2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
103 struct selinux_state selinux_state;
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
111 static int __init enforcing_setup(char *str)
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
118 __setup("enforcing=", enforcing_setup);
120 #define selinux_enforcing_boot 1
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
126 static int __init selinux_enabled_setup(char *str)
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
133 __setup("selinux=", selinux_enabled_setup);
135 int selinux_enabled = 1;
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 static int __init checkreqprot_setup(char *str)
143 unsigned long checkreqprot;
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
149 __setup("checkreqprot=", checkreqprot_setup);
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
165 static int selinux_secmark_enabled(void)
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
181 static int selinux_peerlbl_enabled(void)
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
187 static int selinux_netcache_avc_callback(u32 event)
189 if (event == AVC_CALLBACK_RESET) {
198 static int selinux_lsm_notifier_avc_callback(u32 event)
200 if (event == AVC_CALLBACK_RESET) {
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
209 * initialise the security for the init task
211 static void cred_init_security(void)
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
218 panic("SELinux: Failed to initialize initial task.\n");
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
225 * get the security ID of a set of credentials
227 static inline u32 cred_sid(const struct cred *cred)
229 const struct task_security_struct *tsec;
231 tsec = cred->security;
236 * get the objective security ID of a task
238 static inline u32 task_sid(const struct task_struct *task)
243 sid = cred_sid(__task_cred(task));
248 /* Allocate and free functions for each kind of security blob. */
250 static int inode_alloc_security(struct inode *inode)
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @dentry parameter should be set to a dentry of the inode.
279 static int __inode_security_revalidate(struct inode *inode,
280 struct dentry *dentry,
283 struct inode_security_struct *isec = inode->i_security;
285 might_sleep_if(may_sleep);
287 if (selinux_state.initialized &&
288 isec->initialized != LABEL_INITIALIZED) {
293 * Try reloading the inode security label. This will fail if
294 * @opt_dentry is NULL and no dentry for this inode can be
295 * found; in that case, continue using the old label.
297 inode_doinit_with_dentry(inode, dentry);
302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304 return inode->i_security;
307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
311 error = __inode_security_revalidate(inode, NULL, !rcu);
313 return ERR_PTR(error);
314 return inode->i_security;
318 * Get the security label of an inode.
320 static struct inode_security_struct *inode_security(struct inode *inode)
322 __inode_security_revalidate(inode, NULL, true);
323 return inode->i_security;
326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328 struct inode *inode = d_backing_inode(dentry);
330 return inode->i_security;
334 * Get the security label of a dentry's backing inode.
336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338 struct inode *inode = d_backing_inode(dentry);
340 __inode_security_revalidate(inode, dentry, true);
341 return inode->i_security;
344 static void inode_free_rcu(struct rcu_head *head)
346 struct inode_security_struct *isec;
348 isec = container_of(head, struct inode_security_struct, rcu);
349 kmem_cache_free(sel_inode_cache, isec);
352 static void inode_free_security(struct inode *inode)
354 struct inode_security_struct *isec = inode->i_security;
355 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
358 * As not all inode security structures are in a list, we check for
359 * empty list outside of the lock to make sure that we won't waste
360 * time taking a lock doing nothing.
362 * The list_del_init() function can be safely called more than once.
363 * It should not be possible for this function to be called with
364 * concurrent list_add(), but for better safety against future changes
365 * in the code, we use list_empty_careful() here.
367 if (!list_empty_careful(&isec->list)) {
368 spin_lock(&sbsec->isec_lock);
369 list_del_init(&isec->list);
370 spin_unlock(&sbsec->isec_lock);
374 * The inode may still be referenced in a path walk and
375 * a call to selinux_inode_permission() can be made
376 * after inode_free_security() is called. Ideally, the VFS
377 * wouldn't do this, but fixing that is a much harder
378 * job. For now, simply free the i_security via RCU, and
379 * leave the current inode->i_security pointer intact.
380 * The inode will be freed after the RCU grace period too.
382 call_rcu(&isec->rcu, inode_free_rcu);
385 static int file_alloc_security(struct file *file)
387 struct file_security_struct *fsec;
388 u32 sid = current_sid();
390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
395 fsec->fown_sid = sid;
396 file->f_security = fsec;
401 static void file_free_security(struct file *file)
403 struct file_security_struct *fsec = file->f_security;
404 file->f_security = NULL;
405 kmem_cache_free(file_security_cache, fsec);
408 static int superblock_alloc_security(struct super_block *sb)
410 struct superblock_security_struct *sbsec;
412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
416 mutex_init(&sbsec->lock);
417 INIT_LIST_HEAD(&sbsec->isec_head);
418 spin_lock_init(&sbsec->isec_lock);
420 sbsec->sid = SECINITSID_UNLABELED;
421 sbsec->def_sid = SECINITSID_FILE;
422 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423 sb->s_security = sbsec;
428 static void superblock_free_security(struct super_block *sb)
430 struct superblock_security_struct *sbsec = sb->s_security;
431 sb->s_security = NULL;
435 static inline int inode_doinit(struct inode *inode)
437 return inode_doinit_with_dentry(inode, NULL);
446 Opt_labelsupport = 5,
450 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
452 static const match_table_t tokens = {
453 {Opt_context, CONTEXT_STR "%s"},
454 {Opt_fscontext, FSCONTEXT_STR "%s"},
455 {Opt_defcontext, DEFCONTEXT_STR "%s"},
456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457 {Opt_labelsupport, LABELSUPP_STR},
461 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
463 static int may_context_mount_sb_relabel(u32 sid,
464 struct superblock_security_struct *sbsec,
465 const struct cred *cred)
467 const struct task_security_struct *tsec = cred->security;
470 rc = avc_has_perm(&selinux_state,
471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 FILESYSTEM__RELABELFROM, NULL);
476 rc = avc_has_perm(&selinux_state,
477 tsec->sid, sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__RELABELTO, NULL);
482 static int may_context_mount_inode_relabel(u32 sid,
483 struct superblock_security_struct *sbsec,
484 const struct cred *cred)
486 const struct task_security_struct *tsec = cred->security;
488 rc = avc_has_perm(&selinux_state,
489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 FILESYSTEM__RELABELFROM, NULL);
494 rc = avc_has_perm(&selinux_state,
495 sid, sbsec->sid, SECCLASS_FILESYSTEM,
496 FILESYSTEM__ASSOCIATE, NULL);
500 static int selinux_is_genfs_special_handling(struct super_block *sb)
502 /* Special handling. Genfs but also in-core setxattr handler */
503 return !strcmp(sb->s_type->name, "sysfs") ||
504 !strcmp(sb->s_type->name, "pstore") ||
505 !strcmp(sb->s_type->name, "debugfs") ||
506 !strcmp(sb->s_type->name, "tracefs") ||
507 !strcmp(sb->s_type->name, "rootfs") ||
508 (selinux_policycap_cgroupseclabel() &&
509 (!strcmp(sb->s_type->name, "cgroup") ||
510 !strcmp(sb->s_type->name, "cgroup2")));
513 static int selinux_is_sblabel_mnt(struct super_block *sb)
515 struct superblock_security_struct *sbsec = sb->s_security;
518 * IMPORTANT: Double-check logic in this function when adding a new
519 * SECURITY_FS_USE_* definition!
521 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
523 switch (sbsec->behavior) {
524 case SECURITY_FS_USE_XATTR:
525 case SECURITY_FS_USE_TRANS:
526 case SECURITY_FS_USE_TASK:
527 case SECURITY_FS_USE_NATIVE:
530 case SECURITY_FS_USE_GENFS:
531 return selinux_is_genfs_special_handling(sb);
533 /* Never allow relabeling on context mounts */
534 case SECURITY_FS_USE_MNTPOINT:
535 case SECURITY_FS_USE_NONE:
541 static int sb_finish_set_opts(struct super_block *sb)
543 struct superblock_security_struct *sbsec = sb->s_security;
544 struct dentry *root = sb->s_root;
545 struct inode *root_inode = d_backing_inode(root);
548 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
549 /* Make sure that the xattr handler exists and that no
550 error other than -ENODATA is returned by getxattr on
551 the root directory. -ENODATA is ok, as this may be
552 the first boot of the SELinux kernel before we have
553 assigned xattr values to the filesystem. */
554 if (!(root_inode->i_opflags & IOP_XATTR)) {
555 pr_warn("SELinux: (dev %s, type %s) has no "
556 "xattr support\n", sb->s_id, sb->s_type->name);
561 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
562 if (rc < 0 && rc != -ENODATA) {
563 if (rc == -EOPNOTSUPP)
564 pr_warn("SELinux: (dev %s, type "
565 "%s) has no security xattr handler\n",
566 sb->s_id, sb->s_type->name);
568 pr_warn("SELinux: (dev %s, type "
569 "%s) getxattr errno %d\n", sb->s_id,
570 sb->s_type->name, -rc);
575 sbsec->flags |= SE_SBINITIALIZED;
578 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
579 * leave the flag untouched because sb_clone_mnt_opts might be handing
580 * us a superblock that needs the flag to be cleared.
582 if (selinux_is_sblabel_mnt(sb))
583 sbsec->flags |= SBLABEL_MNT;
585 sbsec->flags &= ~SBLABEL_MNT;
587 /* Initialize the root inode. */
588 rc = inode_doinit_with_dentry(root_inode, root);
590 /* Initialize any other inodes associated with the superblock, e.g.
591 inodes created prior to initial policy load or inodes created
592 during get_sb by a pseudo filesystem that directly
594 spin_lock(&sbsec->isec_lock);
596 if (!list_empty(&sbsec->isec_head)) {
597 struct inode_security_struct *isec =
598 list_entry(sbsec->isec_head.next,
599 struct inode_security_struct, list);
600 struct inode *inode = isec->inode;
601 list_del_init(&isec->list);
602 spin_unlock(&sbsec->isec_lock);
603 inode = igrab(inode);
605 if (!IS_PRIVATE(inode))
609 spin_lock(&sbsec->isec_lock);
612 spin_unlock(&sbsec->isec_lock);
618 * This function should allow an FS to ask what it's mount security
619 * options were so it can use those later for submounts, displaying
620 * mount options, or whatever.
622 static int selinux_get_mnt_opts(const struct super_block *sb,
623 struct security_mnt_opts *opts)
626 struct superblock_security_struct *sbsec = sb->s_security;
627 char *context = NULL;
631 security_init_mnt_opts(opts);
633 if (!(sbsec->flags & SE_SBINITIALIZED))
636 if (!selinux_state.initialized)
639 /* make sure we always check enough bits to cover the mask */
640 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
642 tmp = sbsec->flags & SE_MNTMASK;
643 /* count the number of mount options for this sb */
644 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
646 opts->num_mnt_opts++;
649 /* Check if the Label support flag is set */
650 if (sbsec->flags & SBLABEL_MNT)
651 opts->num_mnt_opts++;
653 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
654 if (!opts->mnt_opts) {
659 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
660 if (!opts->mnt_opts_flags) {
666 if (sbsec->flags & FSCONTEXT_MNT) {
667 rc = security_sid_to_context(&selinux_state, sbsec->sid,
671 opts->mnt_opts[i] = context;
672 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
674 if (sbsec->flags & CONTEXT_MNT) {
675 rc = security_sid_to_context(&selinux_state,
680 opts->mnt_opts[i] = context;
681 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
683 if (sbsec->flags & DEFCONTEXT_MNT) {
684 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
688 opts->mnt_opts[i] = context;
689 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
691 if (sbsec->flags & ROOTCONTEXT_MNT) {
692 struct dentry *root = sbsec->sb->s_root;
693 struct inode_security_struct *isec = backing_inode_security(root);
695 rc = security_sid_to_context(&selinux_state, isec->sid,
699 opts->mnt_opts[i] = context;
700 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
702 if (sbsec->flags & SBLABEL_MNT) {
703 opts->mnt_opts[i] = NULL;
704 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
707 BUG_ON(i != opts->num_mnt_opts);
712 security_free_mnt_opts(opts);
716 static int bad_option(struct superblock_security_struct *sbsec, char flag,
717 u32 old_sid, u32 new_sid)
719 char mnt_flags = sbsec->flags & SE_MNTMASK;
721 /* check if the old mount command had the same options */
722 if (sbsec->flags & SE_SBINITIALIZED)
723 if (!(sbsec->flags & flag) ||
724 (old_sid != new_sid))
727 /* check if we were passed the same options twice,
728 * aka someone passed context=a,context=b
730 if (!(sbsec->flags & SE_SBINITIALIZED))
731 if (mnt_flags & flag)
737 * Allow filesystems with binary mount data to explicitly set mount point
738 * labeling information.
740 static int selinux_set_mnt_opts(struct super_block *sb,
741 struct security_mnt_opts *opts,
742 unsigned long kern_flags,
743 unsigned long *set_kern_flags)
745 const struct cred *cred = current_cred();
747 struct superblock_security_struct *sbsec = sb->s_security;
748 const char *name = sb->s_type->name;
749 struct dentry *root = sbsec->sb->s_root;
750 struct inode_security_struct *root_isec;
751 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
752 u32 defcontext_sid = 0;
753 char **mount_options = opts->mnt_opts;
754 int *flags = opts->mnt_opts_flags;
755 int num_opts = opts->num_mnt_opts;
757 mutex_lock(&sbsec->lock);
759 if (!selinux_state.initialized) {
761 /* Defer initialization until selinux_complete_init,
762 after the initial policy is loaded and the security
763 server is ready to handle calls. */
767 pr_warn("SELinux: Unable to set superblock options "
768 "before the security server is initialized\n");
771 if (kern_flags && !set_kern_flags) {
772 /* Specifying internal flags without providing a place to
773 * place the results is not allowed */
779 * Binary mount data FS will come through this function twice. Once
780 * from an explicit call and once from the generic calls from the vfs.
781 * Since the generic VFS calls will not contain any security mount data
782 * we need to skip the double mount verification.
784 * This does open a hole in which we will not notice if the first
785 * mount using this sb set explict options and a second mount using
786 * this sb does not set any security options. (The first options
787 * will be used for both mounts)
789 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
793 root_isec = backing_inode_security_novalidate(root);
796 * parse the mount options, check if they are valid sids.
797 * also check if someone is trying to mount the same sb more
798 * than once with different security options.
800 for (i = 0; i < num_opts; i++) {
803 if (flags[i] == SBLABEL_MNT)
805 rc = security_context_str_to_sid(&selinux_state,
806 mount_options[i], &sid,
809 pr_warn("SELinux: security_context_str_to_sid"
810 "(%s) failed for (dev %s, type %s) errno=%d\n",
811 mount_options[i], sb->s_id, name, rc);
818 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
820 goto out_double_mount;
822 sbsec->flags |= FSCONTEXT_MNT;
827 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
829 goto out_double_mount;
831 sbsec->flags |= CONTEXT_MNT;
833 case ROOTCONTEXT_MNT:
834 rootcontext_sid = sid;
836 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
838 goto out_double_mount;
840 sbsec->flags |= ROOTCONTEXT_MNT;
844 defcontext_sid = sid;
846 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
848 goto out_double_mount;
850 sbsec->flags |= DEFCONTEXT_MNT;
859 if (sbsec->flags & SE_SBINITIALIZED) {
860 /* previously mounted with options, but not on this attempt? */
861 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
862 goto out_double_mount;
867 if (strcmp(sb->s_type->name, "proc") == 0)
868 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
870 if (!strcmp(sb->s_type->name, "debugfs") ||
871 !strcmp(sb->s_type->name, "tracefs") ||
872 !strcmp(sb->s_type->name, "sysfs") ||
873 !strcmp(sb->s_type->name, "pstore") ||
874 !strcmp(sb->s_type->name, "cgroup") ||
875 !strcmp(sb->s_type->name, "cgroup2"))
876 sbsec->flags |= SE_SBGENFS;
878 if (!sbsec->behavior) {
880 * Determine the labeling behavior to use for this
883 rc = security_fs_use(&selinux_state, sb);
885 pr_warn("%s: security_fs_use(%s) returned %d\n",
886 __func__, sb->s_type->name, rc);
892 * If this is a user namespace mount and the filesystem type is not
893 * explicitly whitelisted, then no contexts are allowed on the command
894 * line and security labels must be ignored.
896 if (sb->s_user_ns != &init_user_ns &&
897 strcmp(sb->s_type->name, "tmpfs") &&
898 strcmp(sb->s_type->name, "ramfs") &&
899 strcmp(sb->s_type->name, "devpts")) {
900 if (context_sid || fscontext_sid || rootcontext_sid ||
905 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
906 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
907 rc = security_transition_sid(&selinux_state,
911 &sbsec->mntpoint_sid);
918 /* sets the context of the superblock for the fs being mounted. */
920 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
924 sbsec->sid = fscontext_sid;
928 * Switch to using mount point labeling behavior.
929 * sets the label used on all file below the mountpoint, and will set
930 * the superblock context if not already set.
932 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
933 sbsec->behavior = SECURITY_FS_USE_NATIVE;
934 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
938 if (!fscontext_sid) {
939 rc = may_context_mount_sb_relabel(context_sid, sbsec,
943 sbsec->sid = context_sid;
945 rc = may_context_mount_inode_relabel(context_sid, sbsec,
950 if (!rootcontext_sid)
951 rootcontext_sid = context_sid;
953 sbsec->mntpoint_sid = context_sid;
954 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
957 if (rootcontext_sid) {
958 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
963 root_isec->sid = rootcontext_sid;
964 root_isec->initialized = LABEL_INITIALIZED;
967 if (defcontext_sid) {
968 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
969 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
971 pr_warn("SELinux: defcontext option is "
972 "invalid for this filesystem type\n");
976 if (defcontext_sid != sbsec->def_sid) {
977 rc = may_context_mount_inode_relabel(defcontext_sid,
983 sbsec->def_sid = defcontext_sid;
987 rc = sb_finish_set_opts(sb);
989 mutex_unlock(&sbsec->lock);
993 pr_warn("SELinux: mount invalid. Same superblock, different "
994 "security settings for (dev %s, type %s)\n", sb->s_id, name);
998 static int selinux_cmp_sb_context(const struct super_block *oldsb,
999 const struct super_block *newsb)
1001 struct superblock_security_struct *old = oldsb->s_security;
1002 struct superblock_security_struct *new = newsb->s_security;
1003 char oldflags = old->flags & SE_MNTMASK;
1004 char newflags = new->flags & SE_MNTMASK;
1006 if (oldflags != newflags)
1008 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
1010 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
1012 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
1014 if (oldflags & ROOTCONTEXT_MNT) {
1015 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
1016 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
1017 if (oldroot->sid != newroot->sid)
1022 pr_warn("SELinux: mount invalid. Same superblock, "
1023 "different security settings for (dev %s, "
1024 "type %s)\n", newsb->s_id, newsb->s_type->name);
1028 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1029 struct super_block *newsb,
1030 unsigned long kern_flags,
1031 unsigned long *set_kern_flags)
1034 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1035 struct superblock_security_struct *newsbsec = newsb->s_security;
1037 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1038 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1039 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1042 * if the parent was able to be mounted it clearly had no special lsm
1043 * mount options. thus we can safely deal with this superblock later
1045 if (!selinux_state.initialized)
1049 * Specifying internal flags without providing a place to
1050 * place the results is not allowed.
