1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <stephen.smalley.work@gmail.com>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>		/* for local_port_range[] */
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h>		/* for Unix socket types */
73 #include <net/af_unix.h>	/* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <uapi/linux/shm.h>
89 #include <linux/bpf.h>
90 #include <linux/kernfs.h>
91 #include <linux/stringhash.h>	/* for hashlen_string() */
92 #include <uapi/linux/mount.h>
93 #include <linux/fsnotify.h>
94 #include <linux/fanotify.h>
95 #include <linux/io_uring/cmd.h>
96 #include <uapi/linux/lsm.h>
97 
98 #include "avc.h"
99 #include "objsec.h"
100 #include "netif.h"
101 #include "netnode.h"
102 #include "netport.h"
103 #include "ibpkey.h"
104 #include "xfrm.h"
105 #include "netlabel.h"
106 #include "audit.h"
107 #include "avc_ss.h"
108 
109 #define SELINUX_INODE_INIT_XATTRS 1
110 
111 struct selinux_state selinux_state;
112 
113 /* SECMARK reference count */
114 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
115 
116 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
117 static int selinux_enforcing_boot __initdata;
118 
enforcing_setup(char * str)119 static int __init enforcing_setup(char *str)
120 {
121 	unsigned long enforcing;
122 	if (!kstrtoul(str, 0, &enforcing))
123 		selinux_enforcing_boot = enforcing ? 1 : 0;
124 	return 1;
125 }
126 __setup("enforcing=", enforcing_setup);
127 #else
128 #define selinux_enforcing_boot 1
129 #endif
130 
131 int selinux_enabled_boot __initdata = 1;
132 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
selinux_enabled_setup(char * str)133 static int __init selinux_enabled_setup(char *str)
134 {
135 	unsigned long enabled;
136 	if (!kstrtoul(str, 0, &enabled))
137 		selinux_enabled_boot = enabled ? 1 : 0;
138 	return 1;
139 }
140 __setup("selinux=", selinux_enabled_setup);
141 #endif
142 
checkreqprot_setup(char * str)143 static int __init checkreqprot_setup(char *str)
144 {
145 	unsigned long checkreqprot;
146 
147 	if (!kstrtoul(str, 0, &checkreqprot)) {
148 		if (checkreqprot)
149 			pr_err("SELinux: checkreqprot set to 1 via kernel parameter.  This is no longer supported.\n");
150 	}
151 	return 1;
152 }
153 __setup("checkreqprot=", checkreqprot_setup);
154 
155 /**
156  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157  *
158  * Description:
159  * This function checks the SECMARK reference counter to see if any SECMARK
160  * targets are currently configured, if the reference counter is greater than
161  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
162  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
163  * policy capability is enabled, SECMARK is always considered enabled.
164  *
165  */
selinux_secmark_enabled(void)166 static int selinux_secmark_enabled(void)
167 {
168 	return (selinux_policycap_alwaysnetwork() ||
169 		atomic_read(&selinux_secmark_refcount));
170 }
171 
172 /**
173  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174  *
175  * Description:
176  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
177  * (1) if any are enabled or false (0) if neither are enabled.  If the
178  * always_check_network policy capability is enabled, peer labeling
179  * is always considered enabled.
180  *
181  */
selinux_peerlbl_enabled(void)182 static int selinux_peerlbl_enabled(void)
183 {
184 	return (selinux_policycap_alwaysnetwork() ||
185 		netlbl_enabled() || selinux_xfrm_enabled());
186 }
187 
selinux_netcache_avc_callback(u32 event)188 static int selinux_netcache_avc_callback(u32 event)
189 {
190 	if (event == AVC_CALLBACK_RESET) {
191 		sel_netif_flush();
192 		sel_netnode_flush();
193 		sel_netport_flush();
194 		synchronize_net();
195 	}
196 	return 0;
197 }
198 
selinux_lsm_notifier_avc_callback(u32 event)199 static int selinux_lsm_notifier_avc_callback(u32 event)
200 {
201 	if (event == AVC_CALLBACK_RESET) {
202 		sel_ib_pkey_flush();
203 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
204 	}
205 
206 	return 0;
207 }
208 
209 /*
210  * initialise the security for the init task
211  */
cred_init_security(void)212 static void cred_init_security(void)
213 {
214 	struct task_security_struct *tsec;
215 
216 	tsec = selinux_cred(unrcu_pointer(current->real_cred));
217 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
218 }
219 
220 /*
221  * get the security ID of a set of credentials
222  */
cred_sid(const struct cred * cred)223 static inline u32 cred_sid(const struct cred *cred)
224 {
225 	const struct task_security_struct *tsec;
226 
227 	tsec = selinux_cred(cred);
228 	return tsec->sid;
229 }
230 
__ad_net_init(struct common_audit_data * ad,struct lsm_network_audit * net,int ifindex,struct sock * sk,u16 family)231 static void __ad_net_init(struct common_audit_data *ad,
232 			  struct lsm_network_audit *net,
233 			  int ifindex, struct sock *sk, u16 family)
234 {
235 	ad->type = LSM_AUDIT_DATA_NET;
236 	ad->u.net = net;
237 	net->netif = ifindex;
238 	net->sk = sk;
239 	net->family = family;
240 }
241 
ad_net_init_from_sk(struct common_audit_data * ad,struct lsm_network_audit * net,struct sock * sk)242 static void ad_net_init_from_sk(struct common_audit_data *ad,
243 				struct lsm_network_audit *net,
244 				struct sock *sk)
245 {
246 	__ad_net_init(ad, net, 0, sk, 0);
247 }
248 
ad_net_init_from_iif(struct common_audit_data * ad,struct lsm_network_audit * net,int ifindex,u16 family)249 static void ad_net_init_from_iif(struct common_audit_data *ad,
250 				 struct lsm_network_audit *net,
251 				 int ifindex, u16 family)
252 {
253 	__ad_net_init(ad, net, ifindex, NULL, family);
254 }
255 
256 /*
257  * get the objective security ID of a task
258  */
task_sid_obj(const struct task_struct * task)259 static inline u32 task_sid_obj(const struct task_struct *task)
260 {
261 	u32 sid;
262 
263 	rcu_read_lock();
264 	sid = cred_sid(__task_cred(task));
265 	rcu_read_unlock();
266 	return sid;
267 }
268 
269 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
270 
271 /*
272  * Try reloading inode security labels that have been marked as invalid.  The
273  * @may_sleep parameter indicates when sleeping and thus reloading labels is
274  * allowed; when set to false, returns -ECHILD when the label is
275  * invalid.  The @dentry parameter should be set to a dentry of the inode.
276  */
__inode_security_revalidate(struct inode * inode,struct dentry * dentry,bool may_sleep)277 static int __inode_security_revalidate(struct inode *inode,
278 				       struct dentry *dentry,
279 				       bool may_sleep)
280 {
281 	struct inode_security_struct *isec = selinux_inode(inode);
282 
283 	might_sleep_if(may_sleep);
284 
285 	/*
286 	 * The check of isec->initialized below is racy but
287 	 * inode_doinit_with_dentry() will recheck with
288 	 * isec->lock held.
289 	 */
290 	if (selinux_initialized() &&
291 	    data_race(isec->initialized != LABEL_INITIALIZED)) {
292 		if (!may_sleep)
293 			return -ECHILD;
294 
295 		/*
296 		 * Try reloading the inode security label.  This will fail if
297 		 * @opt_dentry is NULL and no dentry for this inode can be
298 		 * found; in that case, continue using the old label.
299 		 */
300 		inode_doinit_with_dentry(inode, dentry);
301 	}
302 	return 0;
303 }
304 
inode_security_novalidate(struct inode * inode)305 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
306 {
307 	return selinux_inode(inode);
308 }
309 
inode_security_rcu(struct inode * inode,bool rcu)310 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
311 {
312 	int error;
313 
314 	error = __inode_security_revalidate(inode, NULL, !rcu);
315 	if (error)
316 		return ERR_PTR(error);
317 	return selinux_inode(inode);
318 }
319 
320 /*
321  * Get the security label of an inode.
322  */
inode_security(struct inode * inode)323 static struct inode_security_struct *inode_security(struct inode *inode)
324 {
325 	__inode_security_revalidate(inode, NULL, true);
326 	return selinux_inode(inode);
327 }
328 
backing_inode_security_novalidate(struct dentry * dentry)329 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
330 {
331 	struct inode *inode = d_backing_inode(dentry);
332 
333 	return selinux_inode(inode);
334 }
335 
336 /*
337  * Get the security label of a dentry's backing inode.
338  */
backing_inode_security(struct dentry * dentry)339 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
340 {
341 	struct inode *inode = d_backing_inode(dentry);
342 
343 	__inode_security_revalidate(inode, dentry, true);
344 	return selinux_inode(inode);
345 }
346 
inode_free_security(struct inode * inode)347 static void inode_free_security(struct inode *inode)
348 {
349 	struct inode_security_struct *isec = selinux_inode(inode);
350 	struct superblock_security_struct *sbsec;
351 
352 	if (!isec)
353 		return;
354 	sbsec = selinux_superblock(inode->i_sb);
355 	/*
356 	 * As not all inode security structures are in a list, we check for
357 	 * empty list outside of the lock to make sure that we won't waste
358 	 * time taking a lock doing nothing.
359 	 *
360 	 * The list_del_init() function can be safely called more than once.
361 	 * It should not be possible for this function to be called with
362 	 * concurrent list_add(), but for better safety against future changes
363 	 * in the code, we use list_empty_careful() here.
364 	 */
365 	if (!list_empty_careful(&isec->list)) {
366 		spin_lock(&sbsec->isec_lock);
367 		list_del_init(&isec->list);
368 		spin_unlock(&sbsec->isec_lock);
369 	}
370 }
371 
372 struct selinux_mnt_opts {
373 	u32 fscontext_sid;
374 	u32 context_sid;
375 	u32 rootcontext_sid;
376 	u32 defcontext_sid;
377 };
378 
selinux_free_mnt_opts(void * mnt_opts)379 static void selinux_free_mnt_opts(void *mnt_opts)
380 {
381 	kfree(mnt_opts);
382 }
383 
384 enum {
385 	Opt_error = -1,
386 	Opt_context = 0,
387 	Opt_defcontext = 1,
388 	Opt_fscontext = 2,
389 	Opt_rootcontext = 3,
390 	Opt_seclabel = 4,
391 };
392 
393 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
394 static const struct {
395 	const char *name;
396 	int len;
397 	int opt;
398 	bool has_arg;
399 } tokens[] = {
400 	A(context, true),
401 	A(fscontext, true),
402 	A(defcontext, true),
403 	A(rootcontext, true),
404 	A(seclabel, false),
405 };
406 #undef A
407 
match_opt_prefix(char * s,int l,char ** arg)408 static int match_opt_prefix(char *s, int l, char **arg)
409 {
410 	int i;
411 
412 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
413 		size_t len = tokens[i].len;
414 		if (len > l || memcmp(s, tokens[i].name, len))
415 			continue;
416 		if (tokens[i].has_arg) {
417 			if (len == l || s[len] != '=')
418 				continue;
419 			*arg = s + len + 1;
420 		} else if (len != l)
421 			continue;
422 		return tokens[i].opt;
423 	}
424 	return Opt_error;
425 }
426 
427 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
428 
may_context_mount_sb_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)429 static int may_context_mount_sb_relabel(u32 sid,
430 			struct superblock_security_struct *sbsec,
431 			const struct cred *cred)
432 {
433 	const struct task_security_struct *tsec = selinux_cred(cred);
434 	int rc;
435 
436 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
437 			  FILESYSTEM__RELABELFROM, NULL);
438 	if (rc)
439 		return rc;
440 
441 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
442 			  FILESYSTEM__RELABELTO, NULL);
443 	return rc;
444 }
445 
may_context_mount_inode_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)446 static int may_context_mount_inode_relabel(u32 sid,
447 			struct superblock_security_struct *sbsec,
448 			const struct cred *cred)
449 {
450 	const struct task_security_struct *tsec = selinux_cred(cred);
451 	int rc;
452 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
453 			  FILESYSTEM__RELABELFROM, NULL);
454 	if (rc)
455 		return rc;
456 
457 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
458 			  FILESYSTEM__ASSOCIATE, NULL);
459 	return rc;
460 }
461 
selinux_is_genfs_special_handling(struct super_block * sb)462 static int selinux_is_genfs_special_handling(struct super_block *sb)
463 {
464 	/* Special handling. Genfs but also in-core setxattr handler */
465 	return	!strcmp(sb->s_type->name, "sysfs") ||
466 		!strcmp(sb->s_type->name, "pstore") ||
467 		!strcmp(sb->s_type->name, "debugfs") ||
468 		!strcmp(sb->s_type->name, "tracefs") ||
469 		!strcmp(sb->s_type->name, "rootfs") ||
470 		(selinux_policycap_cgroupseclabel() &&
471 		 (!strcmp(sb->s_type->name, "cgroup") ||
472 		  !strcmp(sb->s_type->name, "cgroup2")));
473 }
474 
selinux_is_sblabel_mnt(struct super_block * sb)475 static int selinux_is_sblabel_mnt(struct super_block *sb)
476 {
477 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
478 
479 	/*
480 	 * IMPORTANT: Double-check logic in this function when adding a new
481 	 * SECURITY_FS_USE_* definition!
482 	 */
483 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
484 
485 	switch (sbsec->behavior) {
486 	case SECURITY_FS_USE_XATTR:
487 	case SECURITY_FS_USE_TRANS:
488 	case SECURITY_FS_USE_TASK:
489 	case SECURITY_FS_USE_NATIVE:
490 		return 1;
491 
492 	case SECURITY_FS_USE_GENFS:
493 		return selinux_is_genfs_special_handling(sb);
494 
495 	/* Never allow relabeling on context mounts */
496 	case SECURITY_FS_USE_MNTPOINT:
497 	case SECURITY_FS_USE_NONE:
498 	default:
499 		return 0;
500 	}
501 }
502 
sb_check_xattr_support(struct super_block * sb)503 static int sb_check_xattr_support(struct super_block *sb)
504 {
505 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
506 	struct dentry *root = sb->s_root;
507 	struct inode *root_inode = d_backing_inode(root);
508 	u32 sid;
509 	int rc;
510 
511 	/*
512 	 * Make sure that the xattr handler exists and that no
513 	 * error other than -ENODATA is returned by getxattr on
514 	 * the root directory.  -ENODATA is ok, as this may be
515 	 * the first boot of the SELinux kernel before we have
516 	 * assigned xattr values to the filesystem.
517 	 */
518 	if (!(root_inode->i_opflags & IOP_XATTR)) {
519 		pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
520 			sb->s_id, sb->s_type->name);
521 		goto fallback;
522 	}
523 
524 	rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
525 	if (rc < 0 && rc != -ENODATA) {
526 		if (rc == -EOPNOTSUPP) {
527 			pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
528 				sb->s_id, sb->s_type->name);
529 			goto fallback;
530 		} else {
531 			pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
532 				sb->s_id, sb->s_type->name, -rc);
533 			return rc;
534 		}
535 	}
536 	return 0;
537 
538 fallback:
539 	/* No xattr support - try to fallback to genfs if possible. */
540 	rc = security_genfs_sid(sb->s_type->name, "/",
541 				SECCLASS_DIR, &sid);
542 	if (rc)
543 		return -EOPNOTSUPP;
544 
545 	pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
546 		sb->s_id, sb->s_type->name);
547 	sbsec->behavior = SECURITY_FS_USE_GENFS;
548 	sbsec->sid = sid;
549 	return 0;
550 }
551 
sb_finish_set_opts(struct super_block * sb)552 static int sb_finish_set_opts(struct super_block *sb)
553 {
554 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
555 	struct dentry *root = sb->s_root;
556 	struct inode *root_inode = d_backing_inode(root);
557 	int rc = 0;
558 
559 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
560 		rc = sb_check_xattr_support(sb);
561 		if (rc)
562 			return rc;
563 	}
564 
565 	sbsec->flags |= SE_SBINITIALIZED;
566 
567 	/*
568 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
569 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
570 	 * us a superblock that needs the flag to be cleared.
571 	 */
572 	if (selinux_is_sblabel_mnt(sb))
573 		sbsec->flags |= SBLABEL_MNT;
574 	else
575 		sbsec->flags &= ~SBLABEL_MNT;
576 
577 	/* Initialize the root inode. */
578 	rc = inode_doinit_with_dentry(root_inode, root);
579 
580 	/* Initialize any other inodes associated with the superblock, e.g.
581 	   inodes created prior to initial policy load or inodes created
582 	   during get_sb by a pseudo filesystem that directly
583 	   populates itself. */
584 	spin_lock(&sbsec->isec_lock);
585 	while (!list_empty(&sbsec->isec_head)) {
586 		struct inode_security_struct *isec =
587 				list_first_entry(&sbsec->isec_head,
588 					   struct inode_security_struct, list);
589 		struct inode *inode = isec->inode;
590 		list_del_init(&isec->list);
591 		spin_unlock(&sbsec->isec_lock);
592 		inode = igrab(inode);
593 		if (inode) {
594 			if (!IS_PRIVATE(inode))
595 				inode_doinit_with_dentry(inode, NULL);
596 			iput(inode);
597 		}
598 		spin_lock(&sbsec->isec_lock);
599 	}
600 	spin_unlock(&sbsec->isec_lock);
601 	return rc;
602 }
603 
bad_option(struct superblock_security_struct * sbsec,char flag,u32 old_sid,u32 new_sid)604 static int bad_option(struct superblock_security_struct *sbsec, char flag,
605 		      u32 old_sid, u32 new_sid)
606 {
607 	char mnt_flags = sbsec->flags & SE_MNTMASK;
608 
609 	/* check if the old mount command had the same options */
610 	if (sbsec->flags & SE_SBINITIALIZED)
611 		if (!(sbsec->flags & flag) ||
612 		    (old_sid != new_sid))
613 			return 1;
614 
615 	/* check if we were passed the same options twice,
616 	 * aka someone passed context=a,context=b
617 	 */
618 	if (!(sbsec->flags & SE_SBINITIALIZED))
619 		if (mnt_flags & flag)
620 			return 1;
621 	return 0;
622 }
623 
624 /*
625  * Allow filesystems with binary mount data to explicitly set mount point
626  * labeling information.
627  */
selinux_set_mnt_opts(struct super_block * sb,void * mnt_opts,unsigned long kern_flags,unsigned long * set_kern_flags)628 static int selinux_set_mnt_opts(struct super_block *sb,
629 				void *mnt_opts,
630 				unsigned long kern_flags,
631 				unsigned long *set_kern_flags)
632 {
633 	const struct cred *cred = current_cred();
634 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
635 	struct dentry *root = sb->s_root;
636 	struct selinux_mnt_opts *opts = mnt_opts;
637 	struct inode_security_struct *root_isec;
638 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
639 	u32 defcontext_sid = 0;
640 	int rc = 0;
641 
642 	/*
643 	 * Specifying internal flags without providing a place to
644 	 * place the results is not allowed
645 	 */
646 	if (kern_flags && !set_kern_flags)
647 		return -EINVAL;
648 
649 	mutex_lock(&sbsec->lock);
650 
651 	if (!selinux_initialized()) {
652 		if (!opts) {
653 			/* Defer initialization until selinux_complete_init,
654 			   after the initial policy is loaded and the security
655 			   server is ready to handle calls. */
656 			if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
657 				sbsec->flags |= SE_SBNATIVE;
658 				*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
659 			}
660 			goto out;
661 		}
662 		rc = -EINVAL;
663 		pr_warn("SELinux: Unable to set superblock options "
664 			"before the security server is initialized\n");
665 		goto out;
666 	}
667 
668 	/*
669 	 * Binary mount data FS will come through this function twice.  Once
670 	 * from an explicit call and once from the generic calls from the vfs.
671 	 * Since the generic VFS calls will not contain any security mount data
672 	 * we need to skip the double mount verification.
673 	 *
674 	 * This does open a hole in which we will not notice if the first
675 	 * mount using this sb set explicit options and a second mount using
676 	 * this sb does not set any security options.  (The first options
677 	 * will be used for both mounts)
678 	 */
679 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
680 	    && !opts)
681 		goto out;
682 
683 	root_isec = backing_inode_security_novalidate(root);
684 
685 	/*
686 	 * parse the mount options, check if they are valid sids.
687 	 * also check if someone is trying to mount the same sb more
688 	 * than once with different security options.
689 	 */
690 	if (opts) {
691 		if (opts->fscontext_sid) {
692 			fscontext_sid = opts->fscontext_sid;
693 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
694 					fscontext_sid))
695 				goto out_double_mount;
696 			sbsec->flags |= FSCONTEXT_MNT;
697 		}
698 		if (opts->context_sid) {
699 			context_sid = opts->context_sid;
700 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
701 					context_sid))
702 				goto out_double_mount;
703 			sbsec->flags |= CONTEXT_MNT;
704 		}
705 		if (opts->rootcontext_sid) {
706 			rootcontext_sid = opts->rootcontext_sid;
707 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
708 					rootcontext_sid))
709 				goto out_double_mount;
710 			sbsec->flags |= ROOTCONTEXT_MNT;
711 		}
712 		if (opts->defcontext_sid) {
713 			defcontext_sid = opts->defcontext_sid;
714 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
715 					defcontext_sid))
716 				goto out_double_mount;
717 			sbsec->flags |= DEFCONTEXT_MNT;
718 		}
719 	}
720 
721 	if (sbsec->flags & SE_SBINITIALIZED) {
722 		/* previously mounted with options, but not on this attempt? */
723 		if ((sbsec->flags & SE_MNTMASK) && !opts)
724 			goto out_double_mount;
725 		rc = 0;
726 		goto out;
727 	}
728 
729 	if (strcmp(sb->s_type->name, "proc") == 0)
730 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
731 
732 	if (!strcmp(sb->s_type->name, "debugfs") ||
733 	    !strcmp(sb->s_type->name, "tracefs") ||
734 	    !strcmp(sb->s_type->name, "binder") ||
735 	    !strcmp(sb->s_type->name, "bpf") ||
736 	    !strcmp(sb->s_type->name, "pstore") ||
737 	    !strcmp(sb->s_type->name, "securityfs"))
738 		sbsec->flags |= SE_SBGENFS;
739 
740 	if (!strcmp(sb->s_type->name, "sysfs") ||
741 	    !strcmp(sb->s_type->name, "cgroup") ||
742 	    !strcmp(sb->s_type->name, "cgroup2"))
743 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
744 
745 	if (!sbsec->behavior) {
746 		/*
747 		 * Determine the labeling behavior to use for this
748 		 * filesystem type.
749 		 */
750 		rc = security_fs_use(sb);
751 		if (rc) {
752 			pr_warn("%s: security_fs_use(%s) returned %d\n",
753 					__func__, sb->s_type->name, rc);
754 			goto out;
755 		}
756 	}
757 
758 	/*
759 	 * If this is a user namespace mount and the filesystem type is not
760 	 * explicitly whitelisted, then no contexts are allowed on the command
761 	 * line and security labels must be ignored.
762 	 */
763 	if (sb->s_user_ns != &init_user_ns &&
764 	    strcmp(sb->s_type->name, "tmpfs") &&
765 	    strcmp(sb->s_type->name, "ramfs") &&
766 	    strcmp(sb->s_type->name, "devpts") &&
767 	    strcmp(sb->s_type->name, "overlay")) {
768 		if (context_sid || fscontext_sid || rootcontext_sid ||
769 		    defcontext_sid) {
770 			rc = -EACCES;
771 			goto out;
772 		}
773 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
774 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
775 			rc = security_transition_sid(current_sid(),
776 						     current_sid(),
777 						     SECCLASS_FILE, NULL,
778 						     &sbsec->mntpoint_sid);
779 			if (rc)
780 				goto out;
781 		}
782 		goto out_set_opts;
783 	}
784 
785 	/* sets the context of the superblock for the fs being mounted. */
786 	if (fscontext_sid) {
787 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
788 		if (rc)
789 			goto out;
790 
791 		sbsec->sid = fscontext_sid;
792 	}
793 
794 	/*
795 	 * Switch to using mount point labeling behavior.
796 	 * sets the label used on all file below the mountpoint, and will set
797 	 * the superblock context if not already set.
798 	 */
799 	if (sbsec->flags & SE_SBNATIVE) {
800 		/*
801 		 * This means we are initializing a superblock that has been
802 		 * mounted before the SELinux was initialized and the
803 		 * filesystem requested native labeling. We had already
804 		 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
805 		 * in the original mount attempt, so now we just need to set
806 		 * the SECURITY_FS_USE_NATIVE behavior.
807 		 */
808 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
809 	} else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
810 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
811 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
812 	}
813 
814 	if (context_sid) {
815 		if (!fscontext_sid) {
816 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
817 							  cred);
818 			if (rc)
819 				goto out;
820 			sbsec->sid = context_sid;
821 		} else {
822 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
823 							     cred);
824 			if (rc)
825 				goto out;
826 		}
827 		if (!rootcontext_sid)
828 			rootcontext_sid = context_sid;
829 
830 		sbsec->mntpoint_sid = context_sid;
831 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
832 	}
833 
834 	if (rootcontext_sid) {
835 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
836 						     cred);
837 		if (rc)
838 			goto out;
839 
840 		root_isec->sid = rootcontext_sid;
841 		root_isec->initialized = LABEL_INITIALIZED;
842 	}
843 
844 	if (defcontext_sid) {
845 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
846 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
847 			rc = -EINVAL;
848 			pr_warn("SELinux: defcontext option is "
849 			       "invalid for this filesystem type\n");
850 			goto out;
851 		}
852 
853 		if (defcontext_sid != sbsec->def_sid) {
854 			rc = may_context_mount_inode_relabel(defcontext_sid,
855 							     sbsec, cred);
856 			if (rc)
857 				goto out;
858 		}
859 
860 		sbsec->def_sid = defcontext_sid;
861 	}
862 
863 out_set_opts:
864 	rc = sb_finish_set_opts(sb);
865 out:
866 	mutex_unlock(&sbsec->lock);
867 	return rc;
868 out_double_mount:
869 	rc = -EINVAL;
870 	pr_warn("SELinux: mount invalid.  Same superblock, different "
871 	       "security settings for (dev %s, type %s)\n", sb->s_id,
872 	       sb->s_type->name);
873 	goto out;
874 }
875 
selinux_cmp_sb_context(const struct super_block * oldsb,const struct super_block * newsb)876 static int selinux_cmp_sb_context(const struct super_block *oldsb,
877 				    const struct super_block *newsb)
878 {
879 	struct superblock_security_struct *old = selinux_superblock(oldsb);
880 	struct superblock_security_struct *new = selinux_superblock(newsb);
881 	char oldflags = old->flags & SE_MNTMASK;
882 	char newflags = new->flags & SE_MNTMASK;
883 
884 	if (oldflags != newflags)
885 		goto mismatch;
886 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
887 		goto mismatch;
888 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
889 		goto mismatch;
890 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
891 		goto mismatch;
892 	if (oldflags & ROOTCONTEXT_MNT) {
893 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
894 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
895 		if (oldroot->sid != newroot->sid)
896 			goto mismatch;
897 	}
898 	return 0;
899 mismatch:
900 	pr_warn("SELinux: mount invalid.  Same superblock, "
901 			    "different security settings for (dev %s, "
902 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
903 	return -EBUSY;
904 }
905 
selinux_sb_clone_mnt_opts(const struct super_block * oldsb,struct super_block * newsb,unsigned long kern_flags,unsigned long * set_kern_flags)906 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
907 					struct super_block *newsb,
908 					unsigned long kern_flags,
909 					unsigned long *set_kern_flags)
910 {
911 	int rc = 0;
912 	const struct superblock_security_struct *oldsbsec =
913 						selinux_superblock(oldsb);
914 	struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
915 
916 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
917 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
918 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
919 
920 	/*
921 	 * Specifying internal flags without providing a place to
922 	 * place the results is not allowed.
923 	 */
924 	if (kern_flags && !set_kern_flags)
925 		return -EINVAL;
926 
927 	mutex_lock(&newsbsec->lock);
928 
929 	/*
930 	 * if the parent was able to be mounted it clearly had no special lsm
931 	 * mount options.  thus we can safely deal with this superblock later
932 	 */
933 	if (!selinux_initialized()) {
934 		if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
935 			newsbsec->flags |= SE_SBNATIVE;
936 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
937 		}
938 		goto out;
939 	}
940 
941 	/* how can we clone if the old one wasn't set up?? */
942 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
943 
944 	/* if fs is reusing a sb, make sure that the contexts match */
945 	if (newsbsec->flags & SE_SBINITIALIZED) {
946 		mutex_unlock(&newsbsec->lock);
947 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
948 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
949 		return selinux_cmp_sb_context(oldsb, newsb);
950 	}
951 
952 	newsbsec->flags = oldsbsec->flags;
953 
954 	newsbsec->sid = oldsbsec->sid;
955 	newsbsec->def_sid = oldsbsec->def_sid;
956 	newsbsec->behavior = oldsbsec->behavior;
957 
958 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
959 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
960 		rc = security_fs_use(newsb);
961 		if (rc)
962 			goto out;
963 	}
964 
965 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
966 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
967 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
968 	}
969 
970 	if (set_context) {
971 		u32 sid = oldsbsec->mntpoint_sid;
972 
973 		if (!set_fscontext)
974 			newsbsec->sid = sid;
975 		if (!set_rootcontext) {
976 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
977 			newisec->sid = sid;
978 		}
979 		newsbsec->mntpoint_sid = sid;
980 	}
981 	if (set_rootcontext) {
982 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
983 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
984 
985 		newisec->sid = oldisec->sid;
986 	}
987 
988 	sb_finish_set_opts(newsb);
989 out:
990 	mutex_unlock(&newsbsec->lock);
991 	return rc;
992 }
993 
994 /*
995  * NOTE: the caller is responsible for freeing the memory even if on error.
