1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * <dgoeddel@trustedcs.com>
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Paul Moore <paul@paul-moore.com>
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * Copyright (C) 2016 Mellanox Technologies
22 */
23
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched/signal.h>
31 #include <linux/sched/task.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/fs_context.h>
50 #include <linux/fs_parser.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/mutex.h>
83 #include <linux/posix-timers.h>
84 #include <linux/syslog.h>
85 #include <linux/user_namespace.h>
86 #include <linux/export.h>
87 #include <linux/msg.h>
88 #include <linux/shm.h>
89 #include <linux/bpf.h>
90 #include <linux/kernfs.h>
91 #include <linux/stringhash.h> /* for hashlen_string() */
92 #include <uapi/linux/mount.h>
93 #include <linux/fsnotify.h>
94 #include <linux/fanotify.h>
95
96 #include "avc.h"
97 #include "objsec.h"
98 #include "netif.h"
99 #include "netnode.h"
100 #include "netport.h"
101 #include "ibpkey.h"
102 #include "xfrm.h"
103 #include "netlabel.h"
104 #include "audit.h"
105 #include "avc_ss.h"
106
107 struct selinux_state selinux_state;
108
109 /* SECMARK reference count */
110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
111
112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
113 static int selinux_enforcing_boot __initdata;
114
115 static int __init enforcing_setup(char *str)
116 {
117 unsigned long enforcing;
118 if (!kstrtoul(str, 0, &enforcing))
119 selinux_enforcing_boot = enforcing ? 1 : 0;
120 return 1;
121 }
122 __setup("enforcing=", enforcing_setup);
123 #else
124 #define selinux_enforcing_boot 1
125 #endif
126
127 int selinux_enabled_boot __initdata = 1;
128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
129 static int __init selinux_enabled_setup(char *str)
130 {
131 unsigned long enabled;
132 if (!kstrtoul(str, 0, &enabled))
133 selinux_enabled_boot = enabled ? 1 : 0;
134 return 1;
135 }
136 __setup("selinux=", selinux_enabled_setup);
137 #endif
138
139 static unsigned int selinux_checkreqprot_boot =
140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141
142 static int __init checkreqprot_setup(char *str)
143 {
144 unsigned long checkreqprot;
145
146 if (!kstrtoul(str, 0, &checkreqprot)) {
147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148 if (checkreqprot)
149 pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
150 }
151 return 1;
152 }
153 __setup("checkreqprot=", checkreqprot_setup);
154
155 /**
156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157 *
158 * Description:
159 * This function checks the SECMARK reference counter to see if any SECMARK
160 * targets are currently configured, if the reference counter is greater than
161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
162 * enabled, false (0) if SECMARK is disabled. If the always_check_network
163 * policy capability is enabled, SECMARK is always considered enabled.
164 *
165 */
166 static int selinux_secmark_enabled(void)
167 {
168 return (selinux_policycap_alwaysnetwork() ||
169 atomic_read(&selinux_secmark_refcount));
170 }
171
172 /**
173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174 *
175 * Description:
176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
177 * (1) if any are enabled or false (0) if neither are enabled. If the
178 * always_check_network policy capability is enabled, peer labeling
179 * is always considered enabled.
180 *
181 */
182 static int selinux_peerlbl_enabled(void)
183 {
184 return (selinux_policycap_alwaysnetwork() ||
185 netlbl_enabled() || selinux_xfrm_enabled());
186 }
187
188 static int selinux_netcache_avc_callback(u32 event)
189 {
190 if (event == AVC_CALLBACK_RESET) {
191 sel_netif_flush();
192 sel_netnode_flush();
193 sel_netport_flush();
194 synchronize_net();
195 }
196 return 0;
197 }
198
199 static int selinux_lsm_notifier_avc_callback(u32 event)
200 {
201 if (event == AVC_CALLBACK_RESET) {
202 sel_ib_pkey_flush();
203 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
204 }
205
206 return 0;
207 }
208
209 /*
210 * initialise the security for the init task
211 */
212 static void cred_init_security(void)
213 {
214 struct cred *cred = (struct cred *) current->real_cred;
215 struct task_security_struct *tsec;
216
217 tsec = selinux_cred(cred);
218 tsec->osid = tsec->sid = SECINITSID_KERNEL;
219 }
220
221 /*
222 * get the security ID of a set of credentials
223 */
224 static inline u32 cred_sid(const struct cred *cred)
225 {
226 const struct task_security_struct *tsec;
227
228 tsec = selinux_cred(cred);
229 return tsec->sid;
230 }
231
232 /*
233 * get the subjective security ID of a task
234 */
235 static inline u32 task_sid_subj(const struct task_struct *task)
236 {
237 u32 sid;
238
239 rcu_read_lock();
240 sid = cred_sid(rcu_dereference(task->cred));
241 rcu_read_unlock();
242 return sid;
243 }
244
245 /*
246 * get the objective security ID of a task
247 */
248 static inline u32 task_sid_obj(const struct task_struct *task)
249 {
250 u32 sid;
251
252 rcu_read_lock();
253 sid = cred_sid(__task_cred(task));
254 rcu_read_unlock();
255 return sid;
256 }
257
258 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
259
260 /*
261 * Try reloading inode security labels that have been marked as invalid. The
262 * @may_sleep parameter indicates when sleeping and thus reloading labels is
263 * allowed; when set to false, returns -ECHILD when the label is
264 * invalid. The @dentry parameter should be set to a dentry of the inode.
265 */
266 static int __inode_security_revalidate(struct inode *inode,
267 struct dentry *dentry,
268 bool may_sleep)
269 {
270 struct inode_security_struct *isec = selinux_inode(inode);
271
272 might_sleep_if(may_sleep);
273
274 if (selinux_initialized(&selinux_state) &&
275 isec->initialized != LABEL_INITIALIZED) {
276 if (!may_sleep)
277 return -ECHILD;
278
279 /*
280 * Try reloading the inode security label. This will fail if
281 * @opt_dentry is NULL and no dentry for this inode can be
282 * found; in that case, continue using the old label.
283 */
284 inode_doinit_with_dentry(inode, dentry);
285 }
286 return 0;
287 }
288
289 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
290 {
291 return selinux_inode(inode);
292 }
293
294 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
295 {
296 int error;
297
298 error = __inode_security_revalidate(inode, NULL, !rcu);
299 if (error)
300 return ERR_PTR(error);
301 return selinux_inode(inode);
302 }
303
304 /*
305 * Get the security label of an inode.
306 */
307 static struct inode_security_struct *inode_security(struct inode *inode)
308 {
309 __inode_security_revalidate(inode, NULL, true);
310 return selinux_inode(inode);
311 }
312
313 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
314 {
315 struct inode *inode = d_backing_inode(dentry);
316
317 return selinux_inode(inode);
318 }
319
320 /*
321 * Get the security label of a dentry's backing inode.
322 */
323 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
324 {
325 struct inode *inode = d_backing_inode(dentry);
326
327 __inode_security_revalidate(inode, dentry, true);
328 return selinux_inode(inode);
329 }
330
331 static void inode_free_security(struct inode *inode)
332 {
333 struct inode_security_struct *isec = selinux_inode(inode);
334 struct superblock_security_struct *sbsec;
335
336 if (!isec)
337 return;
338 sbsec = selinux_superblock(inode->i_sb);
339 /*
340 * As not all inode security structures are in a list, we check for
341 * empty list outside of the lock to make sure that we won't waste
342 * time taking a lock doing nothing.
343 *
344 * The list_del_init() function can be safely called more than once.
345 * It should not be possible for this function to be called with
346 * concurrent list_add(), but for better safety against future changes
347 * in the code, we use list_empty_careful() here.
348 */
349 if (!list_empty_careful(&isec->list)) {
350 spin_lock(&sbsec->isec_lock);
351 list_del_init(&isec->list);
352 spin_unlock(&sbsec->isec_lock);
353 }
354 }
355
356 struct selinux_mnt_opts {
357 const char *fscontext, *context, *rootcontext, *defcontext;
358 u32 fscontext_sid;
359 u32 context_sid;
360 u32 rootcontext_sid;
361 u32 defcontext_sid;
362 };
363
364 static void selinux_free_mnt_opts(void *mnt_opts)
365 {
366 struct selinux_mnt_opts *opts = mnt_opts;
367 kfree(opts->fscontext);
368 kfree(opts->context);
369 kfree(opts->rootcontext);
370 kfree(opts->defcontext);
371 kfree(opts);
372 }
373
374 enum {
375 Opt_error = -1,
376 Opt_context = 0,
377 Opt_defcontext = 1,
378 Opt_fscontext = 2,
379 Opt_rootcontext = 3,
380 Opt_seclabel = 4,
381 };
382
383 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
384 static struct {
385 const char *name;
386 int len;
387 int opt;
388 bool has_arg;
389 } tokens[] = {
390 A(context, true),
391 A(fscontext, true),
392 A(defcontext, true),
393 A(rootcontext, true),
394 A(seclabel, false),
395 };
396 #undef A
397
398 static int match_opt_prefix(char *s, int l, char **arg)
399 {
400 int i;
401
402 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
403 size_t len = tokens[i].len;
404 if (len > l || memcmp(s, tokens[i].name, len))
405 continue;
406 if (tokens[i].has_arg) {
407 if (len == l || s[len] != '=')
408 continue;
409 *arg = s + len + 1;
410 } else if (len != l)
411 continue;
412 return tokens[i].opt;
413 }
414 return Opt_error;
415 }
416
417 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
418
419 static int may_context_mount_sb_relabel(u32 sid,
420 struct superblock_security_struct *sbsec,
421 const struct cred *cred)
422 {
423 const struct task_security_struct *tsec = selinux_cred(cred);
424 int rc;
425
426 rc = avc_has_perm(&selinux_state,
427 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
428 FILESYSTEM__RELABELFROM, NULL);
429 if (rc)
430 return rc;
431
432 rc = avc_has_perm(&selinux_state,
433 tsec->sid, sid, SECCLASS_FILESYSTEM,
434 FILESYSTEM__RELABELTO, NULL);
435 return rc;
436 }
437
438 static int may_context_mount_inode_relabel(u32 sid,
439 struct superblock_security_struct *sbsec,
440 const struct cred *cred)
441 {
442 const struct task_security_struct *tsec = selinux_cred(cred);
443 int rc;
444 rc = avc_has_perm(&selinux_state,
445 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
446 FILESYSTEM__RELABELFROM, NULL);
447 if (rc)
448 return rc;
449
450 rc = avc_has_perm(&selinux_state,
451 sid, sbsec->sid, SECCLASS_FILESYSTEM,
452 FILESYSTEM__ASSOCIATE, NULL);
453 return rc;
454 }
455
456 static int selinux_is_genfs_special_handling(struct super_block *sb)
457 {
458 /* Special handling. Genfs but also in-core setxattr handler */
459 return !strcmp(sb->s_type->name, "sysfs") ||
460 !strcmp(sb->s_type->name, "pstore") ||
461 !strcmp(sb->s_type->name, "debugfs") ||
462 !strcmp(sb->s_type->name, "tracefs") ||
463 !strcmp(sb->s_type->name, "rootfs") ||
464 (selinux_policycap_cgroupseclabel() &&
465 (!strcmp(sb->s_type->name, "cgroup") ||
466 !strcmp(sb->s_type->name, "cgroup2")));
467 }
468
469 static int selinux_is_sblabel_mnt(struct super_block *sb)
470 {
471 struct superblock_security_struct *sbsec = selinux_superblock(sb);
472
473 /*
474 * IMPORTANT: Double-check logic in this function when adding a new
475 * SECURITY_FS_USE_* definition!
476 */
477 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
478
479 switch (sbsec->behavior) {
480 case SECURITY_FS_USE_XATTR:
481 case SECURITY_FS_USE_TRANS:
482 case SECURITY_FS_USE_TASK:
483 case SECURITY_FS_USE_NATIVE:
484 return 1;
485
486 case SECURITY_FS_USE_GENFS:
487 return selinux_is_genfs_special_handling(sb);
488
489 /* Never allow relabeling on context mounts */
490 case SECURITY_FS_USE_MNTPOINT:
491 case SECURITY_FS_USE_NONE:
492 default:
493 return 0;
494 }
495 }
496
497 static int sb_check_xattr_support(struct super_block *sb)
498 {
499 struct superblock_security_struct *sbsec = selinux_superblock(sb);
500 struct dentry *root = sb->s_root;
501 struct inode *root_inode = d_backing_inode(root);
502 u32 sid;
503 int rc;
504
505 /*
506 * Make sure that the xattr handler exists and that no
507 * error other than -ENODATA is returned by getxattr on
508 * the root directory. -ENODATA is ok, as this may be
509 * the first boot of the SELinux kernel before we have
510 * assigned xattr values to the filesystem.
511 */
512 if (!(root_inode->i_opflags & IOP_XATTR)) {
513 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
514 sb->s_id, sb->s_type->name);
515 goto fallback;
516 }
517
518 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
519 if (rc < 0 && rc != -ENODATA) {
520 if (rc == -EOPNOTSUPP) {
521 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
522 sb->s_id, sb->s_type->name);
523 goto fallback;
524 } else {
525 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
526 sb->s_id, sb->s_type->name, -rc);
527 return rc;
528 }
529 }
530 return 0;
531
532 fallback:
533 /* No xattr support - try to fallback to genfs if possible. */
534 rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/",
535 SECCLASS_DIR, &sid);
536 if (rc)
537 return -EOPNOTSUPP;
538
539 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
540 sb->s_id, sb->s_type->name);
541 sbsec->behavior = SECURITY_FS_USE_GENFS;
542 sbsec->sid = sid;
543 return 0;
544 }
545
546 static int sb_finish_set_opts(struct super_block *sb)
547 {
548 struct superblock_security_struct *sbsec = selinux_superblock(sb);
549 struct dentry *root = sb->s_root;
550 struct inode *root_inode = d_backing_inode(root);
551 int rc = 0;
552
553 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
554 rc = sb_check_xattr_support(sb);
555 if (rc)
556 return rc;
557 }
558
559 sbsec->flags |= SE_SBINITIALIZED;
560
561 /*
562 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
563 * leave the flag untouched because sb_clone_mnt_opts might be handing
564 * us a superblock that needs the flag to be cleared.
565 */
566 if (selinux_is_sblabel_mnt(sb))
567 sbsec->flags |= SBLABEL_MNT;
568 else
569 sbsec->flags &= ~SBLABEL_MNT;
570
571 /* Initialize the root inode. */
572 rc = inode_doinit_with_dentry(root_inode, root);
573
574 /* Initialize any other inodes associated with the superblock, e.g.
575 inodes created prior to initial policy load or inodes created
576 during get_sb by a pseudo filesystem that directly
577 populates itself. */
578 spin_lock(&sbsec->isec_lock);
579 while (!list_empty(&sbsec->isec_head)) {
580 struct inode_security_struct *isec =
581 list_first_entry(&sbsec->isec_head,
582 struct inode_security_struct, list);
583 struct inode *inode = isec->inode;
584 list_del_init(&isec->list);
585 spin_unlock(&sbsec->isec_lock);
586 inode = igrab(inode);
587 if (inode) {
588 if (!IS_PRIVATE(inode))
589 inode_doinit_with_dentry(inode, NULL);
590 iput(inode);
591 }
592 spin_lock(&sbsec->isec_lock);
593 }
594 spin_unlock(&sbsec->isec_lock);
595 return rc;
596 }
597
598 static int bad_option(struct superblock_security_struct *sbsec, char flag,
599 u32 old_sid, u32 new_sid)
600 {
601 char mnt_flags = sbsec->flags & SE_MNTMASK;
602
603 /* check if the old mount command had the same options */
604 if (sbsec->flags & SE_SBINITIALIZED)
605 if (!(sbsec->flags & flag) ||
606 (old_sid != new_sid))
607 return 1;
608
609 /* check if we were passed the same options twice,
610 * aka someone passed context=a,context=b
611 */
612 if (!(sbsec->flags & SE_SBINITIALIZED))
613 if (mnt_flags & flag)
614 return 1;
615 return 0;
616 }
617
618 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
619 {
620 int rc = security_context_str_to_sid(&selinux_state, s,
621 sid, GFP_KERNEL);
622 if (rc)
623 pr_warn("SELinux: security_context_str_to_sid"
624 "(%s) failed for (dev %s, type %s) errno=%d\n",
625 s, sb ? sb->s_id : "?", sb ? sb->s_type->name : "?", rc);
626 return rc;
627 }
628
629 /*
630 * Allow filesystems with binary mount data to explicitly set mount point
631 * labeling information.
632 */
633 static int selinux_set_mnt_opts(struct super_block *sb,
634 void *mnt_opts,
635 unsigned long kern_flags,
636 unsigned long *set_kern_flags)
637 {
638 const struct cred *cred = current_cred();
639 struct superblock_security_struct *sbsec = selinux_superblock(sb);
640 struct dentry *root = sb->s_root;
641 struct selinux_mnt_opts *opts = mnt_opts;
642 struct inode_security_struct *root_isec;
643 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
644 u32 defcontext_sid = 0;
645 int rc = 0;
646
647 mutex_lock(&sbsec->lock);
648
649 if (!selinux_initialized(&selinux_state)) {
650 if (!opts) {
651 /* Defer initialization until selinux_complete_init,
652 after the initial policy is loaded and the security
653 server is ready to handle calls. */
654 goto out;
655 }
656 rc = -EINVAL;
657 pr_warn("SELinux: Unable to set superblock options "
658 "before the security server is initialized\n");
659 goto out;
660 }
661 if (kern_flags && !set_kern_flags) {
662 /* Specifying internal flags without providing a place to
663 * place the results is not allowed */
664 rc = -EINVAL;
665 goto out;
666 }
667
668 /*
669 * Binary mount data FS will come through this function twice. Once
670 * from an explicit call and once from the generic calls from the vfs.
671 * Since the generic VFS calls will not contain any security mount data
672 * we need to skip the double mount verification.
673 *
674 * This does open a hole in which we will not notice if the first
675 * mount using this sb set explict options and a second mount using
676 * this sb does not set any security options. (The first options
677 * will be used for both mounts)
678 */
679 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
680 && !opts)
681 goto out;
682
683 root_isec = backing_inode_security_novalidate(root);
684
685 /*
686 * parse the mount options, check if they are valid sids.
687 * also check if someone is trying to mount the same sb more
688 * than once with different security options.
689 */
690 if (opts) {
691 if (opts->fscontext) {
692 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
693 if (rc)
694 goto out;
695 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
696 fscontext_sid))
697 goto out_double_mount;
698 sbsec->flags |= FSCONTEXT_MNT;
699 }
700 if (opts->context) {
701 rc = parse_sid(sb, opts->context, &context_sid);
702 if (rc)
703 goto out;
704 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
705 context_sid))
706 goto out_double_mount;
707 sbsec->flags |= CONTEXT_MNT;
708 }
709 if (opts->rootcontext) {
710 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
711 if (rc)
712 goto out;
713 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
714 rootcontext_sid))
715 goto out_double_mount;
716 sbsec->flags |= ROOTCONTEXT_MNT;
717 }
718 if (opts->defcontext) {
719 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
720 if (rc)
721 goto out;
722 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
723 defcontext_sid))
724 goto out_double_mount;
725 sbsec->flags |= DEFCONTEXT_MNT;
726 }
727 }
728
729 if (sbsec->flags & SE_SBINITIALIZED) {
730 /* previously mounted with options, but not on this attempt? */
731 if ((sbsec->flags & SE_MNTMASK) && !opts)
732 goto out_double_mount;
733 rc = 0;
734 goto out;
735 }
736
737 if (strcmp(sb->s_type->name, "proc") == 0)
738 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
739
740 if (!strcmp(sb->s_type->name, "debugfs") ||
741 !strcmp(sb->s_type->name, "tracefs") ||
742 !strcmp(sb->s_type->name, "binder") ||
743 !strcmp(sb->s_type->name, "bpf") ||
744 !strcmp(sb->s_type->name, "pstore") ||
745 !strcmp(sb->s_type->name, "securityfs"))
746 sbsec->flags |= SE_SBGENFS;
747
748 if (!strcmp(sb->s_type->name, "sysfs") ||
749 !strcmp(sb->s_type->name, "cgroup") ||
750 !strcmp(sb->s_type->name, "cgroup2"))
751 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
752
753 if (!sbsec->behavior) {
754 /*
755 * Determine the labeling behavior to use for this
756 * filesystem type.
757 */
758 rc = security_fs_use(&selinux_state, sb);
759 if (rc) {
760 pr_warn("%s: security_fs_use(%s) returned %d\n",
761 __func__, sb->s_type->name, rc);
762 goto out;
763 }
764 }
765
766 /*
767 * If this is a user namespace mount and the filesystem type is not
768 * explicitly whitelisted, then no contexts are allowed on the command
769 * line and security labels must be ignored.
770 */
771 if (sb->s_user_ns != &init_user_ns &&
772 strcmp(sb->s_type->name, "tmpfs") &&
773 strcmp(sb->s_type->name, "ramfs") &&
774 strcmp(sb->s_type->name, "devpts") &&
775 strcmp(sb->s_type->name, "overlay")) {
776 if (context_sid || fscontext_sid || rootcontext_sid ||
777 defcontext_sid) {
778 rc = -EACCES;
779 goto out;
780 }
781 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
782 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
783 rc = security_transition_sid(&selinux_state,
784 current_sid(),
785 current_sid(),
786 SECCLASS_FILE, NULL,
787 &sbsec->mntpoint_sid);
788 if (rc)
789 goto out;
790 }
791 goto out_set_opts;
792 }
793
794 /* sets the context of the superblock for the fs being mounted. */
795 if (fscontext_sid) {
796 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
797 if (rc)
798 goto out;
799
800 sbsec->sid = fscontext_sid;
801 }
802
803 /*
804 * Switch to using mount point labeling behavior.
805 * sets the label used on all file below the mountpoint, and will set
806 * the superblock context if not already set.
