2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
103 struct selinux_state selinux_state;
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
111 static int __init enforcing_setup(char *str)
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
118 __setup("enforcing=", enforcing_setup);
120 #define selinux_enforcing_boot 1
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
126 static int __init selinux_enabled_setup(char *str)
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
133 __setup("selinux=", selinux_enabled_setup);
135 int selinux_enabled = 1;
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 static int __init checkreqprot_setup(char *str)
143 unsigned long checkreqprot;
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
149 __setup("checkreqprot=", checkreqprot_setup);
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
165 static int selinux_secmark_enabled(void)
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
181 static int selinux_peerlbl_enabled(void)
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
187 static int selinux_netcache_avc_callback(u32 event)
189 if (event == AVC_CALLBACK_RESET) {
198 static int selinux_lsm_notifier_avc_callback(u32 event)
200 if (event == AVC_CALLBACK_RESET) {
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
209 * initialise the security for the init task
211 static void cred_init_security(void)
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
218 panic("SELinux: Failed to initialize initial task.\n");
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
225 * get the security ID of a set of credentials
227 static inline u32 cred_sid(const struct cred *cred)
229 const struct task_security_struct *tsec;
231 tsec = cred->security;
236 * get the objective security ID of a task
238 static inline u32 task_sid(const struct task_struct *task)
243 sid = cred_sid(__task_cred(task));
248 /* Allocate and free functions for each kind of security blob. */
250 static int inode_alloc_security(struct inode *inode)
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @dentry parameter should be set to a dentry of the inode.
279 static int __inode_security_revalidate(struct inode *inode,
280 struct dentry *dentry,
283 struct inode_security_struct *isec = inode->i_security;
285 might_sleep_if(may_sleep);
287 if (selinux_state.initialized &&
288 isec->initialized != LABEL_INITIALIZED) {
293 * Try reloading the inode security label. This will fail if
294 * @opt_dentry is NULL and no dentry for this inode can be
295 * found; in that case, continue using the old label.
297 inode_doinit_with_dentry(inode, dentry);
302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304 return inode->i_security;
307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
311 error = __inode_security_revalidate(inode, NULL, !rcu);
313 return ERR_PTR(error);
314 return inode->i_security;
318 * Get the security label of an inode.
320 static struct inode_security_struct *inode_security(struct inode *inode)
322 __inode_security_revalidate(inode, NULL, true);
323 return inode->i_security;
326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328 struct inode *inode = d_backing_inode(dentry);
330 return inode->i_security;
334 * Get the security label of a dentry's backing inode.
336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338 struct inode *inode = d_backing_inode(dentry);
340 __inode_security_revalidate(inode, dentry, true);
341 return inode->i_security;
344 static void inode_free_rcu(struct rcu_head *head)
346 struct inode_security_struct *isec;
348 isec = container_of(head, struct inode_security_struct, rcu);
349 kmem_cache_free(sel_inode_cache, isec);
352 static void inode_free_security(struct inode *inode)
354 struct inode_security_struct *isec = inode->i_security;
355 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
358 * As not all inode security structures are in a list, we check for
359 * empty list outside of the lock to make sure that we won't waste
360 * time taking a lock doing nothing.
362 * The list_del_init() function can be safely called more than once.
363 * It should not be possible for this function to be called with
364 * concurrent list_add(), but for better safety against future changes
365 * in the code, we use list_empty_careful() here.
367 if (!list_empty_careful(&isec->list)) {
368 spin_lock(&sbsec->isec_lock);
369 list_del_init(&isec->list);
370 spin_unlock(&sbsec->isec_lock);
374 * The inode may still be referenced in a path walk and
375 * a call to selinux_inode_permission() can be made
376 * after inode_free_security() is called. Ideally, the VFS
377 * wouldn't do this, but fixing that is a much harder
378 * job. For now, simply free the i_security via RCU, and
379 * leave the current inode->i_security pointer intact.
380 * The inode will be freed after the RCU grace period too.
382 call_rcu(&isec->rcu, inode_free_rcu);
385 static int file_alloc_security(struct file *file)
387 struct file_security_struct *fsec;
388 u32 sid = current_sid();
390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
395 fsec->fown_sid = sid;
396 file->f_security = fsec;
401 static void file_free_security(struct file *file)
403 struct file_security_struct *fsec = file->f_security;
404 file->f_security = NULL;
405 kmem_cache_free(file_security_cache, fsec);
408 static int superblock_alloc_security(struct super_block *sb)
410 struct superblock_security_struct *sbsec;
412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
416 mutex_init(&sbsec->lock);
417 INIT_LIST_HEAD(&sbsec->isec_head);
418 spin_lock_init(&sbsec->isec_lock);
420 sbsec->sid = SECINITSID_UNLABELED;
421 sbsec->def_sid = SECINITSID_FILE;
422 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423 sb->s_security = sbsec;
428 static void superblock_free_security(struct super_block *sb)
430 struct superblock_security_struct *sbsec = sb->s_security;
431 sb->s_security = NULL;
435 static inline int inode_doinit(struct inode *inode)
437 return inode_doinit_with_dentry(inode, NULL);
446 Opt_labelsupport = 5,
450 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
452 static const match_table_t tokens = {
453 {Opt_context, CONTEXT_STR "%s"},
454 {Opt_fscontext, FSCONTEXT_STR "%s"},
455 {Opt_defcontext, DEFCONTEXT_STR "%s"},
456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457 {Opt_labelsupport, LABELSUPP_STR},
461 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
463 static int may_context_mount_sb_relabel(u32 sid,
464 struct superblock_security_struct *sbsec,
465 const struct cred *cred)
467 const struct task_security_struct *tsec = cred->security;
470 rc = avc_has_perm(&selinux_state,
471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 FILESYSTEM__RELABELFROM, NULL);
476 rc = avc_has_perm(&selinux_state,
477 tsec->sid, sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__RELABELTO, NULL);
482 static int may_context_mount_inode_relabel(u32 sid,
483 struct superblock_security_struct *sbsec,
484 const struct cred *cred)
486 const struct task_security_struct *tsec = cred->security;
488 rc = avc_has_perm(&selinux_state,
489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 FILESYSTEM__RELABELFROM, NULL);
494 rc = avc_has_perm(&selinux_state,
495 sid, sbsec->sid, SECCLASS_FILESYSTEM,
496 FILESYSTEM__ASSOCIATE, NULL);
500 static int selinux_is_genfs_special_handling(struct super_block *sb)
502 /* Special handling. Genfs but also in-core setxattr handler */
503 return !strcmp(sb->s_type->name, "sysfs") ||
504 !strcmp(sb->s_type->name, "pstore") ||
505 !strcmp(sb->s_type->name, "debugfs") ||
506 !strcmp(sb->s_type->name, "tracefs") ||
507 !strcmp(sb->s_type->name, "rootfs") ||
508 (selinux_policycap_cgroupseclabel() &&
509 (!strcmp(sb->s_type->name, "cgroup") ||
510 !strcmp(sb->s_type->name, "cgroup2")));
513 static int selinux_is_sblabel_mnt(struct super_block *sb)
515 struct superblock_security_struct *sbsec = sb->s_security;
518 * IMPORTANT: Double-check logic in this function when adding a new
519 * SECURITY_FS_USE_* definition!
521 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
523 switch (sbsec->behavior) {
524 case SECURITY_FS_USE_XATTR:
525 case SECURITY_FS_USE_TRANS:
526 case SECURITY_FS_USE_TASK:
527 case SECURITY_FS_USE_NATIVE:
530 case SECURITY_FS_USE_GENFS:
531 return selinux_is_genfs_special_handling(sb);
533 /* Never allow relabeling on context mounts */
534 case SECURITY_FS_USE_MNTPOINT:
535 case SECURITY_FS_USE_NONE:
541 static int sb_finish_set_opts(struct super_block *sb)
543 struct superblock_security_struct *sbsec = sb->s_security;
544 struct dentry *root = sb->s_root;
545 struct inode *root_inode = d_backing_inode(root);
548 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
549 /* Make sure that the xattr handler exists and that no
550 error other than -ENODATA is returned by getxattr on
551 the root directory. -ENODATA is ok, as this may be
552 the first boot of the SELinux kernel before we have
553 assigned xattr values to the filesystem. */
554 if (!(root_inode->i_opflags & IOP_XATTR)) {
555 pr_warn("SELinux: (dev %s, type %s) has no "
556 "xattr support\n", sb->s_id, sb->s_type->name);
561 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
562 if (rc < 0 && rc != -ENODATA) {
563 if (rc == -EOPNOTSUPP)
564 pr_warn("SELinux: (dev %s, type "
565 "%s) has no security xattr handler\n",
566 sb->s_id, sb->s_type->name);
568 pr_warn("SELinux: (dev %s, type "
569 "%s) getxattr errno %d\n", sb->s_id,
570 sb->s_type->name, -rc);
575 sbsec->flags |= SE_SBINITIALIZED;
578 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
579 * leave the flag untouched because sb_clone_mnt_opts might be handing
580 * us a superblock that needs the flag to be cleared.
582 if (selinux_is_sblabel_mnt(sb))
583 sbsec->flags |= SBLABEL_MNT;
585 sbsec->flags &= ~SBLABEL_MNT;
587 /* Initialize the root inode. */
588 rc = inode_doinit_with_dentry(root_inode, root);
590 /* Initialize any other inodes associated with the superblock, e.g.
591 inodes created prior to initial policy load or inodes created
592 during get_sb by a pseudo filesystem that directly
594 spin_lock(&sbsec->isec_lock);
596 if (!list_empty(&sbsec->isec_head)) {
597 struct inode_security_struct *isec =
598 list_entry(sbsec->isec_head.next,
599 struct inode_security_struct, list);
600 struct inode *inode = isec->inode;
601 list_del_init(&isec->list);
602 spin_unlock(&sbsec->isec_lock);
603 inode = igrab(inode);
605 if (!IS_PRIVATE(inode))
609 spin_lock(&sbsec->isec_lock);
612 spin_unlock(&sbsec->isec_lock);
618 * This function should allow an FS to ask what it's mount security
619 * options were so it can use those later for submounts, displaying
620 * mount options, or whatever.
622 static int selinux_get_mnt_opts(const struct super_block *sb,
623 struct security_mnt_opts *opts)
626 struct superblock_security_struct *sbsec = sb->s_security;
627 char *context = NULL;
631 security_init_mnt_opts(opts);
633 if (!(sbsec->flags & SE_SBINITIALIZED))
636 if (!selinux_state.initialized)
639 /* make sure we always check enough bits to cover the mask */
640 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
642 tmp = sbsec->flags & SE_MNTMASK;
643 /* count the number of mount options for this sb */
644 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
646 opts->num_mnt_opts++;
649 /* Check if the Label support flag is set */
650 if (sbsec->flags & SBLABEL_MNT)
651 opts->num_mnt_opts++;
653 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
654 if (!opts->mnt_opts) {
659 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
660 if (!opts->mnt_opts_flags) {
666 if (sbsec->flags & FSCONTEXT_MNT) {
667 rc = security_sid_to_context(&selinux_state, sbsec->sid,
671 opts->mnt_opts[i] = context;
672 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
674 if (sbsec->flags & CONTEXT_MNT) {
675 rc = security_sid_to_context(&selinux_state,
680 opts->mnt_opts[i] = context;
681 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
683 if (sbsec->flags & DEFCONTEXT_MNT) {
684 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
688 opts->mnt_opts[i] = context;
689 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
691 if (sbsec->flags & ROOTCONTEXT_MNT) {
692 struct dentry *root = sbsec->sb->s_root;
693 struct inode_security_struct *isec = backing_inode_security(root);
695 rc = security_sid_to_context(&selinux_state, isec->sid,
699 opts->mnt_opts[i] = context;
700 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
702 if (sbsec->flags & SBLABEL_MNT) {
703 opts->mnt_opts[i] = NULL;
704 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
707 BUG_ON(i != opts->num_mnt_opts);
712 security_free_mnt_opts(opts);
716 static int bad_option(struct superblock_security_struct *sbsec, char flag,
717 u32 old_sid, u32 new_sid)
719 char mnt_flags = sbsec->flags & SE_MNTMASK;
721 /* check if the old mount command had the same options */
722 if (sbsec->flags & SE_SBINITIALIZED)
723 if (!(sbsec->flags & flag) ||
724 (old_sid != new_sid))
727 /* check if we were passed the same options twice,
728 * aka someone passed context=a,context=b
730 if (!(sbsec->flags & SE_SBINITIALIZED))
731 if (mnt_flags & flag)
737 * Allow filesystems with binary mount data to explicitly set mount point
738 * labeling information.
740 static int selinux_set_mnt_opts(struct super_block *sb,
741 struct security_mnt_opts *opts,
742 unsigned long kern_flags,
743 unsigned long *set_kern_flags)
745 const struct cred *cred = current_cred();
747 struct superblock_security_struct *sbsec = sb->s_security;
748 const char *name = sb->s_type->name;
749 struct dentry *root = sbsec->sb->s_root;
750 struct inode_security_struct *root_isec;
751 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
752 u32 defcontext_sid = 0;
753 char **mount_options = opts->mnt_opts;
754 int *flags = opts->mnt_opts_flags;
755 int num_opts = opts->num_mnt_opts;
757 mutex_lock(&sbsec->lock);
759 if (!selinux_state.initialized) {
761 /* Defer initialization until selinux_complete_init,
762 after the initial policy is loaded and the security
763 server is ready to handle calls. */
767 pr_warn("SELinux: Unable to set superblock options "
768 "before the security server is initialized\n");
771 if (kern_flags && !set_kern_flags) {
772 /* Specifying internal flags without providing a place to
773 * place the results is not allowed */
779 * Binary mount data FS will come through this function twice. Once
780 * from an explicit call and once from the generic calls from the vfs.
781 * Since the generic VFS calls will not contain any security mount data
782 * we need to skip the double mount verification.
784 * This does open a hole in which we will not notice if the first
785 * mount using this sb set explict options and a second mount using
786 * this sb does not set any security options. (The first options
787 * will be used for both mounts)
789 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
793 root_isec = backing_inode_security_novalidate(root);
796 * parse the mount options, check if they are valid sids.
797 * also check if someone is trying to mount the same sb more
798 * than once with different security options.
800 for (i = 0; i < num_opts; i++) {
803 if (flags[i] == SBLABEL_MNT)
805 rc = security_context_str_to_sid(&selinux_state,
806 mount_options[i], &sid,
809 pr_warn("SELinux: security_context_str_to_sid"
810 "(%s) failed for (dev %s, type %s) errno=%d\n",
811 mount_options[i], sb->s_id, name, rc);
818 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
820 goto out_double_mount;
822 sbsec->flags |= FSCONTEXT_MNT;
827 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
829 goto out_double_mount;
831 sbsec->flags |= CONTEXT_MNT;
833 case ROOTCONTEXT_MNT:
834 rootcontext_sid = sid;
836 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
838 goto out_double_mount;
840 sbsec->flags |= ROOTCONTEXT_MNT;
844 defcontext_sid = sid;
846 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
848 goto out_double_mount;
850 sbsec->flags |= DEFCONTEXT_MNT;
859 if (sbsec->flags & SE_SBINITIALIZED) {
860 /* previously mounted with options, but not on this attempt? */
861 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
862 goto out_double_mount;
867 if (strcmp(sb->s_type->name, "proc") == 0)
868 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
870 if (!strcmp(sb->s_type->name, "debugfs") ||
871 !strcmp(sb->s_type->name, "tracefs") ||
872 !strcmp(sb->s_type->name, "sysfs") ||
873 !strcmp(sb->s_type->name, "pstore") ||
874 !strcmp(sb->s_type->name, "cgroup") ||
875 !strcmp(sb->s_type->name, "cgroup2"))
876 sbsec->flags |= SE_SBGENFS;
878 if (!sbsec->behavior) {
880 * Determine the labeling behavior to use for this
883 rc = security_fs_use(&selinux_state, sb);
885 pr_warn("%s: security_fs_use(%s) returned %d\n",
886 __func__, sb->s_type->name, rc);
892 * If this is a user namespace mount and the filesystem type is not
893 * explicitly whitelisted, then no contexts are allowed on the command
894 * line and security labels must be ignored.
896 if (sb->s_user_ns != &init_user_ns &&
897 strcmp(sb->s_type->name, "tmpfs") &&
898 strcmp(sb->s_type->name, "ramfs") &&
899 strcmp(sb->s_type->name, "devpts")) {
900 if (context_sid || fscontext_sid || rootcontext_sid ||
905 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
906 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
907 rc = security_transition_sid(&selinux_state,
911 &sbsec->mntpoint_sid);
918 /* sets the context of the superblock for the fs being mounted. */
920 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
924 sbsec->sid = fscontext_sid;
928 * Switch to using mount point labeling behavior.
929 * sets the label used on all file below the mountpoint, and will set
930 * the superblock context if not already set.
932 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
933 sbsec->behavior = SECURITY_FS_USE_NATIVE;
934 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
938 if (!fscontext_sid) {
939 rc = may_context_mount_sb_relabel(context_sid, sbsec,
943 sbsec->sid = context_sid;
945 rc = may_context_mount_inode_relabel(context_sid, sbsec,
950 if (!rootcontext_sid)
951 rootcontext_sid = context_sid;
953 sbsec->mntpoint_sid = context_sid;
954 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
957 if (rootcontext_sid) {
958 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
963 root_isec->sid = rootcontext_sid;
964 root_isec->initialized = LABEL_INITIALIZED;
967 if (defcontext_sid) {
968 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
969 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
971 pr_warn("SELinux: defcontext option is "
972 "invalid for this filesystem type\n");
976 if (defcontext_sid != sbsec->def_sid) {
977 rc = may_context_mount_inode_relabel(defcontext_sid,
983 sbsec->def_sid = defcontext_sid;
987 rc = sb_finish_set_opts(sb);
989 mutex_unlock(&sbsec->lock);
993 pr_warn("SELinux: mount invalid. Same superblock, different "
994 "security settings for (dev %s, type %s)\n", sb->s_id, name);
998 static int selinux_cmp_sb_context(const struct super_block *oldsb,
999 const struct super_block *newsb)
1001 struct superblock_security_struct *old = oldsb->s_security;
1002 struct superblock_security_struct *new = newsb->s_security;
1003 char oldflags = old->flags & SE_MNTMASK;
1004 char newflags = new->flags & SE_MNTMASK;
1006 if (oldflags != newflags)
1008 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
1010 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
1012 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
1014 if (oldflags & ROOTCONTEXT_MNT) {
1015 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
1016 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
1017 if (oldroot->sid != newroot->sid)
1022 pr_warn("SELinux: mount invalid. Same superblock, "
1023 "different security settings for (dev %s, "
1024 "type %s)\n", newsb->s_id, newsb->s_type->name);
1028 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1029 struct super_block *newsb,
1030 unsigned long kern_flags,
1031 unsigned long *set_kern_flags)
1034 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1035 struct superblock_security_struct *newsbsec = newsb->s_security;
1037 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1038 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1039 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1042 * if the parent was able to be mounted it clearly had no special lsm
1043 * mount options. thus we can safely deal with this superblock later
1045 if (!selinux_state.initialized)
1049 * Specifying internal flags without providing a place to
1050 * place the results is not allowed.
