2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
103 struct selinux_state selinux_state;
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
111 static int __init enforcing_setup(char *str)
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
118 __setup("enforcing=", enforcing_setup);
120 #define selinux_enforcing_boot 1
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
126 static int __init selinux_enabled_setup(char *str)
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
133 __setup("selinux=", selinux_enabled_setup);
135 int selinux_enabled = 1;
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 static int __init checkreqprot_setup(char *str)
143 unsigned long checkreqprot;
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
149 __setup("checkreqprot=", checkreqprot_setup);
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
165 static int selinux_secmark_enabled(void)
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
181 static int selinux_peerlbl_enabled(void)
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
187 static int selinux_netcache_avc_callback(u32 event)
189 if (event == AVC_CALLBACK_RESET) {
198 static int selinux_lsm_notifier_avc_callback(u32 event)
200 if (event == AVC_CALLBACK_RESET) {
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
209 * initialise the security for the init task
211 static void cred_init_security(void)
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
218 panic("SELinux: Failed to initialize initial task.\n");
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
225 * get the security ID of a set of credentials
227 static inline u32 cred_sid(const struct cred *cred)
229 const struct task_security_struct *tsec;
231 tsec = cred->security;
236 * get the objective security ID of a task
238 static inline u32 task_sid(const struct task_struct *task)
243 sid = cred_sid(__task_cred(task));
248 /* Allocate and free functions for each kind of security blob. */
250 static int inode_alloc_security(struct inode *inode)
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @dentry parameter should be set to a dentry of the inode.
279 static int __inode_security_revalidate(struct inode *inode,
280 struct dentry *dentry,
283 struct inode_security_struct *isec = inode->i_security;
285 might_sleep_if(may_sleep);
287 if (selinux_state.initialized &&
288 isec->initialized != LABEL_INITIALIZED) {
293 * Try reloading the inode security label. This will fail if
294 * @opt_dentry is NULL and no dentry for this inode can be
295 * found; in that case, continue using the old label.
297 inode_doinit_with_dentry(inode, dentry);
302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304 return inode->i_security;
307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
311 error = __inode_security_revalidate(inode, NULL, !rcu);
313 return ERR_PTR(error);
314 return inode->i_security;
318 * Get the security label of an inode.
320 static struct inode_security_struct *inode_security(struct inode *inode)
322 __inode_security_revalidate(inode, NULL, true);
323 return inode->i_security;
326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328 struct inode *inode = d_backing_inode(dentry);
330 return inode->i_security;
334 * Get the security label of a dentry's backing inode.
336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338 struct inode *inode = d_backing_inode(dentry);
340 __inode_security_revalidate(inode, dentry, true);
341 return inode->i_security;
344 static void inode_free_rcu(struct rcu_head *head)
346 struct inode_security_struct *isec;
348 isec = container_of(head, struct inode_security_struct, rcu);
349 kmem_cache_free(sel_inode_cache, isec);
352 static void inode_free_security(struct inode *inode)
354 struct inode_security_struct *isec = inode->i_security;
355 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
358 * As not all inode security structures are in a list, we check for
359 * empty list outside of the lock to make sure that we won't waste
360 * time taking a lock doing nothing.
362 * The list_del_init() function can be safely called more than once.
363 * It should not be possible for this function to be called with
364 * concurrent list_add(), but for better safety against future changes
365 * in the code, we use list_empty_careful() here.
367 if (!list_empty_careful(&isec->list)) {
368 spin_lock(&sbsec->isec_lock);
369 list_del_init(&isec->list);
370 spin_unlock(&sbsec->isec_lock);
374 * The inode may still be referenced in a path walk and
375 * a call to selinux_inode_permission() can be made
376 * after inode_free_security() is called. Ideally, the VFS
377 * wouldn't do this, but fixing that is a much harder
378 * job. For now, simply free the i_security via RCU, and
379 * leave the current inode->i_security pointer intact.
380 * The inode will be freed after the RCU grace period too.
382 call_rcu(&isec->rcu, inode_free_rcu);
385 static int file_alloc_security(struct file *file)
387 struct file_security_struct *fsec;
388 u32 sid = current_sid();
390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
395 fsec->fown_sid = sid;
396 file->f_security = fsec;
401 static void file_free_security(struct file *file)
403 struct file_security_struct *fsec = file->f_security;
404 file->f_security = NULL;
405 kmem_cache_free(file_security_cache, fsec);
408 static int superblock_alloc_security(struct super_block *sb)
410 struct superblock_security_struct *sbsec;
412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
416 mutex_init(&sbsec->lock);
417 INIT_LIST_HEAD(&sbsec->isec_head);
418 spin_lock_init(&sbsec->isec_lock);
420 sbsec->sid = SECINITSID_UNLABELED;
421 sbsec->def_sid = SECINITSID_FILE;
422 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423 sb->s_security = sbsec;
428 static void superblock_free_security(struct super_block *sb)
430 struct superblock_security_struct *sbsec = sb->s_security;
431 sb->s_security = NULL;
435 static inline int inode_doinit(struct inode *inode)
437 return inode_doinit_with_dentry(inode, NULL);
446 Opt_labelsupport = 5,
450 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
452 static const match_table_t tokens = {
453 {Opt_context, CONTEXT_STR "%s"},
454 {Opt_fscontext, FSCONTEXT_STR "%s"},
455 {Opt_defcontext, DEFCONTEXT_STR "%s"},
456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457 {Opt_labelsupport, LABELSUPP_STR},
461 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
463 static int may_context_mount_sb_relabel(u32 sid,
464 struct superblock_security_struct *sbsec,
465 const struct cred *cred)
467 const struct task_security_struct *tsec = cred->security;
470 rc = avc_has_perm(&selinux_state,
471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 FILESYSTEM__RELABELFROM, NULL);
476 rc = avc_has_perm(&selinux_state,
477 tsec->sid, sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__RELABELTO, NULL);
482 static int may_context_mount_inode_relabel(u32 sid,
483 struct superblock_security_struct *sbsec,
484 const struct cred *cred)
486 const struct task_security_struct *tsec = cred->security;
488 rc = avc_has_perm(&selinux_state,
489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 FILESYSTEM__RELABELFROM, NULL);
494 rc = avc_has_perm(&selinux_state,
495 sid, sbsec->sid, SECCLASS_FILESYSTEM,
496 FILESYSTEM__ASSOCIATE, NULL);
500 static int selinux_is_sblabel_mnt(struct super_block *sb)
502 struct superblock_security_struct *sbsec = sb->s_security;
504 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
505 sbsec->behavior == SECURITY_FS_USE_TRANS ||
506 sbsec->behavior == SECURITY_FS_USE_TASK ||
507 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
508 /* Special handling. Genfs but also in-core setxattr handler */
509 !strcmp(sb->s_type->name, "sysfs") ||
510 !strcmp(sb->s_type->name, "pstore") ||
511 !strcmp(sb->s_type->name, "debugfs") ||
512 !strcmp(sb->s_type->name, "tracefs") ||
513 !strcmp(sb->s_type->name, "rootfs") ||
514 (selinux_policycap_cgroupseclabel() &&
515 (!strcmp(sb->s_type->name, "cgroup") ||
516 !strcmp(sb->s_type->name, "cgroup2")));
519 static int sb_finish_set_opts(struct super_block *sb)
521 struct superblock_security_struct *sbsec = sb->s_security;
522 struct dentry *root = sb->s_root;
523 struct inode *root_inode = d_backing_inode(root);
526 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
527 /* Make sure that the xattr handler exists and that no
528 error other than -ENODATA is returned by getxattr on
529 the root directory. -ENODATA is ok, as this may be
530 the first boot of the SELinux kernel before we have
531 assigned xattr values to the filesystem. */
532 if (!(root_inode->i_opflags & IOP_XATTR)) {
533 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
534 "xattr support\n", sb->s_id, sb->s_type->name);
539 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
540 if (rc < 0 && rc != -ENODATA) {
541 if (rc == -EOPNOTSUPP)
542 printk(KERN_WARNING "SELinux: (dev %s, type "
543 "%s) has no security xattr handler\n",
544 sb->s_id, sb->s_type->name);
546 printk(KERN_WARNING "SELinux: (dev %s, type "
547 "%s) getxattr errno %d\n", sb->s_id,
548 sb->s_type->name, -rc);
553 sbsec->flags |= SE_SBINITIALIZED;
556 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
557 * leave the flag untouched because sb_clone_mnt_opts might be handing
558 * us a superblock that needs the flag to be cleared.
560 if (selinux_is_sblabel_mnt(sb))
561 sbsec->flags |= SBLABEL_MNT;
563 sbsec->flags &= ~SBLABEL_MNT;
565 /* Initialize the root inode. */
566 rc = inode_doinit_with_dentry(root_inode, root);
568 /* Initialize any other inodes associated with the superblock, e.g.
569 inodes created prior to initial policy load or inodes created
570 during get_sb by a pseudo filesystem that directly
572 spin_lock(&sbsec->isec_lock);
574 if (!list_empty(&sbsec->isec_head)) {
575 struct inode_security_struct *isec =
576 list_entry(sbsec->isec_head.next,
577 struct inode_security_struct, list);
578 struct inode *inode = isec->inode;
579 list_del_init(&isec->list);
580 spin_unlock(&sbsec->isec_lock);
581 inode = igrab(inode);
583 if (!IS_PRIVATE(inode))
587 spin_lock(&sbsec->isec_lock);
590 spin_unlock(&sbsec->isec_lock);
596 * This function should allow an FS to ask what it's mount security
597 * options were so it can use those later for submounts, displaying
598 * mount options, or whatever.
600 static int selinux_get_mnt_opts(const struct super_block *sb,
601 struct security_mnt_opts *opts)
604 struct superblock_security_struct *sbsec = sb->s_security;
605 char *context = NULL;
609 security_init_mnt_opts(opts);
611 if (!(sbsec->flags & SE_SBINITIALIZED))
614 if (!selinux_state.initialized)
617 /* make sure we always check enough bits to cover the mask */
618 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
620 tmp = sbsec->flags & SE_MNTMASK;
621 /* count the number of mount options for this sb */
622 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
624 opts->num_mnt_opts++;
627 /* Check if the Label support flag is set */
628 if (sbsec->flags & SBLABEL_MNT)
629 opts->num_mnt_opts++;
631 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
632 if (!opts->mnt_opts) {
637 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
638 if (!opts->mnt_opts_flags) {
644 if (sbsec->flags & FSCONTEXT_MNT) {
645 rc = security_sid_to_context(&selinux_state, sbsec->sid,
649 opts->mnt_opts[i] = context;
650 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
652 if (sbsec->flags & CONTEXT_MNT) {
653 rc = security_sid_to_context(&selinux_state,
658 opts->mnt_opts[i] = context;
659 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
661 if (sbsec->flags & DEFCONTEXT_MNT) {
662 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
666 opts->mnt_opts[i] = context;
667 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
669 if (sbsec->flags & ROOTCONTEXT_MNT) {
670 struct dentry *root = sbsec->sb->s_root;
671 struct inode_security_struct *isec = backing_inode_security(root);
673 rc = security_sid_to_context(&selinux_state, isec->sid,
677 opts->mnt_opts[i] = context;
678 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
680 if (sbsec->flags & SBLABEL_MNT) {
681 opts->mnt_opts[i] = NULL;
682 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
685 BUG_ON(i != opts->num_mnt_opts);
690 security_free_mnt_opts(opts);
694 static int bad_option(struct superblock_security_struct *sbsec, char flag,
695 u32 old_sid, u32 new_sid)
697 char mnt_flags = sbsec->flags & SE_MNTMASK;
699 /* check if the old mount command had the same options */
700 if (sbsec->flags & SE_SBINITIALIZED)
701 if (!(sbsec->flags & flag) ||
702 (old_sid != new_sid))
705 /* check if we were passed the same options twice,
706 * aka someone passed context=a,context=b
708 if (!(sbsec->flags & SE_SBINITIALIZED))
709 if (mnt_flags & flag)
715 * Allow filesystems with binary mount data to explicitly set mount point
716 * labeling information.
718 static int selinux_set_mnt_opts(struct super_block *sb,
719 struct security_mnt_opts *opts,
720 unsigned long kern_flags,
721 unsigned long *set_kern_flags)
723 const struct cred *cred = current_cred();
725 struct superblock_security_struct *sbsec = sb->s_security;
726 const char *name = sb->s_type->name;
727 struct dentry *root = sbsec->sb->s_root;
728 struct inode_security_struct *root_isec;
729 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
730 u32 defcontext_sid = 0;
731 char **mount_options = opts->mnt_opts;
732 int *flags = opts->mnt_opts_flags;
733 int num_opts = opts->num_mnt_opts;
735 mutex_lock(&sbsec->lock);
737 if (!selinux_state.initialized) {
739 /* Defer initialization until selinux_complete_init,
740 after the initial policy is loaded and the security
741 server is ready to handle calls. */
745 printk(KERN_WARNING "SELinux: Unable to set superblock options "
746 "before the security server is initialized\n");
749 if (kern_flags && !set_kern_flags) {
750 /* Specifying internal flags without providing a place to
751 * place the results is not allowed */
757 * Binary mount data FS will come through this function twice. Once
758 * from an explicit call and once from the generic calls from the vfs.
759 * Since the generic VFS calls will not contain any security mount data
760 * we need to skip the double mount verification.
762 * This does open a hole in which we will not notice if the first
763 * mount using this sb set explict options and a second mount using
764 * this sb does not set any security options. (The first options
765 * will be used for both mounts)
767 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
771 root_isec = backing_inode_security_novalidate(root);
774 * parse the mount options, check if they are valid sids.
775 * also check if someone is trying to mount the same sb more
776 * than once with different security options.
778 for (i = 0; i < num_opts; i++) {
781 if (flags[i] == SBLABEL_MNT)
783 rc = security_context_str_to_sid(&selinux_state,
784 mount_options[i], &sid,
787 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
788 "(%s) failed for (dev %s, type %s) errno=%d\n",
789 mount_options[i], sb->s_id, name, rc);
796 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
798 goto out_double_mount;
800 sbsec->flags |= FSCONTEXT_MNT;
805 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
807 goto out_double_mount;
809 sbsec->flags |= CONTEXT_MNT;
811 case ROOTCONTEXT_MNT:
812 rootcontext_sid = sid;
814 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
816 goto out_double_mount;
818 sbsec->flags |= ROOTCONTEXT_MNT;
822 defcontext_sid = sid;
824 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
826 goto out_double_mount;
828 sbsec->flags |= DEFCONTEXT_MNT;
837 if (sbsec->flags & SE_SBINITIALIZED) {
838 /* previously mounted with options, but not on this attempt? */
839 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
840 goto out_double_mount;
845 if (strcmp(sb->s_type->name, "proc") == 0)
846 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
848 if (!strcmp(sb->s_type->name, "debugfs") ||
849 !strcmp(sb->s_type->name, "tracefs") ||
850 !strcmp(sb->s_type->name, "sysfs") ||
851 !strcmp(sb->s_type->name, "pstore") ||
852 !strcmp(sb->s_type->name, "cgroup") ||
853 !strcmp(sb->s_type->name, "cgroup2"))
854 sbsec->flags |= SE_SBGENFS;
856 if (!sbsec->behavior) {
858 * Determine the labeling behavior to use for this
861 rc = security_fs_use(&selinux_state, sb);
864 "%s: security_fs_use(%s) returned %d\n",
865 __func__, sb->s_type->name, rc);
871 * If this is a user namespace mount and the filesystem type is not
872 * explicitly whitelisted, then no contexts are allowed on the command
873 * line and security labels must be ignored.
875 if (sb->s_user_ns != &init_user_ns &&
876 strcmp(sb->s_type->name, "tmpfs") &&
877 strcmp(sb->s_type->name, "ramfs") &&
878 strcmp(sb->s_type->name, "devpts")) {
879 if (context_sid || fscontext_sid || rootcontext_sid ||
884 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
885 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
886 rc = security_transition_sid(&selinux_state,
890 &sbsec->mntpoint_sid);
897 /* sets the context of the superblock for the fs being mounted. */
899 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
903 sbsec->sid = fscontext_sid;
907 * Switch to using mount point labeling behavior.
908 * sets the label used on all file below the mountpoint, and will set
909 * the superblock context if not already set.
911 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
912 sbsec->behavior = SECURITY_FS_USE_NATIVE;
913 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
917 if (!fscontext_sid) {
918 rc = may_context_mount_sb_relabel(context_sid, sbsec,
922 sbsec->sid = context_sid;
924 rc = may_context_mount_inode_relabel(context_sid, sbsec,
929 if (!rootcontext_sid)
930 rootcontext_sid = context_sid;
932 sbsec->mntpoint_sid = context_sid;
933 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
936 if (rootcontext_sid) {
937 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
942 root_isec->sid = rootcontext_sid;
943 root_isec->initialized = LABEL_INITIALIZED;
946 if (defcontext_sid) {
947 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
948 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
950 printk(KERN_WARNING "SELinux: defcontext option is "
951 "invalid for this filesystem type\n");
955 if (defcontext_sid != sbsec->def_sid) {
956 rc = may_context_mount_inode_relabel(defcontext_sid,
962 sbsec->def_sid = defcontext_sid;
966 rc = sb_finish_set_opts(sb);
968 mutex_unlock(&sbsec->lock);
972 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
973 "security settings for (dev %s, type %s)\n", sb->s_id, name);
977 static int selinux_cmp_sb_context(const struct super_block *oldsb,
978 const struct super_block *newsb)
980 struct superblock_security_struct *old = oldsb->s_security;
981 struct superblock_security_struct *new = newsb->s_security;
982 char oldflags = old->flags & SE_MNTMASK;
983 char newflags = new->flags & SE_MNTMASK;
985 if (oldflags != newflags)
987 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
989 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
991 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
993 if (oldflags & ROOTCONTEXT_MNT) {
994 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
995 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
996 if (oldroot->sid != newroot->sid)
1001 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
1002 "different security settings for (dev %s, "
1003 "type %s)\n", newsb->s_id, newsb->s_type->name);
1007 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1008 struct super_block *newsb,
1009 unsigned long kern_flags,
1010 unsigned long *set_kern_flags)
1013 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1014 struct superblock_security_struct *newsbsec = newsb->s_security;
1016 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1017 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1018 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1021 * if the parent was able to be mounted it clearly had no special lsm
1022 * mount options. thus we can safely deal with this superblock later
1024 if (!selinux_state.initialized)
1028 * Specifying internal flags without providing a place to
1029 * place the results is not allowed.
