1 // SPDX-License-Identifier: GPL-2.0-only
3 * NSA Security-Enhanced Linux (SELinux) security module
5 * This file contains the SELinux hook function implementations.
7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * <dgoeddel@trustedcs.com>
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Paul Moore <paul@paul-moore.com>
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * Copyright (C) 2016 Mellanox Technologies
24 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched/signal.h>
31 #include <linux/sched/task.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/fs_context.h>
50 #include <linux/fs_parser.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/mutex.h>
83 #include <linux/posix-timers.h>
84 #include <linux/syslog.h>
85 #include <linux/user_namespace.h>
86 #include <linux/export.h>
87 #include <linux/msg.h>
88 #include <linux/shm.h>
89 #include <linux/bpf.h>
90 #include <linux/kernfs.h>
91 #include <linux/stringhash.h> /* for hashlen_string() */
92 #include <uapi/linux/mount.h>
93 #include <linux/fsnotify.h>
94 #include <linux/fanotify.h>
103 #include "netlabel.h"
107 struct selinux_state selinux_state;
109 /* SECMARK reference count */
110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
113 static int selinux_enforcing_boot __initdata;
115 static int __init enforcing_setup(char *str)
117 unsigned long enforcing;
118 if (!kstrtoul(str, 0, &enforcing))
119 selinux_enforcing_boot = enforcing ? 1 : 0;
122 __setup("enforcing=", enforcing_setup);
124 #define selinux_enforcing_boot 1
127 int selinux_enabled_boot __initdata = 1;
128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
129 static int __init selinux_enabled_setup(char *str)
131 unsigned long enabled;
132 if (!kstrtoul(str, 0, &enabled))
133 selinux_enabled_boot = enabled ? 1 : 0;
136 __setup("selinux=", selinux_enabled_setup);
139 static unsigned int selinux_checkreqprot_boot =
140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
142 static int __init checkreqprot_setup(char *str)
144 unsigned long checkreqprot;
146 if (!kstrtoul(str, 0, &checkreqprot)) {
147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
149 pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
153 __setup("checkreqprot=", checkreqprot_setup);
156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
159 * This function checks the SECMARK reference counter to see if any SECMARK
160 * targets are currently configured, if the reference counter is greater than
161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
162 * enabled, false (0) if SECMARK is disabled. If the always_check_network
163 * policy capability is enabled, SECMARK is always considered enabled.
166 static int selinux_secmark_enabled(void)
168 return (selinux_policycap_alwaysnetwork() ||
169 atomic_read(&selinux_secmark_refcount));
173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
177 * (1) if any are enabled or false (0) if neither are enabled. If the
178 * always_check_network policy capability is enabled, peer labeling
179 * is always considered enabled.
182 static int selinux_peerlbl_enabled(void)
184 return (selinux_policycap_alwaysnetwork() ||
185 netlbl_enabled() || selinux_xfrm_enabled());
188 static int selinux_netcache_avc_callback(u32 event)
190 if (event == AVC_CALLBACK_RESET) {
199 static int selinux_lsm_notifier_avc_callback(u32 event)
201 if (event == AVC_CALLBACK_RESET) {
203 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
210 * initialise the security for the init task
212 static void cred_init_security(void)
214 struct cred *cred = (struct cred *) current->real_cred;
215 struct task_security_struct *tsec;
217 tsec = selinux_cred(cred);
218 tsec->osid = tsec->sid = SECINITSID_KERNEL;
222 * get the security ID of a set of credentials
224 static inline u32 cred_sid(const struct cred *cred)
226 const struct task_security_struct *tsec;
228 tsec = selinux_cred(cred);
233 * get the objective security ID of a task
235 static inline u32 task_sid_obj(const struct task_struct *task)
240 sid = cred_sid(__task_cred(task));
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns -ECHILD when the label is
251 * invalid. The @dentry parameter should be set to a dentry of the inode.
253 static int __inode_security_revalidate(struct inode *inode,
254 struct dentry *dentry,
257 struct inode_security_struct *isec = selinux_inode(inode);
259 might_sleep_if(may_sleep);
261 if (selinux_initialized(&selinux_state) &&
262 isec->initialized != LABEL_INITIALIZED) {
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
271 inode_doinit_with_dentry(inode, dentry);
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
278 return selinux_inode(inode);
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
285 error = __inode_security_revalidate(inode, NULL, !rcu);
287 return ERR_PTR(error);
288 return selinux_inode(inode);
292 * Get the security label of an inode.
294 static struct inode_security_struct *inode_security(struct inode *inode)
296 __inode_security_revalidate(inode, NULL, true);
297 return selinux_inode(inode);
300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
302 struct inode *inode = d_backing_inode(dentry);
304 return selinux_inode(inode);
308 * Get the security label of a dentry's backing inode.
310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
312 struct inode *inode = d_backing_inode(dentry);
314 __inode_security_revalidate(inode, dentry, true);
315 return selinux_inode(inode);
318 static void inode_free_security(struct inode *inode)
320 struct inode_security_struct *isec = selinux_inode(inode);
321 struct superblock_security_struct *sbsec;
325 sbsec = selinux_superblock(inode->i_sb);
327 * As not all inode security structures are in a list, we check for
328 * empty list outside of the lock to make sure that we won't waste
329 * time taking a lock doing nothing.
331 * The list_del_init() function can be safely called more than once.
332 * It should not be possible for this function to be called with
333 * concurrent list_add(), but for better safety against future changes
334 * in the code, we use list_empty_careful() here.
336 if (!list_empty_careful(&isec->list)) {
337 spin_lock(&sbsec->isec_lock);
338 list_del_init(&isec->list);
339 spin_unlock(&sbsec->isec_lock);
343 struct selinux_mnt_opts {
344 const char *fscontext, *context, *rootcontext, *defcontext;
351 static void selinux_free_mnt_opts(void *mnt_opts)
353 struct selinux_mnt_opts *opts = mnt_opts;
354 kfree(opts->fscontext);
355 kfree(opts->context);
356 kfree(opts->rootcontext);
357 kfree(opts->defcontext);
370 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
380 A(rootcontext, true),
385 static int match_opt_prefix(char *s, int l, char **arg)
389 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
390 size_t len = tokens[i].len;
391 if (len > l || memcmp(s, tokens[i].name, len))
393 if (tokens[i].has_arg) {
394 if (len == l || s[len] != '=')
399 return tokens[i].opt;
404 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
406 static int may_context_mount_sb_relabel(u32 sid,
407 struct superblock_security_struct *sbsec,
408 const struct cred *cred)
410 const struct task_security_struct *tsec = selinux_cred(cred);
413 rc = avc_has_perm(&selinux_state,
414 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
415 FILESYSTEM__RELABELFROM, NULL);
419 rc = avc_has_perm(&selinux_state,
420 tsec->sid, sid, SECCLASS_FILESYSTEM,
421 FILESYSTEM__RELABELTO, NULL);
425 static int may_context_mount_inode_relabel(u32 sid,
426 struct superblock_security_struct *sbsec,
427 const struct cred *cred)
429 const struct task_security_struct *tsec = selinux_cred(cred);
431 rc = avc_has_perm(&selinux_state,
432 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
433 FILESYSTEM__RELABELFROM, NULL);
437 rc = avc_has_perm(&selinux_state,
438 sid, sbsec->sid, SECCLASS_FILESYSTEM,
439 FILESYSTEM__ASSOCIATE, NULL);
443 static int selinux_is_genfs_special_handling(struct super_block *sb)
445 /* Special handling. Genfs but also in-core setxattr handler */
446 return !strcmp(sb->s_type->name, "sysfs") ||
447 !strcmp(sb->s_type->name, "pstore") ||
448 !strcmp(sb->s_type->name, "debugfs") ||
449 !strcmp(sb->s_type->name, "tracefs") ||
450 !strcmp(sb->s_type->name, "rootfs") ||
451 (selinux_policycap_cgroupseclabel() &&
452 (!strcmp(sb->s_type->name, "cgroup") ||
453 !strcmp(sb->s_type->name, "cgroup2")));
456 static int selinux_is_sblabel_mnt(struct super_block *sb)
458 struct superblock_security_struct *sbsec = selinux_superblock(sb);
461 * IMPORTANT: Double-check logic in this function when adding a new
462 * SECURITY_FS_USE_* definition!
464 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
466 switch (sbsec->behavior) {
467 case SECURITY_FS_USE_XATTR:
468 case SECURITY_FS_USE_TRANS:
469 case SECURITY_FS_USE_TASK:
470 case SECURITY_FS_USE_NATIVE:
473 case SECURITY_FS_USE_GENFS:
474 return selinux_is_genfs_special_handling(sb);
476 /* Never allow relabeling on context mounts */
477 case SECURITY_FS_USE_MNTPOINT:
478 case SECURITY_FS_USE_NONE:
484 static int sb_check_xattr_support(struct super_block *sb)
486 struct superblock_security_struct *sbsec = selinux_superblock(sb);
487 struct dentry *root = sb->s_root;
488 struct inode *root_inode = d_backing_inode(root);
493 * Make sure that the xattr handler exists and that no
494 * error other than -ENODATA is returned by getxattr on
495 * the root directory. -ENODATA is ok, as this may be
496 * the first boot of the SELinux kernel before we have
497 * assigned xattr values to the filesystem.
499 if (!(root_inode->i_opflags & IOP_XATTR)) {
500 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
501 sb->s_id, sb->s_type->name);
505 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
506 if (rc < 0 && rc != -ENODATA) {
507 if (rc == -EOPNOTSUPP) {
508 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
509 sb->s_id, sb->s_type->name);
512 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
513 sb->s_id, sb->s_type->name, -rc);
520 /* No xattr support - try to fallback to genfs if possible. */
521 rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/",
526 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
527 sb->s_id, sb->s_type->name);
528 sbsec->behavior = SECURITY_FS_USE_GENFS;
533 static int sb_finish_set_opts(struct super_block *sb)
535 struct superblock_security_struct *sbsec = selinux_superblock(sb);
536 struct dentry *root = sb->s_root;
537 struct inode *root_inode = d_backing_inode(root);
540 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
541 rc = sb_check_xattr_support(sb);
546 sbsec->flags |= SE_SBINITIALIZED;
549 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
550 * leave the flag untouched because sb_clone_mnt_opts might be handing
551 * us a superblock that needs the flag to be cleared.
553 if (selinux_is_sblabel_mnt(sb))
554 sbsec->flags |= SBLABEL_MNT;
556 sbsec->flags &= ~SBLABEL_MNT;
558 /* Initialize the root inode. */
559 rc = inode_doinit_with_dentry(root_inode, root);
561 /* Initialize any other inodes associated with the superblock, e.g.
562 inodes created prior to initial policy load or inodes created
563 during get_sb by a pseudo filesystem that directly
565 spin_lock(&sbsec->isec_lock);
566 while (!list_empty(&sbsec->isec_head)) {
567 struct inode_security_struct *isec =
568 list_first_entry(&sbsec->isec_head,
569 struct inode_security_struct, list);
570 struct inode *inode = isec->inode;
571 list_del_init(&isec->list);
572 spin_unlock(&sbsec->isec_lock);
573 inode = igrab(inode);
575 if (!IS_PRIVATE(inode))
576 inode_doinit_with_dentry(inode, NULL);
579 spin_lock(&sbsec->isec_lock);
581 spin_unlock(&sbsec->isec_lock);
585 static int bad_option(struct superblock_security_struct *sbsec, char flag,
586 u32 old_sid, u32 new_sid)
588 char mnt_flags = sbsec->flags & SE_MNTMASK;
590 /* check if the old mount command had the same options */
591 if (sbsec->flags & SE_SBINITIALIZED)
592 if (!(sbsec->flags & flag) ||
593 (old_sid != new_sid))
596 /* check if we were passed the same options twice,
597 * aka someone passed context=a,context=b
599 if (!(sbsec->flags & SE_SBINITIALIZED))
600 if (mnt_flags & flag)
605 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
607 int rc = security_context_str_to_sid(&selinux_state, s,
610 pr_warn("SELinux: security_context_str_to_sid"
611 "(%s) failed for (dev %s, type %s) errno=%d\n",
612 s, sb ? sb->s_id : "?", sb ? sb->s_type->name : "?", rc);
617 * Allow filesystems with binary mount data to explicitly set mount point
618 * labeling information.
620 static int selinux_set_mnt_opts(struct super_block *sb,
622 unsigned long kern_flags,
623 unsigned long *set_kern_flags)
625 const struct cred *cred = current_cred();
626 struct superblock_security_struct *sbsec = selinux_superblock(sb);
627 struct dentry *root = sb->s_root;
628 struct selinux_mnt_opts *opts = mnt_opts;
629 struct inode_security_struct *root_isec;
630 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
631 u32 defcontext_sid = 0;
634 mutex_lock(&sbsec->lock);
636 if (!selinux_initialized(&selinux_state)) {
638 /* Defer initialization until selinux_complete_init,
639 after the initial policy is loaded and the security
640 server is ready to handle calls. */
644 pr_warn("SELinux: Unable to set superblock options "
645 "before the security server is initialized\n");
648 if (kern_flags && !set_kern_flags) {
649 /* Specifying internal flags without providing a place to
650 * place the results is not allowed */
656 * Binary mount data FS will come through this function twice. Once
657 * from an explicit call and once from the generic calls from the vfs.
658 * Since the generic VFS calls will not contain any security mount data
659 * we need to skip the double mount verification.
661 * This does open a hole in which we will not notice if the first
662 * mount using this sb set explict options and a second mount using
663 * this sb does not set any security options. (The first options
664 * will be used for both mounts)
666 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
670 root_isec = backing_inode_security_novalidate(root);
673 * parse the mount options, check if they are valid sids.
674 * also check if someone is trying to mount the same sb more
675 * than once with different security options.
678 if (opts->fscontext) {
679 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
682 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
684 goto out_double_mount;
685 sbsec->flags |= FSCONTEXT_MNT;
688 rc = parse_sid(sb, opts->context, &context_sid);
691 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
693 goto out_double_mount;
694 sbsec->flags |= CONTEXT_MNT;
696 if (opts->rootcontext) {
697 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
700 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
702 goto out_double_mount;
703 sbsec->flags |= ROOTCONTEXT_MNT;
705 if (opts->defcontext) {
706 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
709 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
711 goto out_double_mount;
712 sbsec->flags |= DEFCONTEXT_MNT;
716 if (sbsec->flags & SE_SBINITIALIZED) {
717 /* previously mounted with options, but not on this attempt? */
718 if ((sbsec->flags & SE_MNTMASK) && !opts)
719 goto out_double_mount;
724 if (strcmp(sb->s_type->name, "proc") == 0)
725 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
727 if (!strcmp(sb->s_type->name, "debugfs") ||
728 !strcmp(sb->s_type->name, "tracefs") ||
729 !strcmp(sb->s_type->name, "binder") ||
730 !strcmp(sb->s_type->name, "bpf") ||
731 !strcmp(sb->s_type->name, "pstore") ||
732 !strcmp(sb->s_type->name, "securityfs"))
733 sbsec->flags |= SE_SBGENFS;
735 if (!strcmp(sb->s_type->name, "sysfs") ||
736 !strcmp(sb->s_type->name, "cgroup") ||
737 !strcmp(sb->s_type->name, "cgroup2"))
738 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
740 if (!sbsec->behavior) {
742 * Determine the labeling behavior to use for this
745 rc = security_fs_use(&selinux_state, sb);
747 pr_warn("%s: security_fs_use(%s) returned %d\n",
748 __func__, sb->s_type->name, rc);
754 * If this is a user namespace mount and the filesystem type is not
755 * explicitly whitelisted, then no contexts are allowed on the command
756 * line and security labels must be ignored.
758 if (sb->s_user_ns != &init_user_ns &&
759 strcmp(sb->s_type->name, "tmpfs") &&
760 strcmp(sb->s_type->name, "ramfs") &&
761 strcmp(sb->s_type->name, "devpts") &&
762 strcmp(sb->s_type->name, "overlay")) {
763 if (context_sid || fscontext_sid || rootcontext_sid ||
768 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
769 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
770 rc = security_transition_sid(&selinux_state,
774 &sbsec->mntpoint_sid);
781 /* sets the context of the superblock for the fs being mounted. */
783 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
787 sbsec->sid = fscontext_sid;
791 * Switch to using mount point labeling behavior.
792 * sets the label used on all file below the mountpoint, and will set
793 * the superblock context if not already set.
795 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
796 sbsec->behavior = SECURITY_FS_USE_NATIVE;
797 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
801 if (!fscontext_sid) {
802 rc = may_context_mount_sb_relabel(context_sid, sbsec,
806 sbsec->sid = context_sid;
808 rc = may_context_mount_inode_relabel(context_sid, sbsec,
813 if (!rootcontext_sid)
814 rootcontext_sid = context_sid;
816 sbsec->mntpoint_sid = context_sid;
817 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
820 if (rootcontext_sid) {
821 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
826 root_isec->sid = rootcontext_sid;
827 root_isec->initialized = LABEL_INITIALIZED;
830 if (defcontext_sid) {
831 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
832 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
834 pr_warn("SELinux: defcontext option is "
835 "invalid for this filesystem type\n");
839 if (defcontext_sid != sbsec->def_sid) {
840 rc = may_context_mount_inode_relabel(defcontext_sid,
846 sbsec->def_sid = defcontext_sid;
850 rc = sb_finish_set_opts(sb);
852 mutex_unlock(&sbsec->lock);
856 pr_warn("SELinux: mount invalid. Same superblock, different "
857 "security settings for (dev %s, type %s)\n", sb->s_id,
862 static int selinux_cmp_sb_context(const struct super_block *oldsb,
863 const struct super_block *newsb)
865 struct superblock_security_struct *old = selinux_superblock(oldsb);
866 struct superblock_security_struct *new = selinux_superblock(newsb);
867 char oldflags = old->flags & SE_MNTMASK;
868 char newflags = new->flags & SE_MNTMASK;
870 if (oldflags != newflags)
872 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
874 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
876 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
878 if (oldflags & ROOTCONTEXT_MNT) {
879 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
880 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
881 if (oldroot->sid != newroot->sid)
886 pr_warn("SELinux: mount invalid. Same superblock, "
887 "different security settings for (dev %s, "
888 "type %s)\n", newsb->s_id, newsb->s_type->name);
892 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
893 struct super_block *newsb,
894 unsigned long kern_flags,
895 unsigned long *set_kern_flags)
898 const struct superblock_security_struct *oldsbsec =
899 selinux_superblock(oldsb);
900 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
902 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
903 int set_context = (oldsbsec->flags & CONTEXT_MNT);
904 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
907 * if the parent was able to be mounted it clearly had no special lsm
908 * mount options. thus we can safely deal with this superblock later
910 if (!selinux_initialized(&selinux_state))
914 * Specifying internal flags without providing a place to
915 * place the results is not allowed.