996  */
selinux_add_opt(int token,const char * s,void ** mnt_opts)997 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
998 {
999 	struct selinux_mnt_opts *opts = *mnt_opts;
1000 	u32 *dst_sid;
1001 	int rc;
1002 
1003 	if (token == Opt_seclabel)
1004 		/* eaten and completely ignored */
1005 		return 0;
1006 	if (!s)
1007 		return -EINVAL;
1008 
1009 	if (!selinux_initialized()) {
1010 		pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1011 		return -EINVAL;
1012 	}
1013 
1014 	if (!opts) {
1015 		opts = kzalloc(sizeof(*opts), GFP_KERNEL);
1016 		if (!opts)
1017 			return -ENOMEM;
1018 		*mnt_opts = opts;
1019 	}
1020 
1021 	switch (token) {
1022 	case Opt_context:
1023 		if (opts->context_sid || opts->defcontext_sid)
1024 			goto err;
1025 		dst_sid = &opts->context_sid;
1026 		break;
1027 	case Opt_fscontext:
1028 		if (opts->fscontext_sid)
1029 			goto err;
1030 		dst_sid = &opts->fscontext_sid;
1031 		break;
1032 	case Opt_rootcontext:
1033 		if (opts->rootcontext_sid)
1034 			goto err;
1035 		dst_sid = &opts->rootcontext_sid;
1036 		break;
1037 	case Opt_defcontext:
1038 		if (opts->context_sid || opts->defcontext_sid)
1039 			goto err;
1040 		dst_sid = &opts->defcontext_sid;
1041 		break;
1042 	default:
1043 		WARN_ON(1);
1044 		return -EINVAL;
1045 	}
1046 	rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
1047 	if (rc)
1048 		pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1049 			s, rc);
1050 	return rc;
1051 
1052 err:
1053 	pr_warn(SEL_MOUNT_FAIL_MSG);
1054 	return -EINVAL;
1055 }
1056 
show_sid(struct seq_file * m,u32 sid)1057 static int show_sid(struct seq_file *m, u32 sid)
1058 {
1059 	char *context = NULL;
1060 	u32 len;
1061 	int rc;
1062 
1063 	rc = security_sid_to_context(sid, &context, &len);
1064 	if (!rc) {
1065 		bool has_comma = strchr(context, ',');
1066 
1067 		seq_putc(m, '=');
1068 		if (has_comma)
1069 			seq_putc(m, '\"');
1070 		seq_escape(m, context, "\"\n\\");
1071 		if (has_comma)
1072 			seq_putc(m, '\"');
1073 	}
1074 	kfree(context);
1075 	return rc;
1076 }
1077 
selinux_sb_show_options(struct seq_file * m,struct super_block * sb)1078 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1079 {
1080 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
1081 	int rc;
1082 
1083 	if (!(sbsec->flags & SE_SBINITIALIZED))
1084 		return 0;
1085 
1086 	if (!selinux_initialized())
1087 		return 0;
1088 
1089 	if (sbsec->flags & FSCONTEXT_MNT) {
1090 		seq_putc(m, ',');
1091 		seq_puts(m, FSCONTEXT_STR);
1092 		rc = show_sid(m, sbsec->sid);
1093 		if (rc)
1094 			return rc;
1095 	}
1096 	if (sbsec->flags & CONTEXT_MNT) {
1097 		seq_putc(m, ',');
1098 		seq_puts(m, CONTEXT_STR);
1099 		rc = show_sid(m, sbsec->mntpoint_sid);
1100 		if (rc)
1101 			return rc;
1102 	}
1103 	if (sbsec->flags & DEFCONTEXT_MNT) {
1104 		seq_putc(m, ',');
1105 		seq_puts(m, DEFCONTEXT_STR);
1106 		rc = show_sid(m, sbsec->def_sid);
1107 		if (rc)
1108 			return rc;
1109 	}
1110 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1111 		struct dentry *root = sb->s_root;
1112 		struct inode_security_struct *isec = backing_inode_security(root);
1113 		seq_putc(m, ',');
1114 		seq_puts(m, ROOTCONTEXT_STR);
1115 		rc = show_sid(m, isec->sid);
1116 		if (rc)
1117 			return rc;
1118 	}
1119 	if (sbsec->flags & SBLABEL_MNT) {
1120 		seq_putc(m, ',');
1121 		seq_puts(m, SECLABEL_STR);
1122 	}
1123 	return 0;
1124 }
1125 
inode_mode_to_security_class(umode_t mode)1126 static inline u16 inode_mode_to_security_class(umode_t mode)
1127 {
1128 	switch (mode & S_IFMT) {
1129 	case S_IFSOCK:
1130 		return SECCLASS_SOCK_FILE;
1131 	case S_IFLNK:
1132 		return SECCLASS_LNK_FILE;
1133 	case S_IFREG:
1134 		return SECCLASS_FILE;
1135 	case S_IFBLK:
1136 		return SECCLASS_BLK_FILE;
1137 	case S_IFDIR:
1138 		return SECCLASS_DIR;
1139 	case S_IFCHR:
1140 		return SECCLASS_CHR_FILE;
1141 	case S_IFIFO:
1142 		return SECCLASS_FIFO_FILE;
1143 
1144 	}
1145 
1146 	return SECCLASS_FILE;
1147 }
1148 
default_protocol_stream(int protocol)1149 static inline int default_protocol_stream(int protocol)
1150 {
1151 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1152 		protocol == IPPROTO_MPTCP);
1153 }
1154 
default_protocol_dgram(int protocol)1155 static inline int default_protocol_dgram(int protocol)
1156 {
1157 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1158 }
1159 
socket_type_to_security_class(int family,int type,int protocol)1160 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1161 {
1162 	bool extsockclass = selinux_policycap_extsockclass();
1163 
1164 	switch (family) {
1165 	case PF_UNIX:
1166 		switch (type) {
1167 		case SOCK_STREAM:
1168 		case SOCK_SEQPACKET:
1169 			return SECCLASS_UNIX_STREAM_SOCKET;
1170 		case SOCK_DGRAM:
1171 		case SOCK_RAW:
1172 			return SECCLASS_UNIX_DGRAM_SOCKET;
1173 		}
1174 		break;
1175 	case PF_INET:
1176 	case PF_INET6:
1177 		switch (type) {
1178 		case SOCK_STREAM:
1179 		case SOCK_SEQPACKET:
1180 			if (default_protocol_stream(protocol))
1181 				return SECCLASS_TCP_SOCKET;
1182 			else if (extsockclass && protocol == IPPROTO_SCTP)
1183 				return SECCLASS_SCTP_SOCKET;
1184 			else
1185 				return SECCLASS_RAWIP_SOCKET;
1186 		case SOCK_DGRAM:
1187 			if (default_protocol_dgram(protocol))
1188 				return SECCLASS_UDP_SOCKET;
1189 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1190 						  protocol == IPPROTO_ICMPV6))
1191 				return SECCLASS_ICMP_SOCKET;
1192 			else
1193 				return SECCLASS_RAWIP_SOCKET;
1194 		case SOCK_DCCP:
1195 			return SECCLASS_DCCP_SOCKET;
1196 		default:
1197 			return SECCLASS_RAWIP_SOCKET;
1198 		}
1199 		break;
1200 	case PF_NETLINK:
1201 		switch (protocol) {
1202 		case NETLINK_ROUTE:
1203 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1204 		case NETLINK_SOCK_DIAG:
1205 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1206 		case NETLINK_NFLOG:
1207 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1208 		case NETLINK_XFRM:
1209 			return SECCLASS_NETLINK_XFRM_SOCKET;
1210 		case NETLINK_SELINUX:
1211 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1212 		case NETLINK_ISCSI:
1213 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1214 		case NETLINK_AUDIT:
1215 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1216 		case NETLINK_FIB_LOOKUP:
1217 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1218 		case NETLINK_CONNECTOR:
1219 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1220 		case NETLINK_NETFILTER:
1221 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1222 		case NETLINK_DNRTMSG:
1223 			return SECCLASS_NETLINK_DNRT_SOCKET;
1224 		case NETLINK_KOBJECT_UEVENT:
1225 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1226 		case NETLINK_GENERIC:
1227 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1228 		case NETLINK_SCSITRANSPORT:
1229 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1230 		case NETLINK_RDMA:
1231 			return SECCLASS_NETLINK_RDMA_SOCKET;
1232 		case NETLINK_CRYPTO:
1233 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1234 		default:
1235 			return SECCLASS_NETLINK_SOCKET;
1236 		}
1237 	case PF_PACKET:
1238 		return SECCLASS_PACKET_SOCKET;
1239 	case PF_KEY:
1240 		return SECCLASS_KEY_SOCKET;
1241 	case PF_APPLETALK:
1242 		return SECCLASS_APPLETALK_SOCKET;
1243 	}
1244 
1245 	if (extsockclass) {
1246 		switch (family) {
1247 		case PF_AX25:
1248 			return SECCLASS_AX25_SOCKET;
1249 		case PF_IPX:
1250 			return SECCLASS_IPX_SOCKET;
1251 		case PF_NETROM:
1252 			return SECCLASS_NETROM_SOCKET;
1253 		case PF_ATMPVC:
1254 			return SECCLASS_ATMPVC_SOCKET;
1255 		case PF_X25:
1256 			return SECCLASS_X25_SOCKET;
1257 		case PF_ROSE:
1258 			return SECCLASS_ROSE_SOCKET;
1259 		case PF_DECnet:
1260 			return SECCLASS_DECNET_SOCKET;
1261 		case PF_ATMSVC:
1262 			return SECCLASS_ATMSVC_SOCKET;
1263 		case PF_RDS:
1264 			return SECCLASS_RDS_SOCKET;
1265 		case PF_IRDA:
1266 			return SECCLASS_IRDA_SOCKET;
1267 		case PF_PPPOX:
1268 			return SECCLASS_PPPOX_SOCKET;
1269 		case PF_LLC:
1270 			return SECCLASS_LLC_SOCKET;
1271 		case PF_CAN:
1272 			return SECCLASS_CAN_SOCKET;
1273 		case PF_TIPC:
1274 			return SECCLASS_TIPC_SOCKET;
1275 		case PF_BLUETOOTH:
1276 			return SECCLASS_BLUETOOTH_SOCKET;
1277 		case PF_IUCV:
1278 			return SECCLASS_IUCV_SOCKET;
1279 		case PF_RXRPC:
1280 			return SECCLASS_RXRPC_SOCKET;
1281 		case PF_ISDN:
1282 			return SECCLASS_ISDN_SOCKET;
1283 		case PF_PHONET:
1284 			return SECCLASS_PHONET_SOCKET;
1285 		case PF_IEEE802154:
1286 			return SECCLASS_IEEE802154_SOCKET;
1287 		case PF_CAIF:
1288 			return SECCLASS_CAIF_SOCKET;
1289 		case PF_ALG:
1290 			return SECCLASS_ALG_SOCKET;
1291 		case PF_NFC:
1292 			return SECCLASS_NFC_SOCKET;
1293 		case PF_VSOCK:
1294 			return SECCLASS_VSOCK_SOCKET;
1295 		case PF_KCM:
1296 			return SECCLASS_KCM_SOCKET;
1297 		case PF_QIPCRTR:
1298 			return SECCLASS_QIPCRTR_SOCKET;
1299 		case PF_SMC:
1300 			return SECCLASS_SMC_SOCKET;
1301 		case PF_XDP:
1302 			return SECCLASS_XDP_SOCKET;
1303 		case PF_MCTP:
1304 			return SECCLASS_MCTP_SOCKET;
1305 #if PF_MAX > 46
1306 #error New address family defined, please update this function.
1307 #endif
1308 		}
1309 	}
1310 
1311 	return SECCLASS_SOCKET;
1312 }
1313 
selinux_genfs_get_sid(struct dentry * dentry,u16 tclass,u16 flags,u32 * sid)1314 static int selinux_genfs_get_sid(struct dentry *dentry,
1315 				 u16 tclass,
1316 				 u16 flags,
1317 				 u32 *sid)
1318 {
1319 	int rc;
1320 	struct super_block *sb = dentry->d_sb;
1321 	char *buffer, *path;
1322 
1323 	buffer = (char *)__get_free_page(GFP_KERNEL);
1324 	if (!buffer)
1325 		return -ENOMEM;
1326 
1327 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1328 	if (IS_ERR(path))
1329 		rc = PTR_ERR(path);
1330 	else {
1331 		if (flags & SE_SBPROC) {
1332 			/* each process gets a /proc/PID/ entry. Strip off the
1333 			 * PID part to get a valid selinux labeling.
1334 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1335 			while (path[1] >= '0' && path[1] <= '9') {
1336 				path[1] = '/';
1337 				path++;
1338 			}
1339 		}
1340 		rc = security_genfs_sid(sb->s_type->name,
1341 					path, tclass, sid);
1342 		if (rc == -ENOENT) {
1343 			/* No match in policy, mark as unlabeled. */
1344 			*sid = SECINITSID_UNLABELED;
1345 			rc = 0;
1346 		}
1347 	}
1348 	free_page((unsigned long)buffer);
1349 	return rc;
1350 }
1351 
inode_doinit_use_xattr(struct inode * inode,struct dentry * dentry,u32 def_sid,u32 * sid)1352 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1353 				  u32 def_sid, u32 *sid)
1354 {
1355 #define INITCONTEXTLEN 255
1356 	char *context;
1357 	unsigned int len;
1358 	int rc;
1359 
1360 	len = INITCONTEXTLEN;
1361 	context = kmalloc(len + 1, GFP_NOFS);
1362 	if (!context)
1363 		return -ENOMEM;
1364 
1365 	context[len] = '\0';
1366 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1367 	if (rc == -ERANGE) {
1368 		kfree(context);
1369 
1370 		/* Need a larger buffer.  Query for the right size. */
1371 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1372 		if (rc < 0)
1373 			return rc;
1374 
1375 		len = rc;
1376 		context = kmalloc(len + 1, GFP_NOFS);
1377 		if (!context)
1378 			return -ENOMEM;
1379 
1380 		context[len] = '\0';
1381 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1382 				    context, len);
1383 	}
1384 	if (rc < 0) {
1385 		kfree(context);
1386 		if (rc != -ENODATA) {
1387 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1388 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1389 			return rc;
1390 		}
1391 		*sid = def_sid;
1392 		return 0;
1393 	}
1394 
1395 	rc = security_context_to_sid_default(context, rc, sid,
1396 					     def_sid, GFP_NOFS);
1397 	if (rc) {
1398 		char *dev = inode->i_sb->s_id;
1399 		unsigned long ino = inode->i_ino;
1400 
1401 		if (rc == -EINVAL) {
1402 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1403 					      ino, dev, context);
1404 		} else {
1405 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1406 				__func__, context, -rc, dev, ino);
1407 		}
1408 	}
1409 	kfree(context);
1410 	return 0;
1411 }
1412 
1413 /* The inode's security attributes must be initialized before first use. */
inode_doinit_with_dentry(struct inode * inode,struct dentry * opt_dentry)1414 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1415 {
1416 	struct superblock_security_struct *sbsec = NULL;
1417 	struct inode_security_struct *isec = selinux_inode(inode);
1418 	u32 task_sid, sid = 0;
1419 	u16 sclass;
1420 	struct dentry *dentry;
1421 	int rc = 0;
1422 
1423 	if (isec->initialized == LABEL_INITIALIZED)
1424 		return 0;
1425 
1426 	spin_lock(&isec->lock);
1427 	if (isec->initialized == LABEL_INITIALIZED)
1428 		goto out_unlock;
1429 
1430 	if (isec->sclass == SECCLASS_FILE)
1431 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1432 
1433 	sbsec = selinux_superblock(inode->i_sb);
1434 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1435 		/* Defer initialization until selinux_complete_init,
1436 		   after the initial policy is loaded and the security
1437 		   server is ready to handle calls. */
1438 		spin_lock(&sbsec->isec_lock);
1439 		if (list_empty(&isec->list))
1440 			list_add(&isec->list, &sbsec->isec_head);
1441 		spin_unlock(&sbsec->isec_lock);
1442 		goto out_unlock;
1443 	}
1444 
1445 	sclass = isec->sclass;
1446 	task_sid = isec->task_sid;
1447 	sid = isec->sid;
1448 	isec->initialized = LABEL_PENDING;
1449 	spin_unlock(&isec->lock);
1450 
1451 	switch (sbsec->behavior) {
1452 	/*
1453 	 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1454 	 * via xattr when called from delayed_superblock_init().
1455 	 */
1456 	case SECURITY_FS_USE_NATIVE:
1457 	case SECURITY_FS_USE_XATTR:
1458 		if (!(inode->i_opflags & IOP_XATTR)) {
1459 			sid = sbsec->def_sid;
1460 			break;
1461 		}
1462 		/* Need a dentry, since the xattr API requires one.
1463 		   Life would be simpler if we could just pass the inode. */
1464 		if (opt_dentry) {
1465 			/* Called from d_instantiate or d_splice_alias. */
1466 			dentry = dget(opt_dentry);
1467 		} else {
1468 			/*
1469 			 * Called from selinux_complete_init, try to find a dentry.
1470 			 * Some filesystems really want a connected one, so try
1471 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1472 			 * two, depending upon that...
1473 			 */
1474 			dentry = d_find_alias(inode);
1475 			if (!dentry)
1476 				dentry = d_find_any_alias(inode);
1477 		}
1478 		if (!dentry) {
1479 			/*
1480 			 * this is can be hit on boot when a file is accessed
1481 			 * before the policy is loaded.  When we load policy we
1482 			 * may find inodes that have no dentry on the
1483 			 * sbsec->isec_head list.  No reason to complain as these
1484 			 * will get fixed up the next time we go through
1485 			 * inode_doinit with a dentry, before these inodes could
1486 			 * be used again by userspace.
1487 			 */
1488 			goto out_invalid;
1489 		}
1490 
1491 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1492 					    &sid);
1493 		dput(dentry);
1494 		if (rc)
1495 			goto out;
1496 		break;
1497 	case SECURITY_FS_USE_TASK:
1498 		sid = task_sid;
1499 		break;
1500 	case SECURITY_FS_USE_TRANS:
1501 		/* Default to the fs SID. */
1502 		sid = sbsec->sid;
1503 
1504 		/* Try to obtain a transition SID. */
1505 		rc = security_transition_sid(task_sid, sid,
1506 					     sclass, NULL, &sid);
1507 		if (rc)
1508 			goto out;
1509 		break;
1510 	case SECURITY_FS_USE_MNTPOINT:
1511 		sid = sbsec->mntpoint_sid;
1512 		break;
1513 	default:
1514 		/* Default to the fs superblock SID. */
1515 		sid = sbsec->sid;
1516 
1517 		if ((sbsec->flags & SE_SBGENFS) &&
1518 		     (!S_ISLNK(inode->i_mode) ||
1519 		      selinux_policycap_genfs_seclabel_symlinks())) {
1520 			/* We must have a dentry to determine the label on
1521 			 * procfs inodes */
1522 			if (opt_dentry) {
1523 				/* Called from d_instantiate or
1524 				 * d_splice_alias. */
1525 				dentry = dget(opt_dentry);
1526 			} else {
1527 				/* Called from selinux_complete_init, try to
1528 				 * find a dentry.  Some filesystems really want
1529 				 * a connected one, so try that first.
1530 				 */
1531 				dentry = d_find_alias(inode);
1532 				if (!dentry)
1533 					dentry = d_find_any_alias(inode);
1534 			}
1535 			/*
1536 			 * This can be hit on boot when a file is accessed
1537 			 * before the policy is loaded.  When we load policy we
1538 			 * may find inodes that have no dentry on the
1539 			 * sbsec->isec_head list.  No reason to complain as
1540 			 * these will get fixed up the next time we go through
1541 			 * inode_doinit() with a dentry, before these inodes
1542 			 * could be used again by userspace.
1543 			 */
1544 			if (!dentry)
1545 				goto out_invalid;
1546 			rc = selinux_genfs_get_sid(dentry, sclass,
1547 						   sbsec->flags, &sid);
1548 			if (rc) {
1549 				dput(dentry);
1550 				goto out;
1551 			}
1552 
1553 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1554 			    (inode->i_opflags & IOP_XATTR)) {
1555 				rc = inode_doinit_use_xattr(inode, dentry,
1556 							    sid, &sid);
1557 				if (rc) {
1558 					dput(dentry);
1559 					goto out;
1560 				}
1561 			}
1562 			dput(dentry);
1563 		}
1564 		break;
1565 	}
1566 
1567 out:
1568 	spin_lock(&isec->lock);
1569 	if (isec->initialized == LABEL_PENDING) {
1570 		if (rc) {
1571 			isec->initialized = LABEL_INVALID;
1572 			goto out_unlock;
1573 		}
1574 		isec->initialized = LABEL_INITIALIZED;
1575 		isec->sid = sid;
1576 	}
1577 
1578 out_unlock:
1579 	spin_unlock(&isec->lock);
1580 	return rc;
1581 
1582 out_invalid:
1583 	spin_lock(&isec->lock);
1584 	if (isec->initialized == LABEL_PENDING) {
1585 		isec->initialized = LABEL_INVALID;
1586 		isec->sid = sid;
1587 	}
1588 	spin_unlock(&isec->lock);
1589 	return 0;
1590 }
1591 
1592 /* Convert a Linux signal to an access vector. */
signal_to_av(int sig)1593 static inline u32 signal_to_av(int sig)
1594 {
1595 	u32 perm = 0;
1596 
1597 	switch (sig) {
1598 	case SIGCHLD:
1599 		/* Commonly granted from child to parent. */
1600 		perm = PROCESS__SIGCHLD;
1601 		break;
1602 	case SIGKILL:
1603 		/* Cannot be caught or ignored */
1604 		perm = PROCESS__SIGKILL;
1605 		break;
1606 	case SIGSTOP:
1607 		/* Cannot be caught or ignored */
1608 		perm = PROCESS__SIGSTOP;
1609 		break;
1610 	default:
1611 		/* All other signals. */
1612 		perm = PROCESS__SIGNAL;
1613 		break;
1614 	}
1615 
1616 	return perm;
1617 }
1618 
1619 #if CAP_LAST_CAP > 63
1620 #error Fix SELinux to handle capabilities > 63.
1621 #endif
1622 
1623 /* Check whether a task is allowed to use a capability. */
cred_has_capability(const struct cred * cred,int cap,unsigned int opts,bool initns)1624 static int cred_has_capability(const struct cred *cred,
1625 			       int cap, unsigned int opts, bool initns)
1626 {
1627 	struct common_audit_data ad;
1628 	struct av_decision avd;
1629 	u16 sclass;
1630 	u32 sid = cred_sid(cred);
1631 	u32 av = CAP_TO_MASK(cap);
1632 	int rc;
1633 
1634 	ad.type = LSM_AUDIT_DATA_CAP;
1635 	ad.u.cap = cap;
1636 
1637 	switch (CAP_TO_INDEX(cap)) {
1638 	case 0:
1639 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1640 		break;
1641 	case 1:
1642 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1643 		break;
1644 	default:
1645 		pr_err("SELinux:  out of range capability %d\n", cap);
1646 		BUG();
1647 		return -EINVAL;
1648 	}
1649 
1650 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1651 	if (!(opts & CAP_OPT_NOAUDIT)) {
1652 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1653 		if (rc2)
1654 			return rc2;
1655 	}
1656 	return rc;
1657 }
1658 
1659 /* Check whether a task has a particular permission to an inode.
1660    The 'adp' parameter is optional and allows other audit
1661    data to be passed (e.g. the dentry). */
inode_has_perm(const struct cred * cred,struct inode * inode,u32 perms,struct common_audit_data * adp)1662 static int inode_has_perm(const struct cred *cred,
1663 			  struct inode *inode,
1664 			  u32 perms,
1665 			  struct common_audit_data *adp)
1666 {
1667 	struct inode_security_struct *isec;
1668 	u32 sid;
1669 
1670 	if (unlikely(IS_PRIVATE(inode)))
1671 		return 0;
1672 
1673 	sid = cred_sid(cred);
1674 	isec = selinux_inode(inode);
1675 
1676 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1677 }
1678 
1679 /* Same as inode_has_perm, but pass explicit audit data containing
1680    the dentry to help the auditing code to more easily generate the
1681    pathname if needed. */
dentry_has_perm(const struct cred * cred,struct dentry * dentry,u32 av)1682 static inline int dentry_has_perm(const struct cred *cred,
1683 				  struct dentry *dentry,
1684 				  u32 av)
1685 {
1686 	struct inode *inode = d_backing_inode(dentry);
1687 	struct common_audit_data ad;
1688 
1689 	ad.type = LSM_AUDIT_DATA_DENTRY;
1690 	ad.u.dentry = dentry;
1691 	__inode_security_revalidate(inode, dentry, true);
1692 	return inode_has_perm(cred, inode, av, &ad);
1693 }
1694 
1695 /* Same as inode_has_perm, but pass explicit audit data containing
1696    the path to help the auditing code to more easily generate the
1697    pathname if needed. */
path_has_perm(const struct cred * cred,const struct path * path,u32 av)1698 static inline int path_has_perm(const struct cred *cred,
1699 				const struct path *path,
1700 				u32 av)
1701 {
1702 	struct inode *inode = d_backing_inode(path->dentry);
1703 	struct common_audit_data ad;
1704 
1705 	ad.type = LSM_AUDIT_DATA_PATH;
1706 	ad.u.path = *path;
1707 	__inode_security_revalidate(inode, path->dentry, true);
1708 	return inode_has_perm(cred, inode, av, &ad);
1709 }
1710 
1711 /* Same as path_has_perm, but uses the inode from the file struct. */
file_path_has_perm(const struct cred * cred,struct file * file,u32 av)1712 static inline int file_path_has_perm(const struct cred *cred,
1713 				     struct file *file,
1714 				     u32 av)
1715 {
1716 	struct common_audit_data ad;
1717 
1718 	ad.type = LSM_AUDIT_DATA_FILE;
1719 	ad.u.file = file;
1720 	return inode_has_perm(cred, file_inode(file), av, &ad);
1721 }
1722 
1723 #ifdef CONFIG_BPF_SYSCALL
1724 static int bpf_fd_pass(const struct file *file, u32 sid);
1725 #endif
1726 
1727 /* Check whether a task can use an open file descriptor to
1728    access an inode in a given way.  Check access to the
1729    descriptor itself, and then use dentry_has_perm to
1730    check a particular permission to the file.
1731    Access to the descriptor is implicitly granted if it
1732    has the same SID as the process.  If av is zero, then
1733    access to the file is not checked, e.g. for cases
1734    where only the descriptor is affected like seek. */
file_has_perm(const struct cred * cred,struct file * file,u32 av)1735 static int file_has_perm(const struct cred *cred,
1736 			 struct file *file,
1737 			 u32 av)
1738 {
1739 	struct file_security_struct *fsec = selinux_file(file);
1740 	struct inode *inode = file_inode(file);
1741 	struct common_audit_data ad;
1742 	u32 sid = cred_sid(cred);
1743 	int rc;
1744 
1745 	ad.type = LSM_AUDIT_DATA_FILE;
1746 	ad.u.file = file;
1747 
1748 	if (sid != fsec->sid) {
1749 		rc = avc_has_perm(sid, fsec->sid,
1750 				  SECCLASS_FD,
1751 				  FD__USE,
1752 				  &ad);
1753 		if (rc)
1754 			goto out;
1755 	}
1756 
1757 #ifdef CONFIG_BPF_SYSCALL
1758 	rc = bpf_fd_pass(file, cred_sid(cred));
1759 	if (rc)
1760 		return rc;
1761 #endif
1762 
1763 	/* av is zero if only checking access to the descriptor. */
1764 	rc = 0;
1765 	if (av)
1766 		rc = inode_has_perm(cred, inode, av, &ad);
1767 
1768 out:
1769 	return rc;
1770 }
1771 
1772 /*
1773  * Determine the label for an inode that might be unioned.
1774  */
1775 static int
selinux_determine_inode_label(const struct task_security_struct * tsec,struct inode * dir,const struct qstr * name,u16 tclass,u32 * _new_isid)1776 selinux_determine_inode_label(const struct task_security_struct *tsec,
1777 				 struct inode *dir,
1778 				 const struct qstr *name, u16 tclass,
1779 				 u32 *_new_isid)
1780 {
1781 	const struct superblock_security_struct *sbsec =
1782 						selinux_superblock(dir->i_sb);
1783 
1784 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1785 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1786 		*_new_isid = sbsec->mntpoint_sid;
1787 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1788 		   tsec->create_sid) {
1789 		*_new_isid = tsec->create_sid;
1790 	} else {
1791 		const struct inode_security_struct *dsec = inode_security(dir);
1792 		return security_transition_sid(tsec->sid,
1793 					       dsec->sid, tclass,
1794 					       name, _new_isid);
1795 	}
1796 
1797 	return 0;
1798 }
1799 
1800 /* Check whether a task can create a file. */
may_create(struct inode * dir,struct dentry * dentry,u16 tclass)1801 static int may_create(struct inode *dir,
1802 		      struct dentry *dentry,
1803 		      u16 tclass)
1804 {
1805 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1806 	struct inode_security_struct *dsec;
1807 	struct superblock_security_struct *sbsec;
1808 	u32 sid, newsid;
1809 	struct common_audit_data ad;
1810 	int rc;
1811 
1812 	dsec = inode_security(dir);
1813 	sbsec = selinux_superblock(dir->i_sb);
1814 
1815 	sid = tsec->sid;
1816 
1817 	ad.type = LSM_AUDIT_DATA_DENTRY;
1818 	ad.u.dentry = dentry;
1819 
1820 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1821 			  DIR__ADD_NAME | DIR__SEARCH,
1822 			  &ad);
1823 	if (rc)
1824 		return rc;
1825 
1826 	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1827 					   &newsid);
1828 	if (rc)
1829 		return rc;
1830 
1831 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1832 	if (rc)
1833 		return rc;
1834 
1835 	return avc_has_perm(newsid, sbsec->sid,
1836 			    SECCLASS_FILESYSTEM,
1837 			    FILESYSTEM__ASSOCIATE, &ad);
1838 }
1839 
1840 #define MAY_LINK	0
1841 #define MAY_UNLINK	1
1842 #define MAY_RMDIR	2
1843 
1844 /* Check whether a task can link, unlink, or rmdir a file/directory. */
may_link(struct inode * dir,struct dentry * dentry,int kind)1845 static int may_link(struct inode *dir,
1846 		    struct dentry *dentry,
1847 		    int kind)
1848 
1849 {
1850 	struct inode_security_struct *dsec, *isec;
1851 	struct common_audit_data ad;
1852 	u32 sid = current_sid();
1853 	u32 av;
1854 	int rc;
1855 
1856 	dsec = inode_security(dir);
1857 	isec = backing_inode_security(dentry);
1858 
1859 	ad.type = LSM_AUDIT_DATA_DENTRY;
1860 	ad.u.dentry = dentry;
1861 
1862 	av = DIR__SEARCH;
1863 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1864 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1865 	if (rc)
1866 		return rc;
1867 
1868 	switch (kind) {
1869 	case MAY_LINK:
1870 		av = FILE__LINK;
1871 		break;
1872 	case MAY_UNLINK:
1873 		av = FILE__UNLINK;
1874 		break;
1875 	case MAY_RMDIR:
1876 		av = DIR__RMDIR;
1877 		break;
1878 	default:
1879 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1880 			__func__, kind);
1881 		return 0;
1882 	}
1883 
1884 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1885 	return rc;
1886 }
1887 
may_rename(struct inode * old_dir,struct dentry * old_dentry,struct inode * new_dir,struct dentry * new_dentry)1888 static inline int may_rename(struct inode *old_dir,
1889 			     struct dentry *old_dentry,
1890 			     struct inode *new_dir,
1891 			     struct dentry *new_dentry)
1892 {
1893 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1894 	struct common_audit_data ad;
1895 	u32 sid = current_sid();
1896 	u32 av;
1897 	int old_is_dir, new_is_dir;
1898 	int rc;
1899 
1900 	old_dsec = inode_security(old_dir);
1901 	old_isec = backing_inode_security(old_dentry);
1902 	old_is_dir = d_is_dir(old_dentry);
1903 	new_dsec = inode_security(new_dir);
1904 
1905 	ad.type = LSM_AUDIT_DATA_DENTRY;
1906 
1907 	ad.u.dentry = old_dentry;
1908 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1909 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1910 	if (rc)
1911 		return rc;
1912 	rc = avc_has_perm(sid, old_isec->sid,
1913 			  old_isec->sclass, FILE__RENAME, &ad);
1914 	if (rc)
1915 		return rc;
1916 	if (old_is_dir && new_dir != old_dir) {
1917 		rc = avc_has_perm(sid, old_isec->sid,
1918 				  old_isec->sclass, DIR__REPARENT, &ad);
1919 		if (rc)
1920 			return rc;
1921 	}
1922 
1923 	ad.u.dentry = new_dentry;
1924 	av = DIR__ADD_NAME | DIR__SEARCH;
1925 	if (d_is_positive(new_dentry))
1926 		av |= DIR__REMOVE_NAME;
1927 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1928 	if (rc)
1929 		return rc;
1930 	if (d_is_positive(new_dentry)) {
1931 		new_isec = backing_inode_security(new_dentry);
1932 		new_is_dir = d_is_dir(new_dentry);
1933 		rc = avc_has_perm(sid, new_isec->sid,
1934 				  new_isec->sclass,
1935 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1936 		if (rc)
1937 			return rc;
1938 	}
1939 
1940 	return 0;
1941 }
1942 
1943 /* Check whether a task can perform a filesystem operation. */
superblock_has_perm(const struct cred * cred,const struct super_block * sb,u32 perms,struct common_audit_data * ad)1944 static int superblock_has_perm(const struct cred *cred,
1945 			       const struct super_block *sb,
1946 			       u32 perms,
1947 			       struct common_audit_data *ad)
1948 {
1949 	struct superblock_security_struct *sbsec;
1950 	u32 sid = cred_sid(cred);
1951 
1952 	sbsec = selinux_superblock(sb);
1953 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1954 }
1955 
1956 /* Convert a Linux mode and permission mask to an access vector. */
file_mask_to_av(int mode,int mask)1957 static inline u32 file_mask_to_av(int mode, int mask)
1958 {
1959 	u32 av = 0;
1960 
1961 	if (!S_ISDIR(mode)) {
1962 		if (mask & MAY_EXEC)
1963 			av |= FILE__EXECUTE;
1964 		if (mask & MAY_READ)
1965 			av |= FILE__READ;
1966 
1967 		if (mask & MAY_APPEND)
1968 			av |= FILE__APPEND;
1969 		else if (mask & MAY_WRITE)
1970 			av |= FILE__WRITE;
1971 
1972 	} else {
1973 		if (mask & MAY_EXEC)
1974 			av |= DIR__SEARCH;
1975 		if (mask & MAY_WRITE)
1976 			av |= DIR__WRITE;
1977 		if (mask & MAY_READ)
1978 			av |= DIR__READ;
1979 	}
1980 
1981 	return av;
1982 }
1983 
1984 /* Convert a Linux file to an access vector. */
file_to_av(const struct file * file)1985 static inline u32 file_to_av(const struct file *file)
1986 {
1987 	u32 av = 0;
1988 
1989 	if (file->f_mode & FMODE_READ)
1990 		av |= FILE__READ;
1991 	if (file->f_mode & FMODE_WRITE) {
1992 		if (file->f_flags & O_APPEND)
1993 			av |= FILE__APPEND;
1994 		else
1995 			av |= FILE__WRITE;
1996 	}
1997 	if (!av) {
1998 		/*
1999 		 * Special file opened with flags 3 for ioctl-only use.