1031 if (kern_flags && !set_kern_flags)
1034 /* how can we clone if the old one wasn't set up?? */
1035 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1037 /* if fs is reusing a sb, make sure that the contexts match */
1038 if (newsbsec->flags & SE_SBINITIALIZED)
1039 return selinux_cmp_sb_context(oldsb, newsb);
1041 mutex_lock(&newsbsec->lock);
1043 newsbsec->flags = oldsbsec->flags;
1045 newsbsec->sid = oldsbsec->sid;
1046 newsbsec->def_sid = oldsbsec->def_sid;
1047 newsbsec->behavior = oldsbsec->behavior;
1049 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1050 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1051 rc = security_fs_use(&selinux_state, newsb);
1056 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1057 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1058 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1062 u32 sid = oldsbsec->mntpoint_sid;
1065 newsbsec->sid = sid;
1066 if (!set_rootcontext) {
1067 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1070 newsbsec->mntpoint_sid = sid;
1072 if (set_rootcontext) {
1073 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1074 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1076 newisec->sid = oldisec->sid;
1079 sb_finish_set_opts(newsb);
1081 mutex_unlock(&newsbsec->lock);
1085 static int selinux_parse_opts_str(char *options,
1086 struct security_mnt_opts *opts)
1089 char *context = NULL, *defcontext = NULL;
1090 char *fscontext = NULL, *rootcontext = NULL;
1091 int rc, num_mnt_opts = 0;
1093 opts->num_mnt_opts = 0;
1095 /* Standard string-based options. */
1096 while ((p = strsep(&options, "|")) != NULL) {
1098 substring_t args[MAX_OPT_ARGS];
1103 token = match_token(p, tokens, args);
1107 if (context || defcontext) {
1109 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1112 context = match_strdup(&args[0]);
1122 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1125 fscontext = match_strdup(&args[0]);
1132 case Opt_rootcontext:
1135 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1138 rootcontext = match_strdup(&args[0]);
1145 case Opt_defcontext:
1146 if (context || defcontext) {
1148 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1151 defcontext = match_strdup(&args[0]);
1157 case Opt_labelsupport:
1161 printk(KERN_WARNING "SELinux: unknown mount option\n");
1168 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1169 if (!opts->mnt_opts)
1172 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1174 if (!opts->mnt_opts_flags)
1178 opts->mnt_opts[num_mnt_opts] = fscontext;
1179 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1182 opts->mnt_opts[num_mnt_opts] = context;
1183 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1186 opts->mnt_opts[num_mnt_opts] = rootcontext;
1187 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1190 opts->mnt_opts[num_mnt_opts] = defcontext;
1191 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1194 opts->num_mnt_opts = num_mnt_opts;
1198 security_free_mnt_opts(opts);
1206 * string mount options parsing and call set the sbsec
1208 static int superblock_doinit(struct super_block *sb, void *data)
1211 char *options = data;
1212 struct security_mnt_opts opts;
1214 security_init_mnt_opts(&opts);
1219 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1221 rc = selinux_parse_opts_str(options, &opts);
1226 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1229 security_free_mnt_opts(&opts);
1233 static void selinux_write_opts(struct seq_file *m,
1234 struct security_mnt_opts *opts)
1239 for (i = 0; i < opts->num_mnt_opts; i++) {
1242 if (opts->mnt_opts[i])
1243 has_comma = strchr(opts->mnt_opts[i], ',');
1247 switch (opts->mnt_opts_flags[i]) {
1249 prefix = CONTEXT_STR;
1252 prefix = FSCONTEXT_STR;
1254 case ROOTCONTEXT_MNT:
1255 prefix = ROOTCONTEXT_STR;
1257 case DEFCONTEXT_MNT:
1258 prefix = DEFCONTEXT_STR;
1262 seq_puts(m, LABELSUPP_STR);
1268 /* we need a comma before each option */
1270 seq_puts(m, prefix);
1273 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1279 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1281 struct security_mnt_opts opts;
1284 rc = selinux_get_mnt_opts(sb, &opts);
1286 /* before policy load we may get EINVAL, don't show anything */
1292 selinux_write_opts(m, &opts);
1294 security_free_mnt_opts(&opts);
1299 static inline u16 inode_mode_to_security_class(umode_t mode)
1301 switch (mode & S_IFMT) {
1303 return SECCLASS_SOCK_FILE;
1305 return SECCLASS_LNK_FILE;
1307 return SECCLASS_FILE;
1309 return SECCLASS_BLK_FILE;
1311 return SECCLASS_DIR;
1313 return SECCLASS_CHR_FILE;
1315 return SECCLASS_FIFO_FILE;
1319 return SECCLASS_FILE;
1322 static inline int default_protocol_stream(int protocol)
1324 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1327 static inline int default_protocol_dgram(int protocol)
1329 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1332 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1334 int extsockclass = selinux_policycap_extsockclass();
1340 case SOCK_SEQPACKET:
1341 return SECCLASS_UNIX_STREAM_SOCKET;
1344 return SECCLASS_UNIX_DGRAM_SOCKET;
1351 case SOCK_SEQPACKET:
1352 if (default_protocol_stream(protocol))
1353 return SECCLASS_TCP_SOCKET;
1354 else if (extsockclass && protocol == IPPROTO_SCTP)
1355 return SECCLASS_SCTP_SOCKET;
1357 return SECCLASS_RAWIP_SOCKET;
1359 if (default_protocol_dgram(protocol))
1360 return SECCLASS_UDP_SOCKET;
1361 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1362 protocol == IPPROTO_ICMPV6))
1363 return SECCLASS_ICMP_SOCKET;
1365 return SECCLASS_RAWIP_SOCKET;
1367 return SECCLASS_DCCP_SOCKET;
1369 return SECCLASS_RAWIP_SOCKET;
1375 return SECCLASS_NETLINK_ROUTE_SOCKET;
1376 case NETLINK_SOCK_DIAG:
1377 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1379 return SECCLASS_NETLINK_NFLOG_SOCKET;
1381 return SECCLASS_NETLINK_XFRM_SOCKET;
1382 case NETLINK_SELINUX:
1383 return SECCLASS_NETLINK_SELINUX_SOCKET;
1385 return SECCLASS_NETLINK_ISCSI_SOCKET;
1387 return SECCLASS_NETLINK_AUDIT_SOCKET;
1388 case NETLINK_FIB_LOOKUP:
1389 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1390 case NETLINK_CONNECTOR:
1391 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1392 case NETLINK_NETFILTER:
1393 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1394 case NETLINK_DNRTMSG:
1395 return SECCLASS_NETLINK_DNRT_SOCKET;
1396 case NETLINK_KOBJECT_UEVENT:
1397 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1398 case NETLINK_GENERIC:
1399 return SECCLASS_NETLINK_GENERIC_SOCKET;
1400 case NETLINK_SCSITRANSPORT:
1401 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1403 return SECCLASS_NETLINK_RDMA_SOCKET;
1404 case NETLINK_CRYPTO:
1405 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1407 return SECCLASS_NETLINK_SOCKET;
1410 return SECCLASS_PACKET_SOCKET;
1412 return SECCLASS_KEY_SOCKET;
1414 return SECCLASS_APPLETALK_SOCKET;
1420 return SECCLASS_AX25_SOCKET;
1422 return SECCLASS_IPX_SOCKET;
1424 return SECCLASS_NETROM_SOCKET;
1426 return SECCLASS_ATMPVC_SOCKET;
1428 return SECCLASS_X25_SOCKET;
1430 return SECCLASS_ROSE_SOCKET;
1432 return SECCLASS_DECNET_SOCKET;
1434 return SECCLASS_ATMSVC_SOCKET;
1436 return SECCLASS_RDS_SOCKET;
1438 return SECCLASS_IRDA_SOCKET;
1440 return SECCLASS_PPPOX_SOCKET;
1442 return SECCLASS_LLC_SOCKET;
1444 return SECCLASS_CAN_SOCKET;
1446 return SECCLASS_TIPC_SOCKET;
1448 return SECCLASS_BLUETOOTH_SOCKET;
1450 return SECCLASS_IUCV_SOCKET;
1452 return SECCLASS_RXRPC_SOCKET;
1454 return SECCLASS_ISDN_SOCKET;
1456 return SECCLASS_PHONET_SOCKET;
1458 return SECCLASS_IEEE802154_SOCKET;
1460 return SECCLASS_CAIF_SOCKET;
1462 return SECCLASS_ALG_SOCKET;
1464 return SECCLASS_NFC_SOCKET;
1466 return SECCLASS_VSOCK_SOCKET;
1468 return SECCLASS_KCM_SOCKET;
1470 return SECCLASS_QIPCRTR_SOCKET;
1472 return SECCLASS_SMC_SOCKET;
1474 return SECCLASS_XDP_SOCKET;
1476 #error New address family defined, please update this function.
1481 return SECCLASS_SOCKET;
1484 static int selinux_genfs_get_sid(struct dentry *dentry,
1490 struct super_block *sb = dentry->d_sb;
1491 char *buffer, *path;
1493 buffer = (char *)__get_free_page(GFP_KERNEL);
1497 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1501 if (flags & SE_SBPROC) {
1502 /* each process gets a /proc/PID/ entry. Strip off the
1503 * PID part to get a valid selinux labeling.
1504 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1505 while (path[1] >= '0' && path[1] <= '9') {
1510 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1513 free_page((unsigned long)buffer);
1517 /* The inode's security attributes must be initialized before first use. */
1518 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1520 struct superblock_security_struct *sbsec = NULL;
1521 struct inode_security_struct *isec = inode->i_security;
1522 u32 task_sid, sid = 0;
1524 struct dentry *dentry;
1525 #define INITCONTEXTLEN 255
1526 char *context = NULL;
1530 if (isec->initialized == LABEL_INITIALIZED)
1533 spin_lock(&isec->lock);
1534 if (isec->initialized == LABEL_INITIALIZED)
1537 if (isec->sclass == SECCLASS_FILE)
1538 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1540 sbsec = inode->i_sb->s_security;
1541 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1542 /* Defer initialization until selinux_complete_init,
1543 after the initial policy is loaded and the security
1544 server is ready to handle calls. */
1545 spin_lock(&sbsec->isec_lock);
1546 if (list_empty(&isec->list))
1547 list_add(&isec->list, &sbsec->isec_head);
1548 spin_unlock(&sbsec->isec_lock);
1552 sclass = isec->sclass;
1553 task_sid = isec->task_sid;
1555 isec->initialized = LABEL_PENDING;
1556 spin_unlock(&isec->lock);
1558 switch (sbsec->behavior) {
1559 case SECURITY_FS_USE_NATIVE:
1561 case SECURITY_FS_USE_XATTR:
1562 if (!(inode->i_opflags & IOP_XATTR)) {
1563 sid = sbsec->def_sid;
1566 /* Need a dentry, since the xattr API requires one.
1567 Life would be simpler if we could just pass the inode. */
1569 /* Called from d_instantiate or d_splice_alias. */
1570 dentry = dget(opt_dentry);
1573 * Called from selinux_complete_init, try to find a dentry.
1574 * Some filesystems really want a connected one, so try
1575 * that first. We could split SECURITY_FS_USE_XATTR in
1576 * two, depending upon that...
1578 dentry = d_find_alias(inode);
1580 dentry = d_find_any_alias(inode);
1584 * this is can be hit on boot when a file is accessed
1585 * before the policy is loaded. When we load policy we
1586 * may find inodes that have no dentry on the
1587 * sbsec->isec_head list. No reason to complain as these
1588 * will get fixed up the next time we go through
1589 * inode_doinit with a dentry, before these inodes could
1590 * be used again by userspace.
1595 len = INITCONTEXTLEN;
1596 context = kmalloc(len+1, GFP_NOFS);
1602 context[len] = '\0';
1603 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1604 if (rc == -ERANGE) {
1607 /* Need a larger buffer. Query for the right size. */
1608 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1614 context = kmalloc(len+1, GFP_NOFS);
1620 context[len] = '\0';
1621 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1625 if (rc != -ENODATA) {
1626 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1627 "%d for dev=%s ino=%ld\n", __func__,
1628 -rc, inode->i_sb->s_id, inode->i_ino);
1632 /* Map ENODATA to the default file SID */
1633 sid = sbsec->def_sid;
1636 rc = security_context_to_sid_default(&selinux_state,
1641 char *dev = inode->i_sb->s_id;
1642 unsigned long ino = inode->i_ino;
1644 if (rc == -EINVAL) {
1645 if (printk_ratelimit())
1646 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1647 "context=%s. This indicates you may need to relabel the inode or the "
1648 "filesystem in question.\n", ino, dev, context);
1650 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1651 "returned %d for dev=%s ino=%ld\n",
1652 __func__, context, -rc, dev, ino);
1655 /* Leave with the unlabeled SID */
1662 case SECURITY_FS_USE_TASK:
1665 case SECURITY_FS_USE_TRANS:
1666 /* Default to the fs SID. */
1669 /* Try to obtain a transition SID. */
1670 rc = security_transition_sid(&selinux_state, task_sid, sid,
1671 sclass, NULL, &sid);
1675 case SECURITY_FS_USE_MNTPOINT:
1676 sid = sbsec->mntpoint_sid;
1679 /* Default to the fs superblock SID. */
1682 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1683 /* We must have a dentry to determine the label on
1686 /* Called from d_instantiate or
1687 * d_splice_alias. */
1688 dentry = dget(opt_dentry);
1690 /* Called from selinux_complete_init, try to
1691 * find a dentry. Some filesystems really want
1692 * a connected one, so try that first.
1694 dentry = d_find_alias(inode);
1696 dentry = d_find_any_alias(inode);
1699 * This can be hit on boot when a file is accessed
1700 * before the policy is loaded. When we load policy we
1701 * may find inodes that have no dentry on the
1702 * sbsec->isec_head list. No reason to complain as
1703 * these will get fixed up the next time we go through
1704 * inode_doinit() with a dentry, before these inodes
1705 * could be used again by userspace.
1709 rc = selinux_genfs_get_sid(dentry, sclass,
1710 sbsec->flags, &sid);
1719 spin_lock(&isec->lock);
1720 if (isec->initialized == LABEL_PENDING) {
1722 isec->initialized = LABEL_INVALID;
1726 isec->initialized = LABEL_INITIALIZED;
1731 spin_unlock(&isec->lock);
1735 /* Convert a Linux signal to an access vector. */
1736 static inline u32 signal_to_av(int sig)
1742 /* Commonly granted from child to parent. */
1743 perm = PROCESS__SIGCHLD;
1746 /* Cannot be caught or ignored */
1747 perm = PROCESS__SIGKILL;
1750 /* Cannot be caught or ignored */
1751 perm = PROCESS__SIGSTOP;
1754 /* All other signals. */
1755 perm = PROCESS__SIGNAL;
1762 #if CAP_LAST_CAP > 63
1763 #error Fix SELinux to handle capabilities > 63.
1766 /* Check whether a task is allowed to use a capability. */
1767 static int cred_has_capability(const struct cred *cred,
1768 int cap, int audit, bool initns)
1770 struct common_audit_data ad;
1771 struct av_decision avd;
1773 u32 sid = cred_sid(cred);
1774 u32 av = CAP_TO_MASK(cap);
1777 ad.type = LSM_AUDIT_DATA_CAP;
1780 switch (CAP_TO_INDEX(cap)) {
1782 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1785 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1789 "SELinux: out of range capability %d\n", cap);
1794 rc = avc_has_perm_noaudit(&selinux_state,
1795 sid, sid, sclass, av, 0, &avd);
1796 if (audit == SECURITY_CAP_AUDIT) {
1797 int rc2 = avc_audit(&selinux_state,
1798 sid, sid, sclass, av, &avd, rc, &ad, 0);
1805 /* Check whether a task has a particular permission to an inode.
1806 The 'adp' parameter is optional and allows other audit
1807 data to be passed (e.g. the dentry). */
1808 static int inode_has_perm(const struct cred *cred,
1809 struct inode *inode,
1811 struct common_audit_data *adp)
1813 struct inode_security_struct *isec;
1816 validate_creds(cred);
1818 if (unlikely(IS_PRIVATE(inode)))
1821 sid = cred_sid(cred);
1822 isec = inode->i_security;
1824 return avc_has_perm(&selinux_state,
1825 sid, isec->sid, isec->sclass, perms, adp);
1828 /* Same as inode_has_perm, but pass explicit audit data containing
1829 the dentry to help the auditing code to more easily generate the
1830 pathname if needed. */
1831 static inline int dentry_has_perm(const struct cred *cred,
1832 struct dentry *dentry,
1835 struct inode *inode = d_backing_inode(dentry);
1836 struct common_audit_data ad;
1838 ad.type = LSM_AUDIT_DATA_DENTRY;
1839 ad.u.dentry = dentry;
1840 __inode_security_revalidate(inode, dentry, true);
1841 return inode_has_perm(cred, inode, av, &ad);
1844 /* Same as inode_has_perm, but pass explicit audit data containing
1845 the path to help the auditing code to more easily generate the
1846 pathname if needed. */
1847 static inline int path_has_perm(const struct cred *cred,
1848 const struct path *path,
1851 struct inode *inode = d_backing_inode(path->dentry);
1852 struct common_audit_data ad;
1854 ad.type = LSM_AUDIT_DATA_PATH;
1856 __inode_security_revalidate(inode, path->dentry, true);
1857 return inode_has_perm(cred, inode, av, &ad);
1860 /* Same as path_has_perm, but uses the inode from the file struct. */
1861 static inline int file_path_has_perm(const struct cred *cred,
1865 struct common_audit_data ad;
1867 ad.type = LSM_AUDIT_DATA_FILE;
1869 return inode_has_perm(cred, file_inode(file), av, &ad);
1872 #ifdef CONFIG_BPF_SYSCALL
1873 static int bpf_fd_pass(struct file *file, u32 sid);
1876 /* Check whether a task can use an open file descriptor to
1877 access an inode in a given way. Check access to the
1878 descriptor itself, and then use dentry_has_perm to
1879 check a particular permission to the file.