1052 if (kern_flags && !set_kern_flags)
1055 /* how can we clone if the old one wasn't set up?? */
1056 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1058 /* if fs is reusing a sb, make sure that the contexts match */
1059 if (newsbsec->flags & SE_SBINITIALIZED) {
1060 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
1061 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1062 return selinux_cmp_sb_context(oldsb, newsb);
1065 mutex_lock(&newsbsec->lock);
1067 newsbsec->flags = oldsbsec->flags;
1069 newsbsec->sid = oldsbsec->sid;
1070 newsbsec->def_sid = oldsbsec->def_sid;
1071 newsbsec->behavior = oldsbsec->behavior;
1073 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1074 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1075 rc = security_fs_use(&selinux_state, newsb);
1080 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1081 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1082 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1086 u32 sid = oldsbsec->mntpoint_sid;
1089 newsbsec->sid = sid;
1090 if (!set_rootcontext) {
1091 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1094 newsbsec->mntpoint_sid = sid;
1096 if (set_rootcontext) {
1097 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1098 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1100 newisec->sid = oldisec->sid;
1103 sb_finish_set_opts(newsb);
1105 mutex_unlock(&newsbsec->lock);
1109 static int selinux_parse_opts_str(char *options,
1110 struct security_mnt_opts *opts)
1113 char *context = NULL, *defcontext = NULL;
1114 char *fscontext = NULL, *rootcontext = NULL;
1115 int rc, num_mnt_opts = 0;
1117 opts->num_mnt_opts = 0;
1119 /* Standard string-based options. */
1120 while ((p = strsep(&options, "|")) != NULL) {
1122 substring_t args[MAX_OPT_ARGS];
1127 token = match_token(p, tokens, args);
1131 if (context || defcontext) {
1133 pr_warn(SEL_MOUNT_FAIL_MSG);
1136 context = match_strdup(&args[0]);
1146 pr_warn(SEL_MOUNT_FAIL_MSG);
1149 fscontext = match_strdup(&args[0]);
1156 case Opt_rootcontext:
1159 pr_warn(SEL_MOUNT_FAIL_MSG);
1162 rootcontext = match_strdup(&args[0]);
1169 case Opt_defcontext:
1170 if (context || defcontext) {
1172 pr_warn(SEL_MOUNT_FAIL_MSG);
1175 defcontext = match_strdup(&args[0]);
1181 case Opt_labelsupport:
1185 pr_warn("SELinux: unknown mount option\n");
1192 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1193 if (!opts->mnt_opts)
1196 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1198 if (!opts->mnt_opts_flags)
1202 opts->mnt_opts[num_mnt_opts] = fscontext;
1203 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1206 opts->mnt_opts[num_mnt_opts] = context;
1207 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1210 opts->mnt_opts[num_mnt_opts] = rootcontext;
1211 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1214 opts->mnt_opts[num_mnt_opts] = defcontext;
1215 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1218 opts->num_mnt_opts = num_mnt_opts;
1222 security_free_mnt_opts(opts);
1230 * string mount options parsing and call set the sbsec
1232 static int superblock_doinit(struct super_block *sb, void *data)
1235 char *options = data;
1236 struct security_mnt_opts opts;
1238 security_init_mnt_opts(&opts);
1243 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1245 rc = selinux_parse_opts_str(options, &opts);
1250 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1253 security_free_mnt_opts(&opts);
1257 static void selinux_write_opts(struct seq_file *m,
1258 struct security_mnt_opts *opts)
1263 for (i = 0; i < opts->num_mnt_opts; i++) {
1266 if (opts->mnt_opts[i])
1267 has_comma = strchr(opts->mnt_opts[i], ',');
1271 switch (opts->mnt_opts_flags[i]) {
1273 prefix = CONTEXT_STR;
1276 prefix = FSCONTEXT_STR;
1278 case ROOTCONTEXT_MNT:
1279 prefix = ROOTCONTEXT_STR;
1281 case DEFCONTEXT_MNT:
1282 prefix = DEFCONTEXT_STR;
1286 seq_puts(m, LABELSUPP_STR);
1292 /* we need a comma before each option */
1294 seq_puts(m, prefix);
1297 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1303 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1305 struct security_mnt_opts opts;
1308 rc = selinux_get_mnt_opts(sb, &opts);
1310 /* before policy load we may get EINVAL, don't show anything */
1316 selinux_write_opts(m, &opts);
1318 security_free_mnt_opts(&opts);
1323 static inline u16 inode_mode_to_security_class(umode_t mode)
1325 switch (mode & S_IFMT) {
1327 return SECCLASS_SOCK_FILE;
1329 return SECCLASS_LNK_FILE;
1331 return SECCLASS_FILE;
1333 return SECCLASS_BLK_FILE;
1335 return SECCLASS_DIR;
1337 return SECCLASS_CHR_FILE;
1339 return SECCLASS_FIFO_FILE;
1343 return SECCLASS_FILE;
1346 static inline int default_protocol_stream(int protocol)
1348 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1351 static inline int default_protocol_dgram(int protocol)
1353 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1356 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1358 int extsockclass = selinux_policycap_extsockclass();
1364 case SOCK_SEQPACKET:
1365 return SECCLASS_UNIX_STREAM_SOCKET;
1368 return SECCLASS_UNIX_DGRAM_SOCKET;
1375 case SOCK_SEQPACKET:
1376 if (default_protocol_stream(protocol))
1377 return SECCLASS_TCP_SOCKET;
1378 else if (extsockclass && protocol == IPPROTO_SCTP)
1379 return SECCLASS_SCTP_SOCKET;
1381 return SECCLASS_RAWIP_SOCKET;
1383 if (default_protocol_dgram(protocol))
1384 return SECCLASS_UDP_SOCKET;
1385 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1386 protocol == IPPROTO_ICMPV6))
1387 return SECCLASS_ICMP_SOCKET;
1389 return SECCLASS_RAWIP_SOCKET;
1391 return SECCLASS_DCCP_SOCKET;
1393 return SECCLASS_RAWIP_SOCKET;
1399 return SECCLASS_NETLINK_ROUTE_SOCKET;
1400 case NETLINK_SOCK_DIAG:
1401 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1403 return SECCLASS_NETLINK_NFLOG_SOCKET;
1405 return SECCLASS_NETLINK_XFRM_SOCKET;
1406 case NETLINK_SELINUX:
1407 return SECCLASS_NETLINK_SELINUX_SOCKET;
1409 return SECCLASS_NETLINK_ISCSI_SOCKET;
1411 return SECCLASS_NETLINK_AUDIT_SOCKET;
1412 case NETLINK_FIB_LOOKUP:
1413 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1414 case NETLINK_CONNECTOR:
1415 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1416 case NETLINK_NETFILTER:
1417 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1418 case NETLINK_DNRTMSG:
1419 return SECCLASS_NETLINK_DNRT_SOCKET;
1420 case NETLINK_KOBJECT_UEVENT:
1421 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1422 case NETLINK_GENERIC:
1423 return SECCLASS_NETLINK_GENERIC_SOCKET;
1424 case NETLINK_SCSITRANSPORT:
1425 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1427 return SECCLASS_NETLINK_RDMA_SOCKET;
1428 case NETLINK_CRYPTO:
1429 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1431 return SECCLASS_NETLINK_SOCKET;
1434 return SECCLASS_PACKET_SOCKET;
1436 return SECCLASS_KEY_SOCKET;
1438 return SECCLASS_APPLETALK_SOCKET;
1444 return SECCLASS_AX25_SOCKET;
1446 return SECCLASS_IPX_SOCKET;
1448 return SECCLASS_NETROM_SOCKET;
1450 return SECCLASS_ATMPVC_SOCKET;
1452 return SECCLASS_X25_SOCKET;
1454 return SECCLASS_ROSE_SOCKET;
1456 return SECCLASS_DECNET_SOCKET;
1458 return SECCLASS_ATMSVC_SOCKET;
1460 return SECCLASS_RDS_SOCKET;
1462 return SECCLASS_IRDA_SOCKET;
1464 return SECCLASS_PPPOX_SOCKET;
1466 return SECCLASS_LLC_SOCKET;
1468 return SECCLASS_CAN_SOCKET;
1470 return SECCLASS_TIPC_SOCKET;
1472 return SECCLASS_BLUETOOTH_SOCKET;
1474 return SECCLASS_IUCV_SOCKET;
1476 return SECCLASS_RXRPC_SOCKET;
1478 return SECCLASS_ISDN_SOCKET;
1480 return SECCLASS_PHONET_SOCKET;
1482 return SECCLASS_IEEE802154_SOCKET;
1484 return SECCLASS_CAIF_SOCKET;
1486 return SECCLASS_ALG_SOCKET;
1488 return SECCLASS_NFC_SOCKET;
1490 return SECCLASS_VSOCK_SOCKET;
1492 return SECCLASS_KCM_SOCKET;
1494 return SECCLASS_QIPCRTR_SOCKET;
1496 return SECCLASS_SMC_SOCKET;
1498 return SECCLASS_XDP_SOCKET;
1500 #error New address family defined, please update this function.
1505 return SECCLASS_SOCKET;
1508 static int selinux_genfs_get_sid(struct dentry *dentry,
1514 struct super_block *sb = dentry->d_sb;
1515 char *buffer, *path;
1517 buffer = (char *)__get_free_page(GFP_KERNEL);
1521 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1525 if (flags & SE_SBPROC) {
1526 /* each process gets a /proc/PID/ entry. Strip off the
1527 * PID part to get a valid selinux labeling.
1528 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1529 while (path[1] >= '0' && path[1] <= '9') {
1534 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1536 if (rc == -ENOENT) {
1537 /* No match in policy, mark as unlabeled. */
1538 *sid = SECINITSID_UNLABELED;
1542 free_page((unsigned long)buffer);
1546 /* The inode's security attributes must be initialized before first use. */
1547 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1549 struct superblock_security_struct *sbsec = NULL;
1550 struct inode_security_struct *isec = inode->i_security;
1551 u32 task_sid, sid = 0;
1553 struct dentry *dentry;
1554 #define INITCONTEXTLEN 255
1555 char *context = NULL;
1559 if (isec->initialized == LABEL_INITIALIZED)
1562 spin_lock(&isec->lock);
1563 if (isec->initialized == LABEL_INITIALIZED)
1566 if (isec->sclass == SECCLASS_FILE)
1567 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1569 sbsec = inode->i_sb->s_security;
1570 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1571 /* Defer initialization until selinux_complete_init,
1572 after the initial policy is loaded and the security
1573 server is ready to handle calls. */
1574 spin_lock(&sbsec->isec_lock);
1575 if (list_empty(&isec->list))
1576 list_add(&isec->list, &sbsec->isec_head);
1577 spin_unlock(&sbsec->isec_lock);
1581 sclass = isec->sclass;
1582 task_sid = isec->task_sid;
1584 isec->initialized = LABEL_PENDING;
1585 spin_unlock(&isec->lock);
1587 switch (sbsec->behavior) {
1588 case SECURITY_FS_USE_NATIVE:
1590 case SECURITY_FS_USE_XATTR:
1591 if (!(inode->i_opflags & IOP_XATTR)) {
1592 sid = sbsec->def_sid;
1595 /* Need a dentry, since the xattr API requires one.
1596 Life would be simpler if we could just pass the inode. */
1598 /* Called from d_instantiate or d_splice_alias. */
1599 dentry = dget(opt_dentry);
1602 * Called from selinux_complete_init, try to find a dentry.
1603 * Some filesystems really want a connected one, so try
1604 * that first. We could split SECURITY_FS_USE_XATTR in
1605 * two, depending upon that...
1607 dentry = d_find_alias(inode);
1609 dentry = d_find_any_alias(inode);
1613 * this is can be hit on boot when a file is accessed
1614 * before the policy is loaded. When we load policy we
1615 * may find inodes that have no dentry on the
1616 * sbsec->isec_head list. No reason to complain as these
1617 * will get fixed up the next time we go through
1618 * inode_doinit with a dentry, before these inodes could
1619 * be used again by userspace.
1624 len = INITCONTEXTLEN;
1625 context = kmalloc(len+1, GFP_NOFS);
1631 context[len] = '\0';
1632 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1633 if (rc == -ERANGE) {
1636 /* Need a larger buffer. Query for the right size. */
1637 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1643 context = kmalloc(len+1, GFP_NOFS);
1649 context[len] = '\0';
1650 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1654 if (rc != -ENODATA) {
1655 pr_warn("SELinux: %s: getxattr returned "
1656 "%d for dev=%s ino=%ld\n", __func__,
1657 -rc, inode->i_sb->s_id, inode->i_ino);
1661 /* Map ENODATA to the default file SID */
1662 sid = sbsec->def_sid;
1665 rc = security_context_to_sid_default(&selinux_state,
1670 char *dev = inode->i_sb->s_id;
1671 unsigned long ino = inode->i_ino;
1673 if (rc == -EINVAL) {
1674 if (printk_ratelimit())
1675 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1676 "context=%s. This indicates you may need to relabel the inode or the "
1677 "filesystem in question.\n", ino, dev, context);
1679 pr_warn("SELinux: %s: context_to_sid(%s) "
1680 "returned %d for dev=%s ino=%ld\n",
1681 __func__, context, -rc, dev, ino);
1684 /* Leave with the unlabeled SID */
1691 case SECURITY_FS_USE_TASK:
1694 case SECURITY_FS_USE_TRANS:
1695 /* Default to the fs SID. */
1698 /* Try to obtain a transition SID. */
1699 rc = security_transition_sid(&selinux_state, task_sid, sid,
1700 sclass, NULL, &sid);
1704 case SECURITY_FS_USE_MNTPOINT:
1705 sid = sbsec->mntpoint_sid;
1708 /* Default to the fs superblock SID. */
1711 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1712 /* We must have a dentry to determine the label on
1715 /* Called from d_instantiate or
1716 * d_splice_alias. */
1717 dentry = dget(opt_dentry);
1719 /* Called from selinux_complete_init, try to
1720 * find a dentry. Some filesystems really want
1721 * a connected one, so try that first.
1723 dentry = d_find_alias(inode);
1725 dentry = d_find_any_alias(inode);
1728 * This can be hit on boot when a file is accessed
1729 * before the policy is loaded. When we load policy we
1730 * may find inodes that have no dentry on the
1731 * sbsec->isec_head list. No reason to complain as
1732 * these will get fixed up the next time we go through
1733 * inode_doinit() with a dentry, before these inodes
1734 * could be used again by userspace.
1738 rc = selinux_genfs_get_sid(dentry, sclass,
1739 sbsec->flags, &sid);
1748 spin_lock(&isec->lock);
1749 if (isec->initialized == LABEL_PENDING) {
1751 isec->initialized = LABEL_INVALID;
1754 isec->initialized = LABEL_INITIALIZED;
1759 spin_unlock(&isec->lock);
1763 spin_lock(&isec->lock);
1764 if (isec->initialized == LABEL_PENDING) {
1765 isec->initialized = LABEL_INVALID;
1768 spin_unlock(&isec->lock);
1772 /* Convert a Linux signal to an access vector. */
1773 static inline u32 signal_to_av(int sig)
1779 /* Commonly granted from child to parent. */
1780 perm = PROCESS__SIGCHLD;
1783 /* Cannot be caught or ignored */
1784 perm = PROCESS__SIGKILL;
1787 /* Cannot be caught or ignored */
1788 perm = PROCESS__SIGSTOP;
1791 /* All other signals. */
1792 perm = PROCESS__SIGNAL;
1799 #if CAP_LAST_CAP > 63
1800 #error Fix SELinux to handle capabilities > 63.
1803 /* Check whether a task is allowed to use a capability. */
1804 static int cred_has_capability(const struct cred *cred,
1805 int cap, unsigned int opts, bool initns)
1807 struct common_audit_data ad;
1808 struct av_decision avd;
1810 u32 sid = cred_sid(cred);
1811 u32 av = CAP_TO_MASK(cap);
1814 ad.type = LSM_AUDIT_DATA_CAP;
1817 switch (CAP_TO_INDEX(cap)) {
1819 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1822 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1825 pr_err("SELinux: out of range capability %d\n", cap);
1830 rc = avc_has_perm_noaudit(&selinux_state,
1831 sid, sid, sclass, av, 0, &avd);
1832 if (!(opts & CAP_OPT_NOAUDIT)) {
1833 int rc2 = avc_audit(&selinux_state,
1834 sid, sid, sclass, av, &avd, rc, &ad, 0);
1841 /* Check whether a task has a particular permission to an inode.
1842 The 'adp' parameter is optional and allows other audit
1843 data to be passed (e.g. the dentry). */
1844 static int inode_has_perm(const struct cred *cred,
1845 struct inode *inode,
1847 struct common_audit_data *adp)
1849 struct inode_security_struct *isec;
1852 validate_creds(cred);
1854 if (unlikely(IS_PRIVATE(inode)))
1857 sid = cred_sid(cred);
1858 isec = inode->i_security;
1860 return avc_has_perm(&selinux_state,
1861 sid, isec->sid, isec->sclass, perms, adp);
1864 /* Same as inode_has_perm, but pass explicit audit data containing
1865 the dentry to help the auditing code to more easily generate the
1866 pathname if needed. */
1867 static inline int dentry_has_perm(const struct cred *cred,
1868 struct dentry *dentry,
1871 struct inode *inode = d_backing_inode(dentry);
1872 struct common_audit_data ad;
1874 ad.type = LSM_AUDIT_DATA_DENTRY;
1875 ad.u.dentry = dentry;
1876 __inode_security_revalidate(inode, dentry, true);
1877 return inode_has_perm(cred, inode, av, &ad);
1880 /* Same as inode_has_perm, but pass explicit audit data containing
1881 the path to help the auditing code to more easily generate the
1882 pathname if needed. */
1883 static inline int path_has_perm(const struct cred *cred,
1884 const struct path *path,
1887 struct inode *inode = d_backing_inode(path->dentry);
1888 struct common_audit_data ad;
1890 ad.type = LSM_AUDIT_DATA_PATH;
1892 __inode_security_revalidate(inode, path->dentry, true);
1893 return inode_has_perm(cred, inode, av, &ad);
1896 /* Same as path_has_perm, but uses the inode from the file struct. */
1897 static inline int file_path_has_perm(const struct cred *cred,
1901 struct common_audit_data ad;
1903 ad.type = LSM_AUDIT_DATA_FILE;
1905 return inode_has_perm(cred, file_inode(file), av, &ad);
1908 #ifdef CONFIG_BPF_SYSCALL
1909 static int bpf_fd_pass(struct file *file, u32 sid);
1912 /* Check whether a task can use an open file descriptor to
1913 access an inode in a given way. Check access to the
1914 descriptor itself, and then use dentry_has_perm to
1915 check a particular permission to the file.