1052 if (kern_flags && !set_kern_flags)
1055 /* how can we clone if the old one wasn't set up?? */
1056 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1058 /* if fs is reusing a sb, make sure that the contexts match */
1059 if (newsbsec->flags & SE_SBINITIALIZED) {
1060 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
1061 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1062 return selinux_cmp_sb_context(oldsb, newsb);
1065 mutex_lock(&newsbsec->lock);
1067 newsbsec->flags = oldsbsec->flags;
1069 newsbsec->sid = oldsbsec->sid;
1070 newsbsec->def_sid = oldsbsec->def_sid;
1071 newsbsec->behavior = oldsbsec->behavior;
1073 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1074 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1075 rc = security_fs_use(&selinux_state, newsb);
1080 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1081 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1082 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1086 u32 sid = oldsbsec->mntpoint_sid;
1089 newsbsec->sid = sid;
1090 if (!set_rootcontext) {
1091 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1094 newsbsec->mntpoint_sid = sid;
1096 if (set_rootcontext) {
1097 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1098 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1100 newisec->sid = oldisec->sid;
1103 sb_finish_set_opts(newsb);
1105 mutex_unlock(&newsbsec->lock);
1109 static int selinux_parse_opts_str(char *options,
1110 struct security_mnt_opts *opts)
1113 char *context = NULL, *defcontext = NULL;
1114 char *fscontext = NULL, *rootcontext = NULL;
1115 int rc, num_mnt_opts = 0;
1117 opts->num_mnt_opts = 0;
1119 /* Standard string-based options. */
1120 while ((p = strsep(&options, "|")) != NULL) {
1122 substring_t args[MAX_OPT_ARGS];
1127 token = match_token(p, tokens, args);
1131 if (context || defcontext) {
1133 pr_warn(SEL_MOUNT_FAIL_MSG);
1136 context = match_strdup(&args[0]);
1146 pr_warn(SEL_MOUNT_FAIL_MSG);
1149 fscontext = match_strdup(&args[0]);
1156 case Opt_rootcontext:
1159 pr_warn(SEL_MOUNT_FAIL_MSG);
1162 rootcontext = match_strdup(&args[0]);
1169 case Opt_defcontext:
1170 if (context || defcontext) {
1172 pr_warn(SEL_MOUNT_FAIL_MSG);
1175 defcontext = match_strdup(&args[0]);
1181 case Opt_labelsupport:
1185 pr_warn("SELinux: unknown mount option\n");
1192 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1193 if (!opts->mnt_opts)
1196 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1198 if (!opts->mnt_opts_flags)
1202 opts->mnt_opts[num_mnt_opts] = fscontext;
1203 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1206 opts->mnt_opts[num_mnt_opts] = context;
1207 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1210 opts->mnt_opts[num_mnt_opts] = rootcontext;
1211 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1214 opts->mnt_opts[num_mnt_opts] = defcontext;
1215 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1218 opts->num_mnt_opts = num_mnt_opts;
1222 security_free_mnt_opts(opts);
1230 * string mount options parsing and call set the sbsec
1232 static int superblock_doinit(struct super_block *sb, void *data)
1235 char *options = data;
1236 struct security_mnt_opts opts;
1238 security_init_mnt_opts(&opts);
1243 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1245 rc = selinux_parse_opts_str(options, &opts);
1250 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1253 security_free_mnt_opts(&opts);
1257 static void selinux_write_opts(struct seq_file *m,
1258 struct security_mnt_opts *opts)
1263 for (i = 0; i < opts->num_mnt_opts; i++) {
1266 if (opts->mnt_opts[i])
1267 has_comma = strchr(opts->mnt_opts[i], ',');
1271 switch (opts->mnt_opts_flags[i]) {
1273 prefix = CONTEXT_STR;
1276 prefix = FSCONTEXT_STR;
1278 case ROOTCONTEXT_MNT:
1279 prefix = ROOTCONTEXT_STR;
1281 case DEFCONTEXT_MNT:
1282 prefix = DEFCONTEXT_STR;
1286 seq_puts(m, LABELSUPP_STR);
1292 /* we need a comma before each option */
1294 seq_puts(m, prefix);
1297 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1303 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1305 struct security_mnt_opts opts;
1308 rc = selinux_get_mnt_opts(sb, &opts);
1310 /* before policy load we may get EINVAL, don't show anything */
1316 selinux_write_opts(m, &opts);
1318 security_free_mnt_opts(&opts);
1323 static inline u16 inode_mode_to_security_class(umode_t mode)
1325 switch (mode & S_IFMT) {
1327 return SECCLASS_SOCK_FILE;
1329 return SECCLASS_LNK_FILE;
1331 return SECCLASS_FILE;
1333 return SECCLASS_BLK_FILE;
1335 return SECCLASS_DIR;
1337 return SECCLASS_CHR_FILE;
1339 return SECCLASS_FIFO_FILE;
1343 return SECCLASS_FILE;
1346 static inline int default_protocol_stream(int protocol)
1348 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1351 static inline int default_protocol_dgram(int protocol)
1353 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1356 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1358 int extsockclass = selinux_policycap_extsockclass();
1364 case SOCK_SEQPACKET:
1365 return SECCLASS_UNIX_STREAM_SOCKET;
1368 return SECCLASS_UNIX_DGRAM_SOCKET;
1375 case SOCK_SEQPACKET:
1376 if (default_protocol_stream(protocol))
1377 return SECCLASS_TCP_SOCKET;
1378 else if (extsockclass && protocol == IPPROTO_SCTP)
1379 return SECCLASS_SCTP_SOCKET;
1381 return SECCLASS_RAWIP_SOCKET;
1383 if (default_protocol_dgram(protocol))
1384 return SECCLASS_UDP_SOCKET;
1385 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1386 protocol == IPPROTO_ICMPV6))
1387 return SECCLASS_ICMP_SOCKET;
1389 return SECCLASS_RAWIP_SOCKET;
1391 return SECCLASS_DCCP_SOCKET;
1393 return SECCLASS_RAWIP_SOCKET;
1399 return SECCLASS_NETLINK_ROUTE_SOCKET;
1400 case NETLINK_SOCK_DIAG:
1401 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1403 return SECCLASS_NETLINK_NFLOG_SOCKET;
1405 return SECCLASS_NETLINK_XFRM_SOCKET;
1406 case NETLINK_SELINUX:
1407 return SECCLASS_NETLINK_SELINUX_SOCKET;
1409 return SECCLASS_NETLINK_ISCSI_SOCKET;
1411 return SECCLASS_NETLINK_AUDIT_SOCKET;
1412 case NETLINK_FIB_LOOKUP:
1413 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1414 case NETLINK_CONNECTOR:
1415 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1416 case NETLINK_NETFILTER:
1417 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1418 case NETLINK_DNRTMSG:
1419 return SECCLASS_NETLINK_DNRT_SOCKET;
1420 case NETLINK_KOBJECT_UEVENT:
1421 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1422 case NETLINK_GENERIC:
1423 return SECCLASS_NETLINK_GENERIC_SOCKET;
1424 case NETLINK_SCSITRANSPORT:
1425 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1427 return SECCLASS_NETLINK_RDMA_SOCKET;
1428 case NETLINK_CRYPTO:
1429 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1431 return SECCLASS_NETLINK_SOCKET;
1434 return SECCLASS_PACKET_SOCKET;
1436 return SECCLASS_KEY_SOCKET;
1438 return SECCLASS_APPLETALK_SOCKET;
1444 return SECCLASS_AX25_SOCKET;
1446 return SECCLASS_IPX_SOCKET;
1448 return SECCLASS_NETROM_SOCKET;
1450 return SECCLASS_ATMPVC_SOCKET;
1452 return SECCLASS_X25_SOCKET;
1454 return SECCLASS_ROSE_SOCKET;
1456 return SECCLASS_DECNET_SOCKET;
1458 return SECCLASS_ATMSVC_SOCKET;
1460 return SECCLASS_RDS_SOCKET;
1462 return SECCLASS_IRDA_SOCKET;
1464 return SECCLASS_PPPOX_SOCKET;
1466 return SECCLASS_LLC_SOCKET;
1468 return SECCLASS_CAN_SOCKET;
1470 return SECCLASS_TIPC_SOCKET;
1472 return SECCLASS_BLUETOOTH_SOCKET;
1474 return SECCLASS_IUCV_SOCKET;
1476 return SECCLASS_RXRPC_SOCKET;
1478 return SECCLASS_ISDN_SOCKET;
1480 return SECCLASS_PHONET_SOCKET;
1482 return SECCLASS_IEEE802154_SOCKET;
1484 return SECCLASS_CAIF_SOCKET;
1486 return SECCLASS_ALG_SOCKET;
1488 return SECCLASS_NFC_SOCKET;
1490 return SECCLASS_VSOCK_SOCKET;
1492 return SECCLASS_KCM_SOCKET;
1494 return SECCLASS_QIPCRTR_SOCKET;
1496 return SECCLASS_SMC_SOCKET;
1498 return SECCLASS_XDP_SOCKET;
1500 #error New address family defined, please update this function.
1505 return SECCLASS_SOCKET;
1508 static int selinux_genfs_get_sid(struct dentry *dentry,
1514 struct super_block *sb = dentry->d_sb;
1515 char *buffer, *path;
1517 buffer = (char *)__get_free_page(GFP_KERNEL);
1521 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1525 if (flags & SE_SBPROC) {
1526 /* each process gets a /proc/PID/ entry. Strip off the
1527 * PID part to get a valid selinux labeling.
1528 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1529 while (path[1] >= '0' && path[1] <= '9') {
1534 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1536 if (rc == -ENOENT) {
1537 /* No match in policy, mark as unlabeled. */
1538 *sid = SECINITSID_UNLABELED;
1542 free_page((unsigned long)buffer);
1546 /* The inode's security attributes must be initialized before first use. */
1547 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1549 struct superblock_security_struct *sbsec = NULL;
1550 struct inode_security_struct *isec = inode->i_security;
1551 u32 task_sid, sid = 0;
1553 struct dentry *dentry;
1554 #define INITCONTEXTLEN 255
1555 char *context = NULL;
1559 if (isec->initialized == LABEL_INITIALIZED)
1562 spin_lock(&isec->lock);
1563 if (isec->initialized == LABEL_INITIALIZED)
1566 if (isec->sclass == SECCLASS_FILE)
1567 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1569 sbsec = inode->i_sb->s_security;
1570 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1571 /* Defer initialization until selinux_complete_init,
1572 after the initial policy is loaded and the security
1573 server is ready to handle calls. */
1574 spin_lock(&sbsec->isec_lock);
1575 if (list_empty(&isec->list))
1576 list_add(&isec->list, &sbsec->isec_head);
1577 spin_unlock(&sbsec->isec_lock);
1581 sclass = isec->sclass;
1582 task_sid = isec->task_sid;
1584 isec->initialized = LABEL_PENDING;
1585 spin_unlock(&isec->lock);
1587 switch (sbsec->behavior) {
1588 case SECURITY_FS_USE_NATIVE:
1590 case SECURITY_FS_USE_XATTR:
1591 if (!(inode->i_opflags & IOP_XATTR)) {
1592 sid = sbsec->def_sid;
1595 /* Need a dentry, since the xattr API requires one.
1596 Life would be simpler if we could just pass the inode. */
1598 /* Called from d_instantiate or d_splice_alias. */
1599 dentry = dget(opt_dentry);
1602 * Called from selinux_complete_init, try to find a dentry.
1603 * Some filesystems really want a connected one, so try
1604 * that first. We could split SECURITY_FS_USE_XATTR in
1605 * two, depending upon that...
1607 dentry = d_find_alias(inode);
1609 dentry = d_find_any_alias(inode);
1613 * this is can be hit on boot when a file is accessed
1614 * before the policy is loaded. When we load policy we
1615 * may find inodes that have no dentry on the
1616 * sbsec->isec_head list. No reason to complain as these
1617 * will get fixed up the next time we go through
1618 * inode_doinit with a dentry, before these inodes could
1619 * be used again by userspace.
1624 len = INITCONTEXTLEN;
1625 context = kmalloc(len+1, GFP_NOFS);
1631 context[len] = '\0';
1632 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1633 if (rc == -ERANGE) {
1636 /* Need a larger buffer. Query for the right size. */
1637 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1643 context = kmalloc(len+1, GFP_NOFS);
1649 context[len] = '\0';
1650 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1654 if (rc != -ENODATA) {
1655 pr_warn("SELinux: %s: getxattr returned "
1656 "%d for dev=%s ino=%ld\n", __func__,
1657 -rc, inode->i_sb->s_id, inode->i_ino);
1661 /* Map ENODATA to the default file SID */
1662 sid = sbsec->def_sid;
1665 rc = security_context_to_sid_default(&selinux_state,
1670 char *dev = inode->i_sb->s_id;
1671 unsigned long ino = inode->i_ino;
1673 if (rc == -EINVAL) {
1674 if (printk_ratelimit())
1675 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1676 "context=%s. This indicates you may need to relabel the inode or the "
1677 "filesystem in question.\n", ino, dev, context);
1679 pr_warn("SELinux: %s: context_to_sid(%s) "
1680 "returned %d for dev=%s ino=%ld\n",
1681 __func__, context, -rc, dev, ino);
1684 /* Leave with the unlabeled SID */
1691 case SECURITY_FS_USE_TASK:
1694 case SECURITY_FS_USE_TRANS:
1695 /* Default to the fs SID. */
1698 /* Try to obtain a transition SID. */
1699 rc = security_transition_sid(&selinux_state, task_sid, sid,
1700 sclass, NULL, &sid);
1704 case SECURITY_FS_USE_MNTPOINT:
1705 sid = sbsec->mntpoint_sid;
1708 /* Default to the fs superblock SID. */
1711 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1712 /* We must have a dentry to determine the label on
1715 /* Called from d_instantiate or
1716 * d_splice_alias. */
1717 dentry = dget(opt_dentry);
1719 /* Called from selinux_complete_init, try to
1720 * find a dentry. Some filesystems really want
1721 * a connected one, so try that first.
1723 dentry = d_find_alias(inode);
1725 dentry = d_find_any_alias(inode);
1728 * This can be hit on boot when a file is accessed
1729 * before the policy is loaded. When we load policy we
1730 * may find inodes that have no dentry on the
1731 * sbsec->isec_head list. No reason to complain as
1732 * these will get fixed up the next time we go through
1733 * inode_doinit() with a dentry, before these inodes
1734 * could be used again by userspace.
1738 rc = selinux_genfs_get_sid(dentry, sclass,
1739 sbsec->flags, &sid);
1748 spin_lock(&isec->lock);
1749 if (isec->initialized == LABEL_PENDING) {
1751 isec->initialized = LABEL_INVALID;
1754 isec->initialized = LABEL_INITIALIZED;
1759 spin_unlock(&isec->lock);
1763 spin_lock(&isec->lock);
1764 if (isec->initialized == LABEL_PENDING) {
1765 isec->initialized = LABEL_INVALID;
1768 spin_unlock(&isec->lock);
1772 /* Convert a Linux signal to an access vector. */
1773 static inline u32 signal_to_av(int sig)
1779 /* Commonly granted from child to parent. */
1780 perm = PROCESS__SIGCHLD;
1783 /* Cannot be caught or ignored */
1784 perm = PROCESS__SIGKILL;
1787 /* Cannot be caught or ignored */
1788 perm = PROCESS__SIGSTOP;
1791 /* All other signals. */
1792 perm = PROCESS__SIGNAL;
1799 #if CAP_LAST_CAP > 63
1800 #error Fix SELinux to handle capabilities > 63.
1803 /* Check whether a task is allowed to use a capability. */
1804 static int cred_has_capability(const struct cred *cred,
1805 int cap, unsigned int opts, bool initns)
1807 struct common_audit_data ad;
1808 struct av_decision avd;
1810 u32 sid = cred_sid(cred);
1811 u32 av = CAP_TO_MASK(cap);
1814 ad.type = LSM_AUDIT_DATA_CAP;
1817 switch (CAP_TO_INDEX(cap)) {
1819 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1822 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1825 pr_err("SELinux: out of range capability %d\n", cap);
1830 rc = avc_has_perm_noaudit(&selinux_state,
1831 sid, sid, sclass, av, 0, &avd);
1832 if (!(opts & CAP_OPT_NOAUDIT)) {
1833 int rc2 = avc_audit(&selinux_state,
1834 sid, sid, sclass, av, &avd, rc, &ad, 0);
1841 /* Check whether a task has a particular permission to an inode.
1842 The 'adp' parameter is optional and allows other audit
1843 data to be passed (e.g. the dentry). */
1844 static int inode_has_perm(const struct cred *cred,
1845 struct inode *inode,
1847 struct common_audit_data *adp)
1849 struct inode_security_struct *isec;
1852 validate_creds(cred);
1854 if (unlikely(IS_PRIVATE(inode)))
1857 sid = cred_sid(cred);
1858 isec = inode->i_security;
1860 return avc_has_perm(&selinux_state,
1861 sid, isec->sid, isec->sclass, perms, adp);
1864 /* Same as inode_has_perm, but pass explicit audit data containing
1865 the dentry to help the auditing code to more easily generate the
1866 pathname if needed. */
1867 static inline int dentry_has_perm(const struct cred *cred,
1868 struct dentry *dentry,
1871 struct inode *inode = d_backing_inode(dentry);
1872 struct common_audit_data ad;
1874 ad.type = LSM_AUDIT_DATA_DENTRY;
1875 ad.u.dentry = dentry;
1876 __inode_security_revalidate(inode, dentry, true);
1877 return inode_has_perm(cred, inode, av, &ad);
1880 /* Same as inode_has_perm, but pass explicit audit data containing
1881 the path to help the auditing code to more easily generate the
1882 pathname if needed. */
1883 static inline int path_has_perm(const struct cred *cred,
1884 const struct path *path,
1887 struct inode *inode = d_backing_inode(path->dentry);
1888 struct common_audit_data ad;
1890 ad.type = LSM_AUDIT_DATA_PATH;
1892 __inode_security_revalidate(inode, path->dentry, true);
1893 return inode_has_perm(cred, inode, av, &ad);
1896 /* Same as path_has_perm, but uses the inode from the file struct. */
1897 static inline int file_path_has_perm(const struct cred *cred,
1901 struct common_audit_data ad;
1903 ad.type = LSM_AUDIT_DATA_FILE;
1905 return inode_has_perm(cred, file_inode(file), av, &ad);
1908 #ifdef CONFIG_BPF_SYSCALL
1909 static int bpf_fd_pass(struct file *file, u32 sid);
1912 /* Check whether a task can use an open file descriptor to
1913 access an inode in a given way. Check access to the
1914 descriptor itself, and then use dentry_has_perm to
1915 check a particular permission to the file.
