1 // SPDX-License-Identifier: GPL-2.0-only
3 * NSA Security-Enhanced Linux (SELinux) security module
5 * This file contains the SELinux hook function implementations.
7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * <dgoeddel@trustedcs.com>
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Paul Moore <paul@paul-moore.com>
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * Copyright (C) 2016 Mellanox Technologies
24 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/tracehook.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h> /* for Unix socket types */
73 #include <net/af_unix.h> /* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h> /* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
102 #include "netlabel.h"
106 struct selinux_state selinux_state;
108 /* SECMARK reference count */
109 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
111 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
112 static int selinux_enforcing_boot;
114 static int __init enforcing_setup(char *str)
116 unsigned long enforcing;
117 if (!kstrtoul(str, 0, &enforcing))
118 selinux_enforcing_boot = enforcing ? 1 : 0;
121 __setup("enforcing=", enforcing_setup);
123 #define selinux_enforcing_boot 1
126 int selinux_enabled __lsm_ro_after_init = 1;
127 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
128 static int __init selinux_enabled_setup(char *str)
130 unsigned long enabled;
131 if (!kstrtoul(str, 0, &enabled))
132 selinux_enabled = enabled ? 1 : 0;
135 __setup("selinux=", selinux_enabled_setup);
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 static int __init checkreqprot_setup(char *str)
143 unsigned long checkreqprot;
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
149 __setup("checkreqprot=", checkreqprot_setup);
152 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
155 * This function checks the SECMARK reference counter to see if any SECMARK
156 * targets are currently configured, if the reference counter is greater than
157 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
158 * enabled, false (0) if SECMARK is disabled. If the always_check_network
159 * policy capability is enabled, SECMARK is always considered enabled.
162 static int selinux_secmark_enabled(void)
164 return (selinux_policycap_alwaysnetwork() ||
165 atomic_read(&selinux_secmark_refcount));
169 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
172 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
173 * (1) if any are enabled or false (0) if neither are enabled. If the
174 * always_check_network policy capability is enabled, peer labeling
175 * is always considered enabled.
178 static int selinux_peerlbl_enabled(void)
180 return (selinux_policycap_alwaysnetwork() ||
181 netlbl_enabled() || selinux_xfrm_enabled());
184 static int selinux_netcache_avc_callback(u32 event)
186 if (event == AVC_CALLBACK_RESET) {
195 static int selinux_lsm_notifier_avc_callback(u32 event)
197 if (event == AVC_CALLBACK_RESET) {
199 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
206 * initialise the security for the init task
208 static void cred_init_security(void)
210 struct cred *cred = (struct cred *) current->real_cred;
211 struct task_security_struct *tsec;
213 tsec = selinux_cred(cred);
214 tsec->osid = tsec->sid = SECINITSID_KERNEL;
218 * get the security ID of a set of credentials
220 static inline u32 cred_sid(const struct cred *cred)
222 const struct task_security_struct *tsec;
224 tsec = selinux_cred(cred);
229 * get the objective security ID of a task
231 static inline u32 task_sid(const struct task_struct *task)
236 sid = cred_sid(__task_cred(task));
241 /* Allocate and free functions for each kind of security blob. */
243 static int inode_alloc_security(struct inode *inode)
245 struct inode_security_struct *isec = selinux_inode(inode);
246 u32 sid = current_sid();
248 spin_lock_init(&isec->lock);
249 INIT_LIST_HEAD(&isec->list);
251 isec->sid = SECINITSID_UNLABELED;
252 isec->sclass = SECCLASS_FILE;
253 isec->task_sid = sid;
254 isec->initialized = LABEL_INVALID;
259 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
262 * Try reloading inode security labels that have been marked as invalid. The
263 * @may_sleep parameter indicates when sleeping and thus reloading labels is
264 * allowed; when set to false, returns -ECHILD when the label is
265 * invalid. The @dentry parameter should be set to a dentry of the inode.
267 static int __inode_security_revalidate(struct inode *inode,
268 struct dentry *dentry,
271 struct inode_security_struct *isec = selinux_inode(inode);
273 might_sleep_if(may_sleep);
275 if (selinux_state.initialized &&
276 isec->initialized != LABEL_INITIALIZED) {
281 * Try reloading the inode security label. This will fail if
282 * @opt_dentry is NULL and no dentry for this inode can be
283 * found; in that case, continue using the old label.
285 inode_doinit_with_dentry(inode, dentry);
290 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
292 return selinux_inode(inode);
295 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
299 error = __inode_security_revalidate(inode, NULL, !rcu);
301 return ERR_PTR(error);
302 return selinux_inode(inode);
306 * Get the security label of an inode.
308 static struct inode_security_struct *inode_security(struct inode *inode)
310 __inode_security_revalidate(inode, NULL, true);
311 return selinux_inode(inode);
314 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
316 struct inode *inode = d_backing_inode(dentry);
318 return selinux_inode(inode);
322 * Get the security label of a dentry's backing inode.
324 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
326 struct inode *inode = d_backing_inode(dentry);
328 __inode_security_revalidate(inode, dentry, true);
329 return selinux_inode(inode);
332 static void inode_free_security(struct inode *inode)
334 struct inode_security_struct *isec = selinux_inode(inode);
335 struct superblock_security_struct *sbsec;
339 sbsec = inode->i_sb->s_security;
341 * As not all inode security structures are in a list, we check for
342 * empty list outside of the lock to make sure that we won't waste
343 * time taking a lock doing nothing.
345 * The list_del_init() function can be safely called more than once.
346 * It should not be possible for this function to be called with
347 * concurrent list_add(), but for better safety against future changes
348 * in the code, we use list_empty_careful() here.
350 if (!list_empty_careful(&isec->list)) {
351 spin_lock(&sbsec->isec_lock);
352 list_del_init(&isec->list);
353 spin_unlock(&sbsec->isec_lock);
357 static int file_alloc_security(struct file *file)
359 struct file_security_struct *fsec = selinux_file(file);
360 u32 sid = current_sid();
363 fsec->fown_sid = sid;
368 static int superblock_alloc_security(struct super_block *sb)
370 struct superblock_security_struct *sbsec;
372 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
376 mutex_init(&sbsec->lock);
377 INIT_LIST_HEAD(&sbsec->isec_head);
378 spin_lock_init(&sbsec->isec_lock);
380 sbsec->sid = SECINITSID_UNLABELED;
381 sbsec->def_sid = SECINITSID_FILE;
382 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
383 sb->s_security = sbsec;
388 static void superblock_free_security(struct super_block *sb)
390 struct superblock_security_struct *sbsec = sb->s_security;
391 sb->s_security = NULL;
395 struct selinux_mnt_opts {
396 const char *fscontext, *context, *rootcontext, *defcontext;
399 static void selinux_free_mnt_opts(void *mnt_opts)
401 struct selinux_mnt_opts *opts = mnt_opts;
402 kfree(opts->fscontext);
403 kfree(opts->context);
404 kfree(opts->rootcontext);
405 kfree(opts->defcontext);
409 static inline int inode_doinit(struct inode *inode)
411 return inode_doinit_with_dentry(inode, NULL);
423 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
433 A(rootcontext, true),
438 static int match_opt_prefix(char *s, int l, char **arg)
442 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
443 size_t len = tokens[i].len;
444 if (len > l || memcmp(s, tokens[i].name, len))
446 if (tokens[i].has_arg) {
447 if (len == l || s[len] != '=')
452 return tokens[i].opt;
457 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
459 static int may_context_mount_sb_relabel(u32 sid,
460 struct superblock_security_struct *sbsec,
461 const struct cred *cred)
463 const struct task_security_struct *tsec = selinux_cred(cred);
466 rc = avc_has_perm(&selinux_state,
467 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
468 FILESYSTEM__RELABELFROM, NULL);
472 rc = avc_has_perm(&selinux_state,
473 tsec->sid, sid, SECCLASS_FILESYSTEM,
474 FILESYSTEM__RELABELTO, NULL);
478 static int may_context_mount_inode_relabel(u32 sid,
479 struct superblock_security_struct *sbsec,
480 const struct cred *cred)
482 const struct task_security_struct *tsec = selinux_cred(cred);
484 rc = avc_has_perm(&selinux_state,
485 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
486 FILESYSTEM__RELABELFROM, NULL);
490 rc = avc_has_perm(&selinux_state,
491 sid, sbsec->sid, SECCLASS_FILESYSTEM,
492 FILESYSTEM__ASSOCIATE, NULL);
496 static int selinux_is_genfs_special_handling(struct super_block *sb)
498 /* Special handling. Genfs but also in-core setxattr handler */
499 return !strcmp(sb->s_type->name, "sysfs") ||
500 !strcmp(sb->s_type->name, "pstore") ||
501 !strcmp(sb->s_type->name, "debugfs") ||
502 !strcmp(sb->s_type->name, "tracefs") ||
503 !strcmp(sb->s_type->name, "rootfs") ||
504 (selinux_policycap_cgroupseclabel() &&
505 (!strcmp(sb->s_type->name, "cgroup") ||
506 !strcmp(sb->s_type->name, "cgroup2")));
509 static int selinux_is_sblabel_mnt(struct super_block *sb)
511 struct superblock_security_struct *sbsec = sb->s_security;
514 * IMPORTANT: Double-check logic in this function when adding a new
515 * SECURITY_FS_USE_* definition!
517 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
519 switch (sbsec->behavior) {
520 case SECURITY_FS_USE_XATTR:
521 case SECURITY_FS_USE_TRANS:
522 case SECURITY_FS_USE_TASK:
523 case SECURITY_FS_USE_NATIVE:
526 case SECURITY_FS_USE_GENFS:
527 return selinux_is_genfs_special_handling(sb);
529 /* Never allow relabeling on context mounts */
530 case SECURITY_FS_USE_MNTPOINT:
531 case SECURITY_FS_USE_NONE:
537 static int sb_finish_set_opts(struct super_block *sb)
539 struct superblock_security_struct *sbsec = sb->s_security;
540 struct dentry *root = sb->s_root;
541 struct inode *root_inode = d_backing_inode(root);
544 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
545 /* Make sure that the xattr handler exists and that no
546 error other than -ENODATA is returned by getxattr on
547 the root directory. -ENODATA is ok, as this may be
548 the first boot of the SELinux kernel before we have
549 assigned xattr values to the filesystem. */
550 if (!(root_inode->i_opflags & IOP_XATTR)) {
551 pr_warn("SELinux: (dev %s, type %s) has no "
552 "xattr support\n", sb->s_id, sb->s_type->name);
557 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
558 if (rc < 0 && rc != -ENODATA) {
559 if (rc == -EOPNOTSUPP)
560 pr_warn("SELinux: (dev %s, type "
561 "%s) has no security xattr handler\n",
562 sb->s_id, sb->s_type->name);
564 pr_warn("SELinux: (dev %s, type "
565 "%s) getxattr errno %d\n", sb->s_id,
566 sb->s_type->name, -rc);
571 sbsec->flags |= SE_SBINITIALIZED;
574 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
575 * leave the flag untouched because sb_clone_mnt_opts might be handing
576 * us a superblock that needs the flag to be cleared.
578 if (selinux_is_sblabel_mnt(sb))
579 sbsec->flags |= SBLABEL_MNT;
581 sbsec->flags &= ~SBLABEL_MNT;
583 /* Initialize the root inode. */
584 rc = inode_doinit_with_dentry(root_inode, root);
586 /* Initialize any other inodes associated with the superblock, e.g.
587 inodes created prior to initial policy load or inodes created
588 during get_sb by a pseudo filesystem that directly
590 spin_lock(&sbsec->isec_lock);
591 while (!list_empty(&sbsec->isec_head)) {
592 struct inode_security_struct *isec =
593 list_first_entry(&sbsec->isec_head,
594 struct inode_security_struct, list);
595 struct inode *inode = isec->inode;
596 list_del_init(&isec->list);
597 spin_unlock(&sbsec->isec_lock);
598 inode = igrab(inode);
600 if (!IS_PRIVATE(inode))
604 spin_lock(&sbsec->isec_lock);
606 spin_unlock(&sbsec->isec_lock);
611 static int bad_option(struct superblock_security_struct *sbsec, char flag,
612 u32 old_sid, u32 new_sid)
614 char mnt_flags = sbsec->flags & SE_MNTMASK;
616 /* check if the old mount command had the same options */
617 if (sbsec->flags & SE_SBINITIALIZED)
618 if (!(sbsec->flags & flag) ||
619 (old_sid != new_sid))
622 /* check if we were passed the same options twice,
623 * aka someone passed context=a,context=b
625 if (!(sbsec->flags & SE_SBINITIALIZED))
626 if (mnt_flags & flag)
631 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
633 int rc = security_context_str_to_sid(&selinux_state, s,
636 pr_warn("SELinux: security_context_str_to_sid"
637 "(%s) failed for (dev %s, type %s) errno=%d\n",
638 s, sb->s_id, sb->s_type->name, rc);
643 * Allow filesystems with binary mount data to explicitly set mount point
644 * labeling information.
646 static int selinux_set_mnt_opts(struct super_block *sb,
648 unsigned long kern_flags,
649 unsigned long *set_kern_flags)
651 const struct cred *cred = current_cred();
652 struct superblock_security_struct *sbsec = sb->s_security;
653 struct dentry *root = sbsec->sb->s_root;
654 struct selinux_mnt_opts *opts = mnt_opts;
655 struct inode_security_struct *root_isec;
656 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
657 u32 defcontext_sid = 0;
660 mutex_lock(&sbsec->lock);
662 if (!selinux_state.initialized) {
664 /* Defer initialization until selinux_complete_init,
665 after the initial policy is loaded and the security
666 server is ready to handle calls. */
670 pr_warn("SELinux: Unable to set superblock options "
671 "before the security server is initialized\n");
674 if (kern_flags && !set_kern_flags) {
675 /* Specifying internal flags without providing a place to
676 * place the results is not allowed */
682 * Binary mount data FS will come through this function twice. Once
683 * from an explicit call and once from the generic calls from the vfs.
684 * Since the generic VFS calls will not contain any security mount data
685 * we need to skip the double mount verification.
687 * This does open a hole in which we will not notice if the first
688 * mount using this sb set explict options and a second mount using
689 * this sb does not set any security options. (The first options
690 * will be used for both mounts)
692 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
696 root_isec = backing_inode_security_novalidate(root);
699 * parse the mount options, check if they are valid sids.
700 * also check if someone is trying to mount the same sb more
701 * than once with different security options.
704 if (opts->fscontext) {
705 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
708 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
710 goto out_double_mount;
711 sbsec->flags |= FSCONTEXT_MNT;
714 rc = parse_sid(sb, opts->context, &context_sid);
717 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
719 goto out_double_mount;
720 sbsec->flags |= CONTEXT_MNT;
722 if (opts->rootcontext) {
723 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
726 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
728 goto out_double_mount;
729 sbsec->flags |= ROOTCONTEXT_MNT;
731 if (opts->defcontext) {
732 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
735 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
737 goto out_double_mount;
738 sbsec->flags |= DEFCONTEXT_MNT;
742 if (sbsec->flags & SE_SBINITIALIZED) {
743 /* previously mounted with options, but not on this attempt? */
744 if ((sbsec->flags & SE_MNTMASK) && !opts)
745 goto out_double_mount;
750 if (strcmp(sb->s_type->name, "proc") == 0)
751 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
753 if (!strcmp(sb->s_type->name, "debugfs") ||
754 !strcmp(sb->s_type->name, "tracefs") ||
755 !strcmp(sb->s_type->name, "pstore"))
756 sbsec->flags |= SE_SBGENFS;
758 if (!strcmp(sb->s_type->name, "sysfs") ||
759 !strcmp(sb->s_type->name, "cgroup") ||
760 !strcmp(sb->s_type->name, "cgroup2"))
761 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
763 if (!sbsec->behavior) {
765 * Determine the labeling behavior to use for this
768 rc = security_fs_use(&selinux_state, sb);
770 pr_warn("%s: security_fs_use(%s) returned %d\n",
771 __func__, sb->s_type->name, rc);
777 * If this is a user namespace mount and the filesystem type is not
778 * explicitly whitelisted, then no contexts are allowed on the command
779 * line and security labels must be ignored.
781 if (sb->s_user_ns != &init_user_ns &&
782 strcmp(sb->s_type->name, "tmpfs") &&
783 strcmp(sb->s_type->name, "ramfs") &&
784 strcmp(sb->s_type->name, "devpts")) {
785 if (context_sid || fscontext_sid || rootcontext_sid ||
790 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
791 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
792 rc = security_transition_sid(&selinux_state,
796 &sbsec->mntpoint_sid);
803 /* sets the context of the superblock for the fs being mounted. */
805 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
809 sbsec->sid = fscontext_sid;
813 * Switch to using mount point labeling behavior.
814 * sets the label used on all file below the mountpoint, and will set
815 * the superblock context if not already set.
817 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
818 sbsec->behavior = SECURITY_FS_USE_NATIVE;
819 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
823 if (!fscontext_sid) {
824 rc = may_context_mount_sb_relabel(context_sid, sbsec,
828 sbsec->sid = context_sid;
830 rc = may_context_mount_inode_relabel(context_sid, sbsec,
835 if (!rootcontext_sid)
836 rootcontext_sid = context_sid;
838 sbsec->mntpoint_sid = context_sid;
839 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
842 if (rootcontext_sid) {
843 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
848 root_isec->sid = rootcontext_sid;
849 root_isec->initialized = LABEL_INITIALIZED;
852 if (defcontext_sid) {
853 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
854 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
856 pr_warn("SELinux: defcontext option is "
857 "invalid for this filesystem type\n");
861 if (defcontext_sid != sbsec->def_sid) {
862 rc = may_context_mount_inode_relabel(defcontext_sid,
868 sbsec->def_sid = defcontext_sid;
872 rc = sb_finish_set_opts(sb);
874 mutex_unlock(&sbsec->lock);
878 pr_warn("SELinux: mount invalid. Same superblock, different "
879 "security settings for (dev %s, type %s)\n", sb->s_id,
884 static int selinux_cmp_sb_context(const struct super_block *oldsb,
885 const struct super_block *newsb)
887 struct superblock_security_struct *old = oldsb->s_security;
888 struct superblock_security_struct *new = newsb->s_security;
889 char oldflags = old->flags & SE_MNTMASK;
890 char newflags = new->flags & SE_MNTMASK;
892 if (oldflags != newflags)
894 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
896 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
898 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
900 if (oldflags & ROOTCONTEXT_MNT) {
901 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
902 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
903 if (oldroot->sid != newroot->sid)
908 pr_warn("SELinux: mount invalid. Same superblock, "
909 "different security settings for (dev %s, "
910 "type %s)\n", newsb->s_id, newsb->s_type->name);
914 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
915 struct super_block *newsb,
916 unsigned long kern_flags,
917 unsigned long *set_kern_flags)
920 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
921 struct superblock_security_struct *newsbsec = newsb->s_security;
923 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
924 int set_context = (oldsbsec->flags & CONTEXT_MNT);
925 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
928 * if the parent was able to be mounted it clearly had no special lsm
929 * mount options. thus we can safely deal with this superblock later
931 if (!selinux_state.initialized)
935 * Specifying internal flags without providing a place to
936 * place the results is not allowed.