1880 Access to the descriptor is implicitly granted if it
1881 has the same SID as the process. If av is zero, then
1882 access to the file is not checked, e.g. for cases
1883 where only the descriptor is affected like seek. */
1884 static int file_has_perm(const struct cred *cred,
1888 struct file_security_struct *fsec = file->f_security;
1889 struct inode *inode = file_inode(file);
1890 struct common_audit_data ad;
1891 u32 sid = cred_sid(cred);
1894 ad.type = LSM_AUDIT_DATA_FILE;
1897 if (sid != fsec->sid) {
1898 rc = avc_has_perm(&selinux_state,
1907 #ifdef CONFIG_BPF_SYSCALL
1908 rc = bpf_fd_pass(file, cred_sid(cred));
1913 /* av is zero if only checking access to the descriptor. */
1916 rc = inode_has_perm(cred, inode, av, &ad);
1923 * Determine the label for an inode that might be unioned.
1926 selinux_determine_inode_label(const struct task_security_struct *tsec,
1928 const struct qstr *name, u16 tclass,
1931 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1933 if ((sbsec->flags & SE_SBINITIALIZED) &&
1934 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1935 *_new_isid = sbsec->mntpoint_sid;
1936 } else if ((sbsec->flags & SBLABEL_MNT) &&
1938 *_new_isid = tsec->create_sid;
1940 const struct inode_security_struct *dsec = inode_security(dir);
1941 return security_transition_sid(&selinux_state, tsec->sid,
1949 /* Check whether a task can create a file. */
1950 static int may_create(struct inode *dir,
1951 struct dentry *dentry,
1954 const struct task_security_struct *tsec = current_security();
1955 struct inode_security_struct *dsec;
1956 struct superblock_security_struct *sbsec;
1958 struct common_audit_data ad;
1961 dsec = inode_security(dir);
1962 sbsec = dir->i_sb->s_security;
1966 ad.type = LSM_AUDIT_DATA_DENTRY;
1967 ad.u.dentry = dentry;
1969 rc = avc_has_perm(&selinux_state,
1970 sid, dsec->sid, SECCLASS_DIR,
1971 DIR__ADD_NAME | DIR__SEARCH,
1976 rc = selinux_determine_inode_label(current_security(), dir,
1977 &dentry->d_name, tclass, &newsid);
1981 rc = avc_has_perm(&selinux_state,
1982 sid, newsid, tclass, FILE__CREATE, &ad);
1986 return avc_has_perm(&selinux_state,
1988 SECCLASS_FILESYSTEM,
1989 FILESYSTEM__ASSOCIATE, &ad);
1993 #define MAY_UNLINK 1
1996 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1997 static int may_link(struct inode *dir,
1998 struct dentry *dentry,
2002 struct inode_security_struct *dsec, *isec;
2003 struct common_audit_data ad;
2004 u32 sid = current_sid();
2008 dsec = inode_security(dir);
2009 isec = backing_inode_security(dentry);
2011 ad.type = LSM_AUDIT_DATA_DENTRY;
2012 ad.u.dentry = dentry;
2015 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2016 rc = avc_has_perm(&selinux_state,
2017 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2032 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
2037 rc = avc_has_perm(&selinux_state,
2038 sid, isec->sid, isec->sclass, av, &ad);
2042 static inline int may_rename(struct inode *old_dir,
2043 struct dentry *old_dentry,
2044 struct inode *new_dir,
2045 struct dentry *new_dentry)
2047 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2048 struct common_audit_data ad;
2049 u32 sid = current_sid();
2051 int old_is_dir, new_is_dir;
2054 old_dsec = inode_security(old_dir);
2055 old_isec = backing_inode_security(old_dentry);
2056 old_is_dir = d_is_dir(old_dentry);
2057 new_dsec = inode_security(new_dir);
2059 ad.type = LSM_AUDIT_DATA_DENTRY;
2061 ad.u.dentry = old_dentry;
2062 rc = avc_has_perm(&selinux_state,
2063 sid, old_dsec->sid, SECCLASS_DIR,
2064 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2067 rc = avc_has_perm(&selinux_state,
2069 old_isec->sclass, FILE__RENAME, &ad);
2072 if (old_is_dir && new_dir != old_dir) {
2073 rc = avc_has_perm(&selinux_state,
2075 old_isec->sclass, DIR__REPARENT, &ad);
2080 ad.u.dentry = new_dentry;
2081 av = DIR__ADD_NAME | DIR__SEARCH;
2082 if (d_is_positive(new_dentry))
2083 av |= DIR__REMOVE_NAME;
2084 rc = avc_has_perm(&selinux_state,
2085 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2088 if (d_is_positive(new_dentry)) {
2089 new_isec = backing_inode_security(new_dentry);
2090 new_is_dir = d_is_dir(new_dentry);
2091 rc = avc_has_perm(&selinux_state,
2094 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2102 /* Check whether a task can perform a filesystem operation. */
2103 static int superblock_has_perm(const struct cred *cred,
2104 struct super_block *sb,
2106 struct common_audit_data *ad)
2108 struct superblock_security_struct *sbsec;
2109 u32 sid = cred_sid(cred);
2111 sbsec = sb->s_security;
2112 return avc_has_perm(&selinux_state,
2113 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2116 /* Convert a Linux mode and permission mask to an access vector. */
2117 static inline u32 file_mask_to_av(int mode, int mask)
2121 if (!S_ISDIR(mode)) {
2122 if (mask & MAY_EXEC)
2123 av |= FILE__EXECUTE;
2124 if (mask & MAY_READ)
2127 if (mask & MAY_APPEND)
2129 else if (mask & MAY_WRITE)
2133 if (mask & MAY_EXEC)
2135 if (mask & MAY_WRITE)
2137 if (mask & MAY_READ)
2144 /* Convert a Linux file to an access vector. */
2145 static inline u32 file_to_av(struct file *file)
2149 if (file->f_mode & FMODE_READ)
2151 if (file->f_mode & FMODE_WRITE) {
2152 if (file->f_flags & O_APPEND)
2159 * Special file opened with flags 3 for ioctl-only use.
2168 * Convert a file to an access vector and include the correct open
2171 static inline u32 open_file_to_av(struct file *file)
2173 u32 av = file_to_av(file);
2174 struct inode *inode = file_inode(file);
2176 if (selinux_policycap_openperm() &&
2177 inode->i_sb->s_magic != SOCKFS_MAGIC)
2183 /* Hook functions begin here. */
2185 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2187 u32 mysid = current_sid();
2188 u32 mgrsid = task_sid(mgr);
2190 return avc_has_perm(&selinux_state,
2191 mysid, mgrsid, SECCLASS_BINDER,
2192 BINDER__SET_CONTEXT_MGR, NULL);
2195 static int selinux_binder_transaction(struct task_struct *from,
2196 struct task_struct *to)
2198 u32 mysid = current_sid();
2199 u32 fromsid = task_sid(from);
2200 u32 tosid = task_sid(to);
2203 if (mysid != fromsid) {
2204 rc = avc_has_perm(&selinux_state,
2205 mysid, fromsid, SECCLASS_BINDER,
2206 BINDER__IMPERSONATE, NULL);
2211 return avc_has_perm(&selinux_state,
2212 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2216 static int selinux_binder_transfer_binder(struct task_struct *from,
2217 struct task_struct *to)
2219 u32 fromsid = task_sid(from);
2220 u32 tosid = task_sid(to);
2222 return avc_has_perm(&selinux_state,
2223 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2227 static int selinux_binder_transfer_file(struct task_struct *from,
2228 struct task_struct *to,
2231 u32 sid = task_sid(to);
2232 struct file_security_struct *fsec = file->f_security;
2233 struct dentry *dentry = file->f_path.dentry;
2234 struct inode_security_struct *isec;
2235 struct common_audit_data ad;
2238 ad.type = LSM_AUDIT_DATA_PATH;
2239 ad.u.path = file->f_path;
2241 if (sid != fsec->sid) {
2242 rc = avc_has_perm(&selinux_state,
2251 #ifdef CONFIG_BPF_SYSCALL
2252 rc = bpf_fd_pass(file, sid);
2257 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2260 isec = backing_inode_security(dentry);
2261 return avc_has_perm(&selinux_state,
2262 sid, isec->sid, isec->sclass, file_to_av(file),
2266 static int selinux_ptrace_access_check(struct task_struct *child,
2269 u32 sid = current_sid();
2270 u32 csid = task_sid(child);
2272 if (mode & PTRACE_MODE_READ)
2273 return avc_has_perm(&selinux_state,
2274 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2276 return avc_has_perm(&selinux_state,
2277 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2280 static int selinux_ptrace_traceme(struct task_struct *parent)
2282 return avc_has_perm(&selinux_state,
2283 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2284 PROCESS__PTRACE, NULL);
2287 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2288 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2290 return avc_has_perm(&selinux_state,
2291 current_sid(), task_sid(target), SECCLASS_PROCESS,
2292 PROCESS__GETCAP, NULL);
2295 static int selinux_capset(struct cred *new, const struct cred *old,
2296 const kernel_cap_t *effective,
2297 const kernel_cap_t *inheritable,
2298 const kernel_cap_t *permitted)
2300 return avc_has_perm(&selinux_state,
2301 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2302 PROCESS__SETCAP, NULL);
2306 * (This comment used to live with the selinux_task_setuid hook,
2307 * which was removed).
2309 * Since setuid only affects the current process, and since the SELinux
2310 * controls are not based on the Linux identity attributes, SELinux does not
2311 * need to control this operation. However, SELinux does control the use of
2312 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2315 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2318 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2321 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2323 const struct cred *cred = current_cred();
2335 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2340 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2343 rc = 0; /* let the kernel handle invalid cmds */
2349 static int selinux_quota_on(struct dentry *dentry)
2351 const struct cred *cred = current_cred();
2353 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2356 static int selinux_syslog(int type)
2359 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2360 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2361 return avc_has_perm(&selinux_state,
2362 current_sid(), SECINITSID_KERNEL,
2363 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2364 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2365 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2366 /* Set level of messages printed to console */
2367 case SYSLOG_ACTION_CONSOLE_LEVEL:
2368 return avc_has_perm(&selinux_state,
2369 current_sid(), SECINITSID_KERNEL,
2370 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2373 /* All other syslog types */
2374 return avc_has_perm(&selinux_state,
2375 current_sid(), SECINITSID_KERNEL,
2376 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2380 * Check that a process has enough memory to allocate a new virtual
2381 * mapping. 0 means there is enough memory for the allocation to
2382 * succeed and -ENOMEM implies there is not.
2384 * Do not audit the selinux permission check, as this is applied to all
2385 * processes that allocate mappings.
2387 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2389 int rc, cap_sys_admin = 0;
2391 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2392 SECURITY_CAP_NOAUDIT, true);
2396 return cap_sys_admin;
2399 /* binprm security operations */
2401 static u32 ptrace_parent_sid(void)
2404 struct task_struct *tracer;
2407 tracer = ptrace_parent(current);
2409 sid = task_sid(tracer);
2415 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2416 const struct task_security_struct *old_tsec,
2417 const struct task_security_struct *new_tsec)
2419 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2420 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2424 if (!nnp && !nosuid)
2425 return 0; /* neither NNP nor nosuid */
2427 if (new_tsec->sid == old_tsec->sid)
2428 return 0; /* No change in credentials */
2431 * If the policy enables the nnp_nosuid_transition policy capability,
2432 * then we permit transitions under NNP or nosuid if the
2433 * policy allows the corresponding permission between
2434 * the old and new contexts.
2436 if (selinux_policycap_nnp_nosuid_transition()) {
2439 av |= PROCESS2__NNP_TRANSITION;
2441 av |= PROCESS2__NOSUID_TRANSITION;
2442 rc = avc_has_perm(&selinux_state,
2443 old_tsec->sid, new_tsec->sid,
2444 SECCLASS_PROCESS2, av, NULL);
2450 * We also permit NNP or nosuid transitions to bounded SIDs,
2451 * i.e. SIDs that are guaranteed to only be allowed a subset
2452 * of the permissions of the current SID.
2454 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2460 * On failure, preserve the errno values for NNP vs nosuid.
2461 * NNP: Operation not permitted for caller.
2462 * nosuid: Permission denied to file.
2469 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2471 const struct task_security_struct *old_tsec;
2472 struct task_security_struct *new_tsec;
2473 struct inode_security_struct *isec;
2474 struct common_audit_data ad;
2475 struct inode *inode = file_inode(bprm->file);
2478 /* SELinux context only depends on initial program or script and not
2479 * the script interpreter */
2480 if (bprm->called_set_creds)
2483 old_tsec = current_security();
2484 new_tsec = bprm->cred->security;
2485 isec = inode_security(inode);
2487 /* Default to the current task SID. */
2488 new_tsec->sid = old_tsec->sid;
2489 new_tsec->osid = old_tsec->sid;
2491 /* Reset fs, key, and sock SIDs on execve. */
2492 new_tsec->create_sid = 0;
2493 new_tsec->keycreate_sid = 0;
2494 new_tsec->sockcreate_sid = 0;
2496 if (old_tsec->exec_sid) {
2497 new_tsec->sid = old_tsec->exec_sid;
2498 /* Reset exec SID on execve. */
2499 new_tsec->exec_sid = 0;
2501 /* Fail on NNP or nosuid if not an allowed transition. */
2502 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2506 /* Check for a default transition on this program. */
2507 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2508 isec->sid, SECCLASS_PROCESS, NULL,
2514 * Fallback to old SID on NNP or nosuid if not an allowed
2517 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2519 new_tsec->sid = old_tsec->sid;
2522 ad.type = LSM_AUDIT_DATA_FILE;
2523 ad.u.file = bprm->file;
2525 if (new_tsec->sid == old_tsec->sid) {
2526 rc = avc_has_perm(&selinux_state,
2527 old_tsec->sid, isec->sid,
2528 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2532 /* Check permissions for the transition. */
2533 rc = avc_has_perm(&selinux_state,
2534 old_tsec->sid, new_tsec->sid,
2535 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2539 rc = avc_has_perm(&selinux_state,
2540 new_tsec->sid, isec->sid,
2541 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2545 /* Check for shared state */
2546 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2547 rc = avc_has_perm(&selinux_state,
2548 old_tsec->sid, new_tsec->sid,
2549 SECCLASS_PROCESS, PROCESS__SHARE,
2555 /* Make sure that anyone attempting to ptrace over a task that
2556 * changes its SID has the appropriate permit */
2557 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2558 u32 ptsid = ptrace_parent_sid();
2560 rc = avc_has_perm(&selinux_state,
2561 ptsid, new_tsec->sid,
2563 PROCESS__PTRACE, NULL);
2569 /* Clear any possibly unsafe personality bits on exec: */
2570 bprm->per_clear |= PER_CLEAR_ON_SETID;
2572 /* Enable secure mode for SIDs transitions unless
2573 the noatsecure permission is granted between
2574 the two SIDs, i.e. ahp returns 0. */
2575 rc = avc_has_perm(&selinux_state,
2576 old_tsec->sid, new_tsec->sid,
2577 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2579 bprm->secureexec |= !!rc;
2585 static int match_file(const void *p, struct file *file, unsigned fd)
2587 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2590 /* Derived from fs/exec.c:flush_old_files. */
2591 static inline void flush_unauthorized_files(const struct cred *cred,
2592 struct files_struct *files)
2594 struct file *file, *devnull = NULL;
2595 struct tty_struct *tty;
2599 tty = get_current_tty();
2601 spin_lock(&tty->files_lock);
2602 if (!list_empty(&tty->tty_files)) {
2603 struct tty_file_private *file_priv;
2605 /* Revalidate access to controlling tty.
2606 Use file_path_has_perm on the tty path directly
2607 rather than using file_has_perm, as this particular
2608 open file may belong to another process and we are
2609 only interested in the inode-based check here. */
2610 file_priv = list_first_entry(&tty->tty_files,
2611 struct tty_file_private, list);
2612 file = file_priv->file;
2613 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2616 spin_unlock(&tty->files_lock);
2619 /* Reset controlling tty. */
2623 /* Revalidate access to inherited open files. */
2624 n = iterate_fd(files, 0, match_file, cred);
2625 if (!n) /* none found? */
2628 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2629 if (IS_ERR(devnull))
2631 /* replace all the matching ones with this */
2633 replace_fd(n - 1, devnull, 0);
2634 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2640 * Prepare a process for imminent new credential changes due to exec
2642 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2644 struct task_security_struct *new_tsec;
2645 struct rlimit *rlim, *initrlim;
2648 new_tsec = bprm->cred->security;
2649 if (new_tsec->sid == new_tsec->osid)
2652 /* Close files for which the new task SID is not authorized. */
2653 flush_unauthorized_files(bprm->cred, current->files);
2655 /* Always clear parent death signal on SID transitions. */
2656 current->pdeath_signal = 0;
2658 /* Check whether the new SID can inherit resource limits from the old
2659 * SID. If not, reset all soft limits to the lower of the current
2660 * task's hard limit and the init task's soft limit.
2662 * Note that the setting of hard limits (even to lower them) can be
2663 * controlled by the setrlimit check. The inclusion of the init task's
2664 * soft limit into the computation is to avoid resetting soft limits
2665 * higher than the default soft limit for cases where the default is
2666 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2668 rc = avc_has_perm(&selinux_state,
2669 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2670 PROCESS__RLIMITINH, NULL);
2672 /* protect against do_prlimit() */
2674 for (i = 0; i < RLIM_NLIMITS; i++) {
2675 rlim = current->signal->rlim + i;
2676 initrlim = init_task.signal->rlim + i;
2677 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2679 task_unlock(current);
2680 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2681 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2686 * Clean up the process immediately after the installation of new credentials
2689 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2691 const struct task_security_struct *tsec = current_security();
2692 struct itimerval itimer;
2702 /* Check whether the new SID can inherit signal state from the old SID.
2703 * If not, clear itimers to avoid subsequent signal generation and
2704 * flush and unblock signals.
2706 * This must occur _after_ the task SID has been updated so that any
2707 * kill done after the flush will be checked against the new SID.