1916 Access to the descriptor is implicitly granted if it
1917 has the same SID as the process. If av is zero, then
1918 access to the file is not checked, e.g. for cases
1919 where only the descriptor is affected like seek. */
1920 static int file_has_perm(const struct cred *cred,
1924 struct file_security_struct *fsec = file->f_security;
1925 struct inode *inode = file_inode(file);
1926 struct common_audit_data ad;
1927 u32 sid = cred_sid(cred);
1930 ad.type = LSM_AUDIT_DATA_FILE;
1933 if (sid != fsec->sid) {
1934 rc = avc_has_perm(&selinux_state,
1943 #ifdef CONFIG_BPF_SYSCALL
1944 rc = bpf_fd_pass(file, cred_sid(cred));
1949 /* av is zero if only checking access to the descriptor. */
1952 rc = inode_has_perm(cred, inode, av, &ad);
1959 * Determine the label for an inode that might be unioned.
1962 selinux_determine_inode_label(const struct task_security_struct *tsec,
1964 const struct qstr *name, u16 tclass,
1967 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1969 if ((sbsec->flags & SE_SBINITIALIZED) &&
1970 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1971 *_new_isid = sbsec->mntpoint_sid;
1972 } else if ((sbsec->flags & SBLABEL_MNT) &&
1974 *_new_isid = tsec->create_sid;
1976 const struct inode_security_struct *dsec = inode_security(dir);
1977 return security_transition_sid(&selinux_state, tsec->sid,
1985 /* Check whether a task can create a file. */
1986 static int may_create(struct inode *dir,
1987 struct dentry *dentry,
1990 const struct task_security_struct *tsec = current_security();
1991 struct inode_security_struct *dsec;
1992 struct superblock_security_struct *sbsec;
1994 struct common_audit_data ad;
1997 dsec = inode_security(dir);
1998 sbsec = dir->i_sb->s_security;
2002 ad.type = LSM_AUDIT_DATA_DENTRY;
2003 ad.u.dentry = dentry;
2005 rc = avc_has_perm(&selinux_state,
2006 sid, dsec->sid, SECCLASS_DIR,
2007 DIR__ADD_NAME | DIR__SEARCH,
2012 rc = selinux_determine_inode_label(current_security(), dir,
2013 &dentry->d_name, tclass, &newsid);
2017 rc = avc_has_perm(&selinux_state,
2018 sid, newsid, tclass, FILE__CREATE, &ad);
2022 return avc_has_perm(&selinux_state,
2024 SECCLASS_FILESYSTEM,
2025 FILESYSTEM__ASSOCIATE, &ad);
2029 #define MAY_UNLINK 1
2032 /* Check whether a task can link, unlink, or rmdir a file/directory. */
2033 static int may_link(struct inode *dir,
2034 struct dentry *dentry,
2038 struct inode_security_struct *dsec, *isec;
2039 struct common_audit_data ad;
2040 u32 sid = current_sid();
2044 dsec = inode_security(dir);
2045 isec = backing_inode_security(dentry);
2047 ad.type = LSM_AUDIT_DATA_DENTRY;
2048 ad.u.dentry = dentry;
2051 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2052 rc = avc_has_perm(&selinux_state,
2053 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2068 pr_warn("SELinux: %s: unrecognized kind %d\n",
2073 rc = avc_has_perm(&selinux_state,
2074 sid, isec->sid, isec->sclass, av, &ad);
2078 static inline int may_rename(struct inode *old_dir,
2079 struct dentry *old_dentry,
2080 struct inode *new_dir,
2081 struct dentry *new_dentry)
2083 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2084 struct common_audit_data ad;
2085 u32 sid = current_sid();
2087 int old_is_dir, new_is_dir;
2090 old_dsec = inode_security(old_dir);
2091 old_isec = backing_inode_security(old_dentry);
2092 old_is_dir = d_is_dir(old_dentry);
2093 new_dsec = inode_security(new_dir);
2095 ad.type = LSM_AUDIT_DATA_DENTRY;
2097 ad.u.dentry = old_dentry;
2098 rc = avc_has_perm(&selinux_state,
2099 sid, old_dsec->sid, SECCLASS_DIR,
2100 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2103 rc = avc_has_perm(&selinux_state,
2105 old_isec->sclass, FILE__RENAME, &ad);
2108 if (old_is_dir && new_dir != old_dir) {
2109 rc = avc_has_perm(&selinux_state,
2111 old_isec->sclass, DIR__REPARENT, &ad);
2116 ad.u.dentry = new_dentry;
2117 av = DIR__ADD_NAME | DIR__SEARCH;
2118 if (d_is_positive(new_dentry))
2119 av |= DIR__REMOVE_NAME;
2120 rc = avc_has_perm(&selinux_state,
2121 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2124 if (d_is_positive(new_dentry)) {
2125 new_isec = backing_inode_security(new_dentry);
2126 new_is_dir = d_is_dir(new_dentry);
2127 rc = avc_has_perm(&selinux_state,
2130 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2138 /* Check whether a task can perform a filesystem operation. */
2139 static int superblock_has_perm(const struct cred *cred,
2140 struct super_block *sb,
2142 struct common_audit_data *ad)
2144 struct superblock_security_struct *sbsec;
2145 u32 sid = cred_sid(cred);
2147 sbsec = sb->s_security;
2148 return avc_has_perm(&selinux_state,
2149 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2152 /* Convert a Linux mode and permission mask to an access vector. */
2153 static inline u32 file_mask_to_av(int mode, int mask)
2157 if (!S_ISDIR(mode)) {
2158 if (mask & MAY_EXEC)
2159 av |= FILE__EXECUTE;
2160 if (mask & MAY_READ)
2163 if (mask & MAY_APPEND)
2165 else if (mask & MAY_WRITE)
2169 if (mask & MAY_EXEC)
2171 if (mask & MAY_WRITE)
2173 if (mask & MAY_READ)
2180 /* Convert a Linux file to an access vector. */
2181 static inline u32 file_to_av(struct file *file)
2185 if (file->f_mode & FMODE_READ)
2187 if (file->f_mode & FMODE_WRITE) {
2188 if (file->f_flags & O_APPEND)
2195 * Special file opened with flags 3 for ioctl-only use.
2204 * Convert a file to an access vector and include the correct open
2207 static inline u32 open_file_to_av(struct file *file)
2209 u32 av = file_to_av(file);
2210 struct inode *inode = file_inode(file);
2212 if (selinux_policycap_openperm() &&
2213 inode->i_sb->s_magic != SOCKFS_MAGIC)
2219 /* Hook functions begin here. */
2221 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2223 u32 mysid = current_sid();
2224 u32 mgrsid = task_sid(mgr);
2226 return avc_has_perm(&selinux_state,
2227 mysid, mgrsid, SECCLASS_BINDER,
2228 BINDER__SET_CONTEXT_MGR, NULL);
2231 static int selinux_binder_transaction(struct task_struct *from,
2232 struct task_struct *to)
2234 u32 mysid = current_sid();
2235 u32 fromsid = task_sid(from);
2236 u32 tosid = task_sid(to);
2239 if (mysid != fromsid) {
2240 rc = avc_has_perm(&selinux_state,
2241 mysid, fromsid, SECCLASS_BINDER,
2242 BINDER__IMPERSONATE, NULL);
2247 return avc_has_perm(&selinux_state,
2248 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2252 static int selinux_binder_transfer_binder(struct task_struct *from,
2253 struct task_struct *to)
2255 u32 fromsid = task_sid(from);
2256 u32 tosid = task_sid(to);
2258 return avc_has_perm(&selinux_state,
2259 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2263 static int selinux_binder_transfer_file(struct task_struct *from,
2264 struct task_struct *to,
2267 u32 sid = task_sid(to);
2268 struct file_security_struct *fsec = file->f_security;
2269 struct dentry *dentry = file->f_path.dentry;
2270 struct inode_security_struct *isec;
2271 struct common_audit_data ad;
2274 ad.type = LSM_AUDIT_DATA_PATH;
2275 ad.u.path = file->f_path;
2277 if (sid != fsec->sid) {
2278 rc = avc_has_perm(&selinux_state,
2287 #ifdef CONFIG_BPF_SYSCALL
2288 rc = bpf_fd_pass(file, sid);
2293 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2296 isec = backing_inode_security(dentry);
2297 return avc_has_perm(&selinux_state,
2298 sid, isec->sid, isec->sclass, file_to_av(file),
2302 static int selinux_ptrace_access_check(struct task_struct *child,
2305 u32 sid = current_sid();
2306 u32 csid = task_sid(child);
2308 if (mode & PTRACE_MODE_READ)
2309 return avc_has_perm(&selinux_state,
2310 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2312 return avc_has_perm(&selinux_state,
2313 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2316 static int selinux_ptrace_traceme(struct task_struct *parent)
2318 return avc_has_perm(&selinux_state,
2319 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2320 PROCESS__PTRACE, NULL);
2323 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2324 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2326 return avc_has_perm(&selinux_state,
2327 current_sid(), task_sid(target), SECCLASS_PROCESS,
2328 PROCESS__GETCAP, NULL);
2331 static int selinux_capset(struct cred *new, const struct cred *old,
2332 const kernel_cap_t *effective,
2333 const kernel_cap_t *inheritable,
2334 const kernel_cap_t *permitted)
2336 return avc_has_perm(&selinux_state,
2337 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2338 PROCESS__SETCAP, NULL);
2342 * (This comment used to live with the selinux_task_setuid hook,
2343 * which was removed).
2345 * Since setuid only affects the current process, and since the SELinux
2346 * controls are not based on the Linux identity attributes, SELinux does not
2347 * need to control this operation. However, SELinux does control the use of
2348 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2351 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2352 int cap, unsigned int opts)
2354 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2357 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2359 const struct cred *cred = current_cred();
2371 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2376 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2379 rc = 0; /* let the kernel handle invalid cmds */
2385 static int selinux_quota_on(struct dentry *dentry)
2387 const struct cred *cred = current_cred();
2389 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2392 static int selinux_syslog(int type)
2395 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2396 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2397 return avc_has_perm(&selinux_state,
2398 current_sid(), SECINITSID_KERNEL,
2399 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2400 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2401 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2402 /* Set level of messages printed to console */
2403 case SYSLOG_ACTION_CONSOLE_LEVEL:
2404 return avc_has_perm(&selinux_state,
2405 current_sid(), SECINITSID_KERNEL,
2406 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2409 /* All other syslog types */
2410 return avc_has_perm(&selinux_state,
2411 current_sid(), SECINITSID_KERNEL,
2412 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2416 * Check that a process has enough memory to allocate a new virtual
2417 * mapping. 0 means there is enough memory for the allocation to
2418 * succeed and -ENOMEM implies there is not.
2420 * Do not audit the selinux permission check, as this is applied to all
2421 * processes that allocate mappings.
2423 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2425 int rc, cap_sys_admin = 0;
2427 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2428 CAP_OPT_NOAUDIT, true);
2432 return cap_sys_admin;
2435 /* binprm security operations */
2437 static u32 ptrace_parent_sid(void)
2440 struct task_struct *tracer;
2443 tracer = ptrace_parent(current);
2445 sid = task_sid(tracer);
2451 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2452 const struct task_security_struct *old_tsec,
2453 const struct task_security_struct *new_tsec)
2455 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2456 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2460 if (!nnp && !nosuid)
2461 return 0; /* neither NNP nor nosuid */
2463 if (new_tsec->sid == old_tsec->sid)
2464 return 0; /* No change in credentials */
2467 * If the policy enables the nnp_nosuid_transition policy capability,
2468 * then we permit transitions under NNP or nosuid if the
2469 * policy allows the corresponding permission between
2470 * the old and new contexts.
2472 if (selinux_policycap_nnp_nosuid_transition()) {
2475 av |= PROCESS2__NNP_TRANSITION;
2477 av |= PROCESS2__NOSUID_TRANSITION;
2478 rc = avc_has_perm(&selinux_state,
2479 old_tsec->sid, new_tsec->sid,
2480 SECCLASS_PROCESS2, av, NULL);
2486 * We also permit NNP or nosuid transitions to bounded SIDs,
2487 * i.e. SIDs that are guaranteed to only be allowed a subset
2488 * of the permissions of the current SID.
2490 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2496 * On failure, preserve the errno values for NNP vs nosuid.
2497 * NNP: Operation not permitted for caller.
2498 * nosuid: Permission denied to file.
2505 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2507 const struct task_security_struct *old_tsec;
2508 struct task_security_struct *new_tsec;
2509 struct inode_security_struct *isec;
2510 struct common_audit_data ad;
2511 struct inode *inode = file_inode(bprm->file);
2514 /* SELinux context only depends on initial program or script and not
2515 * the script interpreter */
2516 if (bprm->called_set_creds)
2519 old_tsec = current_security();
2520 new_tsec = bprm->cred->security;
2521 isec = inode_security(inode);
2523 /* Default to the current task SID. */
2524 new_tsec->sid = old_tsec->sid;
2525 new_tsec->osid = old_tsec->sid;
2527 /* Reset fs, key, and sock SIDs on execve. */
2528 new_tsec->create_sid = 0;
2529 new_tsec->keycreate_sid = 0;
2530 new_tsec->sockcreate_sid = 0;
2532 if (old_tsec->exec_sid) {
2533 new_tsec->sid = old_tsec->exec_sid;
2534 /* Reset exec SID on execve. */
2535 new_tsec->exec_sid = 0;
2537 /* Fail on NNP or nosuid if not an allowed transition. */
2538 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2542 /* Check for a default transition on this program. */
2543 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2544 isec->sid, SECCLASS_PROCESS, NULL,
2550 * Fallback to old SID on NNP or nosuid if not an allowed
2553 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2555 new_tsec->sid = old_tsec->sid;
2558 ad.type = LSM_AUDIT_DATA_FILE;
2559 ad.u.file = bprm->file;
2561 if (new_tsec->sid == old_tsec->sid) {
2562 rc = avc_has_perm(&selinux_state,
2563 old_tsec->sid, isec->sid,
2564 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2568 /* Check permissions for the transition. */
2569 rc = avc_has_perm(&selinux_state,
2570 old_tsec->sid, new_tsec->sid,
2571 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2575 rc = avc_has_perm(&selinux_state,
2576 new_tsec->sid, isec->sid,
2577 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2581 /* Check for shared state */
2582 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2583 rc = avc_has_perm(&selinux_state,
2584 old_tsec->sid, new_tsec->sid,
2585 SECCLASS_PROCESS, PROCESS__SHARE,
2591 /* Make sure that anyone attempting to ptrace over a task that
2592 * changes its SID has the appropriate permit */
2593 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2594 u32 ptsid = ptrace_parent_sid();
2596 rc = avc_has_perm(&selinux_state,
2597 ptsid, new_tsec->sid,
2599 PROCESS__PTRACE, NULL);
2605 /* Clear any possibly unsafe personality bits on exec: */
2606 bprm->per_clear |= PER_CLEAR_ON_SETID;
2608 /* Enable secure mode for SIDs transitions unless
2609 the noatsecure permission is granted between
2610 the two SIDs, i.e. ahp returns 0. */
2611 rc = avc_has_perm(&selinux_state,
2612 old_tsec->sid, new_tsec->sid,
2613 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2615 bprm->secureexec |= !!rc;
2621 static int match_file(const void *p, struct file *file, unsigned fd)
2623 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2626 /* Derived from fs/exec.c:flush_old_files. */
2627 static inline void flush_unauthorized_files(const struct cred *cred,
2628 struct files_struct *files)
2630 struct file *file, *devnull = NULL;
2631 struct tty_struct *tty;
2635 tty = get_current_tty();
2637 spin_lock(&tty->files_lock);
2638 if (!list_empty(&tty->tty_files)) {
2639 struct tty_file_private *file_priv;
2641 /* Revalidate access to controlling tty.
2642 Use file_path_has_perm on the tty path directly
2643 rather than using file_has_perm, as this particular
2644 open file may belong to another process and we are
2645 only interested in the inode-based check here. */
2646 file_priv = list_first_entry(&tty->tty_files,
2647 struct tty_file_private, list);
2648 file = file_priv->file;
2649 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2652 spin_unlock(&tty->files_lock);
2655 /* Reset controlling tty. */
2659 /* Revalidate access to inherited open files. */
2660 n = iterate_fd(files, 0, match_file, cred);
2661 if (!n) /* none found? */
2664 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2665 if (IS_ERR(devnull))
2667 /* replace all the matching ones with this */
2669 replace_fd(n - 1, devnull, 0);
2670 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2676 * Prepare a process for imminent new credential changes due to exec
2678 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2680 struct task_security_struct *new_tsec;
2681 struct rlimit *rlim, *initrlim;
2684 new_tsec = bprm->cred->security;
2685 if (new_tsec->sid == new_tsec->osid)
2688 /* Close files for which the new task SID is not authorized. */
2689 flush_unauthorized_files(bprm->cred, current->files);
2691 /* Always clear parent death signal on SID transitions. */
2692 current->pdeath_signal = 0;
2694 /* Check whether the new SID can inherit resource limits from the old
2695 * SID. If not, reset all soft limits to the lower of the current
2696 * task's hard limit and the init task's soft limit.
2698 * Note that the setting of hard limits (even to lower them) can be
2699 * controlled by the setrlimit check. The inclusion of the init task's
2700 * soft limit into the computation is to avoid resetting soft limits
2701 * higher than the default soft limit for cases where the default is
2702 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2704 rc = avc_has_perm(&selinux_state,
2705 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2706 PROCESS__RLIMITINH, NULL);
2708 /* protect against do_prlimit() */
2710 for (i = 0; i < RLIM_NLIMITS; i++) {
2711 rlim = current->signal->rlim + i;
2712 initrlim = init_task.signal->rlim + i;
2713 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2715 task_unlock(current);
2716 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2717 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2722 * Clean up the process immediately after the installation of new credentials
2725 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2727 const struct task_security_struct *tsec = current_security();
2728 struct itimerval itimer;
2738 /* Check whether the new SID can inherit signal state from the old SID.
2739 * If not, clear itimers to avoid subsequent signal generation and
2740 * flush and unblock signals.
2742 * This must occur _after_ the task SID has been updated so that any
2743 * kill done after the flush will be checked against the new SID.