807 */
808 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
809 sbsec->behavior = SECURITY_FS_USE_NATIVE;
810 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
811 }
812
813 if (context_sid) {
814 if (!fscontext_sid) {
815 rc = may_context_mount_sb_relabel(context_sid, sbsec,
816 cred);
817 if (rc)
818 goto out;
819 sbsec->sid = context_sid;
820 } else {
821 rc = may_context_mount_inode_relabel(context_sid, sbsec,
822 cred);
823 if (rc)
824 goto out;
825 }
826 if (!rootcontext_sid)
827 rootcontext_sid = context_sid;
828
829 sbsec->mntpoint_sid = context_sid;
830 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
831 }
832
833 if (rootcontext_sid) {
834 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
835 cred);
836 if (rc)
837 goto out;
838
839 root_isec->sid = rootcontext_sid;
840 root_isec->initialized = LABEL_INITIALIZED;
841 }
842
843 if (defcontext_sid) {
844 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
845 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
846 rc = -EINVAL;
847 pr_warn("SELinux: defcontext option is "
848 "invalid for this filesystem type\n");
849 goto out;
850 }
851
852 if (defcontext_sid != sbsec->def_sid) {
853 rc = may_context_mount_inode_relabel(defcontext_sid,
854 sbsec, cred);
855 if (rc)
856 goto out;
857 }
858
859 sbsec->def_sid = defcontext_sid;
860 }
861
862 out_set_opts:
863 rc = sb_finish_set_opts(sb);
864 out:
865 mutex_unlock(&sbsec->lock);
866 return rc;
867 out_double_mount:
868 rc = -EINVAL;
869 pr_warn("SELinux: mount invalid. Same superblock, different "
870 "security settings for (dev %s, type %s)\n", sb->s_id,
871 sb->s_type->name);
872 goto out;
873 }
874
875 static int selinux_cmp_sb_context(const struct super_block *oldsb,
876 const struct super_block *newsb)
877 {
878 struct superblock_security_struct *old = selinux_superblock(oldsb);
879 struct superblock_security_struct *new = selinux_superblock(newsb);
880 char oldflags = old->flags & SE_MNTMASK;
881 char newflags = new->flags & SE_MNTMASK;
882
883 if (oldflags != newflags)
884 goto mismatch;
885 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
886 goto mismatch;
887 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
888 goto mismatch;
889 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
890 goto mismatch;
891 if (oldflags & ROOTCONTEXT_MNT) {
892 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
893 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
894 if (oldroot->sid != newroot->sid)
895 goto mismatch;
896 }
897 return 0;
898 mismatch:
899 pr_warn("SELinux: mount invalid. Same superblock, "
900 "different security settings for (dev %s, "
901 "type %s)\n", newsb->s_id, newsb->s_type->name);
902 return -EBUSY;
903 }
904
905 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
906 struct super_block *newsb,
907 unsigned long kern_flags,
908 unsigned long *set_kern_flags)
909 {
910 int rc = 0;
911 const struct superblock_security_struct *oldsbsec =
912 selinux_superblock(oldsb);
913 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
914
915 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
916 int set_context = (oldsbsec->flags & CONTEXT_MNT);
917 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
918
919 /*
920 * if the parent was able to be mounted it clearly had no special lsm
921 * mount options. thus we can safely deal with this superblock later
922 */
923 if (!selinux_initialized(&selinux_state))
924 return 0;
925
926 /*
927 * Specifying internal flags without providing a place to
928 * place the results is not allowed.
929 */
930 if (kern_flags && !set_kern_flags)
931 return -EINVAL;
932
933 /* how can we clone if the old one wasn't set up?? */
934 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
935
936 /* if fs is reusing a sb, make sure that the contexts match */
937 if (newsbsec->flags & SE_SBINITIALIZED) {
938 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
939 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
940 return selinux_cmp_sb_context(oldsb, newsb);
941 }
942
943 mutex_lock(&newsbsec->lock);
944
945 newsbsec->flags = oldsbsec->flags;
946
947 newsbsec->sid = oldsbsec->sid;
948 newsbsec->def_sid = oldsbsec->def_sid;
949 newsbsec->behavior = oldsbsec->behavior;
950
951 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
952 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
953 rc = security_fs_use(&selinux_state, newsb);
954 if (rc)
955 goto out;
956 }
957
958 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
959 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
960 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
961 }
962
963 if (set_context) {
964 u32 sid = oldsbsec->mntpoint_sid;
965
966 if (!set_fscontext)
967 newsbsec->sid = sid;
968 if (!set_rootcontext) {
969 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
970 newisec->sid = sid;
971 }
972 newsbsec->mntpoint_sid = sid;
973 }
974 if (set_rootcontext) {
975 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
976 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
977
978 newisec->sid = oldisec->sid;
979 }
980
981 sb_finish_set_opts(newsb);
982 out:
983 mutex_unlock(&newsbsec->lock);
984 return rc;
985 }
986
987 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
988 {
989 struct selinux_mnt_opts *opts = *mnt_opts;
990 bool is_alloc_opts = false;
991
992 if (token == Opt_seclabel) /* eaten and completely ignored */
993 return 0;
994
995 if (!s)
996 return -ENOMEM;
997
998 if (!opts) {
999 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1000 if (!opts)
1001 return -ENOMEM;
1002 *mnt_opts = opts;
1003 is_alloc_opts = true;
1004 }
1005
1006 switch (token) {
1007 case Opt_context:
1008 if (opts->context || opts->defcontext)
1009 goto Einval;
1010 opts->context = s;
1011 if (selinux_initialized(&selinux_state))
1012 parse_sid(NULL, s, &opts->context_sid);
1013 break;
1014 case Opt_fscontext:
1015 if (opts->fscontext)
1016 goto Einval;
1017 opts->fscontext = s;
1018 if (selinux_initialized(&selinux_state))
1019 parse_sid(NULL, s, &opts->fscontext_sid);
1020 break;
1021 case Opt_rootcontext:
1022 if (opts->rootcontext)
1023 goto Einval;
1024 opts->rootcontext = s;
1025 if (selinux_initialized(&selinux_state))
1026 parse_sid(NULL, s, &opts->rootcontext_sid);
1027 break;
1028 case Opt_defcontext:
1029 if (opts->context || opts->defcontext)
1030 goto Einval;
1031 opts->defcontext = s;
1032 if (selinux_initialized(&selinux_state))
1033 parse_sid(NULL, s, &opts->defcontext_sid);
1034 break;
1035 }
1036 return 0;
1037 Einval:
1038 if (is_alloc_opts) {
1039 kfree(opts);
1040 *mnt_opts = NULL;
1041 }
1042 pr_warn(SEL_MOUNT_FAIL_MSG);
1043 return -EINVAL;
1044 }
1045
1046 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1047 void **mnt_opts)
1048 {
1049 int token = Opt_error;
1050 int rc, i;
1051
1052 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1053 if (strcmp(option, tokens[i].name) == 0) {
1054 token = tokens[i].opt;
1055 break;
1056 }
1057 }
1058
1059 if (token == Opt_error)
1060 return -EINVAL;
1061
1062 if (token != Opt_seclabel) {
1063 val = kmemdup_nul(val, len, GFP_KERNEL);
1064 if (!val) {
1065 rc = -ENOMEM;
1066 goto free_opt;
1067 }
1068 }
1069 rc = selinux_add_opt(token, val, mnt_opts);
1070 if (unlikely(rc)) {
1071 kfree(val);
1072 goto free_opt;
1073 }
1074 return rc;
1075
1076 free_opt:
1077 if (*mnt_opts) {
1078 selinux_free_mnt_opts(*mnt_opts);
1079 *mnt_opts = NULL;
1080 }
1081 return rc;
1082 }
1083
1084 static int show_sid(struct seq_file *m, u32 sid)
1085 {
1086 char *context = NULL;
1087 u32 len;
1088 int rc;
1089
1090 rc = security_sid_to_context(&selinux_state, sid,
1091 &context, &len);
1092 if (!rc) {
1093 bool has_comma = context && strchr(context, ',');
1094
1095 seq_putc(m, '=');
1096 if (has_comma)
1097 seq_putc(m, '\"');
1098 seq_escape(m, context, "\"\n\\");
1099 if (has_comma)
1100 seq_putc(m, '\"');
1101 }
1102 kfree(context);
1103 return rc;
1104 }
1105
1106 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1107 {
1108 struct superblock_security_struct *sbsec = selinux_superblock(sb);
1109 int rc;
1110
1111 if (!(sbsec->flags & SE_SBINITIALIZED))
1112 return 0;
1113
1114 if (!selinux_initialized(&selinux_state))
1115 return 0;
1116
1117 if (sbsec->flags & FSCONTEXT_MNT) {
1118 seq_putc(m, ',');
1119 seq_puts(m, FSCONTEXT_STR);
1120 rc = show_sid(m, sbsec->sid);
1121 if (rc)
1122 return rc;
1123 }
1124 if (sbsec->flags & CONTEXT_MNT) {
1125 seq_putc(m, ',');
1126 seq_puts(m, CONTEXT_STR);
1127 rc = show_sid(m, sbsec->mntpoint_sid);
1128 if (rc)
1129 return rc;
1130 }
1131 if (sbsec->flags & DEFCONTEXT_MNT) {
1132 seq_putc(m, ',');
1133 seq_puts(m, DEFCONTEXT_STR);
1134 rc = show_sid(m, sbsec->def_sid);
1135 if (rc)
1136 return rc;
1137 }
1138 if (sbsec->flags & ROOTCONTEXT_MNT) {
1139 struct dentry *root = sb->s_root;
1140 struct inode_security_struct *isec = backing_inode_security(root);
1141 seq_putc(m, ',');
1142 seq_puts(m, ROOTCONTEXT_STR);
1143 rc = show_sid(m, isec->sid);
1144 if (rc)
1145 return rc;
1146 }
1147 if (sbsec->flags & SBLABEL_MNT) {
1148 seq_putc(m, ',');
1149 seq_puts(m, SECLABEL_STR);
1150 }
1151 return 0;
1152 }
1153
1154 static inline u16 inode_mode_to_security_class(umode_t mode)
1155 {
1156 switch (mode & S_IFMT) {
1157 case S_IFSOCK:
1158 return SECCLASS_SOCK_FILE;
1159 case S_IFLNK:
1160 return SECCLASS_LNK_FILE;
1161 case S_IFREG:
1162 return SECCLASS_FILE;
1163 case S_IFBLK:
1164 return SECCLASS_BLK_FILE;
1165 case S_IFDIR:
1166 return SECCLASS_DIR;
1167 case S_IFCHR:
1168 return SECCLASS_CHR_FILE;
1169 case S_IFIFO:
1170 return SECCLASS_FIFO_FILE;
1171
1172 }
1173
1174 return SECCLASS_FILE;
1175 }
1176
1177 static inline int default_protocol_stream(int protocol)
1178 {
1179 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1180 protocol == IPPROTO_MPTCP);
1181 }
1182
1183 static inline int default_protocol_dgram(int protocol)
1184 {
1185 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1186 }
1187
1188 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1189 {
1190 int extsockclass = selinux_policycap_extsockclass();
1191
1192 switch (family) {
1193 case PF_UNIX:
1194 switch (type) {
1195 case SOCK_STREAM:
1196 case SOCK_SEQPACKET:
1197 return SECCLASS_UNIX_STREAM_SOCKET;
1198 case SOCK_DGRAM:
1199 case SOCK_RAW:
1200 return SECCLASS_UNIX_DGRAM_SOCKET;
1201 }
1202 break;
1203 case PF_INET:
1204 case PF_INET6:
1205 switch (type) {
1206 case SOCK_STREAM:
1207 case SOCK_SEQPACKET:
1208 if (default_protocol_stream(protocol))
1209 return SECCLASS_TCP_SOCKET;
1210 else if (extsockclass && protocol == IPPROTO_SCTP)
1211 return SECCLASS_SCTP_SOCKET;
1212 else
1213 return SECCLASS_RAWIP_SOCKET;
1214 case SOCK_DGRAM:
1215 if (default_protocol_dgram(protocol))
1216 return SECCLASS_UDP_SOCKET;
1217 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1218 protocol == IPPROTO_ICMPV6))
1219 return SECCLASS_ICMP_SOCKET;
1220 else
1221 return SECCLASS_RAWIP_SOCKET;
1222 case SOCK_DCCP:
1223 return SECCLASS_DCCP_SOCKET;
1224 default:
1225 return SECCLASS_RAWIP_SOCKET;
1226 }
1227 break;
1228 case PF_NETLINK:
1229 switch (protocol) {
1230 case NETLINK_ROUTE:
1231 return SECCLASS_NETLINK_ROUTE_SOCKET;
1232 case NETLINK_SOCK_DIAG:
1233 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1234 case NETLINK_NFLOG:
1235 return SECCLASS_NETLINK_NFLOG_SOCKET;
1236 case NETLINK_XFRM:
1237 return SECCLASS_NETLINK_XFRM_SOCKET;
1238 case NETLINK_SELINUX:
1239 return SECCLASS_NETLINK_SELINUX_SOCKET;
1240 case NETLINK_ISCSI:
1241 return SECCLASS_NETLINK_ISCSI_SOCKET;
1242 case NETLINK_AUDIT:
1243 return SECCLASS_NETLINK_AUDIT_SOCKET;
1244 case NETLINK_FIB_LOOKUP:
1245 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1246 case NETLINK_CONNECTOR:
1247 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1248 case NETLINK_NETFILTER:
1249 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1250 case NETLINK_DNRTMSG:
1251 return SECCLASS_NETLINK_DNRT_SOCKET;
1252 case NETLINK_KOBJECT_UEVENT:
1253 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1254 case NETLINK_GENERIC:
1255 return SECCLASS_NETLINK_GENERIC_SOCKET;
1256 case NETLINK_SCSITRANSPORT:
1257 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1258 case NETLINK_RDMA:
1259 return SECCLASS_NETLINK_RDMA_SOCKET;
1260 case NETLINK_CRYPTO:
1261 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1262 default:
1263 return SECCLASS_NETLINK_SOCKET;
1264 }
1265 case PF_PACKET:
1266 return SECCLASS_PACKET_SOCKET;
1267 case PF_KEY:
1268 return SECCLASS_KEY_SOCKET;
1269 case PF_APPLETALK:
1270 return SECCLASS_APPLETALK_SOCKET;
1271 }
1272
1273 if (extsockclass) {
1274 switch (family) {
1275 case PF_AX25:
1276 return SECCLASS_AX25_SOCKET;
1277 case PF_IPX:
1278 return SECCLASS_IPX_SOCKET;
1279 case PF_NETROM:
1280 return SECCLASS_NETROM_SOCKET;
1281 case PF_ATMPVC:
1282 return SECCLASS_ATMPVC_SOCKET;
1283 case PF_X25:
1284 return SECCLASS_X25_SOCKET;
1285 case PF_ROSE:
1286 return SECCLASS_ROSE_SOCKET;
1287 case PF_DECnet:
1288 return SECCLASS_DECNET_SOCKET;
1289 case PF_ATMSVC:
1290 return SECCLASS_ATMSVC_SOCKET;
1291 case PF_RDS:
1292 return SECCLASS_RDS_SOCKET;
1293 case PF_IRDA:
1294 return SECCLASS_IRDA_SOCKET;
1295 case PF_PPPOX:
1296 return SECCLASS_PPPOX_SOCKET;
1297 case PF_LLC:
1298 return SECCLASS_LLC_SOCKET;
1299 case PF_CAN:
1300 return SECCLASS_CAN_SOCKET;
1301 case PF_TIPC:
1302 return SECCLASS_TIPC_SOCKET;
1303 case PF_BLUETOOTH:
1304 return SECCLASS_BLUETOOTH_SOCKET;
1305 case PF_IUCV:
1306 return SECCLASS_IUCV_SOCKET;
1307 case PF_RXRPC:
1308 return SECCLASS_RXRPC_SOCKET;
1309 case PF_ISDN:
1310 return SECCLASS_ISDN_SOCKET;
1311 case PF_PHONET:
1312 return SECCLASS_PHONET_SOCKET;
1313 case PF_IEEE802154:
1314 return SECCLASS_IEEE802154_SOCKET;
1315 case PF_CAIF:
1316 return SECCLASS_CAIF_SOCKET;
1317 case PF_ALG:
1318 return SECCLASS_ALG_SOCKET;
1319 case PF_NFC:
1320 return SECCLASS_NFC_SOCKET;
1321 case PF_VSOCK:
1322 return SECCLASS_VSOCK_SOCKET;
1323 case PF_KCM:
1324 return SECCLASS_KCM_SOCKET;
1325 case PF_QIPCRTR:
1326 return SECCLASS_QIPCRTR_SOCKET;
1327 case PF_SMC:
1328 return SECCLASS_SMC_SOCKET;
1329 case PF_XDP:
1330 return SECCLASS_XDP_SOCKET;
1331 case PF_MCTP:
1332 return SECCLASS_MCTP_SOCKET;
1333 #if PF_MAX > 46
1334 #error New address family defined, please update this function.
1335 #endif
1336 }
1337 }
1338
1339 return SECCLASS_SOCKET;
1340 }
1341
1342 static int selinux_genfs_get_sid(struct dentry *dentry,
1343 u16 tclass,
1344 u16 flags,
1345 u32 *sid)
1346 {
1347 int rc;
1348 struct super_block *sb = dentry->d_sb;
1349 char *buffer, *path;
1350
1351 buffer = (char *)__get_free_page(GFP_KERNEL);
1352 if (!buffer)
1353 return -ENOMEM;
1354
1355 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1356 if (IS_ERR(path))
1357 rc = PTR_ERR(path);
1358 else {
1359 if (flags & SE_SBPROC) {
1360 /* each process gets a /proc/PID/ entry. Strip off the
1361 * PID part to get a valid selinux labeling.
1362 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1363 while (path[1] >= '' && path[1] <= '9') {
1364 path[1] = '/';
1365 path++;
1366 }
1367 }
1368 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1369 path, tclass, sid);
1370 if (rc == -ENOENT) {
1371 /* No match in policy, mark as unlabeled. */
1372 *sid = SECINITSID_UNLABELED;
1373 rc = 0;
1374 }
1375 }
1376 free_page((unsigned long)buffer);
1377 return rc;
1378 }
1379
1380 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1381 u32 def_sid, u32 *sid)
1382 {
1383 #define INITCONTEXTLEN 255
1384 char *context;
1385 unsigned int len;
1386 int rc;
1387
1388 len = INITCONTEXTLEN;
1389 context = kmalloc(len + 1, GFP_NOFS);
1390 if (!context)
1391 return -ENOMEM;
1392
1393 context[len] = '\0';
1394 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1395 if (rc == -ERANGE) {
1396 kfree(context);
1397
1398 /* Need a larger buffer. Query for the right size. */
1399 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1400 if (rc < 0)
1401 return rc;
1402
1403 len = rc;
1404 context = kmalloc(len + 1, GFP_NOFS);
1405 if (!context)
1406 return -ENOMEM;
1407
1408 context[len] = '\0';
1409 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1410 context, len);
1411 }
1412 if (rc < 0) {
1413 kfree(context);
1414 if (rc != -ENODATA) {
1415 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1416 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1417 return rc;
1418 }
1419 *sid = def_sid;
1420 return 0;
1421 }
1422
1423 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1424 def_sid, GFP_NOFS);
1425 if (rc) {
1426 char *dev = inode->i_sb->s_id;
1427 unsigned long ino = inode->i_ino;
1428
1429 if (rc == -EINVAL) {
1430 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1431 ino, dev, context);
1432 } else {
1433 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1434 __func__, context, -rc, dev, ino);
1435 }
1436 }
1437 kfree(context);
1438 return 0;
1439 }
1440
1441 /* The inode's security attributes must be initialized before first use. */
1442 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1443 {
1444 struct superblock_security_struct *sbsec = NULL;
1445 struct inode_security_struct *isec = selinux_inode(inode);
1446 u32 task_sid, sid = 0;
1447 u16 sclass;
1448 struct dentry *dentry;
1449 int rc = 0;
1450
1451 if (isec->initialized == LABEL_INITIALIZED)
1452 return 0;
1453
1454 spin_lock(&isec->lock);
1455 if (isec->initialized == LABEL_INITIALIZED)
1456 goto out_unlock;
1457
1458 if (isec->sclass == SECCLASS_FILE)
1459 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1460
1461 sbsec = selinux_superblock(inode->i_sb);
1462 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1463 /* Defer initialization until selinux_complete_init,
1464 after the initial policy is loaded and the security
1465 server is ready to handle calls. */
1466 spin_lock(&sbsec->isec_lock);
1467 if (list_empty(&isec->list))
1468 list_add(&isec->list, &sbsec->isec_head);
1469 spin_unlock(&sbsec->isec_lock);
1470 goto out_unlock;
1471 }
1472
1473 sclass = isec->sclass;
1474 task_sid = isec->task_sid;
1475 sid = isec->sid;
1476 isec->initialized = LABEL_PENDING;
1477 spin_unlock(&isec->lock);
1478
1479 switch (sbsec->behavior) {
1480 case SECURITY_FS_USE_NATIVE:
1481 break;
1482 case SECURITY_FS_USE_XATTR:
1483 if (!(inode->i_opflags & IOP_XATTR)) {
1484 sid = sbsec->def_sid;
1485 break;
1486 }
1487 /* Need a dentry, since the xattr API requires one.
1488 Life would be simpler if we could just pass the inode. */
1489 if (opt_dentry) {
1490 /* Called from d_instantiate or d_splice_alias. */
1491 dentry = dget(opt_dentry);
1492 } else {
1493 /*
1494 * Called from selinux_complete_init, try to find a dentry.
1495 * Some filesystems really want a connected one, so try
1496 * that first. We could split SECURITY_FS_USE_XATTR in
1497 * two, depending upon that...
1498 */
1499 dentry = d_find_alias(inode);
1500 if (!dentry)
1501 dentry = d_find_any_alias(inode);
1502 }
1503 if (!dentry) {
1504 /*
1505 * this is can be hit on boot when a file is accessed
1506 * before the policy is loaded. When we load policy we
1507 * may find inodes that have no dentry on the
1508 * sbsec->isec_head list. No reason to complain as these
1509 * will get fixed up the next time we go through
1510 * inode_doinit with a dentry, before these inodes could
1511 * be used again by userspace.
1512 */
1513 goto out_invalid;
1514 }
1515
1516 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1517 &sid);
1518 dput(dentry);
1519 if (rc)
1520 goto out;
1521 break;
1522 case SECURITY_FS_USE_TASK:
1523 sid = task_sid;
1524 break;
1525 case SECURITY_FS_USE_TRANS:
1526 /* Default to the fs SID. */
1527 sid = sbsec->sid;
1528
1529 /* Try to obtain a transition SID. */
1530 rc = security_transition_sid(&selinux_state, task_sid, sid,
1531 sclass, NULL, &sid);
1532 if (rc)
1533 goto out;
1534 break;
1535 case SECURITY_FS_USE_MNTPOINT:
1536 sid = sbsec->mntpoint_sid;
1537 break;
1538 default:
1539 /* Default to the fs superblock SID. */
1540 sid = sbsec->sid;
1541
1542 if ((sbsec->flags & SE_SBGENFS) &&
1543 (!S_ISLNK(inode->i_mode) ||
1544 selinux_policycap_genfs_seclabel_symlinks())) {
1545 /* We must have a dentry to determine the label on
1546 * procfs inodes */
1547 if (opt_dentry) {
1548 /* Called from d_instantiate or
1549 * d_splice_alias. */
1550 dentry = dget(opt_dentry);
1551 } else {
1552 /* Called from selinux_complete_init, try to
1553 * find a dentry. Some filesystems really want
1554 * a connected one, so try that first.
1555 */
1556 dentry = d_find_alias(inode);
1557 if (!dentry)
1558 dentry = d_find_any_alias(inode);
1559 }
1560 /*
1561 * This can be hit on boot when a file is accessed
1562 * before the policy is loaded. When we load policy we
1563 * may find inodes that have no dentry on the
1564 * sbsec->isec_head list. No reason to complain as
1565 * these will get fixed up the next time we go through
1566 * inode_doinit() with a dentry, before these inodes
1567 * could be used again by userspace.
