2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
103 struct selinux_state selinux_state;
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
111 static int __init enforcing_setup(char *str)
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
118 __setup("enforcing=", enforcing_setup);
120 #define selinux_enforcing_boot 1
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
126 static int __init selinux_enabled_setup(char *str)
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
133 __setup("selinux=", selinux_enabled_setup);
135 int selinux_enabled = 1;
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 static int __init checkreqprot_setup(char *str)
143 unsigned long checkreqprot;
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
149 __setup("checkreqprot=", checkreqprot_setup);
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
165 static int selinux_secmark_enabled(void)
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
181 static int selinux_peerlbl_enabled(void)
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
187 static int selinux_netcache_avc_callback(u32 event)
189 if (event == AVC_CALLBACK_RESET) {
198 static int selinux_lsm_notifier_avc_callback(u32 event)
200 if (event == AVC_CALLBACK_RESET) {
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
209 * initialise the security for the init task
211 static void cred_init_security(void)
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
218 panic("SELinux: Failed to initialize initial task.\n");
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
225 * get the security ID of a set of credentials
227 static inline u32 cred_sid(const struct cred *cred)
229 const struct task_security_struct *tsec;
231 tsec = cred->security;
236 * get the objective security ID of a task
238 static inline u32 task_sid(const struct task_struct *task)
243 sid = cred_sid(__task_cred(task));
248 /* Allocate and free functions for each kind of security blob. */
250 static int inode_alloc_security(struct inode *inode)
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
278 * when no dentry is available, set it to NULL instead.
280 static int __inode_security_revalidate(struct inode *inode,
281 struct dentry *opt_dentry,
284 struct inode_security_struct *isec = inode->i_security;
286 might_sleep_if(may_sleep);
288 if (selinux_state.initialized &&
289 isec->initialized != LABEL_INITIALIZED) {
294 * Try reloading the inode security label. This will fail if
295 * @opt_dentry is NULL and no dentry for this inode can be
296 * found; in that case, continue using the old label.
298 inode_doinit_with_dentry(inode, opt_dentry);
303 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
305 return inode->i_security;
308 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
312 error = __inode_security_revalidate(inode, NULL, !rcu);
314 return ERR_PTR(error);
315 return inode->i_security;
319 * Get the security label of an inode.
321 static struct inode_security_struct *inode_security(struct inode *inode)
323 __inode_security_revalidate(inode, NULL, true);
324 return inode->i_security;
327 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
329 struct inode *inode = d_backing_inode(dentry);
331 return inode->i_security;
335 * Get the security label of a dentry's backing inode.
337 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
339 struct inode *inode = d_backing_inode(dentry);
341 __inode_security_revalidate(inode, dentry, true);
342 return inode->i_security;
345 static void inode_free_rcu(struct rcu_head *head)
347 struct inode_security_struct *isec;
349 isec = container_of(head, struct inode_security_struct, rcu);
350 kmem_cache_free(sel_inode_cache, isec);
353 static void inode_free_security(struct inode *inode)
355 struct inode_security_struct *isec = inode->i_security;
356 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
359 * As not all inode security structures are in a list, we check for
360 * empty list outside of the lock to make sure that we won't waste
361 * time taking a lock doing nothing.
363 * The list_del_init() function can be safely called more than once.
364 * It should not be possible for this function to be called with
365 * concurrent list_add(), but for better safety against future changes
366 * in the code, we use list_empty_careful() here.
368 if (!list_empty_careful(&isec->list)) {
369 spin_lock(&sbsec->isec_lock);
370 list_del_init(&isec->list);
371 spin_unlock(&sbsec->isec_lock);
375 * The inode may still be referenced in a path walk and
376 * a call to selinux_inode_permission() can be made
377 * after inode_free_security() is called. Ideally, the VFS
378 * wouldn't do this, but fixing that is a much harder
379 * job. For now, simply free the i_security via RCU, and
380 * leave the current inode->i_security pointer intact.
381 * The inode will be freed after the RCU grace period too.
383 call_rcu(&isec->rcu, inode_free_rcu);
386 static int file_alloc_security(struct file *file)
388 struct file_security_struct *fsec;
389 u32 sid = current_sid();
391 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
396 fsec->fown_sid = sid;
397 file->f_security = fsec;
402 static void file_free_security(struct file *file)
404 struct file_security_struct *fsec = file->f_security;
405 file->f_security = NULL;
406 kmem_cache_free(file_security_cache, fsec);
409 static int superblock_alloc_security(struct super_block *sb)
411 struct superblock_security_struct *sbsec;
413 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
417 mutex_init(&sbsec->lock);
418 INIT_LIST_HEAD(&sbsec->isec_head);
419 spin_lock_init(&sbsec->isec_lock);
421 sbsec->sid = SECINITSID_UNLABELED;
422 sbsec->def_sid = SECINITSID_FILE;
423 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
424 sb->s_security = sbsec;
429 static void superblock_free_security(struct super_block *sb)
431 struct superblock_security_struct *sbsec = sb->s_security;
432 sb->s_security = NULL;
436 static inline int inode_doinit(struct inode *inode)
438 return inode_doinit_with_dentry(inode, NULL);
447 Opt_labelsupport = 5,
451 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
453 static const match_table_t tokens = {
454 {Opt_context, CONTEXT_STR "%s"},
455 {Opt_fscontext, FSCONTEXT_STR "%s"},
456 {Opt_defcontext, DEFCONTEXT_STR "%s"},
457 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
458 {Opt_labelsupport, LABELSUPP_STR},
462 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
464 static int may_context_mount_sb_relabel(u32 sid,
465 struct superblock_security_struct *sbsec,
466 const struct cred *cred)
468 const struct task_security_struct *tsec = cred->security;
471 rc = avc_has_perm(&selinux_state,
472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 FILESYSTEM__RELABELFROM, NULL);
477 rc = avc_has_perm(&selinux_state,
478 tsec->sid, sid, SECCLASS_FILESYSTEM,
479 FILESYSTEM__RELABELTO, NULL);
483 static int may_context_mount_inode_relabel(u32 sid,
484 struct superblock_security_struct *sbsec,
485 const struct cred *cred)
487 const struct task_security_struct *tsec = cred->security;
489 rc = avc_has_perm(&selinux_state,
490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
491 FILESYSTEM__RELABELFROM, NULL);
495 rc = avc_has_perm(&selinux_state,
496 sid, sbsec->sid, SECCLASS_FILESYSTEM,
497 FILESYSTEM__ASSOCIATE, NULL);
501 static int selinux_is_sblabel_mnt(struct super_block *sb)
503 struct superblock_security_struct *sbsec = sb->s_security;
505 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
506 sbsec->behavior == SECURITY_FS_USE_TRANS ||
507 sbsec->behavior == SECURITY_FS_USE_TASK ||
508 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
509 /* Special handling. Genfs but also in-core setxattr handler */
510 !strcmp(sb->s_type->name, "sysfs") ||
511 !strcmp(sb->s_type->name, "pstore") ||
512 !strcmp(sb->s_type->name, "debugfs") ||
513 !strcmp(sb->s_type->name, "tracefs") ||
514 !strcmp(sb->s_type->name, "rootfs") ||
515 (selinux_policycap_cgroupseclabel() &&
516 (!strcmp(sb->s_type->name, "cgroup") ||
517 !strcmp(sb->s_type->name, "cgroup2")));
520 static int sb_finish_set_opts(struct super_block *sb)
522 struct superblock_security_struct *sbsec = sb->s_security;
523 struct dentry *root = sb->s_root;
524 struct inode *root_inode = d_backing_inode(root);
527 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
528 /* Make sure that the xattr handler exists and that no
529 error other than -ENODATA is returned by getxattr on
530 the root directory. -ENODATA is ok, as this may be
531 the first boot of the SELinux kernel before we have
532 assigned xattr values to the filesystem. */
533 if (!(root_inode->i_opflags & IOP_XATTR)) {
534 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
535 "xattr support\n", sb->s_id, sb->s_type->name);
540 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
541 if (rc < 0 && rc != -ENODATA) {
542 if (rc == -EOPNOTSUPP)
543 printk(KERN_WARNING "SELinux: (dev %s, type "
544 "%s) has no security xattr handler\n",
545 sb->s_id, sb->s_type->name);
547 printk(KERN_WARNING "SELinux: (dev %s, type "
548 "%s) getxattr errno %d\n", sb->s_id,
549 sb->s_type->name, -rc);
554 sbsec->flags |= SE_SBINITIALIZED;
557 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
558 * leave the flag untouched because sb_clone_mnt_opts might be handing
559 * us a superblock that needs the flag to be cleared.
561 if (selinux_is_sblabel_mnt(sb))
562 sbsec->flags |= SBLABEL_MNT;
564 sbsec->flags &= ~SBLABEL_MNT;
566 /* Initialize the root inode. */
567 rc = inode_doinit_with_dentry(root_inode, root);
569 /* Initialize any other inodes associated with the superblock, e.g.
570 inodes created prior to initial policy load or inodes created
571 during get_sb by a pseudo filesystem that directly
573 spin_lock(&sbsec->isec_lock);
575 if (!list_empty(&sbsec->isec_head)) {
576 struct inode_security_struct *isec =
577 list_entry(sbsec->isec_head.next,
578 struct inode_security_struct, list);
579 struct inode *inode = isec->inode;
580 list_del_init(&isec->list);
581 spin_unlock(&sbsec->isec_lock);
582 inode = igrab(inode);
584 if (!IS_PRIVATE(inode))
588 spin_lock(&sbsec->isec_lock);
591 spin_unlock(&sbsec->isec_lock);
597 * This function should allow an FS to ask what it's mount security
598 * options were so it can use those later for submounts, displaying
599 * mount options, or whatever.
601 static int selinux_get_mnt_opts(const struct super_block *sb,
602 struct security_mnt_opts *opts)
605 struct superblock_security_struct *sbsec = sb->s_security;
606 char *context = NULL;
610 security_init_mnt_opts(opts);
612 if (!(sbsec->flags & SE_SBINITIALIZED))
615 if (!selinux_state.initialized)
618 /* make sure we always check enough bits to cover the mask */
619 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
621 tmp = sbsec->flags & SE_MNTMASK;
622 /* count the number of mount options for this sb */
623 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
625 opts->num_mnt_opts++;
628 /* Check if the Label support flag is set */
629 if (sbsec->flags & SBLABEL_MNT)
630 opts->num_mnt_opts++;
632 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
633 if (!opts->mnt_opts) {
638 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
639 if (!opts->mnt_opts_flags) {
645 if (sbsec->flags & FSCONTEXT_MNT) {
646 rc = security_sid_to_context(&selinux_state, sbsec->sid,
650 opts->mnt_opts[i] = context;
651 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
653 if (sbsec->flags & CONTEXT_MNT) {
654 rc = security_sid_to_context(&selinux_state,
659 opts->mnt_opts[i] = context;
660 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
662 if (sbsec->flags & DEFCONTEXT_MNT) {
663 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
667 opts->mnt_opts[i] = context;
668 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
670 if (sbsec->flags & ROOTCONTEXT_MNT) {
671 struct dentry *root = sbsec->sb->s_root;
672 struct inode_security_struct *isec = backing_inode_security(root);
674 rc = security_sid_to_context(&selinux_state, isec->sid,
678 opts->mnt_opts[i] = context;
679 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
681 if (sbsec->flags & SBLABEL_MNT) {
682 opts->mnt_opts[i] = NULL;
683 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
686 BUG_ON(i != opts->num_mnt_opts);
691 security_free_mnt_opts(opts);
695 static int bad_option(struct superblock_security_struct *sbsec, char flag,
696 u32 old_sid, u32 new_sid)
698 char mnt_flags = sbsec->flags & SE_MNTMASK;
700 /* check if the old mount command had the same options */
701 if (sbsec->flags & SE_SBINITIALIZED)
702 if (!(sbsec->flags & flag) ||
703 (old_sid != new_sid))
706 /* check if we were passed the same options twice,
707 * aka someone passed context=a,context=b
709 if (!(sbsec->flags & SE_SBINITIALIZED))
710 if (mnt_flags & flag)
716 * Allow filesystems with binary mount data to explicitly set mount point
717 * labeling information.
719 static int selinux_set_mnt_opts(struct super_block *sb,
720 struct security_mnt_opts *opts,
721 unsigned long kern_flags,
722 unsigned long *set_kern_flags)
724 const struct cred *cred = current_cred();
726 struct superblock_security_struct *sbsec = sb->s_security;
727 const char *name = sb->s_type->name;
728 struct dentry *root = sbsec->sb->s_root;
729 struct inode_security_struct *root_isec;
730 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
731 u32 defcontext_sid = 0;
732 char **mount_options = opts->mnt_opts;
733 int *flags = opts->mnt_opts_flags;
734 int num_opts = opts->num_mnt_opts;
736 mutex_lock(&sbsec->lock);
738 if (!selinux_state.initialized) {
740 /* Defer initialization until selinux_complete_init,
741 after the initial policy is loaded and the security
742 server is ready to handle calls. */
746 printk(KERN_WARNING "SELinux: Unable to set superblock options "
747 "before the security server is initialized\n");
750 if (kern_flags && !set_kern_flags) {
751 /* Specifying internal flags without providing a place to
752 * place the results is not allowed */
758 * Binary mount data FS will come through this function twice. Once
759 * from an explicit call and once from the generic calls from the vfs.
760 * Since the generic VFS calls will not contain any security mount data
761 * we need to skip the double mount verification.
763 * This does open a hole in which we will not notice if the first
764 * mount using this sb set explict options and a second mount using
765 * this sb does not set any security options. (The first options
766 * will be used for both mounts)
768 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
772 root_isec = backing_inode_security_novalidate(root);
775 * parse the mount options, check if they are valid sids.
776 * also check if someone is trying to mount the same sb more
777 * than once with different security options.
779 for (i = 0; i < num_opts; i++) {
782 if (flags[i] == SBLABEL_MNT)
784 rc = security_context_str_to_sid(&selinux_state,
785 mount_options[i], &sid,
788 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
789 "(%s) failed for (dev %s, type %s) errno=%d\n",
790 mount_options[i], sb->s_id, name, rc);
797 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
799 goto out_double_mount;
801 sbsec->flags |= FSCONTEXT_MNT;
806 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
808 goto out_double_mount;
810 sbsec->flags |= CONTEXT_MNT;
812 case ROOTCONTEXT_MNT:
813 rootcontext_sid = sid;
815 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
817 goto out_double_mount;
819 sbsec->flags |= ROOTCONTEXT_MNT;
823 defcontext_sid = sid;
825 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
827 goto out_double_mount;
829 sbsec->flags |= DEFCONTEXT_MNT;
838 if (sbsec->flags & SE_SBINITIALIZED) {
839 /* previously mounted with options, but not on this attempt? */
840 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
841 goto out_double_mount;
846 if (strcmp(sb->s_type->name, "proc") == 0)
847 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
849 if (!strcmp(sb->s_type->name, "debugfs") ||
850 !strcmp(sb->s_type->name, "tracefs") ||
851 !strcmp(sb->s_type->name, "sysfs") ||
852 !strcmp(sb->s_type->name, "pstore") ||
853 !strcmp(sb->s_type->name, "cgroup") ||
854 !strcmp(sb->s_type->name, "cgroup2"))
855 sbsec->flags |= SE_SBGENFS;
857 if (!sbsec->behavior) {
859 * Determine the labeling behavior to use for this
862 rc = security_fs_use(&selinux_state, sb);
865 "%s: security_fs_use(%s) returned %d\n",
866 __func__, sb->s_type->name, rc);
872 * If this is a user namespace mount and the filesystem type is not
873 * explicitly whitelisted, then no contexts are allowed on the command
874 * line and security labels must be ignored.
876 if (sb->s_user_ns != &init_user_ns &&
877 strcmp(sb->s_type->name, "tmpfs") &&
878 strcmp(sb->s_type->name, "ramfs") &&
879 strcmp(sb->s_type->name, "devpts")) {
880 if (context_sid || fscontext_sid || rootcontext_sid ||
885 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
886 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
887 rc = security_transition_sid(&selinux_state,
891 &sbsec->mntpoint_sid);
898 /* sets the context of the superblock for the fs being mounted. */
900 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
904 sbsec->sid = fscontext_sid;
908 * Switch to using mount point labeling behavior.
909 * sets the label used on all file below the mountpoint, and will set
910 * the superblock context if not already set.
912 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
913 sbsec->behavior = SECURITY_FS_USE_NATIVE;
914 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
918 if (!fscontext_sid) {
919 rc = may_context_mount_sb_relabel(context_sid, sbsec,
923 sbsec->sid = context_sid;
925 rc = may_context_mount_inode_relabel(context_sid, sbsec,
930 if (!rootcontext_sid)
931 rootcontext_sid = context_sid;
933 sbsec->mntpoint_sid = context_sid;
934 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
937 if (rootcontext_sid) {
938 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
943 root_isec->sid = rootcontext_sid;
944 root_isec->initialized = LABEL_INITIALIZED;
947 if (defcontext_sid) {
948 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
949 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
951 printk(KERN_WARNING "SELinux: defcontext option is "
952 "invalid for this filesystem type\n");
956 if (defcontext_sid != sbsec->def_sid) {
957 rc = may_context_mount_inode_relabel(defcontext_sid,
963 sbsec->def_sid = defcontext_sid;
967 rc = sb_finish_set_opts(sb);
969 mutex_unlock(&sbsec->lock);
973 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
974 "security settings for (dev %s, type %s)\n", sb->s_id, name);
978 static int selinux_cmp_sb_context(const struct super_block *oldsb,
979 const struct super_block *newsb)
981 struct superblock_security_struct *old = oldsb->s_security;
982 struct superblock_security_struct *new = newsb->s_security;
983 char oldflags = old->flags & SE_MNTMASK;
984 char newflags = new->flags & SE_MNTMASK;
986 if (oldflags != newflags)
988 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
990 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
992 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
994 if (oldflags & ROOTCONTEXT_MNT) {
995 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
996 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
997 if (oldroot->sid != newroot->sid)
1002 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
1003 "different security settings for (dev %s, "
1004 "type %s)\n", newsb->s_id, newsb->s_type->name);
1008 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1009 struct super_block *newsb,
1010 unsigned long kern_flags,
1011 unsigned long *set_kern_flags)
1014 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1015 struct superblock_security_struct *newsbsec = newsb->s_security;
1017 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1018 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1019 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1022 * if the parent was able to be mounted it clearly had no special lsm
1023 * mount options. thus we can safely deal with this superblock later
1025 if (!selinux_state.initialized)
1029 * Specifying internal flags without providing a place to
1030 * place the results is not allowed.
