2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
103 struct selinux_state selinux_state;
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
111 static int __init enforcing_setup(char *str)
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
118 __setup("enforcing=", enforcing_setup);
120 #define selinux_enforcing_boot 1
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
126 static int __init selinux_enabled_setup(char *str)
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
133 __setup("selinux=", selinux_enabled_setup);
135 int selinux_enabled = 1;
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 static int __init checkreqprot_setup(char *str)
143 unsigned long checkreqprot;
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
149 __setup("checkreqprot=", checkreqprot_setup);
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
165 static int selinux_secmark_enabled(void)
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
181 static int selinux_peerlbl_enabled(void)
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
187 static int selinux_netcache_avc_callback(u32 event)
189 if (event == AVC_CALLBACK_RESET) {
198 static int selinux_lsm_notifier_avc_callback(u32 event)
200 if (event == AVC_CALLBACK_RESET) {
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
209 * initialise the security for the init task
211 static void cred_init_security(void)
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
218 panic("SELinux: Failed to initialize initial task.\n");
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
225 * get the security ID of a set of credentials
227 static inline u32 cred_sid(const struct cred *cred)
229 const struct task_security_struct *tsec;
231 tsec = cred->security;
236 * get the objective security ID of a task
238 static inline u32 task_sid(const struct task_struct *task)
243 sid = cred_sid(__task_cred(task));
248 /* Allocate and free functions for each kind of security blob. */
250 static int inode_alloc_security(struct inode *inode)
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
278 * when no dentry is available, set it to NULL instead.
280 static int __inode_security_revalidate(struct inode *inode,
281 struct dentry *opt_dentry,
284 struct inode_security_struct *isec = inode->i_security;
286 might_sleep_if(may_sleep);
288 if (selinux_state.initialized &&
289 isec->initialized != LABEL_INITIALIZED) {
294 * Try reloading the inode security label. This will fail if
295 * @opt_dentry is NULL and no dentry for this inode can be
296 * found; in that case, continue using the old label.
298 inode_doinit_with_dentry(inode, opt_dentry);
303 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
305 return inode->i_security;
308 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
312 error = __inode_security_revalidate(inode, NULL, !rcu);
314 return ERR_PTR(error);
315 return inode->i_security;
319 * Get the security label of an inode.
321 static struct inode_security_struct *inode_security(struct inode *inode)
323 __inode_security_revalidate(inode, NULL, true);
324 return inode->i_security;
327 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
329 struct inode *inode = d_backing_inode(dentry);
331 return inode->i_security;
335 * Get the security label of a dentry's backing inode.
337 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
339 struct inode *inode = d_backing_inode(dentry);
341 __inode_security_revalidate(inode, dentry, true);
342 return inode->i_security;
345 static void inode_free_rcu(struct rcu_head *head)
347 struct inode_security_struct *isec;
349 isec = container_of(head, struct inode_security_struct, rcu);
350 kmem_cache_free(sel_inode_cache, isec);
353 static void inode_free_security(struct inode *inode)
355 struct inode_security_struct *isec = inode->i_security;
356 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
359 * As not all inode security structures are in a list, we check for
360 * empty list outside of the lock to make sure that we won't waste
361 * time taking a lock doing nothing.
363 * The list_del_init() function can be safely called more than once.
364 * It should not be possible for this function to be called with
365 * concurrent list_add(), but for better safety against future changes
366 * in the code, we use list_empty_careful() here.
368 if (!list_empty_careful(&isec->list)) {
369 spin_lock(&sbsec->isec_lock);
370 list_del_init(&isec->list);
371 spin_unlock(&sbsec->isec_lock);
375 * The inode may still be referenced in a path walk and
376 * a call to selinux_inode_permission() can be made
377 * after inode_free_security() is called. Ideally, the VFS
378 * wouldn't do this, but fixing that is a much harder
379 * job. For now, simply free the i_security via RCU, and
380 * leave the current inode->i_security pointer intact.
381 * The inode will be freed after the RCU grace period too.
383 call_rcu(&isec->rcu, inode_free_rcu);
386 static int file_alloc_security(struct file *file)
388 struct file_security_struct *fsec;
389 u32 sid = current_sid();
391 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
396 fsec->fown_sid = sid;
397 file->f_security = fsec;
402 static void file_free_security(struct file *file)
404 struct file_security_struct *fsec = file->f_security;
405 file->f_security = NULL;
406 kmem_cache_free(file_security_cache, fsec);
409 static int superblock_alloc_security(struct super_block *sb)
411 struct superblock_security_struct *sbsec;
413 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
417 mutex_init(&sbsec->lock);
418 INIT_LIST_HEAD(&sbsec->isec_head);
419 spin_lock_init(&sbsec->isec_lock);
421 sbsec->sid = SECINITSID_UNLABELED;
422 sbsec->def_sid = SECINITSID_FILE;
423 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
424 sb->s_security = sbsec;
429 static void superblock_free_security(struct super_block *sb)
431 struct superblock_security_struct *sbsec = sb->s_security;
432 sb->s_security = NULL;
436 static inline int inode_doinit(struct inode *inode)
438 return inode_doinit_with_dentry(inode, NULL);
447 Opt_labelsupport = 5,
451 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
453 static const match_table_t tokens = {
454 {Opt_context, CONTEXT_STR "%s"},
455 {Opt_fscontext, FSCONTEXT_STR "%s"},
456 {Opt_defcontext, DEFCONTEXT_STR "%s"},
457 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
458 {Opt_labelsupport, LABELSUPP_STR},
462 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
464 static int may_context_mount_sb_relabel(u32 sid,
465 struct superblock_security_struct *sbsec,
466 const struct cred *cred)
468 const struct task_security_struct *tsec = cred->security;
471 rc = avc_has_perm(&selinux_state,
472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 FILESYSTEM__RELABELFROM, NULL);
477 rc = avc_has_perm(&selinux_state,
478 tsec->sid, sid, SECCLASS_FILESYSTEM,
479 FILESYSTEM__RELABELTO, NULL);
483 static int may_context_mount_inode_relabel(u32 sid,
484 struct superblock_security_struct *sbsec,
485 const struct cred *cred)
487 const struct task_security_struct *tsec = cred->security;
489 rc = avc_has_perm(&selinux_state,
490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
491 FILESYSTEM__RELABELFROM, NULL);
495 rc = avc_has_perm(&selinux_state,
496 sid, sbsec->sid, SECCLASS_FILESYSTEM,
497 FILESYSTEM__ASSOCIATE, NULL);
501 static int selinux_is_sblabel_mnt(struct super_block *sb)
503 struct superblock_security_struct *sbsec = sb->s_security;
505 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
506 sbsec->behavior == SECURITY_FS_USE_TRANS ||
507 sbsec->behavior == SECURITY_FS_USE_TASK ||
508 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
509 /* Special handling. Genfs but also in-core setxattr handler */
510 !strcmp(sb->s_type->name, "sysfs") ||
511 !strcmp(sb->s_type->name, "pstore") ||
512 !strcmp(sb->s_type->name, "debugfs") ||
513 !strcmp(sb->s_type->name, "tracefs") ||
514 !strcmp(sb->s_type->name, "rootfs") ||
515 (selinux_policycap_cgroupseclabel() &&
516 (!strcmp(sb->s_type->name, "cgroup") ||
517 !strcmp(sb->s_type->name, "cgroup2")));
520 static int sb_finish_set_opts(struct super_block *sb)
522 struct superblock_security_struct *sbsec = sb->s_security;
523 struct dentry *root = sb->s_root;
524 struct inode *root_inode = d_backing_inode(root);
527 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
528 /* Make sure that the xattr handler exists and that no
529 error other than -ENODATA is returned by getxattr on
530 the root directory. -ENODATA is ok, as this may be
531 the first boot of the SELinux kernel before we have
532 assigned xattr values to the filesystem. */
533 if (!(root_inode->i_opflags & IOP_XATTR)) {
534 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
535 "xattr support\n", sb->s_id, sb->s_type->name);
540 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
541 if (rc < 0 && rc != -ENODATA) {
542 if (rc == -EOPNOTSUPP)
543 printk(KERN_WARNING "SELinux: (dev %s, type "
544 "%s) has no security xattr handler\n",
545 sb->s_id, sb->s_type->name);
547 printk(KERN_WARNING "SELinux: (dev %s, type "
548 "%s) getxattr errno %d\n", sb->s_id,
549 sb->s_type->name, -rc);
554 sbsec->flags |= SE_SBINITIALIZED;
557 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
558 * leave the flag untouched because sb_clone_mnt_opts might be handing
559 * us a superblock that needs the flag to be cleared.
561 if (selinux_is_sblabel_mnt(sb))
562 sbsec->flags |= SBLABEL_MNT;
564 sbsec->flags &= ~SBLABEL_MNT;
566 /* Initialize the root inode. */
567 rc = inode_doinit_with_dentry(root_inode, root);
569 /* Initialize any other inodes associated with the superblock, e.g.
570 inodes created prior to initial policy load or inodes created
571 during get_sb by a pseudo filesystem that directly
573 spin_lock(&sbsec->isec_lock);
575 if (!list_empty(&sbsec->isec_head)) {
576 struct inode_security_struct *isec =
577 list_entry(sbsec->isec_head.next,
578 struct inode_security_struct, list);
579 struct inode *inode = isec->inode;
580 list_del_init(&isec->list);
581 spin_unlock(&sbsec->isec_lock);
582 inode = igrab(inode);
584 if (!IS_PRIVATE(inode))
588 spin_lock(&sbsec->isec_lock);
591 spin_unlock(&sbsec->isec_lock);
597 * This function should allow an FS to ask what it's mount security
598 * options were so it can use those later for submounts, displaying
599 * mount options, or whatever.
601 static int selinux_get_mnt_opts(const struct super_block *sb,
602 struct security_mnt_opts *opts)
605 struct superblock_security_struct *sbsec = sb->s_security;
606 char *context = NULL;
610 security_init_mnt_opts(opts);
612 if (!(sbsec->flags & SE_SBINITIALIZED))
615 if (!selinux_state.initialized)
618 /* make sure we always check enough bits to cover the mask */
619 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
621 tmp = sbsec->flags & SE_MNTMASK;
622 /* count the number of mount options for this sb */
623 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
625 opts->num_mnt_opts++;
628 /* Check if the Label support flag is set */
629 if (sbsec->flags & SBLABEL_MNT)
630 opts->num_mnt_opts++;
632 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
633 if (!opts->mnt_opts) {
638 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
639 if (!opts->mnt_opts_flags) {
645 if (sbsec->flags & FSCONTEXT_MNT) {
646 rc = security_sid_to_context(&selinux_state, sbsec->sid,
650 opts->mnt_opts[i] = context;
651 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
653 if (sbsec->flags & CONTEXT_MNT) {
654 rc = security_sid_to_context(&selinux_state,
659 opts->mnt_opts[i] = context;
660 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
662 if (sbsec->flags & DEFCONTEXT_MNT) {
663 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
667 opts->mnt_opts[i] = context;
668 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
670 if (sbsec->flags & ROOTCONTEXT_MNT) {
671 struct dentry *root = sbsec->sb->s_root;
672 struct inode_security_struct *isec = backing_inode_security(root);
674 rc = security_sid_to_context(&selinux_state, isec->sid,
678 opts->mnt_opts[i] = context;
679 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
681 if (sbsec->flags & SBLABEL_MNT) {
682 opts->mnt_opts[i] = NULL;
683 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
686 BUG_ON(i != opts->num_mnt_opts);
691 security_free_mnt_opts(opts);
695 static int bad_option(struct superblock_security_struct *sbsec, char flag,
696 u32 old_sid, u32 new_sid)
698 char mnt_flags = sbsec->flags & SE_MNTMASK;
700 /* check if the old mount command had the same options */
701 if (sbsec->flags & SE_SBINITIALIZED)
702 if (!(sbsec->flags & flag) ||
703 (old_sid != new_sid))
706 /* check if we were passed the same options twice,
707 * aka someone passed context=a,context=b
709 if (!(sbsec->flags & SE_SBINITIALIZED))
710 if (mnt_flags & flag)
716 * Allow filesystems with binary mount data to explicitly set mount point
717 * labeling information.
719 static int selinux_set_mnt_opts(struct super_block *sb,
720 struct security_mnt_opts *opts,
721 unsigned long kern_flags,
722 unsigned long *set_kern_flags)
724 const struct cred *cred = current_cred();
726 struct superblock_security_struct *sbsec = sb->s_security;
727 const char *name = sb->s_type->name;
728 struct dentry *root = sbsec->sb->s_root;
729 struct inode_security_struct *root_isec;
730 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
731 u32 defcontext_sid = 0;
732 char **mount_options = opts->mnt_opts;
733 int *flags = opts->mnt_opts_flags;
734 int num_opts = opts->num_mnt_opts;
736 mutex_lock(&sbsec->lock);
738 if (!selinux_state.initialized) {
740 /* Defer initialization until selinux_complete_init,
741 after the initial policy is loaded and the security
742 server is ready to handle calls. */
746 printk(KERN_WARNING "SELinux: Unable to set superblock options "
747 "before the security server is initialized\n");
750 if (kern_flags && !set_kern_flags) {
751 /* Specifying internal flags without providing a place to
752 * place the results is not allowed */
758 * Binary mount data FS will come through this function twice. Once
759 * from an explicit call and once from the generic calls from the vfs.
760 * Since the generic VFS calls will not contain any security mount data
761 * we need to skip the double mount verification.
763 * This does open a hole in which we will not notice if the first
764 * mount using this sb set explict options and a second mount using
765 * this sb does not set any security options. (The first options
766 * will be used for both mounts)
768 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
772 root_isec = backing_inode_security_novalidate(root);
775 * parse the mount options, check if they are valid sids.
776 * also check if someone is trying to mount the same sb more
777 * than once with different security options.
779 for (i = 0; i < num_opts; i++) {
782 if (flags[i] == SBLABEL_MNT)
784 rc = security_context_str_to_sid(&selinux_state,
785 mount_options[i], &sid,
788 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
789 "(%s) failed for (dev %s, type %s) errno=%d\n",
790 mount_options[i], sb->s_id, name, rc);
797 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
799 goto out_double_mount;
801 sbsec->flags |= FSCONTEXT_MNT;
806 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
808 goto out_double_mount;
810 sbsec->flags |= CONTEXT_MNT;
812 case ROOTCONTEXT_MNT:
813 rootcontext_sid = sid;
815 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
817 goto out_double_mount;
819 sbsec->flags |= ROOTCONTEXT_MNT;
823 defcontext_sid = sid;
825 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
827 goto out_double_mount;
829 sbsec->flags |= DEFCONTEXT_MNT;
838 if (sbsec->flags & SE_SBINITIALIZED) {
839 /* previously mounted with options, but not on this attempt? */
840 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
841 goto out_double_mount;
846 if (strcmp(sb->s_type->name, "proc") == 0)
847 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
849 if (!strcmp(sb->s_type->name, "debugfs") ||
850 !strcmp(sb->s_type->name, "tracefs") ||
851 !strcmp(sb->s_type->name, "sysfs") ||
852 !strcmp(sb->s_type->name, "pstore") ||
853 !strcmp(sb->s_type->name, "cgroup") ||
854 !strcmp(sb->s_type->name, "cgroup2"))
855 sbsec->flags |= SE_SBGENFS;
857 if (!sbsec->behavior) {
859 * Determine the labeling behavior to use for this
862 rc = security_fs_use(&selinux_state, sb);
865 "%s: security_fs_use(%s) returned %d\n",
866 __func__, sb->s_type->name, rc);
872 * If this is a user namespace mount and the filesystem type is not
873 * explicitly whitelisted, then no contexts are allowed on the command
874 * line and security labels must be ignored.
876 if (sb->s_user_ns != &init_user_ns &&
877 strcmp(sb->s_type->name, "tmpfs") &&
878 strcmp(sb->s_type->name, "ramfs") &&
879 strcmp(sb->s_type->name, "devpts")) {
880 if (context_sid || fscontext_sid || rootcontext_sid ||
885 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
886 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
887 rc = security_transition_sid(&selinux_state,
891 &sbsec->mntpoint_sid);
898 /* sets the context of the superblock for the fs being mounted. */
900 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
904 sbsec->sid = fscontext_sid;
908 * Switch to using mount point labeling behavior.
909 * sets the label used on all file below the mountpoint, and will set
910 * the superblock context if not already set.
912 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
913 sbsec->behavior = SECURITY_FS_USE_NATIVE;
914 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
918 if (!fscontext_sid) {
919 rc = may_context_mount_sb_relabel(context_sid, sbsec,
923 sbsec->sid = context_sid;
925 rc = may_context_mount_inode_relabel(context_sid, sbsec,
930 if (!rootcontext_sid)
931 rootcontext_sid = context_sid;
933 sbsec->mntpoint_sid = context_sid;
934 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
937 if (rootcontext_sid) {
938 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
943 root_isec->sid = rootcontext_sid;
944 root_isec->initialized = LABEL_INITIALIZED;
947 if (defcontext_sid) {
948 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
949 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
951 printk(KERN_WARNING "SELinux: defcontext option is "
952 "invalid for this filesystem type\n");
956 if (defcontext_sid != sbsec->def_sid) {
957 rc = may_context_mount_inode_relabel(defcontext_sid,
963 sbsec->def_sid = defcontext_sid;
967 rc = sb_finish_set_opts(sb);
969 mutex_unlock(&sbsec->lock);
973 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
974 "security settings for (dev %s, type %s)\n", sb->s_id, name);
978 static int selinux_cmp_sb_context(const struct super_block *oldsb,
979 const struct super_block *newsb)
981 struct superblock_security_struct *old = oldsb->s_security;
982 struct superblock_security_struct *new = newsb->s_security;
983 char oldflags = old->flags & SE_MNTMASK;
984 char newflags = new->flags & SE_MNTMASK;
986 if (oldflags != newflags)
988 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
990 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
992 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
994 if (oldflags & ROOTCONTEXT_MNT) {
995 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
996 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
997 if (oldroot->sid != newroot->sid)
1002 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
1003 "different security settings for (dev %s, "
1004 "type %s)\n", newsb->s_id, newsb->s_type->name);
1008 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1009 struct super_block *newsb,
1010 unsigned long kern_flags,
1011 unsigned long *set_kern_flags)
1014 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1015 struct superblock_security_struct *newsbsec = newsb->s_security;
1017 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1018 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1019 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1022 * if the parent was able to be mounted it clearly had no special lsm
1023 * mount options. thus we can safely deal with this superblock later
1025 if (!selinux_state.initialized)
1029 * Specifying internal flags without providing a place to
1030 * place the results is not allowed.
