opts;
1285 rc = selinux_get_mnt_opts(sb, &opts);
1287 /* before policy load we may get EINVAL, don't show anything */
1293 selinux_write_opts(m, &opts);
1295 security_free_mnt_opts(&opts);
1300 static inline u16 inode_mode_to_security_class(umode_t mode)
1302 switch (mode & S_IFMT) {
1304 return SECCLASS_SOCK_FILE;
1306 return SECCLASS_LNK_FILE;
1308 return SECCLASS_FILE;
1310 return SECCLASS_BLK_FILE;
1312 return SECCLASS_DIR;
1314 return SECCLASS_CHR_FILE;
1316 return SECCLASS_FIFO_FILE;
1320 return SECCLASS_FILE;
1323 static inline int default_protocol_stream(int protocol)
1325 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1328 static inline int default_protocol_dgram(int protocol)
1330 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1333 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1335 int extsockclass = selinux_policycap_extsockclass();
1341 case SOCK_SEQPACKET:
1342 return SECCLASS_UNIX_STREAM_SOCKET;
1345 return SECCLASS_UNIX_DGRAM_SOCKET;
1352 case SOCK_SEQPACKET:
1353 if (default_protocol_stream(protocol))
1354 return SECCLASS_TCP_SOCKET;
1355 else if (extsockclass && protocol == IPPROTO_SCTP)
1356 return SECCLASS_SCTP_SOCKET;
1358 return SECCLASS_RAWIP_SOCKET;
1360 if (default_protocol_dgram(protocol))
1361 return SECCLASS_UDP_SOCKET;
1362 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1363 protocol == IPPROTO_ICMPV6))
1364 return SECCLASS_ICMP_SOCKET;
1366 return SECCLASS_RAWIP_SOCKET;
1368 return SECCLASS_DCCP_SOCKET;
1370 return SECCLASS_RAWIP_SOCKET;
1376 return SECCLASS_NETLINK_ROUTE_SOCKET;
1377 case NETLINK_SOCK_DIAG:
1378 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1380 return SECCLASS_NETLINK_NFLOG_SOCKET;
1382 return SECCLASS_NETLINK_XFRM_SOCKET;
1383 case NETLINK_SELINUX:
1384 return SECCLASS_NETLINK_SELINUX_SOCKET;
1386 return SECCLASS_NETLINK_ISCSI_SOCKET;
1388 return SECCLASS_NETLINK_AUDIT_SOCKET;
1389 case NETLINK_FIB_LOOKUP:
1390 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1391 case NETLINK_CONNECTOR:
1392 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1393 case NETLINK_NETFILTER:
1394 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1395 case NETLINK_DNRTMSG:
1396 return SECCLASS_NETLINK_DNRT_SOCKET;
1397 case NETLINK_KOBJECT_UEVENT:
1398 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1399 case NETLINK_GENERIC:
1400 return SECCLASS_NETLINK_GENERIC_SOCKET;
1401 case NETLINK_SCSITRANSPORT:
1402 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1404 return SECCLASS_NETLINK_RDMA_SOCKET;
1405 case NETLINK_CRYPTO:
1406 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1408 return SECCLASS_NETLINK_SOCKET;
1411 return SECCLASS_PACKET_SOCKET;
1413 return SECCLASS_KEY_SOCKET;
1415 return SECCLASS_APPLETALK_SOCKET;
1421 return SECCLASS_AX25_SOCKET;
1423 return SECCLASS_IPX_SOCKET;
1425 return SECCLASS_NETROM_SOCKET;
1427 return SECCLASS_ATMPVC_SOCKET;
1429 return SECCLASS_X25_SOCKET;
1431 return SECCLASS_ROSE_SOCKET;
1433 return SECCLASS_DECNET_SOCKET;
1435 return SECCLASS_ATMSVC_SOCKET;
1437 return SECCLASS_RDS_SOCKET;
1439 return SECCLASS_IRDA_SOCKET;
1441 return SECCLASS_PPPOX_SOCKET;
1443 return SECCLASS_LLC_SOCKET;
1445 return SECCLASS_CAN_SOCKET;
1447 return SECCLASS_TIPC_SOCKET;
1449 return SECCLASS_BLUETOOTH_SOCKET;
1451 return SECCLASS_IUCV_SOCKET;
1453 return SECCLASS_RXRPC_SOCKET;
1455 return SECCLASS_ISDN_SOCKET;
1457 return SECCLASS_PHONET_SOCKET;
1459 return SECCLASS_IEEE802154_SOCKET;
1461 return SECCLASS_CAIF_SOCKET;
1463 return SECCLASS_ALG_SOCKET;
1465 return SECCLASS_NFC_SOCKET;
1467 return SECCLASS_VSOCK_SOCKET;
1469 return SECCLASS_KCM_SOCKET;
1471 return SECCLASS_QIPCRTR_SOCKET;
1473 return SECCLASS_SMC_SOCKET;
1475 #error New address family defined, please update this function.
1480 return SECCLASS_SOCKET;
1483 static int selinux_genfs_get_sid(struct dentry *dentry,
1489 struct super_block *sb = dentry->d_sb;
1490 char *buffer, *path;
1492 buffer = (char *)__get_free_page(GFP_KERNEL);
1496 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1500 if (flags & SE_SBPROC) {
1501 /* each process gets a /proc/PID/ entry. Strip off the
1502 * PID part to get a valid selinux labeling.
1503 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1504 while (path[1] >= '0' && path[1] <= '9') {
1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1512 free_page((unsigned long)buffer);
1516 /* The inode's security attributes must be initialized before first use. */
1517 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1519 struct superblock_security_struct *sbsec = NULL;
1520 struct inode_security_struct *isec = inode->i_security;
1521 u32 task_sid, sid = 0;
1523 struct dentry *dentry;
1524 #define INITCONTEXTLEN 255
1525 char *context = NULL;
1529 if (isec->initialized == LABEL_INITIALIZED)
1532 spin_lock(&isec->lock);
1533 if (isec->initialized == LABEL_INITIALIZED)
1536 if (isec->sclass == SECCLASS_FILE)
1537 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1539 sbsec = inode->i_sb->s_security;
1540 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1541 /* Defer initialization until selinux_complete_init,
1542 after the initial policy is loaded and the security
1543 server is ready to handle calls. */
1544 spin_lock(&sbsec->isec_lock);
1545 if (list_empty(&isec->list))
1546 list_add(&isec->list, &sbsec->isec_head);
1547 spin_unlock(&sbsec->isec_lock);
1551 sclass = isec->sclass;
1552 task_sid = isec->task_sid;
1554 isec->initialized = LABEL_PENDING;
1555 spin_unlock(&isec->lock);
1557 switch (sbsec->behavior) {
1558 case SECURITY_FS_USE_NATIVE:
1560 case SECURITY_FS_USE_XATTR:
1561 if (!(inode->i_opflags & IOP_XATTR)) {
1562 sid = sbsec->def_sid;
1565 /* Need a dentry, since the xattr API requires one.
1566 Life would be simpler if we could just pass the inode. */
1568 /* Called from d_instantiate or d_splice_alias. */
1569 dentry = dget(opt_dentry);
1571 /* Called from selinux_complete_init, try to find a dentry. */
1572 dentry = d_find_alias(inode);
1576 * this is can be hit on boot when a file is accessed
1577 * before the policy is loaded. When we load policy we
1578 * may find inodes that have no dentry on the
1579 * sbsec->isec_head list. No reason to complain as these
1580 * will get fixed up the next time we go through
1581 * inode_doinit with a dentry, before these inodes could
1582 * be used again by userspace.
1587 len = INITCONTEXTLEN;
1588 context = kmalloc(len+1, GFP_NOFS);
1594 context[len] = '\0';
1595 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1596 if (rc == -ERANGE) {
1599 /* Need a larger buffer. Query for the right size. */
1600 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1606 context = kmalloc(len+1, GFP_NOFS);
1612 context[len] = '\0';
1613 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1617 if (rc != -ENODATA) {
1618 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1619 "%d for dev=%s ino=%ld\n", __func__,
1620 -rc, inode->i_sb->s_id, inode->i_ino);
1624 /* Map ENODATA to the default file SID */
1625 sid = sbsec->def_sid;
1628 rc = security_context_to_sid_default(&selinux_state,
1633 char *dev = inode->i_sb->s_id;
1634 unsigned long ino = inode->i_ino;
1636 if (rc == -EINVAL) {
1637 if (printk_ratelimit())
1638 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1639 "context=%s. This indicates you may need to relabel the inode or the "
1640 "filesystem in question.\n", ino, dev, context);
1642 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1643 "returned %d for dev=%s ino=%ld\n",
1644 __func__, context, -rc, dev, ino);
1647 /* Leave with the unlabeled SID */
1654 case SECURITY_FS_USE_TASK:
1657 case SECURITY_FS_USE_TRANS:
1658 /* Default to the fs SID. */
1661 /* Try to obtain a transition SID. */
1662 rc = security_transition_sid(&selinux_state, task_sid, sid,
1663 sclass, NULL, &sid);
1667 case SECURITY_FS_USE_MNTPOINT:
1668 sid = sbsec->mntpoint_sid;
1671 /* Default to the fs superblock SID. */
1674 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1675 /* We must have a dentry to determine the label on
1678 /* Called from d_instantiate or
1679 * d_splice_alias. */
1680 dentry = dget(opt_dentry);
1682 /* Called from selinux_complete_init, try to
1684 dentry = d_find_alias(inode);
1686 * This can be hit on boot when a file is accessed
1687 * before the policy is loaded. When we load policy we
1688 * may find inodes that have no dentry on the
1689 * sbsec->isec_head list. No reason to complain as
1690 * these will get fixed up the next time we go through
1691 * inode_doinit() with a dentry, before these inodes
1692 * could be used again by userspace.
1696 rc = selinux_genfs_get_sid(dentry, sclass,
1697 sbsec->flags, &sid);
1706 spin_lock(&isec->lock);
1707 if (isec->initialized == LABEL_PENDING) {
1709 isec->initialized = LABEL_INVALID;
1713 isec->initialized = LABEL_INITIALIZED;
1718 spin_unlock(&isec->lock);
1722 /* Convert a Linux signal to an access vector. */
1723 static inline u32 signal_to_av(int sig)
1729 /* Commonly granted from child to parent. */
1730 perm = PROCESS__SIGCHLD;
1733 /* Cannot be caught or ignored */
1734 perm = PROCESS__SIGKILL;
1737 /* Cannot be caught or ignored */
1738 perm = PROCESS__SIGSTOP;
1741 /* All other signals. */
1742 perm = PROCESS__SIGNAL;
1749 #if CAP_LAST_CAP > 63
1750 #error Fix SELinux to handle capabilities > 63.
1753 /* Check whether a task is allowed to use a capability. */
1754 static int cred_has_capability(const struct cred *cred,
1755 int cap, int audit, bool initns)
1757 struct common_audit_data ad;
1758 struct av_decision avd;
1760 u32 sid = cred_sid(cred);
1761 u32 av = CAP_TO_MASK(cap);
1764 ad.type = LSM_AUDIT_DATA_CAP;
1767 switch (CAP_TO_INDEX(cap)) {
1769 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1772 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1776 "SELinux: out of range capability %d\n", cap);
1781 rc = avc_has_perm_noaudit(&selinux_state,
1782 sid, sid, sclass, av, 0, &avd);
1783 if (audit == SECURITY_CAP_AUDIT) {
1784 int rc2 = avc_audit(&selinux_state,
1785 sid, sid, sclass, av, &avd, rc, &ad, 0);
1792 /* Check whether a task has a particular permission to an inode.
1793 The 'adp' parameter is optional and allows other audit
1794 data to be passed (e.g. the dentry). */
1795 static int inode_has_perm(const struct cred *cred,
1796 struct inode *inode,
1798 struct common_audit_data *adp)
1800 struct inode_security_struct *isec;
1803 validate_creds(cred);
1805 if (unlikely(IS_PRIVATE(inode)))
1808 sid = cred_sid(cred);
1809 isec = inode->i_security;
1811 return avc_has_perm(&selinux_state,
1812 sid, isec->sid, isec->sclass, perms, adp);
1815 /* Same as inode_has_perm, but pass explicit audit data containing
1816 the dentry to help the auditing code to more easily generate the
1817 pathname if needed. */
1818 static inline int dentry_has_perm(const struct cred *cred,
1819 struct dentry *dentry,
1822 struct inode *inode = d_backing_inode(dentry);
1823 struct common_audit_data ad;
1825 ad.type = LSM_AUDIT_DATA_DENTRY;
1826 ad.u.dentry = dentry;
1827 __inode_security_revalidate(inode, dentry, true);
1828 return inode_has_perm(cred, inode, av, &ad);
1831 /* Same as inode_has_perm, but pass explicit audit data containing
1832 the path to help the auditing code to more easily generate the
1833 pathname if needed. */
1834 static inline int path_has_perm(const struct cred *cred,
1835 const struct path *path,
1838 struct inode *inode = d_backing_inode(path->dentry);
1839 struct common_audit_data ad;
1841 ad.type = LSM_AUDIT_DATA_PATH;
1843 __inode_security_revalidate(inode, path->dentry, true);
1844 return inode_has_perm(cred, inode, av, &ad);
1847 /* Same as path_has_perm, but uses the inode from the file struct. */
1848 static inline int file_path_has_perm(const struct cred *cred,
1852 struct common_audit_data ad;
1854 ad.type = LSM_AUDIT_DATA_FILE;
1856 return inode_has_perm(cred, file_inode(file), av, &ad);
1859 #ifdef CONFIG_BPF_SYSCALL
1860 static int bpf_fd_pass(struct file *file, u32 sid);
1863 /* Check whether a task can use an open file descriptor to
1864 access an inode in a given way. Check access to the
1865 descriptor itself, and then use dentry_has_perm to
1866 check a particular permission to the file.
1867 Access to the descriptor is implicitly granted if it
1868 has the same SID as the process. If av is zero, then
1869 access to the file is not checked, e.g. for cases
1870 where only the descriptor is affected like seek. */
1871 static int file_has_perm(const struct cred *cred,
1875 struct file_security_struct *fsec = file->f_security;
1876 struct inode *inode = file_inode(file);
1877 struct common_audit_data ad;
1878 u32 sid = cred_sid(cred);
1881 ad.type = LSM_AUDIT_DATA_FILE;
1884 if (sid != fsec->sid) {
1885 rc = avc_has_perm(&selinux_state,
1894 #ifdef CONFIG_BPF_SYSCALL
1895 rc = bpf_fd_pass(file, cred_sid(cred));
1900 /* av is zero if only checking access to the descriptor. */
1903 rc = inode_has_perm(cred, inode, av, &ad);
1910 * Determine the label for an inode that might be unioned.