1916 Access to the descriptor is implicitly granted if it
1917 has the same SID as the process. If av is zero, then
1918 access to the file is not checked, e.g. for cases
1919 where only the descriptor is affected like seek. */
1920 static int file_has_perm(const struct cred *cred,
1924 struct file_security_struct *fsec = file->f_security;
1925 struct inode *inode = file_inode(file);
1926 struct common_audit_data ad;
1927 u32 sid = cred_sid(cred);
1930 ad.type = LSM_AUDIT_DATA_FILE;
1933 if (sid != fsec->sid) {
1934 rc = avc_has_perm(&selinux_state,
1943 #ifdef CONFIG_BPF_SYSCALL
1944 rc = bpf_fd_pass(file, cred_sid(cred));
1949 /* av is zero if only checking access to the descriptor. */
1952 rc = inode_has_perm(cred, inode, av, &ad);
1959 * Determine the label for an inode that might be unioned.
1962 selinux_determine_inode_label(const struct task_security_struct *tsec,
1964 const struct qstr *name, u16 tclass,
1967 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1969 if ((sbsec->flags & SE_SBINITIALIZED) &&
1970 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1971 *_new_isid = sbsec->mntpoint_sid;
1972 } else if ((sbsec->flags & SBLABEL_MNT) &&
1974 *_new_isid = tsec->create_sid;
1976 const struct inode_security_struct *dsec = inode_security(dir);
1977 return security_transition_sid(&selinux_state, tsec->sid,
1985 /* Check whether a task can create a file. */
1986 static int may_create(struct inode *dir,
1987 struct dentry *dentry,
1990 const struct task_security_struct *tsec = current_security();
1991 struct inode_security_struct *dsec;
1992 struct superblock_security_struct *sbsec;
1994 struct common_audit_data ad;
1997 dsec = inode_security(dir);
1998 sbsec = dir->i_sb->s_security;
2002 ad.type = LSM_AUDIT_DATA_DENTRY;
2003 ad.u.dentry = dentry;
2005 rc = avc_has_perm(&selinux_state,
2006 sid, dsec->sid, SECCLASS_DIR,
2007 DIR__ADD_NAME | DIR__SEARCH,
2012 rc = selinux_determine_inode_label(current_security(), dir,
2013 &dentry->d_name, tclass, &newsid);
2017 rc = avc_has_perm(&selinux_state,
2018 sid, newsid, tclass, FILE__CREATE, &ad);
2022 return avc_has_perm(&selinux_state,
2024 SECCLASS_FILESYSTEM,
2025 FILESYSTEM__ASSOCIATE, &ad);
2029 #define MAY_UNLINK 1
2032 /* Check whether a task can link, unlink, or rmdir a file/directory. */
2033 static int may_link(struct inode *dir,
2034 struct dentry *dentry,
2038 struct inode_security_struct *dsec, *isec;
2039 struct common_audit_data ad;
2040 u32 sid = current_sid();
2044 dsec = inode_security(dir);
2045 isec = backing_inode_security(dentry);
2047 ad.type = LSM_AUDIT_DATA_DENTRY;
2048 ad.u.dentry = dentry;
2051 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2052 rc = avc_has_perm(&selinux_state,
2053 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2068 pr_warn("SELinux: %s: unrecognized kind %d\n",
2073 rc = avc_has_perm(&selinux_state,
2074 sid, isec->sid, isec->sclass, av, &ad);
2078 static inline int may_rename(struct inode *old_dir,
2079 struct dentry *old_dentry,
2080 struct inode *new_dir,
2081 struct dentry *new_dentry)
2083 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2084 struct common_audit_data ad;
2085 u32 sid = current_sid();
2087 int old_is_dir, new_is_dir;
2090 old_dsec = inode_security(old_dir);
2091 old_isec = backing_inode_security(old_dentry);
2092 old_is_dir = d_is_dir(old_dentry);
2093 new_dsec = inode_security(new_dir);
2095 ad.type = LSM_AUDIT_DATA_DENTRY;
2097 ad.u.dentry = old_dentry;
2098 rc = avc_has_perm(&selinux_state,
2099 sid, old_dsec->sid, SECCLASS_DIR,
2100 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2103 rc = avc_has_perm(&selinux_state,
2105 old_isec->sclass, FILE__RENAME, &ad);
2108 if (old_is_dir && new_dir != old_dir) {
2109 rc = avc_has_perm(&selinux_state,
2111 old_isec->sclass, DIR__REPARENT, &ad);
2116 ad.u.dentry = new_dentry;
2117 av = DIR__ADD_NAME | DIR__SEARCH;
2118 if (d_is_positive(new_dentry))
2119 av |= DIR__REMOVE_NAME;
2120 rc = avc_has_perm(&selinux_state,
2121 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2124 if (d_is_positive(new_dentry)) {
2125 new_isec = backing_inode_security(new_dentry);
2126 new_is_dir = d_is_dir(new_dentry);
2127 rc = avc_has_perm(&selinux_state,
2130 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2138 /* Check whether a task can perform a filesystem operation. */
2139 static int superblock_has_perm(const struct cred *cred,
2140 struct super_block *sb,
2142 struct common_audit_data *ad)
2144 struct superblock_security_struct *sbsec;
2145 u32 sid = cred_sid(cred);
2147 sbsec = sb->s_security;
2148 return avc_has_perm(&selinux_state,
2149 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2152 /* Convert a Linux mode and permission mask to an access vector. */
2153 static inline u32 file_mask_to_av(int mode, int mask)
2157 if (!S_ISDIR(mode)) {
2158 if (mask & MAY_EXEC)
2159 av |= FILE__EXECUTE;
2160 if (mask & MAY_READ)
2163 if (mask & MAY_APPEND)
2165 else if (mask & MAY_WRITE)
2169 if (mask & MAY_EXEC)
2171 if (mask & MAY_WRITE)
2173 if (mask & MAY_READ)
2180 /* Convert a Linux file to an access vector. */
2181 static inline u32 file_to_av(struct file *file)
2185 if (file->f_mode & FMODE_READ)
2187 if (file->f_mode & FMODE_WRITE) {
2188 if (file->f_flags & O_APPEND)
2195 * Special file opened with flags 3 for ioctl-only use.
2204 * Convert a file to an access vector and include the correct open
2207 static inline u32 open_file_to_av(struct file *file)
2209 u32 av = file_to_av(file);
2210 struct inode *inode = file_inode(file);
2212 if (selinux_policycap_openperm() &&
2213 inode->i_sb->s_magic != SOCKFS_MAGIC)
2219 /* Hook functions begin here. */
2221 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2223 return avc_has_perm(&selinux_state,
2224 current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2225 BINDER__SET_CONTEXT_MGR, NULL);
2228 static int selinux_binder_transaction(const struct cred *from,
2229 const struct cred *to)
2231 u32 mysid = current_sid();
2232 u32 fromsid = cred_sid(from);
2233 u32 tosid = cred_sid(to);
2236 if (mysid != fromsid) {
2237 rc = avc_has_perm(&selinux_state,
2238 mysid, fromsid, SECCLASS_BINDER,
2239 BINDER__IMPERSONATE, NULL);
2244 return avc_has_perm(&selinux_state, fromsid, tosid,
2245 SECCLASS_BINDER, BINDER__CALL, NULL);
2248 static int selinux_binder_transfer_binder(const struct cred *from,
2249 const struct cred *to)
2251 return avc_has_perm(&selinux_state,
2252 cred_sid(from), cred_sid(to),
2253 SECCLASS_BINDER, BINDER__TRANSFER,
2257 static int selinux_binder_transfer_file(const struct cred *from,
2258 const struct cred *to,
2261 u32 sid = cred_sid(to);
2262 struct file_security_struct *fsec = file->f_security;
2263 struct dentry *dentry = file->f_path.dentry;
2264 struct inode_security_struct *isec;
2265 struct common_audit_data ad;
2268 ad.type = LSM_AUDIT_DATA_PATH;
2269 ad.u.path = file->f_path;
2271 if (sid != fsec->sid) {
2272 rc = avc_has_perm(&selinux_state,
2281 #ifdef CONFIG_BPF_SYSCALL
2282 rc = bpf_fd_pass(file, sid);
2287 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2290 isec = backing_inode_security(dentry);
2291 return avc_has_perm(&selinux_state,
2292 sid, isec->sid, isec->sclass, file_to_av(file),
2296 static int selinux_ptrace_access_check(struct task_struct *child,
2299 u32 sid = current_sid();
2300 u32 csid = task_sid(child);
2302 if (mode & PTRACE_MODE_READ)
2303 return avc_has_perm(&selinux_state,
2304 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2306 return avc_has_perm(&selinux_state,
2307 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2310 static int selinux_ptrace_traceme(struct task_struct *parent)
2312 return avc_has_perm(&selinux_state,
2313 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2314 PROCESS__PTRACE, NULL);
2317 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2318 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2320 return avc_has_perm(&selinux_state,
2321 current_sid(), task_sid(target), SECCLASS_PROCESS,
2322 PROCESS__GETCAP, NULL);
2325 static int selinux_capset(struct cred *new, const struct cred *old,
2326 const kernel_cap_t *effective,
2327 const kernel_cap_t *inheritable,
2328 const kernel_cap_t *permitted)
2330 return avc_has_perm(&selinux_state,
2331 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2332 PROCESS__SETCAP, NULL);
2336 * (This comment used to live with the selinux_task_setuid hook,
2337 * which was removed).
2339 * Since setuid only affects the current process, and since the SELinux
2340 * controls are not based on the Linux identity attributes, SELinux does not
2341 * need to control this operation. However, SELinux does control the use of
2342 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2345 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2346 int cap, unsigned int opts)
2348 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2351 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2353 const struct cred *cred = current_cred();
2365 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2370 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2373 rc = 0; /* let the kernel handle invalid cmds */
2379 static int selinux_quota_on(struct dentry *dentry)
2381 const struct cred *cred = current_cred();
2383 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2386 static int selinux_syslog(int type)
2389 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2390 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2391 return avc_has_perm(&selinux_state,
2392 current_sid(), SECINITSID_KERNEL,
2393 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2394 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2395 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2396 /* Set level of messages printed to console */
2397 case SYSLOG_ACTION_CONSOLE_LEVEL:
2398 return avc_has_perm(&selinux_state,
2399 current_sid(), SECINITSID_KERNEL,
2400 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2403 /* All other syslog types */
2404 return avc_has_perm(&selinux_state,
2405 current_sid(), SECINITSID_KERNEL,
2406 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2410 * Check that a process has enough memory to allocate a new virtual
2411 * mapping. 0 means there is enough memory for the allocation to
2412 * succeed and -ENOMEM implies there is not.
2414 * Do not audit the selinux permission check, as this is applied to all
2415 * processes that allocate mappings.
2417 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2419 int rc, cap_sys_admin = 0;
2421 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2422 CAP_OPT_NOAUDIT, true);
2426 return cap_sys_admin;
2429 /* binprm security operations */
2431 static u32 ptrace_parent_sid(void)
2434 struct task_struct *tracer;
2437 tracer = ptrace_parent(current);
2439 sid = task_sid(tracer);
2445 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2446 const struct task_security_struct *old_tsec,
2447 const struct task_security_struct *new_tsec)
2449 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2450 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2454 if (!nnp && !nosuid)
2455 return 0; /* neither NNP nor nosuid */
2457 if (new_tsec->sid == old_tsec->sid)
2458 return 0; /* No change in credentials */
2461 * If the policy enables the nnp_nosuid_transition policy capability,
2462 * then we permit transitions under NNP or nosuid if the
2463 * policy allows the corresponding permission between
2464 * the old and new contexts.
2466 if (selinux_policycap_nnp_nosuid_transition()) {
2469 av |= PROCESS2__NNP_TRANSITION;
2471 av |= PROCESS2__NOSUID_TRANSITION;
2472 rc = avc_has_perm(&selinux_state,
2473 old_tsec->sid, new_tsec->sid,
2474 SECCLASS_PROCESS2, av, NULL);
2480 * We also permit NNP or nosuid transitions to bounded SIDs,
2481 * i.e. SIDs that are guaranteed to only be allowed a subset
2482 * of the permissions of the current SID.
2484 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2490 * On failure, preserve the errno values for NNP vs nosuid.
2491 * NNP: Operation not permitted for caller.
2492 * nosuid: Permission denied to file.
2499 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2501 const struct task_security_struct *old_tsec;
2502 struct task_security_struct *new_tsec;
2503 struct inode_security_struct *isec;
2504 struct common_audit_data ad;
2505 struct inode *inode = file_inode(bprm->file);
2508 /* SELinux context only depends on initial program or script and not
2509 * the script interpreter */
2510 if (bprm->called_set_creds)
2513 old_tsec = current_security();
2514 new_tsec = bprm->cred->security;
2515 isec = inode_security(inode);
2517 /* Default to the current task SID. */
2518 new_tsec->sid = old_tsec->sid;
2519 new_tsec->osid = old_tsec->sid;
2521 /* Reset fs, key, and sock SIDs on execve. */
2522 new_tsec->create_sid = 0;
2523 new_tsec->keycreate_sid = 0;
2524 new_tsec->sockcreate_sid = 0;
2526 if (old_tsec->exec_sid) {
2527 new_tsec->sid = old_tsec->exec_sid;
2528 /* Reset exec SID on execve. */
2529 new_tsec->exec_sid = 0;
2531 /* Fail on NNP or nosuid if not an allowed transition. */
2532 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2536 /* Check for a default transition on this program. */
2537 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2538 isec->sid, SECCLASS_PROCESS, NULL,
2544 * Fallback to old SID on NNP or nosuid if not an allowed
2547 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2549 new_tsec->sid = old_tsec->sid;
2552 ad.type = LSM_AUDIT_DATA_FILE;
2553 ad.u.file = bprm->file;
2555 if (new_tsec->sid == old_tsec->sid) {
2556 rc = avc_has_perm(&selinux_state,
2557 old_tsec->sid, isec->sid,
2558 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2562 /* Check permissions for the transition. */
2563 rc = avc_has_perm(&selinux_state,
2564 old_tsec->sid, new_tsec->sid,
2565 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2569 rc = avc_has_perm(&selinux_state,
2570 new_tsec->sid, isec->sid,
2571 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2575 /* Check for shared state */
2576 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2577 rc = avc_has_perm(&selinux_state,
2578 old_tsec->sid, new_tsec->sid,
2579 SECCLASS_PROCESS, PROCESS__SHARE,
2585 /* Make sure that anyone attempting to ptrace over a task that
2586 * changes its SID has the appropriate permit */
2587 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2588 u32 ptsid = ptrace_parent_sid();
2590 rc = avc_has_perm(&selinux_state,
2591 ptsid, new_tsec->sid,
2593 PROCESS__PTRACE, NULL);
2599 /* Clear any possibly unsafe personality bits on exec: */
2600 bprm->per_clear |= PER_CLEAR_ON_SETID;
2602 /* Enable secure mode for SIDs transitions unless
2603 the noatsecure permission is granted between
2604 the two SIDs, i.e. ahp returns 0. */
2605 rc = avc_has_perm(&selinux_state,
2606 old_tsec->sid, new_tsec->sid,
2607 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2609 bprm->secureexec |= !!rc;
2615 static int match_file(const void *p, struct file *file, unsigned fd)
2617 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2620 /* Derived from fs/exec.c:flush_old_files. */
2621 static inline void flush_unauthorized_files(const struct cred *cred,
2622 struct files_struct *files)
2624 struct file *file, *devnull = NULL;
2625 struct tty_struct *tty;
2629 tty = get_current_tty();
2631 spin_lock(&tty->files_lock);
2632 if (!list_empty(&tty->tty_files)) {
2633 struct tty_file_private *file_priv;
2635 /* Revalidate access to controlling tty.
2636 Use file_path_has_perm on the tty path directly
2637 rather than using file_has_perm, as this particular
2638 open file may belong to another process and we are
2639 only interested in the inode-based check here. */
2640 file_priv = list_first_entry(&tty->tty_files,
2641 struct tty_file_private, list);
2642 file = file_priv->file;
2643 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2646 spin_unlock(&tty->files_lock);
2649 /* Reset controlling tty. */
2653 /* Revalidate access to inherited open files. */
2654 n = iterate_fd(files, 0, match_file, cred);
2655 if (!n) /* none found? */
2658 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2659 if (IS_ERR(devnull))
2661 /* replace all the matching ones with this */
2663 replace_fd(n - 1, devnull, 0);
2664 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2670 * Prepare a process for imminent new credential changes due to exec
2672 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2674 struct task_security_struct *new_tsec;
2675 struct rlimit *rlim, *initrlim;
2678 new_tsec = bprm->cred->security;
2679 if (new_tsec->sid == new_tsec->osid)
2682 /* Close files for which the new task SID is not authorized. */
2683 flush_unauthorized_files(bprm->cred, current->files);
2685 /* Always clear parent death signal on SID transitions. */
2686 current->pdeath_signal = 0;
2688 /* Check whether the new SID can inherit resource limits from the old
2689 * SID. If not, reset all soft limits to the lower of the current
2690 * task's hard limit and the init task's soft limit.
2692 * Note that the setting of hard limits (even to lower them) can be
2693 * controlled by the setrlimit check. The inclusion of the init task's
2694 * soft limit into the computation is to avoid resetting soft limits
2695 * higher than the default soft limit for cases where the default is
2696 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2698 rc = avc_has_perm(&selinux_state,
2699 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2700 PROCESS__RLIMITINH, NULL);
2702 /* protect against do_prlimit() */
2704 for (i = 0; i < RLIM_NLIMITS; i++) {
2705 rlim = current->signal->rlim + i;
2706 initrlim = init_task.signal->rlim + i;
2707 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2709 task_unlock(current);
2710 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2711 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2716 * Clean up the process immediately after the installation of new credentials
2719 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2721 const struct task_security_struct *tsec = current_security();
2722 struct itimerval itimer;
2732 /* Check whether the new SID can inherit signal state from the old SID.
2733 * If not, clear itimers to avoid subsequent signal generation and
2734 * flush and unblock signals.
2736 * This must occur _after_ the task SID has been updated so that any
2737 * kill done after the flush will be checked against the new SID.