1032 if (kern_flags && !set_kern_flags)
1035 /* how can we clone if the old one wasn't set up?? */
1036 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1038 /* if fs is reusing a sb, make sure that the contexts match */
1039 if (newsbsec->flags & SE_SBINITIALIZED)
1040 return selinux_cmp_sb_context(oldsb, newsb);
1042 mutex_lock(&newsbsec->lock);
1044 newsbsec->flags = oldsbsec->flags;
1046 newsbsec->sid = oldsbsec->sid;
1047 newsbsec->def_sid = oldsbsec->def_sid;
1048 newsbsec->behavior = oldsbsec->behavior;
1050 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1051 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1052 rc = security_fs_use(&selinux_state, newsb);
1057 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1058 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1059 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1063 u32 sid = oldsbsec->mntpoint_sid;
1066 newsbsec->sid = sid;
1067 if (!set_rootcontext) {
1068 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1071 newsbsec->mntpoint_sid = sid;
1073 if (set_rootcontext) {
1074 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1075 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1077 newisec->sid = oldisec->sid;
1080 sb_finish_set_opts(newsb);
1082 mutex_unlock(&newsbsec->lock);
1086 static int selinux_parse_opts_str(char *options,
1087 struct security_mnt_opts *opts)
1090 char *context = NULL, *defcontext = NULL;
1091 char *fscontext = NULL, *rootcontext = NULL;
1092 int rc, num_mnt_opts = 0;
1094 opts->num_mnt_opts = 0;
1096 /* Standard string-based options. */
1097 while ((p = strsep(&options, "|")) != NULL) {
1099 substring_t args[MAX_OPT_ARGS];
1104 token = match_token(p, tokens, args);
1108 if (context || defcontext) {
1110 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1113 context = match_strdup(&args[0]);
1123 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1126 fscontext = match_strdup(&args[0]);
1133 case Opt_rootcontext:
1136 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1139 rootcontext = match_strdup(&args[0]);
1146 case Opt_defcontext:
1147 if (context || defcontext) {
1149 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1152 defcontext = match_strdup(&args[0]);
1158 case Opt_labelsupport:
1162 printk(KERN_WARNING "SELinux: unknown mount option\n");
1169 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1170 if (!opts->mnt_opts)
1173 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1175 if (!opts->mnt_opts_flags)
1179 opts->mnt_opts[num_mnt_opts] = fscontext;
1180 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1183 opts->mnt_opts[num_mnt_opts] = context;
1184 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1187 opts->mnt_opts[num_mnt_opts] = rootcontext;
1188 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1191 opts->mnt_opts[num_mnt_opts] = defcontext;
1192 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1195 opts->num_mnt_opts = num_mnt_opts;
1199 security_free_mnt_opts(opts);
1207 * string mount options parsing and call set the sbsec
1209 static int superblock_doinit(struct super_block *sb, void *data)
1212 char *options = data;
1213 struct security_mnt_opts opts;
1215 security_init_mnt_opts(&opts);
1220 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1222 rc = selinux_parse_opts_str(options, &opts);
1227 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1230 security_free_mnt_opts(&opts);
1234 static void selinux_write_opts(struct seq_file *m,
1235 struct security_mnt_opts *opts)
1240 for (i = 0; i < opts->num_mnt_opts; i++) {
1243 if (opts->mnt_opts[i])
1244 has_comma = strchr(opts->mnt_opts[i], ',');
1248 switch (opts->mnt_opts_flags[i]) {
1250 prefix = CONTEXT_STR;
1253 prefix = FSCONTEXT_STR;
1255 case ROOTCONTEXT_MNT:
1256 prefix = ROOTCONTEXT_STR;
1258 case DEFCONTEXT_MNT:
1259 prefix = DEFCONTEXT_STR;
1263 seq_puts(m, LABELSUPP_STR);
1269 /* we need a comma before each option */
1271 seq_puts(m, prefix);
1274 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1280 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1282 struct security_mnt_opts opts;
1285 rc = selinux_get_mnt_opts(sb, &opts);
1287 /* before policy load we may get EINVAL, don't show anything */
1293 selinux_write_opts(m, &opts);
1295 security_free_mnt_opts(&opts);
1300 static inline u16 inode_mode_to_security_class(umode_t mode)
1302 switch (mode & S_IFMT) {
1304 return SECCLASS_SOCK_FILE;
1306 return SECCLASS_LNK_FILE;
1308 return SECCLASS_FILE;
1310 return SECCLASS_BLK_FILE;
1312 return SECCLASS_DIR;
1314 return SECCLASS_CHR_FILE;
1316 return SECCLASS_FIFO_FILE;
1320 return SECCLASS_FILE;
1323 static inline int default_protocol_stream(int protocol)
1325 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1328 static inline int default_protocol_dgram(int protocol)
1330 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1333 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1335 int extsockclass = selinux_policycap_extsockclass();
1341 case SOCK_SEQPACKET:
1342 return SECCLASS_UNIX_STREAM_SOCKET;
1345 return SECCLASS_UNIX_DGRAM_SOCKET;
1352 case SOCK_SEQPACKET:
1353 if (default_protocol_stream(protocol))
1354 return SECCLASS_TCP_SOCKET;
1355 else if (extsockclass && protocol == IPPROTO_SCTP)
1356 return SECCLASS_SCTP_SOCKET;
1358 return SECCLASS_RAWIP_SOCKET;
1360 if (default_protocol_dgram(protocol))
1361 return SECCLASS_UDP_SOCKET;
1362 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1363 protocol == IPPROTO_ICMPV6))
1364 return SECCLASS_ICMP_SOCKET;
1366 return SECCLASS_RAWIP_SOCKET;
1368 return SECCLASS_DCCP_SOCKET;
1370 return SECCLASS_RAWIP_SOCKET;
1376 return SECCLASS_NETLINK_ROUTE_SOCKET;
1377 case NETLINK_SOCK_DIAG:
1378 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1380 return SECCLASS_NETLINK_NFLOG_SOCKET;
1382 return SECCLASS_NETLINK_XFRM_SOCKET;
1383 case NETLINK_SELINUX:
1384 return SECCLASS_NETLINK_SELINUX_SOCKET;
1386 return SECCLASS_NETLINK_ISCSI_SOCKET;
1388 return SECCLASS_NETLINK_AUDIT_SOCKET;
1389 case NETLINK_FIB_LOOKUP:
1390 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1391 case NETLINK_CONNECTOR:
1392 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1393 case NETLINK_NETFILTER:
1394 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1395 case NETLINK_DNRTMSG:
1396 return SECCLASS_NETLINK_DNRT_SOCKET;
1397 case NETLINK_KOBJECT_UEVENT:
1398 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1399 case NETLINK_GENERIC:
1400 return SECCLASS_NETLINK_GENERIC_SOCKET;
1401 case NETLINK_SCSITRANSPORT:
1402 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1404 return SECCLASS_NETLINK_RDMA_SOCKET;
1405 case NETLINK_CRYPTO:
1406 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1408 return SECCLASS_NETLINK_SOCKET;
1411 return SECCLASS_PACKET_SOCKET;
1413 return SECCLASS_KEY_SOCKET;
1415 return SECCLASS_APPLETALK_SOCKET;
1421 return SECCLASS_AX25_SOCKET;
1423 return SECCLASS_IPX_SOCKET;
1425 return SECCLASS_NETROM_SOCKET;
1427 return SECCLASS_ATMPVC_SOCKET;
1429 return SECCLASS_X25_SOCKET;
1431 return SECCLASS_ROSE_SOCKET;
1433 return SECCLASS_DECNET_SOCKET;
1435 return SECCLASS_ATMSVC_SOCKET;
1437 return SECCLASS_RDS_SOCKET;
1439 return SECCLASS_IRDA_SOCKET;
1441 return SECCLASS_PPPOX_SOCKET;
1443 return SECCLASS_LLC_SOCKET;
1445 return SECCLASS_CAN_SOCKET;
1447 return SECCLASS_TIPC_SOCKET;
1449 return SECCLASS_BLUETOOTH_SOCKET;
1451 return SECCLASS_IUCV_SOCKET;
1453 return SECCLASS_RXRPC_SOCKET;
1455 return SECCLASS_ISDN_SOCKET;
1457 return SECCLASS_PHONET_SOCKET;
1459 return SECCLASS_IEEE802154_SOCKET;
1461 return SECCLASS_CAIF_SOCKET;
1463 return SECCLASS_ALG_SOCKET;
1465 return SECCLASS_NFC_SOCKET;
1467 return SECCLASS_VSOCK_SOCKET;
1469 return SECCLASS_KCM_SOCKET;
1471 return SECCLASS_QIPCRTR_SOCKET;
1473 return SECCLASS_SMC_SOCKET;
1475 #error New address family defined, please update this function.
1480 return SECCLASS_SOCKET;
1483 static int selinux_genfs_get_sid(struct dentry *dentry,
1489 struct super_block *sb = dentry->d_sb;
1490 char *buffer, *path;
1492 buffer = (char *)__get_free_page(GFP_KERNEL);
1496 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1500 if (flags & SE_SBPROC) {
1501 /* each process gets a /proc/PID/ entry. Strip off the
1502 * PID part to get a valid selinux labeling.
1503 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1504 while (path[1] >= '0' && path[1] <= '9') {
1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1512 free_page((unsigned long)buffer);
1516 /* The inode's security attributes must be initialized before first use. */
1517 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1519 struct superblock_security_struct *sbsec = NULL;
1520 struct inode_security_struct *isec = inode->i_security;
1521 u32 task_sid, sid = 0;
1523 struct dentry *dentry;
1524 #define INITCONTEXTLEN 255
1525 char *context = NULL;
1529 if (isec->initialized == LABEL_INITIALIZED)
1532 spin_lock(&isec->lock);
1533 if (isec->initialized == LABEL_INITIALIZED)
1536 if (isec->sclass == SECCLASS_FILE)
1537 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1539 sbsec = inode->i_sb->s_security;
1540 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1541 /* Defer initialization until selinux_complete_init,
1542 after the initial policy is loaded and the security
1543 server is ready to handle calls. */
1544 spin_lock(&sbsec->isec_lock);
1545 if (list_empty(&isec->list))
1546 list_add(&isec->list, &sbsec->isec_head);
1547 spin_unlock(&sbsec->isec_lock);
1551 sclass = isec->sclass;
1552 task_sid = isec->task_sid;
1554 isec->initialized = LABEL_PENDING;
1555 spin_unlock(&isec->lock);
1557 switch (sbsec->behavior) {
1558 case SECURITY_FS_USE_NATIVE:
1560 case SECURITY_FS_USE_XATTR:
1561 if (!(inode->i_opflags & IOP_XATTR)) {
1562 sid = sbsec->def_sid;
1565 /* Need a dentry, since the xattr API requires one.
1566 Life would be simpler if we could just pass the inode. */
1568 /* Called from d_instantiate or d_splice_alias. */
1569 dentry = dget(opt_dentry);
1572 * Called from selinux_complete_init, try to find a dentry.
1573 * Some filesystems really want a connected one, so try
1574 * that first. We could split SECURITY_FS_USE_XATTR in
1575 * two, depending upon that...
1577 dentry = d_find_alias(inode);
1579 dentry = d_find_any_alias(inode);
1583 * this is can be hit on boot when a file is accessed
1584 * before the policy is loaded. When we load policy we
1585 * may find inodes that have no dentry on the
1586 * sbsec->isec_head list. No reason to complain as these
1587 * will get fixed up the next time we go through
1588 * inode_doinit with a dentry, before these inodes could
1589 * be used again by userspace.
1594 len = INITCONTEXTLEN;
1595 context = kmalloc(len+1, GFP_NOFS);
1601 context[len] = '\0';
1602 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1603 if (rc == -ERANGE) {
1606 /* Need a larger buffer. Query for the right size. */
1607 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1613 context = kmalloc(len+1, GFP_NOFS);
1619 context[len] = '\0';
1620 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1624 if (rc != -ENODATA) {
1625 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1626 "%d for dev=%s ino=%ld\n", __func__,
1627 -rc, inode->i_sb->s_id, inode->i_ino);
1631 /* Map ENODATA to the default file SID */
1632 sid = sbsec->def_sid;
1635 rc = security_context_to_sid_default(&selinux_state,
1640 char *dev = inode->i_sb->s_id;
1641 unsigned long ino = inode->i_ino;
1643 if (rc == -EINVAL) {
1644 if (printk_ratelimit())
1645 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1646 "context=%s. This indicates you may need to relabel the inode or the "
1647 "filesystem in question.\n", ino, dev, context);
1649 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1650 "returned %d for dev=%s ino=%ld\n",
1651 __func__, context, -rc, dev, ino);
1654 /* Leave with the unlabeled SID */
1661 case SECURITY_FS_USE_TASK:
1664 case SECURITY_FS_USE_TRANS:
1665 /* Default to the fs SID. */
1668 /* Try to obtain a transition SID. */
1669 rc = security_transition_sid(&selinux_state, task_sid, sid,
1670 sclass, NULL, &sid);
1674 case SECURITY_FS_USE_MNTPOINT:
1675 sid = sbsec->mntpoint_sid;
1678 /* Default to the fs superblock SID. */
1681 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1682 /* We must have a dentry to determine the label on
1685 /* Called from d_instantiate or
1686 * d_splice_alias. */
1687 dentry = dget(opt_dentry);
1689 /* Called from selinux_complete_init, try to
1690 * find a dentry. Some filesystems really want
1691 * a connected one, so try that first.
1693 dentry = d_find_alias(inode);
1695 dentry = d_find_any_alias(inode);
1698 * This can be hit on boot when a file is accessed
1699 * before the policy is loaded. When we load policy we
1700 * may find inodes that have no dentry on the
1701 * sbsec->isec_head list. No reason to complain as
1702 * these will get fixed up the next time we go through
1703 * inode_doinit() with a dentry, before these inodes
1704 * could be used again by userspace.
1708 rc = selinux_genfs_get_sid(dentry, sclass,
1709 sbsec->flags, &sid);
1718 spin_lock(&isec->lock);
1719 if (isec->initialized == LABEL_PENDING) {
1721 isec->initialized = LABEL_INVALID;
1725 isec->initialized = LABEL_INITIALIZED;
1730 spin_unlock(&isec->lock);
1734 /* Convert a Linux signal to an access vector. */
1735 static inline u32 signal_to_av(int sig)
1741 /* Commonly granted from child to parent. */
1742 perm = PROCESS__SIGCHLD;
1745 /* Cannot be caught or ignored */
1746 perm = PROCESS__SIGKILL;
1749 /* Cannot be caught or ignored */
1750 perm = PROCESS__SIGSTOP;
1753 /* All other signals. */
1754 perm = PROCESS__SIGNAL;
1761 #if CAP_LAST_CAP > 63
1762 #error Fix SELinux to handle capabilities > 63.
1765 /* Check whether a task is allowed to use a capability. */
1766 static int cred_has_capability(const struct cred *cred,
1767 int cap, int audit, bool initns)
1769 struct common_audit_data ad;
1770 struct av_decision avd;
1772 u32 sid = cred_sid(cred);
1773 u32 av = CAP_TO_MASK(cap);
1776 ad.type = LSM_AUDIT_DATA_CAP;
1779 switch (CAP_TO_INDEX(cap)) {
1781 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1784 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1788 "SELinux: out of range capability %d\n", cap);
1793 rc = avc_has_perm_noaudit(&selinux_state,
1794 sid, sid, sclass, av, 0, &avd);
1795 if (audit == SECURITY_CAP_AUDIT) {
1796 int rc2 = avc_audit(&selinux_state,
1797 sid, sid, sclass, av, &avd, rc, &ad, 0);
1804 /* Check whether a task has a particular permission to an inode.
1805 The 'adp' parameter is optional and allows other audit
1806 data to be passed (e.g. the dentry). */
1807 static int inode_has_perm(const struct cred *cred,
1808 struct inode *inode,
1810 struct common_audit_data *adp)
1812 struct inode_security_struct *isec;
1815 validate_creds(cred);
1817 if (unlikely(IS_PRIVATE(inode)))
1820 sid = cred_sid(cred);
1821 isec = inode->i_security;
1823 return avc_has_perm(&selinux_state,
1824 sid, isec->sid, isec->sclass, perms, adp);
1827 /* Same as inode_has_perm, but pass explicit audit data containing
1828 the dentry to help the auditing code to more easily generate the
1829 pathname if needed. */
1830 static inline int dentry_has_perm(const struct cred *cred,
1831 struct dentry *dentry,
1834 struct inode *inode = d_backing_inode(dentry);
1835 struct common_audit_data ad;
1837 ad.type = LSM_AUDIT_DATA_DENTRY;
1838 ad.u.dentry = dentry;
1839 __inode_security_revalidate(inode, dentry, true);
1840 return inode_has_perm(cred, inode, av, &ad);
1843 /* Same as inode_has_perm, but pass explicit audit data containing
1844 the path to help the auditing code to more easily generate the
1845 pathname if needed. */
1846 static inline int path_has_perm(const struct cred *cred,
1847 const struct path *path,
1850 struct inode *inode = d_backing_inode(path->dentry);
1851 struct common_audit_data ad;
1853 ad.type = LSM_AUDIT_DATA_PATH;
1855 __inode_security_revalidate(inode, path->dentry, true);
1856 return inode_has_perm(cred, inode, av, &ad);
1859 /* Same as path_has_perm, but uses the inode from the file struct. */
1860 static inline int file_path_has_perm(const struct cred *cred,
1864 struct common_audit_data ad;
1866 ad.type = LSM_AUDIT_DATA_FILE;
1868 return inode_has_perm(cred, file_inode(file), av, &ad);
1871 #ifdef CONFIG_BPF_SYSCALL
1872 static int bpf_fd_pass(struct file *file, u32 sid);
1875 /* Check whether a task can use an open file descriptor to
1876 access an inode in a given way. Check access to the
1877 descriptor itself, and then use dentry_has_perm to
1878 check a particular permission to the file.