938 if (kern_flags && !set_kern_flags)
941 /* how can we clone if the old one wasn't set up?? */
942 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
944 /* if fs is reusing a sb, make sure that the contexts match */
945 if (newsbsec->flags & SE_SBINITIALIZED) {
946 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
947 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
948 return selinux_cmp_sb_context(oldsb, newsb);
951 mutex_lock(&newsbsec->lock);
953 newsbsec->flags = oldsbsec->flags;
955 newsbsec->sid = oldsbsec->sid;
956 newsbsec->def_sid = oldsbsec->def_sid;
957 newsbsec->behavior = oldsbsec->behavior;
959 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
960 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
961 rc = security_fs_use(&selinux_state, newsb);
966 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
967 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
968 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
972 u32 sid = oldsbsec->mntpoint_sid;
976 if (!set_rootcontext) {
977 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
980 newsbsec->mntpoint_sid = sid;
982 if (set_rootcontext) {
983 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
984 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
986 newisec->sid = oldisec->sid;
989 sb_finish_set_opts(newsb);
991 mutex_unlock(&newsbsec->lock);
995 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
997 struct selinux_mnt_opts *opts = *mnt_opts;
998 bool is_alloc_opts = false;
1000 if (token == Opt_seclabel) /* eaten and completely ignored */
1007 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1011 is_alloc_opts = true;
1016 if (opts->context || opts->defcontext)
1021 if (opts->fscontext)
1023 opts->fscontext = s;
1025 case Opt_rootcontext:
1026 if (opts->rootcontext)
1028 opts->rootcontext = s;
1030 case Opt_defcontext:
1031 if (opts->context || opts->defcontext)
1033 opts->defcontext = s;
1038 if (is_alloc_opts) {
1042 pr_warn(SEL_MOUNT_FAIL_MSG);
1046 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1049 int token = Opt_error;
1052 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1053 if (strcmp(option, tokens[i].name) == 0) {
1054 token = tokens[i].opt;
1059 if (token == Opt_error)
1062 if (token != Opt_seclabel) {
1063 val = kmemdup_nul(val, len, GFP_KERNEL);
1069 rc = selinux_add_opt(token, val, mnt_opts);
1078 selinux_free_mnt_opts(*mnt_opts);
1084 static int show_sid(struct seq_file *m, u32 sid)
1086 char *context = NULL;
1090 rc = security_sid_to_context(&selinux_state, sid,
1093 bool has_comma = context && strchr(context, ',');
1098 seq_escape(m, context, "\"\n\\");
1106 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1108 struct superblock_security_struct *sbsec = sb->s_security;
1111 if (!(sbsec->flags & SE_SBINITIALIZED))
1114 if (!selinux_state.initialized)
1117 if (sbsec->flags & FSCONTEXT_MNT) {
1119 seq_puts(m, FSCONTEXT_STR);
1120 rc = show_sid(m, sbsec->sid);
1124 if (sbsec->flags & CONTEXT_MNT) {
1126 seq_puts(m, CONTEXT_STR);
1127 rc = show_sid(m, sbsec->mntpoint_sid);
1131 if (sbsec->flags & DEFCONTEXT_MNT) {
1133 seq_puts(m, DEFCONTEXT_STR);
1134 rc = show_sid(m, sbsec->def_sid);
1138 if (sbsec->flags & ROOTCONTEXT_MNT) {
1139 struct dentry *root = sbsec->sb->s_root;
1140 struct inode_security_struct *isec = backing_inode_security(root);
1142 seq_puts(m, ROOTCONTEXT_STR);
1143 rc = show_sid(m, isec->sid);
1147 if (sbsec->flags & SBLABEL_MNT) {
1149 seq_puts(m, SECLABEL_STR);
1154 static inline u16 inode_mode_to_security_class(umode_t mode)
1156 switch (mode & S_IFMT) {
1158 return SECCLASS_SOCK_FILE;
1160 return SECCLASS_LNK_FILE;
1162 return SECCLASS_FILE;
1164 return SECCLASS_BLK_FILE;
1166 return SECCLASS_DIR;
1168 return SECCLASS_CHR_FILE;
1170 return SECCLASS_FIFO_FILE;
1174 return SECCLASS_FILE;
1177 static inline int default_protocol_stream(int protocol)
1179 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1182 static inline int default_protocol_dgram(int protocol)
1184 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1187 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1189 int extsockclass = selinux_policycap_extsockclass();
1195 case SOCK_SEQPACKET:
1196 return SECCLASS_UNIX_STREAM_SOCKET;
1199 return SECCLASS_UNIX_DGRAM_SOCKET;
1206 case SOCK_SEQPACKET:
1207 if (default_protocol_stream(protocol))
1208 return SECCLASS_TCP_SOCKET;
1209 else if (extsockclass && protocol == IPPROTO_SCTP)
1210 return SECCLASS_SCTP_SOCKET;
1212 return SECCLASS_RAWIP_SOCKET;
1214 if (default_protocol_dgram(protocol))
1215 return SECCLASS_UDP_SOCKET;
1216 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1217 protocol == IPPROTO_ICMPV6))
1218 return SECCLASS_ICMP_SOCKET;
1220 return SECCLASS_RAWIP_SOCKET;
1222 return SECCLASS_DCCP_SOCKET;
1224 return SECCLASS_RAWIP_SOCKET;
1230 return SECCLASS_NETLINK_ROUTE_SOCKET;
1231 case NETLINK_SOCK_DIAG:
1232 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1234 return SECCLASS_NETLINK_NFLOG_SOCKET;
1236 return SECCLASS_NETLINK_XFRM_SOCKET;
1237 case NETLINK_SELINUX:
1238 return SECCLASS_NETLINK_SELINUX_SOCKET;
1240 return SECCLASS_NETLINK_ISCSI_SOCKET;
1242 return SECCLASS_NETLINK_AUDIT_SOCKET;
1243 case NETLINK_FIB_LOOKUP:
1244 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1245 case NETLINK_CONNECTOR:
1246 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1247 case NETLINK_NETFILTER:
1248 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1249 case NETLINK_DNRTMSG:
1250 return SECCLASS_NETLINK_DNRT_SOCKET;
1251 case NETLINK_KOBJECT_UEVENT:
1252 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1253 case NETLINK_GENERIC:
1254 return SECCLASS_NETLINK_GENERIC_SOCKET;
1255 case NETLINK_SCSITRANSPORT:
1256 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1258 return SECCLASS_NETLINK_RDMA_SOCKET;
1259 case NETLINK_CRYPTO:
1260 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1262 return SECCLASS_NETLINK_SOCKET;
1265 return SECCLASS_PACKET_SOCKET;
1267 return SECCLASS_KEY_SOCKET;
1269 return SECCLASS_APPLETALK_SOCKET;
1275 return SECCLASS_AX25_SOCKET;
1277 return SECCLASS_IPX_SOCKET;
1279 return SECCLASS_NETROM_SOCKET;
1281 return SECCLASS_ATMPVC_SOCKET;
1283 return SECCLASS_X25_SOCKET;
1285 return SECCLASS_ROSE_SOCKET;
1287 return SECCLASS_DECNET_SOCKET;
1289 return SECCLASS_ATMSVC_SOCKET;
1291 return SECCLASS_RDS_SOCKET;
1293 return SECCLASS_IRDA_SOCKET;
1295 return SECCLASS_PPPOX_SOCKET;
1297 return SECCLASS_LLC_SOCKET;
1299 return SECCLASS_CAN_SOCKET;
1301 return SECCLASS_TIPC_SOCKET;
1303 return SECCLASS_BLUETOOTH_SOCKET;
1305 return SECCLASS_IUCV_SOCKET;
1307 return SECCLASS_RXRPC_SOCKET;
1309 return SECCLASS_ISDN_SOCKET;
1311 return SECCLASS_PHONET_SOCKET;
1313 return SECCLASS_IEEE802154_SOCKET;
1315 return SECCLASS_CAIF_SOCKET;
1317 return SECCLASS_ALG_SOCKET;
1319 return SECCLASS_NFC_SOCKET;
1321 return SECCLASS_VSOCK_SOCKET;
1323 return SECCLASS_KCM_SOCKET;
1325 return SECCLASS_QIPCRTR_SOCKET;
1327 return SECCLASS_SMC_SOCKET;
1329 return SECCLASS_XDP_SOCKET;
1331 #error New address family defined, please update this function.
1336 return SECCLASS_SOCKET;
1339 static int selinux_genfs_get_sid(struct dentry *dentry,
1345 struct super_block *sb = dentry->d_sb;
1346 char *buffer, *path;
1348 buffer = (char *)__get_free_page(GFP_KERNEL);
1352 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1356 if (flags & SE_SBPROC) {
1357 /* each process gets a /proc/PID/ entry. Strip off the
1358 * PID part to get a valid selinux labeling.
1359 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1360 while (path[1] >= '0' && path[1] <= '9') {
1365 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1367 if (rc == -ENOENT) {
1368 /* No match in policy, mark as unlabeled. */
1369 *sid = SECINITSID_UNLABELED;
1373 free_page((unsigned long)buffer);
1377 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1378 u32 def_sid, u32 *sid)
1380 #define INITCONTEXTLEN 255
1385 len = INITCONTEXTLEN;
1386 context = kmalloc(len + 1, GFP_NOFS);
1390 context[len] = '\0';
1391 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1392 if (rc == -ERANGE) {
1395 /* Need a larger buffer. Query for the right size. */
1396 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1401 context = kmalloc(len + 1, GFP_NOFS);
1405 context[len] = '\0';
1406 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1411 if (rc != -ENODATA) {
1412 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1413 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1420 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1423 char *dev = inode->i_sb->s_id;
1424 unsigned long ino = inode->i_ino;
1426 if (rc == -EINVAL) {
1427 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1430 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1431 __func__, context, -rc, dev, ino);
1438 /* The inode's security attributes must be initialized before first use. */
1439 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1441 struct superblock_security_struct *sbsec = NULL;
1442 struct inode_security_struct *isec = selinux_inode(inode);
1443 u32 task_sid, sid = 0;
1445 struct dentry *dentry;
1448 if (isec->initialized == LABEL_INITIALIZED)
1451 spin_lock(&isec->lock);
1452 if (isec->initialized == LABEL_INITIALIZED)
1455 if (isec->sclass == SECCLASS_FILE)
1456 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1458 sbsec = inode->i_sb->s_security;
1459 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1460 /* Defer initialization until selinux_complete_init,
1461 after the initial policy is loaded and the security
1462 server is ready to handle calls. */
1463 spin_lock(&sbsec->isec_lock);
1464 if (list_empty(&isec->list))
1465 list_add(&isec->list, &sbsec->isec_head);
1466 spin_unlock(&sbsec->isec_lock);
1470 sclass = isec->sclass;
1471 task_sid = isec->task_sid;
1473 isec->initialized = LABEL_PENDING;
1474 spin_unlock(&isec->lock);
1476 switch (sbsec->behavior) {
1477 case SECURITY_FS_USE_NATIVE:
1479 case SECURITY_FS_USE_XATTR:
1480 if (!(inode->i_opflags & IOP_XATTR)) {
1481 sid = sbsec->def_sid;
1484 /* Need a dentry, since the xattr API requires one.
1485 Life would be simpler if we could just pass the inode. */
1487 /* Called from d_instantiate or d_splice_alias. */
1488 dentry = dget(opt_dentry);
1491 * Called from selinux_complete_init, try to find a dentry.
1492 * Some filesystems really want a connected one, so try
1493 * that first. We could split SECURITY_FS_USE_XATTR in
1494 * two, depending upon that...
1496 dentry = d_find_alias(inode);
1498 dentry = d_find_any_alias(inode);
1502 * this is can be hit on boot when a file is accessed
1503 * before the policy is loaded. When we load policy we
1504 * may find inodes that have no dentry on the
1505 * sbsec->isec_head list. No reason to complain as these
1506 * will get fixed up the next time we go through
1507 * inode_doinit with a dentry, before these inodes could
1508 * be used again by userspace.
1513 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1519 case SECURITY_FS_USE_TASK:
1522 case SECURITY_FS_USE_TRANS:
1523 /* Default to the fs SID. */
1526 /* Try to obtain a transition SID. */
1527 rc = security_transition_sid(&selinux_state, task_sid, sid,
1528 sclass, NULL, &sid);
1532 case SECURITY_FS_USE_MNTPOINT:
1533 sid = sbsec->mntpoint_sid;
1536 /* Default to the fs superblock SID. */
1539 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1540 /* We must have a dentry to determine the label on
1543 /* Called from d_instantiate or
1544 * d_splice_alias. */
1545 dentry = dget(opt_dentry);
1547 /* Called from selinux_complete_init, try to
1548 * find a dentry. Some filesystems really want
1549 * a connected one, so try that first.
1551 dentry = d_find_alias(inode);
1553 dentry = d_find_any_alias(inode);
1556 * This can be hit on boot when a file is accessed
1557 * before the policy is loaded. When we load policy we
1558 * may find inodes that have no dentry on the
1559 * sbsec->isec_head list. No reason to complain as
1560 * these will get fixed up the next time we go through
1561 * inode_doinit() with a dentry, before these inodes
1562 * could be used again by userspace.
1566 rc = selinux_genfs_get_sid(dentry, sclass,
1567 sbsec->flags, &sid);
1573 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1574 (inode->i_opflags & IOP_XATTR)) {
1575 rc = inode_doinit_use_xattr(inode, dentry,
1588 spin_lock(&isec->lock);
1589 if (isec->initialized == LABEL_PENDING) {
1591 isec->initialized = LABEL_INVALID;
1594 isec->initialized = LABEL_INITIALIZED;
1599 spin_unlock(&isec->lock);
1603 spin_lock(&isec->lock);
1604 if (isec->initialized == LABEL_PENDING) {
1605 isec->initialized = LABEL_INVALID;
1608 spin_unlock(&isec->lock);
1612 /* Convert a Linux signal to an access vector. */
1613 static inline u32 signal_to_av(int sig)
1619 /* Commonly granted from child to parent. */
1620 perm = PROCESS__SIGCHLD;
1623 /* Cannot be caught or ignored */
1624 perm = PROCESS__SIGKILL;
1627 /* Cannot be caught or ignored */
1628 perm = PROCESS__SIGSTOP;
1631 /* All other signals. */
1632 perm = PROCESS__SIGNAL;
1639 #if CAP_LAST_CAP > 63
1640 #error Fix SELinux to handle capabilities > 63.
1643 /* Check whether a task is allowed to use a capability. */
1644 static int cred_has_capability(const struct cred *cred,
1645 int cap, unsigned int opts, bool initns)
1647 struct common_audit_data ad;
1648 struct av_decision avd;
1650 u32 sid = cred_sid(cred);
1651 u32 av = CAP_TO_MASK(cap);
1654 ad.type = LSM_AUDIT_DATA_CAP;
1657 switch (CAP_TO_INDEX(cap)) {
1659 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1662 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1665 pr_err("SELinux: out of range capability %d\n", cap);
1670 rc = avc_has_perm_noaudit(&selinux_state,
1671 sid, sid, sclass, av, 0, &avd);
1672 if (!(opts & CAP_OPT_NOAUDIT)) {
1673 int rc2 = avc_audit(&selinux_state,
1674 sid, sid, sclass, av, &avd, rc, &ad, 0);
1681 /* Check whether a task has a particular permission to an inode.
1682 The 'adp' parameter is optional and allows other audit
1683 data to be passed (e.g. the dentry). */
1684 static int inode_has_perm(const struct cred *cred,
1685 struct inode *inode,
1687 struct common_audit_data *adp)
1689 struct inode_security_struct *isec;
1692 validate_creds(cred);
1694 if (unlikely(IS_PRIVATE(inode)))
1697 sid = cred_sid(cred);
1698 isec = selinux_inode(inode);
1700 return avc_has_perm(&selinux_state,
1701 sid, isec->sid, isec->sclass, perms, adp);
1704 /* Same as inode_has_perm, but pass explicit audit data containing
1705 the dentry to help the auditing code to more easily generate the
1706 pathname if needed. */
1707 static inline int dentry_has_perm(const struct cred *cred,
1708 struct dentry *dentry,
1711 struct inode *inode = d_backing_inode(dentry);
1712 struct common_audit_data ad;
1714 ad.type = LSM_AUDIT_DATA_DENTRY;
1715 ad.u.dentry = dentry;
1716 __inode_security_revalidate(inode, dentry, true);
1717 return inode_has_perm(cred, inode, av, &ad);
1720 /* Same as inode_has_perm, but pass explicit audit data containing
1721 the path to help the auditing code to more easily generate the
1722 pathname if needed. */
1723 static inline int path_has_perm(const struct cred *cred,
1724 const struct path *path,
1727 struct inode *inode = d_backing_inode(path->dentry);
1728 struct common_audit_data ad;
1730 ad.type = LSM_AUDIT_DATA_PATH;
1732 __inode_security_revalidate(inode, path->dentry, true);
1733 return inode_has_perm(cred, inode, av, &ad);
1736 /* Same as path_has_perm, but uses the inode from the file struct. */
1737 static inline int file_path_has_perm(const struct cred *cred,
1741 struct common_audit_data ad;
1743 ad.type = LSM_AUDIT_DATA_FILE;
1745 return inode_has_perm(cred, file_inode(file), av, &ad);
1748 #ifdef CONFIG_BPF_SYSCALL
1749 static int bpf_fd_pass(struct file *file, u32 sid);
1752 /* Check whether a task can use an open file descriptor to
1753 access an inode in a given way. Check access to the
1754 descriptor itself, and then use dentry_has_perm to
1755 check a particular permission to the file.
1756 Access to the descriptor is implicitly granted if it
1757 has the same SID as the process. If av is zero, then
1758 access to the file is not checked, e.g. for cases
1759 where only the descriptor is affected like seek. */
1760 static int file_has_perm(const struct cred *cred,
1764 struct file_security_struct *fsec = selinux_file(file);
1765 struct inode *inode = file_inode(file);
1766 struct common_audit_data ad;
1767 u32 sid = cred_sid(cred);
1770 ad.type = LSM_AUDIT_DATA_FILE;
1773 if (sid != fsec->sid) {
1774 rc = avc_has_perm(&selinux_state,
1783 #ifdef CONFIG_BPF_SYSCALL
1784 rc = bpf_fd_pass(file, cred_sid(cred));
1789 /* av is zero if only checking access to the descriptor. */
1792 rc = inode_has_perm(cred, inode, av, &ad);
1799 * Determine the label for an inode that might be unioned.