2000 		 */
2001 		av = FILE__IOCTL;
2002 	}
2003 
2004 	return av;
2005 }
2006 
2007 /*
2008  * Convert a file to an access vector and include the correct
2009  * open permission.
2010  */
open_file_to_av(struct file * file)2011 static inline u32 open_file_to_av(struct file *file)
2012 {
2013 	u32 av = file_to_av(file);
2014 	struct inode *inode = file_inode(file);
2015 
2016 	if (selinux_policycap_openperm() &&
2017 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
2018 		av |= FILE__OPEN;
2019 
2020 	return av;
2021 }
2022 
2023 /* Hook functions begin here. */
2024 
selinux_binder_set_context_mgr(const struct cred * mgr)2025 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2026 {
2027 	return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2028 			    BINDER__SET_CONTEXT_MGR, NULL);
2029 }
2030 
selinux_binder_transaction(const struct cred * from,const struct cred * to)2031 static int selinux_binder_transaction(const struct cred *from,
2032 				      const struct cred *to)
2033 {
2034 	u32 mysid = current_sid();
2035 	u32 fromsid = cred_sid(from);
2036 	u32 tosid = cred_sid(to);
2037 	int rc;
2038 
2039 	if (mysid != fromsid) {
2040 		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2041 				  BINDER__IMPERSONATE, NULL);
2042 		if (rc)
2043 			return rc;
2044 	}
2045 
2046 	return avc_has_perm(fromsid, tosid,
2047 			    SECCLASS_BINDER, BINDER__CALL, NULL);
2048 }
2049 
selinux_binder_transfer_binder(const struct cred * from,const struct cred * to)2050 static int selinux_binder_transfer_binder(const struct cred *from,
2051 					  const struct cred *to)
2052 {
2053 	return avc_has_perm(cred_sid(from), cred_sid(to),
2054 			    SECCLASS_BINDER, BINDER__TRANSFER,
2055 			    NULL);
2056 }
2057 
selinux_binder_transfer_file(const struct cred * from,const struct cred * to,const struct file * file)2058 static int selinux_binder_transfer_file(const struct cred *from,
2059 					const struct cred *to,
2060 					const struct file *file)
2061 {
2062 	u32 sid = cred_sid(to);
2063 	struct file_security_struct *fsec = selinux_file(file);
2064 	struct dentry *dentry = file->f_path.dentry;
2065 	struct inode_security_struct *isec;
2066 	struct common_audit_data ad;
2067 	int rc;
2068 
2069 	ad.type = LSM_AUDIT_DATA_PATH;
2070 	ad.u.path = file->f_path;
2071 
2072 	if (sid != fsec->sid) {
2073 		rc = avc_has_perm(sid, fsec->sid,
2074 				  SECCLASS_FD,
2075 				  FD__USE,
2076 				  &ad);
2077 		if (rc)
2078 			return rc;
2079 	}
2080 
2081 #ifdef CONFIG_BPF_SYSCALL
2082 	rc = bpf_fd_pass(file, sid);
2083 	if (rc)
2084 		return rc;
2085 #endif
2086 
2087 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2088 		return 0;
2089 
2090 	isec = backing_inode_security(dentry);
2091 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2092 			    &ad);
2093 }
2094 
selinux_ptrace_access_check(struct task_struct * child,unsigned int mode)2095 static int selinux_ptrace_access_check(struct task_struct *child,
2096 				       unsigned int mode)
2097 {
2098 	u32 sid = current_sid();
2099 	u32 csid = task_sid_obj(child);
2100 
2101 	if (mode & PTRACE_MODE_READ)
2102 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2103 				NULL);
2104 
2105 	return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2106 			NULL);
2107 }
2108 
selinux_ptrace_traceme(struct task_struct * parent)2109 static int selinux_ptrace_traceme(struct task_struct *parent)
2110 {
2111 	return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
2112 			    SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2113 }
2114 
selinux_capget(const struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)2115 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
2116 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2117 {
2118 	return avc_has_perm(current_sid(), task_sid_obj(target),
2119 			SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
2120 }
2121 
selinux_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)2122 static int selinux_capset(struct cred *new, const struct cred *old,
2123 			  const kernel_cap_t *effective,
2124 			  const kernel_cap_t *inheritable,
2125 			  const kernel_cap_t *permitted)
2126 {
2127 	return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2128 			    PROCESS__SETCAP, NULL);
2129 }
2130 
2131 /*
2132  * (This comment used to live with the selinux_task_setuid hook,
2133  * which was removed).
2134  *
2135  * Since setuid only affects the current process, and since the SELinux
2136  * controls are not based on the Linux identity attributes, SELinux does not
2137  * need to control this operation.  However, SELinux does control the use of
2138  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2139  */
2140 
selinux_capable(const struct cred * cred,struct user_namespace * ns,int cap,unsigned int opts)2141 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2142 			   int cap, unsigned int opts)
2143 {
2144 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2145 }
2146 
selinux_quotactl(int cmds,int type,int id,const struct super_block * sb)2147 static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb)
2148 {
2149 	const struct cred *cred = current_cred();
2150 	int rc = 0;
2151 
2152 	if (!sb)
2153 		return 0;
2154 
2155 	switch (cmds) {
2156 	case Q_SYNC:
2157 	case Q_QUOTAON:
2158 	case Q_QUOTAOFF:
2159 	case Q_SETINFO:
2160 	case Q_SETQUOTA:
2161 	case Q_XQUOTAOFF:
2162 	case Q_XQUOTAON:
2163 	case Q_XSETQLIM:
2164 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2165 		break;
2166 	case Q_GETFMT:
2167 	case Q_GETINFO:
2168 	case Q_GETQUOTA:
2169 	case Q_XGETQUOTA:
2170 	case Q_XGETQSTAT:
2171 	case Q_XGETQSTATV:
2172 	case Q_XGETNEXTQUOTA:
2173 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2174 		break;
2175 	default:
2176 		rc = 0;  /* let the kernel handle invalid cmds */
2177 		break;
2178 	}
2179 	return rc;
2180 }
2181 
selinux_quota_on(struct dentry * dentry)2182 static int selinux_quota_on(struct dentry *dentry)
2183 {
2184 	const struct cred *cred = current_cred();
2185 
2186 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2187 }
2188 
selinux_syslog(int type)2189 static int selinux_syslog(int type)
2190 {
2191 	switch (type) {
2192 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2193 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2194 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2195 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2196 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2197 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2198 	/* Set level of messages printed to console */
2199 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2200 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2201 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2202 				    NULL);
2203 	}
2204 	/* All other syslog types */
2205 	return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2206 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2207 }
2208 
2209 /*
2210  * Check permission for allocating a new virtual mapping. Returns
2211  * 0 if permission is granted, negative error code if not.
2212  *
2213  * Do not audit the selinux permission check, as this is applied to all
2214  * processes that allocate mappings.
2215  */
selinux_vm_enough_memory(struct mm_struct * mm,long pages)2216 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2217 {
2218 	return cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2219 				   CAP_OPT_NOAUDIT, true);
2220 }
2221 
2222 /* binprm security operations */
2223 
ptrace_parent_sid(void)2224 static u32 ptrace_parent_sid(void)
2225 {
2226 	u32 sid = 0;
2227 	struct task_struct *tracer;
2228 
2229 	rcu_read_lock();
2230 	tracer = ptrace_parent(current);
2231 	if (tracer)
2232 		sid = task_sid_obj(tracer);
2233 	rcu_read_unlock();
2234 
2235 	return sid;
2236 }
2237 
check_nnp_nosuid(const struct linux_binprm * bprm,const struct task_security_struct * old_tsec,const struct task_security_struct * new_tsec)2238 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2239 			    const struct task_security_struct *old_tsec,
2240 			    const struct task_security_struct *new_tsec)
2241 {
2242 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2243 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2244 	int rc;
2245 	u32 av;
2246 
2247 	if (!nnp && !nosuid)
2248 		return 0; /* neither NNP nor nosuid */
2249 
2250 	if (new_tsec->sid == old_tsec->sid)
2251 		return 0; /* No change in credentials */
2252 
2253 	/*
2254 	 * If the policy enables the nnp_nosuid_transition policy capability,
2255 	 * then we permit transitions under NNP or nosuid if the
2256 	 * policy allows the corresponding permission between
2257 	 * the old and new contexts.
2258 	 */
2259 	if (selinux_policycap_nnp_nosuid_transition()) {
2260 		av = 0;
2261 		if (nnp)
2262 			av |= PROCESS2__NNP_TRANSITION;
2263 		if (nosuid)
2264 			av |= PROCESS2__NOSUID_TRANSITION;
2265 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2266 				  SECCLASS_PROCESS2, av, NULL);
2267 		if (!rc)
2268 			return 0;
2269 	}
2270 
2271 	/*
2272 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2273 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2274 	 * of the permissions of the current SID.
2275 	 */
2276 	rc = security_bounded_transition(old_tsec->sid,
2277 					 new_tsec->sid);
2278 	if (!rc)
2279 		return 0;
2280 
2281 	/*
2282 	 * On failure, preserve the errno values for NNP vs nosuid.
2283 	 * NNP:  Operation not permitted for caller.
2284 	 * nosuid:  Permission denied to file.
2285 	 */
2286 	if (nnp)
2287 		return -EPERM;
2288 	return -EACCES;
2289 }
2290 
selinux_bprm_creds_for_exec(struct linux_binprm * bprm)2291 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2292 {
2293 	const struct task_security_struct *old_tsec;
2294 	struct task_security_struct *new_tsec;
2295 	struct inode_security_struct *isec;
2296 	struct common_audit_data ad;
2297 	struct inode *inode = file_inode(bprm->file);
2298 	int rc;
2299 
2300 	/* SELinux context only depends on initial program or script and not
2301 	 * the script interpreter */
2302 
2303 	old_tsec = selinux_cred(current_cred());
2304 	new_tsec = selinux_cred(bprm->cred);
2305 	isec = inode_security(inode);
2306 
2307 	/* Default to the current task SID. */
2308 	new_tsec->sid = old_tsec->sid;
2309 	new_tsec->osid = old_tsec->sid;
2310 
2311 	/* Reset fs, key, and sock SIDs on execve. */
2312 	new_tsec->create_sid = 0;
2313 	new_tsec->keycreate_sid = 0;
2314 	new_tsec->sockcreate_sid = 0;
2315 
2316 	/*
2317 	 * Before policy is loaded, label any task outside kernel space
2318 	 * as SECINITSID_INIT, so that any userspace tasks surviving from
2319 	 * early boot end up with a label different from SECINITSID_KERNEL
2320 	 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).
2321 	 */
2322 	if (!selinux_initialized()) {
2323 		new_tsec->sid = SECINITSID_INIT;
2324 		/* also clear the exec_sid just in case */
2325 		new_tsec->exec_sid = 0;
2326 		return 0;
2327 	}
2328 
2329 	if (old_tsec->exec_sid) {
2330 		new_tsec->sid = old_tsec->exec_sid;
2331 		/* Reset exec SID on execve. */
2332 		new_tsec->exec_sid = 0;
2333 
2334 		/* Fail on NNP or nosuid if not an allowed transition. */
2335 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2336 		if (rc)
2337 			return rc;
2338 	} else {
2339 		/* Check for a default transition on this program. */
2340 		rc = security_transition_sid(old_tsec->sid,
2341 					     isec->sid, SECCLASS_PROCESS, NULL,
2342 					     &new_tsec->sid);
2343 		if (rc)
2344 			return rc;
2345 
2346 		/*
2347 		 * Fallback to old SID on NNP or nosuid if not an allowed
2348 		 * transition.
2349 		 */
2350 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2351 		if (rc)
2352 			new_tsec->sid = old_tsec->sid;
2353 	}
2354 
2355 	ad.type = LSM_AUDIT_DATA_FILE;
2356 	ad.u.file = bprm->file;
2357 
2358 	if (new_tsec->sid == old_tsec->sid) {
2359 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2360 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2361 		if (rc)
2362 			return rc;
2363 	} else {
2364 		/* Check permissions for the transition. */
2365 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2366 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2367 		if (rc)
2368 			return rc;
2369 
2370 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2371 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2372 		if (rc)
2373 			return rc;
2374 
2375 		/* Check for shared state */
2376 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2377 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2378 					  SECCLASS_PROCESS, PROCESS__SHARE,
2379 					  NULL);
2380 			if (rc)
2381 				return -EPERM;
2382 		}
2383 
2384 		/* Make sure that anyone attempting to ptrace over a task that
2385 		 * changes its SID has the appropriate permit */
2386 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2387 			u32 ptsid = ptrace_parent_sid();
2388 			if (ptsid != 0) {
2389 				rc = avc_has_perm(ptsid, new_tsec->sid,
2390 						  SECCLASS_PROCESS,
2391 						  PROCESS__PTRACE, NULL);
2392 				if (rc)
2393 					return -EPERM;
2394 			}
2395 		}
2396 
2397 		/* Clear any possibly unsafe personality bits on exec: */
2398 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2399 
2400 		/* Enable secure mode for SIDs transitions unless
2401 		   the noatsecure permission is granted between
2402 		   the two SIDs, i.e. ahp returns 0. */
2403 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2404 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2405 				  NULL);
2406 		bprm->secureexec |= !!rc;
2407 	}
2408 
2409 	return 0;
2410 }
2411 
match_file(const void * p,struct file * file,unsigned fd)2412 static int match_file(const void *p, struct file *file, unsigned fd)
2413 {
2414 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2415 }
2416 
2417 /* Derived from fs/exec.c:flush_old_files. */
flush_unauthorized_files(const struct cred * cred,struct files_struct * files)2418 static inline void flush_unauthorized_files(const struct cred *cred,
2419 					    struct files_struct *files)
2420 {
2421 	struct file *file, *devnull = NULL;
2422 	struct tty_struct *tty;
2423 	int drop_tty = 0;
2424 	unsigned n;
2425 
2426 	tty = get_current_tty();
2427 	if (tty) {
2428 		spin_lock(&tty->files_lock);
2429 		if (!list_empty(&tty->tty_files)) {
2430 			struct tty_file_private *file_priv;
2431 
2432 			/* Revalidate access to controlling tty.
2433 			   Use file_path_has_perm on the tty path directly
2434 			   rather than using file_has_perm, as this particular
2435 			   open file may belong to another process and we are
2436 			   only interested in the inode-based check here. */
2437 			file_priv = list_first_entry(&tty->tty_files,
2438 						struct tty_file_private, list);
2439 			file = file_priv->file;
2440 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2441 				drop_tty = 1;
2442 		}
2443 		spin_unlock(&tty->files_lock);
2444 		tty_kref_put(tty);
2445 	}
2446 	/* Reset controlling tty. */
2447 	if (drop_tty)
2448 		no_tty();
2449 
2450 	/* Revalidate access to inherited open files. */
2451 	n = iterate_fd(files, 0, match_file, cred);
2452 	if (!n) /* none found? */
2453 		return;
2454 
2455 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2456 	if (IS_ERR(devnull))
2457 		devnull = NULL;
2458 	/* replace all the matching ones with this */
2459 	do {
2460 		replace_fd(n - 1, devnull, 0);
2461 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2462 	if (devnull)
2463 		fput(devnull);
2464 }
2465 
2466 /*
2467  * Prepare a process for imminent new credential changes due to exec
2468  */
selinux_bprm_committing_creds(const struct linux_binprm * bprm)2469 static void selinux_bprm_committing_creds(const struct linux_binprm *bprm)
2470 {
2471 	struct task_security_struct *new_tsec;
2472 	struct rlimit *rlim, *initrlim;
2473 	int rc, i;
2474 
2475 	new_tsec = selinux_cred(bprm->cred);
2476 	if (new_tsec->sid == new_tsec->osid)
2477 		return;
2478 
2479 	/* Close files for which the new task SID is not authorized. */
2480 	flush_unauthorized_files(bprm->cred, current->files);
2481 
2482 	/* Always clear parent death signal on SID transitions. */
2483 	current->pdeath_signal = 0;
2484 
2485 	/* Check whether the new SID can inherit resource limits from the old
2486 	 * SID.  If not, reset all soft limits to the lower of the current
2487 	 * task's hard limit and the init task's soft limit.
2488 	 *
2489 	 * Note that the setting of hard limits (even to lower them) can be
2490 	 * controlled by the setrlimit check.  The inclusion of the init task's
2491 	 * soft limit into the computation is to avoid resetting soft limits
2492 	 * higher than the default soft limit for cases where the default is
2493 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2494 	 */
2495 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2496 			  PROCESS__RLIMITINH, NULL);
2497 	if (rc) {
2498 		/* protect against do_prlimit() */
2499 		task_lock(current);
2500 		for (i = 0; i < RLIM_NLIMITS; i++) {
2501 			rlim = current->signal->rlim + i;
2502 			initrlim = init_task.signal->rlim + i;
2503 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2504 		}
2505 		task_unlock(current);
2506 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2507 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2508 	}
2509 }
2510 
2511 /*
2512  * Clean up the process immediately after the installation of new credentials
2513  * due to exec
2514  */
selinux_bprm_committed_creds(const struct linux_binprm * bprm)2515 static void selinux_bprm_committed_creds(const struct linux_binprm *bprm)
2516 {
2517 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2518 	u32 osid, sid;
2519 	int rc;
2520 
2521 	osid = tsec->osid;
2522 	sid = tsec->sid;
2523 
2524 	if (sid == osid)
2525 		return;
2526 
2527 	/* Check whether the new SID can inherit signal state from the old SID.
2528 	 * If not, clear itimers to avoid subsequent signal generation and
2529 	 * flush and unblock signals.
2530 	 *
2531 	 * This must occur _after_ the task SID has been updated so that any
2532 	 * kill done after the flush will be checked against the new SID.
2533 	 */
2534 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2535 	if (rc) {
2536 		clear_itimer();
2537 
2538 		spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2539 		if (!fatal_signal_pending(current)) {
2540 			flush_sigqueue(&current->pending);
2541 			flush_sigqueue(&current->signal->shared_pending);
2542 			flush_signal_handlers(current, 1);
2543 			sigemptyset(&current->blocked);
2544 			recalc_sigpending();
2545 		}
2546 		spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2547 	}
2548 
2549 	/* Wake up the parent if it is waiting so that it can recheck
2550 	 * wait permission to the new task SID. */
2551 	read_lock(&tasklist_lock);
2552 	__wake_up_parent(current, unrcu_pointer(current->real_parent));
2553 	read_unlock(&tasklist_lock);
2554 }
2555 
2556 /* superblock security operations */
2557 
selinux_sb_alloc_security(struct super_block * sb)2558 static int selinux_sb_alloc_security(struct super_block *sb)
2559 {
2560 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2561 
2562 	mutex_init(&sbsec->lock);
2563 	INIT_LIST_HEAD(&sbsec->isec_head);
2564 	spin_lock_init(&sbsec->isec_lock);
2565 	sbsec->sid = SECINITSID_UNLABELED;
2566 	sbsec->def_sid = SECINITSID_FILE;
2567 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2568 
2569 	return 0;
2570 }
2571 
opt_len(const char * s)2572 static inline int opt_len(const char *s)
2573 {
2574 	bool open_quote = false;
2575 	int len;
2576 	char c;
2577 
2578 	for (len = 0; (c = s[len]) != '\0'; len++) {
2579 		if (c == '"')
2580 			open_quote = !open_quote;
2581 		if (c == ',' && !open_quote)
2582 			break;
2583 	}
2584 	return len;
2585 }
2586 
selinux_sb_eat_lsm_opts(char * options,void ** mnt_opts)2587 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2588 {
2589 	char *from = options;
2590 	char *to = options;
2591 	bool first = true;
2592 	int rc;
2593 
2594 	while (1) {
2595 		int len = opt_len(from);
2596 		int token;
2597 		char *arg = NULL;
2598 
2599 		token = match_opt_prefix(from, len, &arg);
2600 
2601 		if (token != Opt_error) {
2602 			char *p, *q;
2603 
2604 			/* strip quotes */
2605 			if (arg) {
2606 				for (p = q = arg; p < from + len; p++) {
2607 					char c = *p;
2608 					if (c != '"')
2609 						*q++ = c;
2610 				}
2611 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2612 				if (!arg) {
2613 					rc = -ENOMEM;
2614 					goto free_opt;
2615 				}
2616 			}
2617 			rc = selinux_add_opt(token, arg, mnt_opts);
2618 			kfree(arg);
2619 			arg = NULL;
2620 			if (unlikely(rc)) {
2621 				goto free_opt;
2622 			}
2623 		} else {
2624 			if (!first) {	// copy with preceding comma
2625 				from--;
2626 				len++;
2627 			}
2628 			if (to != from)
2629 				memmove(to, from, len);
2630 			to += len;
2631 			first = false;
2632 		}
2633 		if (!from[len])
2634 			break;
2635 		from += len + 1;
2636 	}
2637 	*to = '\0';
2638 	return 0;
2639 
2640 free_opt:
2641 	if (*mnt_opts) {
2642 		selinux_free_mnt_opts(*mnt_opts);
2643 		*mnt_opts = NULL;
2644 	}
2645 	return rc;
2646 }
2647 
selinux_sb_mnt_opts_compat(struct super_block * sb,void * mnt_opts)2648 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2649 {
2650 	struct selinux_mnt_opts *opts = mnt_opts;
2651 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2652 
2653 	/*
2654 	 * Superblock not initialized (i.e. no options) - reject if any
2655 	 * options specified, otherwise accept.
2656 	 */
2657 	if (!(sbsec->flags & SE_SBINITIALIZED))
2658 		return opts ? 1 : 0;
2659 
2660 	/*
2661 	 * Superblock initialized and no options specified - reject if
2662 	 * superblock has any options set, otherwise accept.
2663 	 */
2664 	if (!opts)
2665 		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2666 
2667 	if (opts->fscontext_sid) {
2668 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2669 			       opts->fscontext_sid))
2670 			return 1;
2671 	}
2672 	if (opts->context_sid) {
2673 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2674 			       opts->context_sid))
2675 			return 1;
2676 	}
2677 	if (opts->rootcontext_sid) {
2678 		struct inode_security_struct *root_isec;
2679 
2680 		root_isec = backing_inode_security(sb->s_root);
2681 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2682 			       opts->rootcontext_sid))
2683 			return 1;
2684 	}
2685 	if (opts->defcontext_sid) {
2686 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2687 			       opts->defcontext_sid))
2688 			return 1;
2689 	}
2690 	return 0;
2691 }
2692 
selinux_sb_remount(struct super_block * sb,void * mnt_opts)2693 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2694 {
2695 	struct selinux_mnt_opts *opts = mnt_opts;
2696 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2697 
2698 	if (!(sbsec->flags & SE_SBINITIALIZED))
2699 		return 0;
2700 
2701 	if (!opts)
2702 		return 0;
2703 
2704 	if (opts->fscontext_sid) {
2705 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2706 			       opts->fscontext_sid))
2707 			goto out_bad_option;
2708 	}
2709 	if (opts->context_sid) {
2710 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2711 			       opts->context_sid))
2712 			goto out_bad_option;
2713 	}
2714 	if (opts->rootcontext_sid) {
2715 		struct inode_security_struct *root_isec;
2716 		root_isec = backing_inode_security(sb->s_root);
2717 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2718 			       opts->rootcontext_sid))
2719 			goto out_bad_option;
2720 	}
2721 	if (opts->defcontext_sid) {
2722 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2723 			       opts->defcontext_sid))
2724 			goto out_bad_option;
2725 	}
2726 	return 0;
2727 
2728 out_bad_option:
2729 	pr_warn("SELinux: unable to change security options "
2730 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2731 	       sb->s_type->name);
2732 	return -EINVAL;
2733 }
2734 
selinux_sb_kern_mount(const struct super_block * sb)2735 static int selinux_sb_kern_mount(const struct super_block *sb)
2736 {
2737 	const struct cred *cred = current_cred();
2738 	struct common_audit_data ad;
2739 
2740 	ad.type = LSM_AUDIT_DATA_DENTRY;
2741 	ad.u.dentry = sb->s_root;
2742 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2743 }
2744 
selinux_sb_statfs(struct dentry * dentry)2745 static int selinux_sb_statfs(struct dentry *dentry)
2746 {
2747 	const struct cred *cred = current_cred();
2748 	struct common_audit_data ad;
2749 
2750 	ad.type = LSM_AUDIT_DATA_DENTRY;
2751 	ad.u.dentry = dentry->d_sb->s_root;
2752 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2753 }
2754 
selinux_mount(const char * dev_name,const struct path * path,const char * type,unsigned long flags,void * data)2755 static int selinux_mount(const char *dev_name,
2756 			 const struct path *path,
2757 			 const char *type,
2758 			 unsigned long flags,
2759 			 void *data)
2760 {
2761 	const struct cred *cred = current_cred();
2762 
2763 	if (flags & MS_REMOUNT)
2764 		return superblock_has_perm(cred, path->dentry->d_sb,
2765 					   FILESYSTEM__REMOUNT, NULL);
2766 	else
2767 		return path_has_perm(cred, path, FILE__MOUNTON);
2768 }
2769 
selinux_move_mount(const struct path * from_path,const struct path * to_path)2770 static int selinux_move_mount(const struct path *from_path,
2771 			      const struct path *to_path)
2772 {
2773 	const struct cred *cred = current_cred();
2774 
2775 	return path_has_perm(cred, to_path, FILE__MOUNTON);
2776 }
2777 
selinux_umount(struct vfsmount * mnt,int flags)2778 static int selinux_umount(struct vfsmount *mnt, int flags)
2779 {
2780 	const struct cred *cred = current_cred();
2781 
2782 	return superblock_has_perm(cred, mnt->mnt_sb,
2783 				   FILESYSTEM__UNMOUNT, NULL);
2784 }
2785 
selinux_fs_context_submount(struct fs_context * fc,struct super_block * reference)2786 static int selinux_fs_context_submount(struct fs_context *fc,
2787 				   struct super_block *reference)
2788 {
2789 	const struct superblock_security_struct *sbsec = selinux_superblock(reference);
2790 	struct selinux_mnt_opts *opts;
2791 
2792 	/*
2793 	 * Ensure that fc->security remains NULL when no options are set
2794 	 * as expected by selinux_set_mnt_opts().