1879 Access to the descriptor is implicitly granted if it
1880 has the same SID as the process. If av is zero, then
1881 access to the file is not checked, e.g. for cases
1882 where only the descriptor is affected like seek. */
1883 static int file_has_perm(const struct cred *cred,
1887 struct file_security_struct *fsec = file->f_security;
1888 struct inode *inode = file_inode(file);
1889 struct common_audit_data ad;
1890 u32 sid = cred_sid(cred);
1893 ad.type = LSM_AUDIT_DATA_FILE;
1896 if (sid != fsec->sid) {
1897 rc = avc_has_perm(&selinux_state,
1906 #ifdef CONFIG_BPF_SYSCALL
1907 rc = bpf_fd_pass(file, cred_sid(cred));
1912 /* av is zero if only checking access to the descriptor. */
1915 rc = inode_has_perm(cred, inode, av, &ad);
1922 * Determine the label for an inode that might be unioned.
1925 selinux_determine_inode_label(const struct task_security_struct *tsec,
1927 const struct qstr *name, u16 tclass,
1930 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1932 if ((sbsec->flags & SE_SBINITIALIZED) &&
1933 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1934 *_new_isid = sbsec->mntpoint_sid;
1935 } else if ((sbsec->flags & SBLABEL_MNT) &&
1937 *_new_isid = tsec->create_sid;
1939 const struct inode_security_struct *dsec = inode_security(dir);
1940 return security_transition_sid(&selinux_state, tsec->sid,
1948 /* Check whether a task can create a file. */
1949 static int may_create(struct inode *dir,
1950 struct dentry *dentry,
1953 const struct task_security_struct *tsec = current_security();
1954 struct inode_security_struct *dsec;
1955 struct superblock_security_struct *sbsec;
1957 struct common_audit_data ad;
1960 dsec = inode_security(dir);
1961 sbsec = dir->i_sb->s_security;
1965 ad.type = LSM_AUDIT_DATA_DENTRY;
1966 ad.u.dentry = dentry;
1968 rc = avc_has_perm(&selinux_state,
1969 sid, dsec->sid, SECCLASS_DIR,
1970 DIR__ADD_NAME | DIR__SEARCH,
1975 rc = selinux_determine_inode_label(current_security(), dir,
1976 &dentry->d_name, tclass, &newsid);
1980 rc = avc_has_perm(&selinux_state,
1981 sid, newsid, tclass, FILE__CREATE, &ad);
1985 return avc_has_perm(&selinux_state,
1987 SECCLASS_FILESYSTEM,
1988 FILESYSTEM__ASSOCIATE, &ad);
1992 #define MAY_UNLINK 1
1995 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1996 static int may_link(struct inode *dir,
1997 struct dentry *dentry,
2001 struct inode_security_struct *dsec, *isec;
2002 struct common_audit_data ad;
2003 u32 sid = current_sid();
2007 dsec = inode_security(dir);
2008 isec = backing_inode_security(dentry);
2010 ad.type = LSM_AUDIT_DATA_DENTRY;
2011 ad.u.dentry = dentry;
2014 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2015 rc = avc_has_perm(&selinux_state,
2016 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2031 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
2036 rc = avc_has_perm(&selinux_state,
2037 sid, isec->sid, isec->sclass, av, &ad);
2041 static inline int may_rename(struct inode *old_dir,
2042 struct dentry *old_dentry,
2043 struct inode *new_dir,
2044 struct dentry *new_dentry)
2046 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2047 struct common_audit_data ad;
2048 u32 sid = current_sid();
2050 int old_is_dir, new_is_dir;
2053 old_dsec = inode_security(old_dir);
2054 old_isec = backing_inode_security(old_dentry);
2055 old_is_dir = d_is_dir(old_dentry);
2056 new_dsec = inode_security(new_dir);
2058 ad.type = LSM_AUDIT_DATA_DENTRY;
2060 ad.u.dentry = old_dentry;
2061 rc = avc_has_perm(&selinux_state,
2062 sid, old_dsec->sid, SECCLASS_DIR,
2063 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2066 rc = avc_has_perm(&selinux_state,
2068 old_isec->sclass, FILE__RENAME, &ad);
2071 if (old_is_dir && new_dir != old_dir) {
2072 rc = avc_has_perm(&selinux_state,
2074 old_isec->sclass, DIR__REPARENT, &ad);
2079 ad.u.dentry = new_dentry;
2080 av = DIR__ADD_NAME | DIR__SEARCH;
2081 if (d_is_positive(new_dentry))
2082 av |= DIR__REMOVE_NAME;
2083 rc = avc_has_perm(&selinux_state,
2084 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2087 if (d_is_positive(new_dentry)) {
2088 new_isec = backing_inode_security(new_dentry);
2089 new_is_dir = d_is_dir(new_dentry);
2090 rc = avc_has_perm(&selinux_state,
2093 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2101 /* Check whether a task can perform a filesystem operation. */
2102 static int superblock_has_perm(const struct cred *cred,
2103 struct super_block *sb,
2105 struct common_audit_data *ad)
2107 struct superblock_security_struct *sbsec;
2108 u32 sid = cred_sid(cred);
2110 sbsec = sb->s_security;
2111 return avc_has_perm(&selinux_state,
2112 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2115 /* Convert a Linux mode and permission mask to an access vector. */
2116 static inline u32 file_mask_to_av(int mode, int mask)
2120 if (!S_ISDIR(mode)) {
2121 if (mask & MAY_EXEC)
2122 av |= FILE__EXECUTE;
2123 if (mask & MAY_READ)
2126 if (mask & MAY_APPEND)
2128 else if (mask & MAY_WRITE)
2132 if (mask & MAY_EXEC)
2134 if (mask & MAY_WRITE)
2136 if (mask & MAY_READ)
2143 /* Convert a Linux file to an access vector. */
2144 static inline u32 file_to_av(struct file *file)
2148 if (file->f_mode & FMODE_READ)
2150 if (file->f_mode & FMODE_WRITE) {
2151 if (file->f_flags & O_APPEND)
2158 * Special file opened with flags 3 for ioctl-only use.
2167 * Convert a file to an access vector and include the correct open
2170 static inline u32 open_file_to_av(struct file *file)
2172 u32 av = file_to_av(file);
2173 struct inode *inode = file_inode(file);
2175 if (selinux_policycap_openperm() &&
2176 inode->i_sb->s_magic != SOCKFS_MAGIC)
2182 /* Hook functions begin here. */
2184 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2186 u32 mysid = current_sid();
2187 u32 mgrsid = task_sid(mgr);
2189 return avc_has_perm(&selinux_state,
2190 mysid, mgrsid, SECCLASS_BINDER,
2191 BINDER__SET_CONTEXT_MGR, NULL);
2194 static int selinux_binder_transaction(struct task_struct *from,
2195 struct task_struct *to)
2197 u32 mysid = current_sid();
2198 u32 fromsid = task_sid(from);
2199 u32 tosid = task_sid(to);
2202 if (mysid != fromsid) {
2203 rc = avc_has_perm(&selinux_state,
2204 mysid, fromsid, SECCLASS_BINDER,
2205 BINDER__IMPERSONATE, NULL);
2210 return avc_has_perm(&selinux_state,
2211 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2215 static int selinux_binder_transfer_binder(struct task_struct *from,
2216 struct task_struct *to)
2218 u32 fromsid = task_sid(from);
2219 u32 tosid = task_sid(to);
2221 return avc_has_perm(&selinux_state,
2222 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2226 static int selinux_binder_transfer_file(struct task_struct *from,
2227 struct task_struct *to,
2230 u32 sid = task_sid(to);
2231 struct file_security_struct *fsec = file->f_security;
2232 struct dentry *dentry = file->f_path.dentry;
2233 struct inode_security_struct *isec;
2234 struct common_audit_data ad;
2237 ad.type = LSM_AUDIT_DATA_PATH;
2238 ad.u.path = file->f_path;
2240 if (sid != fsec->sid) {
2241 rc = avc_has_perm(&selinux_state,
2250 #ifdef CONFIG_BPF_SYSCALL
2251 rc = bpf_fd_pass(file, sid);
2256 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2259 isec = backing_inode_security(dentry);
2260 return avc_has_perm(&selinux_state,
2261 sid, isec->sid, isec->sclass, file_to_av(file),
2265 static int selinux_ptrace_access_check(struct task_struct *child,
2268 u32 sid = current_sid();
2269 u32 csid = task_sid(child);
2271 if (mode & PTRACE_MODE_READ)
2272 return avc_has_perm(&selinux_state,
2273 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2275 return avc_has_perm(&selinux_state,
2276 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2279 static int selinux_ptrace_traceme(struct task_struct *parent)
2281 return avc_has_perm(&selinux_state,
2282 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2283 PROCESS__PTRACE, NULL);
2286 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2287 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2289 return avc_has_perm(&selinux_state,
2290 current_sid(), task_sid(target), SECCLASS_PROCESS,
2291 PROCESS__GETCAP, NULL);
2294 static int selinux_capset(struct cred *new, const struct cred *old,
2295 const kernel_cap_t *effective,
2296 const kernel_cap_t *inheritable,
2297 const kernel_cap_t *permitted)
2299 return avc_has_perm(&selinux_state,
2300 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2301 PROCESS__SETCAP, NULL);
2305 * (This comment used to live with the selinux_task_setuid hook,
2306 * which was removed).
2308 * Since setuid only affects the current process, and since the SELinux
2309 * controls are not based on the Linux identity attributes, SELinux does not
2310 * need to control this operation. However, SELinux does control the use of
2311 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2314 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2317 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2320 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2322 const struct cred *cred = current_cred();
2334 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2339 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2342 rc = 0; /* let the kernel handle invalid cmds */
2348 static int selinux_quota_on(struct dentry *dentry)
2350 const struct cred *cred = current_cred();
2352 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2355 static int selinux_syslog(int type)
2358 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2359 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2360 return avc_has_perm(&selinux_state,
2361 current_sid(), SECINITSID_KERNEL,
2362 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2363 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2364 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2365 /* Set level of messages printed to console */
2366 case SYSLOG_ACTION_CONSOLE_LEVEL:
2367 return avc_has_perm(&selinux_state,
2368 current_sid(), SECINITSID_KERNEL,
2369 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2372 /* All other syslog types */
2373 return avc_has_perm(&selinux_state,
2374 current_sid(), SECINITSID_KERNEL,
2375 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2379 * Check that a process has enough memory to allocate a new virtual
2380 * mapping. 0 means there is enough memory for the allocation to
2381 * succeed and -ENOMEM implies there is not.
2383 * Do not audit the selinux permission check, as this is applied to all
2384 * processes that allocate mappings.
2386 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2388 int rc, cap_sys_admin = 0;
2390 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2391 SECURITY_CAP_NOAUDIT, true);
2395 return cap_sys_admin;
2398 /* binprm security operations */
2400 static u32 ptrace_parent_sid(void)
2403 struct task_struct *tracer;
2406 tracer = ptrace_parent(current);
2408 sid = task_sid(tracer);
2414 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2415 const struct task_security_struct *old_tsec,
2416 const struct task_security_struct *new_tsec)
2418 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2419 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2423 if (!nnp && !nosuid)
2424 return 0; /* neither NNP nor nosuid */
2426 if (new_tsec->sid == old_tsec->sid)
2427 return 0; /* No change in credentials */
2430 * If the policy enables the nnp_nosuid_transition policy capability,
2431 * then we permit transitions under NNP or nosuid if the
2432 * policy allows the corresponding permission between
2433 * the old and new contexts.
2435 if (selinux_policycap_nnp_nosuid_transition()) {
2438 av |= PROCESS2__NNP_TRANSITION;
2440 av |= PROCESS2__NOSUID_TRANSITION;
2441 rc = avc_has_perm(&selinux_state,
2442 old_tsec->sid, new_tsec->sid,
2443 SECCLASS_PROCESS2, av, NULL);
2449 * We also permit NNP or nosuid transitions to bounded SIDs,
2450 * i.e. SIDs that are guaranteed to only be allowed a subset
2451 * of the permissions of the current SID.
2453 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2459 * On failure, preserve the errno values for NNP vs nosuid.
2460 * NNP: Operation not permitted for caller.
2461 * nosuid: Permission denied to file.
2468 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2470 const struct task_security_struct *old_tsec;
2471 struct task_security_struct *new_tsec;
2472 struct inode_security_struct *isec;
2473 struct common_audit_data ad;
2474 struct inode *inode = file_inode(bprm->file);
2477 /* SELinux context only depends on initial program or script and not
2478 * the script interpreter */
2479 if (bprm->called_set_creds)
2482 old_tsec = current_security();
2483 new_tsec = bprm->cred->security;
2484 isec = inode_security(inode);
2486 /* Default to the current task SID. */
2487 new_tsec->sid = old_tsec->sid;
2488 new_tsec->osid = old_tsec->sid;
2490 /* Reset fs, key, and sock SIDs on execve. */
2491 new_tsec->create_sid = 0;
2492 new_tsec->keycreate_sid = 0;
2493 new_tsec->sockcreate_sid = 0;
2495 if (old_tsec->exec_sid) {
2496 new_tsec->sid = old_tsec->exec_sid;
2497 /* Reset exec SID on execve. */
2498 new_tsec->exec_sid = 0;
2500 /* Fail on NNP or nosuid if not an allowed transition. */
2501 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2505 /* Check for a default transition on this program. */
2506 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2507 isec->sid, SECCLASS_PROCESS, NULL,
2513 * Fallback to old SID on NNP or nosuid if not an allowed
2516 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2518 new_tsec->sid = old_tsec->sid;
2521 ad.type = LSM_AUDIT_DATA_FILE;
2522 ad.u.file = bprm->file;
2524 if (new_tsec->sid == old_tsec->sid) {
2525 rc = avc_has_perm(&selinux_state,
2526 old_tsec->sid, isec->sid,
2527 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2531 /* Check permissions for the transition. */
2532 rc = avc_has_perm(&selinux_state,
2533 old_tsec->sid, new_tsec->sid,
2534 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2538 rc = avc_has_perm(&selinux_state,
2539 new_tsec->sid, isec->sid,
2540 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2544 /* Check for shared state */
2545 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2546 rc = avc_has_perm(&selinux_state,
2547 old_tsec->sid, new_tsec->sid,
2548 SECCLASS_PROCESS, PROCESS__SHARE,
2554 /* Make sure that anyone attempting to ptrace over a task that
2555 * changes its SID has the appropriate permit */
2556 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2557 u32 ptsid = ptrace_parent_sid();
2559 rc = avc_has_perm(&selinux_state,
2560 ptsid, new_tsec->sid,
2562 PROCESS__PTRACE, NULL);
2568 /* Clear any possibly unsafe personality bits on exec: */
2569 bprm->per_clear |= PER_CLEAR_ON_SETID;
2571 /* Enable secure mode for SIDs transitions unless
2572 the noatsecure permission is granted between
2573 the two SIDs, i.e. ahp returns 0. */
2574 rc = avc_has_perm(&selinux_state,
2575 old_tsec->sid, new_tsec->sid,
2576 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2578 bprm->secureexec |= !!rc;
2584 static int match_file(const void *p, struct file *file, unsigned fd)
2586 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2589 /* Derived from fs/exec.c:flush_old_files. */
2590 static inline void flush_unauthorized_files(const struct cred *cred,
2591 struct files_struct *files)
2593 struct file *file, *devnull = NULL;
2594 struct tty_struct *tty;
2598 tty = get_current_tty();
2600 spin_lock(&tty->files_lock);
2601 if (!list_empty(&tty->tty_files)) {
2602 struct tty_file_private *file_priv;
2604 /* Revalidate access to controlling tty.
2605 Use file_path_has_perm on the tty path directly
2606 rather than using file_has_perm, as this particular
2607 open file may belong to another process and we are
2608 only interested in the inode-based check here. */
2609 file_priv = list_first_entry(&tty->tty_files,
2610 struct tty_file_private, list);
2611 file = file_priv->file;
2612 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2615 spin_unlock(&tty->files_lock);
2618 /* Reset controlling tty. */
2622 /* Revalidate access to inherited open files. */
2623 n = iterate_fd(files, 0, match_file, cred);
2624 if (!n) /* none found? */
2627 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2628 if (IS_ERR(devnull))
2630 /* replace all the matching ones with this */
2632 replace_fd(n - 1, devnull, 0);
2633 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2639 * Prepare a process for imminent new credential changes due to exec
2641 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2643 struct task_security_struct *new_tsec;
2644 struct rlimit *rlim, *initrlim;
2647 new_tsec = bprm->cred->security;
2648 if (new_tsec->sid == new_tsec->osid)
2651 /* Close files for which the new task SID is not authorized. */
2652 flush_unauthorized_files(bprm->cred, current->files);
2654 /* Always clear parent death signal on SID transitions. */
2655 current->pdeath_signal = 0;
2657 /* Check whether the new SID can inherit resource limits from the old
2658 * SID. If not, reset all soft limits to the lower of the current
2659 * task's hard limit and the init task's soft limit.
2661 * Note that the setting of hard limits (even to lower them) can be
2662 * controlled by the setrlimit check. The inclusion of the init task's
2663 * soft limit into the computation is to avoid resetting soft limits
2664 * higher than the default soft limit for cases where the default is
2665 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2667 rc = avc_has_perm(&selinux_state,
2668 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2669 PROCESS__RLIMITINH, NULL);
2671 /* protect against do_prlimit() */
2673 for (i = 0; i < RLIM_NLIMITS; i++) {
2674 rlim = current->signal->rlim + i;
2675 initrlim = init_task.signal->rlim + i;
2676 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2678 task_unlock(current);
2679 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2680 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2685 * Clean up the process immediately after the installation of new credentials
2688 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2690 const struct task_security_struct *tsec = current_security();
2691 struct itimerval itimer;
2701 /* Check whether the new SID can inherit signal state from the old SID.
2702 * If not, clear itimers to avoid subsequent signal generation and
2703 * flush and unblock signals.
2705 * This must occur _after_ the task SID has been updated so that any
2706 * kill done after the flush will be checked against the new SID.