2709 rc = avc_has_perm(&selinux_state,
2710 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2712 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2713 memset(&itimer, 0, sizeof itimer);
2714 for (i = 0; i < 3; i++)
2715 do_setitimer(i, &itimer, NULL);
2717 spin_lock_irq(¤t->sighand->siglock);
2718 if (!fatal_signal_pending(current)) {
2719 flush_sigqueue(¤t->pending);
2720 flush_sigqueue(¤t->signal->shared_pending);
2721 flush_signal_handlers(current, 1);
2722 sigemptyset(¤t->blocked);
2723 recalc_sigpending();
2725 spin_unlock_irq(¤t->sighand->siglock);
2728 /* Wake up the parent if it is waiting so that it can recheck
2729 * wait permission to the new task SID. */
2730 read_lock(&tasklist_lock);
2731 __wake_up_parent(current, current->real_parent);
2732 read_unlock(&tasklist_lock);
2735 /* superblock security operations */
2737 static int selinux_sb_alloc_security(struct super_block *sb)
2739 return superblock_alloc_security(sb);
2742 static void selinux_sb_free_security(struct super_block *sb)
2744 superblock_free_security(sb);
2747 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2752 return !memcmp(prefix, option, plen);
2755 static inline int selinux_option(char *option, int len)
2757 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2758 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2759 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2760 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2761 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2764 static inline void take_option(char **to, char *from, int *first, int len)
2771 memcpy(*to, from, len);
2775 static inline void take_selinux_option(char **to, char *from, int *first,
2778 int current_size = 0;
2786 while (current_size < len) {
2796 static int selinux_sb_copy_data(char *orig, char *copy)
2798 int fnosec, fsec, rc = 0;
2799 char *in_save, *in_curr, *in_end;
2800 char *sec_curr, *nosec_save, *nosec;
2806 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2814 in_save = in_end = orig;
2818 open_quote = !open_quote;
2819 if ((*in_end == ',' && open_quote == 0) ||
2821 int len = in_end - in_curr;
2823 if (selinux_option(in_curr, len))
2824 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2826 take_option(&nosec, in_curr, &fnosec, len);
2828 in_curr = in_end + 1;
2830 } while (*in_end++);
2832 strcpy(in_save, nosec_save);
2833 free_page((unsigned long)nosec_save);
2838 static int selinux_sb_remount(struct super_block *sb, void *data)
2841 struct security_mnt_opts opts;
2842 char *secdata, **mount_options;
2843 struct superblock_security_struct *sbsec = sb->s_security;
2845 if (!(sbsec->flags & SE_SBINITIALIZED))
2851 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2854 security_init_mnt_opts(&opts);
2855 secdata = alloc_secdata();
2858 rc = selinux_sb_copy_data(data, secdata);
2860 goto out_free_secdata;
2862 rc = selinux_parse_opts_str(secdata, &opts);
2864 goto out_free_secdata;
2866 mount_options = opts.mnt_opts;
2867 flags = opts.mnt_opts_flags;
2869 for (i = 0; i < opts.num_mnt_opts; i++) {
2872 if (flags[i] == SBLABEL_MNT)
2874 rc = security_context_str_to_sid(&selinux_state,
2875 mount_options[i], &sid,
2878 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2879 "(%s) failed for (dev %s, type %s) errno=%d\n",
2880 mount_options[i], sb->s_id, sb->s_type->name, rc);
2886 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2887 goto out_bad_option;
2890 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2891 goto out_bad_option;
2893 case ROOTCONTEXT_MNT: {
2894 struct inode_security_struct *root_isec;
2895 root_isec = backing_inode_security(sb->s_root);
2897 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2898 goto out_bad_option;
2901 case DEFCONTEXT_MNT:
2902 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2903 goto out_bad_option;
2912 security_free_mnt_opts(&opts);
2914 free_secdata(secdata);
2917 printk(KERN_WARNING "SELinux: unable to change security options "
2918 "during remount (dev %s, type=%s)\n", sb->s_id,
2923 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2925 const struct cred *cred = current_cred();
2926 struct common_audit_data ad;
2929 rc = superblock_doinit(sb, data);
2933 /* Allow all mounts performed by the kernel */
2934 if (flags & MS_KERNMOUNT)
2937 ad.type = LSM_AUDIT_DATA_DENTRY;
2938 ad.u.dentry = sb->s_root;
2939 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2942 static int selinux_sb_statfs(struct dentry *dentry)
2944 const struct cred *cred = current_cred();
2945 struct common_audit_data ad;
2947 ad.type = LSM_AUDIT_DATA_DENTRY;
2948 ad.u.dentry = dentry->d_sb->s_root;
2949 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2952 static int selinux_mount(const char *dev_name,
2953 const struct path *path,
2955 unsigned long flags,
2958 const struct cred *cred = current_cred();
2960 if (flags & MS_REMOUNT)
2961 return superblock_has_perm(cred, path->dentry->d_sb,
2962 FILESYSTEM__REMOUNT, NULL);
2964 return path_has_perm(cred, path, FILE__MOUNTON);
2967 static int selinux_umount(struct vfsmount *mnt, int flags)
2969 const struct cred *cred = current_cred();
2971 return superblock_has_perm(cred, mnt->mnt_sb,
2972 FILESYSTEM__UNMOUNT, NULL);
2975 /* inode security operations */
2977 static int selinux_inode_alloc_security(struct inode *inode)
2979 return inode_alloc_security(inode);
2982 static void selinux_inode_free_security(struct inode *inode)
2984 inode_free_security(inode);
2987 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2988 const struct qstr *name, void **ctx,
2994 rc = selinux_determine_inode_label(current_security(),
2995 d_inode(dentry->d_parent), name,
2996 inode_mode_to_security_class(mode),
3001 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3005 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3007 const struct cred *old,
3012 struct task_security_struct *tsec;
3014 rc = selinux_determine_inode_label(old->security,
3015 d_inode(dentry->d_parent), name,
3016 inode_mode_to_security_class(mode),
3021 tsec = new->security;
3022 tsec->create_sid = newsid;
3026 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3027 const struct qstr *qstr,
3029 void **value, size_t *len)
3031 const struct task_security_struct *tsec = current_security();
3032 struct superblock_security_struct *sbsec;
3037 sbsec = dir->i_sb->s_security;
3039 newsid = tsec->create_sid;
3041 rc = selinux_determine_inode_label(current_security(),
3043 inode_mode_to_security_class(inode->i_mode),
3048 /* Possibly defer initialization to selinux_complete_init. */
3049 if (sbsec->flags & SE_SBINITIALIZED) {
3050 struct inode_security_struct *isec = inode->i_security;
3051 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3053 isec->initialized = LABEL_INITIALIZED;
3056 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3060 *name = XATTR_SELINUX_SUFFIX;
3063 rc = security_sid_to_context_force(&selinux_state, newsid,
3074 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3076 return may_create(dir, dentry, SECCLASS_FILE);
3079 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3081 return may_link(dir, old_dentry, MAY_LINK);
3084 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3086 return may_link(dir, dentry, MAY_UNLINK);
3089 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3091 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3094 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3096 return may_create(dir, dentry, SECCLASS_DIR);
3099 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3101 return may_link(dir, dentry, MAY_RMDIR);
3104 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3106 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3109 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3110 struct inode *new_inode, struct dentry *new_dentry)
3112 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3115 static int selinux_inode_readlink(struct dentry *dentry)
3117 const struct cred *cred = current_cred();
3119 return dentry_has_perm(cred, dentry, FILE__READ);
3122 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3125 const struct cred *cred = current_cred();
3126 struct common_audit_data ad;
3127 struct inode_security_struct *isec;
3130 validate_creds(cred);
3132 ad.type = LSM_AUDIT_DATA_DENTRY;
3133 ad.u.dentry = dentry;
3134 sid = cred_sid(cred);
3135 isec = inode_security_rcu(inode, rcu);
3137 return PTR_ERR(isec);
3139 return avc_has_perm_flags(&selinux_state,
3140 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3141 rcu ? MAY_NOT_BLOCK : 0);
3144 static noinline int audit_inode_permission(struct inode *inode,
3145 u32 perms, u32 audited, u32 denied,
3149 struct common_audit_data ad;
3150 struct inode_security_struct *isec = inode->i_security;
3153 ad.type = LSM_AUDIT_DATA_INODE;
3156 rc = slow_avc_audit(&selinux_state,
3157 current_sid(), isec->sid, isec->sclass, perms,
3158 audited, denied, result, &ad, flags);
3164 static int selinux_inode_permission(struct inode *inode, int mask)
3166 const struct cred *cred = current_cred();
3169 unsigned flags = mask & MAY_NOT_BLOCK;
3170 struct inode_security_struct *isec;
3172 struct av_decision avd;
3174 u32 audited, denied;
3176 from_access = mask & MAY_ACCESS;
3177 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3179 /* No permission to check. Existence test. */
3183 validate_creds(cred);
3185 if (unlikely(IS_PRIVATE(inode)))
3188 perms = file_mask_to_av(inode->i_mode, mask);
3190 sid = cred_sid(cred);
3191 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3193 return PTR_ERR(isec);
3195 rc = avc_has_perm_noaudit(&selinux_state,
3196 sid, isec->sid, isec->sclass, perms, 0, &avd);
3197 audited = avc_audit_required(perms, &avd, rc,
3198 from_access ? FILE__AUDIT_ACCESS : 0,
3200 if (likely(!audited))
3203 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3209 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3211 const struct cred *cred = current_cred();
3212 struct inode *inode = d_backing_inode(dentry);
3213 unsigned int ia_valid = iattr->ia_valid;
3214 __u32 av = FILE__WRITE;
3216 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3217 if (ia_valid & ATTR_FORCE) {
3218 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3224 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3225 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3226 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3228 if (selinux_policycap_openperm() &&
3229 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3230 (ia_valid & ATTR_SIZE) &&
3231 !(ia_valid & ATTR_FILE))
3234 return dentry_has_perm(cred, dentry, av);
3237 static int selinux_inode_getattr(const struct path *path)
3239 return path_has_perm(current_cred(), path, FILE__GETATTR);
3242 static bool has_cap_mac_admin(bool audit)
3244 const struct cred *cred = current_cred();
3245 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3247 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3249 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3254 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3255 const void *value, size_t size, int flags)
3257 struct inode *inode = d_backing_inode(dentry);
3258 struct inode_security_struct *isec;
3259 struct superblock_security_struct *sbsec;
3260 struct common_audit_data ad;
3261 u32 newsid, sid = current_sid();
3264 if (strcmp(name, XATTR_NAME_SELINUX)) {
3265 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3269 /* Not an attribute we recognize, so just check the
3270 ordinary setattr permission. */
3271 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3274 sbsec = inode->i_sb->s_security;
3275 if (!(sbsec->flags & SBLABEL_MNT))
3278 if (!inode_owner_or_capable(inode))
3281 ad.type = LSM_AUDIT_DATA_DENTRY;
3282 ad.u.dentry = dentry;
3284 isec = backing_inode_security(dentry);
3285 rc = avc_has_perm(&selinux_state,
3286 sid, isec->sid, isec->sclass,
3287 FILE__RELABELFROM, &ad);
3291 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3293 if (rc == -EINVAL) {
3294 if (!has_cap_mac_admin(true)) {
3295 struct audit_buffer *ab;
3298 /* We strip a nul only if it is at the end, otherwise the
3299 * context contains a nul and we should audit that */
3301 const char *str = value;
3303 if (str[size - 1] == '\0')
3304 audit_size = size - 1;
3310 ab = audit_log_start(audit_context(),
3311 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3312 audit_log_format(ab, "op=setxattr invalid_context=");
3313 audit_log_n_untrustedstring(ab, value, audit_size);
3318 rc = security_context_to_sid_force(&selinux_state, value,
3324 rc = avc_has_perm(&selinux_state,
3325 sid, newsid, isec->sclass,
3326 FILE__RELABELTO, &ad);
3330 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3335 return avc_has_perm(&selinux_state,
3338 SECCLASS_FILESYSTEM,
3339 FILESYSTEM__ASSOCIATE,
3343 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3344 const void *value, size_t size,
3347 struct inode *inode = d_backing_inode(dentry);
3348 struct inode_security_struct *isec;
3352 if (strcmp(name, XATTR_NAME_SELINUX)) {
3353 /* Not an attribute we recognize, so nothing to do. */
3357 rc = security_context_to_sid_force(&selinux_state, value, size,
3360 printk(KERN_ERR "SELinux: unable to map context to SID"
3361 "for (%s, %lu), rc=%d\n",
3362 inode->i_sb->s_id, inode->i_ino, -rc);
3366 isec = backing_inode_security(dentry);
3367 spin_lock(&isec->lock);
3368 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3370 isec->initialized = LABEL_INITIALIZED;
3371 spin_unlock(&isec->lock);
3376 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3378 const struct cred *cred = current_cred();
3380 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3383 static int selinux_inode_listxattr(struct dentry *dentry)
3385 const struct cred *cred = current_cred();
3387 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3390 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3392 if (strcmp(name, XATTR_NAME_SELINUX)) {
3393 int rc = cap_inode_removexattr(dentry, name);
3397 /* Not an attribute we recognize, so just check the
3398 ordinary setattr permission. */
3399 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3402 /* No one is allowed to remove a SELinux security label.
3403 You can change the label, but all data must be labeled. */
3408 * Copy the inode security context value to the user.
3410 * Permission check is handled by selinux_inode_getxattr hook.
3412 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3416 char *context = NULL;
3417 struct inode_security_struct *isec;
3419 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3423 * If the caller has CAP_MAC_ADMIN, then get the raw context
3424 * value even if it is not defined by current policy; otherwise,
3425 * use the in-core value under current policy.
3426 * Use the non-auditing forms of the permission checks since
3427 * getxattr may be called by unprivileged processes commonly
3428 * and lack of permission just means that we fall back to the
3429 * in-core context value, not a denial.
3431 isec = inode_security(inode);
3432 if (has_cap_mac_admin(false))
3433 error = security_sid_to_context_force(&selinux_state,
3434 isec->sid, &context,
3437 error = security_sid_to_context(&selinux_state, isec->sid,
3451 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3452 const void *value, size_t size, int flags)
3454 struct inode_security_struct *isec = inode_security_novalidate(inode);
3458 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3461 if (!value || !size)
3464 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3469 spin_lock(&isec->lock);
3470 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3472 isec->initialized = LABEL_INITIALIZED;
3473 spin_unlock(&isec->lock);
3477 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3479 const int len = sizeof(XATTR_NAME_SELINUX);
3480 if (buffer && len <= buffer_size)
3481 memcpy(buffer, XATTR_NAME_SELINUX, len);
3485 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3487 struct inode_security_struct *isec = inode_security_novalidate(inode);
3491 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3494 struct task_security_struct *tsec;
3495 struct cred *new_creds = *new;
3497 if (new_creds == NULL) {
3498 new_creds = prepare_creds();
3503 tsec = new_creds->security;
3504 /* Get label from overlay inode and set it in create_sid */
3505 selinux_inode_getsecid(d_inode(src), &sid);
3506 tsec->create_sid = sid;
3511 static int selinux_inode_copy_up_xattr(const char *name)
3513 /* The copy_up hook above sets the initial context on an inode, but we
3514 * don't then want to overwrite it by blindly copying all the lower
3515 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3517 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3518 return 1; /* Discard */
3520 * Any other attribute apart from SELINUX is not claimed, supported
3526 /* file security operations */
3528 static int selinux_revalidate_file_permission(struct file *file, int mask)
3530 const struct cred *cred = current_cred();
3531 struct inode *inode = file_inode(file);
3533 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3534 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3537 return file_has_perm(cred, file,
3538 file_mask_to_av(inode->i_mode, mask));
3541 static int selinux_file_permission(struct file *file, int mask)
3543 struct inode *inode = file_inode(file);
3544 struct file_security_struct *fsec = file->f_security;
3545 struct inode_security_struct *isec;
3546 u32 sid = current_sid();
3549 /* No permission to check. Existence test. */
3552 isec = inode_security(inode);
3553 if (sid == fsec->sid && fsec->isid == isec->sid &&
3554 fsec->pseqno == avc_policy_seqno(&selinux_state))
3555 /* No change since file_open check. */
3558 return selinux_revalidate_file_permission(file, mask);
3561 static int selinux_file_alloc_security(struct file *file)
3563 return file_alloc_security(file);
3566 static void selinux_file_free_security(struct file *file)
3568 file_free_security(file);
3572 * Check whether a task has the ioctl permission and cmd
3573 * operation to an inode.
3575 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3576 u32 requested, u16 cmd)
3578 struct common_audit_data ad;
3579 struct file_security_struct *fsec = file->f_security;
3580 struct inode *inode = file_inode(file);
3581 struct inode_security_struct *isec;
3582 struct lsm_ioctlop_audit ioctl;
3583 u32 ssid = cred_sid(cred);
3585 u8 driver = cmd >> 8;
3586 u8 xperm = cmd & 0xff;
3588 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3591 ad.u.op->path = file->f_path;
3593 if (ssid != fsec->sid) {
3594 rc = avc_has_perm(&selinux_state,
3603 if (unlikely(IS_PRIVATE(inode)))
3606 isec = inode_security(inode);
3607 rc = avc_has_extended_perms(&selinux_state,
3608 ssid, isec->sid, isec->sclass,
3609 requested, driver, xperm, &ad);
3614 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3617 const struct cred *cred = current_cred();
3627 case FS_IOC_GETFLAGS:
3629 case FS_IOC_GETVERSION:
3630 error = file_has_perm(cred, file, FILE__GETATTR);
3633 case FS_IOC_SETFLAGS:
3635 case FS_IOC_SETVERSION:
3636 error = file_has_perm(cred, file, FILE__SETATTR);
3639 /* sys_ioctl() checks */
3643 error = file_has_perm(cred, file, 0);
3648 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3649 SECURITY_CAP_AUDIT, true);
3652 /* default case assumes that the command will go
3653 * to the file's ioctl() function.
3656 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3661 static int default_noexec;
3663 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3665 const struct cred *cred = current_cred();
3666 u32 sid = cred_sid(cred);
3669 if (default_noexec &&
3670 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3671 (!shared && (prot & PROT_WRITE)))) {
3673 * We are making executable an anonymous mapping or a
3674 * private file mapping that will also be writable.
3675 * This has an additional check.