1032 if (kern_flags && !set_kern_flags)
1035 /* how can we clone if the old one wasn't set up?? */
1036 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1038 /* if fs is reusing a sb, make sure that the contexts match */
1039 if (newsbsec->flags & SE_SBINITIALIZED)
1040 return selinux_cmp_sb_context(oldsb, newsb);
1042 mutex_lock(&newsbsec->lock);
1044 newsbsec->flags = oldsbsec->flags;
1046 newsbsec->sid = oldsbsec->sid;
1047 newsbsec->def_sid = oldsbsec->def_sid;
1048 newsbsec->behavior = oldsbsec->behavior;
1050 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1051 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1052 rc = security_fs_use(&selinux_state, newsb);
1057 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1058 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1059 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1063 u32 sid = oldsbsec->mntpoint_sid;
1066 newsbsec->sid = sid;
1067 if (!set_rootcontext) {
1068 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1071 newsbsec->mntpoint_sid = sid;
1073 if (set_rootcontext) {
1074 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1075 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1077 newisec->sid = oldisec->sid;
1080 sb_finish_set_opts(newsb);
1082 mutex_unlock(&newsbsec->lock);
1086 static int selinux_parse_opts_str(char *options,
1087 struct security_mnt_opts *opts)
1090 char *context = NULL, *defcontext = NULL;
1091 char *fscontext = NULL, *rootcontext = NULL;
1092 int rc, num_mnt_opts = 0;
1094 opts->num_mnt_opts = 0;
1096 /* Standard string-based options. */
1097 while ((p = strsep(&options, "|")) != NULL) {
1099 substring_t args[MAX_OPT_ARGS];
1104 token = match_token(p, tokens, args);
1108 if (context || defcontext) {
1110 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1113 context = match_strdup(&args[0]);
1123 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1126 fscontext = match_strdup(&args[0]);
1133 case Opt_rootcontext:
1136 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1139 rootcontext = match_strdup(&args[0]);
1146 case Opt_defcontext:
1147 if (context || defcontext) {
1149 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1152 defcontext = match_strdup(&args[0]);
1158 case Opt_labelsupport:
1162 printk(KERN_WARNING "SELinux: unknown mount option\n");
1169 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1170 if (!opts->mnt_opts)
1173 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1175 if (!opts->mnt_opts_flags)
1179 opts->mnt_opts[num_mnt_opts] = fscontext;
1180 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1183 opts->mnt_opts[num_mnt_opts] = context;
1184 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1187 opts->mnt_opts[num_mnt_opts] = rootcontext;
1188 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1191 opts->mnt_opts[num_mnt_opts] = defcontext;
1192 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1195 opts->num_mnt_opts = num_mnt_opts;
1199 security_free_mnt_opts(opts);
1207 * string mount options parsing and call set the sbsec
1209 static int superblock_doinit(struct super_block *sb, void *data)
1212 char *options = data;
1213 struct security_mnt_opts opts;
1215 security_init_mnt_opts(&opts);
1220 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1222 rc = selinux_parse_opts_str(options, &opts);
1227 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1230 security_free_mnt_opts(&opts);
1234 static void selinux_write_opts(struct seq_file *m,
1235 struct security_mnt_opts *opts)
1240 for (i = 0; i < opts->num_mnt_opts; i++) {
1243 if (opts->mnt_opts[i])
1244 has_comma = strchr(opts->mnt_opts[i], ',');
1248 switch (opts->mnt_opts_flags[i]) {
1250 prefix = CONTEXT_STR;
1253 prefix = FSCONTEXT_STR;
1255 case ROOTCONTEXT_MNT:
1256 prefix = ROOTCONTEXT_STR;
1258 case DEFCONTEXT_MNT:
1259 prefix = DEFCONTEXT_STR;
1263 seq_puts(m, LABELSUPP_STR);
1269 /* we need a comma before each option */
1271 seq_puts(m, prefix);
1274 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1280 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1282 struct security_mnt_opts opts;
1285 rc = selinux_get_mnt_opts(sb, &opts);
1287 /* before policy load we may get EINVAL, don't show anything */
1293 selinux_write_opts(m, &opts);
1295 security_free_mnt_opts(&opts);
1300 static inline u16 inode_mode_to_security_class(umode_t mode)
1302 switch (mode & S_IFMT) {
1304 return SECCLASS_SOCK_FILE;
1306 return SECCLASS_LNK_FILE;
1308 return SECCLASS_FILE;
1310 return SECCLASS_BLK_FILE;
1312 return SECCLASS_DIR;
1314 return SECCLASS_CHR_FILE;
1316 return SECCLASS_FIFO_FILE;
1320 return SECCLASS_FILE;
1323 static inline int default_protocol_stream(int protocol)
1325 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1328 static inline int default_protocol_dgram(int protocol)
1330 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1333 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1335 int extsockclass = selinux_policycap_extsockclass();
1341 case SOCK_SEQPACKET:
1342 return SECCLASS_UNIX_STREAM_SOCKET;
1345 return SECCLASS_UNIX_DGRAM_SOCKET;
1352 case SOCK_SEQPACKET:
1353 if (default_protocol_stream(protocol))
1354 return SECCLASS_TCP_SOCKET;
1355 else if (extsockclass && protocol == IPPROTO_SCTP)
1356 return SECCLASS_SCTP_SOCKET;
1358 return SECCLASS_RAWIP_SOCKET;
1360 if (default_protocol_dgram(protocol))
1361 return SECCLASS_UDP_SOCKET;
1362 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1363 protocol == IPPROTO_ICMPV6))
1364 return SECCLASS_ICMP_SOCKET;
1366 return SECCLASS_RAWIP_SOCKET;
1368 return SECCLASS_DCCP_SOCKET;
1370 return SECCLASS_RAWIP_SOCKET;
1376 return SECCLASS_NETLINK_ROUTE_SOCKET;
1377 case NETLINK_SOCK_DIAG:
1378 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1380 return SECCLASS_NETLINK_NFLOG_SOCKET;
1382 return SECCLASS_NETLINK_XFRM_SOCKET;
1383 case NETLINK_SELINUX:
1384 return SECCLASS_NETLINK_SELINUX_SOCKET;
1386 return SECCLASS_NETLINK_ISCSI_SOCKET;
1388 return SECCLASS_NETLINK_AUDIT_SOCKET;
1389 case NETLINK_FIB_LOOKUP:
1390 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1391 case NETLINK_CONNECTOR:
1392 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1393 case NETLINK_NETFILTER:
1394 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1395 case NETLINK_DNRTMSG:
1396 return SECCLASS_NETLINK_DNRT_SOCKET;
1397 case NETLINK_KOBJECT_UEVENT:
1398 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1399 case NETLINK_GENERIC:
1400 return SECCLASS_NETLINK_GENERIC_SOCKET;
1401 case NETLINK_SCSITRANSPORT:
1402 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1404 return SECCLASS_NETLINK_RDMA_SOCKET;
1405 case NETLINK_CRYPTO:
1406 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1408 return SECCLASS_NETLINK_SOCKET;
1411 return SECCLASS_PACKET_SOCKET;
1413 return SECCLASS_KEY_SOCKET;
1415 return SECCLASS_APPLETALK_SOCKET;
1421 return SECCLASS_AX25_SOCKET;
1423 return SECCLASS_IPX_SOCKET;
1425 return SECCLASS_NETROM_SOCKET;
1427 return SECCLASS_ATMPVC_SOCKET;
1429 return SECCLASS_X25_SOCKET;
1431 return SECCLASS_ROSE_SOCKET;
1433 return SECCLASS_DECNET_SOCKET;
1435 return SECCLASS_ATMSVC_SOCKET;
1437 return SECCLASS_RDS_SOCKET;
1439 return SECCLASS_IRDA_SOCKET;
1441 return SECCLASS_PPPOX_SOCKET;
1443 return SECCLASS_LLC_SOCKET;
1445 return SECCLASS_CAN_SOCKET;
1447 return SECCLASS_TIPC_SOCKET;
1449 return SECCLASS_BLUETOOTH_SOCKET;
1451 return SECCLASS_IUCV_SOCKET;
1453 return SECCLASS_RXRPC_SOCKET;
1455 return SECCLASS_ISDN_SOCKET;
1457 return SECCLASS_PHONET_SOCKET;
1459 return SECCLASS_IEEE802154_SOCKET;
1461 return SECCLASS_CAIF_SOCKET;
1463 return SECCLASS_ALG_SOCKET;
1465 return SECCLASS_NFC_SOCKET;
1467 return SECCLASS_VSOCK_SOCKET;
1469 return SECCLASS_KCM_SOCKET;
1471 return SECCLASS_QIPCRTR_SOCKET;
1473 return SECCLASS_SMC_SOCKET;
1475 return SECCLASS_XDP_SOCKET;
1477 #error New address family defined, please update this function.
1482 return SECCLASS_SOCKET;
1485 static int selinux_genfs_get_sid(struct dentry *dentry,
1491 struct super_block *sb = dentry->d_sb;
1492 char *buffer, *path;
1494 buffer = (char *)__get_free_page(GFP_KERNEL);
1498 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1502 if (flags & SE_SBPROC) {
1503 /* each process gets a /proc/PID/ entry. Strip off the
1504 * PID part to get a valid selinux labeling.
1505 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1506 while (path[1] >= '0' && path[1] <= '9') {
1511 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1514 free_page((unsigned long)buffer);
1518 /* The inode's security attributes must be initialized before first use. */
1519 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1521 struct superblock_security_struct *sbsec = NULL;
1522 struct inode_security_struct *isec = inode->i_security;
1523 u32 task_sid, sid = 0;
1525 struct dentry *dentry;
1526 #define INITCONTEXTLEN 255
1527 char *context = NULL;
1531 if (isec->initialized == LABEL_INITIALIZED)
1534 spin_lock(&isec->lock);
1535 if (isec->initialized == LABEL_INITIALIZED)
1538 if (isec->sclass == SECCLASS_FILE)
1539 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1541 sbsec = inode->i_sb->s_security;
1542 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1543 /* Defer initialization until selinux_complete_init,
1544 after the initial policy is loaded and the security
1545 server is ready to handle calls. */
1546 spin_lock(&sbsec->isec_lock);
1547 if (list_empty(&isec->list))
1548 list_add(&isec->list, &sbsec->isec_head);
1549 spin_unlock(&sbsec->isec_lock);
1553 sclass = isec->sclass;
1554 task_sid = isec->task_sid;
1556 isec->initialized = LABEL_PENDING;
1557 spin_unlock(&isec->lock);
1559 switch (sbsec->behavior) {
1560 case SECURITY_FS_USE_NATIVE:
1562 case SECURITY_FS_USE_XATTR:
1563 if (!(inode->i_opflags & IOP_XATTR)) {
1564 sid = sbsec->def_sid;
1567 /* Need a dentry, since the xattr API requires one.
1568 Life would be simpler if we could just pass the inode. */
1570 /* Called from d_instantiate or d_splice_alias. */
1571 dentry = dget(opt_dentry);
1573 /* Called from selinux_complete_init, try to find a dentry. */
1574 dentry = d_find_alias(inode);
1578 * this is can be hit on boot when a file is accessed
1579 * before the policy is loaded. When we load policy we
1580 * may find inodes that have no dentry on the
1581 * sbsec->isec_head list. No reason to complain as these
1582 * will get fixed up the next time we go through
1583 * inode_doinit with a dentry, before these inodes could
1584 * be used again by userspace.
1589 len = INITCONTEXTLEN;
1590 context = kmalloc(len+1, GFP_NOFS);
1596 context[len] = '\0';
1597 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1598 if (rc == -ERANGE) {
1601 /* Need a larger buffer. Query for the right size. */
1602 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1608 context = kmalloc(len+1, GFP_NOFS);
1614 context[len] = '\0';
1615 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1619 if (rc != -ENODATA) {
1620 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1621 "%d for dev=%s ino=%ld\n", __func__,
1622 -rc, inode->i_sb->s_id, inode->i_ino);
1626 /* Map ENODATA to the default file SID */
1627 sid = sbsec->def_sid;
1630 rc = security_context_to_sid_default(&selinux_state,
1635 char *dev = inode->i_sb->s_id;
1636 unsigned long ino = inode->i_ino;
1638 if (rc == -EINVAL) {
1639 if (printk_ratelimit())
1640 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1641 "context=%s. This indicates you may need to relabel the inode or the "
1642 "filesystem in question.\n", ino, dev, context);
1644 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1645 "returned %d for dev=%s ino=%ld\n",
1646 __func__, context, -rc, dev, ino);
1649 /* Leave with the unlabeled SID */
1656 case SECURITY_FS_USE_TASK:
1659 case SECURITY_FS_USE_TRANS:
1660 /* Default to the fs SID. */
1663 /* Try to obtain a transition SID. */
1664 rc = security_transition_sid(&selinux_state, task_sid, sid,
1665 sclass, NULL, &sid);
1669 case SECURITY_FS_USE_MNTPOINT:
1670 sid = sbsec->mntpoint_sid;
1673 /* Default to the fs superblock SID. */
1676 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1677 /* We must have a dentry to determine the label on
1680 /* Called from d_instantiate or
1681 * d_splice_alias. */
1682 dentry = dget(opt_dentry);
1684 /* Called from selinux_complete_init, try to
1686 dentry = d_find_alias(inode);
1688 * This can be hit on boot when a file is accessed
1689 * before the policy is loaded. When we load policy we
1690 * may find inodes that have no dentry on the
1691 * sbsec->isec_head list. No reason to complain as
1692 * these will get fixed up the next time we go through
1693 * inode_doinit() with a dentry, before these inodes
1694 * could be used again by userspace.
1698 rc = selinux_genfs_get_sid(dentry, sclass,
1699 sbsec->flags, &sid);
1708 spin_lock(&isec->lock);
1709 if (isec->initialized == LABEL_PENDING) {
1711 isec->initialized = LABEL_INVALID;
1715 isec->initialized = LABEL_INITIALIZED;
1720 spin_unlock(&isec->lock);
1724 /* Convert a Linux signal to an access vector. */
1725 static inline u32 signal_to_av(int sig)
1731 /* Commonly granted from child to parent. */
1732 perm = PROCESS__SIGCHLD;
1735 /* Cannot be caught or ignored */
1736 perm = PROCESS__SIGKILL;
1739 /* Cannot be caught or ignored */
1740 perm = PROCESS__SIGSTOP;
1743 /* All other signals. */
1744 perm = PROCESS__SIGNAL;
1751 #if CAP_LAST_CAP > 63
1752 #error Fix SELinux to handle capabilities > 63.
1755 /* Check whether a task is allowed to use a capability. */
1756 static int cred_has_capability(const struct cred *cred,
1757 int cap, int audit, bool initns)
1759 struct common_audit_data ad;
1760 struct av_decision avd;
1762 u32 sid = cred_sid(cred);
1763 u32 av = CAP_TO_MASK(cap);
1766 ad.type = LSM_AUDIT_DATA_CAP;
1769 switch (CAP_TO_INDEX(cap)) {
1771 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1774 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1778 "SELinux: out of range capability %d\n", cap);
1783 rc = avc_has_perm_noaudit(&selinux_state,
1784 sid, sid, sclass, av, 0, &avd);
1785 if (audit == SECURITY_CAP_AUDIT) {
1786 int rc2 = avc_audit(&selinux_state,
1787 sid, sid, sclass, av, &avd, rc, &ad, 0);
1794 /* Check whether a task has a particular permission to an inode.
1795 The 'adp' parameter is optional and allows other audit
1796 data to be passed (e.g. the dentry). */
1797 static int inode_has_perm(const struct cred *cred,
1798 struct inode *inode,
1800 struct common_audit_data *adp)
1802 struct inode_security_struct *isec;
1805 validate_creds(cred);
1807 if (unlikely(IS_PRIVATE(inode)))
1810 sid = cred_sid(cred);
1811 isec = inode->i_security;
1813 return avc_has_perm(&selinux_state,
1814 sid, isec->sid, isec->sclass, perms, adp);
1817 /* Same as inode_has_perm, but pass explicit audit data containing
1818 the dentry to help the auditing code to more easily generate the
1819 pathname if needed. */
1820 static inline int dentry_has_perm(const struct cred *cred,
1821 struct dentry *dentry,
1824 struct inode *inode = d_backing_inode(dentry);
1825 struct common_audit_data ad;
1827 ad.type = LSM_AUDIT_DATA_DENTRY;
1828 ad.u.dentry = dentry;
1829 __inode_security_revalidate(inode, dentry, true);
1830 return inode_has_perm(cred, inode, av, &ad);
1833 /* Same as inode_has_perm, but pass explicit audit data containing
1834 the path to help the auditing code to more easily generate the
1835 pathname if needed. */
1836 static inline int path_has_perm(const struct cred *cred,
1837 const struct path *path,
1840 struct inode *inode = d_backing_inode(path->dentry);
1841 struct common_audit_data ad;
1843 ad.type = LSM_AUDIT_DATA_PATH;
1845 __inode_security_revalidate(inode, path->dentry, true);
1846 return inode_has_perm(cred, inode, av, &ad);
1849 /* Same as path_has_perm, but uses the inode from the file struct. */
1850 static inline int file_path_has_perm(const struct cred *cred,
1854 struct common_audit_data ad;
1856 ad.type = LSM_AUDIT_DATA_FILE;
1858 return inode_has_perm(cred, file_inode(file), av, &ad);
1861 #ifdef CONFIG_BPF_SYSCALL
1862 static int bpf_fd_pass(struct file *file, u32 sid);
1865 /* Check whether a task can use an open file descriptor to
1866 access an inode in a given way. Check access to the
1867 descriptor itself, and then use dentry_has_perm to
1868 check a particular permission to the file.