1913 selinux_determine_inode_label(const struct task_security_struct *tsec,
1915 const struct qstr *name, u16 tclass,
1918 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1920 if ((sbsec->flags & SE_SBINITIALIZED) &&
1921 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1922 *_new_isid = sbsec->mntpoint_sid;
1923 } else if ((sbsec->flags & SBLABEL_MNT) &&
1925 *_new_isid = tsec->create_sid;
1927 const struct inode_security_struct *dsec = inode_security(dir);
1928 return security_transition_sid(&selinux_state, tsec->sid,
1936 /* Check whether a task can create a file. */
1937 static int may_create(struct inode *dir,
1938 struct dentry *dentry,
1941 const struct task_security_struct *tsec = current_security();
1942 struct inode_security_struct *dsec;
1943 struct superblock_security_struct *sbsec;
1945 struct common_audit_data ad;
1948 dsec = inode_security(dir);
1949 sbsec = dir->i_sb->s_security;
1953 ad.type = LSM_AUDIT_DATA_DENTRY;
1954 ad.u.dentry = dentry;
1956 rc = avc_has_perm(&selinux_state,
1957 sid, dsec->sid, SECCLASS_DIR,
1958 DIR__ADD_NAME | DIR__SEARCH,
1963 rc = selinux_determine_inode_label(current_security(), dir,
1964 &dentry->d_name, tclass, &newsid);
1968 rc = avc_has_perm(&selinux_state,
1969 sid, newsid, tclass, FILE__CREATE, &ad);
1973 return avc_has_perm(&selinux_state,
1975 SECCLASS_FILESYSTEM,
1976 FILESYSTEM__ASSOCIATE, &ad);
1980 #define MAY_UNLINK 1
1983 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1984 static int may_link(struct inode *dir,
1985 struct dentry *dentry,
1989 struct inode_security_struct *dsec, *isec;
1990 struct common_audit_data ad;
1991 u32 sid = current_sid();
1995 dsec = inode_security(dir);
1996 isec = backing_inode_security(dentry);
1998 ad.type = LSM_AUDIT_DATA_DENTRY;
1999 ad.u.dentry = dentry;
2002 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2003 rc = avc_has_perm(&selinux_state,
2004 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2019 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
2024 rc = avc_has_perm(&selinux_state,
2025 sid, isec->sid, isec->sclass, av, &ad);
2029 static inline int may_rename(struct inode *old_dir,
2030 struct dentry *old_dentry,
2031 struct inode *new_dir,
2032 struct dentry *new_dentry)
2034 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2035 struct common_audit_data ad;
2036 u32 sid = current_sid();
2038 int old_is_dir, new_is_dir;
2041 old_dsec = inode_security(old_dir);
2042 old_isec = backing_inode_security(old_dentry);
2043 old_is_dir = d_is_dir(old_dentry);
2044 new_dsec = inode_security(new_dir);
2046 ad.type = LSM_AUDIT_DATA_DENTRY;
2048 ad.u.dentry = old_dentry;
2049 rc = avc_has_perm(&selinux_state,
2050 sid, old_dsec->sid, SECCLASS_DIR,
2051 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2054 rc = avc_has_perm(&selinux_state,
2056 old_isec->sclass, FILE__RENAME, &ad);
2059 if (old_is_dir && new_dir != old_dir) {
2060 rc = avc_has_perm(&selinux_state,
2062 old_isec->sclass, DIR__REPARENT, &ad);
2067 ad.u.dentry = new_dentry;
2068 av = DIR__ADD_NAME | DIR__SEARCH;
2069 if (d_is_positive(new_dentry))
2070 av |= DIR__REMOVE_NAME;
2071 rc = avc_has_perm(&selinux_state,
2072 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2075 if (d_is_positive(new_dentry)) {
2076 new_isec = backing_inode_security(new_dentry);
2077 new_is_dir = d_is_dir(new_dentry);
2078 rc = avc_has_perm(&selinux_state,
2081 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2089 /* Check whether a task can perform a filesystem operation. */
2090 static int superblock_has_perm(const struct cred *cred,
2091 struct super_block *sb,
2093 struct common_audit_data *ad)
2095 struct superblock_security_struct *sbsec;
2096 u32 sid = cred_sid(cred);
2098 sbsec = sb->s_security;
2099 return avc_has_perm(&selinux_state,
2100 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2103 /* Convert a Linux mode and permission mask to an access vector. */
2104 static inline u32 file_mask_to_av(int mode, int mask)
2108 if (!S_ISDIR(mode)) {
2109 if (mask & MAY_EXEC)
2110 av |= FILE__EXECUTE;
2111 if (mask & MAY_READ)
2114 if (mask & MAY_APPEND)
2116 else if (mask & MAY_WRITE)
2120 if (mask & MAY_EXEC)
2122 if (mask & MAY_WRITE)
2124 if (mask & MAY_READ)
2131 /* Convert a Linux file to an access vector. */
2132 static inline u32 file_to_av(struct file *file)
2136 if (file->f_mode & FMODE_READ)
2138 if (file->f_mode & FMODE_WRITE) {
2139 if (file->f_flags & O_APPEND)
2146 * Special file opened with flags 3 for ioctl-only use.
2155 * Convert a file to an access vector and include the correct open
2158 static inline u32 open_file_to_av(struct file *file)
2160 u32 av = file_to_av(file);
2161 struct inode *inode = file_inode(file);
2163 if (selinux_policycap_openperm() &&
2164 inode->i_sb->s_magic != SOCKFS_MAGIC)
2170 /* Hook functions begin here. */
2172 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2174 u32 mysid = current_sid();
2175 u32 mgrsid = task_sid(mgr);
2177 return avc_has_perm(&selinux_state,
2178 mysid, mgrsid, SECCLASS_BINDER,
2179 BINDER__SET_CONTEXT_MGR, NULL);
2182 static int selinux_binder_transaction(struct task_struct *from,
2183 struct task_struct *to)
2185 u32 mysid = current_sid();
2186 u32 fromsid = task_sid(from);
2187 u32 tosid = task_sid(to);
2190 if (mysid != fromsid) {
2191 rc = avc_has_perm(&selinux_state,
2192 mysid, fromsid, SECCLASS_BINDER,
2193 BINDER__IMPERSONATE, NULL);
2198 return avc_has_perm(&selinux_state,
2199 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2203 static int selinux_binder_transfer_binder(struct task_struct *from,
2204 struct task_struct *to)
2206 u32 fromsid = task_sid(from);
2207 u32 tosid = task_sid(to);
2209 return avc_has_perm(&selinux_state,
2210 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2214 static int selinux_binder_transfer_file(struct task_struct *from,
2215 struct task_struct *to,
2218 u32 sid = task_sid(to);
2219 struct file_security_struct *fsec = file->f_security;
2220 struct dentry *dentry = file->f_path.dentry;
2221 struct inode_security_struct *isec;
2222 struct common_audit_data ad;
2225 ad.type = LSM_AUDIT_DATA_PATH;
2226 ad.u.path = file->f_path;
2228 if (sid != fsec->sid) {
2229 rc = avc_has_perm(&selinux_state,
2238 #ifdef CONFIG_BPF_SYSCALL
2239 rc = bpf_fd_pass(file, sid);
2244 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2247 isec = backing_inode_security(dentry);
2248 return avc_has_perm(&selinux_state,
2249 sid, isec->sid, isec->sclass, file_to_av(file),
2253 static int selinux_ptrace_access_check(struct task_struct *child,
2256 u32 sid = current_sid();
2257 u32 csid = task_sid(child);
2259 if (mode & PTRACE_MODE_READ)
2260 return avc_has_perm(&selinux_state,
2261 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2263 return avc_has_perm(&selinux_state,
2264 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2267 static int selinux_ptrace_traceme(struct task_struct *parent)
2269 return avc_has_perm(&selinux_state,
2270 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2271 PROCESS__PTRACE, NULL);
2274 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2275 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2277 return avc_has_perm(&selinux_state,
2278 current_sid(), task_sid(target), SECCLASS_PROCESS,
2279 PROCESS__GETCAP, NULL);
2282 static int selinux_capset(struct cred *new, const struct cred *old,
2283 const kernel_cap_t *effective,
2284 const kernel_cap_t *inheritable,
2285 const kernel_cap_t *permitted)
2287 return avc_has_perm(&selinux_state,
2288 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2289 PROCESS__SETCAP, NULL);
2293 * (This comment used to live with the selinux_task_setuid hook,
2294 * which was removed).
2296 * Since setuid only affects the current process, and since the SELinux
2297 * controls are not based on the Linux identity attributes, SELinux does not
2298 * need to control this operation. However, SELinux does control the use of
2299 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2302 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2305 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2308 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2310 const struct cred *cred = current_cred();
2322 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2327 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2330 rc = 0; /* let the kernel handle invalid cmds */
2336 static int selinux_quota_on(struct dentry *dentry)
2338 const struct cred *cred = current_cred();
2340 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2343 static int selinux_syslog(int type)
2346 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2347 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2348 return avc_has_perm(&selinux_state,
2349 current_sid(), SECINITSID_KERNEL,
2350 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2351 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2352 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2353 /* Set level of messages printed to console */
2354 case SYSLOG_ACTION_CONSOLE_LEVEL:
2355 return avc_has_perm(&selinux_state,
2356 current_sid(), SECINITSID_KERNEL,
2357 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2360 /* All other syslog types */
2361 return avc_has_perm(&selinux_state,
2362 current_sid(), SECINITSID_KERNEL,
2363 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2367 * Check that a process has enough memory to allocate a new virtual
2368 * mapping. 0 means there is enough memory for the allocation to
2369 * succeed and -ENOMEM implies there is not.
2371 * Do not audit the selinux permission check, as this is applied to all
2372 * processes that allocate mappings.
2374 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2376 int rc, cap_sys_admin = 0;
2378 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2379 SECURITY_CAP_NOAUDIT, true);
2383 return cap_sys_admin;
2386 /* binprm security operations */
2388 static u32 ptrace_parent_sid(void)
2391 struct task_struct *tracer;
2394 tracer = ptrace_parent(current);
2396 sid = task_sid(tracer);
2402 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2403 const struct task_security_struct *old_tsec,
2404 const struct task_security_struct *new_tsec)
2406 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2407 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2411 if (!nnp && !nosuid)
2412 return 0; /* neither NNP nor nosuid */
2414 if (new_tsec->sid == old_tsec->sid)
2415 return 0; /* No change in credentials */
2418 * If the policy enables the nnp_nosuid_transition policy capability,
2419 * then we permit transitions under NNP or nosuid if the
2420 * policy allows the corresponding permission between
2421 * the old and new contexts.
2423 if (selinux_policycap_nnp_nosuid_transition()) {
2426 av |= PROCESS2__NNP_TRANSITION;
2428 av |= PROCESS2__NOSUID_TRANSITION;
2429 rc = avc_has_perm(&selinux_state,
2430 old_tsec->sid, new_tsec->sid,
2431 SECCLASS_PROCESS2, av, NULL);
2437 * We also permit NNP or nosuid transitions to bounded SIDs,
2438 * i.e. SIDs that are guaranteed to only be allowed a subset
2439 * of the permissions of the current SID.
2441 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2447 * On failure, preserve the errno values for NNP vs nosuid.
2448 * NNP: Operation not permitted for caller.
2449 * nosuid: Permission denied to file.
2456 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2458 const struct task_security_struct *old_tsec;
2459 struct task_security_struct *new_tsec;
2460 struct inode_security_struct *isec;
2461 struct common_audit_data ad;
2462 struct inode *inode = file_inode(bprm->file);
2465 /* SELinux context only depends on initial program or script and not
2466 * the script interpreter */
2467 if (bprm->called_set_creds)
2470 old_tsec = current_security();
2471 new_tsec = bprm->cred->security;
2472 isec = inode_security(inode);
2474 /* Default to the current task SID. */
2475 new_tsec->sid = old_tsec->sid;
2476 new_tsec->osid = old_tsec->sid;
2478 /* Reset fs, key, and sock SIDs on execve. */
2479 new_tsec->create_sid = 0;
2480 new_tsec->keycreate_sid = 0;
2481 new_tsec->sockcreate_sid = 0;
2483 if (old_tsec->exec_sid) {
2484 new_tsec->sid = old_tsec->exec_sid;
2485 /* Reset exec SID on execve. */
2486 new_tsec->exec_sid = 0;
2488 /* Fail on NNP or nosuid if not an allowed transition. */
2489 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2493 /* Check for a default transition on this program. */
2494 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2495 isec->sid, SECCLASS_PROCESS, NULL,
2501 * Fallback to old SID on NNP or nosuid if not an allowed
2504 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2506 new_tsec->sid = old_tsec->sid;
2509 ad.type = LSM_AUDIT_DATA_FILE;
2510 ad.u.file = bprm->file;
2512 if (new_tsec->sid == old_tsec->sid) {
2513 rc = avc_has_perm(&selinux_state,
2514 old_tsec->sid, isec->sid,
2515 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2519 /* Check permissions for the transition. */
2520 rc = avc_has_perm(&selinux_state,
2521 old_tsec->sid, new_tsec->sid,
2522 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2526 rc = avc_has_perm(&selinux_state,
2527 new_tsec->sid, isec->sid,
2528 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2532 /* Check for shared state */
2533 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2534 rc = avc_has_perm(&selinux_state,
2535 old_tsec->sid, new_tsec->sid,
2536 SECCLASS_PROCESS, PROCESS__SHARE,
2542 /* Make sure that anyone attempting to ptrace over a task that
2543 * changes its SID has the appropriate permit */
2544 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2545 u32 ptsid = ptrace_parent_sid();
2547 rc = avc_has_perm(&selinux_state,
2548 ptsid, new_tsec->sid,
2550 PROCESS__PTRACE, NULL);
2556 /* Clear any possibly unsafe personality bits on exec: */
2557 bprm->per_clear |= PER_CLEAR_ON_SETID;
2559 /* Enable secure mode for SIDs transitions unless
2560 the noatsecure permission is granted between
2561 the two SIDs, i.e. ahp returns 0. */
2562 rc = avc_has_perm(&selinux_state,
2563 old_tsec->sid, new_tsec->sid,
2564 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2566 bprm->secureexec |= !!rc;
2572 static int match_file(const void *p, struct file *file, unsigned fd)
2574 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2577 /* Derived from fs/exec.c:flush_old_files. */
2578 static inline void flush_unauthorized_files(const struct cred *cred,
2579 struct files_struct *files)
2581 struct file *file, *devnull = NULL;
2582 struct tty_struct *tty;
2586 tty = get_current_tty();
2588 spin_lock(&tty->files_lock);
2589 if (!list_empty(&tty->tty_files)) {
2590 struct tty_file_private *file_priv;
2592 /* Revalidate access to controlling tty.
2593 Use file_path_has_perm on the tty path directly
2594 rather than using file_has_perm, as this particular
2595 open file may belong to another process and we are
2596 only interested in the inode-based check here. */
2597 file_priv = list_first_entry(&tty->tty_files,
2598 struct tty_file_private, list);
2599 file = file_priv->file;
2600 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2603 spin_unlock(&tty->files_lock);
2606 /* Reset controlling tty. */
2610 /* Revalidate access to inherited open files. */
2611 n = iterate_fd(files, 0, match_file, cred);
2612 if (!n) /* none found? */
2615 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2616 if (IS_ERR(devnull))
2618 /* replace all the matching ones with this */
2620 replace_fd(n - 1, devnull, 0);
2621 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2627 * Prepare a process for imminent new credential changes due to exec
2629 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2631 struct task_security_struct *new_tsec;
2632 struct rlimit *rlim, *initrlim;
2635 new_tsec = bprm->cred->security;
2636 if (new_tsec->sid == new_tsec->osid)
2639 /* Close files for which the new task SID is not authorized. */
2640 flush_unauthorized_files(bprm->cred, current->files);
2642 /* Always clear parent death signal on SID transitions. */
2643 current->pdeath_signal = 0;
2645 /* Check whether the new SID can inherit resource limits from the old
2646 * SID. If not, reset all soft limits to the lower of the current
2647 * task's hard limit and the init task's soft limit.
