1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * <dgoeddel@trustedcs.com>
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Paul Moore <paul@paul-moore.com>
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * Copyright (C) 2016 Mellanox Technologies
22 */
23
24#include <linux/init.h>
25#include <linux/kd.h>
26#include <linux/kernel.h>
27#include <linux/kernel_read_file.h>
28#include <linux/errno.h>
29#include <linux/sched/signal.h>
30#include <linux/sched/task.h>
31#include <linux/lsm_hooks.h>
32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
39#include <linux/proc_fs.h>
40#include <linux/swap.h>
41#include <linux/spinlock.h>
42#include <linux/syscalls.h>
43#include <linux/dcache.h>
44#include <linux/file.h>
45#include <linux/fdtable.h>
46#include <linux/namei.h>
47#include <linux/mount.h>
48#include <linux/fs_context.h>
49#include <linux/fs_parser.h>
50#include <linux/netfilter_ipv4.h>
51#include <linux/netfilter_ipv6.h>
52#include <linux/tty.h>
53#include <net/icmp.h>
54#include <net/ip.h> /* for local_port_range[] */
55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56#include <net/inet_connection_sock.h>
57#include <net/net_namespace.h>
58#include <net/netlabel.h>
59#include <linux/uaccess.h>
60#include <asm/ioctls.h>
61#include <linux/atomic.h>
62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
65#include <net/netlink.h>
66#include <linux/tcp.h>
67#include <linux/udp.h>
68#include <linux/sctp.h>
69#include <net/sctp/structs.h>
70#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */
73#include <linux/parser.h>
74#include <linux/nfs_mount.h>
75#include <net/ipv6.h>
76#include <linux/hugetlb.h>
77#include <linux/personality.h>
78#include <linux/audit.h>
79#include <linux/string.h>
80#include <linux/mutex.h>
81#include <linux/posix-timers.h>
82#include <linux/syslog.h>
83#include <linux/user_namespace.h>
84#include <linux/export.h>
85#include <linux/msg.h>
86#include <linux/shm.h>
87#include <uapi/linux/shm.h>
88#include <linux/bpf.h>
89#include <linux/kernfs.h>
90#include <linux/stringhash.h> /* for hashlen_string() */
91#include <uapi/linux/mount.h>
92#include <linux/fsnotify.h>
93#include <linux/fanotify.h>
94#include <linux/io_uring/cmd.h>
95#include <uapi/linux/lsm.h>
96
97#include "avc.h"
98#include "objsec.h"
99#include "netif.h"
100#include "netnode.h"
101#include "netport.h"
102#include "ibpkey.h"
103#include "xfrm.h"
104#include "netlabel.h"
105#include "audit.h"
106#include "avc_ss.h"
107
108#define SELINUX_INODE_INIT_XATTRS 1
109
110struct selinux_state selinux_state;
111
112/* SECMARK reference count */
113static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
114
115#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
116static int selinux_enforcing_boot __initdata;
117
118static int __init enforcing_setup(char *str)
119{
120 unsigned long enforcing;
121 if (!kstrtoul(s: str, base: 0, res: &enforcing))
122 selinux_enforcing_boot = enforcing ? 1 : 0;
123 return 1;
124}
125__setup("enforcing=", enforcing_setup);
126#else
127#define selinux_enforcing_boot 1
128#endif
129
130int selinux_enabled_boot __initdata = 1;
131#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
132static int __init selinux_enabled_setup(char *str)
133{
134 unsigned long enabled;
135 if (!kstrtoul(s: str, base: 0, res: &enabled))
136 selinux_enabled_boot = enabled ? 1 : 0;
137 return 1;
138}
139__setup("selinux=", selinux_enabled_setup);
140#endif
141
142static int __init checkreqprot_setup(char *str)
143{
144 unsigned long checkreqprot;
145
146 if (!kstrtoul(s: str, base: 0, res: &checkreqprot)) {
147 if (checkreqprot)
148 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n");
149 }
150 return 1;
151}
152__setup("checkreqprot=", checkreqprot_setup);
153
154/**
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156 *
157 * Description:
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
163 *
164 */
165static int selinux_secmark_enabled(void)
166{
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(v: &selinux_secmark_refcount));
169}
170
171/**
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173 *
174 * Description:
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
179 *
180 */
181static int selinux_peerlbl_enabled(void)
182{
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
185}
186
187static int selinux_netcache_avc_callback(u32 event)
188{
189 if (event == AVC_CALLBACK_RESET) {
190 sel_netif_flush();
191 sel_netnode_flush();
192 sel_netport_flush();
193 synchronize_net();
194 }
195 return 0;
196}
197
198static int selinux_lsm_notifier_avc_callback(u32 event)
199{
200 if (event == AVC_CALLBACK_RESET) {
201 sel_ib_pkey_flush();
202 call_blocking_lsm_notifier(event: LSM_POLICY_CHANGE, NULL);
203 }
204
205 return 0;
206}
207
208/*
209 * initialise the security for the init task
210 */
211static void cred_init_security(void)
212{
213 struct task_security_struct *tsec;
214
215 /* NOTE: the lsm framework zeros out the buffer on allocation */
216
217 tsec = selinux_cred(unrcu_pointer(current->real_cred));
218 tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL;
219}
220
221/*
222 * get the security ID of a set of credentials
223 */
224static inline u32 cred_sid(const struct cred *cred)
225{
226 const struct task_security_struct *tsec;
227
228 tsec = selinux_cred(cred);
229 return tsec->sid;
230}
231
232static void __ad_net_init(struct common_audit_data *ad,
233 struct lsm_network_audit *net,
234 int ifindex, struct sock *sk, u16 family)
235{
236 ad->type = LSM_AUDIT_DATA_NET;
237 ad->u.net = net;
238 net->netif = ifindex;
239 net->sk = sk;
240 net->family = family;
241}
242
243static void ad_net_init_from_sk(struct common_audit_data *ad,
244 struct lsm_network_audit *net,
245 struct sock *sk)
246{
247 __ad_net_init(ad, net, ifindex: 0, sk, family: 0);
248}
249
250static void ad_net_init_from_iif(struct common_audit_data *ad,
251 struct lsm_network_audit *net,
252 int ifindex, u16 family)
253{
254 __ad_net_init(ad, net, ifindex, NULL, family);
255}
256
257/*
258 * get the objective security ID of a task
259 */
260static inline u32 task_sid_obj(const struct task_struct *task)
261{
262 u32 sid;
263
264 rcu_read_lock();
265 sid = cred_sid(__task_cred(task));
266 rcu_read_unlock();
267 return sid;
268}
269
270static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
271
272/*
273 * Try reloading inode security labels that have been marked as invalid. The
274 * @may_sleep parameter indicates when sleeping and thus reloading labels is
275 * allowed; when set to false, returns -ECHILD when the label is
276 * invalid. The @dentry parameter should be set to a dentry of the inode.
277 */
278static int __inode_security_revalidate(struct inode *inode,
279 struct dentry *dentry,
280 bool may_sleep)
281{
282 if (!selinux_initialized())
283 return 0;
284
285 if (may_sleep)
286 might_sleep();
287 else
288 return -ECHILD;
289
290 /*
291 * Check to ensure that an inode's SELinux state is valid and try
292 * reloading the inode security label if necessary. This will fail if
293 * @dentry is NULL and no dentry for this inode can be found; in that
294 * case, continue using the old label.
295 */
296 inode_doinit_with_dentry(inode, opt_dentry: dentry);
297 return 0;
298}
299
300static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
301{
302 return selinux_inode(inode);
303}
304
305static inline struct inode_security_struct *inode_security_rcu(struct inode *inode,
306 bool rcu)
307{
308 int rc;
309 struct inode_security_struct *isec = selinux_inode(inode);
310
311 /* check below is racy, but revalidate will recheck with lock held */
312 if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
313 return isec;
314 rc = __inode_security_revalidate(inode, NULL, may_sleep: !rcu);
315 if (rc)
316 return ERR_PTR(error: rc);
317 return isec;
318}
319
320/*
321 * Get the security label of an inode.
322 */
323static inline struct inode_security_struct *inode_security(struct inode *inode)
324{
325 struct inode_security_struct *isec = selinux_inode(inode);
326
327 /* check below is racy, but revalidate will recheck with lock held */
328 if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
329 return isec;
330 __inode_security_revalidate(inode, NULL, may_sleep: true);
331 return isec;
332}
333
334static inline struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
335{
336 return selinux_inode(inode: d_backing_inode(upper: dentry));
337}
338
339/*
340 * Get the security label of a dentry's backing inode.
341 */
342static inline struct inode_security_struct *backing_inode_security(struct dentry *dentry)
343{
344 struct inode *inode = d_backing_inode(upper: dentry);
345 struct inode_security_struct *isec = selinux_inode(inode);
346
347 /* check below is racy, but revalidate will recheck with lock held */
348 if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
349 return isec;
350 __inode_security_revalidate(inode, dentry, may_sleep: true);
351 return isec;
352}
353
354static void inode_free_security(struct inode *inode)
355{
356 struct inode_security_struct *isec = selinux_inode(inode);
357 struct superblock_security_struct *sbsec;
358
359 if (!isec)
360 return;
361 sbsec = selinux_superblock(superblock: inode->i_sb);
362 /*
363 * As not all inode security structures are in a list, we check for
364 * empty list outside of the lock to make sure that we won't waste
365 * time taking a lock doing nothing.
366 *
367 * The list_del_init() function can be safely called more than once.
368 * It should not be possible for this function to be called with
369 * concurrent list_add(), but for better safety against future changes
370 * in the code, we use list_empty_careful() here.
371 */
372 if (!list_empty_careful(head: &isec->list)) {
373 spin_lock(lock: &sbsec->isec_lock);
374 list_del_init(entry: &isec->list);
375 spin_unlock(lock: &sbsec->isec_lock);
376 }
377}
378
379struct selinux_mnt_opts {
380 u32 fscontext_sid;
381 u32 context_sid;
382 u32 rootcontext_sid;
383 u32 defcontext_sid;
384};
385
386static void selinux_free_mnt_opts(void *mnt_opts)
387{
388 kfree(objp: mnt_opts);
389}
390
391enum {
392 Opt_error = -1,
393 Opt_context = 0,
394 Opt_defcontext = 1,
395 Opt_fscontext = 2,
396 Opt_rootcontext = 3,
397 Opt_seclabel = 4,
398};
399
400#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
401static const struct {
402 const char *name;
403 int len;
404 int opt;
405 bool has_arg;
406} tokens[] = {
407 A(context, true),
408 A(fscontext, true),
409 A(defcontext, true),
410 A(rootcontext, true),
411 A(seclabel, false),
412};
413#undef A
414
415static int match_opt_prefix(char *s, int l, char **arg)
416{
417 unsigned int i;
418
419 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
420 size_t len = tokens[i].len;
421 if (len > l || memcmp(s, tokens[i].name, len))
422 continue;
423 if (tokens[i].has_arg) {
424 if (len == l || s[len] != '=')
425 continue;
426 *arg = s + len + 1;
427 } else if (len != l)
428 continue;
429 return tokens[i].opt;
430 }
431 return Opt_error;
432}
433
434#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
435
436static int may_context_mount_sb_relabel(u32 sid,
437 struct superblock_security_struct *sbsec,
438 const struct cred *cred)
439{
440 const struct task_security_struct *tsec = selinux_cred(cred);
441 int rc;
442
443 rc = avc_has_perm(ssid: tsec->sid, tsid: sbsec->sid, SECCLASS_FILESYSTEM,
444 FILESYSTEM__RELABELFROM, NULL);
445 if (rc)
446 return rc;
447
448 rc = avc_has_perm(ssid: tsec->sid, tsid: sid, SECCLASS_FILESYSTEM,
449 FILESYSTEM__RELABELTO, NULL);
450 return rc;
451}
452
453static int may_context_mount_inode_relabel(u32 sid,
454 struct superblock_security_struct *sbsec,
455 const struct cred *cred)
456{
457 const struct task_security_struct *tsec = selinux_cred(cred);
458 int rc;
459 rc = avc_has_perm(ssid: tsec->sid, tsid: sbsec->sid, SECCLASS_FILESYSTEM,
460 FILESYSTEM__RELABELFROM, NULL);
461 if (rc)
462 return rc;
463
464 rc = avc_has_perm(ssid: sid, tsid: sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__ASSOCIATE, NULL);
466 return rc;
467}
468
469static int selinux_is_genfs_special_handling(struct super_block *sb)
470{
471 /* Special handling. Genfs but also in-core setxattr handler */
472 return !strcmp(sb->s_type->name, "sysfs") ||
473 !strcmp(sb->s_type->name, "pstore") ||
474 !strcmp(sb->s_type->name, "debugfs") ||
475 !strcmp(sb->s_type->name, "tracefs") ||
476 !strcmp(sb->s_type->name, "rootfs") ||
477 (selinux_policycap_cgroupseclabel() &&
478 (!strcmp(sb->s_type->name, "cgroup") ||
479 !strcmp(sb->s_type->name, "cgroup2"))) ||
480 (selinux_policycap_functionfs_seclabel() &&
481 !strcmp(sb->s_type->name, "functionfs"));
482}
483
484static int selinux_is_sblabel_mnt(struct super_block *sb)
485{
486 struct superblock_security_struct *sbsec = selinux_superblock(superblock: sb);
487
488 /*
489 * IMPORTANT: Double-check logic in this function when adding a new
490 * SECURITY_FS_USE_* definition!
491 */
492 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
493
494 switch (sbsec->behavior) {
495 case SECURITY_FS_USE_XATTR:
496 case SECURITY_FS_USE_TRANS:
497 case SECURITY_FS_USE_TASK:
498 case SECURITY_FS_USE_NATIVE:
499 return 1;
500
501 case SECURITY_FS_USE_GENFS:
502 return selinux_is_genfs_special_handling(sb);
503
504 /* Never allow relabeling on context mounts */
505 case SECURITY_FS_USE_MNTPOINT:
506 case SECURITY_FS_USE_NONE:
507 default:
508 return 0;
509 }
510}
511
512static int sb_check_xattr_support(struct super_block *sb)
513{
514 struct superblock_security_struct *sbsec = selinux_superblock(superblock: sb);
515 struct dentry *root = sb->s_root;
516 struct inode *root_inode = d_backing_inode(upper: root);
517 u32 sid;
518 int rc;
519
520 /*
521 * Make sure that the xattr handler exists and that no
522 * error other than -ENODATA is returned by getxattr on
523 * the root directory. -ENODATA is ok, as this may be
524 * the first boot of the SELinux kernel before we have
525 * assigned xattr values to the filesystem.
526 */
527 if (!(root_inode->i_opflags & IOP_XATTR)) {
528 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
529 sb->s_id, sb->s_type->name);
530 goto fallback;
531 }
532
533 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
534 if (rc < 0 && rc != -ENODATA) {
535 if (rc == -EOPNOTSUPP) {
536 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
537 sb->s_id, sb->s_type->name);
538 goto fallback;
539 } else {
540 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
541 sb->s_id, sb->s_type->name, -rc);
542 return rc;
543 }
544 }
545 return 0;
546
547fallback:
548 /* No xattr support - try to fallback to genfs if possible. */
549 rc = security_genfs_sid(fstype: sb->s_type->name, path: "/",
550 SECCLASS_DIR, sid: &sid);
551 if (rc)
552 return -EOPNOTSUPP;
553
554 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
555 sb->s_id, sb->s_type->name);
556 sbsec->behavior = SECURITY_FS_USE_GENFS;
557 sbsec->sid = sid;
558 return 0;
559}
560
561static int sb_finish_set_opts(struct super_block *sb)
562{
563 struct superblock_security_struct *sbsec = selinux_superblock(superblock: sb);
564 struct dentry *root = sb->s_root;
565 struct inode *root_inode = d_backing_inode(upper: root);
566 int rc = 0;
567
568 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
569 rc = sb_check_xattr_support(sb);
570 if (rc)
571 return rc;
572 }
573
574 sbsec->flags |= SE_SBINITIALIZED;
575
576 /*
577 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
578 * leave the flag untouched because sb_clone_mnt_opts might be handing
579 * us a superblock that needs the flag to be cleared.
580 */
581 if (selinux_is_sblabel_mnt(sb))
582 sbsec->flags |= SBLABEL_MNT;
583 else
584 sbsec->flags &= ~SBLABEL_MNT;
585
586 /* Initialize the root inode. */
587 rc = inode_doinit_with_dentry(inode: root_inode, opt_dentry: root);
588
589 /* Initialize any other inodes associated with the superblock, e.g.
590 inodes created prior to initial policy load or inodes created
591 during get_sb by a pseudo filesystem that directly
592 populates itself. */
593 spin_lock(lock: &sbsec->isec_lock);
594 while (!list_empty(head: &sbsec->isec_head)) {
595 struct inode_security_struct *isec =
596 list_first_entry(&sbsec->isec_head,
597 struct inode_security_struct, list);
598 struct inode *inode = isec->inode;
599 list_del_init(entry: &isec->list);
600 spin_unlock(lock: &sbsec->isec_lock);
601 inode = igrab(inode);
602 if (inode) {
603 if (!IS_PRIVATE(inode))
604 inode_doinit_with_dentry(inode, NULL);
605 iput(inode);
606 }
607 spin_lock(lock: &sbsec->isec_lock);
608 }
609 spin_unlock(lock: &sbsec->isec_lock);
610 return rc;
611}
612
613static int bad_option(struct superblock_security_struct *sbsec, char flag,
614 u32 old_sid, u32 new_sid)
615{
616 char mnt_flags = sbsec->flags & SE_MNTMASK;
617
618 /* check if the old mount command had the same options */
619 if (sbsec->flags & SE_SBINITIALIZED)
620 if (!(sbsec->flags & flag) ||
621 (old_sid != new_sid))
622 return 1;
623
624 /* check if we were passed the same options twice,
625 * aka someone passed context=a,context=b
626 */
627 if (!(sbsec->flags & SE_SBINITIALIZED))
628 if (mnt_flags & flag)
629 return 1;
630 return 0;
631}
632
633/*
634 * Allow filesystems with binary mount data to explicitly set mount point
635 * labeling information.
636 */
637static int selinux_set_mnt_opts(struct super_block *sb,
638 void *mnt_opts,
639 unsigned long kern_flags,
640 unsigned long *set_kern_flags)
641{
642 const struct cred *cred = current_cred();
643 struct superblock_security_struct *sbsec = selinux_superblock(superblock: sb);
644 struct dentry *root = sb->s_root;
645 struct selinux_mnt_opts *opts = mnt_opts;
646 struct inode_security_struct *root_isec;
647 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
648 u32 defcontext_sid = 0;
649 int rc = 0;
650
651 /*
652 * Specifying internal flags without providing a place to
653 * place the results is not allowed
654 */
655 if (kern_flags && !set_kern_flags)
656 return -EINVAL;
657
658 mutex_lock(lock: &sbsec->lock);
659
660 if (!selinux_initialized()) {
661 if (!opts) {
662 /* Defer initialization until selinux_complete_init,
663 after the initial policy is loaded and the security
664 server is ready to handle calls. */
665 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
666 sbsec->flags |= SE_SBNATIVE;
667 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
668 }
669 goto out;
670 }
671 rc = -EINVAL;
672 pr_warn("SELinux: Unable to set superblock options "
673 "before the security server is initialized\n");
674 goto out;
675 }
676
677 /*
678 * Binary mount data FS will come through this function twice. Once
679 * from an explicit call and once from the generic calls from the vfs.
680 * Since the generic VFS calls will not contain any security mount data
681 * we need to skip the double mount verification.
