2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
106 static int __init enforcing_setup(char *str)
108 unsigned long enforcing;
109 if (!kstrtoul(str, 0, &enforcing))
110 selinux_enforcing = enforcing ? 1 : 0;
113 __setup("enforcing=", enforcing_setup);
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119 static int __init selinux_enabled_setup(char *str)
121 unsigned long enabled;
122 if (!kstrtoul(str, 0, &enabled))
123 selinux_enabled = enabled ? 1 : 0;
126 __setup("selinux=", selinux_enabled_setup);
128 int selinux_enabled = 1;
131 static struct kmem_cache *sel_inode_cache;
132 static struct kmem_cache *file_security_cache;
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
141 * enabled, false (0) if SECMARK is disabled. If the always_check_network
142 * policy capability is enabled, SECMARK is always considered enabled.
145 static int selinux_secmark_enabled(void)
147 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
151 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
154 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
155 * (1) if any are enabled or false (0) if neither are enabled. If the
156 * always_check_network policy capability is enabled, peer labeling
157 * is always considered enabled.
160 static int selinux_peerlbl_enabled(void)
162 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
165 static int selinux_netcache_avc_callback(u32 event)
167 if (event == AVC_CALLBACK_RESET) {
176 static int selinux_lsm_notifier_avc_callback(u32 event)
178 if (event == AVC_CALLBACK_RESET) {
180 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
187 * initialise the security for the init task
189 static void cred_init_security(void)
191 struct cred *cred = (struct cred *) current->real_cred;
192 struct task_security_struct *tsec;
194 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
196 panic("SELinux: Failed to initialize initial task.\n");
198 tsec->osid = tsec->sid = SECINITSID_KERNEL;
199 cred->security = tsec;
203 * get the security ID of a set of credentials
205 static inline u32 cred_sid(const struct cred *cred)
207 const struct task_security_struct *tsec;
209 tsec = cred->security;
214 * get the objective security ID of a task
216 static inline u32 task_sid(const struct task_struct *task)
221 sid = cred_sid(__task_cred(task));
226 /* Allocate and free functions for each kind of security blob. */
228 static int inode_alloc_security(struct inode *inode)
230 struct inode_security_struct *isec;
231 u32 sid = current_sid();
233 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
237 spin_lock_init(&isec->lock);
238 INIT_LIST_HEAD(&isec->list);
240 isec->sid = SECINITSID_UNLABELED;
241 isec->sclass = SECCLASS_FILE;
242 isec->task_sid = sid;
243 isec->initialized = LABEL_INVALID;
244 inode->i_security = isec;
249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
252 * Try reloading inode security labels that have been marked as invalid. The
253 * @may_sleep parameter indicates when sleeping and thus reloading labels is
254 * allowed; when set to false, returns -ECHILD when the label is
255 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
256 * when no dentry is available, set it to NULL instead.
258 static int __inode_security_revalidate(struct inode *inode,
259 struct dentry *opt_dentry,
262 struct inode_security_struct *isec = inode->i_security;
264 might_sleep_if(may_sleep);
266 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
271 * Try reloading the inode security label. This will fail if
272 * @opt_dentry is NULL and no dentry for this inode can be
273 * found; in that case, continue using the old label.
275 inode_doinit_with_dentry(inode, opt_dentry);
280 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
282 return inode->i_security;
285 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
289 error = __inode_security_revalidate(inode, NULL, !rcu);
291 return ERR_PTR(error);
292 return inode->i_security;
296 * Get the security label of an inode.
298 static struct inode_security_struct *inode_security(struct inode *inode)
300 __inode_security_revalidate(inode, NULL, true);
301 return inode->i_security;
304 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
306 struct inode *inode = d_backing_inode(dentry);
308 return inode->i_security;
312 * Get the security label of a dentry's backing inode.
314 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
316 struct inode *inode = d_backing_inode(dentry);
318 __inode_security_revalidate(inode, dentry, true);
319 return inode->i_security;
322 static void inode_free_rcu(struct rcu_head *head)
324 struct inode_security_struct *isec;
326 isec = container_of(head, struct inode_security_struct, rcu);
327 kmem_cache_free(sel_inode_cache, isec);
330 static void inode_free_security(struct inode *inode)
332 struct inode_security_struct *isec = inode->i_security;
333 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
336 * As not all inode security structures are in a list, we check for
337 * empty list outside of the lock to make sure that we won't waste
338 * time taking a lock doing nothing.
340 * The list_del_init() function can be safely called more than once.
341 * It should not be possible for this function to be called with
342 * concurrent list_add(), but for better safety against future changes
343 * in the code, we use list_empty_careful() here.
345 if (!list_empty_careful(&isec->list)) {
346 spin_lock(&sbsec->isec_lock);
347 list_del_init(&isec->list);
348 spin_unlock(&sbsec->isec_lock);
352 * The inode may still be referenced in a path walk and
353 * a call to selinux_inode_permission() can be made
354 * after inode_free_security() is called. Ideally, the VFS
355 * wouldn't do this, but fixing that is a much harder
356 * job. For now, simply free the i_security via RCU, and
357 * leave the current inode->i_security pointer intact.
358 * The inode will be freed after the RCU grace period too.
360 call_rcu(&isec->rcu, inode_free_rcu);
363 static int file_alloc_security(struct file *file)
365 struct file_security_struct *fsec;
366 u32 sid = current_sid();
368 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
373 fsec->fown_sid = sid;
374 file->f_security = fsec;
379 static void file_free_security(struct file *file)
381 struct file_security_struct *fsec = file->f_security;
382 file->f_security = NULL;
383 kmem_cache_free(file_security_cache, fsec);
386 static int superblock_alloc_security(struct super_block *sb)
388 struct superblock_security_struct *sbsec;
390 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
394 mutex_init(&sbsec->lock);
395 INIT_LIST_HEAD(&sbsec->isec_head);
396 spin_lock_init(&sbsec->isec_lock);
398 sbsec->sid = SECINITSID_UNLABELED;
399 sbsec->def_sid = SECINITSID_FILE;
400 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
401 sb->s_security = sbsec;
406 static void superblock_free_security(struct super_block *sb)
408 struct superblock_security_struct *sbsec = sb->s_security;
409 sb->s_security = NULL;
413 static inline int inode_doinit(struct inode *inode)
415 return inode_doinit_with_dentry(inode, NULL);
424 Opt_labelsupport = 5,
428 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
430 static const match_table_t tokens = {
431 {Opt_context, CONTEXT_STR "%s"},
432 {Opt_fscontext, FSCONTEXT_STR "%s"},
433 {Opt_defcontext, DEFCONTEXT_STR "%s"},
434 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
435 {Opt_labelsupport, LABELSUPP_STR},
439 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
441 static int may_context_mount_sb_relabel(u32 sid,
442 struct superblock_security_struct *sbsec,
443 const struct cred *cred)
445 const struct task_security_struct *tsec = cred->security;
448 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449 FILESYSTEM__RELABELFROM, NULL);
453 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454 FILESYSTEM__RELABELTO, NULL);
458 static int may_context_mount_inode_relabel(u32 sid,
459 struct superblock_security_struct *sbsec,
460 const struct cred *cred)
462 const struct task_security_struct *tsec = cred->security;
464 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__RELABELFROM, NULL);
469 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470 FILESYSTEM__ASSOCIATE, NULL);
474 static int selinux_is_genfs_special_handling(struct super_block *sb)
476 /* Special handling. Genfs but also in-core setxattr handler */
477 return !strcmp(sb->s_type->name, "sysfs") ||
478 !strcmp(sb->s_type->name, "pstore") ||
479 !strcmp(sb->s_type->name, "debugfs") ||
480 !strcmp(sb->s_type->name, "tracefs") ||
481 !strcmp(sb->s_type->name, "rootfs") ||
482 (selinux_policycap_cgroupseclabel &&
483 (!strcmp(sb->s_type->name, "cgroup") ||
484 !strcmp(sb->s_type->name, "cgroup2")));
487 static int selinux_is_sblabel_mnt(struct super_block *sb)
489 struct superblock_security_struct *sbsec = sb->s_security;
492 * IMPORTANT: Double-check logic in this function when adding a new
493 * SECURITY_FS_USE_* definition!
495 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
497 switch (sbsec->behavior) {
498 case SECURITY_FS_USE_XATTR:
499 case SECURITY_FS_USE_TRANS:
500 case SECURITY_FS_USE_TASK:
501 case SECURITY_FS_USE_NATIVE:
504 case SECURITY_FS_USE_GENFS:
505 return selinux_is_genfs_special_handling(sb);
507 /* Never allow relabeling on context mounts */
508 case SECURITY_FS_USE_MNTPOINT:
509 case SECURITY_FS_USE_NONE:
515 static int sb_finish_set_opts(struct super_block *sb)
517 struct superblock_security_struct *sbsec = sb->s_security;
518 struct dentry *root = sb->s_root;
519 struct inode *root_inode = d_backing_inode(root);
522 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
523 /* Make sure that the xattr handler exists and that no
524 error other than -ENODATA is returned by getxattr on
525 the root directory. -ENODATA is ok, as this may be
526 the first boot of the SELinux kernel before we have
527 assigned xattr values to the filesystem. */
528 if (!(root_inode->i_opflags & IOP_XATTR)) {
529 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
530 "xattr support\n", sb->s_id, sb->s_type->name);
535 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
536 if (rc < 0 && rc != -ENODATA) {
537 if (rc == -EOPNOTSUPP)
538 printk(KERN_WARNING "SELinux: (dev %s, type "
539 "%s) has no security xattr handler\n",
540 sb->s_id, sb->s_type->name);
542 printk(KERN_WARNING "SELinux: (dev %s, type "
543 "%s) getxattr errno %d\n", sb->s_id,
544 sb->s_type->name, -rc);
549 sbsec->flags |= SE_SBINITIALIZED;
552 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
553 * leave the flag untouched because sb_clone_mnt_opts might be handing
554 * us a superblock that needs the flag to be cleared.
556 if (selinux_is_sblabel_mnt(sb))
557 sbsec->flags |= SBLABEL_MNT;
559 sbsec->flags &= ~SBLABEL_MNT;
561 /* Initialize the root inode. */
562 rc = inode_doinit_with_dentry(root_inode, root);
564 /* Initialize any other inodes associated with the superblock, e.g.
565 inodes created prior to initial policy load or inodes created
566 during get_sb by a pseudo filesystem that directly
568 spin_lock(&sbsec->isec_lock);
570 if (!list_empty(&sbsec->isec_head)) {
571 struct inode_security_struct *isec =
572 list_entry(sbsec->isec_head.next,
573 struct inode_security_struct, list);
574 struct inode *inode = isec->inode;
575 list_del_init(&isec->list);
576 spin_unlock(&sbsec->isec_lock);
577 inode = igrab(inode);
579 if (!IS_PRIVATE(inode))
583 spin_lock(&sbsec->isec_lock);
586 spin_unlock(&sbsec->isec_lock);
592 * This function should allow an FS to ask what it's mount security
593 * options were so it can use those later for submounts, displaying
594 * mount options, or whatever.
596 static int selinux_get_mnt_opts(const struct super_block *sb,
597 struct security_mnt_opts *opts)
600 struct superblock_security_struct *sbsec = sb->s_security;
601 char *context = NULL;
605 security_init_mnt_opts(opts);
607 if (!(sbsec->flags & SE_SBINITIALIZED))
613 /* make sure we always check enough bits to cover the mask */
614 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
616 tmp = sbsec->flags & SE_MNTMASK;
617 /* count the number of mount options for this sb */
618 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
620 opts->num_mnt_opts++;
623 /* Check if the Label support flag is set */
624 if (sbsec->flags & SBLABEL_MNT)
625 opts->num_mnt_opts++;
627 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
628 if (!opts->mnt_opts) {
633 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
634 if (!opts->mnt_opts_flags) {
640 if (sbsec->flags & FSCONTEXT_MNT) {
641 rc = security_sid_to_context(sbsec->sid, &context, &len);
644 opts->mnt_opts[i] = context;
645 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
647 if (sbsec->flags & CONTEXT_MNT) {
648 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
651 opts->mnt_opts[i] = context;
652 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
654 if (sbsec->flags & DEFCONTEXT_MNT) {
655 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
658 opts->mnt_opts[i] = context;
659 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
661 if (sbsec->flags & ROOTCONTEXT_MNT) {
662 struct dentry *root = sbsec->sb->s_root;
663 struct inode_security_struct *isec = backing_inode_security(root);
665 rc = security_sid_to_context(isec->sid, &context, &len);
668 opts->mnt_opts[i] = context;
669 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
671 if (sbsec->flags & SBLABEL_MNT) {
672 opts->mnt_opts[i] = NULL;
673 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
676 BUG_ON(i != opts->num_mnt_opts);
681 security_free_mnt_opts(opts);
685 static int bad_option(struct superblock_security_struct *sbsec, char flag,
686 u32 old_sid, u32 new_sid)
688 char mnt_flags = sbsec->flags & SE_MNTMASK;
690 /* check if the old mount command had the same options */
691 if (sbsec->flags & SE_SBINITIALIZED)
692 if (!(sbsec->flags & flag) ||
693 (old_sid != new_sid))
696 /* check if we were passed the same options twice,
697 * aka someone passed context=a,context=b
699 if (!(sbsec->flags & SE_SBINITIALIZED))
700 if (mnt_flags & flag)
706 * Allow filesystems with binary mount data to explicitly set mount point
707 * labeling information.
709 static int selinux_set_mnt_opts(struct super_block *sb,
710 struct security_mnt_opts *opts,
711 unsigned long kern_flags,
712 unsigned long *set_kern_flags)
714 const struct cred *cred = current_cred();
716 struct superblock_security_struct *sbsec = sb->s_security;
717 const char *name = sb->s_type->name;
718 struct dentry *root = sbsec->sb->s_root;
719 struct inode_security_struct *root_isec;
720 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
721 u32 defcontext_sid = 0;
722 char **mount_options = opts->mnt_opts;
723 int *flags = opts->mnt_opts_flags;
724 int num_opts = opts->num_mnt_opts;
726 mutex_lock(&sbsec->lock);
728 if (!ss_initialized) {
730 /* Defer initialization until selinux_complete_init,
731 after the initial policy is loaded and the security
732 server is ready to handle calls. */
736 printk(KERN_WARNING "SELinux: Unable to set superblock options "
737 "before the security server is initialized\n");
740 if (kern_flags && !set_kern_flags) {
741 /* Specifying internal flags without providing a place to
742 * place the results is not allowed */
748 * Binary mount data FS will come through this function twice. Once
749 * from an explicit call and once from the generic calls from the vfs.
750 * Since the generic VFS calls will not contain any security mount data
751 * we need to skip the double mount verification.
753 * This does open a hole in which we will not notice if the first
754 * mount using this sb set explict options and a second mount using
755 * this sb does not set any security options. (The first options
756 * will be used for both mounts)
758 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
762 root_isec = backing_inode_security_novalidate(root);
765 * parse the mount options, check if they are valid sids.
766 * also check if someone is trying to mount the same sb more
767 * than once with different security options.
769 for (i = 0; i < num_opts; i++) {
772 if (flags[i] == SBLABEL_MNT)
774 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
776 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
777 "(%s) failed for (dev %s, type %s) errno=%d\n",
778 mount_options[i], sb->s_id, name, rc);
785 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
787 goto out_double_mount;
789 sbsec->flags |= FSCONTEXT_MNT;
794 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
796 goto out_double_mount;
798 sbsec->flags |= CONTEXT_MNT;
800 case ROOTCONTEXT_MNT:
801 rootcontext_sid = sid;
803 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
805 goto out_double_mount;
807 sbsec->flags |= ROOTCONTEXT_MNT;
811 defcontext_sid = sid;
813 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
815 goto out_double_mount;
817 sbsec->flags |= DEFCONTEXT_MNT;
826 if (sbsec->flags & SE_SBINITIALIZED) {
827 /* previously mounted with options, but not on this attempt? */
828 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
829 goto out_double_mount;
834 if (strcmp(sb->s_type->name, "proc") == 0)
835 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
837 if (!strcmp(sb->s_type->name, "debugfs") ||
838 !strcmp(sb->s_type->name, "tracefs") ||
839 !strcmp(sb->s_type->name, "sysfs") ||
840 !strcmp(sb->s_type->name, "pstore") ||
841 !strcmp(sb->s_type->name, "cgroup") ||
842 !strcmp(sb->s_type->name, "cgroup2"))
843 sbsec->flags |= SE_SBGENFS;
845 if (!sbsec->behavior) {
847 * Determine the labeling behavior to use for this
850 rc = security_fs_use(sb);
853 "%s: security_fs_use(%s) returned %d\n",
854 __func__, sb->s_type->name, rc);
860 * If this is a user namespace mount and the filesystem type is not
861 * explicitly whitelisted, then no contexts are allowed on the command
862 * line and security labels must be ignored.