2649 * Note that the setting of hard limits (even to lower them) can be
2650 * controlled by the setrlimit check. The inclusion of the init task's
2651 * soft limit into the computation is to avoid resetting soft limits
2652 * higher than the default soft limit for cases where the default is
2653 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2655 rc = avc_has_perm(&selinux_state,
2656 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2657 PROCESS__RLIMITINH, NULL);
2659 /* protect against do_prlimit() */
2661 for (i = 0; i < RLIM_NLIMITS; i++) {
2662 rlim = current->signal->rlim + i;
2663 initrlim = init_task.signal->rlim + i;
2664 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2666 task_unlock(current);
2667 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2668 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2673 * Clean up the process immediately after the installation of new credentials
2676 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2678 const struct task_security_struct *tsec = current_security();
2679 struct itimerval itimer;
2689 /* Check whether the new SID can inherit signal state from the old SID.
2690 * If not, clear itimers to avoid subsequent signal generation and
2691 * flush and unblock signals.
2693 * This must occur _after_ the task SID has been updated so that any
2694 * kill done after the flush will be checked against the new SID.
2696 rc = avc_has_perm(&selinux_state,
2697 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2699 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2700 memset(&itimer, 0, sizeof itimer);
2701 for (i = 0; i < 3; i++)
2702 do_setitimer(i, &itimer, NULL);
2704 spin_lock_irq(¤t->sighand->siglock);
2705 if (!fatal_signal_pending(current)) {
2706 flush_sigqueue(¤t->pending);
2707 flush_sigqueue(¤t->signal->shared_pending);
2708 flush_signal_handlers(current, 1);
2709 sigemptyset(¤t->blocked);
2710 recalc_sigpending();
2712 spin_unlock_irq(¤t->sighand->siglock);
2715 /* Wake up the parent if it is waiting so that it can recheck
2716 * wait permission to the new task SID. */
2717 read_lock(&tasklist_lock);
2718 __wake_up_parent(current, current->real_parent);
2719 read_unlock(&tasklist_lock);
2722 /* superblock security operations */
2724 static int selinux_sb_alloc_security(struct super_block *sb)
2726 return superblock_alloc_security(sb);
2729 static void selinux_sb_free_security(struct super_block *sb)
2731 superblock_free_security(sb);
2734 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2739 return !memcmp(prefix, option, plen);
2742 static inline int selinux_option(char *option, int len)
2744 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2745 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2746 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2747 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2748 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2751 static inline void take_option(char **to, char *from, int *first, int len)
2758 memcpy(*to, from, len);
2762 static inline void take_selinux_option(char **to, char *from, int *first,
2765 int current_size = 0;
2773 while (current_size < len) {
2783 static int selinux_sb_copy_data(char *orig, char *copy)
2785 int fnosec, fsec, rc = 0;
2786 char *in_save, *in_curr, *in_end;
2787 char *sec_curr, *nosec_save, *nosec;
2793 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2801 in_save = in_end = orig;
2805 open_quote = !open_quote;
2806 if ((*in_end == ',' && open_quote == 0) ||
2808 int len = in_end - in_curr;
2810 if (selinux_option(in_curr, len))
2811 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2813 take_option(&nosec, in_curr, &fnosec, len);
2815 in_curr = in_end + 1;
2817 } while (*in_end++);
2819 strcpy(in_save, nosec_save);
2820 free_page((unsigned long)nosec_save);
2825 static int selinux_sb_remount(struct super_block *sb, void *data)
2828 struct security_mnt_opts opts;
2829 char *secdata, **mount_options;
2830 struct superblock_security_struct *sbsec = sb->s_security;
2832 if (!(sbsec->flags & SE_SBINITIALIZED))
2838 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2841 security_init_mnt_opts(&opts);
2842 secdata = alloc_secdata();
2845 rc = selinux_sb_copy_data(data, secdata);
2847 goto out_free_secdata;
2849 rc = selinux_parse_opts_str(secdata, &opts);
2851 goto out_free_secdata;
2853 mount_options = opts.mnt_opts;
2854 flags = opts.mnt_opts_flags;
2856 for (i = 0; i < opts.num_mnt_opts; i++) {
2859 if (flags[i] == SBLABEL_MNT)
2861 rc = security_context_str_to_sid(&selinux_state,
2862 mount_options[i], &sid,
2865 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2866 "(%s) failed for (dev %s, type %s) errno=%d\n",
2867 mount_options[i], sb->s_id, sb->s_type->name, rc);
2873 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2874 goto out_bad_option;
2877 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2878 goto out_bad_option;
2880 case ROOTCONTEXT_MNT: {
2881 struct inode_security_struct *root_isec;
2882 root_isec = backing_inode_security(sb->s_root);
2884 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2885 goto out_bad_option;
2888 case DEFCONTEXT_MNT:
2889 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2890 goto out_bad_option;
2899 security_free_mnt_opts(&opts);
2901 free_secdata(secdata);
2904 printk(KERN_WARNING "SELinux: unable to change security options "
2905 "during remount (dev %s, type=%s)\n", sb->s_id,
2910 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2912 const struct cred *cred = current_cred();
2913 struct common_audit_data ad;
2916 rc = superblock_doinit(sb, data);
2920 /* Allow all mounts performed by the kernel */
2921 if (flags & MS_KERNMOUNT)
2924 ad.type = LSM_AUDIT_DATA_DENTRY;
2925 ad.u.dentry = sb->s_root;
2926 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2929 static int selinux_sb_statfs(struct dentry *dentry)
2931 const struct cred *cred = current_cred();
2932 struct common_audit_data ad;
2934 ad.type = LSM_AUDIT_DATA_DENTRY;
2935 ad.u.dentry = dentry->d_sb->s_root;
2936 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2939 static int selinux_mount(const char *dev_name,
2940 const struct path *path,
2942 unsigned long flags,
2945 const struct cred *cred = current_cred();
2947 if (flags & MS_REMOUNT)
2948 return superblock_has_perm(cred, path->dentry->d_sb,
2949 FILESYSTEM__REMOUNT, NULL);
2951 return path_has_perm(cred, path, FILE__MOUNTON);
2954 static int selinux_umount(struct vfsmount *mnt, int flags)
2956 const struct cred *cred = current_cred();
2958 return superblock_has_perm(cred, mnt->mnt_sb,
2959 FILESYSTEM__UNMOUNT, NULL);
2962 /* inode security operations */
2964 static int selinux_inode_alloc_security(struct inode *inode)
2966 return inode_alloc_security(inode);
2969 static void selinux_inode_free_security(struct inode *inode)
2971 inode_free_security(inode);
2974 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2975 const struct qstr *name, void **ctx,
2981 rc = selinux_determine_inode_label(current_security(),
2982 d_inode(dentry->d_parent), name,
2983 inode_mode_to_security_class(mode),
2988 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2992 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2994 const struct cred *old,
2999 struct task_security_struct *tsec;
3001 rc = selinux_determine_inode_label(old->security,
3002 d_inode(dentry->d_parent), name,
3003 inode_mode_to_security_class(mode),
3008 tsec = new->security;
3009 tsec->create_sid = newsid;
3013 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3014 const struct qstr *qstr,
3016 void **value, size_t *len)
3018 const struct task_security_struct *tsec = current_security();
3019 struct superblock_security_struct *sbsec;
3024 sbsec = dir->i_sb->s_security;
3026 newsid = tsec->create_sid;
3028 rc = selinux_determine_inode_label(current_security(),
3030 inode_mode_to_security_class(inode->i_mode),
3035 /* Possibly defer initialization to selinux_complete_init. */
3036 if (sbsec->flags & SE_SBINITIALIZED) {
3037 struct inode_security_struct *isec = inode->i_security;
3038 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3040 isec->initialized = LABEL_INITIALIZED;
3043 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3047 *name = XATTR_SELINUX_SUFFIX;
3050 rc = security_sid_to_context_force(&selinux_state, newsid,
3061 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3063 return may_create(dir, dentry, SECCLASS_FILE);
3066 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3068 return may_link(dir, old_dentry, MAY_LINK);
3071 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3073 return may_link(dir, dentry, MAY_UNLINK);
3076 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3078 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3081 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3083 return may_create(dir, dentry, SECCLASS_DIR);
3086 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3088 return may_link(dir, dentry, MAY_RMDIR);
3091 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3093 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3096 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3097 struct inode *new_inode, struct dentry *new_dentry)
3099 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3102 static int selinux_inode_readlink(struct dentry *dentry)
3104 const struct cred *cred = current_cred();
3106 return dentry_has_perm(cred, dentry, FILE__READ);
3109 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3112 const struct cred *cred = current_cred();
3113 struct common_audit_data ad;
3114 struct inode_security_struct *isec;
3117 validate_creds(cred);
3119 ad.type = LSM_AUDIT_DATA_DENTRY;
3120 ad.u.dentry = dentry;
3121 sid = cred_sid(cred);
3122 isec = inode_security_rcu(inode, rcu);
3124 return PTR_ERR(isec);
3126 return avc_has_perm_flags(&selinux_state,
3127 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3128 rcu ? MAY_NOT_BLOCK : 0);
3131 static noinline int audit_inode_permission(struct inode *inode,
3132 u32 perms, u32 audited, u32 denied,
3136 struct common_audit_data ad;
3137 struct inode_security_struct *isec = inode->i_security;
3140 ad.type = LSM_AUDIT_DATA_INODE;
3143 rc = slow_avc_audit(&selinux_state,
3144 current_sid(), isec->sid, isec->sclass, perms,
3145 audited, denied, result, &ad, flags);
3151 static int selinux_inode_permission(struct inode *inode, int mask)
3153 const struct cred *cred = current_cred();
3156 unsigned flags = mask & MAY_NOT_BLOCK;
3157 struct inode_security_struct *isec;
3159 struct av_decision avd;
3161 u32 audited, denied;
3163 from_access = mask & MAY_ACCESS;
3164 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3166 /* No permission to check. Existence test. */
3170 validate_creds(cred);
3172 if (unlikely(IS_PRIVATE(inode)))
3175 perms = file_mask_to_av(inode->i_mode, mask);
3177 sid = cred_sid(cred);
3178 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3180 return PTR_ERR(isec);
3182 rc = avc_has_perm_noaudit(&selinux_state,
3183 sid, isec->sid, isec->sclass, perms, 0, &avd);
3184 audited = avc_audit_required(perms, &avd, rc,
3185 from_access ? FILE__AUDIT_ACCESS : 0,
3187 if (likely(!audited))
3190 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3196 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3198 const struct cred *cred = current_cred();
3199 struct inode *inode = d_backing_inode(dentry);
3200 unsigned int ia_valid = iattr->ia_valid;
3201 __u32 av = FILE__WRITE;
3203 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3204 if (ia_valid & ATTR_FORCE) {
3205 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3211 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3212 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3213 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3215 if (selinux_policycap_openperm() &&
3216 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3217 (ia_valid & ATTR_SIZE) &&
3218 !(ia_valid & ATTR_FILE))
3221 return dentry_has_perm(cred, dentry, av);
3224 static int selinux_inode_getattr(const struct path *path)
3226 return path_has_perm(current_cred(), path, FILE__GETATTR);
3229 static bool has_cap_mac_admin(bool audit)
3231 const struct cred *cred = current_cred();
3232 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3234 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3236 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3241 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3242 const void *value, size_t size, int flags)
3244 struct inode *inode = d_backing_inode(dentry);
3245 struct inode_security_struct *isec;
3246 struct superblock_security_struct *sbsec;
3247 struct common_audit_data ad;
3248 u32 newsid, sid = current_sid();
3251 if (strcmp(name, XATTR_NAME_SELINUX)) {
3252 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3256 /* Not an attribute we recognize, so just check the
3257 ordinary setattr permission. */
3258 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3261 sbsec = inode->i_sb->s_security;
3262 if (!(sbsec->flags & SBLABEL_MNT))
3265 if (!inode_owner_or_capable(inode))
3268 ad.type = LSM_AUDIT_DATA_DENTRY;
3269 ad.u.dentry = dentry;
3271 isec = backing_inode_security(dentry);
3272 rc = avc_has_perm(&selinux_state,
3273 sid, isec->sid, isec->sclass,
3274 FILE__RELABELFROM, &ad);
3278 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3280 if (rc == -EINVAL) {
3281 if (!has_cap_mac_admin(true)) {
3282 struct audit_buffer *ab;
3285 /* We strip a nul only if it is at the end, otherwise the
3286 * context contains a nul and we should audit that */
3288 const char *str = value;
3290 if (str[size - 1] == '\0')
3291 audit_size = size - 1;
3297 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3298 audit_log_format(ab, "op=setxattr invalid_context=");
3299 audit_log_n_untrustedstring(ab, value, audit_size);
3304 rc = security_context_to_sid_force(&selinux_state, value,
3310 rc = avc_has_perm(&selinux_state,
3311 sid, newsid, isec->sclass,
3312 FILE__RELABELTO, &ad);
3316 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3321 return avc_has_perm(&selinux_state,
3324 SECCLASS_FILESYSTEM,
3325 FILESYSTEM__ASSOCIATE,
3329 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3330 const void *value, size_t size,
3333 struct inode *inode = d_backing_inode(dentry);
3334 struct inode_security_struct *isec;
3338 if (strcmp(name, XATTR_NAME_SELINUX)) {
3339 /* Not an attribute we recognize, so nothing to do. */
3343 rc = security_context_to_sid_force(&selinux_state, value, size,
3346 printk(KERN_ERR "SELinux: unable to map context to SID"
3347 "for (%s, %lu), rc=%d\n",
3348 inode->i_sb->s_id, inode->i_ino, -rc);
3352 isec = backing_inode_security(dentry);
3353 spin_lock(&isec->lock);
3354 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3356 isec->initialized = LABEL_INITIALIZED;
3357 spin_unlock(&isec->lock);
3362 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3364 const struct cred *cred = current_cred();
3366 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3369 static int selinux_inode_listxattr(struct dentry *dentry)
3371 const struct cred *cred = current_cred();
3373 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3376 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3378 if (strcmp(name, XATTR_NAME_SELINUX)) {
3379 int rc = cap_inode_removexattr(dentry, name);
3383 /* Not an attribute we recognize, so just check the
3384 ordinary setattr permission. */
3385 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3388 /* No one is allowed to remove a SELinux security label.
3389 You can change the label, but all data must be labeled. */
3394 * Copy the inode security context value to the user.
3396 * Permission check is handled by selinux_inode_getxattr hook.
3398 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3402 char *context = NULL;
3403 struct inode_security_struct *isec;
3405 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3409 * If the caller has CAP_MAC_ADMIN, then get the raw context
3410 * value even if it is not defined by current policy; otherwise,
3411 * use the in-core value under current policy.
3412 * Use the non-auditing forms of the permission checks since
3413 * getxattr may be called by unprivileged processes commonly
3414 * and lack of permission just means that we fall back to the
3415 * in-core context value, not a denial.