682 *
683 * This does open a hole in which we will not notice if the first
684 * mount using this sb set explicit options and a second mount using
685 * this sb does not set any security options. (The first options
686 * will be used for both mounts)
687 */
688 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
689 && !opts)
690 goto out;
691
692 root_isec = backing_inode_security_novalidate(dentry: root);
693
694 /*
695 * parse the mount options, check if they are valid sids.
696 * also check if someone is trying to mount the same sb more
697 * than once with different security options.
698 */
699 if (opts) {
700 if (opts->fscontext_sid) {
701 fscontext_sid = opts->fscontext_sid;
702 if (bad_option(sbsec, FSCONTEXT_MNT, old_sid: sbsec->sid,
703 new_sid: fscontext_sid))
704 goto out_double_mount;
705 sbsec->flags |= FSCONTEXT_MNT;
706 }
707 if (opts->context_sid) {
708 context_sid = opts->context_sid;
709 if (bad_option(sbsec, CONTEXT_MNT, old_sid: sbsec->mntpoint_sid,
710 new_sid: context_sid))
711 goto out_double_mount;
712 sbsec->flags |= CONTEXT_MNT;
713 }
714 if (opts->rootcontext_sid) {
715 rootcontext_sid = opts->rootcontext_sid;
716 if (bad_option(sbsec, ROOTCONTEXT_MNT, old_sid: root_isec->sid,
717 new_sid: rootcontext_sid))
718 goto out_double_mount;
719 sbsec->flags |= ROOTCONTEXT_MNT;
720 }
721 if (opts->defcontext_sid) {
722 defcontext_sid = opts->defcontext_sid;
723 if (bad_option(sbsec, DEFCONTEXT_MNT, old_sid: sbsec->def_sid,
724 new_sid: defcontext_sid))
725 goto out_double_mount;
726 sbsec->flags |= DEFCONTEXT_MNT;
727 }
728 }
729
730 if (sbsec->flags & SE_SBINITIALIZED) {
731 /* previously mounted with options, but not on this attempt? */
732 if ((sbsec->flags & SE_MNTMASK) && !opts)
733 goto out_double_mount;
734 rc = 0;
735 goto out;
736 }
737
738 if (strcmp(sb->s_type->name, "proc") == 0)
739 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
740
741 if (!strcmp(sb->s_type->name, "debugfs") ||
742 !strcmp(sb->s_type->name, "tracefs") ||
743 !strcmp(sb->s_type->name, "binder") ||
744 !strcmp(sb->s_type->name, "bpf") ||
745 !strcmp(sb->s_type->name, "pstore") ||
746 !strcmp(sb->s_type->name, "securityfs") ||
747 (selinux_policycap_functionfs_seclabel() &&
748 !strcmp(sb->s_type->name, "functionfs")))
749 sbsec->flags |= SE_SBGENFS;
750
751 if (!strcmp(sb->s_type->name, "sysfs") ||
752 !strcmp(sb->s_type->name, "cgroup") ||
753 !strcmp(sb->s_type->name, "cgroup2"))
754 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
755
756 if (!sbsec->behavior) {
757 /*
758 * Determine the labeling behavior to use for this
759 * filesystem type.
760 */
761 rc = security_fs_use(sb);
762 if (rc) {
763 pr_warn("%s: security_fs_use(%s) returned %d\n",
764 __func__, sb->s_type->name, rc);
765 goto out;
766 }
767 }
768
769 /*
770 * If this is a user namespace mount and the filesystem type is not
771 * explicitly whitelisted, then no contexts are allowed on the command
772 * line and security labels must be ignored.
773 */
774 if (sb->s_user_ns != &init_user_ns &&
775 strcmp(sb->s_type->name, "tmpfs") &&
776 strcmp(sb->s_type->name, "ramfs") &&
777 strcmp(sb->s_type->name, "devpts") &&
778 strcmp(sb->s_type->name, "overlay")) {
779 if (context_sid || fscontext_sid || rootcontext_sid ||
780 defcontext_sid) {
781 rc = -EACCES;
782 goto out;
783 }
784 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
785 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
786 rc = security_transition_sid(ssid: current_sid(),
787 tsid: current_sid(),
788 SECCLASS_FILE, NULL,
789 out_sid: &sbsec->mntpoint_sid);
790 if (rc)
791 goto out;
792 }
793 goto out_set_opts;
794 }
795
796 /* sets the context of the superblock for the fs being mounted. */
797 if (fscontext_sid) {
798 rc = may_context_mount_sb_relabel(sid: fscontext_sid, sbsec, cred);
799 if (rc)
800 goto out;
801
802 sbsec->sid = fscontext_sid;
803 }
804
805 /*
806 * Switch to using mount point labeling behavior.
807 * sets the label used on all file below the mountpoint, and will set
808 * the superblock context if not already set.
809 */
810 if (sbsec->flags & SE_SBNATIVE) {
811 /*
812 * This means we are initializing a superblock that has been
813 * mounted before the SELinux was initialized and the
814 * filesystem requested native labeling. We had already
815 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
816 * in the original mount attempt, so now we just need to set
817 * the SECURITY_FS_USE_NATIVE behavior.
818 */
819 sbsec->behavior = SECURITY_FS_USE_NATIVE;
820 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
821 sbsec->behavior = SECURITY_FS_USE_NATIVE;
822 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
823 }
824
825 if (context_sid) {
826 if (!fscontext_sid) {
827 rc = may_context_mount_sb_relabel(sid: context_sid, sbsec,
828 cred);
829 if (rc)
830 goto out;
831 sbsec->sid = context_sid;
832 } else {
833 rc = may_context_mount_inode_relabel(sid: context_sid, sbsec,
834 cred);
835 if (rc)
836 goto out;
837 }
838 if (!rootcontext_sid)
839 rootcontext_sid = context_sid;
840
841 sbsec->mntpoint_sid = context_sid;
842 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
843 }
844
845 if (rootcontext_sid) {
846 rc = may_context_mount_inode_relabel(sid: rootcontext_sid, sbsec,
847 cred);
848 if (rc)
849 goto out;
850
851 root_isec->sid = rootcontext_sid;
852 root_isec->initialized = LABEL_INITIALIZED;
853 }
854
855 if (defcontext_sid) {
856 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
857 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
858 rc = -EINVAL;
859 pr_warn("SELinux: defcontext option is "
860 "invalid for this filesystem type\n");
861 goto out;
862 }
863
864 if (defcontext_sid != sbsec->def_sid) {
865 rc = may_context_mount_inode_relabel(sid: defcontext_sid,
866 sbsec, cred);
867 if (rc)
868 goto out;
869 }
870
871 sbsec->def_sid = defcontext_sid;
872 }
873
874out_set_opts:
875 rc = sb_finish_set_opts(sb);
876out:
877 mutex_unlock(lock: &sbsec->lock);
878 return rc;
879out_double_mount:
880 rc = -EINVAL;
881 pr_warn("SELinux: mount invalid. Same superblock, different "
882 "security settings for (dev %s, type %s)\n", sb->s_id,
883 sb->s_type->name);
884 goto out;
885}
886
887static int selinux_cmp_sb_context(const struct super_block *oldsb,
888 const struct super_block *newsb)
889{
890 struct superblock_security_struct *old = selinux_superblock(superblock: oldsb);
891 struct superblock_security_struct *new = selinux_superblock(superblock: newsb);
892 char oldflags = old->flags & SE_MNTMASK;
893 char newflags = new->flags & SE_MNTMASK;
894
895 if (oldflags != newflags)
896 goto mismatch;
897 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
898 goto mismatch;
899 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
900 goto mismatch;
901 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
902 goto mismatch;
903 if (oldflags & ROOTCONTEXT_MNT) {
904 struct inode_security_struct *oldroot = backing_inode_security(dentry: oldsb->s_root);
905 struct inode_security_struct *newroot = backing_inode_security(dentry: newsb->s_root);
906 if (oldroot->sid != newroot->sid)
907 goto mismatch;
908 }
909 return 0;
910mismatch:
911 pr_warn("SELinux: mount invalid. Same superblock, "
912 "different security settings for (dev %s, "
913 "type %s)\n", newsb->s_id, newsb->s_type->name);
914 return -EBUSY;
915}
916
917static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
918 struct super_block *newsb,
919 unsigned long kern_flags,
920 unsigned long *set_kern_flags)
921{
922 int rc = 0;
923 const struct superblock_security_struct *oldsbsec =
924 selinux_superblock(superblock: oldsb);
925 struct superblock_security_struct *newsbsec = selinux_superblock(superblock: newsb);
926
927 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
928 int set_context = (oldsbsec->flags & CONTEXT_MNT);
929 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
930
931 /*
932 * Specifying internal flags without providing a place to
933 * place the results is not allowed.
934 */
935 if (kern_flags && !set_kern_flags)
936 return -EINVAL;
937
938 mutex_lock(lock: &newsbsec->lock);
939
940 /*
941 * if the parent was able to be mounted it clearly had no special lsm
942 * mount options. thus we can safely deal with this superblock later
943 */
944 if (!selinux_initialized()) {
945 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
946 newsbsec->flags |= SE_SBNATIVE;
947 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
948 }
949 goto out;
950 }
951
952 /* how can we clone if the old one wasn't set up?? */
953 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
954
955 /* if fs is reusing a sb, make sure that the contexts match */
956 if (newsbsec->flags & SE_SBINITIALIZED) {
957 mutex_unlock(lock: &newsbsec->lock);
958 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
959 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
960 return selinux_cmp_sb_context(oldsb, newsb);
961 }
962
963 newsbsec->flags = oldsbsec->flags;
964
965 newsbsec->sid = oldsbsec->sid;
966 newsbsec->def_sid = oldsbsec->def_sid;
967 newsbsec->behavior = oldsbsec->behavior;
968
969 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
970 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
971 rc = security_fs_use(sb: newsb);
972 if (rc)
973 goto out;
974 }
975
976 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
977 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
978 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
979 }
980
981 if (set_context) {
982 u32 sid = oldsbsec->mntpoint_sid;
983
984 if (!set_fscontext)
985 newsbsec->sid = sid;
986 if (!set_rootcontext) {
987 struct inode_security_struct *newisec = backing_inode_security(dentry: newsb->s_root);
988 newisec->sid = sid;
989 }
990 newsbsec->mntpoint_sid = sid;
991 }
992 if (set_rootcontext) {
993 const struct inode_security_struct *oldisec = backing_inode_security(dentry: oldsb->s_root);
994 struct inode_security_struct *newisec = backing_inode_security(dentry: newsb->s_root);
995
996 newisec->sid = oldisec->sid;
997 }
998
999 sb_finish_set_opts(sb: newsb);
1000out:
1001 mutex_unlock(lock: &newsbsec->lock);
1002 return rc;
1003}
1004
1005/*
1006 * NOTE: the caller is responsible for freeing the memory even if on error.
1007 */
1008static int selinux_add_opt(int token, const char *s, void **mnt_opts)
1009{
1010 struct selinux_mnt_opts *opts = *mnt_opts;
1011 u32 *dst_sid;
1012 int rc;
1013
1014 if (token == Opt_seclabel)
1015 /* eaten and completely ignored */
1016 return 0;
1017 if (!s)
1018 return -EINVAL;
1019
1020 if (!selinux_initialized()) {
1021 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1022 return -EINVAL;
1023 }
1024
1025 if (!opts) {
1026 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
1027 if (!opts)
1028 return -ENOMEM;
1029 *mnt_opts = opts;
1030 }
1031
1032 switch (token) {
1033 case Opt_context:
1034 if (opts->context_sid || opts->defcontext_sid)
1035 goto err;
1036 dst_sid = &opts->context_sid;
1037 break;
1038 case Opt_fscontext:
1039 if (opts->fscontext_sid)
1040 goto err;
1041 dst_sid = &opts->fscontext_sid;
1042 break;
1043 case Opt_rootcontext:
1044 if (opts->rootcontext_sid)
1045 goto err;
1046 dst_sid = &opts->rootcontext_sid;
1047 break;
1048 case Opt_defcontext:
1049 if (opts->context_sid || opts->defcontext_sid)
1050 goto err;
1051 dst_sid = &opts->defcontext_sid;
1052 break;
1053 default:
1054 WARN_ON(1);
1055 return -EINVAL;
1056 }
1057 rc = security_context_str_to_sid(scontext: s, out_sid: dst_sid, GFP_KERNEL);
1058 if (rc)
1059 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1060 s, rc);
1061 return rc;
1062
1063err:
1064 pr_warn(SEL_MOUNT_FAIL_MSG);
1065 return -EINVAL;
1066}
1067
1068static int show_sid(struct seq_file *m, u32 sid)
1069{
1070 char *context = NULL;
1071 u32 len;
1072 int rc;
1073
1074 rc = security_sid_to_context(sid, scontext: &context, scontext_len: &len);
1075 if (!rc) {
1076 bool has_comma = strchr(context, ',');
1077
1078 seq_putc(m, c: '=');
1079 if (has_comma)
1080 seq_putc(m, c: '\"');
1081 seq_escape(m, s: context, esc: "\"\n\\");
1082 if (has_comma)
1083 seq_putc(m, c: '\"');
1084 }
1085 kfree(objp: context);
1086 return rc;
1087}
1088
1089static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1090{
1091 struct superblock_security_struct *sbsec = selinux_superblock(superblock: sb);
1092 int rc;
1093
1094 if (!(sbsec->flags & SE_SBINITIALIZED))
1095 return 0;
1096
1097 if (!selinux_initialized())
1098 return 0;
1099
1100 if (sbsec->flags & FSCONTEXT_MNT) {
1101 seq_putc(m, c: ',');
1102 seq_puts(m, FSCONTEXT_STR);
1103 rc = show_sid(m, sid: sbsec->sid);
1104 if (rc)
1105 return rc;
1106 }
1107 if (sbsec->flags & CONTEXT_MNT) {
1108 seq_putc(m, c: ',');
1109 seq_puts(m, CONTEXT_STR);
1110 rc = show_sid(m, sid: sbsec->mntpoint_sid);
1111 if (rc)
1112 return rc;
1113 }
1114 if (sbsec->flags & DEFCONTEXT_MNT) {
1115 seq_putc(m, c: ',');
1116 seq_puts(m, DEFCONTEXT_STR);
1117 rc = show_sid(m, sid: sbsec->def_sid);
1118 if (rc)
1119 return rc;
1120 }
1121 if (sbsec->flags & ROOTCONTEXT_MNT) {
1122 struct dentry *root = sb->s_root;
1123 struct inode_security_struct *isec = backing_inode_security(dentry: root);
1124 seq_putc(m, c: ',');
1125 seq_puts(m, ROOTCONTEXT_STR);
1126 rc = show_sid(m, sid: isec->sid);
1127 if (rc)
1128 return rc;
1129 }
1130 if (sbsec->flags & SBLABEL_MNT) {
1131 seq_putc(m, c: ',');
1132 seq_puts(m, SECLABEL_STR);
1133 }
1134 return 0;
1135}
1136
1137static inline u16 inode_mode_to_security_class(umode_t mode)
1138{
1139 switch (mode & S_IFMT) {
1140 case S_IFSOCK:
1141 return SECCLASS_SOCK_FILE;
1142 case S_IFLNK:
1143 return SECCLASS_LNK_FILE;
1144 case S_IFREG:
1145 return SECCLASS_FILE;
1146 case S_IFBLK:
1147 return SECCLASS_BLK_FILE;
1148 case S_IFDIR:
1149 return SECCLASS_DIR;
1150 case S_IFCHR:
1151 return SECCLASS_CHR_FILE;
1152 case S_IFIFO:
1153 return SECCLASS_FIFO_FILE;
1154
1155 }
1156
1157 return SECCLASS_FILE;
1158}
1159
1160static inline int default_protocol_stream(int protocol)
1161{
1162 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1163 protocol == IPPROTO_MPTCP);
1164}
1165
1166static inline int default_protocol_dgram(int protocol)
1167{
1168 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1169}
1170
1171static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1172{
1173 bool extsockclass = selinux_policycap_extsockclass();
1174
1175 switch (family) {
1176 case PF_UNIX:
1177 switch (type) {
1178 case SOCK_STREAM:
1179 case SOCK_SEQPACKET:
1180 return SECCLASS_UNIX_STREAM_SOCKET;
1181 case SOCK_DGRAM:
1182 case SOCK_RAW:
1183 return SECCLASS_UNIX_DGRAM_SOCKET;
1184 }
1185 break;
1186 case PF_INET:
1187 case PF_INET6:
1188 switch (type) {
1189 case SOCK_STREAM:
1190 case SOCK_SEQPACKET:
1191 if (default_protocol_stream(protocol))
1192 return SECCLASS_TCP_SOCKET;
1193 else if (extsockclass && protocol == IPPROTO_SCTP)
1194 return SECCLASS_SCTP_SOCKET;
1195 else
1196 return SECCLASS_RAWIP_SOCKET;
1197 case SOCK_DGRAM:
1198 if (default_protocol_dgram(protocol))
1199 return SECCLASS_UDP_SOCKET;
1200 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1201 protocol == IPPROTO_ICMPV6))
1202 return SECCLASS_ICMP_SOCKET;
1203 else
1204 return SECCLASS_RAWIP_SOCKET;
1205 default:
1206 return SECCLASS_RAWIP_SOCKET;
1207 }
1208 break;
1209 case PF_NETLINK:
1210 switch (protocol) {
1211 case NETLINK_ROUTE:
1212 return SECCLASS_NETLINK_ROUTE_SOCKET;
1213 case NETLINK_SOCK_DIAG:
1214 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1215 case NETLINK_NFLOG:
1216 return SECCLASS_NETLINK_NFLOG_SOCKET;
1217 case NETLINK_XFRM:
1218 return SECCLASS_NETLINK_XFRM_SOCKET;
1219 case NETLINK_SELINUX:
1220 return SECCLASS_NETLINK_SELINUX_SOCKET;
1221 case NETLINK_ISCSI:
1222 return SECCLASS_NETLINK_ISCSI_SOCKET;
1223 case NETLINK_AUDIT:
1224 return SECCLASS_NETLINK_AUDIT_SOCKET;
1225 case NETLINK_FIB_LOOKUP:
1226 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1227 case NETLINK_CONNECTOR:
1228 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1229 case NETLINK_NETFILTER:
1230 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1231 case NETLINK_DNRTMSG:
1232 return SECCLASS_NETLINK_DNRT_SOCKET;
1233 case NETLINK_KOBJECT_UEVENT:
1234 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1235 case NETLINK_GENERIC:
1236 return SECCLASS_NETLINK_GENERIC_SOCKET;
1237 case NETLINK_SCSITRANSPORT:
1238 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1239 case NETLINK_RDMA:
1240 return SECCLASS_NETLINK_RDMA_SOCKET;
1241 case NETLINK_CRYPTO:
1242 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1243 default:
1244 return SECCLASS_NETLINK_SOCKET;
1245 }
1246 case PF_PACKET:
1247 return SECCLASS_PACKET_SOCKET;
1248 case PF_KEY:
1249 return SECCLASS_KEY_SOCKET;
1250 case PF_APPLETALK:
1251 return SECCLASS_APPLETALK_SOCKET;
1252 }
1253
1254 if (extsockclass) {
1255 switch (family) {
1256 case PF_AX25:
1257 return SECCLASS_AX25_SOCKET;
1258 case PF_IPX:
1259 return SECCLASS_IPX_SOCKET;
1260 case PF_NETROM:
1261 return SECCLASS_NETROM_SOCKET;
1262 case PF_ATMPVC:
1263 return SECCLASS_ATMPVC_SOCKET;
1264 case PF_X25:
1265 return SECCLASS_X25_SOCKET;
1266 case PF_ROSE:
1267 return SECCLASS_ROSE_SOCKET;
1268 case PF_DECnet:
1269 return SECCLASS_DECNET_SOCKET;
1270 case PF_ATMSVC:
1271 return SECCLASS_ATMSVC_SOCKET;
1272 case PF_RDS:
1273 return SECCLASS_RDS_SOCKET;
1274 case PF_IRDA:
1275 return SECCLASS_IRDA_SOCKET;
1276 case PF_PPPOX:
1277 return SECCLASS_PPPOX_SOCKET;
1278 case PF_LLC:
1279 return SECCLASS_LLC_SOCKET;
1280 case PF_CAN:
1281 return SECCLASS_CAN_SOCKET;
1282 case PF_TIPC:
1283 return SECCLASS_TIPC_SOCKET;
1284 case PF_BLUETOOTH:
1285 return SECCLASS_BLUETOOTH_SOCKET;
1286 case PF_IUCV:
1287 return SECCLASS_IUCV_SOCKET;
1288 case PF_RXRPC:
1289 return SECCLASS_RXRPC_SOCKET;
1290 case PF_ISDN:
1291 return SECCLASS_ISDN_SOCKET;
1292 case PF_PHONET:
1293 return SECCLASS_PHONET_SOCKET;
1294 case PF_IEEE802154:
1295 return SECCLASS_IEEE802154_SOCKET;
1296 case PF_CAIF:
1297 return SECCLASS_CAIF_SOCKET;
1298 case PF_ALG:
1299 return SECCLASS_ALG_SOCKET;
1300 case PF_NFC:
1301 return SECCLASS_NFC_SOCKET;
1302 case PF_VSOCK:
1303 return SECCLASS_VSOCK_SOCKET;
1304 case PF_KCM:
1305 return SECCLASS_KCM_SOCKET;
1306 case PF_QIPCRTR:
1307 return SECCLASS_QIPCRTR_SOCKET;
1308 case PF_SMC:
1309 return SECCLASS_SMC_SOCKET;
1310 case PF_XDP:
1311 return SECCLASS_XDP_SOCKET;
1312 case PF_MCTP:
1313 return SECCLASS_MCTP_SOCKET;
1314#if PF_MAX > 46
1315#error New address family defined, please update this function.