2708 rc = avc_has_perm(&selinux_state,
2709 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2711 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2712 memset(&itimer, 0, sizeof itimer);
2713 for (i = 0; i < 3; i++)
2714 do_setitimer(i, &itimer, NULL);
2716 spin_lock_irq(¤t->sighand->siglock);
2717 if (!fatal_signal_pending(current)) {
2718 flush_sigqueue(¤t->pending);
2719 flush_sigqueue(¤t->signal->shared_pending);
2720 flush_signal_handlers(current, 1);
2721 sigemptyset(¤t->blocked);
2722 recalc_sigpending();
2724 spin_unlock_irq(¤t->sighand->siglock);
2727 /* Wake up the parent if it is waiting so that it can recheck
2728 * wait permission to the new task SID. */
2729 read_lock(&tasklist_lock);
2730 __wake_up_parent(current, current->real_parent);
2731 read_unlock(&tasklist_lock);
2734 /* superblock security operations */
2736 static int selinux_sb_alloc_security(struct super_block *sb)
2738 return superblock_alloc_security(sb);
2741 static void selinux_sb_free_security(struct super_block *sb)
2743 superblock_free_security(sb);
2746 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2751 return !memcmp(prefix, option, plen);
2754 static inline int selinux_option(char *option, int len)
2756 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2757 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2758 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2759 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2760 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2763 static inline void take_option(char **to, char *from, int *first, int len)
2770 memcpy(*to, from, len);
2774 static inline void take_selinux_option(char **to, char *from, int *first,
2777 int current_size = 0;
2785 while (current_size < len) {
2795 static int selinux_sb_copy_data(char *orig, char *copy)
2797 int fnosec, fsec, rc = 0;
2798 char *in_save, *in_curr, *in_end;
2799 char *sec_curr, *nosec_save, *nosec;
2805 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2813 in_save = in_end = orig;
2817 open_quote = !open_quote;
2818 if ((*in_end == ',' && open_quote == 0) ||
2820 int len = in_end - in_curr;
2822 if (selinux_option(in_curr, len))
2823 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2825 take_option(&nosec, in_curr, &fnosec, len);
2827 in_curr = in_end + 1;
2829 } while (*in_end++);
2831 strcpy(in_save, nosec_save);
2832 free_page((unsigned long)nosec_save);
2837 static int selinux_sb_remount(struct super_block *sb, void *data)
2840 struct security_mnt_opts opts;
2841 char *secdata, **mount_options;
2842 struct superblock_security_struct *sbsec = sb->s_security;
2844 if (!(sbsec->flags & SE_SBINITIALIZED))
2850 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2853 security_init_mnt_opts(&opts);
2854 secdata = alloc_secdata();
2857 rc = selinux_sb_copy_data(data, secdata);
2859 goto out_free_secdata;
2861 rc = selinux_parse_opts_str(secdata, &opts);
2863 goto out_free_secdata;
2865 mount_options = opts.mnt_opts;
2866 flags = opts.mnt_opts_flags;
2868 for (i = 0; i < opts.num_mnt_opts; i++) {
2871 if (flags[i] == SBLABEL_MNT)
2873 rc = security_context_str_to_sid(&selinux_state,
2874 mount_options[i], &sid,
2877 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2878 "(%s) failed for (dev %s, type %s) errno=%d\n",
2879 mount_options[i], sb->s_id, sb->s_type->name, rc);
2885 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2886 goto out_bad_option;
2889 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2890 goto out_bad_option;
2892 case ROOTCONTEXT_MNT: {
2893 struct inode_security_struct *root_isec;
2894 root_isec = backing_inode_security(sb->s_root);
2896 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2897 goto out_bad_option;
2900 case DEFCONTEXT_MNT:
2901 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2902 goto out_bad_option;
2911 security_free_mnt_opts(&opts);
2913 free_secdata(secdata);
2916 printk(KERN_WARNING "SELinux: unable to change security options "
2917 "during remount (dev %s, type=%s)\n", sb->s_id,
2922 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2924 const struct cred *cred = current_cred();
2925 struct common_audit_data ad;
2928 rc = superblock_doinit(sb, data);
2932 /* Allow all mounts performed by the kernel */
2933 if (flags & MS_KERNMOUNT)
2936 ad.type = LSM_AUDIT_DATA_DENTRY;
2937 ad.u.dentry = sb->s_root;
2938 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2941 static int selinux_sb_statfs(struct dentry *dentry)
2943 const struct cred *cred = current_cred();
2944 struct common_audit_data ad;
2946 ad.type = LSM_AUDIT_DATA_DENTRY;
2947 ad.u.dentry = dentry->d_sb->s_root;
2948 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2951 static int selinux_mount(const char *dev_name,
2952 const struct path *path,
2954 unsigned long flags,
2957 const struct cred *cred = current_cred();
2959 if (flags & MS_REMOUNT)
2960 return superblock_has_perm(cred, path->dentry->d_sb,
2961 FILESYSTEM__REMOUNT, NULL);
2963 return path_has_perm(cred, path, FILE__MOUNTON);
2966 static int selinux_umount(struct vfsmount *mnt, int flags)
2968 const struct cred *cred = current_cred();
2970 return superblock_has_perm(cred, mnt->mnt_sb,
2971 FILESYSTEM__UNMOUNT, NULL);
2974 /* inode security operations */
2976 static int selinux_inode_alloc_security(struct inode *inode)
2978 return inode_alloc_security(inode);
2981 static void selinux_inode_free_security(struct inode *inode)
2983 inode_free_security(inode);
2986 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2987 const struct qstr *name, void **ctx,
2993 rc = selinux_determine_inode_label(current_security(),
2994 d_inode(dentry->d_parent), name,
2995 inode_mode_to_security_class(mode),
3000 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3004 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3006 const struct cred *old,
3011 struct task_security_struct *tsec;
3013 rc = selinux_determine_inode_label(old->security,
3014 d_inode(dentry->d_parent), name,
3015 inode_mode_to_security_class(mode),
3020 tsec = new->security;
3021 tsec->create_sid = newsid;
3025 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3026 const struct qstr *qstr,
3028 void **value, size_t *len)
3030 const struct task_security_struct *tsec = current_security();
3031 struct superblock_security_struct *sbsec;
3036 sbsec = dir->i_sb->s_security;
3038 newsid = tsec->create_sid;
3040 rc = selinux_determine_inode_label(current_security(),
3042 inode_mode_to_security_class(inode->i_mode),
3047 /* Possibly defer initialization to selinux_complete_init. */
3048 if (sbsec->flags & SE_SBINITIALIZED) {
3049 struct inode_security_struct *isec = inode->i_security;
3050 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3052 isec->initialized = LABEL_INITIALIZED;
3055 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3059 *name = XATTR_SELINUX_SUFFIX;
3062 rc = security_sid_to_context_force(&selinux_state, newsid,
3073 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3075 return may_create(dir, dentry, SECCLASS_FILE);
3078 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3080 return may_link(dir, old_dentry, MAY_LINK);
3083 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3085 return may_link(dir, dentry, MAY_UNLINK);
3088 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3090 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3093 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3095 return may_create(dir, dentry, SECCLASS_DIR);
3098 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3100 return may_link(dir, dentry, MAY_RMDIR);
3103 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3105 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3108 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3109 struct inode *new_inode, struct dentry *new_dentry)
3111 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3114 static int selinux_inode_readlink(struct dentry *dentry)
3116 const struct cred *cred = current_cred();
3118 return dentry_has_perm(cred, dentry, FILE__READ);
3121 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3124 const struct cred *cred = current_cred();
3125 struct common_audit_data ad;
3126 struct inode_security_struct *isec;
3129 validate_creds(cred);
3131 ad.type = LSM_AUDIT_DATA_DENTRY;
3132 ad.u.dentry = dentry;
3133 sid = cred_sid(cred);
3134 isec = inode_security_rcu(inode, rcu);
3136 return PTR_ERR(isec);
3138 return avc_has_perm_flags(&selinux_state,
3139 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3140 rcu ? MAY_NOT_BLOCK : 0);
3143 static noinline int audit_inode_permission(struct inode *inode,
3144 u32 perms, u32 audited, u32 denied,
3148 struct common_audit_data ad;
3149 struct inode_security_struct *isec = inode->i_security;
3152 ad.type = LSM_AUDIT_DATA_INODE;
3155 rc = slow_avc_audit(&selinux_state,
3156 current_sid(), isec->sid, isec->sclass, perms,
3157 audited, denied, result, &ad, flags);
3163 static int selinux_inode_permission(struct inode *inode, int mask)
3165 const struct cred *cred = current_cred();
3168 unsigned flags = mask & MAY_NOT_BLOCK;
3169 struct inode_security_struct *isec;
3171 struct av_decision avd;
3173 u32 audited, denied;
3175 from_access = mask & MAY_ACCESS;
3176 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3178 /* No permission to check. Existence test. */
3182 validate_creds(cred);
3184 if (unlikely(IS_PRIVATE(inode)))
3187 perms = file_mask_to_av(inode->i_mode, mask);
3189 sid = cred_sid(cred);
3190 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3192 return PTR_ERR(isec);
3194 rc = avc_has_perm_noaudit(&selinux_state,
3195 sid, isec->sid, isec->sclass, perms, 0, &avd);
3196 audited = avc_audit_required(perms, &avd, rc,
3197 from_access ? FILE__AUDIT_ACCESS : 0,
3199 if (likely(!audited))
3202 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3208 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3210 const struct cred *cred = current_cred();
3211 struct inode *inode = d_backing_inode(dentry);
3212 unsigned int ia_valid = iattr->ia_valid;
3213 __u32 av = FILE__WRITE;
3215 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3216 if (ia_valid & ATTR_FORCE) {
3217 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3223 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3224 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3225 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3227 if (selinux_policycap_openperm() &&
3228 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3229 (ia_valid & ATTR_SIZE) &&
3230 !(ia_valid & ATTR_FILE))
3233 return dentry_has_perm(cred, dentry, av);
3236 static int selinux_inode_getattr(const struct path *path)
3238 return path_has_perm(current_cred(), path, FILE__GETATTR);
3241 static bool has_cap_mac_admin(bool audit)
3243 const struct cred *cred = current_cred();
3244 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3246 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3248 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3253 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3254 const void *value, size_t size, int flags)
3256 struct inode *inode = d_backing_inode(dentry);
3257 struct inode_security_struct *isec;
3258 struct superblock_security_struct *sbsec;
3259 struct common_audit_data ad;
3260 u32 newsid, sid = current_sid();
3263 if (strcmp(name, XATTR_NAME_SELINUX)) {
3264 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3268 /* Not an attribute we recognize, so just check the
3269 ordinary setattr permission. */
3270 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3273 sbsec = inode->i_sb->s_security;
3274 if (!(sbsec->flags & SBLABEL_MNT))
3277 if (!inode_owner_or_capable(inode))
3280 ad.type = LSM_AUDIT_DATA_DENTRY;
3281 ad.u.dentry = dentry;
3283 isec = backing_inode_security(dentry);
3284 rc = avc_has_perm(&selinux_state,
3285 sid, isec->sid, isec->sclass,
3286 FILE__RELABELFROM, &ad);
3290 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3292 if (rc == -EINVAL) {
3293 if (!has_cap_mac_admin(true)) {
3294 struct audit_buffer *ab;
3297 /* We strip a nul only if it is at the end, otherwise the
3298 * context contains a nul and we should audit that */
3300 const char *str = value;
3302 if (str[size - 1] == '\0')
3303 audit_size = size - 1;
3309 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3310 audit_log_format(ab, "op=setxattr invalid_context=");
3311 audit_log_n_untrustedstring(ab, value, audit_size);
3316 rc = security_context_to_sid_force(&selinux_state, value,
3322 rc = avc_has_perm(&selinux_state,
3323 sid, newsid, isec->sclass,
3324 FILE__RELABELTO, &ad);
3328 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3333 return avc_has_perm(&selinux_state,
3336 SECCLASS_FILESYSTEM,
3337 FILESYSTEM__ASSOCIATE,
3341 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3342 const void *value, size_t size,
3345 struct inode *inode = d_backing_inode(dentry);
3346 struct inode_security_struct *isec;
3350 if (strcmp(name, XATTR_NAME_SELINUX)) {
3351 /* Not an attribute we recognize, so nothing to do. */
3355 rc = security_context_to_sid_force(&selinux_state, value, size,
3358 printk(KERN_ERR "SELinux: unable to map context to SID"
3359 "for (%s, %lu), rc=%d\n",
3360 inode->i_sb->s_id, inode->i_ino, -rc);
3364 isec = backing_inode_security(dentry);
3365 spin_lock(&isec->lock);
3366 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3368 isec->initialized = LABEL_INITIALIZED;
3369 spin_unlock(&isec->lock);
3374 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3376 const struct cred *cred = current_cred();
3378 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3381 static int selinux_inode_listxattr(struct dentry *dentry)
3383 const struct cred *cred = current_cred();
3385 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3388 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3390 if (strcmp(name, XATTR_NAME_SELINUX)) {
3391 int rc = cap_inode_removexattr(dentry, name);
3395 /* Not an attribute we recognize, so just check the
3396 ordinary setattr permission. */
3397 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3400 /* No one is allowed to remove a SELinux security label.
3401 You can change the label, but all data must be labeled. */
3406 * Copy the inode security context value to the user.
3408 * Permission check is handled by selinux_inode_getxattr hook.
3410 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3414 char *context = NULL;
3415 struct inode_security_struct *isec;
3417 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3421 * If the caller has CAP_MAC_ADMIN, then get the raw context
3422 * value even if it is not defined by current policy; otherwise,
3423 * use the in-core value under current policy.
3424 * Use the non-auditing forms of the permission checks since
3425 * getxattr may be called by unprivileged processes commonly
3426 * and lack of permission just means that we fall back to the
3427 * in-core context value, not a denial.
3429 isec = inode_security(inode);
3430 if (has_cap_mac_admin(false))
3431 error = security_sid_to_context_force(&selinux_state,
3432 isec->sid, &context,
3435 error = security_sid_to_context(&selinux_state, isec->sid,
3449 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3450 const void *value, size_t size, int flags)
3452 struct inode_security_struct *isec = inode_security_novalidate(inode);
3456 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3459 if (!value || !size)
3462 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3467 spin_lock(&isec->lock);
3468 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3470 isec->initialized = LABEL_INITIALIZED;
3471 spin_unlock(&isec->lock);
3475 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3477 const int len = sizeof(XATTR_NAME_SELINUX);
3478 if (buffer && len <= buffer_size)
3479 memcpy(buffer, XATTR_NAME_SELINUX, len);
3483 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3485 struct inode_security_struct *isec = inode_security_novalidate(inode);
3489 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3492 struct task_security_struct *tsec;
3493 struct cred *new_creds = *new;
3495 if (new_creds == NULL) {
3496 new_creds = prepare_creds();
3501 tsec = new_creds->security;
3502 /* Get label from overlay inode and set it in create_sid */
3503 selinux_inode_getsecid(d_inode(src), &sid);
3504 tsec->create_sid = sid;
3509 static int selinux_inode_copy_up_xattr(const char *name)
3511 /* The copy_up hook above sets the initial context on an inode, but we
3512 * don't then want to overwrite it by blindly copying all the lower
3513 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3515 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3516 return 1; /* Discard */
3518 * Any other attribute apart from SELINUX is not claimed, supported
3524 /* file security operations */
3526 static int selinux_revalidate_file_permission(struct file *file, int mask)
3528 const struct cred *cred = current_cred();
3529 struct inode *inode = file_inode(file);
3531 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3532 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3535 return file_has_perm(cred, file,
3536 file_mask_to_av(inode->i_mode, mask));
3539 static int selinux_file_permission(struct file *file, int mask)
3541 struct inode *inode = file_inode(file);
3542 struct file_security_struct *fsec = file->f_security;
3543 struct inode_security_struct *isec;
3544 u32 sid = current_sid();
3547 /* No permission to check. Existence test. */
3550 isec = inode_security(inode);
3551 if (sid == fsec->sid && fsec->isid == isec->sid &&
3552 fsec->pseqno == avc_policy_seqno(&selinux_state))
3553 /* No change since file_open check. */
3556 return selinux_revalidate_file_permission(file, mask);
3559 static int selinux_file_alloc_security(struct file *file)
3561 return file_alloc_security(file);
3564 static void selinux_file_free_security(struct file *file)
3566 file_free_security(file);
3570 * Check whether a task has the ioctl permission and cmd
3571 * operation to an inode.
3573 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3574 u32 requested, u16 cmd)
3576 struct common_audit_data ad;
3577 struct file_security_struct *fsec = file->f_security;
3578 struct inode *inode = file_inode(file);
3579 struct inode_security_struct *isec;
3580 struct lsm_ioctlop_audit ioctl;
3581 u32 ssid = cred_sid(cred);
3583 u8 driver = cmd >> 8;
3584 u8 xperm = cmd & 0xff;
3586 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3589 ad.u.op->path = file->f_path;
3591 if (ssid != fsec->sid) {
3592 rc = avc_has_perm(&selinux_state,
3601 if (unlikely(IS_PRIVATE(inode)))
3604 isec = inode_security(inode);
3605 rc = avc_has_extended_perms(&selinux_state,
3606 ssid, isec->sid, isec->sclass,
3607 requested, driver, xperm, &ad);
3612 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3615 const struct cred *cred = current_cred();
3625 case FS_IOC_GETFLAGS:
3627 case FS_IOC_GETVERSION:
3628 error = file_has_perm(cred, file, FILE__GETATTR);
3631 case FS_IOC_SETFLAGS:
3633 case FS_IOC_SETVERSION:
3634 error = file_has_perm(cred, file, FILE__SETATTR);
3637 /* sys_ioctl() checks */
3641 error = file_has_perm(cred, file, 0);
3646 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3647 SECURITY_CAP_AUDIT, true);
3650 /* default case assumes that the command will go
3651 * to the file's ioctl() function.
3654 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3659 static int default_noexec;
3661 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3663 const struct cred *cred = current_cred();
3664 u32 sid = cred_sid(cred);
3667 if (default_noexec &&
3668 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3669 (!shared && (prot & PROT_WRITE)))) {
3671 * We are making executable an anonymous mapping or a
3672 * private file mapping that will also be writable.
3673 * This has an additional check.