3677 rc = avc_has_perm(&selinux_state,
3678 sid, sid, SECCLASS_PROCESS,
3679 PROCESS__EXECMEM, NULL);
3685 /* read access is always possible with a mapping */
3686 u32 av = FILE__READ;
3688 /* write access only matters if the mapping is shared */
3689 if (shared && (prot & PROT_WRITE))
3692 if (prot & PROT_EXEC)
3693 av |= FILE__EXECUTE;
3695 return file_has_perm(cred, file, av);
3702 static int selinux_mmap_addr(unsigned long addr)
3706 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3707 u32 sid = current_sid();
3708 rc = avc_has_perm(&selinux_state,
3709 sid, sid, SECCLASS_MEMPROTECT,
3710 MEMPROTECT__MMAP_ZERO, NULL);
3716 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3717 unsigned long prot, unsigned long flags)
3719 struct common_audit_data ad;
3723 ad.type = LSM_AUDIT_DATA_FILE;
3725 rc = inode_has_perm(current_cred(), file_inode(file),
3731 if (selinux_state.checkreqprot)
3734 return file_map_prot_check(file, prot,
3735 (flags & MAP_TYPE) == MAP_SHARED);
3738 static int selinux_file_mprotect(struct vm_area_struct *vma,
3739 unsigned long reqprot,
3742 const struct cred *cred = current_cred();
3743 u32 sid = cred_sid(cred);
3745 if (selinux_state.checkreqprot)
3748 if (default_noexec &&
3749 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3751 if (vma->vm_start >= vma->vm_mm->start_brk &&
3752 vma->vm_end <= vma->vm_mm->brk) {
3753 rc = avc_has_perm(&selinux_state,
3754 sid, sid, SECCLASS_PROCESS,
3755 PROCESS__EXECHEAP, NULL);
3756 } else if (!vma->vm_file &&
3757 ((vma->vm_start <= vma->vm_mm->start_stack &&
3758 vma->vm_end >= vma->vm_mm->start_stack) ||
3759 vma_is_stack_for_current(vma))) {
3760 rc = avc_has_perm(&selinux_state,
3761 sid, sid, SECCLASS_PROCESS,
3762 PROCESS__EXECSTACK, NULL);
3763 } else if (vma->vm_file && vma->anon_vma) {
3765 * We are making executable a file mapping that has
3766 * had some COW done. Since pages might have been
3767 * written, check ability to execute the possibly
3768 * modified content. This typically should only
3769 * occur for text relocations.
3771 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3777 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3780 static int selinux_file_lock(struct file *file, unsigned int cmd)
3782 const struct cred *cred = current_cred();
3784 return file_has_perm(cred, file, FILE__LOCK);
3787 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3790 const struct cred *cred = current_cred();
3795 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3796 err = file_has_perm(cred, file, FILE__WRITE);
3805 case F_GETOWNER_UIDS:
3806 /* Just check FD__USE permission */
3807 err = file_has_perm(cred, file, 0);
3815 #if BITS_PER_LONG == 32
3820 err = file_has_perm(cred, file, FILE__LOCK);
3827 static void selinux_file_set_fowner(struct file *file)
3829 struct file_security_struct *fsec;
3831 fsec = file->f_security;
3832 fsec->fown_sid = current_sid();
3835 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3836 struct fown_struct *fown, int signum)
3839 u32 sid = task_sid(tsk);
3841 struct file_security_struct *fsec;
3843 /* struct fown_struct is never outside the context of a struct file */
3844 file = container_of(fown, struct file, f_owner);
3846 fsec = file->f_security;
3849 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3851 perm = signal_to_av(signum);
3853 return avc_has_perm(&selinux_state,
3854 fsec->fown_sid, sid,
3855 SECCLASS_PROCESS, perm, NULL);
3858 static int selinux_file_receive(struct file *file)
3860 const struct cred *cred = current_cred();
3862 return file_has_perm(cred, file, file_to_av(file));
3865 static int selinux_file_open(struct file *file, const struct cred *cred)
3867 struct file_security_struct *fsec;
3868 struct inode_security_struct *isec;
3870 fsec = file->f_security;
3871 isec = inode_security(file_inode(file));
3873 * Save inode label and policy sequence number
3874 * at open-time so that selinux_file_permission
3875 * can determine whether revalidation is necessary.
3876 * Task label is already saved in the file security
3877 * struct as its SID.
3879 fsec->isid = isec->sid;
3880 fsec->pseqno = avc_policy_seqno(&selinux_state);
3882 * Since the inode label or policy seqno may have changed
3883 * between the selinux_inode_permission check and the saving
3884 * of state above, recheck that access is still permitted.
3885 * Otherwise, access might never be revalidated against the
3886 * new inode label or new policy.
3887 * This check is not redundant - do not remove.
3889 return file_path_has_perm(cred, file, open_file_to_av(file));
3892 /* task security operations */
3894 static int selinux_task_alloc(struct task_struct *task,
3895 unsigned long clone_flags)
3897 u32 sid = current_sid();
3899 return avc_has_perm(&selinux_state,
3900 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3904 * allocate the SELinux part of blank credentials
3906 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3908 struct task_security_struct *tsec;
3910 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3914 cred->security = tsec;
3919 * detach and free the LSM part of a set of credentials
3921 static void selinux_cred_free(struct cred *cred)
3923 struct task_security_struct *tsec = cred->security;
3926 * cred->security == NULL if security_cred_alloc_blank() or
3927 * security_prepare_creds() returned an error.
3929 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3930 cred->security = (void *) 0x7UL;
3935 * prepare a new set of credentials for modification
3937 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3940 const struct task_security_struct *old_tsec;
3941 struct task_security_struct *tsec;
3943 old_tsec = old->security;
3945 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3949 new->security = tsec;
3954 * transfer the SELinux data to a blank set of creds
3956 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3958 const struct task_security_struct *old_tsec = old->security;
3959 struct task_security_struct *tsec = new->security;
3964 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3966 *secid = cred_sid(c);
3970 * set the security data for a kernel service
3971 * - all the creation contexts are set to unlabelled
3973 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3975 struct task_security_struct *tsec = new->security;
3976 u32 sid = current_sid();
3979 ret = avc_has_perm(&selinux_state,
3981 SECCLASS_KERNEL_SERVICE,
3982 KERNEL_SERVICE__USE_AS_OVERRIDE,
3986 tsec->create_sid = 0;
3987 tsec->keycreate_sid = 0;
3988 tsec->sockcreate_sid = 0;
3994 * set the file creation context in a security record to the same as the
3995 * objective context of the specified inode
3997 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3999 struct inode_security_struct *isec = inode_security(inode);
4000 struct task_security_struct *tsec = new->security;
4001 u32 sid = current_sid();
4004 ret = avc_has_perm(&selinux_state,
4006 SECCLASS_KERNEL_SERVICE,
4007 KERNEL_SERVICE__CREATE_FILES_AS,
4011 tsec->create_sid = isec->sid;
4015 static int selinux_kernel_module_request(char *kmod_name)
4017 struct common_audit_data ad;
4019 ad.type = LSM_AUDIT_DATA_KMOD;
4020 ad.u.kmod_name = kmod_name;
4022 return avc_has_perm(&selinux_state,
4023 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4024 SYSTEM__MODULE_REQUEST, &ad);
4027 static int selinux_kernel_module_from_file(struct file *file)
4029 struct common_audit_data ad;
4030 struct inode_security_struct *isec;
4031 struct file_security_struct *fsec;
4032 u32 sid = current_sid();
4037 return avc_has_perm(&selinux_state,
4038 sid, sid, SECCLASS_SYSTEM,
4039 SYSTEM__MODULE_LOAD, NULL);
4043 ad.type = LSM_AUDIT_DATA_FILE;
4046 fsec = file->f_security;
4047 if (sid != fsec->sid) {
4048 rc = avc_has_perm(&selinux_state,
4049 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4054 isec = inode_security(file_inode(file));
4055 return avc_has_perm(&selinux_state,
4056 sid, isec->sid, SECCLASS_SYSTEM,
4057 SYSTEM__MODULE_LOAD, &ad);
4060 static int selinux_kernel_read_file(struct file *file,
4061 enum kernel_read_file_id id)
4066 case READING_MODULE:
4067 rc = selinux_kernel_module_from_file(file);
4076 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4081 case LOADING_MODULE:
4082 rc = selinux_kernel_module_from_file(NULL);
4090 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4092 return avc_has_perm(&selinux_state,
4093 current_sid(), task_sid(p), SECCLASS_PROCESS,
4094 PROCESS__SETPGID, NULL);
4097 static int selinux_task_getpgid(struct task_struct *p)
4099 return avc_has_perm(&selinux_state,
4100 current_sid(), task_sid(p), SECCLASS_PROCESS,
4101 PROCESS__GETPGID, NULL);
4104 static int selinux_task_getsid(struct task_struct *p)
4106 return avc_has_perm(&selinux_state,
4107 current_sid(), task_sid(p), SECCLASS_PROCESS,
4108 PROCESS__GETSESSION, NULL);
4111 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4113 *secid = task_sid(p);
4116 static int selinux_task_setnice(struct task_struct *p, int nice)
4118 return avc_has_perm(&selinux_state,
4119 current_sid(), task_sid(p), SECCLASS_PROCESS,
4120 PROCESS__SETSCHED, NULL);
4123 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4125 return avc_has_perm(&selinux_state,
4126 current_sid(), task_sid(p), SECCLASS_PROCESS,
4127 PROCESS__SETSCHED, NULL);
4130 static int selinux_task_getioprio(struct task_struct *p)
4132 return avc_has_perm(&selinux_state,
4133 current_sid(), task_sid(p), SECCLASS_PROCESS,
4134 PROCESS__GETSCHED, NULL);
4137 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4144 if (flags & LSM_PRLIMIT_WRITE)
4145 av |= PROCESS__SETRLIMIT;
4146 if (flags & LSM_PRLIMIT_READ)
4147 av |= PROCESS__GETRLIMIT;
4148 return avc_has_perm(&selinux_state,
4149 cred_sid(cred), cred_sid(tcred),
4150 SECCLASS_PROCESS, av, NULL);
4153 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4154 struct rlimit *new_rlim)
4156 struct rlimit *old_rlim = p->signal->rlim + resource;
4158 /* Control the ability to change the hard limit (whether
4159 lowering or raising it), so that the hard limit can
4160 later be used as a safe reset point for the soft limit
4161 upon context transitions. See selinux_bprm_committing_creds. */
4162 if (old_rlim->rlim_max != new_rlim->rlim_max)
4163 return avc_has_perm(&selinux_state,
4164 current_sid(), task_sid(p),
4165 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4170 static int selinux_task_setscheduler(struct task_struct *p)
4172 return avc_has_perm(&selinux_state,
4173 current_sid(), task_sid(p), SECCLASS_PROCESS,
4174 PROCESS__SETSCHED, NULL);
4177 static int selinux_task_getscheduler(struct task_struct *p)
4179 return avc_has_perm(&selinux_state,
4180 current_sid(), task_sid(p), SECCLASS_PROCESS,
4181 PROCESS__GETSCHED, NULL);
4184 static int selinux_task_movememory(struct task_struct *p)
4186 return avc_has_perm(&selinux_state,
4187 current_sid(), task_sid(p), SECCLASS_PROCESS,
4188 PROCESS__SETSCHED, NULL);
4191 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4192 int sig, const struct cred *cred)
4198 perm = PROCESS__SIGNULL; /* null signal; existence test */
4200 perm = signal_to_av(sig);
4202 secid = current_sid();
4204 secid = cred_sid(cred);
4205 return avc_has_perm(&selinux_state,
4206 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4209 static void selinux_task_to_inode(struct task_struct *p,
4210 struct inode *inode)
4212 struct inode_security_struct *isec = inode->i_security;
4213 u32 sid = task_sid(p);
4215 spin_lock(&isec->lock);
4216 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4218 isec->initialized = LABEL_INITIALIZED;
4219 spin_unlock(&isec->lock);
4222 /* Returns error only if unable to parse addresses */
4223 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4224 struct common_audit_data *ad, u8 *proto)
4226 int offset, ihlen, ret = -EINVAL;
4227 struct iphdr _iph, *ih;
4229 offset = skb_network_offset(skb);
4230 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4234 ihlen = ih->ihl * 4;
4235 if (ihlen < sizeof(_iph))
4238 ad->u.net->v4info.saddr = ih->saddr;
4239 ad->u.net->v4info.daddr = ih->daddr;
4243 *proto = ih->protocol;
4245 switch (ih->protocol) {
4247 struct tcphdr _tcph, *th;
4249 if (ntohs(ih->frag_off) & IP_OFFSET)
4253 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4257 ad->u.net->sport = th->source;
4258 ad->u.net->dport = th->dest;
4263 struct udphdr _udph, *uh;
4265 if (ntohs(ih->frag_off) & IP_OFFSET)
4269 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4273 ad->u.net->sport = uh->source;
4274 ad->u.net->dport = uh->dest;
4278 case IPPROTO_DCCP: {
4279 struct dccp_hdr _dccph, *dh;
4281 if (ntohs(ih->frag_off) & IP_OFFSET)
4285 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4289 ad->u.net->sport = dh->dccph_sport;
4290 ad->u.net->dport = dh->dccph_dport;
4294 #if IS_ENABLED(CONFIG_IP_SCTP)
4295 case IPPROTO_SCTP: {
4296 struct sctphdr _sctph, *sh;
4298 if (ntohs(ih->frag_off) & IP_OFFSET)
4302 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4306 ad->u.net->sport = sh->source;
4307 ad->u.net->dport = sh->dest;
4318 #if IS_ENABLED(CONFIG_IPV6)
4320 /* Returns error only if unable to parse addresses */
4321 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4322 struct common_audit_data *ad, u8 *proto)
4325 int ret = -EINVAL, offset;
4326 struct ipv6hdr _ipv6h, *ip6;
4329 offset = skb_network_offset(skb);
4330 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4334 ad->u.net->v6info.saddr = ip6->saddr;
4335 ad->u.net->v6info.daddr = ip6->daddr;
4338 nexthdr = ip6->nexthdr;
4339 offset += sizeof(_ipv6h);
4340 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4349 struct tcphdr _tcph, *th;
4351 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4355 ad->u.net->sport = th->source;
4356 ad->u.net->dport = th->dest;
4361 struct udphdr _udph, *uh;
4363 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4367 ad->u.net->sport = uh->source;
4368 ad->u.net->dport = uh->dest;
4372 case IPPROTO_DCCP: {
4373 struct dccp_hdr _dccph, *dh;
4375 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4379 ad->u.net->sport = dh->dccph_sport;
4380 ad->u.net->dport = dh->dccph_dport;
4384 #if IS_ENABLED(CONFIG_IP_SCTP)
4385 case IPPROTO_SCTP: {
4386 struct sctphdr _sctph, *sh;
4388 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4392 ad->u.net->sport = sh->source;
4393 ad->u.net->dport = sh->dest;
4397 /* includes fragments */
4407 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4408 char **_addrp, int src, u8 *proto)
4413 switch (ad->u.net->family) {
4415 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4418 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4419 &ad->u.net->v4info.daddr);
4422 #if IS_ENABLED(CONFIG_IPV6)
4424 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4427 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4428 &ad->u.net->v6info.daddr);
4438 "SELinux: failure in selinux_parse_skb(),"
4439 " unable to parse packet\n");
4449 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4451 * @family: protocol family
4452 * @sid: the packet's peer label SID
4455 * Check the various different forms of network peer labeling and determine
4456 * the peer label/SID for the packet; most of the magic actually occurs in
4457 * the security server function security_net_peersid_cmp(). The function
4458 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4459 * or -EACCES if @sid is invalid due to inconsistencies with the different
4463 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4470 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4473 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4477 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4478 nlbl_type, xfrm_sid, sid);
4479 if (unlikely(err)) {
4481 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4482 " unable to determine packet's peer label\n");
4490 * selinux_conn_sid - Determine the child socket label for a connection
4491 * @sk_sid: the parent socket's SID
4492 * @skb_sid: the packet's SID
4493 * @conn_sid: the resulting connection SID
4495 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4496 * combined with the MLS information from @skb_sid in order to create
4497 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4498 * of @sk_sid. Returns zero on success, negative values on failure.
4501 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4505 if (skb_sid != SECSID_NULL)
4506 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4514 /* socket security operations */
4516 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4517 u16 secclass, u32 *socksid)
4519 if (tsec->sockcreate_sid > SECSID_NULL) {
4520 *socksid = tsec->sockcreate_sid;
4524 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4525 secclass, NULL, socksid);
4528 static int sock_has_perm(struct sock *sk, u32 perms)
4530 struct sk_security_struct *sksec = sk->sk_security;
4531 struct common_audit_data ad;
4532 struct lsm_network_audit net = {0,};
4534 if (sksec->sid == SECINITSID_KERNEL)
4537 ad.type = LSM_AUDIT_DATA_NET;
4541 return avc_has_perm(&selinux_state,
4542 current_sid(), sksec->sid, sksec->sclass, perms,
4546 static int selinux_socket_create(int family, int type,
4547 int protocol, int kern)
4549 const struct task_security_struct *tsec = current_security();
4557 secclass = socket_type_to_security_class(family, type, protocol);
4558 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4562 return avc_has_perm(&selinux_state,
4563 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4566 static int selinux_socket_post_create(struct socket *sock, int family,
4567 int type, int protocol, int kern)
4569 const struct task_security_struct *tsec = current_security();
4570 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4571 struct sk_security_struct *sksec;
4572 u16 sclass = socket_type_to_security_class(family, type, protocol);
4573 u32 sid = SECINITSID_KERNEL;
4577 err = socket_sockcreate_sid(tsec, sclass, &sid);
4582 isec->sclass = sclass;
4584 isec->initialized = LABEL_INITIALIZED;
4587 sksec = sock->sk->sk_security;
4588 sksec->sclass = sclass;
4590 /* Allows detection of the first association on this socket */
4591 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4592 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4594 err = selinux_netlbl_socket_post_create(sock->sk, family);
4600 static int selinux_socket_socketpair(struct socket *socka,
4601 struct socket *sockb)
4603 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4604 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4606 sksec_a->peer_sid = sksec_b->sid;
4607 sksec_b->peer_sid = sksec_a->sid;
4612 /* Range of port numbers used to automatically bind.