3417 isec = inode_security(inode);
3418 if (has_cap_mac_admin(false))
3419 error = security_sid_to_context_force(&selinux_state,
3420 isec->sid, &context,
3423 error = security_sid_to_context(&selinux_state, isec->sid,
3437 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3438 const void *value, size_t size, int flags)
3440 struct inode_security_struct *isec = inode_security_novalidate(inode);
3444 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3447 if (!value || !size)
3450 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3455 spin_lock(&isec->lock);
3456 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3458 isec->initialized = LABEL_INITIALIZED;
3459 spin_unlock(&isec->lock);
3463 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3465 const int len = sizeof(XATTR_NAME_SELINUX);
3466 if (buffer && len <= buffer_size)
3467 memcpy(buffer, XATTR_NAME_SELINUX, len);
3471 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3473 struct inode_security_struct *isec = inode_security_novalidate(inode);
3477 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3480 struct task_security_struct *tsec;
3481 struct cred *new_creds = *new;
3483 if (new_creds == NULL) {
3484 new_creds = prepare_creds();
3489 tsec = new_creds->security;
3490 /* Get label from overlay inode and set it in create_sid */
3491 selinux_inode_getsecid(d_inode(src), &sid);
3492 tsec->create_sid = sid;
3497 static int selinux_inode_copy_up_xattr(const char *name)
3499 /* The copy_up hook above sets the initial context on an inode, but we
3500 * don't then want to overwrite it by blindly copying all the lower
3501 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3503 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3504 return 1; /* Discard */
3506 * Any other attribute apart from SELINUX is not claimed, supported
3512 /* file security operations */
3514 static int selinux_revalidate_file_permission(struct file *file, int mask)
3516 const struct cred *cred = current_cred();
3517 struct inode *inode = file_inode(file);
3519 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3520 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3523 return file_has_perm(cred, file,
3524 file_mask_to_av(inode->i_mode, mask));
3527 static int selinux_file_permission(struct file *file, int mask)
3529 struct inode *inode = file_inode(file);
3530 struct file_security_struct *fsec = file->f_security;
3531 struct inode_security_struct *isec;
3532 u32 sid = current_sid();
3535 /* No permission to check. Existence test. */
3538 isec = inode_security(inode);
3539 if (sid == fsec->sid && fsec->isid == isec->sid &&
3540 fsec->pseqno == avc_policy_seqno(&selinux_state))
3541 /* No change since file_open check. */
3544 return selinux_revalidate_file_permission(file, mask);
3547 static int selinux_file_alloc_security(struct file *file)
3549 return file_alloc_security(file);
3552 static void selinux_file_free_security(struct file *file)
3554 file_free_security(file);
3558 * Check whether a task has the ioctl permission and cmd
3559 * operation to an inode.
3561 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3562 u32 requested, u16 cmd)
3564 struct common_audit_data ad;
3565 struct file_security_struct *fsec = file->f_security;
3566 struct inode *inode = file_inode(file);
3567 struct inode_security_struct *isec;
3568 struct lsm_ioctlop_audit ioctl;
3569 u32 ssid = cred_sid(cred);
3571 u8 driver = cmd >> 8;
3572 u8 xperm = cmd & 0xff;
3574 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3577 ad.u.op->path = file->f_path;
3579 if (ssid != fsec->sid) {
3580 rc = avc_has_perm(&selinux_state,
3589 if (unlikely(IS_PRIVATE(inode)))
3592 isec = inode_security(inode);
3593 rc = avc_has_extended_perms(&selinux_state,
3594 ssid, isec->sid, isec->sclass,
3595 requested, driver, xperm, &ad);
3600 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3603 const struct cred *cred = current_cred();
3613 case FS_IOC_GETFLAGS:
3615 case FS_IOC_GETVERSION:
3616 error = file_has_perm(cred, file, FILE__GETATTR);
3619 case FS_IOC_SETFLAGS:
3621 case FS_IOC_SETVERSION:
3622 error = file_has_perm(cred, file, FILE__SETATTR);
3625 /* sys_ioctl() checks */
3629 error = file_has_perm(cred, file, 0);
3634 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3635 SECURITY_CAP_AUDIT, true);
3638 /* default case assumes that the command will go
3639 * to the file's ioctl() function.
3642 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3647 static int default_noexec;
3649 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3651 const struct cred *cred = current_cred();
3652 u32 sid = cred_sid(cred);
3655 if (default_noexec &&
3656 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3657 (!shared && (prot & PROT_WRITE)))) {
3659 * We are making executable an anonymous mapping or a
3660 * private file mapping that will also be writable.
3661 * This has an additional check.
3663 rc = avc_has_perm(&selinux_state,
3664 sid, sid, SECCLASS_PROCESS,
3665 PROCESS__EXECMEM, NULL);
3671 /* read access is always possible with a mapping */
3672 u32 av = FILE__READ;
3674 /* write access only matters if the mapping is shared */
3675 if (shared && (prot & PROT_WRITE))
3678 if (prot & PROT_EXEC)
3679 av |= FILE__EXECUTE;
3681 return file_has_perm(cred, file, av);
3688 static int selinux_mmap_addr(unsigned long addr)
3692 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3693 u32 sid = current_sid();
3694 rc = avc_has_perm(&selinux_state,
3695 sid, sid, SECCLASS_MEMPROTECT,
3696 MEMPROTECT__MMAP_ZERO, NULL);
3702 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3703 unsigned long prot, unsigned long flags)
3705 struct common_audit_data ad;
3709 ad.type = LSM_AUDIT_DATA_FILE;
3711 rc = inode_has_perm(current_cred(), file_inode(file),
3717 if (selinux_state.checkreqprot)
3720 return file_map_prot_check(file, prot,
3721 (flags & MAP_TYPE) == MAP_SHARED);
3724 static int selinux_file_mprotect(struct vm_area_struct *vma,
3725 unsigned long reqprot,
3728 const struct cred *cred = current_cred();
3729 u32 sid = cred_sid(cred);
3731 if (selinux_state.checkreqprot)
3734 if (default_noexec &&
3735 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3737 if (vma->vm_start >= vma->vm_mm->start_brk &&
3738 vma->vm_end <= vma->vm_mm->brk) {
3739 rc = avc_has_perm(&selinux_state,
3740 sid, sid, SECCLASS_PROCESS,
3741 PROCESS__EXECHEAP, NULL);
3742 } else if (!vma->vm_file &&
3743 ((vma->vm_start <= vma->vm_mm->start_stack &&
3744 vma->vm_end >= vma->vm_mm->start_stack) ||
3745 vma_is_stack_for_current(vma))) {
3746 rc = avc_has_perm(&selinux_state,
3747 sid, sid, SECCLASS_PROCESS,
3748 PROCESS__EXECSTACK, NULL);
3749 } else if (vma->vm_file && vma->anon_vma) {
3751 * We are making executable a file mapping that has
3752 * had some COW done. Since pages might have been
3753 * written, check ability to execute the possibly
3754 * modified content. This typically should only
3755 * occur for text relocations.
3757 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3763 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3766 static int selinux_file_lock(struct file *file, unsigned int cmd)
3768 const struct cred *cred = current_cred();
3770 return file_has_perm(cred, file, FILE__LOCK);
3773 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3776 const struct cred *cred = current_cred();
3781 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3782 err = file_has_perm(cred, file, FILE__WRITE);
3791 case F_GETOWNER_UIDS:
3792 /* Just check FD__USE permission */
3793 err = file_has_perm(cred, file, 0);
3801 #if BITS_PER_LONG == 32
3806 err = file_has_perm(cred, file, FILE__LOCK);
3813 static void selinux_file_set_fowner(struct file *file)
3815 struct file_security_struct *fsec;
3817 fsec = file->f_security;
3818 fsec->fown_sid = current_sid();
3821 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3822 struct fown_struct *fown, int signum)
3825 u32 sid = task_sid(tsk);
3827 struct file_security_struct *fsec;
3829 /* struct fown_struct is never outside the context of a struct file */
3830 file = container_of(fown, struct file, f_owner);
3832 fsec = file->f_security;
3835 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3837 perm = signal_to_av(signum);
3839 return avc_has_perm(&selinux_state,
3840 fsec->fown_sid, sid,
3841 SECCLASS_PROCESS, perm, NULL);
3844 static int selinux_file_receive(struct file *file)
3846 const struct cred *cred = current_cred();
3848 return file_has_perm(cred, file, file_to_av(file));
3851 static int selinux_file_open(struct file *file, const struct cred *cred)
3853 struct file_security_struct *fsec;
3854 struct inode_security_struct *isec;
3856 fsec = file->f_security;
3857 isec = inode_security(file_inode(file));
3859 * Save inode label and policy sequence number
3860 * at open-time so that selinux_file_permission
3861 * can determine whether revalidation is necessary.
3862 * Task label is already saved in the file security
3863 * struct as its SID.
3865 fsec->isid = isec->sid;
3866 fsec->pseqno = avc_policy_seqno(&selinux_state);
3868 * Since the inode label or policy seqno may have changed
3869 * between the selinux_inode_permission check and the saving
3870 * of state above, recheck that access is still permitted.
3871 * Otherwise, access might never be revalidated against the
3872 * new inode label or new policy.
3873 * This check is not redundant - do not remove.
3875 return file_path_has_perm(cred, file, open_file_to_av(file));
3878 /* task security operations */
3880 static int selinux_task_alloc(struct task_struct *task,
3881 unsigned long clone_flags)
3883 u32 sid = current_sid();
3885 return avc_has_perm(&selinux_state,
3886 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3890 * allocate the SELinux part of blank credentials
3892 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3894 struct task_security_struct *tsec;
3896 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3900 cred->security = tsec;
3905 * detach and free the LSM part of a set of credentials
3907 static void selinux_cred_free(struct cred *cred)
3909 struct task_security_struct *tsec = cred->security;
3912 * cred->security == NULL if security_cred_alloc_blank() or
3913 * security_prepare_creds() returned an error.
3915 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3916 cred->security = (void *) 0x7UL;
3921 * prepare a new set of credentials for modification
3923 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3926 const struct task_security_struct *old_tsec;
3927 struct task_security_struct *tsec;
3929 old_tsec = old->security;
3931 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3935 new->security = tsec;
3940 * transfer the SELinux data to a blank set of creds
3942 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3944 const struct task_security_struct *old_tsec = old->security;
3945 struct task_security_struct *tsec = new->security;
3951 * set the security data for a kernel service
3952 * - all the creation contexts are set to unlabelled
3954 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3956 struct task_security_struct *tsec = new->security;
3957 u32 sid = current_sid();
3960 ret = avc_has_perm(&selinux_state,
3962 SECCLASS_KERNEL_SERVICE,
3963 KERNEL_SERVICE__USE_AS_OVERRIDE,
3967 tsec->create_sid = 0;
3968 tsec->keycreate_sid = 0;
3969 tsec->sockcreate_sid = 0;
3975 * set the file creation context in a security record to the same as the
3976 * objective context of the specified inode
3978 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3980 struct inode_security_struct *isec = inode_security(inode);
3981 struct task_security_struct *tsec = new->security;
3982 u32 sid = current_sid();
3985 ret = avc_has_perm(&selinux_state,
3987 SECCLASS_KERNEL_SERVICE,
3988 KERNEL_SERVICE__CREATE_FILES_AS,
3992 tsec->create_sid = isec->sid;
3996 static int selinux_kernel_module_request(char *kmod_name)
3998 struct common_audit_data ad;
4000 ad.type = LSM_AUDIT_DATA_KMOD;
4001 ad.u.kmod_name = kmod_name;
4003 return avc_has_perm(&selinux_state,
4004 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4005 SYSTEM__MODULE_REQUEST, &ad);
4008 static int selinux_kernel_module_from_file(struct file *file)
4010 struct common_audit_data ad;
4011 struct inode_security_struct *isec;
4012 struct file_security_struct *fsec;
4013 u32 sid = current_sid();
4018 return avc_has_perm(&selinux_state,
4019 sid, sid, SECCLASS_SYSTEM,
4020 SYSTEM__MODULE_LOAD, NULL);
4024 ad.type = LSM_AUDIT_DATA_FILE;
4027 fsec = file->f_security;
4028 if (sid != fsec->sid) {
4029 rc = avc_has_perm(&selinux_state,
4030 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4035 isec = inode_security(file_inode(file));
4036 return avc_has_perm(&selinux_state,
4037 sid, isec->sid, SECCLASS_SYSTEM,
4038 SYSTEM__MODULE_LOAD, &ad);
4041 static int selinux_kernel_read_file(struct file *file,
4042 enum kernel_read_file_id id)
4047 case READING_MODULE:
4048 rc = selinux_kernel_module_from_file(file);
4057 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4059 return avc_has_perm(&selinux_state,
4060 current_sid(), task_sid(p), SECCLASS_PROCESS,
4061 PROCESS__SETPGID, NULL);
4064 static int selinux_task_getpgid(struct task_struct *p)
4066 return avc_has_perm(&selinux_state,
4067 current_sid(), task_sid(p), SECCLASS_PROCESS,
4068 PROCESS__GETPGID, NULL);
4071 static int selinux_task_getsid(struct task_struct *p)
4073 return avc_has_perm(&selinux_state,
4074 current_sid(), task_sid(p), SECCLASS_PROCESS,
4075 PROCESS__GETSESSION, NULL);
4078 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4080 *secid = task_sid(p);
4083 static int selinux_task_setnice(struct task_struct *p, int nice)
4085 return avc_has_perm(&selinux_state,
4086 current_sid(), task_sid(p), SECCLASS_PROCESS,
4087 PROCESS__SETSCHED, NULL);
4090 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4092 return avc_has_perm(&selinux_state,
4093 current_sid(), task_sid(p), SECCLASS_PROCESS,
4094 PROCESS__SETSCHED, NULL);
4097 static int selinux_task_getioprio(struct task_struct *p)
4099 return avc_has_perm(&selinux_state,
4100 current_sid(), task_sid(p), SECCLASS_PROCESS,
4101 PROCESS__GETSCHED, NULL);
4104 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4111 if (flags & LSM_PRLIMIT_WRITE)
4112 av |= PROCESS__SETRLIMIT;
4113 if (flags & LSM_PRLIMIT_READ)
4114 av |= PROCESS__GETRLIMIT;
4115 return avc_has_perm(&selinux_state,
4116 cred_sid(cred), cred_sid(tcred),
4117 SECCLASS_PROCESS, av, NULL);
4120 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4121 struct rlimit *new_rlim)
4123 struct rlimit *old_rlim = p->signal->rlim + resource;
4125 /* Control the ability to change the hard limit (whether
4126 lowering or raising it), so that the hard limit can
4127 later be used as a safe reset point for the soft limit
4128 upon context transitions. See selinux_bprm_committing_creds. */
4129 if (old_rlim->rlim_max != new_rlim->rlim_max)
4130 return avc_has_perm(&selinux_state,
4131 current_sid(), task_sid(p),
4132 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4137 static int selinux_task_setscheduler(struct task_struct *p)
4139 return avc_has_perm(&selinux_state,
4140 current_sid(), task_sid(p), SECCLASS_PROCESS,
4141 PROCESS__SETSCHED, NULL);
4144 static int selinux_task_getscheduler(struct task_struct *p)
4146 return avc_has_perm(&selinux_state,
4147 current_sid(), task_sid(p), SECCLASS_PROCESS,
4148 PROCESS__GETSCHED, NULL);
4151 static int selinux_task_movememory(struct task_struct *p)
4153 return avc_has_perm(&selinux_state,
4154 current_sid(), task_sid(p), SECCLASS_PROCESS,
4155 PROCESS__SETSCHED, NULL);
4158 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4164 perm = PROCESS__SIGNULL; /* null signal; existence test */
4166 perm = signal_to_av(sig);
4168 secid = current_sid();
4169 return avc_has_perm(&selinux_state,
4170 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4173 static void selinux_task_to_inode(struct task_struct *p,
4174 struct inode *inode)
4176 struct inode_security_struct *isec = inode->i_security;
4177 u32 sid = task_sid(p);
4179 spin_lock(&isec->lock);
4180 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4182 isec->initialized = LABEL_INITIALIZED;
4183 spin_unlock(&isec->lock);
4186 /* Returns error only if unable to parse addresses */
4187 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4188 struct common_audit_data *ad, u8 *proto)
4190 int offset, ihlen, ret = -EINVAL;
4191 struct iphdr _iph, *ih;
4193 offset = skb_network_offset(skb);
4194 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4198 ihlen = ih->ihl * 4;
4199 if (ihlen < sizeof(_iph))
4202 ad->u.net->v4info.saddr = ih->saddr;
4203 ad->u.net->v4info.daddr = ih->daddr;
4207 *proto = ih->protocol;
4209 switch (ih->protocol) {
4211 struct tcphdr _tcph, *th;
4213 if (ntohs(ih->frag_off) & IP_OFFSET)
4217 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4221 ad->u.net->sport = th->source;
4222 ad->u.net->dport = th->dest;
4227 struct udphdr _udph, *uh;
4229 if (ntohs(ih->frag_off) & IP_OFFSET)
4233 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4237 ad->u.net->sport = uh->source;
4238 ad->u.net->dport = uh->dest;
4242 case IPPROTO_DCCP: {
4243 struct dccp_hdr _dccph, *dh;
4245 if (ntohs(ih->frag_off) & IP_OFFSET)
4249 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4253 ad->u.net->sport = dh->dccph_sport;
4254 ad->u.net->dport = dh->dccph_dport;
4258 #if IS_ENABLED(CONFIG_IP_SCTP)
4259 case IPPROTO_SCTP: {
4260 struct sctphdr _sctph, *sh;
4262 if (ntohs(ih->frag_off) & IP_OFFSET)
4266 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4270 ad->u.net->sport = sh->source;
4271 ad->u.net->dport = sh->dest;
4282 #if IS_ENABLED(CONFIG_IPV6)
4284 /* Returns error only if unable to parse addresses */
4285 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4286 struct common_audit_data *ad, u8 *proto)
4289 int ret = -EINVAL, offset;
4290 struct ipv6hdr _ipv6h, *ip6;
4293 offset = skb_network_offset(skb);
4294 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4298 ad->u.net->v6info.saddr = ip6->saddr;
4299 ad->u.net->v6info.daddr = ip6->daddr;
4302 nexthdr = ip6->nexthdr;
4303 offset += sizeof(_ipv6h);
4304 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4313 struct tcphdr _tcph, *th;
4315 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4319 ad->u.net->sport = th->source;
4320 ad->u.net->dport = th->dest;
4325 struct udphdr _udph, *uh;
4327 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4331 ad->u.net->sport = uh->source;
4332 ad->u.net->dport = uh->dest;
4336 case IPPROTO_DCCP: {
4337 struct dccp_hdr _dccph, *dh;
4339 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4343 ad->u.net->sport = dh->dccph_sport;
4344 ad->u.net->dport = dh->dccph_dport;
4348 #if IS_ENABLED(CONFIG_IP_SCTP)
4349 case IPPROTO_SCTP: {
4350 struct sctphdr _sctph, *sh;
4352 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4356 ad->u.net->sport = sh->source;
4357 ad->u.net->dport = sh->dest;
4361 /* includes fragments */
4371 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4372 char **_addrp, int src, u8 *proto)
4377 switch (ad->u.net->family) {
4379 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4382 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4383 &ad->u.net->v4info.daddr);
4386 #if IS_ENABLED(CONFIG_IPV6)
4388 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4391 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4392 &ad->u.net->v6info.daddr);
4402 "SELinux: failure in selinux_parse_skb(),"
4403 " unable to parse packet\n");
4413 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4415 * @family: protocol family
4416 * @sid: the packet's peer label SID
4419 * Check the various different forms of network peer labeling and determine
4420 * the peer label/SID for the packet; most of the magic actually occurs in
4421 * the security server function security_net_peersid_cmp(). The function
4422 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4423 * or -EACCES if @sid is invalid due to inconsistencies with the different
4427 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4434 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4437 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4441 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4442 nlbl_type, xfrm_sid, sid);
4443 if (unlikely(err)) {
4445 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4446 " unable to determine packet's peer label\n");
4454 * selinux_conn_sid - Determine the child socket label for a connection
4455 * @sk_sid: the parent socket's SID
4456 * @skb_sid: the packet's SID
4457 * @conn_sid: the resulting connection SID
4459 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4460 * combined with the MLS information from @skb_sid in order to create
4461 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4462 * of @sk_sid. Returns zero on success, negative values on failure.