1316#endif
1317 }
1318 }
1319
1320 return SECCLASS_SOCKET;
1321}
1322
1323static int selinux_genfs_get_sid(struct dentry *dentry,
1324 u16 tclass,
1325 u16 flags,
1326 u32 *sid)
1327{
1328 int rc;
1329 struct super_block *sb = dentry->d_sb;
1330 char *buffer, *path;
1331
1332 buffer = (char *)__get_free_page(GFP_KERNEL);
1333 if (!buffer)
1334 return -ENOMEM;
1335
1336 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1337 if (IS_ERR(ptr: path))
1338 rc = PTR_ERR(ptr: path);
1339 else {
1340 if (flags & SE_SBPROC) {
1341 /* each process gets a /proc/PID/ entry. Strip off the
1342 * PID part to get a valid selinux labeling.
1343 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1344 while (path[1] >= '0' && path[1] <= '9') {
1345 path[1] = '/';
1346 path++;
1347 }
1348 }
1349 rc = security_genfs_sid(fstype: sb->s_type->name,
1350 path, sclass: tclass, sid);
1351 if (rc == -ENOENT) {
1352 /* No match in policy, mark as unlabeled. */
1353 *sid = SECINITSID_UNLABELED;
1354 rc = 0;
1355 }
1356 }
1357 free_page((unsigned long)buffer);
1358 return rc;
1359}
1360
1361static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1362 u32 def_sid, u32 *sid)
1363{
1364#define INITCONTEXTLEN 255
1365 char *context;
1366 unsigned int len;
1367 int rc;
1368
1369 len = INITCONTEXTLEN;
1370 context = kmalloc(len + 1, GFP_NOFS);
1371 if (!context)
1372 return -ENOMEM;
1373
1374 context[len] = '\0';
1375 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1376 if (rc == -ERANGE) {
1377 kfree(objp: context);
1378
1379 /* Need a larger buffer. Query for the right size. */
1380 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1381 if (rc < 0)
1382 return rc;
1383
1384 len = rc;
1385 context = kmalloc(len + 1, GFP_NOFS);
1386 if (!context)
1387 return -ENOMEM;
1388
1389 context[len] = '\0';
1390 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1391 context, len);
1392 }
1393 if (rc < 0) {
1394 kfree(objp: context);
1395 if (rc != -ENODATA) {
1396 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1397 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1398 return rc;
1399 }
1400 *sid = def_sid;
1401 return 0;
1402 }
1403
1404 rc = security_context_to_sid_default(scontext: context, scontext_len: rc, out_sid: sid,
1405 def_sid, GFP_NOFS);
1406 if (rc) {
1407 char *dev = inode->i_sb->s_id;
1408 unsigned long ino = inode->i_ino;
1409
1410 if (rc == -EINVAL) {
1411 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1412 ino, dev, context);
1413 } else {
1414 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1415 __func__, context, -rc, dev, ino);
1416 }
1417 }
1418 kfree(objp: context);
1419 return 0;
1420}
1421
1422/* The inode's security attributes must be initialized before first use. */
1423static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1424{
1425 struct superblock_security_struct *sbsec = NULL;
1426 struct inode_security_struct *isec = selinux_inode(inode);
1427 u32 task_sid, sid = 0;
1428 u16 sclass;
1429 struct dentry *dentry;
1430 int rc = 0;
1431
1432 if (isec->initialized == LABEL_INITIALIZED)
1433 return 0;
1434
1435 spin_lock(lock: &isec->lock);
1436 if (isec->initialized == LABEL_INITIALIZED)
1437 goto out_unlock;
1438
1439 if (isec->sclass == SECCLASS_FILE)
1440 isec->sclass = inode_mode_to_security_class(mode: inode->i_mode);
1441
1442 sbsec = selinux_superblock(superblock: inode->i_sb);
1443 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1444 /* Defer initialization until selinux_complete_init,
1445 after the initial policy is loaded and the security
1446 server is ready to handle calls. */
1447 spin_lock(lock: &sbsec->isec_lock);
1448 if (list_empty(head: &isec->list))
1449 list_add(new: &isec->list, head: &sbsec->isec_head);
1450 spin_unlock(lock: &sbsec->isec_lock);
1451 goto out_unlock;
1452 }
1453
1454 sclass = isec->sclass;
1455 task_sid = isec->task_sid;
1456 sid = isec->sid;
1457 isec->initialized = LABEL_PENDING;
1458 spin_unlock(lock: &isec->lock);
1459
1460 switch (sbsec->behavior) {
1461 /*
1462 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1463 * via xattr when called from delayed_superblock_init().
1464 */
1465 case SECURITY_FS_USE_NATIVE:
1466 case SECURITY_FS_USE_XATTR:
1467 if (!(inode->i_opflags & IOP_XATTR)) {
1468 sid = sbsec->def_sid;
1469 break;
1470 }
1471 /* Need a dentry, since the xattr API requires one.
1472 Life would be simpler if we could just pass the inode. */
1473 if (opt_dentry) {
1474 /* Called from d_instantiate or d_splice_alias. */
1475 dentry = dget(dentry: opt_dentry);
1476 } else {
1477 /*
1478 * Called from selinux_complete_init, try to find a dentry.
1479 * Some filesystems really want a connected one, so try
1480 * that first. We could split SECURITY_FS_USE_XATTR in
1481 * two, depending upon that...
1482 */
1483 dentry = d_find_alias(inode);
1484 if (!dentry)
1485 dentry = d_find_any_alias(inode);
1486 }
1487 if (!dentry) {
1488 /*
1489 * this is can be hit on boot when a file is accessed
1490 * before the policy is loaded. When we load policy we
1491 * may find inodes that have no dentry on the
1492 * sbsec->isec_head list. No reason to complain as these
1493 * will get fixed up the next time we go through
1494 * inode_doinit with a dentry, before these inodes could
1495 * be used again by userspace.
1496 */
1497 goto out_invalid;
1498 }
1499
1500 rc = inode_doinit_use_xattr(inode, dentry, def_sid: sbsec->def_sid,
1501 sid: &sid);
1502 dput(dentry);
1503 if (rc)
1504 goto out;
1505 break;
1506 case SECURITY_FS_USE_TASK:
1507 sid = task_sid;
1508 break;
1509 case SECURITY_FS_USE_TRANS:
1510 /* Default to the fs SID. */
1511 sid = sbsec->sid;
1512
1513 /* Try to obtain a transition SID. */
1514 rc = security_transition_sid(ssid: task_sid, tsid: sid,
1515 tclass: sclass, NULL, out_sid: &sid);
1516 if (rc)
1517 goto out;
1518 break;
1519 case SECURITY_FS_USE_MNTPOINT:
1520 sid = sbsec->mntpoint_sid;
1521 break;
1522 default:
1523 /* Default to the fs superblock SID. */
1524 sid = sbsec->sid;
1525
1526 if ((sbsec->flags & SE_SBGENFS) &&
1527 (!S_ISLNK(inode->i_mode) ||
1528 selinux_policycap_genfs_seclabel_symlinks())) {
1529 /* We must have a dentry to determine the label on
1530 * procfs inodes */
1531 if (opt_dentry) {
1532 /* Called from d_instantiate or
1533 * d_splice_alias. */
1534 dentry = dget(dentry: opt_dentry);
1535 } else {
1536 /* Called from selinux_complete_init, try to
1537 * find a dentry. Some filesystems really want
1538 * a connected one, so try that first.
1539 */
1540 dentry = d_find_alias(inode);
1541 if (!dentry)
1542 dentry = d_find_any_alias(inode);
1543 }
1544 /*
1545 * This can be hit on boot when a file is accessed
1546 * before the policy is loaded. When we load policy we
1547 * may find inodes that have no dentry on the
1548 * sbsec->isec_head list. No reason to complain as
1549 * these will get fixed up the next time we go through
1550 * inode_doinit() with a dentry, before these inodes
1551 * could be used again by userspace.
1552 */
1553 if (!dentry)
1554 goto out_invalid;
1555 rc = selinux_genfs_get_sid(dentry, tclass: sclass,
1556 flags: sbsec->flags, sid: &sid);
1557 if (rc) {
1558 dput(dentry);
1559 goto out;
1560 }
1561
1562 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1563 (inode->i_opflags & IOP_XATTR)) {
1564 rc = inode_doinit_use_xattr(inode, dentry,
1565 def_sid: sid, sid: &sid);
1566 if (rc) {
1567 dput(dentry);
1568 goto out;
1569 }
1570 }
1571 dput(dentry);
1572 }
1573 break;
1574 }
1575
1576out:
1577 spin_lock(lock: &isec->lock);
1578 if (isec->initialized == LABEL_PENDING) {
1579 if (rc) {
1580 isec->initialized = LABEL_INVALID;
1581 goto out_unlock;
1582 }
1583 isec->initialized = LABEL_INITIALIZED;
1584 isec->sid = sid;
1585 }
1586
1587out_unlock:
1588 spin_unlock(lock: &isec->lock);
1589 return rc;
1590
1591out_invalid:
1592 spin_lock(lock: &isec->lock);
1593 if (isec->initialized == LABEL_PENDING) {
1594 isec->initialized = LABEL_INVALID;
1595 isec->sid = sid;
1596 }
1597 spin_unlock(lock: &isec->lock);
1598 return 0;
1599}
1600
1601/* Convert a Linux signal to an access vector. */
1602static inline u32 signal_to_av(int sig)
1603{
1604 u32 perm = 0;
1605
1606 switch (sig) {
1607 case SIGCHLD:
1608 /* Commonly granted from child to parent. */
1609 perm = PROCESS__SIGCHLD;
1610 break;
1611 case SIGKILL:
1612 /* Cannot be caught or ignored */
1613 perm = PROCESS__SIGKILL;
1614 break;
1615 case SIGSTOP:
1616 /* Cannot be caught or ignored */
1617 perm = PROCESS__SIGSTOP;
1618 break;
1619 default:
1620 /* All other signals. */
1621 perm = PROCESS__SIGNAL;
1622 break;
1623 }
1624
1625 return perm;
1626}
1627
1628#if CAP_LAST_CAP > 63
1629#error Fix SELinux to handle capabilities > 63.
1630#endif
1631
1632/* Check whether a task is allowed to use a capability. */
1633static int cred_has_capability(const struct cred *cred,
1634 int cap, unsigned int opts, bool initns)
1635{
1636 struct common_audit_data ad;
1637 struct av_decision avd;
1638 u16 sclass;
1639 u32 sid = cred_sid(cred);
1640 u32 av = CAP_TO_MASK(cap);
1641 int rc;
1642
1643 ad.type = LSM_AUDIT_DATA_CAP;
1644 ad.u.cap = cap;
1645
1646 switch (CAP_TO_INDEX(cap)) {
1647 case 0:
1648 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1649 break;
1650 case 1:
1651 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1652 break;
1653 default:
1654 pr_err("SELinux: out of range capability %d\n", cap);
1655 BUG();
1656 return -EINVAL;
1657 }
1658
1659 rc = avc_has_perm_noaudit(ssid: sid, tsid: sid, tclass: sclass, requested: av, flags: 0, avd: &avd);
1660 if (!(opts & CAP_OPT_NOAUDIT)) {
1661 int rc2 = avc_audit(ssid: sid, tsid: sid, tclass: sclass, requested: av, avd: &avd, result: rc, a: &ad);
1662 if (rc2)
1663 return rc2;
1664 }
1665 return rc;
1666}
1667
1668/* Check whether a task has a particular permission to an inode.
1669 The 'adp' parameter is optional and allows other audit
1670 data to be passed (e.g. the dentry). */
1671static int inode_has_perm(const struct cred *cred,
1672 struct inode *inode,
1673 u32 perms,
1674 struct common_audit_data *adp)
1675{
1676 struct inode_security_struct *isec;
1677 u32 sid;
1678
1679 if (unlikely(IS_PRIVATE(inode)))
1680 return 0;
1681
1682 sid = cred_sid(cred);
1683 isec = selinux_inode(inode);
1684
1685 return avc_has_perm(ssid: sid, tsid: isec->sid, tclass: isec->sclass, requested: perms, auditdata: adp);
1686}
1687
1688/* Same as inode_has_perm, but pass explicit audit data containing
1689 the dentry to help the auditing code to more easily generate the
1690 pathname if needed. */
1691static inline int dentry_has_perm(const struct cred *cred,
1692 struct dentry *dentry,
1693 u32 av)
1694{
1695 struct common_audit_data ad;
1696 struct inode *inode = d_backing_inode(upper: dentry);
1697 struct inode_security_struct *isec = selinux_inode(inode);
1698
1699 ad.type = LSM_AUDIT_DATA_DENTRY;
1700 ad.u.dentry = dentry;
1701 /* check below is racy, but revalidate will recheck with lock held */
1702 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED)))
1703 __inode_security_revalidate(inode, dentry, may_sleep: true);
1704 return inode_has_perm(cred, inode, perms: av, adp: &ad);
1705}
1706
1707/* Same as inode_has_perm, but pass explicit audit data containing
1708 the path to help the auditing code to more easily generate the
1709 pathname if needed. */
1710static inline int path_has_perm(const struct cred *cred,
1711 const struct path *path,
1712 u32 av)
1713{
1714 struct common_audit_data ad;
1715 struct inode *inode = d_backing_inode(upper: path->dentry);
1716 struct inode_security_struct *isec = selinux_inode(inode);
1717
1718 ad.type = LSM_AUDIT_DATA_PATH;
1719 ad.u.path = *path;
1720 /* check below is racy, but revalidate will recheck with lock held */
1721 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED)))
1722 __inode_security_revalidate(inode, dentry: path->dentry, may_sleep: true);
1723 return inode_has_perm(cred, inode, perms: av, adp: &ad);
1724}
1725
1726/* Same as path_has_perm, but uses the inode from the file struct. */
1727static inline int file_path_has_perm(const struct cred *cred,
1728 struct file *file,
1729 u32 av)
1730{
1731 struct common_audit_data ad;
1732
1733 ad.type = LSM_AUDIT_DATA_FILE;
1734 ad.u.file = file;
1735 return inode_has_perm(cred, inode: file_inode(f: file), perms: av, adp: &ad);
1736}
1737
1738#ifdef CONFIG_BPF_SYSCALL
1739static int bpf_fd_pass(const struct file *file, u32 sid);
1740#endif
1741
1742/* Check whether a task can use an open file descriptor to
1743 access an inode in a given way. Check access to the
1744 descriptor itself, and then use dentry_has_perm to
1745 check a particular permission to the file.
1746 Access to the descriptor is implicitly granted if it
1747 has the same SID as the process. If av is zero, then
1748 access to the file is not checked, e.g. for cases
1749 where only the descriptor is affected like seek. */
1750static int file_has_perm(const struct cred *cred,
1751 struct file *file,
1752 u32 av)
1753{
1754 struct file_security_struct *fsec = selinux_file(file);
1755 struct inode *inode = file_inode(f: file);
1756 struct common_audit_data ad;
1757 u32 sid = cred_sid(cred);
1758 int rc;
1759
1760 ad.type = LSM_AUDIT_DATA_FILE;
1761 ad.u.file = file;
1762
1763 if (sid != fsec->sid) {
1764 rc = avc_has_perm(ssid: sid, tsid: fsec->sid,
1765 SECCLASS_FD,
1766 FD__USE,
1767 auditdata: &ad);
1768 if (rc)
1769 goto out;
1770 }
1771
1772#ifdef CONFIG_BPF_SYSCALL
1773 rc = bpf_fd_pass(file, cred_sid(cred));
1774 if (rc)
1775 return rc;
1776#endif
1777
1778 /* av is zero if only checking access to the descriptor. */
1779 rc = 0;
1780 if (av)
1781 rc = inode_has_perm(cred, inode, perms: av, adp: &ad);
1782
1783out:
1784 return rc;
1785}
1786
1787/*
1788 * Determine the label for an inode that might be unioned.