1568 */
1569 if (!dentry)
1570 goto out_invalid;
1571 rc = selinux_genfs_get_sid(dentry, sclass,
1572 sbsec->flags, &sid);
1573 if (rc) {
1574 dput(dentry);
1575 goto out;
1576 }
1577
1578 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1579 (inode->i_opflags & IOP_XATTR)) {
1580 rc = inode_doinit_use_xattr(inode, dentry,
1581 sid, &sid);
1582 if (rc) {
1583 dput(dentry);
1584 goto out;
1585 }
1586 }
1587 dput(dentry);
1588 }
1589 break;
1590 }
1591
1592 out:
1593 spin_lock(&isec->lock);
1594 if (isec->initialized == LABEL_PENDING) {
1595 if (rc) {
1596 isec->initialized = LABEL_INVALID;
1597 goto out_unlock;
1598 }
1599 isec->initialized = LABEL_INITIALIZED;
1600 isec->sid = sid;
1601 }
1602
1603 out_unlock:
1604 spin_unlock(&isec->lock);
1605 return rc;
1606
1607 out_invalid:
1608 spin_lock(&isec->lock);
1609 if (isec->initialized == LABEL_PENDING) {
1610 isec->initialized = LABEL_INVALID;
1611 isec->sid = sid;
1612 }
1613 spin_unlock(&isec->lock);
1614 return 0;
1615 }
1616
1617 /* Convert a Linux signal to an access vector. */
1618 static inline u32 signal_to_av(int sig)
1619 {
1620 u32 perm = 0;
1621
1622 switch (sig) {
1623 case SIGCHLD:
1624 /* Commonly granted from child to parent. */
1625 perm = PROCESS__SIGCHLD;
1626 break;
1627 case SIGKILL:
1628 /* Cannot be caught or ignored */
1629 perm = PROCESS__SIGKILL;
1630 break;
1631 case SIGSTOP:
1632 /* Cannot be caught or ignored */
1633 perm = PROCESS__SIGSTOP;
1634 break;
1635 default:
1636 /* All other signals. */
1637 perm = PROCESS__SIGNAL;
1638 break;
1639 }
1640
1641 return perm;
1642 }
1643
1644 #if CAP_LAST_CAP > 63
1645 #error Fix SELinux to handle capabilities > 63.
1646 #endif
1647
1648 /* Check whether a task is allowed to use a capability. */
1649 static int cred_has_capability(const struct cred *cred,
1650 int cap, unsigned int opts, bool initns)
1651 {
1652 struct common_audit_data ad;
1653 struct av_decision avd;
1654 u16 sclass;
1655 u32 sid = cred_sid(cred);
1656 u32 av = CAP_TO_MASK(cap);
1657 int rc;
1658
1659 ad.type = LSM_AUDIT_DATA_CAP;
1660 ad.u.cap = cap;
1661
1662 switch (CAP_TO_INDEX(cap)) {
1663 case 0:
1664 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1665 break;
1666 case 1:
1667 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1668 break;
1669 default:
1670 pr_err("SELinux: out of range capability %d\n", cap);
1671 BUG();
1672 return -EINVAL;
1673 }
1674
1675 rc = avc_has_perm_noaudit(&selinux_state,
1676 sid, sid, sclass, av, 0, &avd);
1677 if (!(opts & CAP_OPT_NOAUDIT)) {
1678 int rc2 = avc_audit(&selinux_state,
1679 sid, sid, sclass, av, &avd, rc, &ad);
1680 if (rc2)
1681 return rc2;
1682 }
1683 return rc;
1684 }
1685
1686 /* Check whether a task has a particular permission to an inode.
1687 The 'adp' parameter is optional and allows other audit
1688 data to be passed (e.g. the dentry). */
1689 static int inode_has_perm(const struct cred *cred,
1690 struct inode *inode,
1691 u32 perms,
1692 struct common_audit_data *adp)
1693 {
1694 struct inode_security_struct *isec;
1695 u32 sid;
1696
1697 validate_creds(cred);
1698
1699 if (unlikely(IS_PRIVATE(inode)))
1700 return 0;
1701
1702 sid = cred_sid(cred);
1703 isec = selinux_inode(inode);
1704
1705 return avc_has_perm(&selinux_state,
1706 sid, isec->sid, isec->sclass, perms, adp);
1707 }
1708
1709 /* Same as inode_has_perm, but pass explicit audit data containing
1710 the dentry to help the auditing code to more easily generate the
1711 pathname if needed. */
1712 static inline int dentry_has_perm(const struct cred *cred,
1713 struct dentry *dentry,
1714 u32 av)
1715 {
1716 struct inode *inode = d_backing_inode(dentry);
1717 struct common_audit_data ad;
1718
1719 ad.type = LSM_AUDIT_DATA_DENTRY;
1720 ad.u.dentry = dentry;
1721 __inode_security_revalidate(inode, dentry, true);
1722 return inode_has_perm(cred, inode, av, &ad);
1723 }
1724
1725 /* Same as inode_has_perm, but pass explicit audit data containing
1726 the path to help the auditing code to more easily generate the
1727 pathname if needed. */
1728 static inline int path_has_perm(const struct cred *cred,
1729 const struct path *path,
1730 u32 av)
1731 {
1732 struct inode *inode = d_backing_inode(path->dentry);
1733 struct common_audit_data ad;
1734
1735 ad.type = LSM_AUDIT_DATA_PATH;
1736 ad.u.path = *path;
1737 __inode_security_revalidate(inode, path->dentry, true);
1738 return inode_has_perm(cred, inode, av, &ad);
1739 }
1740
1741 /* Same as path_has_perm, but uses the inode from the file struct. */
1742 static inline int file_path_has_perm(const struct cred *cred,
1743 struct file *file,
1744 u32 av)
1745 {
1746 struct common_audit_data ad;
1747
1748 ad.type = LSM_AUDIT_DATA_FILE;
1749 ad.u.file = file;
1750 return inode_has_perm(cred, file_inode(file), av, &ad);
1751 }
1752
1753 #ifdef CONFIG_BPF_SYSCALL
1754 static int bpf_fd_pass(struct file *file, u32 sid);
1755 #endif
1756
1757 /* Check whether a task can use an open file descriptor to
1758 access an inode in a given way. Check access to the
1759 descriptor itself, and then use dentry_has_perm to
1760 check a particular permission to the file.
1761 Access to the descriptor is implicitly granted if it
1762 has the same SID as the process. If av is zero, then
1763 access to the file is not checked, e.g. for cases
1764 where only the descriptor is affected like seek. */
1765 static int file_has_perm(const struct cred *cred,
1766 struct file *file,
1767 u32 av)
1768 {
1769 struct file_security_struct *fsec = selinux_file(file);
1770 struct inode *inode = file_inode(file);
1771 struct common_audit_data ad;
1772 u32 sid = cred_sid(cred);
1773 int rc;
1774
1775 ad.type = LSM_AUDIT_DATA_FILE;
1776 ad.u.file = file;
1777
1778 if (sid != fsec->sid) {
1779 rc = avc_has_perm(&selinux_state,
1780 sid, fsec->sid,
1781 SECCLASS_FD,
1782 FD__USE,
1783 &ad);
1784 if (rc)
1785 goto out;
1786 }
1787
1788 #ifdef CONFIG_BPF_SYSCALL
1789 rc = bpf_fd_pass(file, cred_sid(cred));
1790 if (rc)
1791 return rc;
1792 #endif
1793
1794 /* av is zero if only checking access to the descriptor. */
1795 rc = 0;
1796 if (av)
1797 rc = inode_has_perm(cred, inode, av, &ad);
1798
1799 out:
1800 return rc;
1801 }
1802
1803 /*
1804 * Determine the label for an inode that might be unioned.
1805 */
1806 static int
1807 selinux_determine_inode_label(const struct task_security_struct *tsec,
1808 struct inode *dir,
1809 const struct qstr *name, u16 tclass,
1810 u32 *_new_isid)
1811 {
1812 const struct superblock_security_struct *sbsec =
1813 selinux_superblock(dir->i_sb);
1814
1815 if ((sbsec->flags & SE_SBINITIALIZED) &&
1816 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1817 *_new_isid = sbsec->mntpoint_sid;
1818 } else if ((sbsec->flags & SBLABEL_MNT) &&
1819 tsec->create_sid) {
1820 *_new_isid = tsec->create_sid;
1821 } else {
1822 const struct inode_security_struct *dsec = inode_security(dir);
1823 return security_transition_sid(&selinux_state, tsec->sid,
1824 dsec->sid, tclass,
1825 name, _new_isid);
1826 }
1827
1828 return 0;
1829 }
1830
1831 /* Check whether a task can create a file. */
1832 static int may_create(struct inode *dir,
1833 struct dentry *dentry,
1834 u16 tclass)
1835 {
1836 const struct task_security_struct *tsec = selinux_cred(current_cred());
1837 struct inode_security_struct *dsec;
1838 struct superblock_security_struct *sbsec;
1839 u32 sid, newsid;
1840 struct common_audit_data ad;
1841 int rc;
1842
1843 dsec = inode_security(dir);
1844 sbsec = selinux_superblock(dir->i_sb);
1845
1846 sid = tsec->sid;
1847
1848 ad.type = LSM_AUDIT_DATA_DENTRY;
1849 ad.u.dentry = dentry;
1850
1851 rc = avc_has_perm(&selinux_state,
1852 sid, dsec->sid, SECCLASS_DIR,
1853 DIR__ADD_NAME | DIR__SEARCH,
1854 &ad);
1855 if (rc)
1856 return rc;
1857
1858 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1859 &newsid);
1860 if (rc)
1861 return rc;
1862
1863 rc = avc_has_perm(&selinux_state,
1864 sid, newsid, tclass, FILE__CREATE, &ad);
1865 if (rc)
1866 return rc;
1867
1868 return avc_has_perm(&selinux_state,
1869 newsid, sbsec->sid,
1870 SECCLASS_FILESYSTEM,
1871 FILESYSTEM__ASSOCIATE, &ad);
1872 }
1873
1874 #define MAY_LINK 0
1875 #define MAY_UNLINK 1
1876 #define MAY_RMDIR 2
1877
1878 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1879 static int may_link(struct inode *dir,
1880 struct dentry *dentry,
1881 int kind)
1882
1883 {
1884 struct inode_security_struct *dsec, *isec;
1885 struct common_audit_data ad;
1886 u32 sid = current_sid();
1887 u32 av;
1888 int rc;
1889
1890 dsec = inode_security(dir);
1891 isec = backing_inode_security(dentry);
1892
1893 ad.type = LSM_AUDIT_DATA_DENTRY;
1894 ad.u.dentry = dentry;
1895
1896 av = DIR__SEARCH;
1897 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1898 rc = avc_has_perm(&selinux_state,
1899 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1900 if (rc)
1901 return rc;
1902
1903 switch (kind) {
1904 case MAY_LINK:
1905 av = FILE__LINK;
1906 break;
1907 case MAY_UNLINK:
1908 av = FILE__UNLINK;
1909 break;
1910 case MAY_RMDIR:
1911 av = DIR__RMDIR;
1912 break;
1913 default:
1914 pr_warn("SELinux: %s: unrecognized kind %d\n",
1915 __func__, kind);
1916 return 0;
1917 }
1918
1919 rc = avc_has_perm(&selinux_state,
1920 sid, isec->sid, isec->sclass, av, &ad);
1921 return rc;
1922 }
1923
1924 static inline int may_rename(struct inode *old_dir,
1925 struct dentry *old_dentry,
1926 struct inode *new_dir,
1927 struct dentry *new_dentry)
1928 {
1929 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1930 struct common_audit_data ad;
1931 u32 sid = current_sid();
1932 u32 av;
1933 int old_is_dir, new_is_dir;
1934 int rc;
1935
1936 old_dsec = inode_security(old_dir);
1937 old_isec = backing_inode_security(old_dentry);
1938 old_is_dir = d_is_dir(old_dentry);
1939 new_dsec = inode_security(new_dir);
1940
1941 ad.type = LSM_AUDIT_DATA_DENTRY;
1942
1943 ad.u.dentry = old_dentry;
1944 rc = avc_has_perm(&selinux_state,
1945 sid, old_dsec->sid, SECCLASS_DIR,
1946 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1947 if (rc)
1948 return rc;
1949 rc = avc_has_perm(&selinux_state,
1950 sid, old_isec->sid,
1951 old_isec->sclass, FILE__RENAME, &ad);
1952 if (rc)
1953 return rc;
1954 if (old_is_dir && new_dir != old_dir) {
1955 rc = avc_has_perm(&selinux_state,
1956 sid, old_isec->sid,
1957 old_isec->sclass, DIR__REPARENT, &ad);
1958 if (rc)
1959 return rc;
1960 }
1961
1962 ad.u.dentry = new_dentry;
1963 av = DIR__ADD_NAME | DIR__SEARCH;
1964 if (d_is_positive(new_dentry))
1965 av |= DIR__REMOVE_NAME;
1966 rc = avc_has_perm(&selinux_state,
1967 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1968 if (rc)
1969 return rc;
1970 if (d_is_positive(new_dentry)) {
1971 new_isec = backing_inode_security(new_dentry);
1972 new_is_dir = d_is_dir(new_dentry);
1973 rc = avc_has_perm(&selinux_state,
1974 sid, new_isec->sid,
1975 new_isec->sclass,
1976 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1977 if (rc)
1978 return rc;
1979 }
1980
1981 return 0;
1982 }
1983
1984 /* Check whether a task can perform a filesystem operation. */
1985 static int superblock_has_perm(const struct cred *cred,
1986 struct super_block *sb,
1987 u32 perms,
1988 struct common_audit_data *ad)
1989 {
1990 struct superblock_security_struct *sbsec;
1991 u32 sid = cred_sid(cred);
1992
1993 sbsec = selinux_superblock(sb);
1994 return avc_has_perm(&selinux_state,
1995 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1996 }
1997
1998 /* Convert a Linux mode and permission mask to an access vector. */
1999 static inline u32 file_mask_to_av(int mode, int mask)
2000 {
2001 u32 av = 0;
2002
2003 if (!S_ISDIR(mode)) {
2004 if (mask & MAY_EXEC)
2005 av |= FILE__EXECUTE;
2006 if (mask & MAY_READ)
2007 av |= FILE__READ;
2008
2009 if (mask & MAY_APPEND)
2010 av |= FILE__APPEND;
2011 else if (mask & MAY_WRITE)
2012 av |= FILE__WRITE;
2013
2014 } else {
2015 if (mask & MAY_EXEC)
2016 av |= DIR__SEARCH;
2017 if (mask & MAY_WRITE)
2018 av |= DIR__WRITE;
2019 if (mask & MAY_READ)
2020 av |= DIR__READ;
2021 }
2022
2023 return av;
2024 }
2025
2026 /* Convert a Linux file to an access vector. */
2027 static inline u32 file_to_av(struct file *file)
2028 {
2029 u32 av = 0;
2030
2031 if (file->f_mode & FMODE_READ)
2032 av |= FILE__READ;
2033 if (file->f_mode & FMODE_WRITE) {
2034 if (file->f_flags & O_APPEND)
2035 av |= FILE__APPEND;
2036 else
2037 av |= FILE__WRITE;
2038 }
2039 if (!av) {
2040 /*
2041 * Special file opened with flags 3 for ioctl-only use.
2042 */
2043 av = FILE__IOCTL;
2044 }
2045
2046 return av;
2047 }
2048
2049 /*
2050 * Convert a file to an access vector and include the correct
2051 * open permission.
2052 */
2053 static inline u32 open_file_to_av(struct file *file)
2054 {
2055 u32 av = file_to_av(file);
2056 struct inode *inode = file_inode(file);
2057
2058 if (selinux_policycap_openperm() &&
2059 inode->i_sb->s_magic != SOCKFS_MAGIC)
2060 av |= FILE__OPEN;
2061
2062 return av;
2063 }
2064
2065 /* Hook functions begin here. */
2066
2067 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2068 {
2069 return avc_has_perm(&selinux_state,
2070 current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2071 BINDER__SET_CONTEXT_MGR, NULL);
2072 }
2073
2074 static int selinux_binder_transaction(const struct cred *from,
2075 const struct cred *to)
2076 {
2077 u32 mysid = current_sid();
2078 u32 fromsid = cred_sid(from);
2079 u32 tosid = cred_sid(to);
2080 int rc;
2081
2082 if (mysid != fromsid) {
2083 rc = avc_has_perm(&selinux_state,
2084 mysid, fromsid, SECCLASS_BINDER,
2085 BINDER__IMPERSONATE, NULL);
2086 if (rc)
2087 return rc;
2088 }
2089
2090 return avc_has_perm(&selinux_state, fromsid, tosid,
2091 SECCLASS_BINDER, BINDER__CALL, NULL);
2092 }
2093
2094 static int selinux_binder_transfer_binder(const struct cred *from,
2095 const struct cred *to)
2096 {
2097 return avc_has_perm(&selinux_state,
2098 cred_sid(from), cred_sid(to),
2099 SECCLASS_BINDER, BINDER__TRANSFER,
2100 NULL);
2101 }
2102
2103 static int selinux_binder_transfer_file(const struct cred *from,
2104 const struct cred *to,
2105 struct file *file)
2106 {
2107 u32 sid = cred_sid(to);
2108 struct file_security_struct *fsec = selinux_file(file);
2109 struct dentry *dentry = file->f_path.dentry;
2110 struct inode_security_struct *isec;
2111 struct common_audit_data ad;
2112 int rc;
2113
2114 ad.type = LSM_AUDIT_DATA_PATH;
2115 ad.u.path = file->f_path;
2116
2117 if (sid != fsec->sid) {
2118 rc = avc_has_perm(&selinux_state,
2119 sid, fsec->sid,
2120 SECCLASS_FD,
2121 FD__USE,
2122 &ad);
2123 if (rc)
2124 return rc;
2125 }
2126
2127 #ifdef CONFIG_BPF_SYSCALL
2128 rc = bpf_fd_pass(file, sid);
2129 if (rc)
2130 return rc;
2131 #endif
2132
2133 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2134 return 0;
2135
2136 isec = backing_inode_security(dentry);
2137 return avc_has_perm(&selinux_state,
2138 sid, isec->sid, isec->sclass, file_to_av(file),
2139 &ad);
2140 }
2141
2142 static int selinux_ptrace_access_check(struct task_struct *child,
2143 unsigned int mode)
2144 {
2145 u32 sid = current_sid();
2146 u32 csid = task_sid_obj(child);
2147
2148 if (mode & PTRACE_MODE_READ)
2149 return avc_has_perm(&selinux_state,
2150 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2151
2152 return avc_has_perm(&selinux_state,
2153 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2154 }
2155
2156 static int selinux_ptrace_traceme(struct task_struct *parent)
2157 {
2158 return avc_has_perm(&selinux_state,
2159 task_sid_obj(parent), task_sid_obj(current),
2160 SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2161 }
2162
2163 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2164 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2165 {
2166 return avc_has_perm(&selinux_state,
2167 current_sid(), task_sid_obj(target), SECCLASS_PROCESS,
2168 PROCESS__GETCAP, NULL);
2169 }
2170
2171 static int selinux_capset(struct cred *new, const struct cred *old,
2172 const kernel_cap_t *effective,
2173 const kernel_cap_t *inheritable,
2174 const kernel_cap_t *permitted)
2175 {
2176 return avc_has_perm(&selinux_state,
2177 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2178 PROCESS__SETCAP, NULL);
2179 }
2180
2181 /*
2182 * (This comment used to live with the selinux_task_setuid hook,
2183 * which was removed).
2184 *
2185 * Since setuid only affects the current process, and since the SELinux
2186 * controls are not based on the Linux identity attributes, SELinux does not
2187 * need to control this operation. However, SELinux does control the use of
2188 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2189 */
2190
2191 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2192 int cap, unsigned int opts)
2193 {
2194 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2195 }
2196
2197 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2198 {
2199 const struct cred *cred = current_cred();
2200 int rc = 0;
2201
2202 if (!sb)
2203 return 0;
2204
2205 switch (cmds) {
2206 case Q_SYNC:
2207 case Q_QUOTAON:
2208 case Q_QUOTAOFF:
2209 case Q_SETINFO:
2210 case Q_SETQUOTA:
2211 case Q_XQUOTAOFF:
2212 case Q_XQUOTAON:
2213 case Q_XSETQLIM:
2214 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2215 break;
2216 case Q_GETFMT:
2217 case Q_GETINFO:
2218 case Q_GETQUOTA:
2219 case Q_XGETQUOTA:
2220 case Q_XGETQSTAT:
2221 case Q_XGETQSTATV:
2222 case Q_XGETNEXTQUOTA:
2223 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2224 break;
2225 default:
2226 rc = 0; /* let the kernel handle invalid cmds */
2227 break;
2228 }
2229 return rc;
2230 }
2231
2232 static int selinux_quota_on(struct dentry *dentry)
2233 {
2234 const struct cred *cred = current_cred();
2235
2236 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2237 }
2238
2239 static int selinux_syslog(int type)
2240 {
2241 switch (type) {
2242 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2243 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2244 return avc_has_perm(&selinux_state,
2245 current_sid(), SECINITSID_KERNEL,
2246 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2247 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2248 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2249 /* Set level of messages printed to console */
2250 case SYSLOG_ACTION_CONSOLE_LEVEL:
2251 return avc_has_perm(&selinux_state,
2252 current_sid(), SECINITSID_KERNEL,
2253 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2254 NULL);
2255 }
2256 /* All other syslog types */
2257 return avc_has_perm(&selinux_state,
2258 current_sid(), SECINITSID_KERNEL,
2259 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2260 }
2261
2262 /*
2263 * Check that a process has enough memory to allocate a new virtual
2264 * mapping. 0 means there is enough memory for the allocation to
2265 * succeed and -ENOMEM implies there is not.
2266 *
2267 * Do not audit the selinux permission check, as this is applied to all
2268 * processes that allocate mappings.
2269 */
2270 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2271 {
2272 int rc, cap_sys_admin = 0;
2273
2274 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2275 CAP_OPT_NOAUDIT, true);
2276 if (rc == 0)
2277 cap_sys_admin = 1;
2278
2279 return cap_sys_admin;
2280 }
2281
2282 /* binprm security operations */
2283
2284 static u32 ptrace_parent_sid(void)
2285 {
2286 u32 sid = 0;
2287 struct task_struct *tracer;
2288
2289 rcu_read_lock();
2290 tracer = ptrace_parent(current);
2291 if (tracer)
2292 sid = task_sid_obj(tracer);
2293 rcu_read_unlock();
2294
2295 return sid;
2296 }
2297
2298 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2299 const struct task_security_struct *old_tsec,
2300 const struct task_security_struct *new_tsec)
2301 {
2302 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2303 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2304 int rc;
2305 u32 av;
2306
2307 if (!nnp && !nosuid)
2308 return 0; /* neither NNP nor nosuid */
2309
2310 if (new_tsec->sid == old_tsec->sid)
2311 return 0; /* No change in credentials */
2312
2313 /*
2314 * If the policy enables the nnp_nosuid_transition policy capability,
2315 * then we permit transitions under NNP or nosuid if the
2316 * policy allows the corresponding permission between
2317 * the old and new contexts.
2318 */
2319 if (selinux_policycap_nnp_nosuid_transition()) {
2320 av = 0;
2321 if (nnp)
2322 av |= PROCESS2__NNP_TRANSITION;
2323 if (nosuid)
2324 av |= PROCESS2__NOSUID_TRANSITION;
2325 rc = avc_has_perm(&selinux_state,
2326 old_tsec->sid, new_tsec->sid,
2327 SECCLASS_PROCESS2, av, NULL);
2328 if (!rc)
2329 return 0;
2330 }
2331
2332 /*
2333 * We also permit NNP or nosuid transitions to bounded SIDs,
2334 * i.e. SIDs that are guaranteed to only be allowed a subset
2335 * of the permissions of the current SID.