864 if (sb->s_user_ns != &init_user_ns &&
865 strcmp(sb->s_type->name, "tmpfs") &&
866 strcmp(sb->s_type->name, "ramfs") &&
867 strcmp(sb->s_type->name, "devpts")) {
868 if (context_sid || fscontext_sid || rootcontext_sid ||
873 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
874 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
875 rc = security_transition_sid(current_sid(), current_sid(),
877 &sbsec->mntpoint_sid);
884 /* sets the context of the superblock for the fs being mounted. */
886 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
890 sbsec->sid = fscontext_sid;
894 * Switch to using mount point labeling behavior.
895 * sets the label used on all file below the mountpoint, and will set
896 * the superblock context if not already set.
898 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
899 sbsec->behavior = SECURITY_FS_USE_NATIVE;
900 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
904 if (!fscontext_sid) {
905 rc = may_context_mount_sb_relabel(context_sid, sbsec,
909 sbsec->sid = context_sid;
911 rc = may_context_mount_inode_relabel(context_sid, sbsec,
916 if (!rootcontext_sid)
917 rootcontext_sid = context_sid;
919 sbsec->mntpoint_sid = context_sid;
920 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
923 if (rootcontext_sid) {
924 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
929 root_isec->sid = rootcontext_sid;
930 root_isec->initialized = LABEL_INITIALIZED;
933 if (defcontext_sid) {
934 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
935 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
937 printk(KERN_WARNING "SELinux: defcontext option is "
938 "invalid for this filesystem type\n");
942 if (defcontext_sid != sbsec->def_sid) {
943 rc = may_context_mount_inode_relabel(defcontext_sid,
949 sbsec->def_sid = defcontext_sid;
953 rc = sb_finish_set_opts(sb);
955 mutex_unlock(&sbsec->lock);
959 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
960 "security settings for (dev %s, type %s)\n", sb->s_id, name);
964 static int selinux_cmp_sb_context(const struct super_block *oldsb,
965 const struct super_block *newsb)
967 struct superblock_security_struct *old = oldsb->s_security;
968 struct superblock_security_struct *new = newsb->s_security;
969 char oldflags = old->flags & SE_MNTMASK;
970 char newflags = new->flags & SE_MNTMASK;
972 if (oldflags != newflags)
974 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
976 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
978 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
980 if (oldflags & ROOTCONTEXT_MNT) {
981 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
982 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
983 if (oldroot->sid != newroot->sid)
988 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
989 "different security settings for (dev %s, "
990 "type %s)\n", newsb->s_id, newsb->s_type->name);
994 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
995 struct super_block *newsb,
996 unsigned long kern_flags,
997 unsigned long *set_kern_flags)
1000 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1001 struct superblock_security_struct *newsbsec = newsb->s_security;
1003 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1004 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1005 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1008 * if the parent was able to be mounted it clearly had no special lsm
1009 * mount options. thus we can safely deal with this superblock later
1011 if (!ss_initialized)
1015 * Specifying internal flags without providing a place to
1016 * place the results is not allowed.
1018 if (kern_flags && !set_kern_flags)
1021 /* how can we clone if the old one wasn't set up?? */
1022 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1024 /* if fs is reusing a sb, make sure that the contexts match */
1025 if (newsbsec->flags & SE_SBINITIALIZED) {
1026 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
1027 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1028 return selinux_cmp_sb_context(oldsb, newsb);
1031 mutex_lock(&newsbsec->lock);
1033 newsbsec->flags = oldsbsec->flags;
1035 newsbsec->sid = oldsbsec->sid;
1036 newsbsec->def_sid = oldsbsec->def_sid;
1037 newsbsec->behavior = oldsbsec->behavior;
1039 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1040 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1041 rc = security_fs_use(newsb);
1046 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1047 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1048 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1052 u32 sid = oldsbsec->mntpoint_sid;
1055 newsbsec->sid = sid;
1056 if (!set_rootcontext) {
1057 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1060 newsbsec->mntpoint_sid = sid;
1062 if (set_rootcontext) {
1063 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1064 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1066 newisec->sid = oldisec->sid;
1069 sb_finish_set_opts(newsb);
1071 mutex_unlock(&newsbsec->lock);
1075 static int selinux_parse_opts_str(char *options,
1076 struct security_mnt_opts *opts)
1079 char *context = NULL, *defcontext = NULL;
1080 char *fscontext = NULL, *rootcontext = NULL;
1081 int rc, num_mnt_opts = 0;
1083 opts->num_mnt_opts = 0;
1085 /* Standard string-based options. */
1086 while ((p = strsep(&options, "|")) != NULL) {
1088 substring_t args[MAX_OPT_ARGS];
1093 token = match_token(p, tokens, args);
1097 if (context || defcontext) {
1099 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1102 context = match_strdup(&args[0]);
1112 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1115 fscontext = match_strdup(&args[0]);
1122 case Opt_rootcontext:
1125 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1128 rootcontext = match_strdup(&args[0]);
1135 case Opt_defcontext:
1136 if (context || defcontext) {
1138 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1141 defcontext = match_strdup(&args[0]);
1147 case Opt_labelsupport:
1151 printk(KERN_WARNING "SELinux: unknown mount option\n");
1158 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1159 if (!opts->mnt_opts)
1162 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1164 if (!opts->mnt_opts_flags)
1168 opts->mnt_opts[num_mnt_opts] = fscontext;
1169 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1172 opts->mnt_opts[num_mnt_opts] = context;
1173 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1176 opts->mnt_opts[num_mnt_opts] = rootcontext;
1177 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1180 opts->mnt_opts[num_mnt_opts] = defcontext;
1181 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1184 opts->num_mnt_opts = num_mnt_opts;
1188 security_free_mnt_opts(opts);
1196 * string mount options parsing and call set the sbsec
1198 static int superblock_doinit(struct super_block *sb, void *data)
1201 char *options = data;
1202 struct security_mnt_opts opts;
1204 security_init_mnt_opts(&opts);
1209 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1211 rc = selinux_parse_opts_str(options, &opts);
1216 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1219 security_free_mnt_opts(&opts);
1223 static void selinux_write_opts(struct seq_file *m,
1224 struct security_mnt_opts *opts)
1229 for (i = 0; i < opts->num_mnt_opts; i++) {
1232 if (opts->mnt_opts[i])
1233 has_comma = strchr(opts->mnt_opts[i], ',');
1237 switch (opts->mnt_opts_flags[i]) {
1239 prefix = CONTEXT_STR;
1242 prefix = FSCONTEXT_STR;
1244 case ROOTCONTEXT_MNT:
1245 prefix = ROOTCONTEXT_STR;
1247 case DEFCONTEXT_MNT:
1248 prefix = DEFCONTEXT_STR;
1252 seq_puts(m, LABELSUPP_STR);
1258 /* we need a comma before each option */
1260 seq_puts(m, prefix);
1263 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1269 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1271 struct security_mnt_opts opts;
1274 rc = selinux_get_mnt_opts(sb, &opts);
1276 /* before policy load we may get EINVAL, don't show anything */
1282 selinux_write_opts(m, &opts);
1284 security_free_mnt_opts(&opts);
1289 static inline u16 inode_mode_to_security_class(umode_t mode)
1291 switch (mode & S_IFMT) {
1293 return SECCLASS_SOCK_FILE;
1295 return SECCLASS_LNK_FILE;
1297 return SECCLASS_FILE;
1299 return SECCLASS_BLK_FILE;
1301 return SECCLASS_DIR;
1303 return SECCLASS_CHR_FILE;
1305 return SECCLASS_FIFO_FILE;
1309 return SECCLASS_FILE;
1312 static inline int default_protocol_stream(int protocol)
1314 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1317 static inline int default_protocol_dgram(int protocol)
1319 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1322 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1324 int extsockclass = selinux_policycap_extsockclass;
1330 case SOCK_SEQPACKET:
1331 return SECCLASS_UNIX_STREAM_SOCKET;
1334 return SECCLASS_UNIX_DGRAM_SOCKET;
1341 case SOCK_SEQPACKET:
1342 if (default_protocol_stream(protocol))
1343 return SECCLASS_TCP_SOCKET;
1344 else if (extsockclass && protocol == IPPROTO_SCTP)
1345 return SECCLASS_SCTP_SOCKET;
1347 return SECCLASS_RAWIP_SOCKET;
1349 if (default_protocol_dgram(protocol))
1350 return SECCLASS_UDP_SOCKET;
1351 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1352 protocol == IPPROTO_ICMPV6))
1353 return SECCLASS_ICMP_SOCKET;
1355 return SECCLASS_RAWIP_SOCKET;
1357 return SECCLASS_DCCP_SOCKET;
1359 return SECCLASS_RAWIP_SOCKET;
1365 return SECCLASS_NETLINK_ROUTE_SOCKET;
1366 case NETLINK_SOCK_DIAG:
1367 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1369 return SECCLASS_NETLINK_NFLOG_SOCKET;
1371 return SECCLASS_NETLINK_XFRM_SOCKET;
1372 case NETLINK_SELINUX:
1373 return SECCLASS_NETLINK_SELINUX_SOCKET;
1375 return SECCLASS_NETLINK_ISCSI_SOCKET;
1377 return SECCLASS_NETLINK_AUDIT_SOCKET;
1378 case NETLINK_FIB_LOOKUP:
1379 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1380 case NETLINK_CONNECTOR:
1381 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1382 case NETLINK_NETFILTER:
1383 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1384 case NETLINK_DNRTMSG:
1385 return SECCLASS_NETLINK_DNRT_SOCKET;
1386 case NETLINK_KOBJECT_UEVENT:
1387 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1388 case NETLINK_GENERIC:
1389 return SECCLASS_NETLINK_GENERIC_SOCKET;
1390 case NETLINK_SCSITRANSPORT:
1391 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1393 return SECCLASS_NETLINK_RDMA_SOCKET;
1394 case NETLINK_CRYPTO:
1395 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1397 return SECCLASS_NETLINK_SOCKET;
1400 return SECCLASS_PACKET_SOCKET;
1402 return SECCLASS_KEY_SOCKET;
1404 return SECCLASS_APPLETALK_SOCKET;
1410 return SECCLASS_AX25_SOCKET;
1412 return SECCLASS_IPX_SOCKET;
1414 return SECCLASS_NETROM_SOCKET;
1416 return SECCLASS_ATMPVC_SOCKET;
1418 return SECCLASS_X25_SOCKET;
1420 return SECCLASS_ROSE_SOCKET;
1422 return SECCLASS_DECNET_SOCKET;
1424 return SECCLASS_ATMSVC_SOCKET;
1426 return SECCLASS_RDS_SOCKET;
1428 return SECCLASS_IRDA_SOCKET;
1430 return SECCLASS_PPPOX_SOCKET;
1432 return SECCLASS_LLC_SOCKET;
1434 return SECCLASS_CAN_SOCKET;
1436 return SECCLASS_TIPC_SOCKET;
1438 return SECCLASS_BLUETOOTH_SOCKET;
1440 return SECCLASS_IUCV_SOCKET;
1442 return SECCLASS_RXRPC_SOCKET;
1444 return SECCLASS_ISDN_SOCKET;
1446 return SECCLASS_PHONET_SOCKET;
1448 return SECCLASS_IEEE802154_SOCKET;
1450 return SECCLASS_CAIF_SOCKET;
1452 return SECCLASS_ALG_SOCKET;
1454 return SECCLASS_NFC_SOCKET;
1456 return SECCLASS_VSOCK_SOCKET;
1458 return SECCLASS_KCM_SOCKET;
1460 return SECCLASS_QIPCRTR_SOCKET;
1462 return SECCLASS_SMC_SOCKET;
1464 #error New address family defined, please update this function.
1469 return SECCLASS_SOCKET;
1472 static int selinux_genfs_get_sid(struct dentry *dentry,
1478 struct super_block *sb = dentry->d_sb;
1479 char *buffer, *path;
1481 buffer = (char *)__get_free_page(GFP_KERNEL);
1485 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1489 if (flags & SE_SBPROC) {
1490 /* each process gets a /proc/PID/ entry. Strip off the
1491 * PID part to get a valid selinux labeling.
1492 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1493 while (path[1] >= '0' && path[1] <= '9') {
1498 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1500 free_page((unsigned long)buffer);
1504 /* The inode's security attributes must be initialized before first use. */
1505 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1507 struct superblock_security_struct *sbsec = NULL;
1508 struct inode_security_struct *isec = inode->i_security;
1509 u32 task_sid, sid = 0;
1511 struct dentry *dentry;
1512 #define INITCONTEXTLEN 255
1513 char *context = NULL;
1517 if (isec->initialized == LABEL_INITIALIZED)
1520 spin_lock(&isec->lock);
1521 if (isec->initialized == LABEL_INITIALIZED)
1524 if (isec->sclass == SECCLASS_FILE)
1525 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1527 sbsec = inode->i_sb->s_security;
1528 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1529 /* Defer initialization until selinux_complete_init,
1530 after the initial policy is loaded and the security
1531 server is ready to handle calls. */
1532 spin_lock(&sbsec->isec_lock);
1533 if (list_empty(&isec->list))
1534 list_add(&isec->list, &sbsec->isec_head);
1535 spin_unlock(&sbsec->isec_lock);
1539 sclass = isec->sclass;
1540 task_sid = isec->task_sid;
1542 isec->initialized = LABEL_PENDING;
1543 spin_unlock(&isec->lock);
1545 switch (sbsec->behavior) {
1546 case SECURITY_FS_USE_NATIVE:
1548 case SECURITY_FS_USE_XATTR:
1549 if (!(inode->i_opflags & IOP_XATTR)) {
1550 sid = sbsec->def_sid;
1553 /* Need a dentry, since the xattr API requires one.
1554 Life would be simpler if we could just pass the inode. */
1556 /* Called from d_instantiate or d_splice_alias. */
1557 dentry = dget(opt_dentry);
1559 /* Called from selinux_complete_init, try to find a dentry. */
1560 dentry = d_find_alias(inode);
1564 * this is can be hit on boot when a file is accessed
1565 * before the policy is loaded. When we load policy we
1566 * may find inodes that have no dentry on the
1567 * sbsec->isec_head list. No reason to complain as these
1568 * will get fixed up the next time we go through
1569 * inode_doinit with a dentry, before these inodes could
1570 * be used again by userspace.
1575 len = INITCONTEXTLEN;
1576 context = kmalloc(len+1, GFP_NOFS);
1582 context[len] = '\0';
1583 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1584 if (rc == -ERANGE) {
1587 /* Need a larger buffer. Query for the right size. */
1588 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1594 context = kmalloc(len+1, GFP_NOFS);
1600 context[len] = '\0';
1601 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1605 if (rc != -ENODATA) {
1606 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1607 "%d for dev=%s ino=%ld\n", __func__,
1608 -rc, inode->i_sb->s_id, inode->i_ino);
1612 /* Map ENODATA to the default file SID */
1613 sid = sbsec->def_sid;
1616 rc = security_context_to_sid_default(context, rc, &sid,
1620 char *dev = inode->i_sb->s_id;
1621 unsigned long ino = inode->i_ino;
1623 if (rc == -EINVAL) {
1624 if (printk_ratelimit())
1625 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1626 "context=%s. This indicates you may need to relabel the inode or the "
1627 "filesystem in question.\n", ino, dev, context);
1629 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1630 "returned %d for dev=%s ino=%ld\n",
1631 __func__, context, -rc, dev, ino);
1634 /* Leave with the unlabeled SID */
1641 case SECURITY_FS_USE_TASK:
1644 case SECURITY_FS_USE_TRANS:
1645 /* Default to the fs SID. */
1648 /* Try to obtain a transition SID. */
1649 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1653 case SECURITY_FS_USE_MNTPOINT:
1654 sid = sbsec->mntpoint_sid;
1657 /* Default to the fs superblock SID. */
1660 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1661 /* We must have a dentry to determine the label on
1664 /* Called from d_instantiate or
1665 * d_splice_alias. */
1666 dentry = dget(opt_dentry);
1668 /* Called from selinux_complete_init, try to
1670 dentry = d_find_alias(inode);
1672 * This can be hit on boot when a file is accessed
1673 * before the policy is loaded. When we load policy we
1674 * may find inodes that have no dentry on the
1675 * sbsec->isec_head list. No reason to complain as
1676 * these will get fixed up the next time we go through
1677 * inode_doinit() with a dentry, before these inodes
1678 * could be used again by userspace.