2739 rc = avc_has_perm(&selinux_state,
2740 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2742 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2743 memset(&itimer, 0, sizeof itimer);
2744 for (i = 0; i < 3; i++)
2745 do_setitimer(i, &itimer, NULL);
2747 spin_lock_irq(¤t->sighand->siglock);
2748 if (!fatal_signal_pending(current)) {
2749 flush_sigqueue(¤t->pending);
2750 flush_sigqueue(¤t->signal->shared_pending);
2751 flush_signal_handlers(current, 1);
2752 sigemptyset(¤t->blocked);
2753 recalc_sigpending();
2755 spin_unlock_irq(¤t->sighand->siglock);
2758 /* Wake up the parent if it is waiting so that it can recheck
2759 * wait permission to the new task SID. */
2760 read_lock(&tasklist_lock);
2761 __wake_up_parent(current, current->real_parent);
2762 read_unlock(&tasklist_lock);
2765 /* superblock security operations */
2767 static int selinux_sb_alloc_security(struct super_block *sb)
2769 return superblock_alloc_security(sb);
2772 static void selinux_sb_free_security(struct super_block *sb)
2774 superblock_free_security(sb);
2777 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2782 return !memcmp(prefix, option, plen);
2785 static inline int selinux_option(char *option, int len)
2787 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2788 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2789 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2790 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2791 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2794 static inline void take_option(char **to, char *from, int *first, int len)
2801 memcpy(*to, from, len);
2805 static inline void take_selinux_option(char **to, char *from, int *first,
2808 int current_size = 0;
2816 while (current_size < len) {
2826 static int selinux_sb_copy_data(char *orig, char *copy)
2828 int fnosec, fsec, rc = 0;
2829 char *in_save, *in_curr, *in_end;
2830 char *sec_curr, *nosec_save, *nosec;
2836 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2844 in_save = in_end = orig;
2848 open_quote = !open_quote;
2849 if ((*in_end == ',' && open_quote == 0) ||
2851 int len = in_end - in_curr;
2853 if (selinux_option(in_curr, len))
2854 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2856 take_option(&nosec, in_curr, &fnosec, len);
2858 in_curr = in_end + 1;
2860 } while (*in_end++);
2862 strcpy(in_save, nosec_save);
2863 free_page((unsigned long)nosec_save);
2868 static int selinux_sb_remount(struct super_block *sb, void *data)
2871 struct security_mnt_opts opts;
2872 char *secdata, **mount_options;
2873 struct superblock_security_struct *sbsec = sb->s_security;
2875 if (!(sbsec->flags & SE_SBINITIALIZED))
2881 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2884 security_init_mnt_opts(&opts);
2885 secdata = alloc_secdata();
2888 rc = selinux_sb_copy_data(data, secdata);
2890 goto out_free_secdata;
2892 rc = selinux_parse_opts_str(secdata, &opts);
2894 goto out_free_secdata;
2896 mount_options = opts.mnt_opts;
2897 flags = opts.mnt_opts_flags;
2899 for (i = 0; i < opts.num_mnt_opts; i++) {
2902 if (flags[i] == SBLABEL_MNT)
2904 rc = security_context_str_to_sid(&selinux_state,
2905 mount_options[i], &sid,
2908 pr_warn("SELinux: security_context_str_to_sid"
2909 "(%s) failed for (dev %s, type %s) errno=%d\n",
2910 mount_options[i], sb->s_id, sb->s_type->name, rc);
2916 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2917 goto out_bad_option;
2920 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2921 goto out_bad_option;
2923 case ROOTCONTEXT_MNT: {
2924 struct inode_security_struct *root_isec;
2925 root_isec = backing_inode_security(sb->s_root);
2927 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2928 goto out_bad_option;
2931 case DEFCONTEXT_MNT:
2932 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2933 goto out_bad_option;
2942 security_free_mnt_opts(&opts);
2944 free_secdata(secdata);
2947 pr_warn("SELinux: unable to change security options "
2948 "during remount (dev %s, type=%s)\n", sb->s_id,
2953 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2955 const struct cred *cred = current_cred();
2956 struct common_audit_data ad;
2959 rc = superblock_doinit(sb, data);
2963 /* Allow all mounts performed by the kernel */
2964 if (flags & (MS_KERNMOUNT | MS_SUBMOUNT))
2967 ad.type = LSM_AUDIT_DATA_DENTRY;
2968 ad.u.dentry = sb->s_root;
2969 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2972 static int selinux_sb_statfs(struct dentry *dentry)
2974 const struct cred *cred = current_cred();
2975 struct common_audit_data ad;
2977 ad.type = LSM_AUDIT_DATA_DENTRY;
2978 ad.u.dentry = dentry->d_sb->s_root;
2979 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2982 static int selinux_mount(const char *dev_name,
2983 const struct path *path,
2985 unsigned long flags,
2988 const struct cred *cred = current_cred();
2990 if (flags & MS_REMOUNT)
2991 return superblock_has_perm(cred, path->dentry->d_sb,
2992 FILESYSTEM__REMOUNT, NULL);
2994 return path_has_perm(cred, path, FILE__MOUNTON);
2997 static int selinux_umount(struct vfsmount *mnt, int flags)
2999 const struct cred *cred = current_cred();
3001 return superblock_has_perm(cred, mnt->mnt_sb,
3002 FILESYSTEM__UNMOUNT, NULL);
3005 /* inode security operations */
3007 static int selinux_inode_alloc_security(struct inode *inode)
3009 return inode_alloc_security(inode);
3012 static void selinux_inode_free_security(struct inode *inode)
3014 inode_free_security(inode);
3017 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
3018 const struct qstr *name, void **ctx,
3024 rc = selinux_determine_inode_label(current_security(),
3025 d_inode(dentry->d_parent), name,
3026 inode_mode_to_security_class(mode),
3031 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3035 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3037 const struct cred *old,
3042 struct task_security_struct *tsec;
3044 rc = selinux_determine_inode_label(old->security,
3045 d_inode(dentry->d_parent), name,
3046 inode_mode_to_security_class(mode),
3051 tsec = new->security;
3052 tsec->create_sid = newsid;
3056 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3057 const struct qstr *qstr,
3059 void **value, size_t *len)
3061 const struct task_security_struct *tsec = current_security();
3062 struct superblock_security_struct *sbsec;
3067 sbsec = dir->i_sb->s_security;
3069 newsid = tsec->create_sid;
3071 rc = selinux_determine_inode_label(current_security(),
3073 inode_mode_to_security_class(inode->i_mode),
3078 /* Possibly defer initialization to selinux_complete_init. */
3079 if (sbsec->flags & SE_SBINITIALIZED) {
3080 struct inode_security_struct *isec = inode->i_security;
3081 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3083 isec->initialized = LABEL_INITIALIZED;
3086 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3090 *name = XATTR_SELINUX_SUFFIX;
3093 rc = security_sid_to_context_force(&selinux_state, newsid,
3104 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3106 return may_create(dir, dentry, SECCLASS_FILE);
3109 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3111 return may_link(dir, old_dentry, MAY_LINK);
3114 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3116 return may_link(dir, dentry, MAY_UNLINK);
3119 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3121 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3124 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3126 return may_create(dir, dentry, SECCLASS_DIR);
3129 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3131 return may_link(dir, dentry, MAY_RMDIR);
3134 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3136 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3139 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3140 struct inode *new_inode, struct dentry *new_dentry)
3142 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3145 static int selinux_inode_readlink(struct dentry *dentry)
3147 const struct cred *cred = current_cred();
3149 return dentry_has_perm(cred, dentry, FILE__READ);
3152 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3155 const struct cred *cred = current_cred();
3156 struct common_audit_data ad;
3157 struct inode_security_struct *isec;
3160 validate_creds(cred);
3162 ad.type = LSM_AUDIT_DATA_DENTRY;
3163 ad.u.dentry = dentry;
3164 sid = cred_sid(cred);
3165 isec = inode_security_rcu(inode, rcu);
3167 return PTR_ERR(isec);
3169 return avc_has_perm_flags(&selinux_state,
3170 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3171 rcu ? MAY_NOT_BLOCK : 0);
3174 static noinline int audit_inode_permission(struct inode *inode,
3175 u32 perms, u32 audited, u32 denied,
3178 struct common_audit_data ad;
3179 struct inode_security_struct *isec = inode->i_security;
3182 ad.type = LSM_AUDIT_DATA_INODE;
3185 rc = slow_avc_audit(&selinux_state,
3186 current_sid(), isec->sid, isec->sclass, perms,
3187 audited, denied, result, &ad);
3193 static int selinux_inode_permission(struct inode *inode, int mask)
3195 const struct cred *cred = current_cred();
3198 unsigned flags = mask & MAY_NOT_BLOCK;
3199 struct inode_security_struct *isec;
3201 struct av_decision avd;
3203 u32 audited, denied;
3205 from_access = mask & MAY_ACCESS;
3206 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3208 /* No permission to check. Existence test. */
3212 validate_creds(cred);
3214 if (unlikely(IS_PRIVATE(inode)))
3217 perms = file_mask_to_av(inode->i_mode, mask);
3219 sid = cred_sid(cred);
3220 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3222 return PTR_ERR(isec);
3224 rc = avc_has_perm_noaudit(&selinux_state,
3225 sid, isec->sid, isec->sclass, perms,
3226 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3228 audited = avc_audit_required(perms, &avd, rc,
3229 from_access ? FILE__AUDIT_ACCESS : 0,
3231 if (likely(!audited))
3234 /* fall back to ref-walk if we have to generate audit */
3235 if (flags & MAY_NOT_BLOCK)
3238 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3244 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3246 const struct cred *cred = current_cred();
3247 struct inode *inode = d_backing_inode(dentry);
3248 unsigned int ia_valid = iattr->ia_valid;
3249 __u32 av = FILE__WRITE;
3251 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3252 if (ia_valid & ATTR_FORCE) {
3253 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3259 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3260 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3261 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3263 if (selinux_policycap_openperm() &&
3264 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3265 (ia_valid & ATTR_SIZE) &&
3266 !(ia_valid & ATTR_FILE))
3269 return dentry_has_perm(cred, dentry, av);
3272 static int selinux_inode_getattr(const struct path *path)
3274 return path_has_perm(current_cred(), path, FILE__GETATTR);
3277 static bool has_cap_mac_admin(bool audit)
3279 const struct cred *cred = current_cred();
3280 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3282 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3284 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3289 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3290 const void *value, size_t size, int flags)
3292 struct inode *inode = d_backing_inode(dentry);
3293 struct inode_security_struct *isec;
3294 struct superblock_security_struct *sbsec;
3295 struct common_audit_data ad;
3296 u32 newsid, sid = current_sid();
3299 if (strcmp(name, XATTR_NAME_SELINUX)) {
3300 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3304 /* Not an attribute we recognize, so just check the
3305 ordinary setattr permission. */
3306 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3309 if (!selinux_state.initialized)
3310 return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3312 sbsec = inode->i_sb->s_security;
3313 if (!(sbsec->flags & SBLABEL_MNT))
3316 if (!inode_owner_or_capable(inode))
3319 ad.type = LSM_AUDIT_DATA_DENTRY;
3320 ad.u.dentry = dentry;
3322 isec = backing_inode_security(dentry);
3323 rc = avc_has_perm(&selinux_state,
3324 sid, isec->sid, isec->sclass,
3325 FILE__RELABELFROM, &ad);
3329 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3331 if (rc == -EINVAL) {
3332 if (!has_cap_mac_admin(true)) {
3333 struct audit_buffer *ab;
3336 /* We strip a nul only if it is at the end, otherwise the
3337 * context contains a nul and we should audit that */
3339 const char *str = value;
3341 if (str[size - 1] == '\0')
3342 audit_size = size - 1;
3348 ab = audit_log_start(audit_context(),
3349 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3350 audit_log_format(ab, "op=setxattr invalid_context=");
3351 audit_log_n_untrustedstring(ab, value, audit_size);
3356 rc = security_context_to_sid_force(&selinux_state, value,
3362 rc = avc_has_perm(&selinux_state,
3363 sid, newsid, isec->sclass,
3364 FILE__RELABELTO, &ad);
3368 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3373 return avc_has_perm(&selinux_state,
3376 SECCLASS_FILESYSTEM,
3377 FILESYSTEM__ASSOCIATE,
3381 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3382 const void *value, size_t size,
3385 struct inode *inode = d_backing_inode(dentry);
3386 struct inode_security_struct *isec;
3390 if (strcmp(name, XATTR_NAME_SELINUX)) {
3391 /* Not an attribute we recognize, so nothing to do. */
3395 if (!selinux_state.initialized) {
3396 /* If we haven't even been initialized, then we can't validate
3397 * against a policy, so leave the label as invalid. It may
3398 * resolve to a valid label on the next revalidation try if
3399 * we've since initialized.
3404 rc = security_context_to_sid_force(&selinux_state, value, size,
3407 pr_err("SELinux: unable to map context to SID"
3408 "for (%s, %lu), rc=%d\n",
3409 inode->i_sb->s_id, inode->i_ino, -rc);
3413 isec = backing_inode_security(dentry);
3414 spin_lock(&isec->lock);
3415 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3417 isec->initialized = LABEL_INITIALIZED;
3418 spin_unlock(&isec->lock);
3423 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3425 const struct cred *cred = current_cred();
3427 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3430 static int selinux_inode_listxattr(struct dentry *dentry)
3432 const struct cred *cred = current_cred();
3434 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3437 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3439 if (strcmp(name, XATTR_NAME_SELINUX)) {
3440 int rc = cap_inode_removexattr(dentry, name);
3444 /* Not an attribute we recognize, so just check the
3445 ordinary setattr permission. */
3446 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3449 /* No one is allowed to remove a SELinux security label.
3450 You can change the label, but all data must be labeled. */
3455 * Copy the inode security context value to the user.
3457 * Permission check is handled by selinux_inode_getxattr hook.
3459 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3463 char *context = NULL;
3464 struct inode_security_struct *isec;
3466 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3470 * If the caller has CAP_MAC_ADMIN, then get the raw context
3471 * value even if it is not defined by current policy; otherwise,
3472 * use the in-core value under current policy.
3473 * Use the non-auditing forms of the permission checks since
3474 * getxattr may be called by unprivileged processes commonly
3475 * and lack of permission just means that we fall back to the
3476 * in-core context value, not a denial.
3478 isec = inode_security(inode);
3479 if (has_cap_mac_admin(false))
3480 error = security_sid_to_context_force(&selinux_state,
3481 isec->sid, &context,
3484 error = security_sid_to_context(&selinux_state, isec->sid,
3498 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3499 const void *value, size_t size, int flags)
3501 struct inode_security_struct *isec = inode_security_novalidate(inode);
3502 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3506 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3509 if (!(sbsec->flags & SBLABEL_MNT))
3512 if (!value || !size)
3515 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3520 spin_lock(&isec->lock);
3521 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3523 isec->initialized = LABEL_INITIALIZED;
3524 spin_unlock(&isec->lock);
3528 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3530 const int len = sizeof(XATTR_NAME_SELINUX);
3531 if (buffer && len <= buffer_size)
3532 memcpy(buffer, XATTR_NAME_SELINUX, len);
3536 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3538 struct inode_security_struct *isec = inode_security_novalidate(inode);
3542 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3545 struct task_security_struct *tsec;
3546 struct cred *new_creds = *new;
3548 if (new_creds == NULL) {
3549 new_creds = prepare_creds();
3554 tsec = new_creds->security;
3555 /* Get label from overlay inode and set it in create_sid */
3556 selinux_inode_getsecid(d_inode(src), &sid);
3557 tsec->create_sid = sid;
3562 static int selinux_inode_copy_up_xattr(const char *name)
3564 /* The copy_up hook above sets the initial context on an inode, but we
3565 * don't then want to overwrite it by blindly copying all the lower
3566 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3568 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3569 return 1; /* Discard */
3571 * Any other attribute apart from SELINUX is not claimed, supported
3577 /* file security operations */
3579 static int selinux_revalidate_file_permission(struct file *file, int mask)
3581 const struct cred *cred = current_cred();
3582 struct inode *inode = file_inode(file);
3584 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3585 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3588 return file_has_perm(cred, file,
3589 file_mask_to_av(inode->i_mode, mask));
3592 static int selinux_file_permission(struct file *file, int mask)
3594 struct inode *inode = file_inode(file);
3595 struct file_security_struct *fsec = file->f_security;
3596 struct inode_security_struct *isec;
3597 u32 sid = current_sid();
3600 /* No permission to check. Existence test. */
3603 isec = inode_security(inode);
3604 if (sid == fsec->sid && fsec->isid == isec->sid &&
3605 fsec->pseqno == avc_policy_seqno(&selinux_state))
3606 /* No change since file_open check. */
3609 return selinux_revalidate_file_permission(file, mask);
3612 static int selinux_file_alloc_security(struct file *file)
3614 return file_alloc_security(file);
3617 static void selinux_file_free_security(struct file *file)
3619 file_free_security(file);
3623 * Check whether a task has the ioctl permission and cmd
3624 * operation to an inode.
3626 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3627 u32 requested, u16 cmd)
3629 struct common_audit_data ad;
3630 struct file_security_struct *fsec = file->f_security;
3631 struct inode *inode = file_inode(file);
3632 struct inode_security_struct *isec;
3633 struct lsm_ioctlop_audit ioctl;
3634 u32 ssid = cred_sid(cred);
3636 u8 driver = cmd >> 8;
3637 u8 xperm = cmd & 0xff;
3639 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3642 ad.u.op->path = file->f_path;
3644 if (ssid != fsec->sid) {
3645 rc = avc_has_perm(&selinux_state,
3654 if (unlikely(IS_PRIVATE(inode)))
3657 isec = inode_security(inode);
3658 rc = avc_has_extended_perms(&selinux_state,
3659 ssid, isec->sid, isec->sclass,
3660 requested, driver, xperm, &ad);
3665 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3668 const struct cred *cred = current_cred();
3678 case FS_IOC_GETFLAGS:
3680 case FS_IOC_GETVERSION:
3681 error = file_has_perm(cred, file, FILE__GETATTR);
3684 case FS_IOC_SETFLAGS:
3686 case FS_IOC_SETVERSION:
3687 error = file_has_perm(cred, file, FILE__SETATTR);
3690 /* sys_ioctl() checks */
3694 error = file_has_perm(cred, file, 0);
3699 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3700 CAP_OPT_NONE, true);
3703 /* default case assumes that the command will go
3704 * to the file's ioctl() function.
3707 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3712 static int default_noexec;
3714 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3716 const struct cred *cred = current_cred();
3717 u32 sid = cred_sid(cred);
3720 if (default_noexec &&
3721 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3722 (!shared && (prot & PROT_WRITE)))) {
3724 * We are making executable an anonymous mapping or a
3725 * private file mapping that will also be writable.
3726 * This has an additional check.
