1 // SPDX-License-Identifier: GPL-2.0-only
3 * NSA Security-Enhanced Linux (SELinux) security module
5 * This file contains the SELinux hook function implementations.
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
21 * Copyright (C) 2016 Mellanox Technologies
24 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h> /* for Unix socket types */
73 #include <net/af_unix.h> /* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h> /* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 #include <linux/io_uring.h>
103 #include "netlabel.h"
107 struct selinux_state selinux_state;
109 /* SECMARK reference count */
110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
113 static int selinux_enforcing_boot __initdata;
115 static int __init enforcing_setup(char *str)
117 unsigned long enforcing;
118 if (!kstrtoul(str, 0, &enforcing))
119 selinux_enforcing_boot = enforcing ? 1 : 0;
122 __setup("enforcing=", enforcing_setup);
124 #define selinux_enforcing_boot 1
127 int selinux_enabled_boot __initdata = 1;
128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
129 static int __init selinux_enabled_setup(char *str)
131 unsigned long enabled;
132 if (!kstrtoul(str, 0, &enabled))
133 selinux_enabled_boot = enabled ? 1 : 0;
136 __setup("selinux=", selinux_enabled_setup);
139 static int __init checkreqprot_setup(char *str)
141 unsigned long checkreqprot;
143 if (!kstrtoul(str, 0, &checkreqprot)) {
145 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n");
149 __setup("checkreqprot=", checkreqprot_setup);
152 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
155 * This function checks the SECMARK reference counter to see if any SECMARK
156 * targets are currently configured, if the reference counter is greater than
157 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
158 * enabled, false (0) if SECMARK is disabled. If the always_check_network
159 * policy capability is enabled, SECMARK is always considered enabled.
162 static int selinux_secmark_enabled(void)
164 return (selinux_policycap_alwaysnetwork() ||
165 atomic_read(&selinux_secmark_refcount));
169 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
172 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
173 * (1) if any are enabled or false (0) if neither are enabled. If the
174 * always_check_network policy capability is enabled, peer labeling
175 * is always considered enabled.
178 static int selinux_peerlbl_enabled(void)
180 return (selinux_policycap_alwaysnetwork() ||
181 netlbl_enabled() || selinux_xfrm_enabled());
184 static int selinux_netcache_avc_callback(u32 event)
186 if (event == AVC_CALLBACK_RESET) {
195 static int selinux_lsm_notifier_avc_callback(u32 event)
197 if (event == AVC_CALLBACK_RESET) {
199 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
206 * initialise the security for the init task
208 static void cred_init_security(void)
210 struct task_security_struct *tsec;
212 tsec = selinux_cred(unrcu_pointer(current->real_cred));
213 tsec->osid = tsec->sid = SECINITSID_KERNEL;
217 * get the security ID of a set of credentials
219 static inline u32 cred_sid(const struct cred *cred)
221 const struct task_security_struct *tsec;
223 tsec = selinux_cred(cred);
228 * get the objective security ID of a task
230 static inline u32 task_sid_obj(const struct task_struct *task)
235 sid = cred_sid(__task_cred(task));
240 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
243 * Try reloading inode security labels that have been marked as invalid. The
244 * @may_sleep parameter indicates when sleeping and thus reloading labels is
245 * allowed; when set to false, returns -ECHILD when the label is
246 * invalid. The @dentry parameter should be set to a dentry of the inode.
248 static int __inode_security_revalidate(struct inode *inode,
249 struct dentry *dentry,
252 struct inode_security_struct *isec = selinux_inode(inode);
254 might_sleep_if(may_sleep);
256 if (selinux_initialized() &&
257 isec->initialized != LABEL_INITIALIZED) {
262 * Try reloading the inode security label. This will fail if
263 * @opt_dentry is NULL and no dentry for this inode can be
264 * found; in that case, continue using the old label.
266 inode_doinit_with_dentry(inode, dentry);
271 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
273 return selinux_inode(inode);
276 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
280 error = __inode_security_revalidate(inode, NULL, !rcu);
282 return ERR_PTR(error);
283 return selinux_inode(inode);
287 * Get the security label of an inode.
289 static struct inode_security_struct *inode_security(struct inode *inode)
291 __inode_security_revalidate(inode, NULL, true);
292 return selinux_inode(inode);
295 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
297 struct inode *inode = d_backing_inode(dentry);
299 return selinux_inode(inode);
303 * Get the security label of a dentry's backing inode.
305 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
307 struct inode *inode = d_backing_inode(dentry);
309 __inode_security_revalidate(inode, dentry, true);
310 return selinux_inode(inode);
313 static void inode_free_security(struct inode *inode)
315 struct inode_security_struct *isec = selinux_inode(inode);
316 struct superblock_security_struct *sbsec;
320 sbsec = selinux_superblock(inode->i_sb);
322 * As not all inode security structures are in a list, we check for
323 * empty list outside of the lock to make sure that we won't waste
324 * time taking a lock doing nothing.
326 * The list_del_init() function can be safely called more than once.
327 * It should not be possible for this function to be called with
328 * concurrent list_add(), but for better safety against future changes
329 * in the code, we use list_empty_careful() here.
331 if (!list_empty_careful(&isec->list)) {
332 spin_lock(&sbsec->isec_lock);
333 list_del_init(&isec->list);
334 spin_unlock(&sbsec->isec_lock);
338 struct selinux_mnt_opts {
345 static void selinux_free_mnt_opts(void *mnt_opts)
359 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
369 A(rootcontext, true),
374 static int match_opt_prefix(char *s, int l, char **arg)
378 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
379 size_t len = tokens[i].len;
380 if (len > l || memcmp(s, tokens[i].name, len))
382 if (tokens[i].has_arg) {
383 if (len == l || s[len] != '=')
388 return tokens[i].opt;
393 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
395 static int may_context_mount_sb_relabel(u32 sid,
396 struct superblock_security_struct *sbsec,
397 const struct cred *cred)
399 const struct task_security_struct *tsec = selinux_cred(cred);
402 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
403 FILESYSTEM__RELABELFROM, NULL);
407 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
408 FILESYSTEM__RELABELTO, NULL);
412 static int may_context_mount_inode_relabel(u32 sid,
413 struct superblock_security_struct *sbsec,
414 const struct cred *cred)
416 const struct task_security_struct *tsec = selinux_cred(cred);
418 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
419 FILESYSTEM__RELABELFROM, NULL);
423 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
424 FILESYSTEM__ASSOCIATE, NULL);
428 static int selinux_is_genfs_special_handling(struct super_block *sb)
430 /* Special handling. Genfs but also in-core setxattr handler */
431 return !strcmp(sb->s_type->name, "sysfs") ||
432 !strcmp(sb->s_type->name, "pstore") ||
433 !strcmp(sb->s_type->name, "debugfs") ||
434 !strcmp(sb->s_type->name, "tracefs") ||
435 !strcmp(sb->s_type->name, "rootfs") ||
436 (selinux_policycap_cgroupseclabel() &&
437 (!strcmp(sb->s_type->name, "cgroup") ||
438 !strcmp(sb->s_type->name, "cgroup2")));
441 static int selinux_is_sblabel_mnt(struct super_block *sb)
443 struct superblock_security_struct *sbsec = selinux_superblock(sb);
446 * IMPORTANT: Double-check logic in this function when adding a new
447 * SECURITY_FS_USE_* definition!
449 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
451 switch (sbsec->behavior) {
452 case SECURITY_FS_USE_XATTR:
453 case SECURITY_FS_USE_TRANS:
454 case SECURITY_FS_USE_TASK:
455 case SECURITY_FS_USE_NATIVE:
458 case SECURITY_FS_USE_GENFS:
459 return selinux_is_genfs_special_handling(sb);
461 /* Never allow relabeling on context mounts */
462 case SECURITY_FS_USE_MNTPOINT:
463 case SECURITY_FS_USE_NONE:
469 static int sb_check_xattr_support(struct super_block *sb)
471 struct superblock_security_struct *sbsec = selinux_superblock(sb);
472 struct dentry *root = sb->s_root;
473 struct inode *root_inode = d_backing_inode(root);
478 * Make sure that the xattr handler exists and that no
479 * error other than -ENODATA is returned by getxattr on
480 * the root directory. -ENODATA is ok, as this may be
481 * the first boot of the SELinux kernel before we have
482 * assigned xattr values to the filesystem.
484 if (!(root_inode->i_opflags & IOP_XATTR)) {
485 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
486 sb->s_id, sb->s_type->name);
490 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
491 if (rc < 0 && rc != -ENODATA) {
492 if (rc == -EOPNOTSUPP) {
493 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
494 sb->s_id, sb->s_type->name);
497 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
498 sb->s_id, sb->s_type->name, -rc);
505 /* No xattr support - try to fallback to genfs if possible. */
506 rc = security_genfs_sid(sb->s_type->name, "/",
511 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
512 sb->s_id, sb->s_type->name);
513 sbsec->behavior = SECURITY_FS_USE_GENFS;
518 static int sb_finish_set_opts(struct super_block *sb)
520 struct superblock_security_struct *sbsec = selinux_superblock(sb);
521 struct dentry *root = sb->s_root;
522 struct inode *root_inode = d_backing_inode(root);
525 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
526 rc = sb_check_xattr_support(sb);
531 sbsec->flags |= SE_SBINITIALIZED;
534 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
535 * leave the flag untouched because sb_clone_mnt_opts might be handing
536 * us a superblock that needs the flag to be cleared.
538 if (selinux_is_sblabel_mnt(sb))
539 sbsec->flags |= SBLABEL_MNT;
541 sbsec->flags &= ~SBLABEL_MNT;
543 /* Initialize the root inode. */
544 rc = inode_doinit_with_dentry(root_inode, root);
546 /* Initialize any other inodes associated with the superblock, e.g.
547 inodes created prior to initial policy load or inodes created
548 during get_sb by a pseudo filesystem that directly
550 spin_lock(&sbsec->isec_lock);
551 while (!list_empty(&sbsec->isec_head)) {
552 struct inode_security_struct *isec =
553 list_first_entry(&sbsec->isec_head,
554 struct inode_security_struct, list);
555 struct inode *inode = isec->inode;
556 list_del_init(&isec->list);
557 spin_unlock(&sbsec->isec_lock);
558 inode = igrab(inode);
560 if (!IS_PRIVATE(inode))
561 inode_doinit_with_dentry(inode, NULL);
564 spin_lock(&sbsec->isec_lock);
566 spin_unlock(&sbsec->isec_lock);
570 static int bad_option(struct superblock_security_struct *sbsec, char flag,
571 u32 old_sid, u32 new_sid)
573 char mnt_flags = sbsec->flags & SE_MNTMASK;
575 /* check if the old mount command had the same options */
576 if (sbsec->flags & SE_SBINITIALIZED)
577 if (!(sbsec->flags & flag) ||
578 (old_sid != new_sid))
581 /* check if we were passed the same options twice,
582 * aka someone passed context=a,context=b
584 if (!(sbsec->flags & SE_SBINITIALIZED))
585 if (mnt_flags & flag)
591 * Allow filesystems with binary mount data to explicitly set mount point
592 * labeling information.
594 static int selinux_set_mnt_opts(struct super_block *sb,
596 unsigned long kern_flags,
597 unsigned long *set_kern_flags)
599 const struct cred *cred = current_cred();
600 struct superblock_security_struct *sbsec = selinux_superblock(sb);
601 struct dentry *root = sb->s_root;
602 struct selinux_mnt_opts *opts = mnt_opts;
603 struct inode_security_struct *root_isec;
604 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
605 u32 defcontext_sid = 0;
608 mutex_lock(&sbsec->lock);
610 if (!selinux_initialized()) {
612 /* Defer initialization until selinux_complete_init,
613 after the initial policy is loaded and the security
614 server is ready to handle calls. */
618 pr_warn("SELinux: Unable to set superblock options "
619 "before the security server is initialized\n");
622 if (kern_flags && !set_kern_flags) {
623 /* Specifying internal flags without providing a place to
624 * place the results is not allowed */
630 * Binary mount data FS will come through this function twice. Once
631 * from an explicit call and once from the generic calls from the vfs.
632 * Since the generic VFS calls will not contain any security mount data
633 * we need to skip the double mount verification.
635 * This does open a hole in which we will not notice if the first
636 * mount using this sb set explicit options and a second mount using
637 * this sb does not set any security options. (The first options
638 * will be used for both mounts)
640 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
644 root_isec = backing_inode_security_novalidate(root);
647 * parse the mount options, check if they are valid sids.
648 * also check if someone is trying to mount the same sb more
649 * than once with different security options.
652 if (opts->fscontext_sid) {
653 fscontext_sid = opts->fscontext_sid;
654 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
656 goto out_double_mount;
657 sbsec->flags |= FSCONTEXT_MNT;
659 if (opts->context_sid) {
660 context_sid = opts->context_sid;
661 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
663 goto out_double_mount;
664 sbsec->flags |= CONTEXT_MNT;
666 if (opts->rootcontext_sid) {
667 rootcontext_sid = opts->rootcontext_sid;
668 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
670 goto out_double_mount;
671 sbsec->flags |= ROOTCONTEXT_MNT;
673 if (opts->defcontext_sid) {
674 defcontext_sid = opts->defcontext_sid;
675 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
677 goto out_double_mount;
678 sbsec->flags |= DEFCONTEXT_MNT;
682 if (sbsec->flags & SE_SBINITIALIZED) {
683 /* previously mounted with options, but not on this attempt? */
684 if ((sbsec->flags & SE_MNTMASK) && !opts)
685 goto out_double_mount;
690 if (strcmp(sb->s_type->name, "proc") == 0)
691 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
693 if (!strcmp(sb->s_type->name, "debugfs") ||
694 !strcmp(sb->s_type->name, "tracefs") ||
695 !strcmp(sb->s_type->name, "binder") ||
696 !strcmp(sb->s_type->name, "bpf") ||
697 !strcmp(sb->s_type->name, "pstore") ||
698 !strcmp(sb->s_type->name, "securityfs"))
699 sbsec->flags |= SE_SBGENFS;
701 if (!strcmp(sb->s_type->name, "sysfs") ||
702 !strcmp(sb->s_type->name, "cgroup") ||
703 !strcmp(sb->s_type->name, "cgroup2"))
704 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
706 if (!sbsec->behavior) {
708 * Determine the labeling behavior to use for this
711 rc = security_fs_use(sb);
713 pr_warn("%s: security_fs_use(%s) returned %d\n",
714 __func__, sb->s_type->name, rc);
720 * If this is a user namespace mount and the filesystem type is not
721 * explicitly whitelisted, then no contexts are allowed on the command
722 * line and security labels must be ignored.
724 if (sb->s_user_ns != &init_user_ns &&
725 strcmp(sb->s_type->name, "tmpfs") &&
726 strcmp(sb->s_type->name, "ramfs") &&
727 strcmp(sb->s_type->name, "devpts") &&
728 strcmp(sb->s_type->name, "overlay")) {
729 if (context_sid || fscontext_sid || rootcontext_sid ||
734 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
735 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
736 rc = security_transition_sid(current_sid(),
739 &sbsec->mntpoint_sid);
746 /* sets the context of the superblock for the fs being mounted. */
748 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
752 sbsec->sid = fscontext_sid;
756 * Switch to using mount point labeling behavior.
757 * sets the label used on all file below the mountpoint, and will set
758 * the superblock context if not already set.
760 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
761 sbsec->behavior = SECURITY_FS_USE_NATIVE;
762 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
766 if (!fscontext_sid) {
767 rc = may_context_mount_sb_relabel(context_sid, sbsec,
771 sbsec->sid = context_sid;
773 rc = may_context_mount_inode_relabel(context_sid, sbsec,
778 if (!rootcontext_sid)
779 rootcontext_sid = context_sid;
781 sbsec->mntpoint_sid = context_sid;
782 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
785 if (rootcontext_sid) {
786 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
791 root_isec->sid = rootcontext_sid;
792 root_isec->initialized = LABEL_INITIALIZED;
795 if (defcontext_sid) {
796 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
797 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
799 pr_warn("SELinux: defcontext option is "
800 "invalid for this filesystem type\n");
804 if (defcontext_sid != sbsec->def_sid) {
805 rc = may_context_mount_inode_relabel(defcontext_sid,
811 sbsec->def_sid = defcontext_sid;
815 rc = sb_finish_set_opts(sb);
817 mutex_unlock(&sbsec->lock);
821 pr_warn("SELinux: mount invalid. Same superblock, different "
822 "security settings for (dev %s, type %s)\n", sb->s_id,
827 static int selinux_cmp_sb_context(const struct super_block *oldsb,
828 const struct super_block *newsb)
830 struct superblock_security_struct *old = selinux_superblock(oldsb);
831 struct superblock_security_struct *new = selinux_superblock(newsb);
832 char oldflags = old->flags & SE_MNTMASK;
833 char newflags = new->flags & SE_MNTMASK;
835 if (oldflags != newflags)
837 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
839 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
841 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
843 if (oldflags & ROOTCONTEXT_MNT) {
844 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
845 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
846 if (oldroot->sid != newroot->sid)
851 pr_warn("SELinux: mount invalid. Same superblock, "
852 "different security settings for (dev %s, "
853 "type %s)\n", newsb->s_id, newsb->s_type->name);
857 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
858 struct super_block *newsb,
859 unsigned long kern_flags,
860 unsigned long *set_kern_flags)
863 const struct superblock_security_struct *oldsbsec =
864 selinux_superblock(oldsb);
865 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
867 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
868 int set_context = (oldsbsec->flags & CONTEXT_MNT);
869 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
872 * if the parent was able to be mounted it clearly had no special lsm
873 * mount options. thus we can safely deal with this superblock later
875 if (!selinux_initialized())
879 * Specifying internal flags without providing a place to
880 * place the results is not allowed.
882 if (kern_flags && !set_kern_flags)
885 /* how can we clone if the old one wasn't set up?? */
886 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
888 /* if fs is reusing a sb, make sure that the contexts match */
889 if (newsbsec->flags & SE_SBINITIALIZED) {
890 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
891 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
892 return selinux_cmp_sb_context(oldsb, newsb);
895 mutex_lock(&newsbsec->lock);
897 newsbsec->flags = oldsbsec->flags;
899 newsbsec->sid = oldsbsec->sid;
900 newsbsec->def_sid = oldsbsec->def_sid;
901 newsbsec->behavior = oldsbsec->behavior;
903 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
904 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
905 rc = security_fs_use(newsb);
910 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
911 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
912 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
916 u32 sid = oldsbsec->mntpoint_sid;
920 if (!set_rootcontext) {
921 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
924 newsbsec->mntpoint_sid = sid;
926 if (set_rootcontext) {
927 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
928 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
930 newisec->sid = oldisec->sid;
933 sb_finish_set_opts(newsb);
935 mutex_unlock(&newsbsec->lock);
940 * NOTE: the caller is resposible for freeing the memory even if on error.