2795 	 */
2796 	if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2797 		return 0;
2798 
2799 	opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2800 	if (!opts)
2801 		return -ENOMEM;
2802 
2803 	if (sbsec->flags & FSCONTEXT_MNT)
2804 		opts->fscontext_sid = sbsec->sid;
2805 	if (sbsec->flags & CONTEXT_MNT)
2806 		opts->context_sid = sbsec->mntpoint_sid;
2807 	if (sbsec->flags & DEFCONTEXT_MNT)
2808 		opts->defcontext_sid = sbsec->def_sid;
2809 	fc->security = opts;
2810 	return 0;
2811 }
2812 
selinux_fs_context_dup(struct fs_context * fc,struct fs_context * src_fc)2813 static int selinux_fs_context_dup(struct fs_context *fc,
2814 				  struct fs_context *src_fc)
2815 {
2816 	const struct selinux_mnt_opts *src = src_fc->security;
2817 
2818 	if (!src)
2819 		return 0;
2820 
2821 	fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2822 	return fc->security ? 0 : -ENOMEM;
2823 }
2824 
2825 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2826 	fsparam_string(CONTEXT_STR,	Opt_context),
2827 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2828 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2829 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2830 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2831 	{}
2832 };
2833 
selinux_fs_context_parse_param(struct fs_context * fc,struct fs_parameter * param)2834 static int selinux_fs_context_parse_param(struct fs_context *fc,
2835 					  struct fs_parameter *param)
2836 {
2837 	struct fs_parse_result result;
2838 	int opt;
2839 
2840 	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2841 	if (opt < 0)
2842 		return opt;
2843 
2844 	return selinux_add_opt(opt, param->string, &fc->security);
2845 }
2846 
2847 /* inode security operations */
2848 
selinux_inode_alloc_security(struct inode * inode)2849 static int selinux_inode_alloc_security(struct inode *inode)
2850 {
2851 	struct inode_security_struct *isec = selinux_inode(inode);
2852 	u32 sid = current_sid();
2853 
2854 	spin_lock_init(&isec->lock);
2855 	INIT_LIST_HEAD(&isec->list);
2856 	isec->inode = inode;
2857 	isec->sid = SECINITSID_UNLABELED;
2858 	isec->sclass = SECCLASS_FILE;
2859 	isec->task_sid = sid;
2860 	isec->initialized = LABEL_INVALID;
2861 
2862 	return 0;
2863 }
2864 
selinux_inode_free_security(struct inode * inode)2865 static void selinux_inode_free_security(struct inode *inode)
2866 {
2867 	inode_free_security(inode);
2868 }
2869 
selinux_dentry_init_security(struct dentry * dentry,int mode,const struct qstr * name,const char ** xattr_name,void ** ctx,u32 * ctxlen)2870 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2871 					const struct qstr *name,
2872 					const char **xattr_name, void **ctx,
2873 					u32 *ctxlen)
2874 {
2875 	u32 newsid;
2876 	int rc;
2877 
2878 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2879 					   d_inode(dentry->d_parent), name,
2880 					   inode_mode_to_security_class(mode),
2881 					   &newsid);
2882 	if (rc)
2883 		return rc;
2884 
2885 	if (xattr_name)
2886 		*xattr_name = XATTR_NAME_SELINUX;
2887 
2888 	return security_sid_to_context(newsid, (char **)ctx,
2889 				       ctxlen);
2890 }
2891 
selinux_dentry_create_files_as(struct dentry * dentry,int mode,struct qstr * name,const struct cred * old,struct cred * new)2892 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2893 					  struct qstr *name,
2894 					  const struct cred *old,
2895 					  struct cred *new)
2896 {
2897 	u32 newsid;
2898 	int rc;
2899 	struct task_security_struct *tsec;
2900 
2901 	rc = selinux_determine_inode_label(selinux_cred(old),
2902 					   d_inode(dentry->d_parent), name,
2903 					   inode_mode_to_security_class(mode),
2904 					   &newsid);
2905 	if (rc)
2906 		return rc;
2907 
2908 	tsec = selinux_cred(new);
2909 	tsec->create_sid = newsid;
2910 	return 0;
2911 }
2912 
selinux_inode_init_security(struct inode * inode,struct inode * dir,const struct qstr * qstr,struct xattr * xattrs,int * xattr_count)2913 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2914 				       const struct qstr *qstr,
2915 				       struct xattr *xattrs, int *xattr_count)
2916 {
2917 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2918 	struct superblock_security_struct *sbsec;
2919 	struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
2920 	u32 newsid, clen;
2921 	u16 newsclass;
2922 	int rc;
2923 	char *context;
2924 
2925 	sbsec = selinux_superblock(dir->i_sb);
2926 
2927 	newsid = tsec->create_sid;
2928 	newsclass = inode_mode_to_security_class(inode->i_mode);
2929 	rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid);
2930 	if (rc)
2931 		return rc;
2932 
2933 	/* Possibly defer initialization to selinux_complete_init. */
2934 	if (sbsec->flags & SE_SBINITIALIZED) {
2935 		struct inode_security_struct *isec = selinux_inode(inode);
2936 		isec->sclass = newsclass;
2937 		isec->sid = newsid;
2938 		isec->initialized = LABEL_INITIALIZED;
2939 	}
2940 
2941 	if (!selinux_initialized() ||
2942 	    !(sbsec->flags & SBLABEL_MNT))
2943 		return -EOPNOTSUPP;
2944 
2945 	if (xattr) {
2946 		rc = security_sid_to_context_force(newsid,
2947 						   &context, &clen);
2948 		if (rc)
2949 			return rc;
2950 		xattr->value = context;
2951 		xattr->value_len = clen;
2952 		xattr->name = XATTR_SELINUX_SUFFIX;
2953 	}
2954 
2955 	return 0;
2956 }
2957 
selinux_inode_init_security_anon(struct inode * inode,const struct qstr * name,const struct inode * context_inode)2958 static int selinux_inode_init_security_anon(struct inode *inode,
2959 					    const struct qstr *name,
2960 					    const struct inode *context_inode)
2961 {
2962 	u32 sid = current_sid();
2963 	struct common_audit_data ad;
2964 	struct inode_security_struct *isec;
2965 	int rc;
2966 
2967 	if (unlikely(!selinux_initialized()))
2968 		return 0;
2969 
2970 	isec = selinux_inode(inode);
2971 
2972 	/*
2973 	 * We only get here once per ephemeral inode.  The inode has
2974 	 * been initialized via inode_alloc_security but is otherwise
2975 	 * untouched.
2976 	 */
2977 
2978 	if (context_inode) {
2979 		struct inode_security_struct *context_isec =
2980 			selinux_inode(context_inode);
2981 		if (context_isec->initialized != LABEL_INITIALIZED) {
2982 			pr_err("SELinux:  context_inode is not initialized\n");
2983 			return -EACCES;
2984 		}
2985 
2986 		isec->sclass = context_isec->sclass;
2987 		isec->sid = context_isec->sid;
2988 	} else {
2989 		isec->sclass = SECCLASS_ANON_INODE;
2990 		rc = security_transition_sid(
2991 			sid, sid,
2992 			isec->sclass, name, &isec->sid);
2993 		if (rc)
2994 			return rc;
2995 	}
2996 
2997 	isec->initialized = LABEL_INITIALIZED;
2998 	/*
2999 	 * Now that we've initialized security, check whether we're
3000 	 * allowed to actually create this type of anonymous inode.
3001 	 */
3002 
3003 	ad.type = LSM_AUDIT_DATA_ANONINODE;
3004 	ad.u.anonclass = name ? (const char *)name->name : "?";
3005 
3006 	return avc_has_perm(sid,
3007 			    isec->sid,
3008 			    isec->sclass,
3009 			    FILE__CREATE,
3010 			    &ad);
3011 }
3012 
selinux_inode_create(struct inode * dir,struct dentry * dentry,umode_t mode)3013 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3014 {
3015 	return may_create(dir, dentry, SECCLASS_FILE);
3016 }
3017 
selinux_inode_link(struct dentry * old_dentry,struct inode * dir,struct dentry * new_dentry)3018 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3019 {
3020 	return may_link(dir, old_dentry, MAY_LINK);
3021 }
3022 
selinux_inode_unlink(struct inode * dir,struct dentry * dentry)3023 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3024 {
3025 	return may_link(dir, dentry, MAY_UNLINK);
3026 }
3027 
selinux_inode_symlink(struct inode * dir,struct dentry * dentry,const char * name)3028 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3029 {
3030 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
3031 }
3032 
selinux_inode_mkdir(struct inode * dir,struct dentry * dentry,umode_t mask)3033 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3034 {
3035 	return may_create(dir, dentry, SECCLASS_DIR);
3036 }
3037 
selinux_inode_rmdir(struct inode * dir,struct dentry * dentry)3038 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3039 {
3040 	return may_link(dir, dentry, MAY_RMDIR);
3041 }
3042 
selinux_inode_mknod(struct inode * dir,struct dentry * dentry,umode_t mode,dev_t dev)3043 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3044 {
3045 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3046 }
3047 
selinux_inode_rename(struct inode * old_inode,struct dentry * old_dentry,struct inode * new_inode,struct dentry * new_dentry)3048 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3049 				struct inode *new_inode, struct dentry *new_dentry)
3050 {
3051 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3052 }
3053 
selinux_inode_readlink(struct dentry * dentry)3054 static int selinux_inode_readlink(struct dentry *dentry)
3055 {
3056 	const struct cred *cred = current_cred();
3057 
3058 	return dentry_has_perm(cred, dentry, FILE__READ);
3059 }
3060 
selinux_inode_follow_link(struct dentry * dentry,struct inode * inode,bool rcu)3061 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3062 				     bool rcu)
3063 {
3064 	struct common_audit_data ad;
3065 	struct inode_security_struct *isec;
3066 	u32 sid = current_sid();
3067 
3068 	ad.type = LSM_AUDIT_DATA_DENTRY;
3069 	ad.u.dentry = dentry;
3070 	isec = inode_security_rcu(inode, rcu);
3071 	if (IS_ERR(isec))
3072 		return PTR_ERR(isec);
3073 
3074 	return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
3075 }
3076 
audit_inode_permission(struct inode * inode,u32 perms,u32 audited,u32 denied,int result)3077 static noinline int audit_inode_permission(struct inode *inode,
3078 					   u32 perms, u32 audited, u32 denied,
3079 					   int result)
3080 {
3081 	struct common_audit_data ad;
3082 	struct inode_security_struct *isec = selinux_inode(inode);
3083 
3084 	ad.type = LSM_AUDIT_DATA_INODE;
3085 	ad.u.inode = inode;
3086 
3087 	return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3088 			    audited, denied, result, &ad);
3089 }
3090 
selinux_inode_permission(struct inode * inode,int mask)3091 static int selinux_inode_permission(struct inode *inode, int mask)
3092 {
3093 	u32 perms;
3094 	bool from_access;
3095 	bool no_block = mask & MAY_NOT_BLOCK;
3096 	struct inode_security_struct *isec;
3097 	u32 sid = current_sid();
3098 	struct av_decision avd;
3099 	int rc, rc2;
3100 	u32 audited, denied;
3101 
3102 	from_access = mask & MAY_ACCESS;
3103 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3104 
3105 	/* No permission to check.  Existence test. */
3106 	if (!mask)
3107 		return 0;
3108 
3109 	if (unlikely(IS_PRIVATE(inode)))
3110 		return 0;
3111 
3112 	perms = file_mask_to_av(inode->i_mode, mask);
3113 
3114 	isec = inode_security_rcu(inode, no_block);
3115 	if (IS_ERR(isec))
3116 		return PTR_ERR(isec);
3117 
3118 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0,
3119 				  &avd);
3120 	audited = avc_audit_required(perms, &avd, rc,
3121 				     from_access ? FILE__AUDIT_ACCESS : 0,
3122 				     &denied);
3123 	if (likely(!audited))
3124 		return rc;
3125 
3126 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3127 	if (rc2)
3128 		return rc2;
3129 	return rc;
3130 }
3131 
selinux_inode_setattr(struct mnt_idmap * idmap,struct dentry * dentry,struct iattr * iattr)3132 static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
3133 				 struct iattr *iattr)
3134 {
3135 	const struct cred *cred = current_cred();
3136 	struct inode *inode = d_backing_inode(dentry);
3137 	unsigned int ia_valid = iattr->ia_valid;
3138 	__u32 av = FILE__WRITE;
3139 
3140 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3141 	if (ia_valid & ATTR_FORCE) {
3142 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3143 			      ATTR_FORCE);
3144 		if (!ia_valid)
3145 			return 0;
3146 	}
3147 
3148 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3149 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3150 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3151 
3152 	if (selinux_policycap_openperm() &&
3153 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3154 	    (ia_valid & ATTR_SIZE) &&
3155 	    !(ia_valid & ATTR_FILE))
3156 		av |= FILE__OPEN;
3157 
3158 	return dentry_has_perm(cred, dentry, av);
3159 }
3160 
selinux_inode_getattr(const struct path * path)3161 static int selinux_inode_getattr(const struct path *path)
3162 {
3163 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3164 }
3165 
has_cap_mac_admin(bool audit)3166 static bool has_cap_mac_admin(bool audit)
3167 {
3168 	const struct cred *cred = current_cred();
3169 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3170 
3171 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3172 		return false;
3173 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3174 		return false;
3175 	return true;
3176 }
3177 
3178 /**
3179  * selinux_inode_xattr_skipcap - Skip the xattr capability checks?
3180  * @name: name of the xattr
3181  *
3182  * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs
3183  * named @name; the LSM layer should avoid enforcing any traditional
3184  * capability based access controls on this xattr.  Returns 0 to indicate that
3185  * SELinux does not "own" the access control rights to xattrs named @name and is
3186  * deferring to the LSM layer for further access controls, including capability
3187  * based controls.
3188  */
selinux_inode_xattr_skipcap(const char * name)3189 static int selinux_inode_xattr_skipcap(const char *name)
3190 {
3191 	/* require capability check if not a selinux xattr */
3192 	return !strcmp(name, XATTR_NAME_SELINUX);
3193 }
3194 
selinux_inode_setxattr(struct mnt_idmap * idmap,struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3195 static int selinux_inode_setxattr(struct mnt_idmap *idmap,
3196 				  struct dentry *dentry, const char *name,
3197 				  const void *value, size_t size, int flags)
3198 {
3199 	struct inode *inode = d_backing_inode(dentry);
3200 	struct inode_security_struct *isec;
3201 	struct superblock_security_struct *sbsec;
3202 	struct common_audit_data ad;
3203 	u32 newsid, sid = current_sid();
3204 	int rc = 0;
3205 
3206 	/* if not a selinux xattr, only check the ordinary setattr perm */
3207 	if (strcmp(name, XATTR_NAME_SELINUX))
3208 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3209 
3210 	if (!selinux_initialized())
3211 		return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3212 
3213 	sbsec = selinux_superblock(inode->i_sb);
3214 	if (!(sbsec->flags & SBLABEL_MNT))
3215 		return -EOPNOTSUPP;
3216 
3217 	if (!inode_owner_or_capable(idmap, inode))
3218 		return -EPERM;
3219 
3220 	ad.type = LSM_AUDIT_DATA_DENTRY;
3221 	ad.u.dentry = dentry;
3222 
3223 	isec = backing_inode_security(dentry);
3224 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3225 			  FILE__RELABELFROM, &ad);
3226 	if (rc)
3227 		return rc;
3228 
3229 	rc = security_context_to_sid(value, size, &newsid,
3230 				     GFP_KERNEL);
3231 	if (rc == -EINVAL) {
3232 		if (!has_cap_mac_admin(true)) {
3233 			struct audit_buffer *ab;
3234 			size_t audit_size;
3235 
3236 			/* We strip a nul only if it is at the end, otherwise the
3237 			 * context contains a nul and we should audit that */
3238 			if (value) {
3239 				const char *str = value;
3240 
3241 				if (str[size - 1] == '\0')
3242 					audit_size = size - 1;
3243 				else
3244 					audit_size = size;
3245 			} else {
3246 				audit_size = 0;
3247 			}
3248 			ab = audit_log_start(audit_context(),
3249 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3250 			if (!ab)
3251 				return rc;
3252 			audit_log_format(ab, "op=setxattr invalid_context=");
3253 			audit_log_n_untrustedstring(ab, value, audit_size);
3254 			audit_log_end(ab);
3255 
3256 			return rc;
3257 		}
3258 		rc = security_context_to_sid_force(value,
3259 						   size, &newsid);
3260 	}
3261 	if (rc)
3262 		return rc;
3263 
3264 	rc = avc_has_perm(sid, newsid, isec->sclass,
3265 			  FILE__RELABELTO, &ad);
3266 	if (rc)
3267 		return rc;
3268 
3269 	rc = security_validate_transition(isec->sid, newsid,
3270 					  sid, isec->sclass);
3271 	if (rc)
3272 		return rc;
3273 
3274 	return avc_has_perm(newsid,
3275 			    sbsec->sid,
3276 			    SECCLASS_FILESYSTEM,
3277 			    FILESYSTEM__ASSOCIATE,
3278 			    &ad);
3279 }
3280 
selinux_inode_set_acl(struct mnt_idmap * idmap,struct dentry * dentry,const char * acl_name,struct posix_acl * kacl)3281 static int selinux_inode_set_acl(struct mnt_idmap *idmap,
3282 				 struct dentry *dentry, const char *acl_name,
3283 				 struct posix_acl *kacl)
3284 {
3285 	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3286 }
3287 
selinux_inode_get_acl(struct mnt_idmap * idmap,struct dentry * dentry,const char * acl_name)3288 static int selinux_inode_get_acl(struct mnt_idmap *idmap,
3289 				 struct dentry *dentry, const char *acl_name)
3290 {
3291 	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3292 }
3293 
selinux_inode_remove_acl(struct mnt_idmap * idmap,struct dentry * dentry,const char * acl_name)3294 static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
3295 				    struct dentry *dentry, const char *acl_name)
3296 {
3297 	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3298 }
3299 
selinux_inode_post_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3300 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3301 					const void *value, size_t size,
3302 					int flags)
3303 {
3304 	struct inode *inode = d_backing_inode(dentry);
3305 	struct inode_security_struct *isec;
3306 	u32 newsid;
3307 	int rc;
3308 
3309 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3310 		/* Not an attribute we recognize, so nothing to do. */
3311 		return;
3312 	}
3313 
3314 	if (!selinux_initialized()) {
3315 		/* If we haven't even been initialized, then we can't validate
3316 		 * against a policy, so leave the label as invalid. It may
3317 		 * resolve to a valid label on the next revalidation try if
3318 		 * we've since initialized.
3319 		 */
3320 		return;
3321 	}
3322 
3323 	rc = security_context_to_sid_force(value, size,
3324 					   &newsid);
3325 	if (rc) {
3326 		pr_err("SELinux:  unable to map context to SID"
3327 		       "for (%s, %lu), rc=%d\n",
3328 		       inode->i_sb->s_id, inode->i_ino, -rc);
3329 		return;
3330 	}
3331 
3332 	isec = backing_inode_security(dentry);
3333 	spin_lock(&isec->lock);
3334 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3335 	isec->sid = newsid;
3336 	isec->initialized = LABEL_INITIALIZED;
3337 	spin_unlock(&isec->lock);
3338 }
3339 
selinux_inode_getxattr(struct dentry * dentry,const char * name)3340 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3341 {
3342 	const struct cred *cred = current_cred();
3343 
3344 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3345 }
3346 
selinux_inode_listxattr(struct dentry * dentry)3347 static int selinux_inode_listxattr(struct dentry *dentry)
3348 {
3349 	const struct cred *cred = current_cred();
3350 
3351 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3352 }
3353 
selinux_inode_removexattr(struct mnt_idmap * idmap,struct dentry * dentry,const char * name)3354 static int selinux_inode_removexattr(struct mnt_idmap *idmap,
3355 				     struct dentry *dentry, const char *name)
3356 {
3357 	/* if not a selinux xattr, only check the ordinary setattr perm */
3358 	if (strcmp(name, XATTR_NAME_SELINUX))
3359 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3360 
3361 	if (!selinux_initialized())
3362 		return 0;
3363 
3364 	/* No one is allowed to remove a SELinux security label.
3365 	   You can change the label, but all data must be labeled. */
3366 	return -EACCES;
3367 }
3368 
selinux_path_notify(const struct path * path,u64 mask,unsigned int obj_type)3369 static int selinux_path_notify(const struct path *path, u64 mask,
3370 						unsigned int obj_type)
3371 {
3372 	int ret;
3373 	u32 perm;
3374 
3375 	struct common_audit_data ad;
3376 
3377 	ad.type = LSM_AUDIT_DATA_PATH;
3378 	ad.u.path = *path;
3379 
3380 	/*
3381 	 * Set permission needed based on the type of mark being set.
3382 	 * Performs an additional check for sb watches.
3383 	 */
3384 	switch (obj_type) {
3385 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3386 		perm = FILE__WATCH_MOUNT;
3387 		break;
3388 	case FSNOTIFY_OBJ_TYPE_SB:
3389 		perm = FILE__WATCH_SB;
3390 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3391 						FILESYSTEM__WATCH, &ad);
3392 		if (ret)
3393 			return ret;
3394 		break;
3395 	case FSNOTIFY_OBJ_TYPE_INODE:
3396 		perm = FILE__WATCH;
3397 		break;
3398 	default:
3399 		return -EINVAL;
3400 	}
3401 
3402 	/* blocking watches require the file:watch_with_perm permission */
3403 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3404 		perm |= FILE__WATCH_WITH_PERM;
3405 
3406 	/* watches on read-like events need the file:watch_reads permission */
3407 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3408 		perm |= FILE__WATCH_READS;
3409 
3410 	return path_has_perm(current_cred(), path, perm);
3411 }
3412 
3413 /*
3414  * Copy the inode security context value to the user.
3415  *
3416  * Permission check is handled by selinux_inode_getxattr hook.
3417  */
selinux_inode_getsecurity(struct mnt_idmap * idmap,struct inode * inode,const char * name,void ** buffer,bool alloc)3418 static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
3419 				     struct inode *inode, const char *name,
3420 				     void **buffer, bool alloc)
3421 {
3422 	u32 size;
3423 	int error;
3424 	char *context = NULL;
3425 	struct inode_security_struct *isec;
3426 
3427 	/*
3428 	 * If we're not initialized yet, then we can't validate contexts, so
3429 	 * just let vfs_getxattr fall back to using the on-disk xattr.
3430 	 */
3431 	if (!selinux_initialized() ||
3432 	    strcmp(name, XATTR_SELINUX_SUFFIX))
3433 		return -EOPNOTSUPP;
3434 
3435 	/*
3436 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3437 	 * value even if it is not defined by current policy; otherwise,
3438 	 * use the in-core value under current policy.
3439 	 * Use the non-auditing forms of the permission checks since
3440 	 * getxattr may be called by unprivileged processes commonly
3441 	 * and lack of permission just means that we fall back to the
3442 	 * in-core context value, not a denial.
3443 	 */
3444 	isec = inode_security(inode);
3445 	if (has_cap_mac_admin(false))
3446 		error = security_sid_to_context_force(isec->sid, &context,
3447 						      &size);
3448 	else
3449 		error = security_sid_to_context(isec->sid,
3450 						&context, &size);
3451 	if (error)
3452 		return error;
3453 	error = size;
3454 	if (alloc) {
3455 		*buffer = context;
3456 		goto out_nofree;
3457 	}
3458 	kfree(context);
3459 out_nofree:
3460 	return error;
3461 }
3462 
selinux_inode_setsecurity(struct inode * inode,const char * name,const void * value,size_t size,int flags)3463 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3464 				     const void *value, size_t size, int flags)
3465 {
3466 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3467 	struct superblock_security_struct *sbsec;
3468 	u32 newsid;
3469 	int rc;
3470 
3471 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3472 		return -EOPNOTSUPP;
3473 
3474 	sbsec = selinux_superblock(inode->i_sb);
3475 	if (!(sbsec->flags & SBLABEL_MNT))
3476 		return -EOPNOTSUPP;
3477 
3478 	if (!value || !size)
3479 		return -EACCES;
3480 
3481 	rc = security_context_to_sid(value, size, &newsid,
3482 				     GFP_KERNEL);
3483 	if (rc)
3484 		return rc;
3485 
3486 	spin_lock(&isec->lock);
3487 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3488 	isec->sid = newsid;
3489 	isec->initialized = LABEL_INITIALIZED;
3490 	spin_unlock(&isec->lock);
3491 	return 0;
3492 }
3493 
selinux_inode_listsecurity(struct inode * inode,char * buffer,size_t buffer_size)3494 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3495 {
3496 	const int len = sizeof(XATTR_NAME_SELINUX);
3497 
3498 	if (!selinux_initialized())
3499 		return 0;
3500 
3501 	if (buffer && len <= buffer_size)
3502 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3503 	return len;
3504 }
3505 
selinux_inode_getsecid(struct inode * inode,u32 * secid)3506 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3507 {
3508 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3509 	*secid = isec->sid;
3510 }
3511 
selinux_inode_copy_up(struct dentry * src,struct cred ** new)3512 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3513 {
3514 	u32 sid;
3515 	struct task_security_struct *tsec;
3516 	struct cred *new_creds = *new;
3517 
3518 	if (new_creds == NULL) {
3519 		new_creds = prepare_creds();
3520 		if (!new_creds)
3521 			return -ENOMEM;
3522 	}
3523 
3524 	tsec = selinux_cred(new_creds);
3525 	/* Get label from overlay inode and set it in create_sid */
3526 	selinux_inode_getsecid(d_inode(src), &sid);
3527 	tsec->create_sid = sid;
3528 	*new = new_creds;
3529 	return 0;
3530 }
3531 
selinux_inode_copy_up_xattr(struct dentry * dentry,const char * name)3532 static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name)
3533 {
3534 	/* The copy_up hook above sets the initial context on an inode, but we
3535 	 * don't then want to overwrite it by blindly copying all the lower
3536 	 * xattrs up.  Instead, filter out SELinux-related xattrs following
3537 	 * policy load.
3538 	 */
3539 	if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX))
3540 		return -ECANCELED; /* Discard */
3541 	/*
3542 	 * Any other attribute apart from SELINUX is not claimed, supported
3543 	 * by selinux.
3544 	 */
3545 	return -EOPNOTSUPP;
3546 }
3547 
3548 /* kernfs node operations */
3549 
selinux_kernfs_init_security(struct kernfs_node * kn_dir,struct kernfs_node * kn)3550 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3551 					struct kernfs_node *kn)
3552 {
3553 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3554 	u32 parent_sid, newsid, clen;
3555 	int rc;
3556 	char *context;
3557 
3558 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3559 	if (rc == -ENODATA)
3560 		return 0;
3561 	else if (rc < 0)
3562 		return rc;
3563 
3564 	clen = (u32)rc;
3565 	context = kmalloc(clen, GFP_KERNEL);
3566 	if (!context)
3567 		return -ENOMEM;
3568 
3569 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3570 	if (rc < 0) {
3571 		kfree(context);
3572 		return rc;
3573 	}
3574 
3575 	rc = security_context_to_sid(context, clen, &parent_sid,
3576 				     GFP_KERNEL);
3577 	kfree(context);
3578 	if (rc)
3579 		return rc;
3580 
3581 	if (tsec->create_sid) {
3582 		newsid = tsec->create_sid;
3583 	} else {
3584 		u16 secclass = inode_mode_to_security_class(kn->mode);
3585 		struct qstr q;
3586 
3587 		q.name = kn->name;
3588 		q.hash_len = hashlen_string(kn_dir, kn->name);
3589 
3590 		rc = security_transition_sid(tsec->sid,
3591 					     parent_sid, secclass, &q,
3592 					     &newsid);
3593 		if (rc)
3594 			return rc;
3595 	}
3596 
3597 	rc = security_sid_to_context_force(newsid,
3598 					   &context, &clen);
3599 	if (rc)
3600 		return rc;
3601 
3602 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3603 			      XATTR_CREATE);
3604 	kfree(context);
3605 	return rc;
3606 }
3607 
3608 
3609 /* file security operations */
3610 
selinux_revalidate_file_permission(struct file * file,int mask)3611 static int selinux_revalidate_file_permission(struct file *file, int mask)
3612 {
3613 	const struct cred *cred = current_cred();
3614 	struct inode *inode = file_inode(file);
3615 
3616 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3617 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3618 		mask |= MAY_APPEND;
3619 
3620 	return file_has_perm(cred, file,
3621 			     file_mask_to_av(inode->i_mode, mask));
3622 }
3623 
selinux_file_permission(struct file * file,int mask)3624 static int selinux_file_permission(struct file *file, int mask)
3625 {
3626 	struct inode *inode = file_inode(file);
3627 	struct file_security_struct *fsec = selinux_file(file);
3628 	struct inode_security_struct *isec;
3629 	u32 sid = current_sid();
3630 
3631 	if (!mask)
3632 		/* No permission to check.  Existence test. */
3633 		return 0;
3634 
3635 	isec = inode_security(inode);
3636 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3637 	    fsec->pseqno == avc_policy_seqno())
3638 		/* No change since file_open check. */
3639 		return 0;
3640 
3641 	return selinux_revalidate_file_permission(file, mask);
3642 }
3643 
selinux_file_alloc_security(struct file * file)3644 static int selinux_file_alloc_security(struct file *file)
3645 {
3646 	struct file_security_struct *fsec = selinux_file(file);
3647 	u32 sid = current_sid();
3648 
3649 	fsec->sid = sid;
3650 	fsec->fown_sid = sid;
3651 
3652 	return 0;
3653 }
3654 
3655 /*
3656  * Check whether a task has the ioctl permission and cmd
3657  * operation to an inode.
3658  */
ioctl_has_perm(const struct cred * cred,struct file * file,u32 requested,u16 cmd)3659 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3660 		u32 requested, u16 cmd)
3661 {
3662 	struct common_audit_data ad;
3663 	struct file_security_struct *fsec = selinux_file(file);
3664 	struct inode *inode = file_inode(file);
3665 	struct inode_security_struct *isec;
3666 	struct lsm_ioctlop_audit ioctl;
3667 	u32 ssid = cred_sid(cred);
3668 	int rc;
3669 	u8 driver = cmd >> 8;
3670 	u8 xperm = cmd & 0xff;
3671 
3672 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3673 	ad.u.op = &ioctl;
3674 	ad.u.op->cmd = cmd;
3675 	ad.u.op->path = file->f_path;
3676 
3677 	if (ssid != fsec->sid) {
3678 		rc = avc_has_perm(ssid, fsec->sid,
3679 				SECCLASS_FD,
3680 				FD__USE,
3681 				&ad);
3682 		if (rc)
3683 			goto out;
3684 	}
3685 
3686 	if (unlikely(IS_PRIVATE(inode)))
3687 		return 0;
3688 
3689 	isec = inode_security(inode);
3690 	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3691 				    requested, driver, xperm, &ad);
3692 out:
3693 	return rc;
3694 }
3695 
selinux_file_ioctl(struct file * file,unsigned int cmd,unsigned long arg)3696 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3697 			      unsigned long arg)
3698 {
3699 	const struct cred *cred = current_cred();
3700 	int error = 0;
3701 
3702 	switch (cmd) {
3703 	case FIONREAD:
3704 	case FIBMAP:
3705 	case FIGETBSZ:
3706 	case FS_IOC_GETFLAGS:
3707 	case FS_IOC_GETVERSION:
3708 		error = file_has_perm(cred, file, FILE__GETATTR);
3709 		break;
3710 
3711 	case FS_IOC_SETFLAGS:
3712 	case FS_IOC_SETVERSION:
3713 		error = file_has_perm(cred, file, FILE__SETATTR);
3714 		break;
3715 
3716 	/* sys_ioctl() checks */
3717 	case FIONBIO:
3718 	case FIOASYNC:
3719 		error = file_has_perm(cred, file, 0);
3720 		break;
3721 
3722 	case KDSKBENT:
3723 	case KDSKBSENT:
3724 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3725 					    CAP_OPT_NONE, true);
3726 		break;
3727 
3728 	case FIOCLEX:
3729 	case FIONCLEX:
3730 		if (!selinux_policycap_ioctl_skip_cloexec())
3731 			error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3732 		break;
3733 
3734 	/* default case assumes that the command will go
3735 	 * to the file's ioctl() function.