3728 rc = avc_has_perm(&selinux_state,
3729 sid, sid, SECCLASS_PROCESS,
3730 PROCESS__EXECMEM, NULL);
3736 /* read access is always possible with a mapping */
3737 u32 av = FILE__READ;
3739 /* write access only matters if the mapping is shared */
3740 if (shared && (prot & PROT_WRITE))
3743 if (prot & PROT_EXEC)
3744 av |= FILE__EXECUTE;
3746 return file_has_perm(cred, file, av);
3753 static int selinux_mmap_addr(unsigned long addr)
3757 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3758 u32 sid = current_sid();
3759 rc = avc_has_perm(&selinux_state,
3760 sid, sid, SECCLASS_MEMPROTECT,
3761 MEMPROTECT__MMAP_ZERO, NULL);
3767 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3768 unsigned long prot, unsigned long flags)
3770 struct common_audit_data ad;
3774 ad.type = LSM_AUDIT_DATA_FILE;
3776 rc = inode_has_perm(current_cred(), file_inode(file),
3782 if (selinux_state.checkreqprot)
3785 return file_map_prot_check(file, prot,
3786 (flags & MAP_TYPE) == MAP_SHARED);
3789 static int selinux_file_mprotect(struct vm_area_struct *vma,
3790 unsigned long reqprot,
3793 const struct cred *cred = current_cred();
3794 u32 sid = cred_sid(cred);
3796 if (selinux_state.checkreqprot)
3799 if (default_noexec &&
3800 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3802 if (vma->vm_start >= vma->vm_mm->start_brk &&
3803 vma->vm_end <= vma->vm_mm->brk) {
3804 rc = avc_has_perm(&selinux_state,
3805 sid, sid, SECCLASS_PROCESS,
3806 PROCESS__EXECHEAP, NULL);
3807 } else if (!vma->vm_file &&
3808 ((vma->vm_start <= vma->vm_mm->start_stack &&
3809 vma->vm_end >= vma->vm_mm->start_stack) ||
3810 vma_is_stack_for_current(vma))) {
3811 rc = avc_has_perm(&selinux_state,
3812 sid, sid, SECCLASS_PROCESS,
3813 PROCESS__EXECSTACK, NULL);
3814 } else if (vma->vm_file && vma->anon_vma) {
3816 * We are making executable a file mapping that has
3817 * had some COW done. Since pages might have been
3818 * written, check ability to execute the possibly
3819 * modified content. This typically should only
3820 * occur for text relocations.
3822 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3828 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3831 static int selinux_file_lock(struct file *file, unsigned int cmd)
3833 const struct cred *cred = current_cred();
3835 return file_has_perm(cred, file, FILE__LOCK);
3838 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3841 const struct cred *cred = current_cred();
3846 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3847 err = file_has_perm(cred, file, FILE__WRITE);
3856 case F_GETOWNER_UIDS:
3857 /* Just check FD__USE permission */
3858 err = file_has_perm(cred, file, 0);
3866 #if BITS_PER_LONG == 32
3871 err = file_has_perm(cred, file, FILE__LOCK);
3878 static void selinux_file_set_fowner(struct file *file)
3880 struct file_security_struct *fsec;
3882 fsec = file->f_security;
3883 fsec->fown_sid = current_sid();
3886 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3887 struct fown_struct *fown, int signum)
3890 u32 sid = task_sid(tsk);
3892 struct file_security_struct *fsec;
3894 /* struct fown_struct is never outside the context of a struct file */
3895 file = container_of(fown, struct file, f_owner);
3897 fsec = file->f_security;
3900 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3902 perm = signal_to_av(signum);
3904 return avc_has_perm(&selinux_state,
3905 fsec->fown_sid, sid,
3906 SECCLASS_PROCESS, perm, NULL);
3909 static int selinux_file_receive(struct file *file)
3911 const struct cred *cred = current_cred();
3913 return file_has_perm(cred, file, file_to_av(file));
3916 static int selinux_file_open(struct file *file)
3918 struct file_security_struct *fsec;
3919 struct inode_security_struct *isec;
3921 fsec = file->f_security;
3922 isec = inode_security(file_inode(file));
3924 * Save inode label and policy sequence number
3925 * at open-time so that selinux_file_permission
3926 * can determine whether revalidation is necessary.
3927 * Task label is already saved in the file security
3928 * struct as its SID.
3930 fsec->isid = isec->sid;
3931 fsec->pseqno = avc_policy_seqno(&selinux_state);
3933 * Since the inode label or policy seqno may have changed
3934 * between the selinux_inode_permission check and the saving
3935 * of state above, recheck that access is still permitted.
3936 * Otherwise, access might never be revalidated against the
3937 * new inode label or new policy.
3938 * This check is not redundant - do not remove.
3940 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3943 /* task security operations */
3945 static int selinux_task_alloc(struct task_struct *task,
3946 unsigned long clone_flags)
3948 u32 sid = current_sid();
3950 return avc_has_perm(&selinux_state,
3951 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3955 * allocate the SELinux part of blank credentials
3957 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3959 struct task_security_struct *tsec;
3961 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3965 cred->security = tsec;
3970 * detach and free the LSM part of a set of credentials
3972 static void selinux_cred_free(struct cred *cred)
3974 struct task_security_struct *tsec = cred->security;
3977 * cred->security == NULL if security_cred_alloc_blank() or
3978 * security_prepare_creds() returned an error.
3980 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3981 cred->security = (void *) 0x7UL;
3986 * prepare a new set of credentials for modification
3988 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3991 const struct task_security_struct *old_tsec;
3992 struct task_security_struct *tsec;
3994 old_tsec = old->security;
3996 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
4000 new->security = tsec;
4005 * transfer the SELinux data to a blank set of creds
4007 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4009 const struct task_security_struct *old_tsec = old->security;
4010 struct task_security_struct *tsec = new->security;
4015 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4017 *secid = cred_sid(c);
4021 * set the security data for a kernel service
4022 * - all the creation contexts are set to unlabelled
4024 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4026 struct task_security_struct *tsec = new->security;
4027 u32 sid = current_sid();
4030 ret = avc_has_perm(&selinux_state,
4032 SECCLASS_KERNEL_SERVICE,
4033 KERNEL_SERVICE__USE_AS_OVERRIDE,
4037 tsec->create_sid = 0;
4038 tsec->keycreate_sid = 0;
4039 tsec->sockcreate_sid = 0;
4045 * set the file creation context in a security record to the same as the
4046 * objective context of the specified inode
4048 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4050 struct inode_security_struct *isec = inode_security(inode);
4051 struct task_security_struct *tsec = new->security;
4052 u32 sid = current_sid();
4055 ret = avc_has_perm(&selinux_state,
4057 SECCLASS_KERNEL_SERVICE,
4058 KERNEL_SERVICE__CREATE_FILES_AS,
4062 tsec->create_sid = isec->sid;
4066 static int selinux_kernel_module_request(char *kmod_name)
4068 struct common_audit_data ad;
4070 ad.type = LSM_AUDIT_DATA_KMOD;
4071 ad.u.kmod_name = kmod_name;
4073 return avc_has_perm(&selinux_state,
4074 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4075 SYSTEM__MODULE_REQUEST, &ad);
4078 static int selinux_kernel_module_from_file(struct file *file)
4080 struct common_audit_data ad;
4081 struct inode_security_struct *isec;
4082 struct file_security_struct *fsec;
4083 u32 sid = current_sid();
4088 return avc_has_perm(&selinux_state,
4089 sid, sid, SECCLASS_SYSTEM,
4090 SYSTEM__MODULE_LOAD, NULL);
4094 ad.type = LSM_AUDIT_DATA_FILE;
4097 fsec = file->f_security;
4098 if (sid != fsec->sid) {
4099 rc = avc_has_perm(&selinux_state,
4100 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4105 isec = inode_security(file_inode(file));
4106 return avc_has_perm(&selinux_state,
4107 sid, isec->sid, SECCLASS_SYSTEM,
4108 SYSTEM__MODULE_LOAD, &ad);
4111 static int selinux_kernel_read_file(struct file *file,
4112 enum kernel_read_file_id id)
4117 case READING_MODULE:
4118 rc = selinux_kernel_module_from_file(file);
4127 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4132 case LOADING_MODULE:
4133 rc = selinux_kernel_module_from_file(NULL);
4141 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4143 return avc_has_perm(&selinux_state,
4144 current_sid(), task_sid(p), SECCLASS_PROCESS,
4145 PROCESS__SETPGID, NULL);
4148 static int selinux_task_getpgid(struct task_struct *p)
4150 return avc_has_perm(&selinux_state,
4151 current_sid(), task_sid(p), SECCLASS_PROCESS,
4152 PROCESS__GETPGID, NULL);
4155 static int selinux_task_getsid(struct task_struct *p)
4157 return avc_has_perm(&selinux_state,
4158 current_sid(), task_sid(p), SECCLASS_PROCESS,
4159 PROCESS__GETSESSION, NULL);
4162 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4164 *secid = task_sid(p);
4167 static int selinux_task_setnice(struct task_struct *p, int nice)
4169 return avc_has_perm(&selinux_state,
4170 current_sid(), task_sid(p), SECCLASS_PROCESS,
4171 PROCESS__SETSCHED, NULL);
4174 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4176 return avc_has_perm(&selinux_state,
4177 current_sid(), task_sid(p), SECCLASS_PROCESS,
4178 PROCESS__SETSCHED, NULL);
4181 static int selinux_task_getioprio(struct task_struct *p)
4183 return avc_has_perm(&selinux_state,
4184 current_sid(), task_sid(p), SECCLASS_PROCESS,
4185 PROCESS__GETSCHED, NULL);
4188 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4195 if (flags & LSM_PRLIMIT_WRITE)
4196 av |= PROCESS__SETRLIMIT;
4197 if (flags & LSM_PRLIMIT_READ)
4198 av |= PROCESS__GETRLIMIT;
4199 return avc_has_perm(&selinux_state,
4200 cred_sid(cred), cred_sid(tcred),
4201 SECCLASS_PROCESS, av, NULL);
4204 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4205 struct rlimit *new_rlim)
4207 struct rlimit *old_rlim = p->signal->rlim + resource;
4209 /* Control the ability to change the hard limit (whether
4210 lowering or raising it), so that the hard limit can
4211 later be used as a safe reset point for the soft limit
4212 upon context transitions. See selinux_bprm_committing_creds. */
4213 if (old_rlim->rlim_max != new_rlim->rlim_max)
4214 return avc_has_perm(&selinux_state,
4215 current_sid(), task_sid(p),
4216 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4221 static int selinux_task_setscheduler(struct task_struct *p)
4223 return avc_has_perm(&selinux_state,
4224 current_sid(), task_sid(p), SECCLASS_PROCESS,
4225 PROCESS__SETSCHED, NULL);
4228 static int selinux_task_getscheduler(struct task_struct *p)
4230 return avc_has_perm(&selinux_state,
4231 current_sid(), task_sid(p), SECCLASS_PROCESS,
4232 PROCESS__GETSCHED, NULL);
4235 static int selinux_task_movememory(struct task_struct *p)
4237 return avc_has_perm(&selinux_state,
4238 current_sid(), task_sid(p), SECCLASS_PROCESS,
4239 PROCESS__SETSCHED, NULL);
4242 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4243 int sig, const struct cred *cred)
4249 perm = PROCESS__SIGNULL; /* null signal; existence test */
4251 perm = signal_to_av(sig);
4253 secid = current_sid();
4255 secid = cred_sid(cred);
4256 return avc_has_perm(&selinux_state,
4257 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4260 static void selinux_task_to_inode(struct task_struct *p,
4261 struct inode *inode)
4263 struct inode_security_struct *isec = inode->i_security;
4264 u32 sid = task_sid(p);
4266 spin_lock(&isec->lock);
4267 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4269 isec->initialized = LABEL_INITIALIZED;
4270 spin_unlock(&isec->lock);
4273 /* Returns error only if unable to parse addresses */
4274 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4275 struct common_audit_data *ad, u8 *proto)
4277 int offset, ihlen, ret = -EINVAL;
4278 struct iphdr _iph, *ih;
4280 offset = skb_network_offset(skb);
4281 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4285 ihlen = ih->ihl * 4;
4286 if (ihlen < sizeof(_iph))
4289 ad->u.net->v4info.saddr = ih->saddr;
4290 ad->u.net->v4info.daddr = ih->daddr;
4294 *proto = ih->protocol;
4296 switch (ih->protocol) {
4298 struct tcphdr _tcph, *th;
4300 if (ntohs(ih->frag_off) & IP_OFFSET)
4304 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4308 ad->u.net->sport = th->source;
4309 ad->u.net->dport = th->dest;
4314 struct udphdr _udph, *uh;
4316 if (ntohs(ih->frag_off) & IP_OFFSET)
4320 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4324 ad->u.net->sport = uh->source;
4325 ad->u.net->dport = uh->dest;
4329 case IPPROTO_DCCP: {
4330 struct dccp_hdr _dccph, *dh;
4332 if (ntohs(ih->frag_off) & IP_OFFSET)
4336 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4340 ad->u.net->sport = dh->dccph_sport;
4341 ad->u.net->dport = dh->dccph_dport;
4345 #if IS_ENABLED(CONFIG_IP_SCTP)
4346 case IPPROTO_SCTP: {
4347 struct sctphdr _sctph, *sh;
4349 if (ntohs(ih->frag_off) & IP_OFFSET)
4353 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4357 ad->u.net->sport = sh->source;
4358 ad->u.net->dport = sh->dest;
4369 #if IS_ENABLED(CONFIG_IPV6)
4371 /* Returns error only if unable to parse addresses */
4372 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4373 struct common_audit_data *ad, u8 *proto)
4376 int ret = -EINVAL, offset;
4377 struct ipv6hdr _ipv6h, *ip6;
4380 offset = skb_network_offset(skb);
4381 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4385 ad->u.net->v6info.saddr = ip6->saddr;
4386 ad->u.net->v6info.daddr = ip6->daddr;
4389 nexthdr = ip6->nexthdr;
4390 offset += sizeof(_ipv6h);
4391 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4400 struct tcphdr _tcph, *th;
4402 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4406 ad->u.net->sport = th->source;
4407 ad->u.net->dport = th->dest;
4412 struct udphdr _udph, *uh;
4414 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4418 ad->u.net->sport = uh->source;
4419 ad->u.net->dport = uh->dest;
4423 case IPPROTO_DCCP: {
4424 struct dccp_hdr _dccph, *dh;
4426 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4430 ad->u.net->sport = dh->dccph_sport;
4431 ad->u.net->dport = dh->dccph_dport;
4435 #if IS_ENABLED(CONFIG_IP_SCTP)
4436 case IPPROTO_SCTP: {
4437 struct sctphdr _sctph, *sh;
4439 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4443 ad->u.net->sport = sh->source;
4444 ad->u.net->dport = sh->dest;
4448 /* includes fragments */
4458 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4459 char **_addrp, int src, u8 *proto)
4464 switch (ad->u.net->family) {
4466 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4469 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4470 &ad->u.net->v4info.daddr);
4473 #if IS_ENABLED(CONFIG_IPV6)
4475 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4478 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4479 &ad->u.net->v6info.daddr);
4489 "SELinux: failure in selinux_parse_skb(),"
4490 " unable to parse packet\n");
4500 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4502 * @family: protocol family
4503 * @sid: the packet's peer label SID
4506 * Check the various different forms of network peer labeling and determine
4507 * the peer label/SID for the packet; most of the magic actually occurs in
4508 * the security server function security_net_peersid_cmp(). The function
4509 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4510 * or -EACCES if @sid is invalid due to inconsistencies with the different
4514 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4521 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4524 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4528 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4529 nlbl_type, xfrm_sid, sid);
4530 if (unlikely(err)) {
4532 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4533 " unable to determine packet's peer label\n");
4541 * selinux_conn_sid - Determine the child socket label for a connection
4542 * @sk_sid: the parent socket's SID
4543 * @skb_sid: the packet's SID
4544 * @conn_sid: the resulting connection SID
4546 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4547 * combined with the MLS information from @skb_sid in order to create
4548 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4549 * of @sk_sid. Returns zero on success, negative values on failure.
4552 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4556 if (skb_sid != SECSID_NULL)
4557 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4565 /* socket security operations */
4567 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4568 u16 secclass, u32 *socksid)
4570 if (tsec->sockcreate_sid > SECSID_NULL) {
4571 *socksid = tsec->sockcreate_sid;
4575 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4576 secclass, NULL, socksid);
4579 static int sock_has_perm(struct sock *sk, u32 perms)
4581 struct sk_security_struct *sksec = sk->sk_security;
4582 struct common_audit_data ad;
4583 struct lsm_network_audit net = {0,};
4585 if (sksec->sid == SECINITSID_KERNEL)
4588 ad.type = LSM_AUDIT_DATA_NET;
4592 return avc_has_perm(&selinux_state,
4593 current_sid(), sksec->sid, sksec->sclass, perms,
4597 static int selinux_socket_create(int family, int type,
4598 int protocol, int kern)
4600 const struct task_security_struct *tsec = current_security();
4608 secclass = socket_type_to_security_class(family, type, protocol);
4609 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4613 return avc_has_perm(&selinux_state,
4614 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4617 static int selinux_socket_post_create(struct socket *sock, int family,
4618 int type, int protocol, int kern)
4620 const struct task_security_struct *tsec = current_security();
4621 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4622 struct sk_security_struct *sksec;
4623 u16 sclass = socket_type_to_security_class(family, type, protocol);
4624 u32 sid = SECINITSID_KERNEL;
4628 err = socket_sockcreate_sid(tsec, sclass, &sid);
4633 isec->sclass = sclass;
4635 isec->initialized = LABEL_INITIALIZED;
4638 sksec = sock->sk->sk_security;
4639 sksec->sclass = sclass;
4641 /* Allows detection of the first association on this socket */
4642 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4643 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4645 err = selinux_netlbl_socket_post_create(sock->sk, family);
4651 static int selinux_socket_socketpair(struct socket *socka,
4652 struct socket *sockb)
4654 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4655 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4657 sksec_a->peer_sid = sksec_b->sid;
4658 sksec_b->peer_sid = sksec_a->sid;
4663 /* Range of port numbers used to automatically bind.