1789 */
1790static int
1791selinux_determine_inode_label(const struct task_security_struct *tsec,
1792 struct inode *dir,
1793 const struct qstr *name, u16 tclass,
1794 u32 *_new_isid)
1795{
1796 const struct superblock_security_struct *sbsec =
1797 selinux_superblock(superblock: dir->i_sb);
1798
1799 if ((sbsec->flags & SE_SBINITIALIZED) &&
1800 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1801 *_new_isid = sbsec->mntpoint_sid;
1802 } else if ((sbsec->flags & SBLABEL_MNT) &&
1803 tsec->create_sid) {
1804 *_new_isid = tsec->create_sid;
1805 } else {
1806 const struct inode_security_struct *dsec = inode_security(inode: dir);
1807 return security_transition_sid(ssid: tsec->sid,
1808 tsid: dsec->sid, tclass,
1809 qstr: name, out_sid: _new_isid);
1810 }
1811
1812 return 0;
1813}
1814
1815/* Check whether a task can create a file. */
1816static int may_create(struct inode *dir,
1817 struct dentry *dentry,
1818 u16 tclass)
1819{
1820 const struct task_security_struct *tsec = selinux_cred(current_cred());
1821 struct inode_security_struct *dsec;
1822 struct superblock_security_struct *sbsec;
1823 u32 sid, newsid;
1824 struct common_audit_data ad;
1825 int rc;
1826
1827 dsec = inode_security(inode: dir);
1828 sbsec = selinux_superblock(superblock: dir->i_sb);
1829
1830 sid = tsec->sid;
1831
1832 ad.type = LSM_AUDIT_DATA_DENTRY;
1833 ad.u.dentry = dentry;
1834
1835 rc = avc_has_perm(ssid: sid, tsid: dsec->sid, SECCLASS_DIR,
1836 DIR__ADD_NAME | DIR__SEARCH,
1837 auditdata: &ad);
1838 if (rc)
1839 return rc;
1840
1841 rc = selinux_determine_inode_label(tsec, dir, name: &dentry->d_name, tclass,
1842 new_isid: &newsid);
1843 if (rc)
1844 return rc;
1845
1846 rc = avc_has_perm(ssid: sid, tsid: newsid, tclass, FILE__CREATE, auditdata: &ad);
1847 if (rc)
1848 return rc;
1849
1850 return avc_has_perm(ssid: newsid, tsid: sbsec->sid,
1851 SECCLASS_FILESYSTEM,
1852 FILESYSTEM__ASSOCIATE, auditdata: &ad);
1853}
1854
1855#define MAY_LINK 0
1856#define MAY_UNLINK 1
1857#define MAY_RMDIR 2
1858
1859/* Check whether a task can link, unlink, or rmdir a file/directory. */
1860static int may_link(struct inode *dir,
1861 struct dentry *dentry,
1862 int kind)
1863
1864{
1865 struct inode_security_struct *dsec, *isec;
1866 struct common_audit_data ad;
1867 u32 sid = current_sid();
1868 u32 av;
1869 int rc;
1870
1871 dsec = inode_security(inode: dir);
1872 isec = backing_inode_security(dentry);
1873
1874 ad.type = LSM_AUDIT_DATA_DENTRY;
1875 ad.u.dentry = dentry;
1876
1877 av = DIR__SEARCH;
1878 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1879 rc = avc_has_perm(ssid: sid, tsid: dsec->sid, SECCLASS_DIR, requested: av, auditdata: &ad);
1880 if (rc)
1881 return rc;
1882
1883 switch (kind) {
1884 case MAY_LINK:
1885 av = FILE__LINK;
1886 break;
1887 case MAY_UNLINK:
1888 av = FILE__UNLINK;
1889 break;
1890 case MAY_RMDIR:
1891 av = DIR__RMDIR;
1892 break;
1893 default:
1894 pr_warn("SELinux: %s: unrecognized kind %d\n",
1895 __func__, kind);
1896 return 0;
1897 }
1898
1899 rc = avc_has_perm(ssid: sid, tsid: isec->sid, tclass: isec->sclass, requested: av, auditdata: &ad);
1900 return rc;
1901}
1902
1903static inline int may_rename(struct inode *old_dir,
1904 struct dentry *old_dentry,
1905 struct inode *new_dir,
1906 struct dentry *new_dentry)
1907{
1908 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1909 struct common_audit_data ad;
1910 u32 sid = current_sid();
1911 u32 av;
1912 int old_is_dir, new_is_dir;
1913 int rc;
1914
1915 old_dsec = inode_security(inode: old_dir);
1916 old_isec = backing_inode_security(dentry: old_dentry);
1917 old_is_dir = d_is_dir(dentry: old_dentry);
1918 new_dsec = inode_security(inode: new_dir);
1919
1920 ad.type = LSM_AUDIT_DATA_DENTRY;
1921
1922 ad.u.dentry = old_dentry;
1923 rc = avc_has_perm(ssid: sid, tsid: old_dsec->sid, SECCLASS_DIR,
1924 DIR__REMOVE_NAME | DIR__SEARCH, auditdata: &ad);
1925 if (rc)
1926 return rc;
1927 rc = avc_has_perm(ssid: sid, tsid: old_isec->sid,
1928 tclass: old_isec->sclass, FILE__RENAME, auditdata: &ad);
1929 if (rc)
1930 return rc;
1931 if (old_is_dir && new_dir != old_dir) {
1932 rc = avc_has_perm(ssid: sid, tsid: old_isec->sid,
1933 tclass: old_isec->sclass, DIR__REPARENT, auditdata: &ad);
1934 if (rc)
1935 return rc;
1936 }
1937
1938 ad.u.dentry = new_dentry;
1939 av = DIR__ADD_NAME | DIR__SEARCH;
1940 if (d_is_positive(dentry: new_dentry))
1941 av |= DIR__REMOVE_NAME;
1942 rc = avc_has_perm(ssid: sid, tsid: new_dsec->sid, SECCLASS_DIR, requested: av, auditdata: &ad);
1943 if (rc)
1944 return rc;
1945 if (d_is_positive(dentry: new_dentry)) {
1946 new_isec = backing_inode_security(dentry: new_dentry);
1947 new_is_dir = d_is_dir(dentry: new_dentry);
1948 rc = avc_has_perm(ssid: sid, tsid: new_isec->sid,
1949 tclass: new_isec->sclass,
1950 requested: (new_is_dir ? DIR__RMDIR : FILE__UNLINK), auditdata: &ad);
1951 if (rc)
1952 return rc;
1953 }
1954
1955 return 0;
1956}
1957
1958/* Check whether a task can perform a filesystem operation. */
1959static int superblock_has_perm(const struct cred *cred,
1960 const struct super_block *sb,
1961 u32 perms,
1962 struct common_audit_data *ad)
1963{
1964 struct superblock_security_struct *sbsec;
1965 u32 sid = cred_sid(cred);
1966
1967 sbsec = selinux_superblock(superblock: sb);
1968 return avc_has_perm(ssid: sid, tsid: sbsec->sid, SECCLASS_FILESYSTEM, requested: perms, auditdata: ad);
1969}
1970
1971/* Convert a Linux mode and permission mask to an access vector. */
1972static inline u32 file_mask_to_av(int mode, int mask)
1973{
1974 u32 av = 0;
1975
1976 if (!S_ISDIR(mode)) {
1977 if (mask & MAY_EXEC)
1978 av |= FILE__EXECUTE;
1979 if (mask & MAY_READ)
1980 av |= FILE__READ;
1981
1982 if (mask & MAY_APPEND)
1983 av |= FILE__APPEND;
1984 else if (mask & MAY_WRITE)
1985 av |= FILE__WRITE;
1986
1987 } else {
1988 if (mask & MAY_EXEC)
1989 av |= DIR__SEARCH;
1990 if (mask & MAY_WRITE)
1991 av |= DIR__WRITE;
1992 if (mask & MAY_READ)
1993 av |= DIR__READ;
1994 }
1995
1996 return av;
1997}
1998
1999/* Convert a Linux file to an access vector. */
2000static inline u32 file_to_av(const struct file *file)
2001{
2002 u32 av = 0;
2003
2004 if (file->f_mode & FMODE_READ)
2005 av |= FILE__READ;
2006 if (file->f_mode & FMODE_WRITE) {
2007 if (file->f_flags & O_APPEND)
2008 av |= FILE__APPEND;
2009 else
2010 av |= FILE__WRITE;
2011 }
2012 if (!av) {
2013 /*
2014 * Special file opened with flags 3 for ioctl-only use.
2015 */
2016 av = FILE__IOCTL;
2017 }
2018
2019 return av;
2020}
2021
2022/*
2023 * Convert a file to an access vector and include the correct
2024 * open permission.
2025 */
2026static inline u32 open_file_to_av(struct file *file)
2027{
2028 u32 av = file_to_av(file);
2029 struct inode *inode = file_inode(f: file);
2030
2031 if (selinux_policycap_openperm() &&
2032 inode->i_sb->s_magic != SOCKFS_MAGIC)
2033 av |= FILE__OPEN;
2034
2035 return av;
2036}
2037
2038/* Hook functions begin here. */
2039
2040static int selinux_binder_set_context_mgr(const struct cred *mgr)
2041{
2042 return avc_has_perm(ssid: current_sid(), tsid: cred_sid(cred: mgr), SECCLASS_BINDER,
2043 BINDER__SET_CONTEXT_MGR, NULL);
2044}
2045
2046static int selinux_binder_transaction(const struct cred *from,
2047 const struct cred *to)
2048{
2049 u32 mysid = current_sid();
2050 u32 fromsid = cred_sid(cred: from);
2051 u32 tosid = cred_sid(cred: to);
2052 int rc;
2053
2054 if (mysid != fromsid) {
2055 rc = avc_has_perm(ssid: mysid, tsid: fromsid, SECCLASS_BINDER,
2056 BINDER__IMPERSONATE, NULL);
2057 if (rc)
2058 return rc;
2059 }
2060
2061 return avc_has_perm(ssid: fromsid, tsid: tosid,
2062 SECCLASS_BINDER, BINDER__CALL, NULL);
2063}
2064
2065static int selinux_binder_transfer_binder(const struct cred *from,
2066 const struct cred *to)
2067{
2068 return avc_has_perm(ssid: cred_sid(cred: from), tsid: cred_sid(cred: to),
2069 SECCLASS_BINDER, BINDER__TRANSFER,
2070 NULL);
2071}
2072
2073static int selinux_binder_transfer_file(const struct cred *from,
2074 const struct cred *to,
2075 const struct file *file)
2076{
2077 u32 sid = cred_sid(cred: to);
2078 struct file_security_struct *fsec = selinux_file(file);
2079 struct dentry *dentry = file->f_path.dentry;
2080 struct inode_security_struct *isec;
2081 struct common_audit_data ad;
2082 int rc;
2083
2084 ad.type = LSM_AUDIT_DATA_PATH;
2085 ad.u.path = file->f_path;
2086
2087 if (sid != fsec->sid) {
2088 rc = avc_has_perm(ssid: sid, tsid: fsec->sid,
2089 SECCLASS_FD,
2090 FD__USE,
2091 auditdata: &ad);
2092 if (rc)
2093 return rc;
2094 }
2095
2096#ifdef CONFIG_BPF_SYSCALL
2097 rc = bpf_fd_pass(file, sid);
2098 if (rc)
2099 return rc;
2100#endif
2101
2102 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2103 return 0;
2104
2105 isec = backing_inode_security(dentry);
2106 return avc_has_perm(ssid: sid, tsid: isec->sid, tclass: isec->sclass, requested: file_to_av(file),
2107 auditdata: &ad);
2108}
2109
2110static int selinux_ptrace_access_check(struct task_struct *child,
2111 unsigned int mode)
2112{
2113 u32 sid = current_sid();
2114 u32 csid = task_sid_obj(task: child);
2115
2116 if (mode & PTRACE_MODE_READ)
2117 return avc_has_perm(ssid: sid, tsid: csid, SECCLASS_FILE, FILE__READ,
2118 NULL);
2119
2120 return avc_has_perm(ssid: sid, tsid: csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2121 NULL);
2122}
2123
2124static int selinux_ptrace_traceme(struct task_struct *parent)
2125{
2126 return avc_has_perm(ssid: task_sid_obj(task: parent), tsid: task_sid_obj(current),
2127 SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2128}
2129
2130static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
2131 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2132{
2133 return avc_has_perm(ssid: current_sid(), tsid: task_sid_obj(task: target),
2134 SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
2135}
2136
2137static int selinux_capset(struct cred *new, const struct cred *old,
2138 const kernel_cap_t *effective,
2139 const kernel_cap_t *inheritable,
2140 const kernel_cap_t *permitted)
2141{
2142 return avc_has_perm(ssid: cred_sid(cred: old), tsid: cred_sid(cred: new), SECCLASS_PROCESS,
2143 PROCESS__SETCAP, NULL);
2144}
2145
2146/*
2147 * (This comment used to live with the selinux_task_setuid hook,
2148 * which was removed).
2149 *
2150 * Since setuid only affects the current process, and since the SELinux
2151 * controls are not based on the Linux identity attributes, SELinux does not
2152 * need to control this operation. However, SELinux does control the use of
2153 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2154 */
2155
2156static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2157 int cap, unsigned int opts)
2158{
2159 return cred_has_capability(cred, cap, opts, initns: ns == &init_user_ns);
2160}
2161
2162static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb)
2163{
2164 const struct cred *cred = current_cred();
2165 int rc = 0;
2166
2167 if (!sb)
2168 return 0;
2169
2170 switch (cmds) {
2171 case Q_SYNC:
2172 case Q_QUOTAON:
2173 case Q_QUOTAOFF:
2174 case Q_SETINFO:
2175 case Q_SETQUOTA:
2176 case Q_XQUOTAOFF:
2177 case Q_XQUOTAON:
2178 case Q_XSETQLIM:
2179 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2180 break;
2181 case Q_GETFMT:
2182 case Q_GETINFO:
2183 case Q_GETQUOTA:
2184 case Q_XGETQUOTA:
2185 case Q_XGETQSTAT:
2186 case Q_XGETQSTATV:
2187 case Q_XGETNEXTQUOTA:
2188 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2189 break;
2190 default:
2191 rc = 0; /* let the kernel handle invalid cmds */
2192 break;
2193 }
2194 return rc;
2195}
2196
2197static int selinux_quota_on(struct dentry *dentry)
2198{
2199 const struct cred *cred = current_cred();
2200
2201 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2202}
2203
2204static int selinux_syslog(int type)
2205{
2206 switch (type) {
2207 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2208 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2209 return avc_has_perm(ssid: current_sid(), SECINITSID_KERNEL,
2210 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2211 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2212 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2213 /* Set level of messages printed to console */
2214 case SYSLOG_ACTION_CONSOLE_LEVEL:
2215 return avc_has_perm(ssid: current_sid(), SECINITSID_KERNEL,
2216 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2217 NULL);
2218 }
2219 /* All other syslog types */
2220 return avc_has_perm(ssid: current_sid(), SECINITSID_KERNEL,
2221 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2222}
2223
2224/*
2225 * Check permission for allocating a new virtual mapping. Returns
2226 * 0 if permission is granted, negative error code if not.
2227 *
2228 * Do not audit the selinux permission check, as this is applied to all
2229 * processes that allocate mappings.
2230 */
2231static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2232{
2233 return cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2234 CAP_OPT_NOAUDIT, initns: true);
2235}
2236
2237/* binprm security operations */
2238
2239static u32 ptrace_parent_sid(void)
2240{
2241 u32 sid = 0;
2242 struct task_struct *tracer;
2243
2244 rcu_read_lock();
2245 tracer = ptrace_parent(current);
2246 if (tracer)
2247 sid = task_sid_obj(task: tracer);
2248 rcu_read_unlock();
2249
2250 return sid;
2251}
2252
2253static int check_nnp_nosuid(const struct linux_binprm *bprm,
2254 const struct task_security_struct *old_tsec,
2255 const struct task_security_struct *new_tsec)
2256{
2257 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2258 int nosuid = !mnt_may_suid(mnt: bprm->file->f_path.mnt);
2259 int rc;
2260 u32 av;
2261
2262 if (!nnp && !nosuid)
2263 return 0; /* neither NNP nor nosuid */
2264
2265 if (new_tsec->sid == old_tsec->sid)
2266 return 0; /* No change in credentials */
2267
2268 /*
2269 * If the policy enables the nnp_nosuid_transition policy capability,
2270 * then we permit transitions under NNP or nosuid if the
2271 * policy allows the corresponding permission between
2272 * the old and new contexts.
2273 */
2274 if (selinux_policycap_nnp_nosuid_transition()) {
2275 av = 0;
2276 if (nnp)
2277 av |= PROCESS2__NNP_TRANSITION;
2278 if (nosuid)
2279 av |= PROCESS2__NOSUID_TRANSITION;
2280 rc = avc_has_perm(ssid: old_tsec->sid, tsid: new_tsec->sid,
2281 SECCLASS_PROCESS2, requested: av, NULL);
2282 if (!rc)
2283 return 0;
2284 }
2285
2286 /*
2287 * We also permit NNP or nosuid transitions to bounded SIDs,
2288 * i.e. SIDs that are guaranteed to only be allowed a subset
2289 * of the permissions of the current SID.
2290 */
2291 rc = security_bounded_transition(old_sid: old_tsec->sid,
2292 new_sid: new_tsec->sid);
2293 if (!rc)
2294 return 0;
2295
2296 /*
2297 * On failure, preserve the errno values for NNP vs nosuid.
2298 * NNP: Operation not permitted for caller.
2299 * nosuid: Permission denied to file.
2300 */
2301 if (nnp)
2302 return -EPERM;
2303 return -EACCES;
2304}
2305
2306static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2307{
2308 const struct task_security_struct *old_tsec;
2309 struct task_security_struct *new_tsec;
2310 struct inode_security_struct *isec;
2311 struct common_audit_data ad;
2312 struct inode *inode = file_inode(f: bprm->file);
2313 int rc;
2314
2315 /* SELinux context only depends on initial program or script and not
2316 * the script interpreter */
2317
2318 old_tsec = selinux_cred(current_cred());
2319 new_tsec = selinux_cred(cred: bprm->cred);
2320 isec = inode_security(inode);
2321
2322 /* Default to the current task SID. */
2323 new_tsec->sid = old_tsec->sid;
2324 new_tsec->osid = old_tsec->sid;
2325
2326 /* Reset fs, key, and sock SIDs on execve. */
2327 new_tsec->create_sid = 0;
2328 new_tsec->keycreate_sid = 0;
2329 new_tsec->sockcreate_sid = 0;
2330
2331 /*
2332 * Before policy is loaded, label any task outside kernel space
2333 * as SECINITSID_INIT, so that any userspace tasks surviving from
2334 * early boot end up with a label different from SECINITSID_KERNEL
2335 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).
2336 */
2337 if (!selinux_initialized()) {
2338 new_tsec->sid = SECINITSID_INIT;
2339 /* also clear the exec_sid just in case */
2340 new_tsec->exec_sid = 0;
2341 return 0;
2342 }
2343
2344 if (old_tsec->exec_sid) {
2345 new_tsec->sid = old_tsec->exec_sid;
2346 /* Reset exec SID on execve. */
2347 new_tsec->exec_sid = 0;
2348
2349 /* Fail on NNP or nosuid if not an allowed transition. */
2350 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2351 if (rc)
2352 return rc;
2353 } else {
2354 /* Check for a default transition on this program. */
2355 rc = security_transition_sid(ssid: old_tsec->sid,
2356 tsid: isec->sid, SECCLASS_PROCESS, NULL,
2357 out_sid: &new_tsec->sid);
2358 if (rc)
2359 return rc;
2360
2361 /*
2362 * Fallback to old SID on NNP or nosuid if not an allowed
2363 * transition.