942 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
944 struct selinux_mnt_opts *opts = *mnt_opts;
948 if (token == Opt_seclabel)
949 /* eaten and completely ignored */
954 if (!selinux_initialized()) {
955 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
960 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
968 if (opts->context_sid || opts->defcontext_sid)
970 dst_sid = &opts->context_sid;
973 if (opts->fscontext_sid)
975 dst_sid = &opts->fscontext_sid;
977 case Opt_rootcontext:
978 if (opts->rootcontext_sid)
980 dst_sid = &opts->rootcontext_sid;
983 if (opts->context_sid || opts->defcontext_sid)
985 dst_sid = &opts->defcontext_sid;
991 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
993 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
998 pr_warn(SEL_MOUNT_FAIL_MSG);
1002 static int show_sid(struct seq_file *m, u32 sid)
1004 char *context = NULL;
1008 rc = security_sid_to_context(sid, &context, &len);
1010 bool has_comma = strchr(context, ',');
1015 seq_escape(m, context, "\"\n\\");
1023 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1025 struct superblock_security_struct *sbsec = selinux_superblock(sb);
1028 if (!(sbsec->flags & SE_SBINITIALIZED))
1031 if (!selinux_initialized())
1034 if (sbsec->flags & FSCONTEXT_MNT) {
1036 seq_puts(m, FSCONTEXT_STR);
1037 rc = show_sid(m, sbsec->sid);
1041 if (sbsec->flags & CONTEXT_MNT) {
1043 seq_puts(m, CONTEXT_STR);
1044 rc = show_sid(m, sbsec->mntpoint_sid);
1048 if (sbsec->flags & DEFCONTEXT_MNT) {
1050 seq_puts(m, DEFCONTEXT_STR);
1051 rc = show_sid(m, sbsec->def_sid);
1055 if (sbsec->flags & ROOTCONTEXT_MNT) {
1056 struct dentry *root = sb->s_root;
1057 struct inode_security_struct *isec = backing_inode_security(root);
1059 seq_puts(m, ROOTCONTEXT_STR);
1060 rc = show_sid(m, isec->sid);
1064 if (sbsec->flags & SBLABEL_MNT) {
1066 seq_puts(m, SECLABEL_STR);
1071 static inline u16 inode_mode_to_security_class(umode_t mode)
1073 switch (mode & S_IFMT) {
1075 return SECCLASS_SOCK_FILE;
1077 return SECCLASS_LNK_FILE;
1079 return SECCLASS_FILE;
1081 return SECCLASS_BLK_FILE;
1083 return SECCLASS_DIR;
1085 return SECCLASS_CHR_FILE;
1087 return SECCLASS_FIFO_FILE;
1091 return SECCLASS_FILE;
1094 static inline int default_protocol_stream(int protocol)
1096 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1097 protocol == IPPROTO_MPTCP);
1100 static inline int default_protocol_dgram(int protocol)
1102 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1105 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1107 int extsockclass = selinux_policycap_extsockclass();
1113 case SOCK_SEQPACKET:
1114 return SECCLASS_UNIX_STREAM_SOCKET;
1117 return SECCLASS_UNIX_DGRAM_SOCKET;
1124 case SOCK_SEQPACKET:
1125 if (default_protocol_stream(protocol))
1126 return SECCLASS_TCP_SOCKET;
1127 else if (extsockclass && protocol == IPPROTO_SCTP)
1128 return SECCLASS_SCTP_SOCKET;
1130 return SECCLASS_RAWIP_SOCKET;
1132 if (default_protocol_dgram(protocol))
1133 return SECCLASS_UDP_SOCKET;
1134 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1135 protocol == IPPROTO_ICMPV6))
1136 return SECCLASS_ICMP_SOCKET;
1138 return SECCLASS_RAWIP_SOCKET;
1140 return SECCLASS_DCCP_SOCKET;
1142 return SECCLASS_RAWIP_SOCKET;
1148 return SECCLASS_NETLINK_ROUTE_SOCKET;
1149 case NETLINK_SOCK_DIAG:
1150 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1152 return SECCLASS_NETLINK_NFLOG_SOCKET;
1154 return SECCLASS_NETLINK_XFRM_SOCKET;
1155 case NETLINK_SELINUX:
1156 return SECCLASS_NETLINK_SELINUX_SOCKET;
1158 return SECCLASS_NETLINK_ISCSI_SOCKET;
1160 return SECCLASS_NETLINK_AUDIT_SOCKET;
1161 case NETLINK_FIB_LOOKUP:
1162 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1163 case NETLINK_CONNECTOR:
1164 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1165 case NETLINK_NETFILTER:
1166 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1167 case NETLINK_DNRTMSG:
1168 return SECCLASS_NETLINK_DNRT_SOCKET;
1169 case NETLINK_KOBJECT_UEVENT:
1170 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1171 case NETLINK_GENERIC:
1172 return SECCLASS_NETLINK_GENERIC_SOCKET;
1173 case NETLINK_SCSITRANSPORT:
1174 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1176 return SECCLASS_NETLINK_RDMA_SOCKET;
1177 case NETLINK_CRYPTO:
1178 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1180 return SECCLASS_NETLINK_SOCKET;
1183 return SECCLASS_PACKET_SOCKET;
1185 return SECCLASS_KEY_SOCKET;
1187 return SECCLASS_APPLETALK_SOCKET;
1193 return SECCLASS_AX25_SOCKET;
1195 return SECCLASS_IPX_SOCKET;
1197 return SECCLASS_NETROM_SOCKET;
1199 return SECCLASS_ATMPVC_SOCKET;
1201 return SECCLASS_X25_SOCKET;
1203 return SECCLASS_ROSE_SOCKET;
1205 return SECCLASS_DECNET_SOCKET;
1207 return SECCLASS_ATMSVC_SOCKET;
1209 return SECCLASS_RDS_SOCKET;
1211 return SECCLASS_IRDA_SOCKET;
1213 return SECCLASS_PPPOX_SOCKET;
1215 return SECCLASS_LLC_SOCKET;
1217 return SECCLASS_CAN_SOCKET;
1219 return SECCLASS_TIPC_SOCKET;
1221 return SECCLASS_BLUETOOTH_SOCKET;
1223 return SECCLASS_IUCV_SOCKET;
1225 return SECCLASS_RXRPC_SOCKET;
1227 return SECCLASS_ISDN_SOCKET;
1229 return SECCLASS_PHONET_SOCKET;
1231 return SECCLASS_IEEE802154_SOCKET;
1233 return SECCLASS_CAIF_SOCKET;
1235 return SECCLASS_ALG_SOCKET;
1237 return SECCLASS_NFC_SOCKET;
1239 return SECCLASS_VSOCK_SOCKET;
1241 return SECCLASS_KCM_SOCKET;
1243 return SECCLASS_QIPCRTR_SOCKET;
1245 return SECCLASS_SMC_SOCKET;
1247 return SECCLASS_XDP_SOCKET;
1249 return SECCLASS_MCTP_SOCKET;
1251 #error New address family defined, please update this function.
1256 return SECCLASS_SOCKET;
1259 static int selinux_genfs_get_sid(struct dentry *dentry,
1265 struct super_block *sb = dentry->d_sb;
1266 char *buffer, *path;
1268 buffer = (char *)__get_free_page(GFP_KERNEL);
1272 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1276 if (flags & SE_SBPROC) {
1277 /* each process gets a /proc/PID/ entry. Strip off the
1278 * PID part to get a valid selinux labeling.
1279 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1280 while (path[1] >= '0' && path[1] <= '9') {
1285 rc = security_genfs_sid(sb->s_type->name,
1287 if (rc == -ENOENT) {
1288 /* No match in policy, mark as unlabeled. */
1289 *sid = SECINITSID_UNLABELED;
1293 free_page((unsigned long)buffer);
1297 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1298 u32 def_sid, u32 *sid)
1300 #define INITCONTEXTLEN 255
1305 len = INITCONTEXTLEN;
1306 context = kmalloc(len + 1, GFP_NOFS);
1310 context[len] = '\0';
1311 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1312 if (rc == -ERANGE) {
1315 /* Need a larger buffer. Query for the right size. */
1316 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1321 context = kmalloc(len + 1, GFP_NOFS);
1325 context[len] = '\0';
1326 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1331 if (rc != -ENODATA) {
1332 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1333 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1340 rc = security_context_to_sid_default(context, rc, sid,
1343 char *dev = inode->i_sb->s_id;
1344 unsigned long ino = inode->i_ino;
1346 if (rc == -EINVAL) {
1347 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1350 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1351 __func__, context, -rc, dev, ino);
1358 /* The inode's security attributes must be initialized before first use. */
1359 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1361 struct superblock_security_struct *sbsec = NULL;
1362 struct inode_security_struct *isec = selinux_inode(inode);
1363 u32 task_sid, sid = 0;
1365 struct dentry *dentry;
1368 if (isec->initialized == LABEL_INITIALIZED)
1371 spin_lock(&isec->lock);
1372 if (isec->initialized == LABEL_INITIALIZED)
1375 if (isec->sclass == SECCLASS_FILE)
1376 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1378 sbsec = selinux_superblock(inode->i_sb);
1379 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1380 /* Defer initialization until selinux_complete_init,
1381 after the initial policy is loaded and the security
1382 server is ready to handle calls. */
1383 spin_lock(&sbsec->isec_lock);
1384 if (list_empty(&isec->list))
1385 list_add(&isec->list, &sbsec->isec_head);
1386 spin_unlock(&sbsec->isec_lock);
1390 sclass = isec->sclass;
1391 task_sid = isec->task_sid;
1393 isec->initialized = LABEL_PENDING;
1394 spin_unlock(&isec->lock);
1396 switch (sbsec->behavior) {
1397 case SECURITY_FS_USE_NATIVE:
1399 case SECURITY_FS_USE_XATTR:
1400 if (!(inode->i_opflags & IOP_XATTR)) {
1401 sid = sbsec->def_sid;
1404 /* Need a dentry, since the xattr API requires one.
1405 Life would be simpler if we could just pass the inode. */
1407 /* Called from d_instantiate or d_splice_alias. */
1408 dentry = dget(opt_dentry);
1411 * Called from selinux_complete_init, try to find a dentry.
1412 * Some filesystems really want a connected one, so try
1413 * that first. We could split SECURITY_FS_USE_XATTR in
1414 * two, depending upon that...
1416 dentry = d_find_alias(inode);
1418 dentry = d_find_any_alias(inode);
1422 * this is can be hit on boot when a file is accessed
1423 * before the policy is loaded. When we load policy we
1424 * may find inodes that have no dentry on the
1425 * sbsec->isec_head list. No reason to complain as these
1426 * will get fixed up the next time we go through
1427 * inode_doinit with a dentry, before these inodes could
1428 * be used again by userspace.
1433 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1439 case SECURITY_FS_USE_TASK:
1442 case SECURITY_FS_USE_TRANS:
1443 /* Default to the fs SID. */
1446 /* Try to obtain a transition SID. */
1447 rc = security_transition_sid(task_sid, sid,
1448 sclass, NULL, &sid);
1452 case SECURITY_FS_USE_MNTPOINT:
1453 sid = sbsec->mntpoint_sid;
1456 /* Default to the fs superblock SID. */
1459 if ((sbsec->flags & SE_SBGENFS) &&
1460 (!S_ISLNK(inode->i_mode) ||
1461 selinux_policycap_genfs_seclabel_symlinks())) {
1462 /* We must have a dentry to determine the label on
1465 /* Called from d_instantiate or
1466 * d_splice_alias. */
1467 dentry = dget(opt_dentry);
1469 /* Called from selinux_complete_init, try to
1470 * find a dentry. Some filesystems really want
1471 * a connected one, so try that first.
1473 dentry = d_find_alias(inode);
1475 dentry = d_find_any_alias(inode);
1478 * This can be hit on boot when a file is accessed
1479 * before the policy is loaded. When we load policy we
1480 * may find inodes that have no dentry on the
1481 * sbsec->isec_head list. No reason to complain as
1482 * these will get fixed up the next time we go through
1483 * inode_doinit() with a dentry, before these inodes
1484 * could be used again by userspace.
1488 rc = selinux_genfs_get_sid(dentry, sclass,
1489 sbsec->flags, &sid);
1495 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1496 (inode->i_opflags & IOP_XATTR)) {
1497 rc = inode_doinit_use_xattr(inode, dentry,
1510 spin_lock(&isec->lock);
1511 if (isec->initialized == LABEL_PENDING) {
1513 isec->initialized = LABEL_INVALID;
1516 isec->initialized = LABEL_INITIALIZED;
1521 spin_unlock(&isec->lock);
1525 spin_lock(&isec->lock);
1526 if (isec->initialized == LABEL_PENDING) {
1527 isec->initialized = LABEL_INVALID;
1530 spin_unlock(&isec->lock);
1534 /* Convert a Linux signal to an access vector. */
1535 static inline u32 signal_to_av(int sig)
1541 /* Commonly granted from child to parent. */
1542 perm = PROCESS__SIGCHLD;
1545 /* Cannot be caught or ignored */
1546 perm = PROCESS__SIGKILL;
1549 /* Cannot be caught or ignored */
1550 perm = PROCESS__SIGSTOP;
1553 /* All other signals. */
1554 perm = PROCESS__SIGNAL;
1561 #if CAP_LAST_CAP > 63
1562 #error Fix SELinux to handle capabilities > 63.
1565 /* Check whether a task is allowed to use a capability. */
1566 static int cred_has_capability(const struct cred *cred,
1567 int cap, unsigned int opts, bool initns)
1569 struct common_audit_data ad;
1570 struct av_decision avd;
1572 u32 sid = cred_sid(cred);
1573 u32 av = CAP_TO_MASK(cap);
1576 ad.type = LSM_AUDIT_DATA_CAP;
1579 switch (CAP_TO_INDEX(cap)) {
1581 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1584 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1587 pr_err("SELinux: out of range capability %d\n", cap);
1592 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1593 if (!(opts & CAP_OPT_NOAUDIT)) {
1594 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1601 /* Check whether a task has a particular permission to an inode.
1602 The 'adp' parameter is optional and allows other audit
1603 data to be passed (e.g. the dentry). */
1604 static int inode_has_perm(const struct cred *cred,
1605 struct inode *inode,
1607 struct common_audit_data *adp)
1609 struct inode_security_struct *isec;
1612 validate_creds(cred);
1614 if (unlikely(IS_PRIVATE(inode)))
1617 sid = cred_sid(cred);
1618 isec = selinux_inode(inode);
1620 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1623 /* Same as inode_has_perm, but pass explicit audit data containing
1624 the dentry to help the auditing code to more easily generate the
1625 pathname if needed. */
1626 static inline int dentry_has_perm(const struct cred *cred,
1627 struct dentry *dentry,
1630 struct inode *inode = d_backing_inode(dentry);
1631 struct common_audit_data ad;
1633 ad.type = LSM_AUDIT_DATA_DENTRY;
1634 ad.u.dentry = dentry;
1635 __inode_security_revalidate(inode, dentry, true);
1636 return inode_has_perm(cred, inode, av, &ad);
1639 /* Same as inode_has_perm, but pass explicit audit data containing
1640 the path to help the auditing code to more easily generate the
1641 pathname if needed. */
1642 static inline int path_has_perm(const struct cred *cred,
1643 const struct path *path,
1646 struct inode *inode = d_backing_inode(path->dentry);
1647 struct common_audit_data ad;
1649 ad.type = LSM_AUDIT_DATA_PATH;
1651 __inode_security_revalidate(inode, path->dentry, true);
1652 return inode_has_perm(cred, inode, av, &ad);
1655 /* Same as path_has_perm, but uses the inode from the file struct. */
1656 static inline int file_path_has_perm(const struct cred *cred,
1660 struct common_audit_data ad;
1662 ad.type = LSM_AUDIT_DATA_FILE;
1664 return inode_has_perm(cred, file_inode(file), av, &ad);
1667 #ifdef CONFIG_BPF_SYSCALL
1668 static int bpf_fd_pass(struct file *file, u32 sid);
1671 /* Check whether a task can use an open file descriptor to
1672 access an inode in a given way. Check access to the
1673 descriptor itself, and then use dentry_has_perm to
1674 check a particular permission to the file.
1675 Access to the descriptor is implicitly granted if it
1676 has the same SID as the process. If av is zero, then
1677 access to the file is not checked, e.g. for cases
1678 where only the descriptor is affected like seek. */
1679 static int file_has_perm(const struct cred *cred,
1683 struct file_security_struct *fsec = selinux_file(file);
1684 struct inode *inode = file_inode(file);
1685 struct common_audit_data ad;
1686 u32 sid = cred_sid(cred);
1689 ad.type = LSM_AUDIT_DATA_FILE;
1692 if (sid != fsec->sid) {
1693 rc = avc_has_perm(sid, fsec->sid,
1701 #ifdef CONFIG_BPF_SYSCALL
1702 rc = bpf_fd_pass(file, cred_sid(cred));
1707 /* av is zero if only checking access to the descriptor. */
1710 rc = inode_has_perm(cred, inode, av, &ad);
1717 * Determine the label for an inode that might be unioned.