4664 Need to determine whether we should perform a name_bind
4665 permission check between the socket and the port number. */
4667 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4669 struct sock *sk = sock->sk;
4670 struct sk_security_struct *sksec = sk->sk_security;
4674 err = sock_has_perm(sk, SOCKET__BIND);
4678 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4679 family = sk->sk_family;
4680 if (family == PF_INET || family == PF_INET6) {
4682 struct common_audit_data ad;
4683 struct lsm_network_audit net = {0,};
4684 struct sockaddr_in *addr4 = NULL;
4685 struct sockaddr_in6 *addr6 = NULL;
4686 u16 family_sa = address->sa_family;
4687 unsigned short snum;
4691 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4692 * that validates multiple binding addresses. Because of this
4693 * need to check address->sa_family as it is possible to have
4694 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4696 switch (family_sa) {
4699 if (addrlen < sizeof(struct sockaddr_in))
4701 addr4 = (struct sockaddr_in *)address;
4702 if (family_sa == AF_UNSPEC) {
4703 /* see __inet_bind(), we only want to allow
4704 * AF_UNSPEC if the address is INADDR_ANY
4706 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4708 family_sa = AF_INET;
4710 snum = ntohs(addr4->sin_port);
4711 addrp = (char *)&addr4->sin_addr.s_addr;
4714 if (addrlen < SIN6_LEN_RFC2133)
4716 addr6 = (struct sockaddr_in6 *)address;
4717 snum = ntohs(addr6->sin6_port);
4718 addrp = (char *)&addr6->sin6_addr.s6_addr;
4724 ad.type = LSM_AUDIT_DATA_NET;
4726 ad.u.net->sport = htons(snum);
4727 ad.u.net->family = family_sa;
4732 inet_get_local_port_range(sock_net(sk), &low, &high);
4734 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4736 err = sel_netport_sid(sk->sk_protocol,
4740 err = avc_has_perm(&selinux_state,
4743 SOCKET__NAME_BIND, &ad);
4749 switch (sksec->sclass) {
4750 case SECCLASS_TCP_SOCKET:
4751 node_perm = TCP_SOCKET__NODE_BIND;
4754 case SECCLASS_UDP_SOCKET:
4755 node_perm = UDP_SOCKET__NODE_BIND;
4758 case SECCLASS_DCCP_SOCKET:
4759 node_perm = DCCP_SOCKET__NODE_BIND;
4762 case SECCLASS_SCTP_SOCKET:
4763 node_perm = SCTP_SOCKET__NODE_BIND;
4767 node_perm = RAWIP_SOCKET__NODE_BIND;
4771 err = sel_netnode_sid(addrp, family_sa, &sid);
4775 if (family_sa == AF_INET)
4776 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4778 ad.u.net->v6info.saddr = addr6->sin6_addr;
4780 err = avc_has_perm(&selinux_state,
4782 sksec->sclass, node_perm, &ad);
4789 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4790 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4792 return -EAFNOSUPPORT;
4795 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4796 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
4798 static int selinux_socket_connect_helper(struct socket *sock,
4799 struct sockaddr *address, int addrlen)
4801 struct sock *sk = sock->sk;
4802 struct sk_security_struct *sksec = sk->sk_security;
4805 err = sock_has_perm(sk, SOCKET__CONNECT);
4810 * If a TCP, DCCP or SCTP socket, check name_connect permission
4813 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4814 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4815 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4816 struct common_audit_data ad;
4817 struct lsm_network_audit net = {0,};
4818 struct sockaddr_in *addr4 = NULL;
4819 struct sockaddr_in6 *addr6 = NULL;
4820 unsigned short snum = 0;
4823 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4824 * that validates multiple connect addresses. Because of this
4825 * need to check address->sa_family as it is possible to have
4826 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4828 switch (address->sa_family) {
4830 addr4 = (struct sockaddr_in *)address;
4831 if (addrlen < sizeof(struct sockaddr_in))
4833 snum = ntohs(addr4->sin_port);
4836 addr6 = (struct sockaddr_in6 *)address;
4837 if (addrlen < SIN6_LEN_RFC2133)
4839 snum = ntohs(addr6->sin6_port);
4842 /* Note that SCTP services expect -EINVAL, whereas
4843 * others must handle this at the protocol level:
4844 * connect(AF_UNSPEC) on a connected socket is
4845 * a documented way disconnect the socket.
4847 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4851 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4855 switch (sksec->sclass) {
4856 case SECCLASS_TCP_SOCKET:
4857 perm = TCP_SOCKET__NAME_CONNECT;
4859 case SECCLASS_DCCP_SOCKET:
4860 perm = DCCP_SOCKET__NAME_CONNECT;
4862 case SECCLASS_SCTP_SOCKET:
4863 perm = SCTP_SOCKET__NAME_CONNECT;
4867 ad.type = LSM_AUDIT_DATA_NET;
4869 ad.u.net->dport = htons(snum);
4870 ad.u.net->family = address->sa_family;
4871 err = avc_has_perm(&selinux_state,
4872 sksec->sid, sid, sksec->sclass, perm, &ad);
4880 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4881 static int selinux_socket_connect(struct socket *sock,
4882 struct sockaddr *address, int addrlen)
4885 struct sock *sk = sock->sk;
4887 err = selinux_socket_connect_helper(sock, address, addrlen);
4891 return selinux_netlbl_socket_connect(sk, address);
4894 static int selinux_socket_listen(struct socket *sock, int backlog)
4896 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4899 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4902 struct inode_security_struct *isec;
4903 struct inode_security_struct *newisec;
4907 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4911 isec = inode_security_novalidate(SOCK_INODE(sock));
4912 spin_lock(&isec->lock);
4913 sclass = isec->sclass;
4915 spin_unlock(&isec->lock);
4917 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4918 newisec->sclass = sclass;
4920 newisec->initialized = LABEL_INITIALIZED;
4925 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4928 return sock_has_perm(sock->sk, SOCKET__WRITE);
4931 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4932 int size, int flags)
4934 return sock_has_perm(sock->sk, SOCKET__READ);
4937 static int selinux_socket_getsockname(struct socket *sock)
4939 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4942 static int selinux_socket_getpeername(struct socket *sock)
4944 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4947 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4951 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4955 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4958 static int selinux_socket_getsockopt(struct socket *sock, int level,
4961 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4964 static int selinux_socket_shutdown(struct socket *sock, int how)
4966 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4969 static int selinux_socket_unix_stream_connect(struct sock *sock,
4973 struct sk_security_struct *sksec_sock = sock->sk_security;
4974 struct sk_security_struct *sksec_other = other->sk_security;
4975 struct sk_security_struct *sksec_new = newsk->sk_security;
4976 struct common_audit_data ad;
4977 struct lsm_network_audit net = {0,};
4980 ad.type = LSM_AUDIT_DATA_NET;
4982 ad.u.net->sk = other;
4984 err = avc_has_perm(&selinux_state,
4985 sksec_sock->sid, sksec_other->sid,
4986 sksec_other->sclass,
4987 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4991 /* server child socket */
4992 sksec_new->peer_sid = sksec_sock->sid;
4993 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4994 sksec_sock->sid, &sksec_new->sid);
4998 /* connecting socket */
4999 sksec_sock->peer_sid = sksec_new->sid;
5004 static int selinux_socket_unix_may_send(struct socket *sock,
5005 struct socket *other)
5007 struct sk_security_struct *ssec = sock->sk->sk_security;
5008 struct sk_security_struct *osec = other->sk->sk_security;
5009 struct common_audit_data ad;
5010 struct lsm_network_audit net = {0,};
5012 ad.type = LSM_AUDIT_DATA_NET;
5014 ad.u.net->sk = other->sk;
5016 return avc_has_perm(&selinux_state,
5017 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5021 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5022 char *addrp, u16 family, u32 peer_sid,
5023 struct common_audit_data *ad)
5029 err = sel_netif_sid(ns, ifindex, &if_sid);
5032 err = avc_has_perm(&selinux_state,
5034 SECCLASS_NETIF, NETIF__INGRESS, ad);
5038 err = sel_netnode_sid(addrp, family, &node_sid);
5041 return avc_has_perm(&selinux_state,
5043 SECCLASS_NODE, NODE__RECVFROM, ad);
5046 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5050 struct sk_security_struct *sksec = sk->sk_security;
5051 u32 sk_sid = sksec->sid;
5052 struct common_audit_data ad;
5053 struct lsm_network_audit net = {0,};
5056 ad.type = LSM_AUDIT_DATA_NET;
5058 ad.u.net->netif = skb->skb_iif;
5059 ad.u.net->family = family;
5060 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5064 if (selinux_secmark_enabled()) {
5065 err = avc_has_perm(&selinux_state,
5066 sk_sid, skb->secmark, SECCLASS_PACKET,
5072 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5075 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5080 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5083 struct sk_security_struct *sksec = sk->sk_security;
5084 u16 family = sk->sk_family;
5085 u32 sk_sid = sksec->sid;
5086 struct common_audit_data ad;
5087 struct lsm_network_audit net = {0,};
5092 if (family != PF_INET && family != PF_INET6)
5095 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5096 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5099 /* If any sort of compatibility mode is enabled then handoff processing
5100 * to the selinux_sock_rcv_skb_compat() function to deal with the
5101 * special handling. We do this in an attempt to keep this function
5102 * as fast and as clean as possible. */
5103 if (!selinux_policycap_netpeer())
5104 return selinux_sock_rcv_skb_compat(sk, skb, family);
5106 secmark_active = selinux_secmark_enabled();
5107 peerlbl_active = selinux_peerlbl_enabled();
5108 if (!secmark_active && !peerlbl_active)
5111 ad.type = LSM_AUDIT_DATA_NET;
5113 ad.u.net->netif = skb->skb_iif;
5114 ad.u.net->family = family;
5115 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5119 if (peerlbl_active) {
5122 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5125 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5126 addrp, family, peer_sid, &ad);
5128 selinux_netlbl_err(skb, family, err, 0);
5131 err = avc_has_perm(&selinux_state,
5132 sk_sid, peer_sid, SECCLASS_PEER,
5135 selinux_netlbl_err(skb, family, err, 0);
5140 if (secmark_active) {
5141 err = avc_has_perm(&selinux_state,
5142 sk_sid, skb->secmark, SECCLASS_PACKET,
5151 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5152 int __user *optlen, unsigned len)
5157 struct sk_security_struct *sksec = sock->sk->sk_security;
5158 u32 peer_sid = SECSID_NULL;
5160 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5161 sksec->sclass == SECCLASS_TCP_SOCKET ||
5162 sksec->sclass == SECCLASS_SCTP_SOCKET)
5163 peer_sid = sksec->peer_sid;
5164 if (peer_sid == SECSID_NULL)
5165 return -ENOPROTOOPT;
5167 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5172 if (scontext_len > len) {
5177 if (copy_to_user(optval, scontext, scontext_len))
5181 if (put_user(scontext_len, optlen))
5187 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5189 u32 peer_secid = SECSID_NULL;
5191 struct inode_security_struct *isec;
5193 if (skb && skb->protocol == htons(ETH_P_IP))
5195 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5198 family = sock->sk->sk_family;
5202 if (sock && family == PF_UNIX) {
5203 isec = inode_security_novalidate(SOCK_INODE(sock));
5204 peer_secid = isec->sid;
5206 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5209 *secid = peer_secid;
5210 if (peer_secid == SECSID_NULL)
5215 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5217 struct sk_security_struct *sksec;
5219 sksec = kzalloc(sizeof(*sksec), priority);
5223 sksec->peer_sid = SECINITSID_UNLABELED;
5224 sksec->sid = SECINITSID_UNLABELED;
5225 sksec->sclass = SECCLASS_SOCKET;
5226 selinux_netlbl_sk_security_reset(sksec);
5227 sk->sk_security = sksec;
5232 static void selinux_sk_free_security(struct sock *sk)
5234 struct sk_security_struct *sksec = sk->sk_security;
5236 sk->sk_security = NULL;
5237 selinux_netlbl_sk_security_free(sksec);
5241 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5243 struct sk_security_struct *sksec = sk->sk_security;
5244 struct sk_security_struct *newsksec = newsk->sk_security;
5246 newsksec->sid = sksec->sid;
5247 newsksec->peer_sid = sksec->peer_sid;
5248 newsksec->sclass = sksec->sclass;
5250 selinux_netlbl_sk_security_reset(newsksec);
5253 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5256 *secid = SECINITSID_ANY_SOCKET;
5258 struct sk_security_struct *sksec = sk->sk_security;
5260 *secid = sksec->sid;
5264 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5266 struct inode_security_struct *isec =
5267 inode_security_novalidate(SOCK_INODE(parent));
5268 struct sk_security_struct *sksec = sk->sk_security;
5270 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5271 sk->sk_family == PF_UNIX)
5272 isec->sid = sksec->sid;
5273 sksec->sclass = isec->sclass;
5276 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5277 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5280 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5281 struct sk_buff *skb)
5283 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5284 struct common_audit_data ad;
5285 struct lsm_network_audit net = {0,};
5287 u32 peer_sid = SECINITSID_UNLABELED;
5291 if (!selinux_policycap_extsockclass())
5294 peerlbl_active = selinux_peerlbl_enabled();
5296 if (peerlbl_active) {
5297 /* This will return peer_sid = SECSID_NULL if there are
5298 * no peer labels, see security_net_peersid_resolve().
5300 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5305 if (peer_sid == SECSID_NULL)
5306 peer_sid = SECINITSID_UNLABELED;
5309 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5310 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5312 /* Here as first association on socket. As the peer SID
5313 * was allowed by peer recv (and the netif/node checks),
5314 * then it is approved by policy and used as the primary
5315 * peer SID for getpeercon(3).
5317 sksec->peer_sid = peer_sid;
5318 } else if (sksec->peer_sid != peer_sid) {
5319 /* Other association peer SIDs are checked to enforce
5320 * consistency among the peer SIDs.
5322 ad.type = LSM_AUDIT_DATA_NET;
5324 ad.u.net->sk = ep->base.sk;
5325 err = avc_has_perm(&selinux_state,
5326 sksec->peer_sid, peer_sid, sksec->sclass,
5327 SCTP_SOCKET__ASSOCIATION, &ad);
5332 /* Compute the MLS component for the connection and store
5333 * the information in ep. This will be used by SCTP TCP type
5334 * sockets and peeled off connections as they cause a new
5335 * socket to be generated. selinux_sctp_sk_clone() will then
5336 * plug this into the new socket.
5338 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5342 ep->secid = conn_sid;
5343 ep->peer_secid = peer_sid;
5345 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5346 return selinux_netlbl_sctp_assoc_request(ep, skb);
5349 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5350 * based on their @optname.
5352 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5353 struct sockaddr *address,
5356 int len, err = 0, walk_size = 0;
5358 struct sockaddr *addr;
5359 struct socket *sock;
5361 if (!selinux_policycap_extsockclass())
5364 /* Process one or more addresses that may be IPv4 or IPv6 */
5365 sock = sk->sk_socket;
5368 while (walk_size < addrlen) {
5369 if (walk_size + sizeof(sa_family_t) > addrlen)
5373 switch (addr->sa_family) {
5376 len = sizeof(struct sockaddr_in);
5379 len = sizeof(struct sockaddr_in6);
5385 if (walk_size + len > addrlen)
5391 case SCTP_PRIMARY_ADDR:
5392 case SCTP_SET_PEER_PRIMARY_ADDR:
5393 case SCTP_SOCKOPT_BINDX_ADD:
5394 err = selinux_socket_bind(sock, addr, len);
5396 /* Connect checks */
5397 case SCTP_SOCKOPT_CONNECTX:
5398 case SCTP_PARAM_SET_PRIMARY:
5399 case SCTP_PARAM_ADD_IP:
5400 case SCTP_SENDMSG_CONNECT:
5401 err = selinux_socket_connect_helper(sock, addr, len);
5405 /* As selinux_sctp_bind_connect() is called by the
5406 * SCTP protocol layer, the socket is already locked,
5407 * therefore selinux_netlbl_socket_connect_locked() is
5408 * is called here. The situations handled are:
5409 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5410 * whenever a new IP address is added or when a new
5411 * primary address is selected.
5412 * Note that an SCTP connect(2) call happens before
5413 * the SCTP protocol layer and is handled via
5414 * selinux_socket_connect().
5416 err = selinux_netlbl_socket_connect_locked(sk, addr);
5430 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5431 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5434 struct sk_security_struct *sksec = sk->sk_security;
5435 struct sk_security_struct *newsksec = newsk->sk_security;
5437 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5438 * the non-sctp clone version.
5440 if (!selinux_policycap_extsockclass())
5441 return selinux_sk_clone_security(sk, newsk);
5443 newsksec->sid = ep->secid;
5444 newsksec->peer_sid = ep->peer_secid;
5445 newsksec->sclass = sksec->sclass;
5446 selinux_netlbl_sctp_sk_clone(sk, newsk);
5449 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5450 struct request_sock *req)
5452 struct sk_security_struct *sksec = sk->sk_security;
5454 u16 family = req->rsk_ops->family;
5458 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5461 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5464 req->secid = connsid;
5465 req->peer_secid = peersid;
5467 return selinux_netlbl_inet_conn_request(req, family);
5470 static void selinux_inet_csk_clone(struct sock *newsk,
5471 const struct request_sock *req)
5473 struct sk_security_struct *newsksec = newsk->sk_security;
5475 newsksec->sid = req->secid;
5476 newsksec->peer_sid = req->peer_secid;
5477 /* NOTE: Ideally, we should also get the isec->sid for the
5478 new socket in sync, but we don't have the isec available yet.