1802 selinux_determine_inode_label(const struct task_security_struct *tsec,
1804 const struct qstr *name, u16 tclass,
1807 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1809 if ((sbsec->flags & SE_SBINITIALIZED) &&
1810 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1811 *_new_isid = sbsec->mntpoint_sid;
1812 } else if ((sbsec->flags & SBLABEL_MNT) &&
1814 *_new_isid = tsec->create_sid;
1816 const struct inode_security_struct *dsec = inode_security(dir);
1817 return security_transition_sid(&selinux_state, tsec->sid,
1825 /* Check whether a task can create a file. */
1826 static int may_create(struct inode *dir,
1827 struct dentry *dentry,
1830 const struct task_security_struct *tsec = selinux_cred(current_cred());
1831 struct inode_security_struct *dsec;
1832 struct superblock_security_struct *sbsec;
1834 struct common_audit_data ad;
1837 dsec = inode_security(dir);
1838 sbsec = dir->i_sb->s_security;
1842 ad.type = LSM_AUDIT_DATA_DENTRY;
1843 ad.u.dentry = dentry;
1845 rc = avc_has_perm(&selinux_state,
1846 sid, dsec->sid, SECCLASS_DIR,
1847 DIR__ADD_NAME | DIR__SEARCH,
1852 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1853 &dentry->d_name, tclass, &newsid);
1857 rc = avc_has_perm(&selinux_state,
1858 sid, newsid, tclass, FILE__CREATE, &ad);
1862 return avc_has_perm(&selinux_state,
1864 SECCLASS_FILESYSTEM,
1865 FILESYSTEM__ASSOCIATE, &ad);
1869 #define MAY_UNLINK 1
1872 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1873 static int may_link(struct inode *dir,
1874 struct dentry *dentry,
1878 struct inode_security_struct *dsec, *isec;
1879 struct common_audit_data ad;
1880 u32 sid = current_sid();
1884 dsec = inode_security(dir);
1885 isec = backing_inode_security(dentry);
1887 ad.type = LSM_AUDIT_DATA_DENTRY;
1888 ad.u.dentry = dentry;
1891 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1892 rc = avc_has_perm(&selinux_state,
1893 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1908 pr_warn("SELinux: %s: unrecognized kind %d\n",
1913 rc = avc_has_perm(&selinux_state,
1914 sid, isec->sid, isec->sclass, av, &ad);
1918 static inline int may_rename(struct inode *old_dir,
1919 struct dentry *old_dentry,
1920 struct inode *new_dir,
1921 struct dentry *new_dentry)
1923 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1924 struct common_audit_data ad;
1925 u32 sid = current_sid();
1927 int old_is_dir, new_is_dir;
1930 old_dsec = inode_security(old_dir);
1931 old_isec = backing_inode_security(old_dentry);
1932 old_is_dir = d_is_dir(old_dentry);
1933 new_dsec = inode_security(new_dir);
1935 ad.type = LSM_AUDIT_DATA_DENTRY;
1937 ad.u.dentry = old_dentry;
1938 rc = avc_has_perm(&selinux_state,
1939 sid, old_dsec->sid, SECCLASS_DIR,
1940 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1943 rc = avc_has_perm(&selinux_state,
1945 old_isec->sclass, FILE__RENAME, &ad);
1948 if (old_is_dir && new_dir != old_dir) {
1949 rc = avc_has_perm(&selinux_state,
1951 old_isec->sclass, DIR__REPARENT, &ad);
1956 ad.u.dentry = new_dentry;
1957 av = DIR__ADD_NAME | DIR__SEARCH;
1958 if (d_is_positive(new_dentry))
1959 av |= DIR__REMOVE_NAME;
1960 rc = avc_has_perm(&selinux_state,
1961 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1964 if (d_is_positive(new_dentry)) {
1965 new_isec = backing_inode_security(new_dentry);
1966 new_is_dir = d_is_dir(new_dentry);
1967 rc = avc_has_perm(&selinux_state,
1970 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1978 /* Check whether a task can perform a filesystem operation. */
1979 static int superblock_has_perm(const struct cred *cred,
1980 struct super_block *sb,
1982 struct common_audit_data *ad)
1984 struct superblock_security_struct *sbsec;
1985 u32 sid = cred_sid(cred);
1987 sbsec = sb->s_security;
1988 return avc_has_perm(&selinux_state,
1989 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1992 /* Convert a Linux mode and permission mask to an access vector. */
1993 static inline u32 file_mask_to_av(int mode, int mask)
1997 if (!S_ISDIR(mode)) {
1998 if (mask & MAY_EXEC)
1999 av |= FILE__EXECUTE;
2000 if (mask & MAY_READ)
2003 if (mask & MAY_APPEND)
2005 else if (mask & MAY_WRITE)
2009 if (mask & MAY_EXEC)
2011 if (mask & MAY_WRITE)
2013 if (mask & MAY_READ)
2020 /* Convert a Linux file to an access vector. */
2021 static inline u32 file_to_av(struct file *file)
2025 if (file->f_mode & FMODE_READ)
2027 if (file->f_mode & FMODE_WRITE) {
2028 if (file->f_flags & O_APPEND)
2035 * Special file opened with flags 3 for ioctl-only use.
2044 * Convert a file to an access vector and include the correct open
2047 static inline u32 open_file_to_av(struct file *file)
2049 u32 av = file_to_av(file);
2050 struct inode *inode = file_inode(file);
2052 if (selinux_policycap_openperm() &&
2053 inode->i_sb->s_magic != SOCKFS_MAGIC)
2059 /* Hook functions begin here. */
2061 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2063 return avc_has_perm(&selinux_state,
2064 current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2065 BINDER__SET_CONTEXT_MGR, NULL);
2068 static int selinux_binder_transaction(const struct cred *from,
2069 const struct cred *to)
2071 u32 mysid = current_sid();
2072 u32 fromsid = cred_sid(from);
2073 u32 tosid = cred_sid(to);
2076 if (mysid != fromsid) {
2077 rc = avc_has_perm(&selinux_state,
2078 mysid, fromsid, SECCLASS_BINDER,
2079 BINDER__IMPERSONATE, NULL);
2084 return avc_has_perm(&selinux_state, fromsid, tosid,
2085 SECCLASS_BINDER, BINDER__CALL, NULL);
2088 static int selinux_binder_transfer_binder(const struct cred *from,
2089 const struct cred *to)
2091 return avc_has_perm(&selinux_state,
2092 cred_sid(from), cred_sid(to),
2093 SECCLASS_BINDER, BINDER__TRANSFER,
2097 static int selinux_binder_transfer_file(const struct cred *from,
2098 const struct cred *to,
2101 u32 sid = cred_sid(to);
2102 struct file_security_struct *fsec = selinux_file(file);
2103 struct dentry *dentry = file->f_path.dentry;
2104 struct inode_security_struct *isec;
2105 struct common_audit_data ad;
2108 ad.type = LSM_AUDIT_DATA_PATH;
2109 ad.u.path = file->f_path;
2111 if (sid != fsec->sid) {
2112 rc = avc_has_perm(&selinux_state,
2121 #ifdef CONFIG_BPF_SYSCALL
2122 rc = bpf_fd_pass(file, sid);
2127 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2130 isec = backing_inode_security(dentry);
2131 return avc_has_perm(&selinux_state,
2132 sid, isec->sid, isec->sclass, file_to_av(file),
2136 static int selinux_ptrace_access_check(struct task_struct *child,
2139 u32 sid = current_sid();
2140 u32 csid = task_sid(child);
2142 if (mode & PTRACE_MODE_READ)
2143 return avc_has_perm(&selinux_state,
2144 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2146 return avc_has_perm(&selinux_state,
2147 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2150 static int selinux_ptrace_traceme(struct task_struct *parent)
2152 return avc_has_perm(&selinux_state,
2153 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2154 PROCESS__PTRACE, NULL);
2157 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2158 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2160 return avc_has_perm(&selinux_state,
2161 current_sid(), task_sid(target), SECCLASS_PROCESS,
2162 PROCESS__GETCAP, NULL);
2165 static int selinux_capset(struct cred *new, const struct cred *old,
2166 const kernel_cap_t *effective,
2167 const kernel_cap_t *inheritable,
2168 const kernel_cap_t *permitted)
2170 return avc_has_perm(&selinux_state,
2171 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2172 PROCESS__SETCAP, NULL);
2176 * (This comment used to live with the selinux_task_setuid hook,
2177 * which was removed).
2179 * Since setuid only affects the current process, and since the SELinux
2180 * controls are not based on the Linux identity attributes, SELinux does not
2181 * need to control this operation. However, SELinux does control the use of
2182 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2185 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2186 int cap, unsigned int opts)
2188 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2191 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2193 const struct cred *cred = current_cred();
2205 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2210 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2213 rc = 0; /* let the kernel handle invalid cmds */
2219 static int selinux_quota_on(struct dentry *dentry)
2221 const struct cred *cred = current_cred();
2223 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2226 static int selinux_syslog(int type)
2229 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2230 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2231 return avc_has_perm(&selinux_state,
2232 current_sid(), SECINITSID_KERNEL,
2233 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2234 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2235 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2236 /* Set level of messages printed to console */
2237 case SYSLOG_ACTION_CONSOLE_LEVEL:
2238 return avc_has_perm(&selinux_state,
2239 current_sid(), SECINITSID_KERNEL,
2240 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2243 /* All other syslog types */
2244 return avc_has_perm(&selinux_state,
2245 current_sid(), SECINITSID_KERNEL,
2246 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2250 * Check that a process has enough memory to allocate a new virtual
2251 * mapping. 0 means there is enough memory for the allocation to
2252 * succeed and -ENOMEM implies there is not.
2254 * Do not audit the selinux permission check, as this is applied to all
2255 * processes that allocate mappings.
2257 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2259 int rc, cap_sys_admin = 0;
2261 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2262 CAP_OPT_NOAUDIT, true);
2266 return cap_sys_admin;
2269 /* binprm security operations */
2271 static u32 ptrace_parent_sid(void)
2274 struct task_struct *tracer;
2277 tracer = ptrace_parent(current);
2279 sid = task_sid(tracer);
2285 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2286 const struct task_security_struct *old_tsec,
2287 const struct task_security_struct *new_tsec)
2289 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2290 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2294 if (!nnp && !nosuid)
2295 return 0; /* neither NNP nor nosuid */
2297 if (new_tsec->sid == old_tsec->sid)
2298 return 0; /* No change in credentials */
2301 * If the policy enables the nnp_nosuid_transition policy capability,
2302 * then we permit transitions under NNP or nosuid if the
2303 * policy allows the corresponding permission between
2304 * the old and new contexts.
2306 if (selinux_policycap_nnp_nosuid_transition()) {
2309 av |= PROCESS2__NNP_TRANSITION;
2311 av |= PROCESS2__NOSUID_TRANSITION;
2312 rc = avc_has_perm(&selinux_state,
2313 old_tsec->sid, new_tsec->sid,
2314 SECCLASS_PROCESS2, av, NULL);
2320 * We also permit NNP or nosuid transitions to bounded SIDs,
2321 * i.e. SIDs that are guaranteed to only be allowed a subset
2322 * of the permissions of the current SID.
2324 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2330 * On failure, preserve the errno values for NNP vs nosuid.
2331 * NNP: Operation not permitted for caller.
2332 * nosuid: Permission denied to file.
2339 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2341 const struct task_security_struct *old_tsec;
2342 struct task_security_struct *new_tsec;
2343 struct inode_security_struct *isec;
2344 struct common_audit_data ad;
2345 struct inode *inode = file_inode(bprm->file);
2348 /* SELinux context only depends on initial program or script and not
2349 * the script interpreter */
2350 if (bprm->called_set_creds)
2353 old_tsec = selinux_cred(current_cred());
2354 new_tsec = selinux_cred(bprm->cred);
2355 isec = inode_security(inode);
2357 /* Default to the current task SID. */
2358 new_tsec->sid = old_tsec->sid;
2359 new_tsec->osid = old_tsec->sid;
2361 /* Reset fs, key, and sock SIDs on execve. */
2362 new_tsec->create_sid = 0;
2363 new_tsec->keycreate_sid = 0;
2364 new_tsec->sockcreate_sid = 0;
2366 if (old_tsec->exec_sid) {
2367 new_tsec->sid = old_tsec->exec_sid;
2368 /* Reset exec SID on execve. */
2369 new_tsec->exec_sid = 0;
2371 /* Fail on NNP or nosuid if not an allowed transition. */
2372 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2376 /* Check for a default transition on this program. */
2377 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2378 isec->sid, SECCLASS_PROCESS, NULL,
2384 * Fallback to old SID on NNP or nosuid if not an allowed
2387 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2389 new_tsec->sid = old_tsec->sid;
2392 ad.type = LSM_AUDIT_DATA_FILE;
2393 ad.u.file = bprm->file;
2395 if (new_tsec->sid == old_tsec->sid) {
2396 rc = avc_has_perm(&selinux_state,
2397 old_tsec->sid, isec->sid,
2398 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2402 /* Check permissions for the transition. */
2403 rc = avc_has_perm(&selinux_state,
2404 old_tsec->sid, new_tsec->sid,
2405 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2409 rc = avc_has_perm(&selinux_state,
2410 new_tsec->sid, isec->sid,
2411 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2415 /* Check for shared state */
2416 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2417 rc = avc_has_perm(&selinux_state,
2418 old_tsec->sid, new_tsec->sid,
2419 SECCLASS_PROCESS, PROCESS__SHARE,
2425 /* Make sure that anyone attempting to ptrace over a task that
2426 * changes its SID has the appropriate permit */
2427 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2428 u32 ptsid = ptrace_parent_sid();
2430 rc = avc_has_perm(&selinux_state,
2431 ptsid, new_tsec->sid,
2433 PROCESS__PTRACE, NULL);
2439 /* Clear any possibly unsafe personality bits on exec: */
2440 bprm->per_clear |= PER_CLEAR_ON_SETID;
2442 /* Enable secure mode for SIDs transitions unless
2443 the noatsecure permission is granted between
2444 the two SIDs, i.e. ahp returns 0. */
2445 rc = avc_has_perm(&selinux_state,
2446 old_tsec->sid, new_tsec->sid,
2447 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2449 bprm->secureexec |= !!rc;
2455 static int match_file(const void *p, struct file *file, unsigned fd)
2457 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2460 /* Derived from fs/exec.c:flush_old_files. */
2461 static inline void flush_unauthorized_files(const struct cred *cred,
2462 struct files_struct *files)
2464 struct file *file, *devnull = NULL;
2465 struct tty_struct *tty;
2469 tty = get_current_tty();
2471 spin_lock(&tty->files_lock);
2472 if (!list_empty(&tty->tty_files)) {
2473 struct tty_file_private *file_priv;
2475 /* Revalidate access to controlling tty.
2476 Use file_path_has_perm on the tty path directly
2477 rather than using file_has_perm, as this particular
2478 open file may belong to another process and we are
2479 only interested in the inode-based check here. */
2480 file_priv = list_first_entry(&tty->tty_files,
2481 struct tty_file_private, list);
2482 file = file_priv->file;
2483 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2486 spin_unlock(&tty->files_lock);
2489 /* Reset controlling tty. */
2493 /* Revalidate access to inherited open files. */
2494 n = iterate_fd(files, 0, match_file, cred);
2495 if (!n) /* none found? */
2498 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2499 if (IS_ERR(devnull))
2501 /* replace all the matching ones with this */
2503 replace_fd(n - 1, devnull, 0);
2504 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2510 * Prepare a process for imminent new credential changes due to exec
2512 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2514 struct task_security_struct *new_tsec;
2515 struct rlimit *rlim, *initrlim;
2518 new_tsec = selinux_cred(bprm->cred);
2519 if (new_tsec->sid == new_tsec->osid)
2522 /* Close files for which the new task SID is not authorized. */
2523 flush_unauthorized_files(bprm->cred, current->files);
2525 /* Always clear parent death signal on SID transitions. */
2526 current->pdeath_signal = 0;
2528 /* Check whether the new SID can inherit resource limits from the old
2529 * SID. If not, reset all soft limits to the lower of the current
2530 * task's hard limit and the init task's soft limit.
2532 * Note that the setting of hard limits (even to lower them) can be
2533 * controlled by the setrlimit check. The inclusion of the init task's
2534 * soft limit into the computation is to avoid resetting soft limits
2535 * higher than the default soft limit for cases where the default is
2536 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2538 rc = avc_has_perm(&selinux_state,
2539 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2540 PROCESS__RLIMITINH, NULL);
2542 /* protect against do_prlimit() */
2544 for (i = 0; i < RLIM_NLIMITS; i++) {
2545 rlim = current->signal->rlim + i;
2546 initrlim = init_task.signal->rlim + i;
2547 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2549 task_unlock(current);
2550 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2551 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2556 * Clean up the process immediately after the installation of new credentials
2559 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2561 const struct task_security_struct *tsec = selinux_cred(current_cred());
2562 struct itimerval itimer;
2572 /* Check whether the new SID can inherit signal state from the old SID.
2573 * If not, clear itimers to avoid subsequent signal generation and
2574 * flush and unblock signals.
2576 * This must occur _after_ the task SID has been updated so that any
2577 * kill done after the flush will be checked against the new SID.