4465 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4469 if (skb_sid != SECSID_NULL)
4470 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4478 /* socket security operations */
4480 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4481 u16 secclass, u32 *socksid)
4483 if (tsec->sockcreate_sid > SECSID_NULL) {
4484 *socksid = tsec->sockcreate_sid;
4488 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4489 secclass, NULL, socksid);
4492 static int sock_has_perm(struct sock *sk, u32 perms)
4494 struct sk_security_struct *sksec = sk->sk_security;
4495 struct common_audit_data ad;
4496 struct lsm_network_audit net = {0,};
4498 if (sksec->sid == SECINITSID_KERNEL)
4501 ad.type = LSM_AUDIT_DATA_NET;
4505 return avc_has_perm(&selinux_state,
4506 current_sid(), sksec->sid, sksec->sclass, perms,
4510 static int selinux_socket_create(int family, int type,
4511 int protocol, int kern)
4513 const struct task_security_struct *tsec = current_security();
4521 secclass = socket_type_to_security_class(family, type, protocol);
4522 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4526 return avc_has_perm(&selinux_state,
4527 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4530 static int selinux_socket_post_create(struct socket *sock, int family,
4531 int type, int protocol, int kern)
4533 const struct task_security_struct *tsec = current_security();
4534 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4535 struct sk_security_struct *sksec;
4536 u16 sclass = socket_type_to_security_class(family, type, protocol);
4537 u32 sid = SECINITSID_KERNEL;
4541 err = socket_sockcreate_sid(tsec, sclass, &sid);
4546 isec->sclass = sclass;
4548 isec->initialized = LABEL_INITIALIZED;
4551 sksec = sock->sk->sk_security;
4552 sksec->sclass = sclass;
4554 /* Allows detection of the first association on this socket */
4555 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4556 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4558 err = selinux_netlbl_socket_post_create(sock->sk, family);
4564 /* Range of port numbers used to automatically bind.
4565 Need to determine whether we should perform a name_bind
4566 permission check between the socket and the port number. */
4568 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4570 struct sock *sk = sock->sk;
4571 struct sk_security_struct *sksec = sk->sk_security;
4575 err = sock_has_perm(sk, SOCKET__BIND);
4579 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4580 family = sk->sk_family;
4581 if (family == PF_INET || family == PF_INET6) {
4583 struct common_audit_data ad;
4584 struct lsm_network_audit net = {0,};
4585 struct sockaddr_in *addr4 = NULL;
4586 struct sockaddr_in6 *addr6 = NULL;
4587 u16 family_sa = address->sa_family;
4588 unsigned short snum;
4592 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4593 * that validates multiple binding addresses. Because of this
4594 * need to check address->sa_family as it is possible to have
4595 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4597 switch (family_sa) {
4600 if (addrlen < sizeof(struct sockaddr_in))
4602 addr4 = (struct sockaddr_in *)address;
4603 if (family_sa == AF_UNSPEC) {
4604 /* see __inet_bind(), we only want to allow
4605 * AF_UNSPEC if the address is INADDR_ANY
4607 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4609 family_sa = AF_INET;
4611 snum = ntohs(addr4->sin_port);
4612 addrp = (char *)&addr4->sin_addr.s_addr;
4615 if (addrlen < SIN6_LEN_RFC2133)
4617 addr6 = (struct sockaddr_in6 *)address;
4618 snum = ntohs(addr6->sin6_port);
4619 addrp = (char *)&addr6->sin6_addr.s6_addr;
4628 inet_get_local_port_range(sock_net(sk), &low, &high);
4630 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4632 err = sel_netport_sid(sk->sk_protocol,
4636 ad.type = LSM_AUDIT_DATA_NET;
4638 ad.u.net->sport = htons(snum);
4639 ad.u.net->family = family;
4640 err = avc_has_perm(&selinux_state,
4643 SOCKET__NAME_BIND, &ad);
4649 switch (sksec->sclass) {
4650 case SECCLASS_TCP_SOCKET:
4651 node_perm = TCP_SOCKET__NODE_BIND;
4654 case SECCLASS_UDP_SOCKET:
4655 node_perm = UDP_SOCKET__NODE_BIND;
4658 case SECCLASS_DCCP_SOCKET:
4659 node_perm = DCCP_SOCKET__NODE_BIND;
4662 case SECCLASS_SCTP_SOCKET:
4663 node_perm = SCTP_SOCKET__NODE_BIND;
4667 node_perm = RAWIP_SOCKET__NODE_BIND;
4671 err = sel_netnode_sid(addrp, family, &sid);
4675 ad.type = LSM_AUDIT_DATA_NET;
4677 ad.u.net->sport = htons(snum);
4678 ad.u.net->family = family;
4680 if (family_sa == AF_INET)
4681 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4683 ad.u.net->v6info.saddr = addr6->sin6_addr;
4685 err = avc_has_perm(&selinux_state,
4687 sksec->sclass, node_perm, &ad);
4694 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4695 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4697 return -EAFNOSUPPORT;
4700 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4701 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.txt
4703 static int selinux_socket_connect_helper(struct socket *sock,
4704 struct sockaddr *address, int addrlen)
4706 struct sock *sk = sock->sk;
4707 struct sk_security_struct *sksec = sk->sk_security;
4710 err = sock_has_perm(sk, SOCKET__CONNECT);
4715 * If a TCP, DCCP or SCTP socket, check name_connect permission
4718 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4719 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4720 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4721 struct common_audit_data ad;
4722 struct lsm_network_audit net = {0,};
4723 struct sockaddr_in *addr4 = NULL;
4724 struct sockaddr_in6 *addr6 = NULL;
4725 unsigned short snum;
4728 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4729 * that validates multiple connect addresses. Because of this
4730 * need to check address->sa_family as it is possible to have
4731 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4733 switch (address->sa_family) {
4735 addr4 = (struct sockaddr_in *)address;
4736 if (addrlen < sizeof(struct sockaddr_in))
4738 snum = ntohs(addr4->sin_port);
4741 addr6 = (struct sockaddr_in6 *)address;
4742 if (addrlen < SIN6_LEN_RFC2133)
4744 snum = ntohs(addr6->sin6_port);
4747 /* Note that SCTP services expect -EINVAL, whereas
4748 * others expect -EAFNOSUPPORT.
4750 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4753 return -EAFNOSUPPORT;
4756 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4760 switch (sksec->sclass) {
4761 case SECCLASS_TCP_SOCKET:
4762 perm = TCP_SOCKET__NAME_CONNECT;
4764 case SECCLASS_DCCP_SOCKET:
4765 perm = DCCP_SOCKET__NAME_CONNECT;
4767 case SECCLASS_SCTP_SOCKET:
4768 perm = SCTP_SOCKET__NAME_CONNECT;
4772 ad.type = LSM_AUDIT_DATA_NET;
4774 ad.u.net->dport = htons(snum);
4775 ad.u.net->family = sk->sk_family;
4776 err = avc_has_perm(&selinux_state,
4777 sksec->sid, sid, sksec->sclass, perm, &ad);
4785 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4786 static int selinux_socket_connect(struct socket *sock,
4787 struct sockaddr *address, int addrlen)
4790 struct sock *sk = sock->sk;
4792 err = selinux_socket_connect_helper(sock, address, addrlen);
4796 return selinux_netlbl_socket_connect(sk, address);
4799 static int selinux_socket_listen(struct socket *sock, int backlog)
4801 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4804 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4807 struct inode_security_struct *isec;
4808 struct inode_security_struct *newisec;
4812 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4816 isec = inode_security_novalidate(SOCK_INODE(sock));
4817 spin_lock(&isec->lock);
4818 sclass = isec->sclass;
4820 spin_unlock(&isec->lock);
4822 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4823 newisec->sclass = sclass;
4825 newisec->initialized = LABEL_INITIALIZED;
4830 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4833 return sock_has_perm(sock->sk, SOCKET__WRITE);
4836 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4837 int size, int flags)
4839 return sock_has_perm(sock->sk, SOCKET__READ);
4842 static int selinux_socket_getsockname(struct socket *sock)
4844 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4847 static int selinux_socket_getpeername(struct socket *sock)
4849 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4852 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4856 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4860 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4863 static int selinux_socket_getsockopt(struct socket *sock, int level,
4866 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4869 static int selinux_socket_shutdown(struct socket *sock, int how)
4871 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4874 static int selinux_socket_unix_stream_connect(struct sock *sock,
4878 struct sk_security_struct *sksec_sock = sock->sk_security;
4879 struct sk_security_struct *sksec_other = other->sk_security;
4880 struct sk_security_struct *sksec_new = newsk->sk_security;
4881 struct common_audit_data ad;
4882 struct lsm_network_audit net = {0,};
4885 ad.type = LSM_AUDIT_DATA_NET;
4887 ad.u.net->sk = other;
4889 err = avc_has_perm(&selinux_state,
4890 sksec_sock->sid, sksec_other->sid,
4891 sksec_other->sclass,
4892 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4896 /* server child socket */
4897 sksec_new->peer_sid = sksec_sock->sid;
4898 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4899 sksec_sock->sid, &sksec_new->sid);
4903 /* connecting socket */
4904 sksec_sock->peer_sid = sksec_new->sid;
4909 static int selinux_socket_unix_may_send(struct socket *sock,
4910 struct socket *other)
4912 struct sk_security_struct *ssec = sock->sk->sk_security;
4913 struct sk_security_struct *osec = other->sk->sk_security;
4914 struct common_audit_data ad;
4915 struct lsm_network_audit net = {0,};
4917 ad.type = LSM_AUDIT_DATA_NET;
4919 ad.u.net->sk = other->sk;
4921 return avc_has_perm(&selinux_state,
4922 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4926 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4927 char *addrp, u16 family, u32 peer_sid,
4928 struct common_audit_data *ad)
4934 err = sel_netif_sid(ns, ifindex, &if_sid);
4937 err = avc_has_perm(&selinux_state,
4939 SECCLASS_NETIF, NETIF__INGRESS, ad);
4943 err = sel_netnode_sid(addrp, family, &node_sid);
4946 return avc_has_perm(&selinux_state,
4948 SECCLASS_NODE, NODE__RECVFROM, ad);
4951 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4955 struct sk_security_struct *sksec = sk->sk_security;
4956 u32 sk_sid = sksec->sid;
4957 struct common_audit_data ad;
4958 struct lsm_network_audit net = {0,};
4961 ad.type = LSM_AUDIT_DATA_NET;
4963 ad.u.net->netif = skb->skb_iif;
4964 ad.u.net->family = family;
4965 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4969 if (selinux_secmark_enabled()) {
4970 err = avc_has_perm(&selinux_state,
4971 sk_sid, skb->secmark, SECCLASS_PACKET,
4977 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4980 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4985 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4988 struct sk_security_struct *sksec = sk->sk_security;
4989 u16 family = sk->sk_family;
4990 u32 sk_sid = sksec->sid;
4991 struct common_audit_data ad;
4992 struct lsm_network_audit net = {0,};
4997 if (family != PF_INET && family != PF_INET6)
5000 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5001 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5004 /* If any sort of compatibility mode is enabled then handoff processing
5005 * to the selinux_sock_rcv_skb_compat() function to deal with the
5006 * special handling. We do this in an attempt to keep this function
5007 * as fast and as clean as possible. */
5008 if (!selinux_policycap_netpeer())
5009 return selinux_sock_rcv_skb_compat(sk, skb, family);
5011 secmark_active = selinux_secmark_enabled();
5012 peerlbl_active = selinux_peerlbl_enabled();
5013 if (!secmark_active && !peerlbl_active)
5016 ad.type = LSM_AUDIT_DATA_NET;
5018 ad.u.net->netif = skb->skb_iif;
5019 ad.u.net->family = family;
5020 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5024 if (peerlbl_active) {
5027 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5030 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5031 addrp, family, peer_sid, &ad);
5033 selinux_netlbl_err(skb, family, err, 0);
5036 err = avc_has_perm(&selinux_state,
5037 sk_sid, peer_sid, SECCLASS_PEER,
5040 selinux_netlbl_err(skb, family, err, 0);
5045 if (secmark_active) {
5046 err = avc_has_perm(&selinux_state,
5047 sk_sid, skb->secmark, SECCLASS_PACKET,
5056 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5057 int __user *optlen, unsigned len)
5062 struct sk_security_struct *sksec = sock->sk->sk_security;
5063 u32 peer_sid = SECSID_NULL;
5065 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5066 sksec->sclass == SECCLASS_TCP_SOCKET ||
5067 sksec->sclass == SECCLASS_SCTP_SOCKET)
5068 peer_sid = sksec->peer_sid;
5069 if (peer_sid == SECSID_NULL)
5070 return -ENOPROTOOPT;
5072 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5077 if (scontext_len > len) {
5082 if (copy_to_user(optval, scontext, scontext_len))
5086 if (put_user(scontext_len, optlen))
5092 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5094 u32 peer_secid = SECSID_NULL;
5096 struct inode_security_struct *isec;
5098 if (skb && skb->protocol == htons(ETH_P_IP))
5100 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5103 family = sock->sk->sk_family;
5107 if (sock && family == PF_UNIX) {
5108 isec = inode_security_novalidate(SOCK_INODE(sock));
5109 peer_secid = isec->sid;
5111 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5114 *secid = peer_secid;
5115 if (peer_secid == SECSID_NULL)
5120 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5122 struct sk_security_struct *sksec;
5124 sksec = kzalloc(sizeof(*sksec), priority);
5128 sksec->peer_sid = SECINITSID_UNLABELED;
5129 sksec->sid = SECINITSID_UNLABELED;
5130 sksec->sclass = SECCLASS_SOCKET;
5131 selinux_netlbl_sk_security_reset(sksec);
5132 sk->sk_security = sksec;
5137 static void selinux_sk_free_security(struct sock *sk)
5139 struct sk_security_struct *sksec = sk->sk_security;
5141 sk->sk_security = NULL;
5142 selinux_netlbl_sk_security_free(sksec);
5146 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5148 struct sk_security_struct *sksec = sk->sk_security;
5149 struct sk_security_struct *newsksec = newsk->sk_security;
5151 newsksec->sid = sksec->sid;
5152 newsksec->peer_sid = sksec->peer_sid;
5153 newsksec->sclass = sksec->sclass;
5155 selinux_netlbl_sk_security_reset(newsksec);
5158 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5161 *secid = SECINITSID_ANY_SOCKET;
5163 struct sk_security_struct *sksec = sk->sk_security;
5165 *secid = sksec->sid;
5169 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5171 struct inode_security_struct *isec =
5172 inode_security_novalidate(SOCK_INODE(parent));
5173 struct sk_security_struct *sksec = sk->sk_security;
5175 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5176 sk->sk_family == PF_UNIX)
5177 isec->sid = sksec->sid;
5178 sksec->sclass = isec->sclass;
5181 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5182 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5185 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5186 struct sk_buff *skb)
5188 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5189 struct common_audit_data ad;
5190 struct lsm_network_audit net = {0,};
5192 u32 peer_sid = SECINITSID_UNLABELED;
5196 if (!selinux_policycap_extsockclass())
5199 peerlbl_active = selinux_peerlbl_enabled();
5201 if (peerlbl_active) {
5202 /* This will return peer_sid = SECSID_NULL if there are
5203 * no peer labels, see security_net_peersid_resolve().