3675 rc = avc_has_perm(&selinux_state,
3676 sid, sid, SECCLASS_PROCESS,
3677 PROCESS__EXECMEM, NULL);
3683 /* read access is always possible with a mapping */
3684 u32 av = FILE__READ;
3686 /* write access only matters if the mapping is shared */
3687 if (shared && (prot & PROT_WRITE))
3690 if (prot & PROT_EXEC)
3691 av |= FILE__EXECUTE;
3693 return file_has_perm(cred, file, av);
3700 static int selinux_mmap_addr(unsigned long addr)
3704 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3705 u32 sid = current_sid();
3706 rc = avc_has_perm(&selinux_state,
3707 sid, sid, SECCLASS_MEMPROTECT,
3708 MEMPROTECT__MMAP_ZERO, NULL);
3714 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3715 unsigned long prot, unsigned long flags)
3717 struct common_audit_data ad;
3721 ad.type = LSM_AUDIT_DATA_FILE;
3723 rc = inode_has_perm(current_cred(), file_inode(file),
3729 if (selinux_state.checkreqprot)
3732 return file_map_prot_check(file, prot,
3733 (flags & MAP_TYPE) == MAP_SHARED);
3736 static int selinux_file_mprotect(struct vm_area_struct *vma,
3737 unsigned long reqprot,
3740 const struct cred *cred = current_cred();
3741 u32 sid = cred_sid(cred);
3743 if (selinux_state.checkreqprot)
3746 if (default_noexec &&
3747 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3749 if (vma->vm_start >= vma->vm_mm->start_brk &&
3750 vma->vm_end <= vma->vm_mm->brk) {
3751 rc = avc_has_perm(&selinux_state,
3752 sid, sid, SECCLASS_PROCESS,
3753 PROCESS__EXECHEAP, NULL);
3754 } else if (!vma->vm_file &&
3755 ((vma->vm_start <= vma->vm_mm->start_stack &&
3756 vma->vm_end >= vma->vm_mm->start_stack) ||
3757 vma_is_stack_for_current(vma))) {
3758 rc = avc_has_perm(&selinux_state,
3759 sid, sid, SECCLASS_PROCESS,
3760 PROCESS__EXECSTACK, NULL);
3761 } else if (vma->vm_file && vma->anon_vma) {
3763 * We are making executable a file mapping that has
3764 * had some COW done. Since pages might have been
3765 * written, check ability to execute the possibly
3766 * modified content. This typically should only
3767 * occur for text relocations.
3769 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3775 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3778 static int selinux_file_lock(struct file *file, unsigned int cmd)
3780 const struct cred *cred = current_cred();
3782 return file_has_perm(cred, file, FILE__LOCK);
3785 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3788 const struct cred *cred = current_cred();
3793 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3794 err = file_has_perm(cred, file, FILE__WRITE);
3803 case F_GETOWNER_UIDS:
3804 /* Just check FD__USE permission */
3805 err = file_has_perm(cred, file, 0);
3813 #if BITS_PER_LONG == 32
3818 err = file_has_perm(cred, file, FILE__LOCK);
3825 static void selinux_file_set_fowner(struct file *file)
3827 struct file_security_struct *fsec;
3829 fsec = file->f_security;
3830 fsec->fown_sid = current_sid();
3833 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3834 struct fown_struct *fown, int signum)
3837 u32 sid = task_sid(tsk);
3839 struct file_security_struct *fsec;
3841 /* struct fown_struct is never outside the context of a struct file */
3842 file = container_of(fown, struct file, f_owner);
3844 fsec = file->f_security;
3847 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3849 perm = signal_to_av(signum);
3851 return avc_has_perm(&selinux_state,
3852 fsec->fown_sid, sid,
3853 SECCLASS_PROCESS, perm, NULL);
3856 static int selinux_file_receive(struct file *file)
3858 const struct cred *cred = current_cred();
3860 return file_has_perm(cred, file, file_to_av(file));
3863 static int selinux_file_open(struct file *file, const struct cred *cred)
3865 struct file_security_struct *fsec;
3866 struct inode_security_struct *isec;
3868 fsec = file->f_security;
3869 isec = inode_security(file_inode(file));
3871 * Save inode label and policy sequence number
3872 * at open-time so that selinux_file_permission
3873 * can determine whether revalidation is necessary.
3874 * Task label is already saved in the file security
3875 * struct as its SID.
3877 fsec->isid = isec->sid;
3878 fsec->pseqno = avc_policy_seqno(&selinux_state);
3880 * Since the inode label or policy seqno may have changed
3881 * between the selinux_inode_permission check and the saving
3882 * of state above, recheck that access is still permitted.
3883 * Otherwise, access might never be revalidated against the
3884 * new inode label or new policy.
3885 * This check is not redundant - do not remove.
3887 return file_path_has_perm(cred, file, open_file_to_av(file));
3890 /* task security operations */
3892 static int selinux_task_alloc(struct task_struct *task,
3893 unsigned long clone_flags)
3895 u32 sid = current_sid();
3897 return avc_has_perm(&selinux_state,
3898 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3902 * allocate the SELinux part of blank credentials
3904 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3906 struct task_security_struct *tsec;
3908 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3912 cred->security = tsec;
3917 * detach and free the LSM part of a set of credentials
3919 static void selinux_cred_free(struct cred *cred)
3921 struct task_security_struct *tsec = cred->security;
3924 * cred->security == NULL if security_cred_alloc_blank() or
3925 * security_prepare_creds() returned an error.
3927 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3928 cred->security = (void *) 0x7UL;
3933 * prepare a new set of credentials for modification
3935 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3938 const struct task_security_struct *old_tsec;
3939 struct task_security_struct *tsec;
3941 old_tsec = old->security;
3943 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3947 new->security = tsec;
3952 * transfer the SELinux data to a blank set of creds
3954 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3956 const struct task_security_struct *old_tsec = old->security;
3957 struct task_security_struct *tsec = new->security;
3962 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3964 *secid = cred_sid(c);
3968 * set the security data for a kernel service
3969 * - all the creation contexts are set to unlabelled
3971 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3973 struct task_security_struct *tsec = new->security;
3974 u32 sid = current_sid();
3977 ret = avc_has_perm(&selinux_state,
3979 SECCLASS_KERNEL_SERVICE,
3980 KERNEL_SERVICE__USE_AS_OVERRIDE,
3984 tsec->create_sid = 0;
3985 tsec->keycreate_sid = 0;
3986 tsec->sockcreate_sid = 0;
3992 * set the file creation context in a security record to the same as the
3993 * objective context of the specified inode
3995 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3997 struct inode_security_struct *isec = inode_security(inode);
3998 struct task_security_struct *tsec = new->security;
3999 u32 sid = current_sid();
4002 ret = avc_has_perm(&selinux_state,
4004 SECCLASS_KERNEL_SERVICE,
4005 KERNEL_SERVICE__CREATE_FILES_AS,
4009 tsec->create_sid = isec->sid;
4013 static int selinux_kernel_module_request(char *kmod_name)
4015 struct common_audit_data ad;
4017 ad.type = LSM_AUDIT_DATA_KMOD;
4018 ad.u.kmod_name = kmod_name;
4020 return avc_has_perm(&selinux_state,
4021 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4022 SYSTEM__MODULE_REQUEST, &ad);
4025 static int selinux_kernel_module_from_file(struct file *file)
4027 struct common_audit_data ad;
4028 struct inode_security_struct *isec;
4029 struct file_security_struct *fsec;
4030 u32 sid = current_sid();
4035 return avc_has_perm(&selinux_state,
4036 sid, sid, SECCLASS_SYSTEM,
4037 SYSTEM__MODULE_LOAD, NULL);
4041 ad.type = LSM_AUDIT_DATA_FILE;
4044 fsec = file->f_security;
4045 if (sid != fsec->sid) {
4046 rc = avc_has_perm(&selinux_state,
4047 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4052 isec = inode_security(file_inode(file));
4053 return avc_has_perm(&selinux_state,
4054 sid, isec->sid, SECCLASS_SYSTEM,
4055 SYSTEM__MODULE_LOAD, &ad);
4058 static int selinux_kernel_read_file(struct file *file,
4059 enum kernel_read_file_id id)
4064 case READING_MODULE:
4065 rc = selinux_kernel_module_from_file(file);
4074 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4076 return avc_has_perm(&selinux_state,
4077 current_sid(), task_sid(p), SECCLASS_PROCESS,
4078 PROCESS__SETPGID, NULL);
4081 static int selinux_task_getpgid(struct task_struct *p)
4083 return avc_has_perm(&selinux_state,
4084 current_sid(), task_sid(p), SECCLASS_PROCESS,
4085 PROCESS__GETPGID, NULL);
4088 static int selinux_task_getsid(struct task_struct *p)
4090 return avc_has_perm(&selinux_state,
4091 current_sid(), task_sid(p), SECCLASS_PROCESS,
4092 PROCESS__GETSESSION, NULL);
4095 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4097 *secid = task_sid(p);
4100 static int selinux_task_setnice(struct task_struct *p, int nice)
4102 return avc_has_perm(&selinux_state,
4103 current_sid(), task_sid(p), SECCLASS_PROCESS,
4104 PROCESS__SETSCHED, NULL);
4107 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4109 return avc_has_perm(&selinux_state,
4110 current_sid(), task_sid(p), SECCLASS_PROCESS,
4111 PROCESS__SETSCHED, NULL);
4114 static int selinux_task_getioprio(struct task_struct *p)
4116 return avc_has_perm(&selinux_state,
4117 current_sid(), task_sid(p), SECCLASS_PROCESS,
4118 PROCESS__GETSCHED, NULL);
4121 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4128 if (flags & LSM_PRLIMIT_WRITE)
4129 av |= PROCESS__SETRLIMIT;
4130 if (flags & LSM_PRLIMIT_READ)
4131 av |= PROCESS__GETRLIMIT;
4132 return avc_has_perm(&selinux_state,
4133 cred_sid(cred), cred_sid(tcred),
4134 SECCLASS_PROCESS, av, NULL);
4137 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4138 struct rlimit *new_rlim)
4140 struct rlimit *old_rlim = p->signal->rlim + resource;
4142 /* Control the ability to change the hard limit (whether
4143 lowering or raising it), so that the hard limit can
4144 later be used as a safe reset point for the soft limit
4145 upon context transitions. See selinux_bprm_committing_creds. */
4146 if (old_rlim->rlim_max != new_rlim->rlim_max)
4147 return avc_has_perm(&selinux_state,
4148 current_sid(), task_sid(p),
4149 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4154 static int selinux_task_setscheduler(struct task_struct *p)
4156 return avc_has_perm(&selinux_state,
4157 current_sid(), task_sid(p), SECCLASS_PROCESS,
4158 PROCESS__SETSCHED, NULL);
4161 static int selinux_task_getscheduler(struct task_struct *p)
4163 return avc_has_perm(&selinux_state,
4164 current_sid(), task_sid(p), SECCLASS_PROCESS,
4165 PROCESS__GETSCHED, NULL);
4168 static int selinux_task_movememory(struct task_struct *p)
4170 return avc_has_perm(&selinux_state,
4171 current_sid(), task_sid(p), SECCLASS_PROCESS,
4172 PROCESS__SETSCHED, NULL);
4175 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4176 int sig, const struct cred *cred)
4182 perm = PROCESS__SIGNULL; /* null signal; existence test */
4184 perm = signal_to_av(sig);
4186 secid = current_sid();
4188 secid = cred_sid(cred);
4189 return avc_has_perm(&selinux_state,
4190 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4193 static void selinux_task_to_inode(struct task_struct *p,
4194 struct inode *inode)
4196 struct inode_security_struct *isec = inode->i_security;
4197 u32 sid = task_sid(p);
4199 spin_lock(&isec->lock);
4200 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4202 isec->initialized = LABEL_INITIALIZED;
4203 spin_unlock(&isec->lock);
4206 /* Returns error only if unable to parse addresses */
4207 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4208 struct common_audit_data *ad, u8 *proto)
4210 int offset, ihlen, ret = -EINVAL;
4211 struct iphdr _iph, *ih;
4213 offset = skb_network_offset(skb);
4214 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4218 ihlen = ih->ihl * 4;
4219 if (ihlen < sizeof(_iph))
4222 ad->u.net->v4info.saddr = ih->saddr;
4223 ad->u.net->v4info.daddr = ih->daddr;
4227 *proto = ih->protocol;
4229 switch (ih->protocol) {
4231 struct tcphdr _tcph, *th;
4233 if (ntohs(ih->frag_off) & IP_OFFSET)
4237 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4241 ad->u.net->sport = th->source;
4242 ad->u.net->dport = th->dest;
4247 struct udphdr _udph, *uh;
4249 if (ntohs(ih->frag_off) & IP_OFFSET)
4253 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4257 ad->u.net->sport = uh->source;
4258 ad->u.net->dport = uh->dest;
4262 case IPPROTO_DCCP: {
4263 struct dccp_hdr _dccph, *dh;
4265 if (ntohs(ih->frag_off) & IP_OFFSET)
4269 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4273 ad->u.net->sport = dh->dccph_sport;
4274 ad->u.net->dport = dh->dccph_dport;
4278 #if IS_ENABLED(CONFIG_IP_SCTP)
4279 case IPPROTO_SCTP: {
4280 struct sctphdr _sctph, *sh;
4282 if (ntohs(ih->frag_off) & IP_OFFSET)
4286 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4290 ad->u.net->sport = sh->source;
4291 ad->u.net->dport = sh->dest;
4302 #if IS_ENABLED(CONFIG_IPV6)
4304 /* Returns error only if unable to parse addresses */
4305 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4306 struct common_audit_data *ad, u8 *proto)
4309 int ret = -EINVAL, offset;
4310 struct ipv6hdr _ipv6h, *ip6;
4313 offset = skb_network_offset(skb);
4314 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4318 ad->u.net->v6info.saddr = ip6->saddr;
4319 ad->u.net->v6info.daddr = ip6->daddr;
4322 nexthdr = ip6->nexthdr;
4323 offset += sizeof(_ipv6h);
4324 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4333 struct tcphdr _tcph, *th;
4335 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4339 ad->u.net->sport = th->source;
4340 ad->u.net->dport = th->dest;
4345 struct udphdr _udph, *uh;
4347 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4351 ad->u.net->sport = uh->source;
4352 ad->u.net->dport = uh->dest;
4356 case IPPROTO_DCCP: {
4357 struct dccp_hdr _dccph, *dh;
4359 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4363 ad->u.net->sport = dh->dccph_sport;
4364 ad->u.net->dport = dh->dccph_dport;
4368 #if IS_ENABLED(CONFIG_IP_SCTP)
4369 case IPPROTO_SCTP: {
4370 struct sctphdr _sctph, *sh;
4372 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4376 ad->u.net->sport = sh->source;
4377 ad->u.net->dport = sh->dest;
4381 /* includes fragments */
4391 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4392 char **_addrp, int src, u8 *proto)
4397 switch (ad->u.net->family) {
4399 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4402 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4403 &ad->u.net->v4info.daddr);
4406 #if IS_ENABLED(CONFIG_IPV6)
4408 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4411 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4412 &ad->u.net->v6info.daddr);
4422 "SELinux: failure in selinux_parse_skb(),"
4423 " unable to parse packet\n");
4433 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4435 * @family: protocol family
4436 * @sid: the packet's peer label SID
4439 * Check the various different forms of network peer labeling and determine
4440 * the peer label/SID for the packet; most of the magic actually occurs in
4441 * the security server function security_net_peersid_cmp(). The function
4442 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4443 * or -EACCES if @sid is invalid due to inconsistencies with the different
4447 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4454 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4457 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4461 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4462 nlbl_type, xfrm_sid, sid);
4463 if (unlikely(err)) {
4465 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4466 " unable to determine packet's peer label\n");
4474 * selinux_conn_sid - Determine the child socket label for a connection
4475 * @sk_sid: the parent socket's SID
4476 * @skb_sid: the packet's SID
4477 * @conn_sid: the resulting connection SID
4479 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4480 * combined with the MLS information from @skb_sid in order to create
4481 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4482 * of @sk_sid. Returns zero on success, negative values on failure.
4485 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4489 if (skb_sid != SECSID_NULL)
4490 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4498 /* socket security operations */
4500 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4501 u16 secclass, u32 *socksid)
4503 if (tsec->sockcreate_sid > SECSID_NULL) {
4504 *socksid = tsec->sockcreate_sid;
4508 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4509 secclass, NULL, socksid);
4512 static int sock_has_perm(struct sock *sk, u32 perms)
4514 struct sk_security_struct *sksec = sk->sk_security;
4515 struct common_audit_data ad;
4516 struct lsm_network_audit net = {0,};
4518 if (sksec->sid == SECINITSID_KERNEL)
4521 ad.type = LSM_AUDIT_DATA_NET;
4525 return avc_has_perm(&selinux_state,
4526 current_sid(), sksec->sid, sksec->sclass, perms,
4530 static int selinux_socket_create(int family, int type,
4531 int protocol, int kern)
4533 const struct task_security_struct *tsec = current_security();
4541 secclass = socket_type_to_security_class(family, type, protocol);
4542 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4546 return avc_has_perm(&selinux_state,
4547 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4550 static int selinux_socket_post_create(struct socket *sock, int family,
4551 int type, int protocol, int kern)
4553 const struct task_security_struct *tsec = current_security();
4554 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4555 struct sk_security_struct *sksec;
4556 u16 sclass = socket_type_to_security_class(family, type, protocol);
4557 u32 sid = SECINITSID_KERNEL;
4561 err = socket_sockcreate_sid(tsec, sclass, &sid);
4566 isec->sclass = sclass;
4568 isec->initialized = LABEL_INITIALIZED;
4571 sksec = sock->sk->sk_security;
4572 sksec->sclass = sclass;
4574 /* Allows detection of the first association on this socket */
4575 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4576 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4578 err = selinux_netlbl_socket_post_create(sock->sk, family);
4584 /* Range of port numbers used to automatically bind.