2579 rc = avc_has_perm(&selinux_state,
2580 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2582 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2583 memset(&itimer, 0, sizeof itimer);
2584 for (i = 0; i < 3; i++)
2585 do_setitimer(i, &itimer, NULL);
2587 spin_lock_irq(¤t->sighand->siglock);
2588 if (!fatal_signal_pending(current)) {
2589 flush_sigqueue(¤t->pending);
2590 flush_sigqueue(¤t->signal->shared_pending);
2591 flush_signal_handlers(current, 1);
2592 sigemptyset(¤t->blocked);
2593 recalc_sigpending();
2595 spin_unlock_irq(¤t->sighand->siglock);
2598 /* Wake up the parent if it is waiting so that it can recheck
2599 * wait permission to the new task SID. */
2600 read_lock(&tasklist_lock);
2601 __wake_up_parent(current, current->real_parent);
2602 read_unlock(&tasklist_lock);
2605 /* superblock security operations */
2607 static int selinux_sb_alloc_security(struct super_block *sb)
2609 return superblock_alloc_security(sb);
2612 static void selinux_sb_free_security(struct super_block *sb)
2614 superblock_free_security(sb);
2617 static inline int opt_len(const char *s)
2619 bool open_quote = false;
2623 for (len = 0; (c = s[len]) != '\0'; len++) {
2625 open_quote = !open_quote;
2626 if (c == ',' && !open_quote)
2632 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2634 char *from = options;
2640 int len = opt_len(from);
2644 token = match_opt_prefix(from, len, &arg);
2646 if (token != Opt_error) {
2651 for (p = q = arg; p < from + len; p++) {
2656 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2662 rc = selinux_add_opt(token, arg, mnt_opts);
2668 if (!first) { // copy with preceding comma
2673 memmove(to, from, len);
2686 selinux_free_mnt_opts(*mnt_opts);
2692 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2694 struct selinux_mnt_opts *opts = mnt_opts;
2695 struct superblock_security_struct *sbsec = sb->s_security;
2699 if (!(sbsec->flags & SE_SBINITIALIZED))
2705 if (opts->fscontext) {
2706 rc = parse_sid(sb, opts->fscontext, &sid);
2709 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2710 goto out_bad_option;
2712 if (opts->context) {
2713 rc = parse_sid(sb, opts->context, &sid);
2716 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2717 goto out_bad_option;
2719 if (opts->rootcontext) {
2720 struct inode_security_struct *root_isec;
2721 root_isec = backing_inode_security(sb->s_root);
2722 rc = parse_sid(sb, opts->rootcontext, &sid);
2725 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2726 goto out_bad_option;
2728 if (opts->defcontext) {
2729 rc = parse_sid(sb, opts->defcontext, &sid);
2732 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2733 goto out_bad_option;
2738 pr_warn("SELinux: unable to change security options "
2739 "during remount (dev %s, type=%s)\n", sb->s_id,
2744 static int selinux_sb_kern_mount(struct super_block *sb)
2746 const struct cred *cred = current_cred();
2747 struct common_audit_data ad;
2749 ad.type = LSM_AUDIT_DATA_DENTRY;
2750 ad.u.dentry = sb->s_root;
2751 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2754 static int selinux_sb_statfs(struct dentry *dentry)
2756 const struct cred *cred = current_cred();
2757 struct common_audit_data ad;
2759 ad.type = LSM_AUDIT_DATA_DENTRY;
2760 ad.u.dentry = dentry->d_sb->s_root;
2761 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2764 static int selinux_mount(const char *dev_name,
2765 const struct path *path,
2767 unsigned long flags,
2770 const struct cred *cred = current_cred();
2772 if (flags & MS_REMOUNT)
2773 return superblock_has_perm(cred, path->dentry->d_sb,
2774 FILESYSTEM__REMOUNT, NULL);
2776 return path_has_perm(cred, path, FILE__MOUNTON);
2779 static int selinux_move_mount(const struct path *from_path,
2780 const struct path *to_path)
2782 const struct cred *cred = current_cred();
2784 return path_has_perm(cred, to_path, FILE__MOUNTON);
2787 static int selinux_umount(struct vfsmount *mnt, int flags)
2789 const struct cred *cred = current_cred();
2791 return superblock_has_perm(cred, mnt->mnt_sb,
2792 FILESYSTEM__UNMOUNT, NULL);
2795 static int selinux_fs_context_dup(struct fs_context *fc,
2796 struct fs_context *src_fc)
2798 const struct selinux_mnt_opts *src = src_fc->security;
2799 struct selinux_mnt_opts *opts;
2804 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2808 opts = fc->security;
2810 if (src->fscontext) {
2811 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2812 if (!opts->fscontext)
2816 opts->context = kstrdup(src->context, GFP_KERNEL);
2820 if (src->rootcontext) {
2821 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2822 if (!opts->rootcontext)
2825 if (src->defcontext) {
2826 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2827 if (!opts->defcontext)
2833 static const struct fs_parameter_spec selinux_param_specs[] = {
2834 fsparam_string(CONTEXT_STR, Opt_context),
2835 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2836 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2837 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2838 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2842 static const struct fs_parameter_description selinux_fs_parameters = {
2844 .specs = selinux_param_specs,
2847 static int selinux_fs_context_parse_param(struct fs_context *fc,
2848 struct fs_parameter *param)
2850 struct fs_parse_result result;
2853 opt = fs_parse(fc, &selinux_fs_parameters, param, &result);
2857 rc = selinux_add_opt(opt, param->string, &fc->security);
2859 param->string = NULL;
2864 /* inode security operations */
2866 static int selinux_inode_alloc_security(struct inode *inode)
2868 return inode_alloc_security(inode);
2871 static void selinux_inode_free_security(struct inode *inode)
2873 inode_free_security(inode);
2876 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2877 const struct qstr *name, void **ctx,
2883 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2884 d_inode(dentry->d_parent), name,
2885 inode_mode_to_security_class(mode),
2890 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2894 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2896 const struct cred *old,
2901 struct task_security_struct *tsec;
2903 rc = selinux_determine_inode_label(selinux_cred(old),
2904 d_inode(dentry->d_parent), name,
2905 inode_mode_to_security_class(mode),
2910 tsec = selinux_cred(new);
2911 tsec->create_sid = newsid;
2915 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2916 const struct qstr *qstr,
2918 void **value, size_t *len)
2920 const struct task_security_struct *tsec = selinux_cred(current_cred());
2921 struct superblock_security_struct *sbsec;
2926 sbsec = dir->i_sb->s_security;
2928 newsid = tsec->create_sid;
2930 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2932 inode_mode_to_security_class(inode->i_mode),
2937 /* Possibly defer initialization to selinux_complete_init. */
2938 if (sbsec->flags & SE_SBINITIALIZED) {
2939 struct inode_security_struct *isec = selinux_inode(inode);
2940 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2942 isec->initialized = LABEL_INITIALIZED;
2945 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2949 *name = XATTR_SELINUX_SUFFIX;
2952 rc = security_sid_to_context_force(&selinux_state, newsid,
2963 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2965 return may_create(dir, dentry, SECCLASS_FILE);
2968 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2970 return may_link(dir, old_dentry, MAY_LINK);
2973 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2975 return may_link(dir, dentry, MAY_UNLINK);
2978 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2980 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2983 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2985 return may_create(dir, dentry, SECCLASS_DIR);
2988 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2990 return may_link(dir, dentry, MAY_RMDIR);
2993 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2995 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2998 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2999 struct inode *new_inode, struct dentry *new_dentry)
3001 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3004 static int selinux_inode_readlink(struct dentry *dentry)
3006 const struct cred *cred = current_cred();
3008 return dentry_has_perm(cred, dentry, FILE__READ);
3011 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3014 const struct cred *cred = current_cred();
3015 struct common_audit_data ad;
3016 struct inode_security_struct *isec;
3019 validate_creds(cred);
3021 ad.type = LSM_AUDIT_DATA_DENTRY;
3022 ad.u.dentry = dentry;
3023 sid = cred_sid(cred);
3024 isec = inode_security_rcu(inode, rcu);
3026 return PTR_ERR(isec);
3028 return avc_has_perm_flags(&selinux_state,
3029 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3030 rcu ? MAY_NOT_BLOCK : 0);
3033 static noinline int audit_inode_permission(struct inode *inode,
3034 u32 perms, u32 audited, u32 denied,
3037 struct common_audit_data ad;
3038 struct inode_security_struct *isec = selinux_inode(inode);
3041 ad.type = LSM_AUDIT_DATA_INODE;
3044 rc = slow_avc_audit(&selinux_state,
3045 current_sid(), isec->sid, isec->sclass, perms,
3046 audited, denied, result, &ad);
3052 static int selinux_inode_permission(struct inode *inode, int mask)
3054 const struct cred *cred = current_cred();
3057 unsigned flags = mask & MAY_NOT_BLOCK;
3058 struct inode_security_struct *isec;
3060 struct av_decision avd;
3062 u32 audited, denied;
3064 from_access = mask & MAY_ACCESS;
3065 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3067 /* No permission to check. Existence test. */
3071 validate_creds(cred);
3073 if (unlikely(IS_PRIVATE(inode)))
3076 perms = file_mask_to_av(inode->i_mode, mask);
3078 sid = cred_sid(cred);
3079 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3081 return PTR_ERR(isec);
3083 rc = avc_has_perm_noaudit(&selinux_state,
3084 sid, isec->sid, isec->sclass, perms,
3085 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3087 audited = avc_audit_required(perms, &avd, rc,
3088 from_access ? FILE__AUDIT_ACCESS : 0,
3090 if (likely(!audited))
3093 /* fall back to ref-walk if we have to generate audit */
3094 if (flags & MAY_NOT_BLOCK)
3097 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3103 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3105 const struct cred *cred = current_cred();
3106 struct inode *inode = d_backing_inode(dentry);
3107 unsigned int ia_valid = iattr->ia_valid;
3108 __u32 av = FILE__WRITE;
3110 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3111 if (ia_valid & ATTR_FORCE) {
3112 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3118 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3119 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3120 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3122 if (selinux_policycap_openperm() &&
3123 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3124 (ia_valid & ATTR_SIZE) &&
3125 !(ia_valid & ATTR_FILE))
3128 return dentry_has_perm(cred, dentry, av);
3131 static int selinux_inode_getattr(const struct path *path)
3133 return path_has_perm(current_cred(), path, FILE__GETATTR);
3136 static bool has_cap_mac_admin(bool audit)
3138 const struct cred *cred = current_cred();
3139 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3141 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3143 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3148 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3149 const void *value, size_t size, int flags)
3151 struct inode *inode = d_backing_inode(dentry);
3152 struct inode_security_struct *isec;
3153 struct superblock_security_struct *sbsec;
3154 struct common_audit_data ad;
3155 u32 newsid, sid = current_sid();
3158 if (strcmp(name, XATTR_NAME_SELINUX)) {
3159 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3163 /* Not an attribute we recognize, so just check the
3164 ordinary setattr permission. */
3165 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3168 if (!selinux_state.initialized)
3169 return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3171 sbsec = inode->i_sb->s_security;
3172 if (!(sbsec->flags & SBLABEL_MNT))
3175 if (!inode_owner_or_capable(inode))
3178 ad.type = LSM_AUDIT_DATA_DENTRY;
3179 ad.u.dentry = dentry;
3181 isec = backing_inode_security(dentry);
3182 rc = avc_has_perm(&selinux_state,
3183 sid, isec->sid, isec->sclass,
3184 FILE__RELABELFROM, &ad);
3188 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3190 if (rc == -EINVAL) {
3191 if (!has_cap_mac_admin(true)) {
3192 struct audit_buffer *ab;
3195 /* We strip a nul only if it is at the end, otherwise the
3196 * context contains a nul and we should audit that */
3198 const char *str = value;
3200 if (str[size - 1] == '\0')
3201 audit_size = size - 1;
3207 ab = audit_log_start(audit_context(),
3208 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3209 audit_log_format(ab, "op=setxattr invalid_context=");
3210 audit_log_n_untrustedstring(ab, value, audit_size);
3215 rc = security_context_to_sid_force(&selinux_state, value,
3221 rc = avc_has_perm(&selinux_state,
3222 sid, newsid, isec->sclass,
3223 FILE__RELABELTO, &ad);
3227 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3232 return avc_has_perm(&selinux_state,
3235 SECCLASS_FILESYSTEM,
3236 FILESYSTEM__ASSOCIATE,
3240 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3241 const void *value, size_t size,
3244 struct inode *inode = d_backing_inode(dentry);
3245 struct inode_security_struct *isec;
3249 if (strcmp(name, XATTR_NAME_SELINUX)) {
3250 /* Not an attribute we recognize, so nothing to do. */
3254 if (!selinux_state.initialized) {
3255 /* If we haven't even been initialized, then we can't validate
3256 * against a policy, so leave the label as invalid. It may
3257 * resolve to a valid label on the next revalidation try if
3258 * we've since initialized.
3263 rc = security_context_to_sid_force(&selinux_state, value, size,
3266 pr_err("SELinux: unable to map context to SID"
3267 "for (%s, %lu), rc=%d\n",
3268 inode->i_sb->s_id, inode->i_ino, -rc);
3272 isec = backing_inode_security(dentry);
3273 spin_lock(&isec->lock);
3274 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3276 isec->initialized = LABEL_INITIALIZED;
3277 spin_unlock(&isec->lock);
3282 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3284 const struct cred *cred = current_cred();
3286 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3289 static int selinux_inode_listxattr(struct dentry *dentry)
3291 const struct cred *cred = current_cred();
3293 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3296 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3298 if (strcmp(name, XATTR_NAME_SELINUX)) {
3299 int rc = cap_inode_removexattr(dentry, name);
3303 /* Not an attribute we recognize, so just check the
3304 ordinary setattr permission. */
3305 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3308 /* No one is allowed to remove a SELinux security label.
3309 You can change the label, but all data must be labeled. */
3313 static int selinux_path_notify(const struct path *path, u64 mask,
3314 unsigned int obj_type)
3319 struct common_audit_data ad;
3321 ad.type = LSM_AUDIT_DATA_PATH;
3325 * Set permission needed based on the type of mark being set.
3326 * Performs an additional check for sb watches.
3329 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3330 perm = FILE__WATCH_MOUNT;
3332 case FSNOTIFY_OBJ_TYPE_SB:
3333 perm = FILE__WATCH_SB;
3334 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3335 FILESYSTEM__WATCH, &ad);
3339 case FSNOTIFY_OBJ_TYPE_INODE:
3346 /* blocking watches require the file:watch_with_perm permission */
3347 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3348 perm |= FILE__WATCH_WITH_PERM;
3350 /* watches on read-like events need the file:watch_reads permission */
3351 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3352 perm |= FILE__WATCH_READS;
3354 return path_has_perm(current_cred(), path, perm);
3358 * Copy the inode security context value to the user.
3360 * Permission check is handled by selinux_inode_getxattr hook.
3362 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3366 char *context = NULL;
3367 struct inode_security_struct *isec;
3369 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3373 * If the caller has CAP_MAC_ADMIN, then get the raw context
3374 * value even if it is not defined by current policy; otherwise,
3375 * use the in-core value under current policy.
3376 * Use the non-auditing forms of the permission checks since
3377 * getxattr may be called by unprivileged processes commonly
3378 * and lack of permission just means that we fall back to the
3379 * in-core context value, not a denial.
3381 isec = inode_security(inode);
3382 if (has_cap_mac_admin(false))
3383 error = security_sid_to_context_force(&selinux_state,
3384 isec->sid, &context,
3387 error = security_sid_to_context(&selinux_state, isec->sid,
3401 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3402 const void *value, size_t size, int flags)
3404 struct inode_security_struct *isec = inode_security_novalidate(inode);
3405 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3409 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3412 if (!(sbsec->flags & SBLABEL_MNT))
3415 if (!value || !size)
3418 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3423 spin_lock(&isec->lock);
3424 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3426 isec->initialized = LABEL_INITIALIZED;
3427 spin_unlock(&isec->lock);
3431 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3433 const int len = sizeof(XATTR_NAME_SELINUX);
3434 if (buffer && len <= buffer_size)
3435 memcpy(buffer, XATTR_NAME_SELINUX, len);
3439 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3441 struct inode_security_struct *isec = inode_security_novalidate(inode);
3445 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3448 struct task_security_struct *tsec;
3449 struct cred *new_creds = *new;
3451 if (new_creds == NULL) {
3452 new_creds = prepare_creds();
3457 tsec = selinux_cred(new_creds);
3458 /* Get label from overlay inode and set it in create_sid */
3459 selinux_inode_getsecid(d_inode(src), &sid);
3460 tsec->create_sid = sid;
3465 static int selinux_inode_copy_up_xattr(const char *name)
3467 /* The copy_up hook above sets the initial context on an inode, but we
3468 * don't then want to overwrite it by blindly copying all the lower
3469 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3471 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3472 return 1; /* Discard */
3474 * Any other attribute apart from SELINUX is not claimed, supported
3480 /* kernfs node operations */
3482 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3483 struct kernfs_node *kn)
3485 const struct task_security_struct *tsec = selinux_cred(current_cred());
3486 u32 parent_sid, newsid, clen;
3490 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3497 context = kmalloc(clen, GFP_KERNEL);
3501 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3507 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3513 if (tsec->create_sid) {
3514 newsid = tsec->create_sid;
3516 u16 secclass = inode_mode_to_security_class(kn->mode);
3520 q.hash_len = hashlen_string(kn_dir, kn->name);
3522 rc = security_transition_sid(&selinux_state, tsec->sid,
3523 parent_sid, secclass, &q,
3529 rc = security_sid_to_context_force(&selinux_state, newsid,
3534 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3541 /* file security operations */
3543 static int selinux_revalidate_file_permission(struct file *file, int mask)
3545 const struct cred *cred = current_cred();
3546 struct inode *inode = file_inode(file);
3548 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3549 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3552 return file_has_perm(cred, file,
3553 file_mask_to_av(inode->i_mode, mask));
3556 static int selinux_file_permission(struct file *file, int mask)
3558 struct inode *inode = file_inode(file);
3559 struct file_security_struct *fsec = selinux_file(file);
3560 struct inode_security_struct *isec;
3561 u32 sid = current_sid();
3564 /* No permission to check. Existence test. */
3567 isec = inode_security(inode);
3568 if (sid == fsec->sid && fsec->isid == isec->sid &&
3569 fsec->pseqno == avc_policy_seqno(&selinux_state))
3570 /* No change since file_open check. */
3573 return selinux_revalidate_file_permission(file, mask);
3576 static int selinux_file_alloc_security(struct file *file)
3578 return file_alloc_security(file);
3582 * Check whether a task has the ioctl permission and cmd
3583 * operation to an inode.
3585 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3586 u32 requested, u16 cmd)
3588 struct common_audit_data ad;
3589 struct file_security_struct *fsec = selinux_file(file);
3590 struct inode *inode = file_inode(file);
3591 struct inode_security_struct *isec;
3592 struct lsm_ioctlop_audit ioctl;
3593 u32 ssid = cred_sid(cred);
3595 u8 driver = cmd >> 8;
3596 u8 xperm = cmd & 0xff;
3598 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3601 ad.u.op->path = file->f_path;
3603 if (ssid != fsec->sid) {
3604 rc = avc_has_perm(&selinux_state,
3613 if (unlikely(IS_PRIVATE(inode)))
3616 isec = inode_security(inode);
3617 rc = avc_has_extended_perms(&selinux_state,
3618 ssid, isec->sid, isec->sclass,
3619 requested, driver, xperm, &ad);
3624 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3627 const struct cred *cred = current_cred();
3637 case FS_IOC_GETFLAGS:
3639 case FS_IOC_GETVERSION:
3640 error = file_has_perm(cred, file, FILE__GETATTR);
3643 case FS_IOC_SETFLAGS:
3645 case FS_IOC_SETVERSION:
3646 error = file_has_perm(cred, file, FILE__SETATTR);
3649 /* sys_ioctl() checks */
3653 error = file_has_perm(cred, file, 0);
3658 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3659 CAP_OPT_NONE, true);
3662 /* default case assumes that the command will go
3663 * to the file's ioctl() function.