5479 So we will wait until sock_graft to do it, by which
5480 time it will have been created and available. */
5482 /* We don't need to take any sort of lock here as we are the only
5483 * thread with access to newsksec */
5484 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5487 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5489 u16 family = sk->sk_family;
5490 struct sk_security_struct *sksec = sk->sk_security;
5492 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5493 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5496 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5499 static int selinux_secmark_relabel_packet(u32 sid)
5501 const struct task_security_struct *__tsec;
5504 __tsec = current_security();
5507 return avc_has_perm(&selinux_state,
5508 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5512 static void selinux_secmark_refcount_inc(void)
5514 atomic_inc(&selinux_secmark_refcount);
5517 static void selinux_secmark_refcount_dec(void)
5519 atomic_dec(&selinux_secmark_refcount);
5522 static void selinux_req_classify_flow(const struct request_sock *req,
5525 fl->flowi_secid = req->secid;
5528 static int selinux_tun_dev_alloc_security(void **security)
5530 struct tun_security_struct *tunsec;
5532 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5535 tunsec->sid = current_sid();
5541 static void selinux_tun_dev_free_security(void *security)
5546 static int selinux_tun_dev_create(void)
5548 u32 sid = current_sid();
5550 /* we aren't taking into account the "sockcreate" SID since the socket
5551 * that is being created here is not a socket in the traditional sense,
5552 * instead it is a private sock, accessible only to the kernel, and
5553 * representing a wide range of network traffic spanning multiple
5554 * connections unlike traditional sockets - check the TUN driver to
5555 * get a better understanding of why this socket is special */
5557 return avc_has_perm(&selinux_state,
5558 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5562 static int selinux_tun_dev_attach_queue(void *security)
5564 struct tun_security_struct *tunsec = security;
5566 return avc_has_perm(&selinux_state,
5567 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5568 TUN_SOCKET__ATTACH_QUEUE, NULL);
5571 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5573 struct tun_security_struct *tunsec = security;
5574 struct sk_security_struct *sksec = sk->sk_security;
5576 /* we don't currently perform any NetLabel based labeling here and it
5577 * isn't clear that we would want to do so anyway; while we could apply
5578 * labeling without the support of the TUN user the resulting labeled
5579 * traffic from the other end of the connection would almost certainly
5580 * cause confusion to the TUN user that had no idea network labeling
5581 * protocols were being used */
5583 sksec->sid = tunsec->sid;
5584 sksec->sclass = SECCLASS_TUN_SOCKET;
5589 static int selinux_tun_dev_open(void *security)
5591 struct tun_security_struct *tunsec = security;
5592 u32 sid = current_sid();
5595 err = avc_has_perm(&selinux_state,
5596 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5597 TUN_SOCKET__RELABELFROM, NULL);
5600 err = avc_has_perm(&selinux_state,
5601 sid, sid, SECCLASS_TUN_SOCKET,
5602 TUN_SOCKET__RELABELTO, NULL);
5610 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5613 unsigned int msg_len;
5614 unsigned int data_len = skb->len;
5615 unsigned char *data = skb->data;
5616 struct nlmsghdr *nlh;
5617 struct sk_security_struct *sksec = sk->sk_security;
5618 u16 sclass = sksec->sclass;
5621 while (data_len >= nlmsg_total_size(0)) {
5622 nlh = (struct nlmsghdr *)data;
5624 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5625 * users which means we can't reject skb's with bogus
5626 * length fields; our solution is to follow what
5627 * netlink_rcv_skb() does and simply skip processing at
5628 * messages with length fields that are clearly junk
5630 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5633 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5635 rc = sock_has_perm(sk, perm);
5638 } else if (rc == -EINVAL) {
5639 /* -EINVAL is a missing msg/perm mapping */
5640 pr_warn_ratelimited("SELinux: unrecognized netlink"
5641 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5642 " pid=%d comm=%s\n",
5643 sk->sk_protocol, nlh->nlmsg_type,
5644 secclass_map[sclass - 1].name,
5645 task_pid_nr(current), current->comm);
5646 if (enforcing_enabled(&selinux_state) &&
5647 !security_get_allow_unknown(&selinux_state))
5650 } else if (rc == -ENOENT) {
5651 /* -ENOENT is a missing socket/class mapping, ignore */
5657 /* move to the next message after applying netlink padding */
5658 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5659 if (msg_len >= data_len)
5661 data_len -= msg_len;
5668 #ifdef CONFIG_NETFILTER
5670 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5671 const struct net_device *indev,
5677 struct common_audit_data ad;
5678 struct lsm_network_audit net = {0,};
5683 if (!selinux_policycap_netpeer())
5686 secmark_active = selinux_secmark_enabled();
5687 netlbl_active = netlbl_enabled();
5688 peerlbl_active = selinux_peerlbl_enabled();
5689 if (!secmark_active && !peerlbl_active)
5692 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5695 ad.type = LSM_AUDIT_DATA_NET;
5697 ad.u.net->netif = indev->ifindex;
5698 ad.u.net->family = family;
5699 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5702 if (peerlbl_active) {
5703 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5704 addrp, family, peer_sid, &ad);
5706 selinux_netlbl_err(skb, family, err, 1);
5712 if (avc_has_perm(&selinux_state,
5713 peer_sid, skb->secmark,
5714 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5718 /* we do this in the FORWARD path and not the POST_ROUTING
5719 * path because we want to make sure we apply the necessary
5720 * labeling before IPsec is applied so we can leverage AH
5722 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5728 static unsigned int selinux_ipv4_forward(void *priv,
5729 struct sk_buff *skb,
5730 const struct nf_hook_state *state)
5732 return selinux_ip_forward(skb, state->in, PF_INET);
5735 #if IS_ENABLED(CONFIG_IPV6)
5736 static unsigned int selinux_ipv6_forward(void *priv,
5737 struct sk_buff *skb,
5738 const struct nf_hook_state *state)
5740 return selinux_ip_forward(skb, state->in, PF_INET6);
5744 static unsigned int selinux_ip_output(struct sk_buff *skb,
5750 if (!netlbl_enabled())
5753 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5754 * because we want to make sure we apply the necessary labeling
5755 * before IPsec is applied so we can leverage AH protection */
5758 struct sk_security_struct *sksec;
5760 if (sk_listener(sk))
5761 /* if the socket is the listening state then this
5762 * packet is a SYN-ACK packet which means it needs to
5763 * be labeled based on the connection/request_sock and
5764 * not the parent socket. unfortunately, we can't
5765 * lookup the request_sock yet as it isn't queued on
5766 * the parent socket until after the SYN-ACK is sent.
5767 * the "solution" is to simply pass the packet as-is
5768 * as any IP option based labeling should be copied
5769 * from the initial connection request (in the IP
5770 * layer). it is far from ideal, but until we get a
5771 * security label in the packet itself this is the
5772 * best we can do. */
5775 /* standard practice, label using the parent socket */
5776 sksec = sk->sk_security;
5779 sid = SECINITSID_KERNEL;
5780 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5786 static unsigned int selinux_ipv4_output(void *priv,
5787 struct sk_buff *skb,
5788 const struct nf_hook_state *state)
5790 return selinux_ip_output(skb, PF_INET);
5793 #if IS_ENABLED(CONFIG_IPV6)
5794 static unsigned int selinux_ipv6_output(void *priv,
5795 struct sk_buff *skb,
5796 const struct nf_hook_state *state)
5798 return selinux_ip_output(skb, PF_INET6);
5802 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5806 struct sock *sk = skb_to_full_sk(skb);
5807 struct sk_security_struct *sksec;
5808 struct common_audit_data ad;
5809 struct lsm_network_audit net = {0,};
5815 sksec = sk->sk_security;
5817 ad.type = LSM_AUDIT_DATA_NET;
5819 ad.u.net->netif = ifindex;
5820 ad.u.net->family = family;
5821 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5824 if (selinux_secmark_enabled())
5825 if (avc_has_perm(&selinux_state,
5826 sksec->sid, skb->secmark,
5827 SECCLASS_PACKET, PACKET__SEND, &ad))
5828 return NF_DROP_ERR(-ECONNREFUSED);
5830 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5831 return NF_DROP_ERR(-ECONNREFUSED);
5836 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5837 const struct net_device *outdev,
5842 int ifindex = outdev->ifindex;
5844 struct common_audit_data ad;
5845 struct lsm_network_audit net = {0,};
5850 /* If any sort of compatibility mode is enabled then handoff processing
5851 * to the selinux_ip_postroute_compat() function to deal with the
5852 * special handling. We do this in an attempt to keep this function
5853 * as fast and as clean as possible. */
5854 if (!selinux_policycap_netpeer())
5855 return selinux_ip_postroute_compat(skb, ifindex, family);
5857 secmark_active = selinux_secmark_enabled();
5858 peerlbl_active = selinux_peerlbl_enabled();
5859 if (!secmark_active && !peerlbl_active)
5862 sk = skb_to_full_sk(skb);
5865 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5866 * packet transformation so allow the packet to pass without any checks
5867 * since we'll have another chance to perform access control checks
5868 * when the packet is on it's final way out.
5869 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5870 * is NULL, in this case go ahead and apply access control.
5871 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5872 * TCP listening state we cannot wait until the XFRM processing
5873 * is done as we will miss out on the SA label if we do;
5874 * unfortunately, this means more work, but it is only once per
5876 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5877 !(sk && sk_listener(sk)))
5882 /* Without an associated socket the packet is either coming
5883 * from the kernel or it is being forwarded; check the packet
5884 * to determine which and if the packet is being forwarded
5885 * query the packet directly to determine the security label. */
5887 secmark_perm = PACKET__FORWARD_OUT;
5888 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5891 secmark_perm = PACKET__SEND;
5892 peer_sid = SECINITSID_KERNEL;
5894 } else if (sk_listener(sk)) {
5895 /* Locally generated packet but the associated socket is in the
5896 * listening state which means this is a SYN-ACK packet. In
5897 * this particular case the correct security label is assigned
5898 * to the connection/request_sock but unfortunately we can't
5899 * query the request_sock as it isn't queued on the parent
5900 * socket until after the SYN-ACK packet is sent; the only
5901 * viable choice is to regenerate the label like we do in
5902 * selinux_inet_conn_request(). See also selinux_ip_output()
5903 * for similar problems. */
5905 struct sk_security_struct *sksec;
5907 sksec = sk->sk_security;
5908 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5910 /* At this point, if the returned skb peerlbl is SECSID_NULL
5911 * and the packet has been through at least one XFRM
5912 * transformation then we must be dealing with the "final"
5913 * form of labeled IPsec packet; since we've already applied
5914 * all of our access controls on this packet we can safely
5915 * pass the packet. */
5916 if (skb_sid == SECSID_NULL) {
5919 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5923 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5927 return NF_DROP_ERR(-ECONNREFUSED);
5930 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5932 secmark_perm = PACKET__SEND;
5934 /* Locally generated packet, fetch the security label from the
5935 * associated socket. */
5936 struct sk_security_struct *sksec = sk->sk_security;
5937 peer_sid = sksec->sid;
5938 secmark_perm = PACKET__SEND;
5941 ad.type = LSM_AUDIT_DATA_NET;
5943 ad.u.net->netif = ifindex;
5944 ad.u.net->family = family;
5945 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5949 if (avc_has_perm(&selinux_state,
5950 peer_sid, skb->secmark,
5951 SECCLASS_PACKET, secmark_perm, &ad))
5952 return NF_DROP_ERR(-ECONNREFUSED);
5954 if (peerlbl_active) {
5958 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5960 if (avc_has_perm(&selinux_state,
5962 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5963 return NF_DROP_ERR(-ECONNREFUSED);
5965 if (sel_netnode_sid(addrp, family, &node_sid))
5967 if (avc_has_perm(&selinux_state,
5969 SECCLASS_NODE, NODE__SENDTO, &ad))
5970 return NF_DROP_ERR(-ECONNREFUSED);
5976 static unsigned int selinux_ipv4_postroute(void *priv,
5977 struct sk_buff *skb,
5978 const struct nf_hook_state *state)
5980 return selinux_ip_postroute(skb, state->out, PF_INET);
5983 #if IS_ENABLED(CONFIG_IPV6)
5984 static unsigned int selinux_ipv6_postroute(void *priv,
5985 struct sk_buff *skb,
5986 const struct nf_hook_state *state)
5988 return selinux_ip_postroute(skb, state->out, PF_INET6);
5992 #endif /* CONFIG_NETFILTER */
5994 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5996 return selinux_nlmsg_perm(sk, skb);
5999 static int ipc_alloc_security(struct kern_ipc_perm *perm,
6002 struct ipc_security_struct *isec;
6004 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
6008 isec->sclass = sclass;
6009 isec->sid = current_sid();
6010 perm->security = isec;
6015 static void ipc_free_security(struct kern_ipc_perm *perm)
6017 struct ipc_security_struct *isec = perm->security;
6018 perm->security = NULL;
6022 static int msg_msg_alloc_security(struct msg_msg *msg)
6024 struct msg_security_struct *msec;
6026 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
6030 msec->sid = SECINITSID_UNLABELED;
6031 msg->security = msec;
6036 static void msg_msg_free_security(struct msg_msg *msg)
6038 struct msg_security_struct *msec = msg->security;
6040 msg->security = NULL;
6044 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
6047 struct ipc_security_struct *isec;
6048 struct common_audit_data ad;
6049 u32 sid = current_sid();
6051 isec = ipc_perms->security;
6053 ad.type = LSM_AUDIT_DATA_IPC;
6054 ad.u.ipc_id = ipc_perms->key;
6056 return avc_has_perm(&selinux_state,
6057 sid, isec->sid, isec->sclass, perms, &ad);
6060 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6062 return msg_msg_alloc_security(msg);
6065 static void selinux_msg_msg_free_security(struct msg_msg *msg)
6067 msg_msg_free_security(msg);
6070 /* message queue security operations */
6071 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6073 struct ipc_security_struct *isec;
6074 struct common_audit_data ad;
6075 u32 sid = current_sid();
6078 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
6082 isec = msq->security;
6084 ad.type = LSM_AUDIT_DATA_IPC;
6085 ad.u.ipc_id = msq->key;
6087 rc = avc_has_perm(&selinux_state,
6088 sid, isec->sid, SECCLASS_MSGQ,
6091 ipc_free_security(msq);
6097 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6099 ipc_free_security(msq);
6102 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6104 struct ipc_security_struct *isec;
6105 struct common_audit_data ad;
6106 u32 sid = current_sid();
6108 isec = msq->security;
6110 ad.type = LSM_AUDIT_DATA_IPC;
6111 ad.u.ipc_id = msq->key;
6113 return avc_has_perm(&selinux_state,
6114 sid, isec->sid, SECCLASS_MSGQ,
6115 MSGQ__ASSOCIATE, &ad);
6118 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6126 /* No specific object, just general system-wide information. */
6127 return avc_has_perm(&selinux_state,
6128 current_sid(), SECINITSID_KERNEL,
6129 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6133 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6136 perms = MSGQ__SETATTR;
6139 perms = MSGQ__DESTROY;
6145 err = ipc_has_perm(msq, perms);
6149 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6151 struct ipc_security_struct *isec;
6152 struct msg_security_struct *msec;
6153 struct common_audit_data ad;
6154 u32 sid = current_sid();
6157 isec = msq->security;
6158 msec = msg->security;
6161 * First time through, need to assign label to the message
6163 if (msec->sid == SECINITSID_UNLABELED) {
6165 * Compute new sid based on current process and
6166 * message queue this message will be stored in
6168 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6169 SECCLASS_MSG, NULL, &msec->sid);
6174 ad.type = LSM_AUDIT_DATA_IPC;
6175 ad.u.ipc_id = msq->key;
6177 /* Can this process write to the queue? */
6178 rc = avc_has_perm(&selinux_state,
6179 sid, isec->sid, SECCLASS_MSGQ,
6182 /* Can this process send the message */
6183 rc = avc_has_perm(&selinux_state,
6184 sid, msec->sid, SECCLASS_MSG,
6187 /* Can the message be put in the queue? */
6188 rc = avc_has_perm(&selinux_state,
6189 msec->sid, isec->sid, SECCLASS_MSGQ,
6190 MSGQ__ENQUEUE, &ad);
6195 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6196 struct task_struct *target,
6197 long type, int mode)
6199 struct ipc_security_struct *isec;
6200 struct msg_security_struct *msec;
6201 struct common_audit_data ad;
6202 u32 sid = task_sid(target);
6205 isec = msq->security;
6206 msec = msg->security;
6208 ad.type = LSM_AUDIT_DATA_IPC;
6209 ad.u.ipc_id = msq->key;
6211 rc = avc_has_perm(&selinux_state,
6213 SECCLASS_MSGQ, MSGQ__READ, &ad);
6215 rc = avc_has_perm(&selinux_state,
6217 SECCLASS_MSG, MSG__RECEIVE, &ad);
6221 /* Shared Memory security operations */
6222 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6224 struct ipc_security_struct *isec;
6225 struct common_audit_data ad;
6226 u32 sid = current_sid();
6229 rc = ipc_alloc_security(shp, SECCLASS_SHM);
6233 isec = shp->security;
6235 ad.type = LSM_AUDIT_DATA_IPC;
6236 ad.u.ipc_id = shp->key;
6238 rc = avc_has_perm(&selinux_state,
6239 sid, isec->sid, SECCLASS_SHM,
6242 ipc_free_security(shp);
6248 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6250 ipc_free_security(shp);
6253 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6255 struct ipc_security_struct *isec;
6256 struct common_audit_data ad;
6257 u32 sid = current_sid();
6259 isec = shp->security;
6261 ad.type = LSM_AUDIT_DATA_IPC;
6262 ad.u.ipc_id = shp->key;
6264 return avc_has_perm(&selinux_state,
6265 sid, isec->sid, SECCLASS_SHM,
6266 SHM__ASSOCIATE, &ad);
6269 /* Note, at this point, shp is locked down */
6270 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6278 /* No specific object, just general system-wide information. */
6279 return avc_has_perm(&selinux_state,
6280 current_sid(), SECINITSID_KERNEL,
6281 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6285 perms = SHM__GETATTR | SHM__ASSOCIATE;
6288 perms = SHM__SETATTR;
6295 perms = SHM__DESTROY;
6301 err = ipc_has_perm(shp, perms);
6305 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6306 char __user *shmaddr, int shmflg)
6310 if (shmflg & SHM_RDONLY)
6313 perms = SHM__READ | SHM__WRITE;
6315 return ipc_has_perm(shp, perms);
6318 /* Semaphore security operations */
6319 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6321 struct ipc_security_struct *isec;
6322 struct common_audit_data ad;
6323 u32 sid = current_sid();
6326 rc = ipc_alloc_security(sma, SECCLASS_SEM);
6330 isec = sma->security;
6332 ad.type = LSM_AUDIT_DATA_IPC;
6333 ad.u.ipc_id = sma->key;
6335 rc = avc_has_perm(&selinux_state,
6336 sid, isec->sid, SECCLASS_SEM,
6339 ipc_free_security(sma);
6345 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6347 ipc_free_security(sma);
6350 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6352 struct ipc_security_struct *isec;
6353 struct common_audit_data ad;
6354 u32 sid = current_sid();
6356 isec = sma->security;
6358 ad.type = LSM_AUDIT_DATA_IPC;
6359 ad.u.ipc_id = sma->key;
6361 return avc_has_perm(&selinux_state,
6362 sid, isec->sid, SECCLASS_SEM,
6363 SEM__ASSOCIATE, &ad);
6366 /* Note, at this point, sma is locked down */
6367 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6375 /* No specific object, just general system-wide information. */
6376 return avc_has_perm(&selinux_state,
6377 current_sid(), SECINITSID_KERNEL,
6378 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6382 perms = SEM__GETATTR;
6393 perms = SEM__DESTROY;
6396 perms = SEM__SETATTR;
6401 perms = SEM__GETATTR | SEM__ASSOCIATE;
6407 err = ipc_has_perm(sma, perms);
6411 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6412 struct sembuf *sops, unsigned nsops, int alter)
6417 perms = SEM__READ | SEM__WRITE;
6421 return ipc_has_perm(sma, perms);
6424 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6430 av |= IPC__UNIX_READ;
6432 av |= IPC__UNIX_WRITE;
6437 return ipc_has_perm(ipcp, av);
6440 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6442 struct ipc_security_struct *isec = ipcp->security;
6446 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6449 inode_doinit_with_dentry(inode, dentry);
6452 static int selinux_getprocattr(struct task_struct *p,
6453 char *name, char **value)
6455 const struct task_security_struct *__tsec;
6461 __tsec = __task_cred(p)->security;
6464 error = avc_has_perm(&selinux_state,
6465 current_sid(), __tsec->sid,
6466 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6471 if (!strcmp(name, "current"))
6473 else if (!strcmp(name, "prev"))
6475 else if (!strcmp(name, "exec"))
6476 sid = __tsec->exec_sid;
6477 else if (!strcmp(name, "fscreate"))
6478 sid = __tsec->create_sid;
6479 else if (!strcmp(name, "keycreate"))
6480 sid = __tsec->keycreate_sid;
6481 else if (!strcmp(name, "sockcreate"))
6482 sid = __tsec->sockcreate_sid;
6492 error = security_sid_to_context(&selinux_state, sid, value, &len);
6502 static int selinux_setprocattr(const char *name, void *value, size_t size)
6504 struct task_security_struct *tsec;
6506 u32 mysid = current_sid(), sid = 0, ptsid;
6511 * Basic control over ability to set these attributes at all.