1869 Access to the descriptor is implicitly granted if it
1870 has the same SID as the process. If av is zero, then
1871 access to the file is not checked, e.g. for cases
1872 where only the descriptor is affected like seek. */
1873 static int file_has_perm(const struct cred *cred,
1877 struct file_security_struct *fsec = file->f_security;
1878 struct inode *inode = file_inode(file);
1879 struct common_audit_data ad;
1880 u32 sid = cred_sid(cred);
1883 ad.type = LSM_AUDIT_DATA_FILE;
1886 if (sid != fsec->sid) {
1887 rc = avc_has_perm(&selinux_state,
1896 #ifdef CONFIG_BPF_SYSCALL
1897 rc = bpf_fd_pass(file, cred_sid(cred));
1902 /* av is zero if only checking access to the descriptor. */
1905 rc = inode_has_perm(cred, inode, av, &ad);
1912 * Determine the label for an inode that might be unioned.
1915 selinux_determine_inode_label(const struct task_security_struct *tsec,
1917 const struct qstr *name, u16 tclass,
1920 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1922 if ((sbsec->flags & SE_SBINITIALIZED) &&
1923 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1924 *_new_isid = sbsec->mntpoint_sid;
1925 } else if ((sbsec->flags & SBLABEL_MNT) &&
1927 *_new_isid = tsec->create_sid;
1929 const struct inode_security_struct *dsec = inode_security(dir);
1930 return security_transition_sid(&selinux_state, tsec->sid,
1938 /* Check whether a task can create a file. */
1939 static int may_create(struct inode *dir,
1940 struct dentry *dentry,
1943 const struct task_security_struct *tsec = current_security();
1944 struct inode_security_struct *dsec;
1945 struct superblock_security_struct *sbsec;
1947 struct common_audit_data ad;
1950 dsec = inode_security(dir);
1951 sbsec = dir->i_sb->s_security;
1955 ad.type = LSM_AUDIT_DATA_DENTRY;
1956 ad.u.dentry = dentry;
1958 rc = avc_has_perm(&selinux_state,
1959 sid, dsec->sid, SECCLASS_DIR,
1960 DIR__ADD_NAME | DIR__SEARCH,
1965 rc = selinux_determine_inode_label(current_security(), dir,
1966 &dentry->d_name, tclass, &newsid);
1970 rc = avc_has_perm(&selinux_state,
1971 sid, newsid, tclass, FILE__CREATE, &ad);
1975 return avc_has_perm(&selinux_state,
1977 SECCLASS_FILESYSTEM,
1978 FILESYSTEM__ASSOCIATE, &ad);
1982 #define MAY_UNLINK 1
1985 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1986 static int may_link(struct inode *dir,
1987 struct dentry *dentry,
1991 struct inode_security_struct *dsec, *isec;
1992 struct common_audit_data ad;
1993 u32 sid = current_sid();
1997 dsec = inode_security(dir);
1998 isec = backing_inode_security(dentry);
2000 ad.type = LSM_AUDIT_DATA_DENTRY;
2001 ad.u.dentry = dentry;
2004 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2005 rc = avc_has_perm(&selinux_state,
2006 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2021 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
2026 rc = avc_has_perm(&selinux_state,
2027 sid, isec->sid, isec->sclass, av, &ad);
2031 static inline int may_rename(struct inode *old_dir,
2032 struct dentry *old_dentry,
2033 struct inode *new_dir,
2034 struct dentry *new_dentry)
2036 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2037 struct common_audit_data ad;
2038 u32 sid = current_sid();
2040 int old_is_dir, new_is_dir;
2043 old_dsec = inode_security(old_dir);
2044 old_isec = backing_inode_security(old_dentry);
2045 old_is_dir = d_is_dir(old_dentry);
2046 new_dsec = inode_security(new_dir);
2048 ad.type = LSM_AUDIT_DATA_DENTRY;
2050 ad.u.dentry = old_dentry;
2051 rc = avc_has_perm(&selinux_state,
2052 sid, old_dsec->sid, SECCLASS_DIR,
2053 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2056 rc = avc_has_perm(&selinux_state,
2058 old_isec->sclass, FILE__RENAME, &ad);
2061 if (old_is_dir && new_dir != old_dir) {
2062 rc = avc_has_perm(&selinux_state,
2064 old_isec->sclass, DIR__REPARENT, &ad);
2069 ad.u.dentry = new_dentry;
2070 av = DIR__ADD_NAME | DIR__SEARCH;
2071 if (d_is_positive(new_dentry))
2072 av |= DIR__REMOVE_NAME;
2073 rc = avc_has_perm(&selinux_state,
2074 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2077 if (d_is_positive(new_dentry)) {
2078 new_isec = backing_inode_security(new_dentry);
2079 new_is_dir = d_is_dir(new_dentry);
2080 rc = avc_has_perm(&selinux_state,
2083 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2091 /* Check whether a task can perform a filesystem operation. */
2092 static int superblock_has_perm(const struct cred *cred,
2093 struct super_block *sb,
2095 struct common_audit_data *ad)
2097 struct superblock_security_struct *sbsec;
2098 u32 sid = cred_sid(cred);
2100 sbsec = sb->s_security;
2101 return avc_has_perm(&selinux_state,
2102 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2105 /* Convert a Linux mode and permission mask to an access vector. */
2106 static inline u32 file_mask_to_av(int mode, int mask)
2110 if (!S_ISDIR(mode)) {
2111 if (mask & MAY_EXEC)
2112 av |= FILE__EXECUTE;
2113 if (mask & MAY_READ)
2116 if (mask & MAY_APPEND)
2118 else if (mask & MAY_WRITE)
2122 if (mask & MAY_EXEC)
2124 if (mask & MAY_WRITE)
2126 if (mask & MAY_READ)
2133 /* Convert a Linux file to an access vector. */
2134 static inline u32 file_to_av(struct file *file)
2138 if (file->f_mode & FMODE_READ)
2140 if (file->f_mode & FMODE_WRITE) {
2141 if (file->f_flags & O_APPEND)
2148 * Special file opened with flags 3 for ioctl-only use.
2157 * Convert a file to an access vector and include the correct open
2160 static inline u32 open_file_to_av(struct file *file)
2162 u32 av = file_to_av(file);
2163 struct inode *inode = file_inode(file);
2165 if (selinux_policycap_openperm() &&
2166 inode->i_sb->s_magic != SOCKFS_MAGIC)
2172 /* Hook functions begin here. */
2174 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2176 u32 mysid = current_sid();
2177 u32 mgrsid = task_sid(mgr);
2179 return avc_has_perm(&selinux_state,
2180 mysid, mgrsid, SECCLASS_BINDER,
2181 BINDER__SET_CONTEXT_MGR, NULL);
2184 static int selinux_binder_transaction(struct task_struct *from,
2185 struct task_struct *to)
2187 u32 mysid = current_sid();
2188 u32 fromsid = task_sid(from);
2189 u32 tosid = task_sid(to);
2192 if (mysid != fromsid) {
2193 rc = avc_has_perm(&selinux_state,
2194 mysid, fromsid, SECCLASS_BINDER,
2195 BINDER__IMPERSONATE, NULL);
2200 return avc_has_perm(&selinux_state,
2201 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2205 static int selinux_binder_transfer_binder(struct task_struct *from,
2206 struct task_struct *to)
2208 u32 fromsid = task_sid(from);
2209 u32 tosid = task_sid(to);
2211 return avc_has_perm(&selinux_state,
2212 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2216 static int selinux_binder_transfer_file(struct task_struct *from,
2217 struct task_struct *to,
2220 u32 sid = task_sid(to);
2221 struct file_security_struct *fsec = file->f_security;
2222 struct dentry *dentry = file->f_path.dentry;
2223 struct inode_security_struct *isec;
2224 struct common_audit_data ad;
2227 ad.type = LSM_AUDIT_DATA_PATH;
2228 ad.u.path = file->f_path;
2230 if (sid != fsec->sid) {
2231 rc = avc_has_perm(&selinux_state,
2240 #ifdef CONFIG_BPF_SYSCALL
2241 rc = bpf_fd_pass(file, sid);
2246 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2249 isec = backing_inode_security(dentry);
2250 return avc_has_perm(&selinux_state,
2251 sid, isec->sid, isec->sclass, file_to_av(file),
2255 static int selinux_ptrace_access_check(struct task_struct *child,
2258 u32 sid = current_sid();
2259 u32 csid = task_sid(child);
2261 if (mode & PTRACE_MODE_READ)
2262 return avc_has_perm(&selinux_state,
2263 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2265 return avc_has_perm(&selinux_state,
2266 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2269 static int selinux_ptrace_traceme(struct task_struct *parent)
2271 return avc_has_perm(&selinux_state,
2272 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2273 PROCESS__PTRACE, NULL);
2276 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2277 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2279 return avc_has_perm(&selinux_state,
2280 current_sid(), task_sid(target), SECCLASS_PROCESS,
2281 PROCESS__GETCAP, NULL);
2284 static int selinux_capset(struct cred *new, const struct cred *old,
2285 const kernel_cap_t *effective,
2286 const kernel_cap_t *inheritable,
2287 const kernel_cap_t *permitted)
2289 return avc_has_perm(&selinux_state,
2290 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2291 PROCESS__SETCAP, NULL);
2295 * (This comment used to live with the selinux_task_setuid hook,
2296 * which was removed).
2298 * Since setuid only affects the current process, and since the SELinux
2299 * controls are not based on the Linux identity attributes, SELinux does not
2300 * need to control this operation. However, SELinux does control the use of
2301 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2304 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2307 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2310 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2312 const struct cred *cred = current_cred();
2324 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2329 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2332 rc = 0; /* let the kernel handle invalid cmds */
2338 static int selinux_quota_on(struct dentry *dentry)
2340 const struct cred *cred = current_cred();
2342 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2345 static int selinux_syslog(int type)
2348 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2349 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2350 return avc_has_perm(&selinux_state,
2351 current_sid(), SECINITSID_KERNEL,
2352 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2353 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2354 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2355 /* Set level of messages printed to console */
2356 case SYSLOG_ACTION_CONSOLE_LEVEL:
2357 return avc_has_perm(&selinux_state,
2358 current_sid(), SECINITSID_KERNEL,
2359 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2362 /* All other syslog types */
2363 return avc_has_perm(&selinux_state,
2364 current_sid(), SECINITSID_KERNEL,
2365 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2369 * Check that a process has enough memory to allocate a new virtual
2370 * mapping. 0 means there is enough memory for the allocation to
2371 * succeed and -ENOMEM implies there is not.
2373 * Do not audit the selinux permission check, as this is applied to all
2374 * processes that allocate mappings.
2376 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2378 int rc, cap_sys_admin = 0;
2380 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2381 SECURITY_CAP_NOAUDIT, true);
2385 return cap_sys_admin;
2388 /* binprm security operations */
2390 static u32 ptrace_parent_sid(void)
2393 struct task_struct *tracer;
2396 tracer = ptrace_parent(current);
2398 sid = task_sid(tracer);
2404 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2405 const struct task_security_struct *old_tsec,
2406 const struct task_security_struct *new_tsec)
2408 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2409 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2413 if (!nnp && !nosuid)
2414 return 0; /* neither NNP nor nosuid */
2416 if (new_tsec->sid == old_tsec->sid)
2417 return 0; /* No change in credentials */
2420 * If the policy enables the nnp_nosuid_transition policy capability,
2421 * then we permit transitions under NNP or nosuid if the
2422 * policy allows the corresponding permission between
2423 * the old and new contexts.
2425 if (selinux_policycap_nnp_nosuid_transition()) {
2428 av |= PROCESS2__NNP_TRANSITION;
2430 av |= PROCESS2__NOSUID_TRANSITION;
2431 rc = avc_has_perm(&selinux_state,
2432 old_tsec->sid, new_tsec->sid,
2433 SECCLASS_PROCESS2, av, NULL);
2439 * We also permit NNP or nosuid transitions to bounded SIDs,
2440 * i.e. SIDs that are guaranteed to only be allowed a subset
2441 * of the permissions of the current SID.
2443 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2449 * On failure, preserve the errno values for NNP vs nosuid.
2450 * NNP: Operation not permitted for caller.
2451 * nosuid: Permission denied to file.
2458 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2460 const struct task_security_struct *old_tsec;
2461 struct task_security_struct *new_tsec;
2462 struct inode_security_struct *isec;
2463 struct common_audit_data ad;
2464 struct inode *inode = file_inode(bprm->file);
2467 /* SELinux context only depends on initial program or script and not
2468 * the script interpreter */
2469 if (bprm->called_set_creds)
2472 old_tsec = current_security();
2473 new_tsec = bprm->cred->security;
2474 isec = inode_security(inode);
2476 /* Default to the current task SID. */
2477 new_tsec->sid = old_tsec->sid;
2478 new_tsec->osid = old_tsec->sid;
2480 /* Reset fs, key, and sock SIDs on execve. */
2481 new_tsec->create_sid = 0;
2482 new_tsec->keycreate_sid = 0;
2483 new_tsec->sockcreate_sid = 0;
2485 if (old_tsec->exec_sid) {
2486 new_tsec->sid = old_tsec->exec_sid;
2487 /* Reset exec SID on execve. */
2488 new_tsec->exec_sid = 0;
2490 /* Fail on NNP or nosuid if not an allowed transition. */
2491 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2495 /* Check for a default transition on this program. */
2496 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2497 isec->sid, SECCLASS_PROCESS, NULL,
2503 * Fallback to old SID on NNP or nosuid if not an allowed
2506 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2508 new_tsec->sid = old_tsec->sid;
2511 ad.type = LSM_AUDIT_DATA_FILE;
2512 ad.u.file = bprm->file;
2514 if (new_tsec->sid == old_tsec->sid) {
2515 rc = avc_has_perm(&selinux_state,
2516 old_tsec->sid, isec->sid,
2517 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2521 /* Check permissions for the transition. */
2522 rc = avc_has_perm(&selinux_state,
2523 old_tsec->sid, new_tsec->sid,
2524 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2528 rc = avc_has_perm(&selinux_state,
2529 new_tsec->sid, isec->sid,
2530 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2534 /* Check for shared state */
2535 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2536 rc = avc_has_perm(&selinux_state,
2537 old_tsec->sid, new_tsec->sid,
2538 SECCLASS_PROCESS, PROCESS__SHARE,
2544 /* Make sure that anyone attempting to ptrace over a task that
2545 * changes its SID has the appropriate permit */
2546 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2547 u32 ptsid = ptrace_parent_sid();
2549 rc = avc_has_perm(&selinux_state,
2550 ptsid, new_tsec->sid,
2552 PROCESS__PTRACE, NULL);
2558 /* Clear any possibly unsafe personality bits on exec: */
2559 bprm->per_clear |= PER_CLEAR_ON_SETID;
2561 /* Enable secure mode for SIDs transitions unless
2562 the noatsecure permission is granted between
2563 the two SIDs, i.e. ahp returns 0. */
2564 rc = avc_has_perm(&selinux_state,
2565 old_tsec->sid, new_tsec->sid,
2566 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2568 bprm->secureexec |= !!rc;
2574 static int match_file(const void *p, struct file *file, unsigned fd)
2576 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2579 /* Derived from fs/exec.c:flush_old_files. */
2580 static inline void flush_unauthorized_files(const struct cred *cred,
2581 struct files_struct *files)
2583 struct file *file, *devnull = NULL;
2584 struct tty_struct *tty;
2588 tty = get_current_tty();
2590 spin_lock(&tty->files_lock);
2591 if (!list_empty(&tty->tty_files)) {
2592 struct tty_file_private *file_priv;
2594 /* Revalidate access to controlling tty.
2595 Use file_path_has_perm on the tty path directly
2596 rather than using file_has_perm, as this particular
2597 open file may belong to another process and we are
2598 only interested in the inode-based check here. */
2599 file_priv = list_first_entry(&tty->tty_files,
2600 struct tty_file_private, list);
2601 file = file_priv->file;
2602 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2605 spin_unlock(&tty->files_lock);
2608 /* Reset controlling tty. */
2612 /* Revalidate access to inherited open files. */
2613 n = iterate_fd(files, 0, match_file, cred);
2614 if (!n) /* none found? */
2617 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2618 if (IS_ERR(devnull))
2620 /* replace all the matching ones with this */
2622 replace_fd(n - 1, devnull, 0);
2623 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2629 * Prepare a process for imminent new credential changes due to exec
2631 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2633 struct task_security_struct *new_tsec;
2634 struct rlimit *rlim, *initrlim;
2637 new_tsec = bprm->cred->security;
2638 if (new_tsec->sid == new_tsec->osid)
2641 /* Close files for which the new task SID is not authorized. */
2642 flush_unauthorized_files(bprm->cred, current->files);
2644 /* Always clear parent death signal on SID transitions. */
2645 current->pdeath_signal = 0;
2647 /* Check whether the new SID can inherit resource limits from the old
2648 * SID. If not, reset all soft limits to the lower of the current
2649 * task's hard limit and the init task's soft limit.
2651 * Note that the setting of hard limits (even to lower them) can be
2652 * controlled by the setrlimit check. The inclusion of the init task's
2653 * soft limit into the computation is to avoid resetting soft limits
2654 * higher than the default soft limit for cases where the default is
2655 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2657 rc = avc_has_perm(&selinux_state,
2658 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2659 PROCESS__RLIMITINH, NULL);
2661 /* protect against do_prlimit() */
2663 for (i = 0; i < RLIM_NLIMITS; i++) {
2664 rlim = current->signal->rlim + i;
2665 initrlim = init_task.signal->rlim + i;
2666 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2668 task_unlock(current);
2669 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2670 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2675 * Clean up the process immediately after the installation of new credentials
2678 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2680 const struct task_security_struct *tsec = current_security();
2681 struct itimerval itimer;
2691 /* Check whether the new SID can inherit signal state from the old SID.
2692 * If not, clear itimers to avoid subsequent signal generation and
2693 * flush and unblock signals.
2695 * This must occur _after_ the task SID has been updated so that any
2696 * kill done after the flush will be checked against the new SID.