2745 rc = avc_has_perm(&selinux_state,
2746 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2748 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2749 memset(&itimer, 0, sizeof itimer);
2750 for (i = 0; i < 3; i++)
2751 do_setitimer(i, &itimer, NULL);
2753 spin_lock_irq(¤t->sighand->siglock);
2754 if (!fatal_signal_pending(current)) {
2755 flush_sigqueue(¤t->pending);
2756 flush_sigqueue(¤t->signal->shared_pending);
2757 flush_signal_handlers(current, 1);
2758 sigemptyset(¤t->blocked);
2759 recalc_sigpending();
2761 spin_unlock_irq(¤t->sighand->siglock);
2764 /* Wake up the parent if it is waiting so that it can recheck
2765 * wait permission to the new task SID. */
2766 read_lock(&tasklist_lock);
2767 __wake_up_parent(current, current->real_parent);
2768 read_unlock(&tasklist_lock);
2771 /* superblock security operations */
2773 static int selinux_sb_alloc_security(struct super_block *sb)
2775 return superblock_alloc_security(sb);
2778 static void selinux_sb_free_security(struct super_block *sb)
2780 superblock_free_security(sb);
2783 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2788 return !memcmp(prefix, option, plen);
2791 static inline int selinux_option(char *option, int len)
2793 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2794 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2795 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2796 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2797 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2800 static inline void take_option(char **to, char *from, int *first, int len)
2807 memcpy(*to, from, len);
2811 static inline void take_selinux_option(char **to, char *from, int *first,
2814 int current_size = 0;
2822 while (current_size < len) {
2832 static int selinux_sb_copy_data(char *orig, char *copy)
2834 int fnosec, fsec, rc = 0;
2835 char *in_save, *in_curr, *in_end;
2836 char *sec_curr, *nosec_save, *nosec;
2842 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2850 in_save = in_end = orig;
2854 open_quote = !open_quote;
2855 if ((*in_end == ',' && open_quote == 0) ||
2857 int len = in_end - in_curr;
2859 if (selinux_option(in_curr, len))
2860 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2862 take_option(&nosec, in_curr, &fnosec, len);
2864 in_curr = in_end + 1;
2866 } while (*in_end++);
2868 strcpy(in_save, nosec_save);
2869 free_page((unsigned long)nosec_save);
2874 static int selinux_sb_remount(struct super_block *sb, void *data)
2877 struct security_mnt_opts opts;
2878 char *secdata, **mount_options;
2879 struct superblock_security_struct *sbsec = sb->s_security;
2881 if (!(sbsec->flags & SE_SBINITIALIZED))
2887 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2890 security_init_mnt_opts(&opts);
2891 secdata = alloc_secdata();
2894 rc = selinux_sb_copy_data(data, secdata);
2896 goto out_free_secdata;
2898 rc = selinux_parse_opts_str(secdata, &opts);
2900 goto out_free_secdata;
2902 mount_options = opts.mnt_opts;
2903 flags = opts.mnt_opts_flags;
2905 for (i = 0; i < opts.num_mnt_opts; i++) {
2908 if (flags[i] == SBLABEL_MNT)
2910 rc = security_context_str_to_sid(&selinux_state,
2911 mount_options[i], &sid,
2914 pr_warn("SELinux: security_context_str_to_sid"
2915 "(%s) failed for (dev %s, type %s) errno=%d\n",
2916 mount_options[i], sb->s_id, sb->s_type->name, rc);
2922 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2923 goto out_bad_option;
2926 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2927 goto out_bad_option;
2929 case ROOTCONTEXT_MNT: {
2930 struct inode_security_struct *root_isec;
2931 root_isec = backing_inode_security(sb->s_root);
2933 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2934 goto out_bad_option;
2937 case DEFCONTEXT_MNT:
2938 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2939 goto out_bad_option;
2948 security_free_mnt_opts(&opts);
2950 free_secdata(secdata);
2953 pr_warn("SELinux: unable to change security options "
2954 "during remount (dev %s, type=%s)\n", sb->s_id,
2959 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2961 const struct cred *cred = current_cred();
2962 struct common_audit_data ad;
2965 rc = superblock_doinit(sb, data);
2969 /* Allow all mounts performed by the kernel */
2970 if (flags & (MS_KERNMOUNT | MS_SUBMOUNT))
2973 ad.type = LSM_AUDIT_DATA_DENTRY;
2974 ad.u.dentry = sb->s_root;
2975 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2978 static int selinux_sb_statfs(struct dentry *dentry)
2980 const struct cred *cred = current_cred();
2981 struct common_audit_data ad;
2983 ad.type = LSM_AUDIT_DATA_DENTRY;
2984 ad.u.dentry = dentry->d_sb->s_root;
2985 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2988 static int selinux_mount(const char *dev_name,
2989 const struct path *path,
2991 unsigned long flags,
2994 const struct cred *cred = current_cred();
2996 if (flags & MS_REMOUNT)
2997 return superblock_has_perm(cred, path->dentry->d_sb,
2998 FILESYSTEM__REMOUNT, NULL);
3000 return path_has_perm(cred, path, FILE__MOUNTON);
3003 static int selinux_umount(struct vfsmount *mnt, int flags)
3005 const struct cred *cred = current_cred();
3007 return superblock_has_perm(cred, mnt->mnt_sb,
3008 FILESYSTEM__UNMOUNT, NULL);
3011 /* inode security operations */
3013 static int selinux_inode_alloc_security(struct inode *inode)
3015 return inode_alloc_security(inode);
3018 static void selinux_inode_free_security(struct inode *inode)
3020 inode_free_security(inode);
3023 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
3024 const struct qstr *name, void **ctx,
3030 rc = selinux_determine_inode_label(current_security(),
3031 d_inode(dentry->d_parent), name,
3032 inode_mode_to_security_class(mode),
3037 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3041 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3043 const struct cred *old,
3048 struct task_security_struct *tsec;
3050 rc = selinux_determine_inode_label(old->security,
3051 d_inode(dentry->d_parent), name,
3052 inode_mode_to_security_class(mode),
3057 tsec = new->security;
3058 tsec->create_sid = newsid;
3062 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3063 const struct qstr *qstr,
3065 void **value, size_t *len)
3067 const struct task_security_struct *tsec = current_security();
3068 struct superblock_security_struct *sbsec;
3073 sbsec = dir->i_sb->s_security;
3075 newsid = tsec->create_sid;
3077 rc = selinux_determine_inode_label(current_security(),
3079 inode_mode_to_security_class(inode->i_mode),
3084 /* Possibly defer initialization to selinux_complete_init. */
3085 if (sbsec->flags & SE_SBINITIALIZED) {
3086 struct inode_security_struct *isec = inode->i_security;
3087 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3089 isec->initialized = LABEL_INITIALIZED;
3092 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3096 *name = XATTR_SELINUX_SUFFIX;
3099 rc = security_sid_to_context_force(&selinux_state, newsid,
3110 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3112 return may_create(dir, dentry, SECCLASS_FILE);
3115 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3117 return may_link(dir, old_dentry, MAY_LINK);
3120 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3122 return may_link(dir, dentry, MAY_UNLINK);
3125 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3127 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3130 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3132 return may_create(dir, dentry, SECCLASS_DIR);
3135 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3137 return may_link(dir, dentry, MAY_RMDIR);
3140 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3142 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3145 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3146 struct inode *new_inode, struct dentry *new_dentry)
3148 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3151 static int selinux_inode_readlink(struct dentry *dentry)
3153 const struct cred *cred = current_cred();
3155 return dentry_has_perm(cred, dentry, FILE__READ);
3158 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3161 const struct cred *cred = current_cred();
3162 struct common_audit_data ad;
3163 struct inode_security_struct *isec;
3166 validate_creds(cred);
3168 ad.type = LSM_AUDIT_DATA_DENTRY;
3169 ad.u.dentry = dentry;
3170 sid = cred_sid(cred);
3171 isec = inode_security_rcu(inode, rcu);
3173 return PTR_ERR(isec);
3175 return avc_has_perm_flags(&selinux_state,
3176 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3177 rcu ? MAY_NOT_BLOCK : 0);
3180 static noinline int audit_inode_permission(struct inode *inode,
3181 u32 perms, u32 audited, u32 denied,
3184 struct common_audit_data ad;
3185 struct inode_security_struct *isec = inode->i_security;
3188 ad.type = LSM_AUDIT_DATA_INODE;
3191 rc = slow_avc_audit(&selinux_state,
3192 current_sid(), isec->sid, isec->sclass, perms,
3193 audited, denied, result, &ad);
3199 static int selinux_inode_permission(struct inode *inode, int mask)
3201 const struct cred *cred = current_cred();
3204 unsigned flags = mask & MAY_NOT_BLOCK;
3205 struct inode_security_struct *isec;
3207 struct av_decision avd;
3209 u32 audited, denied;
3211 from_access = mask & MAY_ACCESS;
3212 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3214 /* No permission to check. Existence test. */
3218 validate_creds(cred);
3220 if (unlikely(IS_PRIVATE(inode)))
3223 perms = file_mask_to_av(inode->i_mode, mask);
3225 sid = cred_sid(cred);
3226 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3228 return PTR_ERR(isec);
3230 rc = avc_has_perm_noaudit(&selinux_state,
3231 sid, isec->sid, isec->sclass, perms,
3232 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3234 audited = avc_audit_required(perms, &avd, rc,
3235 from_access ? FILE__AUDIT_ACCESS : 0,
3237 if (likely(!audited))
3240 /* fall back to ref-walk if we have to generate audit */
3241 if (flags & MAY_NOT_BLOCK)
3244 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3250 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3252 const struct cred *cred = current_cred();
3253 struct inode *inode = d_backing_inode(dentry);
3254 unsigned int ia_valid = iattr->ia_valid;
3255 __u32 av = FILE__WRITE;
3257 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3258 if (ia_valid & ATTR_FORCE) {
3259 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3265 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3266 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3267 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3269 if (selinux_policycap_openperm() &&
3270 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3271 (ia_valid & ATTR_SIZE) &&
3272 !(ia_valid & ATTR_FILE))
3275 return dentry_has_perm(cred, dentry, av);
3278 static int selinux_inode_getattr(const struct path *path)
3280 return path_has_perm(current_cred(), path, FILE__GETATTR);
3283 static bool has_cap_mac_admin(bool audit)
3285 const struct cred *cred = current_cred();
3286 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3288 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3290 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3295 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3296 const void *value, size_t size, int flags)
3298 struct inode *inode = d_backing_inode(dentry);
3299 struct inode_security_struct *isec;
3300 struct superblock_security_struct *sbsec;
3301 struct common_audit_data ad;
3302 u32 newsid, sid = current_sid();
3305 if (strcmp(name, XATTR_NAME_SELINUX)) {
3306 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3310 /* Not an attribute we recognize, so just check the
3311 ordinary setattr permission. */
3312 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3315 if (!selinux_state.initialized)
3316 return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3318 sbsec = inode->i_sb->s_security;
3319 if (!(sbsec->flags & SBLABEL_MNT))
3322 if (!inode_owner_or_capable(inode))
3325 ad.type = LSM_AUDIT_DATA_DENTRY;
3326 ad.u.dentry = dentry;
3328 isec = backing_inode_security(dentry);
3329 rc = avc_has_perm(&selinux_state,
3330 sid, isec->sid, isec->sclass,
3331 FILE__RELABELFROM, &ad);
3335 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3337 if (rc == -EINVAL) {
3338 if (!has_cap_mac_admin(true)) {
3339 struct audit_buffer *ab;
3342 /* We strip a nul only if it is at the end, otherwise the
3343 * context contains a nul and we should audit that */
3345 const char *str = value;
3347 if (str[size - 1] == '\0')
3348 audit_size = size - 1;
3354 ab = audit_log_start(audit_context(),
3355 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3356 audit_log_format(ab, "op=setxattr invalid_context=");
3357 audit_log_n_untrustedstring(ab, value, audit_size);
3362 rc = security_context_to_sid_force(&selinux_state, value,
3368 rc = avc_has_perm(&selinux_state,
3369 sid, newsid, isec->sclass,
3370 FILE__RELABELTO, &ad);
3374 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3379 return avc_has_perm(&selinux_state,
3382 SECCLASS_FILESYSTEM,
3383 FILESYSTEM__ASSOCIATE,
3387 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3388 const void *value, size_t size,
3391 struct inode *inode = d_backing_inode(dentry);
3392 struct inode_security_struct *isec;
3396 if (strcmp(name, XATTR_NAME_SELINUX)) {
3397 /* Not an attribute we recognize, so nothing to do. */
3401 if (!selinux_state.initialized) {
3402 /* If we haven't even been initialized, then we can't validate
3403 * against a policy, so leave the label as invalid. It may
3404 * resolve to a valid label on the next revalidation try if
3405 * we've since initialized.
3410 rc = security_context_to_sid_force(&selinux_state, value, size,
3413 pr_err("SELinux: unable to map context to SID"
3414 "for (%s, %lu), rc=%d\n",
3415 inode->i_sb->s_id, inode->i_ino, -rc);
3419 isec = backing_inode_security(dentry);
3420 spin_lock(&isec->lock);
3421 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3423 isec->initialized = LABEL_INITIALIZED;
3424 spin_unlock(&isec->lock);
3429 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3431 const struct cred *cred = current_cred();
3433 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3436 static int selinux_inode_listxattr(struct dentry *dentry)
3438 const struct cred *cred = current_cred();
3440 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3443 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3445 if (strcmp(name, XATTR_NAME_SELINUX)) {
3446 int rc = cap_inode_removexattr(dentry, name);
3450 /* Not an attribute we recognize, so just check the
3451 ordinary setattr permission. */
3452 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3455 /* No one is allowed to remove a SELinux security label.
3456 You can change the label, but all data must be labeled. */
3461 * Copy the inode security context value to the user.
3463 * Permission check is handled by selinux_inode_getxattr hook.
3465 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3469 char *context = NULL;
3470 struct inode_security_struct *isec;
3472 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3476 * If the caller has CAP_MAC_ADMIN, then get the raw context
3477 * value even if it is not defined by current policy; otherwise,
3478 * use the in-core value under current policy.
3479 * Use the non-auditing forms of the permission checks since
3480 * getxattr may be called by unprivileged processes commonly
3481 * and lack of permission just means that we fall back to the
3482 * in-core context value, not a denial.
3484 isec = inode_security(inode);
3485 if (has_cap_mac_admin(false))
3486 error = security_sid_to_context_force(&selinux_state,
3487 isec->sid, &context,
3490 error = security_sid_to_context(&selinux_state, isec->sid,
3504 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3505 const void *value, size_t size, int flags)
3507 struct inode_security_struct *isec = inode_security_novalidate(inode);
3508 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3512 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3515 if (!(sbsec->flags & SBLABEL_MNT))
3518 if (!value || !size)
3521 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3526 spin_lock(&isec->lock);
3527 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3529 isec->initialized = LABEL_INITIALIZED;
3530 spin_unlock(&isec->lock);
3534 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3536 const int len = sizeof(XATTR_NAME_SELINUX);
3537 if (buffer && len <= buffer_size)
3538 memcpy(buffer, XATTR_NAME_SELINUX, len);
3542 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3544 struct inode_security_struct *isec = inode_security_novalidate(inode);
3548 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3551 struct task_security_struct *tsec;
3552 struct cred *new_creds = *new;
3554 if (new_creds == NULL) {
3555 new_creds = prepare_creds();
3560 tsec = new_creds->security;
3561 /* Get label from overlay inode and set it in create_sid */
3562 selinux_inode_getsecid(d_inode(src), &sid);
3563 tsec->create_sid = sid;
3568 static int selinux_inode_copy_up_xattr(const char *name)
3570 /* The copy_up hook above sets the initial context on an inode, but we
3571 * don't then want to overwrite it by blindly copying all the lower
3572 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3574 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3575 return 1; /* Discard */
3577 * Any other attribute apart from SELINUX is not claimed, supported
3583 /* file security operations */
3585 static int selinux_revalidate_file_permission(struct file *file, int mask)
3587 const struct cred *cred = current_cred();
3588 struct inode *inode = file_inode(file);
3590 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3591 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3594 return file_has_perm(cred, file,
3595 file_mask_to_av(inode->i_mode, mask));
3598 static int selinux_file_permission(struct file *file, int mask)
3600 struct inode *inode = file_inode(file);
3601 struct file_security_struct *fsec = file->f_security;
3602 struct inode_security_struct *isec;
3603 u32 sid = current_sid();
3606 /* No permission to check. Existence test. */
3609 isec = inode_security(inode);
3610 if (sid == fsec->sid && fsec->isid == isec->sid &&
3611 fsec->pseqno == avc_policy_seqno(&selinux_state))
3612 /* No change since file_open check. */
3615 return selinux_revalidate_file_permission(file, mask);
3618 static int selinux_file_alloc_security(struct file *file)
3620 return file_alloc_security(file);
3623 static void selinux_file_free_security(struct file *file)
3625 file_free_security(file);
3629 * Check whether a task has the ioctl permission and cmd
3630 * operation to an inode.
3632 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3633 u32 requested, u16 cmd)
3635 struct common_audit_data ad;
3636 struct file_security_struct *fsec = file->f_security;
3637 struct inode *inode = file_inode(file);
3638 struct inode_security_struct *isec;
3639 struct lsm_ioctlop_audit ioctl;
3640 u32 ssid = cred_sid(cred);
3642 u8 driver = cmd >> 8;
3643 u8 xperm = cmd & 0xff;
3645 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3648 ad.u.op->path = file->f_path;
3650 if (ssid != fsec->sid) {
3651 rc = avc_has_perm(&selinux_state,
3660 if (unlikely(IS_PRIVATE(inode)))
3663 isec = inode_security(inode);
3664 rc = avc_has_extended_perms(&selinux_state,
3665 ssid, isec->sid, isec->sclass,
3666 requested, driver, xperm, &ad);
3671 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3674 const struct cred *cred = current_cred();
3684 case FS_IOC_GETFLAGS:
3686 case FS_IOC_GETVERSION:
3687 error = file_has_perm(cred, file, FILE__GETATTR);
3690 case FS_IOC_SETFLAGS:
3692 case FS_IOC_SETVERSION:
3693 error = file_has_perm(cred, file, FILE__SETATTR);
3696 /* sys_ioctl() checks */
3700 error = file_has_perm(cred, file, 0);
3705 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3706 CAP_OPT_NONE, true);
3709 /* default case assumes that the command will go
3710 * to the file's ioctl() function.
3713 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3718 static int default_noexec;
3720 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3722 const struct cred *cred = current_cred();
3723 u32 sid = cred_sid(cred);
3726 if (default_noexec &&
3727 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3728 (!shared && (prot & PROT_WRITE)))) {
3730 * We are making executable an anonymous mapping or a
3731 * private file mapping that will also be writable.
3732 * This has an additional check.