2336 */
2337 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2338 new_tsec->sid);
2339 if (!rc)
2340 return 0;
2341
2342 /*
2343 * On failure, preserve the errno values for NNP vs nosuid.
2344 * NNP: Operation not permitted for caller.
2345 * nosuid: Permission denied to file.
2346 */
2347 if (nnp)
2348 return -EPERM;
2349 return -EACCES;
2350 }
2351
2352 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2353 {
2354 const struct task_security_struct *old_tsec;
2355 struct task_security_struct *new_tsec;
2356 struct inode_security_struct *isec;
2357 struct common_audit_data ad;
2358 struct inode *inode = file_inode(bprm->file);
2359 int rc;
2360
2361 /* SELinux context only depends on initial program or script and not
2362 * the script interpreter */
2363
2364 old_tsec = selinux_cred(current_cred());
2365 new_tsec = selinux_cred(bprm->cred);
2366 isec = inode_security(inode);
2367
2368 /* Default to the current task SID. */
2369 new_tsec->sid = old_tsec->sid;
2370 new_tsec->osid = old_tsec->sid;
2371
2372 /* Reset fs, key, and sock SIDs on execve. */
2373 new_tsec->create_sid = 0;
2374 new_tsec->keycreate_sid = 0;
2375 new_tsec->sockcreate_sid = 0;
2376
2377 if (old_tsec->exec_sid) {
2378 new_tsec->sid = old_tsec->exec_sid;
2379 /* Reset exec SID on execve. */
2380 new_tsec->exec_sid = 0;
2381
2382 /* Fail on NNP or nosuid if not an allowed transition. */
2383 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2384 if (rc)
2385 return rc;
2386 } else {
2387 /* Check for a default transition on this program. */
2388 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2389 isec->sid, SECCLASS_PROCESS, NULL,
2390 &new_tsec->sid);
2391 if (rc)
2392 return rc;
2393
2394 /*
2395 * Fallback to old SID on NNP or nosuid if not an allowed
2396 * transition.
2397 */
2398 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2399 if (rc)
2400 new_tsec->sid = old_tsec->sid;
2401 }
2402
2403 ad.type = LSM_AUDIT_DATA_FILE;
2404 ad.u.file = bprm->file;
2405
2406 if (new_tsec->sid == old_tsec->sid) {
2407 rc = avc_has_perm(&selinux_state,
2408 old_tsec->sid, isec->sid,
2409 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2410 if (rc)
2411 return rc;
2412 } else {
2413 /* Check permissions for the transition. */
2414 rc = avc_has_perm(&selinux_state,
2415 old_tsec->sid, new_tsec->sid,
2416 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2417 if (rc)
2418 return rc;
2419
2420 rc = avc_has_perm(&selinux_state,
2421 new_tsec->sid, isec->sid,
2422 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2423 if (rc)
2424 return rc;
2425
2426 /* Check for shared state */
2427 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2428 rc = avc_has_perm(&selinux_state,
2429 old_tsec->sid, new_tsec->sid,
2430 SECCLASS_PROCESS, PROCESS__SHARE,
2431 NULL);
2432 if (rc)
2433 return -EPERM;
2434 }
2435
2436 /* Make sure that anyone attempting to ptrace over a task that
2437 * changes its SID has the appropriate permit */
2438 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2439 u32 ptsid = ptrace_parent_sid();
2440 if (ptsid != 0) {
2441 rc = avc_has_perm(&selinux_state,
2442 ptsid, new_tsec->sid,
2443 SECCLASS_PROCESS,
2444 PROCESS__PTRACE, NULL);
2445 if (rc)
2446 return -EPERM;
2447 }
2448 }
2449
2450 /* Clear any possibly unsafe personality bits on exec: */
2451 bprm->per_clear |= PER_CLEAR_ON_SETID;
2452
2453 /* Enable secure mode for SIDs transitions unless
2454 the noatsecure permission is granted between
2455 the two SIDs, i.e. ahp returns 0. */
2456 rc = avc_has_perm(&selinux_state,
2457 old_tsec->sid, new_tsec->sid,
2458 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2459 NULL);
2460 bprm->secureexec |= !!rc;
2461 }
2462
2463 return 0;
2464 }
2465
2466 static int match_file(const void *p, struct file *file, unsigned fd)
2467 {
2468 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2469 }
2470
2471 /* Derived from fs/exec.c:flush_old_files. */
2472 static inline void flush_unauthorized_files(const struct cred *cred,
2473 struct files_struct *files)
2474 {
2475 struct file *file, *devnull = NULL;
2476 struct tty_struct *tty;
2477 int drop_tty = 0;
2478 unsigned n;
2479
2480 tty = get_current_tty();
2481 if (tty) {
2482 spin_lock(&tty->files_lock);
2483 if (!list_empty(&tty->tty_files)) {
2484 struct tty_file_private *file_priv;
2485
2486 /* Revalidate access to controlling tty.
2487 Use file_path_has_perm on the tty path directly
2488 rather than using file_has_perm, as this particular
2489 open file may belong to another process and we are
2490 only interested in the inode-based check here. */
2491 file_priv = list_first_entry(&tty->tty_files,
2492 struct tty_file_private, list);
2493 file = file_priv->file;
2494 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2495 drop_tty = 1;
2496 }
2497 spin_unlock(&tty->files_lock);
2498 tty_kref_put(tty);
2499 }
2500 /* Reset controlling tty. */
2501 if (drop_tty)
2502 no_tty();
2503
2504 /* Revalidate access to inherited open files. */
2505 n = iterate_fd(files, 0, match_file, cred);
2506 if (!n) /* none found? */
2507 return;
2508
2509 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2510 if (IS_ERR(devnull))
2511 devnull = NULL;
2512 /* replace all the matching ones with this */
2513 do {
2514 replace_fd(n - 1, devnull, 0);
2515 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2516 if (devnull)
2517 fput(devnull);
2518 }
2519
2520 /*
2521 * Prepare a process for imminent new credential changes due to exec
2522 */
2523 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2524 {
2525 struct task_security_struct *new_tsec;
2526 struct rlimit *rlim, *initrlim;
2527 int rc, i;
2528
2529 new_tsec = selinux_cred(bprm->cred);
2530 if (new_tsec->sid == new_tsec->osid)
2531 return;
2532
2533 /* Close files for which the new task SID is not authorized. */
2534 flush_unauthorized_files(bprm->cred, current->files);
2535
2536 /* Always clear parent death signal on SID transitions. */
2537 current->pdeath_signal = 0;
2538
2539 /* Check whether the new SID can inherit resource limits from the old
2540 * SID. If not, reset all soft limits to the lower of the current
2541 * task's hard limit and the init task's soft limit.
2542 *
2543 * Note that the setting of hard limits (even to lower them) can be
2544 * controlled by the setrlimit check. The inclusion of the init task's
2545 * soft limit into the computation is to avoid resetting soft limits
2546 * higher than the default soft limit for cases where the default is
2547 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2548 */
2549 rc = avc_has_perm(&selinux_state,
2550 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2551 PROCESS__RLIMITINH, NULL);
2552 if (rc) {
2553 /* protect against do_prlimit() */
2554 task_lock(current);
2555 for (i = 0; i < RLIM_NLIMITS; i++) {
2556 rlim = current->signal->rlim + i;
2557 initrlim = init_task.signal->rlim + i;
2558 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2559 }
2560 task_unlock(current);
2561 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2562 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2563 }
2564 }
2565
2566 /*
2567 * Clean up the process immediately after the installation of new credentials
2568 * due to exec
2569 */
2570 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2571 {
2572 const struct task_security_struct *tsec = selinux_cred(current_cred());
2573 u32 osid, sid;
2574 int rc;
2575
2576 osid = tsec->osid;
2577 sid = tsec->sid;
2578
2579 if (sid == osid)
2580 return;
2581
2582 /* Check whether the new SID can inherit signal state from the old SID.
2583 * If not, clear itimers to avoid subsequent signal generation and
2584 * flush and unblock signals.
2585 *
2586 * This must occur _after_ the task SID has been updated so that any
2587 * kill done after the flush will be checked against the new SID.
2588 */
2589 rc = avc_has_perm(&selinux_state,
2590 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2591 if (rc) {
2592 clear_itimer();
2593
2594 spin_lock_irq(¤t->sighand->siglock);
2595 if (!fatal_signal_pending(current)) {
2596 flush_sigqueue(¤t->pending);
2597 flush_sigqueue(¤t->signal->shared_pending);
2598 flush_signal_handlers(current, 1);
2599 sigemptyset(¤t->blocked);
2600 recalc_sigpending();
2601 }
2602 spin_unlock_irq(¤t->sighand->siglock);
2603 }
2604
2605 /* Wake up the parent if it is waiting so that it can recheck
2606 * wait permission to the new task SID. */
2607 read_lock(&tasklist_lock);
2608 __wake_up_parent(current, current->real_parent);
2609 read_unlock(&tasklist_lock);
2610 }
2611
2612 /* superblock security operations */
2613
2614 static int selinux_sb_alloc_security(struct super_block *sb)
2615 {
2616 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2617
2618 mutex_init(&sbsec->lock);
2619 INIT_LIST_HEAD(&sbsec->isec_head);
2620 spin_lock_init(&sbsec->isec_lock);
2621 sbsec->sid = SECINITSID_UNLABELED;
2622 sbsec->def_sid = SECINITSID_FILE;
2623 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2624
2625 return 0;
2626 }
2627
2628 static inline int opt_len(const char *s)
2629 {
2630 bool open_quote = false;
2631 int len;
2632 char c;
2633
2634 for (len = 0; (c = s[len]) != '\0'; len++) {
2635 if (c == '"')
2636 open_quote = !open_quote;
2637 if (c == ',' && !open_quote)
2638 break;
2639 }
2640 return len;
2641 }
2642
2643 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2644 {
2645 char *from = options;
2646 char *to = options;
2647 bool first = true;
2648 int rc;
2649
2650 while (1) {
2651 int len = opt_len(from);
2652 int token;
2653 char *arg = NULL;
2654
2655 token = match_opt_prefix(from, len, &arg);
2656
2657 if (token != Opt_error) {
2658 char *p, *q;
2659
2660 /* strip quotes */
2661 if (arg) {
2662 for (p = q = arg; p < from + len; p++) {
2663 char c = *p;
2664 if (c != '"')
2665 *q++ = c;
2666 }
2667 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2668 if (!arg) {
2669 rc = -ENOMEM;
2670 goto free_opt;
2671 }
2672 }
2673 rc = selinux_add_opt(token, arg, mnt_opts);
2674 if (unlikely(rc)) {
2675 kfree(arg);
2676 goto free_opt;
2677 }
2678 } else {
2679 if (!first) { // copy with preceding comma
2680 from--;
2681 len++;
2682 }
2683 if (to != from)
2684 memmove(to, from, len);
2685 to += len;
2686 first = false;
2687 }
2688 if (!from[len])
2689 break;
2690 from += len + 1;
2691 }
2692 *to = '\0';
2693 return 0;
2694
2695 free_opt:
2696 if (*mnt_opts) {
2697 selinux_free_mnt_opts(*mnt_opts);
2698 *mnt_opts = NULL;
2699 }
2700 return rc;
2701 }
2702
2703 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2704 {
2705 struct selinux_mnt_opts *opts = mnt_opts;
2706 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2707
2708 /*
2709 * Superblock not initialized (i.e. no options) - reject if any
2710 * options specified, otherwise accept.
2711 */
2712 if (!(sbsec->flags & SE_SBINITIALIZED))
2713 return opts ? 1 : 0;
2714
2715 /*
2716 * Superblock initialized and no options specified - reject if
2717 * superblock has any options set, otherwise accept.
2718 */
2719 if (!opts)
2720 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2721
2722 if (opts->fscontext) {
2723 if (opts->fscontext_sid == SECSID_NULL)
2724 return 1;
2725 else if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2726 opts->fscontext_sid))
2727 return 1;
2728 }
2729 if (opts->context) {
2730 if (opts->context_sid == SECSID_NULL)
2731 return 1;
2732 else if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2733 opts->context_sid))
2734 return 1;
2735 }
2736 if (opts->rootcontext) {
2737 if (opts->rootcontext_sid == SECSID_NULL)
2738 return 1;
2739 else {
2740 struct inode_security_struct *root_isec;
2741
2742 root_isec = backing_inode_security(sb->s_root);
2743 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2744 opts->rootcontext_sid))
2745 return 1;
2746 }
2747 }
2748 if (opts->defcontext) {
2749 if (opts->defcontext_sid == SECSID_NULL)
2750 return 1;
2751 else if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2752 opts->defcontext_sid))
2753 return 1;
2754 }
2755 return 0;
2756 }
2757
2758 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2759 {
2760 struct selinux_mnt_opts *opts = mnt_opts;
2761 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2762 u32 sid;
2763 int rc;
2764
2765 if (!(sbsec->flags & SE_SBINITIALIZED))
2766 return 0;
2767
2768 if (!opts)
2769 return 0;
2770
2771 if (opts->fscontext) {
2772 rc = parse_sid(sb, opts->fscontext, &sid);
2773 if (rc)
2774 return rc;
2775 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2776 goto out_bad_option;
2777 }
2778 if (opts->context) {
2779 rc = parse_sid(sb, opts->context, &sid);
2780 if (rc)
2781 return rc;
2782 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2783 goto out_bad_option;
2784 }
2785 if (opts->rootcontext) {
2786 struct inode_security_struct *root_isec;
2787 root_isec = backing_inode_security(sb->s_root);
2788 rc = parse_sid(sb, opts->rootcontext, &sid);
2789 if (rc)
2790 return rc;
2791 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2792 goto out_bad_option;
2793 }
2794 if (opts->defcontext) {
2795 rc = parse_sid(sb, opts->defcontext, &sid);
2796 if (rc)
2797 return rc;
2798 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2799 goto out_bad_option;
2800 }
2801 return 0;
2802
2803 out_bad_option:
2804 pr_warn("SELinux: unable to change security options "
2805 "during remount (dev %s, type=%s)\n", sb->s_id,
2806 sb->s_type->name);
2807 return -EINVAL;
2808 }
2809
2810 static int selinux_sb_kern_mount(struct super_block *sb)
2811 {
2812 const struct cred *cred = current_cred();
2813 struct common_audit_data ad;
2814
2815 ad.type = LSM_AUDIT_DATA_DENTRY;
2816 ad.u.dentry = sb->s_root;
2817 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2818 }
2819
2820 static int selinux_sb_statfs(struct dentry *dentry)
2821 {
2822 const struct cred *cred = current_cred();
2823 struct common_audit_data ad;
2824
2825 ad.type = LSM_AUDIT_DATA_DENTRY;
2826 ad.u.dentry = dentry->d_sb->s_root;
2827 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2828 }
2829
2830 static int selinux_mount(const char *dev_name,
2831 const struct path *path,
2832 const char *type,
2833 unsigned long flags,
2834 void *data)
2835 {
2836 const struct cred *cred = current_cred();
2837
2838 if (flags & MS_REMOUNT)
2839 return superblock_has_perm(cred, path->dentry->d_sb,
2840 FILESYSTEM__REMOUNT, NULL);
2841 else
2842 return path_has_perm(cred, path, FILE__MOUNTON);
2843 }
2844
2845 static int selinux_move_mount(const struct path *from_path,
2846 const struct path *to_path)
2847 {
2848 const struct cred *cred = current_cred();
2849
2850 return path_has_perm(cred, to_path, FILE__MOUNTON);
2851 }
2852
2853 static int selinux_umount(struct vfsmount *mnt, int flags)
2854 {
2855 const struct cred *cred = current_cred();
2856
2857 return superblock_has_perm(cred, mnt->mnt_sb,
2858 FILESYSTEM__UNMOUNT, NULL);
2859 }
2860
2861 static int selinux_fs_context_dup(struct fs_context *fc,
2862 struct fs_context *src_fc)
2863 {
2864 const struct selinux_mnt_opts *src = src_fc->security;
2865 struct selinux_mnt_opts *opts;
2866
2867 if (!src)
2868 return 0;
2869
2870 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2871 if (!fc->security)
2872 return -ENOMEM;
2873
2874 opts = fc->security;
2875
2876 if (src->fscontext) {
2877 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2878 if (!opts->fscontext)
2879 return -ENOMEM;
2880 }
2881 if (src->context) {
2882 opts->context = kstrdup(src->context, GFP_KERNEL);
2883 if (!opts->context)
2884 return -ENOMEM;
2885 }
2886 if (src->rootcontext) {
2887 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2888 if (!opts->rootcontext)
2889 return -ENOMEM;
2890 }
2891 if (src->defcontext) {
2892 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2893 if (!opts->defcontext)
2894 return -ENOMEM;
2895 }
2896 return 0;
2897 }
2898
2899 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2900 fsparam_string(CONTEXT_STR, Opt_context),
2901 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2902 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2903 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2904 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2905 {}
2906 };
2907
2908 static int selinux_fs_context_parse_param(struct fs_context *fc,
2909 struct fs_parameter *param)
2910 {
2911 struct fs_parse_result result;
2912 int opt, rc;
2913
2914 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2915 if (opt < 0)
2916 return opt;
2917
2918 rc = selinux_add_opt(opt, param->string, &fc->security);
2919 if (!rc)
2920 param->string = NULL;
2921
2922 return rc;
2923 }
2924
2925 /* inode security operations */
2926
2927 static int selinux_inode_alloc_security(struct inode *inode)
2928 {
2929 struct inode_security_struct *isec = selinux_inode(inode);
2930 u32 sid = current_sid();
2931
2932 spin_lock_init(&isec->lock);
2933 INIT_LIST_HEAD(&isec->list);
2934 isec->inode = inode;
2935 isec->sid = SECINITSID_UNLABELED;
2936 isec->sclass = SECCLASS_FILE;
2937 isec->task_sid = sid;
2938 isec->initialized = LABEL_INVALID;
2939
2940 return 0;
2941 }
2942
2943 static void selinux_inode_free_security(struct inode *inode)
2944 {
2945 inode_free_security(inode);
2946 }
2947
2948 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2949 const struct qstr *name,
2950 const char **xattr_name, void **ctx,
2951 u32 *ctxlen)
2952 {
2953 u32 newsid;
2954 int rc;
2955
2956 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2957 d_inode(dentry->d_parent), name,
2958 inode_mode_to_security_class(mode),
2959 &newsid);
2960 if (rc)
2961 return rc;
2962
2963 if (xattr_name)
2964 *xattr_name = XATTR_NAME_SELINUX;
2965
2966 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2967 ctxlen);
2968 }
2969
2970 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2971 struct qstr *name,
2972 const struct cred *old,
2973 struct cred *new)
2974 {
2975 u32 newsid;
2976 int rc;
2977 struct task_security_struct *tsec;
2978
2979 rc = selinux_determine_inode_label(selinux_cred(old),
2980 d_inode(dentry->d_parent), name,
2981 inode_mode_to_security_class(mode),
2982 &newsid);
2983 if (rc)
2984 return rc;
2985
2986 tsec = selinux_cred(new);
2987 tsec->create_sid = newsid;
2988 return 0;
2989 }
2990
2991 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2992 const struct qstr *qstr,
2993 const char **name,
2994 void **value, size_t *len)
2995 {
2996 const struct task_security_struct *tsec = selinux_cred(current_cred());
2997 struct superblock_security_struct *sbsec;
2998 u32 newsid, clen;
2999 int rc;
3000 char *context;
3001
3002 sbsec = selinux_superblock(dir->i_sb);
3003
3004 newsid = tsec->create_sid;
3005
3006 rc = selinux_determine_inode_label(tsec, dir, qstr,
3007 inode_mode_to_security_class(inode->i_mode),
3008 &newsid);
3009 if (rc)
3010 return rc;
3011
3012 /* Possibly defer initialization to selinux_complete_init. */
3013 if (sbsec->flags & SE_SBINITIALIZED) {
3014 struct inode_security_struct *isec = selinux_inode(inode);
3015 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3016 isec->sid = newsid;
3017 isec->initialized = LABEL_INITIALIZED;
3018 }
3019
3020 if (!selinux_initialized(&selinux_state) ||
3021 !(sbsec->flags & SBLABEL_MNT))
3022 return -EOPNOTSUPP;
3023
3024 if (name)
3025 *name = XATTR_SELINUX_SUFFIX;
3026
3027 if (value && len) {
3028 rc = security_sid_to_context_force(&selinux_state, newsid,
3029 &context, &clen);
3030 if (rc)
3031 return rc;
3032 *value = context;
3033 *len = clen;
3034 }
3035
3036 return 0;
3037 }
3038
3039 static int selinux_inode_init_security_anon(struct inode *inode,
3040 const struct qstr *name,
3041 const struct inode *context_inode)
3042 {
3043 const struct task_security_struct *tsec = selinux_cred(current_cred());
3044 struct common_audit_data ad;
3045 struct inode_security_struct *isec;
3046 int rc;
3047
3048 if (unlikely(!selinux_initialized(&selinux_state)))
3049 return 0;
3050
3051 isec = selinux_inode(inode);
3052
3053 /*
3054 * We only get here once per ephemeral inode. The inode has
3055 * been initialized via inode_alloc_security but is otherwise
3056 * untouched.
3057 */
3058
3059 if (context_inode) {
3060 struct inode_security_struct *context_isec =
3061 selinux_inode(context_inode);
3062 if (context_isec->initialized != LABEL_INITIALIZED) {
3063 pr_err("SELinux: context_inode is not initialized");
3064 return -EACCES;
3065 }
3066
3067 isec->sclass = context_isec->sclass;
3068 isec->sid = context_isec->sid;
3069 } else {
3070 isec->sclass = SECCLASS_ANON_INODE;
3071 rc = security_transition_sid(
3072 &selinux_state, tsec->sid, tsec->sid,
3073 isec->sclass, name, &isec->sid);
3074 if (rc)
3075 return rc;
3076 }
3077
3078 isec->initialized = LABEL_INITIALIZED;
3079 /*
3080 * Now that we've initialized security, check whether we're
3081 * allowed to actually create this type of anonymous inode.