917 if (kern_flags && !set_kern_flags)
920 /* how can we clone if the old one wasn't set up?? */
921 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
923 /* if fs is reusing a sb, make sure that the contexts match */
924 if (newsbsec->flags & SE_SBINITIALIZED) {
925 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
926 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
927 return selinux_cmp_sb_context(oldsb, newsb);
930 mutex_lock(&newsbsec->lock);
932 newsbsec->flags = oldsbsec->flags;
934 newsbsec->sid = oldsbsec->sid;
935 newsbsec->def_sid = oldsbsec->def_sid;
936 newsbsec->behavior = oldsbsec->behavior;
938 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
939 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
940 rc = security_fs_use(&selinux_state, newsb);
945 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
946 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
947 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
951 u32 sid = oldsbsec->mntpoint_sid;
955 if (!set_rootcontext) {
956 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
959 newsbsec->mntpoint_sid = sid;
961 if (set_rootcontext) {
962 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
963 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
965 newisec->sid = oldisec->sid;
968 sb_finish_set_opts(newsb);
970 mutex_unlock(&newsbsec->lock);
974 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
976 struct selinux_mnt_opts *opts = *mnt_opts;
977 bool is_alloc_opts = false;
979 if (token == Opt_seclabel)
980 /* eaten and completely ignored */
986 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
990 is_alloc_opts = true;
995 if (opts->context || opts->defcontext)
998 if (selinux_initialized(&selinux_state))
999 parse_sid(NULL, s, &opts->context_sid);
1002 if (opts->fscontext)
1004 opts->fscontext = s;
1005 if (selinux_initialized(&selinux_state))
1006 parse_sid(NULL, s, &opts->fscontext_sid);
1008 case Opt_rootcontext:
1009 if (opts->rootcontext)
1011 opts->rootcontext = s;
1012 if (selinux_initialized(&selinux_state))
1013 parse_sid(NULL, s, &opts->rootcontext_sid);
1015 case Opt_defcontext:
1016 if (opts->context || opts->defcontext)
1018 opts->defcontext = s;
1019 if (selinux_initialized(&selinux_state))
1020 parse_sid(NULL, s, &opts->defcontext_sid);
1027 if (is_alloc_opts) {
1031 pr_warn(SEL_MOUNT_FAIL_MSG);
1035 static int show_sid(struct seq_file *m, u32 sid)
1037 char *context = NULL;
1041 rc = security_sid_to_context(&selinux_state, sid,
1044 bool has_comma = context && strchr(context, ',');
1049 seq_escape(m, context, "\"\n\\");
1057 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1059 struct superblock_security_struct *sbsec = selinux_superblock(sb);
1062 if (!(sbsec->flags & SE_SBINITIALIZED))
1065 if (!selinux_initialized(&selinux_state))
1068 if (sbsec->flags & FSCONTEXT_MNT) {
1070 seq_puts(m, FSCONTEXT_STR);
1071 rc = show_sid(m, sbsec->sid);
1075 if (sbsec->flags & CONTEXT_MNT) {
1077 seq_puts(m, CONTEXT_STR);
1078 rc = show_sid(m, sbsec->mntpoint_sid);
1082 if (sbsec->flags & DEFCONTEXT_MNT) {
1084 seq_puts(m, DEFCONTEXT_STR);
1085 rc = show_sid(m, sbsec->def_sid);
1089 if (sbsec->flags & ROOTCONTEXT_MNT) {
1090 struct dentry *root = sb->s_root;
1091 struct inode_security_struct *isec = backing_inode_security(root);
1093 seq_puts(m, ROOTCONTEXT_STR);
1094 rc = show_sid(m, isec->sid);
1098 if (sbsec->flags & SBLABEL_MNT) {
1100 seq_puts(m, SECLABEL_STR);
1105 static inline u16 inode_mode_to_security_class(umode_t mode)
1107 switch (mode & S_IFMT) {
1109 return SECCLASS_SOCK_FILE;
1111 return SECCLASS_LNK_FILE;
1113 return SECCLASS_FILE;
1115 return SECCLASS_BLK_FILE;
1117 return SECCLASS_DIR;
1119 return SECCLASS_CHR_FILE;
1121 return SECCLASS_FIFO_FILE;
1125 return SECCLASS_FILE;
1128 static inline int default_protocol_stream(int protocol)
1130 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1131 protocol == IPPROTO_MPTCP);
1134 static inline int default_protocol_dgram(int protocol)
1136 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1139 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1141 int extsockclass = selinux_policycap_extsockclass();
1147 case SOCK_SEQPACKET:
1148 return SECCLASS_UNIX_STREAM_SOCKET;
1151 return SECCLASS_UNIX_DGRAM_SOCKET;
1158 case SOCK_SEQPACKET:
1159 if (default_protocol_stream(protocol))
1160 return SECCLASS_TCP_SOCKET;
1161 else if (extsockclass && protocol == IPPROTO_SCTP)
1162 return SECCLASS_SCTP_SOCKET;
1164 return SECCLASS_RAWIP_SOCKET;
1166 if (default_protocol_dgram(protocol))
1167 return SECCLASS_UDP_SOCKET;
1168 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1169 protocol == IPPROTO_ICMPV6))
1170 return SECCLASS_ICMP_SOCKET;
1172 return SECCLASS_RAWIP_SOCKET;
1174 return SECCLASS_DCCP_SOCKET;
1176 return SECCLASS_RAWIP_SOCKET;
1182 return SECCLASS_NETLINK_ROUTE_SOCKET;
1183 case NETLINK_SOCK_DIAG:
1184 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1186 return SECCLASS_NETLINK_NFLOG_SOCKET;
1188 return SECCLASS_NETLINK_XFRM_SOCKET;
1189 case NETLINK_SELINUX:
1190 return SECCLASS_NETLINK_SELINUX_SOCKET;
1192 return SECCLASS_NETLINK_ISCSI_SOCKET;
1194 return SECCLASS_NETLINK_AUDIT_SOCKET;
1195 case NETLINK_FIB_LOOKUP:
1196 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1197 case NETLINK_CONNECTOR:
1198 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1199 case NETLINK_NETFILTER:
1200 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1201 case NETLINK_DNRTMSG:
1202 return SECCLASS_NETLINK_DNRT_SOCKET;
1203 case NETLINK_KOBJECT_UEVENT:
1204 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1205 case NETLINK_GENERIC:
1206 return SECCLASS_NETLINK_GENERIC_SOCKET;
1207 case NETLINK_SCSITRANSPORT:
1208 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1210 return SECCLASS_NETLINK_RDMA_SOCKET;
1211 case NETLINK_CRYPTO:
1212 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1214 return SECCLASS_NETLINK_SOCKET;
1217 return SECCLASS_PACKET_SOCKET;
1219 return SECCLASS_KEY_SOCKET;
1221 return SECCLASS_APPLETALK_SOCKET;
1227 return SECCLASS_AX25_SOCKET;
1229 return SECCLASS_IPX_SOCKET;
1231 return SECCLASS_NETROM_SOCKET;
1233 return SECCLASS_ATMPVC_SOCKET;
1235 return SECCLASS_X25_SOCKET;
1237 return SECCLASS_ROSE_SOCKET;
1239 return SECCLASS_DECNET_SOCKET;
1241 return SECCLASS_ATMSVC_SOCKET;
1243 return SECCLASS_RDS_SOCKET;
1245 return SECCLASS_IRDA_SOCKET;
1247 return SECCLASS_PPPOX_SOCKET;
1249 return SECCLASS_LLC_SOCKET;
1251 return SECCLASS_CAN_SOCKET;
1253 return SECCLASS_TIPC_SOCKET;
1255 return SECCLASS_BLUETOOTH_SOCKET;
1257 return SECCLASS_IUCV_SOCKET;
1259 return SECCLASS_RXRPC_SOCKET;
1261 return SECCLASS_ISDN_SOCKET;
1263 return SECCLASS_PHONET_SOCKET;
1265 return SECCLASS_IEEE802154_SOCKET;
1267 return SECCLASS_CAIF_SOCKET;
1269 return SECCLASS_ALG_SOCKET;
1271 return SECCLASS_NFC_SOCKET;
1273 return SECCLASS_VSOCK_SOCKET;
1275 return SECCLASS_KCM_SOCKET;
1277 return SECCLASS_QIPCRTR_SOCKET;
1279 return SECCLASS_SMC_SOCKET;
1281 return SECCLASS_XDP_SOCKET;
1283 return SECCLASS_MCTP_SOCKET;
1285 #error New address family defined, please update this function.
1290 return SECCLASS_SOCKET;
1293 static int selinux_genfs_get_sid(struct dentry *dentry,
1299 struct super_block *sb = dentry->d_sb;
1300 char *buffer, *path;
1302 buffer = (char *)__get_free_page(GFP_KERNEL);
1306 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1310 if (flags & SE_SBPROC) {
1311 /* each process gets a /proc/PID/ entry. Strip off the
1312 * PID part to get a valid selinux labeling.
1313 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1314 while (path[1] >= '0' && path[1] <= '9') {
1319 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1321 if (rc == -ENOENT) {
1322 /* No match in policy, mark as unlabeled. */
1323 *sid = SECINITSID_UNLABELED;
1327 free_page((unsigned long)buffer);
1331 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1332 u32 def_sid, u32 *sid)
1334 #define INITCONTEXTLEN 255
1339 len = INITCONTEXTLEN;
1340 context = kmalloc(len + 1, GFP_NOFS);
1344 context[len] = '\0';
1345 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1346 if (rc == -ERANGE) {
1349 /* Need a larger buffer. Query for the right size. */
1350 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1355 context = kmalloc(len + 1, GFP_NOFS);
1359 context[len] = '\0';
1360 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1365 if (rc != -ENODATA) {
1366 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1367 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1374 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1377 char *dev = inode->i_sb->s_id;
1378 unsigned long ino = inode->i_ino;
1380 if (rc == -EINVAL) {
1381 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1384 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1385 __func__, context, -rc, dev, ino);
1392 /* The inode's security attributes must be initialized before first use. */
1393 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1395 struct superblock_security_struct *sbsec = NULL;
1396 struct inode_security_struct *isec = selinux_inode(inode);
1397 u32 task_sid, sid = 0;
1399 struct dentry *dentry;
1402 if (isec->initialized == LABEL_INITIALIZED)
1405 spin_lock(&isec->lock);
1406 if (isec->initialized == LABEL_INITIALIZED)
1409 if (isec->sclass == SECCLASS_FILE)
1410 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1412 sbsec = selinux_superblock(inode->i_sb);
1413 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1414 /* Defer initialization until selinux_complete_init,
1415 after the initial policy is loaded and the security
1416 server is ready to handle calls. */
1417 spin_lock(&sbsec->isec_lock);
1418 if (list_empty(&isec->list))
1419 list_add(&isec->list, &sbsec->isec_head);
1420 spin_unlock(&sbsec->isec_lock);
1424 sclass = isec->sclass;
1425 task_sid = isec->task_sid;
1427 isec->initialized = LABEL_PENDING;
1428 spin_unlock(&isec->lock);
1430 switch (sbsec->behavior) {
1431 case SECURITY_FS_USE_NATIVE:
1433 case SECURITY_FS_USE_XATTR:
1434 if (!(inode->i_opflags & IOP_XATTR)) {
1435 sid = sbsec->def_sid;
1438 /* Need a dentry, since the xattr API requires one.
1439 Life would be simpler if we could just pass the inode. */
1441 /* Called from d_instantiate or d_splice_alias. */
1442 dentry = dget(opt_dentry);
1445 * Called from selinux_complete_init, try to find a dentry.
1446 * Some filesystems really want a connected one, so try
1447 * that first. We could split SECURITY_FS_USE_XATTR in
1448 * two, depending upon that...
1450 dentry = d_find_alias(inode);
1452 dentry = d_find_any_alias(inode);
1456 * this is can be hit on boot when a file is accessed
1457 * before the policy is loaded. When we load policy we
1458 * may find inodes that have no dentry on the
1459 * sbsec->isec_head list. No reason to complain as these
1460 * will get fixed up the next time we go through
1461 * inode_doinit with a dentry, before these inodes could
1462 * be used again by userspace.
1467 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1473 case SECURITY_FS_USE_TASK:
1476 case SECURITY_FS_USE_TRANS:
1477 /* Default to the fs SID. */
1480 /* Try to obtain a transition SID. */
1481 rc = security_transition_sid(&selinux_state, task_sid, sid,
1482 sclass, NULL, &sid);
1486 case SECURITY_FS_USE_MNTPOINT:
1487 sid = sbsec->mntpoint_sid;
1490 /* Default to the fs superblock SID. */
1493 if ((sbsec->flags & SE_SBGENFS) &&
1494 (!S_ISLNK(inode->i_mode) ||
1495 selinux_policycap_genfs_seclabel_symlinks())) {
1496 /* We must have a dentry to determine the label on
1499 /* Called from d_instantiate or
1500 * d_splice_alias. */
1501 dentry = dget(opt_dentry);
1503 /* Called from selinux_complete_init, try to
1504 * find a dentry. Some filesystems really want
1505 * a connected one, so try that first.
1507 dentry = d_find_alias(inode);
1509 dentry = d_find_any_alias(inode);
1512 * This can be hit on boot when a file is accessed
1513 * before the policy is loaded. When we load policy we
1514 * may find inodes that have no dentry on the
1515 * sbsec->isec_head list. No reason to complain as
1516 * these will get fixed up the next time we go through
1517 * inode_doinit() with a dentry, before these inodes
1518 * could be used again by userspace.
1522 rc = selinux_genfs_get_sid(dentry, sclass,
1523 sbsec->flags, &sid);
1529 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1530 (inode->i_opflags & IOP_XATTR)) {
1531 rc = inode_doinit_use_xattr(inode, dentry,
1544 spin_lock(&isec->lock);
1545 if (isec->initialized == LABEL_PENDING) {
1547 isec->initialized = LABEL_INVALID;
1550 isec->initialized = LABEL_INITIALIZED;
1555 spin_unlock(&isec->lock);
1559 spin_lock(&isec->lock);
1560 if (isec->initialized == LABEL_PENDING) {
1561 isec->initialized = LABEL_INVALID;
1564 spin_unlock(&isec->lock);
1568 /* Convert a Linux signal to an access vector. */
1569 static inline u32 signal_to_av(int sig)
1575 /* Commonly granted from child to parent. */
1576 perm = PROCESS__SIGCHLD;
1579 /* Cannot be caught or ignored */
1580 perm = PROCESS__SIGKILL;
1583 /* Cannot be caught or ignored */
1584 perm = PROCESS__SIGSTOP;
1587 /* All other signals. */
1588 perm = PROCESS__SIGNAL;
1595 #if CAP_LAST_CAP > 63
1596 #error Fix SELinux to handle capabilities > 63.
1599 /* Check whether a task is allowed to use a capability. */
1600 static int cred_has_capability(const struct cred *cred,
1601 int cap, unsigned int opts, bool initns)
1603 struct common_audit_data ad;
1604 struct av_decision avd;
1606 u32 sid = cred_sid(cred);
1607 u32 av = CAP_TO_MASK(cap);
1610 ad.type = LSM_AUDIT_DATA_CAP;
1613 switch (CAP_TO_INDEX(cap)) {
1615 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1618 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1621 pr_err("SELinux: out of range capability %d\n", cap);
1626 rc = avc_has_perm_noaudit(&selinux_state,
1627 sid, sid, sclass, av, 0, &avd);
1628 if (!(opts & CAP_OPT_NOAUDIT)) {
1629 int rc2 = avc_audit(&selinux_state,
1630 sid, sid, sclass, av, &avd, rc, &ad);
1637 /* Check whether a task has a particular permission to an inode.
1638 The 'adp' parameter is optional and allows other audit
1639 data to be passed (e.g. the dentry). */
1640 static int inode_has_perm(const struct cred *cred,
1641 struct inode *inode,
1643 struct common_audit_data *adp)
1645 struct inode_security_struct *isec;
1648 validate_creds(cred);
1650 if (unlikely(IS_PRIVATE(inode)))
1653 sid = cred_sid(cred);
1654 isec = selinux_inode(inode);
1656 return avc_has_perm(&selinux_state,
1657 sid, isec->sid, isec->sclass, perms, adp);
1660 /* Same as inode_has_perm, but pass explicit audit data containing
1661 the dentry to help the auditing code to more easily generate the
1662 pathname if needed. */
1663 static inline int dentry_has_perm(const struct cred *cred,
1664 struct dentry *dentry,
1667 struct inode *inode = d_backing_inode(dentry);
1668 struct common_audit_data ad;
1670 ad.type = LSM_AUDIT_DATA_DENTRY;
1671 ad.u.dentry = dentry;
1672 __inode_security_revalidate(inode, dentry, true);
1673 return inode_has_perm(cred, inode, av, &ad);
1676 /* Same as inode_has_perm, but pass explicit audit data containing
1677 the path to help the auditing code to more easily generate the
1678 pathname if needed. */
1679 static inline int path_has_perm(const struct cred *cred,
1680 const struct path *path,
1683 struct inode *inode = d_backing_inode(path->dentry);
1684 struct common_audit_data ad;
1686 ad.type = LSM_AUDIT_DATA_PATH;
1688 __inode_security_revalidate(inode, path->dentry, true);
1689 return inode_has_perm(cred, inode, av, &ad);
1692 /* Same as path_has_perm, but uses the inode from the file struct. */
1693 static inline int file_path_has_perm(const struct cred *cred,
1697 struct common_audit_data ad;
1699 ad.type = LSM_AUDIT_DATA_FILE;
1701 return inode_has_perm(cred, file_inode(file), av, &ad);
1704 #ifdef CONFIG_BPF_SYSCALL
1705 static int bpf_fd_pass(struct file *file, u32 sid);
1708 /* Check whether a task can use an open file descriptor to
1709 access an inode in a given way. Check access to the
1710 descriptor itself, and then use dentry_has_perm to
1711 check a particular permission to the file.
1712 Access to the descriptor is implicitly granted if it
1713 has the same SID as the process. If av is zero, then
1714 access to the file is not checked, e.g. for cases
1715 where only the descriptor is affected like seek. */
1716 static int file_has_perm(const struct cred *cred,
1720 struct file_security_struct *fsec = selinux_file(file);
1721 struct inode *inode = file_inode(file);
1722 struct common_audit_data ad;
1723 u32 sid = cred_sid(cred);
1726 ad.type = LSM_AUDIT_DATA_FILE;
1729 if (sid != fsec->sid) {
1730 rc = avc_has_perm(&selinux_state,
1739 #ifdef CONFIG_BPF_SYSCALL
1740 rc = bpf_fd_pass(file, cred_sid(cred));
1745 /* av is zero if only checking access to the descriptor. */
1748 rc = inode_has_perm(cred, inode, av, &ad);
1755 * Determine the label for an inode that might be unioned.