2698 rc = avc_has_perm(&selinux_state,
2699 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2701 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2702 memset(&itimer, 0, sizeof itimer);
2703 for (i = 0; i < 3; i++)
2704 do_setitimer(i, &itimer, NULL);
2706 spin_lock_irq(¤t->sighand->siglock);
2707 if (!fatal_signal_pending(current)) {
2708 flush_sigqueue(¤t->pending);
2709 flush_sigqueue(¤t->signal->shared_pending);
2710 flush_signal_handlers(current, 1);
2711 sigemptyset(¤t->blocked);
2712 recalc_sigpending();
2714 spin_unlock_irq(¤t->sighand->siglock);
2717 /* Wake up the parent if it is waiting so that it can recheck
2718 * wait permission to the new task SID. */
2719 read_lock(&tasklist_lock);
2720 __wake_up_parent(current, current->real_parent);
2721 read_unlock(&tasklist_lock);
2724 /* superblock security operations */
2726 static int selinux_sb_alloc_security(struct super_block *sb)
2728 return superblock_alloc_security(sb);
2731 static void selinux_sb_free_security(struct super_block *sb)
2733 superblock_free_security(sb);
2736 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2741 return !memcmp(prefix, option, plen);
2744 static inline int selinux_option(char *option, int len)
2746 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2747 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2748 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2749 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2750 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2753 static inline void take_option(char **to, char *from, int *first, int len)
2760 memcpy(*to, from, len);
2764 static inline void take_selinux_option(char **to, char *from, int *first,
2767 int current_size = 0;
2775 while (current_size < len) {
2785 static int selinux_sb_copy_data(char *orig, char *copy)
2787 int fnosec, fsec, rc = 0;
2788 char *in_save, *in_curr, *in_end;
2789 char *sec_curr, *nosec_save, *nosec;
2795 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2803 in_save = in_end = orig;
2807 open_quote = !open_quote;
2808 if ((*in_end == ',' && open_quote == 0) ||
2810 int len = in_end - in_curr;
2812 if (selinux_option(in_curr, len))
2813 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2815 take_option(&nosec, in_curr, &fnosec, len);
2817 in_curr = in_end + 1;
2819 } while (*in_end++);
2821 strcpy(in_save, nosec_save);
2822 free_page((unsigned long)nosec_save);
2827 static int selinux_sb_remount(struct super_block *sb, void *data)
2830 struct security_mnt_opts opts;
2831 char *secdata, **mount_options;
2832 struct superblock_security_struct *sbsec = sb->s_security;
2834 if (!(sbsec->flags & SE_SBINITIALIZED))
2840 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2843 security_init_mnt_opts(&opts);
2844 secdata = alloc_secdata();
2847 rc = selinux_sb_copy_data(data, secdata);
2849 goto out_free_secdata;
2851 rc = selinux_parse_opts_str(secdata, &opts);
2853 goto out_free_secdata;
2855 mount_options = opts.mnt_opts;
2856 flags = opts.mnt_opts_flags;
2858 for (i = 0; i < opts.num_mnt_opts; i++) {
2861 if (flags[i] == SBLABEL_MNT)
2863 rc = security_context_str_to_sid(&selinux_state,
2864 mount_options[i], &sid,
2867 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2868 "(%s) failed for (dev %s, type %s) errno=%d\n",
2869 mount_options[i], sb->s_id, sb->s_type->name, rc);
2875 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2876 goto out_bad_option;
2879 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2880 goto out_bad_option;
2882 case ROOTCONTEXT_MNT: {
2883 struct inode_security_struct *root_isec;
2884 root_isec = backing_inode_security(sb->s_root);
2886 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2887 goto out_bad_option;
2890 case DEFCONTEXT_MNT:
2891 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2892 goto out_bad_option;
2901 security_free_mnt_opts(&opts);
2903 free_secdata(secdata);
2906 printk(KERN_WARNING "SELinux: unable to change security options "
2907 "during remount (dev %s, type=%s)\n", sb->s_id,
2912 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2914 const struct cred *cred = current_cred();
2915 struct common_audit_data ad;
2918 rc = superblock_doinit(sb, data);
2922 /* Allow all mounts performed by the kernel */
2923 if (flags & MS_KERNMOUNT)
2926 ad.type = LSM_AUDIT_DATA_DENTRY;
2927 ad.u.dentry = sb->s_root;
2928 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2931 static int selinux_sb_statfs(struct dentry *dentry)
2933 const struct cred *cred = current_cred();
2934 struct common_audit_data ad;
2936 ad.type = LSM_AUDIT_DATA_DENTRY;
2937 ad.u.dentry = dentry->d_sb->s_root;
2938 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2941 static int selinux_mount(const char *dev_name,
2942 const struct path *path,
2944 unsigned long flags,
2947 const struct cred *cred = current_cred();
2949 if (flags & MS_REMOUNT)
2950 return superblock_has_perm(cred, path->dentry->d_sb,
2951 FILESYSTEM__REMOUNT, NULL);
2953 return path_has_perm(cred, path, FILE__MOUNTON);
2956 static int selinux_umount(struct vfsmount *mnt, int flags)
2958 const struct cred *cred = current_cred();
2960 return superblock_has_perm(cred, mnt->mnt_sb,
2961 FILESYSTEM__UNMOUNT, NULL);
2964 /* inode security operations */
2966 static int selinux_inode_alloc_security(struct inode *inode)
2968 return inode_alloc_security(inode);
2971 static void selinux_inode_free_security(struct inode *inode)
2973 inode_free_security(inode);
2976 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2977 const struct qstr *name, void **ctx,
2983 rc = selinux_determine_inode_label(current_security(),
2984 d_inode(dentry->d_parent), name,
2985 inode_mode_to_security_class(mode),
2990 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2994 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2996 const struct cred *old,
3001 struct task_security_struct *tsec;
3003 rc = selinux_determine_inode_label(old->security,
3004 d_inode(dentry->d_parent), name,
3005 inode_mode_to_security_class(mode),
3010 tsec = new->security;
3011 tsec->create_sid = newsid;
3015 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3016 const struct qstr *qstr,
3018 void **value, size_t *len)
3020 const struct task_security_struct *tsec = current_security();
3021 struct superblock_security_struct *sbsec;
3026 sbsec = dir->i_sb->s_security;
3028 newsid = tsec->create_sid;
3030 rc = selinux_determine_inode_label(current_security(),
3032 inode_mode_to_security_class(inode->i_mode),
3037 /* Possibly defer initialization to selinux_complete_init. */
3038 if (sbsec->flags & SE_SBINITIALIZED) {
3039 struct inode_security_struct *isec = inode->i_security;
3040 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3042 isec->initialized = LABEL_INITIALIZED;
3045 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3049 *name = XATTR_SELINUX_SUFFIX;
3052 rc = security_sid_to_context_force(&selinux_state, newsid,
3063 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3065 return may_create(dir, dentry, SECCLASS_FILE);
3068 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3070 return may_link(dir, old_dentry, MAY_LINK);
3073 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3075 return may_link(dir, dentry, MAY_UNLINK);
3078 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3080 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3083 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3085 return may_create(dir, dentry, SECCLASS_DIR);
3088 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3090 return may_link(dir, dentry, MAY_RMDIR);
3093 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3095 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3098 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3099 struct inode *new_inode, struct dentry *new_dentry)
3101 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3104 static int selinux_inode_readlink(struct dentry *dentry)
3106 const struct cred *cred = current_cred();
3108 return dentry_has_perm(cred, dentry, FILE__READ);
3111 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3114 const struct cred *cred = current_cred();
3115 struct common_audit_data ad;
3116 struct inode_security_struct *isec;
3119 validate_creds(cred);
3121 ad.type = LSM_AUDIT_DATA_DENTRY;
3122 ad.u.dentry = dentry;
3123 sid = cred_sid(cred);
3124 isec = inode_security_rcu(inode, rcu);
3126 return PTR_ERR(isec);
3128 return avc_has_perm_flags(&selinux_state,
3129 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3130 rcu ? MAY_NOT_BLOCK : 0);
3133 static noinline int audit_inode_permission(struct inode *inode,
3134 u32 perms, u32 audited, u32 denied,
3138 struct common_audit_data ad;
3139 struct inode_security_struct *isec = inode->i_security;
3142 ad.type = LSM_AUDIT_DATA_INODE;
3145 rc = slow_avc_audit(&selinux_state,
3146 current_sid(), isec->sid, isec->sclass, perms,
3147 audited, denied, result, &ad, flags);
3153 static int selinux_inode_permission(struct inode *inode, int mask)
3155 const struct cred *cred = current_cred();
3158 unsigned flags = mask & MAY_NOT_BLOCK;
3159 struct inode_security_struct *isec;
3161 struct av_decision avd;
3163 u32 audited, denied;
3165 from_access = mask & MAY_ACCESS;
3166 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3168 /* No permission to check. Existence test. */
3172 validate_creds(cred);
3174 if (unlikely(IS_PRIVATE(inode)))
3177 perms = file_mask_to_av(inode->i_mode, mask);
3179 sid = cred_sid(cred);
3180 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3182 return PTR_ERR(isec);
3184 rc = avc_has_perm_noaudit(&selinux_state,
3185 sid, isec->sid, isec->sclass, perms, 0, &avd);
3186 audited = avc_audit_required(perms, &avd, rc,
3187 from_access ? FILE__AUDIT_ACCESS : 0,
3189 if (likely(!audited))
3192 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3198 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3200 const struct cred *cred = current_cred();
3201 struct inode *inode = d_backing_inode(dentry);
3202 unsigned int ia_valid = iattr->ia_valid;
3203 __u32 av = FILE__WRITE;
3205 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3206 if (ia_valid & ATTR_FORCE) {
3207 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3213 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3214 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3215 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3217 if (selinux_policycap_openperm() &&
3218 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3219 (ia_valid & ATTR_SIZE) &&
3220 !(ia_valid & ATTR_FILE))
3223 return dentry_has_perm(cred, dentry, av);
3226 static int selinux_inode_getattr(const struct path *path)
3228 return path_has_perm(current_cred(), path, FILE__GETATTR);
3231 static bool has_cap_mac_admin(bool audit)
3233 const struct cred *cred = current_cred();
3234 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3236 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3238 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3243 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3244 const void *value, size_t size, int flags)
3246 struct inode *inode = d_backing_inode(dentry);
3247 struct inode_security_struct *isec;
3248 struct superblock_security_struct *sbsec;
3249 struct common_audit_data ad;
3250 u32 newsid, sid = current_sid();
3253 if (strcmp(name, XATTR_NAME_SELINUX)) {
3254 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3258 /* Not an attribute we recognize, so just check the
3259 ordinary setattr permission. */
3260 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3263 sbsec = inode->i_sb->s_security;
3264 if (!(sbsec->flags & SBLABEL_MNT))
3267 if (!inode_owner_or_capable(inode))
3270 ad.type = LSM_AUDIT_DATA_DENTRY;
3271 ad.u.dentry = dentry;
3273 isec = backing_inode_security(dentry);
3274 rc = avc_has_perm(&selinux_state,
3275 sid, isec->sid, isec->sclass,
3276 FILE__RELABELFROM, &ad);
3280 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3282 if (rc == -EINVAL) {
3283 if (!has_cap_mac_admin(true)) {
3284 struct audit_buffer *ab;
3287 /* We strip a nul only if it is at the end, otherwise the
3288 * context contains a nul and we should audit that */
3290 const char *str = value;
3292 if (str[size - 1] == '\0')
3293 audit_size = size - 1;
3299 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3300 audit_log_format(ab, "op=setxattr invalid_context=");
3301 audit_log_n_untrustedstring(ab, value, audit_size);
3306 rc = security_context_to_sid_force(&selinux_state, value,
3312 rc = avc_has_perm(&selinux_state,
3313 sid, newsid, isec->sclass,
3314 FILE__RELABELTO, &ad);
3318 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3323 return avc_has_perm(&selinux_state,
3326 SECCLASS_FILESYSTEM,
3327 FILESYSTEM__ASSOCIATE,
3331 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3332 const void *value, size_t size,
3335 struct inode *inode = d_backing_inode(dentry);
3336 struct inode_security_struct *isec;
3340 if (strcmp(name, XATTR_NAME_SELINUX)) {
3341 /* Not an attribute we recognize, so nothing to do. */
3345 rc = security_context_to_sid_force(&selinux_state, value, size,
3348 printk(KERN_ERR "SELinux: unable to map context to SID"
3349 "for (%s, %lu), rc=%d\n",
3350 inode->i_sb->s_id, inode->i_ino, -rc);
3354 isec = backing_inode_security(dentry);
3355 spin_lock(&isec->lock);
3356 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3358 isec->initialized = LABEL_INITIALIZED;
3359 spin_unlock(&isec->lock);
3364 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3366 const struct cred *cred = current_cred();
3368 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3371 static int selinux_inode_listxattr(struct dentry *dentry)
3373 const struct cred *cred = current_cred();
3375 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3378 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3380 if (strcmp(name, XATTR_NAME_SELINUX)) {
3381 int rc = cap_inode_removexattr(dentry, name);
3385 /* Not an attribute we recognize, so just check the
3386 ordinary setattr permission. */
3387 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3390 /* No one is allowed to remove a SELinux security label.
3391 You can change the label, but all data must be labeled. */
3396 * Copy the inode security context value to the user.
3398 * Permission check is handled by selinux_inode_getxattr hook.
3400 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3404 char *context = NULL;
3405 struct inode_security_struct *isec;
3407 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3411 * If the caller has CAP_MAC_ADMIN, then get the raw context
3412 * value even if it is not defined by current policy; otherwise,
3413 * use the in-core value under current policy.
3414 * Use the non-auditing forms of the permission checks since
3415 * getxattr may be called by unprivileged processes commonly
3416 * and lack of permission just means that we fall back to the
3417 * in-core context value, not a denial.
3419 isec = inode_security(inode);
3420 if (has_cap_mac_admin(false))
3421 error = security_sid_to_context_force(&selinux_state,
3422 isec->sid, &context,
3425 error = security_sid_to_context(&selinux_state, isec->sid,
3439 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3440 const void *value, size_t size, int flags)
3442 struct inode_security_struct *isec = inode_security_novalidate(inode);
3446 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3449 if (!value || !size)
3452 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3457 spin_lock(&isec->lock);
3458 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3460 isec->initialized = LABEL_INITIALIZED;
3461 spin_unlock(&isec->lock);
3465 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3467 const int len = sizeof(XATTR_NAME_SELINUX);
3468 if (buffer && len <= buffer_size)
3469 memcpy(buffer, XATTR_NAME_SELINUX, len);
3473 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3475 struct inode_security_struct *isec = inode_security_novalidate(inode);
3479 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3482 struct task_security_struct *tsec;
3483 struct cred *new_creds = *new;
3485 if (new_creds == NULL) {
3486 new_creds = prepare_creds();
3491 tsec = new_creds->security;
3492 /* Get label from overlay inode and set it in create_sid */
3493 selinux_inode_getsecid(d_inode(src), &sid);
3494 tsec->create_sid = sid;
3499 static int selinux_inode_copy_up_xattr(const char *name)
3501 /* The copy_up hook above sets the initial context on an inode, but we
3502 * don't then want to overwrite it by blindly copying all the lower
3503 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3505 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3506 return 1; /* Discard */
3508 * Any other attribute apart from SELINUX is not claimed, supported
3514 /* file security operations */
3516 static int selinux_revalidate_file_permission(struct file *file, int mask)
3518 const struct cred *cred = current_cred();
3519 struct inode *inode = file_inode(file);
3521 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3522 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3525 return file_has_perm(cred, file,
3526 file_mask_to_av(inode->i_mode, mask));
3529 static int selinux_file_permission(struct file *file, int mask)
3531 struct inode *inode = file_inode(file);
3532 struct file_security_struct *fsec = file->f_security;
3533 struct inode_security_struct *isec;
3534 u32 sid = current_sid();
3537 /* No permission to check. Existence test. */
3540 isec = inode_security(inode);
3541 if (sid == fsec->sid && fsec->isid == isec->sid &&
3542 fsec->pseqno == avc_policy_seqno(&selinux_state))
3543 /* No change since file_open check. */
3546 return selinux_revalidate_file_permission(file, mask);
3549 static int selinux_file_alloc_security(struct file *file)
3551 return file_alloc_security(file);
3554 static void selinux_file_free_security(struct file *file)
3556 file_free_security(file);
3560 * Check whether a task has the ioctl permission and cmd
3561 * operation to an inode.
3563 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3564 u32 requested, u16 cmd)
3566 struct common_audit_data ad;
3567 struct file_security_struct *fsec = file->f_security;
3568 struct inode *inode = file_inode(file);
3569 struct inode_security_struct *isec;
3570 struct lsm_ioctlop_audit ioctl;
3571 u32 ssid = cred_sid(cred);
3573 u8 driver = cmd >> 8;
3574 u8 xperm = cmd & 0xff;
3576 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3579 ad.u.op->path = file->f_path;
3581 if (ssid != fsec->sid) {
3582 rc = avc_has_perm(&selinux_state,
3591 if (unlikely(IS_PRIVATE(inode)))
3594 isec = inode_security(inode);
3595 rc = avc_has_extended_perms(&selinux_state,
3596 ssid, isec->sid, isec->sclass,
3597 requested, driver, xperm, &ad);
3602 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3605 const struct cred *cred = current_cred();
3615 case FS_IOC_GETFLAGS:
3617 case FS_IOC_GETVERSION:
3618 error = file_has_perm(cred, file, FILE__GETATTR);
3621 case FS_IOC_SETFLAGS:
3623 case FS_IOC_SETVERSION:
3624 error = file_has_perm(cred, file, FILE__SETATTR);
3627 /* sys_ioctl() checks */
3631 error = file_has_perm(cred, file, 0);
3636 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3637 SECURITY_CAP_AUDIT, true);
3640 /* default case assumes that the command will go
3641 * to the file's ioctl() function.
3644 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3649 static int default_noexec;
3651 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3653 const struct cred *cred = current_cred();
3654 u32 sid = cred_sid(cred);
3657 if (default_noexec &&
3658 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3659 (!shared && (prot & PROT_WRITE)))) {
3661 * We are making executable an anonymous mapping or a
3662 * private file mapping that will also be writable.
3663 * This has an additional check.