1720 selinux_determine_inode_label(const struct task_security_struct *tsec,
1722 const struct qstr *name, u16 tclass,
1725 const struct superblock_security_struct *sbsec =
1726 selinux_superblock(dir->i_sb);
1728 if ((sbsec->flags & SE_SBINITIALIZED) &&
1729 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1730 *_new_isid = sbsec->mntpoint_sid;
1731 } else if ((sbsec->flags & SBLABEL_MNT) &&
1733 *_new_isid = tsec->create_sid;
1735 const struct inode_security_struct *dsec = inode_security(dir);
1736 return security_transition_sid(tsec->sid,
1744 /* Check whether a task can create a file. */
1745 static int may_create(struct inode *dir,
1746 struct dentry *dentry,
1749 const struct task_security_struct *tsec = selinux_cred(current_cred());
1750 struct inode_security_struct *dsec;
1751 struct superblock_security_struct *sbsec;
1753 struct common_audit_data ad;
1756 dsec = inode_security(dir);
1757 sbsec = selinux_superblock(dir->i_sb);
1761 ad.type = LSM_AUDIT_DATA_DENTRY;
1762 ad.u.dentry = dentry;
1764 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1765 DIR__ADD_NAME | DIR__SEARCH,
1770 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1775 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1779 return avc_has_perm(newsid, sbsec->sid,
1780 SECCLASS_FILESYSTEM,
1781 FILESYSTEM__ASSOCIATE, &ad);
1785 #define MAY_UNLINK 1
1788 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1789 static int may_link(struct inode *dir,
1790 struct dentry *dentry,
1794 struct inode_security_struct *dsec, *isec;
1795 struct common_audit_data ad;
1796 u32 sid = current_sid();
1800 dsec = inode_security(dir);
1801 isec = backing_inode_security(dentry);
1803 ad.type = LSM_AUDIT_DATA_DENTRY;
1804 ad.u.dentry = dentry;
1807 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1808 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1823 pr_warn("SELinux: %s: unrecognized kind %d\n",
1828 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1832 static inline int may_rename(struct inode *old_dir,
1833 struct dentry *old_dentry,
1834 struct inode *new_dir,
1835 struct dentry *new_dentry)
1837 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1838 struct common_audit_data ad;
1839 u32 sid = current_sid();
1841 int old_is_dir, new_is_dir;
1844 old_dsec = inode_security(old_dir);
1845 old_isec = backing_inode_security(old_dentry);
1846 old_is_dir = d_is_dir(old_dentry);
1847 new_dsec = inode_security(new_dir);
1849 ad.type = LSM_AUDIT_DATA_DENTRY;
1851 ad.u.dentry = old_dentry;
1852 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1853 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1856 rc = avc_has_perm(sid, old_isec->sid,
1857 old_isec->sclass, FILE__RENAME, &ad);
1860 if (old_is_dir && new_dir != old_dir) {
1861 rc = avc_has_perm(sid, old_isec->sid,
1862 old_isec->sclass, DIR__REPARENT, &ad);
1867 ad.u.dentry = new_dentry;
1868 av = DIR__ADD_NAME | DIR__SEARCH;
1869 if (d_is_positive(new_dentry))
1870 av |= DIR__REMOVE_NAME;
1871 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1874 if (d_is_positive(new_dentry)) {
1875 new_isec = backing_inode_security(new_dentry);
1876 new_is_dir = d_is_dir(new_dentry);
1877 rc = avc_has_perm(sid, new_isec->sid,
1879 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1887 /* Check whether a task can perform a filesystem operation. */
1888 static int superblock_has_perm(const struct cred *cred,
1889 struct super_block *sb,
1891 struct common_audit_data *ad)
1893 struct superblock_security_struct *sbsec;
1894 u32 sid = cred_sid(cred);
1896 sbsec = selinux_superblock(sb);
1897 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1900 /* Convert a Linux mode and permission mask to an access vector. */
1901 static inline u32 file_mask_to_av(int mode, int mask)
1905 if (!S_ISDIR(mode)) {
1906 if (mask & MAY_EXEC)
1907 av |= FILE__EXECUTE;
1908 if (mask & MAY_READ)
1911 if (mask & MAY_APPEND)
1913 else if (mask & MAY_WRITE)
1917 if (mask & MAY_EXEC)
1919 if (mask & MAY_WRITE)
1921 if (mask & MAY_READ)
1928 /* Convert a Linux file to an access vector. */
1929 static inline u32 file_to_av(struct file *file)
1933 if (file->f_mode & FMODE_READ)
1935 if (file->f_mode & FMODE_WRITE) {
1936 if (file->f_flags & O_APPEND)
1943 * Special file opened with flags 3 for ioctl-only use.
1952 * Convert a file to an access vector and include the correct
1955 static inline u32 open_file_to_av(struct file *file)
1957 u32 av = file_to_av(file);
1958 struct inode *inode = file_inode(file);
1960 if (selinux_policycap_openperm() &&
1961 inode->i_sb->s_magic != SOCKFS_MAGIC)
1967 /* Hook functions begin here. */
1969 static int selinux_binder_set_context_mgr(const struct cred *mgr)
1971 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
1972 BINDER__SET_CONTEXT_MGR, NULL);
1975 static int selinux_binder_transaction(const struct cred *from,
1976 const struct cred *to)
1978 u32 mysid = current_sid();
1979 u32 fromsid = cred_sid(from);
1980 u32 tosid = cred_sid(to);
1983 if (mysid != fromsid) {
1984 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
1985 BINDER__IMPERSONATE, NULL);
1990 return avc_has_perm(fromsid, tosid,
1991 SECCLASS_BINDER, BINDER__CALL, NULL);
1994 static int selinux_binder_transfer_binder(const struct cred *from,
1995 const struct cred *to)
1997 return avc_has_perm(cred_sid(from), cred_sid(to),
1998 SECCLASS_BINDER, BINDER__TRANSFER,
2002 static int selinux_binder_transfer_file(const struct cred *from,
2003 const struct cred *to,
2006 u32 sid = cred_sid(to);
2007 struct file_security_struct *fsec = selinux_file(file);
2008 struct dentry *dentry = file->f_path.dentry;
2009 struct inode_security_struct *isec;
2010 struct common_audit_data ad;
2013 ad.type = LSM_AUDIT_DATA_PATH;
2014 ad.u.path = file->f_path;
2016 if (sid != fsec->sid) {
2017 rc = avc_has_perm(sid, fsec->sid,
2025 #ifdef CONFIG_BPF_SYSCALL
2026 rc = bpf_fd_pass(file, sid);
2031 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2034 isec = backing_inode_security(dentry);
2035 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2039 static int selinux_ptrace_access_check(struct task_struct *child,
2042 u32 sid = current_sid();
2043 u32 csid = task_sid_obj(child);
2045 if (mode & PTRACE_MODE_READ)
2046 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2049 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2053 static int selinux_ptrace_traceme(struct task_struct *parent)
2055 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
2056 SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2059 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2060 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2062 return avc_has_perm(current_sid(), task_sid_obj(target),
2063 SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
2066 static int selinux_capset(struct cred *new, const struct cred *old,
2067 const kernel_cap_t *effective,
2068 const kernel_cap_t *inheritable,
2069 const kernel_cap_t *permitted)
2071 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2072 PROCESS__SETCAP, NULL);
2076 * (This comment used to live with the selinux_task_setuid hook,
2077 * which was removed).
2079 * Since setuid only affects the current process, and since the SELinux
2080 * controls are not based on the Linux identity attributes, SELinux does not
2081 * need to control this operation. However, SELinux does control the use of
2082 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2085 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2086 int cap, unsigned int opts)
2088 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2091 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2093 const struct cred *cred = current_cred();
2108 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2116 case Q_XGETNEXTQUOTA:
2117 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2120 rc = 0; /* let the kernel handle invalid cmds */
2126 static int selinux_quota_on(struct dentry *dentry)
2128 const struct cred *cred = current_cred();
2130 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2133 static int selinux_syslog(int type)
2136 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2137 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2138 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2139 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2140 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2141 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2142 /* Set level of messages printed to console */
2143 case SYSLOG_ACTION_CONSOLE_LEVEL:
2144 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2145 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2148 /* All other syslog types */
2149 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2150 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2154 * Check that a process has enough memory to allocate a new virtual
2155 * mapping. 0 means there is enough memory for the allocation to
2156 * succeed and -ENOMEM implies there is not.
2158 * Do not audit the selinux permission check, as this is applied to all
2159 * processes that allocate mappings.
2161 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2163 int rc, cap_sys_admin = 0;
2165 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2166 CAP_OPT_NOAUDIT, true);
2170 return cap_sys_admin;
2173 /* binprm security operations */
2175 static u32 ptrace_parent_sid(void)
2178 struct task_struct *tracer;
2181 tracer = ptrace_parent(current);
2183 sid = task_sid_obj(tracer);
2189 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2190 const struct task_security_struct *old_tsec,
2191 const struct task_security_struct *new_tsec)
2193 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2194 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2198 if (!nnp && !nosuid)
2199 return 0; /* neither NNP nor nosuid */
2201 if (new_tsec->sid == old_tsec->sid)
2202 return 0; /* No change in credentials */
2205 * If the policy enables the nnp_nosuid_transition policy capability,
2206 * then we permit transitions under NNP or nosuid if the
2207 * policy allows the corresponding permission between
2208 * the old and new contexts.
2210 if (selinux_policycap_nnp_nosuid_transition()) {
2213 av |= PROCESS2__NNP_TRANSITION;
2215 av |= PROCESS2__NOSUID_TRANSITION;
2216 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2217 SECCLASS_PROCESS2, av, NULL);
2223 * We also permit NNP or nosuid transitions to bounded SIDs,
2224 * i.e. SIDs that are guaranteed to only be allowed a subset
2225 * of the permissions of the current SID.
2227 rc = security_bounded_transition(old_tsec->sid,
2233 * On failure, preserve the errno values for NNP vs nosuid.
2234 * NNP: Operation not permitted for caller.
2235 * nosuid: Permission denied to file.
2242 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2244 const struct task_security_struct *old_tsec;
2245 struct task_security_struct *new_tsec;
2246 struct inode_security_struct *isec;
2247 struct common_audit_data ad;
2248 struct inode *inode = file_inode(bprm->file);
2251 /* SELinux context only depends on initial program or script and not
2252 * the script interpreter */
2254 old_tsec = selinux_cred(current_cred());
2255 new_tsec = selinux_cred(bprm->cred);
2256 isec = inode_security(inode);
2258 /* Default to the current task SID. */
2259 new_tsec->sid = old_tsec->sid;
2260 new_tsec->osid = old_tsec->sid;
2262 /* Reset fs, key, and sock SIDs on execve. */
2263 new_tsec->create_sid = 0;
2264 new_tsec->keycreate_sid = 0;
2265 new_tsec->sockcreate_sid = 0;
2267 if (old_tsec->exec_sid) {
2268 new_tsec->sid = old_tsec->exec_sid;
2269 /* Reset exec SID on execve. */
2270 new_tsec->exec_sid = 0;
2272 /* Fail on NNP or nosuid if not an allowed transition. */
2273 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2277 /* Check for a default transition on this program. */
2278 rc = security_transition_sid(old_tsec->sid,
2279 isec->sid, SECCLASS_PROCESS, NULL,
2285 * Fallback to old SID on NNP or nosuid if not an allowed
2288 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2290 new_tsec->sid = old_tsec->sid;
2293 ad.type = LSM_AUDIT_DATA_FILE;
2294 ad.u.file = bprm->file;
2296 if (new_tsec->sid == old_tsec->sid) {
2297 rc = avc_has_perm(old_tsec->sid, isec->sid,
2298 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2302 /* Check permissions for the transition. */
2303 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2304 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2308 rc = avc_has_perm(new_tsec->sid, isec->sid,
2309 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2313 /* Check for shared state */
2314 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2315 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2316 SECCLASS_PROCESS, PROCESS__SHARE,
2322 /* Make sure that anyone attempting to ptrace over a task that
2323 * changes its SID has the appropriate permit */
2324 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2325 u32 ptsid = ptrace_parent_sid();
2327 rc = avc_has_perm(ptsid, new_tsec->sid,
2329 PROCESS__PTRACE, NULL);
2335 /* Clear any possibly unsafe personality bits on exec: */
2336 bprm->per_clear |= PER_CLEAR_ON_SETID;
2338 /* Enable secure mode for SIDs transitions unless
2339 the noatsecure permission is granted between
2340 the two SIDs, i.e. ahp returns 0. */
2341 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2342 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2344 bprm->secureexec |= !!rc;
2350 static int match_file(const void *p, struct file *file, unsigned fd)
2352 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2355 /* Derived from fs/exec.c:flush_old_files. */
2356 static inline void flush_unauthorized_files(const struct cred *cred,
2357 struct files_struct *files)
2359 struct file *file, *devnull = NULL;
2360 struct tty_struct *tty;
2364 tty = get_current_tty();
2366 spin_lock(&tty->files_lock);
2367 if (!list_empty(&tty->tty_files)) {
2368 struct tty_file_private *file_priv;
2370 /* Revalidate access to controlling tty.
2371 Use file_path_has_perm on the tty path directly
2372 rather than using file_has_perm, as this particular
2373 open file may belong to another process and we are
2374 only interested in the inode-based check here. */
2375 file_priv = list_first_entry(&tty->tty_files,
2376 struct tty_file_private, list);
2377 file = file_priv->file;
2378 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2381 spin_unlock(&tty->files_lock);
2384 /* Reset controlling tty. */
2388 /* Revalidate access to inherited open files. */
2389 n = iterate_fd(files, 0, match_file, cred);
2390 if (!n) /* none found? */
2393 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2394 if (IS_ERR(devnull))
2396 /* replace all the matching ones with this */
2398 replace_fd(n - 1, devnull, 0);
2399 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2405 * Prepare a process for imminent new credential changes due to exec
2407 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2409 struct task_security_struct *new_tsec;
2410 struct rlimit *rlim, *initrlim;
2413 new_tsec = selinux_cred(bprm->cred);
2414 if (new_tsec->sid == new_tsec->osid)
2417 /* Close files for which the new task SID is not authorized. */
2418 flush_unauthorized_files(bprm->cred, current->files);
2420 /* Always clear parent death signal on SID transitions. */
2421 current->pdeath_signal = 0;
2423 /* Check whether the new SID can inherit resource limits from the old
2424 * SID. If not, reset all soft limits to the lower of the current
2425 * task's hard limit and the init task's soft limit.
2427 * Note that the setting of hard limits (even to lower them) can be
2428 * controlled by the setrlimit check. The inclusion of the init task's
2429 * soft limit into the computation is to avoid resetting soft limits
2430 * higher than the default soft limit for cases where the default is
2431 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2433 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2434 PROCESS__RLIMITINH, NULL);
2436 /* protect against do_prlimit() */
2438 for (i = 0; i < RLIM_NLIMITS; i++) {
2439 rlim = current->signal->rlim + i;
2440 initrlim = init_task.signal->rlim + i;
2441 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2443 task_unlock(current);
2444 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2445 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2450 * Clean up the process immediately after the installation of new credentials
2453 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2455 const struct task_security_struct *tsec = selinux_cred(current_cred());
2465 /* Check whether the new SID can inherit signal state from the old SID.
2466 * If not, clear itimers to avoid subsequent signal generation and
2467 * flush and unblock signals.
2469 * This must occur _after_ the task SID has been updated so that any
2470 * kill done after the flush will be checked against the new SID.
2472 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2476 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2477 if (!fatal_signal_pending(current)) {
2478 flush_sigqueue(¤t->pending);
2479 flush_sigqueue(¤t->signal->shared_pending);
2480 flush_signal_handlers(current, 1);
2481 sigemptyset(¤t->blocked);
2482 recalc_sigpending();
2484 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2487 /* Wake up the parent if it is waiting so that it can recheck
2488 * wait permission to the new task SID. */
2489 read_lock(&tasklist_lock);
2490 __wake_up_parent(current, unrcu_pointer(current->real_parent));
2491 read_unlock(&tasklist_lock);
2494 /* superblock security operations */
2496 static int selinux_sb_alloc_security(struct super_block *sb)
2498 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2500 mutex_init(&sbsec->lock);
2501 INIT_LIST_HEAD(&sbsec->isec_head);
2502 spin_lock_init(&sbsec->isec_lock);
2503 sbsec->sid = SECINITSID_UNLABELED;
2504 sbsec->def_sid = SECINITSID_FILE;
2505 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2510 static inline int opt_len(const char *s)
2512 bool open_quote = false;
2516 for (len = 0; (c = s[len]) != '\0'; len++) {
2518 open_quote = !open_quote;
2519 if (c == ',' && !open_quote)
2525 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2527 char *from = options;
2533 int len = opt_len(from);
2537 token = match_opt_prefix(from, len, &arg);
2539 if (token != Opt_error) {
2544 for (p = q = arg; p < from + len; p++) {
2549 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2555 rc = selinux_add_opt(token, arg, mnt_opts);
2562 if (!first) { // copy with preceding comma
2567 memmove(to, from, len);
2580 selinux_free_mnt_opts(*mnt_opts);
2586 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2588 struct selinux_mnt_opts *opts = mnt_opts;
2589 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2592 * Superblock not initialized (i.e. no options) - reject if any
2593 * options specified, otherwise accept.
2595 if (!(sbsec->flags & SE_SBINITIALIZED))
2596 return opts ? 1 : 0;
2599 * Superblock initialized and no options specified - reject if
2600 * superblock has any options set, otherwise accept.