3082 */
3083
3084 ad.type = LSM_AUDIT_DATA_INODE;
3085 ad.u.inode = inode;
3086
3087 return avc_has_perm(&selinux_state,
3088 tsec->sid,
3089 isec->sid,
3090 isec->sclass,
3091 FILE__CREATE,
3092 &ad);
3093 }
3094
3095 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3096 {
3097 return may_create(dir, dentry, SECCLASS_FILE);
3098 }
3099
3100 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3101 {
3102 return may_link(dir, old_dentry, MAY_LINK);
3103 }
3104
3105 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3106 {
3107 return may_link(dir, dentry, MAY_UNLINK);
3108 }
3109
3110 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3111 {
3112 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3113 }
3114
3115 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3116 {
3117 return may_create(dir, dentry, SECCLASS_DIR);
3118 }
3119
3120 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3121 {
3122 return may_link(dir, dentry, MAY_RMDIR);
3123 }
3124
3125 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3126 {
3127 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3128 }
3129
3130 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3131 struct inode *new_inode, struct dentry *new_dentry)
3132 {
3133 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3134 }
3135
3136 static int selinux_inode_readlink(struct dentry *dentry)
3137 {
3138 const struct cred *cred = current_cred();
3139
3140 return dentry_has_perm(cred, dentry, FILE__READ);
3141 }
3142
3143 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3144 bool rcu)
3145 {
3146 const struct cred *cred = current_cred();
3147 struct common_audit_data ad;
3148 struct inode_security_struct *isec;
3149 u32 sid;
3150
3151 validate_creds(cred);
3152
3153 ad.type = LSM_AUDIT_DATA_DENTRY;
3154 ad.u.dentry = dentry;
3155 sid = cred_sid(cred);
3156 isec = inode_security_rcu(inode, rcu);
3157 if (IS_ERR(isec))
3158 return PTR_ERR(isec);
3159
3160 return avc_has_perm(&selinux_state,
3161 sid, isec->sid, isec->sclass, FILE__READ, &ad);
3162 }
3163
3164 static noinline int audit_inode_permission(struct inode *inode,
3165 u32 perms, u32 audited, u32 denied,
3166 int result)
3167 {
3168 struct common_audit_data ad;
3169 struct inode_security_struct *isec = selinux_inode(inode);
3170
3171 ad.type = LSM_AUDIT_DATA_INODE;
3172 ad.u.inode = inode;
3173
3174 return slow_avc_audit(&selinux_state,
3175 current_sid(), isec->sid, isec->sclass, perms,
3176 audited, denied, result, &ad);
3177 }
3178
3179 static int selinux_inode_permission(struct inode *inode, int mask)
3180 {
3181 const struct cred *cred = current_cred();
3182 u32 perms;
3183 bool from_access;
3184 bool no_block = mask & MAY_NOT_BLOCK;
3185 struct inode_security_struct *isec;
3186 u32 sid;
3187 struct av_decision avd;
3188 int rc, rc2;
3189 u32 audited, denied;
3190
3191 from_access = mask & MAY_ACCESS;
3192 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3193
3194 /* No permission to check. Existence test. */
3195 if (!mask)
3196 return 0;
3197
3198 validate_creds(cred);
3199
3200 if (unlikely(IS_PRIVATE(inode)))
3201 return 0;
3202
3203 perms = file_mask_to_av(inode->i_mode, mask);
3204
3205 sid = cred_sid(cred);
3206 isec = inode_security_rcu(inode, no_block);
3207 if (IS_ERR(isec))
3208 return PTR_ERR(isec);
3209
3210 rc = avc_has_perm_noaudit(&selinux_state,
3211 sid, isec->sid, isec->sclass, perms, 0,
3212 &avd);
3213 audited = avc_audit_required(perms, &avd, rc,
3214 from_access ? FILE__AUDIT_ACCESS : 0,
3215 &denied);
3216 if (likely(!audited))
3217 return rc;
3218
3219 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3220 if (rc2)
3221 return rc2;
3222 return rc;
3223 }
3224
3225 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3226 {
3227 const struct cred *cred = current_cred();
3228 struct inode *inode = d_backing_inode(dentry);
3229 unsigned int ia_valid = iattr->ia_valid;
3230 __u32 av = FILE__WRITE;
3231
3232 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3233 if (ia_valid & ATTR_FORCE) {
3234 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3235 ATTR_FORCE);
3236 if (!ia_valid)
3237 return 0;
3238 }
3239
3240 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3241 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3242 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3243
3244 if (selinux_policycap_openperm() &&
3245 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3246 (ia_valid & ATTR_SIZE) &&
3247 !(ia_valid & ATTR_FILE))
3248 av |= FILE__OPEN;
3249
3250 return dentry_has_perm(cred, dentry, av);
3251 }
3252
3253 static int selinux_inode_getattr(const struct path *path)
3254 {
3255 return path_has_perm(current_cred(), path, FILE__GETATTR);
3256 }
3257
3258 static bool has_cap_mac_admin(bool audit)
3259 {
3260 const struct cred *cred = current_cred();
3261 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3262
3263 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3264 return false;
3265 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3266 return false;
3267 return true;
3268 }
3269
3270 static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
3271 struct dentry *dentry, const char *name,
3272 const void *value, size_t size, int flags)
3273 {
3274 struct inode *inode = d_backing_inode(dentry);
3275 struct inode_security_struct *isec;
3276 struct superblock_security_struct *sbsec;
3277 struct common_audit_data ad;
3278 u32 newsid, sid = current_sid();
3279 int rc = 0;
3280
3281 if (strcmp(name, XATTR_NAME_SELINUX)) {
3282 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3283 if (rc)
3284 return rc;
3285
3286 /* Not an attribute we recognize, so just check the
3287 ordinary setattr permission. */
3288 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3289 }
3290
3291 if (!selinux_initialized(&selinux_state))
3292 return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM);
3293
3294 sbsec = selinux_superblock(inode->i_sb);
3295 if (!(sbsec->flags & SBLABEL_MNT))
3296 return -EOPNOTSUPP;
3297
3298 if (!inode_owner_or_capable(mnt_userns, inode))
3299 return -EPERM;
3300
3301 ad.type = LSM_AUDIT_DATA_DENTRY;
3302 ad.u.dentry = dentry;
3303
3304 isec = backing_inode_security(dentry);
3305 rc = avc_has_perm(&selinux_state,
3306 sid, isec->sid, isec->sclass,
3307 FILE__RELABELFROM, &ad);
3308 if (rc)
3309 return rc;
3310
3311 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3312 GFP_KERNEL);
3313 if (rc == -EINVAL) {
3314 if (!has_cap_mac_admin(true)) {
3315 struct audit_buffer *ab;
3316 size_t audit_size;
3317
3318 /* We strip a nul only if it is at the end, otherwise the
3319 * context contains a nul and we should audit that */
3320 if (value) {
3321 const char *str = value;
3322
3323 if (str[size - 1] == '\0')
3324 audit_size = size - 1;
3325 else
3326 audit_size = size;
3327 } else {
3328 audit_size = 0;
3329 }
3330 ab = audit_log_start(audit_context(),
3331 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3332 if (!ab)
3333 return rc;
3334 audit_log_format(ab, "op=setxattr invalid_context=");
3335 audit_log_n_untrustedstring(ab, value, audit_size);
3336 audit_log_end(ab);
3337
3338 return rc;
3339 }
3340 rc = security_context_to_sid_force(&selinux_state, value,
3341 size, &newsid);
3342 }
3343 if (rc)
3344 return rc;
3345
3346 rc = avc_has_perm(&selinux_state,
3347 sid, newsid, isec->sclass,
3348 FILE__RELABELTO, &ad);
3349 if (rc)
3350 return rc;
3351
3352 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3353 sid, isec->sclass);
3354 if (rc)
3355 return rc;
3356
3357 return avc_has_perm(&selinux_state,
3358 newsid,
3359 sbsec->sid,
3360 SECCLASS_FILESYSTEM,
3361 FILESYSTEM__ASSOCIATE,
3362 &ad);
3363 }
3364
3365 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3366 const void *value, size_t size,
3367 int flags)
3368 {
3369 struct inode *inode = d_backing_inode(dentry);
3370 struct inode_security_struct *isec;
3371 u32 newsid;
3372 int rc;
3373
3374 if (strcmp(name, XATTR_NAME_SELINUX)) {
3375 /* Not an attribute we recognize, so nothing to do. */
3376 return;
3377 }
3378
3379 if (!selinux_initialized(&selinux_state)) {
3380 /* If we haven't even been initialized, then we can't validate
3381 * against a policy, so leave the label as invalid. It may
3382 * resolve to a valid label on the next revalidation try if
3383 * we've since initialized.
3384 */
3385 return;
3386 }
3387
3388 rc = security_context_to_sid_force(&selinux_state, value, size,
3389 &newsid);
3390 if (rc) {
3391 pr_err("SELinux: unable to map context to SID"
3392 "for (%s, %lu), rc=%d\n",
3393 inode->i_sb->s_id, inode->i_ino, -rc);
3394 return;
3395 }
3396
3397 isec = backing_inode_security(dentry);
3398 spin_lock(&isec->lock);
3399 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3400 isec->sid = newsid;
3401 isec->initialized = LABEL_INITIALIZED;
3402 spin_unlock(&isec->lock);
3403
3404 return;
3405 }
3406
3407 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3408 {
3409 const struct cred *cred = current_cred();
3410
3411 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3412 }
3413
3414 static int selinux_inode_listxattr(struct dentry *dentry)
3415 {
3416 const struct cred *cred = current_cred();
3417
3418 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3419 }
3420
3421 static int selinux_inode_removexattr(struct user_namespace *mnt_userns,
3422 struct dentry *dentry, const char *name)
3423 {
3424 if (strcmp(name, XATTR_NAME_SELINUX)) {
3425 int rc = cap_inode_removexattr(mnt_userns, dentry, name);
3426 if (rc)
3427 return rc;
3428
3429 /* Not an attribute we recognize, so just check the
3430 ordinary setattr permission. */
3431 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3432 }
3433
3434 if (!selinux_initialized(&selinux_state))
3435 return 0;
3436
3437 /* No one is allowed to remove a SELinux security label.
3438 You can change the label, but all data must be labeled. */
3439 return -EACCES;
3440 }
3441
3442 static int selinux_path_notify(const struct path *path, u64 mask,
3443 unsigned int obj_type)
3444 {
3445 int ret;
3446 u32 perm;
3447
3448 struct common_audit_data ad;
3449
3450 ad.type = LSM_AUDIT_DATA_PATH;
3451 ad.u.path = *path;
3452
3453 /*
3454 * Set permission needed based on the type of mark being set.
3455 * Performs an additional check for sb watches.
3456 */
3457 switch (obj_type) {
3458 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3459 perm = FILE__WATCH_MOUNT;
3460 break;
3461 case FSNOTIFY_OBJ_TYPE_SB:
3462 perm = FILE__WATCH_SB;
3463 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3464 FILESYSTEM__WATCH, &ad);
3465 if (ret)
3466 return ret;
3467 break;
3468 case FSNOTIFY_OBJ_TYPE_INODE:
3469 perm = FILE__WATCH;
3470 break;
3471 default:
3472 return -EINVAL;
3473 }
3474
3475 /* blocking watches require the file:watch_with_perm permission */
3476 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3477 perm |= FILE__WATCH_WITH_PERM;
3478
3479 /* watches on read-like events need the file:watch_reads permission */
3480 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3481 perm |= FILE__WATCH_READS;
3482
3483 return path_has_perm(current_cred(), path, perm);
3484 }
3485
3486 /*
3487 * Copy the inode security context value to the user.
3488 *
3489 * Permission check is handled by selinux_inode_getxattr hook.
3490 */
3491 static int selinux_inode_getsecurity(struct user_namespace *mnt_userns,
3492 struct inode *inode, const char *name,
3493 void **buffer, bool alloc)
3494 {
3495 u32 size;
3496 int error;
3497 char *context = NULL;
3498 struct inode_security_struct *isec;
3499
3500 /*
3501 * If we're not initialized yet, then we can't validate contexts, so
3502 * just let vfs_getxattr fall back to using the on-disk xattr.
3503 */
3504 if (!selinux_initialized(&selinux_state) ||
3505 strcmp(name, XATTR_SELINUX_SUFFIX))
3506 return -EOPNOTSUPP;
3507
3508 /*
3509 * If the caller has CAP_MAC_ADMIN, then get the raw context
3510 * value even if it is not defined by current policy; otherwise,
3511 * use the in-core value under current policy.
3512 * Use the non-auditing forms of the permission checks since
3513 * getxattr may be called by unprivileged processes commonly
3514 * and lack of permission just means that we fall back to the
3515 * in-core context value, not a denial.
3516 */
3517 isec = inode_security(inode);
3518 if (has_cap_mac_admin(false))
3519 error = security_sid_to_context_force(&selinux_state,
3520 isec->sid, &context,
3521 &size);
3522 else
3523 error = security_sid_to_context(&selinux_state, isec->sid,
3524 &context, &size);
3525 if (error)
3526 return error;
3527 error = size;
3528 if (alloc) {
3529 *buffer = context;
3530 goto out_nofree;
3531 }
3532 kfree(context);
3533 out_nofree:
3534 return error;
3535 }
3536
3537 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3538 const void *value, size_t size, int flags)
3539 {
3540 struct inode_security_struct *isec = inode_security_novalidate(inode);
3541 struct superblock_security_struct *sbsec;
3542 u32 newsid;
3543 int rc;
3544
3545 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3546 return -EOPNOTSUPP;
3547
3548 sbsec = selinux_superblock(inode->i_sb);
3549 if (!(sbsec->flags & SBLABEL_MNT))
3550 return -EOPNOTSUPP;
3551
3552 if (!value || !size)
3553 return -EACCES;
3554
3555 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3556 GFP_KERNEL);
3557 if (rc)
3558 return rc;
3559
3560 spin_lock(&isec->lock);
3561 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3562 isec->sid = newsid;
3563 isec->initialized = LABEL_INITIALIZED;
3564 spin_unlock(&isec->lock);
3565 return 0;
3566 }
3567
3568 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3569 {
3570 const int len = sizeof(XATTR_NAME_SELINUX);
3571
3572 if (!selinux_initialized(&selinux_state))
3573 return 0;
3574
3575 if (buffer && len <= buffer_size)
3576 memcpy(buffer, XATTR_NAME_SELINUX, len);
3577 return len;
3578 }
3579
3580 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3581 {
3582 struct inode_security_struct *isec = inode_security_novalidate(inode);
3583 *secid = isec->sid;
3584 }
3585
3586 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3587 {
3588 u32 sid;
3589 struct task_security_struct *tsec;
3590 struct cred *new_creds = *new;
3591
3592 if (new_creds == NULL) {
3593 new_creds = prepare_creds();
3594 if (!new_creds)
3595 return -ENOMEM;
3596 }
3597
3598 tsec = selinux_cred(new_creds);
3599 /* Get label from overlay inode and set it in create_sid */
3600 selinux_inode_getsecid(d_inode(src), &sid);
3601 tsec->create_sid = sid;
3602 *new = new_creds;
3603 return 0;
3604 }
3605
3606 static int selinux_inode_copy_up_xattr(const char *name)
3607 {
3608 /* The copy_up hook above sets the initial context on an inode, but we
3609 * don't then want to overwrite it by blindly copying all the lower
3610 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3611 */
3612 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3613 return 1; /* Discard */
3614 /*
3615 * Any other attribute apart from SELINUX is not claimed, supported
3616 * by selinux.
3617 */
3618 return -EOPNOTSUPP;
3619 }
3620
3621 /* kernfs node operations */
3622
3623 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3624 struct kernfs_node *kn)
3625 {
3626 const struct task_security_struct *tsec = selinux_cred(current_cred());
3627 u32 parent_sid, newsid, clen;
3628 int rc;
3629 char *context;
3630
3631 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3632 if (rc == -ENODATA)
3633 return 0;
3634 else if (rc < 0)
3635 return rc;
3636
3637 clen = (u32)rc;
3638 context = kmalloc(clen, GFP_KERNEL);
3639 if (!context)
3640 return -ENOMEM;
3641
3642 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3643 if (rc < 0) {
3644 kfree(context);
3645 return rc;
3646 }
3647
3648 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3649 GFP_KERNEL);
3650 kfree(context);
3651 if (rc)
3652 return rc;
3653
3654 if (tsec->create_sid) {
3655 newsid = tsec->create_sid;
3656 } else {
3657 u16 secclass = inode_mode_to_security_class(kn->mode);
3658 struct qstr q;
3659
3660 q.name = kn->name;
3661 q.hash_len = hashlen_string(kn_dir, kn->name);
3662
3663 rc = security_transition_sid(&selinux_state, tsec->sid,
3664 parent_sid, secclass, &q,
3665 &newsid);
3666 if (rc)
3667 return rc;
3668 }
3669
3670 rc = security_sid_to_context_force(&selinux_state, newsid,
3671 &context, &clen);
3672 if (rc)
3673 return rc;
3674
3675 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3676 XATTR_CREATE);
3677 kfree(context);
3678 return rc;
3679 }
3680
3681
3682 /* file security operations */
3683
3684 static int selinux_revalidate_file_permission(struct file *file, int mask)
3685 {
3686 const struct cred *cred = current_cred();
3687 struct inode *inode = file_inode(file);
3688
3689 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3690 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3691 mask |= MAY_APPEND;
3692
3693 return file_has_perm(cred, file,
3694 file_mask_to_av(inode->i_mode, mask));
3695 }
3696
3697 static int selinux_file_permission(struct file *file, int mask)
3698 {
3699 struct inode *inode = file_inode(file);
3700 struct file_security_struct *fsec = selinux_file(file);
3701 struct inode_security_struct *isec;
3702 u32 sid = current_sid();
3703
3704 if (!mask)
3705 /* No permission to check. Existence test. */
3706 return 0;
3707
3708 isec = inode_security(inode);
3709 if (sid == fsec->sid && fsec->isid == isec->sid &&
3710 fsec->pseqno == avc_policy_seqno(&selinux_state))
3711 /* No change since file_open check. */
3712 return 0;
3713
3714 return selinux_revalidate_file_permission(file, mask);
3715 }
3716
3717 static int selinux_file_alloc_security(struct file *file)
3718 {
3719 struct file_security_struct *fsec = selinux_file(file);
3720 u32 sid = current_sid();
3721
3722 fsec->sid = sid;
3723 fsec->fown_sid = sid;
3724
3725 return 0;
3726 }
3727
3728 /*
3729 * Check whether a task has the ioctl permission and cmd
3730 * operation to an inode.
3731 */
3732 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3733 u32 requested, u16 cmd)
3734 {
3735 struct common_audit_data ad;
3736 struct file_security_struct *fsec = selinux_file(file);
3737 struct inode *inode = file_inode(file);
3738 struct inode_security_struct *isec;
3739 struct lsm_ioctlop_audit ioctl;
3740 u32 ssid = cred_sid(cred);
3741 int rc;
3742 u8 driver = cmd >> 8;
3743 u8 xperm = cmd & 0xff;
3744
3745 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3746 ad.u.op = &ioctl;
3747 ad.u.op->cmd = cmd;
3748 ad.u.op->path = file->f_path;
3749
3750 if (ssid != fsec->sid) {
3751 rc = avc_has_perm(&selinux_state,
3752 ssid, fsec->sid,
3753 SECCLASS_FD,
3754 FD__USE,
3755 &ad);
3756 if (rc)
3757 goto out;
3758 }
3759
3760 if (unlikely(IS_PRIVATE(inode)))
3761 return 0;
3762
3763 isec = inode_security(inode);
3764 rc = avc_has_extended_perms(&selinux_state,
3765 ssid, isec->sid, isec->sclass,
3766 requested, driver, xperm, &ad);
3767 out:
3768 return rc;
3769 }
3770
3771 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3772 unsigned long arg)
3773 {
3774 const struct cred *cred = current_cred();
3775 int error = 0;
3776
3777 switch (cmd) {
3778 case FIONREAD:
3779 case FIBMAP:
3780 case FIGETBSZ:
3781 case FS_IOC_GETFLAGS:
3782 case FS_IOC_GETVERSION:
3783 error = file_has_perm(cred, file, FILE__GETATTR);
3784 break;
3785
3786 case FS_IOC_SETFLAGS:
3787 case FS_IOC_SETVERSION:
3788 error = file_has_perm(cred, file, FILE__SETATTR);
3789 break;
3790
3791 /* sys_ioctl() checks */
3792 case FIONBIO:
3793 case FIOASYNC:
3794 error = file_has_perm(cred, file, 0);
3795 break;
3796
3797 case KDSKBENT:
3798 case KDSKBSENT:
3799 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3800 CAP_OPT_NONE, true);
3801 break;
3802
3803 case FIOCLEX:
3804 case FIONCLEX:
3805 if (!selinux_policycap_ioctl_skip_cloexec())
3806 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3807 break;
3808
3809 /* default case assumes that the command will go
3810 * to the file's ioctl() function.
3811 */
3812 default:
3813 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3814 }
3815 return error;
3816 }
3817
3818 static int default_noexec __ro_after_init;
3819
3820 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3821 {
3822 const struct cred *cred = current_cred();
3823 u32 sid = cred_sid(cred);
3824 int rc = 0;
3825
3826 if (default_noexec &&
3827 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3828 (!shared && (prot & PROT_WRITE)))) {
3829 /*
3830 * We are making executable an anonymous mapping or a
3831 * private file mapping that will also be writable.
3832 * This has an additional check.
3833 */
3834 rc = avc_has_perm(&selinux_state,
3835 sid, sid, SECCLASS_PROCESS,
3836 PROCESS__EXECMEM, NULL);
3837 if (rc)
3838 goto error;
3839 }
3840
3841 if (file) {
3842 /* read access is always possible with a mapping */
3843 u32 av = FILE__READ;
3844
3845 /* write access only matters if the mapping is shared */
3846 if (shared && (prot & PROT_WRITE))
3847 av |= FILE__WRITE;
3848
3849 if (prot & PROT_EXEC)
3850 av |= FILE__EXECUTE;
3851
3852 return file_has_perm(cred, file, av);
3853 }
3854
3855 error:
3856 return rc;
3857 }
3858
3859 static int selinux_mmap_addr(unsigned long addr)
3860 {
3861 int rc = 0;
3862
3863 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3864 u32 sid = current_sid();
3865 rc = avc_has_perm(&selinux_state,
3866 sid, sid, SECCLASS_MEMPROTECT,
3867 MEMPROTECT__MMAP_ZERO, NULL);
3868 }
3869
3870 return rc;
3871 }
3872
3873 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3874 unsigned long prot, unsigned long flags)
3875 {
3876 struct common_audit_data ad;
3877 int rc;
3878
3879 if (file) {
3880 ad.type = LSM_AUDIT_DATA_FILE;
3881 ad.u.file = file;
3882 rc = inode_has_perm(current_cred(), file_inode(file),
3883 FILE__MAP, &ad);
3884 if (rc)
3885 return rc;
3886 }
3887
3888 if (checkreqprot_get(&selinux_state))
3889 prot = reqprot;
3890
3891 return file_map_prot_check(file, prot,
3892 (flags & MAP_TYPE) == MAP_SHARED);
3893 }
3894
3895 static int selinux_file_mprotect(struct vm_area_struct *vma,
3896 unsigned long reqprot,
3897 unsigned long prot)
3898 {
3899 const struct cred *cred = current_cred();
3900 u32 sid = cred_sid(cred);
3901
3902 if (checkreqprot_get(&selinux_state))
3903 prot = reqprot;
3904
3905 if (default_noexec &&
3906 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3907 int rc = 0;
3908 if (vma->vm_start >= vma->vm_mm->start_brk &&
3909 vma->vm_end <= vma->vm_mm->brk) {
3910 rc = avc_has_perm(&selinux_state,
3911 sid, sid, SECCLASS_PROCESS,
3912 PROCESS__EXECHEAP, NULL);
3913 } else if (!vma->vm_file &&
3914 ((vma->vm_start <= vma->vm_mm->start_stack &&
3915 vma->vm_end >= vma->vm_mm->start_stack) ||
3916 vma_is_stack_for_current(vma))) {
3917 rc = avc_has_perm(&selinux_state,
3918 sid, sid, SECCLASS_PROCESS,
3919 PROCESS__EXECSTACK, NULL);
3920 } else if (vma->vm_file && vma->anon_vma) {
3921 /*
3922 * We are making executable a file mapping that has
3923 * had some COW done. Since pages might have been
3924 * written, check ability to execute the possibly
3925 * modified content. This typically should only
3926 * occur for text relocations.