1682 rc = selinux_genfs_get_sid(dentry, sclass,
1683 sbsec->flags, &sid);
1692 spin_lock(&isec->lock);
1693 if (isec->initialized == LABEL_PENDING) {
1695 isec->initialized = LABEL_INVALID;
1698 isec->initialized = LABEL_INITIALIZED;
1703 spin_unlock(&isec->lock);
1707 spin_lock(&isec->lock);
1708 if (isec->initialized == LABEL_PENDING) {
1709 isec->initialized = LABEL_INVALID;
1712 spin_unlock(&isec->lock);
1716 /* Convert a Linux signal to an access vector. */
1717 static inline u32 signal_to_av(int sig)
1723 /* Commonly granted from child to parent. */
1724 perm = PROCESS__SIGCHLD;
1727 /* Cannot be caught or ignored */
1728 perm = PROCESS__SIGKILL;
1731 /* Cannot be caught or ignored */
1732 perm = PROCESS__SIGSTOP;
1735 /* All other signals. */
1736 perm = PROCESS__SIGNAL;
1743 #if CAP_LAST_CAP > 63
1744 #error Fix SELinux to handle capabilities > 63.
1747 /* Check whether a task is allowed to use a capability. */
1748 static int cred_has_capability(const struct cred *cred,
1749 int cap, int audit, bool initns)
1751 struct common_audit_data ad;
1752 struct av_decision avd;
1754 u32 sid = cred_sid(cred);
1755 u32 av = CAP_TO_MASK(cap);
1758 ad.type = LSM_AUDIT_DATA_CAP;
1761 switch (CAP_TO_INDEX(cap)) {
1763 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1766 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1770 "SELinux: out of range capability %d\n", cap);
1775 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1776 if (audit == SECURITY_CAP_AUDIT) {
1777 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1784 /* Check whether a task has a particular permission to an inode.
1785 The 'adp' parameter is optional and allows other audit
1786 data to be passed (e.g. the dentry). */
1787 static int inode_has_perm(const struct cred *cred,
1788 struct inode *inode,
1790 struct common_audit_data *adp)
1792 struct inode_security_struct *isec;
1795 validate_creds(cred);
1797 if (unlikely(IS_PRIVATE(inode)))
1800 sid = cred_sid(cred);
1801 isec = inode->i_security;
1803 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1806 /* Same as inode_has_perm, but pass explicit audit data containing
1807 the dentry to help the auditing code to more easily generate the
1808 pathname if needed. */
1809 static inline int dentry_has_perm(const struct cred *cred,
1810 struct dentry *dentry,
1813 struct inode *inode = d_backing_inode(dentry);
1814 struct common_audit_data ad;
1816 ad.type = LSM_AUDIT_DATA_DENTRY;
1817 ad.u.dentry = dentry;
1818 __inode_security_revalidate(inode, dentry, true);
1819 return inode_has_perm(cred, inode, av, &ad);
1822 /* Same as inode_has_perm, but pass explicit audit data containing
1823 the path to help the auditing code to more easily generate the
1824 pathname if needed. */
1825 static inline int path_has_perm(const struct cred *cred,
1826 const struct path *path,
1829 struct inode *inode = d_backing_inode(path->dentry);
1830 struct common_audit_data ad;
1832 ad.type = LSM_AUDIT_DATA_PATH;
1834 __inode_security_revalidate(inode, path->dentry, true);
1835 return inode_has_perm(cred, inode, av, &ad);
1838 /* Same as path_has_perm, but uses the inode from the file struct. */
1839 static inline int file_path_has_perm(const struct cred *cred,
1843 struct common_audit_data ad;
1845 ad.type = LSM_AUDIT_DATA_FILE;
1847 return inode_has_perm(cred, file_inode(file), av, &ad);
1850 /* Check whether a task can use an open file descriptor to
1851 access an inode in a given way. Check access to the
1852 descriptor itself, and then use dentry_has_perm to
1853 check a particular permission to the file.
1854 Access to the descriptor is implicitly granted if it
1855 has the same SID as the process. If av is zero, then
1856 access to the file is not checked, e.g. for cases
1857 where only the descriptor is affected like seek. */
1858 static int file_has_perm(const struct cred *cred,
1862 struct file_security_struct *fsec = file->f_security;
1863 struct inode *inode = file_inode(file);
1864 struct common_audit_data ad;
1865 u32 sid = cred_sid(cred);
1868 ad.type = LSM_AUDIT_DATA_FILE;
1871 if (sid != fsec->sid) {
1872 rc = avc_has_perm(sid, fsec->sid,
1880 /* av is zero if only checking access to the descriptor. */
1883 rc = inode_has_perm(cred, inode, av, &ad);
1890 * Determine the label for an inode that might be unioned.
1893 selinux_determine_inode_label(const struct task_security_struct *tsec,
1895 const struct qstr *name, u16 tclass,
1898 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1900 if ((sbsec->flags & SE_SBINITIALIZED) &&
1901 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1902 *_new_isid = sbsec->mntpoint_sid;
1903 } else if ((sbsec->flags & SBLABEL_MNT) &&
1905 *_new_isid = tsec->create_sid;
1907 const struct inode_security_struct *dsec = inode_security(dir);
1908 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1915 /* Check whether a task can create a file. */
1916 static int may_create(struct inode *dir,
1917 struct dentry *dentry,
1920 const struct task_security_struct *tsec = current_security();
1921 struct inode_security_struct *dsec;
1922 struct superblock_security_struct *sbsec;
1924 struct common_audit_data ad;
1927 dsec = inode_security(dir);
1928 sbsec = dir->i_sb->s_security;
1932 ad.type = LSM_AUDIT_DATA_DENTRY;
1933 ad.u.dentry = dentry;
1935 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1936 DIR__ADD_NAME | DIR__SEARCH,
1941 rc = selinux_determine_inode_label(current_security(), dir,
1942 &dentry->d_name, tclass, &newsid);
1946 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1950 return avc_has_perm(newsid, sbsec->sid,
1951 SECCLASS_FILESYSTEM,
1952 FILESYSTEM__ASSOCIATE, &ad);
1956 #define MAY_UNLINK 1
1959 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1960 static int may_link(struct inode *dir,
1961 struct dentry *dentry,
1965 struct inode_security_struct *dsec, *isec;
1966 struct common_audit_data ad;
1967 u32 sid = current_sid();
1971 dsec = inode_security(dir);
1972 isec = backing_inode_security(dentry);
1974 ad.type = LSM_AUDIT_DATA_DENTRY;
1975 ad.u.dentry = dentry;
1978 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1979 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1994 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1999 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
2003 static inline int may_rename(struct inode *old_dir,
2004 struct dentry *old_dentry,
2005 struct inode *new_dir,
2006 struct dentry *new_dentry)
2008 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2009 struct common_audit_data ad;
2010 u32 sid = current_sid();
2012 int old_is_dir, new_is_dir;
2015 old_dsec = inode_security(old_dir);
2016 old_isec = backing_inode_security(old_dentry);
2017 old_is_dir = d_is_dir(old_dentry);
2018 new_dsec = inode_security(new_dir);
2020 ad.type = LSM_AUDIT_DATA_DENTRY;
2022 ad.u.dentry = old_dentry;
2023 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
2024 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2027 rc = avc_has_perm(sid, old_isec->sid,
2028 old_isec->sclass, FILE__RENAME, &ad);
2031 if (old_is_dir && new_dir != old_dir) {
2032 rc = avc_has_perm(sid, old_isec->sid,
2033 old_isec->sclass, DIR__REPARENT, &ad);
2038 ad.u.dentry = new_dentry;
2039 av = DIR__ADD_NAME | DIR__SEARCH;
2040 if (d_is_positive(new_dentry))
2041 av |= DIR__REMOVE_NAME;
2042 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2045 if (d_is_positive(new_dentry)) {
2046 new_isec = backing_inode_security(new_dentry);
2047 new_is_dir = d_is_dir(new_dentry);
2048 rc = avc_has_perm(sid, new_isec->sid,
2050 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2058 /* Check whether a task can perform a filesystem operation. */
2059 static int superblock_has_perm(const struct cred *cred,
2060 struct super_block *sb,
2062 struct common_audit_data *ad)
2064 struct superblock_security_struct *sbsec;
2065 u32 sid = cred_sid(cred);
2067 sbsec = sb->s_security;
2068 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2071 /* Convert a Linux mode and permission mask to an access vector. */
2072 static inline u32 file_mask_to_av(int mode, int mask)
2076 if (!S_ISDIR(mode)) {
2077 if (mask & MAY_EXEC)
2078 av |= FILE__EXECUTE;
2079 if (mask & MAY_READ)
2082 if (mask & MAY_APPEND)
2084 else if (mask & MAY_WRITE)
2088 if (mask & MAY_EXEC)
2090 if (mask & MAY_WRITE)
2092 if (mask & MAY_READ)
2099 /* Convert a Linux file to an access vector. */
2100 static inline u32 file_to_av(struct file *file)
2104 if (file->f_mode & FMODE_READ)
2106 if (file->f_mode & FMODE_WRITE) {
2107 if (file->f_flags & O_APPEND)
2114 * Special file opened with flags 3 for ioctl-only use.
2123 * Convert a file to an access vector and include the correct open
2126 static inline u32 open_file_to_av(struct file *file)
2128 u32 av = file_to_av(file);
2129 struct inode *inode = file_inode(file);
2131 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2137 /* Hook functions begin here. */
2139 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2141 u32 mysid = current_sid();
2142 u32 mgrsid = task_sid(mgr);
2144 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2145 BINDER__SET_CONTEXT_MGR, NULL);
2148 static int selinux_binder_transaction(struct task_struct *from,
2149 struct task_struct *to)
2151 u32 mysid = current_sid();
2152 u32 fromsid = task_sid(from);
2153 u32 tosid = task_sid(to);
2156 if (mysid != fromsid) {
2157 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2158 BINDER__IMPERSONATE, NULL);
2163 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2167 static int selinux_binder_transfer_binder(struct task_struct *from,
2168 struct task_struct *to)
2170 u32 fromsid = task_sid(from);
2171 u32 tosid = task_sid(to);
2173 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2177 static int selinux_binder_transfer_file(struct task_struct *from,
2178 struct task_struct *to,
2181 u32 sid = task_sid(to);
2182 struct file_security_struct *fsec = file->f_security;
2183 struct dentry *dentry = file->f_path.dentry;
2184 struct inode_security_struct *isec;
2185 struct common_audit_data ad;
2188 ad.type = LSM_AUDIT_DATA_PATH;
2189 ad.u.path = file->f_path;
2191 if (sid != fsec->sid) {
2192 rc = avc_has_perm(sid, fsec->sid,
2200 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2203 isec = backing_inode_security(dentry);
2204 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2208 static int selinux_ptrace_access_check(struct task_struct *child,
2211 u32 sid = current_sid();
2212 u32 csid = task_sid(child);
2214 if (mode & PTRACE_MODE_READ)
2215 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2217 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2220 static int selinux_ptrace_traceme(struct task_struct *parent)
2222 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2223 PROCESS__PTRACE, NULL);
2226 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2227 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2229 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2230 PROCESS__GETCAP, NULL);
2233 static int selinux_capset(struct cred *new, const struct cred *old,
2234 const kernel_cap_t *effective,
2235 const kernel_cap_t *inheritable,
2236 const kernel_cap_t *permitted)
2238 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2239 PROCESS__SETCAP, NULL);
2243 * (This comment used to live with the selinux_task_setuid hook,
2244 * which was removed).
2246 * Since setuid only affects the current process, and since the SELinux
2247 * controls are not based on the Linux identity attributes, SELinux does not
2248 * need to control this operation. However, SELinux does control the use of
2249 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2252 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2255 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2258 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2260 const struct cred *cred = current_cred();
2272 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2277 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2280 rc = 0; /* let the kernel handle invalid cmds */
2286 static int selinux_quota_on(struct dentry *dentry)
2288 const struct cred *cred = current_cred();
2290 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2293 static int selinux_syslog(int type)
2296 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2297 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2298 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2299 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2300 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2301 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2302 /* Set level of messages printed to console */
2303 case SYSLOG_ACTION_CONSOLE_LEVEL:
2304 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2305 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2308 /* All other syslog types */
2309 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2310 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2314 * Check that a process has enough memory to allocate a new virtual
2315 * mapping. 0 means there is enough memory for the allocation to
2316 * succeed and -ENOMEM implies there is not.
2318 * Do not audit the selinux permission check, as this is applied to all
2319 * processes that allocate mappings.
2321 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2323 int rc, cap_sys_admin = 0;
2325 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2326 SECURITY_CAP_NOAUDIT, true);
2330 return cap_sys_admin;
2333 /* binprm security operations */
2335 static u32 ptrace_parent_sid(void)
2338 struct task_struct *tracer;
2341 tracer = ptrace_parent(current);
2343 sid = task_sid(tracer);
2349 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2350 const struct task_security_struct *old_tsec,
2351 const struct task_security_struct *new_tsec)
2353 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2354 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2358 if (!nnp && !nosuid)
2359 return 0; /* neither NNP nor nosuid */
2361 if (new_tsec->sid == old_tsec->sid)
2362 return 0; /* No change in credentials */
2365 * If the policy enables the nnp_nosuid_transition policy capability,
2366 * then we permit transitions under NNP or nosuid if the
2367 * policy allows the corresponding permission between
2368 * the old and new contexts.
2370 if (selinux_policycap_nnp_nosuid_transition) {
2373 av |= PROCESS2__NNP_TRANSITION;
2375 av |= PROCESS2__NOSUID_TRANSITION;
2376 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2377 SECCLASS_PROCESS2, av, NULL);
2383 * We also permit NNP or nosuid transitions to bounded SIDs,
2384 * i.e. SIDs that are guaranteed to only be allowed a subset
2385 * of the permissions of the current SID.
2387 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2392 * On failure, preserve the errno values for NNP vs nosuid.
2393 * NNP: Operation not permitted for caller.
2394 * nosuid: Permission denied to file.