4585 Need to determine whether we should perform a name_bind
4586 permission check between the socket and the port number. */
4588 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4590 struct sock *sk = sock->sk;
4591 struct sk_security_struct *sksec = sk->sk_security;
4595 err = sock_has_perm(sk, SOCKET__BIND);
4599 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4600 family = sk->sk_family;
4601 if (family == PF_INET || family == PF_INET6) {
4603 struct common_audit_data ad;
4604 struct lsm_network_audit net = {0,};
4605 struct sockaddr_in *addr4 = NULL;
4606 struct sockaddr_in6 *addr6 = NULL;
4607 u16 family_sa = address->sa_family;
4608 unsigned short snum;
4612 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4613 * that validates multiple binding addresses. Because of this
4614 * need to check address->sa_family as it is possible to have
4615 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4617 switch (family_sa) {
4620 if (addrlen < sizeof(struct sockaddr_in))
4622 addr4 = (struct sockaddr_in *)address;
4623 if (family_sa == AF_UNSPEC) {
4624 /* see __inet_bind(), we only want to allow
4625 * AF_UNSPEC if the address is INADDR_ANY
4627 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4629 family_sa = AF_INET;
4631 snum = ntohs(addr4->sin_port);
4632 addrp = (char *)&addr4->sin_addr.s_addr;
4635 if (addrlen < SIN6_LEN_RFC2133)
4637 addr6 = (struct sockaddr_in6 *)address;
4638 snum = ntohs(addr6->sin6_port);
4639 addrp = (char *)&addr6->sin6_addr.s6_addr;
4645 ad.type = LSM_AUDIT_DATA_NET;
4647 ad.u.net->sport = htons(snum);
4648 ad.u.net->family = family_sa;
4653 inet_get_local_port_range(sock_net(sk), &low, &high);
4655 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4657 err = sel_netport_sid(sk->sk_protocol,
4661 err = avc_has_perm(&selinux_state,
4664 SOCKET__NAME_BIND, &ad);
4670 switch (sksec->sclass) {
4671 case SECCLASS_TCP_SOCKET:
4672 node_perm = TCP_SOCKET__NODE_BIND;
4675 case SECCLASS_UDP_SOCKET:
4676 node_perm = UDP_SOCKET__NODE_BIND;
4679 case SECCLASS_DCCP_SOCKET:
4680 node_perm = DCCP_SOCKET__NODE_BIND;
4683 case SECCLASS_SCTP_SOCKET:
4684 node_perm = SCTP_SOCKET__NODE_BIND;
4688 node_perm = RAWIP_SOCKET__NODE_BIND;
4692 err = sel_netnode_sid(addrp, family_sa, &sid);
4696 if (family_sa == AF_INET)
4697 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4699 ad.u.net->v6info.saddr = addr6->sin6_addr;
4701 err = avc_has_perm(&selinux_state,
4703 sksec->sclass, node_perm, &ad);
4710 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4711 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4713 return -EAFNOSUPPORT;
4716 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4717 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.txt
4719 static int selinux_socket_connect_helper(struct socket *sock,
4720 struct sockaddr *address, int addrlen)
4722 struct sock *sk = sock->sk;
4723 struct sk_security_struct *sksec = sk->sk_security;
4726 err = sock_has_perm(sk, SOCKET__CONNECT);
4731 * If a TCP, DCCP or SCTP socket, check name_connect permission
4734 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4735 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4736 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4737 struct common_audit_data ad;
4738 struct lsm_network_audit net = {0,};
4739 struct sockaddr_in *addr4 = NULL;
4740 struct sockaddr_in6 *addr6 = NULL;
4741 unsigned short snum;
4744 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4745 * that validates multiple connect addresses. Because of this
4746 * need to check address->sa_family as it is possible to have
4747 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4749 switch (address->sa_family) {
4751 addr4 = (struct sockaddr_in *)address;
4752 if (addrlen < sizeof(struct sockaddr_in))
4754 snum = ntohs(addr4->sin_port);
4757 addr6 = (struct sockaddr_in6 *)address;
4758 if (addrlen < SIN6_LEN_RFC2133)
4760 snum = ntohs(addr6->sin6_port);
4763 /* Note that SCTP services expect -EINVAL, whereas
4764 * others expect -EAFNOSUPPORT.
4766 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4769 return -EAFNOSUPPORT;
4772 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4776 switch (sksec->sclass) {
4777 case SECCLASS_TCP_SOCKET:
4778 perm = TCP_SOCKET__NAME_CONNECT;
4780 case SECCLASS_DCCP_SOCKET:
4781 perm = DCCP_SOCKET__NAME_CONNECT;
4783 case SECCLASS_SCTP_SOCKET:
4784 perm = SCTP_SOCKET__NAME_CONNECT;
4788 ad.type = LSM_AUDIT_DATA_NET;
4790 ad.u.net->dport = htons(snum);
4791 ad.u.net->family = address->sa_family;
4792 err = avc_has_perm(&selinux_state,
4793 sksec->sid, sid, sksec->sclass, perm, &ad);
4801 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4802 static int selinux_socket_connect(struct socket *sock,
4803 struct sockaddr *address, int addrlen)
4806 struct sock *sk = sock->sk;
4808 err = selinux_socket_connect_helper(sock, address, addrlen);
4812 return selinux_netlbl_socket_connect(sk, address);
4815 static int selinux_socket_listen(struct socket *sock, int backlog)
4817 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4820 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4823 struct inode_security_struct *isec;
4824 struct inode_security_struct *newisec;
4828 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4832 isec = inode_security_novalidate(SOCK_INODE(sock));
4833 spin_lock(&isec->lock);
4834 sclass = isec->sclass;
4836 spin_unlock(&isec->lock);
4838 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4839 newisec->sclass = sclass;
4841 newisec->initialized = LABEL_INITIALIZED;
4846 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4849 return sock_has_perm(sock->sk, SOCKET__WRITE);
4852 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4853 int size, int flags)
4855 return sock_has_perm(sock->sk, SOCKET__READ);
4858 static int selinux_socket_getsockname(struct socket *sock)
4860 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4863 static int selinux_socket_getpeername(struct socket *sock)
4865 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4868 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4872 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4876 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4879 static int selinux_socket_getsockopt(struct socket *sock, int level,
4882 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4885 static int selinux_socket_shutdown(struct socket *sock, int how)
4887 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4890 static int selinux_socket_unix_stream_connect(struct sock *sock,
4894 struct sk_security_struct *sksec_sock = sock->sk_security;
4895 struct sk_security_struct *sksec_other = other->sk_security;
4896 struct sk_security_struct *sksec_new = newsk->sk_security;
4897 struct common_audit_data ad;
4898 struct lsm_network_audit net = {0,};
4901 ad.type = LSM_AUDIT_DATA_NET;
4903 ad.u.net->sk = other;
4905 err = avc_has_perm(&selinux_state,
4906 sksec_sock->sid, sksec_other->sid,
4907 sksec_other->sclass,
4908 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4912 /* server child socket */
4913 sksec_new->peer_sid = sksec_sock->sid;
4914 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4915 sksec_sock->sid, &sksec_new->sid);
4919 /* connecting socket */
4920 sksec_sock->peer_sid = sksec_new->sid;
4925 static int selinux_socket_unix_may_send(struct socket *sock,
4926 struct socket *other)
4928 struct sk_security_struct *ssec = sock->sk->sk_security;
4929 struct sk_security_struct *osec = other->sk->sk_security;
4930 struct common_audit_data ad;
4931 struct lsm_network_audit net = {0,};
4933 ad.type = LSM_AUDIT_DATA_NET;
4935 ad.u.net->sk = other->sk;
4937 return avc_has_perm(&selinux_state,
4938 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4942 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4943 char *addrp, u16 family, u32 peer_sid,
4944 struct common_audit_data *ad)
4950 err = sel_netif_sid(ns, ifindex, &if_sid);
4953 err = avc_has_perm(&selinux_state,
4955 SECCLASS_NETIF, NETIF__INGRESS, ad);
4959 err = sel_netnode_sid(addrp, family, &node_sid);
4962 return avc_has_perm(&selinux_state,
4964 SECCLASS_NODE, NODE__RECVFROM, ad);
4967 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4971 struct sk_security_struct *sksec = sk->sk_security;
4972 u32 sk_sid = sksec->sid;
4973 struct common_audit_data ad;
4974 struct lsm_network_audit net = {0,};
4977 ad.type = LSM_AUDIT_DATA_NET;
4979 ad.u.net->netif = skb->skb_iif;
4980 ad.u.net->family = family;
4981 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4985 if (selinux_secmark_enabled()) {
4986 err = avc_has_perm(&selinux_state,
4987 sk_sid, skb->secmark, SECCLASS_PACKET,
4993 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4996 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5001 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5004 struct sk_security_struct *sksec = sk->sk_security;
5005 u16 family = sk->sk_family;
5006 u32 sk_sid = sksec->sid;
5007 struct common_audit_data ad;
5008 struct lsm_network_audit net = {0,};
5013 if (family != PF_INET && family != PF_INET6)
5016 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5017 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5020 /* If any sort of compatibility mode is enabled then handoff processing
5021 * to the selinux_sock_rcv_skb_compat() function to deal with the
5022 * special handling. We do this in an attempt to keep this function
5023 * as fast and as clean as possible. */
5024 if (!selinux_policycap_netpeer())
5025 return selinux_sock_rcv_skb_compat(sk, skb, family);
5027 secmark_active = selinux_secmark_enabled();
5028 peerlbl_active = selinux_peerlbl_enabled();
5029 if (!secmark_active && !peerlbl_active)
5032 ad.type = LSM_AUDIT_DATA_NET;
5034 ad.u.net->netif = skb->skb_iif;
5035 ad.u.net->family = family;
5036 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5040 if (peerlbl_active) {
5043 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5046 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5047 addrp, family, peer_sid, &ad);
5049 selinux_netlbl_err(skb, family, err, 0);
5052 err = avc_has_perm(&selinux_state,
5053 sk_sid, peer_sid, SECCLASS_PEER,
5056 selinux_netlbl_err(skb, family, err, 0);
5061 if (secmark_active) {
5062 err = avc_has_perm(&selinux_state,
5063 sk_sid, skb->secmark, SECCLASS_PACKET,
5072 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5073 int __user *optlen, unsigned len)
5078 struct sk_security_struct *sksec = sock->sk->sk_security;
5079 u32 peer_sid = SECSID_NULL;
5081 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5082 sksec->sclass == SECCLASS_TCP_SOCKET ||
5083 sksec->sclass == SECCLASS_SCTP_SOCKET)
5084 peer_sid = sksec->peer_sid;
5085 if (peer_sid == SECSID_NULL)
5086 return -ENOPROTOOPT;
5088 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5093 if (scontext_len > len) {
5098 if (copy_to_user(optval, scontext, scontext_len))
5102 if (put_user(scontext_len, optlen))
5108 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5110 u32 peer_secid = SECSID_NULL;
5112 struct inode_security_struct *isec;
5114 if (skb && skb->protocol == htons(ETH_P_IP))
5116 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5119 family = sock->sk->sk_family;
5123 if (sock && family == PF_UNIX) {
5124 isec = inode_security_novalidate(SOCK_INODE(sock));
5125 peer_secid = isec->sid;
5127 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5130 *secid = peer_secid;
5131 if (peer_secid == SECSID_NULL)
5136 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5138 struct sk_security_struct *sksec;
5140 sksec = kzalloc(sizeof(*sksec), priority);
5144 sksec->peer_sid = SECINITSID_UNLABELED;
5145 sksec->sid = SECINITSID_UNLABELED;
5146 sksec->sclass = SECCLASS_SOCKET;
5147 selinux_netlbl_sk_security_reset(sksec);
5148 sk->sk_security = sksec;
5153 static void selinux_sk_free_security(struct sock *sk)
5155 struct sk_security_struct *sksec = sk->sk_security;
5157 sk->sk_security = NULL;
5158 selinux_netlbl_sk_security_free(sksec);
5162 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5164 struct sk_security_struct *sksec = sk->sk_security;
5165 struct sk_security_struct *newsksec = newsk->sk_security;
5167 newsksec->sid = sksec->sid;
5168 newsksec->peer_sid = sksec->peer_sid;
5169 newsksec->sclass = sksec->sclass;
5171 selinux_netlbl_sk_security_reset(newsksec);
5174 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5177 *secid = SECINITSID_ANY_SOCKET;
5179 struct sk_security_struct *sksec = sk->sk_security;
5181 *secid = sksec->sid;
5185 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5187 struct inode_security_struct *isec =
5188 inode_security_novalidate(SOCK_INODE(parent));
5189 struct sk_security_struct *sksec = sk->sk_security;
5191 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5192 sk->sk_family == PF_UNIX)
5193 isec->sid = sksec->sid;
5194 sksec->sclass = isec->sclass;
5197 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5198 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5201 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5202 struct sk_buff *skb)
5204 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5205 struct common_audit_data ad;
5206 struct lsm_network_audit net = {0,};
5208 u32 peer_sid = SECINITSID_UNLABELED;
5212 if (!selinux_policycap_extsockclass())
5215 peerlbl_active = selinux_peerlbl_enabled();
5217 if (peerlbl_active) {
5218 /* This will return peer_sid = SECSID_NULL if there are
5219 * no peer labels, see security_net_peersid_resolve().
5221 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5226 if (peer_sid == SECSID_NULL)
5227 peer_sid = SECINITSID_UNLABELED;
5230 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5231 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5233 /* Here as first association on socket. As the peer SID
5234 * was allowed by peer recv (and the netif/node checks),
5235 * then it is approved by policy and used as the primary
5236 * peer SID for getpeercon(3).
5238 sksec->peer_sid = peer_sid;
5239 } else if (sksec->peer_sid != peer_sid) {
5240 /* Other association peer SIDs are checked to enforce
5241 * consistency among the peer SIDs.
5243 ad.type = LSM_AUDIT_DATA_NET;
5245 ad.u.net->sk = ep->base.sk;
5246 err = avc_has_perm(&selinux_state,
5247 sksec->peer_sid, peer_sid, sksec->sclass,
5248 SCTP_SOCKET__ASSOCIATION, &ad);
5253 /* Compute the MLS component for the connection and store
5254 * the information in ep. This will be used by SCTP TCP type
5255 * sockets and peeled off connections as they cause a new
5256 * socket to be generated. selinux_sctp_sk_clone() will then
5257 * plug this into the new socket.
5259 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5263 ep->secid = conn_sid;
5264 ep->peer_secid = peer_sid;
5266 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5267 return selinux_netlbl_sctp_assoc_request(ep, skb);
5270 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5271 * based on their @optname.
5273 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5274 struct sockaddr *address,
5277 int len, err = 0, walk_size = 0;
5279 struct sockaddr *addr;
5280 struct socket *sock;
5282 if (!selinux_policycap_extsockclass())
5285 /* Process one or more addresses that may be IPv4 or IPv6 */
5286 sock = sk->sk_socket;
5289 while (walk_size < addrlen) {
5291 switch (addr->sa_family) {
5294 len = sizeof(struct sockaddr_in);
5297 len = sizeof(struct sockaddr_in6);
5306 case SCTP_PRIMARY_ADDR:
5307 case SCTP_SET_PEER_PRIMARY_ADDR:
5308 case SCTP_SOCKOPT_BINDX_ADD:
5309 err = selinux_socket_bind(sock, addr, len);
5311 /* Connect checks */
5312 case SCTP_SOCKOPT_CONNECTX:
5313 case SCTP_PARAM_SET_PRIMARY:
5314 case SCTP_PARAM_ADD_IP:
5315 case SCTP_SENDMSG_CONNECT:
5316 err = selinux_socket_connect_helper(sock, addr, len);
5320 /* As selinux_sctp_bind_connect() is called by the
5321 * SCTP protocol layer, the socket is already locked,
5322 * therefore selinux_netlbl_socket_connect_locked() is
5323 * is called here. The situations handled are:
5324 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5325 * whenever a new IP address is added or when a new
5326 * primary address is selected.
5327 * Note that an SCTP connect(2) call happens before
5328 * the SCTP protocol layer and is handled via
5329 * selinux_socket_connect().
5331 err = selinux_netlbl_socket_connect_locked(sk, addr);
5345 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5346 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5349 struct sk_security_struct *sksec = sk->sk_security;
5350 struct sk_security_struct *newsksec = newsk->sk_security;
5352 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5353 * the non-sctp clone version.
5355 if (!selinux_policycap_extsockclass())
5356 return selinux_sk_clone_security(sk, newsk);
5358 newsksec->sid = ep->secid;
5359 newsksec->peer_sid = ep->peer_secid;
5360 newsksec->sclass = sksec->sclass;
5361 selinux_netlbl_sctp_sk_clone(sk, newsk);
5364 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5365 struct request_sock *req)
5367 struct sk_security_struct *sksec = sk->sk_security;
5369 u16 family = req->rsk_ops->family;
5373 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5376 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5379 req->secid = connsid;
5380 req->peer_secid = peersid;
5382 return selinux_netlbl_inet_conn_request(req, family);
5385 static void selinux_inet_csk_clone(struct sock *newsk,
5386 const struct request_sock *req)
5388 struct sk_security_struct *newsksec = newsk->sk_security;
5390 newsksec->sid = req->secid;
5391 newsksec->peer_sid = req->peer_secid;
5392 /* NOTE: Ideally, we should also get the isec->sid for the
5393 new socket in sync, but we don't have the isec available yet.