1758 selinux_determine_inode_label(const struct task_security_struct *tsec,
1760 const struct qstr *name, u16 tclass,
1763 const struct superblock_security_struct *sbsec =
1764 selinux_superblock(dir->i_sb);
1766 if ((sbsec->flags & SE_SBINITIALIZED) &&
1767 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1768 *_new_isid = sbsec->mntpoint_sid;
1769 } else if ((sbsec->flags & SBLABEL_MNT) &&
1771 *_new_isid = tsec->create_sid;
1773 const struct inode_security_struct *dsec = inode_security(dir);
1774 return security_transition_sid(&selinux_state, tsec->sid,
1782 /* Check whether a task can create a file. */
1783 static int may_create(struct inode *dir,
1784 struct dentry *dentry,
1787 const struct task_security_struct *tsec = selinux_cred(current_cred());
1788 struct inode_security_struct *dsec;
1789 struct superblock_security_struct *sbsec;
1791 struct common_audit_data ad;
1794 dsec = inode_security(dir);
1795 sbsec = selinux_superblock(dir->i_sb);
1799 ad.type = LSM_AUDIT_DATA_DENTRY;
1800 ad.u.dentry = dentry;
1802 rc = avc_has_perm(&selinux_state,
1803 sid, dsec->sid, SECCLASS_DIR,
1804 DIR__ADD_NAME | DIR__SEARCH,
1809 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1814 rc = avc_has_perm(&selinux_state,
1815 sid, newsid, tclass, FILE__CREATE, &ad);
1819 return avc_has_perm(&selinux_state,
1821 SECCLASS_FILESYSTEM,
1822 FILESYSTEM__ASSOCIATE, &ad);
1826 #define MAY_UNLINK 1
1829 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1830 static int may_link(struct inode *dir,
1831 struct dentry *dentry,
1835 struct inode_security_struct *dsec, *isec;
1836 struct common_audit_data ad;
1837 u32 sid = current_sid();
1841 dsec = inode_security(dir);
1842 isec = backing_inode_security(dentry);
1844 ad.type = LSM_AUDIT_DATA_DENTRY;
1845 ad.u.dentry = dentry;
1848 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1849 rc = avc_has_perm(&selinux_state,
1850 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1865 pr_warn("SELinux: %s: unrecognized kind %d\n",
1870 rc = avc_has_perm(&selinux_state,
1871 sid, isec->sid, isec->sclass, av, &ad);
1875 static inline int may_rename(struct inode *old_dir,
1876 struct dentry *old_dentry,
1877 struct inode *new_dir,
1878 struct dentry *new_dentry)
1880 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1881 struct common_audit_data ad;
1882 u32 sid = current_sid();
1884 int old_is_dir, new_is_dir;
1887 old_dsec = inode_security(old_dir);
1888 old_isec = backing_inode_security(old_dentry);
1889 old_is_dir = d_is_dir(old_dentry);
1890 new_dsec = inode_security(new_dir);
1892 ad.type = LSM_AUDIT_DATA_DENTRY;
1894 ad.u.dentry = old_dentry;
1895 rc = avc_has_perm(&selinux_state,
1896 sid, old_dsec->sid, SECCLASS_DIR,
1897 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1900 rc = avc_has_perm(&selinux_state,
1902 old_isec->sclass, FILE__RENAME, &ad);
1905 if (old_is_dir && new_dir != old_dir) {
1906 rc = avc_has_perm(&selinux_state,
1908 old_isec->sclass, DIR__REPARENT, &ad);
1913 ad.u.dentry = new_dentry;
1914 av = DIR__ADD_NAME | DIR__SEARCH;
1915 if (d_is_positive(new_dentry))
1916 av |= DIR__REMOVE_NAME;
1917 rc = avc_has_perm(&selinux_state,
1918 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1921 if (d_is_positive(new_dentry)) {
1922 new_isec = backing_inode_security(new_dentry);
1923 new_is_dir = d_is_dir(new_dentry);
1924 rc = avc_has_perm(&selinux_state,
1927 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1935 /* Check whether a task can perform a filesystem operation. */
1936 static int superblock_has_perm(const struct cred *cred,
1937 struct super_block *sb,
1939 struct common_audit_data *ad)
1941 struct superblock_security_struct *sbsec;
1942 u32 sid = cred_sid(cred);
1944 sbsec = selinux_superblock(sb);
1945 return avc_has_perm(&selinux_state,
1946 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1949 /* Convert a Linux mode and permission mask to an access vector. */
1950 static inline u32 file_mask_to_av(int mode, int mask)
1954 if (!S_ISDIR(mode)) {
1955 if (mask & MAY_EXEC)
1956 av |= FILE__EXECUTE;
1957 if (mask & MAY_READ)
1960 if (mask & MAY_APPEND)
1962 else if (mask & MAY_WRITE)
1966 if (mask & MAY_EXEC)
1968 if (mask & MAY_WRITE)
1970 if (mask & MAY_READ)
1977 /* Convert a Linux file to an access vector. */
1978 static inline u32 file_to_av(struct file *file)
1982 if (file->f_mode & FMODE_READ)
1984 if (file->f_mode & FMODE_WRITE) {
1985 if (file->f_flags & O_APPEND)
1992 * Special file opened with flags 3 for ioctl-only use.
2001 * Convert a file to an access vector and include the correct
2004 static inline u32 open_file_to_av(struct file *file)
2006 u32 av = file_to_av(file);
2007 struct inode *inode = file_inode(file);
2009 if (selinux_policycap_openperm() &&
2010 inode->i_sb->s_magic != SOCKFS_MAGIC)
2016 /* Hook functions begin here. */
2018 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2020 return avc_has_perm(&selinux_state,
2021 current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2022 BINDER__SET_CONTEXT_MGR, NULL);
2025 static int selinux_binder_transaction(const struct cred *from,
2026 const struct cred *to)
2028 u32 mysid = current_sid();
2029 u32 fromsid = cred_sid(from);
2030 u32 tosid = cred_sid(to);
2033 if (mysid != fromsid) {
2034 rc = avc_has_perm(&selinux_state,
2035 mysid, fromsid, SECCLASS_BINDER,
2036 BINDER__IMPERSONATE, NULL);
2041 return avc_has_perm(&selinux_state, fromsid, tosid,
2042 SECCLASS_BINDER, BINDER__CALL, NULL);
2045 static int selinux_binder_transfer_binder(const struct cred *from,
2046 const struct cred *to)
2048 return avc_has_perm(&selinux_state,
2049 cred_sid(from), cred_sid(to),
2050 SECCLASS_BINDER, BINDER__TRANSFER,
2054 static int selinux_binder_transfer_file(const struct cred *from,
2055 const struct cred *to,
2058 u32 sid = cred_sid(to);
2059 struct file_security_struct *fsec = selinux_file(file);
2060 struct dentry *dentry = file->f_path.dentry;
2061 struct inode_security_struct *isec;
2062 struct common_audit_data ad;
2065 ad.type = LSM_AUDIT_DATA_PATH;
2066 ad.u.path = file->f_path;
2068 if (sid != fsec->sid) {
2069 rc = avc_has_perm(&selinux_state,
2078 #ifdef CONFIG_BPF_SYSCALL
2079 rc = bpf_fd_pass(file, sid);
2084 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2087 isec = backing_inode_security(dentry);
2088 return avc_has_perm(&selinux_state,
2089 sid, isec->sid, isec->sclass, file_to_av(file),
2093 static int selinux_ptrace_access_check(struct task_struct *child,
2096 u32 sid = current_sid();
2097 u32 csid = task_sid_obj(child);
2099 if (mode & PTRACE_MODE_READ)
2100 return avc_has_perm(&selinux_state,
2101 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2103 return avc_has_perm(&selinux_state,
2104 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2107 static int selinux_ptrace_traceme(struct task_struct *parent)
2109 return avc_has_perm(&selinux_state,
2110 task_sid_obj(parent), task_sid_obj(current),
2111 SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2114 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2115 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2117 return avc_has_perm(&selinux_state,
2118 current_sid(), task_sid_obj(target), SECCLASS_PROCESS,
2119 PROCESS__GETCAP, NULL);
2122 static int selinux_capset(struct cred *new, const struct cred *old,
2123 const kernel_cap_t *effective,
2124 const kernel_cap_t *inheritable,
2125 const kernel_cap_t *permitted)
2127 return avc_has_perm(&selinux_state,
2128 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2129 PROCESS__SETCAP, NULL);
2133 * (This comment used to live with the selinux_task_setuid hook,
2134 * which was removed).
2136 * Since setuid only affects the current process, and since the SELinux
2137 * controls are not based on the Linux identity attributes, SELinux does not
2138 * need to control this operation. However, SELinux does control the use of
2139 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2142 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2143 int cap, unsigned int opts)
2145 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2148 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2150 const struct cred *cred = current_cred();
2165 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2173 case Q_XGETNEXTQUOTA:
2174 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2177 rc = 0; /* let the kernel handle invalid cmds */
2183 static int selinux_quota_on(struct dentry *dentry)
2185 const struct cred *cred = current_cred();
2187 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2190 static int selinux_syslog(int type)
2193 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2194 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2195 return avc_has_perm(&selinux_state,
2196 current_sid(), SECINITSID_KERNEL,
2197 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2198 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2199 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2200 /* Set level of messages printed to console */
2201 case SYSLOG_ACTION_CONSOLE_LEVEL:
2202 return avc_has_perm(&selinux_state,
2203 current_sid(), SECINITSID_KERNEL,
2204 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2207 /* All other syslog types */
2208 return avc_has_perm(&selinux_state,
2209 current_sid(), SECINITSID_KERNEL,
2210 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2214 * Check that a process has enough memory to allocate a new virtual
2215 * mapping. 0 means there is enough memory for the allocation to
2216 * succeed and -ENOMEM implies there is not.
2218 * Do not audit the selinux permission check, as this is applied to all
2219 * processes that allocate mappings.
2221 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2223 int rc, cap_sys_admin = 0;
2225 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2226 CAP_OPT_NOAUDIT, true);
2230 return cap_sys_admin;
2233 /* binprm security operations */
2235 static u32 ptrace_parent_sid(void)
2238 struct task_struct *tracer;
2241 tracer = ptrace_parent(current);
2243 sid = task_sid_obj(tracer);
2249 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2250 const struct task_security_struct *old_tsec,
2251 const struct task_security_struct *new_tsec)
2253 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2254 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2258 if (!nnp && !nosuid)
2259 return 0; /* neither NNP nor nosuid */
2261 if (new_tsec->sid == old_tsec->sid)
2262 return 0; /* No change in credentials */
2265 * If the policy enables the nnp_nosuid_transition policy capability,
2266 * then we permit transitions under NNP or nosuid if the
2267 * policy allows the corresponding permission between
2268 * the old and new contexts.
2270 if (selinux_policycap_nnp_nosuid_transition()) {
2273 av |= PROCESS2__NNP_TRANSITION;
2275 av |= PROCESS2__NOSUID_TRANSITION;
2276 rc = avc_has_perm(&selinux_state,
2277 old_tsec->sid, new_tsec->sid,
2278 SECCLASS_PROCESS2, av, NULL);
2284 * We also permit NNP or nosuid transitions to bounded SIDs,
2285 * i.e. SIDs that are guaranteed to only be allowed a subset
2286 * of the permissions of the current SID.
2288 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2294 * On failure, preserve the errno values for NNP vs nosuid.
2295 * NNP: Operation not permitted for caller.
2296 * nosuid: Permission denied to file.
2303 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2305 const struct task_security_struct *old_tsec;
2306 struct task_security_struct *new_tsec;
2307 struct inode_security_struct *isec;
2308 struct common_audit_data ad;
2309 struct inode *inode = file_inode(bprm->file);
2312 /* SELinux context only depends on initial program or script and not
2313 * the script interpreter */
2315 old_tsec = selinux_cred(current_cred());
2316 new_tsec = selinux_cred(bprm->cred);
2317 isec = inode_security(inode);
2319 /* Default to the current task SID. */
2320 new_tsec->sid = old_tsec->sid;
2321 new_tsec->osid = old_tsec->sid;
2323 /* Reset fs, key, and sock SIDs on execve. */
2324 new_tsec->create_sid = 0;
2325 new_tsec->keycreate_sid = 0;
2326 new_tsec->sockcreate_sid = 0;
2328 if (old_tsec->exec_sid) {
2329 new_tsec->sid = old_tsec->exec_sid;
2330 /* Reset exec SID on execve. */
2331 new_tsec->exec_sid = 0;
2333 /* Fail on NNP or nosuid if not an allowed transition. */
2334 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2338 /* Check for a default transition on this program. */
2339 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2340 isec->sid, SECCLASS_PROCESS, NULL,
2346 * Fallback to old SID on NNP or nosuid if not an allowed
2349 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2351 new_tsec->sid = old_tsec->sid;
2354 ad.type = LSM_AUDIT_DATA_FILE;
2355 ad.u.file = bprm->file;
2357 if (new_tsec->sid == old_tsec->sid) {
2358 rc = avc_has_perm(&selinux_state,
2359 old_tsec->sid, isec->sid,
2360 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2364 /* Check permissions for the transition. */
2365 rc = avc_has_perm(&selinux_state,
2366 old_tsec->sid, new_tsec->sid,
2367 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2371 rc = avc_has_perm(&selinux_state,
2372 new_tsec->sid, isec->sid,
2373 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2377 /* Check for shared state */
2378 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2379 rc = avc_has_perm(&selinux_state,
2380 old_tsec->sid, new_tsec->sid,
2381 SECCLASS_PROCESS, PROCESS__SHARE,
2387 /* Make sure that anyone attempting to ptrace over a task that
2388 * changes its SID has the appropriate permit */
2389 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2390 u32 ptsid = ptrace_parent_sid();
2392 rc = avc_has_perm(&selinux_state,
2393 ptsid, new_tsec->sid,
2395 PROCESS__PTRACE, NULL);
2401 /* Clear any possibly unsafe personality bits on exec: */
2402 bprm->per_clear |= PER_CLEAR_ON_SETID;
2404 /* Enable secure mode for SIDs transitions unless
2405 the noatsecure permission is granted between
2406 the two SIDs, i.e. ahp returns 0. */
2407 rc = avc_has_perm(&selinux_state,
2408 old_tsec->sid, new_tsec->sid,
2409 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2411 bprm->secureexec |= !!rc;
2417 static int match_file(const void *p, struct file *file, unsigned fd)
2419 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2422 /* Derived from fs/exec.c:flush_old_files. */
2423 static inline void flush_unauthorized_files(const struct cred *cred,
2424 struct files_struct *files)
2426 struct file *file, *devnull = NULL;
2427 struct tty_struct *tty;
2431 tty = get_current_tty();
2433 spin_lock(&tty->files_lock);
2434 if (!list_empty(&tty->tty_files)) {
2435 struct tty_file_private *file_priv;
2437 /* Revalidate access to controlling tty.
2438 Use file_path_has_perm on the tty path directly
2439 rather than using file_has_perm, as this particular
2440 open file may belong to another process and we are
2441 only interested in the inode-based check here. */
2442 file_priv = list_first_entry(&tty->tty_files,
2443 struct tty_file_private, list);
2444 file = file_priv->file;
2445 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2448 spin_unlock(&tty->files_lock);
2451 /* Reset controlling tty. */
2455 /* Revalidate access to inherited open files. */
2456 n = iterate_fd(files, 0, match_file, cred);
2457 if (!n) /* none found? */
2460 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2461 if (IS_ERR(devnull))
2463 /* replace all the matching ones with this */
2465 replace_fd(n - 1, devnull, 0);
2466 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2472 * Prepare a process for imminent new credential changes due to exec
2474 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2476 struct task_security_struct *new_tsec;
2477 struct rlimit *rlim, *initrlim;
2480 new_tsec = selinux_cred(bprm->cred);
2481 if (new_tsec->sid == new_tsec->osid)
2484 /* Close files for which the new task SID is not authorized. */
2485 flush_unauthorized_files(bprm->cred, current->files);
2487 /* Always clear parent death signal on SID transitions. */
2488 current->pdeath_signal = 0;
2490 /* Check whether the new SID can inherit resource limits from the old
2491 * SID. If not, reset all soft limits to the lower of the current
2492 * task's hard limit and the init task's soft limit.
2494 * Note that the setting of hard limits (even to lower them) can be
2495 * controlled by the setrlimit check. The inclusion of the init task's
2496 * soft limit into the computation is to avoid resetting soft limits
2497 * higher than the default soft limit for cases where the default is
2498 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2500 rc = avc_has_perm(&selinux_state,
2501 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2502 PROCESS__RLIMITINH, NULL);
2504 /* protect against do_prlimit() */
2506 for (i = 0; i < RLIM_NLIMITS; i++) {
2507 rlim = current->signal->rlim + i;
2508 initrlim = init_task.signal->rlim + i;
2509 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2511 task_unlock(current);
2512 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2513 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2518 * Clean up the process immediately after the installation of new credentials
2521 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2523 const struct task_security_struct *tsec = selinux_cred(current_cred());
2533 /* Check whether the new SID can inherit signal state from the old SID.
2534 * If not, clear itimers to avoid subsequent signal generation and
2535 * flush and unblock signals.
2537 * This must occur _after_ the task SID has been updated so that any
2538 * kill done after the flush will be checked against the new SID.
2540 rc = avc_has_perm(&selinux_state,
2541 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2545 spin_lock_irq(¤t->sighand->siglock);
2546 if (!fatal_signal_pending(current)) {
2547 flush_sigqueue(¤t->pending);
2548 flush_sigqueue(¤t->signal->shared_pending);
2549 flush_signal_handlers(current, 1);
2550 sigemptyset(¤t->blocked);
2551 recalc_sigpending();
2553 spin_unlock_irq(¤t->sighand->siglock);
2556 /* Wake up the parent if it is waiting so that it can recheck
2557 * wait permission to the new task SID. */
2558 read_lock(&tasklist_lock);
2559 __wake_up_parent(current, current->real_parent);
2560 read_unlock(&tasklist_lock);
2563 /* superblock security operations */
2565 static int selinux_sb_alloc_security(struct super_block *sb)
2567 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2569 mutex_init(&sbsec->lock);
2570 INIT_LIST_HEAD(&sbsec->isec_head);
2571 spin_lock_init(&sbsec->isec_lock);
2572 sbsec->sid = SECINITSID_UNLABELED;
2573 sbsec->def_sid = SECINITSID_FILE;
2574 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2579 static inline int opt_len(const char *s)
2581 bool open_quote = false;
2585 for (len = 0; (c = s[len]) != '\0'; len++) {
2587 open_quote = !open_quote;
2588 if (c == ',' && !open_quote)
2594 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2596 char *from = options;
2602 int len = opt_len(from);
2606 token = match_opt_prefix(from, len, &arg);
2608 if (token != Opt_error) {
2613 for (p = q = arg; p < from + len; p++) {
2618 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2624 rc = selinux_add_opt(token, arg, mnt_opts);
2630 if (!first) { // copy with preceding comma
2635 memmove(to, from, len);
2648 selinux_free_mnt_opts(*mnt_opts);
2654 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2656 struct selinux_mnt_opts *opts = mnt_opts;
2657 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2660 * Superblock not initialized (i.e. no options) - reject if any
2661 * options specified, otherwise accept.
2663 if (!(sbsec->flags & SE_SBINITIALIZED))
2664 return opts ? 1 : 0;
2667 * Superblock initialized and no options specified - reject if
2668 * superblock has any options set, otherwise accept.