2401 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2403 const struct task_security_struct *old_tsec;
2404 struct task_security_struct *new_tsec;
2405 struct inode_security_struct *isec;
2406 struct common_audit_data ad;
2407 struct inode *inode = file_inode(bprm->file);
2410 /* SELinux context only depends on initial program or script and not
2411 * the script interpreter */
2412 if (bprm->called_set_creds)
2415 old_tsec = current_security();
2416 new_tsec = bprm->cred->security;
2417 isec = inode_security(inode);
2419 /* Default to the current task SID. */
2420 new_tsec->sid = old_tsec->sid;
2421 new_tsec->osid = old_tsec->sid;
2423 /* Reset fs, key, and sock SIDs on execve. */
2424 new_tsec->create_sid = 0;
2425 new_tsec->keycreate_sid = 0;
2426 new_tsec->sockcreate_sid = 0;
2428 if (old_tsec->exec_sid) {
2429 new_tsec->sid = old_tsec->exec_sid;
2430 /* Reset exec SID on execve. */
2431 new_tsec->exec_sid = 0;
2433 /* Fail on NNP or nosuid if not an allowed transition. */
2434 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2438 /* Check for a default transition on this program. */
2439 rc = security_transition_sid(old_tsec->sid, isec->sid,
2440 SECCLASS_PROCESS, NULL,
2446 * Fallback to old SID on NNP or nosuid if not an allowed
2449 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2451 new_tsec->sid = old_tsec->sid;
2454 ad.type = LSM_AUDIT_DATA_FILE;
2455 ad.u.file = bprm->file;
2457 if (new_tsec->sid == old_tsec->sid) {
2458 rc = avc_has_perm(old_tsec->sid, isec->sid,
2459 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2463 /* Check permissions for the transition. */
2464 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2465 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2469 rc = avc_has_perm(new_tsec->sid, isec->sid,
2470 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2474 /* Check for shared state */
2475 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2476 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2477 SECCLASS_PROCESS, PROCESS__SHARE,
2483 /* Make sure that anyone attempting to ptrace over a task that
2484 * changes its SID has the appropriate permit */
2485 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2486 u32 ptsid = ptrace_parent_sid();
2488 rc = avc_has_perm(ptsid, new_tsec->sid,
2490 PROCESS__PTRACE, NULL);
2496 /* Clear any possibly unsafe personality bits on exec: */
2497 bprm->per_clear |= PER_CLEAR_ON_SETID;
2499 /* Enable secure mode for SIDs transitions unless
2500 the noatsecure permission is granted between
2501 the two SIDs, i.e. ahp returns 0. */
2502 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2503 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2505 bprm->secureexec |= !!rc;
2511 static int match_file(const void *p, struct file *file, unsigned fd)
2513 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2516 /* Derived from fs/exec.c:flush_old_files. */
2517 static inline void flush_unauthorized_files(const struct cred *cred,
2518 struct files_struct *files)
2520 struct file *file, *devnull = NULL;
2521 struct tty_struct *tty;
2525 tty = get_current_tty();
2527 spin_lock(&tty->files_lock);
2528 if (!list_empty(&tty->tty_files)) {
2529 struct tty_file_private *file_priv;
2531 /* Revalidate access to controlling tty.
2532 Use file_path_has_perm on the tty path directly
2533 rather than using file_has_perm, as this particular
2534 open file may belong to another process and we are
2535 only interested in the inode-based check here. */
2536 file_priv = list_first_entry(&tty->tty_files,
2537 struct tty_file_private, list);
2538 file = file_priv->file;
2539 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2542 spin_unlock(&tty->files_lock);
2545 /* Reset controlling tty. */
2549 /* Revalidate access to inherited open files. */
2550 n = iterate_fd(files, 0, match_file, cred);
2551 if (!n) /* none found? */
2554 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2555 if (IS_ERR(devnull))
2557 /* replace all the matching ones with this */
2559 replace_fd(n - 1, devnull, 0);
2560 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2566 * Prepare a process for imminent new credential changes due to exec
2568 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2570 struct task_security_struct *new_tsec;
2571 struct rlimit *rlim, *initrlim;
2574 new_tsec = bprm->cred->security;
2575 if (new_tsec->sid == new_tsec->osid)
2578 /* Close files for which the new task SID is not authorized. */
2579 flush_unauthorized_files(bprm->cred, current->files);
2581 /* Always clear parent death signal on SID transitions. */
2582 current->pdeath_signal = 0;
2584 /* Check whether the new SID can inherit resource limits from the old
2585 * SID. If not, reset all soft limits to the lower of the current
2586 * task's hard limit and the init task's soft limit.
2588 * Note that the setting of hard limits (even to lower them) can be
2589 * controlled by the setrlimit check. The inclusion of the init task's
2590 * soft limit into the computation is to avoid resetting soft limits
2591 * higher than the default soft limit for cases where the default is
2592 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2594 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2595 PROCESS__RLIMITINH, NULL);
2597 /* protect against do_prlimit() */
2599 for (i = 0; i < RLIM_NLIMITS; i++) {
2600 rlim = current->signal->rlim + i;
2601 initrlim = init_task.signal->rlim + i;
2602 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2604 task_unlock(current);
2605 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2606 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2611 * Clean up the process immediately after the installation of new credentials
2614 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2616 const struct task_security_struct *tsec = current_security();
2617 struct itimerval itimer;
2627 /* Check whether the new SID can inherit signal state from the old SID.
2628 * If not, clear itimers to avoid subsequent signal generation and
2629 * flush and unblock signals.
2631 * This must occur _after_ the task SID has been updated so that any
2632 * kill done after the flush will be checked against the new SID.
2634 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2636 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2637 memset(&itimer, 0, sizeof itimer);
2638 for (i = 0; i < 3; i++)
2639 do_setitimer(i, &itimer, NULL);
2641 spin_lock_irq(¤t->sighand->siglock);
2642 if (!fatal_signal_pending(current)) {
2643 flush_sigqueue(¤t->pending);
2644 flush_sigqueue(¤t->signal->shared_pending);
2645 flush_signal_handlers(current, 1);
2646 sigemptyset(¤t->blocked);
2647 recalc_sigpending();
2649 spin_unlock_irq(¤t->sighand->siglock);
2652 /* Wake up the parent if it is waiting so that it can recheck
2653 * wait permission to the new task SID. */
2654 read_lock(&tasklist_lock);
2655 __wake_up_parent(current, current->real_parent);
2656 read_unlock(&tasklist_lock);
2659 /* superblock security operations */
2661 static int selinux_sb_alloc_security(struct super_block *sb)
2663 return superblock_alloc_security(sb);
2666 static void selinux_sb_free_security(struct super_block *sb)
2668 superblock_free_security(sb);
2671 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2676 return !memcmp(prefix, option, plen);
2679 static inline int selinux_option(char *option, int len)
2681 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2682 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2683 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2684 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2685 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2688 static inline void take_option(char **to, char *from, int *first, int len)
2695 memcpy(*to, from, len);
2699 static inline void take_selinux_option(char **to, char *from, int *first,
2702 int current_size = 0;
2710 while (current_size < len) {
2720 static int selinux_sb_copy_data(char *orig, char *copy)
2722 int fnosec, fsec, rc = 0;
2723 char *in_save, *in_curr, *in_end;
2724 char *sec_curr, *nosec_save, *nosec;
2730 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2738 in_save = in_end = orig;
2742 open_quote = !open_quote;
2743 if ((*in_end == ',' && open_quote == 0) ||
2745 int len = in_end - in_curr;
2747 if (selinux_option(in_curr, len))
2748 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2750 take_option(&nosec, in_curr, &fnosec, len);
2752 in_curr = in_end + 1;
2754 } while (*in_end++);
2756 strcpy(in_save, nosec_save);
2757 free_page((unsigned long)nosec_save);
2762 static int selinux_sb_remount(struct super_block *sb, void *data)
2765 struct security_mnt_opts opts;
2766 char *secdata, **mount_options;
2767 struct superblock_security_struct *sbsec = sb->s_security;
2769 if (!(sbsec->flags & SE_SBINITIALIZED))
2775 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2778 security_init_mnt_opts(&opts);
2779 secdata = alloc_secdata();
2782 rc = selinux_sb_copy_data(data, secdata);
2784 goto out_free_secdata;
2786 rc = selinux_parse_opts_str(secdata, &opts);
2788 goto out_free_secdata;
2790 mount_options = opts.mnt_opts;
2791 flags = opts.mnt_opts_flags;
2793 for (i = 0; i < opts.num_mnt_opts; i++) {
2796 if (flags[i] == SBLABEL_MNT)
2798 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2800 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2801 "(%s) failed for (dev %s, type %s) errno=%d\n",
2802 mount_options[i], sb->s_id, sb->s_type->name, rc);
2808 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2809 goto out_bad_option;
2812 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2813 goto out_bad_option;
2815 case ROOTCONTEXT_MNT: {
2816 struct inode_security_struct *root_isec;
2817 root_isec = backing_inode_security(sb->s_root);
2819 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2820 goto out_bad_option;
2823 case DEFCONTEXT_MNT:
2824 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2825 goto out_bad_option;
2834 security_free_mnt_opts(&opts);
2836 free_secdata(secdata);
2839 printk(KERN_WARNING "SELinux: unable to change security options "
2840 "during remount (dev %s, type=%s)\n", sb->s_id,
2845 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2847 const struct cred *cred = current_cred();
2848 struct common_audit_data ad;
2851 rc = superblock_doinit(sb, data);
2855 /* Allow all mounts performed by the kernel */
2856 if (flags & (MS_KERNMOUNT | MS_SUBMOUNT))
2859 ad.type = LSM_AUDIT_DATA_DENTRY;
2860 ad.u.dentry = sb->s_root;
2861 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2864 static int selinux_sb_statfs(struct dentry *dentry)
2866 const struct cred *cred = current_cred();
2867 struct common_audit_data ad;
2869 ad.type = LSM_AUDIT_DATA_DENTRY;
2870 ad.u.dentry = dentry->d_sb->s_root;
2871 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2874 static int selinux_mount(const char *dev_name,
2875 const struct path *path,
2877 unsigned long flags,
2880 const struct cred *cred = current_cred();
2882 if (flags & MS_REMOUNT)
2883 return superblock_has_perm(cred, path->dentry->d_sb,
2884 FILESYSTEM__REMOUNT, NULL);
2886 return path_has_perm(cred, path, FILE__MOUNTON);
2889 static int selinux_umount(struct vfsmount *mnt, int flags)
2891 const struct cred *cred = current_cred();
2893 return superblock_has_perm(cred, mnt->mnt_sb,
2894 FILESYSTEM__UNMOUNT, NULL);
2897 /* inode security operations */
2899 static int selinux_inode_alloc_security(struct inode *inode)
2901 return inode_alloc_security(inode);
2904 static void selinux_inode_free_security(struct inode *inode)
2906 inode_free_security(inode);
2909 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2910 const struct qstr *name, void **ctx,
2916 rc = selinux_determine_inode_label(current_security(),
2917 d_inode(dentry->d_parent), name,
2918 inode_mode_to_security_class(mode),
2923 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2926 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2928 const struct cred *old,
2933 struct task_security_struct *tsec;
2935 rc = selinux_determine_inode_label(old->security,
2936 d_inode(dentry->d_parent), name,
2937 inode_mode_to_security_class(mode),
2942 tsec = new->security;
2943 tsec->create_sid = newsid;
2947 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2948 const struct qstr *qstr,
2950 void **value, size_t *len)
2952 const struct task_security_struct *tsec = current_security();
2953 struct superblock_security_struct *sbsec;
2954 u32 sid, newsid, clen;
2958 sbsec = dir->i_sb->s_security;
2961 newsid = tsec->create_sid;
2963 rc = selinux_determine_inode_label(current_security(),
2965 inode_mode_to_security_class(inode->i_mode),
2970 /* Possibly defer initialization to selinux_complete_init. */
2971 if (sbsec->flags & SE_SBINITIALIZED) {
2972 struct inode_security_struct *isec = inode->i_security;
2973 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2975 isec->initialized = LABEL_INITIALIZED;
2978 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2982 *name = XATTR_SELINUX_SUFFIX;
2985 rc = security_sid_to_context_force(newsid, &context, &clen);
2995 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2997 return may_create(dir, dentry, SECCLASS_FILE);
3000 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3002 return may_link(dir, old_dentry, MAY_LINK);
3005 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3007 return may_link(dir, dentry, MAY_UNLINK);
3010 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3012 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3015 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3017 return may_create(dir, dentry, SECCLASS_DIR);
3020 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3022 return may_link(dir, dentry, MAY_RMDIR);
3025 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3027 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3030 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3031 struct inode *new_inode, struct dentry *new_dentry)
3033 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3036 static int selinux_inode_readlink(struct dentry *dentry)
3038 const struct cred *cred = current_cred();
3040 return dentry_has_perm(cred, dentry, FILE__READ);
3043 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3046 const struct cred *cred = current_cred();
3047 struct common_audit_data ad;
3048 struct inode_security_struct *isec;
3051 validate_creds(cred);
3053 ad.type = LSM_AUDIT_DATA_DENTRY;
3054 ad.u.dentry = dentry;
3055 sid = cred_sid(cred);
3056 isec = inode_security_rcu(inode, rcu);
3058 return PTR_ERR(isec);
3060 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3061 rcu ? MAY_NOT_BLOCK : 0);
3064 static noinline int audit_inode_permission(struct inode *inode,
3065 u32 perms, u32 audited, u32 denied,
3069 struct common_audit_data ad;
3070 struct inode_security_struct *isec = inode->i_security;
3073 ad.type = LSM_AUDIT_DATA_INODE;
3076 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3077 audited, denied, result, &ad, flags);
3083 static int selinux_inode_permission(struct inode *inode, int mask)
3085 const struct cred *cred = current_cred();
3088 unsigned flags = mask & MAY_NOT_BLOCK;
3089 struct inode_security_struct *isec;
3091 struct av_decision avd;
3093 u32 audited, denied;
3095 from_access = mask & MAY_ACCESS;
3096 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3098 /* No permission to check. Existence test. */
3102 validate_creds(cred);
3104 if (unlikely(IS_PRIVATE(inode)))
3107 perms = file_mask_to_av(inode->i_mode, mask);
3109 sid = cred_sid(cred);
3110 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3112 return PTR_ERR(isec);
3114 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3115 audited = avc_audit_required(perms, &avd, rc,
3116 from_access ? FILE__AUDIT_ACCESS : 0,
3118 if (likely(!audited))
3121 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3127 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3129 const struct cred *cred = current_cred();
3130 struct inode *inode = d_backing_inode(dentry);
3131 unsigned int ia_valid = iattr->ia_valid;
3132 __u32 av = FILE__WRITE;
3134 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3135 if (ia_valid & ATTR_FORCE) {
3136 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3142 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3143 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3144 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3146 if (selinux_policycap_openperm &&
3147 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3148 (ia_valid & ATTR_SIZE) &&
3149 !(ia_valid & ATTR_FILE))
3152 return dentry_has_perm(cred, dentry, av);
3155 static int selinux_inode_getattr(const struct path *path)
3157 return path_has_perm(current_cred(), path, FILE__GETATTR);
3160 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3162 const struct cred *cred = current_cred();
3164 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3165 sizeof XATTR_SECURITY_PREFIX - 1)) {
3166 if (!strcmp(name, XATTR_NAME_CAPS)) {
3167 if (!capable(CAP_SETFCAP))
3169 } else if (!capable(CAP_SYS_ADMIN)) {
3170 /* A different attribute in the security namespace.
3171 Restrict to administrator. */
3176 /* Not an attribute we recognize, so just check the
3177 ordinary setattr permission. */
3178 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3181 static bool has_cap_mac_admin(bool audit)
3183 const struct cred *cred = current_cred();
3184 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3186 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3188 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3193 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3194 const void *value, size_t size, int flags)
3196 struct inode *inode = d_backing_inode(dentry);
3197 struct inode_security_struct *isec;
3198 struct superblock_security_struct *sbsec;
3199 struct common_audit_data ad;
3200 u32 newsid, sid = current_sid();
3203 if (strcmp(name, XATTR_NAME_SELINUX))
3204 return selinux_inode_setotherxattr(dentry, name);
3206 sbsec = inode->i_sb->s_security;
3207 if (!(sbsec->flags & SBLABEL_MNT))
3210 if (!inode_owner_or_capable(inode))
3213 ad.type = LSM_AUDIT_DATA_DENTRY;
3214 ad.u.dentry = dentry;
3216 isec = backing_inode_security(dentry);
3217 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3218 FILE__RELABELFROM, &ad);
3222 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3223 if (rc == -EINVAL) {
3224 if (!has_cap_mac_admin(true)) {
3225 struct audit_buffer *ab;
3229 /* We strip a nul only if it is at the end, otherwise the
3230 * context contains a nul and we should audit that */
3233 if (str[size - 1] == '\0')
3234 audit_size = size - 1;
3241 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3242 audit_log_format(ab, "op=setxattr invalid_context=");
3243 audit_log_n_untrustedstring(ab, value, audit_size);
3248 rc = security_context_to_sid_force(value, size, &newsid);
3253 rc = avc_has_perm(sid, newsid, isec->sclass,
3254 FILE__RELABELTO, &ad);
3258 rc = security_validate_transition(isec->sid, newsid, sid,
3263 return avc_has_perm(newsid,
3265 SECCLASS_FILESYSTEM,
3266 FILESYSTEM__ASSOCIATE,
3270 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3271 const void *value, size_t size,
3274 struct inode *inode = d_backing_inode(dentry);
3275 struct inode_security_struct *isec;
3279 if (strcmp(name, XATTR_NAME_SELINUX)) {
3280 /* Not an attribute we recognize, so nothing to do. */
3284 rc = security_context_to_sid_force(value, size, &newsid);
3286 printk(KERN_ERR "SELinux: unable to map context to SID"
3287 "for (%s, %lu), rc=%d\n",
3288 inode->i_sb->s_id, inode->i_ino, -rc);
3292 isec = backing_inode_security(dentry);
3293 spin_lock(&isec->lock);
3294 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3296 isec->initialized = LABEL_INITIALIZED;
3297 spin_unlock(&isec->lock);
3302 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3304 const struct cred *cred = current_cred();
3306 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3309 static int selinux_inode_listxattr(struct dentry *dentry)
3311 const struct cred *cred = current_cred();
3313 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3316 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3318 if (strcmp(name, XATTR_NAME_SELINUX))
3319 return selinux_inode_setotherxattr(dentry, name);
3321 /* No one is allowed to remove a SELinux security label.