5394 So we will wait until sock_graft to do it, by which
5395 time it will have been created and available. */
5397 /* We don't need to take any sort of lock here as we are the only
5398 * thread with access to newsksec */
5399 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5402 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5404 u16 family = sk->sk_family;
5405 struct sk_security_struct *sksec = sk->sk_security;
5407 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5408 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5411 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5414 static int selinux_secmark_relabel_packet(u32 sid)
5416 const struct task_security_struct *__tsec;
5419 __tsec = current_security();
5422 return avc_has_perm(&selinux_state,
5423 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5427 static void selinux_secmark_refcount_inc(void)
5429 atomic_inc(&selinux_secmark_refcount);
5432 static void selinux_secmark_refcount_dec(void)
5434 atomic_dec(&selinux_secmark_refcount);
5437 static void selinux_req_classify_flow(const struct request_sock *req,
5440 fl->flowi_secid = req->secid;
5443 static int selinux_tun_dev_alloc_security(void **security)
5445 struct tun_security_struct *tunsec;
5447 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5450 tunsec->sid = current_sid();
5456 static void selinux_tun_dev_free_security(void *security)
5461 static int selinux_tun_dev_create(void)
5463 u32 sid = current_sid();
5465 /* we aren't taking into account the "sockcreate" SID since the socket
5466 * that is being created here is not a socket in the traditional sense,
5467 * instead it is a private sock, accessible only to the kernel, and
5468 * representing a wide range of network traffic spanning multiple
5469 * connections unlike traditional sockets - check the TUN driver to
5470 * get a better understanding of why this socket is special */
5472 return avc_has_perm(&selinux_state,
5473 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5477 static int selinux_tun_dev_attach_queue(void *security)
5479 struct tun_security_struct *tunsec = security;
5481 return avc_has_perm(&selinux_state,
5482 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5483 TUN_SOCKET__ATTACH_QUEUE, NULL);
5486 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5488 struct tun_security_struct *tunsec = security;
5489 struct sk_security_struct *sksec = sk->sk_security;
5491 /* we don't currently perform any NetLabel based labeling here and it
5492 * isn't clear that we would want to do so anyway; while we could apply
5493 * labeling without the support of the TUN user the resulting labeled
5494 * traffic from the other end of the connection would almost certainly
5495 * cause confusion to the TUN user that had no idea network labeling
5496 * protocols were being used */
5498 sksec->sid = tunsec->sid;
5499 sksec->sclass = SECCLASS_TUN_SOCKET;
5504 static int selinux_tun_dev_open(void *security)
5506 struct tun_security_struct *tunsec = security;
5507 u32 sid = current_sid();
5510 err = avc_has_perm(&selinux_state,
5511 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5512 TUN_SOCKET__RELABELFROM, NULL);
5515 err = avc_has_perm(&selinux_state,
5516 sid, sid, SECCLASS_TUN_SOCKET,
5517 TUN_SOCKET__RELABELTO, NULL);
5525 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5529 struct nlmsghdr *nlh;
5530 struct sk_security_struct *sksec = sk->sk_security;
5532 if (skb->len < NLMSG_HDRLEN) {
5536 nlh = nlmsg_hdr(skb);
5538 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5540 if (err == -EINVAL) {
5541 pr_warn_ratelimited("SELinux: unrecognized netlink"
5542 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5543 " pig=%d comm=%s\n",
5544 sk->sk_protocol, nlh->nlmsg_type,
5545 secclass_map[sksec->sclass - 1].name,
5546 task_pid_nr(current), current->comm);
5547 if (!enforcing_enabled(&selinux_state) ||
5548 security_get_allow_unknown(&selinux_state))
5558 err = sock_has_perm(sk, perm);
5563 #ifdef CONFIG_NETFILTER
5565 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5566 const struct net_device *indev,
5572 struct common_audit_data ad;
5573 struct lsm_network_audit net = {0,};
5578 if (!selinux_policycap_netpeer())
5581 secmark_active = selinux_secmark_enabled();
5582 netlbl_active = netlbl_enabled();
5583 peerlbl_active = selinux_peerlbl_enabled();
5584 if (!secmark_active && !peerlbl_active)
5587 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5590 ad.type = LSM_AUDIT_DATA_NET;
5592 ad.u.net->netif = indev->ifindex;
5593 ad.u.net->family = family;
5594 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5597 if (peerlbl_active) {
5598 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5599 addrp, family, peer_sid, &ad);
5601 selinux_netlbl_err(skb, family, err, 1);
5607 if (avc_has_perm(&selinux_state,
5608 peer_sid, skb->secmark,
5609 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5613 /* we do this in the FORWARD path and not the POST_ROUTING
5614 * path because we want to make sure we apply the necessary
5615 * labeling before IPsec is applied so we can leverage AH
5617 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5623 static unsigned int selinux_ipv4_forward(void *priv,
5624 struct sk_buff *skb,
5625 const struct nf_hook_state *state)
5627 return selinux_ip_forward(skb, state->in, PF_INET);
5630 #if IS_ENABLED(CONFIG_IPV6)
5631 static unsigned int selinux_ipv6_forward(void *priv,
5632 struct sk_buff *skb,
5633 const struct nf_hook_state *state)
5635 return selinux_ip_forward(skb, state->in, PF_INET6);
5639 static unsigned int selinux_ip_output(struct sk_buff *skb,
5645 if (!netlbl_enabled())
5648 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5649 * because we want to make sure we apply the necessary labeling
5650 * before IPsec is applied so we can leverage AH protection */
5653 struct sk_security_struct *sksec;
5655 if (sk_listener(sk))
5656 /* if the socket is the listening state then this
5657 * packet is a SYN-ACK packet which means it needs to
5658 * be labeled based on the connection/request_sock and
5659 * not the parent socket. unfortunately, we can't
5660 * lookup the request_sock yet as it isn't queued on
5661 * the parent socket until after the SYN-ACK is sent.
5662 * the "solution" is to simply pass the packet as-is
5663 * as any IP option based labeling should be copied
5664 * from the initial connection request (in the IP
5665 * layer). it is far from ideal, but until we get a
5666 * security label in the packet itself this is the
5667 * best we can do. */
5670 /* standard practice, label using the parent socket */
5671 sksec = sk->sk_security;
5674 sid = SECINITSID_KERNEL;
5675 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5681 static unsigned int selinux_ipv4_output(void *priv,
5682 struct sk_buff *skb,
5683 const struct nf_hook_state *state)
5685 return selinux_ip_output(skb, PF_INET);
5688 #if IS_ENABLED(CONFIG_IPV6)
5689 static unsigned int selinux_ipv6_output(void *priv,
5690 struct sk_buff *skb,
5691 const struct nf_hook_state *state)
5693 return selinux_ip_output(skb, PF_INET6);
5697 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5701 struct sock *sk = skb_to_full_sk(skb);
5702 struct sk_security_struct *sksec;
5703 struct common_audit_data ad;
5704 struct lsm_network_audit net = {0,};
5710 sksec = sk->sk_security;
5712 ad.type = LSM_AUDIT_DATA_NET;
5714 ad.u.net->netif = ifindex;
5715 ad.u.net->family = family;
5716 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5719 if (selinux_secmark_enabled())
5720 if (avc_has_perm(&selinux_state,
5721 sksec->sid, skb->secmark,
5722 SECCLASS_PACKET, PACKET__SEND, &ad))
5723 return NF_DROP_ERR(-ECONNREFUSED);
5725 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5726 return NF_DROP_ERR(-ECONNREFUSED);
5731 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5732 const struct net_device *outdev,
5737 int ifindex = outdev->ifindex;
5739 struct common_audit_data ad;
5740 struct lsm_network_audit net = {0,};
5745 /* If any sort of compatibility mode is enabled then handoff processing
5746 * to the selinux_ip_postroute_compat() function to deal with the
5747 * special handling. We do this in an attempt to keep this function
5748 * as fast and as clean as possible. */
5749 if (!selinux_policycap_netpeer())
5750 return selinux_ip_postroute_compat(skb, ifindex, family);
5752 secmark_active = selinux_secmark_enabled();
5753 peerlbl_active = selinux_peerlbl_enabled();
5754 if (!secmark_active && !peerlbl_active)
5757 sk = skb_to_full_sk(skb);
5760 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5761 * packet transformation so allow the packet to pass without any checks
5762 * since we'll have another chance to perform access control checks
5763 * when the packet is on it's final way out.
5764 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5765 * is NULL, in this case go ahead and apply access control.
5766 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5767 * TCP listening state we cannot wait until the XFRM processing
5768 * is done as we will miss out on the SA label if we do;
5769 * unfortunately, this means more work, but it is only once per
5771 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5772 !(sk && sk_listener(sk)))
5777 /* Without an associated socket the packet is either coming
5778 * from the kernel or it is being forwarded; check the packet
5779 * to determine which and if the packet is being forwarded
5780 * query the packet directly to determine the security label. */
5782 secmark_perm = PACKET__FORWARD_OUT;
5783 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5786 secmark_perm = PACKET__SEND;
5787 peer_sid = SECINITSID_KERNEL;
5789 } else if (sk_listener(sk)) {
5790 /* Locally generated packet but the associated socket is in the
5791 * listening state which means this is a SYN-ACK packet. In
5792 * this particular case the correct security label is assigned
5793 * to the connection/request_sock but unfortunately we can't
5794 * query the request_sock as it isn't queued on the parent
5795 * socket until after the SYN-ACK packet is sent; the only
5796 * viable choice is to regenerate the label like we do in
5797 * selinux_inet_conn_request(). See also selinux_ip_output()
5798 * for similar problems. */
5800 struct sk_security_struct *sksec;
5802 sksec = sk->sk_security;
5803 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5805 /* At this point, if the returned skb peerlbl is SECSID_NULL
5806 * and the packet has been through at least one XFRM
5807 * transformation then we must be dealing with the "final"
5808 * form of labeled IPsec packet; since we've already applied
5809 * all of our access controls on this packet we can safely
5810 * pass the packet. */
5811 if (skb_sid == SECSID_NULL) {
5814 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5818 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5822 return NF_DROP_ERR(-ECONNREFUSED);
5825 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5827 secmark_perm = PACKET__SEND;
5829 /* Locally generated packet, fetch the security label from the
5830 * associated socket. */
5831 struct sk_security_struct *sksec = sk->sk_security;
5832 peer_sid = sksec->sid;
5833 secmark_perm = PACKET__SEND;
5836 ad.type = LSM_AUDIT_DATA_NET;
5838 ad.u.net->netif = ifindex;
5839 ad.u.net->family = family;
5840 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5844 if (avc_has_perm(&selinux_state,
5845 peer_sid, skb->secmark,
5846 SECCLASS_PACKET, secmark_perm, &ad))
5847 return NF_DROP_ERR(-ECONNREFUSED);
5849 if (peerlbl_active) {
5853 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5855 if (avc_has_perm(&selinux_state,
5857 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5858 return NF_DROP_ERR(-ECONNREFUSED);
5860 if (sel_netnode_sid(addrp, family, &node_sid))
5862 if (avc_has_perm(&selinux_state,
5864 SECCLASS_NODE, NODE__SENDTO, &ad))
5865 return NF_DROP_ERR(-ECONNREFUSED);
5871 static unsigned int selinux_ipv4_postroute(void *priv,
5872 struct sk_buff *skb,
5873 const struct nf_hook_state *state)
5875 return selinux_ip_postroute(skb, state->out, PF_INET);
5878 #if IS_ENABLED(CONFIG_IPV6)
5879 static unsigned int selinux_ipv6_postroute(void *priv,
5880 struct sk_buff *skb,
5881 const struct nf_hook_state *state)
5883 return selinux_ip_postroute(skb, state->out, PF_INET6);
5887 #endif /* CONFIG_NETFILTER */
5889 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5891 return selinux_nlmsg_perm(sk, skb);
5894 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5897 struct ipc_security_struct *isec;
5899 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5903 isec->sclass = sclass;
5904 isec->sid = current_sid();
5905 perm->security = isec;
5910 static void ipc_free_security(struct kern_ipc_perm *perm)
5912 struct ipc_security_struct *isec = perm->security;
5913 perm->security = NULL;
5917 static int msg_msg_alloc_security(struct msg_msg *msg)
5919 struct msg_security_struct *msec;
5921 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5925 msec->sid = SECINITSID_UNLABELED;
5926 msg->security = msec;
5931 static void msg_msg_free_security(struct msg_msg *msg)
5933 struct msg_security_struct *msec = msg->security;
5935 msg->security = NULL;
5939 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5942 struct ipc_security_struct *isec;
5943 struct common_audit_data ad;
5944 u32 sid = current_sid();
5946 isec = ipc_perms->security;
5948 ad.type = LSM_AUDIT_DATA_IPC;
5949 ad.u.ipc_id = ipc_perms->key;
5951 return avc_has_perm(&selinux_state,
5952 sid, isec->sid, isec->sclass, perms, &ad);
5955 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5957 return msg_msg_alloc_security(msg);
5960 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5962 msg_msg_free_security(msg);
5965 /* message queue security operations */
5966 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5968 struct ipc_security_struct *isec;
5969 struct common_audit_data ad;
5970 u32 sid = current_sid();
5973 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
5977 isec = msq->security;
5979 ad.type = LSM_AUDIT_DATA_IPC;
5980 ad.u.ipc_id = msq->key;
5982 rc = avc_has_perm(&selinux_state,
5983 sid, isec->sid, SECCLASS_MSGQ,
5986 ipc_free_security(msq);
5992 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
5994 ipc_free_security(msq);
5997 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5999 struct ipc_security_struct *isec;
6000 struct common_audit_data ad;
6001 u32 sid = current_sid();
6003 isec = msq->security;
6005 ad.type = LSM_AUDIT_DATA_IPC;
6006 ad.u.ipc_id = msq->key;
6008 return avc_has_perm(&selinux_state,
6009 sid, isec->sid, SECCLASS_MSGQ,
6010 MSGQ__ASSOCIATE, &ad);
6013 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6021 /* No specific object, just general system-wide information. */
6022 return avc_has_perm(&selinux_state,
6023 current_sid(), SECINITSID_KERNEL,
6024 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6028 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6031 perms = MSGQ__SETATTR;
6034 perms = MSGQ__DESTROY;
6040 err = ipc_has_perm(msq, perms);
6044 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6046 struct ipc_security_struct *isec;
6047 struct msg_security_struct *msec;
6048 struct common_audit_data ad;
6049 u32 sid = current_sid();
6052 isec = msq->security;
6053 msec = msg->security;
6056 * First time through, need to assign label to the message
6058 if (msec->sid == SECINITSID_UNLABELED) {
6060 * Compute new sid based on current process and
6061 * message queue this message will be stored in
6063 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6064 SECCLASS_MSG, NULL, &msec->sid);
6069 ad.type = LSM_AUDIT_DATA_IPC;
6070 ad.u.ipc_id = msq->key;
6072 /* Can this process write to the queue? */
6073 rc = avc_has_perm(&selinux_state,
6074 sid, isec->sid, SECCLASS_MSGQ,
6077 /* Can this process send the message */
6078 rc = avc_has_perm(&selinux_state,
6079 sid, msec->sid, SECCLASS_MSG,
6082 /* Can the message be put in the queue? */
6083 rc = avc_has_perm(&selinux_state,
6084 msec->sid, isec->sid, SECCLASS_MSGQ,
6085 MSGQ__ENQUEUE, &ad);
6090 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6091 struct task_struct *target,
6092 long type, int mode)
6094 struct ipc_security_struct *isec;
6095 struct msg_security_struct *msec;
6096 struct common_audit_data ad;
6097 u32 sid = task_sid(target);
6100 isec = msq->security;
6101 msec = msg->security;
6103 ad.type = LSM_AUDIT_DATA_IPC;
6104 ad.u.ipc_id = msq->key;
6106 rc = avc_has_perm(&selinux_state,
6108 SECCLASS_MSGQ, MSGQ__READ, &ad);
6110 rc = avc_has_perm(&selinux_state,
6112 SECCLASS_MSG, MSG__RECEIVE, &ad);
6116 /* Shared Memory security operations */
6117 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6119 struct ipc_security_struct *isec;
6120 struct common_audit_data ad;
6121 u32 sid = current_sid();
6124 rc = ipc_alloc_security(shp, SECCLASS_SHM);
6128 isec = shp->security;
6130 ad.type = LSM_AUDIT_DATA_IPC;
6131 ad.u.ipc_id = shp->key;
6133 rc = avc_has_perm(&selinux_state,
6134 sid, isec->sid, SECCLASS_SHM,
6137 ipc_free_security(shp);
6143 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6145 ipc_free_security(shp);
6148 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6150 struct ipc_security_struct *isec;
6151 struct common_audit_data ad;
6152 u32 sid = current_sid();
6154 isec = shp->security;
6156 ad.type = LSM_AUDIT_DATA_IPC;
6157 ad.u.ipc_id = shp->key;
6159 return avc_has_perm(&selinux_state,
6160 sid, isec->sid, SECCLASS_SHM,
6161 SHM__ASSOCIATE, &ad);
6164 /* Note, at this point, shp is locked down */
6165 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6173 /* No specific object, just general system-wide information. */
6174 return avc_has_perm(&selinux_state,
6175 current_sid(), SECINITSID_KERNEL,
6176 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6180 perms = SHM__GETATTR | SHM__ASSOCIATE;
6183 perms = SHM__SETATTR;
6190 perms = SHM__DESTROY;
6196 err = ipc_has_perm(shp, perms);
6200 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6201 char __user *shmaddr, int shmflg)
6205 if (shmflg & SHM_RDONLY)
6208 perms = SHM__READ | SHM__WRITE;
6210 return ipc_has_perm(shp, perms);
6213 /* Semaphore security operations */
6214 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6216 struct ipc_security_struct *isec;
6217 struct common_audit_data ad;
6218 u32 sid = current_sid();
6221 rc = ipc_alloc_security(sma, SECCLASS_SEM);
6225 isec = sma->security;
6227 ad.type = LSM_AUDIT_DATA_IPC;
6228 ad.u.ipc_id = sma->key;
6230 rc = avc_has_perm(&selinux_state,
6231 sid, isec->sid, SECCLASS_SEM,
6234 ipc_free_security(sma);
6240 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6242 ipc_free_security(sma);
6245 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6247 struct ipc_security_struct *isec;
6248 struct common_audit_data ad;
6249 u32 sid = current_sid();
6251 isec = sma->security;
6253 ad.type = LSM_AUDIT_DATA_IPC;
6254 ad.u.ipc_id = sma->key;
6256 return avc_has_perm(&selinux_state,
6257 sid, isec->sid, SECCLASS_SEM,
6258 SEM__ASSOCIATE, &ad);
6261 /* Note, at this point, sma is locked down */
6262 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6270 /* No specific object, just general system-wide information. */
6271 return avc_has_perm(&selinux_state,
6272 current_sid(), SECINITSID_KERNEL,
6273 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6277 perms = SEM__GETATTR;
6288 perms = SEM__DESTROY;
6291 perms = SEM__SETATTR;
6296 perms = SEM__GETATTR | SEM__ASSOCIATE;
6302 err = ipc_has_perm(sma, perms);
6306 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6307 struct sembuf *sops, unsigned nsops, int alter)
6312 perms = SEM__READ | SEM__WRITE;
6316 return ipc_has_perm(sma, perms);
6319 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6325 av |= IPC__UNIX_READ;
6327 av |= IPC__UNIX_WRITE;
6332 return ipc_has_perm(ipcp, av);
6335 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6337 struct ipc_security_struct *isec = ipcp->security;
6341 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6344 inode_doinit_with_dentry(inode, dentry);
6347 static int selinux_getprocattr(struct task_struct *p,
6348 char *name, char **value)
6350 const struct task_security_struct *__tsec;
6356 __tsec = __task_cred(p)->security;
6359 error = avc_has_perm(&selinux_state,
6360 current_sid(), __tsec->sid,
6361 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6366 if (!strcmp(name, "current"))
6368 else if (!strcmp(name, "prev"))
6370 else if (!strcmp(name, "exec"))
6371 sid = __tsec->exec_sid;
6372 else if (!strcmp(name, "fscreate"))
6373 sid = __tsec->create_sid;
6374 else if (!strcmp(name, "keycreate"))
6375 sid = __tsec->keycreate_sid;
6376 else if (!strcmp(name, "sockcreate"))
6377 sid = __tsec->sockcreate_sid;
6387 error = security_sid_to_context(&selinux_state, sid, value, &len);
6397 static int selinux_setprocattr(const char *name, void *value, size_t size)
6399 struct task_security_struct *tsec;
6401 u32 mysid = current_sid(), sid = 0, ptsid;
6406 * Basic control over ability to set these attributes at all.