3734 rc = avc_has_perm(&selinux_state,
3735 sid, sid, SECCLASS_PROCESS,
3736 PROCESS__EXECMEM, NULL);
3742 /* read access is always possible with a mapping */
3743 u32 av = FILE__READ;
3745 /* write access only matters if the mapping is shared */
3746 if (shared && (prot & PROT_WRITE))
3749 if (prot & PROT_EXEC)
3750 av |= FILE__EXECUTE;
3752 return file_has_perm(cred, file, av);
3759 static int selinux_mmap_addr(unsigned long addr)
3763 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3764 u32 sid = current_sid();
3765 rc = avc_has_perm(&selinux_state,
3766 sid, sid, SECCLASS_MEMPROTECT,
3767 MEMPROTECT__MMAP_ZERO, NULL);
3773 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3774 unsigned long prot, unsigned long flags)
3776 struct common_audit_data ad;
3780 ad.type = LSM_AUDIT_DATA_FILE;
3782 rc = inode_has_perm(current_cred(), file_inode(file),
3788 if (selinux_state.checkreqprot)
3791 return file_map_prot_check(file, prot,
3792 (flags & MAP_TYPE) == MAP_SHARED);
3795 static int selinux_file_mprotect(struct vm_area_struct *vma,
3796 unsigned long reqprot,
3799 const struct cred *cred = current_cred();
3800 u32 sid = cred_sid(cred);
3802 if (selinux_state.checkreqprot)
3805 if (default_noexec &&
3806 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3808 if (vma->vm_start >= vma->vm_mm->start_brk &&
3809 vma->vm_end <= vma->vm_mm->brk) {
3810 rc = avc_has_perm(&selinux_state,
3811 sid, sid, SECCLASS_PROCESS,
3812 PROCESS__EXECHEAP, NULL);
3813 } else if (!vma->vm_file &&
3814 ((vma->vm_start <= vma->vm_mm->start_stack &&
3815 vma->vm_end >= vma->vm_mm->start_stack) ||
3816 vma_is_stack_for_current(vma))) {
3817 rc = avc_has_perm(&selinux_state,
3818 sid, sid, SECCLASS_PROCESS,
3819 PROCESS__EXECSTACK, NULL);
3820 } else if (vma->vm_file && vma->anon_vma) {
3822 * We are making executable a file mapping that has
3823 * had some COW done. Since pages might have been
3824 * written, check ability to execute the possibly
3825 * modified content. This typically should only
3826 * occur for text relocations.
3828 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3834 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3837 static int selinux_file_lock(struct file *file, unsigned int cmd)
3839 const struct cred *cred = current_cred();
3841 return file_has_perm(cred, file, FILE__LOCK);
3844 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3847 const struct cred *cred = current_cred();
3852 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3853 err = file_has_perm(cred, file, FILE__WRITE);
3862 case F_GETOWNER_UIDS:
3863 /* Just check FD__USE permission */
3864 err = file_has_perm(cred, file, 0);
3872 #if BITS_PER_LONG == 32
3877 err = file_has_perm(cred, file, FILE__LOCK);
3884 static void selinux_file_set_fowner(struct file *file)
3886 struct file_security_struct *fsec;
3888 fsec = file->f_security;
3889 fsec->fown_sid = current_sid();
3892 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3893 struct fown_struct *fown, int signum)
3896 u32 sid = task_sid(tsk);
3898 struct file_security_struct *fsec;
3900 /* struct fown_struct is never outside the context of a struct file */
3901 file = container_of(fown, struct file, f_owner);
3903 fsec = file->f_security;
3906 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3908 perm = signal_to_av(signum);
3910 return avc_has_perm(&selinux_state,
3911 fsec->fown_sid, sid,
3912 SECCLASS_PROCESS, perm, NULL);
3915 static int selinux_file_receive(struct file *file)
3917 const struct cred *cred = current_cred();
3919 return file_has_perm(cred, file, file_to_av(file));
3922 static int selinux_file_open(struct file *file)
3924 struct file_security_struct *fsec;
3925 struct inode_security_struct *isec;
3927 fsec = file->f_security;
3928 isec = inode_security(file_inode(file));
3930 * Save inode label and policy sequence number
3931 * at open-time so that selinux_file_permission
3932 * can determine whether revalidation is necessary.
3933 * Task label is already saved in the file security
3934 * struct as its SID.
3936 fsec->isid = isec->sid;
3937 fsec->pseqno = avc_policy_seqno(&selinux_state);
3939 * Since the inode label or policy seqno may have changed
3940 * between the selinux_inode_permission check and the saving
3941 * of state above, recheck that access is still permitted.
3942 * Otherwise, access might never be revalidated against the
3943 * new inode label or new policy.
3944 * This check is not redundant - do not remove.
3946 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3949 /* task security operations */
3951 static int selinux_task_alloc(struct task_struct *task,
3952 unsigned long clone_flags)
3954 u32 sid = current_sid();
3956 return avc_has_perm(&selinux_state,
3957 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3961 * allocate the SELinux part of blank credentials
3963 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3965 struct task_security_struct *tsec;
3967 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3971 cred->security = tsec;
3976 * detach and free the LSM part of a set of credentials
3978 static void selinux_cred_free(struct cred *cred)
3980 struct task_security_struct *tsec = cred->security;
3983 * cred->security == NULL if security_cred_alloc_blank() or
3984 * security_prepare_creds() returned an error.
3986 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3987 cred->security = (void *) 0x7UL;
3992 * prepare a new set of credentials for modification
3994 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3997 const struct task_security_struct *old_tsec;
3998 struct task_security_struct *tsec;
4000 old_tsec = old->security;
4002 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
4006 new->security = tsec;
4011 * transfer the SELinux data to a blank set of creds
4013 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4015 const struct task_security_struct *old_tsec = old->security;
4016 struct task_security_struct *tsec = new->security;
4021 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4023 *secid = cred_sid(c);
4027 * set the security data for a kernel service
4028 * - all the creation contexts are set to unlabelled
4030 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4032 struct task_security_struct *tsec = new->security;
4033 u32 sid = current_sid();
4036 ret = avc_has_perm(&selinux_state,
4038 SECCLASS_KERNEL_SERVICE,
4039 KERNEL_SERVICE__USE_AS_OVERRIDE,
4043 tsec->create_sid = 0;
4044 tsec->keycreate_sid = 0;
4045 tsec->sockcreate_sid = 0;
4051 * set the file creation context in a security record to the same as the
4052 * objective context of the specified inode
4054 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4056 struct inode_security_struct *isec = inode_security(inode);
4057 struct task_security_struct *tsec = new->security;
4058 u32 sid = current_sid();
4061 ret = avc_has_perm(&selinux_state,
4063 SECCLASS_KERNEL_SERVICE,
4064 KERNEL_SERVICE__CREATE_FILES_AS,
4068 tsec->create_sid = isec->sid;
4072 static int selinux_kernel_module_request(char *kmod_name)
4074 struct common_audit_data ad;
4076 ad.type = LSM_AUDIT_DATA_KMOD;
4077 ad.u.kmod_name = kmod_name;
4079 return avc_has_perm(&selinux_state,
4080 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4081 SYSTEM__MODULE_REQUEST, &ad);
4084 static int selinux_kernel_module_from_file(struct file *file)
4086 struct common_audit_data ad;
4087 struct inode_security_struct *isec;
4088 struct file_security_struct *fsec;
4089 u32 sid = current_sid();
4094 return avc_has_perm(&selinux_state,
4095 sid, sid, SECCLASS_SYSTEM,
4096 SYSTEM__MODULE_LOAD, NULL);
4100 ad.type = LSM_AUDIT_DATA_FILE;
4103 fsec = file->f_security;
4104 if (sid != fsec->sid) {
4105 rc = avc_has_perm(&selinux_state,
4106 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4111 isec = inode_security(file_inode(file));
4112 return avc_has_perm(&selinux_state,
4113 sid, isec->sid, SECCLASS_SYSTEM,
4114 SYSTEM__MODULE_LOAD, &ad);
4117 static int selinux_kernel_read_file(struct file *file,
4118 enum kernel_read_file_id id)
4123 case READING_MODULE:
4124 rc = selinux_kernel_module_from_file(file);
4133 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4138 case LOADING_MODULE:
4139 rc = selinux_kernel_module_from_file(NULL);
4147 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4149 return avc_has_perm(&selinux_state,
4150 current_sid(), task_sid(p), SECCLASS_PROCESS,
4151 PROCESS__SETPGID, NULL);
4154 static int selinux_task_getpgid(struct task_struct *p)
4156 return avc_has_perm(&selinux_state,
4157 current_sid(), task_sid(p), SECCLASS_PROCESS,
4158 PROCESS__GETPGID, NULL);
4161 static int selinux_task_getsid(struct task_struct *p)
4163 return avc_has_perm(&selinux_state,
4164 current_sid(), task_sid(p), SECCLASS_PROCESS,
4165 PROCESS__GETSESSION, NULL);
4168 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4170 *secid = task_sid(p);
4173 static int selinux_task_setnice(struct task_struct *p, int nice)
4175 return avc_has_perm(&selinux_state,
4176 current_sid(), task_sid(p), SECCLASS_PROCESS,
4177 PROCESS__SETSCHED, NULL);
4180 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4182 return avc_has_perm(&selinux_state,
4183 current_sid(), task_sid(p), SECCLASS_PROCESS,
4184 PROCESS__SETSCHED, NULL);
4187 static int selinux_task_getioprio(struct task_struct *p)
4189 return avc_has_perm(&selinux_state,
4190 current_sid(), task_sid(p), SECCLASS_PROCESS,
4191 PROCESS__GETSCHED, NULL);
4194 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4201 if (flags & LSM_PRLIMIT_WRITE)
4202 av |= PROCESS__SETRLIMIT;
4203 if (flags & LSM_PRLIMIT_READ)
4204 av |= PROCESS__GETRLIMIT;
4205 return avc_has_perm(&selinux_state,
4206 cred_sid(cred), cred_sid(tcred),
4207 SECCLASS_PROCESS, av, NULL);
4210 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4211 struct rlimit *new_rlim)
4213 struct rlimit *old_rlim = p->signal->rlim + resource;
4215 /* Control the ability to change the hard limit (whether
4216 lowering or raising it), so that the hard limit can
4217 later be used as a safe reset point for the soft limit
4218 upon context transitions. See selinux_bprm_committing_creds. */
4219 if (old_rlim->rlim_max != new_rlim->rlim_max)
4220 return avc_has_perm(&selinux_state,
4221 current_sid(), task_sid(p),
4222 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4227 static int selinux_task_setscheduler(struct task_struct *p)
4229 return avc_has_perm(&selinux_state,
4230 current_sid(), task_sid(p), SECCLASS_PROCESS,
4231 PROCESS__SETSCHED, NULL);
4234 static int selinux_task_getscheduler(struct task_struct *p)
4236 return avc_has_perm(&selinux_state,
4237 current_sid(), task_sid(p), SECCLASS_PROCESS,
4238 PROCESS__GETSCHED, NULL);
4241 static int selinux_task_movememory(struct task_struct *p)
4243 return avc_has_perm(&selinux_state,
4244 current_sid(), task_sid(p), SECCLASS_PROCESS,
4245 PROCESS__SETSCHED, NULL);
4248 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4249 int sig, const struct cred *cred)
4255 perm = PROCESS__SIGNULL; /* null signal; existence test */
4257 perm = signal_to_av(sig);
4259 secid = current_sid();
4261 secid = cred_sid(cred);
4262 return avc_has_perm(&selinux_state,
4263 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4266 static void selinux_task_to_inode(struct task_struct *p,
4267 struct inode *inode)
4269 struct inode_security_struct *isec = inode->i_security;
4270 u32 sid = task_sid(p);
4272 spin_lock(&isec->lock);
4273 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4275 isec->initialized = LABEL_INITIALIZED;
4276 spin_unlock(&isec->lock);
4279 /* Returns error only if unable to parse addresses */
4280 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4281 struct common_audit_data *ad, u8 *proto)
4283 int offset, ihlen, ret = -EINVAL;
4284 struct iphdr _iph, *ih;
4286 offset = skb_network_offset(skb);
4287 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4291 ihlen = ih->ihl * 4;
4292 if (ihlen < sizeof(_iph))
4295 ad->u.net->v4info.saddr = ih->saddr;
4296 ad->u.net->v4info.daddr = ih->daddr;
4300 *proto = ih->protocol;
4302 switch (ih->protocol) {
4304 struct tcphdr _tcph, *th;
4306 if (ntohs(ih->frag_off) & IP_OFFSET)
4310 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4314 ad->u.net->sport = th->source;
4315 ad->u.net->dport = th->dest;
4320 struct udphdr _udph, *uh;
4322 if (ntohs(ih->frag_off) & IP_OFFSET)
4326 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4330 ad->u.net->sport = uh->source;
4331 ad->u.net->dport = uh->dest;
4335 case IPPROTO_DCCP: {
4336 struct dccp_hdr _dccph, *dh;
4338 if (ntohs(ih->frag_off) & IP_OFFSET)
4342 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4346 ad->u.net->sport = dh->dccph_sport;
4347 ad->u.net->dport = dh->dccph_dport;
4351 #if IS_ENABLED(CONFIG_IP_SCTP)
4352 case IPPROTO_SCTP: {
4353 struct sctphdr _sctph, *sh;
4355 if (ntohs(ih->frag_off) & IP_OFFSET)
4359 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4363 ad->u.net->sport = sh->source;
4364 ad->u.net->dport = sh->dest;
4375 #if IS_ENABLED(CONFIG_IPV6)
4377 /* Returns error only if unable to parse addresses */
4378 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4379 struct common_audit_data *ad, u8 *proto)
4382 int ret = -EINVAL, offset;
4383 struct ipv6hdr _ipv6h, *ip6;
4386 offset = skb_network_offset(skb);
4387 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4391 ad->u.net->v6info.saddr = ip6->saddr;
4392 ad->u.net->v6info.daddr = ip6->daddr;
4395 nexthdr = ip6->nexthdr;
4396 offset += sizeof(_ipv6h);
4397 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4406 struct tcphdr _tcph, *th;
4408 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4412 ad->u.net->sport = th->source;
4413 ad->u.net->dport = th->dest;
4418 struct udphdr _udph, *uh;
4420 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4424 ad->u.net->sport = uh->source;
4425 ad->u.net->dport = uh->dest;
4429 case IPPROTO_DCCP: {
4430 struct dccp_hdr _dccph, *dh;
4432 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4436 ad->u.net->sport = dh->dccph_sport;
4437 ad->u.net->dport = dh->dccph_dport;
4441 #if IS_ENABLED(CONFIG_IP_SCTP)
4442 case IPPROTO_SCTP: {
4443 struct sctphdr _sctph, *sh;
4445 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4449 ad->u.net->sport = sh->source;
4450 ad->u.net->dport = sh->dest;
4454 /* includes fragments */
4464 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4465 char **_addrp, int src, u8 *proto)
4470 switch (ad->u.net->family) {
4472 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4475 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4476 &ad->u.net->v4info.daddr);
4479 #if IS_ENABLED(CONFIG_IPV6)
4481 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4484 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4485 &ad->u.net->v6info.daddr);
4495 "SELinux: failure in selinux_parse_skb(),"
4496 " unable to parse packet\n");
4506 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4508 * @family: protocol family
4509 * @sid: the packet's peer label SID
4512 * Check the various different forms of network peer labeling and determine
4513 * the peer label/SID for the packet; most of the magic actually occurs in
4514 * the security server function security_net_peersid_cmp(). The function
4515 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4516 * or -EACCES if @sid is invalid due to inconsistencies with the different
4520 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4527 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4530 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4534 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4535 nlbl_type, xfrm_sid, sid);
4536 if (unlikely(err)) {
4538 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4539 " unable to determine packet's peer label\n");
4547 * selinux_conn_sid - Determine the child socket label for a connection
4548 * @sk_sid: the parent socket's SID
4549 * @skb_sid: the packet's SID
4550 * @conn_sid: the resulting connection SID
4552 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4553 * combined with the MLS information from @skb_sid in order to create
4554 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4555 * of @sk_sid. Returns zero on success, negative values on failure.
4558 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4562 if (skb_sid != SECSID_NULL)
4563 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4571 /* socket security operations */
4573 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4574 u16 secclass, u32 *socksid)
4576 if (tsec->sockcreate_sid > SECSID_NULL) {
4577 *socksid = tsec->sockcreate_sid;
4581 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4582 secclass, NULL, socksid);
4585 static int sock_has_perm(struct sock *sk, u32 perms)
4587 struct sk_security_struct *sksec = sk->sk_security;
4588 struct common_audit_data ad;
4589 struct lsm_network_audit net = {0,};
4591 if (sksec->sid == SECINITSID_KERNEL)
4594 ad.type = LSM_AUDIT_DATA_NET;
4598 return avc_has_perm(&selinux_state,
4599 current_sid(), sksec->sid, sksec->sclass, perms,
4603 static int selinux_socket_create(int family, int type,
4604 int protocol, int kern)
4606 const struct task_security_struct *tsec = current_security();
4614 secclass = socket_type_to_security_class(family, type, protocol);
4615 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4619 return avc_has_perm(&selinux_state,
4620 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4623 static int selinux_socket_post_create(struct socket *sock, int family,
4624 int type, int protocol, int kern)
4626 const struct task_security_struct *tsec = current_security();
4627 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4628 struct sk_security_struct *sksec;
4629 u16 sclass = socket_type_to_security_class(family, type, protocol);
4630 u32 sid = SECINITSID_KERNEL;
4634 err = socket_sockcreate_sid(tsec, sclass, &sid);
4639 isec->sclass = sclass;
4641 isec->initialized = LABEL_INITIALIZED;
4644 sksec = sock->sk->sk_security;
4645 sksec->sclass = sclass;
4647 /* Allows detection of the first association on this socket */
4648 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4649 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4651 err = selinux_netlbl_socket_post_create(sock->sk, family);
4657 static int selinux_socket_socketpair(struct socket *socka,
4658 struct socket *sockb)
4660 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4661 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4663 sksec_a->peer_sid = sksec_b->sid;
4664 sksec_b->peer_sid = sksec_a->sid;
4669 /* Range of port numbers used to automatically bind.