3322 You can change the label, but all data must be labeled. */
3327 * Copy the inode security context value to the user.
3329 * Permission check is handled by selinux_inode_getxattr hook.
3331 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3335 char *context = NULL;
3336 struct inode_security_struct *isec;
3338 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3342 * If the caller has CAP_MAC_ADMIN, then get the raw context
3343 * value even if it is not defined by current policy; otherwise,
3344 * use the in-core value under current policy.
3345 * Use the non-auditing forms of the permission checks since
3346 * getxattr may be called by unprivileged processes commonly
3347 * and lack of permission just means that we fall back to the
3348 * in-core context value, not a denial.
3350 isec = inode_security(inode);
3351 if (has_cap_mac_admin(false))
3352 error = security_sid_to_context_force(isec->sid, &context,
3355 error = security_sid_to_context(isec->sid, &context, &size);
3368 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3369 const void *value, size_t size, int flags)
3371 struct inode_security_struct *isec = inode_security_novalidate(inode);
3372 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3376 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3379 if (!(sbsec->flags & SBLABEL_MNT))
3382 if (!value || !size)
3385 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3389 spin_lock(&isec->lock);
3390 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3392 isec->initialized = LABEL_INITIALIZED;
3393 spin_unlock(&isec->lock);
3397 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3399 const int len = sizeof(XATTR_NAME_SELINUX);
3400 if (buffer && len <= buffer_size)
3401 memcpy(buffer, XATTR_NAME_SELINUX, len);
3405 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3407 struct inode_security_struct *isec = inode_security_novalidate(inode);
3411 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3414 struct task_security_struct *tsec;
3415 struct cred *new_creds = *new;
3417 if (new_creds == NULL) {
3418 new_creds = prepare_creds();
3423 tsec = new_creds->security;
3424 /* Get label from overlay inode and set it in create_sid */
3425 selinux_inode_getsecid(d_inode(src), &sid);
3426 tsec->create_sid = sid;
3431 static int selinux_inode_copy_up_xattr(const char *name)
3433 /* The copy_up hook above sets the initial context on an inode, but we
3434 * don't then want to overwrite it by blindly copying all the lower
3435 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3437 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3438 return 1; /* Discard */
3440 * Any other attribute apart from SELINUX is not claimed, supported
3446 /* file security operations */
3448 static int selinux_revalidate_file_permission(struct file *file, int mask)
3450 const struct cred *cred = current_cred();
3451 struct inode *inode = file_inode(file);
3453 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3454 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3457 return file_has_perm(cred, file,
3458 file_mask_to_av(inode->i_mode, mask));
3461 static int selinux_file_permission(struct file *file, int mask)
3463 struct inode *inode = file_inode(file);
3464 struct file_security_struct *fsec = file->f_security;
3465 struct inode_security_struct *isec;
3466 u32 sid = current_sid();
3469 /* No permission to check. Existence test. */
3472 isec = inode_security(inode);
3473 if (sid == fsec->sid && fsec->isid == isec->sid &&
3474 fsec->pseqno == avc_policy_seqno())
3475 /* No change since file_open check. */
3478 return selinux_revalidate_file_permission(file, mask);
3481 static int selinux_file_alloc_security(struct file *file)
3483 return file_alloc_security(file);
3486 static void selinux_file_free_security(struct file *file)
3488 file_free_security(file);
3492 * Check whether a task has the ioctl permission and cmd
3493 * operation to an inode.
3495 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3496 u32 requested, u16 cmd)
3498 struct common_audit_data ad;
3499 struct file_security_struct *fsec = file->f_security;
3500 struct inode *inode = file_inode(file);
3501 struct inode_security_struct *isec;
3502 struct lsm_ioctlop_audit ioctl;
3503 u32 ssid = cred_sid(cred);
3505 u8 driver = cmd >> 8;
3506 u8 xperm = cmd & 0xff;
3508 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3511 ad.u.op->path = file->f_path;
3513 if (ssid != fsec->sid) {
3514 rc = avc_has_perm(ssid, fsec->sid,
3522 if (unlikely(IS_PRIVATE(inode)))
3525 isec = inode_security(inode);
3526 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3527 requested, driver, xperm, &ad);
3532 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3535 const struct cred *cred = current_cred();
3545 case FS_IOC_GETFLAGS:
3547 case FS_IOC_GETVERSION:
3548 error = file_has_perm(cred, file, FILE__GETATTR);
3551 case FS_IOC_SETFLAGS:
3553 case FS_IOC_SETVERSION:
3554 error = file_has_perm(cred, file, FILE__SETATTR);
3557 /* sys_ioctl() checks */
3561 error = file_has_perm(cred, file, 0);
3566 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3567 SECURITY_CAP_AUDIT, true);
3570 /* default case assumes that the command will go
3571 * to the file's ioctl() function.
3574 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3579 static int default_noexec;
3581 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3583 const struct cred *cred = current_cred();
3584 u32 sid = cred_sid(cred);
3587 if (default_noexec &&
3588 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3589 (!shared && (prot & PROT_WRITE)))) {
3591 * We are making executable an anonymous mapping or a
3592 * private file mapping that will also be writable.
3593 * This has an additional check.
3595 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3596 PROCESS__EXECMEM, NULL);
3602 /* read access is always possible with a mapping */
3603 u32 av = FILE__READ;
3605 /* write access only matters if the mapping is shared */
3606 if (shared && (prot & PROT_WRITE))
3609 if (prot & PROT_EXEC)
3610 av |= FILE__EXECUTE;
3612 return file_has_perm(cred, file, av);
3619 static int selinux_mmap_addr(unsigned long addr)
3623 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3624 u32 sid = current_sid();
3625 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3626 MEMPROTECT__MMAP_ZERO, NULL);
3632 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3633 unsigned long prot, unsigned long flags)
3635 struct common_audit_data ad;
3639 ad.type = LSM_AUDIT_DATA_FILE;
3641 rc = inode_has_perm(current_cred(), file_inode(file),
3647 if (selinux_checkreqprot)
3650 return file_map_prot_check(file, prot,
3651 (flags & MAP_TYPE) == MAP_SHARED);
3654 static int selinux_file_mprotect(struct vm_area_struct *vma,
3655 unsigned long reqprot,
3658 const struct cred *cred = current_cred();
3659 u32 sid = cred_sid(cred);
3661 if (selinux_checkreqprot)
3664 if (default_noexec &&
3665 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3667 if (vma->vm_start >= vma->vm_mm->start_brk &&
3668 vma->vm_end <= vma->vm_mm->brk) {
3669 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3670 PROCESS__EXECHEAP, NULL);
3671 } else if (!vma->vm_file &&
3672 ((vma->vm_start <= vma->vm_mm->start_stack &&
3673 vma->vm_end >= vma->vm_mm->start_stack) ||
3674 vma_is_stack_for_current(vma))) {
3675 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3676 PROCESS__EXECSTACK, NULL);
3677 } else if (vma->vm_file && vma->anon_vma) {
3679 * We are making executable a file mapping that has
3680 * had some COW done. Since pages might have been
3681 * written, check ability to execute the possibly
3682 * modified content. This typically should only
3683 * occur for text relocations.
3685 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3691 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3694 static int selinux_file_lock(struct file *file, unsigned int cmd)
3696 const struct cred *cred = current_cred();
3698 return file_has_perm(cred, file, FILE__LOCK);
3701 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3704 const struct cred *cred = current_cred();
3709 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3710 err = file_has_perm(cred, file, FILE__WRITE);
3719 case F_GETOWNER_UIDS:
3720 /* Just check FD__USE permission */
3721 err = file_has_perm(cred, file, 0);
3729 #if BITS_PER_LONG == 32
3734 err = file_has_perm(cred, file, FILE__LOCK);
3741 static void selinux_file_set_fowner(struct file *file)
3743 struct file_security_struct *fsec;
3745 fsec = file->f_security;
3746 fsec->fown_sid = current_sid();
3749 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3750 struct fown_struct *fown, int signum)
3753 u32 sid = task_sid(tsk);
3755 struct file_security_struct *fsec;
3757 /* struct fown_struct is never outside the context of a struct file */
3758 file = container_of(fown, struct file, f_owner);
3760 fsec = file->f_security;
3763 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3765 perm = signal_to_av(signum);
3767 return avc_has_perm(fsec->fown_sid, sid,
3768 SECCLASS_PROCESS, perm, NULL);
3771 static int selinux_file_receive(struct file *file)
3773 const struct cred *cred = current_cred();
3775 return file_has_perm(cred, file, file_to_av(file));
3778 static int selinux_file_open(struct file *file, const struct cred *cred)
3780 struct file_security_struct *fsec;
3781 struct inode_security_struct *isec;
3783 fsec = file->f_security;
3784 isec = inode_security(file_inode(file));
3786 * Save inode label and policy sequence number
3787 * at open-time so that selinux_file_permission
3788 * can determine whether revalidation is necessary.
3789 * Task label is already saved in the file security
3790 * struct as its SID.
3792 fsec->isid = isec->sid;
3793 fsec->pseqno = avc_policy_seqno();
3795 * Since the inode label or policy seqno may have changed
3796 * between the selinux_inode_permission check and the saving
3797 * of state above, recheck that access is still permitted.
3798 * Otherwise, access might never be revalidated against the
3799 * new inode label or new policy.
3800 * This check is not redundant - do not remove.
3802 return file_path_has_perm(cred, file, open_file_to_av(file));
3805 /* task security operations */
3807 static int selinux_task_alloc(struct task_struct *task,
3808 unsigned long clone_flags)
3810 u32 sid = current_sid();
3812 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3816 * allocate the SELinux part of blank credentials
3818 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3820 struct task_security_struct *tsec;
3822 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3826 cred->security = tsec;
3831 * detach and free the LSM part of a set of credentials
3833 static void selinux_cred_free(struct cred *cred)
3835 struct task_security_struct *tsec = cred->security;
3838 * cred->security == NULL if security_cred_alloc_blank() or
3839 * security_prepare_creds() returned an error.
3841 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3842 cred->security = (void *) 0x7UL;
3847 * prepare a new set of credentials for modification
3849 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3852 const struct task_security_struct *old_tsec;
3853 struct task_security_struct *tsec;
3855 old_tsec = old->security;
3857 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3861 new->security = tsec;
3866 * transfer the SELinux data to a blank set of creds
3868 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3870 const struct task_security_struct *old_tsec = old->security;
3871 struct task_security_struct *tsec = new->security;
3877 * set the security data for a kernel service
3878 * - all the creation contexts are set to unlabelled
3880 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3882 struct task_security_struct *tsec = new->security;
3883 u32 sid = current_sid();
3886 ret = avc_has_perm(sid, secid,
3887 SECCLASS_KERNEL_SERVICE,
3888 KERNEL_SERVICE__USE_AS_OVERRIDE,
3892 tsec->create_sid = 0;
3893 tsec->keycreate_sid = 0;
3894 tsec->sockcreate_sid = 0;
3900 * set the file creation context in a security record to the same as the
3901 * objective context of the specified inode
3903 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3905 struct inode_security_struct *isec = inode_security(inode);
3906 struct task_security_struct *tsec = new->security;
3907 u32 sid = current_sid();
3910 ret = avc_has_perm(sid, isec->sid,
3911 SECCLASS_KERNEL_SERVICE,
3912 KERNEL_SERVICE__CREATE_FILES_AS,
3916 tsec->create_sid = isec->sid;
3920 static int selinux_kernel_module_request(char *kmod_name)
3922 struct common_audit_data ad;
3924 ad.type = LSM_AUDIT_DATA_KMOD;
3925 ad.u.kmod_name = kmod_name;
3927 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3928 SYSTEM__MODULE_REQUEST, &ad);
3931 static int selinux_kernel_module_from_file(struct file *file)
3933 struct common_audit_data ad;
3934 struct inode_security_struct *isec;
3935 struct file_security_struct *fsec;
3936 u32 sid = current_sid();
3941 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3942 SYSTEM__MODULE_LOAD, NULL);
3946 ad.type = LSM_AUDIT_DATA_FILE;
3949 fsec = file->f_security;
3950 if (sid != fsec->sid) {
3951 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3956 isec = inode_security(file_inode(file));
3957 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3958 SYSTEM__MODULE_LOAD, &ad);
3961 static int selinux_kernel_read_file(struct file *file,
3962 enum kernel_read_file_id id)
3967 case READING_MODULE:
3968 rc = selinux_kernel_module_from_file(file);
3977 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3979 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3980 PROCESS__SETPGID, NULL);
3983 static int selinux_task_getpgid(struct task_struct *p)
3985 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3986 PROCESS__GETPGID, NULL);
3989 static int selinux_task_getsid(struct task_struct *p)
3991 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3992 PROCESS__GETSESSION, NULL);
3995 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3997 *secid = task_sid(p);
4000 static int selinux_task_setnice(struct task_struct *p, int nice)
4002 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4003 PROCESS__SETSCHED, NULL);
4006 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4008 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4009 PROCESS__SETSCHED, NULL);
4012 static int selinux_task_getioprio(struct task_struct *p)
4014 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4015 PROCESS__GETSCHED, NULL);
4018 int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4025 if (flags & LSM_PRLIMIT_WRITE)
4026 av |= PROCESS__SETRLIMIT;
4027 if (flags & LSM_PRLIMIT_READ)
4028 av |= PROCESS__GETRLIMIT;
4029 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4030 SECCLASS_PROCESS, av, NULL);
4033 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4034 struct rlimit *new_rlim)
4036 struct rlimit *old_rlim = p->signal->rlim + resource;
4038 /* Control the ability to change the hard limit (whether
4039 lowering or raising it), so that the hard limit can
4040 later be used as a safe reset point for the soft limit
4041 upon context transitions. See selinux_bprm_committing_creds. */
4042 if (old_rlim->rlim_max != new_rlim->rlim_max)
4043 return avc_has_perm(current_sid(), task_sid(p),
4044 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4049 static int selinux_task_setscheduler(struct task_struct *p)
4051 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4052 PROCESS__SETSCHED, NULL);
4055 static int selinux_task_getscheduler(struct task_struct *p)
4057 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4058 PROCESS__GETSCHED, NULL);
4061 static int selinux_task_movememory(struct task_struct *p)
4063 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4064 PROCESS__SETSCHED, NULL);
4067 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4073 perm = PROCESS__SIGNULL; /* null signal; existence test */
4075 perm = signal_to_av(sig);
4077 secid = current_sid();
4078 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4081 static void selinux_task_to_inode(struct task_struct *p,
4082 struct inode *inode)
4084 struct inode_security_struct *isec = inode->i_security;
4085 u32 sid = task_sid(p);
4087 spin_lock(&isec->lock);
4088 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4090 isec->initialized = LABEL_INITIALIZED;
4091 spin_unlock(&isec->lock);
4094 /* Returns error only if unable to parse addresses */
4095 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4096 struct common_audit_data *ad, u8 *proto)
4098 int offset, ihlen, ret = -EINVAL;
4099 struct iphdr _iph, *ih;
4101 offset = skb_network_offset(skb);
4102 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4106 ihlen = ih->ihl * 4;
4107 if (ihlen < sizeof(_iph))
4110 ad->u.net->v4info.saddr = ih->saddr;
4111 ad->u.net->v4info.daddr = ih->daddr;
4115 *proto = ih->protocol;
4117 switch (ih->protocol) {
4119 struct tcphdr _tcph, *th;
4121 if (ntohs(ih->frag_off) & IP_OFFSET)
4125 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4129 ad->u.net->sport = th->source;
4130 ad->u.net->dport = th->dest;
4135 struct udphdr _udph, *uh;
4137 if (ntohs(ih->frag_off) & IP_OFFSET)
4141 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4145 ad->u.net->sport = uh->source;
4146 ad->u.net->dport = uh->dest;
4150 case IPPROTO_DCCP: {
4151 struct dccp_hdr _dccph, *dh;
4153 if (ntohs(ih->frag_off) & IP_OFFSET)
4157 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4161 ad->u.net->sport = dh->dccph_sport;
4162 ad->u.net->dport = dh->dccph_dport;
4173 #if IS_ENABLED(CONFIG_IPV6)
4175 /* Returns error only if unable to parse addresses */
4176 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4177 struct common_audit_data *ad, u8 *proto)
4180 int ret = -EINVAL, offset;
4181 struct ipv6hdr _ipv6h, *ip6;
4184 offset = skb_network_offset(skb);
4185 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4189 ad->u.net->v6info.saddr = ip6->saddr;
4190 ad->u.net->v6info.daddr = ip6->daddr;
4193 nexthdr = ip6->nexthdr;
4194 offset += sizeof(_ipv6h);
4195 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4204 struct tcphdr _tcph, *th;
4206 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4210 ad->u.net->sport = th->source;
4211 ad->u.net->dport = th->dest;
4216 struct udphdr _udph, *uh;
4218 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4222 ad->u.net->sport = uh->source;
4223 ad->u.net->dport = uh->dest;
4227 case IPPROTO_DCCP: {
4228 struct dccp_hdr _dccph, *dh;
4230 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4234 ad->u.net->sport = dh->dccph_sport;
4235 ad->u.net->dport = dh->dccph_dport;
4239 /* includes fragments */
4249 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4250 char **_addrp, int src, u8 *proto)
4255 switch (ad->u.net->family) {
4257 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4260 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4261 &ad->u.net->v4info.daddr);
4264 #if IS_ENABLED(CONFIG_IPV6)
4266 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4269 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4270 &ad->u.net->v6info.daddr);
4280 "SELinux: failure in selinux_parse_skb(),"
4281 " unable to parse packet\n");
4291 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4293 * @family: protocol family
4294 * @sid: the packet's peer label SID
4297 * Check the various different forms of network peer labeling and determine
4298 * the peer label/SID for the packet; most of the magic actually occurs in
4299 * the security server function security_net_peersid_cmp(). The function
4300 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4301 * or -EACCES if @sid is invalid due to inconsistencies with the different
4305 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4312 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4315 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4319 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4320 if (unlikely(err)) {
4322 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4323 " unable to determine packet's peer label\n");
4331 * selinux_conn_sid - Determine the child socket label for a connection
4332 * @sk_sid: the parent socket's SID
4333 * @skb_sid: the packet's SID
4334 * @conn_sid: the resulting connection SID
4336 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4337 * combined with the MLS information from @skb_sid in order to create
4338 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4339 * of @sk_sid. Returns zero on success, negative values on failure.