3927 */
3928 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3929 }
3930 if (rc)
3931 return rc;
3932 }
3933
3934 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3935 }
3936
3937 static int selinux_file_lock(struct file *file, unsigned int cmd)
3938 {
3939 const struct cred *cred = current_cred();
3940
3941 return file_has_perm(cred, file, FILE__LOCK);
3942 }
3943
3944 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3945 unsigned long arg)
3946 {
3947 const struct cred *cred = current_cred();
3948 int err = 0;
3949
3950 switch (cmd) {
3951 case F_SETFL:
3952 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3953 err = file_has_perm(cred, file, FILE__WRITE);
3954 break;
3955 }
3956 fallthrough;
3957 case F_SETOWN:
3958 case F_SETSIG:
3959 case F_GETFL:
3960 case F_GETOWN:
3961 case F_GETSIG:
3962 case F_GETOWNER_UIDS:
3963 /* Just check FD__USE permission */
3964 err = file_has_perm(cred, file, 0);
3965 break;
3966 case F_GETLK:
3967 case F_SETLK:
3968 case F_SETLKW:
3969 case F_OFD_GETLK:
3970 case F_OFD_SETLK:
3971 case F_OFD_SETLKW:
3972 #if BITS_PER_LONG == 32
3973 case F_GETLK64:
3974 case F_SETLK64:
3975 case F_SETLKW64:
3976 #endif
3977 err = file_has_perm(cred, file, FILE__LOCK);
3978 break;
3979 }
3980
3981 return err;
3982 }
3983
3984 static void selinux_file_set_fowner(struct file *file)
3985 {
3986 struct file_security_struct *fsec;
3987
3988 fsec = selinux_file(file);
3989 fsec->fown_sid = current_sid();
3990 }
3991
3992 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3993 struct fown_struct *fown, int signum)
3994 {
3995 struct file *file;
3996 u32 sid = task_sid_obj(tsk);
3997 u32 perm;
3998 struct file_security_struct *fsec;
3999
4000 /* struct fown_struct is never outside the context of a struct file */
4001 file = container_of(fown, struct file, f_owner);
4002
4003 fsec = selinux_file(file);
4004
4005 if (!signum)
4006 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
4007 else
4008 perm = signal_to_av(signum);
4009
4010 return avc_has_perm(&selinux_state,
4011 fsec->fown_sid, sid,
4012 SECCLASS_PROCESS, perm, NULL);
4013 }
4014
4015 static int selinux_file_receive(struct file *file)
4016 {
4017 const struct cred *cred = current_cred();
4018
4019 return file_has_perm(cred, file, file_to_av(file));
4020 }
4021
4022 static int selinux_file_open(struct file *file)
4023 {
4024 struct file_security_struct *fsec;
4025 struct inode_security_struct *isec;
4026
4027 fsec = selinux_file(file);
4028 isec = inode_security(file_inode(file));
4029 /*
4030 * Save inode label and policy sequence number
4031 * at open-time so that selinux_file_permission
4032 * can determine whether revalidation is necessary.
4033 * Task label is already saved in the file security
4034 * struct as its SID.
4035 */
4036 fsec->isid = isec->sid;
4037 fsec->pseqno = avc_policy_seqno(&selinux_state);
4038 /*
4039 * Since the inode label or policy seqno may have changed
4040 * between the selinux_inode_permission check and the saving
4041 * of state above, recheck that access is still permitted.
4042 * Otherwise, access might never be revalidated against the
4043 * new inode label or new policy.
4044 * This check is not redundant - do not remove.
4045 */
4046 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
4047 }
4048
4049 /* task security operations */
4050
4051 static int selinux_task_alloc(struct task_struct *task,
4052 unsigned long clone_flags)
4053 {
4054 u32 sid = current_sid();
4055
4056 return avc_has_perm(&selinux_state,
4057 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
4058 }
4059
4060 /*
4061 * prepare a new set of credentials for modification
4062 */
4063 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
4064 gfp_t gfp)
4065 {
4066 const struct task_security_struct *old_tsec = selinux_cred(old);
4067 struct task_security_struct *tsec = selinux_cred(new);
4068
4069 *tsec = *old_tsec;
4070 return 0;
4071 }
4072
4073 /*
4074 * transfer the SELinux data to a blank set of creds
4075 */
4076 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4077 {
4078 const struct task_security_struct *old_tsec = selinux_cred(old);
4079 struct task_security_struct *tsec = selinux_cred(new);
4080
4081 *tsec = *old_tsec;
4082 }
4083
4084 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4085 {
4086 *secid = cred_sid(c);
4087 }
4088
4089 /*
4090 * set the security data for a kernel service
4091 * - all the creation contexts are set to unlabelled
4092 */
4093 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4094 {
4095 struct task_security_struct *tsec = selinux_cred(new);
4096 u32 sid = current_sid();
4097 int ret;
4098
4099 ret = avc_has_perm(&selinux_state,
4100 sid, secid,
4101 SECCLASS_KERNEL_SERVICE,
4102 KERNEL_SERVICE__USE_AS_OVERRIDE,
4103 NULL);
4104 if (ret == 0) {
4105 tsec->sid = secid;
4106 tsec->create_sid = 0;
4107 tsec->keycreate_sid = 0;
4108 tsec->sockcreate_sid = 0;
4109 }
4110 return ret;
4111 }
4112
4113 /*
4114 * set the file creation context in a security record to the same as the
4115 * objective context of the specified inode
4116 */
4117 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4118 {
4119 struct inode_security_struct *isec = inode_security(inode);
4120 struct task_security_struct *tsec = selinux_cred(new);
4121 u32 sid = current_sid();
4122 int ret;
4123
4124 ret = avc_has_perm(&selinux_state,
4125 sid, isec->sid,
4126 SECCLASS_KERNEL_SERVICE,
4127 KERNEL_SERVICE__CREATE_FILES_AS,
4128 NULL);
4129
4130 if (ret == 0)
4131 tsec->create_sid = isec->sid;
4132 return ret;
4133 }
4134
4135 static int selinux_kernel_module_request(char *kmod_name)
4136 {
4137 struct common_audit_data ad;
4138
4139 ad.type = LSM_AUDIT_DATA_KMOD;
4140 ad.u.kmod_name = kmod_name;
4141
4142 return avc_has_perm(&selinux_state,
4143 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4144 SYSTEM__MODULE_REQUEST, &ad);
4145 }
4146
4147 static int selinux_kernel_module_from_file(struct file *file)
4148 {
4149 struct common_audit_data ad;
4150 struct inode_security_struct *isec;
4151 struct file_security_struct *fsec;
4152 u32 sid = current_sid();
4153 int rc;
4154
4155 /* init_module */
4156 if (file == NULL)
4157 return avc_has_perm(&selinux_state,
4158 sid, sid, SECCLASS_SYSTEM,
4159 SYSTEM__MODULE_LOAD, NULL);
4160
4161 /* finit_module */
4162
4163 ad.type = LSM_AUDIT_DATA_FILE;
4164 ad.u.file = file;
4165
4166 fsec = selinux_file(file);
4167 if (sid != fsec->sid) {
4168 rc = avc_has_perm(&selinux_state,
4169 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4170 if (rc)
4171 return rc;
4172 }
4173
4174 isec = inode_security(file_inode(file));
4175 return avc_has_perm(&selinux_state,
4176 sid, isec->sid, SECCLASS_SYSTEM,
4177 SYSTEM__MODULE_LOAD, &ad);
4178 }
4179
4180 static int selinux_kernel_read_file(struct file *file,
4181 enum kernel_read_file_id id,
4182 bool contents)
4183 {
4184 int rc = 0;
4185
4186 switch (id) {
4187 case READING_MODULE:
4188 rc = selinux_kernel_module_from_file(contents ? file : NULL);
4189 break;
4190 default:
4191 break;
4192 }
4193
4194 return rc;
4195 }
4196
4197 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4198 {
4199 int rc = 0;
4200
4201 switch (id) {
4202 case LOADING_MODULE:
4203 rc = selinux_kernel_module_from_file(NULL);
4204 break;
4205 default:
4206 break;
4207 }
4208
4209 return rc;
4210 }
4211
4212 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4213 {
4214 return avc_has_perm(&selinux_state,
4215 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4216 PROCESS__SETPGID, NULL);
4217 }
4218
4219 static int selinux_task_getpgid(struct task_struct *p)
4220 {
4221 return avc_has_perm(&selinux_state,
4222 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4223 PROCESS__GETPGID, NULL);
4224 }
4225
4226 static int selinux_task_getsid(struct task_struct *p)
4227 {
4228 return avc_has_perm(&selinux_state,
4229 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4230 PROCESS__GETSESSION, NULL);
4231 }
4232
4233 static void selinux_task_getsecid_subj(struct task_struct *p, u32 *secid)
4234 {
4235 *secid = task_sid_subj(p);
4236 }
4237
4238 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4239 {
4240 *secid = task_sid_obj(p);
4241 }
4242
4243 static int selinux_task_setnice(struct task_struct *p, int nice)
4244 {
4245 return avc_has_perm(&selinux_state,
4246 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4247 PROCESS__SETSCHED, NULL);
4248 }
4249
4250 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4251 {
4252 return avc_has_perm(&selinux_state,
4253 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4254 PROCESS__SETSCHED, NULL);
4255 }
4256
4257 static int selinux_task_getioprio(struct task_struct *p)
4258 {
4259 return avc_has_perm(&selinux_state,
4260 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4261 PROCESS__GETSCHED, NULL);
4262 }
4263
4264 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4265 unsigned int flags)
4266 {
4267 u32 av = 0;
4268
4269 if (!flags)
4270 return 0;
4271 if (flags & LSM_PRLIMIT_WRITE)
4272 av |= PROCESS__SETRLIMIT;
4273 if (flags & LSM_PRLIMIT_READ)
4274 av |= PROCESS__GETRLIMIT;
4275 return avc_has_perm(&selinux_state,
4276 cred_sid(cred), cred_sid(tcred),
4277 SECCLASS_PROCESS, av, NULL);
4278 }
4279
4280 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4281 struct rlimit *new_rlim)
4282 {
4283 struct rlimit *old_rlim = p->signal->rlim + resource;
4284
4285 /* Control the ability to change the hard limit (whether
4286 lowering or raising it), so that the hard limit can
4287 later be used as a safe reset point for the soft limit
4288 upon context transitions. See selinux_bprm_committing_creds. */
4289 if (old_rlim->rlim_max != new_rlim->rlim_max)
4290 return avc_has_perm(&selinux_state,
4291 current_sid(), task_sid_obj(p),
4292 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4293
4294 return 0;
4295 }
4296
4297 static int selinux_task_setscheduler(struct task_struct *p)
4298 {
4299 return avc_has_perm(&selinux_state,
4300 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4301 PROCESS__SETSCHED, NULL);
4302 }
4303
4304 static int selinux_task_getscheduler(struct task_struct *p)
4305 {
4306 return avc_has_perm(&selinux_state,
4307 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4308 PROCESS__GETSCHED, NULL);
4309 }
4310
4311 static int selinux_task_movememory(struct task_struct *p)
4312 {
4313 return avc_has_perm(&selinux_state,
4314 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4315 PROCESS__SETSCHED, NULL);
4316 }
4317
4318 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4319 int sig, const struct cred *cred)
4320 {
4321 u32 secid;
4322 u32 perm;
4323
4324 if (!sig)
4325 perm = PROCESS__SIGNULL; /* null signal; existence test */
4326 else
4327 perm = signal_to_av(sig);
4328 if (!cred)
4329 secid = current_sid();
4330 else
4331 secid = cred_sid(cred);
4332 return avc_has_perm(&selinux_state,
4333 secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4334 }
4335
4336 static void selinux_task_to_inode(struct task_struct *p,
4337 struct inode *inode)
4338 {
4339 struct inode_security_struct *isec = selinux_inode(inode);
4340 u32 sid = task_sid_obj(p);
4341
4342 spin_lock(&isec->lock);
4343 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4344 isec->sid = sid;
4345 isec->initialized = LABEL_INITIALIZED;
4346 spin_unlock(&isec->lock);
4347 }
4348
4349 /* Returns error only if unable to parse addresses */
4350 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4351 struct common_audit_data *ad, u8 *proto)
4352 {
4353 int offset, ihlen, ret = -EINVAL;
4354 struct iphdr _iph, *ih;
4355
4356 offset = skb_network_offset(skb);
4357 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4358 if (ih == NULL)
4359 goto out;
4360
4361 ihlen = ih->ihl * 4;
4362 if (ihlen < sizeof(_iph))
4363 goto out;
4364
4365 ad->u.net->v4info.saddr = ih->saddr;
4366 ad->u.net->v4info.daddr = ih->daddr;
4367 ret = 0;
4368
4369 if (proto)
4370 *proto = ih->protocol;
4371
4372 switch (ih->protocol) {
4373 case IPPROTO_TCP: {
4374 struct tcphdr _tcph, *th;
4375
4376 if (ntohs(ih->frag_off) & IP_OFFSET)
4377 break;
4378
4379 offset += ihlen;
4380 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4381 if (th == NULL)
4382 break;
4383
4384 ad->u.net->sport = th->source;
4385 ad->u.net->dport = th->dest;
4386 break;
4387 }
4388
4389 case IPPROTO_UDP: {
4390 struct udphdr _udph, *uh;
4391
4392 if (ntohs(ih->frag_off) & IP_OFFSET)
4393 break;
4394
4395 offset += ihlen;
4396 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4397 if (uh == NULL)
4398 break;
4399
4400 ad->u.net->sport = uh->source;
4401 ad->u.net->dport = uh->dest;
4402 break;
4403 }
4404
4405 case IPPROTO_DCCP: {
4406 struct dccp_hdr _dccph, *dh;
4407
4408 if (ntohs(ih->frag_off) & IP_OFFSET)
4409 break;
4410
4411 offset += ihlen;
4412 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4413 if (dh == NULL)
4414 break;
4415
4416 ad->u.net->sport = dh->dccph_sport;
4417 ad->u.net->dport = dh->dccph_dport;
4418 break;
4419 }
4420
4421 #if IS_ENABLED(CONFIG_IP_SCTP)
4422 case IPPROTO_SCTP: {
4423 struct sctphdr _sctph, *sh;
4424
4425 if (ntohs(ih->frag_off) & IP_OFFSET)
4426 break;
4427
4428 offset += ihlen;
4429 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4430 if (sh == NULL)
4431 break;
4432
4433 ad->u.net->sport = sh->source;
4434 ad->u.net->dport = sh->dest;
4435 break;
4436 }
4437 #endif
4438 default:
4439 break;
4440 }
4441 out:
4442 return ret;
4443 }
4444
4445 #if IS_ENABLED(CONFIG_IPV6)
4446
4447 /* Returns error only if unable to parse addresses */
4448 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4449 struct common_audit_data *ad, u8 *proto)
4450 {
4451 u8 nexthdr;
4452 int ret = -EINVAL, offset;
4453 struct ipv6hdr _ipv6h, *ip6;
4454 __be16 frag_off;
4455
4456 offset = skb_network_offset(skb);
4457 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4458 if (ip6 == NULL)
4459 goto out;
4460
4461 ad->u.net->v6info.saddr = ip6->saddr;
4462 ad->u.net->v6info.daddr = ip6->daddr;
4463 ret = 0;
4464
4465 nexthdr = ip6->nexthdr;
4466 offset += sizeof(_ipv6h);
4467 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4468 if (offset < 0)
4469 goto out;
4470
4471 if (proto)
4472 *proto = nexthdr;
4473
4474 switch (nexthdr) {
4475 case IPPROTO_TCP: {
4476 struct tcphdr _tcph, *th;
4477
4478 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4479 if (th == NULL)
4480 break;
4481
4482 ad->u.net->sport = th->source;
4483 ad->u.net->dport = th->dest;
4484 break;
4485 }
4486
4487 case IPPROTO_UDP: {
4488 struct udphdr _udph, *uh;
4489
4490 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4491 if (uh == NULL)
4492 break;
4493
4494 ad->u.net->sport = uh->source;
4495 ad->u.net->dport = uh->dest;
4496 break;
4497 }
4498
4499 case IPPROTO_DCCP: {
4500 struct dccp_hdr _dccph, *dh;
4501
4502 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4503 if (dh == NULL)
4504 break;
4505
4506 ad->u.net->sport = dh->dccph_sport;
4507 ad->u.net->dport = dh->dccph_dport;
4508 break;
4509 }
4510
4511 #if IS_ENABLED(CONFIG_IP_SCTP)
4512 case IPPROTO_SCTP: {
4513 struct sctphdr _sctph, *sh;
4514
4515 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4516 if (sh == NULL)
4517 break;
4518
4519 ad->u.net->sport = sh->source;
4520 ad->u.net->dport = sh->dest;
4521 break;
4522 }
4523 #endif
4524 /* includes fragments */
4525 default:
4526 break;
4527 }
4528 out:
4529 return ret;
4530 }
4531
4532 #endif /* IPV6 */
4533
4534 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4535 char **_addrp, int src, u8 *proto)
4536 {
4537 char *addrp;
4538 int ret;
4539
4540 switch (ad->u.net->family) {
4541 case PF_INET:
4542 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4543 if (ret)
4544 goto parse_error;
4545 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4546 &ad->u.net->v4info.daddr);
4547 goto okay;
4548
4549 #if IS_ENABLED(CONFIG_IPV6)
4550 case PF_INET6:
4551 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4552 if (ret)
4553 goto parse_error;
4554 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4555 &ad->u.net->v6info.daddr);
4556 goto okay;
4557 #endif /* IPV6 */
4558 default:
4559 addrp = NULL;
4560 goto okay;
4561 }
4562
4563 parse_error:
4564 pr_warn(
4565 "SELinux: failure in selinux_parse_skb(),"
4566 " unable to parse packet\n");
4567 return ret;
4568
4569 okay:
4570 if (_addrp)
4571 *_addrp = addrp;
4572 return 0;
4573 }
4574
4575 /**
4576 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4577 * @skb: the packet
4578 * @family: protocol family
4579 * @sid: the packet's peer label SID
4580 *
4581 * Description:
4582 * Check the various different forms of network peer labeling and determine
4583 * the peer label/SID for the packet; most of the magic actually occurs in
4584 * the security server function security_net_peersid_cmp(). The function
4585 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4586 * or -EACCES if @sid is invalid due to inconsistencies with the different
4587 * peer labels.
4588 *
4589 */
4590 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4591 {
4592 int err;
4593 u32 xfrm_sid;
4594 u32 nlbl_sid;
4595 u32 nlbl_type;
4596
4597 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4598 if (unlikely(err))
4599 return -EACCES;
4600 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4601 if (unlikely(err))
4602 return -EACCES;
4603
4604 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4605 nlbl_type, xfrm_sid, sid);
4606 if (unlikely(err)) {
4607 pr_warn(
4608 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4609 " unable to determine packet's peer label\n");
4610 return -EACCES;
4611 }
4612
4613 return 0;
4614 }
4615
4616 /**
4617 * selinux_conn_sid - Determine the child socket label for a connection
4618 * @sk_sid: the parent socket's SID
4619 * @skb_sid: the packet's SID
4620 * @conn_sid: the resulting connection SID
4621 *
4622 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4623 * combined with the MLS information from @skb_sid in order to create
4624 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy
4625 * of @sk_sid. Returns zero on success, negative values on failure.
4626 *
4627 */
4628 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4629 {
4630 int err = 0;
4631
4632 if (skb_sid != SECSID_NULL)
4633 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4634 conn_sid);
4635 else
4636 *conn_sid = sk_sid;
4637
4638 return err;
4639 }
4640
4641 /* socket security operations */
4642
4643 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4644 u16 secclass, u32 *socksid)
4645 {
4646 if (tsec->sockcreate_sid > SECSID_NULL) {
4647 *socksid = tsec->sockcreate_sid;
4648 return 0;
4649 }
4650
4651 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4652 secclass, NULL, socksid);
4653 }
4654
4655 static int sock_has_perm(struct sock *sk, u32 perms)
4656 {
4657 struct sk_security_struct *sksec = sk->sk_security;
4658 struct common_audit_data ad;
4659 struct lsm_network_audit net = {0,};
4660
4661 if (sksec->sid == SECINITSID_KERNEL)
4662 return 0;
4663
4664 ad.type = LSM_AUDIT_DATA_NET;
4665 ad.u.net = &net;
4666 ad.u.net->sk = sk;
4667
4668 return avc_has_perm(&selinux_state,
4669 current_sid(), sksec->sid, sksec->sclass, perms,
4670 &ad);
4671 }
4672
4673 static int selinux_socket_create(int family, int type,
4674 int protocol, int kern)
4675 {
4676 const struct task_security_struct *tsec = selinux_cred(current_cred());
4677 u32 newsid;
4678 u16 secclass;
4679 int rc;
4680
4681 if (kern)
4682 return 0;
4683
4684 secclass = socket_type_to_security_class(family, type, protocol);
4685 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4686 if (rc)
4687 return rc;
4688
4689 return avc_has_perm(&selinux_state,
4690 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4691 }
4692
4693 static int selinux_socket_post_create(struct socket *sock, int family,
4694 int type, int protocol, int kern)
4695 {
4696 const struct task_security_struct *tsec = selinux_cred(current_cred());
4697 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4698 struct sk_security_struct *sksec;
4699 u16 sclass = socket_type_to_security_class(family, type, protocol);
4700 u32 sid = SECINITSID_KERNEL;
4701 int err = 0;
4702
4703 if (!kern) {
4704 err = socket_sockcreate_sid(tsec, sclass, &sid);
4705 if (err)
4706 return err;
4707 }
4708
4709 isec->sclass = sclass;
4710 isec->sid = sid;
4711 isec->initialized = LABEL_INITIALIZED;
4712
4713 if (sock->sk) {
4714 sksec = sock->sk->sk_security;
4715 sksec->sclass = sclass;
4716 sksec->sid = sid;
4717 /* Allows detection of the first association on this socket */
4718 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4719 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4720
4721 err = selinux_netlbl_socket_post_create(sock->sk, family);
4722 }
4723
4724 return err;
4725 }
4726
4727 static int selinux_socket_socketpair(struct socket *socka,
4728 struct socket *sockb)
4729 {
4730 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4731 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4732
4733 sksec_a->peer_sid = sksec_b->sid;
4734 sksec_b->peer_sid = sksec_a->sid;
4735
4736 return 0;
4737 }
4738
4739 /* Range of port numbers used to automatically bind.