5205 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5210 if (peer_sid == SECSID_NULL)
5211 peer_sid = SECINITSID_UNLABELED;
5214 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5215 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5217 /* Here as first association on socket. As the peer SID
5218 * was allowed by peer recv (and the netif/node checks),
5219 * then it is approved by policy and used as the primary
5220 * peer SID for getpeercon(3).
5222 sksec->peer_sid = peer_sid;
5223 } else if (sksec->peer_sid != peer_sid) {
5224 /* Other association peer SIDs are checked to enforce
5225 * consistency among the peer SIDs.
5227 ad.type = LSM_AUDIT_DATA_NET;
5229 ad.u.net->sk = ep->base.sk;
5230 err = avc_has_perm(&selinux_state,
5231 sksec->peer_sid, peer_sid, sksec->sclass,
5232 SCTP_SOCKET__ASSOCIATION, &ad);
5237 /* Compute the MLS component for the connection and store
5238 * the information in ep. This will be used by SCTP TCP type
5239 * sockets and peeled off connections as they cause a new
5240 * socket to be generated. selinux_sctp_sk_clone() will then
5241 * plug this into the new socket.
5243 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5247 ep->secid = conn_sid;
5248 ep->peer_secid = peer_sid;
5250 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5251 return selinux_netlbl_sctp_assoc_request(ep, skb);
5254 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5255 * based on their @optname.
5257 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5258 struct sockaddr *address,
5261 int len, err = 0, walk_size = 0;
5263 struct sockaddr *addr;
5264 struct socket *sock;
5266 if (!selinux_policycap_extsockclass())
5269 /* Process one or more addresses that may be IPv4 or IPv6 */
5270 sock = sk->sk_socket;
5273 while (walk_size < addrlen) {
5275 switch (addr->sa_family) {
5277 len = sizeof(struct sockaddr_in);
5280 len = sizeof(struct sockaddr_in6);
5283 return -EAFNOSUPPORT;
5289 case SCTP_PRIMARY_ADDR:
5290 case SCTP_SET_PEER_PRIMARY_ADDR:
5291 case SCTP_SOCKOPT_BINDX_ADD:
5292 err = selinux_socket_bind(sock, addr, len);
5294 /* Connect checks */
5295 case SCTP_SOCKOPT_CONNECTX:
5296 case SCTP_PARAM_SET_PRIMARY:
5297 case SCTP_PARAM_ADD_IP:
5298 case SCTP_SENDMSG_CONNECT:
5299 err = selinux_socket_connect_helper(sock, addr, len);
5303 /* As selinux_sctp_bind_connect() is called by the
5304 * SCTP protocol layer, the socket is already locked,
5305 * therefore selinux_netlbl_socket_connect_locked() is
5306 * is called here. The situations handled are:
5307 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5308 * whenever a new IP address is added or when a new
5309 * primary address is selected.
5310 * Note that an SCTP connect(2) call happens before
5311 * the SCTP protocol layer and is handled via
5312 * selinux_socket_connect().
5314 err = selinux_netlbl_socket_connect_locked(sk, addr);
5328 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5329 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5332 struct sk_security_struct *sksec = sk->sk_security;
5333 struct sk_security_struct *newsksec = newsk->sk_security;
5335 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5336 * the non-sctp clone version.
5338 if (!selinux_policycap_extsockclass())
5339 return selinux_sk_clone_security(sk, newsk);
5341 newsksec->sid = ep->secid;
5342 newsksec->peer_sid = ep->peer_secid;
5343 newsksec->sclass = sksec->sclass;
5344 selinux_netlbl_sctp_sk_clone(sk, newsk);
5347 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5348 struct request_sock *req)
5350 struct sk_security_struct *sksec = sk->sk_security;
5352 u16 family = req->rsk_ops->family;
5356 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5359 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5362 req->secid = connsid;
5363 req->peer_secid = peersid;
5365 return selinux_netlbl_inet_conn_request(req, family);
5368 static void selinux_inet_csk_clone(struct sock *newsk,
5369 const struct request_sock *req)
5371 struct sk_security_struct *newsksec = newsk->sk_security;
5373 newsksec->sid = req->secid;
5374 newsksec->peer_sid = req->peer_secid;
5375 /* NOTE: Ideally, we should also get the isec->sid for the
5376 new socket in sync, but we don't have the isec available yet.
5377 So we will wait until sock_graft to do it, by which
5378 time it will have been created and available. */
5380 /* We don't need to take any sort of lock here as we are the only
5381 * thread with access to newsksec */
5382 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5385 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5387 u16 family = sk->sk_family;
5388 struct sk_security_struct *sksec = sk->sk_security;
5390 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5391 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5394 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5397 static int selinux_secmark_relabel_packet(u32 sid)
5399 const struct task_security_struct *__tsec;
5402 __tsec = current_security();
5405 return avc_has_perm(&selinux_state,
5406 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5410 static void selinux_secmark_refcount_inc(void)
5412 atomic_inc(&selinux_secmark_refcount);
5415 static void selinux_secmark_refcount_dec(void)
5417 atomic_dec(&selinux_secmark_refcount);
5420 static void selinux_req_classify_flow(const struct request_sock *req,
5423 fl->flowi_secid = req->secid;
5426 static int selinux_tun_dev_alloc_security(void **security)
5428 struct tun_security_struct *tunsec;
5430 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5433 tunsec->sid = current_sid();
5439 static void selinux_tun_dev_free_security(void *security)
5444 static int selinux_tun_dev_create(void)
5446 u32 sid = current_sid();
5448 /* we aren't taking into account the "sockcreate" SID since the socket
5449 * that is being created here is not a socket in the traditional sense,
5450 * instead it is a private sock, accessible only to the kernel, and
5451 * representing a wide range of network traffic spanning multiple
5452 * connections unlike traditional sockets - check the TUN driver to
5453 * get a better understanding of why this socket is special */
5455 return avc_has_perm(&selinux_state,
5456 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5460 static int selinux_tun_dev_attach_queue(void *security)
5462 struct tun_security_struct *tunsec = security;
5464 return avc_has_perm(&selinux_state,
5465 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5466 TUN_SOCKET__ATTACH_QUEUE, NULL);
5469 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5471 struct tun_security_struct *tunsec = security;
5472 struct sk_security_struct *sksec = sk->sk_security;
5474 /* we don't currently perform any NetLabel based labeling here and it
5475 * isn't clear that we would want to do so anyway; while we could apply
5476 * labeling without the support of the TUN user the resulting labeled
5477 * traffic from the other end of the connection would almost certainly
5478 * cause confusion to the TUN user that had no idea network labeling
5479 * protocols were being used */
5481 sksec->sid = tunsec->sid;
5482 sksec->sclass = SECCLASS_TUN_SOCKET;
5487 static int selinux_tun_dev_open(void *security)
5489 struct tun_security_struct *tunsec = security;
5490 u32 sid = current_sid();
5493 err = avc_has_perm(&selinux_state,
5494 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5495 TUN_SOCKET__RELABELFROM, NULL);
5498 err = avc_has_perm(&selinux_state,
5499 sid, sid, SECCLASS_TUN_SOCKET,
5500 TUN_SOCKET__RELABELTO, NULL);
5508 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5512 struct nlmsghdr *nlh;
5513 struct sk_security_struct *sksec = sk->sk_security;
5515 if (skb->len < NLMSG_HDRLEN) {
5519 nlh = nlmsg_hdr(skb);
5521 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5523 if (err == -EINVAL) {
5524 pr_warn_ratelimited("SELinux: unrecognized netlink"
5525 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5526 " pig=%d comm=%s\n",
5527 sk->sk_protocol, nlh->nlmsg_type,
5528 secclass_map[sksec->sclass - 1].name,
5529 task_pid_nr(current), current->comm);
5530 if (!enforcing_enabled(&selinux_state) ||
5531 security_get_allow_unknown(&selinux_state))
5541 err = sock_has_perm(sk, perm);
5546 #ifdef CONFIG_NETFILTER
5548 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5549 const struct net_device *indev,
5555 struct common_audit_data ad;
5556 struct lsm_network_audit net = {0,};
5561 if (!selinux_policycap_netpeer())
5564 secmark_active = selinux_secmark_enabled();
5565 netlbl_active = netlbl_enabled();
5566 peerlbl_active = selinux_peerlbl_enabled();
5567 if (!secmark_active && !peerlbl_active)
5570 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5573 ad.type = LSM_AUDIT_DATA_NET;
5575 ad.u.net->netif = indev->ifindex;
5576 ad.u.net->family = family;
5577 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5580 if (peerlbl_active) {
5581 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5582 addrp, family, peer_sid, &ad);
5584 selinux_netlbl_err(skb, family, err, 1);
5590 if (avc_has_perm(&selinux_state,
5591 peer_sid, skb->secmark,
5592 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5596 /* we do this in the FORWARD path and not the POST_ROUTING
5597 * path because we want to make sure we apply the necessary
5598 * labeling before IPsec is applied so we can leverage AH
5600 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5606 static unsigned int selinux_ipv4_forward(void *priv,
5607 struct sk_buff *skb,
5608 const struct nf_hook_state *state)
5610 return selinux_ip_forward(skb, state->in, PF_INET);
5613 #if IS_ENABLED(CONFIG_IPV6)
5614 static unsigned int selinux_ipv6_forward(void *priv,
5615 struct sk_buff *skb,
5616 const struct nf_hook_state *state)
5618 return selinux_ip_forward(skb, state->in, PF_INET6);
5622 static unsigned int selinux_ip_output(struct sk_buff *skb,
5628 if (!netlbl_enabled())
5631 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5632 * because we want to make sure we apply the necessary labeling
5633 * before IPsec is applied so we can leverage AH protection */
5636 struct sk_security_struct *sksec;
5638 if (sk_listener(sk))
5639 /* if the socket is the listening state then this
5640 * packet is a SYN-ACK packet which means it needs to
5641 * be labeled based on the connection/request_sock and
5642 * not the parent socket. unfortunately, we can't
5643 * lookup the request_sock yet as it isn't queued on
5644 * the parent socket until after the SYN-ACK is sent.
5645 * the "solution" is to simply pass the packet as-is
5646 * as any IP option based labeling should be copied
5647 * from the initial connection request (in the IP
5648 * layer). it is far from ideal, but until we get a
5649 * security label in the packet itself this is the
5650 * best we can do. */
5653 /* standard practice, label using the parent socket */
5654 sksec = sk->sk_security;
5657 sid = SECINITSID_KERNEL;
5658 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5664 static unsigned int selinux_ipv4_output(void *priv,
5665 struct sk_buff *skb,
5666 const struct nf_hook_state *state)
5668 return selinux_ip_output(skb, PF_INET);
5671 #if IS_ENABLED(CONFIG_IPV6)
5672 static unsigned int selinux_ipv6_output(void *priv,
5673 struct sk_buff *skb,
5674 const struct nf_hook_state *state)
5676 return selinux_ip_output(skb, PF_INET6);
5680 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5684 struct sock *sk = skb_to_full_sk(skb);
5685 struct sk_security_struct *sksec;
5686 struct common_audit_data ad;
5687 struct lsm_network_audit net = {0,};
5693 sksec = sk->sk_security;
5695 ad.type = LSM_AUDIT_DATA_NET;
5697 ad.u.net->netif = ifindex;
5698 ad.u.net->family = family;
5699 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5702 if (selinux_secmark_enabled())
5703 if (avc_has_perm(&selinux_state,
5704 sksec->sid, skb->secmark,
5705 SECCLASS_PACKET, PACKET__SEND, &ad))
5706 return NF_DROP_ERR(-ECONNREFUSED);
5708 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5709 return NF_DROP_ERR(-ECONNREFUSED);
5714 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5715 const struct net_device *outdev,
5720 int ifindex = outdev->ifindex;
5722 struct common_audit_data ad;
5723 struct lsm_network_audit net = {0,};
5728 /* If any sort of compatibility mode is enabled then handoff processing
5729 * to the selinux_ip_postroute_compat() function to deal with the
5730 * special handling. We do this in an attempt to keep this function
5731 * as fast and as clean as possible. */
5732 if (!selinux_policycap_netpeer())
5733 return selinux_ip_postroute_compat(skb, ifindex, family);
5735 secmark_active = selinux_secmark_enabled();
5736 peerlbl_active = selinux_peerlbl_enabled();
5737 if (!secmark_active && !peerlbl_active)
5740 sk = skb_to_full_sk(skb);
5743 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5744 * packet transformation so allow the packet to pass without any checks
5745 * since we'll have another chance to perform access control checks
5746 * when the packet is on it's final way out.