3665 rc = avc_has_perm(&selinux_state,
3666 sid, sid, SECCLASS_PROCESS,
3667 PROCESS__EXECMEM, NULL);
3673 /* read access is always possible with a mapping */
3674 u32 av = FILE__READ;
3676 /* write access only matters if the mapping is shared */
3677 if (shared && (prot & PROT_WRITE))
3680 if (prot & PROT_EXEC)
3681 av |= FILE__EXECUTE;
3683 return file_has_perm(cred, file, av);
3690 static int selinux_mmap_addr(unsigned long addr)
3694 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3695 u32 sid = current_sid();
3696 rc = avc_has_perm(&selinux_state,
3697 sid, sid, SECCLASS_MEMPROTECT,
3698 MEMPROTECT__MMAP_ZERO, NULL);
3704 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3705 unsigned long prot, unsigned long flags)
3707 struct common_audit_data ad;
3711 ad.type = LSM_AUDIT_DATA_FILE;
3713 rc = inode_has_perm(current_cred(), file_inode(file),
3719 if (selinux_state.checkreqprot)
3722 return file_map_prot_check(file, prot,
3723 (flags & MAP_TYPE) == MAP_SHARED);
3726 static int selinux_file_mprotect(struct vm_area_struct *vma,
3727 unsigned long reqprot,
3730 const struct cred *cred = current_cred();
3731 u32 sid = cred_sid(cred);
3733 if (selinux_state.checkreqprot)
3736 if (default_noexec &&
3737 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3739 if (vma->vm_start >= vma->vm_mm->start_brk &&
3740 vma->vm_end <= vma->vm_mm->brk) {
3741 rc = avc_has_perm(&selinux_state,
3742 sid, sid, SECCLASS_PROCESS,
3743 PROCESS__EXECHEAP, NULL);
3744 } else if (!vma->vm_file &&
3745 ((vma->vm_start <= vma->vm_mm->start_stack &&
3746 vma->vm_end >= vma->vm_mm->start_stack) ||
3747 vma_is_stack_for_current(vma))) {
3748 rc = avc_has_perm(&selinux_state,
3749 sid, sid, SECCLASS_PROCESS,
3750 PROCESS__EXECSTACK, NULL);
3751 } else if (vma->vm_file && vma->anon_vma) {
3753 * We are making executable a file mapping that has
3754 * had some COW done. Since pages might have been
3755 * written, check ability to execute the possibly
3756 * modified content. This typically should only
3757 * occur for text relocations.
3759 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3765 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3768 static int selinux_file_lock(struct file *file, unsigned int cmd)
3770 const struct cred *cred = current_cred();
3772 return file_has_perm(cred, file, FILE__LOCK);
3775 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3778 const struct cred *cred = current_cred();
3783 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3784 err = file_has_perm(cred, file, FILE__WRITE);
3793 case F_GETOWNER_UIDS:
3794 /* Just check FD__USE permission */
3795 err = file_has_perm(cred, file, 0);
3803 #if BITS_PER_LONG == 32
3808 err = file_has_perm(cred, file, FILE__LOCK);
3815 static void selinux_file_set_fowner(struct file *file)
3817 struct file_security_struct *fsec;
3819 fsec = file->f_security;
3820 fsec->fown_sid = current_sid();
3823 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3824 struct fown_struct *fown, int signum)
3827 u32 sid = task_sid(tsk);
3829 struct file_security_struct *fsec;
3831 /* struct fown_struct is never outside the context of a struct file */
3832 file = container_of(fown, struct file, f_owner);
3834 fsec = file->f_security;
3837 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3839 perm = signal_to_av(signum);
3841 return avc_has_perm(&selinux_state,
3842 fsec->fown_sid, sid,
3843 SECCLASS_PROCESS, perm, NULL);
3846 static int selinux_file_receive(struct file *file)
3848 const struct cred *cred = current_cred();
3850 return file_has_perm(cred, file, file_to_av(file));
3853 static int selinux_file_open(struct file *file, const struct cred *cred)
3855 struct file_security_struct *fsec;
3856 struct inode_security_struct *isec;
3858 fsec = file->f_security;
3859 isec = inode_security(file_inode(file));
3861 * Save inode label and policy sequence number
3862 * at open-time so that selinux_file_permission
3863 * can determine whether revalidation is necessary.
3864 * Task label is already saved in the file security
3865 * struct as its SID.
3867 fsec->isid = isec->sid;
3868 fsec->pseqno = avc_policy_seqno(&selinux_state);
3870 * Since the inode label or policy seqno may have changed
3871 * between the selinux_inode_permission check and the saving
3872 * of state above, recheck that access is still permitted.
3873 * Otherwise, access might never be revalidated against the
3874 * new inode label or new policy.
3875 * This check is not redundant - do not remove.
3877 return file_path_has_perm(cred, file, open_file_to_av(file));
3880 /* task security operations */
3882 static int selinux_task_alloc(struct task_struct *task,
3883 unsigned long clone_flags)
3885 u32 sid = current_sid();
3887 return avc_has_perm(&selinux_state,
3888 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3892 * allocate the SELinux part of blank credentials
3894 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3896 struct task_security_struct *tsec;
3898 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3902 cred->security = tsec;
3907 * detach and free the LSM part of a set of credentials
3909 static void selinux_cred_free(struct cred *cred)
3911 struct task_security_struct *tsec = cred->security;
3914 * cred->security == NULL if security_cred_alloc_blank() or
3915 * security_prepare_creds() returned an error.
3917 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3918 cred->security = (void *) 0x7UL;
3923 * prepare a new set of credentials for modification
3925 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3928 const struct task_security_struct *old_tsec;
3929 struct task_security_struct *tsec;
3931 old_tsec = old->security;
3933 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3937 new->security = tsec;
3942 * transfer the SELinux data to a blank set of creds
3944 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3946 const struct task_security_struct *old_tsec = old->security;
3947 struct task_security_struct *tsec = new->security;
3952 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3954 *secid = cred_sid(c);
3958 * set the security data for a kernel service
3959 * - all the creation contexts are set to unlabelled
3961 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3963 struct task_security_struct *tsec = new->security;
3964 u32 sid = current_sid();
3967 ret = avc_has_perm(&selinux_state,
3969 SECCLASS_KERNEL_SERVICE,
3970 KERNEL_SERVICE__USE_AS_OVERRIDE,
3974 tsec->create_sid = 0;
3975 tsec->keycreate_sid = 0;
3976 tsec->sockcreate_sid = 0;
3982 * set the file creation context in a security record to the same as the
3983 * objective context of the specified inode
3985 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3987 struct inode_security_struct *isec = inode_security(inode);
3988 struct task_security_struct *tsec = new->security;
3989 u32 sid = current_sid();
3992 ret = avc_has_perm(&selinux_state,
3994 SECCLASS_KERNEL_SERVICE,
3995 KERNEL_SERVICE__CREATE_FILES_AS,
3999 tsec->create_sid = isec->sid;
4003 static int selinux_kernel_module_request(char *kmod_name)
4005 struct common_audit_data ad;
4007 ad.type = LSM_AUDIT_DATA_KMOD;
4008 ad.u.kmod_name = kmod_name;
4010 return avc_has_perm(&selinux_state,
4011 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4012 SYSTEM__MODULE_REQUEST, &ad);
4015 static int selinux_kernel_module_from_file(struct file *file)
4017 struct common_audit_data ad;
4018 struct inode_security_struct *isec;
4019 struct file_security_struct *fsec;
4020 u32 sid = current_sid();
4025 return avc_has_perm(&selinux_state,
4026 sid, sid, SECCLASS_SYSTEM,
4027 SYSTEM__MODULE_LOAD, NULL);
4031 ad.type = LSM_AUDIT_DATA_FILE;
4034 fsec = file->f_security;
4035 if (sid != fsec->sid) {
4036 rc = avc_has_perm(&selinux_state,
4037 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4042 isec = inode_security(file_inode(file));
4043 return avc_has_perm(&selinux_state,
4044 sid, isec->sid, SECCLASS_SYSTEM,
4045 SYSTEM__MODULE_LOAD, &ad);
4048 static int selinux_kernel_read_file(struct file *file,
4049 enum kernel_read_file_id id)
4054 case READING_MODULE:
4055 rc = selinux_kernel_module_from_file(file);
4064 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4066 return avc_has_perm(&selinux_state,
4067 current_sid(), task_sid(p), SECCLASS_PROCESS,
4068 PROCESS__SETPGID, NULL);
4071 static int selinux_task_getpgid(struct task_struct *p)
4073 return avc_has_perm(&selinux_state,
4074 current_sid(), task_sid(p), SECCLASS_PROCESS,
4075 PROCESS__GETPGID, NULL);
4078 static int selinux_task_getsid(struct task_struct *p)
4080 return avc_has_perm(&selinux_state,
4081 current_sid(), task_sid(p), SECCLASS_PROCESS,
4082 PROCESS__GETSESSION, NULL);
4085 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4087 *secid = task_sid(p);
4090 static int selinux_task_setnice(struct task_struct *p, int nice)
4092 return avc_has_perm(&selinux_state,
4093 current_sid(), task_sid(p), SECCLASS_PROCESS,
4094 PROCESS__SETSCHED, NULL);
4097 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4099 return avc_has_perm(&selinux_state,
4100 current_sid(), task_sid(p), SECCLASS_PROCESS,
4101 PROCESS__SETSCHED, NULL);
4104 static int selinux_task_getioprio(struct task_struct *p)
4106 return avc_has_perm(&selinux_state,
4107 current_sid(), task_sid(p), SECCLASS_PROCESS,
4108 PROCESS__GETSCHED, NULL);
4111 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4118 if (flags & LSM_PRLIMIT_WRITE)
4119 av |= PROCESS__SETRLIMIT;
4120 if (flags & LSM_PRLIMIT_READ)
4121 av |= PROCESS__GETRLIMIT;
4122 return avc_has_perm(&selinux_state,
4123 cred_sid(cred), cred_sid(tcred),
4124 SECCLASS_PROCESS, av, NULL);
4127 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4128 struct rlimit *new_rlim)
4130 struct rlimit *old_rlim = p->signal->rlim + resource;
4132 /* Control the ability to change the hard limit (whether
4133 lowering or raising it), so that the hard limit can
4134 later be used as a safe reset point for the soft limit
4135 upon context transitions. See selinux_bprm_committing_creds. */
4136 if (old_rlim->rlim_max != new_rlim->rlim_max)
4137 return avc_has_perm(&selinux_state,
4138 current_sid(), task_sid(p),
4139 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4144 static int selinux_task_setscheduler(struct task_struct *p)
4146 return avc_has_perm(&selinux_state,
4147 current_sid(), task_sid(p), SECCLASS_PROCESS,
4148 PROCESS__SETSCHED, NULL);
4151 static int selinux_task_getscheduler(struct task_struct *p)
4153 return avc_has_perm(&selinux_state,
4154 current_sid(), task_sid(p), SECCLASS_PROCESS,
4155 PROCESS__GETSCHED, NULL);
4158 static int selinux_task_movememory(struct task_struct *p)
4160 return avc_has_perm(&selinux_state,
4161 current_sid(), task_sid(p), SECCLASS_PROCESS,
4162 PROCESS__SETSCHED, NULL);
4165 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4166 int sig, const struct cred *cred)
4172 perm = PROCESS__SIGNULL; /* null signal; existence test */
4174 perm = signal_to_av(sig);
4176 secid = current_sid();
4178 secid = cred_sid(cred);
4179 return avc_has_perm(&selinux_state,
4180 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4183 static void selinux_task_to_inode(struct task_struct *p,
4184 struct inode *inode)
4186 struct inode_security_struct *isec = inode->i_security;
4187 u32 sid = task_sid(p);
4189 spin_lock(&isec->lock);
4190 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4192 isec->initialized = LABEL_INITIALIZED;
4193 spin_unlock(&isec->lock);
4196 /* Returns error only if unable to parse addresses */
4197 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4198 struct common_audit_data *ad, u8 *proto)
4200 int offset, ihlen, ret = -EINVAL;
4201 struct iphdr _iph, *ih;
4203 offset = skb_network_offset(skb);
4204 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4208 ihlen = ih->ihl * 4;
4209 if (ihlen < sizeof(_iph))
4212 ad->u.net->v4info.saddr = ih->saddr;
4213 ad->u.net->v4info.daddr = ih->daddr;
4217 *proto = ih->protocol;
4219 switch (ih->protocol) {
4221 struct tcphdr _tcph, *th;
4223 if (ntohs(ih->frag_off) & IP_OFFSET)
4227 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4231 ad->u.net->sport = th->source;
4232 ad->u.net->dport = th->dest;
4237 struct udphdr _udph, *uh;
4239 if (ntohs(ih->frag_off) & IP_OFFSET)
4243 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4247 ad->u.net->sport = uh->source;
4248 ad->u.net->dport = uh->dest;
4252 case IPPROTO_DCCP: {
4253 struct dccp_hdr _dccph, *dh;
4255 if (ntohs(ih->frag_off) & IP_OFFSET)
4259 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4263 ad->u.net->sport = dh->dccph_sport;
4264 ad->u.net->dport = dh->dccph_dport;
4268 #if IS_ENABLED(CONFIG_IP_SCTP)
4269 case IPPROTO_SCTP: {
4270 struct sctphdr _sctph, *sh;
4272 if (ntohs(ih->frag_off) & IP_OFFSET)
4276 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4280 ad->u.net->sport = sh->source;
4281 ad->u.net->dport = sh->dest;
4292 #if IS_ENABLED(CONFIG_IPV6)
4294 /* Returns error only if unable to parse addresses */
4295 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4296 struct common_audit_data *ad, u8 *proto)
4299 int ret = -EINVAL, offset;
4300 struct ipv6hdr _ipv6h, *ip6;
4303 offset = skb_network_offset(skb);
4304 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4308 ad->u.net->v6info.saddr = ip6->saddr;
4309 ad->u.net->v6info.daddr = ip6->daddr;
4312 nexthdr = ip6->nexthdr;
4313 offset += sizeof(_ipv6h);
4314 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4323 struct tcphdr _tcph, *th;
4325 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4329 ad->u.net->sport = th->source;
4330 ad->u.net->dport = th->dest;
4335 struct udphdr _udph, *uh;
4337 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4341 ad->u.net->sport = uh->source;
4342 ad->u.net->dport = uh->dest;
4346 case IPPROTO_DCCP: {
4347 struct dccp_hdr _dccph, *dh;
4349 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4353 ad->u.net->sport = dh->dccph_sport;
4354 ad->u.net->dport = dh->dccph_dport;
4358 #if IS_ENABLED(CONFIG_IP_SCTP)
4359 case IPPROTO_SCTP: {
4360 struct sctphdr _sctph, *sh;
4362 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4366 ad->u.net->sport = sh->source;
4367 ad->u.net->dport = sh->dest;
4371 /* includes fragments */
4381 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4382 char **_addrp, int src, u8 *proto)
4387 switch (ad->u.net->family) {
4389 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4392 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4393 &ad->u.net->v4info.daddr);
4396 #if IS_ENABLED(CONFIG_IPV6)
4398 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4401 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4402 &ad->u.net->v6info.daddr);
4412 "SELinux: failure in selinux_parse_skb(),"
4413 " unable to parse packet\n");
4423 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4425 * @family: protocol family
4426 * @sid: the packet's peer label SID
4429 * Check the various different forms of network peer labeling and determine
4430 * the peer label/SID for the packet; most of the magic actually occurs in
4431 * the security server function security_net_peersid_cmp(). The function
4432 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4433 * or -EACCES if @sid is invalid due to inconsistencies with the different
4437 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4444 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4447 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4451 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4452 nlbl_type, xfrm_sid, sid);
4453 if (unlikely(err)) {
4455 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4456 " unable to determine packet's peer label\n");
4464 * selinux_conn_sid - Determine the child socket label for a connection
4465 * @sk_sid: the parent socket's SID
4466 * @skb_sid: the packet's SID
4467 * @conn_sid: the resulting connection SID
4469 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4470 * combined with the MLS information from @skb_sid in order to create
4471 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4472 * of @sk_sid. Returns zero on success, negative values on failure.
4475 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4479 if (skb_sid != SECSID_NULL)
4480 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4488 /* socket security operations */
4490 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4491 u16 secclass, u32 *socksid)
4493 if (tsec->sockcreate_sid > SECSID_NULL) {
4494 *socksid = tsec->sockcreate_sid;
4498 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4499 secclass, NULL, socksid);
4502 static int sock_has_perm(struct sock *sk, u32 perms)
4504 struct sk_security_struct *sksec = sk->sk_security;
4505 struct common_audit_data ad;
4506 struct lsm_network_audit net = {0,};
4508 if (sksec->sid == SECINITSID_KERNEL)
4511 ad.type = LSM_AUDIT_DATA_NET;
4515 return avc_has_perm(&selinux_state,
4516 current_sid(), sksec->sid, sksec->sclass, perms,
4520 static int selinux_socket_create(int family, int type,
4521 int protocol, int kern)
4523 const struct task_security_struct *tsec = current_security();
4531 secclass = socket_type_to_security_class(family, type, protocol);
4532 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4536 return avc_has_perm(&selinux_state,
4537 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4540 static int selinux_socket_post_create(struct socket *sock, int family,
4541 int type, int protocol, int kern)
4543 const struct task_security_struct *tsec = current_security();
4544 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4545 struct sk_security_struct *sksec;
4546 u16 sclass = socket_type_to_security_class(family, type, protocol);
4547 u32 sid = SECINITSID_KERNEL;
4551 err = socket_sockcreate_sid(tsec, sclass, &sid);
4556 isec->sclass = sclass;
4558 isec->initialized = LABEL_INITIALIZED;
4561 sksec = sock->sk->sk_security;
4562 sksec->sclass = sclass;
4564 /* Allows detection of the first association on this socket */
4565 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4566 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4568 err = selinux_netlbl_socket_post_create(sock->sk, family);
4574 /* Range of port numbers used to automatically bind.