4342 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4346 if (skb_sid != SECSID_NULL)
4347 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4354 /* socket security operations */
4356 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4357 u16 secclass, u32 *socksid)
4359 if (tsec->sockcreate_sid > SECSID_NULL) {
4360 *socksid = tsec->sockcreate_sid;
4364 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4368 static int sock_has_perm(struct sock *sk, u32 perms)
4370 struct sk_security_struct *sksec = sk->sk_security;
4371 struct common_audit_data ad;
4372 struct lsm_network_audit net = {0,};
4374 if (sksec->sid == SECINITSID_KERNEL)
4377 ad.type = LSM_AUDIT_DATA_NET;
4381 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4385 static int selinux_socket_create(int family, int type,
4386 int protocol, int kern)
4388 const struct task_security_struct *tsec = current_security();
4396 secclass = socket_type_to_security_class(family, type, protocol);
4397 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4401 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4404 static int selinux_socket_post_create(struct socket *sock, int family,
4405 int type, int protocol, int kern)
4407 const struct task_security_struct *tsec = current_security();
4408 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4409 struct sk_security_struct *sksec;
4410 u16 sclass = socket_type_to_security_class(family, type, protocol);
4411 u32 sid = SECINITSID_KERNEL;
4415 err = socket_sockcreate_sid(tsec, sclass, &sid);
4420 isec->sclass = sclass;
4422 isec->initialized = LABEL_INITIALIZED;
4425 sksec = sock->sk->sk_security;
4426 sksec->sclass = sclass;
4428 err = selinux_netlbl_socket_post_create(sock->sk, family);
4434 /* Range of port numbers used to automatically bind.
4435 Need to determine whether we should perform a name_bind
4436 permission check between the socket and the port number. */
4438 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4440 struct sock *sk = sock->sk;
4444 err = sock_has_perm(sk, SOCKET__BIND);
4449 * If PF_INET or PF_INET6, check name_bind permission for the port.
4450 * Multiple address binding for SCTP is not supported yet: we just
4451 * check the first address now.
4453 family = sk->sk_family;
4454 if (family == PF_INET || family == PF_INET6) {
4456 struct sk_security_struct *sksec = sk->sk_security;
4457 struct common_audit_data ad;
4458 struct lsm_network_audit net = {0,};
4459 struct sockaddr_in *addr4 = NULL;
4460 struct sockaddr_in6 *addr6 = NULL;
4461 unsigned short snum;
4464 if (family == PF_INET) {
4465 if (addrlen < sizeof(struct sockaddr_in)) {
4469 addr4 = (struct sockaddr_in *)address;
4470 snum = ntohs(addr4->sin_port);
4471 addrp = (char *)&addr4->sin_addr.s_addr;
4473 if (addrlen < SIN6_LEN_RFC2133) {
4477 addr6 = (struct sockaddr_in6 *)address;
4478 snum = ntohs(addr6->sin6_port);
4479 addrp = (char *)&addr6->sin6_addr.s6_addr;
4485 inet_get_local_port_range(sock_net(sk), &low, &high);
4487 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4489 err = sel_netport_sid(sk->sk_protocol,
4493 ad.type = LSM_AUDIT_DATA_NET;
4495 ad.u.net->sport = htons(snum);
4496 ad.u.net->family = family;
4497 err = avc_has_perm(sksec->sid, sid,
4499 SOCKET__NAME_BIND, &ad);
4505 switch (sksec->sclass) {
4506 case SECCLASS_TCP_SOCKET:
4507 node_perm = TCP_SOCKET__NODE_BIND;
4510 case SECCLASS_UDP_SOCKET:
4511 node_perm = UDP_SOCKET__NODE_BIND;
4514 case SECCLASS_DCCP_SOCKET:
4515 node_perm = DCCP_SOCKET__NODE_BIND;
4519 node_perm = RAWIP_SOCKET__NODE_BIND;
4523 err = sel_netnode_sid(addrp, family, &sid);
4527 ad.type = LSM_AUDIT_DATA_NET;
4529 ad.u.net->sport = htons(snum);
4530 ad.u.net->family = family;
4532 if (family == PF_INET)
4533 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4535 ad.u.net->v6info.saddr = addr6->sin6_addr;
4537 err = avc_has_perm(sksec->sid, sid,
4538 sksec->sclass, node_perm, &ad);
4546 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4548 struct sock *sk = sock->sk;
4549 struct sk_security_struct *sksec = sk->sk_security;
4552 err = sock_has_perm(sk, SOCKET__CONNECT);
4557 * If a TCP or DCCP socket, check name_connect permission for the port.
4559 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4560 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4561 struct common_audit_data ad;
4562 struct lsm_network_audit net = {0,};
4563 struct sockaddr_in *addr4 = NULL;
4564 struct sockaddr_in6 *addr6 = NULL;
4565 unsigned short snum;
4568 if (sk->sk_family == PF_INET) {
4569 addr4 = (struct sockaddr_in *)address;
4570 if (addrlen < sizeof(struct sockaddr_in))
4572 snum = ntohs(addr4->sin_port);
4574 addr6 = (struct sockaddr_in6 *)address;
4575 if (addrlen < SIN6_LEN_RFC2133)
4577 snum = ntohs(addr6->sin6_port);
4580 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4584 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4585 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4587 ad.type = LSM_AUDIT_DATA_NET;
4589 ad.u.net->dport = htons(snum);
4590 ad.u.net->family = sk->sk_family;
4591 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4596 err = selinux_netlbl_socket_connect(sk, address);
4602 static int selinux_socket_listen(struct socket *sock, int backlog)
4604 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4607 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4610 struct inode_security_struct *isec;
4611 struct inode_security_struct *newisec;
4615 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4619 isec = inode_security_novalidate(SOCK_INODE(sock));
4620 spin_lock(&isec->lock);
4621 sclass = isec->sclass;
4623 spin_unlock(&isec->lock);
4625 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4626 newisec->sclass = sclass;
4628 newisec->initialized = LABEL_INITIALIZED;
4633 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4636 return sock_has_perm(sock->sk, SOCKET__WRITE);
4639 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4640 int size, int flags)
4642 return sock_has_perm(sock->sk, SOCKET__READ);
4645 static int selinux_socket_getsockname(struct socket *sock)
4647 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4650 static int selinux_socket_getpeername(struct socket *sock)
4652 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4655 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4659 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4663 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4666 static int selinux_socket_getsockopt(struct socket *sock, int level,
4669 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4672 static int selinux_socket_shutdown(struct socket *sock, int how)
4674 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4677 static int selinux_socket_unix_stream_connect(struct sock *sock,
4681 struct sk_security_struct *sksec_sock = sock->sk_security;
4682 struct sk_security_struct *sksec_other = other->sk_security;
4683 struct sk_security_struct *sksec_new = newsk->sk_security;
4684 struct common_audit_data ad;
4685 struct lsm_network_audit net = {0,};
4688 ad.type = LSM_AUDIT_DATA_NET;
4690 ad.u.net->sk = other;
4692 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4693 sksec_other->sclass,
4694 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4698 /* server child socket */
4699 sksec_new->peer_sid = sksec_sock->sid;
4700 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4705 /* connecting socket */
4706 sksec_sock->peer_sid = sksec_new->sid;
4711 static int selinux_socket_unix_may_send(struct socket *sock,
4712 struct socket *other)
4714 struct sk_security_struct *ssec = sock->sk->sk_security;
4715 struct sk_security_struct *osec = other->sk->sk_security;
4716 struct common_audit_data ad;
4717 struct lsm_network_audit net = {0,};
4719 ad.type = LSM_AUDIT_DATA_NET;
4721 ad.u.net->sk = other->sk;
4723 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4727 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4728 char *addrp, u16 family, u32 peer_sid,
4729 struct common_audit_data *ad)
4735 err = sel_netif_sid(ns, ifindex, &if_sid);
4738 err = avc_has_perm(peer_sid, if_sid,
4739 SECCLASS_NETIF, NETIF__INGRESS, ad);
4743 err = sel_netnode_sid(addrp, family, &node_sid);
4746 return avc_has_perm(peer_sid, node_sid,
4747 SECCLASS_NODE, NODE__RECVFROM, ad);
4750 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4754 struct sk_security_struct *sksec = sk->sk_security;
4755 u32 sk_sid = sksec->sid;
4756 struct common_audit_data ad;
4757 struct lsm_network_audit net = {0,};
4760 ad.type = LSM_AUDIT_DATA_NET;
4762 ad.u.net->netif = skb->skb_iif;
4763 ad.u.net->family = family;
4764 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4768 if (selinux_secmark_enabled()) {
4769 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4775 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4778 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4783 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4786 struct sk_security_struct *sksec = sk->sk_security;
4787 u16 family = sk->sk_family;
4788 u32 sk_sid = sksec->sid;
4789 struct common_audit_data ad;
4790 struct lsm_network_audit net = {0,};
4795 if (family != PF_INET && family != PF_INET6)
4798 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4799 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4802 /* If any sort of compatibility mode is enabled then handoff processing
4803 * to the selinux_sock_rcv_skb_compat() function to deal with the
4804 * special handling. We do this in an attempt to keep this function
4805 * as fast and as clean as possible. */
4806 if (!selinux_policycap_netpeer)
4807 return selinux_sock_rcv_skb_compat(sk, skb, family);
4809 secmark_active = selinux_secmark_enabled();
4810 peerlbl_active = selinux_peerlbl_enabled();
4811 if (!secmark_active && !peerlbl_active)
4814 ad.type = LSM_AUDIT_DATA_NET;
4816 ad.u.net->netif = skb->skb_iif;
4817 ad.u.net->family = family;
4818 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4822 if (peerlbl_active) {
4825 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4828 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4829 addrp, family, peer_sid, &ad);
4831 selinux_netlbl_err(skb, family, err, 0);
4834 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4837 selinux_netlbl_err(skb, family, err, 0);
4842 if (secmark_active) {
4843 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4852 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4853 int __user *optlen, unsigned len)
4858 struct sk_security_struct *sksec = sock->sk->sk_security;
4859 u32 peer_sid = SECSID_NULL;
4861 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4862 sksec->sclass == SECCLASS_TCP_SOCKET)
4863 peer_sid = sksec->peer_sid;
4864 if (peer_sid == SECSID_NULL)
4865 return -ENOPROTOOPT;
4867 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4871 if (scontext_len > len) {
4876 if (copy_to_user(optval, scontext, scontext_len))
4880 if (put_user(scontext_len, optlen))
4886 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4888 u32 peer_secid = SECSID_NULL;
4890 struct inode_security_struct *isec;
4892 if (skb && skb->protocol == htons(ETH_P_IP))
4894 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4897 family = sock->sk->sk_family;
4901 if (sock && family == PF_UNIX) {
4902 isec = inode_security_novalidate(SOCK_INODE(sock));
4903 peer_secid = isec->sid;
4905 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4908 *secid = peer_secid;
4909 if (peer_secid == SECSID_NULL)
4914 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4916 struct sk_security_struct *sksec;
4918 sksec = kzalloc(sizeof(*sksec), priority);
4922 sksec->peer_sid = SECINITSID_UNLABELED;
4923 sksec->sid = SECINITSID_UNLABELED;
4924 sksec->sclass = SECCLASS_SOCKET;
4925 selinux_netlbl_sk_security_reset(sksec);
4926 sk->sk_security = sksec;
4931 static void selinux_sk_free_security(struct sock *sk)
4933 struct sk_security_struct *sksec = sk->sk_security;
4935 sk->sk_security = NULL;
4936 selinux_netlbl_sk_security_free(sksec);
4940 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4942 struct sk_security_struct *sksec = sk->sk_security;
4943 struct sk_security_struct *newsksec = newsk->sk_security;
4945 newsksec->sid = sksec->sid;
4946 newsksec->peer_sid = sksec->peer_sid;
4947 newsksec->sclass = sksec->sclass;
4949 selinux_netlbl_sk_security_reset(newsksec);
4952 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4955 *secid = SECINITSID_ANY_SOCKET;
4957 struct sk_security_struct *sksec = sk->sk_security;
4959 *secid = sksec->sid;
4963 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4965 struct inode_security_struct *isec =
4966 inode_security_novalidate(SOCK_INODE(parent));
4967 struct sk_security_struct *sksec = sk->sk_security;
4969 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4970 sk->sk_family == PF_UNIX)
4971 isec->sid = sksec->sid;
4972 sksec->sclass = isec->sclass;
4975 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4976 struct request_sock *req)
4978 struct sk_security_struct *sksec = sk->sk_security;
4980 u16 family = req->rsk_ops->family;
4984 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4987 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4990 req->secid = connsid;
4991 req->peer_secid = peersid;
4993 return selinux_netlbl_inet_conn_request(req, family);
4996 static void selinux_inet_csk_clone(struct sock *newsk,
4997 const struct request_sock *req)
4999 struct sk_security_struct *newsksec = newsk->sk_security;
5001 newsksec->sid = req->secid;
5002 newsksec->peer_sid = req->peer_secid;
5003 /* NOTE: Ideally, we should also get the isec->sid for the
5004 new socket in sync, but we don't have the isec available yet.