2364 */
2365 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2366 if (rc)
2367 new_tsec->sid = old_tsec->sid;
2368 }
2369
2370 ad.type = LSM_AUDIT_DATA_FILE;
2371 ad.u.file = bprm->file;
2372
2373 if (new_tsec->sid == old_tsec->sid) {
2374 rc = avc_has_perm(ssid: old_tsec->sid, tsid: isec->sid,
2375 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, auditdata: &ad);
2376 if (rc)
2377 return rc;
2378 } else {
2379 /* Check permissions for the transition. */
2380 rc = avc_has_perm(ssid: old_tsec->sid, tsid: new_tsec->sid,
2381 SECCLASS_PROCESS, PROCESS__TRANSITION, auditdata: &ad);
2382 if (rc)
2383 return rc;
2384
2385 rc = avc_has_perm(ssid: new_tsec->sid, tsid: isec->sid,
2386 SECCLASS_FILE, FILE__ENTRYPOINT, auditdata: &ad);
2387 if (rc)
2388 return rc;
2389
2390 /* Check for shared state */
2391 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2392 rc = avc_has_perm(ssid: old_tsec->sid, tsid: new_tsec->sid,
2393 SECCLASS_PROCESS, PROCESS__SHARE,
2394 NULL);
2395 if (rc)
2396 return -EPERM;
2397 }
2398
2399 /* Make sure that anyone attempting to ptrace over a task that
2400 * changes its SID has the appropriate permit */
2401 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2402 u32 ptsid = ptrace_parent_sid();
2403 if (ptsid != 0) {
2404 rc = avc_has_perm(ssid: ptsid, tsid: new_tsec->sid,
2405 SECCLASS_PROCESS,
2406 PROCESS__PTRACE, NULL);
2407 if (rc)
2408 return -EPERM;
2409 }
2410 }
2411
2412 /* Clear any possibly unsafe personality bits on exec: */
2413 bprm->per_clear |= PER_CLEAR_ON_SETID;
2414
2415 /* Enable secure mode for SIDs transitions unless
2416 the noatsecure permission is granted between
2417 the two SIDs, i.e. ahp returns 0. */
2418 rc = avc_has_perm(ssid: old_tsec->sid, tsid: new_tsec->sid,
2419 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2420 NULL);
2421 bprm->secureexec |= !!rc;
2422 }
2423
2424 return 0;
2425}
2426
2427static int match_file(const void *p, struct file *file, unsigned fd)
2428{
2429 return file_has_perm(cred: p, file, av: file_to_av(file)) ? fd + 1 : 0;
2430}
2431
2432/* Derived from fs/exec.c:flush_old_files. */
2433static inline void flush_unauthorized_files(const struct cred *cred,
2434 struct files_struct *files)
2435{
2436 struct file *file, *devnull = NULL;
2437 struct tty_struct *tty;
2438 int drop_tty = 0;
2439 unsigned n;
2440
2441 tty = get_current_tty();
2442 if (tty) {
2443 spin_lock(lock: &tty->files_lock);
2444 if (!list_empty(head: &tty->tty_files)) {
2445 struct tty_file_private *file_priv;
2446
2447 /* Revalidate access to controlling tty.
2448 Use file_path_has_perm on the tty path directly
2449 rather than using file_has_perm, as this particular
2450 open file may belong to another process and we are
2451 only interested in the inode-based check here. */
2452 file_priv = list_first_entry(&tty->tty_files,
2453 struct tty_file_private, list);
2454 file = file_priv->file;
2455 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2456 drop_tty = 1;
2457 }
2458 spin_unlock(lock: &tty->files_lock);
2459 tty_kref_put(tty);
2460 }
2461 /* Reset controlling tty. */
2462 if (drop_tty)
2463 no_tty();
2464
2465 /* Revalidate access to inherited open files. */
2466 n = iterate_fd(files, 0, match_file, cred);
2467 if (!n) /* none found? */
2468 return;
2469
2470 devnull = dentry_open(path: &selinux_null, O_RDWR, creds: cred);
2471 if (IS_ERR(ptr: devnull))
2472 devnull = NULL;
2473 /* replace all the matching ones with this */
2474 do {
2475 replace_fd(fd: n - 1, file: devnull, flags: 0);
2476 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2477 if (devnull)
2478 fput(devnull);
2479}
2480
2481/*
2482 * Prepare a process for imminent new credential changes due to exec
2483 */
2484static void selinux_bprm_committing_creds(const struct linux_binprm *bprm)
2485{
2486 struct task_security_struct *new_tsec;
2487 struct rlimit *rlim, *initrlim;
2488 int rc, i;
2489
2490 new_tsec = selinux_cred(cred: bprm->cred);
2491 if (new_tsec->sid == new_tsec->osid)
2492 return;
2493
2494 /* Close files for which the new task SID is not authorized. */
2495 flush_unauthorized_files(cred: bprm->cred, current->files);
2496
2497 /* Always clear parent death signal on SID transitions. */
2498 current->pdeath_signal = 0;
2499
2500 /* Check whether the new SID can inherit resource limits from the old
2501 * SID. If not, reset all soft limits to the lower of the current
2502 * task's hard limit and the init task's soft limit.
2503 *
2504 * Note that the setting of hard limits (even to lower them) can be
2505 * controlled by the setrlimit check. The inclusion of the init task's
2506 * soft limit into the computation is to avoid resetting soft limits
2507 * higher than the default soft limit for cases where the default is
2508 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2509 */
2510 rc = avc_has_perm(ssid: new_tsec->osid, tsid: new_tsec->sid, SECCLASS_PROCESS,
2511 PROCESS__RLIMITINH, NULL);
2512 if (rc) {
2513 /* protect against do_prlimit() */
2514 task_lock(current);
2515 for (i = 0; i < RLIM_NLIMITS; i++) {
2516 rlim = current->signal->rlim + i;
2517 initrlim = init_task.signal->rlim + i;
2518 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2519 }
2520 task_unlock(current);
2521 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2522 update_rlimit_cpu(current, rlim_new: rlimit(RLIMIT_CPU));
2523 }
2524}
2525
2526/*
2527 * Clean up the process immediately after the installation of new credentials
2528 * due to exec
2529 */
2530static void selinux_bprm_committed_creds(const struct linux_binprm *bprm)
2531{
2532 const struct task_security_struct *tsec = selinux_cred(current_cred());
2533 u32 osid, sid;
2534 int rc;
2535
2536 osid = tsec->osid;
2537 sid = tsec->sid;
2538
2539 if (sid == osid)
2540 return;
2541
2542 /* Check whether the new SID can inherit signal state from the old SID.
2543 * If not, clear itimers to avoid subsequent signal generation and
2544 * flush and unblock signals.
2545 *
2546 * This must occur _after_ the task SID has been updated so that any
2547 * kill done after the flush will be checked against the new SID.
2548 */
2549 rc = avc_has_perm(ssid: osid, tsid: sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2550 if (rc) {
2551 clear_itimer();
2552
2553 spin_lock_irq(lock: &unrcu_pointer(current->sighand)->siglock);
2554 if (!fatal_signal_pending(current)) {
2555 flush_sigqueue(queue: &current->pending);
2556 flush_sigqueue(queue: &current->signal->shared_pending);
2557 flush_signal_handlers(current, force_default: 1);
2558 sigemptyset(set: &current->blocked);
2559 recalc_sigpending();
2560 }
2561 spin_unlock_irq(lock: &unrcu_pointer(current->sighand)->siglock);
2562 }
2563
2564 /* Wake up the parent if it is waiting so that it can recheck
2565 * wait permission to the new task SID. */
2566 read_lock(&tasklist_lock);
2567 __wake_up_parent(current, unrcu_pointer(current->real_parent));
2568 read_unlock(&tasklist_lock);
2569}
2570
2571/* superblock security operations */
2572
2573static int selinux_sb_alloc_security(struct super_block *sb)
2574{
2575 struct superblock_security_struct *sbsec = selinux_superblock(superblock: sb);
2576
2577 mutex_init(&sbsec->lock);
2578 INIT_LIST_HEAD(list: &sbsec->isec_head);
2579 spin_lock_init(&sbsec->isec_lock);
2580 sbsec->sid = SECINITSID_UNLABELED;
2581 sbsec->def_sid = SECINITSID_FILE;
2582 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2583
2584 return 0;
2585}
2586
2587static inline int opt_len(const char *s)
2588{
2589 bool open_quote = false;
2590 int len;
2591 char c;
2592
2593 for (len = 0; (c = s[len]) != '\0'; len++) {
2594 if (c == '"')
2595 open_quote = !open_quote;
2596 if (c == ',' && !open_quote)
2597 break;
2598 }
2599 return len;
2600}
2601
2602static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2603{
2604 char *from = options;
2605 char *to = options;
2606 bool first = true;
2607 int rc;
2608
2609 while (1) {
2610 int len = opt_len(s: from);
2611 int token;
2612 char *arg = NULL;
2613
2614 token = match_opt_prefix(s: from, l: len, arg: &arg);
2615
2616 if (token != Opt_error) {
2617 char *p, *q;
2618
2619 /* strip quotes */
2620 if (arg) {
2621 for (p = q = arg; p < from + len; p++) {
2622 char c = *p;
2623 if (c != '"')
2624 *q++ = c;
2625 }
2626 arg = kmemdup_nul(s: arg, len: q - arg, GFP_KERNEL);
2627 if (!arg) {
2628 rc = -ENOMEM;
2629 goto free_opt;
2630 }
2631 }
2632 rc = selinux_add_opt(token, s: arg, mnt_opts);
2633 kfree(objp: arg);
2634 arg = NULL;
2635 if (unlikely(rc)) {
2636 goto free_opt;
2637 }
2638 } else {
2639 if (!first) { // copy with preceding comma
2640 from--;
2641 len++;
2642 }
2643 if (to != from)
2644 memmove(dest: to, src: from, count: len);
2645 to += len;
2646 first = false;
2647 }
2648 if (!from[len])
2649 break;
2650 from += len + 1;
2651 }
2652 *to = '\0';
2653 return 0;
2654
2655free_opt:
2656 if (*mnt_opts) {
2657 selinux_free_mnt_opts(mnt_opts: *mnt_opts);
2658 *mnt_opts = NULL;
2659 }
2660 return rc;
2661}
2662
2663static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2664{
2665 struct selinux_mnt_opts *opts = mnt_opts;
2666 struct superblock_security_struct *sbsec = selinux_superblock(superblock: sb);
2667
2668 /*
2669 * Superblock not initialized (i.e. no options) - reject if any
2670 * options specified, otherwise accept.
2671 */
2672 if (!(sbsec->flags & SE_SBINITIALIZED))
2673 return opts ? 1 : 0;
2674
2675 /*
2676 * Superblock initialized and no options specified - reject if
2677 * superblock has any options set, otherwise accept.
2678 */
2679 if (!opts)
2680 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2681
2682 if (opts->fscontext_sid) {
2683 if (bad_option(sbsec, FSCONTEXT_MNT, old_sid: sbsec->sid,
2684 new_sid: opts->fscontext_sid))
2685 return 1;
2686 }
2687 if (opts->context_sid) {
2688 if (bad_option(sbsec, CONTEXT_MNT, old_sid: sbsec->mntpoint_sid,
2689 new_sid: opts->context_sid))
2690 return 1;
2691 }
2692 if (opts->rootcontext_sid) {
2693 struct inode_security_struct *root_isec;
2694
2695 root_isec = backing_inode_security(dentry: sb->s_root);
2696 if (bad_option(sbsec, ROOTCONTEXT_MNT, old_sid: root_isec->sid,
2697 new_sid: opts->rootcontext_sid))
2698 return 1;
2699 }
2700 if (opts->defcontext_sid) {
2701 if (bad_option(sbsec, DEFCONTEXT_MNT, old_sid: sbsec->def_sid,
2702 new_sid: opts->defcontext_sid))
2703 return 1;
2704 }
2705 return 0;
2706}
2707
2708static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2709{
2710 struct selinux_mnt_opts *opts = mnt_opts;
2711 struct superblock_security_struct *sbsec = selinux_superblock(superblock: sb);
2712
2713 if (!(sbsec->flags & SE_SBINITIALIZED))
2714 return 0;
2715
2716 if (!opts)
2717 return 0;
2718
2719 if (opts->fscontext_sid) {
2720 if (bad_option(sbsec, FSCONTEXT_MNT, old_sid: sbsec->sid,
2721 new_sid: opts->fscontext_sid))
2722 goto out_bad_option;
2723 }
2724 if (opts->context_sid) {
2725 if (bad_option(sbsec, CONTEXT_MNT, old_sid: sbsec->mntpoint_sid,
2726 new_sid: opts->context_sid))
2727 goto out_bad_option;
2728 }
2729 if (opts->rootcontext_sid) {
2730 struct inode_security_struct *root_isec;
2731 root_isec = backing_inode_security(dentry: sb->s_root);
2732 if (bad_option(sbsec, ROOTCONTEXT_MNT, old_sid: root_isec->sid,
2733 new_sid: opts->rootcontext_sid))
2734 goto out_bad_option;
2735 }
2736 if (opts->defcontext_sid) {
2737 if (bad_option(sbsec, DEFCONTEXT_MNT, old_sid: sbsec->def_sid,
2738 new_sid: opts->defcontext_sid))
2739 goto out_bad_option;
2740 }
2741 return 0;
2742
2743out_bad_option:
2744 pr_warn("SELinux: unable to change security options "
2745 "during remount (dev %s, type=%s)\n", sb->s_id,
2746 sb->s_type->name);
2747 return -EINVAL;
2748}
2749
2750static int selinux_sb_kern_mount(const struct super_block *sb)
2751{
2752 const struct cred *cred = current_cred();
2753 struct common_audit_data ad;
2754
2755 ad.type = LSM_AUDIT_DATA_DENTRY;
2756 ad.u.dentry = sb->s_root;
2757 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, ad: &ad);
2758}
2759
2760static int selinux_sb_statfs(struct dentry *dentry)
2761{
2762 const struct cred *cred = current_cred();
2763 struct common_audit_data ad;
2764
2765 ad.type = LSM_AUDIT_DATA_DENTRY;
2766 ad.u.dentry = dentry->d_sb->s_root;
2767 return superblock_has_perm(cred, sb: dentry->d_sb, FILESYSTEM__GETATTR, ad: &ad);
2768}
2769
2770static int selinux_mount(const char *dev_name,
2771 const struct path *path,
2772 const char *type,
2773 unsigned long flags,
2774 void *data)
2775{
2776 const struct cred *cred = current_cred();
2777
2778 if (flags & MS_REMOUNT)
2779 return superblock_has_perm(cred, sb: path->dentry->d_sb,
2780 FILESYSTEM__REMOUNT, NULL);
2781 else
2782 return path_has_perm(cred, path, FILE__MOUNTON);
2783}
2784
2785static int selinux_move_mount(const struct path *from_path,
2786 const struct path *to_path)
2787{
2788 const struct cred *cred = current_cred();
2789
2790 return path_has_perm(cred, path: to_path, FILE__MOUNTON);
2791}
2792
2793static int selinux_umount(struct vfsmount *mnt, int flags)
2794{
2795 const struct cred *cred = current_cred();
2796
2797 return superblock_has_perm(cred, sb: mnt->mnt_sb,
2798 FILESYSTEM__UNMOUNT, NULL);
2799}
2800
2801static int selinux_fs_context_submount(struct fs_context *fc,
2802 struct super_block *reference)
2803{
2804 const struct superblock_security_struct *sbsec = selinux_superblock(superblock: reference);
2805 struct selinux_mnt_opts *opts;
2806
2807 /*
2808 * Ensure that fc->security remains NULL when no options are set
2809 * as expected by selinux_set_mnt_opts().
2810 */
2811 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2812 return 0;
2813
2814 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2815 if (!opts)
2816 return -ENOMEM;
2817
2818 if (sbsec->flags & FSCONTEXT_MNT)
2819 opts->fscontext_sid = sbsec->sid;
2820 if (sbsec->flags & CONTEXT_MNT)
2821 opts->context_sid = sbsec->mntpoint_sid;
2822 if (sbsec->flags & DEFCONTEXT_MNT)
2823 opts->defcontext_sid = sbsec->def_sid;
2824 fc->security = opts;
2825 return 0;
2826}
2827
2828static int selinux_fs_context_dup(struct fs_context *fc,
2829 struct fs_context *src_fc)
2830{
2831 const struct selinux_mnt_opts *src = src_fc->security;
2832
2833 if (!src)
2834 return 0;
2835
2836 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2837 return fc->security ? 0 : -ENOMEM;
2838}
2839
2840static const struct fs_parameter_spec selinux_fs_parameters[] = {
2841 fsparam_string(CONTEXT_STR, Opt_context),
2842 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2843 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2844 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2845 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2846 {}
2847};
2848
2849static int selinux_fs_context_parse_param(struct fs_context *fc,
2850 struct fs_parameter *param)
2851{
2852 struct fs_parse_result result;
2853 int opt;
2854
2855 opt = fs_parse(fc, desc: selinux_fs_parameters, param, result: &result);
2856 if (opt < 0)
2857 return opt;
2858
2859 return selinux_add_opt(token: opt, s: param->string, mnt_opts: &fc->security);
2860}
2861
2862/* inode security operations */
2863
2864static int selinux_inode_alloc_security(struct inode *inode)
2865{
2866 struct inode_security_struct *isec = selinux_inode(inode);
2867 u32 sid = current_sid();
2868
2869 spin_lock_init(&isec->lock);
2870 INIT_LIST_HEAD(list: &isec->list);
2871 isec->inode = inode;
2872 isec->sid = SECINITSID_UNLABELED;
2873 isec->sclass = SECCLASS_FILE;
2874 isec->task_sid = sid;
2875 isec->initialized = LABEL_INVALID;
2876
2877 return 0;
2878}
2879
2880static void selinux_inode_free_security(struct inode *inode)
2881{
2882 inode_free_security(inode);
2883}
2884
2885static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2886 const struct qstr *name,
2887 const char **xattr_name,
2888 struct lsm_context *cp)
2889{
2890 u32 newsid;
2891 int rc;
2892
2893 rc = selinux_determine_inode_label(tsec: selinux_cred(current_cred()),
2894 dir: d_inode(dentry: dentry->d_parent), name,
2895 tclass: inode_mode_to_security_class(mode),
2896 new_isid: &newsid);
2897 if (rc)
2898 return rc;
2899
2900 if (xattr_name)
2901 *xattr_name = XATTR_NAME_SELINUX;
2902
2903 cp->id = LSM_ID_SELINUX;
2904 return security_sid_to_context(sid: newsid, scontext: &cp->context, scontext_len: &cp->len);
2905}
2906
2907static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2908 const struct qstr *name,
2909 const struct cred *old,
2910 struct cred *new)
2911{
2912 u32 newsid;
2913 int rc;
2914 struct task_security_struct *tsec;
2915
2916 rc = selinux_determine_inode_label(tsec: selinux_cred(cred: old),
2917 dir: d_inode(dentry: dentry->d_parent), name,
2918 tclass: inode_mode_to_security_class(mode),
2919 new_isid: &newsid);
2920 if (rc)
2921 return rc;
2922
2923 tsec = selinux_cred(cred: new);
2924 tsec->create_sid = newsid;
2925 return 0;
2926}
2927
2928static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2929 const struct qstr *qstr,
2930 struct xattr *xattrs, int *xattr_count)
2931{
2932 const struct task_security_struct *tsec = selinux_cred(current_cred());
2933 struct superblock_security_struct *sbsec;
2934 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
2935 u32 newsid, clen;
2936 u16 newsclass;
2937 int rc;
2938 char *context;
2939
2940 sbsec = selinux_superblock(superblock: dir->i_sb);
2941
2942 newsid = tsec->create_sid;
2943 newsclass = inode_mode_to_security_class(mode: inode->i_mode);
2944 rc = selinux_determine_inode_label(tsec, dir, name: qstr, tclass: newsclass, new_isid: &newsid);
2945 if (rc)
2946 return rc;
2947
2948 /* Possibly defer initialization to selinux_complete_init. */
2949 if (sbsec->flags & SE_SBINITIALIZED) {
2950 struct inode_security_struct *isec = selinux_inode(inode);
2951 isec->sclass = newsclass;
2952 isec->sid = newsid;
2953 isec->initialized = LABEL_INITIALIZED;
2954 }
2955
2956 if (!selinux_initialized() ||
2957 !(sbsec->flags & SBLABEL_MNT))
2958 return -EOPNOTSUPP;
2959
2960 if (xattr) {
2961 rc = security_sid_to_context_force(sid: newsid,
2962 scontext: &context, scontext_len: &clen);
2963 if (rc)
2964 return rc;
2965 xattr->value = context;
2966 xattr->value_len = clen;
2967 xattr->name = XATTR_SELINUX_SUFFIX;
2968 }
2969
2970 return 0;
2971}
2972
2973static int selinux_inode_init_security_anon(struct inode *inode,
2974 const struct qstr *name,
2975 const struct inode *context_inode)
2976{
2977 u32 sid = current_sid();
2978 struct common_audit_data ad;
2979 struct inode_security_struct *isec;
2980 int rc;
2981
2982 if (unlikely(!selinux_initialized()))
2983 return 0;
2984
2985 isec = selinux_inode(inode);
2986
2987 /*
2988 * We only get here once per ephemeral inode. The inode has
2989 * been initialized via inode_alloc_security but is otherwise
2990 * untouched.