4613 Need to determine whether we should perform a name_bind
4614 permission check between the socket and the port number. */
4616 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4618 struct sock *sk = sock->sk;
4619 struct sk_security_struct *sksec = sk->sk_security;
4623 err = sock_has_perm(sk, SOCKET__BIND);
4627 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4628 family = sk->sk_family;
4629 if (family == PF_INET || family == PF_INET6) {
4631 struct common_audit_data ad;
4632 struct lsm_network_audit net = {0,};
4633 struct sockaddr_in *addr4 = NULL;
4634 struct sockaddr_in6 *addr6 = NULL;
4635 u16 family_sa = address->sa_family;
4636 unsigned short snum;
4640 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4641 * that validates multiple binding addresses. Because of this
4642 * need to check address->sa_family as it is possible to have
4643 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4645 switch (family_sa) {
4648 if (addrlen < sizeof(struct sockaddr_in))
4650 addr4 = (struct sockaddr_in *)address;
4651 if (family_sa == AF_UNSPEC) {
4652 /* see __inet_bind(), we only want to allow
4653 * AF_UNSPEC if the address is INADDR_ANY
4655 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4657 family_sa = AF_INET;
4659 snum = ntohs(addr4->sin_port);
4660 addrp = (char *)&addr4->sin_addr.s_addr;
4663 if (addrlen < SIN6_LEN_RFC2133)
4665 addr6 = (struct sockaddr_in6 *)address;
4666 snum = ntohs(addr6->sin6_port);
4667 addrp = (char *)&addr6->sin6_addr.s6_addr;
4673 ad.type = LSM_AUDIT_DATA_NET;
4675 ad.u.net->sport = htons(snum);
4676 ad.u.net->family = family_sa;
4681 inet_get_local_port_range(sock_net(sk), &low, &high);
4683 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4685 err = sel_netport_sid(sk->sk_protocol,
4689 err = avc_has_perm(&selinux_state,
4692 SOCKET__NAME_BIND, &ad);
4698 switch (sksec->sclass) {
4699 case SECCLASS_TCP_SOCKET:
4700 node_perm = TCP_SOCKET__NODE_BIND;
4703 case SECCLASS_UDP_SOCKET:
4704 node_perm = UDP_SOCKET__NODE_BIND;
4707 case SECCLASS_DCCP_SOCKET:
4708 node_perm = DCCP_SOCKET__NODE_BIND;
4711 case SECCLASS_SCTP_SOCKET:
4712 node_perm = SCTP_SOCKET__NODE_BIND;
4716 node_perm = RAWIP_SOCKET__NODE_BIND;
4720 err = sel_netnode_sid(addrp, family_sa, &sid);
4724 if (family_sa == AF_INET)
4725 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4727 ad.u.net->v6info.saddr = addr6->sin6_addr;
4729 err = avc_has_perm(&selinux_state,
4731 sksec->sclass, node_perm, &ad);
4738 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4739 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4741 return -EAFNOSUPPORT;
4744 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4745 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
4747 static int selinux_socket_connect_helper(struct socket *sock,
4748 struct sockaddr *address, int addrlen)
4750 struct sock *sk = sock->sk;
4751 struct sk_security_struct *sksec = sk->sk_security;
4754 err = sock_has_perm(sk, SOCKET__CONNECT);
4759 * If a TCP, DCCP or SCTP socket, check name_connect permission
4762 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4763 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4764 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4765 struct common_audit_data ad;
4766 struct lsm_network_audit net = {0,};
4767 struct sockaddr_in *addr4 = NULL;
4768 struct sockaddr_in6 *addr6 = NULL;
4769 unsigned short snum;
4772 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4773 * that validates multiple connect addresses. Because of this
4774 * need to check address->sa_family as it is possible to have
4775 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4777 switch (address->sa_family) {
4779 addr4 = (struct sockaddr_in *)address;
4780 if (addrlen < sizeof(struct sockaddr_in))
4782 snum = ntohs(addr4->sin_port);
4785 addr6 = (struct sockaddr_in6 *)address;
4786 if (addrlen < SIN6_LEN_RFC2133)
4788 snum = ntohs(addr6->sin6_port);
4791 /* Note that SCTP services expect -EINVAL, whereas
4792 * others expect -EAFNOSUPPORT.
4794 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4797 return -EAFNOSUPPORT;
4800 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4804 switch (sksec->sclass) {
4805 case SECCLASS_TCP_SOCKET:
4806 perm = TCP_SOCKET__NAME_CONNECT;
4808 case SECCLASS_DCCP_SOCKET:
4809 perm = DCCP_SOCKET__NAME_CONNECT;
4811 case SECCLASS_SCTP_SOCKET:
4812 perm = SCTP_SOCKET__NAME_CONNECT;
4816 ad.type = LSM_AUDIT_DATA_NET;
4818 ad.u.net->dport = htons(snum);
4819 ad.u.net->family = address->sa_family;
4820 err = avc_has_perm(&selinux_state,
4821 sksec->sid, sid, sksec->sclass, perm, &ad);
4829 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4830 static int selinux_socket_connect(struct socket *sock,
4831 struct sockaddr *address, int addrlen)
4834 struct sock *sk = sock->sk;
4836 err = selinux_socket_connect_helper(sock, address, addrlen);
4840 return selinux_netlbl_socket_connect(sk, address);
4843 static int selinux_socket_listen(struct socket *sock, int backlog)
4845 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4848 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4851 struct inode_security_struct *isec;
4852 struct inode_security_struct *newisec;
4856 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4860 isec = inode_security_novalidate(SOCK_INODE(sock));
4861 spin_lock(&isec->lock);
4862 sclass = isec->sclass;
4864 spin_unlock(&isec->lock);
4866 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4867 newisec->sclass = sclass;
4869 newisec->initialized = LABEL_INITIALIZED;
4874 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4877 return sock_has_perm(sock->sk, SOCKET__WRITE);
4880 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4881 int size, int flags)
4883 return sock_has_perm(sock->sk, SOCKET__READ);
4886 static int selinux_socket_getsockname(struct socket *sock)
4888 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4891 static int selinux_socket_getpeername(struct socket *sock)
4893 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4896 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4900 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4904 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4907 static int selinux_socket_getsockopt(struct socket *sock, int level,
4910 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4913 static int selinux_socket_shutdown(struct socket *sock, int how)
4915 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4918 static int selinux_socket_unix_stream_connect(struct sock *sock,
4922 struct sk_security_struct *sksec_sock = sock->sk_security;
4923 struct sk_security_struct *sksec_other = other->sk_security;
4924 struct sk_security_struct *sksec_new = newsk->sk_security;
4925 struct common_audit_data ad;
4926 struct lsm_network_audit net = {0,};
4929 ad.type = LSM_AUDIT_DATA_NET;
4931 ad.u.net->sk = other;
4933 err = avc_has_perm(&selinux_state,
4934 sksec_sock->sid, sksec_other->sid,
4935 sksec_other->sclass,
4936 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4940 /* server child socket */
4941 sksec_new->peer_sid = sksec_sock->sid;
4942 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4943 sksec_sock->sid, &sksec_new->sid);
4947 /* connecting socket */
4948 sksec_sock->peer_sid = sksec_new->sid;
4953 static int selinux_socket_unix_may_send(struct socket *sock,
4954 struct socket *other)
4956 struct sk_security_struct *ssec = sock->sk->sk_security;
4957 struct sk_security_struct *osec = other->sk->sk_security;
4958 struct common_audit_data ad;
4959 struct lsm_network_audit net = {0,};
4961 ad.type = LSM_AUDIT_DATA_NET;
4963 ad.u.net->sk = other->sk;
4965 return avc_has_perm(&selinux_state,
4966 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4970 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4971 char *addrp, u16 family, u32 peer_sid,
4972 struct common_audit_data *ad)
4978 err = sel_netif_sid(ns, ifindex, &if_sid);
4981 err = avc_has_perm(&selinux_state,
4983 SECCLASS_NETIF, NETIF__INGRESS, ad);
4987 err = sel_netnode_sid(addrp, family, &node_sid);
4990 return avc_has_perm(&selinux_state,
4992 SECCLASS_NODE, NODE__RECVFROM, ad);
4995 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4999 struct sk_security_struct *sksec = sk->sk_security;
5000 u32 sk_sid = sksec->sid;
5001 struct common_audit_data ad;
5002 struct lsm_network_audit net = {0,};
5005 ad.type = LSM_AUDIT_DATA_NET;
5007 ad.u.net->netif = skb->skb_iif;
5008 ad.u.net->family = family;
5009 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5013 if (selinux_secmark_enabled()) {
5014 err = avc_has_perm(&selinux_state,
5015 sk_sid, skb->secmark, SECCLASS_PACKET,
5021 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5024 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5029 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5032 struct sk_security_struct *sksec = sk->sk_security;
5033 u16 family = sk->sk_family;
5034 u32 sk_sid = sksec->sid;
5035 struct common_audit_data ad;
5036 struct lsm_network_audit net = {0,};
5041 if (family != PF_INET && family != PF_INET6)
5044 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5045 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5048 /* If any sort of compatibility mode is enabled then handoff processing
5049 * to the selinux_sock_rcv_skb_compat() function to deal with the
5050 * special handling. We do this in an attempt to keep this function
5051 * as fast and as clean as possible. */
5052 if (!selinux_policycap_netpeer())
5053 return selinux_sock_rcv_skb_compat(sk, skb, family);
5055 secmark_active = selinux_secmark_enabled();
5056 peerlbl_active = selinux_peerlbl_enabled();
5057 if (!secmark_active && !peerlbl_active)
5060 ad.type = LSM_AUDIT_DATA_NET;
5062 ad.u.net->netif = skb->skb_iif;
5063 ad.u.net->family = family;
5064 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5068 if (peerlbl_active) {
5071 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5074 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5075 addrp, family, peer_sid, &ad);
5077 selinux_netlbl_err(skb, family, err, 0);
5080 err = avc_has_perm(&selinux_state,
5081 sk_sid, peer_sid, SECCLASS_PEER,
5084 selinux_netlbl_err(skb, family, err, 0);
5089 if (secmark_active) {
5090 err = avc_has_perm(&selinux_state,
5091 sk_sid, skb->secmark, SECCLASS_PACKET,
5100 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5101 int __user *optlen, unsigned len)
5106 struct sk_security_struct *sksec = sock->sk->sk_security;
5107 u32 peer_sid = SECSID_NULL;
5109 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5110 sksec->sclass == SECCLASS_TCP_SOCKET ||
5111 sksec->sclass == SECCLASS_SCTP_SOCKET)
5112 peer_sid = sksec->peer_sid;
5113 if (peer_sid == SECSID_NULL)
5114 return -ENOPROTOOPT;
5116 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5121 if (scontext_len > len) {
5126 if (copy_to_user(optval, scontext, scontext_len))
5130 if (put_user(scontext_len, optlen))
5136 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5138 u32 peer_secid = SECSID_NULL;
5140 struct inode_security_struct *isec;
5142 if (skb && skb->protocol == htons(ETH_P_IP))
5144 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5147 family = sock->sk->sk_family;
5151 if (sock && family == PF_UNIX) {
5152 isec = inode_security_novalidate(SOCK_INODE(sock));
5153 peer_secid = isec->sid;
5155 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5158 *secid = peer_secid;
5159 if (peer_secid == SECSID_NULL)
5164 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5166 struct sk_security_struct *sksec;
5168 sksec = kzalloc(sizeof(*sksec), priority);
5172 sksec->peer_sid = SECINITSID_UNLABELED;
5173 sksec->sid = SECINITSID_UNLABELED;
5174 sksec->sclass = SECCLASS_SOCKET;
5175 selinux_netlbl_sk_security_reset(sksec);
5176 sk->sk_security = sksec;
5181 static void selinux_sk_free_security(struct sock *sk)
5183 struct sk_security_struct *sksec = sk->sk_security;
5185 sk->sk_security = NULL;
5186 selinux_netlbl_sk_security_free(sksec);
5190 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5192 struct sk_security_struct *sksec = sk->sk_security;
5193 struct sk_security_struct *newsksec = newsk->sk_security;
5195 newsksec->sid = sksec->sid;
5196 newsksec->peer_sid = sksec->peer_sid;
5197 newsksec->sclass = sksec->sclass;
5199 selinux_netlbl_sk_security_reset(newsksec);
5202 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5205 *secid = SECINITSID_ANY_SOCKET;
5207 struct sk_security_struct *sksec = sk->sk_security;
5209 *secid = sksec->sid;
5213 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5215 struct inode_security_struct *isec =
5216 inode_security_novalidate(SOCK_INODE(parent));
5217 struct sk_security_struct *sksec = sk->sk_security;
5219 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5220 sk->sk_family == PF_UNIX)
5221 isec->sid = sksec->sid;
5222 sksec->sclass = isec->sclass;
5225 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5226 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5229 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5230 struct sk_buff *skb)
5232 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5233 struct common_audit_data ad;
5234 struct lsm_network_audit net = {0,};
5236 u32 peer_sid = SECINITSID_UNLABELED;
5240 if (!selinux_policycap_extsockclass())
5243 peerlbl_active = selinux_peerlbl_enabled();
5245 if (peerlbl_active) {
5246 /* This will return peer_sid = SECSID_NULL if there are
5247 * no peer labels, see security_net_peersid_resolve().
5249 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5254 if (peer_sid == SECSID_NULL)
5255 peer_sid = SECINITSID_UNLABELED;
5258 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5259 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5261 /* Here as first association on socket. As the peer SID
5262 * was allowed by peer recv (and the netif/node checks),
5263 * then it is approved by policy and used as the primary
5264 * peer SID for getpeercon(3).
5266 sksec->peer_sid = peer_sid;
5267 } else if (sksec->peer_sid != peer_sid) {
5268 /* Other association peer SIDs are checked to enforce
5269 * consistency among the peer SIDs.
5271 ad.type = LSM_AUDIT_DATA_NET;
5273 ad.u.net->sk = ep->base.sk;
5274 err = avc_has_perm(&selinux_state,
5275 sksec->peer_sid, peer_sid, sksec->sclass,
5276 SCTP_SOCKET__ASSOCIATION, &ad);
5281 /* Compute the MLS component for the connection and store
5282 * the information in ep. This will be used by SCTP TCP type
5283 * sockets and peeled off connections as they cause a new
5284 * socket to be generated. selinux_sctp_sk_clone() will then
5285 * plug this into the new socket.
5287 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5291 ep->secid = conn_sid;
5292 ep->peer_secid = peer_sid;
5294 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5295 return selinux_netlbl_sctp_assoc_request(ep, skb);
5298 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5299 * based on their @optname.
5301 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5302 struct sockaddr *address,
5305 int len, err = 0, walk_size = 0;
5307 struct sockaddr *addr;
5308 struct socket *sock;
5310 if (!selinux_policycap_extsockclass())
5313 /* Process one or more addresses that may be IPv4 or IPv6 */
5314 sock = sk->sk_socket;
5317 while (walk_size < addrlen) {
5319 switch (addr->sa_family) {
5322 len = sizeof(struct sockaddr_in);
5325 len = sizeof(struct sockaddr_in6);
5334 case SCTP_PRIMARY_ADDR:
5335 case SCTP_SET_PEER_PRIMARY_ADDR:
5336 case SCTP_SOCKOPT_BINDX_ADD:
5337 err = selinux_socket_bind(sock, addr, len);
5339 /* Connect checks */
5340 case SCTP_SOCKOPT_CONNECTX:
5341 case SCTP_PARAM_SET_PRIMARY:
5342 case SCTP_PARAM_ADD_IP:
5343 case SCTP_SENDMSG_CONNECT:
5344 err = selinux_socket_connect_helper(sock, addr, len);
5348 /* As selinux_sctp_bind_connect() is called by the
5349 * SCTP protocol layer, the socket is already locked,
5350 * therefore selinux_netlbl_socket_connect_locked() is
5351 * is called here. The situations handled are:
5352 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5353 * whenever a new IP address is added or when a new
5354 * primary address is selected.
5355 * Note that an SCTP connect(2) call happens before
5356 * the SCTP protocol layer and is handled via
5357 * selinux_socket_connect().
5359 err = selinux_netlbl_socket_connect_locked(sk, addr);
5373 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5374 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5377 struct sk_security_struct *sksec = sk->sk_security;
5378 struct sk_security_struct *newsksec = newsk->sk_security;
5380 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5381 * the non-sctp clone version.
5383 if (!selinux_policycap_extsockclass())
5384 return selinux_sk_clone_security(sk, newsk);
5386 newsksec->sid = ep->secid;
5387 newsksec->peer_sid = ep->peer_secid;
5388 newsksec->sclass = sksec->sclass;
5389 selinux_netlbl_sctp_sk_clone(sk, newsk);
5392 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5393 struct request_sock *req)
5395 struct sk_security_struct *sksec = sk->sk_security;
5397 u16 family = req->rsk_ops->family;
5401 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5404 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5407 req->secid = connsid;
5408 req->peer_secid = peersid;
5410 return selinux_netlbl_inet_conn_request(req, family);
5413 static void selinux_inet_csk_clone(struct sock *newsk,
5414 const struct request_sock *req)
5416 struct sk_security_struct *newsksec = newsk->sk_security;
5418 newsksec->sid = req->secid;
5419 newsksec->peer_sid = req->peer_secid;
5420 /* NOTE: Ideally, we should also get the isec->sid for the
5421 new socket in sync, but we don't have the isec available yet.