5005 So we will wait until sock_graft to do it, by which
5006 time it will have been created and available. */
5008 /* We don't need to take any sort of lock here as we are the only
5009 * thread with access to newsksec */
5010 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5013 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5015 u16 family = sk->sk_family;
5016 struct sk_security_struct *sksec = sk->sk_security;
5018 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5019 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5022 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5025 static int selinux_secmark_relabel_packet(u32 sid)
5027 const struct task_security_struct *__tsec;
5030 __tsec = current_security();
5033 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
5036 static void selinux_secmark_refcount_inc(void)
5038 atomic_inc(&selinux_secmark_refcount);
5041 static void selinux_secmark_refcount_dec(void)
5043 atomic_dec(&selinux_secmark_refcount);
5046 static void selinux_req_classify_flow(const struct request_sock *req,
5049 fl->flowi_secid = req->secid;
5052 static int selinux_tun_dev_alloc_security(void **security)
5054 struct tun_security_struct *tunsec;
5056 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5059 tunsec->sid = current_sid();
5065 static void selinux_tun_dev_free_security(void *security)
5070 static int selinux_tun_dev_create(void)
5072 u32 sid = current_sid();
5074 /* we aren't taking into account the "sockcreate" SID since the socket
5075 * that is being created here is not a socket in the traditional sense,
5076 * instead it is a private sock, accessible only to the kernel, and
5077 * representing a wide range of network traffic spanning multiple
5078 * connections unlike traditional sockets - check the TUN driver to
5079 * get a better understanding of why this socket is special */
5081 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5085 static int selinux_tun_dev_attach_queue(void *security)
5087 struct tun_security_struct *tunsec = security;
5089 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5090 TUN_SOCKET__ATTACH_QUEUE, NULL);
5093 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5095 struct tun_security_struct *tunsec = security;
5096 struct sk_security_struct *sksec = sk->sk_security;
5098 /* we don't currently perform any NetLabel based labeling here and it
5099 * isn't clear that we would want to do so anyway; while we could apply
5100 * labeling without the support of the TUN user the resulting labeled
5101 * traffic from the other end of the connection would almost certainly
5102 * cause confusion to the TUN user that had no idea network labeling
5103 * protocols were being used */
5105 sksec->sid = tunsec->sid;
5106 sksec->sclass = SECCLASS_TUN_SOCKET;
5111 static int selinux_tun_dev_open(void *security)
5113 struct tun_security_struct *tunsec = security;
5114 u32 sid = current_sid();
5117 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5118 TUN_SOCKET__RELABELFROM, NULL);
5121 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5122 TUN_SOCKET__RELABELTO, NULL);
5130 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5133 unsigned int msg_len;
5134 unsigned int data_len = skb->len;
5135 unsigned char *data = skb->data;
5136 struct nlmsghdr *nlh;
5137 struct sk_security_struct *sksec = sk->sk_security;
5138 u16 sclass = sksec->sclass;
5141 while (data_len >= nlmsg_total_size(0)) {
5142 nlh = (struct nlmsghdr *)data;
5144 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5145 * users which means we can't reject skb's with bogus
5146 * length fields; our solution is to follow what
5147 * netlink_rcv_skb() does and simply skip processing at
5148 * messages with length fields that are clearly junk
5150 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5153 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5155 rc = sock_has_perm(sk, perm);
5158 } else if (rc == -EINVAL) {
5159 /* -EINVAL is a missing msg/perm mapping */
5160 pr_warn_ratelimited("SELinux: unrecognized netlink"
5161 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5162 " pid=%d comm=%s\n",
5163 sk->sk_protocol, nlh->nlmsg_type,
5164 secclass_map[sclass - 1].name,
5165 task_pid_nr(current), current->comm);
5166 if (selinux_enforcing && !security_get_allow_unknown())
5169 } else if (rc == -ENOENT) {
5170 /* -ENOENT is a missing socket/class mapping, ignore */
5176 /* move to the next message after applying netlink padding */
5177 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5178 if (msg_len >= data_len)
5180 data_len -= msg_len;
5187 #ifdef CONFIG_NETFILTER
5189 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5190 const struct net_device *indev,
5196 struct common_audit_data ad;
5197 struct lsm_network_audit net = {0,};
5202 if (!selinux_policycap_netpeer)
5205 secmark_active = selinux_secmark_enabled();
5206 netlbl_active = netlbl_enabled();
5207 peerlbl_active = selinux_peerlbl_enabled();
5208 if (!secmark_active && !peerlbl_active)
5211 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5214 ad.type = LSM_AUDIT_DATA_NET;
5216 ad.u.net->netif = indev->ifindex;
5217 ad.u.net->family = family;
5218 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5221 if (peerlbl_active) {
5222 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5223 addrp, family, peer_sid, &ad);
5225 selinux_netlbl_err(skb, family, err, 1);
5231 if (avc_has_perm(peer_sid, skb->secmark,
5232 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5236 /* we do this in the FORWARD path and not the POST_ROUTING
5237 * path because we want to make sure we apply the necessary
5238 * labeling before IPsec is applied so we can leverage AH
5240 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5246 static unsigned int selinux_ipv4_forward(void *priv,
5247 struct sk_buff *skb,
5248 const struct nf_hook_state *state)
5250 return selinux_ip_forward(skb, state->in, PF_INET);
5253 #if IS_ENABLED(CONFIG_IPV6)
5254 static unsigned int selinux_ipv6_forward(void *priv,
5255 struct sk_buff *skb,
5256 const struct nf_hook_state *state)
5258 return selinux_ip_forward(skb, state->in, PF_INET6);
5262 static unsigned int selinux_ip_output(struct sk_buff *skb,
5268 if (!netlbl_enabled())
5271 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5272 * because we want to make sure we apply the necessary labeling
5273 * before IPsec is applied so we can leverage AH protection */
5276 struct sk_security_struct *sksec;
5278 if (sk_listener(sk))
5279 /* if the socket is the listening state then this
5280 * packet is a SYN-ACK packet which means it needs to
5281 * be labeled based on the connection/request_sock and
5282 * not the parent socket. unfortunately, we can't
5283 * lookup the request_sock yet as it isn't queued on
5284 * the parent socket until after the SYN-ACK is sent.
5285 * the "solution" is to simply pass the packet as-is
5286 * as any IP option based labeling should be copied
5287 * from the initial connection request (in the IP
5288 * layer). it is far from ideal, but until we get a
5289 * security label in the packet itself this is the
5290 * best we can do. */
5293 /* standard practice, label using the parent socket */
5294 sksec = sk->sk_security;
5297 sid = SECINITSID_KERNEL;
5298 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5304 static unsigned int selinux_ipv4_output(void *priv,
5305 struct sk_buff *skb,
5306 const struct nf_hook_state *state)
5308 return selinux_ip_output(skb, PF_INET);
5311 #if IS_ENABLED(CONFIG_IPV6)
5312 static unsigned int selinux_ipv6_output(void *priv,
5313 struct sk_buff *skb,
5314 const struct nf_hook_state *state)
5316 return selinux_ip_output(skb, PF_INET6);
5320 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5324 struct sock *sk = skb_to_full_sk(skb);
5325 struct sk_security_struct *sksec;
5326 struct common_audit_data ad;
5327 struct lsm_network_audit net = {0,};
5333 sksec = sk->sk_security;
5335 ad.type = LSM_AUDIT_DATA_NET;
5337 ad.u.net->netif = ifindex;
5338 ad.u.net->family = family;
5339 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5342 if (selinux_secmark_enabled())
5343 if (avc_has_perm(sksec->sid, skb->secmark,
5344 SECCLASS_PACKET, PACKET__SEND, &ad))
5345 return NF_DROP_ERR(-ECONNREFUSED);
5347 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5348 return NF_DROP_ERR(-ECONNREFUSED);
5353 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5354 const struct net_device *outdev,
5359 int ifindex = outdev->ifindex;
5361 struct common_audit_data ad;
5362 struct lsm_network_audit net = {0,};
5367 /* If any sort of compatibility mode is enabled then handoff processing
5368 * to the selinux_ip_postroute_compat() function to deal with the
5369 * special handling. We do this in an attempt to keep this function
5370 * as fast and as clean as possible. */
5371 if (!selinux_policycap_netpeer)
5372 return selinux_ip_postroute_compat(skb, ifindex, family);
5374 secmark_active = selinux_secmark_enabled();
5375 peerlbl_active = selinux_peerlbl_enabled();
5376 if (!secmark_active && !peerlbl_active)
5379 sk = skb_to_full_sk(skb);
5382 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5383 * packet transformation so allow the packet to pass without any checks
5384 * since we'll have another chance to perform access control checks
5385 * when the packet is on it's final way out.
5386 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5387 * is NULL, in this case go ahead and apply access control.
5388 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5389 * TCP listening state we cannot wait until the XFRM processing
5390 * is done as we will miss out on the SA label if we do;
5391 * unfortunately, this means more work, but it is only once per
5393 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5394 !(sk && sk_listener(sk)))
5399 /* Without an associated socket the packet is either coming
5400 * from the kernel or it is being forwarded; check the packet
5401 * to determine which and if the packet is being forwarded
5402 * query the packet directly to determine the security label. */
5404 secmark_perm = PACKET__FORWARD_OUT;
5405 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5408 secmark_perm = PACKET__SEND;
5409 peer_sid = SECINITSID_KERNEL;
5411 } else if (sk_listener(sk)) {
5412 /* Locally generated packet but the associated socket is in the
5413 * listening state which means this is a SYN-ACK packet. In
5414 * this particular case the correct security label is assigned
5415 * to the connection/request_sock but unfortunately we can't
5416 * query the request_sock as it isn't queued on the parent
5417 * socket until after the SYN-ACK packet is sent; the only
5418 * viable choice is to regenerate the label like we do in
5419 * selinux_inet_conn_request(). See also selinux_ip_output()
5420 * for similar problems. */
5422 struct sk_security_struct *sksec;
5424 sksec = sk->sk_security;
5425 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5427 /* At this point, if the returned skb peerlbl is SECSID_NULL
5428 * and the packet has been through at least one XFRM
5429 * transformation then we must be dealing with the "final"
5430 * form of labeled IPsec packet; since we've already applied
5431 * all of our access controls on this packet we can safely
5432 * pass the packet. */
5433 if (skb_sid == SECSID_NULL) {
5436 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5440 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5444 return NF_DROP_ERR(-ECONNREFUSED);
5447 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5449 secmark_perm = PACKET__SEND;
5451 /* Locally generated packet, fetch the security label from the
5452 * associated socket. */
5453 struct sk_security_struct *sksec = sk->sk_security;
5454 peer_sid = sksec->sid;
5455 secmark_perm = PACKET__SEND;
5458 ad.type = LSM_AUDIT_DATA_NET;
5460 ad.u.net->netif = ifindex;
5461 ad.u.net->family = family;
5462 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5466 if (avc_has_perm(peer_sid, skb->secmark,
5467 SECCLASS_PACKET, secmark_perm, &ad))
5468 return NF_DROP_ERR(-ECONNREFUSED);
5470 if (peerlbl_active) {
5474 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5476 if (avc_has_perm(peer_sid, if_sid,
5477 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5478 return NF_DROP_ERR(-ECONNREFUSED);
5480 if (sel_netnode_sid(addrp, family, &node_sid))
5482 if (avc_has_perm(peer_sid, node_sid,
5483 SECCLASS_NODE, NODE__SENDTO, &ad))
5484 return NF_DROP_ERR(-ECONNREFUSED);
5490 static unsigned int selinux_ipv4_postroute(void *priv,
5491 struct sk_buff *skb,
5492 const struct nf_hook_state *state)
5494 return selinux_ip_postroute(skb, state->out, PF_INET);
5497 #if IS_ENABLED(CONFIG_IPV6)
5498 static unsigned int selinux_ipv6_postroute(void *priv,
5499 struct sk_buff *skb,
5500 const struct nf_hook_state *state)
5502 return selinux_ip_postroute(skb, state->out, PF_INET6);
5506 #endif /* CONFIG_NETFILTER */
5508 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5510 return selinux_nlmsg_perm(sk, skb);
5513 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5516 struct ipc_security_struct *isec;
5518 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5522 isec->sclass = sclass;
5523 isec->sid = current_sid();
5524 perm->security = isec;
5529 static void ipc_free_security(struct kern_ipc_perm *perm)
5531 struct ipc_security_struct *isec = perm->security;
5532 perm->security = NULL;
5536 static int msg_msg_alloc_security(struct msg_msg *msg)
5538 struct msg_security_struct *msec;
5540 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5544 msec->sid = SECINITSID_UNLABELED;
5545 msg->security = msec;
5550 static void msg_msg_free_security(struct msg_msg *msg)
5552 struct msg_security_struct *msec = msg->security;
5554 msg->security = NULL;
5558 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5561 struct ipc_security_struct *isec;
5562 struct common_audit_data ad;
5563 u32 sid = current_sid();
5565 isec = ipc_perms->security;
5567 ad.type = LSM_AUDIT_DATA_IPC;
5568 ad.u.ipc_id = ipc_perms->key;
5570 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5573 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5575 return msg_msg_alloc_security(msg);
5578 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5580 msg_msg_free_security(msg);
5583 /* message queue security operations */
5584 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5586 struct ipc_security_struct *isec;
5587 struct common_audit_data ad;
5588 u32 sid = current_sid();
5591 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
5595 isec = msq->q_perm.security;
5597 ad.type = LSM_AUDIT_DATA_IPC;
5598 ad.u.ipc_id = msq->q_perm.key;
5600 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5603 ipc_free_security(&msq->q_perm);
5609 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5611 ipc_free_security(&msq->q_perm);
5614 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5616 struct ipc_security_struct *isec;
5617 struct common_audit_data ad;
5618 u32 sid = current_sid();
5620 isec = msq->q_perm.security;
5622 ad.type = LSM_AUDIT_DATA_IPC;
5623 ad.u.ipc_id = msq->q_perm.key;
5625 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5626 MSGQ__ASSOCIATE, &ad);
5629 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5637 /* No specific object, just general system-wide information. */
5638 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5639 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5642 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5645 perms = MSGQ__SETATTR;
5648 perms = MSGQ__DESTROY;
5654 err = ipc_has_perm(&msq->q_perm, perms);
5658 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5660 struct ipc_security_struct *isec;
5661 struct msg_security_struct *msec;
5662 struct common_audit_data ad;
5663 u32 sid = current_sid();
5666 isec = msq->q_perm.security;
5667 msec = msg->security;
5670 * First time through, need to assign label to the message
5672 if (msec->sid == SECINITSID_UNLABELED) {
5674 * Compute new sid based on current process and
5675 * message queue this message will be stored in
5677 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5683 ad.type = LSM_AUDIT_DATA_IPC;
5684 ad.u.ipc_id = msq->q_perm.key;
5686 /* Can this process write to the queue? */
5687 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5690 /* Can this process send the message */
5691 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5694 /* Can the message be put in the queue? */
5695 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5696 MSGQ__ENQUEUE, &ad);
5701 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5702 struct task_struct *target,
5703 long type, int mode)
5705 struct ipc_security_struct *isec;
5706 struct msg_security_struct *msec;
5707 struct common_audit_data ad;
5708 u32 sid = task_sid(target);
5711 isec = msq->q_perm.security;
5712 msec = msg->security;
5714 ad.type = LSM_AUDIT_DATA_IPC;
5715 ad.u.ipc_id = msq->q_perm.key;
5717 rc = avc_has_perm(sid, isec->sid,
5718 SECCLASS_MSGQ, MSGQ__READ, &ad);
5720 rc = avc_has_perm(sid, msec->sid,
5721 SECCLASS_MSG, MSG__RECEIVE, &ad);
5725 /* Shared Memory security operations */
5726 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5728 struct ipc_security_struct *isec;
5729 struct common_audit_data ad;
5730 u32 sid = current_sid();
5733 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
5737 isec = shp->shm_perm.security;
5739 ad.type = LSM_AUDIT_DATA_IPC;
5740 ad.u.ipc_id = shp->shm_perm.key;
5742 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5745 ipc_free_security(&shp->shm_perm);
5751 static void selinux_shm_free_security(struct shmid_kernel *shp)
5753 ipc_free_security(&shp->shm_perm);
5756 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5758 struct ipc_security_struct *isec;
5759 struct common_audit_data ad;
5760 u32 sid = current_sid();
5762 isec = shp->shm_perm.security;
5764 ad.type = LSM_AUDIT_DATA_IPC;
5765 ad.u.ipc_id = shp->shm_perm.key;
5767 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5768 SHM__ASSOCIATE, &ad);
5771 /* Note, at this point, shp is locked down */
5772 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5780 /* No specific object, just general system-wide information. */
5781 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5782 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5785 perms = SHM__GETATTR | SHM__ASSOCIATE;
5788 perms = SHM__SETATTR;
5795 perms = SHM__DESTROY;
5801 err = ipc_has_perm(&shp->shm_perm, perms);
5805 static int selinux_shm_shmat(struct shmid_kernel *shp,
5806 char __user *shmaddr, int shmflg)
5810 if (shmflg & SHM_RDONLY)
5813 perms = SHM__READ | SHM__WRITE;
5815 return ipc_has_perm(&shp->shm_perm, perms);
5818 /* Semaphore security operations */
5819 static int selinux_sem_alloc_security(struct sem_array *sma)
5821 struct ipc_security_struct *isec;
5822 struct common_audit_data ad;
5823 u32 sid = current_sid();
5826 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
5830 isec = sma->sem_perm.security;
5832 ad.type = LSM_AUDIT_DATA_IPC;
5833 ad.u.ipc_id = sma->sem_perm.key;
5835 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5838 ipc_free_security(&sma->sem_perm);
5844 static void selinux_sem_free_security(struct sem_array *sma)
5846 ipc_free_security(&sma->sem_perm);
5849 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5851 struct ipc_security_struct *isec;
5852 struct common_audit_data ad;
5853 u32 sid = current_sid();
5855 isec = sma->sem_perm.security;
5857 ad.type = LSM_AUDIT_DATA_IPC;
5858 ad.u.ipc_id = sma->sem_perm.key;
5860 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5861 SEM__ASSOCIATE, &ad);
5864 /* Note, at this point, sma is locked down */
5865 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5873 /* No specific object, just general system-wide information. */
5874 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5875 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5879 perms = SEM__GETATTR;
5890 perms = SEM__DESTROY;
5893 perms = SEM__SETATTR;
5897 perms = SEM__GETATTR | SEM__ASSOCIATE;
5903 err = ipc_has_perm(&sma->sem_perm, perms);
5907 static int selinux_sem_semop(struct sem_array *sma,
5908 struct sembuf *sops, unsigned nsops, int alter)
5913 perms = SEM__READ | SEM__WRITE;
5917 return ipc_has_perm(&sma->sem_perm, perms);
5920 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5926 av |= IPC__UNIX_READ;
5928 av |= IPC__UNIX_WRITE;
5933 return ipc_has_perm(ipcp, av);
5936 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5938 struct ipc_security_struct *isec = ipcp->security;
5942 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5945 inode_doinit_with_dentry(inode, dentry);
5948 static int selinux_getprocattr(struct task_struct *p,
5949 char *name, char **value)
5951 const struct task_security_struct *__tsec;
5957 __tsec = __task_cred(p)->security;
5960 error = avc_has_perm(current_sid(), __tsec->sid,
5961 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5966 if (!strcmp(name, "current"))
5968 else if (!strcmp(name, "prev"))
5970 else if (!strcmp(name, "exec"))
5971 sid = __tsec->exec_sid;
5972 else if (!strcmp(name, "fscreate"))
5973 sid = __tsec->create_sid;
5974 else if (!strcmp(name, "keycreate"))
5975 sid = __tsec->keycreate_sid;
5976 else if (!strcmp(name, "sockcreate"))
5977 sid = __tsec->sockcreate_sid;
5987 error = security_sid_to_context(sid, value, &len);
5997 static int selinux_setprocattr(const char *name, void *value, size_t size)
5999 struct task_security_struct *tsec;
6001 u32 mysid = current_sid(), sid = 0, ptsid;
6006 * Basic control over ability to set these attributes at all.