2671 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2673 if (opts->fscontext) {
2674 if (opts->fscontext_sid == SECSID_NULL)
2676 else if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2677 opts->fscontext_sid))
2680 if (opts->context) {
2681 if (opts->context_sid == SECSID_NULL)
2683 else if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2687 if (opts->rootcontext) {
2688 if (opts->rootcontext_sid == SECSID_NULL)
2691 struct inode_security_struct *root_isec;
2693 root_isec = backing_inode_security(sb->s_root);
2694 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2695 opts->rootcontext_sid))
2699 if (opts->defcontext) {
2700 if (opts->defcontext_sid == SECSID_NULL)
2702 else if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2703 opts->defcontext_sid))
2709 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2711 struct selinux_mnt_opts *opts = mnt_opts;
2712 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2716 if (!(sbsec->flags & SE_SBINITIALIZED))
2722 if (opts->fscontext) {
2723 rc = parse_sid(sb, opts->fscontext, &sid);
2726 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2727 goto out_bad_option;
2729 if (opts->context) {
2730 rc = parse_sid(sb, opts->context, &sid);
2733 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2734 goto out_bad_option;
2736 if (opts->rootcontext) {
2737 struct inode_security_struct *root_isec;
2738 root_isec = backing_inode_security(sb->s_root);
2739 rc = parse_sid(sb, opts->rootcontext, &sid);
2742 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2743 goto out_bad_option;
2745 if (opts->defcontext) {
2746 rc = parse_sid(sb, opts->defcontext, &sid);
2749 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2750 goto out_bad_option;
2755 pr_warn("SELinux: unable to change security options "
2756 "during remount (dev %s, type=%s)\n", sb->s_id,
2761 static int selinux_sb_kern_mount(struct super_block *sb)
2763 const struct cred *cred = current_cred();
2764 struct common_audit_data ad;
2766 ad.type = LSM_AUDIT_DATA_DENTRY;
2767 ad.u.dentry = sb->s_root;
2768 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2771 static int selinux_sb_statfs(struct dentry *dentry)
2773 const struct cred *cred = current_cred();
2774 struct common_audit_data ad;
2776 ad.type = LSM_AUDIT_DATA_DENTRY;
2777 ad.u.dentry = dentry->d_sb->s_root;
2778 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2781 static int selinux_mount(const char *dev_name,
2782 const struct path *path,
2784 unsigned long flags,
2787 const struct cred *cred = current_cred();
2789 if (flags & MS_REMOUNT)
2790 return superblock_has_perm(cred, path->dentry->d_sb,
2791 FILESYSTEM__REMOUNT, NULL);
2793 return path_has_perm(cred, path, FILE__MOUNTON);
2796 static int selinux_move_mount(const struct path *from_path,
2797 const struct path *to_path)
2799 const struct cred *cred = current_cred();
2801 return path_has_perm(cred, to_path, FILE__MOUNTON);
2804 static int selinux_umount(struct vfsmount *mnt, int flags)
2806 const struct cred *cred = current_cred();
2808 return superblock_has_perm(cred, mnt->mnt_sb,
2809 FILESYSTEM__UNMOUNT, NULL);
2812 static int selinux_fs_context_dup(struct fs_context *fc,
2813 struct fs_context *src_fc)
2815 const struct selinux_mnt_opts *src = src_fc->security;
2816 struct selinux_mnt_opts *opts;
2821 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2825 opts = fc->security;
2827 if (src->fscontext) {
2828 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2829 if (!opts->fscontext)
2833 opts->context = kstrdup(src->context, GFP_KERNEL);
2837 if (src->rootcontext) {
2838 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2839 if (!opts->rootcontext)
2842 if (src->defcontext) {
2843 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2844 if (!opts->defcontext)
2850 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2851 fsparam_string(CONTEXT_STR, Opt_context),
2852 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2853 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2854 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2855 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2859 static int selinux_fs_context_parse_param(struct fs_context *fc,
2860 struct fs_parameter *param)
2862 struct fs_parse_result result;
2865 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2869 rc = selinux_add_opt(opt, param->string, &fc->security);
2871 param->string = NULL;
2876 /* inode security operations */
2878 static int selinux_inode_alloc_security(struct inode *inode)
2880 struct inode_security_struct *isec = selinux_inode(inode);
2881 u32 sid = current_sid();
2883 spin_lock_init(&isec->lock);
2884 INIT_LIST_HEAD(&isec->list);
2885 isec->inode = inode;
2886 isec->sid = SECINITSID_UNLABELED;
2887 isec->sclass = SECCLASS_FILE;
2888 isec->task_sid = sid;
2889 isec->initialized = LABEL_INVALID;
2894 static void selinux_inode_free_security(struct inode *inode)
2896 inode_free_security(inode);
2899 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2900 const struct qstr *name,
2901 const char **xattr_name, void **ctx,
2907 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2908 d_inode(dentry->d_parent), name,
2909 inode_mode_to_security_class(mode),
2915 *xattr_name = XATTR_NAME_SELINUX;
2917 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2921 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2923 const struct cred *old,
2928 struct task_security_struct *tsec;
2930 rc = selinux_determine_inode_label(selinux_cred(old),
2931 d_inode(dentry->d_parent), name,
2932 inode_mode_to_security_class(mode),
2937 tsec = selinux_cred(new);
2938 tsec->create_sid = newsid;
2942 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2943 const struct qstr *qstr,
2945 void **value, size_t *len)
2947 const struct task_security_struct *tsec = selinux_cred(current_cred());
2948 struct superblock_security_struct *sbsec;
2953 sbsec = selinux_superblock(dir->i_sb);
2955 newsid = tsec->create_sid;
2957 rc = selinux_determine_inode_label(tsec, dir, qstr,
2958 inode_mode_to_security_class(inode->i_mode),
2963 /* Possibly defer initialization to selinux_complete_init. */
2964 if (sbsec->flags & SE_SBINITIALIZED) {
2965 struct inode_security_struct *isec = selinux_inode(inode);
2966 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2968 isec->initialized = LABEL_INITIALIZED;
2971 if (!selinux_initialized(&selinux_state) ||
2972 !(sbsec->flags & SBLABEL_MNT))
2976 *name = XATTR_SELINUX_SUFFIX;
2979 rc = security_sid_to_context_force(&selinux_state, newsid,
2990 static int selinux_inode_init_security_anon(struct inode *inode,
2991 const struct qstr *name,
2992 const struct inode *context_inode)
2994 const struct task_security_struct *tsec = selinux_cred(current_cred());
2995 struct common_audit_data ad;
2996 struct inode_security_struct *isec;
2999 if (unlikely(!selinux_initialized(&selinux_state)))
3002 isec = selinux_inode(inode);
3005 * We only get here once per ephemeral inode. The inode has
3006 * been initialized via inode_alloc_security but is otherwise
3010 if (context_inode) {
3011 struct inode_security_struct *context_isec =
3012 selinux_inode(context_inode);
3013 if (context_isec->initialized != LABEL_INITIALIZED) {
3014 pr_err("SELinux: context_inode is not initialized");
3018 isec->sclass = context_isec->sclass;
3019 isec->sid = context_isec->sid;
3021 isec->sclass = SECCLASS_ANON_INODE;
3022 rc = security_transition_sid(
3023 &selinux_state, tsec->sid, tsec->sid,
3024 isec->sclass, name, &isec->sid);
3029 isec->initialized = LABEL_INITIALIZED;
3031 * Now that we've initialized security, check whether we're
3032 * allowed to actually create this type of anonymous inode.
3035 ad.type = LSM_AUDIT_DATA_INODE;
3038 return avc_has_perm(&selinux_state,
3046 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3048 return may_create(dir, dentry, SECCLASS_FILE);
3051 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3053 return may_link(dir, old_dentry, MAY_LINK);
3056 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3058 return may_link(dir, dentry, MAY_UNLINK);
3061 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3063 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3066 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3068 return may_create(dir, dentry, SECCLASS_DIR);
3071 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3073 return may_link(dir, dentry, MAY_RMDIR);
3076 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3078 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3081 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3082 struct inode *new_inode, struct dentry *new_dentry)
3084 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3087 static int selinux_inode_readlink(struct dentry *dentry)
3089 const struct cred *cred = current_cred();
3091 return dentry_has_perm(cred, dentry, FILE__READ);
3094 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3097 const struct cred *cred = current_cred();
3098 struct common_audit_data ad;
3099 struct inode_security_struct *isec;
3102 validate_creds(cred);
3104 ad.type = LSM_AUDIT_DATA_DENTRY;
3105 ad.u.dentry = dentry;
3106 sid = cred_sid(cred);
3107 isec = inode_security_rcu(inode, rcu);
3109 return PTR_ERR(isec);
3111 return avc_has_perm(&selinux_state,
3112 sid, isec->sid, isec->sclass, FILE__READ, &ad);
3115 static noinline int audit_inode_permission(struct inode *inode,
3116 u32 perms, u32 audited, u32 denied,
3119 struct common_audit_data ad;
3120 struct inode_security_struct *isec = selinux_inode(inode);
3122 ad.type = LSM_AUDIT_DATA_INODE;
3125 return slow_avc_audit(&selinux_state,
3126 current_sid(), isec->sid, isec->sclass, perms,
3127 audited, denied, result, &ad);
3130 static int selinux_inode_permission(struct inode *inode, int mask)
3132 const struct cred *cred = current_cred();
3135 bool no_block = mask & MAY_NOT_BLOCK;
3136 struct inode_security_struct *isec;
3138 struct av_decision avd;
3140 u32 audited, denied;
3142 from_access = mask & MAY_ACCESS;
3143 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3145 /* No permission to check. Existence test. */
3149 validate_creds(cred);
3151 if (unlikely(IS_PRIVATE(inode)))
3154 perms = file_mask_to_av(inode->i_mode, mask);
3156 sid = cred_sid(cred);
3157 isec = inode_security_rcu(inode, no_block);
3159 return PTR_ERR(isec);
3161 rc = avc_has_perm_noaudit(&selinux_state,
3162 sid, isec->sid, isec->sclass, perms, 0,
3164 audited = avc_audit_required(perms, &avd, rc,
3165 from_access ? FILE__AUDIT_ACCESS : 0,
3167 if (likely(!audited))
3170 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3176 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3178 const struct cred *cred = current_cred();
3179 struct inode *inode = d_backing_inode(dentry);
3180 unsigned int ia_valid = iattr->ia_valid;
3181 __u32 av = FILE__WRITE;
3183 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3184 if (ia_valid & ATTR_FORCE) {
3185 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3191 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3192 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3193 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3195 if (selinux_policycap_openperm() &&
3196 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3197 (ia_valid & ATTR_SIZE) &&
3198 !(ia_valid & ATTR_FILE))
3201 return dentry_has_perm(cred, dentry, av);
3204 static int selinux_inode_getattr(const struct path *path)
3206 return path_has_perm(current_cred(), path, FILE__GETATTR);
3209 static bool has_cap_mac_admin(bool audit)
3211 const struct cred *cred = current_cred();
3212 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3214 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3216 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3221 static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
3222 struct dentry *dentry, const char *name,
3223 const void *value, size_t size, int flags)
3225 struct inode *inode = d_backing_inode(dentry);
3226 struct inode_security_struct *isec;
3227 struct superblock_security_struct *sbsec;
3228 struct common_audit_data ad;
3229 u32 newsid, sid = current_sid();
3232 if (strcmp(name, XATTR_NAME_SELINUX)) {
3233 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3237 /* Not an attribute we recognize, so just check the
3238 ordinary setattr permission. */
3239 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3242 if (!selinux_initialized(&selinux_state))
3243 return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM);
3245 sbsec = selinux_superblock(inode->i_sb);
3246 if (!(sbsec->flags & SBLABEL_MNT))
3249 if (!inode_owner_or_capable(mnt_userns, inode))
3252 ad.type = LSM_AUDIT_DATA_DENTRY;
3253 ad.u.dentry = dentry;
3255 isec = backing_inode_security(dentry);
3256 rc = avc_has_perm(&selinux_state,
3257 sid, isec->sid, isec->sclass,
3258 FILE__RELABELFROM, &ad);
3262 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3264 if (rc == -EINVAL) {
3265 if (!has_cap_mac_admin(true)) {
3266 struct audit_buffer *ab;
3269 /* We strip a nul only if it is at the end, otherwise the
3270 * context contains a nul and we should audit that */
3272 const char *str = value;
3274 if (str[size - 1] == '\0')
3275 audit_size = size - 1;
3281 ab = audit_log_start(audit_context(),
3282 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3285 audit_log_format(ab, "op=setxattr invalid_context=");
3286 audit_log_n_untrustedstring(ab, value, audit_size);
3291 rc = security_context_to_sid_force(&selinux_state, value,
3297 rc = avc_has_perm(&selinux_state,
3298 sid, newsid, isec->sclass,
3299 FILE__RELABELTO, &ad);
3303 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3308 return avc_has_perm(&selinux_state,
3311 SECCLASS_FILESYSTEM,
3312 FILESYSTEM__ASSOCIATE,
3316 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3317 const void *value, size_t size,
3320 struct inode *inode = d_backing_inode(dentry);
3321 struct inode_security_struct *isec;
3325 if (strcmp(name, XATTR_NAME_SELINUX)) {
3326 /* Not an attribute we recognize, so nothing to do. */
3330 if (!selinux_initialized(&selinux_state)) {
3331 /* If we haven't even been initialized, then we can't validate
3332 * against a policy, so leave the label as invalid. It may
3333 * resolve to a valid label on the next revalidation try if
3334 * we've since initialized.
3339 rc = security_context_to_sid_force(&selinux_state, value, size,
3342 pr_err("SELinux: unable to map context to SID"
3343 "for (%s, %lu), rc=%d\n",
3344 inode->i_sb->s_id, inode->i_ino, -rc);
3348 isec = backing_inode_security(dentry);
3349 spin_lock(&isec->lock);
3350 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3352 isec->initialized = LABEL_INITIALIZED;
3353 spin_unlock(&isec->lock);
3358 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3360 const struct cred *cred = current_cred();
3362 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3365 static int selinux_inode_listxattr(struct dentry *dentry)
3367 const struct cred *cred = current_cred();
3369 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3372 static int selinux_inode_removexattr(struct user_namespace *mnt_userns,
3373 struct dentry *dentry, const char *name)
3375 if (strcmp(name, XATTR_NAME_SELINUX)) {
3376 int rc = cap_inode_removexattr(mnt_userns, dentry, name);
3380 /* Not an attribute we recognize, so just check the
3381 ordinary setattr permission. */
3382 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3385 if (!selinux_initialized(&selinux_state))
3388 /* No one is allowed to remove a SELinux security label.
3389 You can change the label, but all data must be labeled. */
3393 static int selinux_path_notify(const struct path *path, u64 mask,
3394 unsigned int obj_type)
3399 struct common_audit_data ad;
3401 ad.type = LSM_AUDIT_DATA_PATH;
3405 * Set permission needed based on the type of mark being set.
3406 * Performs an additional check for sb watches.
3409 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3410 perm = FILE__WATCH_MOUNT;
3412 case FSNOTIFY_OBJ_TYPE_SB:
3413 perm = FILE__WATCH_SB;
3414 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3415 FILESYSTEM__WATCH, &ad);
3419 case FSNOTIFY_OBJ_TYPE_INODE:
3426 /* blocking watches require the file:watch_with_perm permission */
3427 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3428 perm |= FILE__WATCH_WITH_PERM;
3430 /* watches on read-like events need the file:watch_reads permission */
3431 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3432 perm |= FILE__WATCH_READS;
3434 return path_has_perm(current_cred(), path, perm);
3438 * Copy the inode security context value to the user.
3440 * Permission check is handled by selinux_inode_getxattr hook.
3442 static int selinux_inode_getsecurity(struct user_namespace *mnt_userns,
3443 struct inode *inode, const char *name,
3444 void **buffer, bool alloc)
3448 char *context = NULL;
3449 struct inode_security_struct *isec;
3452 * If we're not initialized yet, then we can't validate contexts, so
3453 * just let vfs_getxattr fall back to using the on-disk xattr.
3455 if (!selinux_initialized(&selinux_state) ||
3456 strcmp(name, XATTR_SELINUX_SUFFIX))
3460 * If the caller has CAP_MAC_ADMIN, then get the raw context
3461 * value even if it is not defined by current policy; otherwise,
3462 * use the in-core value under current policy.
3463 * Use the non-auditing forms of the permission checks since
3464 * getxattr may be called by unprivileged processes commonly
3465 * and lack of permission just means that we fall back to the
3466 * in-core context value, not a denial.
3468 isec = inode_security(inode);
3469 if (has_cap_mac_admin(false))
3470 error = security_sid_to_context_force(&selinux_state,
3471 isec->sid, &context,
3474 error = security_sid_to_context(&selinux_state, isec->sid,
3488 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3489 const void *value, size_t size, int flags)
3491 struct inode_security_struct *isec = inode_security_novalidate(inode);
3492 struct superblock_security_struct *sbsec;
3496 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3499 sbsec = selinux_superblock(inode->i_sb);
3500 if (!(sbsec->flags & SBLABEL_MNT))
3503 if (!value || !size)
3506 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3511 spin_lock(&isec->lock);
3512 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3514 isec->initialized = LABEL_INITIALIZED;
3515 spin_unlock(&isec->lock);
3519 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3521 const int len = sizeof(XATTR_NAME_SELINUX);
3523 if (!selinux_initialized(&selinux_state))
3526 if (buffer && len <= buffer_size)
3527 memcpy(buffer, XATTR_NAME_SELINUX, len);
3531 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3533 struct inode_security_struct *isec = inode_security_novalidate(inode);
3537 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3540 struct task_security_struct *tsec;
3541 struct cred *new_creds = *new;
3543 if (new_creds == NULL) {
3544 new_creds = prepare_creds();
3549 tsec = selinux_cred(new_creds);
3550 /* Get label from overlay inode and set it in create_sid */
3551 selinux_inode_getsecid(d_inode(src), &sid);
3552 tsec->create_sid = sid;
3557 static int selinux_inode_copy_up_xattr(const char *name)
3559 /* The copy_up hook above sets the initial context on an inode, but we
3560 * don't then want to overwrite it by blindly copying all the lower
3561 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3563 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3564 return 1; /* Discard */
3566 * Any other attribute apart from SELINUX is not claimed, supported
3572 /* kernfs node operations */
3574 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3575 struct kernfs_node *kn)
3577 const struct task_security_struct *tsec = selinux_cred(current_cred());
3578 u32 parent_sid, newsid, clen;
3582 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3589 context = kmalloc(clen, GFP_KERNEL);
3593 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3599 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3605 if (tsec->create_sid) {
3606 newsid = tsec->create_sid;
3608 u16 secclass = inode_mode_to_security_class(kn->mode);
3612 q.hash_len = hashlen_string(kn_dir, kn->name);
3614 rc = security_transition_sid(&selinux_state, tsec->sid,
3615 parent_sid, secclass, &q,
3621 rc = security_sid_to_context_force(&selinux_state, newsid,
3626 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3633 /* file security operations */
3635 static int selinux_revalidate_file_permission(struct file *file, int mask)
3637 const struct cred *cred = current_cred();
3638 struct inode *inode = file_inode(file);
3640 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3641 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3644 return file_has_perm(cred, file,
3645 file_mask_to_av(inode->i_mode, mask));
3648 static int selinux_file_permission(struct file *file, int mask)
3650 struct inode *inode = file_inode(file);
3651 struct file_security_struct *fsec = selinux_file(file);
3652 struct inode_security_struct *isec;
3653 u32 sid = current_sid();
3656 /* No permission to check. Existence test. */
3659 isec = inode_security(inode);
3660 if (sid == fsec->sid && fsec->isid == isec->sid &&
3661 fsec->pseqno == avc_policy_seqno(&selinux_state))
3662 /* No change since file_open check. */
3665 return selinux_revalidate_file_permission(file, mask);
3668 static int selinux_file_alloc_security(struct file *file)
3670 struct file_security_struct *fsec = selinux_file(file);
3671 u32 sid = current_sid();
3674 fsec->fown_sid = sid;
3680 * Check whether a task has the ioctl permission and cmd
3681 * operation to an inode.
3683 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3684 u32 requested, u16 cmd)
3686 struct common_audit_data ad;
3687 struct file_security_struct *fsec = selinux_file(file);
3688 struct inode *inode = file_inode(file);
3689 struct inode_security_struct *isec;
3690 struct lsm_ioctlop_audit ioctl;
3691 u32 ssid = cred_sid(cred);
3693 u8 driver = cmd >> 8;
3694 u8 xperm = cmd & 0xff;
3696 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3699 ad.u.op->path = file->f_path;
3701 if (ssid != fsec->sid) {
3702 rc = avc_has_perm(&selinux_state,
3711 if (unlikely(IS_PRIVATE(inode)))
3714 isec = inode_security(inode);
3715 rc = avc_has_extended_perms(&selinux_state,
3716 ssid, isec->sid, isec->sclass,
3717 requested, driver, xperm, &ad);
3722 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3725 const struct cred *cred = current_cred();
3732 case FS_IOC_GETFLAGS:
3733 case FS_IOC_GETVERSION:
3734 error = file_has_perm(cred, file, FILE__GETATTR);
3737 case FS_IOC_SETFLAGS:
3738 case FS_IOC_SETVERSION:
3739 error = file_has_perm(cred, file, FILE__SETATTR);
3742 /* sys_ioctl() checks */
3745 error = file_has_perm(cred, file, 0);
3750 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3751 CAP_OPT_NONE, true);
3756 if (!selinux_policycap_ioctl_skip_cloexec())
3757 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3760 /* default case assumes that the command will go
3761 * to the file's ioctl() function.