2603 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2605 if (opts->fscontext_sid) {
2606 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2607 opts->fscontext_sid))
2610 if (opts->context_sid) {
2611 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2615 if (opts->rootcontext_sid) {
2616 struct inode_security_struct *root_isec;
2618 root_isec = backing_inode_security(sb->s_root);
2619 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2620 opts->rootcontext_sid))
2623 if (opts->defcontext_sid) {
2624 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2625 opts->defcontext_sid))
2631 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2633 struct selinux_mnt_opts *opts = mnt_opts;
2634 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2636 if (!(sbsec->flags & SE_SBINITIALIZED))
2642 if (opts->fscontext_sid) {
2643 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2644 opts->fscontext_sid))
2645 goto out_bad_option;
2647 if (opts->context_sid) {
2648 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2650 goto out_bad_option;
2652 if (opts->rootcontext_sid) {
2653 struct inode_security_struct *root_isec;
2654 root_isec = backing_inode_security(sb->s_root);
2655 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2656 opts->rootcontext_sid))
2657 goto out_bad_option;
2659 if (opts->defcontext_sid) {
2660 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2661 opts->defcontext_sid))
2662 goto out_bad_option;
2667 pr_warn("SELinux: unable to change security options "
2668 "during remount (dev %s, type=%s)\n", sb->s_id,
2673 static int selinux_sb_kern_mount(struct super_block *sb)
2675 const struct cred *cred = current_cred();
2676 struct common_audit_data ad;
2678 ad.type = LSM_AUDIT_DATA_DENTRY;
2679 ad.u.dentry = sb->s_root;
2680 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2683 static int selinux_sb_statfs(struct dentry *dentry)
2685 const struct cred *cred = current_cred();
2686 struct common_audit_data ad;
2688 ad.type = LSM_AUDIT_DATA_DENTRY;
2689 ad.u.dentry = dentry->d_sb->s_root;
2690 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2693 static int selinux_mount(const char *dev_name,
2694 const struct path *path,
2696 unsigned long flags,
2699 const struct cred *cred = current_cred();
2701 if (flags & MS_REMOUNT)
2702 return superblock_has_perm(cred, path->dentry->d_sb,
2703 FILESYSTEM__REMOUNT, NULL);
2705 return path_has_perm(cred, path, FILE__MOUNTON);
2708 static int selinux_move_mount(const struct path *from_path,
2709 const struct path *to_path)
2711 const struct cred *cred = current_cred();
2713 return path_has_perm(cred, to_path, FILE__MOUNTON);
2716 static int selinux_umount(struct vfsmount *mnt, int flags)
2718 const struct cred *cred = current_cred();
2720 return superblock_has_perm(cred, mnt->mnt_sb,
2721 FILESYSTEM__UNMOUNT, NULL);
2724 static int selinux_fs_context_dup(struct fs_context *fc,
2725 struct fs_context *src_fc)
2727 const struct selinux_mnt_opts *src = src_fc->security;
2732 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2733 return fc->security ? 0 : -ENOMEM;
2736 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2737 fsparam_string(CONTEXT_STR, Opt_context),
2738 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2739 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2740 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2741 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2745 static int selinux_fs_context_parse_param(struct fs_context *fc,
2746 struct fs_parameter *param)
2748 struct fs_parse_result result;
2751 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2755 return selinux_add_opt(opt, param->string, &fc->security);
2758 /* inode security operations */
2760 static int selinux_inode_alloc_security(struct inode *inode)
2762 struct inode_security_struct *isec = selinux_inode(inode);
2763 u32 sid = current_sid();
2765 spin_lock_init(&isec->lock);
2766 INIT_LIST_HEAD(&isec->list);
2767 isec->inode = inode;
2768 isec->sid = SECINITSID_UNLABELED;
2769 isec->sclass = SECCLASS_FILE;
2770 isec->task_sid = sid;
2771 isec->initialized = LABEL_INVALID;
2776 static void selinux_inode_free_security(struct inode *inode)
2778 inode_free_security(inode);
2781 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2782 const struct qstr *name,
2783 const char **xattr_name, void **ctx,
2789 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2790 d_inode(dentry->d_parent), name,
2791 inode_mode_to_security_class(mode),
2797 *xattr_name = XATTR_NAME_SELINUX;
2799 return security_sid_to_context(newsid, (char **)ctx,
2803 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2805 const struct cred *old,
2810 struct task_security_struct *tsec;
2812 rc = selinux_determine_inode_label(selinux_cred(old),
2813 d_inode(dentry->d_parent), name,
2814 inode_mode_to_security_class(mode),
2819 tsec = selinux_cred(new);
2820 tsec->create_sid = newsid;
2824 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2825 const struct qstr *qstr,
2827 void **value, size_t *len)
2829 const struct task_security_struct *tsec = selinux_cred(current_cred());
2830 struct superblock_security_struct *sbsec;
2835 sbsec = selinux_superblock(dir->i_sb);
2837 newsid = tsec->create_sid;
2839 rc = selinux_determine_inode_label(tsec, dir, qstr,
2840 inode_mode_to_security_class(inode->i_mode),
2845 /* Possibly defer initialization to selinux_complete_init. */
2846 if (sbsec->flags & SE_SBINITIALIZED) {
2847 struct inode_security_struct *isec = selinux_inode(inode);
2848 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2850 isec->initialized = LABEL_INITIALIZED;
2853 if (!selinux_initialized() ||
2854 !(sbsec->flags & SBLABEL_MNT))
2858 *name = XATTR_SELINUX_SUFFIX;
2861 rc = security_sid_to_context_force(newsid,
2872 static int selinux_inode_init_security_anon(struct inode *inode,
2873 const struct qstr *name,
2874 const struct inode *context_inode)
2876 const struct task_security_struct *tsec = selinux_cred(current_cred());
2877 struct common_audit_data ad;
2878 struct inode_security_struct *isec;
2881 if (unlikely(!selinux_initialized()))
2884 isec = selinux_inode(inode);
2887 * We only get here once per ephemeral inode. The inode has
2888 * been initialized via inode_alloc_security but is otherwise
2892 if (context_inode) {
2893 struct inode_security_struct *context_isec =
2894 selinux_inode(context_inode);
2895 if (context_isec->initialized != LABEL_INITIALIZED) {
2896 pr_err("SELinux: context_inode is not initialized");
2900 isec->sclass = context_isec->sclass;
2901 isec->sid = context_isec->sid;
2903 isec->sclass = SECCLASS_ANON_INODE;
2904 rc = security_transition_sid(
2905 tsec->sid, tsec->sid,
2906 isec->sclass, name, &isec->sid);
2911 isec->initialized = LABEL_INITIALIZED;
2913 * Now that we've initialized security, check whether we're
2914 * allowed to actually create this type of anonymous inode.
2917 ad.type = LSM_AUDIT_DATA_ANONINODE;
2918 ad.u.anonclass = name ? (const char *)name->name : "?";
2920 return avc_has_perm(tsec->sid,
2927 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2929 return may_create(dir, dentry, SECCLASS_FILE);
2932 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2934 return may_link(dir, old_dentry, MAY_LINK);
2937 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2939 return may_link(dir, dentry, MAY_UNLINK);
2942 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2944 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2947 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2949 return may_create(dir, dentry, SECCLASS_DIR);
2952 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2954 return may_link(dir, dentry, MAY_RMDIR);
2957 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2959 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2962 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2963 struct inode *new_inode, struct dentry *new_dentry)
2965 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2968 static int selinux_inode_readlink(struct dentry *dentry)
2970 const struct cred *cred = current_cred();
2972 return dentry_has_perm(cred, dentry, FILE__READ);
2975 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2978 const struct cred *cred = current_cred();
2979 struct common_audit_data ad;
2980 struct inode_security_struct *isec;
2983 validate_creds(cred);
2985 ad.type = LSM_AUDIT_DATA_DENTRY;
2986 ad.u.dentry = dentry;
2987 sid = cred_sid(cred);
2988 isec = inode_security_rcu(inode, rcu);
2990 return PTR_ERR(isec);
2992 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
2995 static noinline int audit_inode_permission(struct inode *inode,
2996 u32 perms, u32 audited, u32 denied,
2999 struct common_audit_data ad;
3000 struct inode_security_struct *isec = selinux_inode(inode);
3002 ad.type = LSM_AUDIT_DATA_INODE;
3005 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3006 audited, denied, result, &ad);
3009 static int selinux_inode_permission(struct inode *inode, int mask)
3011 const struct cred *cred = current_cred();
3014 bool no_block = mask & MAY_NOT_BLOCK;
3015 struct inode_security_struct *isec;
3017 struct av_decision avd;
3019 u32 audited, denied;
3021 from_access = mask & MAY_ACCESS;
3022 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3024 /* No permission to check. Existence test. */
3028 validate_creds(cred);
3030 if (unlikely(IS_PRIVATE(inode)))
3033 perms = file_mask_to_av(inode->i_mode, mask);
3035 sid = cred_sid(cred);
3036 isec = inode_security_rcu(inode, no_block);
3038 return PTR_ERR(isec);
3040 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0,
3042 audited = avc_audit_required(perms, &avd, rc,
3043 from_access ? FILE__AUDIT_ACCESS : 0,
3045 if (likely(!audited))
3048 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3054 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3056 const struct cred *cred = current_cred();
3057 struct inode *inode = d_backing_inode(dentry);
3058 unsigned int ia_valid = iattr->ia_valid;
3059 __u32 av = FILE__WRITE;
3061 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3062 if (ia_valid & ATTR_FORCE) {
3063 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3069 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3070 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3071 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3073 if (selinux_policycap_openperm() &&
3074 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3075 (ia_valid & ATTR_SIZE) &&
3076 !(ia_valid & ATTR_FILE))
3079 return dentry_has_perm(cred, dentry, av);
3082 static int selinux_inode_getattr(const struct path *path)
3084 return path_has_perm(current_cred(), path, FILE__GETATTR);
3087 static bool has_cap_mac_admin(bool audit)
3089 const struct cred *cred = current_cred();
3090 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3092 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3094 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3099 static int selinux_inode_setxattr(struct mnt_idmap *idmap,
3100 struct dentry *dentry, const char *name,
3101 const void *value, size_t size, int flags)
3103 struct inode *inode = d_backing_inode(dentry);
3104 struct inode_security_struct *isec;
3105 struct superblock_security_struct *sbsec;
3106 struct common_audit_data ad;
3107 u32 newsid, sid = current_sid();
3110 if (strcmp(name, XATTR_NAME_SELINUX)) {
3111 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3115 /* Not an attribute we recognize, so just check the
3116 ordinary setattr permission. */
3117 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3120 if (!selinux_initialized())
3121 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3123 sbsec = selinux_superblock(inode->i_sb);
3124 if (!(sbsec->flags & SBLABEL_MNT))
3127 if (!inode_owner_or_capable(idmap, inode))
3130 ad.type = LSM_AUDIT_DATA_DENTRY;
3131 ad.u.dentry = dentry;
3133 isec = backing_inode_security(dentry);
3134 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3135 FILE__RELABELFROM, &ad);
3139 rc = security_context_to_sid(value, size, &newsid,
3141 if (rc == -EINVAL) {
3142 if (!has_cap_mac_admin(true)) {
3143 struct audit_buffer *ab;
3146 /* We strip a nul only if it is at the end, otherwise the
3147 * context contains a nul and we should audit that */
3149 const char *str = value;
3151 if (str[size - 1] == '\0')
3152 audit_size = size - 1;
3158 ab = audit_log_start(audit_context(),
3159 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3162 audit_log_format(ab, "op=setxattr invalid_context=");
3163 audit_log_n_untrustedstring(ab, value, audit_size);
3168 rc = security_context_to_sid_force(value,
3174 rc = avc_has_perm(sid, newsid, isec->sclass,
3175 FILE__RELABELTO, &ad);
3179 rc = security_validate_transition(isec->sid, newsid,
3184 return avc_has_perm(newsid,
3186 SECCLASS_FILESYSTEM,
3187 FILESYSTEM__ASSOCIATE,
3191 static int selinux_inode_set_acl(struct mnt_idmap *idmap,
3192 struct dentry *dentry, const char *acl_name,
3193 struct posix_acl *kacl)
3195 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3198 static int selinux_inode_get_acl(struct mnt_idmap *idmap,
3199 struct dentry *dentry, const char *acl_name)
3201 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3204 static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
3205 struct dentry *dentry, const char *acl_name)
3207 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3210 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3211 const void *value, size_t size,
3214 struct inode *inode = d_backing_inode(dentry);
3215 struct inode_security_struct *isec;
3219 if (strcmp(name, XATTR_NAME_SELINUX)) {
3220 /* Not an attribute we recognize, so nothing to do. */
3224 if (!selinux_initialized()) {
3225 /* If we haven't even been initialized, then we can't validate
3226 * against a policy, so leave the label as invalid. It may
3227 * resolve to a valid label on the next revalidation try if
3228 * we've since initialized.
3233 rc = security_context_to_sid_force(value, size,
3236 pr_err("SELinux: unable to map context to SID"
3237 "for (%s, %lu), rc=%d\n",
3238 inode->i_sb->s_id, inode->i_ino, -rc);
3242 isec = backing_inode_security(dentry);
3243 spin_lock(&isec->lock);
3244 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3246 isec->initialized = LABEL_INITIALIZED;
3247 spin_unlock(&isec->lock);
3250 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3252 const struct cred *cred = current_cred();
3254 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3257 static int selinux_inode_listxattr(struct dentry *dentry)
3259 const struct cred *cred = current_cred();
3261 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3264 static int selinux_inode_removexattr(struct mnt_idmap *idmap,
3265 struct dentry *dentry, const char *name)
3267 if (strcmp(name, XATTR_NAME_SELINUX)) {
3268 int rc = cap_inode_removexattr(idmap, dentry, name);
3272 /* Not an attribute we recognize, so just check the
3273 ordinary setattr permission. */
3274 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3277 if (!selinux_initialized())
3280 /* No one is allowed to remove a SELinux security label.
3281 You can change the label, but all data must be labeled. */
3285 static int selinux_path_notify(const struct path *path, u64 mask,
3286 unsigned int obj_type)
3291 struct common_audit_data ad;
3293 ad.type = LSM_AUDIT_DATA_PATH;
3297 * Set permission needed based on the type of mark being set.
3298 * Performs an additional check for sb watches.
3301 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3302 perm = FILE__WATCH_MOUNT;
3304 case FSNOTIFY_OBJ_TYPE_SB:
3305 perm = FILE__WATCH_SB;
3306 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3307 FILESYSTEM__WATCH, &ad);
3311 case FSNOTIFY_OBJ_TYPE_INODE:
3318 /* blocking watches require the file:watch_with_perm permission */
3319 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3320 perm |= FILE__WATCH_WITH_PERM;
3322 /* watches on read-like events need the file:watch_reads permission */
3323 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3324 perm |= FILE__WATCH_READS;
3326 return path_has_perm(current_cred(), path, perm);
3330 * Copy the inode security context value to the user.
3332 * Permission check is handled by selinux_inode_getxattr hook.
3334 static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
3335 struct inode *inode, const char *name,
3336 void **buffer, bool alloc)
3340 char *context = NULL;
3341 struct inode_security_struct *isec;
3344 * If we're not initialized yet, then we can't validate contexts, so
3345 * just let vfs_getxattr fall back to using the on-disk xattr.
3347 if (!selinux_initialized() ||
3348 strcmp(name, XATTR_SELINUX_SUFFIX))
3352 * If the caller has CAP_MAC_ADMIN, then get the raw context
3353 * value even if it is not defined by current policy; otherwise,
3354 * use the in-core value under current policy.
3355 * Use the non-auditing forms of the permission checks since
3356 * getxattr may be called by unprivileged processes commonly
3357 * and lack of permission just means that we fall back to the
3358 * in-core context value, not a denial.
3360 isec = inode_security(inode);
3361 if (has_cap_mac_admin(false))
3362 error = security_sid_to_context_force(isec->sid, &context,
3365 error = security_sid_to_context(isec->sid,
3379 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3380 const void *value, size_t size, int flags)
3382 struct inode_security_struct *isec = inode_security_novalidate(inode);
3383 struct superblock_security_struct *sbsec;
3387 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3390 sbsec = selinux_superblock(inode->i_sb);
3391 if (!(sbsec->flags & SBLABEL_MNT))
3394 if (!value || !size)
3397 rc = security_context_to_sid(value, size, &newsid,
3402 spin_lock(&isec->lock);
3403 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3405 isec->initialized = LABEL_INITIALIZED;
3406 spin_unlock(&isec->lock);
3410 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3412 const int len = sizeof(XATTR_NAME_SELINUX);
3414 if (!selinux_initialized())
3417 if (buffer && len <= buffer_size)
3418 memcpy(buffer, XATTR_NAME_SELINUX, len);
3422 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3424 struct inode_security_struct *isec = inode_security_novalidate(inode);
3428 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3431 struct task_security_struct *tsec;
3432 struct cred *new_creds = *new;
3434 if (new_creds == NULL) {
3435 new_creds = prepare_creds();
3440 tsec = selinux_cred(new_creds);
3441 /* Get label from overlay inode and set it in create_sid */
3442 selinux_inode_getsecid(d_inode(src), &sid);
3443 tsec->create_sid = sid;
3448 static int selinux_inode_copy_up_xattr(const char *name)
3450 /* The copy_up hook above sets the initial context on an inode, but we
3451 * don't then want to overwrite it by blindly copying all the lower
3452 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3454 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3455 return 1; /* Discard */
3457 * Any other attribute apart from SELINUX is not claimed, supported
3463 /* kernfs node operations */
3465 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3466 struct kernfs_node *kn)
3468 const struct task_security_struct *tsec = selinux_cred(current_cred());
3469 u32 parent_sid, newsid, clen;
3473 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3480 context = kmalloc(clen, GFP_KERNEL);
3484 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3490 rc = security_context_to_sid(context, clen, &parent_sid,
3496 if (tsec->create_sid) {
3497 newsid = tsec->create_sid;
3499 u16 secclass = inode_mode_to_security_class(kn->mode);
3503 q.hash_len = hashlen_string(kn_dir, kn->name);
3505 rc = security_transition_sid(tsec->sid,
3506 parent_sid, secclass, &q,
3512 rc = security_sid_to_context_force(newsid,
3517 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3524 /* file security operations */
3526 static int selinux_revalidate_file_permission(struct file *file, int mask)
3528 const struct cred *cred = current_cred();
3529 struct inode *inode = file_inode(file);
3531 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3532 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3535 return file_has_perm(cred, file,
3536 file_mask_to_av(inode->i_mode, mask));
3539 static int selinux_file_permission(struct file *file, int mask)
3541 struct inode *inode = file_inode(file);
3542 struct file_security_struct *fsec = selinux_file(file);
3543 struct inode_security_struct *isec;
3544 u32 sid = current_sid();
3547 /* No permission to check. Existence test. */
3550 isec = inode_security(inode);
3551 if (sid == fsec->sid && fsec->isid == isec->sid &&
3552 fsec->pseqno == avc_policy_seqno())
3553 /* No change since file_open check. */
3556 return selinux_revalidate_file_permission(file, mask);
3559 static int selinux_file_alloc_security(struct file *file)
3561 struct file_security_struct *fsec = selinux_file(file);
3562 u32 sid = current_sid();
3565 fsec->fown_sid = sid;
3571 * Check whether a task has the ioctl permission and cmd
3572 * operation to an inode.
3574 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3575 u32 requested, u16 cmd)
3577 struct common_audit_data ad;
3578 struct file_security_struct *fsec = selinux_file(file);
3579 struct inode *inode = file_inode(file);
3580 struct inode_security_struct *isec;
3581 struct lsm_ioctlop_audit ioctl;
3582 u32 ssid = cred_sid(cred);
3584 u8 driver = cmd >> 8;
3585 u8 xperm = cmd & 0xff;
3587 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3590 ad.u.op->path = file->f_path;
3592 if (ssid != fsec->sid) {
3593 rc = avc_has_perm(ssid, fsec->sid,
3601 if (unlikely(IS_PRIVATE(inode)))
3604 isec = inode_security(inode);
3605 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3606 requested, driver, xperm, &ad);
3611 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3614 const struct cred *cred = current_cred();
3621 case FS_IOC_GETFLAGS:
3622 case FS_IOC_GETVERSION:
3623 error = file_has_perm(cred, file, FILE__GETATTR);
3626 case FS_IOC_SETFLAGS:
3627 case FS_IOC_SETVERSION:
3628 error = file_has_perm(cred, file, FILE__SETATTR);
3631 /* sys_ioctl() checks */
3634 error = file_has_perm(cred, file, 0);
3639 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3640 CAP_OPT_NONE, true);
3645 if (!selinux_policycap_ioctl_skip_cloexec())
3646 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3649 /* default case assumes that the command will go
3650 * to the file's ioctl() function.