3736 	 */
3737 	default:
3738 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3739 	}
3740 	return error;
3741 }
3742 
selinux_file_ioctl_compat(struct file * file,unsigned int cmd,unsigned long arg)3743 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3744 			      unsigned long arg)
3745 {
3746 	/*
3747 	 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3748 	 * make sure we don't compare 32-bit flags to 64-bit flags.
3749 	 */
3750 	switch (cmd) {
3751 	case FS_IOC32_GETFLAGS:
3752 		cmd = FS_IOC_GETFLAGS;
3753 		break;
3754 	case FS_IOC32_SETFLAGS:
3755 		cmd = FS_IOC_SETFLAGS;
3756 		break;
3757 	case FS_IOC32_GETVERSION:
3758 		cmd = FS_IOC_GETVERSION;
3759 		break;
3760 	case FS_IOC32_SETVERSION:
3761 		cmd = FS_IOC_SETVERSION;
3762 		break;
3763 	default:
3764 		break;
3765 	}
3766 
3767 	return selinux_file_ioctl(file, cmd, arg);
3768 }
3769 
3770 static int default_noexec __ro_after_init;
3771 
file_map_prot_check(struct file * file,unsigned long prot,int shared)3772 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3773 {
3774 	const struct cred *cred = current_cred();
3775 	u32 sid = cred_sid(cred);
3776 	int rc = 0;
3777 
3778 	if (default_noexec &&
3779 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3780 				   (!shared && (prot & PROT_WRITE)))) {
3781 		/*
3782 		 * We are making executable an anonymous mapping or a
3783 		 * private file mapping that will also be writable.
3784 		 * This has an additional check.
3785 		 */
3786 		rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3787 				  PROCESS__EXECMEM, NULL);
3788 		if (rc)
3789 			goto error;
3790 	}
3791 
3792 	if (file) {
3793 		/* read access is always possible with a mapping */
3794 		u32 av = FILE__READ;
3795 
3796 		/* write access only matters if the mapping is shared */
3797 		if (shared && (prot & PROT_WRITE))
3798 			av |= FILE__WRITE;
3799 
3800 		if (prot & PROT_EXEC)
3801 			av |= FILE__EXECUTE;
3802 
3803 		return file_has_perm(cred, file, av);
3804 	}
3805 
3806 error:
3807 	return rc;
3808 }
3809 
selinux_mmap_addr(unsigned long addr)3810 static int selinux_mmap_addr(unsigned long addr)
3811 {
3812 	int rc = 0;
3813 
3814 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3815 		u32 sid = current_sid();
3816 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3817 				  MEMPROTECT__MMAP_ZERO, NULL);
3818 	}
3819 
3820 	return rc;
3821 }
3822 
selinux_mmap_file(struct file * file,unsigned long reqprot __always_unused,unsigned long prot,unsigned long flags)3823 static int selinux_mmap_file(struct file *file,
3824 			     unsigned long reqprot __always_unused,
3825 			     unsigned long prot, unsigned long flags)
3826 {
3827 	struct common_audit_data ad;
3828 	int rc;
3829 
3830 	if (file) {
3831 		ad.type = LSM_AUDIT_DATA_FILE;
3832 		ad.u.file = file;
3833 		rc = inode_has_perm(current_cred(), file_inode(file),
3834 				    FILE__MAP, &ad);
3835 		if (rc)
3836 			return rc;
3837 	}
3838 
3839 	return file_map_prot_check(file, prot,
3840 				   (flags & MAP_TYPE) == MAP_SHARED);
3841 }
3842 
selinux_file_mprotect(struct vm_area_struct * vma,unsigned long reqprot __always_unused,unsigned long prot)3843 static int selinux_file_mprotect(struct vm_area_struct *vma,
3844 				 unsigned long reqprot __always_unused,
3845 				 unsigned long prot)
3846 {
3847 	const struct cred *cred = current_cred();
3848 	u32 sid = cred_sid(cred);
3849 
3850 	if (default_noexec &&
3851 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3852 		int rc = 0;
3853 		/*
3854 		 * We don't use the vma_is_initial_heap() helper as it has
3855 		 * a history of problems and is currently broken on systems
3856 		 * where there is no heap, e.g. brk == start_brk.  Before
3857 		 * replacing the conditional below with vma_is_initial_heap(),
3858 		 * or something similar, please ensure that the logic is the
3859 		 * same as what we have below or you have tested every possible
3860 		 * corner case you can think to test.
3861 		 */
3862 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3863 		    vma->vm_end <= vma->vm_mm->brk) {
3864 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3865 					  PROCESS__EXECHEAP, NULL);
3866 		} else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
3867 			    vma_is_stack_for_current(vma))) {
3868 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3869 					  PROCESS__EXECSTACK, NULL);
3870 		} else if (vma->vm_file && vma->anon_vma) {
3871 			/*
3872 			 * We are making executable a file mapping that has
3873 			 * had some COW done. Since pages might have been
3874 			 * written, check ability to execute the possibly
3875 			 * modified content.  This typically should only
3876 			 * occur for text relocations.
3877 			 */
3878 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3879 		}
3880 		if (rc)
3881 			return rc;
3882 	}
3883 
3884 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3885 }
3886 
selinux_file_lock(struct file * file,unsigned int cmd)3887 static int selinux_file_lock(struct file *file, unsigned int cmd)
3888 {
3889 	const struct cred *cred = current_cred();
3890 
3891 	return file_has_perm(cred, file, FILE__LOCK);
3892 }
3893 
selinux_file_fcntl(struct file * file,unsigned int cmd,unsigned long arg)3894 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3895 			      unsigned long arg)
3896 {
3897 	const struct cred *cred = current_cred();
3898 	int err = 0;
3899 
3900 	switch (cmd) {
3901 	case F_SETFL:
3902 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3903 			err = file_has_perm(cred, file, FILE__WRITE);
3904 			break;
3905 		}
3906 		fallthrough;
3907 	case F_SETOWN:
3908 	case F_SETSIG:
3909 	case F_GETFL:
3910 	case F_GETOWN:
3911 	case F_GETSIG:
3912 	case F_GETOWNER_UIDS:
3913 		/* Just check FD__USE permission */
3914 		err = file_has_perm(cred, file, 0);
3915 		break;
3916 	case F_GETLK:
3917 	case F_SETLK:
3918 	case F_SETLKW:
3919 	case F_OFD_GETLK:
3920 	case F_OFD_SETLK:
3921 	case F_OFD_SETLKW:
3922 #if BITS_PER_LONG == 32
3923 	case F_GETLK64:
3924 	case F_SETLK64:
3925 	case F_SETLKW64:
3926 #endif
3927 		err = file_has_perm(cred, file, FILE__LOCK);
3928 		break;
3929 	}
3930 
3931 	return err;
3932 }
3933 
selinux_file_set_fowner(struct file * file)3934 static void selinux_file_set_fowner(struct file *file)
3935 {
3936 	struct file_security_struct *fsec;
3937 
3938 	fsec = selinux_file(file);
3939 	fsec->fown_sid = current_sid();
3940 }
3941 
selinux_file_send_sigiotask(struct task_struct * tsk,struct fown_struct * fown,int signum)3942 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3943 				       struct fown_struct *fown, int signum)
3944 {
3945 	struct file *file;
3946 	u32 sid = task_sid_obj(tsk);
3947 	u32 perm;
3948 	struct file_security_struct *fsec;
3949 
3950 	/* struct fown_struct is never outside the context of a struct file */
3951 	file = fown->file;
3952 
3953 	fsec = selinux_file(file);
3954 
3955 	if (!signum)
3956 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3957 	else
3958 		perm = signal_to_av(signum);
3959 
3960 	return avc_has_perm(fsec->fown_sid, sid,
3961 			    SECCLASS_PROCESS, perm, NULL);
3962 }
3963 
selinux_file_receive(struct file * file)3964 static int selinux_file_receive(struct file *file)
3965 {
3966 	const struct cred *cred = current_cred();
3967 
3968 	return file_has_perm(cred, file, file_to_av(file));
3969 }
3970 
selinux_file_open(struct file * file)3971 static int selinux_file_open(struct file *file)
3972 {
3973 	struct file_security_struct *fsec;
3974 	struct inode_security_struct *isec;
3975 
3976 	fsec = selinux_file(file);
3977 	isec = inode_security(file_inode(file));
3978 	/*
3979 	 * Save inode label and policy sequence number
3980 	 * at open-time so that selinux_file_permission
3981 	 * can determine whether revalidation is necessary.
3982 	 * Task label is already saved in the file security
3983 	 * struct as its SID.
3984 	 */
3985 	fsec->isid = isec->sid;
3986 	fsec->pseqno = avc_policy_seqno();
3987 	/*
3988 	 * Since the inode label or policy seqno may have changed
3989 	 * between the selinux_inode_permission check and the saving
3990 	 * of state above, recheck that access is still permitted.
3991 	 * Otherwise, access might never be revalidated against the
3992 	 * new inode label or new policy.
3993 	 * This check is not redundant - do not remove.
3994 	 */
3995 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3996 }
3997 
3998 /* task security operations */
3999 
selinux_task_alloc(struct task_struct * task,unsigned long clone_flags)4000 static int selinux_task_alloc(struct task_struct *task,
4001 			      unsigned long clone_flags)
4002 {
4003 	u32 sid = current_sid();
4004 
4005 	return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
4006 }
4007 
4008 /*
4009  * prepare a new set of credentials for modification
4010  */
selinux_cred_prepare(struct cred * new,const struct cred * old,gfp_t gfp)4011 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
4012 				gfp_t gfp)
4013 {
4014 	const struct task_security_struct *old_tsec = selinux_cred(old);
4015 	struct task_security_struct *tsec = selinux_cred(new);
4016 
4017 	*tsec = *old_tsec;
4018 	return 0;
4019 }
4020 
4021 /*
4022  * transfer the SELinux data to a blank set of creds
4023  */
selinux_cred_transfer(struct cred * new,const struct cred * old)4024 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4025 {
4026 	const struct task_security_struct *old_tsec = selinux_cred(old);
4027 	struct task_security_struct *tsec = selinux_cred(new);
4028 
4029 	*tsec = *old_tsec;
4030 }
4031 
selinux_cred_getsecid(const struct cred * c,u32 * secid)4032 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4033 {
4034 	*secid = cred_sid(c);
4035 }
4036 
4037 /*
4038  * set the security data for a kernel service
4039  * - all the creation contexts are set to unlabelled
4040  */
selinux_kernel_act_as(struct cred * new,u32 secid)4041 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4042 {
4043 	struct task_security_struct *tsec = selinux_cred(new);
4044 	u32 sid = current_sid();
4045 	int ret;
4046 
4047 	ret = avc_has_perm(sid, secid,
4048 			   SECCLASS_KERNEL_SERVICE,
4049 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
4050 			   NULL);
4051 	if (ret == 0) {
4052 		tsec->sid = secid;
4053 		tsec->create_sid = 0;
4054 		tsec->keycreate_sid = 0;
4055 		tsec->sockcreate_sid = 0;
4056 	}
4057 	return ret;
4058 }
4059 
4060 /*
4061  * set the file creation context in a security record to the same as the
4062  * objective context of the specified inode
4063  */
selinux_kernel_create_files_as(struct cred * new,struct inode * inode)4064 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4065 {
4066 	struct inode_security_struct *isec = inode_security(inode);
4067 	struct task_security_struct *tsec = selinux_cred(new);
4068 	u32 sid = current_sid();
4069 	int ret;
4070 
4071 	ret = avc_has_perm(sid, isec->sid,
4072 			   SECCLASS_KERNEL_SERVICE,
4073 			   KERNEL_SERVICE__CREATE_FILES_AS,
4074 			   NULL);
4075 
4076 	if (ret == 0)
4077 		tsec->create_sid = isec->sid;
4078 	return ret;
4079 }
4080 
selinux_kernel_module_request(char * kmod_name)4081 static int selinux_kernel_module_request(char *kmod_name)
4082 {
4083 	struct common_audit_data ad;
4084 
4085 	ad.type = LSM_AUDIT_DATA_KMOD;
4086 	ad.u.kmod_name = kmod_name;
4087 
4088 	return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4089 			    SYSTEM__MODULE_REQUEST, &ad);
4090 }
4091 
selinux_kernel_module_from_file(struct file * file)4092 static int selinux_kernel_module_from_file(struct file *file)
4093 {
4094 	struct common_audit_data ad;
4095 	struct inode_security_struct *isec;
4096 	struct file_security_struct *fsec;
4097 	u32 sid = current_sid();
4098 	int rc;
4099 
4100 	/* init_module */
4101 	if (file == NULL)
4102 		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
4103 					SYSTEM__MODULE_LOAD, NULL);
4104 
4105 	/* finit_module */
4106 
4107 	ad.type = LSM_AUDIT_DATA_FILE;
4108 	ad.u.file = file;
4109 
4110 	fsec = selinux_file(file);
4111 	if (sid != fsec->sid) {
4112 		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4113 		if (rc)
4114 			return rc;
4115 	}
4116 
4117 	isec = inode_security(file_inode(file));
4118 	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
4119 				SYSTEM__MODULE_LOAD, &ad);
4120 }
4121 
selinux_kernel_read_file(struct file * file,enum kernel_read_file_id id,bool contents)4122 static int selinux_kernel_read_file(struct file *file,
4123 				    enum kernel_read_file_id id,
4124 				    bool contents)
4125 {
4126 	int rc = 0;
4127 
4128 	switch (id) {
4129 	case READING_MODULE:
4130 		rc = selinux_kernel_module_from_file(contents ? file : NULL);
4131 		break;
4132 	default:
4133 		break;
4134 	}
4135 
4136 	return rc;
4137 }
4138 
selinux_kernel_load_data(enum kernel_load_data_id id,bool contents)4139 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4140 {
4141 	int rc = 0;
4142 
4143 	switch (id) {
4144 	case LOADING_MODULE:
4145 		rc = selinux_kernel_module_from_file(NULL);
4146 		break;
4147 	default:
4148 		break;
4149 	}
4150 
4151 	return rc;
4152 }
4153 
selinux_task_setpgid(struct task_struct * p,pid_t pgid)4154 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4155 {
4156 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4157 			    PROCESS__SETPGID, NULL);
4158 }
4159 
selinux_task_getpgid(struct task_struct * p)4160 static int selinux_task_getpgid(struct task_struct *p)
4161 {
4162 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4163 			    PROCESS__GETPGID, NULL);
4164 }
4165 
selinux_task_getsid(struct task_struct * p)4166 static int selinux_task_getsid(struct task_struct *p)
4167 {
4168 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4169 			    PROCESS__GETSESSION, NULL);
4170 }
4171 
selinux_current_getsecid_subj(u32 * secid)4172 static void selinux_current_getsecid_subj(u32 *secid)
4173 {
4174 	*secid = current_sid();
4175 }
4176 
selinux_task_getsecid_obj(struct task_struct * p,u32 * secid)4177 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4178 {
4179 	*secid = task_sid_obj(p);
4180 }
4181 
selinux_task_setnice(struct task_struct * p,int nice)4182 static int selinux_task_setnice(struct task_struct *p, int nice)
4183 {
4184 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4185 			    PROCESS__SETSCHED, NULL);
4186 }
4187 
selinux_task_setioprio(struct task_struct * p,int ioprio)4188 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4189 {
4190 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4191 			    PROCESS__SETSCHED, NULL);
4192 }
4193 
selinux_task_getioprio(struct task_struct * p)4194 static int selinux_task_getioprio(struct task_struct *p)
4195 {
4196 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4197 			    PROCESS__GETSCHED, NULL);
4198 }
4199 
selinux_task_prlimit(const struct cred * cred,const struct cred * tcred,unsigned int flags)4200 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4201 				unsigned int flags)
4202 {
4203 	u32 av = 0;
4204 
4205 	if (!flags)
4206 		return 0;
4207 	if (flags & LSM_PRLIMIT_WRITE)
4208 		av |= PROCESS__SETRLIMIT;
4209 	if (flags & LSM_PRLIMIT_READ)
4210 		av |= PROCESS__GETRLIMIT;
4211 	return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4212 			    SECCLASS_PROCESS, av, NULL);
4213 }
4214 
selinux_task_setrlimit(struct task_struct * p,unsigned int resource,struct rlimit * new_rlim)4215 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4216 		struct rlimit *new_rlim)
4217 {
4218 	struct rlimit *old_rlim = p->signal->rlim + resource;
4219 
4220 	/* Control the ability to change the hard limit (whether
4221 	   lowering or raising it), so that the hard limit can
4222 	   later be used as a safe reset point for the soft limit
4223 	   upon context transitions.  See selinux_bprm_committing_creds. */
4224 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4225 		return avc_has_perm(current_sid(), task_sid_obj(p),
4226 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4227 
4228 	return 0;
4229 }
4230 
selinux_task_setscheduler(struct task_struct * p)4231 static int selinux_task_setscheduler(struct task_struct *p)
4232 {
4233 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4234 			    PROCESS__SETSCHED, NULL);
4235 }
4236 
selinux_task_getscheduler(struct task_struct * p)4237 static int selinux_task_getscheduler(struct task_struct *p)
4238 {
4239 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4240 			    PROCESS__GETSCHED, NULL);
4241 }
4242 
selinux_task_movememory(struct task_struct * p)4243 static int selinux_task_movememory(struct task_struct *p)
4244 {
4245 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4246 			    PROCESS__SETSCHED, NULL);
4247 }
4248 
selinux_task_kill(struct task_struct * p,struct kernel_siginfo * info,int sig,const struct cred * cred)4249 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4250 				int sig, const struct cred *cred)
4251 {
4252 	u32 secid;
4253 	u32 perm;
4254 
4255 	if (!sig)
4256 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4257 	else
4258 		perm = signal_to_av(sig);
4259 	if (!cred)
4260 		secid = current_sid();
4261 	else
4262 		secid = cred_sid(cred);
4263 	return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4264 }
4265 
selinux_task_to_inode(struct task_struct * p,struct inode * inode)4266 static void selinux_task_to_inode(struct task_struct *p,
4267 				  struct inode *inode)
4268 {
4269 	struct inode_security_struct *isec = selinux_inode(inode);
4270 	u32 sid = task_sid_obj(p);
4271 
4272 	spin_lock(&isec->lock);
4273 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4274 	isec->sid = sid;
4275 	isec->initialized = LABEL_INITIALIZED;
4276 	spin_unlock(&isec->lock);
4277 }
4278 
selinux_userns_create(const struct cred * cred)4279 static int selinux_userns_create(const struct cred *cred)
4280 {
4281 	u32 sid = current_sid();
4282 
4283 	return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE,
4284 			USER_NAMESPACE__CREATE, NULL);
4285 }
4286 
4287 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv4(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4288 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4289 			struct common_audit_data *ad, u8 *proto)
4290 {
4291 	int offset, ihlen, ret = -EINVAL;
4292 	struct iphdr _iph, *ih;
4293 
4294 	offset = skb_network_offset(skb);
4295 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4296 	if (ih == NULL)
4297 		goto out;
4298 
4299 	ihlen = ih->ihl * 4;
4300 	if (ihlen < sizeof(_iph))
4301 		goto out;
4302 
4303 	ad->u.net->v4info.saddr = ih->saddr;
4304 	ad->u.net->v4info.daddr = ih->daddr;
4305 	ret = 0;
4306 
4307 	if (proto)
4308 		*proto = ih->protocol;
4309 
4310 	switch (ih->protocol) {
4311 	case IPPROTO_TCP: {
4312 		struct tcphdr _tcph, *th;
4313 
4314 		if (ntohs(ih->frag_off) & IP_OFFSET)
4315 			break;
4316 
4317 		offset += ihlen;
4318 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4319 		if (th == NULL)
4320 			break;
4321 
4322 		ad->u.net->sport = th->source;
4323 		ad->u.net->dport = th->dest;
4324 		break;
4325 	}
4326 
4327 	case IPPROTO_UDP: {
4328 		struct udphdr _udph, *uh;
4329 
4330 		if (ntohs(ih->frag_off) & IP_OFFSET)
4331 			break;
4332 
4333 		offset += ihlen;
4334 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4335 		if (uh == NULL)
4336 			break;
4337 
4338 		ad->u.net->sport = uh->source;
4339 		ad->u.net->dport = uh->dest;
4340 		break;
4341 	}
4342 
4343 	case IPPROTO_DCCP: {
4344 		struct dccp_hdr _dccph, *dh;
4345 
4346 		if (ntohs(ih->frag_off) & IP_OFFSET)
4347 			break;
4348 
4349 		offset += ihlen;
4350 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4351 		if (dh == NULL)
4352 			break;
4353 
4354 		ad->u.net->sport = dh->dccph_sport;
4355 		ad->u.net->dport = dh->dccph_dport;
4356 		break;
4357 	}
4358 
4359 #if IS_ENABLED(CONFIG_IP_SCTP)
4360 	case IPPROTO_SCTP: {
4361 		struct sctphdr _sctph, *sh;
4362 
4363 		if (ntohs(ih->frag_off) & IP_OFFSET)
4364 			break;
4365 
4366 		offset += ihlen;
4367 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4368 		if (sh == NULL)
4369 			break;
4370 
4371 		ad->u.net->sport = sh->source;
4372 		ad->u.net->dport = sh->dest;
4373 		break;
4374 	}
4375 #endif
4376 	default:
4377 		break;
4378 	}
4379 out:
4380 	return ret;
4381 }
4382 
4383 #if IS_ENABLED(CONFIG_IPV6)
4384 
4385 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv6(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4386 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4387 			struct common_audit_data *ad, u8 *proto)
4388 {
4389 	u8 nexthdr;
4390 	int ret = -EINVAL, offset;
4391 	struct ipv6hdr _ipv6h, *ip6;
4392 	__be16 frag_off;
4393 
4394 	offset = skb_network_offset(skb);
4395 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4396 	if (ip6 == NULL)
4397 		goto out;
4398 
4399 	ad->u.net->v6info.saddr = ip6->saddr;
4400 	ad->u.net->v6info.daddr = ip6->daddr;
4401 	ret = 0;
4402 
4403 	nexthdr = ip6->nexthdr;
4404 	offset += sizeof(_ipv6h);
4405 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4406 	if (offset < 0)
4407 		goto out;
4408 
4409 	if (proto)
4410 		*proto = nexthdr;
4411 
4412 	switch (nexthdr) {
4413 	case IPPROTO_TCP: {
4414 		struct tcphdr _tcph, *th;
4415 
4416 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4417 		if (th == NULL)
4418 			break;
4419 
4420 		ad->u.net->sport = th->source;
4421 		ad->u.net->dport = th->dest;
4422 		break;
4423 	}
4424 
4425 	case IPPROTO_UDP: {
4426 		struct udphdr _udph, *uh;
4427 
4428 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4429 		if (uh == NULL)
4430 			break;
4431 
4432 		ad->u.net->sport = uh->source;
4433 		ad->u.net->dport = uh->dest;
4434 		break;
4435 	}
4436 
4437 	case IPPROTO_DCCP: {
4438 		struct dccp_hdr _dccph, *dh;
4439 
4440 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4441 		if (dh == NULL)
4442 			break;
4443 
4444 		ad->u.net->sport = dh->dccph_sport;
4445 		ad->u.net->dport = dh->dccph_dport;
4446 		break;
4447 	}
4448 
4449 #if IS_ENABLED(CONFIG_IP_SCTP)
4450 	case IPPROTO_SCTP: {
4451 		struct sctphdr _sctph, *sh;
4452 
4453 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4454 		if (sh == NULL)
4455 			break;
4456 
4457 		ad->u.net->sport = sh->source;
4458 		ad->u.net->dport = sh->dest;
4459 		break;
4460 	}
4461 #endif
4462 	/* includes fragments */
4463 	default:
4464 		break;
4465 	}
4466 out:
4467 	return ret;
4468 }
4469 
4470 #endif /* IPV6 */
4471 
selinux_parse_skb(struct sk_buff * skb,struct common_audit_data * ad,char ** _addrp,int src,u8 * proto)4472 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4473 			     char **_addrp, int src, u8 *proto)
4474 {
4475 	char *addrp;
4476 	int ret;
4477 
4478 	switch (ad->u.net->family) {
4479 	case PF_INET:
4480 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4481 		if (ret)
4482 			goto parse_error;
4483 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4484 				       &ad->u.net->v4info.daddr);
4485 		goto okay;
4486 
4487 #if IS_ENABLED(CONFIG_IPV6)
4488 	case PF_INET6:
4489 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4490 		if (ret)
4491 			goto parse_error;
4492 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4493 				       &ad->u.net->v6info.daddr);
4494 		goto okay;
4495 #endif	/* IPV6 */
4496 	default:
4497 		addrp = NULL;
4498 		goto okay;
4499 	}
4500 
4501 parse_error:
4502 	pr_warn(
4503 	       "SELinux: failure in selinux_parse_skb(),"
4504 	       " unable to parse packet\n");
4505 	return ret;
4506 
4507 okay:
4508 	if (_addrp)
4509 		*_addrp = addrp;
4510 	return 0;
4511 }
4512 
4513 /**
4514  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4515  * @skb: the packet
4516  * @family: protocol family
4517  * @sid: the packet's peer label SID
4518  *
4519  * Description:
4520  * Check the various different forms of network peer labeling and determine
4521  * the peer label/SID for the packet; most of the magic actually occurs in
4522  * the security server function security_net_peersid_cmp().  The function
4523  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4524  * or -EACCES if @sid is invalid due to inconsistencies with the different
4525  * peer labels.
4526  *
4527  */
selinux_skb_peerlbl_sid(struct sk_buff * skb,u16 family,u32 * sid)4528 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4529 {
4530 	int err;
4531 	u32 xfrm_sid;
4532 	u32 nlbl_sid;
4533 	u32 nlbl_type;
4534 
4535 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4536 	if (unlikely(err))
4537 		return -EACCES;
4538 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4539 	if (unlikely(err))
4540 		return -EACCES;
4541 
4542 	err = security_net_peersid_resolve(nlbl_sid,
4543 					   nlbl_type, xfrm_sid, sid);
4544 	if (unlikely(err)) {
4545 		pr_warn(
4546 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4547 		       " unable to determine packet's peer label\n");
4548 		return -EACCES;
4549 	}
4550 
4551 	return 0;
4552 }
4553 
4554 /**
4555  * selinux_conn_sid - Determine the child socket label for a connection
4556  * @sk_sid: the parent socket's SID
4557  * @skb_sid: the packet's SID
4558  * @conn_sid: the resulting connection SID
4559  *
4560  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4561  * combined with the MLS information from @skb_sid in order to create
4562  * @conn_sid.  If @skb_sid is not valid then @conn_sid is simply a copy
4563  * of @sk_sid.  Returns zero on success, negative values on failure.
4564  *
4565  */
selinux_conn_sid(u32 sk_sid,u32 skb_sid,u32 * conn_sid)4566 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4567 {
4568 	int err = 0;
4569 
4570 	if (skb_sid != SECSID_NULL)
4571 		err = security_sid_mls_copy(sk_sid, skb_sid,
4572 					    conn_sid);
4573 	else
4574 		*conn_sid = sk_sid;
4575 
4576 	return err;
4577 }
4578 
4579 /* socket security operations */
4580 
socket_sockcreate_sid(const struct task_security_struct * tsec,u16 secclass,u32 * socksid)4581 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4582 				 u16 secclass, u32 *socksid)
4583 {
4584 	if (tsec->sockcreate_sid > SECSID_NULL) {
4585 		*socksid = tsec->sockcreate_sid;
4586 		return 0;
4587 	}
4588 
4589 	return security_transition_sid(tsec->sid, tsec->sid,
4590 				       secclass, NULL, socksid);
4591 }
4592 
sock_has_perm(struct sock * sk,u32 perms)4593 static int sock_has_perm(struct sock *sk, u32 perms)
4594 {
4595 	struct sk_security_struct *sksec = selinux_sock(sk);
4596 	struct common_audit_data ad;
4597 	struct lsm_network_audit net;
4598 
4599 	if (sksec->sid == SECINITSID_KERNEL)
4600 		return 0;
4601 
4602 	/*
4603 	 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that
4604 	 * inherited the kernel context from early boot used to be skipped
4605 	 * here, so preserve that behavior unless the capability is set.
4606 	 *
4607 	 * By setting the capability the policy signals that it is ready
4608 	 * for this quirk to be fixed. Note that sockets created by a kernel
4609 	 * thread or a usermode helper executed without a transition will
4610 	 * still be skipped in this check regardless of the policycap
4611 	 * setting.
4612 	 */
4613 	if (!selinux_policycap_userspace_initial_context() &&
4614 	    sksec->sid == SECINITSID_INIT)
4615 		return 0;
4616 
4617 	ad_net_init_from_sk(&ad, &net, sk);
4618 
4619 	return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4620 			    &ad);
4621 }
4622 
selinux_socket_create(int family,int type,int protocol,int kern)4623 static int selinux_socket_create(int family, int type,
4624 				 int protocol, int kern)
4625 {
4626 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4627 	u32 newsid;
4628 	u16 secclass;
4629 	int rc;
4630 
4631 	if (kern)
4632 		return 0;
4633 
4634 	secclass = socket_type_to_security_class(family, type, protocol);
4635 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4636 	if (rc)
4637 		return rc;
4638 
4639 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4640 }
4641 
selinux_socket_post_create(struct socket * sock,int family,int type,int protocol,int kern)4642 static int selinux_socket_post_create(struct socket *sock, int family,
4643 				      int type, int protocol, int kern)
4644 {
4645 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4646 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4647 	struct sk_security_struct *sksec;
4648 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4649 	u32 sid = SECINITSID_KERNEL;
4650 	int err = 0;
4651 
4652 	if (!kern) {
4653 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4654 		if (err)
4655 			return err;
4656 	}
4657 
4658 	isec->sclass = sclass;
4659 	isec->sid = sid;
4660 	isec->initialized = LABEL_INITIALIZED;
4661 
4662 	if (sock->sk) {
4663 		sksec = selinux_sock(sock->sk);
4664 		sksec->sclass = sclass;
4665 		sksec->sid = sid;
4666 		/* Allows detection of the first association on this socket */
4667 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4668 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4669 
4670 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4671 	}
4672 
4673 	return err;
4674 }
4675 
selinux_socket_socketpair(struct socket * socka,struct socket * sockb)4676 static int selinux_socket_socketpair(struct socket *socka,
4677 				     struct socket *sockb)
4678 {
4679 	struct sk_security_struct *sksec_a = selinux_sock(socka->sk);
4680 	struct sk_security_struct *sksec_b = selinux_sock(sockb->sk);
4681 
4682 	sksec_a->peer_sid = sksec_b->sid;
4683 	sksec_b->peer_sid = sksec_a->sid;
4684 
4685 	return 0;
4686 }
4687 
4688 /* Range of port numbers used to automatically bind.