4575 Need to determine whether we should perform a name_bind
4576 permission check between the socket and the port number. */
4578 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4580 struct sock *sk = sock->sk;
4584 err = sock_has_perm(sk, SOCKET__BIND);
4588 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4589 family = sk->sk_family;
4590 if (family == PF_INET || family == PF_INET6) {
4592 struct sk_security_struct *sksec = sk->sk_security;
4593 struct common_audit_data ad;
4594 struct lsm_network_audit net = {0,};
4595 struct sockaddr_in *addr4 = NULL;
4596 struct sockaddr_in6 *addr6 = NULL;
4597 unsigned short snum;
4601 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4602 * that validates multiple binding addresses. Because of this
4603 * need to check address->sa_family as it is possible to have
4604 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4606 switch (address->sa_family) {
4608 if (addrlen < sizeof(struct sockaddr_in))
4610 addr4 = (struct sockaddr_in *)address;
4611 snum = ntohs(addr4->sin_port);
4612 addrp = (char *)&addr4->sin_addr.s_addr;
4615 if (addrlen < SIN6_LEN_RFC2133)
4617 addr6 = (struct sockaddr_in6 *)address;
4618 snum = ntohs(addr6->sin6_port);
4619 addrp = (char *)&addr6->sin6_addr.s6_addr;
4622 /* Note that SCTP services expect -EINVAL, whereas
4623 * others expect -EAFNOSUPPORT.
4625 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4628 return -EAFNOSUPPORT;
4634 inet_get_local_port_range(sock_net(sk), &low, &high);
4636 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4638 err = sel_netport_sid(sk->sk_protocol,
4642 ad.type = LSM_AUDIT_DATA_NET;
4644 ad.u.net->sport = htons(snum);
4645 ad.u.net->family = family;
4646 err = avc_has_perm(&selinux_state,
4649 SOCKET__NAME_BIND, &ad);
4655 switch (sksec->sclass) {
4656 case SECCLASS_TCP_SOCKET:
4657 node_perm = TCP_SOCKET__NODE_BIND;
4660 case SECCLASS_UDP_SOCKET:
4661 node_perm = UDP_SOCKET__NODE_BIND;
4664 case SECCLASS_DCCP_SOCKET:
4665 node_perm = DCCP_SOCKET__NODE_BIND;
4668 case SECCLASS_SCTP_SOCKET:
4669 node_perm = SCTP_SOCKET__NODE_BIND;
4673 node_perm = RAWIP_SOCKET__NODE_BIND;
4677 err = sel_netnode_sid(addrp, family, &sid);
4681 ad.type = LSM_AUDIT_DATA_NET;
4683 ad.u.net->sport = htons(snum);
4684 ad.u.net->family = family;
4686 if (address->sa_family == AF_INET)
4687 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4689 ad.u.net->v6info.saddr = addr6->sin6_addr;
4691 err = avc_has_perm(&selinux_state,
4693 sksec->sclass, node_perm, &ad);
4701 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4702 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.txt
4704 static int selinux_socket_connect_helper(struct socket *sock,
4705 struct sockaddr *address, int addrlen)
4707 struct sock *sk = sock->sk;
4708 struct sk_security_struct *sksec = sk->sk_security;
4711 err = sock_has_perm(sk, SOCKET__CONNECT);
4716 * If a TCP, DCCP or SCTP socket, check name_connect permission
4719 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4720 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4721 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4722 struct common_audit_data ad;
4723 struct lsm_network_audit net = {0,};
4724 struct sockaddr_in *addr4 = NULL;
4725 struct sockaddr_in6 *addr6 = NULL;
4726 unsigned short snum;
4729 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4730 * that validates multiple connect addresses. Because of this
4731 * need to check address->sa_family as it is possible to have
4732 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4734 switch (address->sa_family) {
4736 addr4 = (struct sockaddr_in *)address;
4737 if (addrlen < sizeof(struct sockaddr_in))
4739 snum = ntohs(addr4->sin_port);
4742 addr6 = (struct sockaddr_in6 *)address;
4743 if (addrlen < SIN6_LEN_RFC2133)
4745 snum = ntohs(addr6->sin6_port);
4748 /* Note that SCTP services expect -EINVAL, whereas
4749 * others expect -EAFNOSUPPORT.
4751 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4754 return -EAFNOSUPPORT;
4757 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4761 switch (sksec->sclass) {
4762 case SECCLASS_TCP_SOCKET:
4763 perm = TCP_SOCKET__NAME_CONNECT;
4765 case SECCLASS_DCCP_SOCKET:
4766 perm = DCCP_SOCKET__NAME_CONNECT;
4768 case SECCLASS_SCTP_SOCKET:
4769 perm = SCTP_SOCKET__NAME_CONNECT;
4773 ad.type = LSM_AUDIT_DATA_NET;
4775 ad.u.net->dport = htons(snum);
4776 ad.u.net->family = sk->sk_family;
4777 err = avc_has_perm(&selinux_state,
4778 sksec->sid, sid, sksec->sclass, perm, &ad);
4786 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4787 static int selinux_socket_connect(struct socket *sock,
4788 struct sockaddr *address, int addrlen)
4791 struct sock *sk = sock->sk;
4793 err = selinux_socket_connect_helper(sock, address, addrlen);
4797 return selinux_netlbl_socket_connect(sk, address);
4800 static int selinux_socket_listen(struct socket *sock, int backlog)
4802 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4805 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4808 struct inode_security_struct *isec;
4809 struct inode_security_struct *newisec;
4813 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4817 isec = inode_security_novalidate(SOCK_INODE(sock));
4818 spin_lock(&isec->lock);
4819 sclass = isec->sclass;
4821 spin_unlock(&isec->lock);
4823 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4824 newisec->sclass = sclass;
4826 newisec->initialized = LABEL_INITIALIZED;
4831 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4834 return sock_has_perm(sock->sk, SOCKET__WRITE);
4837 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4838 int size, int flags)
4840 return sock_has_perm(sock->sk, SOCKET__READ);
4843 static int selinux_socket_getsockname(struct socket *sock)
4845 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4848 static int selinux_socket_getpeername(struct socket *sock)
4850 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4853 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4857 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4861 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4864 static int selinux_socket_getsockopt(struct socket *sock, int level,
4867 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4870 static int selinux_socket_shutdown(struct socket *sock, int how)
4872 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4875 static int selinux_socket_unix_stream_connect(struct sock *sock,
4879 struct sk_security_struct *sksec_sock = sock->sk_security;
4880 struct sk_security_struct *sksec_other = other->sk_security;
4881 struct sk_security_struct *sksec_new = newsk->sk_security;
4882 struct common_audit_data ad;
4883 struct lsm_network_audit net = {0,};
4886 ad.type = LSM_AUDIT_DATA_NET;
4888 ad.u.net->sk = other;
4890 err = avc_has_perm(&selinux_state,
4891 sksec_sock->sid, sksec_other->sid,
4892 sksec_other->sclass,
4893 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4897 /* server child socket */
4898 sksec_new->peer_sid = sksec_sock->sid;
4899 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4900 sksec_sock->sid, &sksec_new->sid);
4904 /* connecting socket */
4905 sksec_sock->peer_sid = sksec_new->sid;
4910 static int selinux_socket_unix_may_send(struct socket *sock,
4911 struct socket *other)
4913 struct sk_security_struct *ssec = sock->sk->sk_security;
4914 struct sk_security_struct *osec = other->sk->sk_security;
4915 struct common_audit_data ad;
4916 struct lsm_network_audit net = {0,};
4918 ad.type = LSM_AUDIT_DATA_NET;
4920 ad.u.net->sk = other->sk;
4922 return avc_has_perm(&selinux_state,
4923 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4927 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4928 char *addrp, u16 family, u32 peer_sid,
4929 struct common_audit_data *ad)
4935 err = sel_netif_sid(ns, ifindex, &if_sid);
4938 err = avc_has_perm(&selinux_state,
4940 SECCLASS_NETIF, NETIF__INGRESS, ad);
4944 err = sel_netnode_sid(addrp, family, &node_sid);
4947 return avc_has_perm(&selinux_state,
4949 SECCLASS_NODE, NODE__RECVFROM, ad);
4952 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4956 struct sk_security_struct *sksec = sk->sk_security;
4957 u32 sk_sid = sksec->sid;
4958 struct common_audit_data ad;
4959 struct lsm_network_audit net = {0,};
4962 ad.type = LSM_AUDIT_DATA_NET;
4964 ad.u.net->netif = skb->skb_iif;
4965 ad.u.net->family = family;
4966 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4970 if (selinux_secmark_enabled()) {
4971 err = avc_has_perm(&selinux_state,
4972 sk_sid, skb->secmark, SECCLASS_PACKET,
4978 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4981 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4986 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4989 struct sk_security_struct *sksec = sk->sk_security;
4990 u16 family = sk->sk_family;
4991 u32 sk_sid = sksec->sid;
4992 struct common_audit_data ad;
4993 struct lsm_network_audit net = {0,};
4998 if (family != PF_INET && family != PF_INET6)
5001 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5002 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5005 /* If any sort of compatibility mode is enabled then handoff processing
5006 * to the selinux_sock_rcv_skb_compat() function to deal with the
5007 * special handling. We do this in an attempt to keep this function
5008 * as fast and as clean as possible. */
5009 if (!selinux_policycap_netpeer())
5010 return selinux_sock_rcv_skb_compat(sk, skb, family);
5012 secmark_active = selinux_secmark_enabled();
5013 peerlbl_active = selinux_peerlbl_enabled();
5014 if (!secmark_active && !peerlbl_active)
5017 ad.type = LSM_AUDIT_DATA_NET;
5019 ad.u.net->netif = skb->skb_iif;
5020 ad.u.net->family = family;
5021 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5025 if (peerlbl_active) {
5028 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5031 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5032 addrp, family, peer_sid, &ad);
5034 selinux_netlbl_err(skb, family, err, 0);
5037 err = avc_has_perm(&selinux_state,
5038 sk_sid, peer_sid, SECCLASS_PEER,
5041 selinux_netlbl_err(skb, family, err, 0);
5046 if (secmark_active) {
5047 err = avc_has_perm(&selinux_state,
5048 sk_sid, skb->secmark, SECCLASS_PACKET,
5057 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5058 int __user *optlen, unsigned len)
5063 struct sk_security_struct *sksec = sock->sk->sk_security;
5064 u32 peer_sid = SECSID_NULL;
5066 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5067 sksec->sclass == SECCLASS_TCP_SOCKET ||
5068 sksec->sclass == SECCLASS_SCTP_SOCKET)
5069 peer_sid = sksec->peer_sid;
5070 if (peer_sid == SECSID_NULL)
5071 return -ENOPROTOOPT;
5073 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5078 if (scontext_len > len) {
5083 if (copy_to_user(optval, scontext, scontext_len))
5087 if (put_user(scontext_len, optlen))
5093 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5095 u32 peer_secid = SECSID_NULL;
5097 struct inode_security_struct *isec;
5099 if (skb && skb->protocol == htons(ETH_P_IP))
5101 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5104 family = sock->sk->sk_family;
5108 if (sock && family == PF_UNIX) {
5109 isec = inode_security_novalidate(SOCK_INODE(sock));
5110 peer_secid = isec->sid;
5112 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5115 *secid = peer_secid;
5116 if (peer_secid == SECSID_NULL)
5121 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5123 struct sk_security_struct *sksec;
5125 sksec = kzalloc(sizeof(*sksec), priority);
5129 sksec->peer_sid = SECINITSID_UNLABELED;
5130 sksec->sid = SECINITSID_UNLABELED;
5131 sksec->sclass = SECCLASS_SOCKET;
5132 selinux_netlbl_sk_security_reset(sksec);
5133 sk->sk_security = sksec;
5138 static void selinux_sk_free_security(struct sock *sk)
5140 struct sk_security_struct *sksec = sk->sk_security;
5142 sk->sk_security = NULL;
5143 selinux_netlbl_sk_security_free(sksec);
5147 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5149 struct sk_security_struct *sksec = sk->sk_security;
5150 struct sk_security_struct *newsksec = newsk->sk_security;
5152 newsksec->sid = sksec->sid;
5153 newsksec->peer_sid = sksec->peer_sid;
5154 newsksec->sclass = sksec->sclass;
5156 selinux_netlbl_sk_security_reset(newsksec);
5159 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5162 *secid = SECINITSID_ANY_SOCKET;
5164 struct sk_security_struct *sksec = sk->sk_security;
5166 *secid = sksec->sid;
5170 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5172 struct inode_security_struct *isec =
5173 inode_security_novalidate(SOCK_INODE(parent));
5174 struct sk_security_struct *sksec = sk->sk_security;
5176 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5177 sk->sk_family == PF_UNIX)
5178 isec->sid = sksec->sid;
5179 sksec->sclass = isec->sclass;
5182 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5183 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5186 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5187 struct sk_buff *skb)
5189 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5190 struct common_audit_data ad;
5191 struct lsm_network_audit net = {0,};
5193 u32 peer_sid = SECINITSID_UNLABELED;
5197 if (!selinux_policycap_extsockclass())
5200 peerlbl_active = selinux_peerlbl_enabled();
5202 if (peerlbl_active) {
5203 /* This will return peer_sid = SECSID_NULL if there are
5204 * no peer labels, see security_net_peersid_resolve().
5206 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5211 if (peer_sid == SECSID_NULL)
5212 peer_sid = SECINITSID_UNLABELED;
5215 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5216 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5218 /* Here as first association on socket. As the peer SID
5219 * was allowed by peer recv (and the netif/node checks),
5220 * then it is approved by policy and used as the primary
5221 * peer SID for getpeercon(3).
5223 sksec->peer_sid = peer_sid;
5224 } else if (sksec->peer_sid != peer_sid) {
5225 /* Other association peer SIDs are checked to enforce
5226 * consistency among the peer SIDs.
5228 ad.type = LSM_AUDIT_DATA_NET;
5230 ad.u.net->sk = ep->base.sk;
5231 err = avc_has_perm(&selinux_state,
5232 sksec->peer_sid, peer_sid, sksec->sclass,
5233 SCTP_SOCKET__ASSOCIATION, &ad);
5238 /* Compute the MLS component for the connection and store
5239 * the information in ep. This will be used by SCTP TCP type
5240 * sockets and peeled off connections as they cause a new
5241 * socket to be generated. selinux_sctp_sk_clone() will then
5242 * plug this into the new socket.
5244 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5248 ep->secid = conn_sid;
5249 ep->peer_secid = peer_sid;
5251 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5252 return selinux_netlbl_sctp_assoc_request(ep, skb);
5255 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5256 * based on their @optname.
5258 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5259 struct sockaddr *address,
5262 int len, err = 0, walk_size = 0;
5264 struct sockaddr *addr;
5265 struct socket *sock;
5267 if (!selinux_policycap_extsockclass())
5270 /* Process one or more addresses that may be IPv4 or IPv6 */
5271 sock = sk->sk_socket;
5274 while (walk_size < addrlen) {
5276 switch (addr->sa_family) {
5278 len = sizeof(struct sockaddr_in);
5281 len = sizeof(struct sockaddr_in6);
5284 return -EAFNOSUPPORT;
5290 case SCTP_PRIMARY_ADDR:
5291 case SCTP_SET_PEER_PRIMARY_ADDR:
5292 case SCTP_SOCKOPT_BINDX_ADD:
5293 err = selinux_socket_bind(sock, addr, len);
5295 /* Connect checks */
5296 case SCTP_SOCKOPT_CONNECTX:
5297 case SCTP_PARAM_SET_PRIMARY:
5298 case SCTP_PARAM_ADD_IP:
5299 case SCTP_SENDMSG_CONNECT:
5300 err = selinux_socket_connect_helper(sock, addr, len);
5304 /* As selinux_sctp_bind_connect() is called by the
5305 * SCTP protocol layer, the socket is already locked,
5306 * therefore selinux_netlbl_socket_connect_locked() is
5307 * is called here. The situations handled are:
5308 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5309 * whenever a new IP address is added or when a new
5310 * primary address is selected.
5311 * Note that an SCTP connect(2) call happens before
5312 * the SCTP protocol layer and is handled via
5313 * selinux_socket_connect().
5315 err = selinux_netlbl_socket_connect_locked(sk, addr);
5329 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5330 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5333 struct sk_security_struct *sksec = sk->sk_security;
5334 struct sk_security_struct *newsksec = newsk->sk_security;
5336 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5337 * the non-sctp clone version.
5339 if (!selinux_policycap_extsockclass())
5340 return selinux_sk_clone_security(sk, newsk);
5342 newsksec->sid = ep->secid;
5343 newsksec->peer_sid = ep->peer_secid;
5344 newsksec->sclass = sksec->sclass;
5345 selinux_netlbl_sctp_sk_clone(sk, newsk);
5348 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5349 struct request_sock *req)
5351 struct sk_security_struct *sksec = sk->sk_security;
5353 u16 family = req->rsk_ops->family;
5357 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5360 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5363 req->secid = connsid;
5364 req->peer_secid = peersid;
5366 return selinux_netlbl_inet_conn_request(req, family);
5369 static void selinux_inet_csk_clone(struct sock *newsk,
5370 const struct request_sock *req)
5372 struct sk_security_struct *newsksec = newsk->sk_security;
5374 newsksec->sid = req->secid;
5375 newsksec->peer_sid = req->peer_secid;
5376 /* NOTE: Ideally, we should also get the isec->sid for the
5377 new socket in sync, but we don't have the isec available yet.