3653 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3658 static int default_noexec __ro_after_init;
3660 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3662 const struct cred *cred = current_cred();
3663 u32 sid = cred_sid(cred);
3666 if (default_noexec &&
3667 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3668 (!shared && (prot & PROT_WRITE)))) {
3670 * We are making executable an anonymous mapping or a
3671 * private file mapping that will also be writable.
3672 * This has an additional check.
3674 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3675 PROCESS__EXECMEM, NULL);
3681 /* read access is always possible with a mapping */
3682 u32 av = FILE__READ;
3684 /* write access only matters if the mapping is shared */
3685 if (shared && (prot & PROT_WRITE))
3688 if (prot & PROT_EXEC)
3689 av |= FILE__EXECUTE;
3691 return file_has_perm(cred, file, av);
3698 static int selinux_mmap_addr(unsigned long addr)
3702 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3703 u32 sid = current_sid();
3704 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3705 MEMPROTECT__MMAP_ZERO, NULL);
3711 static int selinux_mmap_file(struct file *file,
3712 unsigned long reqprot __always_unused,
3713 unsigned long prot, unsigned long flags)
3715 struct common_audit_data ad;
3719 ad.type = LSM_AUDIT_DATA_FILE;
3721 rc = inode_has_perm(current_cred(), file_inode(file),
3727 return file_map_prot_check(file, prot,
3728 (flags & MAP_TYPE) == MAP_SHARED);
3731 static int selinux_file_mprotect(struct vm_area_struct *vma,
3732 unsigned long reqprot __always_unused,
3735 const struct cred *cred = current_cred();
3736 u32 sid = cred_sid(cred);
3738 if (default_noexec &&
3739 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3741 if (vma->vm_start >= vma->vm_mm->start_brk &&
3742 vma->vm_end <= vma->vm_mm->brk) {
3743 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3744 PROCESS__EXECHEAP, NULL);
3745 } else if (!vma->vm_file &&
3746 ((vma->vm_start <= vma->vm_mm->start_stack &&
3747 vma->vm_end >= vma->vm_mm->start_stack) ||
3748 vma_is_stack_for_current(vma))) {
3749 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3750 PROCESS__EXECSTACK, NULL);
3751 } else if (vma->vm_file && vma->anon_vma) {
3753 * We are making executable a file mapping that has
3754 * had some COW done. Since pages might have been
3755 * written, check ability to execute the possibly
3756 * modified content. This typically should only
3757 * occur for text relocations.
3759 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3765 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3768 static int selinux_file_lock(struct file *file, unsigned int cmd)
3770 const struct cred *cred = current_cred();
3772 return file_has_perm(cred, file, FILE__LOCK);
3775 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3778 const struct cred *cred = current_cred();
3783 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3784 err = file_has_perm(cred, file, FILE__WRITE);
3793 case F_GETOWNER_UIDS:
3794 /* Just check FD__USE permission */
3795 err = file_has_perm(cred, file, 0);
3803 #if BITS_PER_LONG == 32
3808 err = file_has_perm(cred, file, FILE__LOCK);
3815 static void selinux_file_set_fowner(struct file *file)
3817 struct file_security_struct *fsec;
3819 fsec = selinux_file(file);
3820 fsec->fown_sid = current_sid();
3823 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3824 struct fown_struct *fown, int signum)
3827 u32 sid = task_sid_obj(tsk);
3829 struct file_security_struct *fsec;
3831 /* struct fown_struct is never outside the context of a struct file */
3832 file = container_of(fown, struct file, f_owner);
3834 fsec = selinux_file(file);
3837 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3839 perm = signal_to_av(signum);
3841 return avc_has_perm(fsec->fown_sid, sid,
3842 SECCLASS_PROCESS, perm, NULL);
3845 static int selinux_file_receive(struct file *file)
3847 const struct cred *cred = current_cred();
3849 return file_has_perm(cred, file, file_to_av(file));
3852 static int selinux_file_open(struct file *file)
3854 struct file_security_struct *fsec;
3855 struct inode_security_struct *isec;
3857 fsec = selinux_file(file);
3858 isec = inode_security(file_inode(file));
3860 * Save inode label and policy sequence number
3861 * at open-time so that selinux_file_permission
3862 * can determine whether revalidation is necessary.
3863 * Task label is already saved in the file security
3864 * struct as its SID.
3866 fsec->isid = isec->sid;
3867 fsec->pseqno = avc_policy_seqno();
3869 * Since the inode label or policy seqno may have changed
3870 * between the selinux_inode_permission check and the saving
3871 * of state above, recheck that access is still permitted.
3872 * Otherwise, access might never be revalidated against the
3873 * new inode label or new policy.
3874 * This check is not redundant - do not remove.
3876 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3879 /* task security operations */
3881 static int selinux_task_alloc(struct task_struct *task,
3882 unsigned long clone_flags)
3884 u32 sid = current_sid();
3886 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3890 * prepare a new set of credentials for modification
3892 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3895 const struct task_security_struct *old_tsec = selinux_cred(old);
3896 struct task_security_struct *tsec = selinux_cred(new);
3903 * transfer the SELinux data to a blank set of creds
3905 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3907 const struct task_security_struct *old_tsec = selinux_cred(old);
3908 struct task_security_struct *tsec = selinux_cred(new);
3913 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3915 *secid = cred_sid(c);
3919 * set the security data for a kernel service
3920 * - all the creation contexts are set to unlabelled
3922 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3924 struct task_security_struct *tsec = selinux_cred(new);
3925 u32 sid = current_sid();
3928 ret = avc_has_perm(sid, secid,
3929 SECCLASS_KERNEL_SERVICE,
3930 KERNEL_SERVICE__USE_AS_OVERRIDE,
3934 tsec->create_sid = 0;
3935 tsec->keycreate_sid = 0;
3936 tsec->sockcreate_sid = 0;
3942 * set the file creation context in a security record to the same as the
3943 * objective context of the specified inode
3945 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3947 struct inode_security_struct *isec = inode_security(inode);
3948 struct task_security_struct *tsec = selinux_cred(new);
3949 u32 sid = current_sid();
3952 ret = avc_has_perm(sid, isec->sid,
3953 SECCLASS_KERNEL_SERVICE,
3954 KERNEL_SERVICE__CREATE_FILES_AS,
3958 tsec->create_sid = isec->sid;
3962 static int selinux_kernel_module_request(char *kmod_name)
3964 struct common_audit_data ad;
3966 ad.type = LSM_AUDIT_DATA_KMOD;
3967 ad.u.kmod_name = kmod_name;
3969 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3970 SYSTEM__MODULE_REQUEST, &ad);
3973 static int selinux_kernel_module_from_file(struct file *file)
3975 struct common_audit_data ad;
3976 struct inode_security_struct *isec;
3977 struct file_security_struct *fsec;
3978 u32 sid = current_sid();
3983 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3984 SYSTEM__MODULE_LOAD, NULL);
3988 ad.type = LSM_AUDIT_DATA_FILE;
3991 fsec = selinux_file(file);
3992 if (sid != fsec->sid) {
3993 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3998 isec = inode_security(file_inode(file));
3999 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
4000 SYSTEM__MODULE_LOAD, &ad);
4003 static int selinux_kernel_read_file(struct file *file,
4004 enum kernel_read_file_id id,
4010 case READING_MODULE:
4011 rc = selinux_kernel_module_from_file(contents ? file : NULL);
4020 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4025 case LOADING_MODULE:
4026 rc = selinux_kernel_module_from_file(NULL);
4035 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4037 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4038 PROCESS__SETPGID, NULL);
4041 static int selinux_task_getpgid(struct task_struct *p)
4043 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4044 PROCESS__GETPGID, NULL);
4047 static int selinux_task_getsid(struct task_struct *p)
4049 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4050 PROCESS__GETSESSION, NULL);
4053 static void selinux_current_getsecid_subj(u32 *secid)
4055 *secid = current_sid();
4058 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4060 *secid = task_sid_obj(p);
4063 static int selinux_task_setnice(struct task_struct *p, int nice)
4065 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4066 PROCESS__SETSCHED, NULL);
4069 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4071 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4072 PROCESS__SETSCHED, NULL);
4075 static int selinux_task_getioprio(struct task_struct *p)
4077 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4078 PROCESS__GETSCHED, NULL);
4081 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4088 if (flags & LSM_PRLIMIT_WRITE)
4089 av |= PROCESS__SETRLIMIT;
4090 if (flags & LSM_PRLIMIT_READ)
4091 av |= PROCESS__GETRLIMIT;
4092 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4093 SECCLASS_PROCESS, av, NULL);
4096 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4097 struct rlimit *new_rlim)
4099 struct rlimit *old_rlim = p->signal->rlim + resource;
4101 /* Control the ability to change the hard limit (whether
4102 lowering or raising it), so that the hard limit can
4103 later be used as a safe reset point for the soft limit
4104 upon context transitions. See selinux_bprm_committing_creds. */
4105 if (old_rlim->rlim_max != new_rlim->rlim_max)
4106 return avc_has_perm(current_sid(), task_sid_obj(p),
4107 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4112 static int selinux_task_setscheduler(struct task_struct *p)
4114 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4115 PROCESS__SETSCHED, NULL);
4118 static int selinux_task_getscheduler(struct task_struct *p)
4120 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4121 PROCESS__GETSCHED, NULL);
4124 static int selinux_task_movememory(struct task_struct *p)
4126 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4127 PROCESS__SETSCHED, NULL);
4130 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4131 int sig, const struct cred *cred)
4137 perm = PROCESS__SIGNULL; /* null signal; existence test */
4139 perm = signal_to_av(sig);
4141 secid = current_sid();
4143 secid = cred_sid(cred);
4144 return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4147 static void selinux_task_to_inode(struct task_struct *p,
4148 struct inode *inode)
4150 struct inode_security_struct *isec = selinux_inode(inode);
4151 u32 sid = task_sid_obj(p);
4153 spin_lock(&isec->lock);
4154 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4156 isec->initialized = LABEL_INITIALIZED;
4157 spin_unlock(&isec->lock);
4160 static int selinux_userns_create(const struct cred *cred)
4162 u32 sid = current_sid();
4164 return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE,
4165 USER_NAMESPACE__CREATE, NULL);
4168 /* Returns error only if unable to parse addresses */
4169 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4170 struct common_audit_data *ad, u8 *proto)
4172 int offset, ihlen, ret = -EINVAL;
4173 struct iphdr _iph, *ih;
4175 offset = skb_network_offset(skb);
4176 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4180 ihlen = ih->ihl * 4;
4181 if (ihlen < sizeof(_iph))
4184 ad->u.net->v4info.saddr = ih->saddr;
4185 ad->u.net->v4info.daddr = ih->daddr;
4189 *proto = ih->protocol;
4191 switch (ih->protocol) {
4193 struct tcphdr _tcph, *th;
4195 if (ntohs(ih->frag_off) & IP_OFFSET)
4199 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4203 ad->u.net->sport = th->source;
4204 ad->u.net->dport = th->dest;
4209 struct udphdr _udph, *uh;
4211 if (ntohs(ih->frag_off) & IP_OFFSET)
4215 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4219 ad->u.net->sport = uh->source;
4220 ad->u.net->dport = uh->dest;
4224 case IPPROTO_DCCP: {
4225 struct dccp_hdr _dccph, *dh;
4227 if (ntohs(ih->frag_off) & IP_OFFSET)
4231 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4235 ad->u.net->sport = dh->dccph_sport;
4236 ad->u.net->dport = dh->dccph_dport;
4240 #if IS_ENABLED(CONFIG_IP_SCTP)
4241 case IPPROTO_SCTP: {
4242 struct sctphdr _sctph, *sh;
4244 if (ntohs(ih->frag_off) & IP_OFFSET)
4248 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4252 ad->u.net->sport = sh->source;
4253 ad->u.net->dport = sh->dest;
4264 #if IS_ENABLED(CONFIG_IPV6)
4266 /* Returns error only if unable to parse addresses */
4267 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4268 struct common_audit_data *ad, u8 *proto)
4271 int ret = -EINVAL, offset;
4272 struct ipv6hdr _ipv6h, *ip6;
4275 offset = skb_network_offset(skb);
4276 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4280 ad->u.net->v6info.saddr = ip6->saddr;
4281 ad->u.net->v6info.daddr = ip6->daddr;
4284 nexthdr = ip6->nexthdr;
4285 offset += sizeof(_ipv6h);
4286 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4295 struct tcphdr _tcph, *th;
4297 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4301 ad->u.net->sport = th->source;
4302 ad->u.net->dport = th->dest;
4307 struct udphdr _udph, *uh;
4309 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4313 ad->u.net->sport = uh->source;
4314 ad->u.net->dport = uh->dest;
4318 case IPPROTO_DCCP: {
4319 struct dccp_hdr _dccph, *dh;
4321 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4325 ad->u.net->sport = dh->dccph_sport;
4326 ad->u.net->dport = dh->dccph_dport;
4330 #if IS_ENABLED(CONFIG_IP_SCTP)
4331 case IPPROTO_SCTP: {
4332 struct sctphdr _sctph, *sh;
4334 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4338 ad->u.net->sport = sh->source;
4339 ad->u.net->dport = sh->dest;
4343 /* includes fragments */
4353 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4354 char **_addrp, int src, u8 *proto)
4359 switch (ad->u.net->family) {
4361 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4364 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4365 &ad->u.net->v4info.daddr);
4368 #if IS_ENABLED(CONFIG_IPV6)
4370 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4373 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4374 &ad->u.net->v6info.daddr);
4384 "SELinux: failure in selinux_parse_skb(),"
4385 " unable to parse packet\n");
4395 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4397 * @family: protocol family
4398 * @sid: the packet's peer label SID
4401 * Check the various different forms of network peer labeling and determine
4402 * the peer label/SID for the packet; most of the magic actually occurs in
4403 * the security server function security_net_peersid_cmp(). The function
4404 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4405 * or -EACCES if @sid is invalid due to inconsistencies with the different
4409 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4416 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4419 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4423 err = security_net_peersid_resolve(nlbl_sid,
4424 nlbl_type, xfrm_sid, sid);
4425 if (unlikely(err)) {
4427 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4428 " unable to determine packet's peer label\n");
4436 * selinux_conn_sid - Determine the child socket label for a connection
4437 * @sk_sid: the parent socket's SID
4438 * @skb_sid: the packet's SID
4439 * @conn_sid: the resulting connection SID
4441 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4442 * combined with the MLS information from @skb_sid in order to create
4443 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy
4444 * of @sk_sid. Returns zero on success, negative values on failure.
4447 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4451 if (skb_sid != SECSID_NULL)
4452 err = security_sid_mls_copy(sk_sid, skb_sid,
4460 /* socket security operations */
4462 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4463 u16 secclass, u32 *socksid)
4465 if (tsec->sockcreate_sid > SECSID_NULL) {
4466 *socksid = tsec->sockcreate_sid;
4470 return security_transition_sid(tsec->sid, tsec->sid,
4471 secclass, NULL, socksid);
4474 static int sock_has_perm(struct sock *sk, u32 perms)
4476 struct sk_security_struct *sksec = sk->sk_security;
4477 struct common_audit_data ad;
4478 struct lsm_network_audit net = {0,};
4480 if (sksec->sid == SECINITSID_KERNEL)
4483 ad.type = LSM_AUDIT_DATA_NET;
4487 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4491 static int selinux_socket_create(int family, int type,
4492 int protocol, int kern)
4494 const struct task_security_struct *tsec = selinux_cred(current_cred());
4502 secclass = socket_type_to_security_class(family, type, protocol);
4503 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4507 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4510 static int selinux_socket_post_create(struct socket *sock, int family,
4511 int type, int protocol, int kern)
4513 const struct task_security_struct *tsec = selinux_cred(current_cred());
4514 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4515 struct sk_security_struct *sksec;
4516 u16 sclass = socket_type_to_security_class(family, type, protocol);
4517 u32 sid = SECINITSID_KERNEL;
4521 err = socket_sockcreate_sid(tsec, sclass, &sid);
4526 isec->sclass = sclass;
4528 isec->initialized = LABEL_INITIALIZED;
4531 sksec = sock->sk->sk_security;
4532 sksec->sclass = sclass;
4534 /* Allows detection of the first association on this socket */
4535 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4536 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4538 err = selinux_netlbl_socket_post_create(sock->sk, family);
4544 static int selinux_socket_socketpair(struct socket *socka,
4545 struct socket *sockb)
4547 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4548 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4550 sksec_a->peer_sid = sksec_b->sid;
4551 sksec_b->peer_sid = sksec_a->sid;
4556 /* Range of port numbers used to automatically bind.