6008 if (!strcmp(name, "exec"))
6009 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6010 PROCESS__SETEXEC, NULL);
6011 else if (!strcmp(name, "fscreate"))
6012 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6013 PROCESS__SETFSCREATE, NULL);
6014 else if (!strcmp(name, "keycreate"))
6015 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6016 PROCESS__SETKEYCREATE, NULL);
6017 else if (!strcmp(name, "sockcreate"))
6018 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6019 PROCESS__SETSOCKCREATE, NULL);
6020 else if (!strcmp(name, "current"))
6021 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6022 PROCESS__SETCURRENT, NULL);
6028 /* Obtain a SID for the context, if one was specified. */
6029 if (size && str[0] && str[0] != '\n') {
6030 if (str[size-1] == '\n') {
6034 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
6035 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6036 if (!has_cap_mac_admin(true)) {
6037 struct audit_buffer *ab;
6040 /* We strip a nul only if it is at the end, otherwise the
6041 * context contains a nul and we should audit that */
6042 if (str[size - 1] == '\0')
6043 audit_size = size - 1;
6046 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
6047 audit_log_format(ab, "op=fscreate invalid_context=");
6048 audit_log_n_untrustedstring(ab, value, audit_size);
6053 error = security_context_to_sid_force(value, size,
6060 new = prepare_creds();
6064 /* Permission checking based on the specified context is
6065 performed during the actual operation (execve,
6066 open/mkdir/...), when we know the full context of the
6067 operation. See selinux_bprm_set_creds for the execve
6068 checks and may_create for the file creation checks. The
6069 operation will then fail if the context is not permitted. */
6070 tsec = new->security;
6071 if (!strcmp(name, "exec")) {
6072 tsec->exec_sid = sid;
6073 } else if (!strcmp(name, "fscreate")) {
6074 tsec->create_sid = sid;
6075 } else if (!strcmp(name, "keycreate")) {
6076 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
6080 tsec->keycreate_sid = sid;
6081 } else if (!strcmp(name, "sockcreate")) {
6082 tsec->sockcreate_sid = sid;
6083 } else if (!strcmp(name, "current")) {
6088 /* Only allow single threaded processes to change context */
6090 if (!current_is_single_threaded()) {
6091 error = security_bounded_transition(tsec->sid, sid);
6096 /* Check permissions for the transition. */
6097 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6098 PROCESS__DYNTRANSITION, NULL);
6102 /* Check for ptracing, and update the task SID if ok.
6103 Otherwise, leave SID unchanged and fail. */
6104 ptsid = ptrace_parent_sid();
6106 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6107 PROCESS__PTRACE, NULL);
6126 static int selinux_ismaclabel(const char *name)
6128 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6131 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6133 return security_sid_to_context(secid, secdata, seclen);
6136 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6138 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
6141 static void selinux_release_secctx(char *secdata, u32 seclen)
6146 static void selinux_inode_invalidate_secctx(struct inode *inode)
6148 struct inode_security_struct *isec = inode->i_security;
6150 spin_lock(&isec->lock);
6151 isec->initialized = LABEL_INVALID;
6152 spin_unlock(&isec->lock);
6156 * called with inode->i_mutex locked
6158 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6160 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6162 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6163 return rc == -EOPNOTSUPP ? 0 : rc;
6167 * called with inode->i_mutex locked
6169 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6171 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6174 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6177 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6186 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6187 unsigned long flags)
6189 const struct task_security_struct *tsec;
6190 struct key_security_struct *ksec;
6192 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6196 tsec = cred->security;
6197 if (tsec->keycreate_sid)
6198 ksec->sid = tsec->keycreate_sid;
6200 ksec->sid = tsec->sid;
6206 static void selinux_key_free(struct key *k)
6208 struct key_security_struct *ksec = k->security;
6214 static int selinux_key_permission(key_ref_t key_ref,
6215 const struct cred *cred,
6219 struct key_security_struct *ksec;
6222 /* if no specific permissions are requested, we skip the
6223 permission check. No serious, additional covert channels
6224 appear to be created. */
6228 sid = cred_sid(cred);
6230 key = key_ref_to_ptr(key_ref);
6231 ksec = key->security;
6233 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6236 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6238 struct key_security_struct *ksec = key->security;
6239 char *context = NULL;
6243 rc = security_sid_to_context(ksec->sid, &context, &len);
6251 #ifdef CONFIG_SECURITY_INFINIBAND
6252 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6254 struct common_audit_data ad;
6257 struct ib_security_struct *sec = ib_sec;
6258 struct lsm_ibpkey_audit ibpkey;
6260 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6264 ad.type = LSM_AUDIT_DATA_IBPKEY;
6265 ibpkey.subnet_prefix = subnet_prefix;
6266 ibpkey.pkey = pkey_val;
6267 ad.u.ibpkey = &ibpkey;
6268 return avc_has_perm(sec->sid, sid,
6269 SECCLASS_INFINIBAND_PKEY,
6270 INFINIBAND_PKEY__ACCESS, &ad);
6273 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6276 struct common_audit_data ad;
6279 struct ib_security_struct *sec = ib_sec;
6280 struct lsm_ibendport_audit ibendport;
6282 err = security_ib_endport_sid(dev_name, port_num, &sid);
6287 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6288 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6289 ibendport.port = port_num;
6290 ad.u.ibendport = &ibendport;
6291 return avc_has_perm(sec->sid, sid,
6292 SECCLASS_INFINIBAND_ENDPORT,
6293 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6296 static int selinux_ib_alloc_security(void **ib_sec)
6298 struct ib_security_struct *sec;
6300 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6303 sec->sid = current_sid();
6309 static void selinux_ib_free_security(void *ib_sec)
6315 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6316 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6317 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6318 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6319 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6321 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6322 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6323 LSM_HOOK_INIT(capget, selinux_capget),
6324 LSM_HOOK_INIT(capset, selinux_capset),
6325 LSM_HOOK_INIT(capable, selinux_capable),
6326 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6327 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6328 LSM_HOOK_INIT(syslog, selinux_syslog),
6329 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6331 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6333 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6334 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6335 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6337 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6338 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6339 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6340 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6341 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6342 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6343 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6344 LSM_HOOK_INIT(sb_mount, selinux_mount),
6345 LSM_HOOK_INIT(sb_umount, selinux_umount),
6346 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6347 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6348 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6350 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6351 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6353 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6354 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6355 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6356 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6357 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6358 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6359 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6360 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6361 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6362 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6363 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6364 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6365 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6366 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6367 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6368 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6369 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6370 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6371 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6372 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6373 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6374 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6375 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6376 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6377 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6378 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6379 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6381 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6382 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6383 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6384 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6385 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6386 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6387 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6388 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6389 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6390 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6391 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6392 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6394 LSM_HOOK_INIT(file_open, selinux_file_open),
6396 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6397 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6398 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6399 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6400 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6401 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6402 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6403 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6404 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6405 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6406 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6407 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6408 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6409 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6410 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6411 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6412 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6413 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6414 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6415 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6416 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6417 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6418 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6420 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6421 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6423 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6424 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6426 LSM_HOOK_INIT(msg_queue_alloc_security,
6427 selinux_msg_queue_alloc_security),
6428 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6429 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6430 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6431 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6432 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6434 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6435 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6436 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6437 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6438 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6440 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6441 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6442 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6443 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6444 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6446 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6448 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6449 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6451 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6452 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6453 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6454 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6455 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6456 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6457 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6458 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6460 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6461 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6463 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6464 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6465 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6466 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6467 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6468 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6469 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6470 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6471 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6472 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6473 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6474 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6475 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6476 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6477 LSM_HOOK_INIT(socket_getpeersec_stream,
6478 selinux_socket_getpeersec_stream),
6479 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6480 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6481 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6482 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6483 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6484 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6485 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6486 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6487 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6488 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6489 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6490 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6491 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6492 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6493 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6494 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6495 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6496 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6497 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6498 #ifdef CONFIG_SECURITY_INFINIBAND
6499 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6500 LSM_HOOK_INIT(ib_endport_manage_subnet,
6501 selinux_ib_endport_manage_subnet),
6502 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6503 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6505 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6506 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6507 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6508 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6509 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6510 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6511 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6512 selinux_xfrm_state_alloc_acquire),
6513 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6514 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6515 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6516 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6517 selinux_xfrm_state_pol_flow_match),
6518 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6522 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6523 LSM_HOOK_INIT(key_free, selinux_key_free),
6524 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6525 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6529 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6530 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6531 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6532 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6536 static __init int selinux_init(void)
6538 if (!security_module_enable("selinux")) {
6539 selinux_enabled = 0;
6543 if (!selinux_enabled) {
6544 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6548 printk(KERN_INFO "SELinux: Initializing.\n");
6550 /* Set the security state for the initial task. */
6551 cred_init_security();
6553 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6555 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6556 sizeof(struct inode_security_struct),
6557 0, SLAB_PANIC, NULL);
6558 file_security_cache = kmem_cache_create("selinux_file_security",
6559 sizeof(struct file_security_struct),
6560 0, SLAB_PANIC, NULL);
6563 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6565 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6566 panic("SELinux: Unable to register AVC netcache callback\n");
6568 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6569 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6571 if (selinux_enforcing)
6572 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6574 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6579 static void delayed_superblock_init(struct super_block *sb, void *unused)
6581 superblock_doinit(sb, NULL);
6584 void selinux_complete_init(void)
6586 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6588 /* Set up any superblocks initialized prior to the policy load. */
6589 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6590 iterate_supers(delayed_superblock_init, NULL);
6593 /* SELinux requires early initialization in order to label
6594 all processes and objects when they are created. */
6595 security_initcall(selinux_init);
6597 #if defined(CONFIG_NETFILTER)
6599 static const struct nf_hook_ops selinux_nf_ops[] = {
6601 .hook = selinux_ipv4_postroute,
6603 .hooknum = NF_INET_POST_ROUTING,
6604 .priority = NF_IP_PRI_SELINUX_LAST,
6607 .hook = selinux_ipv4_forward,
6609 .hooknum = NF_INET_FORWARD,
6610 .priority = NF_IP_PRI_SELINUX_FIRST,
6613 .hook = selinux_ipv4_output,
6615 .hooknum = NF_INET_LOCAL_OUT,
6616 .priority = NF_IP_PRI_SELINUX_FIRST,
6618 #if IS_ENABLED(CONFIG_IPV6)
6620 .hook = selinux_ipv6_postroute,
6622 .hooknum = NF_INET_POST_ROUTING,
6623 .priority = NF_IP6_PRI_SELINUX_LAST,
6626 .hook = selinux_ipv6_forward,
6628 .hooknum = NF_INET_FORWARD,
6629 .priority = NF_IP6_PRI_SELINUX_FIRST,
6632 .hook = selinux_ipv6_output,
6634 .hooknum = NF_INET_LOCAL_OUT,
6635 .priority = NF_IP6_PRI_SELINUX_FIRST,
6640 static int __net_init selinux_nf_register(struct net *net)
6642 return nf_register_net_hooks(net, selinux_nf_ops,
6643 ARRAY_SIZE(selinux_nf_ops));
6646 static void __net_exit selinux_nf_unregister(struct net *net)
6648 nf_unregister_net_hooks(net, selinux_nf_ops,
6649 ARRAY_SIZE(selinux_nf_ops));
6652 static struct pernet_operations selinux_net_ops = {
6653 .init = selinux_nf_register,
6654 .exit = selinux_nf_unregister,
6657 static int __init selinux_nf_ip_init(void)
6661 if (!selinux_enabled)
6664 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6666 err = register_pernet_subsys(&selinux_net_ops);
6668 panic("SELinux: register_pernet_subsys: error %d\n", err);
6672 __initcall(selinux_nf_ip_init);
6674 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6675 static void selinux_nf_ip_exit(void)
6677 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6679 unregister_pernet_subsys(&selinux_net_ops);
6683 #else /* CONFIG_NETFILTER */
6685 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6686 #define selinux_nf_ip_exit()
6689 #endif /* CONFIG_NETFILTER */
6691 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6692 static int selinux_disabled;
6694 int selinux_disable(void)
6696 if (ss_initialized) {
6697 /* Not permitted after initial policy load. */
6701 if (selinux_disabled) {
6702 /* Only do this once. */
6706 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6708 selinux_disabled = 1;
6709 selinux_enabled = 0;
6711 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6713 /* Try to destroy the avc node cache */
6716 /* Unregister netfilter hooks. */
6717 selinux_nf_ip_exit();
6719 /* Unregister selinuxfs. */