5422 So we will wait until sock_graft to do it, by which
5423 time it will have been created and available. */
5425 /* We don't need to take any sort of lock here as we are the only
5426 * thread with access to newsksec */
5427 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5430 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5432 u16 family = sk->sk_family;
5433 struct sk_security_struct *sksec = sk->sk_security;
5435 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5436 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5439 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5442 static int selinux_secmark_relabel_packet(u32 sid)
5444 const struct task_security_struct *__tsec;
5447 __tsec = current_security();
5450 return avc_has_perm(&selinux_state,
5451 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5455 static void selinux_secmark_refcount_inc(void)
5457 atomic_inc(&selinux_secmark_refcount);
5460 static void selinux_secmark_refcount_dec(void)
5462 atomic_dec(&selinux_secmark_refcount);
5465 static void selinux_req_classify_flow(const struct request_sock *req,
5468 fl->flowi_secid = req->secid;
5471 static int selinux_tun_dev_alloc_security(void **security)
5473 struct tun_security_struct *tunsec;
5475 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5478 tunsec->sid = current_sid();
5484 static void selinux_tun_dev_free_security(void *security)
5489 static int selinux_tun_dev_create(void)
5491 u32 sid = current_sid();
5493 /* we aren't taking into account the "sockcreate" SID since the socket
5494 * that is being created here is not a socket in the traditional sense,
5495 * instead it is a private sock, accessible only to the kernel, and
5496 * representing a wide range of network traffic spanning multiple
5497 * connections unlike traditional sockets - check the TUN driver to
5498 * get a better understanding of why this socket is special */
5500 return avc_has_perm(&selinux_state,
5501 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5505 static int selinux_tun_dev_attach_queue(void *security)
5507 struct tun_security_struct *tunsec = security;
5509 return avc_has_perm(&selinux_state,
5510 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5511 TUN_SOCKET__ATTACH_QUEUE, NULL);
5514 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5516 struct tun_security_struct *tunsec = security;
5517 struct sk_security_struct *sksec = sk->sk_security;
5519 /* we don't currently perform any NetLabel based labeling here and it
5520 * isn't clear that we would want to do so anyway; while we could apply
5521 * labeling without the support of the TUN user the resulting labeled
5522 * traffic from the other end of the connection would almost certainly
5523 * cause confusion to the TUN user that had no idea network labeling
5524 * protocols were being used */
5526 sksec->sid = tunsec->sid;
5527 sksec->sclass = SECCLASS_TUN_SOCKET;
5532 static int selinux_tun_dev_open(void *security)
5534 struct tun_security_struct *tunsec = security;
5535 u32 sid = current_sid();
5538 err = avc_has_perm(&selinux_state,
5539 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5540 TUN_SOCKET__RELABELFROM, NULL);
5543 err = avc_has_perm(&selinux_state,
5544 sid, sid, SECCLASS_TUN_SOCKET,
5545 TUN_SOCKET__RELABELTO, NULL);
5553 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5557 struct nlmsghdr *nlh;
5558 struct sk_security_struct *sksec = sk->sk_security;
5560 if (skb->len < NLMSG_HDRLEN) {
5564 nlh = nlmsg_hdr(skb);
5566 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5568 if (err == -EINVAL) {
5569 pr_warn_ratelimited("SELinux: unrecognized netlink"
5570 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5571 " pig=%d comm=%s\n",
5572 sk->sk_protocol, nlh->nlmsg_type,
5573 secclass_map[sksec->sclass - 1].name,
5574 task_pid_nr(current), current->comm);
5575 if (!enforcing_enabled(&selinux_state) ||
5576 security_get_allow_unknown(&selinux_state))
5586 err = sock_has_perm(sk, perm);
5591 #ifdef CONFIG_NETFILTER
5593 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5594 const struct net_device *indev,
5600 struct common_audit_data ad;
5601 struct lsm_network_audit net = {0,};
5606 if (!selinux_policycap_netpeer())
5609 secmark_active = selinux_secmark_enabled();
5610 netlbl_active = netlbl_enabled();
5611 peerlbl_active = selinux_peerlbl_enabled();
5612 if (!secmark_active && !peerlbl_active)
5615 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5618 ad.type = LSM_AUDIT_DATA_NET;
5620 ad.u.net->netif = indev->ifindex;
5621 ad.u.net->family = family;
5622 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5625 if (peerlbl_active) {
5626 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5627 addrp, family, peer_sid, &ad);
5629 selinux_netlbl_err(skb, family, err, 1);
5635 if (avc_has_perm(&selinux_state,
5636 peer_sid, skb->secmark,
5637 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5641 /* we do this in the FORWARD path and not the POST_ROUTING
5642 * path because we want to make sure we apply the necessary
5643 * labeling before IPsec is applied so we can leverage AH
5645 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5651 static unsigned int selinux_ipv4_forward(void *priv,
5652 struct sk_buff *skb,
5653 const struct nf_hook_state *state)
5655 return selinux_ip_forward(skb, state->in, PF_INET);
5658 #if IS_ENABLED(CONFIG_IPV6)
5659 static unsigned int selinux_ipv6_forward(void *priv,
5660 struct sk_buff *skb,
5661 const struct nf_hook_state *state)
5663 return selinux_ip_forward(skb, state->in, PF_INET6);
5667 static unsigned int selinux_ip_output(struct sk_buff *skb,
5673 if (!netlbl_enabled())
5676 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5677 * because we want to make sure we apply the necessary labeling
5678 * before IPsec is applied so we can leverage AH protection */
5681 struct sk_security_struct *sksec;
5683 if (sk_listener(sk))
5684 /* if the socket is the listening state then this
5685 * packet is a SYN-ACK packet which means it needs to
5686 * be labeled based on the connection/request_sock and
5687 * not the parent socket. unfortunately, we can't
5688 * lookup the request_sock yet as it isn't queued on
5689 * the parent socket until after the SYN-ACK is sent.
5690 * the "solution" is to simply pass the packet as-is
5691 * as any IP option based labeling should be copied
5692 * from the initial connection request (in the IP
5693 * layer). it is far from ideal, but until we get a
5694 * security label in the packet itself this is the
5695 * best we can do. */
5698 /* standard practice, label using the parent socket */
5699 sksec = sk->sk_security;
5702 sid = SECINITSID_KERNEL;
5703 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5709 static unsigned int selinux_ipv4_output(void *priv,
5710 struct sk_buff *skb,
5711 const struct nf_hook_state *state)
5713 return selinux_ip_output(skb, PF_INET);
5716 #if IS_ENABLED(CONFIG_IPV6)
5717 static unsigned int selinux_ipv6_output(void *priv,
5718 struct sk_buff *skb,
5719 const struct nf_hook_state *state)
5721 return selinux_ip_output(skb, PF_INET6);
5725 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5729 struct sock *sk = skb_to_full_sk(skb);
5730 struct sk_security_struct *sksec;
5731 struct common_audit_data ad;
5732 struct lsm_network_audit net = {0,};
5738 sksec = sk->sk_security;
5740 ad.type = LSM_AUDIT_DATA_NET;
5742 ad.u.net->netif = ifindex;
5743 ad.u.net->family = family;
5744 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5747 if (selinux_secmark_enabled())
5748 if (avc_has_perm(&selinux_state,
5749 sksec->sid, skb->secmark,
5750 SECCLASS_PACKET, PACKET__SEND, &ad))
5751 return NF_DROP_ERR(-ECONNREFUSED);
5753 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5754 return NF_DROP_ERR(-ECONNREFUSED);
5759 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5760 const struct net_device *outdev,
5765 int ifindex = outdev->ifindex;
5767 struct common_audit_data ad;
5768 struct lsm_network_audit net = {0,};
5773 /* If any sort of compatibility mode is enabled then handoff processing
5774 * to the selinux_ip_postroute_compat() function to deal with the
5775 * special handling. We do this in an attempt to keep this function
5776 * as fast and as clean as possible. */
5777 if (!selinux_policycap_netpeer())
5778 return selinux_ip_postroute_compat(skb, ifindex, family);
5780 secmark_active = selinux_secmark_enabled();
5781 peerlbl_active = selinux_peerlbl_enabled();
5782 if (!secmark_active && !peerlbl_active)
5785 sk = skb_to_full_sk(skb);
5788 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5789 * packet transformation so allow the packet to pass without any checks
5790 * since we'll have another chance to perform access control checks
5791 * when the packet is on it's final way out.
5792 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5793 * is NULL, in this case go ahead and apply access control.
5794 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5795 * TCP listening state we cannot wait until the XFRM processing
5796 * is done as we will miss out on the SA label if we do;
5797 * unfortunately, this means more work, but it is only once per
5799 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5800 !(sk && sk_listener(sk)))
5805 /* Without an associated socket the packet is either coming
5806 * from the kernel or it is being forwarded; check the packet
5807 * to determine which and if the packet is being forwarded
5808 * query the packet directly to determine the security label. */
5810 secmark_perm = PACKET__FORWARD_OUT;
5811 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5814 secmark_perm = PACKET__SEND;
5815 peer_sid = SECINITSID_KERNEL;
5817 } else if (sk_listener(sk)) {
5818 /* Locally generated packet but the associated socket is in the
5819 * listening state which means this is a SYN-ACK packet. In
5820 * this particular case the correct security label is assigned
5821 * to the connection/request_sock but unfortunately we can't
5822 * query the request_sock as it isn't queued on the parent
5823 * socket until after the SYN-ACK packet is sent; the only
5824 * viable choice is to regenerate the label like we do in
5825 * selinux_inet_conn_request(). See also selinux_ip_output()
5826 * for similar problems. */
5828 struct sk_security_struct *sksec;
5830 sksec = sk->sk_security;
5831 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5833 /* At this point, if the returned skb peerlbl is SECSID_NULL
5834 * and the packet has been through at least one XFRM
5835 * transformation then we must be dealing with the "final"
5836 * form of labeled IPsec packet; since we've already applied
5837 * all of our access controls on this packet we can safely
5838 * pass the packet. */
5839 if (skb_sid == SECSID_NULL) {
5842 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5846 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5850 return NF_DROP_ERR(-ECONNREFUSED);
5853 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5855 secmark_perm = PACKET__SEND;
5857 /* Locally generated packet, fetch the security label from the
5858 * associated socket. */
5859 struct sk_security_struct *sksec = sk->sk_security;
5860 peer_sid = sksec->sid;
5861 secmark_perm = PACKET__SEND;
5864 ad.type = LSM_AUDIT_DATA_NET;
5866 ad.u.net->netif = ifindex;
5867 ad.u.net->family = family;
5868 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5872 if (avc_has_perm(&selinux_state,
5873 peer_sid, skb->secmark,
5874 SECCLASS_PACKET, secmark_perm, &ad))
5875 return NF_DROP_ERR(-ECONNREFUSED);
5877 if (peerlbl_active) {
5881 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5883 if (avc_has_perm(&selinux_state,
5885 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5886 return NF_DROP_ERR(-ECONNREFUSED);
5888 if (sel_netnode_sid(addrp, family, &node_sid))
5890 if (avc_has_perm(&selinux_state,
5892 SECCLASS_NODE, NODE__SENDTO, &ad))
5893 return NF_DROP_ERR(-ECONNREFUSED);
5899 static unsigned int selinux_ipv4_postroute(void *priv,
5900 struct sk_buff *skb,
5901 const struct nf_hook_state *state)
5903 return selinux_ip_postroute(skb, state->out, PF_INET);
5906 #if IS_ENABLED(CONFIG_IPV6)
5907 static unsigned int selinux_ipv6_postroute(void *priv,
5908 struct sk_buff *skb,
5909 const struct nf_hook_state *state)
5911 return selinux_ip_postroute(skb, state->out, PF_INET6);
5915 #endif /* CONFIG_NETFILTER */
5917 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5919 return selinux_nlmsg_perm(sk, skb);
5922 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5925 struct ipc_security_struct *isec;
5927 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5931 isec->sclass = sclass;
5932 isec->sid = current_sid();
5933 perm->security = isec;
5938 static void ipc_free_security(struct kern_ipc_perm *perm)
5940 struct ipc_security_struct *isec = perm->security;
5941 perm->security = NULL;
5945 static int msg_msg_alloc_security(struct msg_msg *msg)
5947 struct msg_security_struct *msec;
5949 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5953 msec->sid = SECINITSID_UNLABELED;
5954 msg->security = msec;
5959 static void msg_msg_free_security(struct msg_msg *msg)
5961 struct msg_security_struct *msec = msg->security;
5963 msg->security = NULL;
5967 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5970 struct ipc_security_struct *isec;
5971 struct common_audit_data ad;
5972 u32 sid = current_sid();
5974 isec = ipc_perms->security;
5976 ad.type = LSM_AUDIT_DATA_IPC;
5977 ad.u.ipc_id = ipc_perms->key;
5979 return avc_has_perm(&selinux_state,
5980 sid, isec->sid, isec->sclass, perms, &ad);
5983 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5985 return msg_msg_alloc_security(msg);
5988 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5990 msg_msg_free_security(msg);
5993 /* message queue security operations */
5994 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5996 struct ipc_security_struct *isec;
5997 struct common_audit_data ad;
5998 u32 sid = current_sid();
6001 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
6005 isec = msq->security;
6007 ad.type = LSM_AUDIT_DATA_IPC;
6008 ad.u.ipc_id = msq->key;
6010 rc = avc_has_perm(&selinux_state,
6011 sid, isec->sid, SECCLASS_MSGQ,
6014 ipc_free_security(msq);
6020 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6022 ipc_free_security(msq);
6025 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6027 struct ipc_security_struct *isec;
6028 struct common_audit_data ad;
6029 u32 sid = current_sid();
6031 isec = msq->security;
6033 ad.type = LSM_AUDIT_DATA_IPC;
6034 ad.u.ipc_id = msq->key;
6036 return avc_has_perm(&selinux_state,
6037 sid, isec->sid, SECCLASS_MSGQ,
6038 MSGQ__ASSOCIATE, &ad);
6041 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6049 /* No specific object, just general system-wide information. */
6050 return avc_has_perm(&selinux_state,
6051 current_sid(), SECINITSID_KERNEL,
6052 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6056 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6059 perms = MSGQ__SETATTR;
6062 perms = MSGQ__DESTROY;
6068 err = ipc_has_perm(msq, perms);
6072 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6074 struct ipc_security_struct *isec;
6075 struct msg_security_struct *msec;
6076 struct common_audit_data ad;
6077 u32 sid = current_sid();
6080 isec = msq->security;
6081 msec = msg->security;
6084 * First time through, need to assign label to the message
6086 if (msec->sid == SECINITSID_UNLABELED) {
6088 * Compute new sid based on current process and
6089 * message queue this message will be stored in
6091 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6092 SECCLASS_MSG, NULL, &msec->sid);
6097 ad.type = LSM_AUDIT_DATA_IPC;
6098 ad.u.ipc_id = msq->key;
6100 /* Can this process write to the queue? */
6101 rc = avc_has_perm(&selinux_state,
6102 sid, isec->sid, SECCLASS_MSGQ,
6105 /* Can this process send the message */
6106 rc = avc_has_perm(&selinux_state,
6107 sid, msec->sid, SECCLASS_MSG,
6110 /* Can the message be put in the queue? */
6111 rc = avc_has_perm(&selinux_state,
6112 msec->sid, isec->sid, SECCLASS_MSGQ,
6113 MSGQ__ENQUEUE, &ad);
6118 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6119 struct task_struct *target,
6120 long type, int mode)
6122 struct ipc_security_struct *isec;
6123 struct msg_security_struct *msec;
6124 struct common_audit_data ad;
6125 u32 sid = task_sid(target);
6128 isec = msq->security;
6129 msec = msg->security;
6131 ad.type = LSM_AUDIT_DATA_IPC;
6132 ad.u.ipc_id = msq->key;
6134 rc = avc_has_perm(&selinux_state,
6136 SECCLASS_MSGQ, MSGQ__READ, &ad);
6138 rc = avc_has_perm(&selinux_state,
6140 SECCLASS_MSG, MSG__RECEIVE, &ad);
6144 /* Shared Memory security operations */
6145 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6147 struct ipc_security_struct *isec;
6148 struct common_audit_data ad;
6149 u32 sid = current_sid();
6152 rc = ipc_alloc_security(shp, SECCLASS_SHM);
6156 isec = shp->security;
6158 ad.type = LSM_AUDIT_DATA_IPC;
6159 ad.u.ipc_id = shp->key;
6161 rc = avc_has_perm(&selinux_state,
6162 sid, isec->sid, SECCLASS_SHM,
6165 ipc_free_security(shp);
6171 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6173 ipc_free_security(shp);
6176 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6178 struct ipc_security_struct *isec;
6179 struct common_audit_data ad;
6180 u32 sid = current_sid();
6182 isec = shp->security;
6184 ad.type = LSM_AUDIT_DATA_IPC;
6185 ad.u.ipc_id = shp->key;
6187 return avc_has_perm(&selinux_state,
6188 sid, isec->sid, SECCLASS_SHM,
6189 SHM__ASSOCIATE, &ad);
6192 /* Note, at this point, shp is locked down */
6193 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6201 /* No specific object, just general system-wide information. */
6202 return avc_has_perm(&selinux_state,
6203 current_sid(), SECINITSID_KERNEL,
6204 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6208 perms = SHM__GETATTR | SHM__ASSOCIATE;
6211 perms = SHM__SETATTR;
6218 perms = SHM__DESTROY;
6224 err = ipc_has_perm(shp, perms);
6228 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6229 char __user *shmaddr, int shmflg)
6233 if (shmflg & SHM_RDONLY)
6236 perms = SHM__READ | SHM__WRITE;
6238 return ipc_has_perm(shp, perms);
6241 /* Semaphore security operations */
6242 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6244 struct ipc_security_struct *isec;
6245 struct common_audit_data ad;
6246 u32 sid = current_sid();
6249 rc = ipc_alloc_security(sma, SECCLASS_SEM);
6253 isec = sma->security;
6255 ad.type = LSM_AUDIT_DATA_IPC;
6256 ad.u.ipc_id = sma->key;
6258 rc = avc_has_perm(&selinux_state,
6259 sid, isec->sid, SECCLASS_SEM,
6262 ipc_free_security(sma);
6268 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6270 ipc_free_security(sma);
6273 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6275 struct ipc_security_struct *isec;
6276 struct common_audit_data ad;
6277 u32 sid = current_sid();
6279 isec = sma->security;
6281 ad.type = LSM_AUDIT_DATA_IPC;
6282 ad.u.ipc_id = sma->key;
6284 return avc_has_perm(&selinux_state,
6285 sid, isec->sid, SECCLASS_SEM,
6286 SEM__ASSOCIATE, &ad);
6289 /* Note, at this point, sma is locked down */
6290 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6298 /* No specific object, just general system-wide information. */
6299 return avc_has_perm(&selinux_state,
6300 current_sid(), SECINITSID_KERNEL,
6301 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6305 perms = SEM__GETATTR;
6316 perms = SEM__DESTROY;
6319 perms = SEM__SETATTR;
6324 perms = SEM__GETATTR | SEM__ASSOCIATE;
6330 err = ipc_has_perm(sma, perms);
6334 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6335 struct sembuf *sops, unsigned nsops, int alter)
6340 perms = SEM__READ | SEM__WRITE;
6344 return ipc_has_perm(sma, perms);
6347 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6353 av |= IPC__UNIX_READ;
6355 av |= IPC__UNIX_WRITE;
6360 return ipc_has_perm(ipcp, av);
6363 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6365 struct ipc_security_struct *isec = ipcp->security;
6369 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6372 inode_doinit_with_dentry(inode, dentry);
6375 static int selinux_getprocattr(struct task_struct *p,
6376 char *name, char **value)
6378 const struct task_security_struct *__tsec;
6384 __tsec = __task_cred(p)->security;
6387 error = avc_has_perm(&selinux_state,
6388 current_sid(), __tsec->sid,
6389 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6394 if (!strcmp(name, "current"))
6396 else if (!strcmp(name, "prev"))
6398 else if (!strcmp(name, "exec"))
6399 sid = __tsec->exec_sid;
6400 else if (!strcmp(name, "fscreate"))
6401 sid = __tsec->create_sid;
6402 else if (!strcmp(name, "keycreate"))
6403 sid = __tsec->keycreate_sid;
6404 else if (!strcmp(name, "sockcreate"))
6405 sid = __tsec->sockcreate_sid;
6415 error = security_sid_to_context(&selinux_state, sid, value, &len);
6425 static int selinux_setprocattr(const char *name, void *value, size_t size)
6427 struct task_security_struct *tsec;
6429 u32 mysid = current_sid(), sid = 0, ptsid;
6434 * Basic control over ability to set these attributes at all.