3764 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3769 static int default_noexec __ro_after_init;
3771 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3773 const struct cred *cred = current_cred();
3774 u32 sid = cred_sid(cred);
3777 if (default_noexec &&
3778 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3779 (!shared && (prot & PROT_WRITE)))) {
3781 * We are making executable an anonymous mapping or a
3782 * private file mapping that will also be writable.
3783 * This has an additional check.
3785 rc = avc_has_perm(&selinux_state,
3786 sid, sid, SECCLASS_PROCESS,
3787 PROCESS__EXECMEM, NULL);
3793 /* read access is always possible with a mapping */
3794 u32 av = FILE__READ;
3796 /* write access only matters if the mapping is shared */
3797 if (shared && (prot & PROT_WRITE))
3800 if (prot & PROT_EXEC)
3801 av |= FILE__EXECUTE;
3803 return file_has_perm(cred, file, av);
3810 static int selinux_mmap_addr(unsigned long addr)
3814 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3815 u32 sid = current_sid();
3816 rc = avc_has_perm(&selinux_state,
3817 sid, sid, SECCLASS_MEMPROTECT,
3818 MEMPROTECT__MMAP_ZERO, NULL);
3824 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3825 unsigned long prot, unsigned long flags)
3827 struct common_audit_data ad;
3831 ad.type = LSM_AUDIT_DATA_FILE;
3833 rc = inode_has_perm(current_cred(), file_inode(file),
3839 if (checkreqprot_get(&selinux_state))
3842 return file_map_prot_check(file, prot,
3843 (flags & MAP_TYPE) == MAP_SHARED);
3846 static int selinux_file_mprotect(struct vm_area_struct *vma,
3847 unsigned long reqprot,
3850 const struct cred *cred = current_cred();
3851 u32 sid = cred_sid(cred);
3853 if (checkreqprot_get(&selinux_state))
3856 if (default_noexec &&
3857 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3859 if (vma->vm_start >= vma->vm_mm->start_brk &&
3860 vma->vm_end <= vma->vm_mm->brk) {
3861 rc = avc_has_perm(&selinux_state,
3862 sid, sid, SECCLASS_PROCESS,
3863 PROCESS__EXECHEAP, NULL);
3864 } else if (!vma->vm_file &&
3865 ((vma->vm_start <= vma->vm_mm->start_stack &&
3866 vma->vm_end >= vma->vm_mm->start_stack) ||
3867 vma_is_stack_for_current(vma))) {
3868 rc = avc_has_perm(&selinux_state,
3869 sid, sid, SECCLASS_PROCESS,
3870 PROCESS__EXECSTACK, NULL);
3871 } else if (vma->vm_file && vma->anon_vma) {
3873 * We are making executable a file mapping that has
3874 * had some COW done. Since pages might have been
3875 * written, check ability to execute the possibly
3876 * modified content. This typically should only
3877 * occur for text relocations.
3879 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3885 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3888 static int selinux_file_lock(struct file *file, unsigned int cmd)
3890 const struct cred *cred = current_cred();
3892 return file_has_perm(cred, file, FILE__LOCK);
3895 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3898 const struct cred *cred = current_cred();
3903 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3904 err = file_has_perm(cred, file, FILE__WRITE);
3913 case F_GETOWNER_UIDS:
3914 /* Just check FD__USE permission */
3915 err = file_has_perm(cred, file, 0);
3923 #if BITS_PER_LONG == 32
3928 err = file_has_perm(cred, file, FILE__LOCK);
3935 static void selinux_file_set_fowner(struct file *file)
3937 struct file_security_struct *fsec;
3939 fsec = selinux_file(file);
3940 fsec->fown_sid = current_sid();
3943 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3944 struct fown_struct *fown, int signum)
3947 u32 sid = task_sid_obj(tsk);
3949 struct file_security_struct *fsec;
3951 /* struct fown_struct is never outside the context of a struct file */
3952 file = container_of(fown, struct file, f_owner);
3954 fsec = selinux_file(file);
3957 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3959 perm = signal_to_av(signum);
3961 return avc_has_perm(&selinux_state,
3962 fsec->fown_sid, sid,
3963 SECCLASS_PROCESS, perm, NULL);
3966 static int selinux_file_receive(struct file *file)
3968 const struct cred *cred = current_cred();
3970 return file_has_perm(cred, file, file_to_av(file));
3973 static int selinux_file_open(struct file *file)
3975 struct file_security_struct *fsec;
3976 struct inode_security_struct *isec;
3978 fsec = selinux_file(file);
3979 isec = inode_security(file_inode(file));
3981 * Save inode label and policy sequence number
3982 * at open-time so that selinux_file_permission
3983 * can determine whether revalidation is necessary.
3984 * Task label is already saved in the file security
3985 * struct as its SID.
3987 fsec->isid = isec->sid;
3988 fsec->pseqno = avc_policy_seqno(&selinux_state);
3990 * Since the inode label or policy seqno may have changed
3991 * between the selinux_inode_permission check and the saving
3992 * of state above, recheck that access is still permitted.
3993 * Otherwise, access might never be revalidated against the
3994 * new inode label or new policy.
3995 * This check is not redundant - do not remove.
3997 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
4000 /* task security operations */
4002 static int selinux_task_alloc(struct task_struct *task,
4003 unsigned long clone_flags)
4005 u32 sid = current_sid();
4007 return avc_has_perm(&selinux_state,
4008 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
4012 * prepare a new set of credentials for modification
4014 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
4017 const struct task_security_struct *old_tsec = selinux_cred(old);
4018 struct task_security_struct *tsec = selinux_cred(new);
4025 * transfer the SELinux data to a blank set of creds
4027 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4029 const struct task_security_struct *old_tsec = selinux_cred(old);
4030 struct task_security_struct *tsec = selinux_cred(new);
4035 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4037 *secid = cred_sid(c);
4041 * set the security data for a kernel service
4042 * - all the creation contexts are set to unlabelled
4044 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4046 struct task_security_struct *tsec = selinux_cred(new);
4047 u32 sid = current_sid();
4050 ret = avc_has_perm(&selinux_state,
4052 SECCLASS_KERNEL_SERVICE,
4053 KERNEL_SERVICE__USE_AS_OVERRIDE,
4057 tsec->create_sid = 0;
4058 tsec->keycreate_sid = 0;
4059 tsec->sockcreate_sid = 0;
4065 * set the file creation context in a security record to the same as the
4066 * objective context of the specified inode
4068 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4070 struct inode_security_struct *isec = inode_security(inode);
4071 struct task_security_struct *tsec = selinux_cred(new);
4072 u32 sid = current_sid();
4075 ret = avc_has_perm(&selinux_state,
4077 SECCLASS_KERNEL_SERVICE,
4078 KERNEL_SERVICE__CREATE_FILES_AS,
4082 tsec->create_sid = isec->sid;
4086 static int selinux_kernel_module_request(char *kmod_name)
4088 struct common_audit_data ad;
4090 ad.type = LSM_AUDIT_DATA_KMOD;
4091 ad.u.kmod_name = kmod_name;
4093 return avc_has_perm(&selinux_state,
4094 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4095 SYSTEM__MODULE_REQUEST, &ad);
4098 static int selinux_kernel_module_from_file(struct file *file)
4100 struct common_audit_data ad;
4101 struct inode_security_struct *isec;
4102 struct file_security_struct *fsec;
4103 u32 sid = current_sid();
4108 return avc_has_perm(&selinux_state,
4109 sid, sid, SECCLASS_SYSTEM,
4110 SYSTEM__MODULE_LOAD, NULL);
4114 ad.type = LSM_AUDIT_DATA_FILE;
4117 fsec = selinux_file(file);
4118 if (sid != fsec->sid) {
4119 rc = avc_has_perm(&selinux_state,
4120 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4125 isec = inode_security(file_inode(file));
4126 return avc_has_perm(&selinux_state,
4127 sid, isec->sid, SECCLASS_SYSTEM,
4128 SYSTEM__MODULE_LOAD, &ad);
4131 static int selinux_kernel_read_file(struct file *file,
4132 enum kernel_read_file_id id,
4138 case READING_MODULE:
4139 rc = selinux_kernel_module_from_file(contents ? file : NULL);
4148 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4153 case LOADING_MODULE:
4154 rc = selinux_kernel_module_from_file(NULL);
4163 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4165 return avc_has_perm(&selinux_state,
4166 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4167 PROCESS__SETPGID, NULL);
4170 static int selinux_task_getpgid(struct task_struct *p)
4172 return avc_has_perm(&selinux_state,
4173 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4174 PROCESS__GETPGID, NULL);
4177 static int selinux_task_getsid(struct task_struct *p)
4179 return avc_has_perm(&selinux_state,
4180 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4181 PROCESS__GETSESSION, NULL);
4184 static void selinux_current_getsecid_subj(u32 *secid)
4186 *secid = current_sid();
4189 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4191 *secid = task_sid_obj(p);
4194 static int selinux_task_setnice(struct task_struct *p, int nice)
4196 return avc_has_perm(&selinux_state,
4197 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4198 PROCESS__SETSCHED, NULL);
4201 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4203 return avc_has_perm(&selinux_state,
4204 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4205 PROCESS__SETSCHED, NULL);
4208 static int selinux_task_getioprio(struct task_struct *p)
4210 return avc_has_perm(&selinux_state,
4211 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4212 PROCESS__GETSCHED, NULL);
4215 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4222 if (flags & LSM_PRLIMIT_WRITE)
4223 av |= PROCESS__SETRLIMIT;
4224 if (flags & LSM_PRLIMIT_READ)
4225 av |= PROCESS__GETRLIMIT;
4226 return avc_has_perm(&selinux_state,
4227 cred_sid(cred), cred_sid(tcred),
4228 SECCLASS_PROCESS, av, NULL);
4231 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4232 struct rlimit *new_rlim)
4234 struct rlimit *old_rlim = p->signal->rlim + resource;
4236 /* Control the ability to change the hard limit (whether
4237 lowering or raising it), so that the hard limit can
4238 later be used as a safe reset point for the soft limit
4239 upon context transitions. See selinux_bprm_committing_creds. */
4240 if (old_rlim->rlim_max != new_rlim->rlim_max)
4241 return avc_has_perm(&selinux_state,
4242 current_sid(), task_sid_obj(p),
4243 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4248 static int selinux_task_setscheduler(struct task_struct *p)
4250 return avc_has_perm(&selinux_state,
4251 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4252 PROCESS__SETSCHED, NULL);
4255 static int selinux_task_getscheduler(struct task_struct *p)
4257 return avc_has_perm(&selinux_state,
4258 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4259 PROCESS__GETSCHED, NULL);
4262 static int selinux_task_movememory(struct task_struct *p)
4264 return avc_has_perm(&selinux_state,
4265 current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4266 PROCESS__SETSCHED, NULL);
4269 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4270 int sig, const struct cred *cred)
4276 perm = PROCESS__SIGNULL; /* null signal; existence test */
4278 perm = signal_to_av(sig);
4280 secid = current_sid();
4282 secid = cred_sid(cred);
4283 return avc_has_perm(&selinux_state,
4284 secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4287 static void selinux_task_to_inode(struct task_struct *p,
4288 struct inode *inode)
4290 struct inode_security_struct *isec = selinux_inode(inode);
4291 u32 sid = task_sid_obj(p);
4293 spin_lock(&isec->lock);
4294 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4296 isec->initialized = LABEL_INITIALIZED;
4297 spin_unlock(&isec->lock);
4300 /* Returns error only if unable to parse addresses */
4301 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4302 struct common_audit_data *ad, u8 *proto)
4304 int offset, ihlen, ret = -EINVAL;
4305 struct iphdr _iph, *ih;
4307 offset = skb_network_offset(skb);
4308 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4312 ihlen = ih->ihl * 4;
4313 if (ihlen < sizeof(_iph))
4316 ad->u.net->v4info.saddr = ih->saddr;
4317 ad->u.net->v4info.daddr = ih->daddr;
4321 *proto = ih->protocol;
4323 switch (ih->protocol) {
4325 struct tcphdr _tcph, *th;
4327 if (ntohs(ih->frag_off) & IP_OFFSET)
4331 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4335 ad->u.net->sport = th->source;
4336 ad->u.net->dport = th->dest;
4341 struct udphdr _udph, *uh;
4343 if (ntohs(ih->frag_off) & IP_OFFSET)
4347 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4351 ad->u.net->sport = uh->source;
4352 ad->u.net->dport = uh->dest;
4356 case IPPROTO_DCCP: {
4357 struct dccp_hdr _dccph, *dh;
4359 if (ntohs(ih->frag_off) & IP_OFFSET)
4363 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4367 ad->u.net->sport = dh->dccph_sport;
4368 ad->u.net->dport = dh->dccph_dport;
4372 #if IS_ENABLED(CONFIG_IP_SCTP)
4373 case IPPROTO_SCTP: {
4374 struct sctphdr _sctph, *sh;
4376 if (ntohs(ih->frag_off) & IP_OFFSET)
4380 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4384 ad->u.net->sport = sh->source;
4385 ad->u.net->dport = sh->dest;
4396 #if IS_ENABLED(CONFIG_IPV6)
4398 /* Returns error only if unable to parse addresses */
4399 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4400 struct common_audit_data *ad, u8 *proto)
4403 int ret = -EINVAL, offset;
4404 struct ipv6hdr _ipv6h, *ip6;
4407 offset = skb_network_offset(skb);
4408 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4412 ad->u.net->v6info.saddr = ip6->saddr;
4413 ad->u.net->v6info.daddr = ip6->daddr;
4416 nexthdr = ip6->nexthdr;
4417 offset += sizeof(_ipv6h);
4418 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4427 struct tcphdr _tcph, *th;
4429 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4433 ad->u.net->sport = th->source;
4434 ad->u.net->dport = th->dest;
4439 struct udphdr _udph, *uh;
4441 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4445 ad->u.net->sport = uh->source;
4446 ad->u.net->dport = uh->dest;
4450 case IPPROTO_DCCP: {
4451 struct dccp_hdr _dccph, *dh;
4453 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4457 ad->u.net->sport = dh->dccph_sport;
4458 ad->u.net->dport = dh->dccph_dport;
4462 #if IS_ENABLED(CONFIG_IP_SCTP)
4463 case IPPROTO_SCTP: {
4464 struct sctphdr _sctph, *sh;
4466 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4470 ad->u.net->sport = sh->source;
4471 ad->u.net->dport = sh->dest;
4475 /* includes fragments */
4485 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4486 char **_addrp, int src, u8 *proto)
4491 switch (ad->u.net->family) {
4493 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4496 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4497 &ad->u.net->v4info.daddr);
4500 #if IS_ENABLED(CONFIG_IPV6)
4502 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4505 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4506 &ad->u.net->v6info.daddr);
4516 "SELinux: failure in selinux_parse_skb(),"
4517 " unable to parse packet\n");
4527 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4529 * @family: protocol family
4530 * @sid: the packet's peer label SID
4533 * Check the various different forms of network peer labeling and determine
4534 * the peer label/SID for the packet; most of the magic actually occurs in
4535 * the security server function security_net_peersid_cmp(). The function
4536 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4537 * or -EACCES if @sid is invalid due to inconsistencies with the different
4541 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4548 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4551 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4555 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4556 nlbl_type, xfrm_sid, sid);
4557 if (unlikely(err)) {
4559 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4560 " unable to determine packet's peer label\n");
4568 * selinux_conn_sid - Determine the child socket label for a connection
4569 * @sk_sid: the parent socket's SID
4570 * @skb_sid: the packet's SID
4571 * @conn_sid: the resulting connection SID
4573 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4574 * combined with the MLS information from @skb_sid in order to create
4575 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy
4576 * of @sk_sid. Returns zero on success, negative values on failure.
4579 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4583 if (skb_sid != SECSID_NULL)
4584 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4592 /* socket security operations */
4594 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4595 u16 secclass, u32 *socksid)
4597 if (tsec->sockcreate_sid > SECSID_NULL) {
4598 *socksid = tsec->sockcreate_sid;
4602 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4603 secclass, NULL, socksid);
4606 static int sock_has_perm(struct sock *sk, u32 perms)
4608 struct sk_security_struct *sksec = sk->sk_security;
4609 struct common_audit_data ad;
4610 struct lsm_network_audit net = {0,};
4612 if (sksec->sid == SECINITSID_KERNEL)
4615 ad.type = LSM_AUDIT_DATA_NET;
4619 return avc_has_perm(&selinux_state,
4620 current_sid(), sksec->sid, sksec->sclass, perms,
4624 static int selinux_socket_create(int family, int type,
4625 int protocol, int kern)
4627 const struct task_security_struct *tsec = selinux_cred(current_cred());
4635 secclass = socket_type_to_security_class(family, type, protocol);
4636 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4640 return avc_has_perm(&selinux_state,
4641 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4644 static int selinux_socket_post_create(struct socket *sock, int family,
4645 int type, int protocol, int kern)
4647 const struct task_security_struct *tsec = selinux_cred(current_cred());
4648 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4649 struct sk_security_struct *sksec;
4650 u16 sclass = socket_type_to_security_class(family, type, protocol);
4651 u32 sid = SECINITSID_KERNEL;
4655 err = socket_sockcreate_sid(tsec, sclass, &sid);
4660 isec->sclass = sclass;
4662 isec->initialized = LABEL_INITIALIZED;
4665 sksec = sock->sk->sk_security;
4666 sksec->sclass = sclass;
4668 /* Allows detection of the first association on this socket */
4669 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4670 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4672 err = selinux_netlbl_socket_post_create(sock->sk, family);
4678 static int selinux_socket_socketpair(struct socket *socka,
4679 struct socket *sockb)
4681 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4682 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4684 sksec_a->peer_sid = sksec_b->sid;
4685 sksec_b->peer_sid = sksec_a->sid;
4690 /* Range of port numbers used to automatically bind.