4557 Need to determine whether we should perform a name_bind
4558 permission check between the socket and the port number. */
4560 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4562 struct sock *sk = sock->sk;
4563 struct sk_security_struct *sksec = sk->sk_security;
4567 err = sock_has_perm(sk, SOCKET__BIND);
4571 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4572 family = sk->sk_family;
4573 if (family == PF_INET || family == PF_INET6) {
4575 struct common_audit_data ad;
4576 struct lsm_network_audit net = {0,};
4577 struct sockaddr_in *addr4 = NULL;
4578 struct sockaddr_in6 *addr6 = NULL;
4580 unsigned short snum;
4584 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4585 * that validates multiple binding addresses. Because of this
4586 * need to check address->sa_family as it is possible to have
4587 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4589 if (addrlen < offsetofend(struct sockaddr, sa_family))
4591 family_sa = address->sa_family;
4592 switch (family_sa) {
4595 if (addrlen < sizeof(struct sockaddr_in))
4597 addr4 = (struct sockaddr_in *)address;
4598 if (family_sa == AF_UNSPEC) {
4599 /* see __inet_bind(), we only want to allow
4600 * AF_UNSPEC if the address is INADDR_ANY
4602 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4604 family_sa = AF_INET;
4606 snum = ntohs(addr4->sin_port);
4607 addrp = (char *)&addr4->sin_addr.s_addr;
4610 if (addrlen < SIN6_LEN_RFC2133)
4612 addr6 = (struct sockaddr_in6 *)address;
4613 snum = ntohs(addr6->sin6_port);
4614 addrp = (char *)&addr6->sin6_addr.s6_addr;
4620 ad.type = LSM_AUDIT_DATA_NET;
4622 ad.u.net->sport = htons(snum);
4623 ad.u.net->family = family_sa;
4628 inet_get_local_port_range(sock_net(sk), &low, &high);
4630 if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4631 snum < low || snum > high) {
4632 err = sel_netport_sid(sk->sk_protocol,
4636 err = avc_has_perm(sksec->sid, sid,
4638 SOCKET__NAME_BIND, &ad);
4644 switch (sksec->sclass) {
4645 case SECCLASS_TCP_SOCKET:
4646 node_perm = TCP_SOCKET__NODE_BIND;
4649 case SECCLASS_UDP_SOCKET:
4650 node_perm = UDP_SOCKET__NODE_BIND;
4653 case SECCLASS_DCCP_SOCKET:
4654 node_perm = DCCP_SOCKET__NODE_BIND;
4657 case SECCLASS_SCTP_SOCKET:
4658 node_perm = SCTP_SOCKET__NODE_BIND;
4662 node_perm = RAWIP_SOCKET__NODE_BIND;
4666 err = sel_netnode_sid(addrp, family_sa, &sid);
4670 if (family_sa == AF_INET)
4671 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4673 ad.u.net->v6info.saddr = addr6->sin6_addr;
4675 err = avc_has_perm(sksec->sid, sid,
4676 sksec->sclass, node_perm, &ad);
4683 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4684 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4686 return -EAFNOSUPPORT;
4689 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4690 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4692 static int selinux_socket_connect_helper(struct socket *sock,
4693 struct sockaddr *address, int addrlen)
4695 struct sock *sk = sock->sk;
4696 struct sk_security_struct *sksec = sk->sk_security;
4699 err = sock_has_perm(sk, SOCKET__CONNECT);
4702 if (addrlen < offsetofend(struct sockaddr, sa_family))
4705 /* connect(AF_UNSPEC) has special handling, as it is a documented
4706 * way to disconnect the socket
4708 if (address->sa_family == AF_UNSPEC)
4712 * If a TCP, DCCP or SCTP socket, check name_connect permission
4715 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4716 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4717 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4718 struct common_audit_data ad;
4719 struct lsm_network_audit net = {0,};
4720 struct sockaddr_in *addr4 = NULL;
4721 struct sockaddr_in6 *addr6 = NULL;
4722 unsigned short snum;
4725 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4726 * that validates multiple connect addresses. Because of this
4727 * need to check address->sa_family as it is possible to have
4728 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4730 switch (address->sa_family) {
4732 addr4 = (struct sockaddr_in *)address;
4733 if (addrlen < sizeof(struct sockaddr_in))
4735 snum = ntohs(addr4->sin_port);
4738 addr6 = (struct sockaddr_in6 *)address;
4739 if (addrlen < SIN6_LEN_RFC2133)
4741 snum = ntohs(addr6->sin6_port);
4744 /* Note that SCTP services expect -EINVAL, whereas
4745 * others expect -EAFNOSUPPORT.
4747 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4750 return -EAFNOSUPPORT;
4753 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4757 switch (sksec->sclass) {
4758 case SECCLASS_TCP_SOCKET:
4759 perm = TCP_SOCKET__NAME_CONNECT;
4761 case SECCLASS_DCCP_SOCKET:
4762 perm = DCCP_SOCKET__NAME_CONNECT;
4764 case SECCLASS_SCTP_SOCKET:
4765 perm = SCTP_SOCKET__NAME_CONNECT;
4769 ad.type = LSM_AUDIT_DATA_NET;
4771 ad.u.net->dport = htons(snum);
4772 ad.u.net->family = address->sa_family;
4773 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4781 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4782 static int selinux_socket_connect(struct socket *sock,
4783 struct sockaddr *address, int addrlen)
4786 struct sock *sk = sock->sk;
4788 err = selinux_socket_connect_helper(sock, address, addrlen);
4792 return selinux_netlbl_socket_connect(sk, address);
4795 static int selinux_socket_listen(struct socket *sock, int backlog)
4797 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4800 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4803 struct inode_security_struct *isec;
4804 struct inode_security_struct *newisec;
4808 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4812 isec = inode_security_novalidate(SOCK_INODE(sock));
4813 spin_lock(&isec->lock);
4814 sclass = isec->sclass;
4816 spin_unlock(&isec->lock);
4818 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4819 newisec->sclass = sclass;
4821 newisec->initialized = LABEL_INITIALIZED;
4826 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4829 return sock_has_perm(sock->sk, SOCKET__WRITE);
4832 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4833 int size, int flags)
4835 return sock_has_perm(sock->sk, SOCKET__READ);
4838 static int selinux_socket_getsockname(struct socket *sock)
4840 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4843 static int selinux_socket_getpeername(struct socket *sock)
4845 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4848 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4852 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4856 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4859 static int selinux_socket_getsockopt(struct socket *sock, int level,
4862 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4865 static int selinux_socket_shutdown(struct socket *sock, int how)
4867 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4870 static int selinux_socket_unix_stream_connect(struct sock *sock,
4874 struct sk_security_struct *sksec_sock = sock->sk_security;
4875 struct sk_security_struct *sksec_other = other->sk_security;
4876 struct sk_security_struct *sksec_new = newsk->sk_security;
4877 struct common_audit_data ad;
4878 struct lsm_network_audit net = {0,};
4881 ad.type = LSM_AUDIT_DATA_NET;
4883 ad.u.net->sk = other;
4885 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4886 sksec_other->sclass,
4887 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4891 /* server child socket */
4892 sksec_new->peer_sid = sksec_sock->sid;
4893 err = security_sid_mls_copy(sksec_other->sid,
4894 sksec_sock->sid, &sksec_new->sid);
4898 /* connecting socket */
4899 sksec_sock->peer_sid = sksec_new->sid;
4904 static int selinux_socket_unix_may_send(struct socket *sock,
4905 struct socket *other)
4907 struct sk_security_struct *ssec = sock->sk->sk_security;
4908 struct sk_security_struct *osec = other->sk->sk_security;
4909 struct common_audit_data ad;
4910 struct lsm_network_audit net = {0,};
4912 ad.type = LSM_AUDIT_DATA_NET;
4914 ad.u.net->sk = other->sk;
4916 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4920 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4921 char *addrp, u16 family, u32 peer_sid,
4922 struct common_audit_data *ad)
4928 err = sel_netif_sid(ns, ifindex, &if_sid);
4931 err = avc_has_perm(peer_sid, if_sid,
4932 SECCLASS_NETIF, NETIF__INGRESS, ad);
4936 err = sel_netnode_sid(addrp, family, &node_sid);
4939 return avc_has_perm(peer_sid, node_sid,
4940 SECCLASS_NODE, NODE__RECVFROM, ad);
4943 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4947 struct sk_security_struct *sksec = sk->sk_security;
4948 u32 sk_sid = sksec->sid;
4949 struct common_audit_data ad;
4950 struct lsm_network_audit net = {0,};
4953 ad.type = LSM_AUDIT_DATA_NET;
4955 ad.u.net->netif = skb->skb_iif;
4956 ad.u.net->family = family;
4957 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4961 if (selinux_secmark_enabled()) {
4962 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4968 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4971 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4976 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4979 struct sk_security_struct *sksec = sk->sk_security;
4980 u16 family = sk->sk_family;
4981 u32 sk_sid = sksec->sid;
4982 struct common_audit_data ad;
4983 struct lsm_network_audit net = {0,};
4988 if (family != PF_INET && family != PF_INET6)
4991 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4992 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4995 /* If any sort of compatibility mode is enabled then handoff processing
4996 * to the selinux_sock_rcv_skb_compat() function to deal with the
4997 * special handling. We do this in an attempt to keep this function
4998 * as fast and as clean as possible. */
4999 if (!selinux_policycap_netpeer())
5000 return selinux_sock_rcv_skb_compat(sk, skb, family);
5002 secmark_active = selinux_secmark_enabled();
5003 peerlbl_active = selinux_peerlbl_enabled();
5004 if (!secmark_active && !peerlbl_active)
5007 ad.type = LSM_AUDIT_DATA_NET;
5009 ad.u.net->netif = skb->skb_iif;
5010 ad.u.net->family = family;
5011 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5015 if (peerlbl_active) {
5018 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5021 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5022 addrp, family, peer_sid, &ad);
5024 selinux_netlbl_err(skb, family, err, 0);
5027 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
5030 selinux_netlbl_err(skb, family, err, 0);
5035 if (secmark_active) {
5036 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5045 static int selinux_socket_getpeersec_stream(struct socket *sock,
5046 sockptr_t optval, sockptr_t optlen,
5050 char *scontext = NULL;
5052 struct sk_security_struct *sksec = sock->sk->sk_security;
5053 u32 peer_sid = SECSID_NULL;
5055 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5056 sksec->sclass == SECCLASS_TCP_SOCKET ||
5057 sksec->sclass == SECCLASS_SCTP_SOCKET)
5058 peer_sid = sksec->peer_sid;
5059 if (peer_sid == SECSID_NULL)
5060 return -ENOPROTOOPT;
5062 err = security_sid_to_context(peer_sid, &scontext,
5066 if (scontext_len > len) {
5071 if (copy_to_sockptr(optval, scontext, scontext_len))
5074 if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
5080 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5082 u32 peer_secid = SECSID_NULL;
5084 struct inode_security_struct *isec;
5086 if (skb && skb->protocol == htons(ETH_P_IP))
5088 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5091 family = sock->sk->sk_family;
5095 if (sock && family == PF_UNIX) {
5096 isec = inode_security_novalidate(SOCK_INODE(sock));
5097 peer_secid = isec->sid;
5099 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5102 *secid = peer_secid;
5103 if (peer_secid == SECSID_NULL)
5108 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5110 struct sk_security_struct *sksec;
5112 sksec = kzalloc(sizeof(*sksec), priority);
5116 sksec->peer_sid = SECINITSID_UNLABELED;
5117 sksec->sid = SECINITSID_UNLABELED;
5118 sksec->sclass = SECCLASS_SOCKET;
5119 selinux_netlbl_sk_security_reset(sksec);
5120 sk->sk_security = sksec;
5125 static void selinux_sk_free_security(struct sock *sk)
5127 struct sk_security_struct *sksec = sk->sk_security;
5129 sk->sk_security = NULL;
5130 selinux_netlbl_sk_security_free(sksec);
5134 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5136 struct sk_security_struct *sksec = sk->sk_security;
5137 struct sk_security_struct *newsksec = newsk->sk_security;
5139 newsksec->sid = sksec->sid;
5140 newsksec->peer_sid = sksec->peer_sid;
5141 newsksec->sclass = sksec->sclass;
5143 selinux_netlbl_sk_security_reset(newsksec);
5146 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5149 *secid = SECINITSID_ANY_SOCKET;
5151 struct sk_security_struct *sksec = sk->sk_security;
5153 *secid = sksec->sid;
5157 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5159 struct inode_security_struct *isec =
5160 inode_security_novalidate(SOCK_INODE(parent));
5161 struct sk_security_struct *sksec = sk->sk_security;
5163 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5164 sk->sk_family == PF_UNIX)
5165 isec->sid = sksec->sid;
5166 sksec->sclass = isec->sclass;
5170 * Determines peer_secid for the asoc and updates socket's peer label
5171 * if it's the first association on the socket.
5173 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5174 struct sk_buff *skb)
5176 struct sock *sk = asoc->base.sk;
5177 u16 family = sk->sk_family;
5178 struct sk_security_struct *sksec = sk->sk_security;
5179 struct common_audit_data ad;
5180 struct lsm_network_audit net = {0,};
5183 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5184 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5187 if (selinux_peerlbl_enabled()) {
5188 asoc->peer_secid = SECSID_NULL;
5190 /* This will return peer_sid = SECSID_NULL if there are
5191 * no peer labels, see security_net_peersid_resolve().
5193 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5197 if (asoc->peer_secid == SECSID_NULL)
5198 asoc->peer_secid = SECINITSID_UNLABELED;
5200 asoc->peer_secid = SECINITSID_UNLABELED;
5203 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5204 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5206 /* Here as first association on socket. As the peer SID
5207 * was allowed by peer recv (and the netif/node checks),
5208 * then it is approved by policy and used as the primary
5209 * peer SID for getpeercon(3).
5211 sksec->peer_sid = asoc->peer_secid;
5212 } else if (sksec->peer_sid != asoc->peer_secid) {
5213 /* Other association peer SIDs are checked to enforce
5214 * consistency among the peer SIDs.
5216 ad.type = LSM_AUDIT_DATA_NET;
5218 ad.u.net->sk = asoc->base.sk;
5219 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
5220 sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5228 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5229 * happens on an incoming connect(2), sctp_connectx(3) or
5230 * sctp_sendmsg(3) (with no association already present).
5232 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5233 struct sk_buff *skb)
5235 struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5239 if (!selinux_policycap_extsockclass())
5242 err = selinux_sctp_process_new_assoc(asoc, skb);
5246 /* Compute the MLS component for the connection and store
5247 * the information in asoc. This will be used by SCTP TCP type
5248 * sockets and peeled off connections as they cause a new
5249 * socket to be generated. selinux_sctp_sk_clone() will then
5250 * plug this into the new socket.
5252 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5256 asoc->secid = conn_sid;
5258 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5259 return selinux_netlbl_sctp_assoc_request(asoc, skb);
5262 /* Called when SCTP receives a COOKIE ACK chunk as the final
5263 * response to an association request (initited by us).
5265 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5266 struct sk_buff *skb)
5268 struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5270 if (!selinux_policycap_extsockclass())
5273 /* Inherit secid from the parent socket - this will be picked up
5274 * by selinux_sctp_sk_clone() if the association gets peeled off
5275 * into a new socket.
5277 asoc->secid = sksec->sid;
5279 return selinux_sctp_process_new_assoc(asoc, skb);
5282 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5283 * based on their @optname.
5285 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5286 struct sockaddr *address,
5289 int len, err = 0, walk_size = 0;
5291 struct sockaddr *addr;
5292 struct socket *sock;
5294 if (!selinux_policycap_extsockclass())
5297 /* Process one or more addresses that may be IPv4 or IPv6 */
5298 sock = sk->sk_socket;
5301 while (walk_size < addrlen) {
5302 if (walk_size + sizeof(sa_family_t) > addrlen)
5306 switch (addr->sa_family) {
5309 len = sizeof(struct sockaddr_in);
5312 len = sizeof(struct sockaddr_in6);
5318 if (walk_size + len > addrlen)
5324 case SCTP_PRIMARY_ADDR:
5325 case SCTP_SET_PEER_PRIMARY_ADDR:
5326 case SCTP_SOCKOPT_BINDX_ADD:
5327 err = selinux_socket_bind(sock, addr, len);
5329 /* Connect checks */
5330 case SCTP_SOCKOPT_CONNECTX:
5331 case SCTP_PARAM_SET_PRIMARY:
5332 case SCTP_PARAM_ADD_IP:
5333 case SCTP_SENDMSG_CONNECT:
5334 err = selinux_socket_connect_helper(sock, addr, len);
5338 /* As selinux_sctp_bind_connect() is called by the
5339 * SCTP protocol layer, the socket is already locked,
5340 * therefore selinux_netlbl_socket_connect_locked()
5341 * is called here. The situations handled are:
5342 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5343 * whenever a new IP address is added or when a new
5344 * primary address is selected.
5345 * Note that an SCTP connect(2) call happens before
5346 * the SCTP protocol layer and is handled via
5347 * selinux_socket_connect().
5349 err = selinux_netlbl_socket_connect_locked(sk, addr);
5363 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5364 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5367 struct sk_security_struct *sksec = sk->sk_security;
5368 struct sk_security_struct *newsksec = newsk->sk_security;
5370 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5371 * the non-sctp clone version.
5373 if (!selinux_policycap_extsockclass())
5374 return selinux_sk_clone_security(sk, newsk);
5376 newsksec->sid = asoc->secid;
5377 newsksec->peer_sid = asoc->peer_secid;
5378 newsksec->sclass = sksec->sclass;
5379 selinux_netlbl_sctp_sk_clone(sk, newsk);
5382 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5383 struct request_sock *req)
5385 struct sk_security_struct *sksec = sk->sk_security;
5387 u16 family = req->rsk_ops->family;
5391 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5394 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5397 req->secid = connsid;
5398 req->peer_secid = peersid;
5400 return selinux_netlbl_inet_conn_request(req, family);
5403 static void selinux_inet_csk_clone(struct sock *newsk,
5404 const struct request_sock *req)
5406 struct sk_security_struct *newsksec = newsk->sk_security;
5408 newsksec->sid = req->secid;
5409 newsksec->peer_sid = req->peer_secid;
5410 /* NOTE: Ideally, we should also get the isec->sid for the
5411 new socket in sync, but we don't have the isec available yet.