4689    Need to determine whether we should perform a name_bind
4690    permission check between the socket and the port number. */
4691 
selinux_socket_bind(struct socket * sock,struct sockaddr * address,int addrlen)4692 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4693 {
4694 	struct sock *sk = sock->sk;
4695 	struct sk_security_struct *sksec = selinux_sock(sk);
4696 	u16 family;
4697 	int err;
4698 
4699 	err = sock_has_perm(sk, SOCKET__BIND);
4700 	if (err)
4701 		goto out;
4702 
4703 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4704 	family = sk->sk_family;
4705 	if (family == PF_INET || family == PF_INET6) {
4706 		char *addrp;
4707 		struct common_audit_data ad;
4708 		struct lsm_network_audit net = {0,};
4709 		struct sockaddr_in *addr4 = NULL;
4710 		struct sockaddr_in6 *addr6 = NULL;
4711 		u16 family_sa;
4712 		unsigned short snum;
4713 		u32 sid, node_perm;
4714 
4715 		/*
4716 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4717 		 * that validates multiple binding addresses. Because of this
4718 		 * need to check address->sa_family as it is possible to have
4719 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4720 		 */
4721 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4722 			return -EINVAL;
4723 		family_sa = address->sa_family;
4724 		switch (family_sa) {
4725 		case AF_UNSPEC:
4726 		case AF_INET:
4727 			if (addrlen < sizeof(struct sockaddr_in))
4728 				return -EINVAL;
4729 			addr4 = (struct sockaddr_in *)address;
4730 			if (family_sa == AF_UNSPEC) {
4731 				if (family == PF_INET6) {
4732 					/* Length check from inet6_bind_sk() */
4733 					if (addrlen < SIN6_LEN_RFC2133)
4734 						return -EINVAL;
4735 					/* Family check from __inet6_bind() */
4736 					goto err_af;
4737 				}
4738 				/* see __inet_bind(), we only want to allow
4739 				 * AF_UNSPEC if the address is INADDR_ANY
4740 				 */
4741 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4742 					goto err_af;
4743 				family_sa = AF_INET;
4744 			}
4745 			snum = ntohs(addr4->sin_port);
4746 			addrp = (char *)&addr4->sin_addr.s_addr;
4747 			break;
4748 		case AF_INET6:
4749 			if (addrlen < SIN6_LEN_RFC2133)
4750 				return -EINVAL;
4751 			addr6 = (struct sockaddr_in6 *)address;
4752 			snum = ntohs(addr6->sin6_port);
4753 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4754 			break;
4755 		default:
4756 			goto err_af;
4757 		}
4758 
4759 		ad.type = LSM_AUDIT_DATA_NET;
4760 		ad.u.net = &net;
4761 		ad.u.net->sport = htons(snum);
4762 		ad.u.net->family = family_sa;
4763 
4764 		if (snum) {
4765 			int low, high;
4766 
4767 			inet_get_local_port_range(sock_net(sk), &low, &high);
4768 
4769 			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4770 			    snum < low || snum > high) {
4771 				err = sel_netport_sid(sk->sk_protocol,
4772 						      snum, &sid);
4773 				if (err)
4774 					goto out;
4775 				err = avc_has_perm(sksec->sid, sid,
4776 						   sksec->sclass,
4777 						   SOCKET__NAME_BIND, &ad);
4778 				if (err)
4779 					goto out;
4780 			}
4781 		}
4782 
4783 		switch (sksec->sclass) {
4784 		case SECCLASS_TCP_SOCKET:
4785 			node_perm = TCP_SOCKET__NODE_BIND;
4786 			break;
4787 
4788 		case SECCLASS_UDP_SOCKET:
4789 			node_perm = UDP_SOCKET__NODE_BIND;
4790 			break;
4791 
4792 		case SECCLASS_DCCP_SOCKET:
4793 			node_perm = DCCP_SOCKET__NODE_BIND;
4794 			break;
4795 
4796 		case SECCLASS_SCTP_SOCKET:
4797 			node_perm = SCTP_SOCKET__NODE_BIND;
4798 			break;
4799 
4800 		default:
4801 			node_perm = RAWIP_SOCKET__NODE_BIND;
4802 			break;
4803 		}
4804 
4805 		err = sel_netnode_sid(addrp, family_sa, &sid);
4806 		if (err)
4807 			goto out;
4808 
4809 		if (family_sa == AF_INET)
4810 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4811 		else
4812 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4813 
4814 		err = avc_has_perm(sksec->sid, sid,
4815 				   sksec->sclass, node_perm, &ad);
4816 		if (err)
4817 			goto out;
4818 	}
4819 out:
4820 	return err;
4821 err_af:
4822 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4823 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4824 		return -EINVAL;
4825 	return -EAFNOSUPPORT;
4826 }
4827 
4828 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4829  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4830  */
selinux_socket_connect_helper(struct socket * sock,struct sockaddr * address,int addrlen)4831 static int selinux_socket_connect_helper(struct socket *sock,
4832 					 struct sockaddr *address, int addrlen)
4833 {
4834 	struct sock *sk = sock->sk;
4835 	struct sk_security_struct *sksec = selinux_sock(sk);
4836 	int err;
4837 
4838 	err = sock_has_perm(sk, SOCKET__CONNECT);
4839 	if (err)
4840 		return err;
4841 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4842 		return -EINVAL;
4843 
4844 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4845 	 * way to disconnect the socket
4846 	 */
4847 	if (address->sa_family == AF_UNSPEC)
4848 		return 0;
4849 
4850 	/*
4851 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4852 	 * for the port.
4853 	 */
4854 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4855 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4856 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4857 		struct common_audit_data ad;
4858 		struct lsm_network_audit net = {0,};
4859 		struct sockaddr_in *addr4 = NULL;
4860 		struct sockaddr_in6 *addr6 = NULL;
4861 		unsigned short snum;
4862 		u32 sid, perm;
4863 
4864 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4865 		 * that validates multiple connect addresses. Because of this
4866 		 * need to check address->sa_family as it is possible to have
4867 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4868 		 */
4869 		switch (address->sa_family) {
4870 		case AF_INET:
4871 			addr4 = (struct sockaddr_in *)address;
4872 			if (addrlen < sizeof(struct sockaddr_in))
4873 				return -EINVAL;
4874 			snum = ntohs(addr4->sin_port);
4875 			break;
4876 		case AF_INET6:
4877 			addr6 = (struct sockaddr_in6 *)address;
4878 			if (addrlen < SIN6_LEN_RFC2133)
4879 				return -EINVAL;
4880 			snum = ntohs(addr6->sin6_port);
4881 			break;
4882 		default:
4883 			/* Note that SCTP services expect -EINVAL, whereas
4884 			 * others expect -EAFNOSUPPORT.
4885 			 */
4886 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4887 				return -EINVAL;
4888 			else
4889 				return -EAFNOSUPPORT;
4890 		}
4891 
4892 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4893 		if (err)
4894 			return err;
4895 
4896 		switch (sksec->sclass) {
4897 		case SECCLASS_TCP_SOCKET:
4898 			perm = TCP_SOCKET__NAME_CONNECT;
4899 			break;
4900 		case SECCLASS_DCCP_SOCKET:
4901 			perm = DCCP_SOCKET__NAME_CONNECT;
4902 			break;
4903 		case SECCLASS_SCTP_SOCKET:
4904 			perm = SCTP_SOCKET__NAME_CONNECT;
4905 			break;
4906 		}
4907 
4908 		ad.type = LSM_AUDIT_DATA_NET;
4909 		ad.u.net = &net;
4910 		ad.u.net->dport = htons(snum);
4911 		ad.u.net->family = address->sa_family;
4912 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4913 		if (err)
4914 			return err;
4915 	}
4916 
4917 	return 0;
4918 }
4919 
4920 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
selinux_socket_connect(struct socket * sock,struct sockaddr * address,int addrlen)4921 static int selinux_socket_connect(struct socket *sock,
4922 				  struct sockaddr *address, int addrlen)
4923 {
4924 	int err;
4925 	struct sock *sk = sock->sk;
4926 
4927 	err = selinux_socket_connect_helper(sock, address, addrlen);
4928 	if (err)
4929 		return err;
4930 
4931 	return selinux_netlbl_socket_connect(sk, address);
4932 }
4933 
selinux_socket_listen(struct socket * sock,int backlog)4934 static int selinux_socket_listen(struct socket *sock, int backlog)
4935 {
4936 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4937 }
4938 
selinux_socket_accept(struct socket * sock,struct socket * newsock)4939 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4940 {
4941 	int err;
4942 	struct inode_security_struct *isec;
4943 	struct inode_security_struct *newisec;
4944 	u16 sclass;
4945 	u32 sid;
4946 
4947 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4948 	if (err)
4949 		return err;
4950 
4951 	isec = inode_security_novalidate(SOCK_INODE(sock));
4952 	spin_lock(&isec->lock);
4953 	sclass = isec->sclass;
4954 	sid = isec->sid;
4955 	spin_unlock(&isec->lock);
4956 
4957 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4958 	newisec->sclass = sclass;
4959 	newisec->sid = sid;
4960 	newisec->initialized = LABEL_INITIALIZED;
4961 
4962 	return 0;
4963 }
4964 
selinux_socket_sendmsg(struct socket * sock,struct msghdr * msg,int size)4965 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4966 				  int size)
4967 {
4968 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4969 }
4970 
selinux_socket_recvmsg(struct socket * sock,struct msghdr * msg,int size,int flags)4971 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4972 				  int size, int flags)
4973 {
4974 	return sock_has_perm(sock->sk, SOCKET__READ);
4975 }
4976 
selinux_socket_getsockname(struct socket * sock)4977 static int selinux_socket_getsockname(struct socket *sock)
4978 {
4979 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4980 }
4981 
selinux_socket_getpeername(struct socket * sock)4982 static int selinux_socket_getpeername(struct socket *sock)
4983 {
4984 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4985 }
4986 
selinux_socket_setsockopt(struct socket * sock,int level,int optname)4987 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4988 {
4989 	int err;
4990 
4991 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4992 	if (err)
4993 		return err;
4994 
4995 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4996 }
4997 
selinux_socket_getsockopt(struct socket * sock,int level,int optname)4998 static int selinux_socket_getsockopt(struct socket *sock, int level,
4999 				     int optname)
5000 {
5001 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
5002 }
5003 
selinux_socket_shutdown(struct socket * sock,int how)5004 static int selinux_socket_shutdown(struct socket *sock, int how)
5005 {
5006 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
5007 }
5008 
selinux_socket_unix_stream_connect(struct sock * sock,struct sock * other,struct sock * newsk)5009 static int selinux_socket_unix_stream_connect(struct sock *sock,
5010 					      struct sock *other,
5011 					      struct sock *newsk)
5012 {
5013 	struct sk_security_struct *sksec_sock = selinux_sock(sock);
5014 	struct sk_security_struct *sksec_other = selinux_sock(other);
5015 	struct sk_security_struct *sksec_new = selinux_sock(newsk);
5016 	struct common_audit_data ad;
5017 	struct lsm_network_audit net;
5018 	int err;
5019 
5020 	ad_net_init_from_sk(&ad, &net, other);
5021 
5022 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
5023 			   sksec_other->sclass,
5024 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
5025 	if (err)
5026 		return err;
5027 
5028 	/* server child socket */
5029 	sksec_new->peer_sid = sksec_sock->sid;
5030 	err = security_sid_mls_copy(sksec_other->sid,
5031 				    sksec_sock->sid, &sksec_new->sid);
5032 	if (err)
5033 		return err;
5034 
5035 	/* connecting socket */
5036 	sksec_sock->peer_sid = sksec_new->sid;
5037 
5038 	return 0;
5039 }
5040 
selinux_socket_unix_may_send(struct socket * sock,struct socket * other)5041 static int selinux_socket_unix_may_send(struct socket *sock,
5042 					struct socket *other)
5043 {
5044 	struct sk_security_struct *ssec = selinux_sock(sock->sk);
5045 	struct sk_security_struct *osec = selinux_sock(other->sk);
5046 	struct common_audit_data ad;
5047 	struct lsm_network_audit net;
5048 
5049 	ad_net_init_from_sk(&ad, &net, other->sk);
5050 
5051 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5052 			    &ad);
5053 }
5054 
selinux_inet_sys_rcv_skb(struct net * ns,int ifindex,char * addrp,u16 family,u32 peer_sid,struct common_audit_data * ad)5055 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5056 				    char *addrp, u16 family, u32 peer_sid,
5057 				    struct common_audit_data *ad)
5058 {
5059 	int err;
5060 	u32 if_sid;
5061 	u32 node_sid;
5062 
5063 	err = sel_netif_sid(ns, ifindex, &if_sid);
5064 	if (err)
5065 		return err;
5066 	err = avc_has_perm(peer_sid, if_sid,
5067 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
5068 	if (err)
5069 		return err;
5070 
5071 	err = sel_netnode_sid(addrp, family, &node_sid);
5072 	if (err)
5073 		return err;
5074 	return avc_has_perm(peer_sid, node_sid,
5075 			    SECCLASS_NODE, NODE__RECVFROM, ad);
5076 }
5077 
selinux_sock_rcv_skb_compat(struct sock * sk,struct sk_buff * skb,u16 family)5078 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5079 				       u16 family)
5080 {
5081 	int err = 0;
5082 	struct sk_security_struct *sksec = selinux_sock(sk);
5083 	u32 sk_sid = sksec->sid;
5084 	struct common_audit_data ad;
5085 	struct lsm_network_audit net;
5086 	char *addrp;
5087 
5088 	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5089 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5090 	if (err)
5091 		return err;
5092 
5093 	if (selinux_secmark_enabled()) {
5094 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5095 				   PACKET__RECV, &ad);
5096 		if (err)
5097 			return err;
5098 	}
5099 
5100 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5101 	if (err)
5102 		return err;
5103 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5104 
5105 	return err;
5106 }
5107 
selinux_socket_sock_rcv_skb(struct sock * sk,struct sk_buff * skb)5108 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5109 {
5110 	int err, peerlbl_active, secmark_active;
5111 	struct sk_security_struct *sksec = selinux_sock(sk);
5112 	u16 family = sk->sk_family;
5113 	u32 sk_sid = sksec->sid;
5114 	struct common_audit_data ad;
5115 	struct lsm_network_audit net;
5116 	char *addrp;
5117 
5118 	if (family != PF_INET && family != PF_INET6)
5119 		return 0;
5120 
5121 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5122 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5123 		family = PF_INET;
5124 
5125 	/* If any sort of compatibility mode is enabled then handoff processing
5126 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5127 	 * special handling.  We do this in an attempt to keep this function
5128 	 * as fast and as clean as possible. */
5129 	if (!selinux_policycap_netpeer())
5130 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5131 
5132 	secmark_active = selinux_secmark_enabled();
5133 	peerlbl_active = selinux_peerlbl_enabled();
5134 	if (!secmark_active && !peerlbl_active)
5135 		return 0;
5136 
5137 	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5138 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5139 	if (err)
5140 		return err;
5141 
5142 	if (peerlbl_active) {
5143 		u32 peer_sid;
5144 
5145 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5146 		if (err)
5147 			return err;
5148 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5149 					       addrp, family, peer_sid, &ad);
5150 		if (err) {
5151 			selinux_netlbl_err(skb, family, err, 0);
5152 			return err;
5153 		}
5154 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
5155 				   PEER__RECV, &ad);
5156 		if (err) {
5157 			selinux_netlbl_err(skb, family, err, 0);
5158 			return err;
5159 		}
5160 	}
5161 
5162 	if (secmark_active) {
5163 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5164 				   PACKET__RECV, &ad);
5165 		if (err)
5166 			return err;
5167 	}
5168 
5169 	return err;
5170 }
5171 
selinux_socket_getpeersec_stream(struct socket * sock,sockptr_t optval,sockptr_t optlen,unsigned int len)5172 static int selinux_socket_getpeersec_stream(struct socket *sock,
5173 					    sockptr_t optval, sockptr_t optlen,
5174 					    unsigned int len)
5175 {
5176 	int err = 0;
5177 	char *scontext = NULL;
5178 	u32 scontext_len;
5179 	struct sk_security_struct *sksec = selinux_sock(sock->sk);
5180 	u32 peer_sid = SECSID_NULL;
5181 
5182 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5183 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5184 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5185 		peer_sid = sksec->peer_sid;
5186 	if (peer_sid == SECSID_NULL)
5187 		return -ENOPROTOOPT;
5188 
5189 	err = security_sid_to_context(peer_sid, &scontext,
5190 				      &scontext_len);
5191 	if (err)
5192 		return err;
5193 	if (scontext_len > len) {
5194 		err = -ERANGE;
5195 		goto out_len;
5196 	}
5197 
5198 	if (copy_to_sockptr(optval, scontext, scontext_len))
5199 		err = -EFAULT;
5200 out_len:
5201 	if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
5202 		err = -EFAULT;
5203 	kfree(scontext);
5204 	return err;
5205 }
5206 
selinux_socket_getpeersec_dgram(struct socket * sock,struct sk_buff * skb,u32 * secid)5207 static int selinux_socket_getpeersec_dgram(struct socket *sock,
5208 					   struct sk_buff *skb, u32 *secid)
5209 {
5210 	u32 peer_secid = SECSID_NULL;
5211 	u16 family;
5212 
5213 	if (skb && skb->protocol == htons(ETH_P_IP))
5214 		family = PF_INET;
5215 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5216 		family = PF_INET6;
5217 	else if (sock)
5218 		family = sock->sk->sk_family;
5219 	else {
5220 		*secid = SECSID_NULL;
5221 		return -EINVAL;
5222 	}
5223 
5224 	if (sock && family == PF_UNIX) {
5225 		struct inode_security_struct *isec;
5226 		isec = inode_security_novalidate(SOCK_INODE(sock));
5227 		peer_secid = isec->sid;
5228 	} else if (skb)
5229 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5230 
5231 	*secid = peer_secid;
5232 	if (peer_secid == SECSID_NULL)
5233 		return -ENOPROTOOPT;
5234 	return 0;
5235 }
5236 
selinux_sk_alloc_security(struct sock * sk,int family,gfp_t priority)5237 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5238 {
5239 	struct sk_security_struct *sksec = selinux_sock(sk);
5240 
5241 	sksec->peer_sid = SECINITSID_UNLABELED;
5242 	sksec->sid = SECINITSID_UNLABELED;
5243 	sksec->sclass = SECCLASS_SOCKET;
5244 	selinux_netlbl_sk_security_reset(sksec);
5245 
5246 	return 0;
5247 }
5248 
selinux_sk_free_security(struct sock * sk)5249 static void selinux_sk_free_security(struct sock *sk)
5250 {
5251 	struct sk_security_struct *sksec = selinux_sock(sk);
5252 
5253 	selinux_netlbl_sk_security_free(sksec);
5254 }
5255 
selinux_sk_clone_security(const struct sock * sk,struct sock * newsk)5256 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5257 {
5258 	struct sk_security_struct *sksec = selinux_sock(sk);
5259 	struct sk_security_struct *newsksec = selinux_sock(newsk);
5260 
5261 	newsksec->sid = sksec->sid;
5262 	newsksec->peer_sid = sksec->peer_sid;
5263 	newsksec->sclass = sksec->sclass;
5264 
5265 	selinux_netlbl_sk_security_reset(newsksec);
5266 }
5267 
selinux_sk_getsecid(const struct sock * sk,u32 * secid)5268 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid)
5269 {
5270 	if (!sk)
5271 		*secid = SECINITSID_ANY_SOCKET;
5272 	else {
5273 		const struct sk_security_struct *sksec = selinux_sock(sk);
5274 
5275 		*secid = sksec->sid;
5276 	}
5277 }
5278 
selinux_sock_graft(struct sock * sk,struct socket * parent)5279 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5280 {
5281 	struct inode_security_struct *isec =
5282 		inode_security_novalidate(SOCK_INODE(parent));
5283 	struct sk_security_struct *sksec = selinux_sock(sk);
5284 
5285 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5286 	    sk->sk_family == PF_UNIX)
5287 		isec->sid = sksec->sid;
5288 	sksec->sclass = isec->sclass;
5289 }
5290 
5291 /*
5292  * Determines peer_secid for the asoc and updates socket's peer label
5293  * if it's the first association on the socket.
5294  */
selinux_sctp_process_new_assoc(struct sctp_association * asoc,struct sk_buff * skb)5295 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5296 					  struct sk_buff *skb)
5297 {
5298 	struct sock *sk = asoc->base.sk;
5299 	u16 family = sk->sk_family;
5300 	struct sk_security_struct *sksec = selinux_sock(sk);
5301 	struct common_audit_data ad;
5302 	struct lsm_network_audit net;
5303 	int err;
5304 
5305 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5306 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5307 		family = PF_INET;
5308 
5309 	if (selinux_peerlbl_enabled()) {
5310 		asoc->peer_secid = SECSID_NULL;
5311 
5312 		/* This will return peer_sid = SECSID_NULL if there are
5313 		 * no peer labels, see security_net_peersid_resolve().
5314 		 */
5315 		err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5316 		if (err)
5317 			return err;
5318 
5319 		if (asoc->peer_secid == SECSID_NULL)
5320 			asoc->peer_secid = SECINITSID_UNLABELED;
5321 	} else {
5322 		asoc->peer_secid = SECINITSID_UNLABELED;
5323 	}
5324 
5325 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5326 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5327 
5328 		/* Here as first association on socket. As the peer SID
5329 		 * was allowed by peer recv (and the netif/node checks),
5330 		 * then it is approved by policy and used as the primary
5331 		 * peer SID for getpeercon(3).
5332 		 */
5333 		sksec->peer_sid = asoc->peer_secid;
5334 	} else if (sksec->peer_sid != asoc->peer_secid) {
5335 		/* Other association peer SIDs are checked to enforce
5336 		 * consistency among the peer SIDs.
5337 		 */
5338 		ad_net_init_from_sk(&ad, &net, asoc->base.sk);
5339 		err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
5340 				   sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5341 				   &ad);
5342 		if (err)
5343 			return err;
5344 	}
5345 	return 0;
5346 }
5347 
5348 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5349  * happens on an incoming connect(2), sctp_connectx(3) or
5350  * sctp_sendmsg(3) (with no association already present).
5351  */
selinux_sctp_assoc_request(struct sctp_association * asoc,struct sk_buff * skb)5352 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5353 				      struct sk_buff *skb)
5354 {
5355 	struct sk_security_struct *sksec = selinux_sock(asoc->base.sk);
5356 	u32 conn_sid;
5357 	int err;
5358 
5359 	if (!selinux_policycap_extsockclass())
5360 		return 0;
5361 
5362 	err = selinux_sctp_process_new_assoc(asoc, skb);
5363 	if (err)
5364 		return err;
5365 
5366 	/* Compute the MLS component for the connection and store
5367 	 * the information in asoc. This will be used by SCTP TCP type
5368 	 * sockets and peeled off connections as they cause a new
5369 	 * socket to be generated. selinux_sctp_sk_clone() will then
5370 	 * plug this into the new socket.
5371 	 */
5372 	err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5373 	if (err)
5374 		return err;
5375 
5376 	asoc->secid = conn_sid;
5377 
5378 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5379 	return selinux_netlbl_sctp_assoc_request(asoc, skb);
5380 }
5381 
5382 /* Called when SCTP receives a COOKIE ACK chunk as the final
5383  * response to an association request (initited by us).
5384  */
selinux_sctp_assoc_established(struct sctp_association * asoc,struct sk_buff * skb)5385 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5386 					  struct sk_buff *skb)
5387 {
5388 	struct sk_security_struct *sksec = selinux_sock(asoc->base.sk);
5389 
5390 	if (!selinux_policycap_extsockclass())
5391 		return 0;
5392 
5393 	/* Inherit secid from the parent socket - this will be picked up
5394 	 * by selinux_sctp_sk_clone() if the association gets peeled off
5395 	 * into a new socket.
5396 	 */
5397 	asoc->secid = sksec->sid;
5398 
5399 	return selinux_sctp_process_new_assoc(asoc, skb);
5400 }
5401 
5402 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5403  * based on their @optname.
5404  */
selinux_sctp_bind_connect(struct sock * sk,int optname,struct sockaddr * address,int addrlen)5405 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5406 				     struct sockaddr *address,
5407 				     int addrlen)
5408 {
5409 	int len, err = 0, walk_size = 0;
5410 	void *addr_buf;
5411 	struct sockaddr *addr;
5412 	struct socket *sock;
5413 
5414 	if (!selinux_policycap_extsockclass())
5415 		return 0;
5416 
5417 	/* Process one or more addresses that may be IPv4 or IPv6 */
5418 	sock = sk->sk_socket;
5419 	addr_buf = address;
5420 
5421 	while (walk_size < addrlen) {
5422 		if (walk_size + sizeof(sa_family_t) > addrlen)
5423 			return -EINVAL;
5424 
5425 		addr = addr_buf;
5426 		switch (addr->sa_family) {
5427 		case AF_UNSPEC:
5428 		case AF_INET:
5429 			len = sizeof(struct sockaddr_in);
5430 			break;
5431 		case AF_INET6:
5432 			len = sizeof(struct sockaddr_in6);
5433 			break;
5434 		default:
5435 			return -EINVAL;
5436 		}
5437 
5438 		if (walk_size + len > addrlen)
5439 			return -EINVAL;
5440 
5441 		err = -EINVAL;
5442 		switch (optname) {
5443 		/* Bind checks */
5444 		case SCTP_PRIMARY_ADDR:
5445 		case SCTP_SET_PEER_PRIMARY_ADDR:
5446 		case SCTP_SOCKOPT_BINDX_ADD:
5447 			err = selinux_socket_bind(sock, addr, len);
5448 			break;
5449 		/* Connect checks */
5450 		case SCTP_SOCKOPT_CONNECTX:
5451 		case SCTP_PARAM_SET_PRIMARY:
5452 		case SCTP_PARAM_ADD_IP:
5453 		case SCTP_SENDMSG_CONNECT:
5454 			err = selinux_socket_connect_helper(sock, addr, len);
5455 			if (err)
5456 				return err;
5457 
5458 			/* As selinux_sctp_bind_connect() is called by the
5459 			 * SCTP protocol layer, the socket is already locked,
5460 			 * therefore selinux_netlbl_socket_connect_locked()
5461 			 * is called here. The situations handled are:
5462 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5463 			 * whenever a new IP address is added or when a new
5464 			 * primary address is selected.
5465 			 * Note that an SCTP connect(2) call happens before
5466 			 * the SCTP protocol layer and is handled via
5467 			 * selinux_socket_connect().
5468 			 */
5469 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5470 			break;
5471 		}
5472 
5473 		if (err)
5474 			return err;
5475 
5476 		addr_buf += len;
5477 		walk_size += len;
5478 	}
5479 
5480 	return 0;
5481 }
5482 
5483 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
selinux_sctp_sk_clone(struct sctp_association * asoc,struct sock * sk,struct sock * newsk)5484 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5485 				  struct sock *newsk)
5486 {
5487 	struct sk_security_struct *sksec = selinux_sock(sk);
5488 	struct sk_security_struct *newsksec = selinux_sock(newsk);
5489 
5490 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5491 	 * the non-sctp clone version.
5492 	 */
5493 	if (!selinux_policycap_extsockclass())
5494 		return selinux_sk_clone_security(sk, newsk);
5495 
5496 	newsksec->sid = asoc->secid;
5497 	newsksec->peer_sid = asoc->peer_secid;
5498 	newsksec->sclass = sksec->sclass;
5499 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5500 }
5501 
selinux_mptcp_add_subflow(struct sock * sk,struct sock * ssk)5502 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
5503 {
5504 	struct sk_security_struct *ssksec = selinux_sock(ssk);
5505 	struct sk_security_struct *sksec = selinux_sock(sk);
5506 
5507 	ssksec->sclass = sksec->sclass;
5508 	ssksec->sid = sksec->sid;
5509 
5510 	/* replace the existing subflow label deleting the existing one
5511 	 * and re-recreating a new label using the updated context
5512 	 */
5513 	selinux_netlbl_sk_security_free(ssksec);
5514 	return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
5515 }
5516 
selinux_inet_conn_request(const struct sock * sk,struct sk_buff * skb,struct request_sock * req)5517 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5518 				     struct request_sock *req)
5519 {
5520 	struct sk_security_struct *sksec = selinux_sock(sk);
5521 	int err;
5522 	u16 family = req->rsk_ops->family;
5523 	u32 connsid;
5524 	u32 peersid;
5525 
5526 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5527 	if (err)
5528 		return err;
5529 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5530 	if (err)
5531 		return err;
5532 	req->secid = connsid;
5533 	req->peer_secid = peersid;
5534 
5535 	return selinux_netlbl_inet_conn_request(req, family);
5536 }
5537 
selinux_inet_csk_clone(struct sock * newsk,const struct request_sock * req)5538 static void selinux_inet_csk_clone(struct sock *newsk,
5539 				   const struct request_sock *req)
5540 {
5541 	struct sk_security_struct *newsksec = selinux_sock(newsk);
5542 
5543 	newsksec->sid = req->secid;
5544 	newsksec->peer_sid = req->peer_secid;
5545 	/* NOTE: Ideally, we should also get the isec->sid for the
5546 	   new socket in sync, but we don't have the isec available yet.