3666 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3671 static int default_noexec;
3673 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3675 const struct cred *cred = current_cred();
3676 u32 sid = cred_sid(cred);
3679 if (default_noexec &&
3680 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3681 (!shared && (prot & PROT_WRITE)))) {
3683 * We are making executable an anonymous mapping or a
3684 * private file mapping that will also be writable.
3685 * This has an additional check.
3687 rc = avc_has_perm(&selinux_state,
3688 sid, sid, SECCLASS_PROCESS,
3689 PROCESS__EXECMEM, NULL);
3695 /* read access is always possible with a mapping */
3696 u32 av = FILE__READ;
3698 /* write access only matters if the mapping is shared */
3699 if (shared && (prot & PROT_WRITE))
3702 if (prot & PROT_EXEC)
3703 av |= FILE__EXECUTE;
3705 return file_has_perm(cred, file, av);
3712 static int selinux_mmap_addr(unsigned long addr)
3716 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3717 u32 sid = current_sid();
3718 rc = avc_has_perm(&selinux_state,
3719 sid, sid, SECCLASS_MEMPROTECT,
3720 MEMPROTECT__MMAP_ZERO, NULL);
3726 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3727 unsigned long prot, unsigned long flags)
3729 struct common_audit_data ad;
3733 ad.type = LSM_AUDIT_DATA_FILE;
3735 rc = inode_has_perm(current_cred(), file_inode(file),
3741 if (selinux_state.checkreqprot)
3744 return file_map_prot_check(file, prot,
3745 (flags & MAP_TYPE) == MAP_SHARED);
3748 static int selinux_file_mprotect(struct vm_area_struct *vma,
3749 unsigned long reqprot,
3752 const struct cred *cred = current_cred();
3753 u32 sid = cred_sid(cred);
3755 if (selinux_state.checkreqprot)
3758 if (default_noexec &&
3759 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3761 if (vma->vm_start >= vma->vm_mm->start_brk &&
3762 vma->vm_end <= vma->vm_mm->brk) {
3763 rc = avc_has_perm(&selinux_state,
3764 sid, sid, SECCLASS_PROCESS,
3765 PROCESS__EXECHEAP, NULL);
3766 } else if (!vma->vm_file &&
3767 ((vma->vm_start <= vma->vm_mm->start_stack &&
3768 vma->vm_end >= vma->vm_mm->start_stack) ||
3769 vma_is_stack_for_current(vma))) {
3770 rc = avc_has_perm(&selinux_state,
3771 sid, sid, SECCLASS_PROCESS,
3772 PROCESS__EXECSTACK, NULL);
3773 } else if (vma->vm_file && vma->anon_vma) {
3775 * We are making executable a file mapping that has
3776 * had some COW done. Since pages might have been
3777 * written, check ability to execute the possibly
3778 * modified content. This typically should only
3779 * occur for text relocations.
3781 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3787 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3790 static int selinux_file_lock(struct file *file, unsigned int cmd)
3792 const struct cred *cred = current_cred();
3794 return file_has_perm(cred, file, FILE__LOCK);
3797 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3800 const struct cred *cred = current_cred();
3805 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3806 err = file_has_perm(cred, file, FILE__WRITE);
3815 case F_GETOWNER_UIDS:
3816 /* Just check FD__USE permission */
3817 err = file_has_perm(cred, file, 0);
3825 #if BITS_PER_LONG == 32
3830 err = file_has_perm(cred, file, FILE__LOCK);
3837 static void selinux_file_set_fowner(struct file *file)
3839 struct file_security_struct *fsec;
3841 fsec = selinux_file(file);
3842 fsec->fown_sid = current_sid();
3845 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3846 struct fown_struct *fown, int signum)
3849 u32 sid = task_sid(tsk);
3851 struct file_security_struct *fsec;
3853 /* struct fown_struct is never outside the context of a struct file */
3854 file = container_of(fown, struct file, f_owner);
3856 fsec = selinux_file(file);
3859 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3861 perm = signal_to_av(signum);
3863 return avc_has_perm(&selinux_state,
3864 fsec->fown_sid, sid,
3865 SECCLASS_PROCESS, perm, NULL);
3868 static int selinux_file_receive(struct file *file)
3870 const struct cred *cred = current_cred();
3872 return file_has_perm(cred, file, file_to_av(file));
3875 static int selinux_file_open(struct file *file)
3877 struct file_security_struct *fsec;
3878 struct inode_security_struct *isec;
3880 fsec = selinux_file(file);
3881 isec = inode_security(file_inode(file));
3883 * Save inode label and policy sequence number
3884 * at open-time so that selinux_file_permission
3885 * can determine whether revalidation is necessary.
3886 * Task label is already saved in the file security
3887 * struct as its SID.
3889 fsec->isid = isec->sid;
3890 fsec->pseqno = avc_policy_seqno(&selinux_state);
3892 * Since the inode label or policy seqno may have changed
3893 * between the selinux_inode_permission check and the saving
3894 * of state above, recheck that access is still permitted.
3895 * Otherwise, access might never be revalidated against the
3896 * new inode label or new policy.
3897 * This check is not redundant - do not remove.
3899 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3902 /* task security operations */
3904 static int selinux_task_alloc(struct task_struct *task,
3905 unsigned long clone_flags)
3907 u32 sid = current_sid();
3909 return avc_has_perm(&selinux_state,
3910 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3914 * prepare a new set of credentials for modification
3916 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3919 const struct task_security_struct *old_tsec = selinux_cred(old);
3920 struct task_security_struct *tsec = selinux_cred(new);
3927 * transfer the SELinux data to a blank set of creds
3929 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3931 const struct task_security_struct *old_tsec = selinux_cred(old);
3932 struct task_security_struct *tsec = selinux_cred(new);
3937 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3939 *secid = cred_sid(c);
3943 * set the security data for a kernel service
3944 * - all the creation contexts are set to unlabelled
3946 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3948 struct task_security_struct *tsec = selinux_cred(new);
3949 u32 sid = current_sid();
3952 ret = avc_has_perm(&selinux_state,
3954 SECCLASS_KERNEL_SERVICE,
3955 KERNEL_SERVICE__USE_AS_OVERRIDE,
3959 tsec->create_sid = 0;
3960 tsec->keycreate_sid = 0;
3961 tsec->sockcreate_sid = 0;
3967 * set the file creation context in a security record to the same as the
3968 * objective context of the specified inode
3970 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3972 struct inode_security_struct *isec = inode_security(inode);
3973 struct task_security_struct *tsec = selinux_cred(new);
3974 u32 sid = current_sid();
3977 ret = avc_has_perm(&selinux_state,
3979 SECCLASS_KERNEL_SERVICE,
3980 KERNEL_SERVICE__CREATE_FILES_AS,
3984 tsec->create_sid = isec->sid;
3988 static int selinux_kernel_module_request(char *kmod_name)
3990 struct common_audit_data ad;
3992 ad.type = LSM_AUDIT_DATA_KMOD;
3993 ad.u.kmod_name = kmod_name;
3995 return avc_has_perm(&selinux_state,
3996 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3997 SYSTEM__MODULE_REQUEST, &ad);
4000 static int selinux_kernel_module_from_file(struct file *file)
4002 struct common_audit_data ad;
4003 struct inode_security_struct *isec;
4004 struct file_security_struct *fsec;
4005 u32 sid = current_sid();
4010 return avc_has_perm(&selinux_state,
4011 sid, sid, SECCLASS_SYSTEM,
4012 SYSTEM__MODULE_LOAD, NULL);
4016 ad.type = LSM_AUDIT_DATA_FILE;
4019 fsec = selinux_file(file);
4020 if (sid != fsec->sid) {
4021 rc = avc_has_perm(&selinux_state,
4022 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4027 isec = inode_security(file_inode(file));
4028 return avc_has_perm(&selinux_state,
4029 sid, isec->sid, SECCLASS_SYSTEM,
4030 SYSTEM__MODULE_LOAD, &ad);
4033 static int selinux_kernel_read_file(struct file *file,
4034 enum kernel_read_file_id id)
4039 case READING_MODULE:
4040 rc = selinux_kernel_module_from_file(file);
4049 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4054 case LOADING_MODULE:
4055 rc = selinux_kernel_module_from_file(NULL);
4063 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4065 return avc_has_perm(&selinux_state,
4066 current_sid(), task_sid(p), SECCLASS_PROCESS,
4067 PROCESS__SETPGID, NULL);
4070 static int selinux_task_getpgid(struct task_struct *p)
4072 return avc_has_perm(&selinux_state,
4073 current_sid(), task_sid(p), SECCLASS_PROCESS,
4074 PROCESS__GETPGID, NULL);
4077 static int selinux_task_getsid(struct task_struct *p)
4079 return avc_has_perm(&selinux_state,
4080 current_sid(), task_sid(p), SECCLASS_PROCESS,
4081 PROCESS__GETSESSION, NULL);
4084 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4086 *secid = task_sid(p);
4089 static int selinux_task_setnice(struct task_struct *p, int nice)
4091 return avc_has_perm(&selinux_state,
4092 current_sid(), task_sid(p), SECCLASS_PROCESS,
4093 PROCESS__SETSCHED, NULL);
4096 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4098 return avc_has_perm(&selinux_state,
4099 current_sid(), task_sid(p), SECCLASS_PROCESS,
4100 PROCESS__SETSCHED, NULL);
4103 static int selinux_task_getioprio(struct task_struct *p)
4105 return avc_has_perm(&selinux_state,
4106 current_sid(), task_sid(p), SECCLASS_PROCESS,
4107 PROCESS__GETSCHED, NULL);
4110 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4117 if (flags & LSM_PRLIMIT_WRITE)
4118 av |= PROCESS__SETRLIMIT;
4119 if (flags & LSM_PRLIMIT_READ)
4120 av |= PROCESS__GETRLIMIT;
4121 return avc_has_perm(&selinux_state,
4122 cred_sid(cred), cred_sid(tcred),
4123 SECCLASS_PROCESS, av, NULL);
4126 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4127 struct rlimit *new_rlim)
4129 struct rlimit *old_rlim = p->signal->rlim + resource;
4131 /* Control the ability to change the hard limit (whether
4132 lowering or raising it), so that the hard limit can
4133 later be used as a safe reset point for the soft limit
4134 upon context transitions. See selinux_bprm_committing_creds. */
4135 if (old_rlim->rlim_max != new_rlim->rlim_max)
4136 return avc_has_perm(&selinux_state,
4137 current_sid(), task_sid(p),
4138 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4143 static int selinux_task_setscheduler(struct task_struct *p)
4145 return avc_has_perm(&selinux_state,
4146 current_sid(), task_sid(p), SECCLASS_PROCESS,
4147 PROCESS__SETSCHED, NULL);
4150 static int selinux_task_getscheduler(struct task_struct *p)
4152 return avc_has_perm(&selinux_state,
4153 current_sid(), task_sid(p), SECCLASS_PROCESS,
4154 PROCESS__GETSCHED, NULL);
4157 static int selinux_task_movememory(struct task_struct *p)
4159 return avc_has_perm(&selinux_state,
4160 current_sid(), task_sid(p), SECCLASS_PROCESS,
4161 PROCESS__SETSCHED, NULL);
4164 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4165 int sig, const struct cred *cred)
4171 perm = PROCESS__SIGNULL; /* null signal; existence test */
4173 perm = signal_to_av(sig);
4175 secid = current_sid();
4177 secid = cred_sid(cred);
4178 return avc_has_perm(&selinux_state,
4179 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4182 static void selinux_task_to_inode(struct task_struct *p,
4183 struct inode *inode)
4185 struct inode_security_struct *isec = selinux_inode(inode);
4186 u32 sid = task_sid(p);
4188 spin_lock(&isec->lock);
4189 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4191 isec->initialized = LABEL_INITIALIZED;
4192 spin_unlock(&isec->lock);
4195 /* Returns error only if unable to parse addresses */
4196 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4197 struct common_audit_data *ad, u8 *proto)
4199 int offset, ihlen, ret = -EINVAL;
4200 struct iphdr _iph, *ih;
4202 offset = skb_network_offset(skb);
4203 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4207 ihlen = ih->ihl * 4;
4208 if (ihlen < sizeof(_iph))
4211 ad->u.net->v4info.saddr = ih->saddr;
4212 ad->u.net->v4info.daddr = ih->daddr;
4216 *proto = ih->protocol;
4218 switch (ih->protocol) {
4220 struct tcphdr _tcph, *th;
4222 if (ntohs(ih->frag_off) & IP_OFFSET)
4226 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4230 ad->u.net->sport = th->source;
4231 ad->u.net->dport = th->dest;
4236 struct udphdr _udph, *uh;
4238 if (ntohs(ih->frag_off) & IP_OFFSET)
4242 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4246 ad->u.net->sport = uh->source;
4247 ad->u.net->dport = uh->dest;
4251 case IPPROTO_DCCP: {
4252 struct dccp_hdr _dccph, *dh;
4254 if (ntohs(ih->frag_off) & IP_OFFSET)
4258 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4262 ad->u.net->sport = dh->dccph_sport;
4263 ad->u.net->dport = dh->dccph_dport;
4267 #if IS_ENABLED(CONFIG_IP_SCTP)
4268 case IPPROTO_SCTP: {
4269 struct sctphdr _sctph, *sh;
4271 if (ntohs(ih->frag_off) & IP_OFFSET)
4275 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4279 ad->u.net->sport = sh->source;
4280 ad->u.net->dport = sh->dest;
4291 #if IS_ENABLED(CONFIG_IPV6)
4293 /* Returns error only if unable to parse addresses */
4294 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4295 struct common_audit_data *ad, u8 *proto)
4298 int ret = -EINVAL, offset;
4299 struct ipv6hdr _ipv6h, *ip6;
4302 offset = skb_network_offset(skb);
4303 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4307 ad->u.net->v6info.saddr = ip6->saddr;
4308 ad->u.net->v6info.daddr = ip6->daddr;
4311 nexthdr = ip6->nexthdr;
4312 offset += sizeof(_ipv6h);
4313 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4322 struct tcphdr _tcph, *th;
4324 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4328 ad->u.net->sport = th->source;
4329 ad->u.net->dport = th->dest;
4334 struct udphdr _udph, *uh;
4336 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4340 ad->u.net->sport = uh->source;
4341 ad->u.net->dport = uh->dest;
4345 case IPPROTO_DCCP: {
4346 struct dccp_hdr _dccph, *dh;
4348 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4352 ad->u.net->sport = dh->dccph_sport;
4353 ad->u.net->dport = dh->dccph_dport;
4357 #if IS_ENABLED(CONFIG_IP_SCTP)
4358 case IPPROTO_SCTP: {
4359 struct sctphdr _sctph, *sh;
4361 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4365 ad->u.net->sport = sh->source;
4366 ad->u.net->dport = sh->dest;
4370 /* includes fragments */
4380 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4381 char **_addrp, int src, u8 *proto)
4386 switch (ad->u.net->family) {
4388 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4391 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4392 &ad->u.net->v4info.daddr);
4395 #if IS_ENABLED(CONFIG_IPV6)
4397 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4400 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4401 &ad->u.net->v6info.daddr);
4411 "SELinux: failure in selinux_parse_skb(),"
4412 " unable to parse packet\n");
4422 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4424 * @family: protocol family
4425 * @sid: the packet's peer label SID
4428 * Check the various different forms of network peer labeling and determine
4429 * the peer label/SID for the packet; most of the magic actually occurs in
4430 * the security server function security_net_peersid_cmp(). The function
4431 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4432 * or -EACCES if @sid is invalid due to inconsistencies with the different
4436 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4443 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4446 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4450 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4451 nlbl_type, xfrm_sid, sid);
4452 if (unlikely(err)) {
4454 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4455 " unable to determine packet's peer label\n");
4463 * selinux_conn_sid - Determine the child socket label for a connection
4464 * @sk_sid: the parent socket's SID
4465 * @skb_sid: the packet's SID
4466 * @conn_sid: the resulting connection SID
4468 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4469 * combined with the MLS information from @skb_sid in order to create
4470 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4471 * of @sk_sid. Returns zero on success, negative values on failure.
4474 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4478 if (skb_sid != SECSID_NULL)
4479 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4487 /* socket security operations */
4489 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4490 u16 secclass, u32 *socksid)
4492 if (tsec->sockcreate_sid > SECSID_NULL) {
4493 *socksid = tsec->sockcreate_sid;
4497 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4498 secclass, NULL, socksid);
4501 static int sock_has_perm(struct sock *sk, u32 perms)
4503 struct sk_security_struct *sksec = sk->sk_security;
4504 struct common_audit_data ad;
4505 struct lsm_network_audit net = {0,};
4507 if (sksec->sid == SECINITSID_KERNEL)
4510 ad.type = LSM_AUDIT_DATA_NET;
4514 return avc_has_perm(&selinux_state,
4515 current_sid(), sksec->sid, sksec->sclass, perms,
4519 static int selinux_socket_create(int family, int type,
4520 int protocol, int kern)
4522 const struct task_security_struct *tsec = selinux_cred(current_cred());
4530 secclass = socket_type_to_security_class(family, type, protocol);
4531 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4535 return avc_has_perm(&selinux_state,
4536 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4539 static int selinux_socket_post_create(struct socket *sock, int family,
4540 int type, int protocol, int kern)
4542 const struct task_security_struct *tsec = selinux_cred(current_cred());
4543 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4544 struct sk_security_struct *sksec;
4545 u16 sclass = socket_type_to_security_class(family, type, protocol);
4546 u32 sid = SECINITSID_KERNEL;
4550 err = socket_sockcreate_sid(tsec, sclass, &sid);
4555 isec->sclass = sclass;
4557 isec->initialized = LABEL_INITIALIZED;
4560 sksec = sock->sk->sk_security;
4561 sksec->sclass = sclass;
4563 /* Allows detection of the first association on this socket */
4564 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4565 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4567 err = selinux_netlbl_socket_post_create(sock->sk, family);
4573 static int selinux_socket_socketpair(struct socket *socka,
4574 struct socket *sockb)
4576 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4577 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4579 sksec_a->peer_sid = sksec_b->sid;
4580 sksec_b->peer_sid = sksec_a->sid;
4585 /* Range of port numbers used to automatically bind.