2991 */
2992
2993 if (context_inode) {
2994 struct inode_security_struct *context_isec =
2995 selinux_inode(inode: context_inode);
2996 if (context_isec->initialized != LABEL_INITIALIZED) {
2997 pr_err("SELinux: context_inode is not initialized\n");
2998 return -EACCES;
2999 }
3000
3001 isec->sclass = context_isec->sclass;
3002 isec->sid = context_isec->sid;
3003 } else {
3004 isec->sclass = SECCLASS_ANON_INODE;
3005 rc = security_transition_sid(
3006 ssid: sid, tsid: sid,
3007 tclass: isec->sclass, qstr: name, out_sid: &isec->sid);
3008 if (rc)
3009 return rc;
3010 }
3011
3012 isec->initialized = LABEL_INITIALIZED;
3013 /*
3014 * Now that we've initialized security, check whether we're
3015 * allowed to actually create this type of anonymous inode.
3016 */
3017
3018 ad.type = LSM_AUDIT_DATA_ANONINODE;
3019 ad.u.anonclass = name ? (const char *)name->name : "?";
3020
3021 return avc_has_perm(ssid: sid,
3022 tsid: isec->sid,
3023 tclass: isec->sclass,
3024 FILE__CREATE,
3025 auditdata: &ad);
3026}
3027
3028static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3029{
3030 return may_create(dir, dentry, SECCLASS_FILE);
3031}
3032
3033static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3034{
3035 return may_link(dir, dentry: old_dentry, MAY_LINK);
3036}
3037
3038static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3039{
3040 return may_link(dir, dentry, MAY_UNLINK);
3041}
3042
3043static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3044{
3045 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3046}
3047
3048static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3049{
3050 return may_create(dir, dentry, SECCLASS_DIR);
3051}
3052
3053static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3054{
3055 return may_link(dir, dentry, MAY_RMDIR);
3056}
3057
3058static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3059{
3060 return may_create(dir, dentry, tclass: inode_mode_to_security_class(mode));
3061}
3062
3063static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3064 struct inode *new_inode, struct dentry *new_dentry)
3065{
3066 return may_rename(old_dir: old_inode, old_dentry, new_dir: new_inode, new_dentry);
3067}
3068
3069static int selinux_inode_readlink(struct dentry *dentry)
3070{
3071 const struct cred *cred = current_cred();
3072
3073 return dentry_has_perm(cred, dentry, FILE__READ);
3074}
3075
3076static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3077 bool rcu)
3078{
3079 struct common_audit_data ad;
3080 struct inode_security_struct *isec;
3081 u32 sid = current_sid();
3082
3083 ad.type = LSM_AUDIT_DATA_DENTRY;
3084 ad.u.dentry = dentry;
3085 isec = inode_security_rcu(inode, rcu);
3086 if (IS_ERR(ptr: isec))
3087 return PTR_ERR(ptr: isec);
3088
3089 return avc_has_perm(ssid: sid, tsid: isec->sid, tclass: isec->sclass, FILE__READ, auditdata: &ad);
3090}
3091
3092static noinline int audit_inode_permission(struct inode *inode,
3093 u32 perms, u32 audited, u32 denied,
3094 int result)
3095{
3096 struct common_audit_data ad;
3097 struct inode_security_struct *isec = selinux_inode(inode);
3098
3099 ad.type = LSM_AUDIT_DATA_INODE;
3100 ad.u.inode = inode;
3101
3102 return slow_avc_audit(ssid: current_sid(), tsid: isec->sid, tclass: isec->sclass, requested: perms,
3103 audited, denied, result, a: &ad);
3104}
3105
3106/**
3107 * task_avdcache_reset - Reset the task's AVD cache
3108 * @tsec: the task's security state
3109 *
3110 * Clear the task's AVD cache in @tsec and reset it to the current policy's
3111 * and task's info.
3112 */
3113static inline void task_avdcache_reset(struct task_security_struct *tsec)
3114{
3115 memset(s: &tsec->avdcache.dir, c: 0, n: sizeof(tsec->avdcache.dir));
3116 tsec->avdcache.sid = tsec->sid;
3117 tsec->avdcache.seqno = avc_policy_seqno();
3118 tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1;
3119}
3120
3121/**
3122 * task_avdcache_search - Search the task's AVD cache
3123 * @tsec: the task's security state
3124 * @isec: the inode to search for in the cache
3125 * @avdc: matching avd cache entry returned to the caller
3126 *
3127 * Search @tsec for a AVD cache entry that matches @isec and return it to the
3128 * caller via @avdc. Returns 0 if a match is found, negative values otherwise.
3129 */
3130static inline int task_avdcache_search(struct task_security_struct *tsec,
3131 struct inode_security_struct *isec,
3132 struct avdc_entry **avdc)
3133{
3134 int orig, iter;
3135
3136 /* focused on path walk optimization, only cache directories */
3137 if (isec->sclass != SECCLASS_DIR)
3138 return -ENOENT;
3139
3140 if (unlikely(tsec->sid != tsec->avdcache.sid ||
3141 tsec->avdcache.seqno != avc_policy_seqno())) {
3142 task_avdcache_reset(tsec);
3143 return -ENOENT;
3144 }
3145
3146 orig = iter = tsec->avdcache.dir_spot;
3147 do {
3148 if (tsec->avdcache.dir[iter].isid == isec->sid) {
3149 /* cache hit */
3150 tsec->avdcache.dir_spot = iter;
3151 *avdc = &tsec->avdcache.dir[iter];
3152 return 0;
3153 }
3154 iter = (iter - 1) & (TSEC_AVDC_DIR_SIZE - 1);
3155 } while (iter != orig);
3156
3157 return -ENOENT;
3158}
3159
3160/**
3161 * task_avdcache_update - Update the task's AVD cache
3162 * @tsec: the task's security state
3163 * @isec: the inode associated with the cache entry
3164 * @avd: the AVD to cache
3165 * @audited: the permission audit bitmask to cache
3166 *
3167 * Update the AVD cache in @tsec with the @avdc and @audited info associated
3168 * with @isec.
3169 */
3170static inline void task_avdcache_update(struct task_security_struct *tsec,
3171 struct inode_security_struct *isec,
3172 struct av_decision *avd,
3173 u32 audited)
3174{
3175 int spot;
3176
3177 /* focused on path walk optimization, only cache directories */
3178 if (isec->sclass != SECCLASS_DIR)
3179 return;
3180
3181 /* update cache */
3182 spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1);
3183 tsec->avdcache.dir_spot = spot;
3184 tsec->avdcache.dir[spot].isid = isec->sid;
3185 tsec->avdcache.dir[spot].audited = audited;
3186 tsec->avdcache.dir[spot].allowed = avd->allowed;
3187 tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE;
3188 tsec->avdcache.permissive_neveraudit =
3189 (avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT));
3190}
3191
3192/**
3193 * selinux_inode_permission - Check if the current task can access an inode
3194 * @inode: the inode that is being accessed
3195 * @requested: the accesses being requested
3196 *
3197 * Check if the current task is allowed to access @inode according to
3198 * @requested. Returns 0 if allowed, negative values otherwise.
3199 */
3200static int selinux_inode_permission(struct inode *inode, int requested)
3201{
3202 int mask;
3203 u32 perms;
3204 struct task_security_struct *tsec;
3205 struct inode_security_struct *isec;
3206 struct avdc_entry *avdc;
3207 int rc, rc2;
3208 u32 audited, denied;
3209
3210 mask = requested & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3211
3212 /* No permission to check. Existence test. */
3213 if (!mask)
3214 return 0;
3215
3216 tsec = selinux_cred(current_cred());
3217 if (task_avdcache_permnoaudit(tsec))
3218 return 0;
3219
3220 isec = inode_security_rcu(inode, rcu: requested & MAY_NOT_BLOCK);
3221 if (IS_ERR(ptr: isec))
3222 return PTR_ERR(ptr: isec);
3223 perms = file_mask_to_av(mode: inode->i_mode, mask);
3224
3225 rc = task_avdcache_search(tsec, isec, avdc: &avdc);
3226 if (likely(!rc)) {
3227 /* Cache hit. */
3228 audited = perms & avdc->audited;
3229 denied = perms & ~avdc->allowed;
3230 if (unlikely(denied && enforcing_enabled() &&
3231 !avdc->permissive))
3232 rc = -EACCES;
3233 } else {
3234 struct av_decision avd;
3235
3236 /* Cache miss. */
3237 rc = avc_has_perm_noaudit(ssid: tsec->sid, tsid: isec->sid, tclass: isec->sclass,
3238 requested: perms, flags: 0, avd: &avd);
3239 audited = avc_audit_required(requested: perms, avd: &avd, result: rc,
3240 auditdeny: (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0,
3241 deniedp: &denied);
3242 task_avdcache_update(tsec, isec, avd: &avd, audited);
3243 }
3244
3245 if (likely(!audited))
3246 return rc;
3247
3248 rc2 = audit_inode_permission(inode, perms, audited, denied, result: rc);
3249 if (rc2)
3250 return rc2;
3251
3252 return rc;
3253}
3254
3255static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
3256 struct iattr *iattr)
3257{
3258 const struct cred *cred = current_cred();
3259 struct inode *inode = d_backing_inode(upper: dentry);
3260 unsigned int ia_valid = iattr->ia_valid;
3261 u32 av = FILE__WRITE;
3262
3263 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3264 if (ia_valid & ATTR_FORCE) {
3265 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3266 ATTR_FORCE);
3267 if (!ia_valid)
3268 return 0;
3269 }
3270
3271 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3272 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3273 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3274
3275 if (selinux_policycap_openperm() &&
3276 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3277 (ia_valid & ATTR_SIZE) &&
3278 !(ia_valid & ATTR_FILE))
3279 av |= FILE__OPEN;
3280
3281 return dentry_has_perm(cred, dentry, av);
3282}
3283
3284static int selinux_inode_getattr(const struct path *path)
3285{
3286 struct task_security_struct *tsec;
3287
3288 tsec = selinux_cred(current_cred());
3289
3290 if (task_avdcache_permnoaudit(tsec))
3291 return 0;
3292
3293 return path_has_perm(current_cred(), path, FILE__GETATTR);
3294}
3295
3296static bool has_cap_mac_admin(bool audit)
3297{
3298 const struct cred *cred = current_cred();
3299 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3300
3301 if (cap_capable(cred, ns: &init_user_ns, CAP_MAC_ADMIN, opts))
3302 return false;
3303 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, initns: true))
3304 return false;
3305 return true;
3306}
3307
3308/**
3309 * selinux_inode_xattr_skipcap - Skip the xattr capability checks?
3310 * @name: name of the xattr
3311 *
3312 * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs
3313 * named @name; the LSM layer should avoid enforcing any traditional
3314 * capability based access controls on this xattr. Returns 0 to indicate that
3315 * SELinux does not "own" the access control rights to xattrs named @name and is
3316 * deferring to the LSM layer for further access controls, including capability
3317 * based controls.
3318 */
3319static int selinux_inode_xattr_skipcap(const char *name)
3320{
3321 /* require capability check if not a selinux xattr */
3322 return !strcmp(name, XATTR_NAME_SELINUX);
3323}
3324
3325static int selinux_inode_setxattr(struct mnt_idmap *idmap,
3326 struct dentry *dentry, const char *name,
3327 const void *value, size_t size, int flags)
3328{
3329 struct inode *inode = d_backing_inode(upper: dentry);
3330 struct inode_security_struct *isec;
3331 struct superblock_security_struct *sbsec;
3332 struct common_audit_data ad;
3333 u32 newsid, sid = current_sid();
3334 int rc = 0;
3335
3336 /* if not a selinux xattr, only check the ordinary setattr perm */
3337 if (strcmp(name, XATTR_NAME_SELINUX))
3338 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3339
3340 if (!selinux_initialized())
3341 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3342
3343 sbsec = selinux_superblock(superblock: inode->i_sb);
3344 if (!(sbsec->flags & SBLABEL_MNT))
3345 return -EOPNOTSUPP;
3346
3347 if (!inode_owner_or_capable(idmap, inode))
3348 return -EPERM;
3349
3350 ad.type = LSM_AUDIT_DATA_DENTRY;
3351 ad.u.dentry = dentry;
3352
3353 isec = backing_inode_security(dentry);
3354 rc = avc_has_perm(ssid: sid, tsid: isec->sid, tclass: isec->sclass,
3355 FILE__RELABELFROM, auditdata: &ad);
3356 if (rc)
3357 return rc;
3358
3359 rc = security_context_to_sid(scontext: value, scontext_len: size, out_sid: &newsid,
3360 GFP_KERNEL);
3361 if (rc == -EINVAL) {
3362 if (!has_cap_mac_admin(audit: true)) {
3363 struct audit_buffer *ab;
3364 size_t audit_size;
3365
3366 /* We strip a nul only if it is at the end, otherwise the
3367 * context contains a nul and we should audit that */
3368 if (value) {
3369 const char *str = value;
3370
3371 if (str[size - 1] == '\0')
3372 audit_size = size - 1;
3373 else
3374 audit_size = size;
3375 } else {
3376 audit_size = 0;
3377 }
3378 ab = audit_log_start(ctx: audit_context(),
3379 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3380 if (!ab)
3381 return rc;
3382 audit_log_format(ab, fmt: "op=setxattr invalid_context=");
3383 audit_log_n_untrustedstring(ab, string: value, n: audit_size);
3384 audit_log_end(ab);
3385
3386 return rc;
3387 }
3388 rc = security_context_to_sid_force(scontext: value,
3389 scontext_len: size, sid: &newsid);
3390 }
3391 if (rc)
3392 return rc;
3393
3394 rc = avc_has_perm(ssid: sid, tsid: newsid, tclass: isec->sclass,
3395 FILE__RELABELTO, auditdata: &ad);
3396 if (rc)
3397 return rc;
3398
3399 rc = security_validate_transition(oldsid: isec->sid, newsid,
3400 tasksid: sid, tclass: isec->sclass);
3401 if (rc)
3402 return rc;
3403
3404 return avc_has_perm(ssid: newsid,
3405 tsid: sbsec->sid,
3406 SECCLASS_FILESYSTEM,
3407 FILESYSTEM__ASSOCIATE,
3408 auditdata: &ad);
3409}
3410
3411static int selinux_inode_set_acl(struct mnt_idmap *idmap,
3412 struct dentry *dentry, const char *acl_name,
3413 struct posix_acl *kacl)
3414{
3415 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3416}
3417
3418static int selinux_inode_get_acl(struct mnt_idmap *idmap,
3419 struct dentry *dentry, const char *acl_name)
3420{
3421 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3422}
3423
3424static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
3425 struct dentry *dentry, const char *acl_name)
3426{
3427 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3428}
3429
3430static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3431 const void *value, size_t size,
3432 int flags)
3433{
3434 struct inode *inode = d_backing_inode(upper: dentry);
3435 struct inode_security_struct *isec;
3436 u32 newsid;
3437 int rc;
3438
3439 if (strcmp(name, XATTR_NAME_SELINUX)) {
3440 /* Not an attribute we recognize, so nothing to do. */
3441 return;
3442 }
3443
3444 if (!selinux_initialized()) {
3445 /* If we haven't even been initialized, then we can't validate
3446 * against a policy, so leave the label as invalid. It may
3447 * resolve to a valid label on the next revalidation try if
3448 * we've since initialized.
3449 */
3450 return;
3451 }
3452
3453 rc = security_context_to_sid_force(scontext: value, scontext_len: size,
3454 sid: &newsid);
3455 if (rc) {
3456 pr_err("SELinux: unable to map context to SID"
3457 "for (%s, %lu), rc=%d\n",
3458 inode->i_sb->s_id, inode->i_ino, -rc);
3459 return;
3460 }
3461
3462 isec = backing_inode_security(dentry);
3463 spin_lock(lock: &isec->lock);
3464 isec->sclass = inode_mode_to_security_class(mode: inode->i_mode);
3465 isec->sid = newsid;
3466 isec->initialized = LABEL_INITIALIZED;
3467 spin_unlock(lock: &isec->lock);
3468}
3469
3470static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3471{
3472 const struct cred *cred = current_cred();
3473
3474 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3475}
3476
3477static int selinux_inode_listxattr(struct dentry *dentry)
3478{
3479 const struct cred *cred = current_cred();
3480
3481 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3482}
3483
3484static int selinux_inode_removexattr(struct mnt_idmap *idmap,
3485 struct dentry *dentry, const char *name)
3486{
3487 /* if not a selinux xattr, only check the ordinary setattr perm */
3488 if (strcmp(name, XATTR_NAME_SELINUX))
3489 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3490
3491 if (!selinux_initialized())
3492 return 0;
3493
3494 /* No one is allowed to remove a SELinux security label.
3495 You can change the label, but all data must be labeled. */
3496 return -EACCES;
3497}
3498
3499static int selinux_inode_file_setattr(struct dentry *dentry,
3500 struct file_kattr *fa)
3501{
3502 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3503}
3504
3505static int selinux_inode_file_getattr(struct dentry *dentry,
3506 struct file_kattr *fa)
3507{
3508 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3509}
3510
3511static int selinux_path_notify(const struct path *path, u64 mask,
3512 unsigned int obj_type)
3513{
3514 int ret;
3515 u32 perm;
3516
3517 struct common_audit_data ad;
3518
3519 ad.type = LSM_AUDIT_DATA_PATH;
3520 ad.u.path = *path;
3521
3522 /*
3523 * Set permission needed based on the type of mark being set.
3524 * Performs an additional check for sb watches.
3525 */
3526 switch (obj_type) {
3527 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3528 perm = FILE__WATCH_MOUNT;
3529 break;
3530 case FSNOTIFY_OBJ_TYPE_SB:
3531 perm = FILE__WATCH_SB;
3532 ret = superblock_has_perm(current_cred(), sb: path->dentry->d_sb,
3533 FILESYSTEM__WATCH, ad: &ad);
3534 if (ret)
3535 return ret;
3536 break;
3537 case FSNOTIFY_OBJ_TYPE_INODE:
3538 perm = FILE__WATCH;
3539 break;
3540 case FSNOTIFY_OBJ_TYPE_MNTNS:
3541 perm = FILE__WATCH_MOUNTNS;
3542 break;
3543 default:
3544 return -EINVAL;
3545 }
3546
3547 /* blocking watches require the file:watch_with_perm permission */
3548 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3549 perm |= FILE__WATCH_WITH_PERM;
3550
3551 /* watches on read-like events need the file:watch_reads permission */
3552 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_PRE_ACCESS |
3553 FS_CLOSE_NOWRITE))
3554 perm |= FILE__WATCH_READS;
3555
3556 return path_has_perm(current_cred(), path, av: perm);
3557}
3558
3559/*
3560 * Copy the inode security context value to the user.