5747 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5748 * is NULL, in this case go ahead and apply access control.
5749 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5750 * TCP listening state we cannot wait until the XFRM processing
5751 * is done as we will miss out on the SA label if we do;
5752 * unfortunately, this means more work, but it is only once per
5754 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5755 !(sk && sk_listener(sk)))
5760 /* Without an associated socket the packet is either coming
5761 * from the kernel or it is being forwarded; check the packet
5762 * to determine which and if the packet is being forwarded
5763 * query the packet directly to determine the security label. */
5765 secmark_perm = PACKET__FORWARD_OUT;
5766 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5769 secmark_perm = PACKET__SEND;
5770 peer_sid = SECINITSID_KERNEL;
5772 } else if (sk_listener(sk)) {
5773 /* Locally generated packet but the associated socket is in the
5774 * listening state which means this is a SYN-ACK packet. In
5775 * this particular case the correct security label is assigned
5776 * to the connection/request_sock but unfortunately we can't
5777 * query the request_sock as it isn't queued on the parent
5778 * socket until after the SYN-ACK packet is sent; the only
5779 * viable choice is to regenerate the label like we do in
5780 * selinux_inet_conn_request(). See also selinux_ip_output()
5781 * for similar problems. */
5783 struct sk_security_struct *sksec;
5785 sksec = sk->sk_security;
5786 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5788 /* At this point, if the returned skb peerlbl is SECSID_NULL
5789 * and the packet has been through at least one XFRM
5790 * transformation then we must be dealing with the "final"
5791 * form of labeled IPsec packet; since we've already applied
5792 * all of our access controls on this packet we can safely
5793 * pass the packet. */
5794 if (skb_sid == SECSID_NULL) {
5797 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5801 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5805 return NF_DROP_ERR(-ECONNREFUSED);
5808 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5810 secmark_perm = PACKET__SEND;
5812 /* Locally generated packet, fetch the security label from the
5813 * associated socket. */
5814 struct sk_security_struct *sksec = sk->sk_security;
5815 peer_sid = sksec->sid;
5816 secmark_perm = PACKET__SEND;
5819 ad.type = LSM_AUDIT_DATA_NET;
5821 ad.u.net->netif = ifindex;
5822 ad.u.net->family = family;
5823 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5827 if (avc_has_perm(&selinux_state,
5828 peer_sid, skb->secmark,
5829 SECCLASS_PACKET, secmark_perm, &ad))
5830 return NF_DROP_ERR(-ECONNREFUSED);
5832 if (peerlbl_active) {
5836 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5838 if (avc_has_perm(&selinux_state,
5840 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5841 return NF_DROP_ERR(-ECONNREFUSED);
5843 if (sel_netnode_sid(addrp, family, &node_sid))
5845 if (avc_has_perm(&selinux_state,
5847 SECCLASS_NODE, NODE__SENDTO, &ad))
5848 return NF_DROP_ERR(-ECONNREFUSED);
5854 static unsigned int selinux_ipv4_postroute(void *priv,
5855 struct sk_buff *skb,
5856 const struct nf_hook_state *state)
5858 return selinux_ip_postroute(skb, state->out, PF_INET);
5861 #if IS_ENABLED(CONFIG_IPV6)
5862 static unsigned int selinux_ipv6_postroute(void *priv,
5863 struct sk_buff *skb,
5864 const struct nf_hook_state *state)
5866 return selinux_ip_postroute(skb, state->out, PF_INET6);
5870 #endif /* CONFIG_NETFILTER */
5872 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5874 return selinux_nlmsg_perm(sk, skb);
5877 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5880 struct ipc_security_struct *isec;
5882 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5886 isec->sclass = sclass;
5887 isec->sid = current_sid();
5888 perm->security = isec;
5893 static void ipc_free_security(struct kern_ipc_perm *perm)
5895 struct ipc_security_struct *isec = perm->security;
5896 perm->security = NULL;
5900 static int msg_msg_alloc_security(struct msg_msg *msg)
5902 struct msg_security_struct *msec;
5904 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5908 msec->sid = SECINITSID_UNLABELED;
5909 msg->security = msec;
5914 static void msg_msg_free_security(struct msg_msg *msg)
5916 struct msg_security_struct *msec = msg->security;
5918 msg->security = NULL;
5922 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5925 struct ipc_security_struct *isec;
5926 struct common_audit_data ad;
5927 u32 sid = current_sid();
5929 isec = ipc_perms->security;
5931 ad.type = LSM_AUDIT_DATA_IPC;
5932 ad.u.ipc_id = ipc_perms->key;
5934 return avc_has_perm(&selinux_state,
5935 sid, isec->sid, isec->sclass, perms, &ad);
5938 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5940 return msg_msg_alloc_security(msg);
5943 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5945 msg_msg_free_security(msg);
5948 /* message queue security operations */
5949 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5951 struct ipc_security_struct *isec;
5952 struct common_audit_data ad;
5953 u32 sid = current_sid();
5956 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
5960 isec = msq->q_perm.security;
5962 ad.type = LSM_AUDIT_DATA_IPC;
5963 ad.u.ipc_id = msq->q_perm.key;
5965 rc = avc_has_perm(&selinux_state,
5966 sid, isec->sid, SECCLASS_MSGQ,
5969 ipc_free_security(&msq->q_perm);
5975 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5977 ipc_free_security(&msq->q_perm);
5980 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5982 struct ipc_security_struct *isec;
5983 struct common_audit_data ad;
5984 u32 sid = current_sid();
5986 isec = msq->q_perm.security;
5988 ad.type = LSM_AUDIT_DATA_IPC;
5989 ad.u.ipc_id = msq->q_perm.key;
5991 return avc_has_perm(&selinux_state,
5992 sid, isec->sid, SECCLASS_MSGQ,
5993 MSGQ__ASSOCIATE, &ad);
5996 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
6004 /* No specific object, just general system-wide information. */
6005 return avc_has_perm(&selinux_state,
6006 current_sid(), SECINITSID_KERNEL,
6007 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6010 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6013 perms = MSGQ__SETATTR;
6016 perms = MSGQ__DESTROY;
6022 err = ipc_has_perm(&msq->q_perm, perms);
6026 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
6028 struct ipc_security_struct *isec;
6029 struct msg_security_struct *msec;
6030 struct common_audit_data ad;
6031 u32 sid = current_sid();
6034 isec = msq->q_perm.security;
6035 msec = msg->security;
6038 * First time through, need to assign label to the message
6040 if (msec->sid == SECINITSID_UNLABELED) {
6042 * Compute new sid based on current process and
6043 * message queue this message will be stored in
6045 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6046 SECCLASS_MSG, NULL, &msec->sid);
6051 ad.type = LSM_AUDIT_DATA_IPC;
6052 ad.u.ipc_id = msq->q_perm.key;
6054 /* Can this process write to the queue? */
6055 rc = avc_has_perm(&selinux_state,
6056 sid, isec->sid, SECCLASS_MSGQ,
6059 /* Can this process send the message */
6060 rc = avc_has_perm(&selinux_state,
6061 sid, msec->sid, SECCLASS_MSG,
6064 /* Can the message be put in the queue? */
6065 rc = avc_has_perm(&selinux_state,
6066 msec->sid, isec->sid, SECCLASS_MSGQ,
6067 MSGQ__ENQUEUE, &ad);
6072 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
6073 struct task_struct *target,
6074 long type, int mode)
6076 struct ipc_security_struct *isec;
6077 struct msg_security_struct *msec;
6078 struct common_audit_data ad;
6079 u32 sid = task_sid(target);
6082 isec = msq->q_perm.security;
6083 msec = msg->security;
6085 ad.type = LSM_AUDIT_DATA_IPC;
6086 ad.u.ipc_id = msq->q_perm.key;
6088 rc = avc_has_perm(&selinux_state,
6090 SECCLASS_MSGQ, MSGQ__READ, &ad);
6092 rc = avc_has_perm(&selinux_state,
6094 SECCLASS_MSG, MSG__RECEIVE, &ad);
6098 /* Shared Memory security operations */
6099 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
6101 struct ipc_security_struct *isec;
6102 struct common_audit_data ad;
6103 u32 sid = current_sid();
6106 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
6110 isec = shp->shm_perm.security;
6112 ad.type = LSM_AUDIT_DATA_IPC;
6113 ad.u.ipc_id = shp->shm_perm.key;
6115 rc = avc_has_perm(&selinux_state,
6116 sid, isec->sid, SECCLASS_SHM,
6119 ipc_free_security(&shp->shm_perm);
6125 static void selinux_shm_free_security(struct shmid_kernel *shp)
6127 ipc_free_security(&shp->shm_perm);
6130 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
6132 struct ipc_security_struct *isec;
6133 struct common_audit_data ad;
6134 u32 sid = current_sid();
6136 isec = shp->shm_perm.security;
6138 ad.type = LSM_AUDIT_DATA_IPC;
6139 ad.u.ipc_id = shp->shm_perm.key;
6141 return avc_has_perm(&selinux_state,
6142 sid, isec->sid, SECCLASS_SHM,
6143 SHM__ASSOCIATE, &ad);
6146 /* Note, at this point, shp is locked down */
6147 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
6155 /* No specific object, just general system-wide information. */
6156 return avc_has_perm(&selinux_state,
6157 current_sid(), SECINITSID_KERNEL,
6158 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6161 perms = SHM__GETATTR | SHM__ASSOCIATE;
6164 perms = SHM__SETATTR;
6171 perms = SHM__DESTROY;
6177 err = ipc_has_perm(&shp->shm_perm, perms);
6181 static int selinux_shm_shmat(struct shmid_kernel *shp,
6182 char __user *shmaddr, int shmflg)
6186 if (shmflg & SHM_RDONLY)
6189 perms = SHM__READ | SHM__WRITE;
6191 return ipc_has_perm(&shp->shm_perm, perms);
6194 /* Semaphore security operations */
6195 static int selinux_sem_alloc_security(struct sem_array *sma)
6197 struct ipc_security_struct *isec;
6198 struct common_audit_data ad;
6199 u32 sid = current_sid();
6202 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
6206 isec = sma->sem_perm.security;
6208 ad.type = LSM_AUDIT_DATA_IPC;
6209 ad.u.ipc_id = sma->sem_perm.key;
6211 rc = avc_has_perm(&selinux_state,
6212 sid, isec->sid, SECCLASS_SEM,
6215 ipc_free_security(&sma->sem_perm);
6221 static void selinux_sem_free_security(struct sem_array *sma)
6223 ipc_free_security(&sma->sem_perm);
6226 static int selinux_sem_associate(struct sem_array *sma, int semflg)
6228 struct ipc_security_struct *isec;
6229 struct common_audit_data ad;
6230 u32 sid = current_sid();
6232 isec = sma->sem_perm.security;
6234 ad.type = LSM_AUDIT_DATA_IPC;
6235 ad.u.ipc_id = sma->sem_perm.key;
6237 return avc_has_perm(&selinux_state,
6238 sid, isec->sid, SECCLASS_SEM,
6239 SEM__ASSOCIATE, &ad);
6242 /* Note, at this point, sma is locked down */
6243 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
6251 /* No specific object, just general system-wide information. */
6252 return avc_has_perm(&selinux_state,
6253 current_sid(), SECINITSID_KERNEL,
6254 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6258 perms = SEM__GETATTR;
6269 perms = SEM__DESTROY;
6272 perms = SEM__SETATTR;
6276 perms = SEM__GETATTR | SEM__ASSOCIATE;
6282 err = ipc_has_perm(&sma->sem_perm, perms);
6286 static int selinux_sem_semop(struct sem_array *sma,
6287 struct sembuf *sops, unsigned nsops, int alter)
6292 perms = SEM__READ | SEM__WRITE;
6296 return ipc_has_perm(&sma->sem_perm, perms);
6299 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6305 av |= IPC__UNIX_READ;
6307 av |= IPC__UNIX_WRITE;
6312 return ipc_has_perm(ipcp, av);
6315 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6317 struct ipc_security_struct *isec = ipcp->security;
6321 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6324 inode_doinit_with_dentry(inode, dentry);
6327 static int selinux_getprocattr(struct task_struct *p,
6328 char *name, char **value)
6330 const struct task_security_struct *__tsec;
6336 __tsec = __task_cred(p)->security;
6339 error = avc_has_perm(&selinux_state,
6340 current_sid(), __tsec->sid,
6341 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6346 if (!strcmp(name, "current"))
6348 else if (!strcmp(name, "prev"))
6350 else if (!strcmp(name, "exec"))
6351 sid = __tsec->exec_sid;
6352 else if (!strcmp(name, "fscreate"))
6353 sid = __tsec->create_sid;
6354 else if (!strcmp(name, "keycreate"))
6355 sid = __tsec->keycreate_sid;
6356 else if (!strcmp(name, "sockcreate"))
6357 sid = __tsec->sockcreate_sid;
6367 error = security_sid_to_context(&selinux_state, sid, value, &len);
6377 static int selinux_setprocattr(const char *name, void *value, size_t size)
6379 struct task_security_struct *tsec;
6381 u32 mysid = current_sid(), sid = 0, ptsid;
6386 * Basic control over ability to set these attributes at all.