5412 So we will wait until sock_graft to do it, by which
5413 time it will have been created and available. */
5415 /* We don't need to take any sort of lock here as we are the only
5416 * thread with access to newsksec */
5417 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5420 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5422 u16 family = sk->sk_family;
5423 struct sk_security_struct *sksec = sk->sk_security;
5425 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5426 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5429 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5432 static int selinux_secmark_relabel_packet(u32 sid)
5434 const struct task_security_struct *__tsec;
5437 __tsec = selinux_cred(current_cred());
5440 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5444 static void selinux_secmark_refcount_inc(void)
5446 atomic_inc(&selinux_secmark_refcount);
5449 static void selinux_secmark_refcount_dec(void)
5451 atomic_dec(&selinux_secmark_refcount);
5454 static void selinux_req_classify_flow(const struct request_sock *req,
5455 struct flowi_common *flic)
5457 flic->flowic_secid = req->secid;
5460 static int selinux_tun_dev_alloc_security(void **security)
5462 struct tun_security_struct *tunsec;
5464 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5467 tunsec->sid = current_sid();
5473 static void selinux_tun_dev_free_security(void *security)
5478 static int selinux_tun_dev_create(void)
5480 u32 sid = current_sid();
5482 /* we aren't taking into account the "sockcreate" SID since the socket
5483 * that is being created here is not a socket in the traditional sense,
5484 * instead it is a private sock, accessible only to the kernel, and
5485 * representing a wide range of network traffic spanning multiple
5486 * connections unlike traditional sockets - check the TUN driver to
5487 * get a better understanding of why this socket is special */
5489 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5493 static int selinux_tun_dev_attach_queue(void *security)
5495 struct tun_security_struct *tunsec = security;
5497 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5498 TUN_SOCKET__ATTACH_QUEUE, NULL);
5501 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5503 struct tun_security_struct *tunsec = security;
5504 struct sk_security_struct *sksec = sk->sk_security;
5506 /* we don't currently perform any NetLabel based labeling here and it
5507 * isn't clear that we would want to do so anyway; while we could apply
5508 * labeling without the support of the TUN user the resulting labeled
5509 * traffic from the other end of the connection would almost certainly
5510 * cause confusion to the TUN user that had no idea network labeling
5511 * protocols were being used */
5513 sksec->sid = tunsec->sid;
5514 sksec->sclass = SECCLASS_TUN_SOCKET;
5519 static int selinux_tun_dev_open(void *security)
5521 struct tun_security_struct *tunsec = security;
5522 u32 sid = current_sid();
5525 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5526 TUN_SOCKET__RELABELFROM, NULL);
5529 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5530 TUN_SOCKET__RELABELTO, NULL);
5538 #ifdef CONFIG_NETFILTER
5540 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5541 const struct nf_hook_state *state)
5547 struct common_audit_data ad;
5548 struct lsm_network_audit net = {0,};
5549 int secmark_active, peerlbl_active;
5551 if (!selinux_policycap_netpeer())
5554 secmark_active = selinux_secmark_enabled();
5555 peerlbl_active = selinux_peerlbl_enabled();
5556 if (!secmark_active && !peerlbl_active)
5560 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5563 ifindex = state->in->ifindex;
5564 ad.type = LSM_AUDIT_DATA_NET;
5566 ad.u.net->netif = ifindex;
5567 ad.u.net->family = family;
5568 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5571 if (peerlbl_active) {
5574 err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5575 addrp, family, peer_sid, &ad);
5577 selinux_netlbl_err(skb, family, err, 1);
5583 if (avc_has_perm(peer_sid, skb->secmark,
5584 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5587 if (netlbl_enabled())
5588 /* we do this in the FORWARD path and not the POST_ROUTING
5589 * path because we want to make sure we apply the necessary
5590 * labeling before IPsec is applied so we can leverage AH
5592 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5598 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5599 const struct nf_hook_state *state)
5604 if (!netlbl_enabled())
5607 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5608 * because we want to make sure we apply the necessary labeling
5609 * before IPsec is applied so we can leverage AH protection */
5612 struct sk_security_struct *sksec;
5614 if (sk_listener(sk))
5615 /* if the socket is the listening state then this
5616 * packet is a SYN-ACK packet which means it needs to
5617 * be labeled based on the connection/request_sock and
5618 * not the parent socket. unfortunately, we can't
5619 * lookup the request_sock yet as it isn't queued on
5620 * the parent socket until after the SYN-ACK is sent.
5621 * the "solution" is to simply pass the packet as-is
5622 * as any IP option based labeling should be copied
5623 * from the initial connection request (in the IP
5624 * layer). it is far from ideal, but until we get a
5625 * security label in the packet itself this is the
5626 * best we can do. */
5629 /* standard practice, label using the parent socket */
5630 sksec = sk->sk_security;
5633 sid = SECINITSID_KERNEL;
5634 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5641 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5642 const struct nf_hook_state *state)
5645 struct sk_security_struct *sksec;
5646 struct common_audit_data ad;
5647 struct lsm_network_audit net = {0,};
5650 sk = skb_to_full_sk(skb);
5653 sksec = sk->sk_security;
5655 ad.type = LSM_AUDIT_DATA_NET;
5657 ad.u.net->netif = state->out->ifindex;
5658 ad.u.net->family = state->pf;
5659 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5662 if (selinux_secmark_enabled())
5663 if (avc_has_perm(sksec->sid, skb->secmark,
5664 SECCLASS_PACKET, PACKET__SEND, &ad))
5665 return NF_DROP_ERR(-ECONNREFUSED);
5667 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5668 return NF_DROP_ERR(-ECONNREFUSED);
5673 static unsigned int selinux_ip_postroute(void *priv,
5674 struct sk_buff *skb,
5675 const struct nf_hook_state *state)
5682 struct common_audit_data ad;
5683 struct lsm_network_audit net = {0,};
5685 int secmark_active, peerlbl_active;
5687 /* If any sort of compatibility mode is enabled then handoff processing
5688 * to the selinux_ip_postroute_compat() function to deal with the
5689 * special handling. We do this in an attempt to keep this function
5690 * as fast and as clean as possible. */
5691 if (!selinux_policycap_netpeer())
5692 return selinux_ip_postroute_compat(skb, state);
5694 secmark_active = selinux_secmark_enabled();
5695 peerlbl_active = selinux_peerlbl_enabled();
5696 if (!secmark_active && !peerlbl_active)
5699 sk = skb_to_full_sk(skb);
5702 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5703 * packet transformation so allow the packet to pass without any checks
5704 * since we'll have another chance to perform access control checks
5705 * when the packet is on it's final way out.
5706 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5707 * is NULL, in this case go ahead and apply access control.
5708 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5709 * TCP listening state we cannot wait until the XFRM processing
5710 * is done as we will miss out on the SA label if we do;
5711 * unfortunately, this means more work, but it is only once per
5713 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5714 !(sk && sk_listener(sk)))
5720 /* Without an associated socket the packet is either coming
5721 * from the kernel or it is being forwarded; check the packet
5722 * to determine which and if the packet is being forwarded
5723 * query the packet directly to determine the security label. */
5725 secmark_perm = PACKET__FORWARD_OUT;
5726 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5729 secmark_perm = PACKET__SEND;
5730 peer_sid = SECINITSID_KERNEL;
5732 } else if (sk_listener(sk)) {
5733 /* Locally generated packet but the associated socket is in the
5734 * listening state which means this is a SYN-ACK packet. In
5735 * this particular case the correct security label is assigned
5736 * to the connection/request_sock but unfortunately we can't
5737 * query the request_sock as it isn't queued on the parent
5738 * socket until after the SYN-ACK packet is sent; the only
5739 * viable choice is to regenerate the label like we do in
5740 * selinux_inet_conn_request(). See also selinux_ip_output()
5741 * for similar problems. */
5743 struct sk_security_struct *sksec;
5745 sksec = sk->sk_security;
5746 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5748 /* At this point, if the returned skb peerlbl is SECSID_NULL
5749 * and the packet has been through at least one XFRM
5750 * transformation then we must be dealing with the "final"
5751 * form of labeled IPsec packet; since we've already applied
5752 * all of our access controls on this packet we can safely
5753 * pass the packet. */
5754 if (skb_sid == SECSID_NULL) {
5757 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5761 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5765 return NF_DROP_ERR(-ECONNREFUSED);
5768 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5770 secmark_perm = PACKET__SEND;
5772 /* Locally generated packet, fetch the security label from the
5773 * associated socket. */
5774 struct sk_security_struct *sksec = sk->sk_security;
5775 peer_sid = sksec->sid;
5776 secmark_perm = PACKET__SEND;
5779 ifindex = state->out->ifindex;
5780 ad.type = LSM_AUDIT_DATA_NET;
5782 ad.u.net->netif = ifindex;
5783 ad.u.net->family = family;
5784 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5788 if (avc_has_perm(peer_sid, skb->secmark,
5789 SECCLASS_PACKET, secmark_perm, &ad))
5790 return NF_DROP_ERR(-ECONNREFUSED);
5792 if (peerlbl_active) {
5796 if (sel_netif_sid(state->net, ifindex, &if_sid))
5798 if (avc_has_perm(peer_sid, if_sid,
5799 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5800 return NF_DROP_ERR(-ECONNREFUSED);
5802 if (sel_netnode_sid(addrp, family, &node_sid))
5804 if (avc_has_perm(peer_sid, node_sid,
5805 SECCLASS_NODE, NODE__SENDTO, &ad))
5806 return NF_DROP_ERR(-ECONNREFUSED);
5811 #endif /* CONFIG_NETFILTER */
5813 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5816 unsigned int msg_len;
5817 unsigned int data_len = skb->len;
5818 unsigned char *data = skb->data;
5819 struct nlmsghdr *nlh;
5820 struct sk_security_struct *sksec = sk->sk_security;
5821 u16 sclass = sksec->sclass;
5824 while (data_len >= nlmsg_total_size(0)) {
5825 nlh = (struct nlmsghdr *)data;
5827 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5828 * users which means we can't reject skb's with bogus
5829 * length fields; our solution is to follow what
5830 * netlink_rcv_skb() does and simply skip processing at
5831 * messages with length fields that are clearly junk
5833 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5836 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5838 rc = sock_has_perm(sk, perm);
5841 } else if (rc == -EINVAL) {
5842 /* -EINVAL is a missing msg/perm mapping */
5843 pr_warn_ratelimited("SELinux: unrecognized netlink"
5844 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5845 " pid=%d comm=%s\n",
5846 sk->sk_protocol, nlh->nlmsg_type,
5847 secclass_map[sclass - 1].name,
5848 task_pid_nr(current), current->comm);
5849 if (enforcing_enabled() &&
5850 !security_get_allow_unknown())
5853 } else if (rc == -ENOENT) {
5854 /* -ENOENT is a missing socket/class mapping, ignore */
5860 /* move to the next message after applying netlink padding */
5861 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5862 if (msg_len >= data_len)
5864 data_len -= msg_len;
5871 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5873 isec->sclass = sclass;
5874 isec->sid = current_sid();
5877 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5880 struct ipc_security_struct *isec;
5881 struct common_audit_data ad;
5882 u32 sid = current_sid();
5884 isec = selinux_ipc(ipc_perms);
5886 ad.type = LSM_AUDIT_DATA_IPC;
5887 ad.u.ipc_id = ipc_perms->key;
5889 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5892 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5894 struct msg_security_struct *msec;
5896 msec = selinux_msg_msg(msg);
5897 msec->sid = SECINITSID_UNLABELED;
5902 /* message queue security operations */
5903 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5905 struct ipc_security_struct *isec;
5906 struct common_audit_data ad;
5907 u32 sid = current_sid();
5909 isec = selinux_ipc(msq);
5910 ipc_init_security(isec, SECCLASS_MSGQ);
5912 ad.type = LSM_AUDIT_DATA_IPC;
5913 ad.u.ipc_id = msq->key;
5915 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5919 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5921 struct ipc_security_struct *isec;
5922 struct common_audit_data ad;
5923 u32 sid = current_sid();
5925 isec = selinux_ipc(msq);
5927 ad.type = LSM_AUDIT_DATA_IPC;
5928 ad.u.ipc_id = msq->key;
5930 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5931 MSGQ__ASSOCIATE, &ad);
5934 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5942 /* No specific object, just general system-wide information. */
5943 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5944 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5948 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5951 perms = MSGQ__SETATTR;
5954 perms = MSGQ__DESTROY;
5960 err = ipc_has_perm(msq, perms);
5964 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
5966 struct ipc_security_struct *isec;
5967 struct msg_security_struct *msec;
5968 struct common_audit_data ad;
5969 u32 sid = current_sid();
5972 isec = selinux_ipc(msq);
5973 msec = selinux_msg_msg(msg);
5976 * First time through, need to assign label to the message
5978 if (msec->sid == SECINITSID_UNLABELED) {
5980 * Compute new sid based on current process and
5981 * message queue this message will be stored in
5983 rc = security_transition_sid(sid, isec->sid,
5984 SECCLASS_MSG, NULL, &msec->sid);
5989 ad.type = LSM_AUDIT_DATA_IPC;
5990 ad.u.ipc_id = msq->key;
5992 /* Can this process write to the queue? */
5993 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5996 /* Can this process send the message */
5997 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
6000 /* Can the message be put in the queue? */
6001 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
6002 MSGQ__ENQUEUE, &ad);
6007 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6008 struct task_struct *target,
6009 long type, int mode)
6011 struct ipc_security_struct *isec;
6012 struct msg_security_struct *msec;
6013 struct common_audit_data ad;
6014 u32 sid = task_sid_obj(target);
6017 isec = selinux_ipc(msq);
6018 msec = selinux_msg_msg(msg);
6020 ad.type = LSM_AUDIT_DATA_IPC;
6021 ad.u.ipc_id = msq->key;
6023 rc = avc_has_perm(sid, isec->sid,
6024 SECCLASS_MSGQ, MSGQ__READ, &ad);
6026 rc = avc_has_perm(sid, msec->sid,
6027 SECCLASS_MSG, MSG__RECEIVE, &ad);
6031 /* Shared Memory security operations */
6032 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6034 struct ipc_security_struct *isec;
6035 struct common_audit_data ad;
6036 u32 sid = current_sid();
6038 isec = selinux_ipc(shp);
6039 ipc_init_security(isec, SECCLASS_SHM);
6041 ad.type = LSM_AUDIT_DATA_IPC;
6042 ad.u.ipc_id = shp->key;
6044 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6048 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6050 struct ipc_security_struct *isec;
6051 struct common_audit_data ad;
6052 u32 sid = current_sid();
6054 isec = selinux_ipc(shp);
6056 ad.type = LSM_AUDIT_DATA_IPC;
6057 ad.u.ipc_id = shp->key;
6059 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6060 SHM__ASSOCIATE, &ad);
6063 /* Note, at this point, shp is locked down */
6064 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6072 /* No specific object, just general system-wide information. */
6073 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6074 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6078 perms = SHM__GETATTR | SHM__ASSOCIATE;
6081 perms = SHM__SETATTR;
6088 perms = SHM__DESTROY;
6094 err = ipc_has_perm(shp, perms);
6098 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6099 char __user *shmaddr, int shmflg)
6103 if (shmflg & SHM_RDONLY)
6106 perms = SHM__READ | SHM__WRITE;
6108 return ipc_has_perm(shp, perms);
6111 /* Semaphore security operations */
6112 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6114 struct ipc_security_struct *isec;
6115 struct common_audit_data ad;
6116 u32 sid = current_sid();
6118 isec = selinux_ipc(sma);
6119 ipc_init_security(isec, SECCLASS_SEM);
6121 ad.type = LSM_AUDIT_DATA_IPC;
6122 ad.u.ipc_id = sma->key;
6124 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6128 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6130 struct ipc_security_struct *isec;
6131 struct common_audit_data ad;
6132 u32 sid = current_sid();
6134 isec = selinux_ipc(sma);
6136 ad.type = LSM_AUDIT_DATA_IPC;
6137 ad.u.ipc_id = sma->key;
6139 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6140 SEM__ASSOCIATE, &ad);
6143 /* Note, at this point, sma is locked down */
6144 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6152 /* No specific object, just general system-wide information. */
6153 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6154 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6158 perms = SEM__GETATTR;
6169 perms = SEM__DESTROY;
6172 perms = SEM__SETATTR;
6177 perms = SEM__GETATTR | SEM__ASSOCIATE;
6183 err = ipc_has_perm(sma, perms);
6187 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6188 struct sembuf *sops, unsigned nsops, int alter)
6193 perms = SEM__READ | SEM__WRITE;
6197 return ipc_has_perm(sma, perms);
6200 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6206 av |= IPC__UNIX_READ;
6208 av |= IPC__UNIX_WRITE;
6213 return ipc_has_perm(ipcp, av);
6216 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6218 struct ipc_security_struct *isec = selinux_ipc(ipcp);
6222 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6225 inode_doinit_with_dentry(inode, dentry);
6228 static int selinux_getprocattr(struct task_struct *p,
6229 const char *name, char **value)
6231 const struct task_security_struct *__tsec;
6237 __tsec = selinux_cred(__task_cred(p));
6240 error = avc_has_perm(current_sid(), __tsec->sid,
6241 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6246 if (!strcmp(name, "current"))
6248 else if (!strcmp(name, "prev"))
6250 else if (!strcmp(name, "exec"))
6251 sid = __tsec->exec_sid;
6252 else if (!strcmp(name, "fscreate"))
6253 sid = __tsec->create_sid;
6254 else if (!strcmp(name, "keycreate"))
6255 sid = __tsec->keycreate_sid;
6256 else if (!strcmp(name, "sockcreate"))
6257 sid = __tsec->sockcreate_sid;
6267 error = security_sid_to_context(sid, value, &len);
6277 static int selinux_setprocattr(const char *name, void *value, size_t size)
6279 struct task_security_struct *tsec;
6281 u32 mysid = current_sid(), sid = 0, ptsid;
6286 * Basic control over ability to set these attributes at all.
6288 if (!strcmp(name, "exec"))
6289 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6290 PROCESS__SETEXEC, NULL);
6291 else if (!strcmp(name, "fscreate"))
6292 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6293 PROCESS__SETFSCREATE, NULL);
6294 else if (!strcmp(name, "keycreate"))
6295 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6296 PROCESS__SETKEYCREATE, NULL);
6297 else if (!strcmp(name, "sockcreate"))
6298 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6299 PROCESS__SETSOCKCREATE, NULL);
6300 else if (!strcmp(name, "current"))
6301 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6302 PROCESS__SETCURRENT, NULL);
6308 /* Obtain a SID for the context, if one was specified. */
6309 if (size && str[0] && str[0] != '\n') {
6310 if (str[size-1] == '\n') {
6314 error = security_context_to_sid(value, size,
6316 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6317 if (!has_cap_mac_admin(true)) {
6318 struct audit_buffer *ab;
6321 /* We strip a nul only if it is at the end, otherwise the
6322 * context contains a nul and we should audit that */
6323 if (str[size - 1] == '\0')
6324 audit_size = size - 1;
6327 ab = audit_log_start(audit_context(),
6332 audit_log_format(ab, "op=fscreate invalid_context=");
6333 audit_log_n_untrustedstring(ab, value, audit_size);
6338 error = security_context_to_sid_force(value, size,
6345 new = prepare_creds();
6349 /* Permission checking based on the specified context is
6350 performed during the actual operation (execve,
6351 open/mkdir/...), when we know the full context of the
6352 operation. See selinux_bprm_creds_for_exec for the execve
6353 checks and may_create for the file creation checks. The
6354 operation will then fail if the context is not permitted. */
6355 tsec = selinux_cred(new);
6356 if (!strcmp(name, "exec")) {
6357 tsec->exec_sid = sid;
6358 } else if (!strcmp(name, "fscreate")) {
6359 tsec->create_sid = sid;
6360 } else if (!strcmp(name, "keycreate")) {
6362 error = avc_has_perm(mysid, sid,
6363 SECCLASS_KEY, KEY__CREATE, NULL);
6367 tsec->keycreate_sid = sid;
6368 } else if (!strcmp(name, "sockcreate")) {
6369 tsec->sockcreate_sid = sid;
6370 } else if (!strcmp(name, "current")) {
6375 /* Only allow single threaded processes to change context */
6376 if (!current_is_single_threaded()) {
6377 error = security_bounded_transition(tsec->sid, sid);
6382 /* Check permissions for the transition. */
6383 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6384 PROCESS__DYNTRANSITION, NULL);
6388 /* Check for ptracing, and update the task SID if ok.