4740 Need to determine whether we should perform a name_bind
4741 permission check between the socket and the port number. */
4742
4743 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4744 {
4745 struct sock *sk = sock->sk;
4746 struct sk_security_struct *sksec = sk->sk_security;
4747 u16 family;
4748 int err;
4749
4750 err = sock_has_perm(sk, SOCKET__BIND);
4751 if (err)
4752 goto out;
4753
4754 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4755 family = sk->sk_family;
4756 if (family == PF_INET || family == PF_INET6) {
4757 char *addrp;
4758 struct common_audit_data ad;
4759 struct lsm_network_audit net = {0,};
4760 struct sockaddr_in *addr4 = NULL;
4761 struct sockaddr_in6 *addr6 = NULL;
4762 u16 family_sa;
4763 unsigned short snum;
4764 u32 sid, node_perm;
4765
4766 /*
4767 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4768 * that validates multiple binding addresses. Because of this
4769 * need to check address->sa_family as it is possible to have
4770 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4771 */
4772 if (addrlen < offsetofend(struct sockaddr, sa_family))
4773 return -EINVAL;
4774 family_sa = address->sa_family;
4775 switch (family_sa) {
4776 case AF_UNSPEC:
4777 case AF_INET:
4778 if (addrlen < sizeof(struct sockaddr_in))
4779 return -EINVAL;
4780 addr4 = (struct sockaddr_in *)address;
4781 if (family_sa == AF_UNSPEC) {
4782 /* see __inet_bind(), we only want to allow
4783 * AF_UNSPEC if the address is INADDR_ANY
4784 */
4785 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4786 goto err_af;
4787 family_sa = AF_INET;
4788 }
4789 snum = ntohs(addr4->sin_port);
4790 addrp = (char *)&addr4->sin_addr.s_addr;
4791 break;
4792 case AF_INET6:
4793 if (addrlen < SIN6_LEN_RFC2133)
4794 return -EINVAL;
4795 addr6 = (struct sockaddr_in6 *)address;
4796 snum = ntohs(addr6->sin6_port);
4797 addrp = (char *)&addr6->sin6_addr.s6_addr;
4798 break;
4799 default:
4800 goto err_af;
4801 }
4802
4803 ad.type = LSM_AUDIT_DATA_NET;
4804 ad.u.net = &net;
4805 ad.u.net->sport = htons(snum);
4806 ad.u.net->family = family_sa;
4807
4808 if (snum) {
4809 int low, high;
4810
4811 inet_get_local_port_range(sock_net(sk), &low, &high);
4812
4813 if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4814 snum < low || snum > high) {
4815 err = sel_netport_sid(sk->sk_protocol,
4816 snum, &sid);
4817 if (err)
4818 goto out;
4819 err = avc_has_perm(&selinux_state,
4820 sksec->sid, sid,
4821 sksec->sclass,
4822 SOCKET__NAME_BIND, &ad);
4823 if (err)
4824 goto out;
4825 }
4826 }
4827
4828 switch (sksec->sclass) {
4829 case SECCLASS_TCP_SOCKET:
4830 node_perm = TCP_SOCKET__NODE_BIND;
4831 break;
4832
4833 case SECCLASS_UDP_SOCKET:
4834 node_perm = UDP_SOCKET__NODE_BIND;
4835 break;
4836
4837 case SECCLASS_DCCP_SOCKET:
4838 node_perm = DCCP_SOCKET__NODE_BIND;
4839 break;
4840
4841 case SECCLASS_SCTP_SOCKET:
4842 node_perm = SCTP_SOCKET__NODE_BIND;
4843 break;
4844
4845 default:
4846 node_perm = RAWIP_SOCKET__NODE_BIND;
4847 break;
4848 }
4849
4850 err = sel_netnode_sid(addrp, family_sa, &sid);
4851 if (err)
4852 goto out;
4853
4854 if (family_sa == AF_INET)
4855 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4856 else
4857 ad.u.net->v6info.saddr = addr6->sin6_addr;
4858
4859 err = avc_has_perm(&selinux_state,
4860 sksec->sid, sid,
4861 sksec->sclass, node_perm, &ad);
4862 if (err)
4863 goto out;
4864 }
4865 out:
4866 return err;
4867 err_af:
4868 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4869 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4870 return -EINVAL;
4871 return -EAFNOSUPPORT;
4872 }
4873
4874 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4875 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4876 */
4877 static int selinux_socket_connect_helper(struct socket *sock,
4878 struct sockaddr *address, int addrlen)
4879 {
4880 struct sock *sk = sock->sk;
4881 struct sk_security_struct *sksec = sk->sk_security;
4882 int err;
4883
4884 err = sock_has_perm(sk, SOCKET__CONNECT);
4885 if (err)
4886 return err;
4887 if (addrlen < offsetofend(struct sockaddr, sa_family))
4888 return -EINVAL;
4889
4890 /* connect(AF_UNSPEC) has special handling, as it is a documented
4891 * way to disconnect the socket
4892 */
4893 if (address->sa_family == AF_UNSPEC)
4894 return 0;
4895
4896 /*
4897 * If a TCP, DCCP or SCTP socket, check name_connect permission
4898 * for the port.
4899 */
4900 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4901 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4902 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4903 struct common_audit_data ad;
4904 struct lsm_network_audit net = {0,};
4905 struct sockaddr_in *addr4 = NULL;
4906 struct sockaddr_in6 *addr6 = NULL;
4907 unsigned short snum;
4908 u32 sid, perm;
4909
4910 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4911 * that validates multiple connect addresses. Because of this
4912 * need to check address->sa_family as it is possible to have
4913 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4914 */
4915 switch (address->sa_family) {
4916 case AF_INET:
4917 addr4 = (struct sockaddr_in *)address;
4918 if (addrlen < sizeof(struct sockaddr_in))
4919 return -EINVAL;
4920 snum = ntohs(addr4->sin_port);
4921 break;
4922 case AF_INET6:
4923 addr6 = (struct sockaddr_in6 *)address;
4924 if (addrlen < SIN6_LEN_RFC2133)
4925 return -EINVAL;
4926 snum = ntohs(addr6->sin6_port);
4927 break;
4928 default:
4929 /* Note that SCTP services expect -EINVAL, whereas
4930 * others expect -EAFNOSUPPORT.
4931 */
4932 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4933 return -EINVAL;
4934 else
4935 return -EAFNOSUPPORT;
4936 }
4937
4938 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4939 if (err)
4940 return err;
4941
4942 switch (sksec->sclass) {
4943 case SECCLASS_TCP_SOCKET:
4944 perm = TCP_SOCKET__NAME_CONNECT;
4945 break;
4946 case SECCLASS_DCCP_SOCKET:
4947 perm = DCCP_SOCKET__NAME_CONNECT;
4948 break;
4949 case SECCLASS_SCTP_SOCKET:
4950 perm = SCTP_SOCKET__NAME_CONNECT;
4951 break;
4952 }
4953
4954 ad.type = LSM_AUDIT_DATA_NET;
4955 ad.u.net = &net;
4956 ad.u.net->dport = htons(snum);
4957 ad.u.net->family = address->sa_family;
4958 err = avc_has_perm(&selinux_state,
4959 sksec->sid, sid, sksec->sclass, perm, &ad);
4960 if (err)
4961 return err;
4962 }
4963
4964 return 0;
4965 }
4966
4967 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4968 static int selinux_socket_connect(struct socket *sock,
4969 struct sockaddr *address, int addrlen)
4970 {
4971 int err;
4972 struct sock *sk = sock->sk;
4973
4974 err = selinux_socket_connect_helper(sock, address, addrlen);
4975 if (err)
4976 return err;
4977
4978 return selinux_netlbl_socket_connect(sk, address);
4979 }
4980
4981 static int selinux_socket_listen(struct socket *sock, int backlog)
4982 {
4983 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4984 }
4985
4986 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4987 {
4988 int err;
4989 struct inode_security_struct *isec;
4990 struct inode_security_struct *newisec;
4991 u16 sclass;
4992 u32 sid;
4993
4994 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4995 if (err)
4996 return err;
4997
4998 isec = inode_security_novalidate(SOCK_INODE(sock));
4999 spin_lock(&isec->lock);
5000 sclass = isec->sclass;
5001 sid = isec->sid;
5002 spin_unlock(&isec->lock);
5003
5004 newisec = inode_security_novalidate(SOCK_INODE(newsock));
5005 newisec->sclass = sclass;
5006 newisec->sid = sid;
5007 newisec->initialized = LABEL_INITIALIZED;
5008
5009 return 0;
5010 }
5011
5012 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
5013 int size)
5014 {
5015 return sock_has_perm(sock->sk, SOCKET__WRITE);
5016 }
5017
5018 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
5019 int size, int flags)
5020 {
5021 return sock_has_perm(sock->sk, SOCKET__READ);
5022 }
5023
5024 static int selinux_socket_getsockname(struct socket *sock)
5025 {
5026 return sock_has_perm(sock->sk, SOCKET__GETATTR);
5027 }
5028
5029 static int selinux_socket_getpeername(struct socket *sock)
5030 {
5031 return sock_has_perm(sock->sk, SOCKET__GETATTR);
5032 }
5033
5034 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
5035 {
5036 int err;
5037
5038 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
5039 if (err)
5040 return err;
5041
5042 return selinux_netlbl_socket_setsockopt(sock, level, optname);
5043 }
5044
5045 static int selinux_socket_getsockopt(struct socket *sock, int level,
5046 int optname)
5047 {
5048 return sock_has_perm(sock->sk, SOCKET__GETOPT);
5049 }
5050
5051 static int selinux_socket_shutdown(struct socket *sock, int how)
5052 {
5053 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
5054 }
5055
5056 static int selinux_socket_unix_stream_connect(struct sock *sock,
5057 struct sock *other,
5058 struct sock *newsk)
5059 {
5060 struct sk_security_struct *sksec_sock = sock->sk_security;
5061 struct sk_security_struct *sksec_other = other->sk_security;
5062 struct sk_security_struct *sksec_new = newsk->sk_security;
5063 struct common_audit_data ad;
5064 struct lsm_network_audit net = {0,};
5065 int err;
5066
5067 ad.type = LSM_AUDIT_DATA_NET;
5068 ad.u.net = &net;
5069 ad.u.net->sk = other;
5070
5071 err = avc_has_perm(&selinux_state,
5072 sksec_sock->sid, sksec_other->sid,
5073 sksec_other->sclass,
5074 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
5075 if (err)
5076 return err;
5077
5078 /* server child socket */
5079 sksec_new->peer_sid = sksec_sock->sid;
5080 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
5081 sksec_sock->sid, &sksec_new->sid);
5082 if (err)
5083 return err;
5084
5085 /* connecting socket */
5086 sksec_sock->peer_sid = sksec_new->sid;
5087
5088 return 0;
5089 }
5090
5091 static int selinux_socket_unix_may_send(struct socket *sock,
5092 struct socket *other)
5093 {
5094 struct sk_security_struct *ssec = sock->sk->sk_security;
5095 struct sk_security_struct *osec = other->sk->sk_security;
5096 struct common_audit_data ad;
5097 struct lsm_network_audit net = {0,};
5098
5099 ad.type = LSM_AUDIT_DATA_NET;
5100 ad.u.net = &net;
5101 ad.u.net->sk = other->sk;
5102
5103 return avc_has_perm(&selinux_state,
5104 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5105 &ad);
5106 }
5107
5108 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5109 char *addrp, u16 family, u32 peer_sid,
5110 struct common_audit_data *ad)
5111 {
5112 int err;
5113 u32 if_sid;
5114 u32 node_sid;
5115
5116 err = sel_netif_sid(ns, ifindex, &if_sid);
5117 if (err)
5118 return err;
5119 err = avc_has_perm(&selinux_state,
5120 peer_sid, if_sid,
5121 SECCLASS_NETIF, NETIF__INGRESS, ad);
5122 if (err)
5123 return err;
5124
5125 err = sel_netnode_sid(addrp, family, &node_sid);
5126 if (err)
5127 return err;
5128 return avc_has_perm(&selinux_state,
5129 peer_sid, node_sid,
5130 SECCLASS_NODE, NODE__RECVFROM, ad);
5131 }
5132
5133 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5134 u16 family)
5135 {
5136 int err = 0;
5137 struct sk_security_struct *sksec = sk->sk_security;
5138 u32 sk_sid = sksec->sid;
5139 struct common_audit_data ad;
5140 struct lsm_network_audit net = {0,};
5141 char *addrp;
5142
5143 ad.type = LSM_AUDIT_DATA_NET;
5144 ad.u.net = &net;
5145 ad.u.net->netif = skb->skb_iif;
5146 ad.u.net->family = family;
5147 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5148 if (err)
5149 return err;
5150
5151 if (selinux_secmark_enabled()) {
5152 err = avc_has_perm(&selinux_state,
5153 sk_sid, skb->secmark, SECCLASS_PACKET,
5154 PACKET__RECV, &ad);
5155 if (err)
5156 return err;
5157 }
5158
5159 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5160 if (err)
5161 return err;
5162 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5163
5164 return err;
5165 }
5166
5167 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5168 {
5169 int err;
5170 struct sk_security_struct *sksec = sk->sk_security;
5171 u16 family = sk->sk_family;
5172 u32 sk_sid = sksec->sid;
5173 struct common_audit_data ad;
5174 struct lsm_network_audit net = {0,};
5175 char *addrp;
5176 u8 secmark_active;
5177 u8 peerlbl_active;
5178
5179 if (family != PF_INET && family != PF_INET6)
5180 return 0;
5181
5182 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5183 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5184 family = PF_INET;
5185
5186 /* If any sort of compatibility mode is enabled then handoff processing
5187 * to the selinux_sock_rcv_skb_compat() function to deal with the
5188 * special handling. We do this in an attempt to keep this function
5189 * as fast and as clean as possible. */
5190 if (!selinux_policycap_netpeer())
5191 return selinux_sock_rcv_skb_compat(sk, skb, family);
5192
5193 secmark_active = selinux_secmark_enabled();
5194 peerlbl_active = selinux_peerlbl_enabled();
5195 if (!secmark_active && !peerlbl_active)
5196 return 0;
5197
5198 ad.type = LSM_AUDIT_DATA_NET;
5199 ad.u.net = &net;
5200 ad.u.net->netif = skb->skb_iif;
5201 ad.u.net->family = family;
5202 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5203 if (err)
5204 return err;
5205
5206 if (peerlbl_active) {
5207 u32 peer_sid;
5208
5209 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5210 if (err)
5211 return err;
5212 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5213 addrp, family, peer_sid, &ad);
5214 if (err) {
5215 selinux_netlbl_err(skb, family, err, 0);
5216 return err;
5217 }
5218 err = avc_has_perm(&selinux_state,
5219 sk_sid, peer_sid, SECCLASS_PEER,
5220 PEER__RECV, &ad);
5221 if (err) {
5222 selinux_netlbl_err(skb, family, err, 0);
5223 return err;
5224 }
5225 }
5226
5227 if (secmark_active) {
5228 err = avc_has_perm(&selinux_state,
5229 sk_sid, skb->secmark, SECCLASS_PACKET,
5230 PACKET__RECV, &ad);
5231 if (err)
5232 return err;
5233 }
5234
5235 return err;
5236 }
5237
5238 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5239 int __user *optlen, unsigned len)
5240 {
5241 int err = 0;
5242 char *scontext;
5243 u32 scontext_len;
5244 struct sk_security_struct *sksec = sock->sk->sk_security;
5245 u32 peer_sid = SECSID_NULL;
5246
5247 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5248 sksec->sclass == SECCLASS_TCP_SOCKET ||
5249 sksec->sclass == SECCLASS_SCTP_SOCKET)
5250 peer_sid = sksec->peer_sid;
5251 if (peer_sid == SECSID_NULL)
5252 return -ENOPROTOOPT;
5253
5254 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5255 &scontext_len);
5256 if (err)
5257 return err;
5258
5259 if (scontext_len > len) {
5260 err = -ERANGE;
5261 goto out_len;
5262 }
5263
5264 if (copy_to_user(optval, scontext, scontext_len))
5265 err = -EFAULT;
5266
5267 out_len:
5268 if (put_user(scontext_len, optlen))
5269 err = -EFAULT;
5270 kfree(scontext);
5271 return err;
5272 }
5273
5274 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5275 {
5276 u32 peer_secid = SECSID_NULL;
5277 u16 family;
5278 struct inode_security_struct *isec;
5279
5280 if (skb && skb->protocol == htons(ETH_P_IP))
5281 family = PF_INET;
5282 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5283 family = PF_INET6;
5284 else if (sock)
5285 family = sock->sk->sk_family;
5286 else
5287 goto out;
5288
5289 if (sock && family == PF_UNIX) {
5290 isec = inode_security_novalidate(SOCK_INODE(sock));
5291 peer_secid = isec->sid;
5292 } else if (skb)
5293 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5294
5295 out:
5296 *secid = peer_secid;
5297 if (peer_secid == SECSID_NULL)
5298 return -EINVAL;
5299 return 0;
5300 }
5301
5302 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5303 {
5304 struct sk_security_struct *sksec;
5305
5306 sksec = kzalloc(sizeof(*sksec), priority);
5307 if (!sksec)
5308 return -ENOMEM;
5309
5310 sksec->peer_sid = SECINITSID_UNLABELED;
5311 sksec->sid = SECINITSID_UNLABELED;
5312 sksec->sclass = SECCLASS_SOCKET;
5313 selinux_netlbl_sk_security_reset(sksec);
5314 sk->sk_security = sksec;
5315
5316 return 0;
5317 }
5318
5319 static void selinux_sk_free_security(struct sock *sk)
5320 {
5321 struct sk_security_struct *sksec = sk->sk_security;
5322
5323 sk->sk_security = NULL;
5324 selinux_netlbl_sk_security_free(sksec);
5325 kfree(sksec);
5326 }
5327
5328 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5329 {
5330 struct sk_security_struct *sksec = sk->sk_security;
5331 struct sk_security_struct *newsksec = newsk->sk_security;
5332
5333 newsksec->sid = sksec->sid;
5334 newsksec->peer_sid = sksec->peer_sid;
5335 newsksec->sclass = sksec->sclass;
5336
5337 selinux_netlbl_sk_security_reset(newsksec);
5338 }
5339
5340 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5341 {
5342 if (!sk)
5343 *secid = SECINITSID_ANY_SOCKET;
5344 else {
5345 struct sk_security_struct *sksec = sk->sk_security;
5346
5347 *secid = sksec->sid;
5348 }
5349 }
5350
5351 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5352 {
5353 struct inode_security_struct *isec =
5354 inode_security_novalidate(SOCK_INODE(parent));
5355 struct sk_security_struct *sksec = sk->sk_security;
5356
5357 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5358 sk->sk_family == PF_UNIX)
5359 isec->sid = sksec->sid;
5360 sksec->sclass = isec->sclass;
5361 }
5362
5363 /*
5364 * Determines peer_secid for the asoc and updates socket's peer label
5365 * if it's the first association on the socket.
5366 */
5367 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5368 struct sk_buff *skb)
5369 {
5370 struct sock *sk = asoc->base.sk;
5371 u16 family = sk->sk_family;
5372 struct sk_security_struct *sksec = sk->sk_security;
5373 struct common_audit_data ad;
5374 struct lsm_network_audit net = {0,};
5375 int err;
5376
5377 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5378 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5379 family = PF_INET;
5380
5381 if (selinux_peerlbl_enabled()) {
5382 asoc->peer_secid = SECSID_NULL;
5383
5384 /* This will return peer_sid = SECSID_NULL if there are
5385 * no peer labels, see security_net_peersid_resolve().
5386 */
5387 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5388 if (err)
5389 return err;
5390
5391 if (asoc->peer_secid == SECSID_NULL)
5392 asoc->peer_secid = SECINITSID_UNLABELED;
5393 } else {
5394 asoc->peer_secid = SECINITSID_UNLABELED;
5395 }
5396
5397 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5398 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5399
5400 /* Here as first association on socket. As the peer SID
5401 * was allowed by peer recv (and the netif/node checks),
5402 * then it is approved by policy and used as the primary
5403 * peer SID for getpeercon(3).
5404 */
5405 sksec->peer_sid = asoc->peer_secid;
5406 } else if (sksec->peer_sid != asoc->peer_secid) {
5407 /* Other association peer SIDs are checked to enforce
5408 * consistency among the peer SIDs.
5409 */
5410 ad.type = LSM_AUDIT_DATA_NET;
5411 ad.u.net = &net;
5412 ad.u.net->sk = asoc->base.sk;
5413 err = avc_has_perm(&selinux_state,
5414 sksec->peer_sid, asoc->peer_secid,
5415 sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5416 &ad);
5417 if (err)
5418 return err;
5419 }
5420 return 0;
5421 }
5422
5423 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5424 * happens on an incoming connect(2), sctp_connectx(3) or
5425 * sctp_sendmsg(3) (with no association already present).
5426 */
5427 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5428 struct sk_buff *skb)
5429 {
5430 struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5431 u32 conn_sid;
5432 int err;
5433
5434 if (!selinux_policycap_extsockclass())
5435 return 0;
5436
5437 err = selinux_sctp_process_new_assoc(asoc, skb);
5438 if (err)
5439 return err;
5440
5441 /* Compute the MLS component for the connection and store
5442 * the information in asoc. This will be used by SCTP TCP type
5443 * sockets and peeled off connections as they cause a new
5444 * socket to be generated. selinux_sctp_sk_clone() will then
5445 * plug this into the new socket.
5446 */
5447 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5448 if (err)
5449 return err;
5450
5451 asoc->secid = conn_sid;
5452
5453 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5454 return selinux_netlbl_sctp_assoc_request(asoc, skb);
5455 }
5456
5457 /* Called when SCTP receives a COOKIE ACK chunk as the final
5458 * response to an association request (initited by us).
5459 */
5460 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5461 struct sk_buff *skb)
5462 {
5463 struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5464
5465 if (!selinux_policycap_extsockclass())
5466 return 0;
5467
5468 /* Inherit secid from the parent socket - this will be picked up
5469 * by selinux_sctp_sk_clone() if the association gets peeled off
5470 * into a new socket.
5471 */
5472 asoc->secid = sksec->sid;
5473
5474 return selinux_sctp_process_new_assoc(asoc, skb);
5475 }
5476
5477 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5478 * based on their @optname.
5479 */
5480 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5481 struct sockaddr *address,
5482 int addrlen)
5483 {
5484 int len, err = 0, walk_size = 0;
5485 void *addr_buf;
5486 struct sockaddr *addr;
5487 struct socket *sock;
5488
5489 if (!selinux_policycap_extsockclass())
5490 return 0;
5491
5492 /* Process one or more addresses that may be IPv4 or IPv6 */
5493 sock = sk->sk_socket;
5494 addr_buf = address;
5495
5496 while (walk_size < addrlen) {
5497 if (walk_size + sizeof(sa_family_t) > addrlen)
5498 return -EINVAL;
5499
5500 addr = addr_buf;
5501 switch (addr->sa_family) {
5502 case AF_UNSPEC:
5503 case AF_INET:
5504 len = sizeof(struct sockaddr_in);
5505 break;
5506 case AF_INET6:
5507 len = sizeof(struct sockaddr_in6);
5508 break;
5509 default:
5510 return -EINVAL;
5511 }
5512
5513 if (walk_size + len > addrlen)
5514 return -EINVAL;
5515
5516 err = -EINVAL;
5517 switch (optname) {
5518 /* Bind checks */
5519 case SCTP_PRIMARY_ADDR:
5520 case SCTP_SET_PEER_PRIMARY_ADDR:
5521 case SCTP_SOCKOPT_BINDX_ADD:
5522 err = selinux_socket_bind(sock, addr, len);
5523 break;
5524 /* Connect checks */
5525 case SCTP_SOCKOPT_CONNECTX:
5526 case SCTP_PARAM_SET_PRIMARY:
5527 case SCTP_PARAM_ADD_IP:
5528 case SCTP_SENDMSG_CONNECT:
5529 err = selinux_socket_connect_helper(sock, addr, len);
5530 if (err)
5531 return err;
5532
5533 /* As selinux_sctp_bind_connect() is called by the
5534 * SCTP protocol layer, the socket is already locked,
5535 * therefore selinux_netlbl_socket_connect_locked()
5536 * is called here. The situations handled are:
5537 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5538 * whenever a new IP address is added or when a new
5539 * primary address is selected.