4670 Need to determine whether we should perform a name_bind
4671 permission check between the socket and the port number. */
4673 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4675 struct sock *sk = sock->sk;
4676 struct sk_security_struct *sksec = sk->sk_security;
4680 err = sock_has_perm(sk, SOCKET__BIND);
4684 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4685 family = sk->sk_family;
4686 if (family == PF_INET || family == PF_INET6) {
4688 struct common_audit_data ad;
4689 struct lsm_network_audit net = {0,};
4690 struct sockaddr_in *addr4 = NULL;
4691 struct sockaddr_in6 *addr6 = NULL;
4692 u16 family_sa = address->sa_family;
4693 unsigned short snum;
4697 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4698 * that validates multiple binding addresses. Because of this
4699 * need to check address->sa_family as it is possible to have
4700 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4702 switch (family_sa) {
4705 if (addrlen < sizeof(struct sockaddr_in))
4707 addr4 = (struct sockaddr_in *)address;
4708 if (family_sa == AF_UNSPEC) {
4709 /* see __inet_bind(), we only want to allow
4710 * AF_UNSPEC if the address is INADDR_ANY
4712 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4714 family_sa = AF_INET;
4716 snum = ntohs(addr4->sin_port);
4717 addrp = (char *)&addr4->sin_addr.s_addr;
4720 if (addrlen < SIN6_LEN_RFC2133)
4722 addr6 = (struct sockaddr_in6 *)address;
4723 snum = ntohs(addr6->sin6_port);
4724 addrp = (char *)&addr6->sin6_addr.s6_addr;
4730 ad.type = LSM_AUDIT_DATA_NET;
4732 ad.u.net->sport = htons(snum);
4733 ad.u.net->family = family_sa;
4738 inet_get_local_port_range(sock_net(sk), &low, &high);
4740 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4742 err = sel_netport_sid(sk->sk_protocol,
4746 err = avc_has_perm(&selinux_state,
4749 SOCKET__NAME_BIND, &ad);
4755 switch (sksec->sclass) {
4756 case SECCLASS_TCP_SOCKET:
4757 node_perm = TCP_SOCKET__NODE_BIND;
4760 case SECCLASS_UDP_SOCKET:
4761 node_perm = UDP_SOCKET__NODE_BIND;
4764 case SECCLASS_DCCP_SOCKET:
4765 node_perm = DCCP_SOCKET__NODE_BIND;
4768 case SECCLASS_SCTP_SOCKET:
4769 node_perm = SCTP_SOCKET__NODE_BIND;
4773 node_perm = RAWIP_SOCKET__NODE_BIND;
4777 err = sel_netnode_sid(addrp, family_sa, &sid);
4781 if (family_sa == AF_INET)
4782 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4784 ad.u.net->v6info.saddr = addr6->sin6_addr;
4786 err = avc_has_perm(&selinux_state,
4788 sksec->sclass, node_perm, &ad);
4795 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4796 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4798 return -EAFNOSUPPORT;
4801 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4802 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
4804 static int selinux_socket_connect_helper(struct socket *sock,
4805 struct sockaddr *address, int addrlen)
4807 struct sock *sk = sock->sk;
4808 struct sk_security_struct *sksec = sk->sk_security;
4811 err = sock_has_perm(sk, SOCKET__CONNECT);
4816 * If a TCP, DCCP or SCTP socket, check name_connect permission
4819 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4820 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4821 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4822 struct common_audit_data ad;
4823 struct lsm_network_audit net = {0,};
4824 struct sockaddr_in *addr4 = NULL;
4825 struct sockaddr_in6 *addr6 = NULL;
4826 unsigned short snum = 0;
4829 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4830 * that validates multiple connect addresses. Because of this
4831 * need to check address->sa_family as it is possible to have
4832 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4834 switch (address->sa_family) {
4836 addr4 = (struct sockaddr_in *)address;
4837 if (addrlen < sizeof(struct sockaddr_in))
4839 snum = ntohs(addr4->sin_port);
4842 addr6 = (struct sockaddr_in6 *)address;
4843 if (addrlen < SIN6_LEN_RFC2133)
4845 snum = ntohs(addr6->sin6_port);
4848 /* Note that SCTP services expect -EINVAL, whereas
4849 * others must handle this at the protocol level:
4850 * connect(AF_UNSPEC) on a connected socket is
4851 * a documented way disconnect the socket.
4853 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4857 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4861 switch (sksec->sclass) {
4862 case SECCLASS_TCP_SOCKET:
4863 perm = TCP_SOCKET__NAME_CONNECT;
4865 case SECCLASS_DCCP_SOCKET:
4866 perm = DCCP_SOCKET__NAME_CONNECT;
4868 case SECCLASS_SCTP_SOCKET:
4869 perm = SCTP_SOCKET__NAME_CONNECT;
4873 ad.type = LSM_AUDIT_DATA_NET;
4875 ad.u.net->dport = htons(snum);
4876 ad.u.net->family = address->sa_family;
4877 err = avc_has_perm(&selinux_state,
4878 sksec->sid, sid, sksec->sclass, perm, &ad);
4886 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4887 static int selinux_socket_connect(struct socket *sock,
4888 struct sockaddr *address, int addrlen)
4891 struct sock *sk = sock->sk;
4893 err = selinux_socket_connect_helper(sock, address, addrlen);
4897 return selinux_netlbl_socket_connect(sk, address);
4900 static int selinux_socket_listen(struct socket *sock, int backlog)
4902 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4905 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4908 struct inode_security_struct *isec;
4909 struct inode_security_struct *newisec;
4913 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4917 isec = inode_security_novalidate(SOCK_INODE(sock));
4918 spin_lock(&isec->lock);
4919 sclass = isec->sclass;
4921 spin_unlock(&isec->lock);
4923 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4924 newisec->sclass = sclass;
4926 newisec->initialized = LABEL_INITIALIZED;
4931 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4934 return sock_has_perm(sock->sk, SOCKET__WRITE);
4937 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4938 int size, int flags)
4940 return sock_has_perm(sock->sk, SOCKET__READ);
4943 static int selinux_socket_getsockname(struct socket *sock)
4945 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4948 static int selinux_socket_getpeername(struct socket *sock)
4950 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4953 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4957 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4961 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4964 static int selinux_socket_getsockopt(struct socket *sock, int level,
4967 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4970 static int selinux_socket_shutdown(struct socket *sock, int how)
4972 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4975 static int selinux_socket_unix_stream_connect(struct sock *sock,
4979 struct sk_security_struct *sksec_sock = sock->sk_security;
4980 struct sk_security_struct *sksec_other = other->sk_security;
4981 struct sk_security_struct *sksec_new = newsk->sk_security;
4982 struct common_audit_data ad;
4983 struct lsm_network_audit net = {0,};
4986 ad.type = LSM_AUDIT_DATA_NET;
4988 ad.u.net->sk = other;
4990 err = avc_has_perm(&selinux_state,
4991 sksec_sock->sid, sksec_other->sid,
4992 sksec_other->sclass,
4993 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4997 /* server child socket */
4998 sksec_new->peer_sid = sksec_sock->sid;
4999 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
5000 sksec_sock->sid, &sksec_new->sid);
5004 /* connecting socket */
5005 sksec_sock->peer_sid = sksec_new->sid;
5010 static int selinux_socket_unix_may_send(struct socket *sock,
5011 struct socket *other)
5013 struct sk_security_struct *ssec = sock->sk->sk_security;
5014 struct sk_security_struct *osec = other->sk->sk_security;
5015 struct common_audit_data ad;
5016 struct lsm_network_audit net = {0,};
5018 ad.type = LSM_AUDIT_DATA_NET;
5020 ad.u.net->sk = other->sk;
5022 return avc_has_perm(&selinux_state,
5023 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5027 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5028 char *addrp, u16 family, u32 peer_sid,
5029 struct common_audit_data *ad)
5035 err = sel_netif_sid(ns, ifindex, &if_sid);
5038 err = avc_has_perm(&selinux_state,
5040 SECCLASS_NETIF, NETIF__INGRESS, ad);
5044 err = sel_netnode_sid(addrp, family, &node_sid);
5047 return avc_has_perm(&selinux_state,
5049 SECCLASS_NODE, NODE__RECVFROM, ad);
5052 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5056 struct sk_security_struct *sksec = sk->sk_security;
5057 u32 sk_sid = sksec->sid;
5058 struct common_audit_data ad;
5059 struct lsm_network_audit net = {0,};
5062 ad.type = LSM_AUDIT_DATA_NET;
5064 ad.u.net->netif = skb->skb_iif;
5065 ad.u.net->family = family;
5066 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5070 if (selinux_secmark_enabled()) {
5071 err = avc_has_perm(&selinux_state,
5072 sk_sid, skb->secmark, SECCLASS_PACKET,
5078 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5081 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5086 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5089 struct sk_security_struct *sksec = sk->sk_security;
5090 u16 family = sk->sk_family;
5091 u32 sk_sid = sksec->sid;
5092 struct common_audit_data ad;
5093 struct lsm_network_audit net = {0,};
5098 if (family != PF_INET && family != PF_INET6)
5101 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5102 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5105 /* If any sort of compatibility mode is enabled then handoff processing
5106 * to the selinux_sock_rcv_skb_compat() function to deal with the
5107 * special handling. We do this in an attempt to keep this function
5108 * as fast and as clean as possible. */
5109 if (!selinux_policycap_netpeer())
5110 return selinux_sock_rcv_skb_compat(sk, skb, family);
5112 secmark_active = selinux_secmark_enabled();
5113 peerlbl_active = selinux_peerlbl_enabled();
5114 if (!secmark_active && !peerlbl_active)
5117 ad.type = LSM_AUDIT_DATA_NET;
5119 ad.u.net->netif = skb->skb_iif;
5120 ad.u.net->family = family;
5121 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5125 if (peerlbl_active) {
5128 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5131 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5132 addrp, family, peer_sid, &ad);
5134 selinux_netlbl_err(skb, family, err, 0);
5137 err = avc_has_perm(&selinux_state,
5138 sk_sid, peer_sid, SECCLASS_PEER,
5141 selinux_netlbl_err(skb, family, err, 0);
5146 if (secmark_active) {
5147 err = avc_has_perm(&selinux_state,
5148 sk_sid, skb->secmark, SECCLASS_PACKET,
5157 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5158 int __user *optlen, unsigned len)
5163 struct sk_security_struct *sksec = sock->sk->sk_security;
5164 u32 peer_sid = SECSID_NULL;
5166 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5167 sksec->sclass == SECCLASS_TCP_SOCKET ||
5168 sksec->sclass == SECCLASS_SCTP_SOCKET)
5169 peer_sid = sksec->peer_sid;
5170 if (peer_sid == SECSID_NULL)
5171 return -ENOPROTOOPT;
5173 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5178 if (scontext_len > len) {
5183 if (copy_to_user(optval, scontext, scontext_len))
5187 if (put_user(scontext_len, optlen))
5193 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5195 u32 peer_secid = SECSID_NULL;
5197 struct inode_security_struct *isec;
5199 if (skb && skb->protocol == htons(ETH_P_IP))
5201 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5204 family = sock->sk->sk_family;
5208 if (sock && family == PF_UNIX) {
5209 isec = inode_security_novalidate(SOCK_INODE(sock));
5210 peer_secid = isec->sid;
5212 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5215 *secid = peer_secid;
5216 if (peer_secid == SECSID_NULL)
5221 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5223 struct sk_security_struct *sksec;
5225 sksec = kzalloc(sizeof(*sksec), priority);
5229 sksec->peer_sid = SECINITSID_UNLABELED;
5230 sksec->sid = SECINITSID_UNLABELED;
5231 sksec->sclass = SECCLASS_SOCKET;
5232 selinux_netlbl_sk_security_reset(sksec);
5233 sk->sk_security = sksec;
5238 static void selinux_sk_free_security(struct sock *sk)
5240 struct sk_security_struct *sksec = sk->sk_security;
5242 sk->sk_security = NULL;
5243 selinux_netlbl_sk_security_free(sksec);
5247 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5249 struct sk_security_struct *sksec = sk->sk_security;
5250 struct sk_security_struct *newsksec = newsk->sk_security;
5252 newsksec->sid = sksec->sid;
5253 newsksec->peer_sid = sksec->peer_sid;
5254 newsksec->sclass = sksec->sclass;
5256 selinux_netlbl_sk_security_reset(newsksec);
5259 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5262 *secid = SECINITSID_ANY_SOCKET;
5264 struct sk_security_struct *sksec = sk->sk_security;
5266 *secid = sksec->sid;
5270 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5272 struct inode_security_struct *isec =
5273 inode_security_novalidate(SOCK_INODE(parent));
5274 struct sk_security_struct *sksec = sk->sk_security;
5276 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5277 sk->sk_family == PF_UNIX)
5278 isec->sid = sksec->sid;
5279 sksec->sclass = isec->sclass;
5282 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5283 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5286 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5287 struct sk_buff *skb)
5289 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5290 struct common_audit_data ad;
5291 struct lsm_network_audit net = {0,};
5293 u32 peer_sid = SECINITSID_UNLABELED;
5297 if (!selinux_policycap_extsockclass())
5300 peerlbl_active = selinux_peerlbl_enabled();
5302 if (peerlbl_active) {
5303 /* This will return peer_sid = SECSID_NULL if there are
5304 * no peer labels, see security_net_peersid_resolve().
5306 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5311 if (peer_sid == SECSID_NULL)
5312 peer_sid = SECINITSID_UNLABELED;
5315 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5316 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5318 /* Here as first association on socket. As the peer SID
5319 * was allowed by peer recv (and the netif/node checks),
5320 * then it is approved by policy and used as the primary
5321 * peer SID for getpeercon(3).
5323 sksec->peer_sid = peer_sid;
5324 } else if (sksec->peer_sid != peer_sid) {
5325 /* Other association peer SIDs are checked to enforce
5326 * consistency among the peer SIDs.
5328 ad.type = LSM_AUDIT_DATA_NET;
5330 ad.u.net->sk = ep->base.sk;
5331 err = avc_has_perm(&selinux_state,
5332 sksec->peer_sid, peer_sid, sksec->sclass,
5333 SCTP_SOCKET__ASSOCIATION, &ad);
5338 /* Compute the MLS component for the connection and store
5339 * the information in ep. This will be used by SCTP TCP type
5340 * sockets and peeled off connections as they cause a new
5341 * socket to be generated. selinux_sctp_sk_clone() will then
5342 * plug this into the new socket.
5344 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5348 ep->secid = conn_sid;
5349 ep->peer_secid = peer_sid;
5351 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5352 return selinux_netlbl_sctp_assoc_request(ep, skb);
5355 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5356 * based on their @optname.
5358 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5359 struct sockaddr *address,
5362 int len, err = 0, walk_size = 0;
5364 struct sockaddr *addr;
5365 struct socket *sock;
5367 if (!selinux_policycap_extsockclass())
5370 /* Process one or more addresses that may be IPv4 or IPv6 */
5371 sock = sk->sk_socket;
5374 while (walk_size < addrlen) {
5375 if (walk_size + sizeof(sa_family_t) > addrlen)
5379 switch (addr->sa_family) {
5382 len = sizeof(struct sockaddr_in);
5385 len = sizeof(struct sockaddr_in6);
5391 if (walk_size + len > addrlen)
5397 case SCTP_PRIMARY_ADDR:
5398 case SCTP_SET_PEER_PRIMARY_ADDR:
5399 case SCTP_SOCKOPT_BINDX_ADD:
5400 err = selinux_socket_bind(sock, addr, len);
5402 /* Connect checks */
5403 case SCTP_SOCKOPT_CONNECTX:
5404 case SCTP_PARAM_SET_PRIMARY:
5405 case SCTP_PARAM_ADD_IP:
5406 case SCTP_SENDMSG_CONNECT:
5407 err = selinux_socket_connect_helper(sock, addr, len);
5411 /* As selinux_sctp_bind_connect() is called by the
5412 * SCTP protocol layer, the socket is already locked,
5413 * therefore selinux_netlbl_socket_connect_locked() is
5414 * is called here. The situations handled are:
5415 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5416 * whenever a new IP address is added or when a new
5417 * primary address is selected.
5418 * Note that an SCTP connect(2) call happens before
5419 * the SCTP protocol layer and is handled via
5420 * selinux_socket_connect().
5422 err = selinux_netlbl_socket_connect_locked(sk, addr);
5436 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5437 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5440 struct sk_security_struct *sksec = sk->sk_security;
5441 struct sk_security_struct *newsksec = newsk->sk_security;
5443 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5444 * the non-sctp clone version.
5446 if (!selinux_policycap_extsockclass())
5447 return selinux_sk_clone_security(sk, newsk);
5449 newsksec->sid = ep->secid;
5450 newsksec->peer_sid = ep->peer_secid;
5451 newsksec->sclass = sksec->sclass;
5452 selinux_netlbl_sctp_sk_clone(sk, newsk);
5455 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5456 struct request_sock *req)
5458 struct sk_security_struct *sksec = sk->sk_security;
5460 u16 family = req->rsk_ops->family;
5464 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5467 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5470 req->secid = connsid;
5471 req->peer_secid = peersid;
5473 return selinux_netlbl_inet_conn_request(req, family);
5476 static void selinux_inet_csk_clone(struct sock *newsk,
5477 const struct request_sock *req)
5479 struct sk_security_struct *newsksec = newsk->sk_security;
5481 newsksec->sid = req->secid;
5482 newsksec->peer_sid = req->peer_secid;
5483 /* NOTE: Ideally, we should also get the isec->sid for the
5484 new socket in sync, but we don't have the isec available yet.