4691 Need to determine whether we should perform a name_bind
4692 permission check between the socket and the port number. */
4694 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4696 struct sock *sk = sock->sk;
4697 struct sk_security_struct *sksec = sk->sk_security;
4701 err = sock_has_perm(sk, SOCKET__BIND);
4705 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4706 family = sk->sk_family;
4707 if (family == PF_INET || family == PF_INET6) {
4709 struct common_audit_data ad;
4710 struct lsm_network_audit net = {0,};
4711 struct sockaddr_in *addr4 = NULL;
4712 struct sockaddr_in6 *addr6 = NULL;
4714 unsigned short snum;
4718 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4719 * that validates multiple binding addresses. Because of this
4720 * need to check address->sa_family as it is possible to have
4721 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4723 if (addrlen < offsetofend(struct sockaddr, sa_family))
4725 family_sa = address->sa_family;
4726 switch (family_sa) {
4729 if (addrlen < sizeof(struct sockaddr_in))
4731 addr4 = (struct sockaddr_in *)address;
4732 if (family_sa == AF_UNSPEC) {
4733 /* see __inet_bind(), we only want to allow
4734 * AF_UNSPEC if the address is INADDR_ANY
4736 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4738 family_sa = AF_INET;
4740 snum = ntohs(addr4->sin_port);
4741 addrp = (char *)&addr4->sin_addr.s_addr;
4744 if (addrlen < SIN6_LEN_RFC2133)
4746 addr6 = (struct sockaddr_in6 *)address;
4747 snum = ntohs(addr6->sin6_port);
4748 addrp = (char *)&addr6->sin6_addr.s6_addr;
4754 ad.type = LSM_AUDIT_DATA_NET;
4756 ad.u.net->sport = htons(snum);
4757 ad.u.net->family = family_sa;
4762 inet_get_local_port_range(sock_net(sk), &low, &high);
4764 if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4765 snum < low || snum > high) {
4766 err = sel_netport_sid(sk->sk_protocol,
4770 err = avc_has_perm(&selinux_state,
4773 SOCKET__NAME_BIND, &ad);
4779 switch (sksec->sclass) {
4780 case SECCLASS_TCP_SOCKET:
4781 node_perm = TCP_SOCKET__NODE_BIND;
4784 case SECCLASS_UDP_SOCKET:
4785 node_perm = UDP_SOCKET__NODE_BIND;
4788 case SECCLASS_DCCP_SOCKET:
4789 node_perm = DCCP_SOCKET__NODE_BIND;
4792 case SECCLASS_SCTP_SOCKET:
4793 node_perm = SCTP_SOCKET__NODE_BIND;
4797 node_perm = RAWIP_SOCKET__NODE_BIND;
4801 err = sel_netnode_sid(addrp, family_sa, &sid);
4805 if (family_sa == AF_INET)
4806 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4808 ad.u.net->v6info.saddr = addr6->sin6_addr;
4810 err = avc_has_perm(&selinux_state,
4812 sksec->sclass, node_perm, &ad);
4819 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4820 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4822 return -EAFNOSUPPORT;
4825 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4826 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4828 static int selinux_socket_connect_helper(struct socket *sock,
4829 struct sockaddr *address, int addrlen)
4831 struct sock *sk = sock->sk;
4832 struct sk_security_struct *sksec = sk->sk_security;
4835 err = sock_has_perm(sk, SOCKET__CONNECT);
4838 if (addrlen < offsetofend(struct sockaddr, sa_family))
4841 /* connect(AF_UNSPEC) has special handling, as it is a documented
4842 * way to disconnect the socket
4844 if (address->sa_family == AF_UNSPEC)
4848 * If a TCP, DCCP or SCTP socket, check name_connect permission
4851 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4852 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4853 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4854 struct common_audit_data ad;
4855 struct lsm_network_audit net = {0,};
4856 struct sockaddr_in *addr4 = NULL;
4857 struct sockaddr_in6 *addr6 = NULL;
4858 unsigned short snum;
4861 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4862 * that validates multiple connect addresses. Because of this
4863 * need to check address->sa_family as it is possible to have
4864 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4866 switch (address->sa_family) {
4868 addr4 = (struct sockaddr_in *)address;
4869 if (addrlen < sizeof(struct sockaddr_in))
4871 snum = ntohs(addr4->sin_port);
4874 addr6 = (struct sockaddr_in6 *)address;
4875 if (addrlen < SIN6_LEN_RFC2133)
4877 snum = ntohs(addr6->sin6_port);
4880 /* Note that SCTP services expect -EINVAL, whereas
4881 * others expect -EAFNOSUPPORT.
4883 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4886 return -EAFNOSUPPORT;
4889 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4893 switch (sksec->sclass) {
4894 case SECCLASS_TCP_SOCKET:
4895 perm = TCP_SOCKET__NAME_CONNECT;
4897 case SECCLASS_DCCP_SOCKET:
4898 perm = DCCP_SOCKET__NAME_CONNECT;
4900 case SECCLASS_SCTP_SOCKET:
4901 perm = SCTP_SOCKET__NAME_CONNECT;
4905 ad.type = LSM_AUDIT_DATA_NET;
4907 ad.u.net->dport = htons(snum);
4908 ad.u.net->family = address->sa_family;
4909 err = avc_has_perm(&selinux_state,
4910 sksec->sid, sid, sksec->sclass, perm, &ad);
4918 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4919 static int selinux_socket_connect(struct socket *sock,
4920 struct sockaddr *address, int addrlen)
4923 struct sock *sk = sock->sk;
4925 err = selinux_socket_connect_helper(sock, address, addrlen);
4929 return selinux_netlbl_socket_connect(sk, address);
4932 static int selinux_socket_listen(struct socket *sock, int backlog)
4934 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4937 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4940 struct inode_security_struct *isec;
4941 struct inode_security_struct *newisec;
4945 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4949 isec = inode_security_novalidate(SOCK_INODE(sock));
4950 spin_lock(&isec->lock);
4951 sclass = isec->sclass;
4953 spin_unlock(&isec->lock);
4955 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4956 newisec->sclass = sclass;
4958 newisec->initialized = LABEL_INITIALIZED;
4963 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4966 return sock_has_perm(sock->sk, SOCKET__WRITE);
4969 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4970 int size, int flags)
4972 return sock_has_perm(sock->sk, SOCKET__READ);
4975 static int selinux_socket_getsockname(struct socket *sock)
4977 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4980 static int selinux_socket_getpeername(struct socket *sock)
4982 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4985 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4989 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4993 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4996 static int selinux_socket_getsockopt(struct socket *sock, int level,
4999 return sock_has_perm(sock->sk, SOCKET__GETOPT);
5002 static int selinux_socket_shutdown(struct socket *sock, int how)
5004 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
5007 static int selinux_socket_unix_stream_connect(struct sock *sock,
5011 struct sk_security_struct *sksec_sock = sock->sk_security;
5012 struct sk_security_struct *sksec_other = other->sk_security;
5013 struct sk_security_struct *sksec_new = newsk->sk_security;
5014 struct common_audit_data ad;
5015 struct lsm_network_audit net = {0,};
5018 ad.type = LSM_AUDIT_DATA_NET;
5020 ad.u.net->sk = other;
5022 err = avc_has_perm(&selinux_state,
5023 sksec_sock->sid, sksec_other->sid,
5024 sksec_other->sclass,
5025 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
5029 /* server child socket */
5030 sksec_new->peer_sid = sksec_sock->sid;
5031 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
5032 sksec_sock->sid, &sksec_new->sid);
5036 /* connecting socket */
5037 sksec_sock->peer_sid = sksec_new->sid;
5042 static int selinux_socket_unix_may_send(struct socket *sock,
5043 struct socket *other)
5045 struct sk_security_struct *ssec = sock->sk->sk_security;
5046 struct sk_security_struct *osec = other->sk->sk_security;
5047 struct common_audit_data ad;
5048 struct lsm_network_audit net = {0,};
5050 ad.type = LSM_AUDIT_DATA_NET;
5052 ad.u.net->sk = other->sk;
5054 return avc_has_perm(&selinux_state,
5055 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5059 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5060 char *addrp, u16 family, u32 peer_sid,
5061 struct common_audit_data *ad)
5067 err = sel_netif_sid(ns, ifindex, &if_sid);
5070 err = avc_has_perm(&selinux_state,
5072 SECCLASS_NETIF, NETIF__INGRESS, ad);
5076 err = sel_netnode_sid(addrp, family, &node_sid);
5079 return avc_has_perm(&selinux_state,
5081 SECCLASS_NODE, NODE__RECVFROM, ad);
5084 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5088 struct sk_security_struct *sksec = sk->sk_security;
5089 u32 sk_sid = sksec->sid;
5090 struct common_audit_data ad;
5091 struct lsm_network_audit net = {0,};
5094 ad.type = LSM_AUDIT_DATA_NET;
5096 ad.u.net->netif = skb->skb_iif;
5097 ad.u.net->family = family;
5098 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5102 if (selinux_secmark_enabled()) {
5103 err = avc_has_perm(&selinux_state,
5104 sk_sid, skb->secmark, SECCLASS_PACKET,
5110 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5113 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5118 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5121 struct sk_security_struct *sksec = sk->sk_security;
5122 u16 family = sk->sk_family;
5123 u32 sk_sid = sksec->sid;
5124 struct common_audit_data ad;
5125 struct lsm_network_audit net = {0,};
5130 if (family != PF_INET && family != PF_INET6)
5133 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5134 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5137 /* If any sort of compatibility mode is enabled then handoff processing
5138 * to the selinux_sock_rcv_skb_compat() function to deal with the
5139 * special handling. We do this in an attempt to keep this function
5140 * as fast and as clean as possible. */
5141 if (!selinux_policycap_netpeer())
5142 return selinux_sock_rcv_skb_compat(sk, skb, family);
5144 secmark_active = selinux_secmark_enabled();
5145 peerlbl_active = selinux_peerlbl_enabled();
5146 if (!secmark_active && !peerlbl_active)
5149 ad.type = LSM_AUDIT_DATA_NET;
5151 ad.u.net->netif = skb->skb_iif;
5152 ad.u.net->family = family;
5153 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5157 if (peerlbl_active) {
5160 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5163 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5164 addrp, family, peer_sid, &ad);
5166 selinux_netlbl_err(skb, family, err, 0);
5169 err = avc_has_perm(&selinux_state,
5170 sk_sid, peer_sid, SECCLASS_PEER,
5173 selinux_netlbl_err(skb, family, err, 0);
5178 if (secmark_active) {
5179 err = avc_has_perm(&selinux_state,
5180 sk_sid, skb->secmark, SECCLASS_PACKET,
5189 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5190 int __user *optlen, unsigned len)
5195 struct sk_security_struct *sksec = sock->sk->sk_security;
5196 u32 peer_sid = SECSID_NULL;
5198 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5199 sksec->sclass == SECCLASS_TCP_SOCKET ||
5200 sksec->sclass == SECCLASS_SCTP_SOCKET)
5201 peer_sid = sksec->peer_sid;
5202 if (peer_sid == SECSID_NULL)
5203 return -ENOPROTOOPT;
5205 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5210 if (scontext_len > len) {
5215 if (copy_to_user(optval, scontext, scontext_len))
5219 if (put_user(scontext_len, optlen))
5225 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5227 u32 peer_secid = SECSID_NULL;
5229 struct inode_security_struct *isec;
5231 if (skb && skb->protocol == htons(ETH_P_IP))
5233 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5236 family = sock->sk->sk_family;
5240 if (sock && family == PF_UNIX) {
5241 isec = inode_security_novalidate(SOCK_INODE(sock));
5242 peer_secid = isec->sid;
5244 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5247 *secid = peer_secid;
5248 if (peer_secid == SECSID_NULL)
5253 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5255 struct sk_security_struct *sksec;
5257 sksec = kzalloc(sizeof(*sksec), priority);
5261 sksec->peer_sid = SECINITSID_UNLABELED;
5262 sksec->sid = SECINITSID_UNLABELED;
5263 sksec->sclass = SECCLASS_SOCKET;
5264 selinux_netlbl_sk_security_reset(sksec);
5265 sk->sk_security = sksec;
5270 static void selinux_sk_free_security(struct sock *sk)
5272 struct sk_security_struct *sksec = sk->sk_security;
5274 sk->sk_security = NULL;
5275 selinux_netlbl_sk_security_free(sksec);
5279 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5281 struct sk_security_struct *sksec = sk->sk_security;
5282 struct sk_security_struct *newsksec = newsk->sk_security;
5284 newsksec->sid = sksec->sid;
5285 newsksec->peer_sid = sksec->peer_sid;
5286 newsksec->sclass = sksec->sclass;
5288 selinux_netlbl_sk_security_reset(newsksec);
5291 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5294 *secid = SECINITSID_ANY_SOCKET;
5296 struct sk_security_struct *sksec = sk->sk_security;
5298 *secid = sksec->sid;
5302 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5304 struct inode_security_struct *isec =
5305 inode_security_novalidate(SOCK_INODE(parent));
5306 struct sk_security_struct *sksec = sk->sk_security;
5308 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5309 sk->sk_family == PF_UNIX)
5310 isec->sid = sksec->sid;
5311 sksec->sclass = isec->sclass;
5315 * Determines peer_secid for the asoc and updates socket's peer label
5316 * if it's the first association on the socket.
5318 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5319 struct sk_buff *skb)
5321 struct sock *sk = asoc->base.sk;
5322 u16 family = sk->sk_family;
5323 struct sk_security_struct *sksec = sk->sk_security;
5324 struct common_audit_data ad;
5325 struct lsm_network_audit net = {0,};
5328 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5329 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5332 if (selinux_peerlbl_enabled()) {
5333 asoc->peer_secid = SECSID_NULL;
5335 /* This will return peer_sid = SECSID_NULL if there are
5336 * no peer labels, see security_net_peersid_resolve().
5338 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5342 if (asoc->peer_secid == SECSID_NULL)
5343 asoc->peer_secid = SECINITSID_UNLABELED;
5345 asoc->peer_secid = SECINITSID_UNLABELED;
5348 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5349 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5351 /* Here as first association on socket. As the peer SID
5352 * was allowed by peer recv (and the netif/node checks),
5353 * then it is approved by policy and used as the primary
5354 * peer SID for getpeercon(3).
5356 sksec->peer_sid = asoc->peer_secid;
5357 } else if (sksec->peer_sid != asoc->peer_secid) {
5358 /* Other association peer SIDs are checked to enforce
5359 * consistency among the peer SIDs.
5361 ad.type = LSM_AUDIT_DATA_NET;
5363 ad.u.net->sk = asoc->base.sk;
5364 err = avc_has_perm(&selinux_state,
5365 sksec->peer_sid, asoc->peer_secid,
5366 sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5374 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5375 * happens on an incoming connect(2), sctp_connectx(3) or
5376 * sctp_sendmsg(3) (with no association already present).
5378 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5379 struct sk_buff *skb)
5381 struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5385 if (!selinux_policycap_extsockclass())
5388 err = selinux_sctp_process_new_assoc(asoc, skb);
5392 /* Compute the MLS component for the connection and store
5393 * the information in asoc. This will be used by SCTP TCP type
5394 * sockets and peeled off connections as they cause a new
5395 * socket to be generated. selinux_sctp_sk_clone() will then
5396 * plug this into the new socket.
5398 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5402 asoc->secid = conn_sid;
5404 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5405 return selinux_netlbl_sctp_assoc_request(asoc, skb);
5408 /* Called when SCTP receives a COOKIE ACK chunk as the final
5409 * response to an association request (initited by us).
5411 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5412 struct sk_buff *skb)
5414 struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5416 if (!selinux_policycap_extsockclass())
5419 /* Inherit secid from the parent socket - this will be picked up
5420 * by selinux_sctp_sk_clone() if the association gets peeled off
5421 * into a new socket.
5423 asoc->secid = sksec->sid;
5425 return selinux_sctp_process_new_assoc(asoc, skb);
5428 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5429 * based on their @optname.
5431 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5432 struct sockaddr *address,
5435 int len, err = 0, walk_size = 0;
5437 struct sockaddr *addr;
5438 struct socket *sock;
5440 if (!selinux_policycap_extsockclass())
5443 /* Process one or more addresses that may be IPv4 or IPv6 */
5444 sock = sk->sk_socket;
5447 while (walk_size < addrlen) {
5448 if (walk_size + sizeof(sa_family_t) > addrlen)
5452 switch (addr->sa_family) {
5455 len = sizeof(struct sockaddr_in);
5458 len = sizeof(struct sockaddr_in6);
5464 if (walk_size + len > addrlen)
5470 case SCTP_PRIMARY_ADDR:
5471 case SCTP_SET_PEER_PRIMARY_ADDR:
5472 case SCTP_SOCKOPT_BINDX_ADD:
5473 err = selinux_socket_bind(sock, addr, len);
5475 /* Connect checks */
5476 case SCTP_SOCKOPT_CONNECTX:
5477 case SCTP_PARAM_SET_PRIMARY:
5478 case SCTP_PARAM_ADD_IP:
5479 case SCTP_SENDMSG_CONNECT:
5480 err = selinux_socket_connect_helper(sock, addr, len);
5484 /* As selinux_sctp_bind_connect() is called by the
5485 * SCTP protocol layer, the socket is already locked,
5486 * therefore selinux_netlbl_socket_connect_locked()
5487 * is called here. The situations handled are:
5488 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5489 * whenever a new IP address is added or when a new
5490 * primary address is selected.
5491 * Note that an SCTP connect(2) call happens before
5492 * the SCTP protocol layer and is handled via
5493 * selinux_socket_connect().
5495 err = selinux_netlbl_socket_connect_locked(sk, addr);
5509 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5510 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5513 struct sk_security_struct *sksec = sk->sk_security;
5514 struct sk_security_struct *newsksec = newsk->sk_security;
5516 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5517 * the non-sctp clone version.
5519 if (!selinux_policycap_extsockclass())
5520 return selinux_sk_clone_security(sk, newsk);
5522 newsksec->sid = asoc->secid;
5523 newsksec->peer_sid = asoc->peer_secid;
5524 newsksec->sclass = sksec->sclass;
5525 selinux_netlbl_sctp_sk_clone(sk, newsk);
5528 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5529 struct request_sock *req)
5531 struct sk_security_struct *sksec = sk->sk_security;
5533 u16 family = req->rsk_ops->family;
5537 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5540 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5543 req->secid = connsid;
5544 req->peer_secid = peersid;
5546 return selinux_netlbl_inet_conn_request(req, family);
5549 static void selinux_inet_csk_clone(struct sock *newsk,
5550 const struct request_sock *req)
5552 struct sk_security_struct *newsksec = newsk->sk_security;
5554 newsksec->sid = req->secid;
5555 newsksec->peer_sid = req->peer_secid;
5556 /* NOTE: Ideally, we should also get the isec->sid for the
5557 new socket in sync, but we don't have the isec available yet.
5558 So we will wait until sock_graft to do it, by which
5559 time it will have been created and available. */
5561 /* We don't need to take any sort of lock here as we are the only
5562 * thread with access to newsksec */
5563 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5566 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5568 u16 family = sk->sk_family;
5569 struct sk_security_struct *sksec = sk->sk_security;
5571 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5572 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5575 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5578 static int selinux_secmark_relabel_packet(u32 sid)
5580 const struct task_security_struct *__tsec;
5583 __tsec = selinux_cred(current_cred());
5586 return avc_has_perm(&selinux_state,
5587 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5591 static void selinux_secmark_refcount_inc(void)
5593 atomic_inc(&selinux_secmark_refcount);
5596 static void selinux_secmark_refcount_dec(void)
5598 atomic_dec(&selinux_secmark_refcount);
5601 static void selinux_req_classify_flow(const struct request_sock *req,
5602 struct flowi_common *flic)
5604 flic->flowic_secid = req->secid;
5607 static int selinux_tun_dev_alloc_security(void **security)
5609 struct tun_security_struct *tunsec;
5611 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5614 tunsec->sid = current_sid();
5620 static void selinux_tun_dev_free_security(void *security)
5625 static int selinux_tun_dev_create(void)
5627 u32 sid = current_sid();
5629 /* we aren't taking into account the "sockcreate" SID since the socket
5630 * that is being created here is not a socket in the traditional sense,
5631 * instead it is a private sock, accessible only to the kernel, and
5632 * representing a wide range of network traffic spanning multiple
5633 * connections unlike traditional sockets - check the TUN driver to
5634 * get a better understanding of why this socket is special */
5636 return avc_has_perm(&selinux_state,
5637 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5641 static int selinux_tun_dev_attach_queue(void *security)
5643 struct tun_security_struct *tunsec = security;
5645 return avc_has_perm(&selinux_state,
5646 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5647 TUN_SOCKET__ATTACH_QUEUE, NULL);
5650 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5652 struct tun_security_struct *tunsec = security;
5653 struct sk_security_struct *sksec = sk->sk_security;
5655 /* we don't currently perform any NetLabel based labeling here and it
5656 * isn't clear that we would want to do so anyway; while we could apply
5657 * labeling without the support of the TUN user the resulting labeled
5658 * traffic from the other end of the connection would almost certainly
5659 * cause confusion to the TUN user that had no idea network labeling
5660 * protocols were being used */
5662 sksec->sid = tunsec->sid;
5663 sksec->sclass = SECCLASS_TUN_SOCKET;
5668 static int selinux_tun_dev_open(void *security)
5670 struct tun_security_struct *tunsec = security;
5671 u32 sid = current_sid();
5674 err = avc_has_perm(&selinux_state,
5675 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5676 TUN_SOCKET__RELABELFROM, NULL);
5679 err = avc_has_perm(&selinux_state,
5680 sid, sid, SECCLASS_TUN_SOCKET,
5681 TUN_SOCKET__RELABELTO, NULL);
5689 #ifdef CONFIG_NETFILTER
5691 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5692 const struct nf_hook_state *state)
5698 struct common_audit_data ad;
5699 struct lsm_network_audit net = {0,};
5700 int secmark_active, peerlbl_active;
5702 if (!selinux_policycap_netpeer())
5705 secmark_active = selinux_secmark_enabled();
5706 peerlbl_active = selinux_peerlbl_enabled();
5707 if (!secmark_active && !peerlbl_active)
5711 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5714 ifindex = state->in->ifindex;
5715 ad.type = LSM_AUDIT_DATA_NET;
5717 ad.u.net->netif = ifindex;
5718 ad.u.net->family = family;
5719 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5722 if (peerlbl_active) {
5725 err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5726 addrp, family, peer_sid, &ad);
5728 selinux_netlbl_err(skb, family, err, 1);
5734 if (avc_has_perm(&selinux_state,
5735 peer_sid, skb->secmark,
5736 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5739 if (netlbl_enabled())
5740 /* we do this in the FORWARD path and not the POST_ROUTING
5741 * path because we want to make sure we apply the necessary
5742 * labeling before IPsec is applied so we can leverage AH
5744 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5750 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5751 const struct nf_hook_state *state)
5756 if (!netlbl_enabled())
5759 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5760 * because we want to make sure we apply the necessary labeling
5761 * before IPsec is applied so we can leverage AH protection */
5764 struct sk_security_struct *sksec;
5766 if (sk_listener(sk))
5767 /* if the socket is the listening state then this
5768 * packet is a SYN-ACK packet which means it needs to
5769 * be labeled based on the connection/request_sock and
5770 * not the parent socket. unfortunately, we can't
5771 * lookup the request_sock yet as it isn't queued on
5772 * the parent socket until after the SYN-ACK is sent.