5540 * Note that an SCTP connect(2) call happens before
5541 * the SCTP protocol layer and is handled via
5542 * selinux_socket_connect().
5543 */
5544 err = selinux_netlbl_socket_connect_locked(sk, addr);
5545 break;
5546 }
5547
5548 if (err)
5549 return err;
5550
5551 addr_buf += len;
5552 walk_size += len;
5553 }
5554
5555 return 0;
5556 }
5557
5558 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5559 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5560 struct sock *newsk)
5561 {
5562 struct sk_security_struct *sksec = sk->sk_security;
5563 struct sk_security_struct *newsksec = newsk->sk_security;
5564
5565 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5566 * the non-sctp clone version.
5567 */
5568 if (!selinux_policycap_extsockclass())
5569 return selinux_sk_clone_security(sk, newsk);
5570
5571 newsksec->sid = asoc->secid;
5572 newsksec->peer_sid = asoc->peer_secid;
5573 newsksec->sclass = sksec->sclass;
5574 selinux_netlbl_sctp_sk_clone(sk, newsk);
5575 }
5576
5577 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5578 struct request_sock *req)
5579 {
5580 struct sk_security_struct *sksec = sk->sk_security;
5581 int err;
5582 u16 family = req->rsk_ops->family;
5583 u32 connsid;
5584 u32 peersid;
5585
5586 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5587 if (err)
5588 return err;
5589 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5590 if (err)
5591 return err;
5592 req->secid = connsid;
5593 req->peer_secid = peersid;
5594
5595 return selinux_netlbl_inet_conn_request(req, family);
5596 }
5597
5598 static void selinux_inet_csk_clone(struct sock *newsk,
5599 const struct request_sock *req)
5600 {
5601 struct sk_security_struct *newsksec = newsk->sk_security;
5602
5603 newsksec->sid = req->secid;
5604 newsksec->peer_sid = req->peer_secid;
5605 /* NOTE: Ideally, we should also get the isec->sid for the
5606 new socket in sync, but we don't have the isec available yet.
5607 So we will wait until sock_graft to do it, by which
5608 time it will have been created and available. */
5609
5610 /* We don't need to take any sort of lock here as we are the only
5611 * thread with access to newsksec */
5612 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5613 }
5614
5615 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5616 {
5617 u16 family = sk->sk_family;
5618 struct sk_security_struct *sksec = sk->sk_security;
5619
5620 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5621 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5622 family = PF_INET;
5623
5624 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5625 }
5626
5627 static int selinux_secmark_relabel_packet(u32 sid)
5628 {
5629 const struct task_security_struct *__tsec;
5630 u32 tsid;
5631
5632 __tsec = selinux_cred(current_cred());
5633 tsid = __tsec->sid;
5634
5635 return avc_has_perm(&selinux_state,
5636 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5637 NULL);
5638 }
5639
5640 static void selinux_secmark_refcount_inc(void)
5641 {
5642 atomic_inc(&selinux_secmark_refcount);
5643 }
5644
5645 static void selinux_secmark_refcount_dec(void)
5646 {
5647 atomic_dec(&selinux_secmark_refcount);
5648 }
5649
5650 static void selinux_req_classify_flow(const struct request_sock *req,
5651 struct flowi_common *flic)
5652 {
5653 flic->flowic_secid = req->secid;
5654 }
5655
5656 static int selinux_tun_dev_alloc_security(void **security)
5657 {
5658 struct tun_security_struct *tunsec;
5659
5660 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5661 if (!tunsec)
5662 return -ENOMEM;
5663 tunsec->sid = current_sid();
5664
5665 *security = tunsec;
5666 return 0;
5667 }
5668
5669 static void selinux_tun_dev_free_security(void *security)
5670 {
5671 kfree(security);
5672 }
5673
5674 static int selinux_tun_dev_create(void)
5675 {
5676 u32 sid = current_sid();
5677
5678 /* we aren't taking into account the "sockcreate" SID since the socket
5679 * that is being created here is not a socket in the traditional sense,
5680 * instead it is a private sock, accessible only to the kernel, and
5681 * representing a wide range of network traffic spanning multiple
5682 * connections unlike traditional sockets - check the TUN driver to
5683 * get a better understanding of why this socket is special */
5684
5685 return avc_has_perm(&selinux_state,
5686 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5687 NULL);
5688 }
5689
5690 static int selinux_tun_dev_attach_queue(void *security)
5691 {
5692 struct tun_security_struct *tunsec = security;
5693
5694 return avc_has_perm(&selinux_state,
5695 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5696 TUN_SOCKET__ATTACH_QUEUE, NULL);
5697 }
5698
5699 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5700 {
5701 struct tun_security_struct *tunsec = security;
5702 struct sk_security_struct *sksec = sk->sk_security;
5703
5704 /* we don't currently perform any NetLabel based labeling here and it
5705 * isn't clear that we would want to do so anyway; while we could apply
5706 * labeling without the support of the TUN user the resulting labeled
5707 * traffic from the other end of the connection would almost certainly
5708 * cause confusion to the TUN user that had no idea network labeling
5709 * protocols were being used */
5710
5711 sksec->sid = tunsec->sid;
5712 sksec->sclass = SECCLASS_TUN_SOCKET;
5713
5714 return 0;
5715 }
5716
5717 static int selinux_tun_dev_open(void *security)
5718 {
5719 struct tun_security_struct *tunsec = security;
5720 u32 sid = current_sid();
5721 int err;
5722
5723 err = avc_has_perm(&selinux_state,
5724 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5725 TUN_SOCKET__RELABELFROM, NULL);
5726 if (err)
5727 return err;
5728 err = avc_has_perm(&selinux_state,
5729 sid, sid, SECCLASS_TUN_SOCKET,
5730 TUN_SOCKET__RELABELTO, NULL);
5731 if (err)
5732 return err;
5733 tunsec->sid = sid;
5734
5735 return 0;
5736 }
5737
5738 #ifdef CONFIG_NETFILTER
5739
5740 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5741 const struct nf_hook_state *state)
5742 {
5743 int ifindex;
5744 u16 family;
5745 char *addrp;
5746 u32 peer_sid;
5747 struct common_audit_data ad;
5748 struct lsm_network_audit net = {0,};
5749 int secmark_active, peerlbl_active;
5750
5751 if (!selinux_policycap_netpeer())
5752 return NF_ACCEPT;
5753
5754 secmark_active = selinux_secmark_enabled();
5755 peerlbl_active = selinux_peerlbl_enabled();
5756 if (!secmark_active && !peerlbl_active)
5757 return NF_ACCEPT;
5758
5759 family = state->pf;
5760 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5761 return NF_DROP;
5762
5763 ifindex = state->in->ifindex;
5764 ad.type = LSM_AUDIT_DATA_NET;
5765 ad.u.net = &net;
5766 ad.u.net->netif = ifindex;
5767 ad.u.net->family = family;
5768 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5769 return NF_DROP;
5770
5771 if (peerlbl_active) {
5772 int err;
5773
5774 err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5775 addrp, family, peer_sid, &ad);
5776 if (err) {
5777 selinux_netlbl_err(skb, family, err, 1);
5778 return NF_DROP;
5779 }
5780 }
5781
5782 if (secmark_active)
5783 if (avc_has_perm(&selinux_state,
5784 peer_sid, skb->secmark,
5785 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5786 return NF_DROP;
5787
5788 if (netlbl_enabled())
5789 /* we do this in the FORWARD path and not the POST_ROUTING
5790 * path because we want to make sure we apply the necessary
5791 * labeling before IPsec is applied so we can leverage AH
5792 * protection */
5793 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5794 return NF_DROP;
5795
5796 return NF_ACCEPT;
5797 }
5798
5799 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5800 const struct nf_hook_state *state)
5801 {
5802 struct sock *sk;
5803 u32 sid;
5804
5805 if (!netlbl_enabled())
5806 return NF_ACCEPT;
5807
5808 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5809 * because we want to make sure we apply the necessary labeling
5810 * before IPsec is applied so we can leverage AH protection */
5811 sk = skb->sk;
5812 if (sk) {
5813 struct sk_security_struct *sksec;
5814
5815 if (sk_listener(sk))
5816 /* if the socket is the listening state then this
5817 * packet is a SYN-ACK packet which means it needs to
5818 * be labeled based on the connection/request_sock and
5819 * not the parent socket. unfortunately, we can't
5820 * lookup the request_sock yet as it isn't queued on
5821 * the parent socket until after the SYN-ACK is sent.
5822 * the "solution" is to simply pass the packet as-is
5823 * as any IP option based labeling should be copied
5824 * from the initial connection request (in the IP
5825 * layer). it is far from ideal, but until we get a
5826 * security label in the packet itself this is the
5827 * best we can do. */
5828 return NF_ACCEPT;
5829
5830 /* standard practice, label using the parent socket */
5831 sksec = sk->sk_security;
5832 sid = sksec->sid;
5833 } else
5834 sid = SECINITSID_KERNEL;
5835 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5836 return NF_DROP;
5837
5838 return NF_ACCEPT;
5839 }
5840
5841
5842 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5843 const struct nf_hook_state *state)
5844 {
5845 struct sock *sk;
5846 struct sk_security_struct *sksec;
5847 struct common_audit_data ad;
5848 struct lsm_network_audit net = {0,};
5849 u8 proto = 0;
5850
5851 sk = skb_to_full_sk(skb);
5852 if (sk == NULL)
5853 return NF_ACCEPT;
5854 sksec = sk->sk_security;
5855
5856 ad.type = LSM_AUDIT_DATA_NET;
5857 ad.u.net = &net;
5858 ad.u.net->netif = state->out->ifindex;
5859 ad.u.net->family = state->pf;
5860 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5861 return NF_DROP;
5862
5863 if (selinux_secmark_enabled())
5864 if (avc_has_perm(&selinux_state,
5865 sksec->sid, skb->secmark,
5866 SECCLASS_PACKET, PACKET__SEND, &ad))
5867 return NF_DROP_ERR(-ECONNREFUSED);
5868
5869 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5870 return NF_DROP_ERR(-ECONNREFUSED);
5871
5872 return NF_ACCEPT;
5873 }
5874
5875 static unsigned int selinux_ip_postroute(void *priv,
5876 struct sk_buff *skb,
5877 const struct nf_hook_state *state)
5878 {
5879 u16 family;
5880 u32 secmark_perm;
5881 u32 peer_sid;
5882 int ifindex;
5883 struct sock *sk;
5884 struct common_audit_data ad;
5885 struct lsm_network_audit net = {0,};
5886 char *addrp;
5887 int secmark_active, peerlbl_active;
5888
5889 /* If any sort of compatibility mode is enabled then handoff processing
5890 * to the selinux_ip_postroute_compat() function to deal with the
5891 * special handling. We do this in an attempt to keep this function
5892 * as fast and as clean as possible. */
5893 if (!selinux_policycap_netpeer())
5894 return selinux_ip_postroute_compat(skb, state);
5895
5896 secmark_active = selinux_secmark_enabled();
5897 peerlbl_active = selinux_peerlbl_enabled();
5898 if (!secmark_active && !peerlbl_active)
5899 return NF_ACCEPT;
5900
5901 sk = skb_to_full_sk(skb);
5902
5903 #ifdef CONFIG_XFRM
5904 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5905 * packet transformation so allow the packet to pass without any checks
5906 * since we'll have another chance to perform access control checks
5907 * when the packet is on it's final way out.
5908 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5909 * is NULL, in this case go ahead and apply access control.
5910 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5911 * TCP listening state we cannot wait until the XFRM processing
5912 * is done as we will miss out on the SA label if we do;
5913 * unfortunately, this means more work, but it is only once per
5914 * connection. */
5915 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5916 !(sk && sk_listener(sk)))
5917 return NF_ACCEPT;
5918 #endif
5919
5920 family = state->pf;
5921 if (sk == NULL) {
5922 /* Without an associated socket the packet is either coming
5923 * from the kernel or it is being forwarded; check the packet
5924 * to determine which and if the packet is being forwarded
5925 * query the packet directly to determine the security label. */
5926 if (skb->skb_iif) {
5927 secmark_perm = PACKET__FORWARD_OUT;
5928 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5929 return NF_DROP;
5930 } else {
5931 secmark_perm = PACKET__SEND;
5932 peer_sid = SECINITSID_KERNEL;
5933 }
5934 } else if (sk_listener(sk)) {
5935 /* Locally generated packet but the associated socket is in the
5936 * listening state which means this is a SYN-ACK packet. In
5937 * this particular case the correct security label is assigned
5938 * to the connection/request_sock but unfortunately we can't
5939 * query the request_sock as it isn't queued on the parent
5940 * socket until after the SYN-ACK packet is sent; the only
5941 * viable choice is to regenerate the label like we do in
5942 * selinux_inet_conn_request(). See also selinux_ip_output()
5943 * for similar problems. */
5944 u32 skb_sid;
5945 struct sk_security_struct *sksec;
5946
5947 sksec = sk->sk_security;
5948 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5949 return NF_DROP;
5950 /* At this point, if the returned skb peerlbl is SECSID_NULL
5951 * and the packet has been through at least one XFRM
5952 * transformation then we must be dealing with the "final"
5953 * form of labeled IPsec packet; since we've already applied
5954 * all of our access controls on this packet we can safely
5955 * pass the packet. */
5956 if (skb_sid == SECSID_NULL) {
5957 switch (family) {
5958 case PF_INET:
5959 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5960 return NF_ACCEPT;
5961 break;
5962 case PF_INET6:
5963 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5964 return NF_ACCEPT;
5965 break;
5966 default:
5967 return NF_DROP_ERR(-ECONNREFUSED);
5968 }
5969 }
5970 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5971 return NF_DROP;
5972 secmark_perm = PACKET__SEND;
5973 } else {
5974 /* Locally generated packet, fetch the security label from the
5975 * associated socket. */
5976 struct sk_security_struct *sksec = sk->sk_security;
5977 peer_sid = sksec->sid;
5978 secmark_perm = PACKET__SEND;
5979 }
5980
5981 ifindex = state->out->ifindex;
5982 ad.type = LSM_AUDIT_DATA_NET;
5983 ad.u.net = &net;
5984 ad.u.net->netif = ifindex;
5985 ad.u.net->family = family;
5986 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5987 return NF_DROP;
5988
5989 if (secmark_active)
5990 if (avc_has_perm(&selinux_state,
5991 peer_sid, skb->secmark,
5992 SECCLASS_PACKET, secmark_perm, &ad))
5993 return NF_DROP_ERR(-ECONNREFUSED);
5994
5995 if (peerlbl_active) {
5996 u32 if_sid;
5997 u32 node_sid;
5998
5999 if (sel_netif_sid(state->net, ifindex, &if_sid))
6000 return NF_DROP;
6001 if (avc_has_perm(&selinux_state,
6002 peer_sid, if_sid,
6003 SECCLASS_NETIF, NETIF__EGRESS, &ad))
6004 return NF_DROP_ERR(-ECONNREFUSED);
6005
6006 if (sel_netnode_sid(addrp, family, &node_sid))
6007 return NF_DROP;
6008 if (avc_has_perm(&selinux_state,
6009 peer_sid, node_sid,
6010 SECCLASS_NODE, NODE__SENDTO, &ad))
6011 return NF_DROP_ERR(-ECONNREFUSED);
6012 }
6013
6014 return NF_ACCEPT;
6015 }
6016 #endif /* CONFIG_NETFILTER */
6017
6018 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
6019 {
6020 int rc = 0;
6021 unsigned int msg_len;
6022 unsigned int data_len = skb->len;
6023 unsigned char *data = skb->data;
6024 struct nlmsghdr *nlh;
6025 struct sk_security_struct *sksec = sk->sk_security;
6026 u16 sclass = sksec->sclass;
6027 u32 perm;
6028
6029 while (data_len >= nlmsg_total_size(0)) {
6030 nlh = (struct nlmsghdr *)data;
6031
6032 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
6033 * users which means we can't reject skb's with bogus
6034 * length fields; our solution is to follow what
6035 * netlink_rcv_skb() does and simply skip processing at
6036 * messages with length fields that are clearly junk
6037 */
6038 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
6039 return 0;
6040
6041 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
6042 if (rc == 0) {
6043 rc = sock_has_perm(sk, perm);
6044 if (rc)
6045 return rc;
6046 } else if (rc == -EINVAL) {
6047 /* -EINVAL is a missing msg/perm mapping */
6048 pr_warn_ratelimited("SELinux: unrecognized netlink"
6049 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
6050 " pid=%d comm=%s\n",
6051 sk->sk_protocol, nlh->nlmsg_type,
6052 secclass_map[sclass - 1].name,
6053 task_pid_nr(current), current->comm);
6054 if (enforcing_enabled(&selinux_state) &&
6055 !security_get_allow_unknown(&selinux_state))
6056 return rc;
6057 rc = 0;
6058 } else if (rc == -ENOENT) {
6059 /* -ENOENT is a missing socket/class mapping, ignore */
6060 rc = 0;
6061 } else {
6062 return rc;
6063 }
6064
6065 /* move to the next message after applying netlink padding */
6066 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
6067 if (msg_len >= data_len)
6068 return 0;
6069 data_len -= msg_len;
6070 data += msg_len;
6071 }
6072
6073 return rc;
6074 }
6075
6076 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
6077 {
6078 isec->sclass = sclass;
6079 isec->sid = current_sid();
6080 }
6081
6082 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
6083 u32 perms)
6084 {
6085 struct ipc_security_struct *isec;
6086 struct common_audit_data ad;
6087 u32 sid = current_sid();
6088
6089 isec = selinux_ipc(ipc_perms);
6090
6091 ad.type = LSM_AUDIT_DATA_IPC;
6092 ad.u.ipc_id = ipc_perms->key;
6093
6094 return avc_has_perm(&selinux_state,
6095 sid, isec->sid, isec->sclass, perms, &ad);
6096 }
6097
6098 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6099 {
6100 struct msg_security_struct *msec;
6101
6102 msec = selinux_msg_msg(msg);
6103 msec->sid = SECINITSID_UNLABELED;
6104
6105 return 0;
6106 }
6107
6108 /* message queue security operations */
6109 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6110 {
6111 struct ipc_security_struct *isec;
6112 struct common_audit_data ad;
6113 u32 sid = current_sid();
6114 int rc;
6115
6116 isec = selinux_ipc(msq);
6117 ipc_init_security(isec, SECCLASS_MSGQ);
6118
6119 ad.type = LSM_AUDIT_DATA_IPC;
6120 ad.u.ipc_id = msq->key;
6121
6122 rc = avc_has_perm(&selinux_state,
6123 sid, isec->sid, SECCLASS_MSGQ,
6124 MSGQ__CREATE, &ad);
6125 return rc;
6126 }
6127
6128 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6129 {
6130 struct ipc_security_struct *isec;
6131 struct common_audit_data ad;
6132 u32 sid = current_sid();
6133
6134 isec = selinux_ipc(msq);
6135
6136 ad.type = LSM_AUDIT_DATA_IPC;
6137 ad.u.ipc_id = msq->key;
6138
6139 return avc_has_perm(&selinux_state,
6140 sid, isec->sid, SECCLASS_MSGQ,
6141 MSGQ__ASSOCIATE, &ad);
6142 }
6143
6144 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6145 {
6146 int err;
6147 int perms;
6148
6149 switch (cmd) {
6150 case IPC_INFO:
6151 case MSG_INFO:
6152 /* No specific object, just general system-wide information. */
6153 return avc_has_perm(&selinux_state,
6154 current_sid(), SECINITSID_KERNEL,
6155 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6156 case IPC_STAT:
6157 case MSG_STAT:
6158 case MSG_STAT_ANY:
6159 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6160 break;
6161 case IPC_SET:
6162 perms = MSGQ__SETATTR;
6163 break;
6164 case IPC_RMID:
6165 perms = MSGQ__DESTROY;
6166 break;
6167 default:
6168 return 0;
6169 }
6170
6171 err = ipc_has_perm(msq, perms);
6172 return err;
6173 }
6174
6175 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6176 {
6177 struct ipc_security_struct *isec;
6178 struct msg_security_struct *msec;
6179 struct common_audit_data ad;
6180 u32 sid = current_sid();
6181 int rc;
6182
6183 isec = selinux_ipc(msq);
6184 msec = selinux_msg_msg(msg);
6185
6186 /*
6187 * First time through, need to assign label to the message
6188 */
6189 if (msec->sid == SECINITSID_UNLABELED) {
6190 /*
6191 * Compute new sid based on current process and
6192 * message queue this message will be stored in
6193 */
6194 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6195 SECCLASS_MSG, NULL, &msec->sid);
6196 if (rc)
6197 return rc;
6198 }
6199
6200 ad.type = LSM_AUDIT_DATA_IPC;
6201 ad.u.ipc_id = msq->key;
6202
6203 /* Can this process write to the queue? */
6204 rc = avc_has_perm(&selinux_state,
6205 sid, isec->sid, SECCLASS_MSGQ,
6206 MSGQ__WRITE, &ad);
6207 if (!rc)
6208 /* Can this process send the message */
6209 rc = avc_has_perm(&selinux_state,
6210 sid, msec->sid, SECCLASS_MSG,
6211 MSG__SEND, &ad);
6212 if (!rc)
6213 /* Can the message be put in the queue? */
6214 rc = avc_has_perm(&selinux_state,
6215 msec->sid, isec->sid, SECCLASS_MSGQ,
6216 MSGQ__ENQUEUE, &ad);
6217
6218 return rc;
6219 }
6220
6221 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6222 struct task_struct *target,
6223 long type, int mode)
6224 {
6225 struct ipc_security_struct *isec;
6226 struct msg_security_struct *msec;
6227 struct common_audit_data ad;
6228 u32 sid = task_sid_obj(target);
6229 int rc;
6230
6231 isec = selinux_ipc(msq);
6232 msec = selinux_msg_msg(msg);
6233
6234 ad.type = LSM_AUDIT_DATA_IPC;
6235 ad.u.ipc_id = msq->key;
6236
6237 rc = avc_has_perm(&selinux_state,
6238 sid, isec->sid,
6239 SECCLASS_MSGQ, MSGQ__READ, &ad);
6240 if (!rc)
6241 rc = avc_has_perm(&selinux_state,
6242 sid, msec->sid,
6243 SECCLASS_MSG, MSG__RECEIVE, &ad);
6244 return rc;
6245 }
6246
6247 /* Shared Memory security operations */
6248 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6249 {
6250 struct ipc_security_struct *isec;
6251 struct common_audit_data ad;
6252 u32 sid = current_sid();
6253 int rc;