5485 So we will wait until sock_graft to do it, by which
5486 time it will have been created and available. */
5488 /* We don't need to take any sort of lock here as we are the only
5489 * thread with access to newsksec */
5490 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5493 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5495 u16 family = sk->sk_family;
5496 struct sk_security_struct *sksec = sk->sk_security;
5498 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5499 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5502 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5505 static int selinux_secmark_relabel_packet(u32 sid)
5507 const struct task_security_struct *__tsec;
5510 __tsec = current_security();
5513 return avc_has_perm(&selinux_state,
5514 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5518 static void selinux_secmark_refcount_inc(void)
5520 atomic_inc(&selinux_secmark_refcount);
5523 static void selinux_secmark_refcount_dec(void)
5525 atomic_dec(&selinux_secmark_refcount);
5528 static void selinux_req_classify_flow(const struct request_sock *req,
5531 fl->flowi_secid = req->secid;
5534 static int selinux_tun_dev_alloc_security(void **security)
5536 struct tun_security_struct *tunsec;
5538 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5541 tunsec->sid = current_sid();
5547 static void selinux_tun_dev_free_security(void *security)
5552 static int selinux_tun_dev_create(void)
5554 u32 sid = current_sid();
5556 /* we aren't taking into account the "sockcreate" SID since the socket
5557 * that is being created here is not a socket in the traditional sense,
5558 * instead it is a private sock, accessible only to the kernel, and
5559 * representing a wide range of network traffic spanning multiple
5560 * connections unlike traditional sockets - check the TUN driver to
5561 * get a better understanding of why this socket is special */
5563 return avc_has_perm(&selinux_state,
5564 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5568 static int selinux_tun_dev_attach_queue(void *security)
5570 struct tun_security_struct *tunsec = security;
5572 return avc_has_perm(&selinux_state,
5573 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5574 TUN_SOCKET__ATTACH_QUEUE, NULL);
5577 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5579 struct tun_security_struct *tunsec = security;
5580 struct sk_security_struct *sksec = sk->sk_security;
5582 /* we don't currently perform any NetLabel based labeling here and it
5583 * isn't clear that we would want to do so anyway; while we could apply
5584 * labeling without the support of the TUN user the resulting labeled
5585 * traffic from the other end of the connection would almost certainly
5586 * cause confusion to the TUN user that had no idea network labeling
5587 * protocols were being used */
5589 sksec->sid = tunsec->sid;
5590 sksec->sclass = SECCLASS_TUN_SOCKET;
5595 static int selinux_tun_dev_open(void *security)
5597 struct tun_security_struct *tunsec = security;
5598 u32 sid = current_sid();
5601 err = avc_has_perm(&selinux_state,
5602 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5603 TUN_SOCKET__RELABELFROM, NULL);
5606 err = avc_has_perm(&selinux_state,
5607 sid, sid, SECCLASS_TUN_SOCKET,
5608 TUN_SOCKET__RELABELTO, NULL);
5616 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5619 unsigned int msg_len;
5620 unsigned int data_len = skb->len;
5621 unsigned char *data = skb->data;
5622 struct nlmsghdr *nlh;
5623 struct sk_security_struct *sksec = sk->sk_security;
5624 u16 sclass = sksec->sclass;
5627 while (data_len >= nlmsg_total_size(0)) {
5628 nlh = (struct nlmsghdr *)data;
5630 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5631 * users which means we can't reject skb's with bogus
5632 * length fields; our solution is to follow what
5633 * netlink_rcv_skb() does and simply skip processing at
5634 * messages with length fields that are clearly junk
5636 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5639 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5641 rc = sock_has_perm(sk, perm);
5644 } else if (rc == -EINVAL) {
5645 /* -EINVAL is a missing msg/perm mapping */
5646 pr_warn_ratelimited("SELinux: unrecognized netlink"
5647 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5648 " pid=%d comm=%s\n",
5649 sk->sk_protocol, nlh->nlmsg_type,
5650 secclass_map[sclass - 1].name,
5651 task_pid_nr(current), current->comm);
5652 if (enforcing_enabled(&selinux_state) &&
5653 !security_get_allow_unknown(&selinux_state))
5656 } else if (rc == -ENOENT) {
5657 /* -ENOENT is a missing socket/class mapping, ignore */
5663 /* move to the next message after applying netlink padding */
5664 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5665 if (msg_len >= data_len)
5667 data_len -= msg_len;
5674 #ifdef CONFIG_NETFILTER
5676 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5677 const struct net_device *indev,
5683 struct common_audit_data ad;
5684 struct lsm_network_audit net = {0,};
5689 if (!selinux_policycap_netpeer())
5692 secmark_active = selinux_secmark_enabled();
5693 netlbl_active = netlbl_enabled();
5694 peerlbl_active = selinux_peerlbl_enabled();
5695 if (!secmark_active && !peerlbl_active)
5698 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5701 ad.type = LSM_AUDIT_DATA_NET;
5703 ad.u.net->netif = indev->ifindex;
5704 ad.u.net->family = family;
5705 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5708 if (peerlbl_active) {
5709 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5710 addrp, family, peer_sid, &ad);
5712 selinux_netlbl_err(skb, family, err, 1);
5718 if (avc_has_perm(&selinux_state,
5719 peer_sid, skb->secmark,
5720 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5724 /* we do this in the FORWARD path and not the POST_ROUTING
5725 * path because we want to make sure we apply the necessary
5726 * labeling before IPsec is applied so we can leverage AH
5728 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5734 static unsigned int selinux_ipv4_forward(void *priv,
5735 struct sk_buff *skb,
5736 const struct nf_hook_state *state)
5738 return selinux_ip_forward(skb, state->in, PF_INET);
5741 #if IS_ENABLED(CONFIG_IPV6)
5742 static unsigned int selinux_ipv6_forward(void *priv,
5743 struct sk_buff *skb,
5744 const struct nf_hook_state *state)
5746 return selinux_ip_forward(skb, state->in, PF_INET6);
5750 static unsigned int selinux_ip_output(struct sk_buff *skb,
5756 if (!netlbl_enabled())
5759 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5760 * because we want to make sure we apply the necessary labeling
5761 * before IPsec is applied so we can leverage AH protection */
5764 struct sk_security_struct *sksec;
5766 if (sk_listener(sk))
5767 /* if the socket is the listening state then this
5768 * packet is a SYN-ACK packet which means it needs to
5769 * be labeled based on the connection/request_sock and
5770 * not the parent socket. unfortunately, we can't
5771 * lookup the request_sock yet as it isn't queued on
5772 * the parent socket until after the SYN-ACK is sent.
5773 * the "solution" is to simply pass the packet as-is
5774 * as any IP option based labeling should be copied
5775 * from the initial connection request (in the IP
5776 * layer). it is far from ideal, but until we get a
5777 * security label in the packet itself this is the
5778 * best we can do. */
5781 /* standard practice, label using the parent socket */
5782 sksec = sk->sk_security;
5785 sid = SECINITSID_KERNEL;
5786 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5792 static unsigned int selinux_ipv4_output(void *priv,
5793 struct sk_buff *skb,
5794 const struct nf_hook_state *state)
5796 return selinux_ip_output(skb, PF_INET);
5799 #if IS_ENABLED(CONFIG_IPV6)
5800 static unsigned int selinux_ipv6_output(void *priv,
5801 struct sk_buff *skb,
5802 const struct nf_hook_state *state)
5804 return selinux_ip_output(skb, PF_INET6);
5808 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5812 struct sock *sk = skb_to_full_sk(skb);
5813 struct sk_security_struct *sksec;
5814 struct common_audit_data ad;
5815 struct lsm_network_audit net = {0,};
5821 sksec = sk->sk_security;
5823 ad.type = LSM_AUDIT_DATA_NET;
5825 ad.u.net->netif = ifindex;
5826 ad.u.net->family = family;
5827 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5830 if (selinux_secmark_enabled())
5831 if (avc_has_perm(&selinux_state,
5832 sksec->sid, skb->secmark,
5833 SECCLASS_PACKET, PACKET__SEND, &ad))
5834 return NF_DROP_ERR(-ECONNREFUSED);
5836 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5837 return NF_DROP_ERR(-ECONNREFUSED);
5842 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5843 const struct net_device *outdev,
5848 int ifindex = outdev->ifindex;
5850 struct common_audit_data ad;
5851 struct lsm_network_audit net = {0,};
5856 /* If any sort of compatibility mode is enabled then handoff processing
5857 * to the selinux_ip_postroute_compat() function to deal with the
5858 * special handling. We do this in an attempt to keep this function
5859 * as fast and as clean as possible. */
5860 if (!selinux_policycap_netpeer())
5861 return selinux_ip_postroute_compat(skb, ifindex, family);
5863 secmark_active = selinux_secmark_enabled();
5864 peerlbl_active = selinux_peerlbl_enabled();
5865 if (!secmark_active && !peerlbl_active)
5868 sk = skb_to_full_sk(skb);
5871 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5872 * packet transformation so allow the packet to pass without any checks
5873 * since we'll have another chance to perform access control checks
5874 * when the packet is on it's final way out.
5875 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5876 * is NULL, in this case go ahead and apply access control.
5877 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5878 * TCP listening state we cannot wait until the XFRM processing
5879 * is done as we will miss out on the SA label if we do;
5880 * unfortunately, this means more work, but it is only once per
5882 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5883 !(sk && sk_listener(sk)))
5888 /* Without an associated socket the packet is either coming
5889 * from the kernel or it is being forwarded; check the packet
5890 * to determine which and if the packet is being forwarded
5891 * query the packet directly to determine the security label. */
5893 secmark_perm = PACKET__FORWARD_OUT;
5894 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5897 secmark_perm = PACKET__SEND;
5898 peer_sid = SECINITSID_KERNEL;
5900 } else if (sk_listener(sk)) {
5901 /* Locally generated packet but the associated socket is in the
5902 * listening state which means this is a SYN-ACK packet. In
5903 * this particular case the correct security label is assigned
5904 * to the connection/request_sock but unfortunately we can't
5905 * query the request_sock as it isn't queued on the parent
5906 * socket until after the SYN-ACK packet is sent; the only
5907 * viable choice is to regenerate the label like we do in
5908 * selinux_inet_conn_request(). See also selinux_ip_output()
5909 * for similar problems. */
5911 struct sk_security_struct *sksec;
5913 sksec = sk->sk_security;
5914 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5916 /* At this point, if the returned skb peerlbl is SECSID_NULL
5917 * and the packet has been through at least one XFRM
5918 * transformation then we must be dealing with the "final"
5919 * form of labeled IPsec packet; since we've already applied
5920 * all of our access controls on this packet we can safely
5921 * pass the packet. */
5922 if (skb_sid == SECSID_NULL) {
5925 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5929 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5933 return NF_DROP_ERR(-ECONNREFUSED);
5936 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5938 secmark_perm = PACKET__SEND;
5940 /* Locally generated packet, fetch the security label from the
5941 * associated socket. */
5942 struct sk_security_struct *sksec = sk->sk_security;
5943 peer_sid = sksec->sid;
5944 secmark_perm = PACKET__SEND;
5947 ad.type = LSM_AUDIT_DATA_NET;
5949 ad.u.net->netif = ifindex;
5950 ad.u.net->family = family;
5951 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5955 if (avc_has_perm(&selinux_state,
5956 peer_sid, skb->secmark,
5957 SECCLASS_PACKET, secmark_perm, &ad))
5958 return NF_DROP_ERR(-ECONNREFUSED);
5960 if (peerlbl_active) {
5964 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5966 if (avc_has_perm(&selinux_state,
5968 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5969 return NF_DROP_ERR(-ECONNREFUSED);
5971 if (sel_netnode_sid(addrp, family, &node_sid))
5973 if (avc_has_perm(&selinux_state,
5975 SECCLASS_NODE, NODE__SENDTO, &ad))
5976 return NF_DROP_ERR(-ECONNREFUSED);
5982 static unsigned int selinux_ipv4_postroute(void *priv,
5983 struct sk_buff *skb,
5984 const struct nf_hook_state *state)
5986 return selinux_ip_postroute(skb, state->out, PF_INET);
5989 #if IS_ENABLED(CONFIG_IPV6)
5990 static unsigned int selinux_ipv6_postroute(void *priv,
5991 struct sk_buff *skb,
5992 const struct nf_hook_state *state)
5994 return selinux_ip_postroute(skb, state->out, PF_INET6);
5998 #endif /* CONFIG_NETFILTER */
6000 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
6002 return selinux_nlmsg_perm(sk, skb);
6005 static int ipc_alloc_security(struct kern_ipc_perm *perm,
6008 struct ipc_security_struct *isec;
6010 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
6014 isec->sclass = sclass;
6015 isec->sid = current_sid();
6016 perm->security = isec;
6021 static void ipc_free_security(struct kern_ipc_perm *perm)
6023 struct ipc_security_struct *isec = perm->security;
6024 perm->security = NULL;
6028 static int msg_msg_alloc_security(struct msg_msg *msg)
6030 struct msg_security_struct *msec;
6032 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
6036 msec->sid = SECINITSID_UNLABELED;
6037 msg->security = msec;
6042 static void msg_msg_free_security(struct msg_msg *msg)
6044 struct msg_security_struct *msec = msg->security;
6046 msg->security = NULL;
6050 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
6053 struct ipc_security_struct *isec;
6054 struct common_audit_data ad;
6055 u32 sid = current_sid();
6057 isec = ipc_perms->security;
6059 ad.type = LSM_AUDIT_DATA_IPC;
6060 ad.u.ipc_id = ipc_perms->key;
6062 return avc_has_perm(&selinux_state,
6063 sid, isec->sid, isec->sclass, perms, &ad);
6066 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6068 return msg_msg_alloc_security(msg);
6071 static void selinux_msg_msg_free_security(struct msg_msg *msg)
6073 msg_msg_free_security(msg);
6076 /* message queue security operations */
6077 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6079 struct ipc_security_struct *isec;
6080 struct common_audit_data ad;
6081 u32 sid = current_sid();
6084 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
6088 isec = msq->security;
6090 ad.type = LSM_AUDIT_DATA_IPC;
6091 ad.u.ipc_id = msq->key;
6093 rc = avc_has_perm(&selinux_state,
6094 sid, isec->sid, SECCLASS_MSGQ,
6097 ipc_free_security(msq);
6103 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6105 ipc_free_security(msq);
6108 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6110 struct ipc_security_struct *isec;
6111 struct common_audit_data ad;
6112 u32 sid = current_sid();
6114 isec = msq->security;
6116 ad.type = LSM_AUDIT_DATA_IPC;
6117 ad.u.ipc_id = msq->key;
6119 return avc_has_perm(&selinux_state,
6120 sid, isec->sid, SECCLASS_MSGQ,
6121 MSGQ__ASSOCIATE, &ad);
6124 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6132 /* No specific object, just general system-wide information. */
6133 return avc_has_perm(&selinux_state,
6134 current_sid(), SECINITSID_KERNEL,
6135 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6139 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6142 perms = MSGQ__SETATTR;
6145 perms = MSGQ__DESTROY;
6151 err = ipc_has_perm(msq, perms);
6155 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6157 struct ipc_security_struct *isec;
6158 struct msg_security_struct *msec;
6159 struct common_audit_data ad;
6160 u32 sid = current_sid();
6163 isec = msq->security;
6164 msec = msg->security;
6167 * First time through, need to assign label to the message
6169 if (msec->sid == SECINITSID_UNLABELED) {
6171 * Compute new sid based on current process and
6172 * message queue this message will be stored in
6174 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6175 SECCLASS_MSG, NULL, &msec->sid);
6180 ad.type = LSM_AUDIT_DATA_IPC;
6181 ad.u.ipc_id = msq->key;
6183 /* Can this process write to the queue? */
6184 rc = avc_has_perm(&selinux_state,
6185 sid, isec->sid, SECCLASS_MSGQ,
6188 /* Can this process send the message */
6189 rc = avc_has_perm(&selinux_state,
6190 sid, msec->sid, SECCLASS_MSG,
6193 /* Can the message be put in the queue? */
6194 rc = avc_has_perm(&selinux_state,
6195 msec->sid, isec->sid, SECCLASS_MSGQ,
6196 MSGQ__ENQUEUE, &ad);
6201 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6202 struct task_struct *target,
6203 long type, int mode)
6205 struct ipc_security_struct *isec;
6206 struct msg_security_struct *msec;
6207 struct common_audit_data ad;
6208 u32 sid = task_sid(target);
6211 isec = msq->security;
6212 msec = msg->security;
6214 ad.type = LSM_AUDIT_DATA_IPC;
6215 ad.u.ipc_id = msq->key;
6217 rc = avc_has_perm(&selinux_state,
6219 SECCLASS_MSGQ, MSGQ__READ, &ad);
6221 rc = avc_has_perm(&selinux_state,
6223 SECCLASS_MSG, MSG__RECEIVE, &ad);
6227 /* Shared Memory security operations */
6228 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6230 struct ipc_security_struct *isec;
6231 struct common_audit_data ad;
6232 u32 sid = current_sid();
6235 rc = ipc_alloc_security(shp, SECCLASS_SHM);
6239 isec = shp->security;
6241 ad.type = LSM_AUDIT_DATA_IPC;
6242 ad.u.ipc_id = shp->key;
6244 rc = avc_has_perm(&selinux_state,
6245 sid, isec->sid, SECCLASS_SHM,
6248 ipc_free_security(shp);
6254 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6256 ipc_free_security(shp);
6259 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6261 struct ipc_security_struct *isec;
6262 struct common_audit_data ad;
6263 u32 sid = current_sid();
6265 isec = shp->security;
6267 ad.type = LSM_AUDIT_DATA_IPC;
6268 ad.u.ipc_id = shp->key;
6270 return avc_has_perm(&selinux_state,
6271 sid, isec->sid, SECCLASS_SHM,
6272 SHM__ASSOCIATE, &ad);
6275 /* Note, at this point, shp is locked down */
6276 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6284 /* No specific object, just general system-wide information. */
6285 return avc_has_perm(&selinux_state,
6286 current_sid(), SECINITSID_KERNEL,
6287 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6291 perms = SHM__GETATTR | SHM__ASSOCIATE;
6294 perms = SHM__SETATTR;
6301 perms = SHM__DESTROY;
6307 err = ipc_has_perm(shp, perms);
6311 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6312 char __user *shmaddr, int shmflg)
6316 if (shmflg & SHM_RDONLY)
6319 perms = SHM__READ | SHM__WRITE;
6321 return ipc_has_perm(shp, perms);
6324 /* Semaphore security operations */
6325 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6327 struct ipc_security_struct *isec;
6328 struct common_audit_data ad;
6329 u32 sid = current_sid();
6332 rc = ipc_alloc_security(sma, SECCLASS_SEM);
6336 isec = sma->security;
6338 ad.type = LSM_AUDIT_DATA_IPC;
6339 ad.u.ipc_id = sma->key;
6341 rc = avc_has_perm(&selinux_state,
6342 sid, isec->sid, SECCLASS_SEM,
6345 ipc_free_security(sma);
6351 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6353 ipc_free_security(sma);
6356 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6358 struct ipc_security_struct *isec;
6359 struct common_audit_data ad;
6360 u32 sid = current_sid();
6362 isec = sma->security;
6364 ad.type = LSM_AUDIT_DATA_IPC;
6365 ad.u.ipc_id = sma->key;
6367 return avc_has_perm(&selinux_state,
6368 sid, isec->sid, SECCLASS_SEM,
6369 SEM__ASSOCIATE, &ad);
6372 /* Note, at this point, sma is locked down */
6373 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6381 /* No specific object, just general system-wide information. */
6382 return avc_has_perm(&selinux_state,
6383 current_sid(), SECINITSID_KERNEL,
6384 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6388 perms = SEM__GETATTR;
6399 perms = SEM__DESTROY;
6402 perms = SEM__SETATTR;
6407 perms = SEM__GETATTR | SEM__ASSOCIATE;
6413 err = ipc_has_perm(sma, perms);
6417 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6418 struct sembuf *sops, unsigned nsops, int alter)
6423 perms = SEM__READ | SEM__WRITE;
6427 return ipc_has_perm(sma, perms);
6430 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6436 av |= IPC__UNIX_READ;
6438 av |= IPC__UNIX_WRITE;
6443 return ipc_has_perm(ipcp, av);
6446 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6448 struct ipc_security_struct *isec = ipcp->security;
6452 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6455 inode_doinit_with_dentry(inode, dentry);
6458 static int selinux_getprocattr(struct task_struct *p,
6459 char *name, char **value)
6461 const struct task_security_struct *__tsec;
6467 __tsec = __task_cred(p)->security;
6470 error = avc_has_perm(&selinux_state,
6471 current_sid(), __tsec->sid,
6472 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6477 if (!strcmp(name, "current"))
6479 else if (!strcmp(name, "prev"))
6481 else if (!strcmp(name, "exec"))
6482 sid = __tsec->exec_sid;
6483 else if (!strcmp(name, "fscreate"))
6484 sid = __tsec->create_sid;
6485 else if (!strcmp(name, "keycreate"))
6486 sid = __tsec->keycreate_sid;
6487 else if (!strcmp(name, "sockcreate"))
6488 sid = __tsec->sockcreate_sid;
6498 error = security_sid_to_context(&selinux_state, sid, value, &len);
6508 static int selinux_setprocattr(const char *name, void *value, size_t size)
6510 struct task_security_struct *tsec;
6512 u32 mysid = current_sid(), sid = 0, ptsid;
6517 * Basic control over ability to set these attributes at all.