5773 * the "solution" is to simply pass the packet as-is
5774 * as any IP option based labeling should be copied
5775 * from the initial connection request (in the IP
5776 * layer). it is far from ideal, but until we get a
5777 * security label in the packet itself this is the
5778 * best we can do. */
5781 /* standard practice, label using the parent socket */
5782 sksec = sk->sk_security;
5785 sid = SECINITSID_KERNEL;
5786 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5793 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5794 const struct nf_hook_state *state)
5797 struct sk_security_struct *sksec;
5798 struct common_audit_data ad;
5799 struct lsm_network_audit net = {0,};
5802 sk = skb_to_full_sk(skb);
5805 sksec = sk->sk_security;
5807 ad.type = LSM_AUDIT_DATA_NET;
5809 ad.u.net->netif = state->out->ifindex;
5810 ad.u.net->family = state->pf;
5811 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5814 if (selinux_secmark_enabled())
5815 if (avc_has_perm(&selinux_state,
5816 sksec->sid, skb->secmark,
5817 SECCLASS_PACKET, PACKET__SEND, &ad))
5818 return NF_DROP_ERR(-ECONNREFUSED);
5820 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5821 return NF_DROP_ERR(-ECONNREFUSED);
5826 static unsigned int selinux_ip_postroute(void *priv,
5827 struct sk_buff *skb,
5828 const struct nf_hook_state *state)
5835 struct common_audit_data ad;
5836 struct lsm_network_audit net = {0,};
5838 int secmark_active, peerlbl_active;
5840 /* If any sort of compatibility mode is enabled then handoff processing
5841 * to the selinux_ip_postroute_compat() function to deal with the
5842 * special handling. We do this in an attempt to keep this function
5843 * as fast and as clean as possible. */
5844 if (!selinux_policycap_netpeer())
5845 return selinux_ip_postroute_compat(skb, state);
5847 secmark_active = selinux_secmark_enabled();
5848 peerlbl_active = selinux_peerlbl_enabled();
5849 if (!secmark_active && !peerlbl_active)
5852 sk = skb_to_full_sk(skb);
5855 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5856 * packet transformation so allow the packet to pass without any checks
5857 * since we'll have another chance to perform access control checks
5858 * when the packet is on it's final way out.
5859 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5860 * is NULL, in this case go ahead and apply access control.
5861 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5862 * TCP listening state we cannot wait until the XFRM processing
5863 * is done as we will miss out on the SA label if we do;
5864 * unfortunately, this means more work, but it is only once per
5866 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5867 !(sk && sk_listener(sk)))
5873 /* Without an associated socket the packet is either coming
5874 * from the kernel or it is being forwarded; check the packet
5875 * to determine which and if the packet is being forwarded
5876 * query the packet directly to determine the security label. */
5878 secmark_perm = PACKET__FORWARD_OUT;
5879 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5882 secmark_perm = PACKET__SEND;
5883 peer_sid = SECINITSID_KERNEL;
5885 } else if (sk_listener(sk)) {
5886 /* Locally generated packet but the associated socket is in the
5887 * listening state which means this is a SYN-ACK packet. In
5888 * this particular case the correct security label is assigned
5889 * to the connection/request_sock but unfortunately we can't
5890 * query the request_sock as it isn't queued on the parent
5891 * socket until after the SYN-ACK packet is sent; the only
5892 * viable choice is to regenerate the label like we do in
5893 * selinux_inet_conn_request(). See also selinux_ip_output()
5894 * for similar problems. */
5896 struct sk_security_struct *sksec;
5898 sksec = sk->sk_security;
5899 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5901 /* At this point, if the returned skb peerlbl is SECSID_NULL
5902 * and the packet has been through at least one XFRM
5903 * transformation then we must be dealing with the "final"
5904 * form of labeled IPsec packet; since we've already applied
5905 * all of our access controls on this packet we can safely
5906 * pass the packet. */
5907 if (skb_sid == SECSID_NULL) {
5910 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5914 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5918 return NF_DROP_ERR(-ECONNREFUSED);
5921 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5923 secmark_perm = PACKET__SEND;
5925 /* Locally generated packet, fetch the security label from the
5926 * associated socket. */
5927 struct sk_security_struct *sksec = sk->sk_security;
5928 peer_sid = sksec->sid;
5929 secmark_perm = PACKET__SEND;
5932 ifindex = state->out->ifindex;
5933 ad.type = LSM_AUDIT_DATA_NET;
5935 ad.u.net->netif = ifindex;
5936 ad.u.net->family = family;
5937 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5941 if (avc_has_perm(&selinux_state,
5942 peer_sid, skb->secmark,
5943 SECCLASS_PACKET, secmark_perm, &ad))
5944 return NF_DROP_ERR(-ECONNREFUSED);
5946 if (peerlbl_active) {
5950 if (sel_netif_sid(state->net, ifindex, &if_sid))
5952 if (avc_has_perm(&selinux_state,
5954 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5955 return NF_DROP_ERR(-ECONNREFUSED);
5957 if (sel_netnode_sid(addrp, family, &node_sid))
5959 if (avc_has_perm(&selinux_state,
5961 SECCLASS_NODE, NODE__SENDTO, &ad))
5962 return NF_DROP_ERR(-ECONNREFUSED);
5967 #endif /* CONFIG_NETFILTER */
5969 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5972 unsigned int msg_len;
5973 unsigned int data_len = skb->len;
5974 unsigned char *data = skb->data;
5975 struct nlmsghdr *nlh;
5976 struct sk_security_struct *sksec = sk->sk_security;
5977 u16 sclass = sksec->sclass;
5980 while (data_len >= nlmsg_total_size(0)) {
5981 nlh = (struct nlmsghdr *)data;
5983 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5984 * users which means we can't reject skb's with bogus
5985 * length fields; our solution is to follow what
5986 * netlink_rcv_skb() does and simply skip processing at
5987 * messages with length fields that are clearly junk
5989 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5992 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5994 rc = sock_has_perm(sk, perm);
5997 } else if (rc == -EINVAL) {
5998 /* -EINVAL is a missing msg/perm mapping */
5999 pr_warn_ratelimited("SELinux: unrecognized netlink"
6000 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
6001 " pid=%d comm=%s\n",
6002 sk->sk_protocol, nlh->nlmsg_type,
6003 secclass_map[sclass - 1].name,
6004 task_pid_nr(current), current->comm);
6005 if (enforcing_enabled(&selinux_state) &&
6006 !security_get_allow_unknown(&selinux_state))
6009 } else if (rc == -ENOENT) {
6010 /* -ENOENT is a missing socket/class mapping, ignore */
6016 /* move to the next message after applying netlink padding */
6017 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
6018 if (msg_len >= data_len)
6020 data_len -= msg_len;
6027 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
6029 isec->sclass = sclass;
6030 isec->sid = current_sid();
6033 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
6036 struct ipc_security_struct *isec;
6037 struct common_audit_data ad;
6038 u32 sid = current_sid();
6040 isec = selinux_ipc(ipc_perms);
6042 ad.type = LSM_AUDIT_DATA_IPC;
6043 ad.u.ipc_id = ipc_perms->key;
6045 return avc_has_perm(&selinux_state,
6046 sid, isec->sid, isec->sclass, perms, &ad);
6049 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6051 struct msg_security_struct *msec;
6053 msec = selinux_msg_msg(msg);
6054 msec->sid = SECINITSID_UNLABELED;
6059 /* message queue security operations */
6060 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6062 struct ipc_security_struct *isec;
6063 struct common_audit_data ad;
6064 u32 sid = current_sid();
6067 isec = selinux_ipc(msq);
6068 ipc_init_security(isec, SECCLASS_MSGQ);
6070 ad.type = LSM_AUDIT_DATA_IPC;
6071 ad.u.ipc_id = msq->key;
6073 rc = avc_has_perm(&selinux_state,
6074 sid, isec->sid, SECCLASS_MSGQ,
6079 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6081 struct ipc_security_struct *isec;
6082 struct common_audit_data ad;
6083 u32 sid = current_sid();
6085 isec = selinux_ipc(msq);
6087 ad.type = LSM_AUDIT_DATA_IPC;
6088 ad.u.ipc_id = msq->key;
6090 return avc_has_perm(&selinux_state,
6091 sid, isec->sid, SECCLASS_MSGQ,
6092 MSGQ__ASSOCIATE, &ad);
6095 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6103 /* No specific object, just general system-wide information. */
6104 return avc_has_perm(&selinux_state,
6105 current_sid(), SECINITSID_KERNEL,
6106 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6110 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6113 perms = MSGQ__SETATTR;
6116 perms = MSGQ__DESTROY;
6122 err = ipc_has_perm(msq, perms);
6126 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6128 struct ipc_security_struct *isec;
6129 struct msg_security_struct *msec;
6130 struct common_audit_data ad;
6131 u32 sid = current_sid();
6134 isec = selinux_ipc(msq);
6135 msec = selinux_msg_msg(msg);
6138 * First time through, need to assign label to the message
6140 if (msec->sid == SECINITSID_UNLABELED) {
6142 * Compute new sid based on current process and
6143 * message queue this message will be stored in
6145 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6146 SECCLASS_MSG, NULL, &msec->sid);
6151 ad.type = LSM_AUDIT_DATA_IPC;
6152 ad.u.ipc_id = msq->key;
6154 /* Can this process write to the queue? */
6155 rc = avc_has_perm(&selinux_state,
6156 sid, isec->sid, SECCLASS_MSGQ,
6159 /* Can this process send the message */
6160 rc = avc_has_perm(&selinux_state,
6161 sid, msec->sid, SECCLASS_MSG,
6164 /* Can the message be put in the queue? */
6165 rc = avc_has_perm(&selinux_state,
6166 msec->sid, isec->sid, SECCLASS_MSGQ,
6167 MSGQ__ENQUEUE, &ad);
6172 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6173 struct task_struct *target,
6174 long type, int mode)
6176 struct ipc_security_struct *isec;
6177 struct msg_security_struct *msec;
6178 struct common_audit_data ad;
6179 u32 sid = task_sid_obj(target);
6182 isec = selinux_ipc(msq);
6183 msec = selinux_msg_msg(msg);
6185 ad.type = LSM_AUDIT_DATA_IPC;
6186 ad.u.ipc_id = msq->key;
6188 rc = avc_has_perm(&selinux_state,
6190 SECCLASS_MSGQ, MSGQ__READ, &ad);
6192 rc = avc_has_perm(&selinux_state,
6194 SECCLASS_MSG, MSG__RECEIVE, &ad);
6198 /* Shared Memory security operations */
6199 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6201 struct ipc_security_struct *isec;
6202 struct common_audit_data ad;
6203 u32 sid = current_sid();
6206 isec = selinux_ipc(shp);
6207 ipc_init_security(isec, SECCLASS_SHM);
6209 ad.type = LSM_AUDIT_DATA_IPC;
6210 ad.u.ipc_id = shp->key;
6212 rc = avc_has_perm(&selinux_state,
6213 sid, isec->sid, SECCLASS_SHM,
6218 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6220 struct ipc_security_struct *isec;
6221 struct common_audit_data ad;
6222 u32 sid = current_sid();
6224 isec = selinux_ipc(shp);
6226 ad.type = LSM_AUDIT_DATA_IPC;
6227 ad.u.ipc_id = shp->key;
6229 return avc_has_perm(&selinux_state,
6230 sid, isec->sid, SECCLASS_SHM,
6231 SHM__ASSOCIATE, &ad);
6234 /* Note, at this point, shp is locked down */
6235 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6243 /* No specific object, just general system-wide information. */
6244 return avc_has_perm(&selinux_state,
6245 current_sid(), SECINITSID_KERNEL,
6246 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6250 perms = SHM__GETATTR | SHM__ASSOCIATE;
6253 perms = SHM__SETATTR;
6260 perms = SHM__DESTROY;
6266 err = ipc_has_perm(shp, perms);
6270 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6271 char __user *shmaddr, int shmflg)
6275 if (shmflg & SHM_RDONLY)
6278 perms = SHM__READ | SHM__WRITE;
6280 return ipc_has_perm(shp, perms);
6283 /* Semaphore security operations */
6284 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6286 struct ipc_security_struct *isec;
6287 struct common_audit_data ad;
6288 u32 sid = current_sid();
6291 isec = selinux_ipc(sma);
6292 ipc_init_security(isec, SECCLASS_SEM);
6294 ad.type = LSM_AUDIT_DATA_IPC;
6295 ad.u.ipc_id = sma->key;
6297 rc = avc_has_perm(&selinux_state,
6298 sid, isec->sid, SECCLASS_SEM,
6303 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6305 struct ipc_security_struct *isec;
6306 struct common_audit_data ad;
6307 u32 sid = current_sid();
6309 isec = selinux_ipc(sma);
6311 ad.type = LSM_AUDIT_DATA_IPC;
6312 ad.u.ipc_id = sma->key;
6314 return avc_has_perm(&selinux_state,
6315 sid, isec->sid, SECCLASS_SEM,
6316 SEM__ASSOCIATE, &ad);
6319 /* Note, at this point, sma is locked down */
6320 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6328 /* No specific object, just general system-wide information. */
6329 return avc_has_perm(&selinux_state,
6330 current_sid(), SECINITSID_KERNEL,
6331 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6335 perms = SEM__GETATTR;
6346 perms = SEM__DESTROY;
6349 perms = SEM__SETATTR;
6354 perms = SEM__GETATTR | SEM__ASSOCIATE;
6360 err = ipc_has_perm(sma, perms);
6364 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6365 struct sembuf *sops, unsigned nsops, int alter)
6370 perms = SEM__READ | SEM__WRITE;
6374 return ipc_has_perm(sma, perms);
6377 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6383 av |= IPC__UNIX_READ;
6385 av |= IPC__UNIX_WRITE;
6390 return ipc_has_perm(ipcp, av);
6393 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6395 struct ipc_security_struct *isec = selinux_ipc(ipcp);
6399 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6402 inode_doinit_with_dentry(inode, dentry);
6405 static int selinux_getprocattr(struct task_struct *p,
6406 char *name, char **value)
6408 const struct task_security_struct *__tsec;
6414 __tsec = selinux_cred(__task_cred(p));
6417 error = avc_has_perm(&selinux_state,
6418 current_sid(), __tsec->sid,
6419 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6424 if (!strcmp(name, "current"))
6426 else if (!strcmp(name, "prev"))
6428 else if (!strcmp(name, "exec"))
6429 sid = __tsec->exec_sid;
6430 else if (!strcmp(name, "fscreate"))
6431 sid = __tsec->create_sid;
6432 else if (!strcmp(name, "keycreate"))
6433 sid = __tsec->keycreate_sid;
6434 else if (!strcmp(name, "sockcreate"))
6435 sid = __tsec->sockcreate_sid;
6445 error = security_sid_to_context(&selinux_state, sid, value, &len);
6455 static int selinux_setprocattr(const char *name, void *value, size_t size)
6457 struct task_security_struct *tsec;
6459 u32 mysid = current_sid(), sid = 0, ptsid;
6464 * Basic control over ability to set these attributes at all.
6466 if (!strcmp(name, "exec"))
6467 error = avc_has_perm(&selinux_state,
6468 mysid, mysid, SECCLASS_PROCESS,
6469 PROCESS__SETEXEC, NULL);
6470 else if (!strcmp(name, "fscreate"))
6471 error = avc_has_perm(&selinux_state,
6472 mysid, mysid, SECCLASS_PROCESS,
6473 PROCESS__SETFSCREATE, NULL);
6474 else if (!strcmp(name, "keycreate"))
6475 error = avc_has_perm(&selinux_state,
6476 mysid, mysid, SECCLASS_PROCESS,
6477 PROCESS__SETKEYCREATE, NULL);
6478 else if (!strcmp(name, "sockcreate"))
6479 error = avc_has_perm(&selinux_state,
6480 mysid, mysid, SECCLASS_PROCESS,
6481 PROCESS__SETSOCKCREATE, NULL);
6482 else if (!strcmp(name, "current"))
6483 error = avc_has_perm(&selinux_state,
6484 mysid, mysid, SECCLASS_PROCESS,
6485 PROCESS__SETCURRENT, NULL);
6491 /* Obtain a SID for the context, if one was specified. */
6492 if (size && str[0] && str[0] != '\n') {
6493 if (str[size-1] == '\n') {
6497 error = security_context_to_sid(&selinux_state, value, size,
6499 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6500 if (!has_cap_mac_admin(true)) {
6501 struct audit_buffer *ab;
6504 /* We strip a nul only if it is at the end, otherwise the
6505 * context contains a nul and we should audit that */
6506 if (str[size - 1] == '\0')
6507 audit_size = size - 1;
6510 ab = audit_log_start(audit_context(),
6515 audit_log_format(ab, "op=fscreate invalid_context=");
6516 audit_log_n_untrustedstring(ab, value, audit_size);
6521 error = security_context_to_sid_force(
6529 new = prepare_creds();
6533 /* Permission checking based on the specified context is
6534 performed during the actual operation (execve,
6535 open/mkdir/...), when we know the full context of the
6536 operation. See selinux_bprm_creds_for_exec for the execve
6537 checks and may_create for the file creation checks. The
6538 operation will then fail if the context is not permitted. */
6539 tsec = selinux_cred(new);
6540 if (!strcmp(name, "exec")) {
6541 tsec->exec_sid = sid;
6542 } else if (!strcmp(name, "fscreate")) {
6543 tsec->create_sid = sid;
6544 } else if (!strcmp(name, "keycreate")) {
6546 error = avc_has_perm(&selinux_state, mysid, sid,
6547 SECCLASS_KEY, KEY__CREATE, NULL);
6551 tsec->keycreate_sid = sid;
6552 } else if (!strcmp(name, "sockcreate")) {
6553 tsec->sockcreate_sid = sid;
6554 } else if (!strcmp(name, "current")) {
6559 /* Only allow single threaded processes to change context */
6561 if (!current_is_single_threaded()) {
6562 error = security_bounded_transition(&selinux_state,
6568 /* Check permissions for the transition. */
6569 error = avc_has_perm(&selinux_state,
6570 tsec->sid, sid, SECCLASS_PROCESS,
6571 PROCESS__DYNTRANSITION, NULL);
6575 /* Check for ptracing, and update the task SID if ok.