6513 if (!strcmp(name, "exec"))
6514 error = avc_has_perm(&selinux_state,
6515 mysid, mysid, SECCLASS_PROCESS,
6516 PROCESS__SETEXEC, NULL);
6517 else if (!strcmp(name, "fscreate"))
6518 error = avc_has_perm(&selinux_state,
6519 mysid, mysid, SECCLASS_PROCESS,
6520 PROCESS__SETFSCREATE, NULL);
6521 else if (!strcmp(name, "keycreate"))
6522 error = avc_has_perm(&selinux_state,
6523 mysid, mysid, SECCLASS_PROCESS,
6524 PROCESS__SETKEYCREATE, NULL);
6525 else if (!strcmp(name, "sockcreate"))
6526 error = avc_has_perm(&selinux_state,
6527 mysid, mysid, SECCLASS_PROCESS,
6528 PROCESS__SETSOCKCREATE, NULL);
6529 else if (!strcmp(name, "current"))
6530 error = avc_has_perm(&selinux_state,
6531 mysid, mysid, SECCLASS_PROCESS,
6532 PROCESS__SETCURRENT, NULL);
6538 /* Obtain a SID for the context, if one was specified. */
6539 if (size && str[0] && str[0] != '\n') {
6540 if (str[size-1] == '\n') {
6544 error = security_context_to_sid(&selinux_state, value, size,
6546 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6547 if (!has_cap_mac_admin(true)) {
6548 struct audit_buffer *ab;
6551 /* We strip a nul only if it is at the end, otherwise the
6552 * context contains a nul and we should audit that */
6553 if (str[size - 1] == '\0')
6554 audit_size = size - 1;
6557 ab = audit_log_start(audit_context(),
6560 audit_log_format(ab, "op=fscreate invalid_context=");
6561 audit_log_n_untrustedstring(ab, value, audit_size);
6566 error = security_context_to_sid_force(
6574 new = prepare_creds();
6578 /* Permission checking based on the specified context is
6579 performed during the actual operation (execve,
6580 open/mkdir/...), when we know the full context of the
6581 operation. See selinux_bprm_set_creds for the execve
6582 checks and may_create for the file creation checks. The
6583 operation will then fail if the context is not permitted. */
6584 tsec = new->security;
6585 if (!strcmp(name, "exec")) {
6586 tsec->exec_sid = sid;
6587 } else if (!strcmp(name, "fscreate")) {
6588 tsec->create_sid = sid;
6589 } else if (!strcmp(name, "keycreate")) {
6591 error = avc_has_perm(&selinux_state, mysid, sid,
6592 SECCLASS_KEY, KEY__CREATE, NULL);
6596 tsec->keycreate_sid = sid;
6597 } else if (!strcmp(name, "sockcreate")) {
6598 tsec->sockcreate_sid = sid;
6599 } else if (!strcmp(name, "current")) {
6604 /* Only allow single threaded processes to change context */
6606 if (!current_is_single_threaded()) {
6607 error = security_bounded_transition(&selinux_state,
6613 /* Check permissions for the transition. */
6614 error = avc_has_perm(&selinux_state,
6615 tsec->sid, sid, SECCLASS_PROCESS,
6616 PROCESS__DYNTRANSITION, NULL);
6620 /* Check for ptracing, and update the task SID if ok.
6621 Otherwise, leave SID unchanged and fail. */
6622 ptsid = ptrace_parent_sid();
6624 error = avc_has_perm(&selinux_state,
6625 ptsid, sid, SECCLASS_PROCESS,
6626 PROCESS__PTRACE, NULL);
6645 static int selinux_ismaclabel(const char *name)
6647 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6650 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6652 return security_sid_to_context(&selinux_state, secid,
6656 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6658 return security_context_to_sid(&selinux_state, secdata, seclen,
6662 static void selinux_release_secctx(char *secdata, u32 seclen)
6667 static void selinux_inode_invalidate_secctx(struct inode *inode)
6669 struct inode_security_struct *isec = inode->i_security;
6671 spin_lock(&isec->lock);
6672 isec->initialized = LABEL_INVALID;
6673 spin_unlock(&isec->lock);
6677 * called with inode->i_mutex locked
6679 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6681 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6683 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6684 return rc == -EOPNOTSUPP ? 0 : rc;
6688 * called with inode->i_mutex locked
6690 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6692 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6695 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6698 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6707 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6708 unsigned long flags)
6710 const struct task_security_struct *tsec;
6711 struct key_security_struct *ksec;
6713 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6717 tsec = cred->security;
6718 if (tsec->keycreate_sid)
6719 ksec->sid = tsec->keycreate_sid;
6721 ksec->sid = tsec->sid;
6727 static void selinux_key_free(struct key *k)
6729 struct key_security_struct *ksec = k->security;
6735 static int selinux_key_permission(key_ref_t key_ref,
6736 const struct cred *cred,
6740 struct key_security_struct *ksec;
6743 /* if no specific permissions are requested, we skip the
6744 permission check. No serious, additional covert channels
6745 appear to be created. */
6749 sid = cred_sid(cred);
6751 key = key_ref_to_ptr(key_ref);
6752 ksec = key->security;
6754 return avc_has_perm(&selinux_state,
6755 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6758 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6760 struct key_security_struct *ksec = key->security;
6761 char *context = NULL;
6765 rc = security_sid_to_context(&selinux_state, ksec->sid,
6774 #ifdef CONFIG_SECURITY_INFINIBAND
6775 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6777 struct common_audit_data ad;
6780 struct ib_security_struct *sec = ib_sec;
6781 struct lsm_ibpkey_audit ibpkey;
6783 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6787 ad.type = LSM_AUDIT_DATA_IBPKEY;
6788 ibpkey.subnet_prefix = subnet_prefix;
6789 ibpkey.pkey = pkey_val;
6790 ad.u.ibpkey = &ibpkey;
6791 return avc_has_perm(&selinux_state,
6793 SECCLASS_INFINIBAND_PKEY,
6794 INFINIBAND_PKEY__ACCESS, &ad);
6797 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6800 struct common_audit_data ad;
6803 struct ib_security_struct *sec = ib_sec;
6804 struct lsm_ibendport_audit ibendport;
6806 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6812 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6813 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6814 ibendport.port = port_num;
6815 ad.u.ibendport = &ibendport;
6816 return avc_has_perm(&selinux_state,
6818 SECCLASS_INFINIBAND_ENDPORT,
6819 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6822 static int selinux_ib_alloc_security(void **ib_sec)
6824 struct ib_security_struct *sec;
6826 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6829 sec->sid = current_sid();
6835 static void selinux_ib_free_security(void *ib_sec)
6841 #ifdef CONFIG_BPF_SYSCALL
6842 static int selinux_bpf(int cmd, union bpf_attr *attr,
6845 u32 sid = current_sid();
6849 case BPF_MAP_CREATE:
6850 ret = avc_has_perm(&selinux_state,
6851 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6855 ret = avc_has_perm(&selinux_state,
6856 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6867 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6871 if (fmode & FMODE_READ)
6872 av |= BPF__MAP_READ;
6873 if (fmode & FMODE_WRITE)
6874 av |= BPF__MAP_WRITE;
6878 /* This function will check the file pass through unix socket or binder to see
6879 * if it is a bpf related object. And apply correspinding checks on the bpf
6880 * object based on the type. The bpf maps and programs, not like other files and
6881 * socket, are using a shared anonymous inode inside the kernel as their inode.
6882 * So checking that inode cannot identify if the process have privilege to
6883 * access the bpf object and that's why we have to add this additional check in
6884 * selinux_file_receive and selinux_binder_transfer_files.
6886 static int bpf_fd_pass(struct file *file, u32 sid)
6888 struct bpf_security_struct *bpfsec;
6889 struct bpf_prog *prog;
6890 struct bpf_map *map;
6893 if (file->f_op == &bpf_map_fops) {
6894 map = file->private_data;
6895 bpfsec = map->security;
6896 ret = avc_has_perm(&selinux_state,
6897 sid, bpfsec->sid, SECCLASS_BPF,
6898 bpf_map_fmode_to_av(file->f_mode), NULL);
6901 } else if (file->f_op == &bpf_prog_fops) {
6902 prog = file->private_data;
6903 bpfsec = prog->aux->security;
6904 ret = avc_has_perm(&selinux_state,
6905 sid, bpfsec->sid, SECCLASS_BPF,
6906 BPF__PROG_RUN, NULL);
6913 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6915 u32 sid = current_sid();
6916 struct bpf_security_struct *bpfsec;
6918 bpfsec = map->security;
6919 return avc_has_perm(&selinux_state,
6920 sid, bpfsec->sid, SECCLASS_BPF,
6921 bpf_map_fmode_to_av(fmode), NULL);
6924 static int selinux_bpf_prog(struct bpf_prog *prog)
6926 u32 sid = current_sid();
6927 struct bpf_security_struct *bpfsec;
6929 bpfsec = prog->aux->security;
6930 return avc_has_perm(&selinux_state,
6931 sid, bpfsec->sid, SECCLASS_BPF,
6932 BPF__PROG_RUN, NULL);
6935 static int selinux_bpf_map_alloc(struct bpf_map *map)
6937 struct bpf_security_struct *bpfsec;
6939 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6943 bpfsec->sid = current_sid();
6944 map->security = bpfsec;
6949 static void selinux_bpf_map_free(struct bpf_map *map)
6951 struct bpf_security_struct *bpfsec = map->security;
6953 map->security = NULL;
6957 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6959 struct bpf_security_struct *bpfsec;
6961 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6965 bpfsec->sid = current_sid();
6966 aux->security = bpfsec;
6971 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6973 struct bpf_security_struct *bpfsec = aux->security;
6975 aux->security = NULL;
6980 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6981 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6982 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6983 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6984 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6986 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6987 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6988 LSM_HOOK_INIT(capget, selinux_capget),
6989 LSM_HOOK_INIT(capset, selinux_capset),
6990 LSM_HOOK_INIT(capable, selinux_capable),
6991 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6992 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6993 LSM_HOOK_INIT(syslog, selinux_syslog),
6994 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6996 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6998 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6999 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7000 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7002 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7003 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
7004 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
7005 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7006 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7007 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7008 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7009 LSM_HOOK_INIT(sb_mount, selinux_mount),
7010 LSM_HOOK_INIT(sb_umount, selinux_umount),
7011 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7012 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7013 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
7015 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7016 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7018 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7019 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7020 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7021 LSM_HOOK_INIT(inode_create, selinux_inode_create),
7022 LSM_HOOK_INIT(inode_link, selinux_inode_link),
7023 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7024 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7025 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7026 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7027 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7028 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7029 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7030 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7031 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7032 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7033 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7034 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7035 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7036 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7037 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7038 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7039 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7040 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7041 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7042 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7043 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7044 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7046 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7047 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7048 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
7049 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7050 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7051 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7052 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7053 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7054 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7055 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7056 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7057 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7059 LSM_HOOK_INIT(file_open, selinux_file_open),
7061 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7062 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
7063 LSM_HOOK_INIT(cred_free, selinux_cred_free),
7064 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7065 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7066 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7067 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7068 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7069 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7070 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7071 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7072 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7073 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7074 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7075 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
7076 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7077 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7078 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7079 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7080 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7081 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7082 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7083 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7084 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7085 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7087 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7088 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7090 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7091 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
7093 LSM_HOOK_INIT(msg_queue_alloc_security,
7094 selinux_msg_queue_alloc_security),
7095 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
7096 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7097 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7098 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7099 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7101 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7102 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7103 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7104 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7105 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7107 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7108 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7109 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7110 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7111 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7113 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7115 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7116 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7118 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7119 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7120 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7121 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7122 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7123 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7124 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7125 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7127 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7128 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7130 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7131 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7132 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7133 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7134 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7135 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7136 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7137 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7138 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7139 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7140 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7141 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7142 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7143 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7144 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7145 LSM_HOOK_INIT(socket_getpeersec_stream,
7146 selinux_socket_getpeersec_stream),
7147 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7148 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7149 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7150 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7151 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7152 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7153 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7154 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7155 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7156 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7157 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7158 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7159 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7160 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7161 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7162 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7163 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7164 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7165 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7166 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7167 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7168 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7169 #ifdef CONFIG_SECURITY_INFINIBAND
7170 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7171 LSM_HOOK_INIT(ib_endport_manage_subnet,
7172 selinux_ib_endport_manage_subnet),
7173 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7174 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7176 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7177 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7178 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7179 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7180 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7181 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7182 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7183 selinux_xfrm_state_alloc_acquire),
7184 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7185 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7186 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7187 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7188 selinux_xfrm_state_pol_flow_match),
7189 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7193 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7194 LSM_HOOK_INIT(key_free, selinux_key_free),
7195 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7196 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7200 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7201 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7202 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7203 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7206 #ifdef CONFIG_BPF_SYSCALL
7207 LSM_HOOK_INIT(bpf, selinux_bpf),
7208 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7209 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7210 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7211 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7212 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7213 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7217 static __init int selinux_init(void)
7219 if (!security_module_enable("selinux")) {
7220 selinux_enabled = 0;
7224 if (!selinux_enabled) {
7225 pr_info("SELinux: Disabled at boot.\n");
7229 pr_info("SELinux: Initializing.\n");
7231 memset(&selinux_state, 0, sizeof(selinux_state));
7232 enforcing_set(&selinux_state, selinux_enforcing_boot);
7233 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7234 selinux_ss_init(&selinux_state.ss);
7235 selinux_avc_init(&selinux_state.avc);
7237 /* Set the security state for the initial task. */
7238 cred_init_security();
7240 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7242 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7243 sizeof(struct inode_security_struct),
7244 0, SLAB_PANIC, NULL);
7245 file_security_cache = kmem_cache_create("selinux_file_security",
7246 sizeof(struct file_security_struct),
7247 0, SLAB_PANIC, NULL);
7252 ebitmap_cache_init();
7254 hashtab_cache_init();
7256 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7258 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7259 panic("SELinux: Unable to register AVC netcache callback\n");
7261 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7262 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7264 if (selinux_enforcing_boot)
7265 pr_debug("SELinux: Starting in enforcing mode\n");
7267 pr_debug("SELinux: Starting in permissive mode\n");
7272 static void delayed_superblock_init(struct super_block *sb, void *unused)
7274 superblock_doinit(sb, NULL);
7277 void selinux_complete_init(void)
7279 pr_debug("SELinux: Completing initialization.\n");
7281 /* Set up any superblocks initialized prior to the policy load. */
7282 pr_debug("SELinux: Setting up existing superblocks.\n");
7283 iterate_supers(delayed_superblock_init, NULL);
7286 /* SELinux requires early initialization in order to label
7287 all processes and objects when they are created. */
7288 security_initcall(selinux_init);
7290 #if defined(CONFIG_NETFILTER)
7292 static const struct nf_hook_ops selinux_nf_ops[] = {
7294 .hook = selinux_ipv4_postroute,
7296 .hooknum = NF_INET_POST_ROUTING,
7297 .priority = NF_IP_PRI_SELINUX_LAST,
7300 .hook = selinux_ipv4_forward,
7302 .hooknum = NF_INET_FORWARD,
7303 .priority = NF_IP_PRI_SELINUX_FIRST,
7306 .hook = selinux_ipv4_output,
7308 .hooknum = NF_INET_LOCAL_OUT,
7309 .priority = NF_IP_PRI_SELINUX_FIRST,
7311 #if IS_ENABLED(CONFIG_IPV6)
7313 .hook = selinux_ipv6_postroute,
7315 .hooknum = NF_INET_POST_ROUTING,
7316 .priority = NF_IP6_PRI_SELINUX_LAST,
7319 .hook = selinux_ipv6_forward,
7321 .hooknum = NF_INET_FORWARD,
7322 .priority = NF_IP6_PRI_SELINUX_FIRST,
7325 .hook = selinux_ipv6_output,
7327 .hooknum = NF_INET_LOCAL_OUT,
7328 .priority = NF_IP6_PRI_SELINUX_FIRST,
7333 static int __net_init selinux_nf_register(struct net *net)
7335 return nf_register_net_hooks(net, selinux_nf_ops,
7336 ARRAY_SIZE(selinux_nf_ops));
7339 static void __net_exit selinux_nf_unregister(struct net *net)
7341 nf_unregister_net_hooks(net, selinux_nf_ops,
7342 ARRAY_SIZE(selinux_nf_ops));
7345 static struct pernet_operations selinux_net_ops = {
7346 .init = selinux_nf_register,
7347 .exit = selinux_nf_unregister,
7350 static int __init selinux_nf_ip_init(void)
7354 if (!selinux_enabled)
7357 pr_debug("SELinux: Registering netfilter hooks\n");
7359 err = register_pernet_subsys(&selinux_net_ops);
7361 panic("SELinux: register_pernet_subsys: error %d\n", err);
7365 __initcall(selinux_nf_ip_init);
7367 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7368 static void selinux_nf_ip_exit(void)
7370 pr_debug("SELinux: Unregistering netfilter hooks\n");
7372 unregister_pernet_subsys(&selinux_net_ops);
7376 #else /* CONFIG_NETFILTER */
7378 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7379 #define selinux_nf_ip_exit()
7382 #endif /* CONFIG_NETFILTER */
7384 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7385 int selinux_disable(struct selinux_state *state)
7387 if (state->initialized) {
7388 /* Not permitted after initial policy load. */
7392 if (state->disabled) {
7393 /* Only do this once. */
7397 state->disabled = 1;
7399 pr_info("SELinux: Disabled at runtime.\n");
7401 selinux_enabled = 0;
7403 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7405 /* Try to destroy the avc node cache */
7408 /* Unregister netfilter hooks. */
7409 selinux_nf_ip_exit();
7411 /* Unregister selinuxfs. */