5378 So we will wait until sock_graft to do it, by which
5379 time it will have been created and available. */
5381 /* We don't need to take any sort of lock here as we are the only
5382 * thread with access to newsksec */
5383 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5386 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5388 u16 family = sk->sk_family;
5389 struct sk_security_struct *sksec = sk->sk_security;
5391 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5392 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5395 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5398 static int selinux_secmark_relabel_packet(u32 sid)
5400 const struct task_security_struct *__tsec;
5403 __tsec = current_security();
5406 return avc_has_perm(&selinux_state,
5407 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5411 static void selinux_secmark_refcount_inc(void)
5413 atomic_inc(&selinux_secmark_refcount);
5416 static void selinux_secmark_refcount_dec(void)
5418 atomic_dec(&selinux_secmark_refcount);
5421 static void selinux_req_classify_flow(const struct request_sock *req,
5424 fl->flowi_secid = req->secid;
5427 static int selinux_tun_dev_alloc_security(void **security)
5429 struct tun_security_struct *tunsec;
5431 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5434 tunsec->sid = current_sid();
5440 static void selinux_tun_dev_free_security(void *security)
5445 static int selinux_tun_dev_create(void)
5447 u32 sid = current_sid();
5449 /* we aren't taking into account the "sockcreate" SID since the socket
5450 * that is being created here is not a socket in the traditional sense,
5451 * instead it is a private sock, accessible only to the kernel, and
5452 * representing a wide range of network traffic spanning multiple
5453 * connections unlike traditional sockets - check the TUN driver to
5454 * get a better understanding of why this socket is special */
5456 return avc_has_perm(&selinux_state,
5457 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5461 static int selinux_tun_dev_attach_queue(void *security)
5463 struct tun_security_struct *tunsec = security;
5465 return avc_has_perm(&selinux_state,
5466 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5467 TUN_SOCKET__ATTACH_QUEUE, NULL);
5470 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5472 struct tun_security_struct *tunsec = security;
5473 struct sk_security_struct *sksec = sk->sk_security;
5475 /* we don't currently perform any NetLabel based labeling here and it
5476 * isn't clear that we would want to do so anyway; while we could apply
5477 * labeling without the support of the TUN user the resulting labeled
5478 * traffic from the other end of the connection would almost certainly
5479 * cause confusion to the TUN user that had no idea network labeling
5480 * protocols were being used */
5482 sksec->sid = tunsec->sid;
5483 sksec->sclass = SECCLASS_TUN_SOCKET;
5488 static int selinux_tun_dev_open(void *security)
5490 struct tun_security_struct *tunsec = security;
5491 u32 sid = current_sid();
5494 err = avc_has_perm(&selinux_state,
5495 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5496 TUN_SOCKET__RELABELFROM, NULL);
5499 err = avc_has_perm(&selinux_state,
5500 sid, sid, SECCLASS_TUN_SOCKET,
5501 TUN_SOCKET__RELABELTO, NULL);
5509 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5513 struct nlmsghdr *nlh;
5514 struct sk_security_struct *sksec = sk->sk_security;
5516 if (skb->len < NLMSG_HDRLEN) {
5520 nlh = nlmsg_hdr(skb);
5522 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5524 if (err == -EINVAL) {
5525 pr_warn_ratelimited("SELinux: unrecognized netlink"
5526 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5527 " pig=%d comm=%s\n",
5528 sk->sk_protocol, nlh->nlmsg_type,
5529 secclass_map[sksec->sclass - 1].name,
5530 task_pid_nr(current), current->comm);
5531 if (!enforcing_enabled(&selinux_state) ||
5532 security_get_allow_unknown(&selinux_state))
5542 err = sock_has_perm(sk, perm);
5547 #ifdef CONFIG_NETFILTER
5549 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5550 const struct net_device *indev,
5556 struct common_audit_data ad;
5557 struct lsm_network_audit net = {0,};
5562 if (!selinux_policycap_netpeer())
5565 secmark_active = selinux_secmark_enabled();
5566 netlbl_active = netlbl_enabled();
5567 peerlbl_active = selinux_peerlbl_enabled();
5568 if (!secmark_active && !peerlbl_active)
5571 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5574 ad.type = LSM_AUDIT_DATA_NET;
5576 ad.u.net->netif = indev->ifindex;
5577 ad.u.net->family = family;
5578 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5581 if (peerlbl_active) {
5582 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5583 addrp, family, peer_sid, &ad);
5585 selinux_netlbl_err(skb, family, err, 1);
5591 if (avc_has_perm(&selinux_state,
5592 peer_sid, skb->secmark,
5593 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5597 /* we do this in the FORWARD path and not the POST_ROUTING
5598 * path because we want to make sure we apply the necessary
5599 * labeling before IPsec is applied so we can leverage AH
5601 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5607 static unsigned int selinux_ipv4_forward(void *priv,
5608 struct sk_buff *skb,
5609 const struct nf_hook_state *state)
5611 return selinux_ip_forward(skb, state->in, PF_INET);
5614 #if IS_ENABLED(CONFIG_IPV6)
5615 static unsigned int selinux_ipv6_forward(void *priv,
5616 struct sk_buff *skb,
5617 const struct nf_hook_state *state)
5619 return selinux_ip_forward(skb, state->in, PF_INET6);
5623 static unsigned int selinux_ip_output(struct sk_buff *skb,
5629 if (!netlbl_enabled())
5632 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5633 * because we want to make sure we apply the necessary labeling
5634 * before IPsec is applied so we can leverage AH protection */
5637 struct sk_security_struct *sksec;
5639 if (sk_listener(sk))
5640 /* if the socket is the listening state then this
5641 * packet is a SYN-ACK packet which means it needs to
5642 * be labeled based on the connection/request_sock and
5643 * not the parent socket. unfortunately, we can't
5644 * lookup the request_sock yet as it isn't queued on
5645 * the parent socket until after the SYN-ACK is sent.
5646 * the "solution" is to simply pass the packet as-is
5647 * as any IP option based labeling should be copied
5648 * from the initial connection request (in the IP
5649 * layer). it is far from ideal, but until we get a
5650 * security label in the packet itself this is the
5651 * best we can do. */
5654 /* standard practice, label using the parent socket */
5655 sksec = sk->sk_security;
5658 sid = SECINITSID_KERNEL;
5659 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5665 static unsigned int selinux_ipv4_output(void *priv,
5666 struct sk_buff *skb,
5667 const struct nf_hook_state *state)
5669 return selinux_ip_output(skb, PF_INET);
5672 #if IS_ENABLED(CONFIG_IPV6)
5673 static unsigned int selinux_ipv6_output(void *priv,
5674 struct sk_buff *skb,
5675 const struct nf_hook_state *state)
5677 return selinux_ip_output(skb, PF_INET6);
5681 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5685 struct sock *sk = skb_to_full_sk(skb);
5686 struct sk_security_struct *sksec;
5687 struct common_audit_data ad;
5688 struct lsm_network_audit net = {0,};
5694 sksec = sk->sk_security;
5696 ad.type = LSM_AUDIT_DATA_NET;
5698 ad.u.net->netif = ifindex;
5699 ad.u.net->family = family;
5700 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5703 if (selinux_secmark_enabled())
5704 if (avc_has_perm(&selinux_state,
5705 sksec->sid, skb->secmark,
5706 SECCLASS_PACKET, PACKET__SEND, &ad))
5707 return NF_DROP_ERR(-ECONNREFUSED);
5709 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5710 return NF_DROP_ERR(-ECONNREFUSED);
5715 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5716 const struct net_device *outdev,
5721 int ifindex = outdev->ifindex;
5723 struct common_audit_data ad;
5724 struct lsm_network_audit net = {0,};
5729 /* If any sort of compatibility mode is enabled then handoff processing
5730 * to the selinux_ip_postroute_compat() function to deal with the
5731 * special handling. We do this in an attempt to keep this function
5732 * as fast and as clean as possible. */
5733 if (!selinux_policycap_netpeer())
5734 return selinux_ip_postroute_compat(skb, ifindex, family);
5736 secmark_active = selinux_secmark_enabled();
5737 peerlbl_active = selinux_peerlbl_enabled();
5738 if (!secmark_active && !peerlbl_active)
5741 sk = skb_to_full_sk(skb);
5744 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5745 * packet transformation so allow the packet to pass without any checks
5746 * since we'll have another chance to perform access control checks
5747 * when the packet is on it's final way out.
5748 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5749 * is NULL, in this case go ahead and apply access control.
5750 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5751 * TCP listening state we cannot wait until the XFRM processing
5752 * is done as we will miss out on the SA label if we do;
5753 * unfortunately, this means more work, but it is only once per
5755 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5756 !(sk && sk_listener(sk)))
5761 /* Without an associated socket the packet is either coming
5762 * from the kernel or it is being forwarded; check the packet
5763 * to determine which and if the packet is being forwarded
5764 * query the packet directly to determine the security label. */
5766 secmark_perm = PACKET__FORWARD_OUT;
5767 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5770 secmark_perm = PACKET__SEND;
5771 peer_sid = SECINITSID_KERNEL;
5773 } else if (sk_listener(sk)) {
5774 /* Locally generated packet but the associated socket is in the
5775 * listening state which means this is a SYN-ACK packet. In
5776 * this particular case the correct security label is assigned
5777 * to the connection/request_sock but unfortunately we can't
5778 * query the request_sock as it isn't queued on the parent
5779 * socket until after the SYN-ACK packet is sent; the only
5780 * viable choice is to regenerate the label like we do in
5781 * selinux_inet_conn_request(). See also selinux_ip_output()
5782 * for similar problems. */
5784 struct sk_security_struct *sksec;
5786 sksec = sk->sk_security;
5787 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5789 /* At this point, if the returned skb peerlbl is SECSID_NULL
5790 * and the packet has been through at least one XFRM
5791 * transformation then we must be dealing with the "final"
5792 * form of labeled IPsec packet; since we've already applied
5793 * all of our access controls on this packet we can safely
5794 * pass the packet. */
5795 if (skb_sid == SECSID_NULL) {
5798 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5802 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5806 return NF_DROP_ERR(-ECONNREFUSED);
5809 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5811 secmark_perm = PACKET__SEND;
5813 /* Locally generated packet, fetch the security label from the
5814 * associated socket. */
5815 struct sk_security_struct *sksec = sk->sk_security;
5816 peer_sid = sksec->sid;
5817 secmark_perm = PACKET__SEND;
5820 ad.type = LSM_AUDIT_DATA_NET;
5822 ad.u.net->netif = ifindex;
5823 ad.u.net->family = family;
5824 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5828 if (avc_has_perm(&selinux_state,
5829 peer_sid, skb->secmark,
5830 SECCLASS_PACKET, secmark_perm, &ad))
5831 return NF_DROP_ERR(-ECONNREFUSED);
5833 if (peerlbl_active) {
5837 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5839 if (avc_has_perm(&selinux_state,
5841 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5842 return NF_DROP_ERR(-ECONNREFUSED);
5844 if (sel_netnode_sid(addrp, family, &node_sid))
5846 if (avc_has_perm(&selinux_state,
5848 SECCLASS_NODE, NODE__SENDTO, &ad))
5849 return NF_DROP_ERR(-ECONNREFUSED);
5855 static unsigned int selinux_ipv4_postroute(void *priv,
5856 struct sk_buff *skb,
5857 const struct nf_hook_state *state)
5859 return selinux_ip_postroute(skb, state->out, PF_INET);
5862 #if IS_ENABLED(CONFIG_IPV6)
5863 static unsigned int selinux_ipv6_postroute(void *priv,
5864 struct sk_buff *skb,
5865 const struct nf_hook_state *state)
5867 return selinux_ip_postroute(skb, state->out, PF_INET6);
5871 #endif /* CONFIG_NETFILTER */
5873 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5875 return selinux_nlmsg_perm(sk, skb);
5878 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5881 struct ipc_security_struct *isec;
5883 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5887 isec->sclass = sclass;
5888 isec->sid = current_sid();
5889 perm->security = isec;
5894 static void ipc_free_security(struct kern_ipc_perm *perm)
5896 struct ipc_security_struct *isec = perm->security;
5897 perm->security = NULL;
5901 static int msg_msg_alloc_security(struct msg_msg *msg)
5903 struct msg_security_struct *msec;
5905 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5909 msec->sid = SECINITSID_UNLABELED;
5910 msg->security = msec;
5915 static void msg_msg_free_security(struct msg_msg *msg)
5917 struct msg_security_struct *msec = msg->security;
5919 msg->security = NULL;
5923 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5926 struct ipc_security_struct *isec;
5927 struct common_audit_data ad;
5928 u32 sid = current_sid();
5930 isec = ipc_perms->security;
5932 ad.type = LSM_AUDIT_DATA_IPC;
5933 ad.u.ipc_id = ipc_perms->key;
5935 return avc_has_perm(&selinux_state,
5936 sid, isec->sid, isec->sclass, perms, &ad);
5939 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5941 return msg_msg_alloc_security(msg);
5944 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5946 msg_msg_free_security(msg);
5949 /* message queue security operations */
5950 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5952 struct ipc_security_struct *isec;
5953 struct common_audit_data ad;
5954 u32 sid = current_sid();
5957 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
5961 isec = msq->security;
5963 ad.type = LSM_AUDIT_DATA_IPC;
5964 ad.u.ipc_id = msq->key;
5966 rc = avc_has_perm(&selinux_state,
5967 sid, isec->sid, SECCLASS_MSGQ,
5970 ipc_free_security(msq);
5976 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
5978 ipc_free_security(msq);
5981 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5983 struct ipc_security_struct *isec;
5984 struct common_audit_data ad;
5985 u32 sid = current_sid();
5987 isec = msq->security;
5989 ad.type = LSM_AUDIT_DATA_IPC;
5990 ad.u.ipc_id = msq->key;
5992 return avc_has_perm(&selinux_state,
5993 sid, isec->sid, SECCLASS_MSGQ,
5994 MSGQ__ASSOCIATE, &ad);
5997 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6005 /* No specific object, just general system-wide information. */
6006 return avc_has_perm(&selinux_state,
6007 current_sid(), SECINITSID_KERNEL,
6008 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6012 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6015 perms = MSGQ__SETATTR;
6018 perms = MSGQ__DESTROY;
6024 err = ipc_has_perm(msq, perms);
6028 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6030 struct ipc_security_struct *isec;
6031 struct msg_security_struct *msec;
6032 struct common_audit_data ad;
6033 u32 sid = current_sid();
6036 isec = msq->security;
6037 msec = msg->security;
6040 * First time through, need to assign label to the message
6042 if (msec->sid == SECINITSID_UNLABELED) {
6044 * Compute new sid based on current process and
6045 * message queue this message will be stored in
6047 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6048 SECCLASS_MSG, NULL, &msec->sid);
6053 ad.type = LSM_AUDIT_DATA_IPC;
6054 ad.u.ipc_id = msq->key;
6056 /* Can this process write to the queue? */
6057 rc = avc_has_perm(&selinux_state,
6058 sid, isec->sid, SECCLASS_MSGQ,
6061 /* Can this process send the message */
6062 rc = avc_has_perm(&selinux_state,
6063 sid, msec->sid, SECCLASS_MSG,
6066 /* Can the message be put in the queue? */
6067 rc = avc_has_perm(&selinux_state,
6068 msec->sid, isec->sid, SECCLASS_MSGQ,
6069 MSGQ__ENQUEUE, &ad);
6074 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6075 struct task_struct *target,
6076 long type, int mode)
6078 struct ipc_security_struct *isec;
6079 struct msg_security_struct *msec;
6080 struct common_audit_data ad;
6081 u32 sid = task_sid(target);
6084 isec = msq->security;
6085 msec = msg->security;
6087 ad.type = LSM_AUDIT_DATA_IPC;
6088 ad.u.ipc_id = msq->key;
6090 rc = avc_has_perm(&selinux_state,
6092 SECCLASS_MSGQ, MSGQ__READ, &ad);
6094 rc = avc_has_perm(&selinux_state,
6096 SECCLASS_MSG, MSG__RECEIVE, &ad);
6100 /* Shared Memory security operations */
6101 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6103 struct ipc_security_struct *isec;
6104 struct common_audit_data ad;
6105 u32 sid = current_sid();
6108 rc = ipc_alloc_security(shp, SECCLASS_SHM);
6112 isec = shp->security;
6114 ad.type = LSM_AUDIT_DATA_IPC;
6115 ad.u.ipc_id = shp->key;
6117 rc = avc_has_perm(&selinux_state,
6118 sid, isec->sid, SECCLASS_SHM,
6121 ipc_free_security(shp);
6127 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6129 ipc_free_security(shp);
6132 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6134 struct ipc_security_struct *isec;
6135 struct common_audit_data ad;
6136 u32 sid = current_sid();
6138 isec = shp->security;
6140 ad.type = LSM_AUDIT_DATA_IPC;
6141 ad.u.ipc_id = shp->key;
6143 return avc_has_perm(&selinux_state,
6144 sid, isec->sid, SECCLASS_SHM,
6145 SHM__ASSOCIATE, &ad);
6148 /* Note, at this point, shp is locked down */
6149 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6157 /* No specific object, just general system-wide information. */
6158 return avc_has_perm(&selinux_state,
6159 current_sid(), SECINITSID_KERNEL,
6160 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6164 perms = SHM__GETATTR | SHM__ASSOCIATE;
6167 perms = SHM__SETATTR;
6174 perms = SHM__DESTROY;
6180 err = ipc_has_perm(shp, perms);
6184 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6185 char __user *shmaddr, int shmflg)
6189 if (shmflg & SHM_RDONLY)
6192 perms = SHM__READ | SHM__WRITE;
6194 return ipc_has_perm(shp, perms);
6197 /* Semaphore security operations */
6198 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6200 struct ipc_security_struct *isec;
6201 struct common_audit_data ad;
6202 u32 sid = current_sid();
6205 rc = ipc_alloc_security(sma, SECCLASS_SEM);
6209 isec = sma->security;
6211 ad.type = LSM_AUDIT_DATA_IPC;
6212 ad.u.ipc_id = sma->key;
6214 rc = avc_has_perm(&selinux_state,
6215 sid, isec->sid, SECCLASS_SEM,
6218 ipc_free_security(sma);
6224 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6226 ipc_free_security(sma);
6229 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6231 struct ipc_security_struct *isec;
6232 struct common_audit_data ad;
6233 u32 sid = current_sid();
6235 isec = sma->security;
6237 ad.type = LSM_AUDIT_DATA_IPC;
6238 ad.u.ipc_id = sma->key;
6240 return avc_has_perm(&selinux_state,
6241 sid, isec->sid, SECCLASS_SEM,
6242 SEM__ASSOCIATE, &ad);
6245 /* Note, at this point, sma is locked down */
6246 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6254 /* No specific object, just general system-wide information. */
6255 return avc_has_perm(&selinux_state,
6256 current_sid(), SECINITSID_KERNEL,
6257 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6261 perms = SEM__GETATTR;
6272 perms = SEM__DESTROY;
6275 perms = SEM__SETATTR;
6280 perms = SEM__GETATTR | SEM__ASSOCIATE;
6286 err = ipc_has_perm(sma, perms);
6290 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6291 struct sembuf *sops, unsigned nsops, int alter)
6296 perms = SEM__READ | SEM__WRITE;
6300 return ipc_has_perm(sma, perms);
6303 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6309 av |= IPC__UNIX_READ;
6311 av |= IPC__UNIX_WRITE;
6316 return ipc_has_perm(ipcp, av);
6319 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6321 struct ipc_security_struct *isec = ipcp->security;
6325 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6328 inode_doinit_with_dentry(inode, dentry);
6331 static int selinux_getprocattr(struct task_struct *p,
6332 char *name, char **value)
6334 const struct task_security_struct *__tsec;
6340 __tsec = __task_cred(p)->security;
6343 error = avc_has_perm(&selinux_state,
6344 current_sid(), __tsec->sid,
6345 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6350 if (!strcmp(name, "current"))
6352 else if (!strcmp(name, "prev"))
6354 else if (!strcmp(name, "exec"))
6355 sid = __tsec->exec_sid;
6356 else if (!strcmp(name, "fscreate"))
6357 sid = __tsec->create_sid;
6358 else if (!strcmp(name, "keycreate"))
6359 sid = __tsec->keycreate_sid;
6360 else if (!strcmp(name, "sockcreate"))
6361 sid = __tsec->sockcreate_sid;
6371 error = security_sid_to_context(&selinux_state, sid, value, &len);
6381 static int selinux_setprocattr(const char *name, void *value, size_t size)
6383 struct task_security_struct *tsec;
6385 u32 mysid = current_sid(), sid = 0, ptsid;
6390 * Basic control over ability to set these attributes at all.