3561 *
3562 * Permission check is handled by selinux_inode_getxattr hook.
3563 */
3564static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
3565 struct inode *inode, const char *name,
3566 void **buffer, bool alloc)
3567{
3568 u32 size;
3569 int error;
3570 char *context = NULL;
3571 struct inode_security_struct *isec;
3572
3573 /*
3574 * If we're not initialized yet, then we can't validate contexts, so
3575 * just let vfs_getxattr fall back to using the on-disk xattr.
3576 */
3577 if (!selinux_initialized() ||
3578 strcmp(name, XATTR_SELINUX_SUFFIX))
3579 return -EOPNOTSUPP;
3580
3581 /*
3582 * If the caller has CAP_MAC_ADMIN, then get the raw context
3583 * value even if it is not defined by current policy; otherwise,
3584 * use the in-core value under current policy.
3585 * Use the non-auditing forms of the permission checks since
3586 * getxattr may be called by unprivileged processes commonly
3587 * and lack of permission just means that we fall back to the
3588 * in-core context value, not a denial.
3589 */
3590 isec = inode_security(inode);
3591 if (has_cap_mac_admin(audit: false))
3592 error = security_sid_to_context_force(sid: isec->sid, scontext: &context,
3593 scontext_len: &size);
3594 else
3595 error = security_sid_to_context(sid: isec->sid,
3596 scontext: &context, scontext_len: &size);
3597 if (error)
3598 return error;
3599 error = size;
3600 if (alloc) {
3601 *buffer = context;
3602 goto out_nofree;
3603 }
3604 kfree(objp: context);
3605out_nofree:
3606 return error;
3607}
3608
3609static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3610 const void *value, size_t size, int flags)
3611{
3612 struct inode_security_struct *isec = inode_security_novalidate(inode);
3613 struct superblock_security_struct *sbsec;
3614 u32 newsid;
3615 int rc;
3616
3617 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3618 return -EOPNOTSUPP;
3619
3620 sbsec = selinux_superblock(superblock: inode->i_sb);
3621 if (!(sbsec->flags & SBLABEL_MNT))
3622 return -EOPNOTSUPP;
3623
3624 if (!value || !size)
3625 return -EACCES;
3626
3627 rc = security_context_to_sid(scontext: value, scontext_len: size, out_sid: &newsid,
3628 GFP_KERNEL);
3629 if (rc)
3630 return rc;
3631
3632 spin_lock(lock: &isec->lock);
3633 isec->sclass = inode_mode_to_security_class(mode: inode->i_mode);
3634 isec->sid = newsid;
3635 isec->initialized = LABEL_INITIALIZED;
3636 spin_unlock(lock: &isec->lock);
3637 return 0;
3638}
3639
3640static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3641{
3642 const int len = sizeof(XATTR_NAME_SELINUX);
3643
3644 if (!selinux_initialized())
3645 return 0;
3646
3647 if (buffer && len <= buffer_size)
3648 memcpy(to: buffer, XATTR_NAME_SELINUX, len);
3649 return len;
3650}
3651
3652static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop)
3653{
3654 struct inode_security_struct *isec = inode_security_novalidate(inode);
3655
3656 prop->selinux.secid = isec->sid;
3657}
3658
3659static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3660{
3661 struct lsm_prop prop;
3662 struct task_security_struct *tsec;
3663 struct cred *new_creds = *new;
3664
3665 if (new_creds == NULL) {
3666 new_creds = prepare_creds();
3667 if (!new_creds)
3668 return -ENOMEM;
3669 }
3670
3671 tsec = selinux_cred(cred: new_creds);
3672 /* Get label from overlay inode and set it in create_sid */
3673 selinux_inode_getlsmprop(inode: d_inode(dentry: src), prop: &prop);
3674 tsec->create_sid = prop.selinux.secid;
3675 *new = new_creds;
3676 return 0;
3677}
3678
3679static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name)
3680{
3681 /* The copy_up hook above sets the initial context on an inode, but we
3682 * don't then want to overwrite it by blindly copying all the lower
3683 * xattrs up. Instead, filter out SELinux-related xattrs following
3684 * policy load.
3685 */
3686 if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX))
3687 return -ECANCELED; /* Discard */
3688 /*
3689 * Any other attribute apart from SELINUX is not claimed, supported
3690 * by selinux.
3691 */
3692 return -EOPNOTSUPP;
3693}
3694
3695/* kernfs node operations */
3696
3697static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3698 struct kernfs_node *kn)
3699{
3700 const struct task_security_struct *tsec = selinux_cred(current_cred());
3701 u32 parent_sid, newsid, clen;
3702 int rc;
3703 char *context;
3704
3705 rc = kernfs_xattr_get(kn: kn_dir, XATTR_NAME_SELINUX, NULL, size: 0);
3706 if (rc == -ENODATA)
3707 return 0;
3708 else if (rc < 0)
3709 return rc;
3710
3711 clen = (u32)rc;
3712 context = kmalloc(clen, GFP_KERNEL);
3713 if (!context)
3714 return -ENOMEM;
3715
3716 rc = kernfs_xattr_get(kn: kn_dir, XATTR_NAME_SELINUX, value: context, size: clen);
3717 if (rc < 0) {
3718 kfree(objp: context);
3719 return rc;
3720 }
3721
3722 rc = security_context_to_sid(scontext: context, scontext_len: clen, out_sid: &parent_sid,
3723 GFP_KERNEL);
3724 kfree(objp: context);
3725 if (rc)
3726 return rc;
3727
3728 if (tsec->create_sid) {
3729 newsid = tsec->create_sid;
3730 } else {
3731 u16 secclass = inode_mode_to_security_class(mode: kn->mode);
3732 const char *kn_name;
3733 struct qstr q;
3734
3735 /* kn is fresh, can't be renamed, name goes not away */
3736 kn_name = rcu_dereference_check(kn->name, true);
3737 q.name = kn_name;
3738 q.hash_len = hashlen_string(salt: kn_dir, name: kn_name);
3739
3740 rc = security_transition_sid(ssid: tsec->sid,
3741 tsid: parent_sid, tclass: secclass, qstr: &q,
3742 out_sid: &newsid);
3743 if (rc)
3744 return rc;
3745 }
3746
3747 rc = security_sid_to_context_force(sid: newsid,
3748 scontext: &context, scontext_len: &clen);
3749 if (rc)
3750 return rc;
3751
3752 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, value: context, size: clen,
3753 XATTR_CREATE);
3754 kfree(objp: context);
3755 return rc;
3756}
3757
3758
3759/* file security operations */
3760
3761static int selinux_revalidate_file_permission(struct file *file, int mask)
3762{
3763 const struct cred *cred = current_cred();
3764 struct inode *inode = file_inode(f: file);
3765
3766 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3767 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3768 mask |= MAY_APPEND;
3769
3770 return file_has_perm(cred, file,
3771 av: file_mask_to_av(mode: inode->i_mode, mask));
3772}
3773
3774static int selinux_file_permission(struct file *file, int mask)
3775{
3776 struct inode *inode = file_inode(f: file);
3777 struct file_security_struct *fsec = selinux_file(file);
3778 struct inode_security_struct *isec;
3779 u32 sid = current_sid();
3780
3781 if (!mask)
3782 /* No permission to check. Existence test. */
3783 return 0;
3784
3785 isec = inode_security(inode);
3786 if (sid == fsec->sid && fsec->isid == isec->sid &&
3787 fsec->pseqno == avc_policy_seqno())
3788 /* No change since file_open check. */
3789 return 0;
3790
3791 return selinux_revalidate_file_permission(file, mask);
3792}
3793
3794static int selinux_file_alloc_security(struct file *file)
3795{
3796 struct file_security_struct *fsec = selinux_file(file);
3797 u32 sid = current_sid();
3798
3799 fsec->sid = sid;
3800 fsec->fown_sid = sid;
3801
3802 return 0;
3803}
3804
3805/*
3806 * Check whether a task has the ioctl permission and cmd
3807 * operation to an inode.
3808 */
3809static int ioctl_has_perm(const struct cred *cred, struct file *file,
3810 u32 requested, u16 cmd)
3811{
3812 struct common_audit_data ad;
3813 struct file_security_struct *fsec = selinux_file(file);
3814 struct inode *inode = file_inode(f: file);
3815 struct inode_security_struct *isec;
3816 struct lsm_ioctlop_audit ioctl;
3817 u32 ssid = cred_sid(cred);
3818 int rc;
3819 u8 driver = cmd >> 8;
3820 u8 xperm = cmd & 0xff;
3821
3822 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3823 ad.u.op = &ioctl;
3824 ad.u.op->cmd = cmd;
3825 ad.u.op->path = file->f_path;
3826
3827 if (ssid != fsec->sid) {
3828 rc = avc_has_perm(ssid, tsid: fsec->sid,
3829 SECCLASS_FD,
3830 FD__USE,
3831 auditdata: &ad);
3832 if (rc)
3833 goto out;
3834 }
3835
3836 if (unlikely(IS_PRIVATE(inode)))
3837 return 0;
3838
3839 isec = inode_security(inode);
3840 rc = avc_has_extended_perms(ssid, tsid: isec->sid, tclass: isec->sclass, requested,
3841 driver, AVC_EXT_IOCTL, perm: xperm, ad: &ad);
3842out:
3843 return rc;
3844}
3845
3846static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3847 unsigned long arg)
3848{
3849 const struct cred *cred = current_cred();
3850 int error = 0;
3851
3852 switch (cmd) {
3853 case FIONREAD:
3854 case FIBMAP:
3855 case FIGETBSZ:
3856 case FS_IOC_GETFLAGS:
3857 case FS_IOC_GETVERSION:
3858 error = file_has_perm(cred, file, FILE__GETATTR);
3859 break;
3860
3861 case FS_IOC_SETFLAGS:
3862 case FS_IOC_SETVERSION:
3863 error = file_has_perm(cred, file, FILE__SETATTR);
3864 break;
3865
3866 /* sys_ioctl() checks */
3867 case FIONBIO:
3868 case FIOASYNC:
3869 error = file_has_perm(cred, file, av: 0);
3870 break;
3871
3872 case KDSKBENT:
3873 case KDSKBSENT:
3874 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3875 CAP_OPT_NONE, initns: true);
3876 break;
3877
3878 case FIOCLEX:
3879 case FIONCLEX:
3880 if (!selinux_policycap_ioctl_skip_cloexec())
3881 error = ioctl_has_perm(cred, file, FILE__IOCTL, cmd: (u16) cmd);
3882 break;
3883
3884 /* default case assumes that the command will go
3885 * to the file's ioctl() function.
3886 */
3887 default:
3888 error = ioctl_has_perm(cred, file, FILE__IOCTL, cmd: (u16) cmd);
3889 }
3890 return error;
3891}
3892
3893static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3894 unsigned long arg)
3895{
3896 /*
3897 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3898 * make sure we don't compare 32-bit flags to 64-bit flags.
3899 */
3900 switch (cmd) {
3901 case FS_IOC32_GETFLAGS:
3902 cmd = FS_IOC_GETFLAGS;
3903 break;
3904 case FS_IOC32_SETFLAGS:
3905 cmd = FS_IOC_SETFLAGS;
3906 break;
3907 case FS_IOC32_GETVERSION:
3908 cmd = FS_IOC_GETVERSION;
3909 break;
3910 case FS_IOC32_SETVERSION:
3911 cmd = FS_IOC_SETVERSION;
3912 break;
3913 default:
3914 break;
3915 }
3916
3917 return selinux_file_ioctl(file, cmd, arg);
3918}
3919
3920static int default_noexec __ro_after_init;
3921
3922static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3923{
3924 const struct cred *cred = current_cred();
3925 u32 sid = cred_sid(cred);
3926 int rc = 0;
3927
3928 if (default_noexec &&
3929 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3930 (!shared && (prot & PROT_WRITE)))) {
3931 /*
3932 * We are making executable an anonymous mapping or a
3933 * private file mapping that will also be writable.
3934 * This has an additional check.
3935 */
3936 rc = avc_has_perm(ssid: sid, tsid: sid, SECCLASS_PROCESS,
3937 PROCESS__EXECMEM, NULL);
3938 if (rc)
3939 goto error;
3940 }
3941
3942 if (file) {
3943 /* read access is always possible with a mapping */
3944 u32 av = FILE__READ;
3945
3946 /* write access only matters if the mapping is shared */
3947 if (shared && (prot & PROT_WRITE))
3948 av |= FILE__WRITE;
3949
3950 if (prot & PROT_EXEC)
3951 av |= FILE__EXECUTE;
3952
3953 return file_has_perm(cred, file, av);
3954 }
3955
3956error:
3957 return rc;
3958}
3959
3960static int selinux_mmap_addr(unsigned long addr)
3961{
3962 int rc = 0;
3963
3964 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3965 u32 sid = current_sid();
3966 rc = avc_has_perm(ssid: sid, tsid: sid, SECCLASS_MEMPROTECT,
3967 MEMPROTECT__MMAP_ZERO, NULL);
3968 }
3969
3970 return rc;
3971}
3972
3973static int selinux_mmap_file(struct file *file,
3974 unsigned long reqprot __always_unused,
3975 unsigned long prot, unsigned long flags)
3976{
3977 struct common_audit_data ad;
3978 int rc;
3979
3980 if (file) {
3981 ad.type = LSM_AUDIT_DATA_FILE;
3982 ad.u.file = file;
3983 rc = inode_has_perm(current_cred(), inode: file_inode(f: file),
3984 FILE__MAP, adp: &ad);
3985 if (rc)
3986 return rc;
3987 }
3988
3989 return file_map_prot_check(file, prot,
3990 shared: (flags & MAP_TYPE) == MAP_SHARED);
3991}
3992
3993static int selinux_file_mprotect(struct vm_area_struct *vma,
3994 unsigned long reqprot __always_unused,
3995 unsigned long prot)
3996{
3997 const struct cred *cred = current_cred();
3998 u32 sid = cred_sid(cred);
3999
4000 if (default_noexec &&
4001 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
4002 int rc = 0;
4003 /*
4004 * We don't use the vma_is_initial_heap() helper as it has
4005 * a history of problems and is currently broken on systems
4006 * where there is no heap, e.g. brk == start_brk. Before
4007 * replacing the conditional below with vma_is_initial_heap(),
4008 * or something similar, please ensure that the logic is the
4009 * same as what we have below or you have tested every possible
4010 * corner case you can think to test.
4011 */
4012 if (vma->vm_start >= vma->vm_mm->start_brk &&
4013 vma->vm_end <= vma->vm_mm->brk) {
4014 rc = avc_has_perm(ssid: sid, tsid: sid, SECCLASS_PROCESS,
4015 PROCESS__EXECHEAP, NULL);
4016 } else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
4017 vma_is_stack_for_current(vma))) {
4018 rc = avc_has_perm(ssid: sid, tsid: sid, SECCLASS_PROCESS,
4019 PROCESS__EXECSTACK, NULL);
4020 } else if (vma->vm_file && vma->anon_vma) {
4021 /*
4022 * We are making executable a file mapping that has
4023 * had some COW done. Since pages might have been
4024 * written, check ability to execute the possibly
4025 * modified content. This typically should only
4026 * occur for text relocations.
4027 */
4028 rc = file_has_perm(cred, file: vma->vm_file, FILE__EXECMOD);
4029 }
4030 if (rc)
4031 return rc;
4032 }
4033
4034 return file_map_prot_check(file: vma->vm_file, prot, shared: vma->vm_flags&VM_SHARED);
4035}
4036
4037static int selinux_file_lock(struct file *file, unsigned int cmd)
4038{
4039 const struct cred *cred = current_cred();
4040
4041 return file_has_perm(cred, file, FILE__LOCK);
4042}
4043
4044static int selinux_file_fcntl(struct file *file, unsigned int cmd,
4045 unsigned long arg)
4046{
4047 const struct cred *cred = current_cred();
4048 int err = 0;
4049
4050 switch (cmd) {
4051 case F_SETFL:
4052 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
4053 err = file_has_perm(cred, file, FILE__WRITE);
4054 break;
4055 }
4056 fallthrough;
4057 case F_SETOWN:
4058 case F_SETSIG:
4059 case F_GETFL:
4060 case F_GETOWN:
4061 case F_GETSIG:
4062 case F_GETOWNER_UIDS:
4063 /* Just check FD__USE permission */
4064 err = file_has_perm(cred, file, av: 0);
4065 break;
4066 case F_GETLK:
4067 case F_SETLK:
4068 case F_SETLKW:
4069 case F_OFD_GETLK:
4070 case F_OFD_SETLK:
4071 case F_OFD_SETLKW:
4072#if BITS_PER_LONG == 32
4073 case F_GETLK64:
4074 case F_SETLK64:
4075 case F_SETLKW64:
4076#endif
4077 err = file_has_perm(cred, file, FILE__LOCK);
4078 break;
4079 }
4080
4081 return err;
4082}
4083
4084static void selinux_file_set_fowner(struct file *file)
4085{
4086 struct file_security_struct *fsec;
4087
4088 fsec = selinux_file(file);
4089 fsec->fown_sid = current_sid();
4090}
4091
4092static int selinux_file_send_sigiotask(struct task_struct *tsk,
4093 struct fown_struct *fown, int signum)
4094{
4095 struct file *file;
4096 u32 sid = task_sid_obj(task: tsk);
4097 u32 perm;
4098 struct file_security_struct *fsec;
4099
4100 /* struct fown_struct is never outside the context of a struct file */
4101 file = fown->file;
4102
4103 fsec = selinux_file(file);
4104
4105 if (!signum)
4106 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
4107 else
4108 perm = signal_to_av(sig: signum);
4109
4110 return avc_has_perm(ssid: fsec->fown_sid, tsid: sid,
4111 SECCLASS_PROCESS, requested: perm, NULL);
4112}
4113
4114static int selinux_file_receive(struct file *file)
4115{
4116 const struct cred *cred = current_cred();
4117
4118 return file_has_perm(cred, file, av: file_to_av(file));
4119}
4120
4121static int selinux_file_open(struct file *file)
4122{
4123 struct file_security_struct *fsec;
4124 struct inode_security_struct *isec;
4125
4126 fsec = selinux_file(file);
4127 isec = inode_security(inode: file_inode(f: file));
4128 /*
4129 * Save inode label and policy sequence number
4130 * at open-time so that selinux_file_permission
4131 * can determine whether revalidation is necessary.
4132 * Task label is already saved in the file security
4133 * struct as its SID.
4134 */
4135 fsec->isid = isec->sid;
4136 fsec->pseqno = avc_policy_seqno();
4137 /*
4138 * Since the inode label or policy seqno may have changed
4139 * between the selinux_inode_permission check and the saving
4140 * of state above, recheck that access is still permitted.
4141 * Otherwise, access might never be revalidated against the
4142 * new inode label or new policy.
4143 * This check is not redundant - do not remove.