6388 if (!strcmp(name, "exec"))
6389 error = avc_has_perm(&selinux_state,
6390 mysid, mysid, SECCLASS_PROCESS,
6391 PROCESS__SETEXEC, NULL);
6392 else if (!strcmp(name, "fscreate"))
6393 error = avc_has_perm(&selinux_state,
6394 mysid, mysid, SECCLASS_PROCESS,
6395 PROCESS__SETFSCREATE, NULL);
6396 else if (!strcmp(name, "keycreate"))
6397 error = avc_has_perm(&selinux_state,
6398 mysid, mysid, SECCLASS_PROCESS,
6399 PROCESS__SETKEYCREATE, NULL);
6400 else if (!strcmp(name, "sockcreate"))
6401 error = avc_has_perm(&selinux_state,
6402 mysid, mysid, SECCLASS_PROCESS,
6403 PROCESS__SETSOCKCREATE, NULL);
6404 else if (!strcmp(name, "current"))
6405 error = avc_has_perm(&selinux_state,
6406 mysid, mysid, SECCLASS_PROCESS,
6407 PROCESS__SETCURRENT, NULL);
6413 /* Obtain a SID for the context, if one was specified. */
6414 if (size && str[0] && str[0] != '\n') {
6415 if (str[size-1] == '\n') {
6419 error = security_context_to_sid(&selinux_state, value, size,
6421 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6422 if (!has_cap_mac_admin(true)) {
6423 struct audit_buffer *ab;
6426 /* We strip a nul only if it is at the end, otherwise the
6427 * context contains a nul and we should audit that */
6428 if (str[size - 1] == '\0')
6429 audit_size = size - 1;
6432 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
6433 audit_log_format(ab, "op=fscreate invalid_context=");
6434 audit_log_n_untrustedstring(ab, value, audit_size);
6439 error = security_context_to_sid_force(
6447 new = prepare_creds();
6451 /* Permission checking based on the specified context is
6452 performed during the actual operation (execve,
6453 open/mkdir/...), when we know the full context of the
6454 operation. See selinux_bprm_set_creds for the execve
6455 checks and may_create for the file creation checks. The
6456 operation will then fail if the context is not permitted. */
6457 tsec = new->security;
6458 if (!strcmp(name, "exec")) {
6459 tsec->exec_sid = sid;
6460 } else if (!strcmp(name, "fscreate")) {
6461 tsec->create_sid = sid;
6462 } else if (!strcmp(name, "keycreate")) {
6463 error = avc_has_perm(&selinux_state,
6464 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6468 tsec->keycreate_sid = sid;
6469 } else if (!strcmp(name, "sockcreate")) {
6470 tsec->sockcreate_sid = sid;
6471 } else if (!strcmp(name, "current")) {
6476 /* Only allow single threaded processes to change context */
6478 if (!current_is_single_threaded()) {
6479 error = security_bounded_transition(&selinux_state,
6485 /* Check permissions for the transition. */
6486 error = avc_has_perm(&selinux_state,
6487 tsec->sid, sid, SECCLASS_PROCESS,
6488 PROCESS__DYNTRANSITION, NULL);
6492 /* Check for ptracing, and update the task SID if ok.
6493 Otherwise, leave SID unchanged and fail. */
6494 ptsid = ptrace_parent_sid();
6496 error = avc_has_perm(&selinux_state,
6497 ptsid, sid, SECCLASS_PROCESS,
6498 PROCESS__PTRACE, NULL);
6517 static int selinux_ismaclabel(const char *name)
6519 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6522 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6524 return security_sid_to_context(&selinux_state, secid,
6528 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6530 return security_context_to_sid(&selinux_state, secdata, seclen,
6534 static void selinux_release_secctx(char *secdata, u32 seclen)
6539 static void selinux_inode_invalidate_secctx(struct inode *inode)
6541 struct inode_security_struct *isec = inode->i_security;
6543 spin_lock(&isec->lock);
6544 isec->initialized = LABEL_INVALID;
6545 spin_unlock(&isec->lock);
6549 * called with inode->i_mutex locked
6551 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6553 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6557 * called with inode->i_mutex locked
6559 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6561 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6564 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6567 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6576 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6577 unsigned long flags)
6579 const struct task_security_struct *tsec;
6580 struct key_security_struct *ksec;
6582 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6586 tsec = cred->security;
6587 if (tsec->keycreate_sid)
6588 ksec->sid = tsec->keycreate_sid;
6590 ksec->sid = tsec->sid;
6596 static void selinux_key_free(struct key *k)
6598 struct key_security_struct *ksec = k->security;
6604 static int selinux_key_permission(key_ref_t key_ref,
6605 const struct cred *cred,
6609 struct key_security_struct *ksec;
6612 /* if no specific permissions are requested, we skip the
6613 permission check. No serious, additional covert channels
6614 appear to be created. */
6618 sid = cred_sid(cred);
6620 key = key_ref_to_ptr(key_ref);
6621 ksec = key->security;
6623 return avc_has_perm(&selinux_state,
6624 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6627 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6629 struct key_security_struct *ksec = key->security;
6630 char *context = NULL;
6634 rc = security_sid_to_context(&selinux_state, ksec->sid,
6643 #ifdef CONFIG_SECURITY_INFINIBAND
6644 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6646 struct common_audit_data ad;
6649 struct ib_security_struct *sec = ib_sec;
6650 struct lsm_ibpkey_audit ibpkey;
6652 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6656 ad.type = LSM_AUDIT_DATA_IBPKEY;
6657 ibpkey.subnet_prefix = subnet_prefix;
6658 ibpkey.pkey = pkey_val;
6659 ad.u.ibpkey = &ibpkey;
6660 return avc_has_perm(&selinux_state,
6662 SECCLASS_INFINIBAND_PKEY,
6663 INFINIBAND_PKEY__ACCESS, &ad);
6666 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6669 struct common_audit_data ad;
6672 struct ib_security_struct *sec = ib_sec;
6673 struct lsm_ibendport_audit ibendport;
6675 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6681 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6682 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6683 ibendport.port = port_num;
6684 ad.u.ibendport = &ibendport;
6685 return avc_has_perm(&selinux_state,
6687 SECCLASS_INFINIBAND_ENDPORT,
6688 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6691 static int selinux_ib_alloc_security(void **ib_sec)
6693 struct ib_security_struct *sec;
6695 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6698 sec->sid = current_sid();
6704 static void selinux_ib_free_security(void *ib_sec)
6710 #ifdef CONFIG_BPF_SYSCALL
6711 static int selinux_bpf(int cmd, union bpf_attr *attr,
6714 u32 sid = current_sid();
6718 case BPF_MAP_CREATE:
6719 ret = avc_has_perm(&selinux_state,
6720 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6724 ret = avc_has_perm(&selinux_state,
6725 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6736 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6740 if (fmode & FMODE_READ)
6741 av |= BPF__MAP_READ;
6742 if (fmode & FMODE_WRITE)
6743 av |= BPF__MAP_WRITE;
6747 /* This function will check the file pass through unix socket or binder to see
6748 * if it is a bpf related object. And apply correspinding checks on the bpf
6749 * object based on the type. The bpf maps and programs, not like other files and
6750 * socket, are using a shared anonymous inode inside the kernel as their inode.
6751 * So checking that inode cannot identify if the process have privilege to
6752 * access the bpf object and that's why we have to add this additional check in
6753 * selinux_file_receive and selinux_binder_transfer_files.
6755 static int bpf_fd_pass(struct file *file, u32 sid)
6757 struct bpf_security_struct *bpfsec;
6758 struct bpf_prog *prog;
6759 struct bpf_map *map;
6762 if (file->f_op == &bpf_map_fops) {
6763 map = file->private_data;
6764 bpfsec = map->security;
6765 ret = avc_has_perm(&selinux_state,
6766 sid, bpfsec->sid, SECCLASS_BPF,
6767 bpf_map_fmode_to_av(file->f_mode), NULL);
6770 } else if (file->f_op == &bpf_prog_fops) {
6771 prog = file->private_data;
6772 bpfsec = prog->aux->security;
6773 ret = avc_has_perm(&selinux_state,
6774 sid, bpfsec->sid, SECCLASS_BPF,
6775 BPF__PROG_RUN, NULL);
6782 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6784 u32 sid = current_sid();
6785 struct bpf_security_struct *bpfsec;
6787 bpfsec = map->security;
6788 return avc_has_perm(&selinux_state,
6789 sid, bpfsec->sid, SECCLASS_BPF,
6790 bpf_map_fmode_to_av(fmode), NULL);
6793 static int selinux_bpf_prog(struct bpf_prog *prog)
6795 u32 sid = current_sid();
6796 struct bpf_security_struct *bpfsec;
6798 bpfsec = prog->aux->security;
6799 return avc_has_perm(&selinux_state,
6800 sid, bpfsec->sid, SECCLASS_BPF,
6801 BPF__PROG_RUN, NULL);
6804 static int selinux_bpf_map_alloc(struct bpf_map *map)
6806 struct bpf_security_struct *bpfsec;
6808 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6812 bpfsec->sid = current_sid();
6813 map->security = bpfsec;
6818 static void selinux_bpf_map_free(struct bpf_map *map)
6820 struct bpf_security_struct *bpfsec = map->security;
6822 map->security = NULL;
6826 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6828 struct bpf_security_struct *bpfsec;
6830 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6834 bpfsec->sid = current_sid();
6835 aux->security = bpfsec;
6840 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6842 struct bpf_security_struct *bpfsec = aux->security;
6844 aux->security = NULL;
6849 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6850 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6851 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6852 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6853 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6855 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6856 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6857 LSM_HOOK_INIT(capget, selinux_capget),
6858 LSM_HOOK_INIT(capset, selinux_capset),
6859 LSM_HOOK_INIT(capable, selinux_capable),
6860 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6861 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6862 LSM_HOOK_INIT(syslog, selinux_syslog),
6863 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6865 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6867 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6868 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6869 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6871 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6872 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6873 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6874 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6875 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6876 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6877 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6878 LSM_HOOK_INIT(sb_mount, selinux_mount),
6879 LSM_HOOK_INIT(sb_umount, selinux_umount),
6880 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6881 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6882 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6884 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6885 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6887 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6888 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6889 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6890 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6891 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6892 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6893 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6894 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6895 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6896 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6897 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6898 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6899 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6900 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6901 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6902 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6903 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6904 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6905 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6906 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6907 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6908 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6909 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6910 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6911 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6912 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6913 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6915 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6916 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6917 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6918 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6919 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6920 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6921 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6922 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6923 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6924 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6925 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6926 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6928 LSM_HOOK_INIT(file_open, selinux_file_open),
6930 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6931 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6932 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6933 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6934 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6935 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6936 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6937 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6938 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6939 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6940 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6941 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6942 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6943 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6944 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6945 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6946 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6947 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6948 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6949 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6950 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6951 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6952 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6954 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6955 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6957 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6958 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6960 LSM_HOOK_INIT(msg_queue_alloc_security,
6961 selinux_msg_queue_alloc_security),
6962 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6963 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6964 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6965 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6966 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6968 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6969 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6970 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6971 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6972 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6974 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6975 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6976 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6977 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6978 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6980 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6982 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6983 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6985 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6986 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6987 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6988 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6989 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6990 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6991 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6992 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6994 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6995 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6997 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6998 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6999 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7000 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7001 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7002 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7003 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7004 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7005 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7006 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7007 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7008 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7009 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7010 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7011 LSM_HOOK_INIT(socket_getpeersec_stream,
7012 selinux_socket_getpeersec_stream),
7013 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7014 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7015 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7016 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7017 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7018 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7019 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7020 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7021 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7022 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7023 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7024 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7025 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7026 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7027 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7028 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7029 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7030 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7031 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7032 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7033 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7034 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7035 #ifdef CONFIG_SECURITY_INFINIBAND
7036 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7037 LSM_HOOK_INIT(ib_endport_manage_subnet,
7038 selinux_ib_endport_manage_subnet),
7039 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7040 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7042 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7043 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7044 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7045 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7046 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7047 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7048 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7049 selinux_xfrm_state_alloc_acquire),
7050 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7051 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7052 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7053 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7054 selinux_xfrm_state_pol_flow_match),
7055 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7059 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7060 LSM_HOOK_INIT(key_free, selinux_key_free),
7061 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7062 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7066 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7067 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7068 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7069 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7072 #ifdef CONFIG_BPF_SYSCALL
7073 LSM_HOOK_INIT(bpf, selinux_bpf),
7074 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7075 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7076 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7077 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7078 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7079 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7083 static __init int selinux_init(void)
7085 if (!security_module_enable("selinux")) {
7086 selinux_enabled = 0;
7090 if (!selinux_enabled) {
7091 printk(KERN_INFO "SELinux: Disabled at boot.\n");
7095 printk(KERN_INFO "SELinux: Initializing.\n");
7097 memset(&selinux_state, 0, sizeof(selinux_state));
7098 enforcing_set(&selinux_state, selinux_enforcing_boot);
7099 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7100 selinux_ss_init(&selinux_state.ss);
7101 selinux_avc_init(&selinux_state.avc);
7103 /* Set the security state for the initial task. */
7104 cred_init_security();
7106 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7108 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7109 sizeof(struct inode_security_struct),
7110 0, SLAB_PANIC, NULL);
7111 file_security_cache = kmem_cache_create("selinux_file_security",
7112 sizeof(struct file_security_struct),
7113 0, SLAB_PANIC, NULL);
7118 ebitmap_cache_init();
7120 hashtab_cache_init();
7122 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7124 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7125 panic("SELinux: Unable to register AVC netcache callback\n");
7127 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7128 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7130 if (selinux_enforcing_boot)
7131 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
7133 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
7138 static void delayed_superblock_init(struct super_block *sb, void *unused)
7140 superblock_doinit(sb, NULL);
7143 void selinux_complete_init(void)
7145 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
7147 /* Set up any superblocks initialized prior to the policy load. */
7148 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
7149 iterate_supers(delayed_superblock_init, NULL);
7152 /* SELinux requires early initialization in order to label
7153 all processes and objects when they are created. */
7154 security_initcall(selinux_init);
7156 #if defined(CONFIG_NETFILTER)
7158 static const struct nf_hook_ops selinux_nf_ops[] = {
7160 .hook = selinux_ipv4_postroute,
7162 .hooknum = NF_INET_POST_ROUTING,
7163 .priority = NF_IP_PRI_SELINUX_LAST,
7166 .hook = selinux_ipv4_forward,
7168 .hooknum = NF_INET_FORWARD,
7169 .priority = NF_IP_PRI_SELINUX_FIRST,
7172 .hook = selinux_ipv4_output,
7174 .hooknum = NF_INET_LOCAL_OUT,
7175 .priority = NF_IP_PRI_SELINUX_FIRST,
7177 #if IS_ENABLED(CONFIG_IPV6)
7179 .hook = selinux_ipv6_postroute,
7181 .hooknum = NF_INET_POST_ROUTING,
7182 .priority = NF_IP6_PRI_SELINUX_LAST,
7185 .hook = selinux_ipv6_forward,
7187 .hooknum = NF_INET_FORWARD,
7188 .priority = NF_IP6_PRI_SELINUX_FIRST,
7191 .hook = selinux_ipv6_output,
7193 .hooknum = NF_INET_LOCAL_OUT,
7194 .priority = NF_IP6_PRI_SELINUX_FIRST,
7199 static int __net_init selinux_nf_register(struct net *net)
7201 return nf_register_net_hooks(net, selinux_nf_ops,
7202 ARRAY_SIZE(selinux_nf_ops));
7205 static void __net_exit selinux_nf_unregister(struct net *net)
7207 nf_unregister_net_hooks(net, selinux_nf_ops,
7208 ARRAY_SIZE(selinux_nf_ops));
7211 static struct pernet_operations selinux_net_ops = {
7212 .init = selinux_nf_register,
7213 .exit = selinux_nf_unregister,
7216 static int __init selinux_nf_ip_init(void)
7220 if (!selinux_enabled)
7223 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
7225 err = register_pernet_subsys(&selinux_net_ops);
7227 panic("SELinux: register_pernet_subsys: error %d\n", err);
7231 __initcall(selinux_nf_ip_init);
7233 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7234 static void selinux_nf_ip_exit(void)
7236 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
7238 unregister_pernet_subsys(&selinux_net_ops);
7242 #else /* CONFIG_NETFILTER */
7244 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7245 #define selinux_nf_ip_exit()
7248 #endif /* CONFIG_NETFILTER */
7250 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7251 int selinux_disable(struct selinux_state *state)
7253 if (state->initialized) {
7254 /* Not permitted after initial policy load. */
7258 if (state->disabled) {
7259 /* Only do this once. */
7263 state->disabled = 1;
7265 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
7267 selinux_enabled = 0;
7269 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7271 /* Try to destroy the avc node cache */
7274 /* Unregister netfilter hooks. */
7275 selinux_nf_ip_exit();
7277 /* Unregister selinuxfs. */
projects / linux.git / blob