5547 	   So we will wait until sock_graft to do it, by which
5548 	   time it will have been created and available. */
5549 
5550 	/* We don't need to take any sort of lock here as we are the only
5551 	 * thread with access to newsksec */
5552 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5553 }
5554 
selinux_inet_conn_established(struct sock * sk,struct sk_buff * skb)5555 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5556 {
5557 	u16 family = sk->sk_family;
5558 	struct sk_security_struct *sksec = selinux_sock(sk);
5559 
5560 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5561 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5562 		family = PF_INET;
5563 
5564 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5565 }
5566 
selinux_secmark_relabel_packet(u32 sid)5567 static int selinux_secmark_relabel_packet(u32 sid)
5568 {
5569 	return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO,
5570 			    NULL);
5571 }
5572 
selinux_secmark_refcount_inc(void)5573 static void selinux_secmark_refcount_inc(void)
5574 {
5575 	atomic_inc(&selinux_secmark_refcount);
5576 }
5577 
selinux_secmark_refcount_dec(void)5578 static void selinux_secmark_refcount_dec(void)
5579 {
5580 	atomic_dec(&selinux_secmark_refcount);
5581 }
5582 
selinux_req_classify_flow(const struct request_sock * req,struct flowi_common * flic)5583 static void selinux_req_classify_flow(const struct request_sock *req,
5584 				      struct flowi_common *flic)
5585 {
5586 	flic->flowic_secid = req->secid;
5587 }
5588 
selinux_tun_dev_alloc_security(void * security)5589 static int selinux_tun_dev_alloc_security(void *security)
5590 {
5591 	struct tun_security_struct *tunsec = selinux_tun_dev(security);
5592 
5593 	tunsec->sid = current_sid();
5594 	return 0;
5595 }
5596 
selinux_tun_dev_create(void)5597 static int selinux_tun_dev_create(void)
5598 {
5599 	u32 sid = current_sid();
5600 
5601 	/* we aren't taking into account the "sockcreate" SID since the socket
5602 	 * that is being created here is not a socket in the traditional sense,
5603 	 * instead it is a private sock, accessible only to the kernel, and
5604 	 * representing a wide range of network traffic spanning multiple
5605 	 * connections unlike traditional sockets - check the TUN driver to
5606 	 * get a better understanding of why this socket is special */
5607 
5608 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5609 			    NULL);
5610 }
5611 
selinux_tun_dev_attach_queue(void * security)5612 static int selinux_tun_dev_attach_queue(void *security)
5613 {
5614 	struct tun_security_struct *tunsec = selinux_tun_dev(security);
5615 
5616 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5617 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5618 }
5619 
selinux_tun_dev_attach(struct sock * sk,void * security)5620 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5621 {
5622 	struct tun_security_struct *tunsec = selinux_tun_dev(security);
5623 	struct sk_security_struct *sksec = selinux_sock(sk);
5624 
5625 	/* we don't currently perform any NetLabel based labeling here and it
5626 	 * isn't clear that we would want to do so anyway; while we could apply
5627 	 * labeling without the support of the TUN user the resulting labeled
5628 	 * traffic from the other end of the connection would almost certainly
5629 	 * cause confusion to the TUN user that had no idea network labeling
5630 	 * protocols were being used */
5631 
5632 	sksec->sid = tunsec->sid;
5633 	sksec->sclass = SECCLASS_TUN_SOCKET;
5634 
5635 	return 0;
5636 }
5637 
selinux_tun_dev_open(void * security)5638 static int selinux_tun_dev_open(void *security)
5639 {
5640 	struct tun_security_struct *tunsec = selinux_tun_dev(security);
5641 	u32 sid = current_sid();
5642 	int err;
5643 
5644 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5645 			   TUN_SOCKET__RELABELFROM, NULL);
5646 	if (err)
5647 		return err;
5648 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5649 			   TUN_SOCKET__RELABELTO, NULL);
5650 	if (err)
5651 		return err;
5652 	tunsec->sid = sid;
5653 
5654 	return 0;
5655 }
5656 
5657 #ifdef CONFIG_NETFILTER
5658 
selinux_ip_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5659 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5660 				       const struct nf_hook_state *state)
5661 {
5662 	int ifindex;
5663 	u16 family;
5664 	char *addrp;
5665 	u32 peer_sid;
5666 	struct common_audit_data ad;
5667 	struct lsm_network_audit net;
5668 	int secmark_active, peerlbl_active;
5669 
5670 	if (!selinux_policycap_netpeer())
5671 		return NF_ACCEPT;
5672 
5673 	secmark_active = selinux_secmark_enabled();
5674 	peerlbl_active = selinux_peerlbl_enabled();
5675 	if (!secmark_active && !peerlbl_active)
5676 		return NF_ACCEPT;
5677 
5678 	family = state->pf;
5679 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5680 		return NF_DROP;
5681 
5682 	ifindex = state->in->ifindex;
5683 	ad_net_init_from_iif(&ad, &net, ifindex, family);
5684 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5685 		return NF_DROP;
5686 
5687 	if (peerlbl_active) {
5688 		int err;
5689 
5690 		err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5691 					       addrp, family, peer_sid, &ad);
5692 		if (err) {
5693 			selinux_netlbl_err(skb, family, err, 1);
5694 			return NF_DROP;
5695 		}
5696 	}
5697 
5698 	if (secmark_active)
5699 		if (avc_has_perm(peer_sid, skb->secmark,
5700 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5701 			return NF_DROP;
5702 
5703 	if (netlbl_enabled())
5704 		/* we do this in the FORWARD path and not the POST_ROUTING
5705 		 * path because we want to make sure we apply the necessary
5706 		 * labeling before IPsec is applied so we can leverage AH
5707 		 * protection */
5708 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5709 			return NF_DROP;
5710 
5711 	return NF_ACCEPT;
5712 }
5713 
selinux_ip_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5714 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5715 				      const struct nf_hook_state *state)
5716 {
5717 	struct sock *sk;
5718 	u32 sid;
5719 
5720 	if (!netlbl_enabled())
5721 		return NF_ACCEPT;
5722 
5723 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5724 	 * because we want to make sure we apply the necessary labeling
5725 	 * before IPsec is applied so we can leverage AH protection */
5726 	sk = skb->sk;
5727 	if (sk) {
5728 		struct sk_security_struct *sksec;
5729 
5730 		if (sk_listener(sk))
5731 			/* if the socket is the listening state then this
5732 			 * packet is a SYN-ACK packet which means it needs to
5733 			 * be labeled based on the connection/request_sock and
5734 			 * not the parent socket.  unfortunately, we can't
5735 			 * lookup the request_sock yet as it isn't queued on
5736 			 * the parent socket until after the SYN-ACK is sent.
5737 			 * the "solution" is to simply pass the packet as-is
5738 			 * as any IP option based labeling should be copied
5739 			 * from the initial connection request (in the IP
5740 			 * layer).  it is far from ideal, but until we get a
5741 			 * security label in the packet itself this is the
5742 			 * best we can do. */
5743 			return NF_ACCEPT;
5744 
5745 		/* standard practice, label using the parent socket */
5746 		sksec = selinux_sock(sk);
5747 		sid = sksec->sid;
5748 	} else
5749 		sid = SECINITSID_KERNEL;
5750 	if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5751 		return NF_DROP;
5752 
5753 	return NF_ACCEPT;
5754 }
5755 
5756 
selinux_ip_postroute_compat(struct sk_buff * skb,const struct nf_hook_state * state)5757 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5758 					const struct nf_hook_state *state)
5759 {
5760 	struct sock *sk;
5761 	struct sk_security_struct *sksec;
5762 	struct common_audit_data ad;
5763 	struct lsm_network_audit net;
5764 	u8 proto = 0;
5765 
5766 	sk = skb_to_full_sk(skb);
5767 	if (sk == NULL)
5768 		return NF_ACCEPT;
5769 	sksec = selinux_sock(sk);
5770 
5771 	ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf);
5772 	if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5773 		return NF_DROP;
5774 
5775 	if (selinux_secmark_enabled())
5776 		if (avc_has_perm(sksec->sid, skb->secmark,
5777 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5778 			return NF_DROP_ERR(-ECONNREFUSED);
5779 
5780 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5781 		return NF_DROP_ERR(-ECONNREFUSED);
5782 
5783 	return NF_ACCEPT;
5784 }
5785 
selinux_ip_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5786 static unsigned int selinux_ip_postroute(void *priv,
5787 					 struct sk_buff *skb,
5788 					 const struct nf_hook_state *state)
5789 {
5790 	u16 family;
5791 	u32 secmark_perm;
5792 	u32 peer_sid;
5793 	int ifindex;
5794 	struct sock *sk;
5795 	struct common_audit_data ad;
5796 	struct lsm_network_audit net;
5797 	char *addrp;
5798 	int secmark_active, peerlbl_active;
5799 
5800 	/* If any sort of compatibility mode is enabled then handoff processing
5801 	 * to the selinux_ip_postroute_compat() function to deal with the
5802 	 * special handling.  We do this in an attempt to keep this function
5803 	 * as fast and as clean as possible. */
5804 	if (!selinux_policycap_netpeer())
5805 		return selinux_ip_postroute_compat(skb, state);
5806 
5807 	secmark_active = selinux_secmark_enabled();
5808 	peerlbl_active = selinux_peerlbl_enabled();
5809 	if (!secmark_active && !peerlbl_active)
5810 		return NF_ACCEPT;
5811 
5812 	sk = skb_to_full_sk(skb);
5813 
5814 #ifdef CONFIG_XFRM
5815 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5816 	 * packet transformation so allow the packet to pass without any checks
5817 	 * since we'll have another chance to perform access control checks
5818 	 * when the packet is on it's final way out.
5819 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5820 	 *       is NULL, in this case go ahead and apply access control.
5821 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5822 	 *       TCP listening state we cannot wait until the XFRM processing
5823 	 *       is done as we will miss out on the SA label if we do;
5824 	 *       unfortunately, this means more work, but it is only once per
5825 	 *       connection. */
5826 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5827 	    !(sk && sk_listener(sk)))
5828 		return NF_ACCEPT;
5829 #endif
5830 
5831 	family = state->pf;
5832 	if (sk == NULL) {
5833 		/* Without an associated socket the packet is either coming
5834 		 * from the kernel or it is being forwarded; check the packet
5835 		 * to determine which and if the packet is being forwarded
5836 		 * query the packet directly to determine the security label. */
5837 		if (skb->skb_iif) {
5838 			secmark_perm = PACKET__FORWARD_OUT;
5839 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5840 				return NF_DROP;
5841 		} else {
5842 			secmark_perm = PACKET__SEND;
5843 			peer_sid = SECINITSID_KERNEL;
5844 		}
5845 	} else if (sk_listener(sk)) {
5846 		/* Locally generated packet but the associated socket is in the
5847 		 * listening state which means this is a SYN-ACK packet.  In
5848 		 * this particular case the correct security label is assigned
5849 		 * to the connection/request_sock but unfortunately we can't
5850 		 * query the request_sock as it isn't queued on the parent
5851 		 * socket until after the SYN-ACK packet is sent; the only
5852 		 * viable choice is to regenerate the label like we do in
5853 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5854 		 * for similar problems. */
5855 		u32 skb_sid;
5856 		struct sk_security_struct *sksec;
5857 
5858 		sksec = selinux_sock(sk);
5859 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5860 			return NF_DROP;
5861 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5862 		 * and the packet has been through at least one XFRM
5863 		 * transformation then we must be dealing with the "final"
5864 		 * form of labeled IPsec packet; since we've already applied
5865 		 * all of our access controls on this packet we can safely
5866 		 * pass the packet. */
5867 		if (skb_sid == SECSID_NULL) {
5868 			switch (family) {
5869 			case PF_INET:
5870 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5871 					return NF_ACCEPT;
5872 				break;
5873 			case PF_INET6:
5874 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5875 					return NF_ACCEPT;
5876 				break;
5877 			default:
5878 				return NF_DROP_ERR(-ECONNREFUSED);
5879 			}
5880 		}
5881 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5882 			return NF_DROP;
5883 		secmark_perm = PACKET__SEND;
5884 	} else {
5885 		/* Locally generated packet, fetch the security label from the
5886 		 * associated socket. */
5887 		struct sk_security_struct *sksec = selinux_sock(sk);
5888 		peer_sid = sksec->sid;
5889 		secmark_perm = PACKET__SEND;
5890 	}
5891 
5892 	ifindex = state->out->ifindex;
5893 	ad_net_init_from_iif(&ad, &net, ifindex, family);
5894 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5895 		return NF_DROP;
5896 
5897 	if (secmark_active)
5898 		if (avc_has_perm(peer_sid, skb->secmark,
5899 				 SECCLASS_PACKET, secmark_perm, &ad))
5900 			return NF_DROP_ERR(-ECONNREFUSED);
5901 
5902 	if (peerlbl_active) {
5903 		u32 if_sid;
5904 		u32 node_sid;
5905 
5906 		if (sel_netif_sid(state->net, ifindex, &if_sid))
5907 			return NF_DROP;
5908 		if (avc_has_perm(peer_sid, if_sid,
5909 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5910 			return NF_DROP_ERR(-ECONNREFUSED);
5911 
5912 		if (sel_netnode_sid(addrp, family, &node_sid))
5913 			return NF_DROP;
5914 		if (avc_has_perm(peer_sid, node_sid,
5915 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5916 			return NF_DROP_ERR(-ECONNREFUSED);
5917 	}
5918 
5919 	return NF_ACCEPT;
5920 }
5921 #endif	/* CONFIG_NETFILTER */
5922 
selinux_netlink_send(struct sock * sk,struct sk_buff * skb)5923 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5924 {
5925 	int rc = 0;
5926 	unsigned int msg_len;
5927 	unsigned int data_len = skb->len;
5928 	unsigned char *data = skb->data;
5929 	struct nlmsghdr *nlh;
5930 	struct sk_security_struct *sksec = selinux_sock(sk);
5931 	u16 sclass = sksec->sclass;
5932 	u32 perm;
5933 
5934 	while (data_len >= nlmsg_total_size(0)) {
5935 		nlh = (struct nlmsghdr *)data;
5936 
5937 		/* NOTE: the nlmsg_len field isn't reliably set by some netlink
5938 		 *       users which means we can't reject skb's with bogus
5939 		 *       length fields; our solution is to follow what
5940 		 *       netlink_rcv_skb() does and simply skip processing at
5941 		 *       messages with length fields that are clearly junk
5942 		 */
5943 		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5944 			return 0;
5945 
5946 		rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5947 		if (rc == 0) {
5948 			rc = sock_has_perm(sk, perm);
5949 			if (rc)
5950 				return rc;
5951 		} else if (rc == -EINVAL) {
5952 			/* -EINVAL is a missing msg/perm mapping */
5953 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5954 				" message: protocol=%hu nlmsg_type=%hu sclass=%s"
5955 				" pid=%d comm=%s\n",
5956 				sk->sk_protocol, nlh->nlmsg_type,
5957 				secclass_map[sclass - 1].name,
5958 				task_pid_nr(current), current->comm);
5959 			if (enforcing_enabled() &&
5960 			    !security_get_allow_unknown())
5961 				return rc;
5962 			rc = 0;
5963 		} else if (rc == -ENOENT) {
5964 			/* -ENOENT is a missing socket/class mapping, ignore */
5965 			rc = 0;
5966 		} else {
5967 			return rc;
5968 		}
5969 
5970 		/* move to the next message after applying netlink padding */
5971 		msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5972 		if (msg_len >= data_len)
5973 			return 0;
5974 		data_len -= msg_len;
5975 		data += msg_len;
5976 	}
5977 
5978 	return rc;
5979 }
5980 
ipc_init_security(struct ipc_security_struct * isec,u16 sclass)5981 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5982 {
5983 	isec->sclass = sclass;
5984 	isec->sid = current_sid();
5985 }
5986 
ipc_has_perm(struct kern_ipc_perm * ipc_perms,u32 perms)5987 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5988 			u32 perms)
5989 {
5990 	struct ipc_security_struct *isec;
5991 	struct common_audit_data ad;
5992 	u32 sid = current_sid();
5993 
5994 	isec = selinux_ipc(ipc_perms);
5995 
5996 	ad.type = LSM_AUDIT_DATA_IPC;
5997 	ad.u.ipc_id = ipc_perms->key;
5998 
5999 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
6000 }
6001 
selinux_msg_msg_alloc_security(struct msg_msg * msg)6002 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6003 {
6004 	struct msg_security_struct *msec;
6005 
6006 	msec = selinux_msg_msg(msg);
6007 	msec->sid = SECINITSID_UNLABELED;
6008 
6009 	return 0;
6010 }
6011 
6012 /* message queue security operations */
selinux_msg_queue_alloc_security(struct kern_ipc_perm * msq)6013 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6014 {
6015 	struct ipc_security_struct *isec;
6016 	struct common_audit_data ad;
6017 	u32 sid = current_sid();
6018 
6019 	isec = selinux_ipc(msq);
6020 	ipc_init_security(isec, SECCLASS_MSGQ);
6021 
6022 	ad.type = LSM_AUDIT_DATA_IPC;
6023 	ad.u.ipc_id = msq->key;
6024 
6025 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6026 			    MSGQ__CREATE, &ad);
6027 }
6028 
selinux_msg_queue_associate(struct kern_ipc_perm * msq,int msqflg)6029 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6030 {
6031 	struct ipc_security_struct *isec;
6032 	struct common_audit_data ad;
6033 	u32 sid = current_sid();
6034 
6035 	isec = selinux_ipc(msq);
6036 
6037 	ad.type = LSM_AUDIT_DATA_IPC;
6038 	ad.u.ipc_id = msq->key;
6039 
6040 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6041 			    MSGQ__ASSOCIATE, &ad);
6042 }
6043 
selinux_msg_queue_msgctl(struct kern_ipc_perm * msq,int cmd)6044 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6045 {
6046 	u32 perms;
6047 
6048 	switch (cmd) {
6049 	case IPC_INFO:
6050 	case MSG_INFO:
6051 		/* No specific object, just general system-wide information. */
6052 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6053 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6054 	case IPC_STAT:
6055 	case MSG_STAT:
6056 	case MSG_STAT_ANY:
6057 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6058 		break;
6059 	case IPC_SET:
6060 		perms = MSGQ__SETATTR;
6061 		break;
6062 	case IPC_RMID:
6063 		perms = MSGQ__DESTROY;
6064 		break;
6065 	default:
6066 		return 0;
6067 	}
6068 
6069 	return ipc_has_perm(msq, perms);
6070 }
6071 
selinux_msg_queue_msgsnd(struct kern_ipc_perm * msq,struct msg_msg * msg,int msqflg)6072 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6073 {
6074 	struct ipc_security_struct *isec;
6075 	struct msg_security_struct *msec;
6076 	struct common_audit_data ad;
6077 	u32 sid = current_sid();
6078 	int rc;
6079 
6080 	isec = selinux_ipc(msq);
6081 	msec = selinux_msg_msg(msg);
6082 
6083 	/*
6084 	 * First time through, need to assign label to the message
6085 	 */
6086 	if (msec->sid == SECINITSID_UNLABELED) {
6087 		/*
6088 		 * Compute new sid based on current process and
6089 		 * message queue this message will be stored in
6090 		 */
6091 		rc = security_transition_sid(sid, isec->sid,
6092 					     SECCLASS_MSG, NULL, &msec->sid);
6093 		if (rc)
6094 			return rc;
6095 	}
6096 
6097 	ad.type = LSM_AUDIT_DATA_IPC;
6098 	ad.u.ipc_id = msq->key;
6099 
6100 	/* Can this process write to the queue? */
6101 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6102 			  MSGQ__WRITE, &ad);
6103 	if (!rc)
6104 		/* Can this process send the message */
6105 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
6106 				  MSG__SEND, &ad);
6107 	if (!rc)
6108 		/* Can the message be put in the queue? */
6109 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
6110 				  MSGQ__ENQUEUE, &ad);
6111 
6112 	return rc;
6113 }
6114 
selinux_msg_queue_msgrcv(struct kern_ipc_perm * msq,struct msg_msg * msg,struct task_struct * target,long type,int mode)6115 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6116 				    struct task_struct *target,
6117 				    long type, int mode)
6118 {
6119 	struct ipc_security_struct *isec;
6120 	struct msg_security_struct *msec;
6121 	struct common_audit_data ad;
6122 	u32 sid = task_sid_obj(target);
6123 	int rc;
6124 
6125 	isec = selinux_ipc(msq);
6126 	msec = selinux_msg_msg(msg);
6127 
6128 	ad.type = LSM_AUDIT_DATA_IPC;
6129 	ad.u.ipc_id = msq->key;
6130 
6131 	rc = avc_has_perm(sid, isec->sid,
6132 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6133 	if (!rc)
6134 		rc = avc_has_perm(sid, msec->sid,
6135 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6136 	return rc;
6137 }
6138 
6139 /* Shared Memory security operations */
selinux_shm_alloc_security(struct kern_ipc_perm * shp)6140 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6141 {
6142 	struct ipc_security_struct *isec;
6143 	struct common_audit_data ad;
6144 	u32 sid = current_sid();
6145 
6146 	isec = selinux_ipc(shp);
6147 	ipc_init_security(isec, SECCLASS_SHM);
6148 
6149 	ad.type = LSM_AUDIT_DATA_IPC;
6150 	ad.u.ipc_id = shp->key;
6151 
6152 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6153 			    SHM__CREATE, &ad);
6154 }
6155 
selinux_shm_associate(struct kern_ipc_perm * shp,int shmflg)6156 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6157 {
6158 	struct ipc_security_struct *isec;
6159 	struct common_audit_data ad;
6160 	u32 sid = current_sid();
6161 
6162 	isec = selinux_ipc(shp);
6163 
6164 	ad.type = LSM_AUDIT_DATA_IPC;
6165 	ad.u.ipc_id = shp->key;
6166 
6167 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6168 			    SHM__ASSOCIATE, &ad);
6169 }
6170 
6171 /* Note, at this point, shp is locked down */
selinux_shm_shmctl(struct kern_ipc_perm * shp,int cmd)6172 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6173 {
6174 	u32 perms;
6175 
6176 	switch (cmd) {
6177 	case IPC_INFO:
6178 	case SHM_INFO:
6179 		/* No specific object, just general system-wide information. */
6180 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6181 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6182 	case IPC_STAT:
6183 	case SHM_STAT:
6184 	case SHM_STAT_ANY:
6185 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6186 		break;
6187 	case IPC_SET:
6188 		perms = SHM__SETATTR;
6189 		break;
6190 	case SHM_LOCK:
6191 	case SHM_UNLOCK:
6192 		perms = SHM__LOCK;
6193 		break;
6194 	case IPC_RMID:
6195 		perms = SHM__DESTROY;
6196 		break;
6197 	default:
6198 		return 0;
6199 	}
6200 
6201 	return ipc_has_perm(shp, perms);
6202 }
6203 
selinux_shm_shmat(struct kern_ipc_perm * shp,char __user * shmaddr,int shmflg)6204 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6205 			     char __user *shmaddr, int shmflg)
6206 {
6207 	u32 perms;
6208 
6209 	if (shmflg & SHM_RDONLY)
6210 		perms = SHM__READ;
6211 	else
6212 		perms = SHM__READ | SHM__WRITE;
6213 
6214 	return ipc_has_perm(shp, perms);
6215 }
6216 
6217 /* Semaphore security operations */
selinux_sem_alloc_security(struct kern_ipc_perm * sma)6218 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6219 {
6220 	struct ipc_security_struct *isec;
6221 	struct common_audit_data ad;
6222 	u32 sid = current_sid();
6223 
6224 	isec = selinux_ipc(sma);
6225 	ipc_init_security(isec, SECCLASS_SEM);
6226 
6227 	ad.type = LSM_AUDIT_DATA_IPC;
6228 	ad.u.ipc_id = sma->key;
6229 
6230 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6231 			    SEM__CREATE, &ad);
6232 }
6233 
selinux_sem_associate(struct kern_ipc_perm * sma,int semflg)6234 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6235 {
6236 	struct ipc_security_struct *isec;
6237 	struct common_audit_data ad;
6238 	u32 sid = current_sid();
6239 
6240 	isec = selinux_ipc(sma);
6241 
6242 	ad.type = LSM_AUDIT_DATA_IPC;
6243 	ad.u.ipc_id = sma->key;
6244 
6245 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6246 			    SEM__ASSOCIATE, &ad);
6247 }
6248 
6249 /* Note, at this point, sma is locked down */
selinux_sem_semctl(struct kern_ipc_perm * sma,int cmd)6250 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6251 {
6252 	int err;
6253 	u32 perms;
6254 
6255 	switch (cmd) {
6256 	case IPC_INFO:
6257 	case SEM_INFO:
6258 		/* No specific object, just general system-wide information. */
6259 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6260 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6261 	case GETPID:
6262 	case GETNCNT:
6263 	case GETZCNT:
6264 		perms = SEM__GETATTR;
6265 		break;
6266 	case GETVAL:
6267 	case GETALL:
6268 		perms = SEM__READ;
6269 		break;
6270 	case SETVAL:
6271 	case SETALL:
6272 		perms = SEM__WRITE;
6273 		break;
6274 	case IPC_RMID:
6275 		perms = SEM__DESTROY;
6276 		break;
6277 	case IPC_SET:
6278 		perms = SEM__SETATTR;
6279 		break;
6280 	case IPC_STAT:
6281 	case SEM_STAT:
6282 	case SEM_STAT_ANY:
6283 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6284 		break;
6285 	default:
6286 		return 0;
6287 	}
6288 
6289 	err = ipc_has_perm(sma, perms);
6290 	return err;
6291 }
6292 
selinux_sem_semop(struct kern_ipc_perm * sma,struct sembuf * sops,unsigned nsops,int alter)6293 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6294 			     struct sembuf *sops, unsigned nsops, int alter)
6295 {
6296 	u32 perms;
6297 
6298 	if (alter)
6299 		perms = SEM__READ | SEM__WRITE;
6300 	else
6301 		perms = SEM__READ;
6302 
6303 	return ipc_has_perm(sma, perms);
6304 }
6305 
selinux_ipc_permission(struct kern_ipc_perm * ipcp,short flag)6306 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6307 {
6308 	u32 av = 0;
6309 
6310 	av = 0;
6311 	if (flag & S_IRUGO)
6312 		av |= IPC__UNIX_READ;
6313 	if (flag & S_IWUGO)
6314 		av |= IPC__UNIX_WRITE;
6315 
6316 	if (av == 0)
6317 		return 0;
6318 
6319 	return ipc_has_perm(ipcp, av);
6320 }
6321 
selinux_ipc_getsecid(struct kern_ipc_perm * ipcp,u32 * secid)6322 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6323 {
6324 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6325 	*secid = isec->sid;
6326 }
6327 
selinux_d_instantiate(struct dentry * dentry,struct inode * inode)6328 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6329 {
6330 	if (inode)
6331 		inode_doinit_with_dentry(inode, dentry);
6332 }
6333 
selinux_lsm_getattr(unsigned int attr,struct task_struct * p,char ** value)6334 static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p,
6335 			       char **value)
6336 {
6337 	const struct task_security_struct *tsec;
6338 	int error;
6339 	u32 sid;
6340 	u32 len;
6341 
6342 	rcu_read_lock();
6343 	tsec = selinux_cred(__task_cred(p));
6344 	if (p != current) {
6345 		error = avc_has_perm(current_sid(), tsec->sid,
6346 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6347 		if (error)
6348 			goto err_unlock;
6349 	}
6350 	switch (attr) {
6351 	case LSM_ATTR_CURRENT:
6352 		sid = tsec->sid;
6353 		break;
6354 	case LSM_ATTR_PREV:
6355 		sid = tsec->osid;
6356 		break;
6357 	case LSM_ATTR_EXEC:
6358 		sid = tsec->exec_sid;
6359 		break;
6360 	case LSM_ATTR_FSCREATE:
6361 		sid = tsec->create_sid;
6362 		break;
6363 	case LSM_ATTR_KEYCREATE:
6364 		sid = tsec->keycreate_sid;
6365 		break;
6366 	case LSM_ATTR_SOCKCREATE:
6367 		sid = tsec->sockcreate_sid;
6368 		break;
6369 	default:
6370 		error = -EOPNOTSUPP;
6371 		goto err_unlock;
6372 	}
6373 	rcu_read_unlock();
6374 
6375 	if (sid == SECSID_NULL) {
6376 		*value = NULL;
6377 		return 0;
6378 	}
6379 
6380 	error = security_sid_to_context(sid, value, &len);
6381 	if (error)
6382 		return error;
6383 	return len;
6384 
6385 err_unlock:
6386 	rcu_read_unlock();
6387 	return error;
6388 }
6389 
selinux_lsm_setattr(u64 attr,void * value,size_t size)6390 static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
6391 {
6392 	struct task_security_struct *tsec;
6393 	struct cred *new;
6394 	u32 mysid = current_sid(), sid = 0, ptsid;
6395 	int error;
6396 	char *str = value;
6397 
6398 	/*
6399 	 * Basic control over ability to set these attributes at all.
6400 	 */
6401 	switch (attr) {
6402 	case LSM_ATTR_EXEC:
6403 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6404 				     PROCESS__SETEXEC, NULL);
6405 		break;
6406 	case LSM_ATTR_FSCREATE:
6407 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6408 				     PROCESS__SETFSCREATE, NULL);
6409 		break;
6410 	case LSM_ATTR_KEYCREATE:
6411 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6412 				     PROCESS__SETKEYCREATE, NULL);
6413 		break;
6414 	case LSM_ATTR_SOCKCREATE:
6415 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6416 				     PROCESS__SETSOCKCREATE, NULL);
6417 		break;
6418 	case LSM_ATTR_CURRENT:
6419 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6420 				     PROCESS__SETCURRENT, NULL);
6421 		break;
6422 	default:
6423 		error = -EOPNOTSUPP;
6424 		break;
6425 	}
6426 	if (error)
6427 		return error;
6428 
6429 	/* Obtain a SID for the context, if one was specified. */
6430 	if (size && str[0] && str[0] != '\n') {
6431 		if (str[size-1] == '\n') {
6432 			str[size-1] = 0;
6433 			size--;
6434 		}
6435 		error = security_context_to_sid(value, size,
6436 						&sid, GFP_KERNEL);
6437 		if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) {
6438 			if (!has_cap_mac_admin(true)) {
6439 				struct audit_buffer *ab;
6440 				size_t audit_size;
6441 
6442 				/* We strip a nul only if it is at the end,
6443 				 * otherwise the context contains a nul and
6444 				 * we should audit that */
6445 				if (str[size - 1] == '\0')
6446 					audit_size = size - 1;
6447 				else
6448 					audit_size = size;
6449 				ab = audit_log_start(audit_context(),
6450 						     GFP_ATOMIC,
6451 						     AUDIT_SELINUX_ERR);
6452 				if (!ab)
6453 					return error;
6454 				audit_log_format(ab, "op=fscreate invalid_context=");
6455 				audit_log_n_untrustedstring(ab, value,
6456 							    audit_size);
6457 				audit_log_end(ab);
6458 
6459 				return error;
6460 			}
6461 			error = security_context_to_sid_force(value, size,
6462 							&sid);
6463 		}
6464 		if (error)
6465 			return error;
6466 	}
6467 
6468 	new = prepare_creds();
6469 	if (!new)
6470 		return -ENOMEM;
6471 
6472 	/* Permission checking based on the specified context is
6473 	   performed during the actual operation (execve,
6474 	   open/mkdir/...), when we know the full context of the
6475 	   operation.  See selinux_bprm_creds_for_exec for the execve
6476 	   checks and may_create for the file creation checks. The
6477 	   operation will then fail if the context is not permitted. */
6478 	tsec = selinux_cred(new);
6479 	if (attr == LSM_ATTR_EXEC) {
6480 		tsec->exec_sid = sid;
6481 	} else if (attr == LSM_ATTR_FSCREATE) {
6482 		tsec->create_sid = sid;
6483 	} else if (attr == LSM_ATTR_KEYCREATE) {
6484 		if (sid) {
6485 			error = avc_has_perm(mysid, sid,
6486 					     SECCLASS_KEY, KEY__CREATE, NULL);
6487 			if (error)
6488 				goto abort_change;
6489 		}
6490 		tsec->keycreate_sid = sid;
6491 	} else if (attr == LSM_ATTR_SOCKCREATE) {
6492 		tsec->sockcreate_sid = sid;
6493 	} else if (attr == LSM_ATTR_CURRENT) {
6494 		error = -EINVAL;
6495 		if (sid == 0)
6496 			goto abort_change;
6497 
6498 		if (!current_is_single_threaded()) {
6499 			error = security_bounded_transition(tsec->sid, sid);
6500 			if (error)
6501 				goto abort_change;
6502 		}
6503 
6504 		/* Check permissions for the transition. */
6505 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6506 				     PROCESS__DYNTRANSITION, NULL);
6507 		if (error)
6508 			goto abort_change;
6509 
6510 		/* Check for ptracing, and update the task SID if ok.