6519 if (!strcmp(name, "exec"))
6520 error = avc_has_perm(&selinux_state,
6521 mysid, mysid, SECCLASS_PROCESS,
6522 PROCESS__SETEXEC, NULL);
6523 else if (!strcmp(name, "fscreate"))
6524 error = avc_has_perm(&selinux_state,
6525 mysid, mysid, SECCLASS_PROCESS,
6526 PROCESS__SETFSCREATE, NULL);
6527 else if (!strcmp(name, "keycreate"))
6528 error = avc_has_perm(&selinux_state,
6529 mysid, mysid, SECCLASS_PROCESS,
6530 PROCESS__SETKEYCREATE, NULL);
6531 else if (!strcmp(name, "sockcreate"))
6532 error = avc_has_perm(&selinux_state,
6533 mysid, mysid, SECCLASS_PROCESS,
6534 PROCESS__SETSOCKCREATE, NULL);
6535 else if (!strcmp(name, "current"))
6536 error = avc_has_perm(&selinux_state,
6537 mysid, mysid, SECCLASS_PROCESS,
6538 PROCESS__SETCURRENT, NULL);
6544 /* Obtain a SID for the context, if one was specified. */
6545 if (size && str[0] && str[0] != '\n') {
6546 if (str[size-1] == '\n') {
6550 error = security_context_to_sid(&selinux_state, value, size,
6552 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6553 if (!has_cap_mac_admin(true)) {
6554 struct audit_buffer *ab;
6557 /* We strip a nul only if it is at the end, otherwise the
6558 * context contains a nul and we should audit that */
6559 if (str[size - 1] == '\0')
6560 audit_size = size - 1;
6563 ab = audit_log_start(audit_context(),
6566 audit_log_format(ab, "op=fscreate invalid_context=");
6567 audit_log_n_untrustedstring(ab, value, audit_size);
6572 error = security_context_to_sid_force(
6580 new = prepare_creds();
6584 /* Permission checking based on the specified context is
6585 performed during the actual operation (execve,
6586 open/mkdir/...), when we know the full context of the
6587 operation. See selinux_bprm_set_creds for the execve
6588 checks and may_create for the file creation checks. The
6589 operation will then fail if the context is not permitted. */
6590 tsec = new->security;
6591 if (!strcmp(name, "exec")) {
6592 tsec->exec_sid = sid;
6593 } else if (!strcmp(name, "fscreate")) {
6594 tsec->create_sid = sid;
6595 } else if (!strcmp(name, "keycreate")) {
6597 error = avc_has_perm(&selinux_state, mysid, sid,
6598 SECCLASS_KEY, KEY__CREATE, NULL);
6602 tsec->keycreate_sid = sid;
6603 } else if (!strcmp(name, "sockcreate")) {
6604 tsec->sockcreate_sid = sid;
6605 } else if (!strcmp(name, "current")) {
6610 /* Only allow single threaded processes to change context */
6612 if (!current_is_single_threaded()) {
6613 error = security_bounded_transition(&selinux_state,
6619 /* Check permissions for the transition. */
6620 error = avc_has_perm(&selinux_state,
6621 tsec->sid, sid, SECCLASS_PROCESS,
6622 PROCESS__DYNTRANSITION, NULL);
6626 /* Check for ptracing, and update the task SID if ok.
6627 Otherwise, leave SID unchanged and fail. */
6628 ptsid = ptrace_parent_sid();
6630 error = avc_has_perm(&selinux_state,
6631 ptsid, sid, SECCLASS_PROCESS,
6632 PROCESS__PTRACE, NULL);
6651 static int selinux_ismaclabel(const char *name)
6653 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6656 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6658 return security_sid_to_context(&selinux_state, secid,
6662 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6664 return security_context_to_sid(&selinux_state, secdata, seclen,
6668 static void selinux_release_secctx(char *secdata, u32 seclen)
6673 static void selinux_inode_invalidate_secctx(struct inode *inode)
6675 struct inode_security_struct *isec = inode->i_security;
6677 spin_lock(&isec->lock);
6678 isec->initialized = LABEL_INVALID;
6679 spin_unlock(&isec->lock);
6683 * called with inode->i_mutex locked
6685 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6687 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6689 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6690 return rc == -EOPNOTSUPP ? 0 : rc;
6694 * called with inode->i_mutex locked
6696 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6698 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6701 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6704 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6713 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6714 unsigned long flags)
6716 const struct task_security_struct *tsec;
6717 struct key_security_struct *ksec;
6719 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6723 tsec = cred->security;
6724 if (tsec->keycreate_sid)
6725 ksec->sid = tsec->keycreate_sid;
6727 ksec->sid = tsec->sid;
6733 static void selinux_key_free(struct key *k)
6735 struct key_security_struct *ksec = k->security;
6741 static int selinux_key_permission(key_ref_t key_ref,
6742 const struct cred *cred,
6746 struct key_security_struct *ksec;
6749 /* if no specific permissions are requested, we skip the
6750 permission check. No serious, additional covert channels
6751 appear to be created. */
6755 sid = cred_sid(cred);
6757 key = key_ref_to_ptr(key_ref);
6758 ksec = key->security;
6760 return avc_has_perm(&selinux_state,
6761 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6764 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6766 struct key_security_struct *ksec = key->security;
6767 char *context = NULL;
6771 rc = security_sid_to_context(&selinux_state, ksec->sid,
6780 #ifdef CONFIG_SECURITY_INFINIBAND
6781 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6783 struct common_audit_data ad;
6786 struct ib_security_struct *sec = ib_sec;
6787 struct lsm_ibpkey_audit ibpkey;
6789 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6793 ad.type = LSM_AUDIT_DATA_IBPKEY;
6794 ibpkey.subnet_prefix = subnet_prefix;
6795 ibpkey.pkey = pkey_val;
6796 ad.u.ibpkey = &ibpkey;
6797 return avc_has_perm(&selinux_state,
6799 SECCLASS_INFINIBAND_PKEY,
6800 INFINIBAND_PKEY__ACCESS, &ad);
6803 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6806 struct common_audit_data ad;
6809 struct ib_security_struct *sec = ib_sec;
6810 struct lsm_ibendport_audit ibendport;
6812 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6818 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6819 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6820 ibendport.port = port_num;
6821 ad.u.ibendport = &ibendport;
6822 return avc_has_perm(&selinux_state,
6824 SECCLASS_INFINIBAND_ENDPORT,
6825 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6828 static int selinux_ib_alloc_security(void **ib_sec)
6830 struct ib_security_struct *sec;
6832 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6835 sec->sid = current_sid();
6841 static void selinux_ib_free_security(void *ib_sec)
6847 #ifdef CONFIG_BPF_SYSCALL
6848 static int selinux_bpf(int cmd, union bpf_attr *attr,
6851 u32 sid = current_sid();
6855 case BPF_MAP_CREATE:
6856 ret = avc_has_perm(&selinux_state,
6857 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6861 ret = avc_has_perm(&selinux_state,
6862 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6873 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6877 if (fmode & FMODE_READ)
6878 av |= BPF__MAP_READ;
6879 if (fmode & FMODE_WRITE)
6880 av |= BPF__MAP_WRITE;
6884 /* This function will check the file pass through unix socket or binder to see
6885 * if it is a bpf related object. And apply correspinding checks on the bpf
6886 * object based on the type. The bpf maps and programs, not like other files and
6887 * socket, are using a shared anonymous inode inside the kernel as their inode.
6888 * So checking that inode cannot identify if the process have privilege to
6889 * access the bpf object and that's why we have to add this additional check in
6890 * selinux_file_receive and selinux_binder_transfer_files.
6892 static int bpf_fd_pass(struct file *file, u32 sid)
6894 struct bpf_security_struct *bpfsec;
6895 struct bpf_prog *prog;
6896 struct bpf_map *map;
6899 if (file->f_op == &bpf_map_fops) {
6900 map = file->private_data;
6901 bpfsec = map->security;
6902 ret = avc_has_perm(&selinux_state,
6903 sid, bpfsec->sid, SECCLASS_BPF,
6904 bpf_map_fmode_to_av(file->f_mode), NULL);
6907 } else if (file->f_op == &bpf_prog_fops) {
6908 prog = file->private_data;
6909 bpfsec = prog->aux->security;
6910 ret = avc_has_perm(&selinux_state,
6911 sid, bpfsec->sid, SECCLASS_BPF,
6912 BPF__PROG_RUN, NULL);
6919 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6921 u32 sid = current_sid();
6922 struct bpf_security_struct *bpfsec;
6924 bpfsec = map->security;
6925 return avc_has_perm(&selinux_state,
6926 sid, bpfsec->sid, SECCLASS_BPF,
6927 bpf_map_fmode_to_av(fmode), NULL);
6930 static int selinux_bpf_prog(struct bpf_prog *prog)
6932 u32 sid = current_sid();
6933 struct bpf_security_struct *bpfsec;
6935 bpfsec = prog->aux->security;
6936 return avc_has_perm(&selinux_state,
6937 sid, bpfsec->sid, SECCLASS_BPF,
6938 BPF__PROG_RUN, NULL);
6941 static int selinux_bpf_map_alloc(struct bpf_map *map)
6943 struct bpf_security_struct *bpfsec;
6945 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6949 bpfsec->sid = current_sid();
6950 map->security = bpfsec;
6955 static void selinux_bpf_map_free(struct bpf_map *map)
6957 struct bpf_security_struct *bpfsec = map->security;
6959 map->security = NULL;
6963 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6965 struct bpf_security_struct *bpfsec;
6967 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6971 bpfsec->sid = current_sid();
6972 aux->security = bpfsec;
6977 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6979 struct bpf_security_struct *bpfsec = aux->security;
6981 aux->security = NULL;
6986 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6987 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6988 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6989 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6990 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6992 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6993 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6994 LSM_HOOK_INIT(capget, selinux_capget),
6995 LSM_HOOK_INIT(capset, selinux_capset),
6996 LSM_HOOK_INIT(capable, selinux_capable),
6997 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6998 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6999 LSM_HOOK_INIT(syslog, selinux_syslog),
7000 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7002 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7004 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
7005 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7006 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7008 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7009 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
7010 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
7011 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7012 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7013 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7014 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7015 LSM_HOOK_INIT(sb_mount, selinux_mount),
7016 LSM_HOOK_INIT(sb_umount, selinux_umount),
7017 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7018 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7019 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
7021 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7022 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7024 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7025 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7026 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7027 LSM_HOOK_INIT(inode_create, selinux_inode_create),
7028 LSM_HOOK_INIT(inode_link, selinux_inode_link),
7029 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7030 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7031 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7032 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7033 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7034 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7035 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7036 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7037 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7038 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7039 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7040 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7041 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7042 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7043 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7044 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7045 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7046 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7047 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7048 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7049 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7050 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7052 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7053 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7054 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
7055 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7056 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7057 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7058 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7059 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7060 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7061 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7062 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7063 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7065 LSM_HOOK_INIT(file_open, selinux_file_open),
7067 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7068 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
7069 LSM_HOOK_INIT(cred_free, selinux_cred_free),
7070 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7071 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7072 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7073 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7074 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7075 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7076 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7077 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7078 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7079 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7080 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7081 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
7082 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7083 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7084 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7085 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7086 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7087 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7088 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7089 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7090 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7091 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7093 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7094 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7096 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7097 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
7099 LSM_HOOK_INIT(msg_queue_alloc_security,
7100 selinux_msg_queue_alloc_security),
7101 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
7102 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7103 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7104 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7105 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7107 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7108 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7109 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7110 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7111 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7113 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7114 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7115 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7116 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7117 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7119 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7121 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7122 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7124 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7125 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7126 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7127 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7128 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7129 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7130 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7131 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7133 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7134 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7136 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7137 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7138 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7139 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7140 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7141 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7142 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7143 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7144 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7145 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7146 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7147 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7148 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7149 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7150 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7151 LSM_HOOK_INIT(socket_getpeersec_stream,
7152 selinux_socket_getpeersec_stream),
7153 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7154 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7155 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7156 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7157 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7158 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7159 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7160 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7161 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7162 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7163 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7164 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7165 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7166 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7167 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7168 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7169 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7170 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7171 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7172 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7173 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7174 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7175 #ifdef CONFIG_SECURITY_INFINIBAND
7176 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7177 LSM_HOOK_INIT(ib_endport_manage_subnet,
7178 selinux_ib_endport_manage_subnet),
7179 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7180 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7182 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7183 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7184 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7185 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7186 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7187 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7188 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7189 selinux_xfrm_state_alloc_acquire),
7190 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7191 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7192 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7193 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7194 selinux_xfrm_state_pol_flow_match),
7195 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7199 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7200 LSM_HOOK_INIT(key_free, selinux_key_free),
7201 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7202 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7206 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7207 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7208 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7209 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7212 #ifdef CONFIG_BPF_SYSCALL
7213 LSM_HOOK_INIT(bpf, selinux_bpf),
7214 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7215 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7216 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7217 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7218 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7219 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7223 static __init int selinux_init(void)
7225 if (!security_module_enable("selinux")) {
7226 selinux_enabled = 0;
7230 if (!selinux_enabled) {
7231 pr_info("SELinux: Disabled at boot.\n");
7235 pr_info("SELinux: Initializing.\n");
7237 memset(&selinux_state, 0, sizeof(selinux_state));
7238 enforcing_set(&selinux_state, selinux_enforcing_boot);
7239 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7240 selinux_ss_init(&selinux_state.ss);
7241 selinux_avc_init(&selinux_state.avc);
7243 /* Set the security state for the initial task. */
7244 cred_init_security();
7246 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7248 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7249 sizeof(struct inode_security_struct),
7250 0, SLAB_PANIC, NULL);
7251 file_security_cache = kmem_cache_create("selinux_file_security",
7252 sizeof(struct file_security_struct),
7253 0, SLAB_PANIC, NULL);
7258 ebitmap_cache_init();
7260 hashtab_cache_init();
7262 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7264 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7265 panic("SELinux: Unable to register AVC netcache callback\n");
7267 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7268 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7270 if (selinux_enforcing_boot)
7271 pr_debug("SELinux: Starting in enforcing mode\n");
7273 pr_debug("SELinux: Starting in permissive mode\n");
7278 static void delayed_superblock_init(struct super_block *sb, void *unused)
7280 superblock_doinit(sb, NULL);
7283 void selinux_complete_init(void)
7285 pr_debug("SELinux: Completing initialization.\n");
7287 /* Set up any superblocks initialized prior to the policy load. */
7288 pr_debug("SELinux: Setting up existing superblocks.\n");
7289 iterate_supers(delayed_superblock_init, NULL);
7292 /* SELinux requires early initialization in order to label
7293 all processes and objects when they are created. */
7294 security_initcall(selinux_init);
7296 #if defined(CONFIG_NETFILTER)
7298 static const struct nf_hook_ops selinux_nf_ops[] = {
7300 .hook = selinux_ipv4_postroute,
7302 .hooknum = NF_INET_POST_ROUTING,
7303 .priority = NF_IP_PRI_SELINUX_LAST,
7306 .hook = selinux_ipv4_forward,
7308 .hooknum = NF_INET_FORWARD,
7309 .priority = NF_IP_PRI_SELINUX_FIRST,
7312 .hook = selinux_ipv4_output,
7314 .hooknum = NF_INET_LOCAL_OUT,
7315 .priority = NF_IP_PRI_SELINUX_FIRST,
7317 #if IS_ENABLED(CONFIG_IPV6)
7319 .hook = selinux_ipv6_postroute,
7321 .hooknum = NF_INET_POST_ROUTING,
7322 .priority = NF_IP6_PRI_SELINUX_LAST,
7325 .hook = selinux_ipv6_forward,
7327 .hooknum = NF_INET_FORWARD,
7328 .priority = NF_IP6_PRI_SELINUX_FIRST,
7331 .hook = selinux_ipv6_output,
7333 .hooknum = NF_INET_LOCAL_OUT,
7334 .priority = NF_IP6_PRI_SELINUX_FIRST,
7339 static int __net_init selinux_nf_register(struct net *net)
7341 return nf_register_net_hooks(net, selinux_nf_ops,
7342 ARRAY_SIZE(selinux_nf_ops));
7345 static void __net_exit selinux_nf_unregister(struct net *net)
7347 nf_unregister_net_hooks(net, selinux_nf_ops,
7348 ARRAY_SIZE(selinux_nf_ops));
7351 static struct pernet_operations selinux_net_ops = {
7352 .init = selinux_nf_register,
7353 .exit = selinux_nf_unregister,
7356 static int __init selinux_nf_ip_init(void)
7360 if (!selinux_enabled)
7363 pr_debug("SELinux: Registering netfilter hooks\n");
7365 err = register_pernet_subsys(&selinux_net_ops);
7367 panic("SELinux: register_pernet_subsys: error %d\n", err);
7371 __initcall(selinux_nf_ip_init);
7373 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7374 static void selinux_nf_ip_exit(void)
7376 pr_debug("SELinux: Unregistering netfilter hooks\n");
7378 unregister_pernet_subsys(&selinux_net_ops);
7382 #else /* CONFIG_NETFILTER */
7384 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7385 #define selinux_nf_ip_exit()
7388 #endif /* CONFIG_NETFILTER */
7390 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7391 int selinux_disable(struct selinux_state *state)
7393 if (state->initialized) {
7394 /* Not permitted after initial policy load. */
7398 if (state->disabled) {
7399 /* Only do this once. */
7403 state->disabled = 1;
7405 pr_info("SELinux: Disabled at runtime.\n");
7407 selinux_enabled = 0;
7409 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7411 /* Try to destroy the avc node cache */
7414 /* Unregister netfilter hooks. */
7415 selinux_nf_ip_exit();
7417 /* Unregister selinuxfs. */