4586 Need to determine whether we should perform a name_bind
4587 permission check between the socket and the port number. */
4589 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4591 struct sock *sk = sock->sk;
4592 struct sk_security_struct *sksec = sk->sk_security;
4596 err = sock_has_perm(sk, SOCKET__BIND);
4600 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4601 family = sk->sk_family;
4602 if (family == PF_INET || family == PF_INET6) {
4604 struct common_audit_data ad;
4605 struct lsm_network_audit net = {0,};
4606 struct sockaddr_in *addr4 = NULL;
4607 struct sockaddr_in6 *addr6 = NULL;
4609 unsigned short snum;
4613 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4614 * that validates multiple binding addresses. Because of this
4615 * need to check address->sa_family as it is possible to have
4616 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4618 if (addrlen < offsetofend(struct sockaddr, sa_family))
4620 family_sa = address->sa_family;
4621 switch (family_sa) {
4624 if (addrlen < sizeof(struct sockaddr_in))
4626 addr4 = (struct sockaddr_in *)address;
4627 if (family_sa == AF_UNSPEC) {
4628 /* see __inet_bind(), we only want to allow
4629 * AF_UNSPEC if the address is INADDR_ANY
4631 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4633 family_sa = AF_INET;
4635 snum = ntohs(addr4->sin_port);
4636 addrp = (char *)&addr4->sin_addr.s_addr;
4639 if (addrlen < SIN6_LEN_RFC2133)
4641 addr6 = (struct sockaddr_in6 *)address;
4642 snum = ntohs(addr6->sin6_port);
4643 addrp = (char *)&addr6->sin6_addr.s6_addr;
4649 ad.type = LSM_AUDIT_DATA_NET;
4651 ad.u.net->sport = htons(snum);
4652 ad.u.net->family = family_sa;
4657 inet_get_local_port_range(sock_net(sk), &low, &high);
4659 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4661 err = sel_netport_sid(sk->sk_protocol,
4665 err = avc_has_perm(&selinux_state,
4668 SOCKET__NAME_BIND, &ad);
4674 switch (sksec->sclass) {
4675 case SECCLASS_TCP_SOCKET:
4676 node_perm = TCP_SOCKET__NODE_BIND;
4679 case SECCLASS_UDP_SOCKET:
4680 node_perm = UDP_SOCKET__NODE_BIND;
4683 case SECCLASS_DCCP_SOCKET:
4684 node_perm = DCCP_SOCKET__NODE_BIND;
4687 case SECCLASS_SCTP_SOCKET:
4688 node_perm = SCTP_SOCKET__NODE_BIND;
4692 node_perm = RAWIP_SOCKET__NODE_BIND;
4696 err = sel_netnode_sid(addrp, family_sa, &sid);
4700 if (family_sa == AF_INET)
4701 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4703 ad.u.net->v6info.saddr = addr6->sin6_addr;
4705 err = avc_has_perm(&selinux_state,
4707 sksec->sclass, node_perm, &ad);
4714 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4715 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4717 return -EAFNOSUPPORT;
4720 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4721 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4723 static int selinux_socket_connect_helper(struct socket *sock,
4724 struct sockaddr *address, int addrlen)
4726 struct sock *sk = sock->sk;
4727 struct sk_security_struct *sksec = sk->sk_security;
4730 err = sock_has_perm(sk, SOCKET__CONNECT);
4733 if (addrlen < offsetofend(struct sockaddr, sa_family))
4736 /* connect(AF_UNSPEC) has special handling, as it is a documented
4737 * way to disconnect the socket
4739 if (address->sa_family == AF_UNSPEC)
4743 * If a TCP, DCCP or SCTP socket, check name_connect permission
4746 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4747 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4748 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4749 struct common_audit_data ad;
4750 struct lsm_network_audit net = {0,};
4751 struct sockaddr_in *addr4 = NULL;
4752 struct sockaddr_in6 *addr6 = NULL;
4753 unsigned short snum;
4756 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4757 * that validates multiple connect addresses. Because of this
4758 * need to check address->sa_family as it is possible to have
4759 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4761 switch (address->sa_family) {
4763 addr4 = (struct sockaddr_in *)address;
4764 if (addrlen < sizeof(struct sockaddr_in))
4766 snum = ntohs(addr4->sin_port);
4769 addr6 = (struct sockaddr_in6 *)address;
4770 if (addrlen < SIN6_LEN_RFC2133)
4772 snum = ntohs(addr6->sin6_port);
4775 /* Note that SCTP services expect -EINVAL, whereas
4776 * others expect -EAFNOSUPPORT.
4778 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4781 return -EAFNOSUPPORT;
4784 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4788 switch (sksec->sclass) {
4789 case SECCLASS_TCP_SOCKET:
4790 perm = TCP_SOCKET__NAME_CONNECT;
4792 case SECCLASS_DCCP_SOCKET:
4793 perm = DCCP_SOCKET__NAME_CONNECT;
4795 case SECCLASS_SCTP_SOCKET:
4796 perm = SCTP_SOCKET__NAME_CONNECT;
4800 ad.type = LSM_AUDIT_DATA_NET;
4802 ad.u.net->dport = htons(snum);
4803 ad.u.net->family = address->sa_family;
4804 err = avc_has_perm(&selinux_state,
4805 sksec->sid, sid, sksec->sclass, perm, &ad);
4813 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4814 static int selinux_socket_connect(struct socket *sock,
4815 struct sockaddr *address, int addrlen)
4818 struct sock *sk = sock->sk;
4820 err = selinux_socket_connect_helper(sock, address, addrlen);
4824 return selinux_netlbl_socket_connect(sk, address);
4827 static int selinux_socket_listen(struct socket *sock, int backlog)
4829 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4832 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4835 struct inode_security_struct *isec;
4836 struct inode_security_struct *newisec;
4840 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4844 isec = inode_security_novalidate(SOCK_INODE(sock));
4845 spin_lock(&isec->lock);
4846 sclass = isec->sclass;
4848 spin_unlock(&isec->lock);
4850 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4851 newisec->sclass = sclass;
4853 newisec->initialized = LABEL_INITIALIZED;
4858 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4861 return sock_has_perm(sock->sk, SOCKET__WRITE);
4864 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4865 int size, int flags)
4867 return sock_has_perm(sock->sk, SOCKET__READ);
4870 static int selinux_socket_getsockname(struct socket *sock)
4872 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4875 static int selinux_socket_getpeername(struct socket *sock)
4877 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4880 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4884 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4888 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4891 static int selinux_socket_getsockopt(struct socket *sock, int level,
4894 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4897 static int selinux_socket_shutdown(struct socket *sock, int how)
4899 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4902 static int selinux_socket_unix_stream_connect(struct sock *sock,
4906 struct sk_security_struct *sksec_sock = sock->sk_security;
4907 struct sk_security_struct *sksec_other = other->sk_security;
4908 struct sk_security_struct *sksec_new = newsk->sk_security;
4909 struct common_audit_data ad;
4910 struct lsm_network_audit net = {0,};
4913 ad.type = LSM_AUDIT_DATA_NET;
4915 ad.u.net->sk = other;
4917 err = avc_has_perm(&selinux_state,
4918 sksec_sock->sid, sksec_other->sid,
4919 sksec_other->sclass,
4920 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4924 /* server child socket */
4925 sksec_new->peer_sid = sksec_sock->sid;
4926 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4927 sksec_sock->sid, &sksec_new->sid);
4931 /* connecting socket */
4932 sksec_sock->peer_sid = sksec_new->sid;
4937 static int selinux_socket_unix_may_send(struct socket *sock,
4938 struct socket *other)
4940 struct sk_security_struct *ssec = sock->sk->sk_security;
4941 struct sk_security_struct *osec = other->sk->sk_security;
4942 struct common_audit_data ad;
4943 struct lsm_network_audit net = {0,};
4945 ad.type = LSM_AUDIT_DATA_NET;
4947 ad.u.net->sk = other->sk;
4949 return avc_has_perm(&selinux_state,
4950 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4954 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4955 char *addrp, u16 family, u32 peer_sid,
4956 struct common_audit_data *ad)
4962 err = sel_netif_sid(ns, ifindex, &if_sid);
4965 err = avc_has_perm(&selinux_state,
4967 SECCLASS_NETIF, NETIF__INGRESS, ad);
4971 err = sel_netnode_sid(addrp, family, &node_sid);
4974 return avc_has_perm(&selinux_state,
4976 SECCLASS_NODE, NODE__RECVFROM, ad);
4979 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4983 struct sk_security_struct *sksec = sk->sk_security;
4984 u32 sk_sid = sksec->sid;
4985 struct common_audit_data ad;
4986 struct lsm_network_audit net = {0,};
4989 ad.type = LSM_AUDIT_DATA_NET;
4991 ad.u.net->netif = skb->skb_iif;
4992 ad.u.net->family = family;
4993 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4997 if (selinux_secmark_enabled()) {
4998 err = avc_has_perm(&selinux_state,
4999 sk_sid, skb->secmark, SECCLASS_PACKET,
5005 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5008 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5013 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5016 struct sk_security_struct *sksec = sk->sk_security;
5017 u16 family = sk->sk_family;
5018 u32 sk_sid = sksec->sid;
5019 struct common_audit_data ad;
5020 struct lsm_network_audit net = {0,};
5025 if (family != PF_INET && family != PF_INET6)
5028 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5029 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5032 /* If any sort of compatibility mode is enabled then handoff processing
5033 * to the selinux_sock_rcv_skb_compat() function to deal with the
5034 * special handling. We do this in an attempt to keep this function
5035 * as fast and as clean as possible. */
5036 if (!selinux_policycap_netpeer())
5037 return selinux_sock_rcv_skb_compat(sk, skb, family);
5039 secmark_active = selinux_secmark_enabled();
5040 peerlbl_active = selinux_peerlbl_enabled();
5041 if (!secmark_active && !peerlbl_active)
5044 ad.type = LSM_AUDIT_DATA_NET;
5046 ad.u.net->netif = skb->skb_iif;
5047 ad.u.net->family = family;
5048 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5052 if (peerlbl_active) {
5055 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5058 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5059 addrp, family, peer_sid, &ad);
5061 selinux_netlbl_err(skb, family, err, 0);
5064 err = avc_has_perm(&selinux_state,
5065 sk_sid, peer_sid, SECCLASS_PEER,
5068 selinux_netlbl_err(skb, family, err, 0);
5073 if (secmark_active) {
5074 err = avc_has_perm(&selinux_state,
5075 sk_sid, skb->secmark, SECCLASS_PACKET,
5084 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5085 int __user *optlen, unsigned len)
5090 struct sk_security_struct *sksec = sock->sk->sk_security;
5091 u32 peer_sid = SECSID_NULL;
5093 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5094 sksec->sclass == SECCLASS_TCP_SOCKET ||
5095 sksec->sclass == SECCLASS_SCTP_SOCKET)
5096 peer_sid = sksec->peer_sid;
5097 if (peer_sid == SECSID_NULL)
5098 return -ENOPROTOOPT;
5100 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5105 if (scontext_len > len) {
5110 if (copy_to_user(optval, scontext, scontext_len))
5114 if (put_user(scontext_len, optlen))
5120 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5122 u32 peer_secid = SECSID_NULL;
5124 struct inode_security_struct *isec;
5126 if (skb && skb->protocol == htons(ETH_P_IP))
5128 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5131 family = sock->sk->sk_family;
5135 if (sock && family == PF_UNIX) {
5136 isec = inode_security_novalidate(SOCK_INODE(sock));
5137 peer_secid = isec->sid;
5139 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5142 *secid = peer_secid;
5143 if (peer_secid == SECSID_NULL)
5148 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5150 struct sk_security_struct *sksec;
5152 sksec = kzalloc(sizeof(*sksec), priority);
5156 sksec->peer_sid = SECINITSID_UNLABELED;
5157 sksec->sid = SECINITSID_UNLABELED;
5158 sksec->sclass = SECCLASS_SOCKET;
5159 selinux_netlbl_sk_security_reset(sksec);
5160 sk->sk_security = sksec;
5165 static void selinux_sk_free_security(struct sock *sk)
5167 struct sk_security_struct *sksec = sk->sk_security;
5169 sk->sk_security = NULL;
5170 selinux_netlbl_sk_security_free(sksec);
5174 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5176 struct sk_security_struct *sksec = sk->sk_security;
5177 struct sk_security_struct *newsksec = newsk->sk_security;
5179 newsksec->sid = sksec->sid;
5180 newsksec->peer_sid = sksec->peer_sid;
5181 newsksec->sclass = sksec->sclass;
5183 selinux_netlbl_sk_security_reset(newsksec);
5186 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5189 *secid = SECINITSID_ANY_SOCKET;
5191 struct sk_security_struct *sksec = sk->sk_security;
5193 *secid = sksec->sid;
5197 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5199 struct inode_security_struct *isec =
5200 inode_security_novalidate(SOCK_INODE(parent));
5201 struct sk_security_struct *sksec = sk->sk_security;
5203 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5204 sk->sk_family == PF_UNIX)
5205 isec->sid = sksec->sid;
5206 sksec->sclass = isec->sclass;
5209 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5210 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5213 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5214 struct sk_buff *skb)
5216 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5217 struct common_audit_data ad;
5218 struct lsm_network_audit net = {0,};
5220 u32 peer_sid = SECINITSID_UNLABELED;
5224 if (!selinux_policycap_extsockclass())
5227 peerlbl_active = selinux_peerlbl_enabled();
5229 if (peerlbl_active) {
5230 /* This will return peer_sid = SECSID_NULL if there are
5231 * no peer labels, see security_net_peersid_resolve().
5233 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5238 if (peer_sid == SECSID_NULL)
5239 peer_sid = SECINITSID_UNLABELED;
5242 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5243 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5245 /* Here as first association on socket. As the peer SID
5246 * was allowed by peer recv (and the netif/node checks),
5247 * then it is approved by policy and used as the primary
5248 * peer SID for getpeercon(3).
5250 sksec->peer_sid = peer_sid;
5251 } else if (sksec->peer_sid != peer_sid) {
5252 /* Other association peer SIDs are checked to enforce
5253 * consistency among the peer SIDs.
5255 ad.type = LSM_AUDIT_DATA_NET;
5257 ad.u.net->sk = ep->base.sk;
5258 err = avc_has_perm(&selinux_state,
5259 sksec->peer_sid, peer_sid, sksec->sclass,
5260 SCTP_SOCKET__ASSOCIATION, &ad);
5265 /* Compute the MLS component for the connection and store
5266 * the information in ep. This will be used by SCTP TCP type
5267 * sockets and peeled off connections as they cause a new
5268 * socket to be generated. selinux_sctp_sk_clone() will then
5269 * plug this into the new socket.
5271 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5275 ep->secid = conn_sid;
5276 ep->peer_secid = peer_sid;
5278 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5279 return selinux_netlbl_sctp_assoc_request(ep, skb);
5282 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5283 * based on their @optname.
5285 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5286 struct sockaddr *address,
5289 int len, err = 0, walk_size = 0;
5291 struct sockaddr *addr;
5292 struct socket *sock;
5294 if (!selinux_policycap_extsockclass())
5297 /* Process one or more addresses that may be IPv4 or IPv6 */
5298 sock = sk->sk_socket;
5301 while (walk_size < addrlen) {
5302 if (walk_size + sizeof(sa_family_t) > addrlen)
5306 switch (addr->sa_family) {
5309 len = sizeof(struct sockaddr_in);
5312 len = sizeof(struct sockaddr_in6);
5318 if (walk_size + len > addrlen)
5324 case SCTP_PRIMARY_ADDR:
5325 case SCTP_SET_PEER_PRIMARY_ADDR:
5326 case SCTP_SOCKOPT_BINDX_ADD:
5327 err = selinux_socket_bind(sock, addr, len);
5329 /* Connect checks */
5330 case SCTP_SOCKOPT_CONNECTX:
5331 case SCTP_PARAM_SET_PRIMARY:
5332 case SCTP_PARAM_ADD_IP:
5333 case SCTP_SENDMSG_CONNECT:
5334 err = selinux_socket_connect_helper(sock, addr, len);
5338 /* As selinux_sctp_bind_connect() is called by the
5339 * SCTP protocol layer, the socket is already locked,
5340 * therefore selinux_netlbl_socket_connect_locked() is
5341 * is called here. The situations handled are:
5342 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5343 * whenever a new IP address is added or when a new
5344 * primary address is selected.
5345 * Note that an SCTP connect(2) call happens before
5346 * the SCTP protocol layer and is handled via
5347 * selinux_socket_connect().
5349 err = selinux_netlbl_socket_connect_locked(sk, addr);
5363 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5364 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5367 struct sk_security_struct *sksec = sk->sk_security;
5368 struct sk_security_struct *newsksec = newsk->sk_security;
5370 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5371 * the non-sctp clone version.
5373 if (!selinux_policycap_extsockclass())
5374 return selinux_sk_clone_security(sk, newsk);
5376 newsksec->sid = ep->secid;
5377 newsksec->peer_sid = ep->peer_secid;
5378 newsksec->sclass = sksec->sclass;
5379 selinux_netlbl_sctp_sk_clone(sk, newsk);
5382 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5383 struct request_sock *req)
5385 struct sk_security_struct *sksec = sk->sk_security;
5387 u16 family = req->rsk_ops->family;
5391 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5394 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5397 req->secid = connsid;
5398 req->peer_secid = peersid;
5400 return selinux_netlbl_inet_conn_request(req, family);
5403 static void selinux_inet_csk_clone(struct sock *newsk,
5404 const struct request_sock *req)
5406 struct sk_security_struct *newsksec = newsk->sk_security;
5408 newsksec->sid = req->secid;
5409 newsksec->peer_sid = req->peer_secid;
5410 /* NOTE: Ideally, we should also get the isec->sid for the
5411 new socket in sync, but we don't have the isec available yet.