6576 Otherwise, leave SID unchanged and fail. */
6577 ptsid = ptrace_parent_sid();
6579 error = avc_has_perm(&selinux_state,
6580 ptsid, sid, SECCLASS_PROCESS,
6581 PROCESS__PTRACE, NULL);
6600 static int selinux_ismaclabel(const char *name)
6602 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6605 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6607 return security_sid_to_context(&selinux_state, secid,
6611 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6613 return security_context_to_sid(&selinux_state, secdata, seclen,
6617 static void selinux_release_secctx(char *secdata, u32 seclen)
6622 static void selinux_inode_invalidate_secctx(struct inode *inode)
6624 struct inode_security_struct *isec = selinux_inode(inode);
6626 spin_lock(&isec->lock);
6627 isec->initialized = LABEL_INVALID;
6628 spin_unlock(&isec->lock);
6632 * called with inode->i_mutex locked
6634 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6636 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6638 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6639 return rc == -EOPNOTSUPP ? 0 : rc;
6643 * called with inode->i_mutex locked
6645 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6647 return __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_SELINUX,
6651 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6654 len = selinux_inode_getsecurity(&init_user_ns, inode,
6655 XATTR_SELINUX_SUFFIX, ctx, true);
6663 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6664 unsigned long flags)
6666 const struct task_security_struct *tsec;
6667 struct key_security_struct *ksec;
6669 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6673 tsec = selinux_cred(cred);
6674 if (tsec->keycreate_sid)
6675 ksec->sid = tsec->keycreate_sid;
6677 ksec->sid = tsec->sid;
6683 static void selinux_key_free(struct key *k)
6685 struct key_security_struct *ksec = k->security;
6691 static int selinux_key_permission(key_ref_t key_ref,
6692 const struct cred *cred,
6693 enum key_need_perm need_perm)
6696 struct key_security_struct *ksec;
6699 switch (need_perm) {
6706 case KEY_NEED_WRITE:
6709 case KEY_NEED_SEARCH:
6715 case KEY_NEED_SETATTR:
6716 perm = KEY__SETATTR;
6718 case KEY_NEED_UNLINK:
6719 case KEY_SYSADMIN_OVERRIDE:
6720 case KEY_AUTHTOKEN_OVERRIDE:
6721 case KEY_DEFER_PERM_CHECK:
6729 sid = cred_sid(cred);
6730 key = key_ref_to_ptr(key_ref);
6731 ksec = key->security;
6733 return avc_has_perm(&selinux_state,
6734 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6737 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6739 struct key_security_struct *ksec = key->security;
6740 char *context = NULL;
6744 rc = security_sid_to_context(&selinux_state, ksec->sid,
6752 #ifdef CONFIG_KEY_NOTIFICATIONS
6753 static int selinux_watch_key(struct key *key)
6755 struct key_security_struct *ksec = key->security;
6756 u32 sid = current_sid();
6758 return avc_has_perm(&selinux_state,
6759 sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6764 #ifdef CONFIG_SECURITY_INFINIBAND
6765 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6767 struct common_audit_data ad;
6770 struct ib_security_struct *sec = ib_sec;
6771 struct lsm_ibpkey_audit ibpkey;
6773 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6777 ad.type = LSM_AUDIT_DATA_IBPKEY;
6778 ibpkey.subnet_prefix = subnet_prefix;
6779 ibpkey.pkey = pkey_val;
6780 ad.u.ibpkey = &ibpkey;
6781 return avc_has_perm(&selinux_state,
6783 SECCLASS_INFINIBAND_PKEY,
6784 INFINIBAND_PKEY__ACCESS, &ad);
6787 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6790 struct common_audit_data ad;
6793 struct ib_security_struct *sec = ib_sec;
6794 struct lsm_ibendport_audit ibendport;
6796 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6802 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6803 ibendport.dev_name = dev_name;
6804 ibendport.port = port_num;
6805 ad.u.ibendport = &ibendport;
6806 return avc_has_perm(&selinux_state,
6808 SECCLASS_INFINIBAND_ENDPORT,
6809 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6812 static int selinux_ib_alloc_security(void **ib_sec)
6814 struct ib_security_struct *sec;
6816 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6819 sec->sid = current_sid();
6825 static void selinux_ib_free_security(void *ib_sec)
6831 #ifdef CONFIG_BPF_SYSCALL
6832 static int selinux_bpf(int cmd, union bpf_attr *attr,
6835 u32 sid = current_sid();
6839 case BPF_MAP_CREATE:
6840 ret = avc_has_perm(&selinux_state,
6841 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6845 ret = avc_has_perm(&selinux_state,
6846 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6857 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6861 if (fmode & FMODE_READ)
6862 av |= BPF__MAP_READ;
6863 if (fmode & FMODE_WRITE)
6864 av |= BPF__MAP_WRITE;
6868 /* This function will check the file pass through unix socket or binder to see
6869 * if it is a bpf related object. And apply correspinding checks on the bpf
6870 * object based on the type. The bpf maps and programs, not like other files and
6871 * socket, are using a shared anonymous inode inside the kernel as their inode.
6872 * So checking that inode cannot identify if the process have privilege to
6873 * access the bpf object and that's why we have to add this additional check in
6874 * selinux_file_receive and selinux_binder_transfer_files.
6876 static int bpf_fd_pass(struct file *file, u32 sid)
6878 struct bpf_security_struct *bpfsec;
6879 struct bpf_prog *prog;
6880 struct bpf_map *map;
6883 if (file->f_op == &bpf_map_fops) {
6884 map = file->private_data;
6885 bpfsec = map->security;
6886 ret = avc_has_perm(&selinux_state,
6887 sid, bpfsec->sid, SECCLASS_BPF,
6888 bpf_map_fmode_to_av(file->f_mode), NULL);
6891 } else if (file->f_op == &bpf_prog_fops) {
6892 prog = file->private_data;
6893 bpfsec = prog->aux->security;
6894 ret = avc_has_perm(&selinux_state,
6895 sid, bpfsec->sid, SECCLASS_BPF,
6896 BPF__PROG_RUN, NULL);
6903 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6905 u32 sid = current_sid();
6906 struct bpf_security_struct *bpfsec;
6908 bpfsec = map->security;
6909 return avc_has_perm(&selinux_state,
6910 sid, bpfsec->sid, SECCLASS_BPF,
6911 bpf_map_fmode_to_av(fmode), NULL);
6914 static int selinux_bpf_prog(struct bpf_prog *prog)
6916 u32 sid = current_sid();
6917 struct bpf_security_struct *bpfsec;
6919 bpfsec = prog->aux->security;
6920 return avc_has_perm(&selinux_state,
6921 sid, bpfsec->sid, SECCLASS_BPF,
6922 BPF__PROG_RUN, NULL);
6925 static int selinux_bpf_map_alloc(struct bpf_map *map)
6927 struct bpf_security_struct *bpfsec;
6929 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6933 bpfsec->sid = current_sid();
6934 map->security = bpfsec;
6939 static void selinux_bpf_map_free(struct bpf_map *map)
6941 struct bpf_security_struct *bpfsec = map->security;
6943 map->security = NULL;
6947 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6949 struct bpf_security_struct *bpfsec;
6951 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6955 bpfsec->sid = current_sid();
6956 aux->security = bpfsec;
6961 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6963 struct bpf_security_struct *bpfsec = aux->security;
6965 aux->security = NULL;
6970 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6971 .lbs_cred = sizeof(struct task_security_struct),
6972 .lbs_file = sizeof(struct file_security_struct),
6973 .lbs_inode = sizeof(struct inode_security_struct),
6974 .lbs_ipc = sizeof(struct ipc_security_struct),
6975 .lbs_msg_msg = sizeof(struct msg_security_struct),
6976 .lbs_superblock = sizeof(struct superblock_security_struct),
6979 #ifdef CONFIG_PERF_EVENTS
6980 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6982 u32 requested, sid = current_sid();
6984 if (type == PERF_SECURITY_OPEN)
6985 requested = PERF_EVENT__OPEN;
6986 else if (type == PERF_SECURITY_CPU)
6987 requested = PERF_EVENT__CPU;
6988 else if (type == PERF_SECURITY_KERNEL)
6989 requested = PERF_EVENT__KERNEL;
6990 else if (type == PERF_SECURITY_TRACEPOINT)
6991 requested = PERF_EVENT__TRACEPOINT;
6995 return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6999 static int selinux_perf_event_alloc(struct perf_event *event)
7001 struct perf_event_security_struct *perfsec;
7003 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
7007 perfsec->sid = current_sid();
7008 event->security = perfsec;
7013 static void selinux_perf_event_free(struct perf_event *event)
7015 struct perf_event_security_struct *perfsec = event->security;
7017 event->security = NULL;
7021 static int selinux_perf_event_read(struct perf_event *event)
7023 struct perf_event_security_struct *perfsec = event->security;
7024 u32 sid = current_sid();
7026 return avc_has_perm(&selinux_state, sid, perfsec->sid,
7027 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
7030 static int selinux_perf_event_write(struct perf_event *event)
7032 struct perf_event_security_struct *perfsec = event->security;
7033 u32 sid = current_sid();
7035 return avc_has_perm(&selinux_state, sid, perfsec->sid,
7036 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
7040 #ifdef CONFIG_IO_URING
7042 * selinux_uring_override_creds - check the requested cred override
7043 * @new: the target creds
7045 * Check to see if the current task is allowed to override it's credentials
7046 * to service an io_uring operation.
7048 static int selinux_uring_override_creds(const struct cred *new)
7050 return avc_has_perm(&selinux_state, current_sid(), cred_sid(new),
7051 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
7055 * selinux_uring_sqpoll - check if a io_uring polling thread can be created
7057 * Check to see if the current task is allowed to create a new io_uring
7058 * kernel polling thread.
7060 static int selinux_uring_sqpoll(void)
7062 int sid = current_sid();
7064 return avc_has_perm(&selinux_state, sid, sid,
7065 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
7067 #endif /* CONFIG_IO_URING */
7070 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
7071 * 1. any hooks that don't belong to (2.) or (3.) below,
7072 * 2. hooks that both access structures allocated by other hooks, and allocate
7073 * structures that can be later accessed by other hooks (mostly "cloning"
7075 * 3. hooks that only allocate structures that can be later accessed by other
7076 * hooks ("allocating" hooks).
7078 * Please follow block comment delimiters in the list to keep this order.
7080 * This ordering is needed for SELinux runtime disable to work at least somewhat
7081 * safely. Breaking the ordering rules above might lead to NULL pointer derefs
7082 * when disabling SELinux at runtime.
7084 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
7085 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7086 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7087 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7088 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7090 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7091 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7092 LSM_HOOK_INIT(capget, selinux_capget),
7093 LSM_HOOK_INIT(capset, selinux_capset),
7094 LSM_HOOK_INIT(capable, selinux_capable),
7095 LSM_HOOK_INIT(quotactl, selinux_quotactl),
7096 LSM_HOOK_INIT(quota_on, selinux_quota_on),
7097 LSM_HOOK_INIT(syslog, selinux_syslog),
7098 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7100 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7102 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7103 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7104 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7106 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7107 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7108 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7109 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7110 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7111 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7112 LSM_HOOK_INIT(sb_mount, selinux_mount),
7113 LSM_HOOK_INIT(sb_umount, selinux_umount),
7114 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7115 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7117 LSM_HOOK_INIT(move_mount, selinux_move_mount),
7119 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7120 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7122 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7123 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7124 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7125 LSM_HOOK_INIT(inode_create, selinux_inode_create),
7126 LSM_HOOK_INIT(inode_link, selinux_inode_link),
7127 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7128 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7129 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7130 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7131 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7132 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7133 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7134 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7135 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7136 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7137 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7138 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7139 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7140 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7141 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7142 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7143 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7144 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7145 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7146 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7147 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7148 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7149 LSM_HOOK_INIT(path_notify, selinux_path_notify),
7151 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7153 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7154 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7155 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7156 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7157 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7158 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7159 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7160 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7161 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7162 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7163 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7165 LSM_HOOK_INIT(file_open, selinux_file_open),
7167 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7168 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7169 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7170 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7171 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7172 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7173 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7174 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7175 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7176 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7177 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7178 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7179 LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7180 LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7181 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7182 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7183 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7184 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7185 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7186 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7187 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7188 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7189 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7190 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7192 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7193 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7195 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7196 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7197 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7198 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7200 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7201 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7202 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7204 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7205 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7206 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7208 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7210 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7211 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7213 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7214 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7215 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7216 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7217 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7218 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7220 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7221 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7223 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7224 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7225 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7226 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7227 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7228 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7229 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7230 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7231 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7232 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7233 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7234 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7235 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7236 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7237 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7238 LSM_HOOK_INIT(socket_getpeersec_stream,
7239 selinux_socket_getpeersec_stream),
7240 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7241 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7242 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7243 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7244 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7245 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7246 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7247 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7248 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7249 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7250 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7251 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7252 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7253 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7254 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7255 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7256 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7257 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7258 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7259 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7260 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7261 #ifdef CONFIG_SECURITY_INFINIBAND
7262 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7263 LSM_HOOK_INIT(ib_endport_manage_subnet,
7264 selinux_ib_endport_manage_subnet),
7265 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7267 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7268 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7269 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7270 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7271 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7272 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7273 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7274 selinux_xfrm_state_pol_flow_match),
7275 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7279 LSM_HOOK_INIT(key_free, selinux_key_free),
7280 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7281 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7282 #ifdef CONFIG_KEY_NOTIFICATIONS
7283 LSM_HOOK_INIT(watch_key, selinux_watch_key),
7288 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7289 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7290 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7293 #ifdef CONFIG_BPF_SYSCALL
7294 LSM_HOOK_INIT(bpf, selinux_bpf),
7295 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7296 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7297 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7298 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7301 #ifdef CONFIG_PERF_EVENTS
7302 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7303 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7304 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7305 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7308 #ifdef CONFIG_IO_URING
7309 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7310 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7314 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7316 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7317 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7318 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7319 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7320 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7324 * PUT "ALLOCATING" HOOKS HERE
7326 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7327 LSM_HOOK_INIT(msg_queue_alloc_security,
7328 selinux_msg_queue_alloc_security),
7329 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7330 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7331 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7332 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7333 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7334 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7335 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7336 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7337 #ifdef CONFIG_SECURITY_INFINIBAND
7338 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7340 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7341 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7342 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7343 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7344 selinux_xfrm_state_alloc_acquire),
7347 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7350 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7352 #ifdef CONFIG_BPF_SYSCALL
7353 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7354 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7356 #ifdef CONFIG_PERF_EVENTS
7357 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7361 static __init int selinux_init(void)
7363 pr_info("SELinux: Initializing.\n");
7365 memset(&selinux_state, 0, sizeof(selinux_state));
7366 enforcing_set(&selinux_state, selinux_enforcing_boot);
7367 checkreqprot_set(&selinux_state, selinux_checkreqprot_boot);
7368 selinux_avc_init(&selinux_state.avc);
7369 mutex_init(&selinux_state.status_lock);
7370 mutex_init(&selinux_state.policy_mutex);
7372 /* Set the security state for the initial task. */
7373 cred_init_security();
7375 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7381 ebitmap_cache_init();
7383 hashtab_cache_init();
7385 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7387 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7388 panic("SELinux: Unable to register AVC netcache callback\n");
7390 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7391 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7393 if (selinux_enforcing_boot)
7394 pr_debug("SELinux: Starting in enforcing mode\n");
7396 pr_debug("SELinux: Starting in permissive mode\n");
7398 fs_validate_description("selinux", selinux_fs_parameters);
7403 static void delayed_superblock_init(struct super_block *sb, void *unused)
7405 selinux_set_mnt_opts(sb, NULL, 0, NULL);
7408 void selinux_complete_init(void)
7410 pr_debug("SELinux: Completing initialization.\n");
7412 /* Set up any superblocks initialized prior to the policy load. */
7413 pr_debug("SELinux: Setting up existing superblocks.\n");
7414 iterate_supers(delayed_superblock_init, NULL);
7417 /* SELinux requires early initialization in order to label
7418 all processes and objects when they are created. */
7419 DEFINE_LSM(selinux) = {
7421 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7422 .enabled = &selinux_enabled_boot,
7423 .blobs = &selinux_blob_sizes,
7424 .init = selinux_init,
7427 #if defined(CONFIG_NETFILTER)
7429 static const struct nf_hook_ops selinux_nf_ops[] = {
7431 .hook = selinux_ip_postroute,
7433 .hooknum = NF_INET_POST_ROUTING,
7434 .priority = NF_IP_PRI_SELINUX_LAST,
7437 .hook = selinux_ip_forward,
7439 .hooknum = NF_INET_FORWARD,
7440 .priority = NF_IP_PRI_SELINUX_FIRST,
7443 .hook = selinux_ip_output,
7445 .hooknum = NF_INET_LOCAL_OUT,
7446 .priority = NF_IP_PRI_SELINUX_FIRST,
7448 #if IS_ENABLED(CONFIG_IPV6)
7450 .hook = selinux_ip_postroute,
7452 .hooknum = NF_INET_POST_ROUTING,
7453 .priority = NF_IP6_PRI_SELINUX_LAST,
7456 .hook = selinux_ip_forward,
7458 .hooknum = NF_INET_FORWARD,
7459 .priority = NF_IP6_PRI_SELINUX_FIRST,
7462 .hook = selinux_ip_output,
7464 .hooknum = NF_INET_LOCAL_OUT,
7465 .priority = NF_IP6_PRI_SELINUX_FIRST,
7470 static int __net_init selinux_nf_register(struct net *net)
7472 return nf_register_net_hooks(net, selinux_nf_ops,
7473 ARRAY_SIZE(selinux_nf_ops));
7476 static void __net_exit selinux_nf_unregister(struct net *net)
7478 nf_unregister_net_hooks(net, selinux_nf_ops,
7479 ARRAY_SIZE(selinux_nf_ops));
7482 static struct pernet_operations selinux_net_ops = {
7483 .init = selinux_nf_register,
7484 .exit = selinux_nf_unregister,
7487 static int __init selinux_nf_ip_init(void)
7491 if (!selinux_enabled_boot)
7494 pr_debug("SELinux: Registering netfilter hooks\n");
7496 err = register_pernet_subsys(&selinux_net_ops);
7498 panic("SELinux: register_pernet_subsys: error %d\n", err);
7502 __initcall(selinux_nf_ip_init);
7504 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7505 static void selinux_nf_ip_exit(void)
7507 pr_debug("SELinux: Unregistering netfilter hooks\n");
7509 unregister_pernet_subsys(&selinux_net_ops);
7513 #else /* CONFIG_NETFILTER */
7515 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7516 #define selinux_nf_ip_exit()
7519 #endif /* CONFIG_NETFILTER */
7521 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7522 int selinux_disable(struct selinux_state *state)
7524 if (selinux_initialized(state)) {
7525 /* Not permitted after initial policy load. */
7529 if (selinux_disabled(state)) {
7530 /* Only do this once. */
7534 selinux_mark_disabled(state);
7536 pr_info("SELinux: Disabled at runtime.\n");
7539 * Unregister netfilter hooks.
7540 * Must be done before security_delete_hooks() to avoid breaking
7543 selinux_nf_ip_exit();
7545 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7547 /* Try to destroy the avc node cache */
7550 /* Unregister selinuxfs. */