6389 Otherwise, leave SID unchanged and fail. */
6390 ptsid = ptrace_parent_sid();
6392 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6393 PROCESS__PTRACE, NULL);
6412 static int selinux_ismaclabel(const char *name)
6414 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6417 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6419 return security_sid_to_context(secid,
6423 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6425 return security_context_to_sid(secdata, seclen,
6429 static void selinux_release_secctx(char *secdata, u32 seclen)
6434 static void selinux_inode_invalidate_secctx(struct inode *inode)
6436 struct inode_security_struct *isec = selinux_inode(inode);
6438 spin_lock(&isec->lock);
6439 isec->initialized = LABEL_INVALID;
6440 spin_unlock(&isec->lock);
6444 * called with inode->i_mutex locked
6446 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6448 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6450 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6451 return rc == -EOPNOTSUPP ? 0 : rc;
6455 * called with inode->i_mutex locked
6457 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6459 return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
6463 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6466 len = selinux_inode_getsecurity(&nop_mnt_idmap, inode,
6467 XATTR_SELINUX_SUFFIX, ctx, true);
6475 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6476 unsigned long flags)
6478 const struct task_security_struct *tsec;
6479 struct key_security_struct *ksec;
6481 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6485 tsec = selinux_cred(cred);
6486 if (tsec->keycreate_sid)
6487 ksec->sid = tsec->keycreate_sid;
6489 ksec->sid = tsec->sid;
6495 static void selinux_key_free(struct key *k)
6497 struct key_security_struct *ksec = k->security;
6503 static int selinux_key_permission(key_ref_t key_ref,
6504 const struct cred *cred,
6505 enum key_need_perm need_perm)
6508 struct key_security_struct *ksec;
6511 switch (need_perm) {
6518 case KEY_NEED_WRITE:
6521 case KEY_NEED_SEARCH:
6527 case KEY_NEED_SETATTR:
6528 perm = KEY__SETATTR;
6530 case KEY_NEED_UNLINK:
6531 case KEY_SYSADMIN_OVERRIDE:
6532 case KEY_AUTHTOKEN_OVERRIDE:
6533 case KEY_DEFER_PERM_CHECK:
6541 sid = cred_sid(cred);
6542 key = key_ref_to_ptr(key_ref);
6543 ksec = key->security;
6545 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6548 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6550 struct key_security_struct *ksec = key->security;
6551 char *context = NULL;
6555 rc = security_sid_to_context(ksec->sid,
6563 #ifdef CONFIG_KEY_NOTIFICATIONS
6564 static int selinux_watch_key(struct key *key)
6566 struct key_security_struct *ksec = key->security;
6567 u32 sid = current_sid();
6569 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6574 #ifdef CONFIG_SECURITY_INFINIBAND
6575 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6577 struct common_audit_data ad;
6580 struct ib_security_struct *sec = ib_sec;
6581 struct lsm_ibpkey_audit ibpkey;
6583 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6587 ad.type = LSM_AUDIT_DATA_IBPKEY;
6588 ibpkey.subnet_prefix = subnet_prefix;
6589 ibpkey.pkey = pkey_val;
6590 ad.u.ibpkey = &ibpkey;
6591 return avc_has_perm(sec->sid, sid,
6592 SECCLASS_INFINIBAND_PKEY,
6593 INFINIBAND_PKEY__ACCESS, &ad);
6596 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6599 struct common_audit_data ad;
6602 struct ib_security_struct *sec = ib_sec;
6603 struct lsm_ibendport_audit ibendport;
6605 err = security_ib_endport_sid(dev_name, port_num,
6611 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6612 ibendport.dev_name = dev_name;
6613 ibendport.port = port_num;
6614 ad.u.ibendport = &ibendport;
6615 return avc_has_perm(sec->sid, sid,
6616 SECCLASS_INFINIBAND_ENDPORT,
6617 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6620 static int selinux_ib_alloc_security(void **ib_sec)
6622 struct ib_security_struct *sec;
6624 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6627 sec->sid = current_sid();
6633 static void selinux_ib_free_security(void *ib_sec)
6639 #ifdef CONFIG_BPF_SYSCALL
6640 static int selinux_bpf(int cmd, union bpf_attr *attr,
6643 u32 sid = current_sid();
6647 case BPF_MAP_CREATE:
6648 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6652 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6663 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6667 if (fmode & FMODE_READ)
6668 av |= BPF__MAP_READ;
6669 if (fmode & FMODE_WRITE)
6670 av |= BPF__MAP_WRITE;
6674 /* This function will check the file pass through unix socket or binder to see
6675 * if it is a bpf related object. And apply corresponding checks on the bpf
6676 * object based on the type. The bpf maps and programs, not like other files and
6677 * socket, are using a shared anonymous inode inside the kernel as their inode.
6678 * So checking that inode cannot identify if the process have privilege to
6679 * access the bpf object and that's why we have to add this additional check in
6680 * selinux_file_receive and selinux_binder_transfer_files.
6682 static int bpf_fd_pass(struct file *file, u32 sid)
6684 struct bpf_security_struct *bpfsec;
6685 struct bpf_prog *prog;
6686 struct bpf_map *map;
6689 if (file->f_op == &bpf_map_fops) {
6690 map = file->private_data;
6691 bpfsec = map->security;
6692 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6693 bpf_map_fmode_to_av(file->f_mode), NULL);
6696 } else if (file->f_op == &bpf_prog_fops) {
6697 prog = file->private_data;
6698 bpfsec = prog->aux->security;
6699 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6700 BPF__PROG_RUN, NULL);
6707 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6709 u32 sid = current_sid();
6710 struct bpf_security_struct *bpfsec;
6712 bpfsec = map->security;
6713 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6714 bpf_map_fmode_to_av(fmode), NULL);
6717 static int selinux_bpf_prog(struct bpf_prog *prog)
6719 u32 sid = current_sid();
6720 struct bpf_security_struct *bpfsec;
6722 bpfsec = prog->aux->security;
6723 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6724 BPF__PROG_RUN, NULL);
6727 static int selinux_bpf_map_alloc(struct bpf_map *map)
6729 struct bpf_security_struct *bpfsec;
6731 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6735 bpfsec->sid = current_sid();
6736 map->security = bpfsec;
6741 static void selinux_bpf_map_free(struct bpf_map *map)
6743 struct bpf_security_struct *bpfsec = map->security;
6745 map->security = NULL;
6749 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6751 struct bpf_security_struct *bpfsec;
6753 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6757 bpfsec->sid = current_sid();
6758 aux->security = bpfsec;
6763 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6765 struct bpf_security_struct *bpfsec = aux->security;
6767 aux->security = NULL;
6772 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
6773 .lbs_cred = sizeof(struct task_security_struct),
6774 .lbs_file = sizeof(struct file_security_struct),
6775 .lbs_inode = sizeof(struct inode_security_struct),
6776 .lbs_ipc = sizeof(struct ipc_security_struct),
6777 .lbs_msg_msg = sizeof(struct msg_security_struct),
6778 .lbs_superblock = sizeof(struct superblock_security_struct),
6781 #ifdef CONFIG_PERF_EVENTS
6782 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6784 u32 requested, sid = current_sid();
6786 if (type == PERF_SECURITY_OPEN)
6787 requested = PERF_EVENT__OPEN;
6788 else if (type == PERF_SECURITY_CPU)
6789 requested = PERF_EVENT__CPU;
6790 else if (type == PERF_SECURITY_KERNEL)
6791 requested = PERF_EVENT__KERNEL;
6792 else if (type == PERF_SECURITY_TRACEPOINT)
6793 requested = PERF_EVENT__TRACEPOINT;
6797 return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT,
6801 static int selinux_perf_event_alloc(struct perf_event *event)
6803 struct perf_event_security_struct *perfsec;
6805 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6809 perfsec->sid = current_sid();
6810 event->security = perfsec;
6815 static void selinux_perf_event_free(struct perf_event *event)
6817 struct perf_event_security_struct *perfsec = event->security;
6819 event->security = NULL;
6823 static int selinux_perf_event_read(struct perf_event *event)
6825 struct perf_event_security_struct *perfsec = event->security;
6826 u32 sid = current_sid();
6828 return avc_has_perm(sid, perfsec->sid,
6829 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6832 static int selinux_perf_event_write(struct perf_event *event)
6834 struct perf_event_security_struct *perfsec = event->security;
6835 u32 sid = current_sid();
6837 return avc_has_perm(sid, perfsec->sid,
6838 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6842 #ifdef CONFIG_IO_URING
6844 * selinux_uring_override_creds - check the requested cred override
6845 * @new: the target creds
6847 * Check to see if the current task is allowed to override it's credentials
6848 * to service an io_uring operation.
6850 static int selinux_uring_override_creds(const struct cred *new)
6852 return avc_has_perm(current_sid(), cred_sid(new),
6853 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
6857 * selinux_uring_sqpoll - check if a io_uring polling thread can be created
6859 * Check to see if the current task is allowed to create a new io_uring
6860 * kernel polling thread.
6862 static int selinux_uring_sqpoll(void)
6864 int sid = current_sid();
6866 return avc_has_perm(sid, sid,
6867 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
6871 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
6872 * @ioucmd: the io_uring command structure
6874 * Check to see if the current domain is allowed to execute an
6875 * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
6878 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
6880 struct file *file = ioucmd->file;
6881 struct inode *inode = file_inode(file);
6882 struct inode_security_struct *isec = selinux_inode(inode);
6883 struct common_audit_data ad;
6885 ad.type = LSM_AUDIT_DATA_FILE;
6888 return avc_has_perm(current_sid(), isec->sid,
6889 SECCLASS_IO_URING, IO_URING__CMD, &ad);
6891 #endif /* CONFIG_IO_URING */
6894 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
6895 * 1. any hooks that don't belong to (2.) or (3.) below,
6896 * 2. hooks that both access structures allocated by other hooks, and allocate
6897 * structures that can be later accessed by other hooks (mostly "cloning"
6899 * 3. hooks that only allocate structures that can be later accessed by other
6900 * hooks ("allocating" hooks).
6902 * Please follow block comment delimiters in the list to keep this order.
6904 * This ordering is needed for SELinux runtime disable to work at least somewhat
6905 * safely. Breaking the ordering rules above might lead to NULL pointer derefs
6906 * when disabling SELinux at runtime.
6908 static struct security_hook_list selinux_hooks[] __ro_after_init = {
6909 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6910 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6911 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6912 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6914 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6915 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6916 LSM_HOOK_INIT(capget, selinux_capget),
6917 LSM_HOOK_INIT(capset, selinux_capset),
6918 LSM_HOOK_INIT(capable, selinux_capable),
6919 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6920 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6921 LSM_HOOK_INIT(syslog, selinux_syslog),
6922 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6924 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6926 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
6927 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6928 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6930 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6931 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
6932 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6933 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6934 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6935 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6936 LSM_HOOK_INIT(sb_mount, selinux_mount),
6937 LSM_HOOK_INIT(sb_umount, selinux_umount),
6938 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6939 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6941 LSM_HOOK_INIT(move_mount, selinux_move_mount),
6943 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6944 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6946 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6947 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6948 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
6949 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6950 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6951 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6952 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6953 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6954 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6955 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6956 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6957 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6958 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6959 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6960 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6961 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6962 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6963 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6964 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6965 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6966 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6967 LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
6968 LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
6969 LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
6970 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6971 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6972 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6973 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6974 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6975 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6976 LSM_HOOK_INIT(path_notify, selinux_path_notify),
6978 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
6980 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6981 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6982 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6983 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6984 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6985 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6986 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6987 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6988 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6989 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6990 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6992 LSM_HOOK_INIT(file_open, selinux_file_open),
6994 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6995 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6996 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6997 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6998 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6999 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7000 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7001 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7002 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7003 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7004 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7005 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7006 LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7007 LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7008 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7009 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7010 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7011 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7012 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7013 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7014 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7015 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7016 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7017 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7018 LSM_HOOK_INIT(userns_create, selinux_userns_create),
7020 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7021 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7023 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7024 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7025 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7026 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7028 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7029 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7030 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7032 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7033 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7034 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7036 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7038 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7039 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7041 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7042 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7043 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7044 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7045 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7046 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7048 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7049 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7051 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7052 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7053 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7054 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7055 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7056 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7057 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7058 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7059 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7060 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7061 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7062 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7063 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7064 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7065 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7066 LSM_HOOK_INIT(socket_getpeersec_stream,
7067 selinux_socket_getpeersec_stream),
7068 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7069 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7070 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7071 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7072 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7073 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7074 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7075 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7076 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7077 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7078 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7079 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7080 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7081 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7082 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7083 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7084 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7085 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7086 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7087 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7088 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7089 #ifdef CONFIG_SECURITY_INFINIBAND
7090 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7091 LSM_HOOK_INIT(ib_endport_manage_subnet,
7092 selinux_ib_endport_manage_subnet),
7093 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7095 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7096 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7097 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7098 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7099 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7100 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7101 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7102 selinux_xfrm_state_pol_flow_match),
7103 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7107 LSM_HOOK_INIT(key_free, selinux_key_free),
7108 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7109 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7110 #ifdef CONFIG_KEY_NOTIFICATIONS
7111 LSM_HOOK_INIT(watch_key, selinux_watch_key),
7116 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7117 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7118 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7121 #ifdef CONFIG_BPF_SYSCALL
7122 LSM_HOOK_INIT(bpf, selinux_bpf),
7123 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7124 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7125 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7126 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7129 #ifdef CONFIG_PERF_EVENTS
7130 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7131 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7132 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7133 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7136 #ifdef CONFIG_IO_URING
7137 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7138 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7139 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7143 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7145 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7146 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7147 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7148 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7149 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7153 * PUT "ALLOCATING" HOOKS HERE
7155 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7156 LSM_HOOK_INIT(msg_queue_alloc_security,
7157 selinux_msg_queue_alloc_security),
7158 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7159 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7160 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7161 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7162 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7163 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7164 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7165 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7166 #ifdef CONFIG_SECURITY_INFINIBAND
7167 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7169 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7170 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7171 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7172 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7173 selinux_xfrm_state_alloc_acquire),
7176 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7179 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7181 #ifdef CONFIG_BPF_SYSCALL
7182 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7183 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7185 #ifdef CONFIG_PERF_EVENTS
7186 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7190 static __init int selinux_init(void)
7192 pr_info("SELinux: Initializing.\n");
7194 memset(&selinux_state, 0, sizeof(selinux_state));
7195 enforcing_set(selinux_enforcing_boot);
7197 mutex_init(&selinux_state.status_lock);
7198 mutex_init(&selinux_state.policy_mutex);
7200 /* Set the security state for the initial task. */
7201 cred_init_security();
7203 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7209 ebitmap_cache_init();
7211 hashtab_cache_init();
7213 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7215 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7216 panic("SELinux: Unable to register AVC netcache callback\n");
7218 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7219 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7221 if (selinux_enforcing_boot)
7222 pr_debug("SELinux: Starting in enforcing mode\n");
7224 pr_debug("SELinux: Starting in permissive mode\n");
7226 fs_validate_description("selinux", selinux_fs_parameters);
7231 static void delayed_superblock_init(struct super_block *sb, void *unused)
7233 selinux_set_mnt_opts(sb, NULL, 0, NULL);
7236 void selinux_complete_init(void)
7238 pr_debug("SELinux: Completing initialization.\n");
7240 /* Set up any superblocks initialized prior to the policy load. */
7241 pr_debug("SELinux: Setting up existing superblocks.\n");
7242 iterate_supers(delayed_superblock_init, NULL);
7245 /* SELinux requires early initialization in order to label
7246 all processes and objects when they are created. */
7247 DEFINE_LSM(selinux) = {
7249 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7250 .enabled = &selinux_enabled_boot,
7251 .blobs = &selinux_blob_sizes,
7252 .init = selinux_init,
7255 #if defined(CONFIG_NETFILTER)
7256 static const struct nf_hook_ops selinux_nf_ops[] = {
7258 .hook = selinux_ip_postroute,
7260 .hooknum = NF_INET_POST_ROUTING,
7261 .priority = NF_IP_PRI_SELINUX_LAST,
7264 .hook = selinux_ip_forward,
7266 .hooknum = NF_INET_FORWARD,
7267 .priority = NF_IP_PRI_SELINUX_FIRST,
7270 .hook = selinux_ip_output,
7272 .hooknum = NF_INET_LOCAL_OUT,
7273 .priority = NF_IP_PRI_SELINUX_FIRST,
7275 #if IS_ENABLED(CONFIG_IPV6)
7277 .hook = selinux_ip_postroute,
7279 .hooknum = NF_INET_POST_ROUTING,
7280 .priority = NF_IP6_PRI_SELINUX_LAST,
7283 .hook = selinux_ip_forward,
7285 .hooknum = NF_INET_FORWARD,
7286 .priority = NF_IP6_PRI_SELINUX_FIRST,
7289 .hook = selinux_ip_output,
7291 .hooknum = NF_INET_LOCAL_OUT,
7292 .priority = NF_IP6_PRI_SELINUX_FIRST,
7297 static int __net_init selinux_nf_register(struct net *net)
7299 return nf_register_net_hooks(net, selinux_nf_ops,
7300 ARRAY_SIZE(selinux_nf_ops));
7303 static void __net_exit selinux_nf_unregister(struct net *net)
7305 nf_unregister_net_hooks(net, selinux_nf_ops,
7306 ARRAY_SIZE(selinux_nf_ops));
7309 static struct pernet_operations selinux_net_ops = {
7310 .init = selinux_nf_register,
7311 .exit = selinux_nf_unregister,
7314 static int __init selinux_nf_ip_init(void)
7318 if (!selinux_enabled_boot)
7321 pr_debug("SELinux: Registering netfilter hooks\n");
7323 err = register_pernet_subsys(&selinux_net_ops);
7325 panic("SELinux: register_pernet_subsys: error %d\n", err);
7329 __initcall(selinux_nf_ip_init);
7330 #endif /* CONFIG_NETFILTER */
projects / linux.git / blob