5412 So we will wait until sock_graft to do it, by which
5413 time it will have been created and available. */
5415 /* We don't need to take any sort of lock here as we are the only
5416 * thread with access to newsksec */
5417 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5420 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5422 u16 family = sk->sk_family;
5423 struct sk_security_struct *sksec = sk->sk_security;
5425 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5426 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5429 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5432 static int selinux_secmark_relabel_packet(u32 sid)
5434 const struct task_security_struct *__tsec;
5437 __tsec = selinux_cred(current_cred());
5440 return avc_has_perm(&selinux_state,
5441 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5445 static void selinux_secmark_refcount_inc(void)
5447 atomic_inc(&selinux_secmark_refcount);
5450 static void selinux_secmark_refcount_dec(void)
5452 atomic_dec(&selinux_secmark_refcount);
5455 static void selinux_req_classify_flow(const struct request_sock *req,
5458 fl->flowi_secid = req->secid;
5461 static int selinux_tun_dev_alloc_security(void **security)
5463 struct tun_security_struct *tunsec;
5465 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5468 tunsec->sid = current_sid();
5474 static void selinux_tun_dev_free_security(void *security)
5479 static int selinux_tun_dev_create(void)
5481 u32 sid = current_sid();
5483 /* we aren't taking into account the "sockcreate" SID since the socket
5484 * that is being created here is not a socket in the traditional sense,
5485 * instead it is a private sock, accessible only to the kernel, and
5486 * representing a wide range of network traffic spanning multiple
5487 * connections unlike traditional sockets - check the TUN driver to
5488 * get a better understanding of why this socket is special */
5490 return avc_has_perm(&selinux_state,
5491 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5495 static int selinux_tun_dev_attach_queue(void *security)
5497 struct tun_security_struct *tunsec = security;
5499 return avc_has_perm(&selinux_state,
5500 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5501 TUN_SOCKET__ATTACH_QUEUE, NULL);
5504 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5506 struct tun_security_struct *tunsec = security;
5507 struct sk_security_struct *sksec = sk->sk_security;
5509 /* we don't currently perform any NetLabel based labeling here and it
5510 * isn't clear that we would want to do so anyway; while we could apply
5511 * labeling without the support of the TUN user the resulting labeled
5512 * traffic from the other end of the connection would almost certainly
5513 * cause confusion to the TUN user that had no idea network labeling
5514 * protocols were being used */
5516 sksec->sid = tunsec->sid;
5517 sksec->sclass = SECCLASS_TUN_SOCKET;
5522 static int selinux_tun_dev_open(void *security)
5524 struct tun_security_struct *tunsec = security;
5525 u32 sid = current_sid();
5528 err = avc_has_perm(&selinux_state,
5529 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5530 TUN_SOCKET__RELABELFROM, NULL);
5533 err = avc_has_perm(&selinux_state,
5534 sid, sid, SECCLASS_TUN_SOCKET,
5535 TUN_SOCKET__RELABELTO, NULL);
5543 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5546 unsigned int msg_len;
5547 unsigned int data_len = skb->len;
5548 unsigned char *data = skb->data;
5549 struct nlmsghdr *nlh;
5550 struct sk_security_struct *sksec = sk->sk_security;
5551 u16 sclass = sksec->sclass;
5554 while (data_len >= nlmsg_total_size(0)) {
5555 nlh = (struct nlmsghdr *)data;
5557 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5558 * users which means we can't reject skb's with bogus
5559 * length fields; our solution is to follow what
5560 * netlink_rcv_skb() does and simply skip processing at
5561 * messages with length fields that are clearly junk
5563 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5566 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5568 rc = sock_has_perm(sk, perm);
5571 } else if (rc == -EINVAL) {
5572 /* -EINVAL is a missing msg/perm mapping */
5573 pr_warn_ratelimited("SELinux: unrecognized netlink"
5574 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5575 " pid=%d comm=%s\n",
5576 sk->sk_protocol, nlh->nlmsg_type,
5577 secclass_map[sclass - 1].name,
5578 task_pid_nr(current), current->comm);
5579 if (enforcing_enabled(&selinux_state) &&
5580 !security_get_allow_unknown(&selinux_state))
5583 } else if (rc == -ENOENT) {
5584 /* -ENOENT is a missing socket/class mapping, ignore */
5590 /* move to the next message after applying netlink padding */
5591 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5592 if (msg_len >= data_len)
5594 data_len -= msg_len;
5601 #ifdef CONFIG_NETFILTER
5603 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5604 const struct net_device *indev,
5610 struct common_audit_data ad;
5611 struct lsm_network_audit net = {0,};
5616 if (!selinux_policycap_netpeer())
5619 secmark_active = selinux_secmark_enabled();
5620 netlbl_active = netlbl_enabled();
5621 peerlbl_active = selinux_peerlbl_enabled();
5622 if (!secmark_active && !peerlbl_active)
5625 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5628 ad.type = LSM_AUDIT_DATA_NET;
5630 ad.u.net->netif = indev->ifindex;
5631 ad.u.net->family = family;
5632 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5635 if (peerlbl_active) {
5636 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5637 addrp, family, peer_sid, &ad);
5639 selinux_netlbl_err(skb, family, err, 1);
5645 if (avc_has_perm(&selinux_state,
5646 peer_sid, skb->secmark,
5647 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5651 /* we do this in the FORWARD path and not the POST_ROUTING
5652 * path because we want to make sure we apply the necessary
5653 * labeling before IPsec is applied so we can leverage AH
5655 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5661 static unsigned int selinux_ipv4_forward(void *priv,
5662 struct sk_buff *skb,
5663 const struct nf_hook_state *state)
5665 return selinux_ip_forward(skb, state->in, PF_INET);
5668 #if IS_ENABLED(CONFIG_IPV6)
5669 static unsigned int selinux_ipv6_forward(void *priv,
5670 struct sk_buff *skb,
5671 const struct nf_hook_state *state)
5673 return selinux_ip_forward(skb, state->in, PF_INET6);
5677 static unsigned int selinux_ip_output(struct sk_buff *skb,
5683 if (!netlbl_enabled())
5686 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5687 * because we want to make sure we apply the necessary labeling
5688 * before IPsec is applied so we can leverage AH protection */
5691 struct sk_security_struct *sksec;
5693 if (sk_listener(sk))
5694 /* if the socket is the listening state then this
5695 * packet is a SYN-ACK packet which means it needs to
5696 * be labeled based on the connection/request_sock and
5697 * not the parent socket. unfortunately, we can't
5698 * lookup the request_sock yet as it isn't queued on
5699 * the parent socket until after the SYN-ACK is sent.
5700 * the "solution" is to simply pass the packet as-is
5701 * as any IP option based labeling should be copied
5702 * from the initial connection request (in the IP
5703 * layer). it is far from ideal, but until we get a
5704 * security label in the packet itself this is the
5705 * best we can do. */
5708 /* standard practice, label using the parent socket */
5709 sksec = sk->sk_security;
5712 sid = SECINITSID_KERNEL;
5713 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5719 static unsigned int selinux_ipv4_output(void *priv,
5720 struct sk_buff *skb,
5721 const struct nf_hook_state *state)
5723 return selinux_ip_output(skb, PF_INET);
5726 #if IS_ENABLED(CONFIG_IPV6)
5727 static unsigned int selinux_ipv6_output(void *priv,
5728 struct sk_buff *skb,
5729 const struct nf_hook_state *state)
5731 return selinux_ip_output(skb, PF_INET6);
5735 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5739 struct sock *sk = skb_to_full_sk(skb);
5740 struct sk_security_struct *sksec;
5741 struct common_audit_data ad;
5742 struct lsm_network_audit net = {0,};
5748 sksec = sk->sk_security;
5750 ad.type = LSM_AUDIT_DATA_NET;
5752 ad.u.net->netif = ifindex;
5753 ad.u.net->family = family;
5754 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5757 if (selinux_secmark_enabled())
5758 if (avc_has_perm(&selinux_state,
5759 sksec->sid, skb->secmark,
5760 SECCLASS_PACKET, PACKET__SEND, &ad))
5761 return NF_DROP_ERR(-ECONNREFUSED);
5763 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5764 return NF_DROP_ERR(-ECONNREFUSED);
5769 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5770 const struct net_device *outdev,
5775 int ifindex = outdev->ifindex;
5777 struct common_audit_data ad;
5778 struct lsm_network_audit net = {0,};
5783 /* If any sort of compatibility mode is enabled then handoff processing
5784 * to the selinux_ip_postroute_compat() function to deal with the
5785 * special handling. We do this in an attempt to keep this function
5786 * as fast and as clean as possible. */
5787 if (!selinux_policycap_netpeer())
5788 return selinux_ip_postroute_compat(skb, ifindex, family);
5790 secmark_active = selinux_secmark_enabled();
5791 peerlbl_active = selinux_peerlbl_enabled();
5792 if (!secmark_active && !peerlbl_active)
5795 sk = skb_to_full_sk(skb);
5798 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5799 * packet transformation so allow the packet to pass without any checks
5800 * since we'll have another chance to perform access control checks
5801 * when the packet is on it's final way out.
5802 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5803 * is NULL, in this case go ahead and apply access control.
5804 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5805 * TCP listening state we cannot wait until the XFRM processing
5806 * is done as we will miss out on the SA label if we do;
5807 * unfortunately, this means more work, but it is only once per
5809 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5810 !(sk && sk_listener(sk)))
5815 /* Without an associated socket the packet is either coming
5816 * from the kernel or it is being forwarded; check the packet
5817 * to determine which and if the packet is being forwarded
5818 * query the packet directly to determine the security label. */
5820 secmark_perm = PACKET__FORWARD_OUT;
5821 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5824 secmark_perm = PACKET__SEND;
5825 peer_sid = SECINITSID_KERNEL;
5827 } else if (sk_listener(sk)) {
5828 /* Locally generated packet but the associated socket is in the
5829 * listening state which means this is a SYN-ACK packet. In
5830 * this particular case the correct security label is assigned
5831 * to the connection/request_sock but unfortunately we can't
5832 * query the request_sock as it isn't queued on the parent
5833 * socket until after the SYN-ACK packet is sent; the only
5834 * viable choice is to regenerate the label like we do in
5835 * selinux_inet_conn_request(). See also selinux_ip_output()
5836 * for similar problems. */
5838 struct sk_security_struct *sksec;
5840 sksec = sk->sk_security;
5841 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5843 /* At this point, if the returned skb peerlbl is SECSID_NULL
5844 * and the packet has been through at least one XFRM
5845 * transformation then we must be dealing with the "final"
5846 * form of labeled IPsec packet; since we've already applied
5847 * all of our access controls on this packet we can safely
5848 * pass the packet. */
5849 if (skb_sid == SECSID_NULL) {
5852 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5856 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5860 return NF_DROP_ERR(-ECONNREFUSED);
5863 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5865 secmark_perm = PACKET__SEND;
5867 /* Locally generated packet, fetch the security label from the
5868 * associated socket. */
5869 struct sk_security_struct *sksec = sk->sk_security;
5870 peer_sid = sksec->sid;
5871 secmark_perm = PACKET__SEND;
5874 ad.type = LSM_AUDIT_DATA_NET;
5876 ad.u.net->netif = ifindex;
5877 ad.u.net->family = family;
5878 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5882 if (avc_has_perm(&selinux_state,
5883 peer_sid, skb->secmark,
5884 SECCLASS_PACKET, secmark_perm, &ad))
5885 return NF_DROP_ERR(-ECONNREFUSED);
5887 if (peerlbl_active) {
5891 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5893 if (avc_has_perm(&selinux_state,
5895 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5896 return NF_DROP_ERR(-ECONNREFUSED);
5898 if (sel_netnode_sid(addrp, family, &node_sid))
5900 if (avc_has_perm(&selinux_state,
5902 SECCLASS_NODE, NODE__SENDTO, &ad))
5903 return NF_DROP_ERR(-ECONNREFUSED);
5909 static unsigned int selinux_ipv4_postroute(void *priv,
5910 struct sk_buff *skb,
5911 const struct nf_hook_state *state)
5913 return selinux_ip_postroute(skb, state->out, PF_INET);
5916 #if IS_ENABLED(CONFIG_IPV6)
5917 static unsigned int selinux_ipv6_postroute(void *priv,
5918 struct sk_buff *skb,
5919 const struct nf_hook_state *state)
5921 return selinux_ip_postroute(skb, state->out, PF_INET6);
5925 #endif /* CONFIG_NETFILTER */
5927 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5929 return selinux_nlmsg_perm(sk, skb);
5932 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5934 isec->sclass = sclass;
5935 isec->sid = current_sid();
5938 static int msg_msg_alloc_security(struct msg_msg *msg)
5940 struct msg_security_struct *msec;
5942 msec = selinux_msg_msg(msg);
5943 msec->sid = SECINITSID_UNLABELED;
5948 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5951 struct ipc_security_struct *isec;
5952 struct common_audit_data ad;
5953 u32 sid = current_sid();
5955 isec = selinux_ipc(ipc_perms);
5957 ad.type = LSM_AUDIT_DATA_IPC;
5958 ad.u.ipc_id = ipc_perms->key;
5960 return avc_has_perm(&selinux_state,
5961 sid, isec->sid, isec->sclass, perms, &ad);
5964 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5966 return msg_msg_alloc_security(msg);
5969 /* message queue security operations */
5970 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5972 struct ipc_security_struct *isec;
5973 struct common_audit_data ad;
5974 u32 sid = current_sid();
5977 isec = selinux_ipc(msq);
5978 ipc_init_security(isec, SECCLASS_MSGQ);
5980 ad.type = LSM_AUDIT_DATA_IPC;
5981 ad.u.ipc_id = msq->key;
5983 rc = avc_has_perm(&selinux_state,
5984 sid, isec->sid, SECCLASS_MSGQ,
5989 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5991 struct ipc_security_struct *isec;
5992 struct common_audit_data ad;
5993 u32 sid = current_sid();
5995 isec = selinux_ipc(msq);
5997 ad.type = LSM_AUDIT_DATA_IPC;
5998 ad.u.ipc_id = msq->key;
6000 return avc_has_perm(&selinux_state,
6001 sid, isec->sid, SECCLASS_MSGQ,
6002 MSGQ__ASSOCIATE, &ad);
6005 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6013 /* No specific object, just general system-wide information. */
6014 return avc_has_perm(&selinux_state,
6015 current_sid(), SECINITSID_KERNEL,
6016 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6020 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6023 perms = MSGQ__SETATTR;
6026 perms = MSGQ__DESTROY;
6032 err = ipc_has_perm(msq, perms);
6036 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6038 struct ipc_security_struct *isec;
6039 struct msg_security_struct *msec;
6040 struct common_audit_data ad;
6041 u32 sid = current_sid();
6044 isec = selinux_ipc(msq);
6045 msec = selinux_msg_msg(msg);
6048 * First time through, need to assign label to the message
6050 if (msec->sid == SECINITSID_UNLABELED) {
6052 * Compute new sid based on current process and
6053 * message queue this message will be stored in
6055 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6056 SECCLASS_MSG, NULL, &msec->sid);
6061 ad.type = LSM_AUDIT_DATA_IPC;
6062 ad.u.ipc_id = msq->key;
6064 /* Can this process write to the queue? */
6065 rc = avc_has_perm(&selinux_state,
6066 sid, isec->sid, SECCLASS_MSGQ,
6069 /* Can this process send the message */
6070 rc = avc_has_perm(&selinux_state,
6071 sid, msec->sid, SECCLASS_MSG,
6074 /* Can the message be put in the queue? */
6075 rc = avc_has_perm(&selinux_state,
6076 msec->sid, isec->sid, SECCLASS_MSGQ,
6077 MSGQ__ENQUEUE, &ad);
6082 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6083 struct task_struct *target,
6084 long type, int mode)
6086 struct ipc_security_struct *isec;
6087 struct msg_security_struct *msec;
6088 struct common_audit_data ad;
6089 u32 sid = task_sid(target);
6092 isec = selinux_ipc(msq);
6093 msec = selinux_msg_msg(msg);
6095 ad.type = LSM_AUDIT_DATA_IPC;
6096 ad.u.ipc_id = msq->key;
6098 rc = avc_has_perm(&selinux_state,
6100 SECCLASS_MSGQ, MSGQ__READ, &ad);
6102 rc = avc_has_perm(&selinux_state,
6104 SECCLASS_MSG, MSG__RECEIVE, &ad);
6108 /* Shared Memory security operations */
6109 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6111 struct ipc_security_struct *isec;
6112 struct common_audit_data ad;
6113 u32 sid = current_sid();
6116 isec = selinux_ipc(shp);
6117 ipc_init_security(isec, SECCLASS_SHM);
6119 ad.type = LSM_AUDIT_DATA_IPC;
6120 ad.u.ipc_id = shp->key;
6122 rc = avc_has_perm(&selinux_state,
6123 sid, isec->sid, SECCLASS_SHM,
6128 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6130 struct ipc_security_struct *isec;
6131 struct common_audit_data ad;
6132 u32 sid = current_sid();
6134 isec = selinux_ipc(shp);
6136 ad.type = LSM_AUDIT_DATA_IPC;
6137 ad.u.ipc_id = shp->key;
6139 return avc_has_perm(&selinux_state,
6140 sid, isec->sid, SECCLASS_SHM,
6141 SHM__ASSOCIATE, &ad);
6144 /* Note, at this point, shp is locked down */
6145 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6153 /* No specific object, just general system-wide information. */
6154 return avc_has_perm(&selinux_state,
6155 current_sid(), SECINITSID_KERNEL,
6156 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6160 perms = SHM__GETATTR | SHM__ASSOCIATE;
6163 perms = SHM__SETATTR;
6170 perms = SHM__DESTROY;
6176 err = ipc_has_perm(shp, perms);
6180 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6181 char __user *shmaddr, int shmflg)
6185 if (shmflg & SHM_RDONLY)
6188 perms = SHM__READ | SHM__WRITE;
6190 return ipc_has_perm(shp, perms);
6193 /* Semaphore security operations */
6194 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6196 struct ipc_security_struct *isec;
6197 struct common_audit_data ad;
6198 u32 sid = current_sid();
6201 isec = selinux_ipc(sma);
6202 ipc_init_security(isec, SECCLASS_SEM);
6204 ad.type = LSM_AUDIT_DATA_IPC;
6205 ad.u.ipc_id = sma->key;
6207 rc = avc_has_perm(&selinux_state,
6208 sid, isec->sid, SECCLASS_SEM,
6213 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6215 struct ipc_security_struct *isec;
6216 struct common_audit_data ad;
6217 u32 sid = current_sid();
6219 isec = selinux_ipc(sma);
6221 ad.type = LSM_AUDIT_DATA_IPC;
6222 ad.u.ipc_id = sma->key;
6224 return avc_has_perm(&selinux_state,
6225 sid, isec->sid, SECCLASS_SEM,
6226 SEM__ASSOCIATE, &ad);
6229 /* Note, at this point, sma is locked down */
6230 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6238 /* No specific object, just general system-wide information. */
6239 return avc_has_perm(&selinux_state,
6240 current_sid(), SECINITSID_KERNEL,
6241 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6245 perms = SEM__GETATTR;
6256 perms = SEM__DESTROY;
6259 perms = SEM__SETATTR;
6264 perms = SEM__GETATTR | SEM__ASSOCIATE;
6270 err = ipc_has_perm(sma, perms);
6274 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6275 struct sembuf *sops, unsigned nsops, int alter)
6280 perms = SEM__READ | SEM__WRITE;
6284 return ipc_has_perm(sma, perms);
6287 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6293 av |= IPC__UNIX_READ;
6295 av |= IPC__UNIX_WRITE;
6300 return ipc_has_perm(ipcp, av);
6303 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6305 struct ipc_security_struct *isec = selinux_ipc(ipcp);
6309 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6312 inode_doinit_with_dentry(inode, dentry);
6315 static int selinux_getprocattr(struct task_struct *p,
6316 char *name, char **value)
6318 const struct task_security_struct *__tsec;
6324 __tsec = selinux_cred(__task_cred(p));
6327 error = avc_has_perm(&selinux_state,
6328 current_sid(), __tsec->sid,
6329 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6334 if (!strcmp(name, "current"))
6336 else if (!strcmp(name, "prev"))
6338 else if (!strcmp(name, "exec"))
6339 sid = __tsec->exec_sid;
6340 else if (!strcmp(name, "fscreate"))
6341 sid = __tsec->create_sid;
6342 else if (!strcmp(name, "keycreate"))
6343 sid = __tsec->keycreate_sid;
6344 else if (!strcmp(name, "sockcreate"))
6345 sid = __tsec->sockcreate_sid;
6355 error = security_sid_to_context(&selinux_state, sid, value, &len);
6365 static int selinux_setprocattr(const char *name, void *value, size_t size)
6367 struct task_security_struct *tsec;
6369 u32 mysid = current_sid(), sid = 0, ptsid;
6374 * Basic control over ability to set these attributes at all.