6511 		   Otherwise, leave SID unchanged and fail. */
6512 		ptsid = ptrace_parent_sid();
6513 		if (ptsid != 0) {
6514 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6515 					     PROCESS__PTRACE, NULL);
6516 			if (error)
6517 				goto abort_change;
6518 		}
6519 
6520 		tsec->sid = sid;
6521 	} else {
6522 		error = -EINVAL;
6523 		goto abort_change;
6524 	}
6525 
6526 	commit_creds(new);
6527 	return size;
6528 
6529 abort_change:
6530 	abort_creds(new);
6531 	return error;
6532 }
6533 
6534 /**
6535  * selinux_getselfattr - Get SELinux current task attributes
6536  * @attr: the requested attribute
6537  * @ctx: buffer to receive the result
6538  * @size: buffer size (input), buffer size used (output)
6539  * @flags: unused
6540  *
6541  * Fill the passed user space @ctx with the details of the requested
6542  * attribute.
6543  *
6544  * Returns the number of attributes on success, an error code otherwise.
6545  * There will only ever be one attribute.
6546  */
selinux_getselfattr(unsigned int attr,struct lsm_ctx __user * ctx,u32 * size,u32 flags)6547 static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx,
6548 			       u32 *size, u32 flags)
6549 {
6550 	int rc;
6551 	char *val = NULL;
6552 	int val_len;
6553 
6554 	val_len = selinux_lsm_getattr(attr, current, &val);
6555 	if (val_len < 0)
6556 		return val_len;
6557 	rc = lsm_fill_user_ctx(ctx, size, val, val_len, LSM_ID_SELINUX, 0);
6558 	kfree(val);
6559 	return (!rc ? 1 : rc);
6560 }
6561 
selinux_setselfattr(unsigned int attr,struct lsm_ctx * ctx,u32 size,u32 flags)6562 static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx,
6563 			       u32 size, u32 flags)
6564 {
6565 	int rc;
6566 
6567 	rc = selinux_lsm_setattr(attr, ctx->ctx, ctx->ctx_len);
6568 	if (rc > 0)
6569 		return 0;
6570 	return rc;
6571 }
6572 
selinux_getprocattr(struct task_struct * p,const char * name,char ** value)6573 static int selinux_getprocattr(struct task_struct *p,
6574 			       const char *name, char **value)
6575 {
6576 	unsigned int attr = lsm_name_to_attr(name);
6577 	int rc;
6578 
6579 	if (attr) {
6580 		rc = selinux_lsm_getattr(attr, p, value);
6581 		if (rc != -EOPNOTSUPP)
6582 			return rc;
6583 	}
6584 
6585 	return -EINVAL;
6586 }
6587 
selinux_setprocattr(const char * name,void * value,size_t size)6588 static int selinux_setprocattr(const char *name, void *value, size_t size)
6589 {
6590 	int attr = lsm_name_to_attr(name);
6591 
6592 	if (attr)
6593 		return selinux_lsm_setattr(attr, value, size);
6594 	return -EINVAL;
6595 }
6596 
selinux_ismaclabel(const char * name)6597 static int selinux_ismaclabel(const char *name)
6598 {
6599 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6600 }
6601 
selinux_secid_to_secctx(u32 secid,char ** secdata,u32 * seclen)6602 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6603 {
6604 	return security_sid_to_context(secid,
6605 				       secdata, seclen);
6606 }
6607 
selinux_secctx_to_secid(const char * secdata,u32 seclen,u32 * secid)6608 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6609 {
6610 	return security_context_to_sid(secdata, seclen,
6611 				       secid, GFP_KERNEL);
6612 }
6613 
selinux_release_secctx(char * secdata,u32 seclen)6614 static void selinux_release_secctx(char *secdata, u32 seclen)
6615 {
6616 	kfree(secdata);
6617 }
6618 
selinux_inode_invalidate_secctx(struct inode * inode)6619 static void selinux_inode_invalidate_secctx(struct inode *inode)
6620 {
6621 	struct inode_security_struct *isec = selinux_inode(inode);
6622 
6623 	spin_lock(&isec->lock);
6624 	isec->initialized = LABEL_INVALID;
6625 	spin_unlock(&isec->lock);
6626 }
6627 
6628 /*
6629  *	called with inode->i_mutex locked
6630  */
selinux_inode_notifysecctx(struct inode * inode,void * ctx,u32 ctxlen)6631 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6632 {
6633 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6634 					   ctx, ctxlen, 0);
6635 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6636 	return rc == -EOPNOTSUPP ? 0 : rc;
6637 }
6638 
6639 /*
6640  *	called with inode->i_mutex locked
6641  */
selinux_inode_setsecctx(struct dentry * dentry,void * ctx,u32 ctxlen)6642 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6643 {
6644 	return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
6645 				     ctx, ctxlen, 0, NULL);
6646 }
6647 
selinux_inode_getsecctx(struct inode * inode,void ** ctx,u32 * ctxlen)6648 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6649 {
6650 	int len = 0;
6651 	len = selinux_inode_getsecurity(&nop_mnt_idmap, inode,
6652 					XATTR_SELINUX_SUFFIX, ctx, true);
6653 	if (len < 0)
6654 		return len;
6655 	*ctxlen = len;
6656 	return 0;
6657 }
6658 #ifdef CONFIG_KEYS
6659 
selinux_key_alloc(struct key * k,const struct cred * cred,unsigned long flags)6660 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6661 			     unsigned long flags)
6662 {
6663 	const struct task_security_struct *tsec;
6664 	struct key_security_struct *ksec = selinux_key(k);
6665 
6666 	tsec = selinux_cred(cred);
6667 	if (tsec->keycreate_sid)
6668 		ksec->sid = tsec->keycreate_sid;
6669 	else
6670 		ksec->sid = tsec->sid;
6671 
6672 	return 0;
6673 }
6674 
selinux_key_permission(key_ref_t key_ref,const struct cred * cred,enum key_need_perm need_perm)6675 static int selinux_key_permission(key_ref_t key_ref,
6676 				  const struct cred *cred,
6677 				  enum key_need_perm need_perm)
6678 {
6679 	struct key *key;
6680 	struct key_security_struct *ksec;
6681 	u32 perm, sid;
6682 
6683 	switch (need_perm) {
6684 	case KEY_NEED_VIEW:
6685 		perm = KEY__VIEW;
6686 		break;
6687 	case KEY_NEED_READ:
6688 		perm = KEY__READ;
6689 		break;
6690 	case KEY_NEED_WRITE:
6691 		perm = KEY__WRITE;
6692 		break;
6693 	case KEY_NEED_SEARCH:
6694 		perm = KEY__SEARCH;
6695 		break;
6696 	case KEY_NEED_LINK:
6697 		perm = KEY__LINK;
6698 		break;
6699 	case KEY_NEED_SETATTR:
6700 		perm = KEY__SETATTR;
6701 		break;
6702 	case KEY_NEED_UNLINK:
6703 	case KEY_SYSADMIN_OVERRIDE:
6704 	case KEY_AUTHTOKEN_OVERRIDE:
6705 	case KEY_DEFER_PERM_CHECK:
6706 		return 0;
6707 	default:
6708 		WARN_ON(1);
6709 		return -EPERM;
6710 
6711 	}
6712 
6713 	sid = cred_sid(cred);
6714 	key = key_ref_to_ptr(key_ref);
6715 	ksec = selinux_key(key);
6716 
6717 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6718 }
6719 
selinux_key_getsecurity(struct key * key,char ** _buffer)6720 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6721 {
6722 	struct key_security_struct *ksec = selinux_key(key);
6723 	char *context = NULL;
6724 	unsigned len;
6725 	int rc;
6726 
6727 	rc = security_sid_to_context(ksec->sid,
6728 				     &context, &len);
6729 	if (!rc)
6730 		rc = len;
6731 	*_buffer = context;
6732 	return rc;
6733 }
6734 
6735 #ifdef CONFIG_KEY_NOTIFICATIONS
selinux_watch_key(struct key * key)6736 static int selinux_watch_key(struct key *key)
6737 {
6738 	struct key_security_struct *ksec = selinux_key(key);
6739 	u32 sid = current_sid();
6740 
6741 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6742 }
6743 #endif
6744 #endif
6745 
6746 #ifdef CONFIG_SECURITY_INFINIBAND
selinux_ib_pkey_access(void * ib_sec,u64 subnet_prefix,u16 pkey_val)6747 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6748 {
6749 	struct common_audit_data ad;
6750 	int err;
6751 	u32 sid = 0;
6752 	struct ib_security_struct *sec = ib_sec;
6753 	struct lsm_ibpkey_audit ibpkey;
6754 
6755 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6756 	if (err)
6757 		return err;
6758 
6759 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6760 	ibpkey.subnet_prefix = subnet_prefix;
6761 	ibpkey.pkey = pkey_val;
6762 	ad.u.ibpkey = &ibpkey;
6763 	return avc_has_perm(sec->sid, sid,
6764 			    SECCLASS_INFINIBAND_PKEY,
6765 			    INFINIBAND_PKEY__ACCESS, &ad);
6766 }
6767 
selinux_ib_endport_manage_subnet(void * ib_sec,const char * dev_name,u8 port_num)6768 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6769 					    u8 port_num)
6770 {
6771 	struct common_audit_data ad;
6772 	int err;
6773 	u32 sid = 0;
6774 	struct ib_security_struct *sec = ib_sec;
6775 	struct lsm_ibendport_audit ibendport;
6776 
6777 	err = security_ib_endport_sid(dev_name, port_num,
6778 				      &sid);
6779 
6780 	if (err)
6781 		return err;
6782 
6783 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6784 	ibendport.dev_name = dev_name;
6785 	ibendport.port = port_num;
6786 	ad.u.ibendport = &ibendport;
6787 	return avc_has_perm(sec->sid, sid,
6788 			    SECCLASS_INFINIBAND_ENDPORT,
6789 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6790 }
6791 
selinux_ib_alloc_security(void * ib_sec)6792 static int selinux_ib_alloc_security(void *ib_sec)
6793 {
6794 	struct ib_security_struct *sec = selinux_ib(ib_sec);
6795 
6796 	sec->sid = current_sid();
6797 	return 0;
6798 }
6799 #endif
6800 
6801 #ifdef CONFIG_BPF_SYSCALL
selinux_bpf(int cmd,union bpf_attr * attr,unsigned int size)6802 static int selinux_bpf(int cmd, union bpf_attr *attr,
6803 				     unsigned int size)
6804 {
6805 	u32 sid = current_sid();
6806 	int ret;
6807 
6808 	switch (cmd) {
6809 	case BPF_MAP_CREATE:
6810 		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6811 				   NULL);
6812 		break;
6813 	case BPF_PROG_LOAD:
6814 		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6815 				   NULL);
6816 		break;
6817 	default:
6818 		ret = 0;
6819 		break;
6820 	}
6821 
6822 	return ret;
6823 }
6824 
bpf_map_fmode_to_av(fmode_t fmode)6825 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6826 {
6827 	u32 av = 0;
6828 
6829 	if (fmode & FMODE_READ)
6830 		av |= BPF__MAP_READ;
6831 	if (fmode & FMODE_WRITE)
6832 		av |= BPF__MAP_WRITE;
6833 	return av;
6834 }
6835 
6836 /* This function will check the file pass through unix socket or binder to see
6837  * if it is a bpf related object. And apply corresponding checks on the bpf
6838  * object based on the type. The bpf maps and programs, not like other files and
6839  * socket, are using a shared anonymous inode inside the kernel as their inode.
6840  * So checking that inode cannot identify if the process have privilege to
6841  * access the bpf object and that's why we have to add this additional check in
6842  * selinux_file_receive and selinux_binder_transfer_files.
6843  */
bpf_fd_pass(const struct file * file,u32 sid)6844 static int bpf_fd_pass(const struct file *file, u32 sid)
6845 {
6846 	struct bpf_security_struct *bpfsec;
6847 	struct bpf_prog *prog;
6848 	struct bpf_map *map;
6849 	int ret;
6850 
6851 	if (file->f_op == &bpf_map_fops) {
6852 		map = file->private_data;
6853 		bpfsec = map->security;
6854 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6855 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6856 		if (ret)
6857 			return ret;
6858 	} else if (file->f_op == &bpf_prog_fops) {
6859 		prog = file->private_data;
6860 		bpfsec = prog->aux->security;
6861 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6862 				   BPF__PROG_RUN, NULL);
6863 		if (ret)
6864 			return ret;
6865 	}
6866 	return 0;
6867 }
6868 
selinux_bpf_map(struct bpf_map * map,fmode_t fmode)6869 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6870 {
6871 	u32 sid = current_sid();
6872 	struct bpf_security_struct *bpfsec;
6873 
6874 	bpfsec = map->security;
6875 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6876 			    bpf_map_fmode_to_av(fmode), NULL);
6877 }
6878 
selinux_bpf_prog(struct bpf_prog * prog)6879 static int selinux_bpf_prog(struct bpf_prog *prog)
6880 {
6881 	u32 sid = current_sid();
6882 	struct bpf_security_struct *bpfsec;
6883 
6884 	bpfsec = prog->aux->security;
6885 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6886 			    BPF__PROG_RUN, NULL);
6887 }
6888 
selinux_bpf_map_create(struct bpf_map * map,union bpf_attr * attr,struct bpf_token * token)6889 static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
6890 				  struct bpf_token *token)
6891 {
6892 	struct bpf_security_struct *bpfsec;
6893 
6894 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6895 	if (!bpfsec)
6896 		return -ENOMEM;
6897 
6898 	bpfsec->sid = current_sid();
6899 	map->security = bpfsec;
6900 
6901 	return 0;
6902 }
6903 
selinux_bpf_map_free(struct bpf_map * map)6904 static void selinux_bpf_map_free(struct bpf_map *map)
6905 {
6906 	struct bpf_security_struct *bpfsec = map->security;
6907 
6908 	map->security = NULL;
6909 	kfree(bpfsec);
6910 }
6911 
selinux_bpf_prog_load(struct bpf_prog * prog,union bpf_attr * attr,struct bpf_token * token)6912 static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
6913 				 struct bpf_token *token)
6914 {
6915 	struct bpf_security_struct *bpfsec;
6916 
6917 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6918 	if (!bpfsec)
6919 		return -ENOMEM;
6920 
6921 	bpfsec->sid = current_sid();
6922 	prog->aux->security = bpfsec;
6923 
6924 	return 0;
6925 }
6926 
selinux_bpf_prog_free(struct bpf_prog * prog)6927 static void selinux_bpf_prog_free(struct bpf_prog *prog)
6928 {
6929 	struct bpf_security_struct *bpfsec = prog->aux->security;
6930 
6931 	prog->aux->security = NULL;
6932 	kfree(bpfsec);
6933 }
6934 
selinux_bpf_token_create(struct bpf_token * token,union bpf_attr * attr,const struct path * path)6935 static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
6936 				    const struct path *path)
6937 {
6938 	struct bpf_security_struct *bpfsec;
6939 
6940 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6941 	if (!bpfsec)
6942 		return -ENOMEM;
6943 
6944 	bpfsec->sid = current_sid();
6945 	token->security = bpfsec;
6946 
6947 	return 0;
6948 }
6949 
selinux_bpf_token_free(struct bpf_token * token)6950 static void selinux_bpf_token_free(struct bpf_token *token)
6951 {
6952 	struct bpf_security_struct *bpfsec = token->security;
6953 
6954 	token->security = NULL;
6955 	kfree(bpfsec);
6956 }
6957 #endif
6958 
6959 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
6960 	.lbs_cred = sizeof(struct task_security_struct),
6961 	.lbs_file = sizeof(struct file_security_struct),
6962 	.lbs_inode = sizeof(struct inode_security_struct),
6963 	.lbs_ipc = sizeof(struct ipc_security_struct),
6964 	.lbs_key = sizeof(struct key_security_struct),
6965 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6966 #ifdef CONFIG_PERF_EVENTS
6967 	.lbs_perf_event = sizeof(struct perf_event_security_struct),
6968 #endif
6969 	.lbs_sock = sizeof(struct sk_security_struct),
6970 	.lbs_superblock = sizeof(struct superblock_security_struct),
6971 	.lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
6972 	.lbs_tun_dev = sizeof(struct tun_security_struct),
6973 	.lbs_ib = sizeof(struct ib_security_struct),
6974 };
6975 
6976 #ifdef CONFIG_PERF_EVENTS
selinux_perf_event_open(struct perf_event_attr * attr,int type)6977 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6978 {
6979 	u32 requested, sid = current_sid();
6980 
6981 	if (type == PERF_SECURITY_OPEN)
6982 		requested = PERF_EVENT__OPEN;
6983 	else if (type == PERF_SECURITY_CPU)
6984 		requested = PERF_EVENT__CPU;
6985 	else if (type == PERF_SECURITY_KERNEL)
6986 		requested = PERF_EVENT__KERNEL;
6987 	else if (type == PERF_SECURITY_TRACEPOINT)
6988 		requested = PERF_EVENT__TRACEPOINT;
6989 	else
6990 		return -EINVAL;
6991 
6992 	return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT,
6993 			    requested, NULL);
6994 }
6995 
selinux_perf_event_alloc(struct perf_event * event)6996 static int selinux_perf_event_alloc(struct perf_event *event)
6997 {
6998 	struct perf_event_security_struct *perfsec;
6999 
7000 	perfsec = selinux_perf_event(event->security);
7001 	perfsec->sid = current_sid();
7002 
7003 	return 0;
7004 }
7005 
selinux_perf_event_read(struct perf_event * event)7006 static int selinux_perf_event_read(struct perf_event *event)
7007 {
7008 	struct perf_event_security_struct *perfsec = event->security;
7009 	u32 sid = current_sid();
7010 
7011 	return avc_has_perm(sid, perfsec->sid,
7012 			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
7013 }
7014 
selinux_perf_event_write(struct perf_event * event)7015 static int selinux_perf_event_write(struct perf_event *event)
7016 {
7017 	struct perf_event_security_struct *perfsec = event->security;
7018 	u32 sid = current_sid();
7019 
7020 	return avc_has_perm(sid, perfsec->sid,
7021 			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
7022 }
7023 #endif
7024 
7025 #ifdef CONFIG_IO_URING
7026 /**
7027  * selinux_uring_override_creds - check the requested cred override
7028  * @new: the target creds
7029  *
7030  * Check to see if the current task is allowed to override it's credentials
7031  * to service an io_uring operation.
7032  */
selinux_uring_override_creds(const struct cred * new)7033 static int selinux_uring_override_creds(const struct cred *new)
7034 {
7035 	return avc_has_perm(current_sid(), cred_sid(new),
7036 			    SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
7037 }
7038 
7039 /**
7040  * selinux_uring_sqpoll - check if a io_uring polling thread can be created
7041  *
7042  * Check to see if the current task is allowed to create a new io_uring
7043  * kernel polling thread.
7044  */
selinux_uring_sqpoll(void)7045 static int selinux_uring_sqpoll(void)
7046 {
7047 	u32 sid = current_sid();
7048 
7049 	return avc_has_perm(sid, sid,
7050 			    SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
7051 }
7052 
7053 /**
7054  * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
7055  * @ioucmd: the io_uring command structure
7056  *
7057  * Check to see if the current domain is allowed to execute an
7058  * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
7059  *
7060  */
selinux_uring_cmd(struct io_uring_cmd * ioucmd)7061 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
7062 {
7063 	struct file *file = ioucmd->file;
7064 	struct inode *inode = file_inode(file);
7065 	struct inode_security_struct *isec = selinux_inode(inode);
7066 	struct common_audit_data ad;
7067 
7068 	ad.type = LSM_AUDIT_DATA_FILE;
7069 	ad.u.file = file;
7070 
7071 	return avc_has_perm(current_sid(), isec->sid,
7072 			    SECCLASS_IO_URING, IO_URING__CMD, &ad);
7073 }
7074 #endif /* CONFIG_IO_URING */
7075 
7076 static const struct lsm_id selinux_lsmid = {
7077 	.name = "selinux",
7078 	.id = LSM_ID_SELINUX,
7079 };
7080 
7081 /*
7082  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
7083  * 1. any hooks that don't belong to (2.) or (3.) below,
7084  * 2. hooks that both access structures allocated by other hooks, and allocate
7085  *    structures that can be later accessed by other hooks (mostly "cloning"
7086  *    hooks),
7087  * 3. hooks that only allocate structures that can be later accessed by other
7088  *    hooks ("allocating" hooks).
7089  *
7090  * Please follow block comment delimiters in the list to keep this order.
7091  */
7092 static struct security_hook_list selinux_hooks[] __ro_after_init = {
7093 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7094 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7095 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7096 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7097 
7098 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7099 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7100 	LSM_HOOK_INIT(capget, selinux_capget),
7101 	LSM_HOOK_INIT(capset, selinux_capset),
7102 	LSM_HOOK_INIT(capable, selinux_capable),
7103 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
7104 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
7105 	LSM_HOOK_INIT(syslog, selinux_syslog),
7106 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7107 
7108 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7109 
7110 	LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7111 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7112 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7113 
7114 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7115 	LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7116 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7117 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7118 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7119 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7120 	LSM_HOOK_INIT(sb_mount, selinux_mount),
7121 	LSM_HOOK_INIT(sb_umount, selinux_umount),
7122 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7123 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7124 
7125 	LSM_HOOK_INIT(move_mount, selinux_move_mount),
7126 
7127 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7128 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7129 
7130 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7131 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7132 	LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7133 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
7134 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
7135 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7136 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7137 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7138 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7139 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7140 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7141 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7142 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7143 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7144 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7145 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7146 	LSM_HOOK_INIT(inode_xattr_skipcap, selinux_inode_xattr_skipcap),
7147 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7148 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7149 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7150 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7151 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7152 	LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
7153 	LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
7154 	LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
7155 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7156 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7157 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7158 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7159 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7160 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7161 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
7162 
7163 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7164 
7165 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7166 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7167 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7168 	LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
7169 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7170 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7171 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7172 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
7173 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7174 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7175 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7176 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
7177 
7178 	LSM_HOOK_INIT(file_open, selinux_file_open),
7179 
7180 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7181 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7182 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7183 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7184 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7185 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7186 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7187 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7188 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7189 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7190 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7191 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7192 	LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7193 	LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7194 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7195 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7196 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7197 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7198 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7199 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7200 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7201 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7202 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7203 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7204 	LSM_HOOK_INIT(userns_create, selinux_userns_create),
7205 
7206 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7207 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7208 
7209 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7210 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7211 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7212 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7213 
7214 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7215 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7216 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7217 
7218 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7219 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7220 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7221 
7222 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7223 
7224 	LSM_HOOK_INIT(getselfattr, selinux_getselfattr),
7225 	LSM_HOOK_INIT(setselfattr, selinux_setselfattr),
7226 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7227 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7228 
7229 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7230 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7231 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7232 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7233 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7234 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7235 
7236 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7237 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7238 
7239 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7240 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7241 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7242 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7243 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7244 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7245 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7246 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7247 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7248 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7249 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7250 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7251 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7252 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7253 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7254 	LSM_HOOK_INIT(socket_getpeersec_stream,
7255 			selinux_socket_getpeersec_stream),
7256 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7257 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7258 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7259 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7260 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7261 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7262 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7263 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7264 	LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7265 	LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
7266 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7267 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7268 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7269 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7270 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7271 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7272 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7273 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7274 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7275 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7276 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7277 #ifdef CONFIG_SECURITY_INFINIBAND
7278 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7279 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7280 		      selinux_ib_endport_manage_subnet),
7281 #endif
7282 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7283 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7284 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7285 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7286 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7287 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7288 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7289 			selinux_xfrm_state_pol_flow_match),
7290 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7291 #endif
7292 
7293 #ifdef CONFIG_KEYS
7294 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7295 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7296 #ifdef CONFIG_KEY_NOTIFICATIONS
7297 	LSM_HOOK_INIT(watch_key, selinux_watch_key),
7298 #endif
7299 #endif
7300 
7301 #ifdef CONFIG_AUDIT
7302 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7303 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7304 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7305 #endif
7306 
7307 #ifdef CONFIG_BPF_SYSCALL
7308 	LSM_HOOK_INIT(bpf, selinux_bpf),
7309 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7310 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7311 	LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free),
7312 	LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free),
7313 	LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),
7314 #endif
7315 
7316 #ifdef CONFIG_PERF_EVENTS
7317 	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7318 	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7319 	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7320 #endif
7321 
7322 #ifdef CONFIG_IO_URING
7323 	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7324 	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7325 	LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7326 #endif
7327 
7328 	/*
7329 	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7330 	 */
7331 	LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount),
7332 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7333 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7334 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7335 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7336 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7337 #endif
7338 
7339 	/*
7340 	 * PUT "ALLOCATING" HOOKS HERE
7341 	 */
7342 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7343 	LSM_HOOK_INIT(msg_queue_alloc_security,
7344 		      selinux_msg_queue_alloc_security),
7345 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7346 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7347 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7348 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7349 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7350 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7351 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7352 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7353 #ifdef CONFIG_SECURITY_INFINIBAND
7354 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7355 #endif
7356 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7357 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7358 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7359 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7360 		      selinux_xfrm_state_alloc_acquire),
7361 #endif
7362 #ifdef CONFIG_KEYS
7363 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7364 #endif
7365 #ifdef CONFIG_AUDIT
7366 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7367 #endif
7368 #ifdef CONFIG_BPF_SYSCALL
7369 	LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create),
7370 	LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load),
7371 	LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create),
7372 #endif
7373 #ifdef CONFIG_PERF_EVENTS
7374 	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7375 #endif
7376 };
7377 
selinux_init(void)7378 static __init int selinux_init(void)
7379 {
7380 	pr_info("SELinux:  Initializing.\n");
7381 
7382 	memset(&selinux_state, 0, sizeof(selinux_state));
7383 	enforcing_set(selinux_enforcing_boot);
7384 	selinux_avc_init();
7385 	mutex_init(&selinux_state.status_lock);
7386 	mutex_init(&selinux_state.policy_mutex);
7387 
7388 	/* Set the security state for the initial task. */
7389 	cred_init_security();
7390 
7391 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7392 	if (!default_noexec)
7393 		pr_notice("SELinux:  virtual memory is executable by default\n");
7394 
7395 	avc_init();
7396 
7397 	avtab_cache_init();
7398 
7399 	ebitmap_cache_init();
7400 
7401 	hashtab_cache_init();
7402 
7403 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks),
7404 			   &selinux_lsmid);
7405 
7406 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7407 		panic("SELinux: Unable to register AVC netcache callback\n");
7408 
7409 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7410 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7411 
7412 	if (selinux_enforcing_boot)
7413 		pr_debug("SELinux:  Starting in enforcing mode\n");
7414 	else
7415 		pr_debug("SELinux:  Starting in permissive mode\n");
7416 
7417 	fs_validate_description("selinux", selinux_fs_parameters);
7418 
7419 	return 0;
7420 }
7421 
delayed_superblock_init(struct super_block * sb,void * unused)7422 static void delayed_superblock_init(struct super_block *sb, void *unused)
7423 {
7424 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7425 }
7426 
selinux_complete_init(void)7427 void selinux_complete_init(void)
7428 {
7429 	pr_debug("SELinux:  Completing initialization.\n");
7430 
7431 	/* Set up any superblocks initialized prior to the policy load. */
7432 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7433 	iterate_supers(delayed_superblock_init, NULL);
7434 }
7435 
7436 /* SELinux requires early initialization in order to label
7437    all processes and objects when they are created. */
7438 DEFINE_LSM(selinux) = {
7439 	.name = "selinux",
7440 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7441 	.enabled = &selinux_enabled_boot,
7442 	.blobs = &selinux_blob_sizes,
7443 	.init = selinux_init,
7444 };
7445 
7446 #if defined(CONFIG_NETFILTER)
7447 static const struct nf_hook_ops selinux_nf_ops[] = {
7448 	{
7449 		.hook =		selinux_ip_postroute,
7450 		.pf =		NFPROTO_IPV4,
7451 		.hooknum =	NF_INET_POST_ROUTING,
7452 		.priority =	NF_IP_PRI_SELINUX_LAST,
7453 	},
7454 	{
7455 		.hook =		selinux_ip_forward,
7456 		.pf =		NFPROTO_IPV4,
7457 		.hooknum =	NF_INET_FORWARD,
7458 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7459 	},
7460 	{
7461 		.hook =		selinux_ip_output,
7462 		.pf =		NFPROTO_IPV4,
7463 		.hooknum =	NF_INET_LOCAL_OUT,
7464 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7465 	},
7466 #if IS_ENABLED(CONFIG_IPV6)
7467 	{
7468 		.hook =		selinux_ip_postroute,
7469 		.pf =		NFPROTO_IPV6,
7470 		.hooknum =	NF_INET_POST_ROUTING,
7471 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7472 	},
7473 	{
7474 		.hook =		selinux_ip_forward,
7475 		.pf =		NFPROTO_IPV6,
7476 		.hooknum =	NF_INET_FORWARD,
7477 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7478 	},
7479 	{
7480 		.hook =		selinux_ip_output,
7481 		.pf =		NFPROTO_IPV6,
7482 		.hooknum =	NF_INET_LOCAL_OUT,
7483 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7484 	},
7485 #endif	/* IPV6 */
7486 };
7487 
selinux_nf_register(struct net * net)7488 static int __net_init selinux_nf_register(struct net *net)
7489 {
7490 	return nf_register_net_hooks(net, selinux_nf_ops,
7491 				     ARRAY_SIZE(selinux_nf_ops));
7492 }
7493 
selinux_nf_unregister(struct net * net)7494 static void __net_exit selinux_nf_unregister(struct net *net)
7495 {
7496 	nf_unregister_net_hooks(net, selinux_nf_ops,
7497 				ARRAY_SIZE(selinux_nf_ops));
7498 }
7499 
7500 static struct pernet_operations selinux_net_ops = {
7501 	.init = selinux_nf_register,
7502 	.exit = selinux_nf_unregister,
7503 };
7504 
selinux_nf_ip_init(void)7505 static int __init selinux_nf_ip_init(void)
7506 {
7507 	int err;
7508 
7509 	if (!selinux_enabled_boot)
7510 		return 0;
7511 
7512 	pr_debug("SELinux:  Registering netfilter hooks\n");
7513 
7514 	err = register_pernet_subsys(&selinux_net_ops);
7515 	if (err)
7516 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7517 
7518 	return 0;
7519 }
7520 __initcall(selinux_nf_ip_init);
7521 #endif /* CONFIG_NETFILTER */
7522