6436 if (!strcmp(name, "exec"))
6437 error = avc_has_perm(&selinux_state,
6438 mysid, mysid, SECCLASS_PROCESS,
6439 PROCESS__SETEXEC, NULL);
6440 else if (!strcmp(name, "fscreate"))
6441 error = avc_has_perm(&selinux_state,
6442 mysid, mysid, SECCLASS_PROCESS,
6443 PROCESS__SETFSCREATE, NULL);
6444 else if (!strcmp(name, "keycreate"))
6445 error = avc_has_perm(&selinux_state,
6446 mysid, mysid, SECCLASS_PROCESS,
6447 PROCESS__SETKEYCREATE, NULL);
6448 else if (!strcmp(name, "sockcreate"))
6449 error = avc_has_perm(&selinux_state,
6450 mysid, mysid, SECCLASS_PROCESS,
6451 PROCESS__SETSOCKCREATE, NULL);
6452 else if (!strcmp(name, "current"))
6453 error = avc_has_perm(&selinux_state,
6454 mysid, mysid, SECCLASS_PROCESS,
6455 PROCESS__SETCURRENT, NULL);
6461 /* Obtain a SID for the context, if one was specified. */
6462 if (size && str[0] && str[0] != '\n') {
6463 if (str[size-1] == '\n') {
6467 error = security_context_to_sid(&selinux_state, value, size,
6469 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6470 if (!has_cap_mac_admin(true)) {
6471 struct audit_buffer *ab;
6474 /* We strip a nul only if it is at the end, otherwise the
6475 * context contains a nul and we should audit that */
6476 if (str[size - 1] == '\0')
6477 audit_size = size - 1;
6480 ab = audit_log_start(audit_context(),
6483 audit_log_format(ab, "op=fscreate invalid_context=");
6484 audit_log_n_untrustedstring(ab, value, audit_size);
6489 error = security_context_to_sid_force(
6497 new = prepare_creds();
6501 /* Permission checking based on the specified context is
6502 performed during the actual operation (execve,
6503 open/mkdir/...), when we know the full context of the
6504 operation. See selinux_bprm_set_creds for the execve
6505 checks and may_create for the file creation checks. The
6506 operation will then fail if the context is not permitted. */
6507 tsec = new->security;
6508 if (!strcmp(name, "exec")) {
6509 tsec->exec_sid = sid;
6510 } else if (!strcmp(name, "fscreate")) {
6511 tsec->create_sid = sid;
6512 } else if (!strcmp(name, "keycreate")) {
6513 error = avc_has_perm(&selinux_state,
6514 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6518 tsec->keycreate_sid = sid;
6519 } else if (!strcmp(name, "sockcreate")) {
6520 tsec->sockcreate_sid = sid;
6521 } else if (!strcmp(name, "current")) {
6526 /* Only allow single threaded processes to change context */
6528 if (!current_is_single_threaded()) {
6529 error = security_bounded_transition(&selinux_state,
6535 /* Check permissions for the transition. */
6536 error = avc_has_perm(&selinux_state,
6537 tsec->sid, sid, SECCLASS_PROCESS,
6538 PROCESS__DYNTRANSITION, NULL);
6542 /* Check for ptracing, and update the task SID if ok.
6543 Otherwise, leave SID unchanged and fail. */
6544 ptsid = ptrace_parent_sid();
6546 error = avc_has_perm(&selinux_state,
6547 ptsid, sid, SECCLASS_PROCESS,
6548 PROCESS__PTRACE, NULL);
6567 static int selinux_ismaclabel(const char *name)
6569 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6572 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6574 return security_sid_to_context(&selinux_state, secid,
6578 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6580 return security_context_to_sid(&selinux_state, secdata, seclen,
6584 static void selinux_release_secctx(char *secdata, u32 seclen)
6589 static void selinux_inode_invalidate_secctx(struct inode *inode)
6591 struct inode_security_struct *isec = inode->i_security;
6593 spin_lock(&isec->lock);
6594 isec->initialized = LABEL_INVALID;
6595 spin_unlock(&isec->lock);
6599 * called with inode->i_mutex locked
6601 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6603 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6607 * called with inode->i_mutex locked
6609 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6611 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6614 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6617 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6626 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6627 unsigned long flags)
6629 const struct task_security_struct *tsec;
6630 struct key_security_struct *ksec;
6632 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6636 tsec = cred->security;
6637 if (tsec->keycreate_sid)
6638 ksec->sid = tsec->keycreate_sid;
6640 ksec->sid = tsec->sid;
6646 static void selinux_key_free(struct key *k)
6648 struct key_security_struct *ksec = k->security;
6654 static int selinux_key_permission(key_ref_t key_ref,
6655 const struct cred *cred,
6659 struct key_security_struct *ksec;
6662 /* if no specific permissions are requested, we skip the
6663 permission check. No serious, additional covert channels
6664 appear to be created. */
6668 sid = cred_sid(cred);
6670 key = key_ref_to_ptr(key_ref);
6671 ksec = key->security;
6673 return avc_has_perm(&selinux_state,
6674 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6677 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6679 struct key_security_struct *ksec = key->security;
6680 char *context = NULL;
6684 rc = security_sid_to_context(&selinux_state, ksec->sid,
6693 #ifdef CONFIG_SECURITY_INFINIBAND
6694 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6696 struct common_audit_data ad;
6699 struct ib_security_struct *sec = ib_sec;
6700 struct lsm_ibpkey_audit ibpkey;
6702 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6706 ad.type = LSM_AUDIT_DATA_IBPKEY;
6707 ibpkey.subnet_prefix = subnet_prefix;
6708 ibpkey.pkey = pkey_val;
6709 ad.u.ibpkey = &ibpkey;
6710 return avc_has_perm(&selinux_state,
6712 SECCLASS_INFINIBAND_PKEY,
6713 INFINIBAND_PKEY__ACCESS, &ad);
6716 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6719 struct common_audit_data ad;
6722 struct ib_security_struct *sec = ib_sec;
6723 struct lsm_ibendport_audit ibendport;
6725 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6731 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6732 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6733 ibendport.port = port_num;
6734 ad.u.ibendport = &ibendport;
6735 return avc_has_perm(&selinux_state,
6737 SECCLASS_INFINIBAND_ENDPORT,
6738 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6741 static int selinux_ib_alloc_security(void **ib_sec)
6743 struct ib_security_struct *sec;
6745 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6748 sec->sid = current_sid();
6754 static void selinux_ib_free_security(void *ib_sec)
6760 #ifdef CONFIG_BPF_SYSCALL
6761 static int selinux_bpf(int cmd, union bpf_attr *attr,
6764 u32 sid = current_sid();
6768 case BPF_MAP_CREATE:
6769 ret = avc_has_perm(&selinux_state,
6770 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6774 ret = avc_has_perm(&selinux_state,
6775 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6786 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6790 if (fmode & FMODE_READ)
6791 av |= BPF__MAP_READ;
6792 if (fmode & FMODE_WRITE)
6793 av |= BPF__MAP_WRITE;
6797 /* This function will check the file pass through unix socket or binder to see
6798 * if it is a bpf related object. And apply correspinding checks on the bpf
6799 * object based on the type. The bpf maps and programs, not like other files and
6800 * socket, are using a shared anonymous inode inside the kernel as their inode.
6801 * So checking that inode cannot identify if the process have privilege to
6802 * access the bpf object and that's why we have to add this additional check in
6803 * selinux_file_receive and selinux_binder_transfer_files.
6805 static int bpf_fd_pass(struct file *file, u32 sid)
6807 struct bpf_security_struct *bpfsec;
6808 struct bpf_prog *prog;
6809 struct bpf_map *map;
6812 if (file->f_op == &bpf_map_fops) {
6813 map = file->private_data;
6814 bpfsec = map->security;
6815 ret = avc_has_perm(&selinux_state,
6816 sid, bpfsec->sid, SECCLASS_BPF,
6817 bpf_map_fmode_to_av(file->f_mode), NULL);
6820 } else if (file->f_op == &bpf_prog_fops) {
6821 prog = file->private_data;
6822 bpfsec = prog->aux->security;
6823 ret = avc_has_perm(&selinux_state,
6824 sid, bpfsec->sid, SECCLASS_BPF,
6825 BPF__PROG_RUN, NULL);
6832 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6834 u32 sid = current_sid();
6835 struct bpf_security_struct *bpfsec;
6837 bpfsec = map->security;
6838 return avc_has_perm(&selinux_state,
6839 sid, bpfsec->sid, SECCLASS_BPF,
6840 bpf_map_fmode_to_av(fmode), NULL);
6843 static int selinux_bpf_prog(struct bpf_prog *prog)
6845 u32 sid = current_sid();
6846 struct bpf_security_struct *bpfsec;
6848 bpfsec = prog->aux->security;
6849 return avc_has_perm(&selinux_state,
6850 sid, bpfsec->sid, SECCLASS_BPF,
6851 BPF__PROG_RUN, NULL);
6854 static int selinux_bpf_map_alloc(struct bpf_map *map)
6856 struct bpf_security_struct *bpfsec;
6858 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6862 bpfsec->sid = current_sid();
6863 map->security = bpfsec;
6868 static void selinux_bpf_map_free(struct bpf_map *map)
6870 struct bpf_security_struct *bpfsec = map->security;
6872 map->security = NULL;
6876 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6878 struct bpf_security_struct *bpfsec;
6880 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6884 bpfsec->sid = current_sid();
6885 aux->security = bpfsec;
6890 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6892 struct bpf_security_struct *bpfsec = aux->security;
6894 aux->security = NULL;
6899 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6900 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6901 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6902 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6903 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6905 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6906 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6907 LSM_HOOK_INIT(capget, selinux_capget),
6908 LSM_HOOK_INIT(capset, selinux_capset),
6909 LSM_HOOK_INIT(capable, selinux_capable),
6910 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6911 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6912 LSM_HOOK_INIT(syslog, selinux_syslog),
6913 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6915 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6917 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6918 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6919 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6921 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6922 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6923 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6924 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6925 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6926 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6927 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6928 LSM_HOOK_INIT(sb_mount, selinux_mount),
6929 LSM_HOOK_INIT(sb_umount, selinux_umount),
6930 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6931 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6932 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6934 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6935 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6937 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6938 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6939 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6940 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6941 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6942 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6943 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6944 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6945 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6946 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6947 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6948 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6949 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6950 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6951 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6952 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6953 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6954 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6955 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6956 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6957 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6958 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6959 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6960 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6961 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6962 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6963 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6965 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6966 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6967 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6968 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6969 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6970 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6971 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6972 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6973 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6974 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6975 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6976 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6978 LSM_HOOK_INIT(file_open, selinux_file_open),
6980 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6981 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6982 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6983 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6984 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6985 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6986 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6987 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6988 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6989 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6990 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6991 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6992 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6993 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6994 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6995 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6996 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6997 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6998 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6999 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7000 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7001 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7002 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7003 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7004 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7006 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7007 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7009 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7010 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
7012 LSM_HOOK_INIT(msg_queue_alloc_security,
7013 selinux_msg_queue_alloc_security),
7014 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
7015 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7016 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7017 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7018 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7020 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7021 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7022 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7023 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7024 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7026 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7027 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7028 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7029 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7030 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7032 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7034 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7035 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7037 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7038 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7039 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7040 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7041 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7042 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7043 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7044 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7046 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7047 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7049 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7050 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7051 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7052 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7053 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7054 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7055 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7056 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7057 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7058 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7059 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7060 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7061 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7062 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7063 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7064 LSM_HOOK_INIT(socket_getpeersec_stream,
7065 selinux_socket_getpeersec_stream),
7066 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7067 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7068 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7069 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7070 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7071 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7072 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7073 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7074 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7075 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7076 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7077 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7078 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7079 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7080 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7081 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7082 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7083 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7084 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7085 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7086 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7087 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7088 #ifdef CONFIG_SECURITY_INFINIBAND
7089 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7090 LSM_HOOK_INIT(ib_endport_manage_subnet,
7091 selinux_ib_endport_manage_subnet),
7092 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7093 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7095 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7096 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7097 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7098 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7099 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7100 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7101 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7102 selinux_xfrm_state_alloc_acquire),
7103 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7104 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7105 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7106 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7107 selinux_xfrm_state_pol_flow_match),
7108 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7112 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7113 LSM_HOOK_INIT(key_free, selinux_key_free),
7114 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7115 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7119 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7120 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7121 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7122 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7125 #ifdef CONFIG_BPF_SYSCALL
7126 LSM_HOOK_INIT(bpf, selinux_bpf),
7127 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7128 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7129 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7130 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7131 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7132 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7136 static __init int selinux_init(void)
7138 if (!security_module_enable("selinux")) {
7139 selinux_enabled = 0;
7143 if (!selinux_enabled) {
7144 printk(KERN_INFO "SELinux: Disabled at boot.\n");
7148 printk(KERN_INFO "SELinux: Initializing.\n");
7150 memset(&selinux_state, 0, sizeof(selinux_state));
7151 enforcing_set(&selinux_state, selinux_enforcing_boot);
7152 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7153 selinux_ss_init(&selinux_state.ss);
7154 selinux_avc_init(&selinux_state.avc);
7156 /* Set the security state for the initial task. */
7157 cred_init_security();
7159 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7161 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7162 sizeof(struct inode_security_struct),
7163 0, SLAB_PANIC, NULL);
7164 file_security_cache = kmem_cache_create("selinux_file_security",
7165 sizeof(struct file_security_struct),
7166 0, SLAB_PANIC, NULL);
7171 ebitmap_cache_init();
7173 hashtab_cache_init();
7175 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7177 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7178 panic("SELinux: Unable to register AVC netcache callback\n");
7180 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7181 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7183 if (selinux_enforcing_boot)
7184 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
7186 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
7191 static void delayed_superblock_init(struct super_block *sb, void *unused)
7193 superblock_doinit(sb, NULL);
7196 void selinux_complete_init(void)
7198 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
7200 /* Set up any superblocks initialized prior to the policy load. */
7201 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
7202 iterate_supers(delayed_superblock_init, NULL);
7205 /* SELinux requires early initialization in order to label
7206 all processes and objects when they are created. */
7207 security_initcall(selinux_init);
7209 #if defined(CONFIG_NETFILTER)
7211 static const struct nf_hook_ops selinux_nf_ops[] = {
7213 .hook = selinux_ipv4_postroute,
7215 .hooknum = NF_INET_POST_ROUTING,
7216 .priority = NF_IP_PRI_SELINUX_LAST,
7219 .hook = selinux_ipv4_forward,
7221 .hooknum = NF_INET_FORWARD,
7222 .priority = NF_IP_PRI_SELINUX_FIRST,
7225 .hook = selinux_ipv4_output,
7227 .hooknum = NF_INET_LOCAL_OUT,
7228 .priority = NF_IP_PRI_SELINUX_FIRST,
7230 #if IS_ENABLED(CONFIG_IPV6)
7232 .hook = selinux_ipv6_postroute,
7234 .hooknum = NF_INET_POST_ROUTING,
7235 .priority = NF_IP6_PRI_SELINUX_LAST,
7238 .hook = selinux_ipv6_forward,
7240 .hooknum = NF_INET_FORWARD,
7241 .priority = NF_IP6_PRI_SELINUX_FIRST,
7244 .hook = selinux_ipv6_output,
7246 .hooknum = NF_INET_LOCAL_OUT,
7247 .priority = NF_IP6_PRI_SELINUX_FIRST,
7252 static int __net_init selinux_nf_register(struct net *net)
7254 return nf_register_net_hooks(net, selinux_nf_ops,
7255 ARRAY_SIZE(selinux_nf_ops));
7258 static void __net_exit selinux_nf_unregister(struct net *net)
7260 nf_unregister_net_hooks(net, selinux_nf_ops,
7261 ARRAY_SIZE(selinux_nf_ops));
7264 static struct pernet_operations selinux_net_ops = {
7265 .init = selinux_nf_register,
7266 .exit = selinux_nf_unregister,
7269 static int __init selinux_nf_ip_init(void)
7273 if (!selinux_enabled)
7276 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
7278 err = register_pernet_subsys(&selinux_net_ops);
7280 panic("SELinux: register_pernet_subsys: error %d\n", err);
7284 __initcall(selinux_nf_ip_init);
7286 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7287 static void selinux_nf_ip_exit(void)
7289 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
7291 unregister_pernet_subsys(&selinux_net_ops);
7295 #else /* CONFIG_NETFILTER */
7297 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7298 #define selinux_nf_ip_exit()
7301 #endif /* CONFIG_NETFILTER */
7303 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7304 int selinux_disable(struct selinux_state *state)
7306 if (state->initialized) {
7307 /* Not permitted after initial policy load. */
7311 if (state->disabled) {
7312 /* Only do this once. */
7316 state->disabled = 1;
7318 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
7320 selinux_enabled = 0;
7322 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7324 /* Try to destroy the avc node cache */
7327 /* Unregister netfilter hooks. */
7328 selinux_nf_ip_exit();
7330 /* Unregister selinuxfs. */
projects / linux.git / blob