6376 if (!strcmp(name, "exec"))
6377 error = avc_has_perm(&selinux_state,
6378 mysid, mysid, SECCLASS_PROCESS,
6379 PROCESS__SETEXEC, NULL);
6380 else if (!strcmp(name, "fscreate"))
6381 error = avc_has_perm(&selinux_state,
6382 mysid, mysid, SECCLASS_PROCESS,
6383 PROCESS__SETFSCREATE, NULL);
6384 else if (!strcmp(name, "keycreate"))
6385 error = avc_has_perm(&selinux_state,
6386 mysid, mysid, SECCLASS_PROCESS,
6387 PROCESS__SETKEYCREATE, NULL);
6388 else if (!strcmp(name, "sockcreate"))
6389 error = avc_has_perm(&selinux_state,
6390 mysid, mysid, SECCLASS_PROCESS,
6391 PROCESS__SETSOCKCREATE, NULL);
6392 else if (!strcmp(name, "current"))
6393 error = avc_has_perm(&selinux_state,
6394 mysid, mysid, SECCLASS_PROCESS,
6395 PROCESS__SETCURRENT, NULL);
6401 /* Obtain a SID for the context, if one was specified. */
6402 if (size && str[0] && str[0] != '\n') {
6403 if (str[size-1] == '\n') {
6407 error = security_context_to_sid(&selinux_state, value, size,
6409 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6410 if (!has_cap_mac_admin(true)) {
6411 struct audit_buffer *ab;
6414 /* We strip a nul only if it is at the end, otherwise the
6415 * context contains a nul and we should audit that */
6416 if (str[size - 1] == '\0')
6417 audit_size = size - 1;
6420 ab = audit_log_start(audit_context(),
6423 audit_log_format(ab, "op=fscreate invalid_context=");
6424 audit_log_n_untrustedstring(ab, value, audit_size);
6429 error = security_context_to_sid_force(
6437 new = prepare_creds();
6441 /* Permission checking based on the specified context is
6442 performed during the actual operation (execve,
6443 open/mkdir/...), when we know the full context of the
6444 operation. See selinux_bprm_set_creds for the execve
6445 checks and may_create for the file creation checks. The
6446 operation will then fail if the context is not permitted. */
6447 tsec = selinux_cred(new);
6448 if (!strcmp(name, "exec")) {
6449 tsec->exec_sid = sid;
6450 } else if (!strcmp(name, "fscreate")) {
6451 tsec->create_sid = sid;
6452 } else if (!strcmp(name, "keycreate")) {
6454 error = avc_has_perm(&selinux_state, mysid, sid,
6455 SECCLASS_KEY, KEY__CREATE, NULL);
6459 tsec->keycreate_sid = sid;
6460 } else if (!strcmp(name, "sockcreate")) {
6461 tsec->sockcreate_sid = sid;
6462 } else if (!strcmp(name, "current")) {
6467 /* Only allow single threaded processes to change context */
6469 if (!current_is_single_threaded()) {
6470 error = security_bounded_transition(&selinux_state,
6476 /* Check permissions for the transition. */
6477 error = avc_has_perm(&selinux_state,
6478 tsec->sid, sid, SECCLASS_PROCESS,
6479 PROCESS__DYNTRANSITION, NULL);
6483 /* Check for ptracing, and update the task SID if ok.
6484 Otherwise, leave SID unchanged and fail. */
6485 ptsid = ptrace_parent_sid();
6487 error = avc_has_perm(&selinux_state,
6488 ptsid, sid, SECCLASS_PROCESS,
6489 PROCESS__PTRACE, NULL);
6508 static int selinux_ismaclabel(const char *name)
6510 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6513 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6515 return security_sid_to_context(&selinux_state, secid,
6519 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6521 return security_context_to_sid(&selinux_state, secdata, seclen,
6525 static void selinux_release_secctx(char *secdata, u32 seclen)
6530 static void selinux_inode_invalidate_secctx(struct inode *inode)
6532 struct inode_security_struct *isec = selinux_inode(inode);
6534 spin_lock(&isec->lock);
6535 isec->initialized = LABEL_INVALID;
6536 spin_unlock(&isec->lock);
6540 * called with inode->i_mutex locked
6542 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6544 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6546 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6547 return rc == -EOPNOTSUPP ? 0 : rc;
6551 * called with inode->i_mutex locked
6553 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6555 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6558 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6561 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6570 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6571 unsigned long flags)
6573 const struct task_security_struct *tsec;
6574 struct key_security_struct *ksec;
6576 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6580 tsec = selinux_cred(cred);
6581 if (tsec->keycreate_sid)
6582 ksec->sid = tsec->keycreate_sid;
6584 ksec->sid = tsec->sid;
6590 static void selinux_key_free(struct key *k)
6592 struct key_security_struct *ksec = k->security;
6598 static int selinux_key_permission(key_ref_t key_ref,
6599 const struct cred *cred,
6603 struct key_security_struct *ksec;
6606 /* if no specific permissions are requested, we skip the
6607 permission check. No serious, additional covert channels
6608 appear to be created. */
6612 sid = cred_sid(cred);
6614 key = key_ref_to_ptr(key_ref);
6615 ksec = key->security;
6617 return avc_has_perm(&selinux_state,
6618 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6621 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6623 struct key_security_struct *ksec = key->security;
6624 char *context = NULL;
6628 rc = security_sid_to_context(&selinux_state, ksec->sid,
6637 #ifdef CONFIG_SECURITY_INFINIBAND
6638 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6640 struct common_audit_data ad;
6643 struct ib_security_struct *sec = ib_sec;
6644 struct lsm_ibpkey_audit ibpkey;
6646 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6650 ad.type = LSM_AUDIT_DATA_IBPKEY;
6651 ibpkey.subnet_prefix = subnet_prefix;
6652 ibpkey.pkey = pkey_val;
6653 ad.u.ibpkey = &ibpkey;
6654 return avc_has_perm(&selinux_state,
6656 SECCLASS_INFINIBAND_PKEY,
6657 INFINIBAND_PKEY__ACCESS, &ad);
6660 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6663 struct common_audit_data ad;
6666 struct ib_security_struct *sec = ib_sec;
6667 struct lsm_ibendport_audit ibendport;
6669 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6675 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6676 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6677 ibendport.port = port_num;
6678 ad.u.ibendport = &ibendport;
6679 return avc_has_perm(&selinux_state,
6681 SECCLASS_INFINIBAND_ENDPORT,
6682 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6685 static int selinux_ib_alloc_security(void **ib_sec)
6687 struct ib_security_struct *sec;
6689 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6692 sec->sid = current_sid();
6698 static void selinux_ib_free_security(void *ib_sec)
6704 #ifdef CONFIG_BPF_SYSCALL
6705 static int selinux_bpf(int cmd, union bpf_attr *attr,
6708 u32 sid = current_sid();
6712 case BPF_MAP_CREATE:
6713 ret = avc_has_perm(&selinux_state,
6714 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6718 ret = avc_has_perm(&selinux_state,
6719 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6730 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6734 if (fmode & FMODE_READ)
6735 av |= BPF__MAP_READ;
6736 if (fmode & FMODE_WRITE)
6737 av |= BPF__MAP_WRITE;
6741 /* This function will check the file pass through unix socket or binder to see
6742 * if it is a bpf related object. And apply correspinding checks on the bpf
6743 * object based on the type. The bpf maps and programs, not like other files and
6744 * socket, are using a shared anonymous inode inside the kernel as their inode.
6745 * So checking that inode cannot identify if the process have privilege to
6746 * access the bpf object and that's why we have to add this additional check in
6747 * selinux_file_receive and selinux_binder_transfer_files.
6749 static int bpf_fd_pass(struct file *file, u32 sid)
6751 struct bpf_security_struct *bpfsec;
6752 struct bpf_prog *prog;
6753 struct bpf_map *map;
6756 if (file->f_op == &bpf_map_fops) {
6757 map = file->private_data;
6758 bpfsec = map->security;
6759 ret = avc_has_perm(&selinux_state,
6760 sid, bpfsec->sid, SECCLASS_BPF,
6761 bpf_map_fmode_to_av(file->f_mode), NULL);
6764 } else if (file->f_op == &bpf_prog_fops) {
6765 prog = file->private_data;
6766 bpfsec = prog->aux->security;
6767 ret = avc_has_perm(&selinux_state,
6768 sid, bpfsec->sid, SECCLASS_BPF,
6769 BPF__PROG_RUN, NULL);
6776 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6778 u32 sid = current_sid();
6779 struct bpf_security_struct *bpfsec;
6781 bpfsec = map->security;
6782 return avc_has_perm(&selinux_state,
6783 sid, bpfsec->sid, SECCLASS_BPF,
6784 bpf_map_fmode_to_av(fmode), NULL);
6787 static int selinux_bpf_prog(struct bpf_prog *prog)
6789 u32 sid = current_sid();
6790 struct bpf_security_struct *bpfsec;
6792 bpfsec = prog->aux->security;
6793 return avc_has_perm(&selinux_state,
6794 sid, bpfsec->sid, SECCLASS_BPF,
6795 BPF__PROG_RUN, NULL);
6798 static int selinux_bpf_map_alloc(struct bpf_map *map)
6800 struct bpf_security_struct *bpfsec;
6802 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6806 bpfsec->sid = current_sid();
6807 map->security = bpfsec;
6812 static void selinux_bpf_map_free(struct bpf_map *map)
6814 struct bpf_security_struct *bpfsec = map->security;
6816 map->security = NULL;
6820 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6822 struct bpf_security_struct *bpfsec;
6824 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6828 bpfsec->sid = current_sid();
6829 aux->security = bpfsec;
6834 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6836 struct bpf_security_struct *bpfsec = aux->security;
6838 aux->security = NULL;
6843 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6844 .lbs_cred = sizeof(struct task_security_struct),
6845 .lbs_file = sizeof(struct file_security_struct),
6846 .lbs_inode = sizeof(struct inode_security_struct),
6847 .lbs_ipc = sizeof(struct ipc_security_struct),
6848 .lbs_msg_msg = sizeof(struct msg_security_struct),
6851 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6852 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6853 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6854 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6855 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6857 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6858 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6859 LSM_HOOK_INIT(capget, selinux_capget),
6860 LSM_HOOK_INIT(capset, selinux_capset),
6861 LSM_HOOK_INIT(capable, selinux_capable),
6862 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6863 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6864 LSM_HOOK_INIT(syslog, selinux_syslog),
6865 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6867 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6869 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6870 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6871 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6873 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
6874 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
6876 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6877 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6878 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
6879 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6880 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6881 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6882 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6883 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6884 LSM_HOOK_INIT(sb_mount, selinux_mount),
6885 LSM_HOOK_INIT(sb_umount, selinux_umount),
6886 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6887 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6888 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
6890 LSM_HOOK_INIT(move_mount, selinux_move_mount),
6892 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6893 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6895 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6896 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6897 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6898 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6899 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6900 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6901 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6902 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6903 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6904 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6905 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6906 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6907 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6908 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6909 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6910 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6911 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6912 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6913 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6914 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6915 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6916 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6917 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6918 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6919 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6920 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6921 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6922 LSM_HOOK_INIT(path_notify, selinux_path_notify),
6924 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
6926 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6927 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6928 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6929 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6930 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6931 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6932 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6933 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6934 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6935 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6936 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6938 LSM_HOOK_INIT(file_open, selinux_file_open),
6940 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6941 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6942 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6943 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6944 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6945 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6946 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6947 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6948 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6949 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6950 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6951 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6952 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6953 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6954 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6955 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6956 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6957 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6958 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6959 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6960 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6961 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6962 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6964 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6965 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6967 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6969 LSM_HOOK_INIT(msg_queue_alloc_security,
6970 selinux_msg_queue_alloc_security),
6971 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6972 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6973 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6974 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6976 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6977 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6978 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6979 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6981 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6982 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6983 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6984 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6986 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6988 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6989 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6991 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6992 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6993 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6994 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6995 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6996 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6997 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6998 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7000 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7001 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7003 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7004 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7005 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7006 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7007 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7008 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7009 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7010 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7011 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7012 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7013 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7014 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7015 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7016 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7017 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7018 LSM_HOOK_INIT(socket_getpeersec_stream,
7019 selinux_socket_getpeersec_stream),
7020 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7021 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7022 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7023 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7024 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7025 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7026 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7027 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7028 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7029 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7030 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7031 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7032 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7033 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7034 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7035 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7036 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7037 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7038 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7039 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7040 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7041 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7042 #ifdef CONFIG_SECURITY_INFINIBAND
7043 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7044 LSM_HOOK_INIT(ib_endport_manage_subnet,
7045 selinux_ib_endport_manage_subnet),
7046 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7047 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7049 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7050 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7051 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7052 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7053 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7054 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7055 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7056 selinux_xfrm_state_alloc_acquire),
7057 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7058 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7059 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7060 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7061 selinux_xfrm_state_pol_flow_match),
7062 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7066 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7067 LSM_HOOK_INIT(key_free, selinux_key_free),
7068 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7069 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7073 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7074 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7075 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7076 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7079 #ifdef CONFIG_BPF_SYSCALL
7080 LSM_HOOK_INIT(bpf, selinux_bpf),
7081 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7082 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7083 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7084 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7085 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7086 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7090 static __init int selinux_init(void)
7092 pr_info("SELinux: Initializing.\n");
7094 memset(&selinux_state, 0, sizeof(selinux_state));
7095 enforcing_set(&selinux_state, selinux_enforcing_boot);
7096 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7097 selinux_ss_init(&selinux_state.ss);
7098 selinux_avc_init(&selinux_state.avc);
7100 /* Set the security state for the initial task. */
7101 cred_init_security();
7103 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7109 ebitmap_cache_init();
7111 hashtab_cache_init();
7113 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7115 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7116 panic("SELinux: Unable to register AVC netcache callback\n");
7118 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7119 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7121 if (selinux_enforcing_boot)
7122 pr_debug("SELinux: Starting in enforcing mode\n");
7124 pr_debug("SELinux: Starting in permissive mode\n");
7126 fs_validate_description(&selinux_fs_parameters);
7131 static void delayed_superblock_init(struct super_block *sb, void *unused)
7133 selinux_set_mnt_opts(sb, NULL, 0, NULL);
7136 void selinux_complete_init(void)
7138 pr_debug("SELinux: Completing initialization.\n");
7140 /* Set up any superblocks initialized prior to the policy load. */
7141 pr_debug("SELinux: Setting up existing superblocks.\n");
7142 iterate_supers(delayed_superblock_init, NULL);
7145 /* SELinux requires early initialization in order to label
7146 all processes and objects when they are created. */
7147 DEFINE_LSM(selinux) = {
7149 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7150 .enabled = &selinux_enabled,
7151 .blobs = &selinux_blob_sizes,
7152 .init = selinux_init,
7155 #if defined(CONFIG_NETFILTER)
7157 static const struct nf_hook_ops selinux_nf_ops[] = {
7159 .hook = selinux_ipv4_postroute,
7161 .hooknum = NF_INET_POST_ROUTING,
7162 .priority = NF_IP_PRI_SELINUX_LAST,
7165 .hook = selinux_ipv4_forward,
7167 .hooknum = NF_INET_FORWARD,
7168 .priority = NF_IP_PRI_SELINUX_FIRST,
7171 .hook = selinux_ipv4_output,
7173 .hooknum = NF_INET_LOCAL_OUT,
7174 .priority = NF_IP_PRI_SELINUX_FIRST,
7176 #if IS_ENABLED(CONFIG_IPV6)
7178 .hook = selinux_ipv6_postroute,
7180 .hooknum = NF_INET_POST_ROUTING,
7181 .priority = NF_IP6_PRI_SELINUX_LAST,
7184 .hook = selinux_ipv6_forward,
7186 .hooknum = NF_INET_FORWARD,
7187 .priority = NF_IP6_PRI_SELINUX_FIRST,
7190 .hook = selinux_ipv6_output,
7192 .hooknum = NF_INET_LOCAL_OUT,
7193 .priority = NF_IP6_PRI_SELINUX_FIRST,
7198 static int __net_init selinux_nf_register(struct net *net)
7200 return nf_register_net_hooks(net, selinux_nf_ops,
7201 ARRAY_SIZE(selinux_nf_ops));
7204 static void __net_exit selinux_nf_unregister(struct net *net)
7206 nf_unregister_net_hooks(net, selinux_nf_ops,
7207 ARRAY_SIZE(selinux_nf_ops));
7210 static struct pernet_operations selinux_net_ops = {
7211 .init = selinux_nf_register,
7212 .exit = selinux_nf_unregister,
7215 static int __init selinux_nf_ip_init(void)
7219 if (!selinux_enabled)
7222 pr_debug("SELinux: Registering netfilter hooks\n");
7224 err = register_pernet_subsys(&selinux_net_ops);
7226 panic("SELinux: register_pernet_subsys: error %d\n", err);
7230 __initcall(selinux_nf_ip_init);
7232 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7233 static void selinux_nf_ip_exit(void)
7235 pr_debug("SELinux: Unregistering netfilter hooks\n");
7237 unregister_pernet_subsys(&selinux_net_ops);
7241 #else /* CONFIG_NETFILTER */
7243 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7244 #define selinux_nf_ip_exit()
7247 #endif /* CONFIG_NETFILTER */
7249 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7250 int selinux_disable(struct selinux_state *state)
7252 if (state->initialized) {
7253 /* Not permitted after initial policy load. */
7257 if (state->disabled) {
7258 /* Only do this once. */
7262 state->disabled = 1;
7264 pr_info("SELinux: Disabled at runtime.\n");
7266 selinux_enabled = 0;
7268 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7270 /* Try to destroy the avc node cache */
7273 /* Unregister netfilter hooks. */
7274 selinux_nf_ip_exit();
7276 /* Unregister selinuxfs. */