6392 if (!strcmp(name, "exec"))
6393 error = avc_has_perm(&selinux_state,
6394 mysid, mysid, SECCLASS_PROCESS,
6395 PROCESS__SETEXEC, NULL);
6396 else if (!strcmp(name, "fscreate"))
6397 error = avc_has_perm(&selinux_state,
6398 mysid, mysid, SECCLASS_PROCESS,
6399 PROCESS__SETFSCREATE, NULL);
6400 else if (!strcmp(name, "keycreate"))
6401 error = avc_has_perm(&selinux_state,
6402 mysid, mysid, SECCLASS_PROCESS,
6403 PROCESS__SETKEYCREATE, NULL);
6404 else if (!strcmp(name, "sockcreate"))
6405 error = avc_has_perm(&selinux_state,
6406 mysid, mysid, SECCLASS_PROCESS,
6407 PROCESS__SETSOCKCREATE, NULL);
6408 else if (!strcmp(name, "current"))
6409 error = avc_has_perm(&selinux_state,
6410 mysid, mysid, SECCLASS_PROCESS,
6411 PROCESS__SETCURRENT, NULL);
6417 /* Obtain a SID for the context, if one was specified. */
6418 if (size && str[0] && str[0] != '\n') {
6419 if (str[size-1] == '\n') {
6423 error = security_context_to_sid(&selinux_state, value, size,
6425 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6426 if (!has_cap_mac_admin(true)) {
6427 struct audit_buffer *ab;
6430 /* We strip a nul only if it is at the end, otherwise the
6431 * context contains a nul and we should audit that */
6432 if (str[size - 1] == '\0')
6433 audit_size = size - 1;
6436 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
6437 audit_log_format(ab, "op=fscreate invalid_context=");
6438 audit_log_n_untrustedstring(ab, value, audit_size);
6443 error = security_context_to_sid_force(
6451 new = prepare_creds();
6455 /* Permission checking based on the specified context is
6456 performed during the actual operation (execve,
6457 open/mkdir/...), when we know the full context of the
6458 operation. See selinux_bprm_set_creds for the execve
6459 checks and may_create for the file creation checks. The
6460 operation will then fail if the context is not permitted. */
6461 tsec = new->security;
6462 if (!strcmp(name, "exec")) {
6463 tsec->exec_sid = sid;
6464 } else if (!strcmp(name, "fscreate")) {
6465 tsec->create_sid = sid;
6466 } else if (!strcmp(name, "keycreate")) {
6467 error = avc_has_perm(&selinux_state,
6468 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6472 tsec->keycreate_sid = sid;
6473 } else if (!strcmp(name, "sockcreate")) {
6474 tsec->sockcreate_sid = sid;
6475 } else if (!strcmp(name, "current")) {
6480 /* Only allow single threaded processes to change context */
6482 if (!current_is_single_threaded()) {
6483 error = security_bounded_transition(&selinux_state,
6489 /* Check permissions for the transition. */
6490 error = avc_has_perm(&selinux_state,
6491 tsec->sid, sid, SECCLASS_PROCESS,
6492 PROCESS__DYNTRANSITION, NULL);
6496 /* Check for ptracing, and update the task SID if ok.
6497 Otherwise, leave SID unchanged and fail. */
6498 ptsid = ptrace_parent_sid();
6500 error = avc_has_perm(&selinux_state,
6501 ptsid, sid, SECCLASS_PROCESS,
6502 PROCESS__PTRACE, NULL);
6521 static int selinux_ismaclabel(const char *name)
6523 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6526 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6528 return security_sid_to_context(&selinux_state, secid,
6532 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6534 return security_context_to_sid(&selinux_state, secdata, seclen,
6538 static void selinux_release_secctx(char *secdata, u32 seclen)
6543 static void selinux_inode_invalidate_secctx(struct inode *inode)
6545 struct inode_security_struct *isec = inode->i_security;
6547 spin_lock(&isec->lock);
6548 isec->initialized = LABEL_INVALID;
6549 spin_unlock(&isec->lock);
6553 * called with inode->i_mutex locked
6555 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6557 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6561 * called with inode->i_mutex locked
6563 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6565 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6568 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6571 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6580 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6581 unsigned long flags)
6583 const struct task_security_struct *tsec;
6584 struct key_security_struct *ksec;
6586 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6590 tsec = cred->security;
6591 if (tsec->keycreate_sid)
6592 ksec->sid = tsec->keycreate_sid;
6594 ksec->sid = tsec->sid;
6600 static void selinux_key_free(struct key *k)
6602 struct key_security_struct *ksec = k->security;
6608 static int selinux_key_permission(key_ref_t key_ref,
6609 const struct cred *cred,
6613 struct key_security_struct *ksec;
6616 /* if no specific permissions are requested, we skip the
6617 permission check. No serious, additional covert channels
6618 appear to be created. */
6622 sid = cred_sid(cred);
6624 key = key_ref_to_ptr(key_ref);
6625 ksec = key->security;
6627 return avc_has_perm(&selinux_state,
6628 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6631 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6633 struct key_security_struct *ksec = key->security;
6634 char *context = NULL;
6638 rc = security_sid_to_context(&selinux_state, ksec->sid,
6647 #ifdef CONFIG_SECURITY_INFINIBAND
6648 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6650 struct common_audit_data ad;
6653 struct ib_security_struct *sec = ib_sec;
6654 struct lsm_ibpkey_audit ibpkey;
6656 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6660 ad.type = LSM_AUDIT_DATA_IBPKEY;
6661 ibpkey.subnet_prefix = subnet_prefix;
6662 ibpkey.pkey = pkey_val;
6663 ad.u.ibpkey = &ibpkey;
6664 return avc_has_perm(&selinux_state,
6666 SECCLASS_INFINIBAND_PKEY,
6667 INFINIBAND_PKEY__ACCESS, &ad);
6670 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6673 struct common_audit_data ad;
6676 struct ib_security_struct *sec = ib_sec;
6677 struct lsm_ibendport_audit ibendport;
6679 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6685 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6686 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6687 ibendport.port = port_num;
6688 ad.u.ibendport = &ibendport;
6689 return avc_has_perm(&selinux_state,
6691 SECCLASS_INFINIBAND_ENDPORT,
6692 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6695 static int selinux_ib_alloc_security(void **ib_sec)
6697 struct ib_security_struct *sec;
6699 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6702 sec->sid = current_sid();
6708 static void selinux_ib_free_security(void *ib_sec)
6714 #ifdef CONFIG_BPF_SYSCALL
6715 static int selinux_bpf(int cmd, union bpf_attr *attr,
6718 u32 sid = current_sid();
6722 case BPF_MAP_CREATE:
6723 ret = avc_has_perm(&selinux_state,
6724 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6728 ret = avc_has_perm(&selinux_state,
6729 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6740 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6744 if (fmode & FMODE_READ)
6745 av |= BPF__MAP_READ;
6746 if (fmode & FMODE_WRITE)
6747 av |= BPF__MAP_WRITE;
6751 /* This function will check the file pass through unix socket or binder to see
6752 * if it is a bpf related object. And apply correspinding checks on the bpf
6753 * object based on the type. The bpf maps and programs, not like other files and
6754 * socket, are using a shared anonymous inode inside the kernel as their inode.
6755 * So checking that inode cannot identify if the process have privilege to
6756 * access the bpf object and that's why we have to add this additional check in
6757 * selinux_file_receive and selinux_binder_transfer_files.
6759 static int bpf_fd_pass(struct file *file, u32 sid)
6761 struct bpf_security_struct *bpfsec;
6762 struct bpf_prog *prog;
6763 struct bpf_map *map;
6766 if (file->f_op == &bpf_map_fops) {
6767 map = file->private_data;
6768 bpfsec = map->security;
6769 ret = avc_has_perm(&selinux_state,
6770 sid, bpfsec->sid, SECCLASS_BPF,
6771 bpf_map_fmode_to_av(file->f_mode), NULL);
6774 } else if (file->f_op == &bpf_prog_fops) {
6775 prog = file->private_data;
6776 bpfsec = prog->aux->security;
6777 ret = avc_has_perm(&selinux_state,
6778 sid, bpfsec->sid, SECCLASS_BPF,
6779 BPF__PROG_RUN, NULL);
6786 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6788 u32 sid = current_sid();
6789 struct bpf_security_struct *bpfsec;
6791 bpfsec = map->security;
6792 return avc_has_perm(&selinux_state,
6793 sid, bpfsec->sid, SECCLASS_BPF,
6794 bpf_map_fmode_to_av(fmode), NULL);
6797 static int selinux_bpf_prog(struct bpf_prog *prog)
6799 u32 sid = current_sid();
6800 struct bpf_security_struct *bpfsec;
6802 bpfsec = prog->aux->security;
6803 return avc_has_perm(&selinux_state,
6804 sid, bpfsec->sid, SECCLASS_BPF,
6805 BPF__PROG_RUN, NULL);
6808 static int selinux_bpf_map_alloc(struct bpf_map *map)
6810 struct bpf_security_struct *bpfsec;
6812 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6816 bpfsec->sid = current_sid();
6817 map->security = bpfsec;
6822 static void selinux_bpf_map_free(struct bpf_map *map)
6824 struct bpf_security_struct *bpfsec = map->security;
6826 map->security = NULL;
6830 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6832 struct bpf_security_struct *bpfsec;
6834 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6838 bpfsec->sid = current_sid();
6839 aux->security = bpfsec;
6844 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6846 struct bpf_security_struct *bpfsec = aux->security;
6848 aux->security = NULL;
6853 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6854 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6855 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6856 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6857 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6859 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6860 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6861 LSM_HOOK_INIT(capget, selinux_capget),
6862 LSM_HOOK_INIT(capset, selinux_capset),
6863 LSM_HOOK_INIT(capable, selinux_capable),
6864 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6865 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6866 LSM_HOOK_INIT(syslog, selinux_syslog),
6867 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6869 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6871 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6872 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6873 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6875 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6876 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6877 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6878 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6879 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6880 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6881 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6882 LSM_HOOK_INIT(sb_mount, selinux_mount),
6883 LSM_HOOK_INIT(sb_umount, selinux_umount),
6884 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6885 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6886 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6888 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6889 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6891 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6892 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6893 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6894 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6895 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6896 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6897 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6898 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6899 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6900 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6901 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6902 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6903 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6904 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6905 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6906 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6907 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6908 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6909 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6910 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6911 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6912 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6913 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6914 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6915 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6916 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6917 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6919 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6920 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6921 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6922 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6923 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6924 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6925 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6926 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6927 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6928 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6929 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6930 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6932 LSM_HOOK_INIT(file_open, selinux_file_open),
6934 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6935 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6936 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6937 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6938 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6939 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6940 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6941 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6942 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6943 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6944 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6945 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6946 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6947 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6948 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6949 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6950 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6951 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6952 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6953 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6954 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6955 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6956 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6957 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6959 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6960 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6962 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6963 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6965 LSM_HOOK_INIT(msg_queue_alloc_security,
6966 selinux_msg_queue_alloc_security),
6967 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6968 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6969 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6970 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6971 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6973 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6974 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6975 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6976 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6977 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6979 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6980 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6981 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6982 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6983 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6985 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6987 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6988 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6990 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6991 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6992 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6993 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6994 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6995 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6996 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6997 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6999 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7000 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7002 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7003 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7004 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7005 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7006 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7007 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7008 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7009 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7010 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7011 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7012 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7013 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7014 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7015 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7016 LSM_HOOK_INIT(socket_getpeersec_stream,
7017 selinux_socket_getpeersec_stream),
7018 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7019 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7020 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7021 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7022 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7023 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7024 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7025 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7026 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7027 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7028 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7029 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7030 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7031 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7032 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7033 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7034 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7035 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7036 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7037 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7038 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7039 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7040 #ifdef CONFIG_SECURITY_INFINIBAND
7041 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7042 LSM_HOOK_INIT(ib_endport_manage_subnet,
7043 selinux_ib_endport_manage_subnet),
7044 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7045 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7047 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7048 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7049 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7050 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7051 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7052 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7053 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7054 selinux_xfrm_state_alloc_acquire),
7055 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7056 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7057 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7058 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7059 selinux_xfrm_state_pol_flow_match),
7060 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7064 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7065 LSM_HOOK_INIT(key_free, selinux_key_free),
7066 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7067 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7071 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7072 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7073 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7074 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7077 #ifdef CONFIG_BPF_SYSCALL
7078 LSM_HOOK_INIT(bpf, selinux_bpf),
7079 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7080 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7081 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7082 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7083 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7084 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7088 static __init int selinux_init(void)
7090 if (!security_module_enable("selinux")) {
7091 selinux_enabled = 0;
7095 if (!selinux_enabled) {
7096 printk(KERN_INFO "SELinux: Disabled at boot.\n");
7100 printk(KERN_INFO "SELinux: Initializing.\n");
7102 memset(&selinux_state, 0, sizeof(selinux_state));
7103 enforcing_set(&selinux_state, selinux_enforcing_boot);
7104 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7105 selinux_ss_init(&selinux_state.ss);
7106 selinux_avc_init(&selinux_state.avc);
7108 /* Set the security state for the initial task. */
7109 cred_init_security();
7111 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7113 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7114 sizeof(struct inode_security_struct),
7115 0, SLAB_PANIC, NULL);
7116 file_security_cache = kmem_cache_create("selinux_file_security",
7117 sizeof(struct file_security_struct),
7118 0, SLAB_PANIC, NULL);
7123 ebitmap_cache_init();
7125 hashtab_cache_init();
7127 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7129 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7130 panic("SELinux: Unable to register AVC netcache callback\n");
7132 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7133 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7135 if (selinux_enforcing_boot)
7136 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
7138 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
7143 static void delayed_superblock_init(struct super_block *sb, void *unused)
7145 superblock_doinit(sb, NULL);
7148 void selinux_complete_init(void)
7150 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
7152 /* Set up any superblocks initialized prior to the policy load. */
7153 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
7154 iterate_supers(delayed_superblock_init, NULL);
7157 /* SELinux requires early initialization in order to label
7158 all processes and objects when they are created. */
7159 security_initcall(selinux_init);
7161 #if defined(CONFIG_NETFILTER)
7163 static const struct nf_hook_ops selinux_nf_ops[] = {
7165 .hook = selinux_ipv4_postroute,
7167 .hooknum = NF_INET_POST_ROUTING,
7168 .priority = NF_IP_PRI_SELINUX_LAST,
7171 .hook = selinux_ipv4_forward,
7173 .hooknum = NF_INET_FORWARD,
7174 .priority = NF_IP_PRI_SELINUX_FIRST,
7177 .hook = selinux_ipv4_output,
7179 .hooknum = NF_INET_LOCAL_OUT,
7180 .priority = NF_IP_PRI_SELINUX_FIRST,
7182 #if IS_ENABLED(CONFIG_IPV6)
7184 .hook = selinux_ipv6_postroute,
7186 .hooknum = NF_INET_POST_ROUTING,
7187 .priority = NF_IP6_PRI_SELINUX_LAST,
7190 .hook = selinux_ipv6_forward,
7192 .hooknum = NF_INET_FORWARD,
7193 .priority = NF_IP6_PRI_SELINUX_FIRST,
7196 .hook = selinux_ipv6_output,
7198 .hooknum = NF_INET_LOCAL_OUT,
7199 .priority = NF_IP6_PRI_SELINUX_FIRST,
7204 static int __net_init selinux_nf_register(struct net *net)
7206 return nf_register_net_hooks(net, selinux_nf_ops,
7207 ARRAY_SIZE(selinux_nf_ops));
7210 static void __net_exit selinux_nf_unregister(struct net *net)
7212 nf_unregister_net_hooks(net, selinux_nf_ops,
7213 ARRAY_SIZE(selinux_nf_ops));
7216 static struct pernet_operations selinux_net_ops = {
7217 .init = selinux_nf_register,
7218 .exit = selinux_nf_unregister,
7221 static int __init selinux_nf_ip_init(void)
7225 if (!selinux_enabled)
7228 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
7230 err = register_pernet_subsys(&selinux_net_ops);
7232 panic("SELinux: register_pernet_subsys: error %d\n", err);
7236 __initcall(selinux_nf_ip_init);
7238 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7239 static void selinux_nf_ip_exit(void)
7241 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
7243 unregister_pernet_subsys(&selinux_net_ops);
7247 #else /* CONFIG_NETFILTER */
7249 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7250 #define selinux_nf_ip_exit()
7253 #endif /* CONFIG_NETFILTER */
7255 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7256 int selinux_disable(struct selinux_state *state)
7258 if (state->initialized) {
7259 /* Not permitted after initial policy load. */
7263 if (state->disabled) {
7264 /* Only do this once. */
7268 state->disabled = 1;
7270 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
7272 selinux_enabled = 0;
7274 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7276 /* Try to destroy the avc node cache */
7279 /* Unregister netfilter hooks. */
7280 selinux_nf_ip_exit();
7282 /* Unregister selinuxfs. */
projects / linux.git / blob