6408 if (!strcmp(name, "exec"))
6409 error = avc_has_perm(&selinux_state,
6410 mysid, mysid, SECCLASS_PROCESS,
6411 PROCESS__SETEXEC, NULL);
6412 else if (!strcmp(name, "fscreate"))
6413 error = avc_has_perm(&selinux_state,
6414 mysid, mysid, SECCLASS_PROCESS,
6415 PROCESS__SETFSCREATE, NULL);
6416 else if (!strcmp(name, "keycreate"))
6417 error = avc_has_perm(&selinux_state,
6418 mysid, mysid, SECCLASS_PROCESS,
6419 PROCESS__SETKEYCREATE, NULL);
6420 else if (!strcmp(name, "sockcreate"))
6421 error = avc_has_perm(&selinux_state,
6422 mysid, mysid, SECCLASS_PROCESS,
6423 PROCESS__SETSOCKCREATE, NULL);
6424 else if (!strcmp(name, "current"))
6425 error = avc_has_perm(&selinux_state,
6426 mysid, mysid, SECCLASS_PROCESS,
6427 PROCESS__SETCURRENT, NULL);
6433 /* Obtain a SID for the context, if one was specified. */
6434 if (size && str[0] && str[0] != '\n') {
6435 if (str[size-1] == '\n') {
6439 error = security_context_to_sid(&selinux_state, value, size,
6441 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6442 if (!has_cap_mac_admin(true)) {
6443 struct audit_buffer *ab;
6446 /* We strip a nul only if it is at the end, otherwise the
6447 * context contains a nul and we should audit that */
6448 if (str[size - 1] == '\0')
6449 audit_size = size - 1;
6452 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
6453 audit_log_format(ab, "op=fscreate invalid_context=");
6454 audit_log_n_untrustedstring(ab, value, audit_size);
6459 error = security_context_to_sid_force(
6467 new = prepare_creds();
6471 /* Permission checking based on the specified context is
6472 performed during the actual operation (execve,
6473 open/mkdir/...), when we know the full context of the
6474 operation. See selinux_bprm_set_creds for the execve
6475 checks and may_create for the file creation checks. The
6476 operation will then fail if the context is not permitted. */
6477 tsec = new->security;
6478 if (!strcmp(name, "exec")) {
6479 tsec->exec_sid = sid;
6480 } else if (!strcmp(name, "fscreate")) {
6481 tsec->create_sid = sid;
6482 } else if (!strcmp(name, "keycreate")) {
6483 error = avc_has_perm(&selinux_state,
6484 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6488 tsec->keycreate_sid = sid;
6489 } else if (!strcmp(name, "sockcreate")) {
6490 tsec->sockcreate_sid = sid;
6491 } else if (!strcmp(name, "current")) {
6496 /* Only allow single threaded processes to change context */
6498 if (!current_is_single_threaded()) {
6499 error = security_bounded_transition(&selinux_state,
6505 /* Check permissions for the transition. */
6506 error = avc_has_perm(&selinux_state,
6507 tsec->sid, sid, SECCLASS_PROCESS,
6508 PROCESS__DYNTRANSITION, NULL);
6512 /* Check for ptracing, and update the task SID if ok.
6513 Otherwise, leave SID unchanged and fail. */
6514 ptsid = ptrace_parent_sid();
6516 error = avc_has_perm(&selinux_state,
6517 ptsid, sid, SECCLASS_PROCESS,
6518 PROCESS__PTRACE, NULL);
6537 static int selinux_ismaclabel(const char *name)
6539 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6542 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6544 return security_sid_to_context(&selinux_state, secid,
6548 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6550 return security_context_to_sid(&selinux_state, secdata, seclen,
6554 static void selinux_release_secctx(char *secdata, u32 seclen)
6559 static void selinux_inode_invalidate_secctx(struct inode *inode)
6561 struct inode_security_struct *isec = inode->i_security;
6563 spin_lock(&isec->lock);
6564 isec->initialized = LABEL_INVALID;
6565 spin_unlock(&isec->lock);
6569 * called with inode->i_mutex locked
6571 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6573 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6577 * called with inode->i_mutex locked
6579 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6581 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6584 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6587 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6596 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6597 unsigned long flags)
6599 const struct task_security_struct *tsec;
6600 struct key_security_struct *ksec;
6602 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6606 tsec = cred->security;
6607 if (tsec->keycreate_sid)
6608 ksec->sid = tsec->keycreate_sid;
6610 ksec->sid = tsec->sid;
6616 static void selinux_key_free(struct key *k)
6618 struct key_security_struct *ksec = k->security;
6624 static int selinux_key_permission(key_ref_t key_ref,
6625 const struct cred *cred,
6629 struct key_security_struct *ksec;
6632 /* if no specific permissions are requested, we skip the
6633 permission check. No serious, additional covert channels
6634 appear to be created. */
6638 sid = cred_sid(cred);
6640 key = key_ref_to_ptr(key_ref);
6641 ksec = key->security;
6643 return avc_has_perm(&selinux_state,
6644 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6647 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6649 struct key_security_struct *ksec = key->security;
6650 char *context = NULL;
6654 rc = security_sid_to_context(&selinux_state, ksec->sid,
6663 #ifdef CONFIG_SECURITY_INFINIBAND
6664 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6666 struct common_audit_data ad;
6669 struct ib_security_struct *sec = ib_sec;
6670 struct lsm_ibpkey_audit ibpkey;
6672 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6676 ad.type = LSM_AUDIT_DATA_IBPKEY;
6677 ibpkey.subnet_prefix = subnet_prefix;
6678 ibpkey.pkey = pkey_val;
6679 ad.u.ibpkey = &ibpkey;
6680 return avc_has_perm(&selinux_state,
6682 SECCLASS_INFINIBAND_PKEY,
6683 INFINIBAND_PKEY__ACCESS, &ad);
6686 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6689 struct common_audit_data ad;
6692 struct ib_security_struct *sec = ib_sec;
6693 struct lsm_ibendport_audit ibendport;
6695 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6701 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6702 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6703 ibendport.port = port_num;
6704 ad.u.ibendport = &ibendport;
6705 return avc_has_perm(&selinux_state,
6707 SECCLASS_INFINIBAND_ENDPORT,
6708 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6711 static int selinux_ib_alloc_security(void **ib_sec)
6713 struct ib_security_struct *sec;
6715 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6718 sec->sid = current_sid();
6724 static void selinux_ib_free_security(void *ib_sec)
6730 #ifdef CONFIG_BPF_SYSCALL
6731 static int selinux_bpf(int cmd, union bpf_attr *attr,
6734 u32 sid = current_sid();
6738 case BPF_MAP_CREATE:
6739 ret = avc_has_perm(&selinux_state,
6740 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6744 ret = avc_has_perm(&selinux_state,
6745 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6756 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6760 if (fmode & FMODE_READ)
6761 av |= BPF__MAP_READ;
6762 if (fmode & FMODE_WRITE)
6763 av |= BPF__MAP_WRITE;
6767 /* This function will check the file pass through unix socket or binder to see
6768 * if it is a bpf related object. And apply correspinding checks on the bpf
6769 * object based on the type. The bpf maps and programs, not like other files and
6770 * socket, are using a shared anonymous inode inside the kernel as their inode.
6771 * So checking that inode cannot identify if the process have privilege to
6772 * access the bpf object and that's why we have to add this additional check in
6773 * selinux_file_receive and selinux_binder_transfer_files.
6775 static int bpf_fd_pass(struct file *file, u32 sid)
6777 struct bpf_security_struct *bpfsec;
6778 struct bpf_prog *prog;
6779 struct bpf_map *map;
6782 if (file->f_op == &bpf_map_fops) {
6783 map = file->private_data;
6784 bpfsec = map->security;
6785 ret = avc_has_perm(&selinux_state,
6786 sid, bpfsec->sid, SECCLASS_BPF,
6787 bpf_map_fmode_to_av(file->f_mode), NULL);
6790 } else if (file->f_op == &bpf_prog_fops) {
6791 prog = file->private_data;
6792 bpfsec = prog->aux->security;
6793 ret = avc_has_perm(&selinux_state,
6794 sid, bpfsec->sid, SECCLASS_BPF,
6795 BPF__PROG_RUN, NULL);
6802 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6804 u32 sid = current_sid();
6805 struct bpf_security_struct *bpfsec;
6807 bpfsec = map->security;
6808 return avc_has_perm(&selinux_state,
6809 sid, bpfsec->sid, SECCLASS_BPF,
6810 bpf_map_fmode_to_av(fmode), NULL);
6813 static int selinux_bpf_prog(struct bpf_prog *prog)
6815 u32 sid = current_sid();
6816 struct bpf_security_struct *bpfsec;
6818 bpfsec = prog->aux->security;
6819 return avc_has_perm(&selinux_state,
6820 sid, bpfsec->sid, SECCLASS_BPF,
6821 BPF__PROG_RUN, NULL);
6824 static int selinux_bpf_map_alloc(struct bpf_map *map)
6826 struct bpf_security_struct *bpfsec;
6828 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6832 bpfsec->sid = current_sid();
6833 map->security = bpfsec;
6838 static void selinux_bpf_map_free(struct bpf_map *map)
6840 struct bpf_security_struct *bpfsec = map->security;
6842 map->security = NULL;
6846 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6848 struct bpf_security_struct *bpfsec;
6850 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6854 bpfsec->sid = current_sid();
6855 aux->security = bpfsec;
6860 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6862 struct bpf_security_struct *bpfsec = aux->security;
6864 aux->security = NULL;
6869 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6870 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6871 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6872 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6873 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6875 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6876 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6877 LSM_HOOK_INIT(capget, selinux_capget),
6878 LSM_HOOK_INIT(capset, selinux_capset),
6879 LSM_HOOK_INIT(capable, selinux_capable),
6880 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6881 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6882 LSM_HOOK_INIT(syslog, selinux_syslog),
6883 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6885 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6887 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6888 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6889 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6891 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6892 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6893 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6894 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6895 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6896 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6897 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6898 LSM_HOOK_INIT(sb_mount, selinux_mount),
6899 LSM_HOOK_INIT(sb_umount, selinux_umount),
6900 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6901 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6902 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6904 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6905 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6907 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6908 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6909 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6910 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6911 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6912 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6913 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6914 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6915 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6916 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6917 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6918 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6919 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6920 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6921 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6922 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6923 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6924 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6925 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6926 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6927 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6928 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6929 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6930 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6931 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6932 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6933 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6935 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6936 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6937 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6938 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6939 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6940 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6941 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6942 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6943 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6944 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6945 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6946 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6948 LSM_HOOK_INIT(file_open, selinux_file_open),
6950 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6951 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6952 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6953 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6954 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6955 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6956 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6957 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6958 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6959 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6960 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6961 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6962 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6963 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6964 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6965 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6966 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6967 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6968 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6969 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6970 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6971 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6972 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6973 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6975 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6976 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6978 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6979 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6981 LSM_HOOK_INIT(msg_queue_alloc_security,
6982 selinux_msg_queue_alloc_security),
6983 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6984 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6985 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6986 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6987 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6989 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6990 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6991 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6992 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6993 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6995 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6996 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6997 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6998 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6999 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7001 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7003 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7004 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7006 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7007 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7008 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7009 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7010 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7011 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7012 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7013 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7015 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7016 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7018 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7019 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7020 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7021 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7022 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7023 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7024 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7025 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7026 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7027 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7028 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7029 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7030 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7031 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7032 LSM_HOOK_INIT(socket_getpeersec_stream,
7033 selinux_socket_getpeersec_stream),
7034 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7035 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7036 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7037 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7038 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7039 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7040 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7041 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7042 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7043 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7044 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7045 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7046 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7047 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7048 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7049 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7050 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7051 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7052 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7053 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7054 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7055 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7056 #ifdef CONFIG_SECURITY_INFINIBAND
7057 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7058 LSM_HOOK_INIT(ib_endport_manage_subnet,
7059 selinux_ib_endport_manage_subnet),
7060 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7061 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7063 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7064 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7065 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7066 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7067 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7068 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7069 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7070 selinux_xfrm_state_alloc_acquire),
7071 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7072 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7073 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7074 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7075 selinux_xfrm_state_pol_flow_match),
7076 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7080 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7081 LSM_HOOK_INIT(key_free, selinux_key_free),
7082 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7083 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7087 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7088 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7089 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7090 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7093 #ifdef CONFIG_BPF_SYSCALL
7094 LSM_HOOK_INIT(bpf, selinux_bpf),
7095 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7096 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7097 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7098 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7099 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7100 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7104 static __init int selinux_init(void)
7106 if (!security_module_enable("selinux")) {
7107 selinux_enabled = 0;
7111 if (!selinux_enabled) {
7112 printk(KERN_INFO "SELinux: Disabled at boot.\n");
7116 printk(KERN_INFO "SELinux: Initializing.\n");
7118 memset(&selinux_state, 0, sizeof(selinux_state));
7119 enforcing_set(&selinux_state, selinux_enforcing_boot);
7120 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7121 selinux_ss_init(&selinux_state.ss);
7122 selinux_avc_init(&selinux_state.avc);
7124 /* Set the security state for the initial task. */
7125 cred_init_security();
7127 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7129 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7130 sizeof(struct inode_security_struct),
7131 0, SLAB_PANIC, NULL);
7132 file_security_cache = kmem_cache_create("selinux_file_security",
7133 sizeof(struct file_security_struct),
7134 0, SLAB_PANIC, NULL);
7139 ebitmap_cache_init();
7141 hashtab_cache_init();
7143 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7145 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7146 panic("SELinux: Unable to register AVC netcache callback\n");
7148 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7149 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7151 if (selinux_enforcing_boot)
7152 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
7154 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
7159 static void delayed_superblock_init(struct super_block *sb, void *unused)
7161 superblock_doinit(sb, NULL);
7164 void selinux_complete_init(void)
7166 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
7168 /* Set up any superblocks initialized prior to the policy load. */
7169 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
7170 iterate_supers(delayed_superblock_init, NULL);
7173 /* SELinux requires early initialization in order to label
7174 all processes and objects when they are created. */
7175 security_initcall(selinux_init);
7177 #if defined(CONFIG_NETFILTER)
7179 static const struct nf_hook_ops selinux_nf_ops[] = {
7181 .hook = selinux_ipv4_postroute,
7183 .hooknum = NF_INET_POST_ROUTING,
7184 .priority = NF_IP_PRI_SELINUX_LAST,
7187 .hook = selinux_ipv4_forward,
7189 .hooknum = NF_INET_FORWARD,
7190 .priority = NF_IP_PRI_SELINUX_FIRST,
7193 .hook = selinux_ipv4_output,
7195 .hooknum = NF_INET_LOCAL_OUT,
7196 .priority = NF_IP_PRI_SELINUX_FIRST,
7198 #if IS_ENABLED(CONFIG_IPV6)
7200 .hook = selinux_ipv6_postroute,
7202 .hooknum = NF_INET_POST_ROUTING,
7203 .priority = NF_IP6_PRI_SELINUX_LAST,
7206 .hook = selinux_ipv6_forward,
7208 .hooknum = NF_INET_FORWARD,
7209 .priority = NF_IP6_PRI_SELINUX_FIRST,
7212 .hook = selinux_ipv6_output,
7214 .hooknum = NF_INET_LOCAL_OUT,
7215 .priority = NF_IP6_PRI_SELINUX_FIRST,
7220 static int __net_init selinux_nf_register(struct net *net)
7222 return nf_register_net_hooks(net, selinux_nf_ops,
7223 ARRAY_SIZE(selinux_nf_ops));
7226 static void __net_exit selinux_nf_unregister(struct net *net)
7228 nf_unregister_net_hooks(net, selinux_nf_ops,
7229 ARRAY_SIZE(selinux_nf_ops));
7232 static struct pernet_operations selinux_net_ops = {
7233 .init = selinux_nf_register,
7234 .exit = selinux_nf_unregister,
7237 static int __init selinux_nf_ip_init(void)
7241 if (!selinux_enabled)
7244 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
7246 err = register_pernet_subsys(&selinux_net_ops);
7248 panic("SELinux: register_pernet_subsys: error %d\n", err);
7252 __initcall(selinux_nf_ip_init);
7254 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7255 static void selinux_nf_ip_exit(void)
7257 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
7259 unregister_pernet_subsys(&selinux_net_ops);
7263 #else /* CONFIG_NETFILTER */
7265 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7266 #define selinux_nf_ip_exit()
7269 #endif /* CONFIG_NETFILTER */
7271 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7272 int selinux_disable(struct selinux_state *state)
7274 if (state->initialized) {
7275 /* Not permitted after initial policy load. */
7279 if (state->disabled) {
7280 /* Only do this once. */
7284 state->disabled = 1;
7286 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
7288 selinux_enabled = 0;
7290 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7292 /* Try to destroy the avc node cache */
7295 /* Unregister netfilter hooks. */
7296 selinux_nf_ip_exit();
7298 /* Unregister selinuxfs. */
projects / linux.git / blob