4144 */
4145 return file_path_has_perm(cred: file->f_cred, file, av: open_file_to_av(file));
4146}
4147
4148/* task security operations */
4149
4150static int selinux_task_alloc(struct task_struct *task,
4151 u64 clone_flags)
4152{
4153 u32 sid = current_sid();
4154
4155 return avc_has_perm(ssid: sid, tsid: sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
4156}
4157
4158/*
4159 * prepare a new set of credentials for modification
4160 */
4161static int selinux_cred_prepare(struct cred *new, const struct cred *old,
4162 gfp_t gfp)
4163{
4164 const struct task_security_struct *old_tsec = selinux_cred(cred: old);
4165 struct task_security_struct *tsec = selinux_cred(cred: new);
4166
4167 *tsec = *old_tsec;
4168 return 0;
4169}
4170
4171/*
4172 * transfer the SELinux data to a blank set of creds
4173 */
4174static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4175{
4176 const struct task_security_struct *old_tsec = selinux_cred(cred: old);
4177 struct task_security_struct *tsec = selinux_cred(cred: new);
4178
4179 *tsec = *old_tsec;
4180}
4181
4182static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4183{
4184 *secid = cred_sid(cred: c);
4185}
4186
4187static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop)
4188{
4189 prop->selinux.secid = cred_sid(cred: c);
4190}
4191
4192/*
4193 * set the security data for a kernel service
4194 * - all the creation contexts are set to unlabelled
4195 */
4196static int selinux_kernel_act_as(struct cred *new, u32 secid)
4197{
4198 struct task_security_struct *tsec = selinux_cred(cred: new);
4199 u32 sid = current_sid();
4200 int ret;
4201
4202 ret = avc_has_perm(ssid: sid, tsid: secid,
4203 SECCLASS_KERNEL_SERVICE,
4204 KERNEL_SERVICE__USE_AS_OVERRIDE,
4205 NULL);
4206 if (ret == 0) {
4207 tsec->sid = secid;
4208 tsec->create_sid = 0;
4209 tsec->keycreate_sid = 0;
4210 tsec->sockcreate_sid = 0;
4211 }
4212 return ret;
4213}
4214
4215/*
4216 * set the file creation context in a security record to the same as the
4217 * objective context of the specified inode
4218 */
4219static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4220{
4221 struct inode_security_struct *isec = inode_security(inode);
4222 struct task_security_struct *tsec = selinux_cred(cred: new);
4223 u32 sid = current_sid();
4224 int ret;
4225
4226 ret = avc_has_perm(ssid: sid, tsid: isec->sid,
4227 SECCLASS_KERNEL_SERVICE,
4228 KERNEL_SERVICE__CREATE_FILES_AS,
4229 NULL);
4230
4231 if (ret == 0)
4232 tsec->create_sid = isec->sid;
4233 return ret;
4234}
4235
4236static int selinux_kernel_module_request(char *kmod_name)
4237{
4238 struct common_audit_data ad;
4239
4240 ad.type = LSM_AUDIT_DATA_KMOD;
4241 ad.u.kmod_name = kmod_name;
4242
4243 return avc_has_perm(ssid: current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4244 SYSTEM__MODULE_REQUEST, auditdata: &ad);
4245}
4246
4247static int selinux_kernel_load_from_file(struct file *file, u32 requested)
4248{
4249 struct common_audit_data ad;
4250 struct inode_security_struct *isec;
4251 struct file_security_struct *fsec;
4252 u32 sid = current_sid();
4253 int rc;
4254
4255 if (file == NULL)
4256 return avc_has_perm(ssid: sid, tsid: sid, SECCLASS_SYSTEM, requested, NULL);
4257
4258 ad.type = LSM_AUDIT_DATA_FILE;
4259 ad.u.file = file;
4260
4261 fsec = selinux_file(file);
4262 if (sid != fsec->sid) {
4263 rc = avc_has_perm(ssid: sid, tsid: fsec->sid, SECCLASS_FD, FD__USE, auditdata: &ad);
4264 if (rc)
4265 return rc;
4266 }
4267
4268 isec = inode_security(inode: file_inode(f: file));
4269 return avc_has_perm(ssid: sid, tsid: isec->sid, SECCLASS_SYSTEM, requested, auditdata: &ad);
4270}
4271
4272static int selinux_kernel_read_file(struct file *file,
4273 enum kernel_read_file_id id,
4274 bool contents)
4275{
4276 int rc = 0;
4277
4278 BUILD_BUG_ON_MSG(READING_MAX_ID > 7,
4279 "New kernel_read_file_id introduced; update SELinux!");
4280
4281 switch (id) {
4282 case READING_FIRMWARE:
4283 rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD);
4284 break;
4285 case READING_MODULE:
4286 rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD);
4287 break;
4288 case READING_KEXEC_IMAGE:
4289 rc = selinux_kernel_load_from_file(file,
4290 SYSTEM__KEXEC_IMAGE_LOAD);
4291 break;
4292 case READING_KEXEC_INITRAMFS:
4293 rc = selinux_kernel_load_from_file(file,
4294 SYSTEM__KEXEC_INITRAMFS_LOAD);
4295 break;
4296 case READING_POLICY:
4297 rc = selinux_kernel_load_from_file(file, SYSTEM__POLICY_LOAD);
4298 break;
4299 case READING_X509_CERTIFICATE:
4300 rc = selinux_kernel_load_from_file(file,
4301 SYSTEM__X509_CERTIFICATE_LOAD);
4302 break;
4303 default:
4304 break;
4305 }
4306
4307 return rc;
4308}
4309
4310static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4311{
4312 int rc = 0;
4313
4314 BUILD_BUG_ON_MSG(LOADING_MAX_ID > 7,
4315 "New kernel_load_data_id introduced; update SELinux!");
4316
4317 switch (id) {
4318 case LOADING_FIRMWARE:
4319 rc = selinux_kernel_load_from_file(NULL, SYSTEM__FIRMWARE_LOAD);
4320 break;
4321 case LOADING_MODULE:
4322 rc = selinux_kernel_load_from_file(NULL, SYSTEM__MODULE_LOAD);
4323 break;
4324 case LOADING_KEXEC_IMAGE:
4325 rc = selinux_kernel_load_from_file(NULL,
4326 SYSTEM__KEXEC_IMAGE_LOAD);
4327 break;
4328 case LOADING_KEXEC_INITRAMFS:
4329 rc = selinux_kernel_load_from_file(NULL,
4330 SYSTEM__KEXEC_INITRAMFS_LOAD);
4331 break;
4332 case LOADING_POLICY:
4333 rc = selinux_kernel_load_from_file(NULL,
4334 SYSTEM__POLICY_LOAD);
4335 break;
4336 case LOADING_X509_CERTIFICATE:
4337 rc = selinux_kernel_load_from_file(NULL,
4338 SYSTEM__X509_CERTIFICATE_LOAD);
4339 break;
4340 default:
4341 break;
4342 }
4343
4344 return rc;
4345}
4346
4347static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4348{
4349 return avc_has_perm(ssid: current_sid(), tsid: task_sid_obj(task: p), SECCLASS_PROCESS,
4350 PROCESS__SETPGID, NULL);
4351}
4352
4353static int selinux_task_getpgid(struct task_struct *p)
4354{
4355 return avc_has_perm(ssid: current_sid(), tsid: task_sid_obj(task: p), SECCLASS_PROCESS,
4356 PROCESS__GETPGID, NULL);
4357}
4358
4359static int selinux_task_getsid(struct task_struct *p)
4360{
4361 return avc_has_perm(ssid: current_sid(), tsid: task_sid_obj(task: p), SECCLASS_PROCESS,
4362 PROCESS__GETSESSION, NULL);
4363}
4364
4365static void selinux_current_getlsmprop_subj(struct lsm_prop *prop)
4366{
4367 prop->selinux.secid = current_sid();
4368}
4369
4370static void selinux_task_getlsmprop_obj(struct task_struct *p,
4371 struct lsm_prop *prop)
4372{
4373 prop->selinux.secid = task_sid_obj(task: p);
4374}
4375
4376static int selinux_task_setnice(struct task_struct *p, int nice)
4377{
4378 return avc_has_perm(ssid: current_sid(), tsid: task_sid_obj(task: p), SECCLASS_PROCESS,
4379 PROCESS__SETSCHED, NULL);
4380}
4381
4382static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4383{
4384 return avc_has_perm(ssid: current_sid(), tsid: task_sid_obj(task: p), SECCLASS_PROCESS,
4385 PROCESS__SETSCHED, NULL);
4386}
4387
4388static int selinux_task_getioprio(struct task_struct *p)
4389{
4390 return avc_has_perm(ssid: current_sid(), tsid: task_sid_obj(task: p), SECCLASS_PROCESS,
4391 PROCESS__GETSCHED, NULL);
4392}
4393
4394static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4395 unsigned int flags)
4396{
4397 u32 av = 0;
4398
4399 if (!flags)
4400 return 0;
4401 if (flags & LSM_PRLIMIT_WRITE)
4402 av |= PROCESS__SETRLIMIT;
4403 if (flags & LSM_PRLIMIT_READ)
4404 av |= PROCESS__GETRLIMIT;
4405 return avc_has_perm(ssid: cred_sid(cred), tsid: cred_sid(cred: tcred),
4406 SECCLASS_PROCESS, requested: av, NULL);
4407}
4408
4409static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4410 struct rlimit *new_rlim)
4411{
4412 struct rlimit *old_rlim = p->signal->rlim + resource;
4413
4414 /* Control the ability to change the hard limit (whether
4415 lowering or raising it), so that the hard limit can
4416 later be used as a safe reset point for the soft limit
4417 upon context transitions. See selinux_bprm_committing_creds. */
4418 if (old_rlim->rlim_max != new_rlim->rlim_max)
4419 return avc_has_perm(ssid: current_sid(), tsid: task_sid_obj(task: p),
4420 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4421
4422 return 0;
4423}
4424
4425static int selinux_task_setscheduler(struct task_struct *p)
4426{
4427 return avc_has_perm(ssid: current_sid(), tsid: task_sid_obj(task: p), SECCLASS_PROCESS,
4428 PROCESS__SETSCHED, NULL);
4429}
4430
4431static int selinux_task_getscheduler(struct task_struct *p)
4432{
4433 return avc_has_perm(ssid: current_sid(), tsid: task_sid_obj(task: p), SECCLASS_PROCESS,
4434 PROCESS__GETSCHED, NULL);
4435}
4436
4437static int selinux_task_movememory(struct task_struct *p)
4438{
4439 return avc_has_perm(ssid: current_sid(), tsid: task_sid_obj(task: p), SECCLASS_PROCESS,
4440 PROCESS__SETSCHED, NULL);
4441}
4442
4443static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4444 int sig, const struct cred *cred)
4445{
4446 u32 secid;
4447 u32 perm;
4448
4449 if (!sig)
4450 perm = PROCESS__SIGNULL; /* null signal; existence test */
4451 else
4452 perm = signal_to_av(sig);
4453 if (!cred)
4454 secid = current_sid();
4455 else
4456 secid = cred_sid(cred);
4457 return avc_has_perm(ssid: secid, tsid: task_sid_obj(task: p), SECCLASS_PROCESS, requested: perm, NULL);
4458}
4459
4460static void selinux_task_to_inode(struct task_struct *p,
4461 struct inode *inode)
4462{
4463 struct inode_security_struct *isec = selinux_inode(inode);
4464 u32 sid = task_sid_obj(task: p);
4465
4466 spin_lock(lock: &isec->lock);
4467 isec->sclass = inode_mode_to_security_class(mode: inode->i_mode);
4468 isec->sid = sid;
4469 isec->initialized = LABEL_INITIALIZED;
4470 spin_unlock(lock: &isec->lock);
4471}
4472
4473static int selinux_userns_create(const struct cred *cred)
4474{
4475 u32 sid = current_sid();
4476
4477 return avc_has_perm(ssid: sid, tsid: sid, SECCLASS_USER_NAMESPACE,
4478 USER_NAMESPACE__CREATE, NULL);
4479}
4480
4481/* Returns error only if unable to parse addresses */
4482static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4483 struct common_audit_data *ad, u8 *proto)
4484{
4485 int offset, ihlen, ret = -EINVAL;
4486 struct iphdr _iph, *ih;
4487
4488 offset = skb_network_offset(skb);
4489 ih = skb_header_pointer(skb, offset, len: sizeof(_iph), buffer: &_iph);
4490 if (ih == NULL)
4491 goto out;
4492
4493 ihlen = ih->ihl * 4;
4494 if (ihlen < sizeof(_iph))
4495 goto out;
4496
4497 ad->u.net->v4info.saddr = ih->saddr;
4498 ad->u.net->v4info.daddr = ih->daddr;
4499 ret = 0;
4500
4501 if (proto)
4502 *proto = ih->protocol;
4503
4504 switch (ih->protocol) {
4505 case IPPROTO_TCP: {
4506 struct tcphdr _tcph, *th;
4507
4508 if (ntohs(ih->frag_off) & IP_OFFSET)
4509 break;
4510
4511 offset += ihlen;
4512 th = skb_header_pointer(skb, offset, len: sizeof(_tcph), buffer: &_tcph);
4513 if (th == NULL)
4514 break;
4515
4516 ad->u.net->sport = th->source;
4517 ad->u.net->dport = th->dest;
4518 break;
4519 }
4520
4521 case IPPROTO_UDP: {
4522 struct udphdr _udph, *uh;
4523
4524 if (ntohs(ih->frag_off) & IP_OFFSET)
4525 break;
4526
4527 offset += ihlen;
4528 uh = skb_header_pointer(skb, offset, len: sizeof(_udph), buffer: &_udph);
4529 if (uh == NULL)
4530 break;
4531
4532 ad->u.net->sport = uh->source;
4533 ad->u.net->dport = uh->dest;
4534 break;
4535 }
4536
4537#if IS_ENABLED(CONFIG_IP_SCTP)
4538 case IPPROTO_SCTP: {
4539 struct sctphdr _sctph, *sh;
4540
4541 if (ntohs(ih->frag_off) & IP_OFFSET)
4542 break;
4543
4544 offset += ihlen;
4545 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4546 if (sh == NULL)
4547 break;
4548
4549 ad->u.net->sport = sh->source;
4550 ad->u.net->dport = sh->dest;
4551 break;
4552 }
4553#endif
4554 default:
4555 break;
4556 }
4557out:
4558 return ret;
4559}
4560
4561#if IS_ENABLED(CONFIG_IPV6)
4562
4563/* Returns error only if unable to parse addresses */
4564static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4565 struct common_audit_data *ad, u8 *proto)
4566{
4567 u8 nexthdr;
4568 int ret = -EINVAL, offset;
4569 struct ipv6hdr _ipv6h, *ip6;
4570 __be16 frag_off;
4571
4572 offset = skb_network_offset(skb);
4573 ip6 = skb_header_pointer(skb, offset, len: sizeof(_ipv6h), buffer: &_ipv6h);
4574 if (ip6 == NULL)
4575 goto out;
4576
4577 ad->u.net->v6info.saddr = ip6->saddr;
4578 ad->u.net->v6info.daddr = ip6->daddr;
4579 ret = 0;
4580
4581 nexthdr = ip6->nexthdr;
4582 offset += sizeof(_ipv6h);
4583 offset = ipv6_skip_exthdr(skb, start: offset, nexthdrp: &nexthdr, frag_offp: &frag_off);
4584 if (offset < 0)
4585 goto out;
4586
4587 if (proto)
4588 *proto = nexthdr;
4589
4590 switch (nexthdr) {
4591 case IPPROTO_TCP: {
4592 struct tcphdr _tcph, *th;
4593
4594 th = skb_header_pointer(skb, offset, len: sizeof(_tcph), buffer: &_tcph);
4595 if (th == NULL)
4596 break;
4597
4598 ad->u.net->sport = th->source;
4599 ad->u.net->dport = th->dest;
4600 break;
4601 }
4602
4603 case IPPROTO_UDP: {
4604 struct udphdr _udph, *uh;
4605
4606 uh = skb_header_pointer(skb, offset, len: sizeof(_udph), buffer: &_udph);
4607 if (uh == NULL)
4608 break;
4609
4610 ad->u.net->sport = uh->source;
4611 ad->u.net->dport = uh->dest;
4612 break;
4613 }
4614
4615#if IS_ENABLED(CONFIG_IP_SCTP)
4616 case IPPROTO_SCTP: {
4617 struct sctphdr _sctph, *sh;
4618
4619 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4620 if (sh == NULL)
4621 break;
4622
4623 ad->u.net->sport = sh->source;
4624 ad->u.net->dport = sh->dest;
4625 break;
4626 }
4627#endif
4628 /* includes fragments */
4629 default:
4630 break;
4631 }
4632out:
4633 return ret;
4634}
4635
4636#endif /* IPV6 */
4637
4638static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4639 char **_addrp, int src, u8 *proto)
4640{
4641 char *addrp;
4642 int ret;
4643
4644 switch (ad->u.net->family) {
4645 case PF_INET:
4646 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4647 if (ret)
4648 goto parse_error;
4649 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4650 &ad->u.net->v4info.daddr);
4651 goto okay;
4652
4653#if IS_ENABLED(CONFIG_IPV6)
4654 case PF_INET6:
4655 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4656 if (ret)
4657 goto parse_error;
4658 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4659 &ad->u.net->v6info.daddr);
4660 goto okay;
4661#endif /* IPV6 */
4662 default:
4663 addrp = NULL;
4664 goto okay;
4665 }
4666
4667parse_error:
4668 pr_warn(
4669 "SELinux: failure in selinux_parse_skb(),"
4670 " unable to parse packet\n");
4671 return ret;
4672
4673okay:
4674 if (_addrp)
4675 *_addrp = addrp;
4676 return 0;
4677}
4678
4679/**
4680 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4681 * @skb: the packet
4682 * @family: protocol family
4683 * @sid: the packet's peer label SID
4684 *
4685 * Description:
4686 * Check the various different forms of network peer labeling and determine
4687 * the peer label/SID for the packet; most of the magic actually occurs in
4688 * the security server function security_net_peersid_cmp(). The function
4689 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4690 * or -EACCES if @sid is invalid due to inconsistencies with the different
4691 * peer labels.
4692 *
4693 */
4694static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4695{
4696 int err;
4697 u32 xfrm_sid;
4698 u32 nlbl_sid;
4699 u32 nlbl_type;
4700
4701 err = selinux_xfrm_skb_sid(skb, sid: &xfrm_sid);
4702 if (unlikely(err))
4703 return -EACCES;
4704 err = selinux_netlbl_skbuff_getsid(skb, family, type: &nlbl_type, sid: &nlbl_sid);
4705 if (unlikely(err))
4706 return -EACCES;
4707
4708 err = security_net_peersid_resolve(nlbl_sid,
4709 nlbl_type, xfrm_sid, peer_sid: sid);
4710 if (unlikely(err)) {
4711 pr_warn(
4712 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4713 " unable to determine packet's peer label\n");
4714 return -EACCES;
4715 }
4716
4717 return 0;
4718}
4719
4720/**
4721 * selinux_conn_sid - Determine the child socket label for a connection
4722 * @sk_sid: the parent socket's SID
4723 * @skb_sid: the packet's SID
4724 * @conn_sid: the resulting connection SID
4725 *
4726 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4727 * combined with the MLS information from @skb_sid in order to create
4728 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy
4729 * of @sk_sid. Returns zero on success, negative values on failure.
4730 *
4731 */
4732static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4733{
4734 int err = 0;
4735
4736 if (skb_sid != SECSID_NULL)
4737 err = security_sid_mls_copy(sid: sk_sid, mls_sid: skb_sid,
4738 new_sid: conn_sid);
4739 else
4740 *conn_sid = sk_sid;
4741
4742 return err;
4743}
4744
4745/* socket security operations */
4746
4747static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4748 u16 secclass, u32 *socksid)
4749{
4750 if (tsec->sockcreate_sid > SECSID_NULL) {
4751 *socksid = tsec->sockcreate_sid;
4752 return 0;
4753 }
4754
4755 return security_transition_sid(ssid: tsec->sid, tsid: tsec->sid,
4756 tclass: secclass, NULL, out_sid: socksid);
4757}
4758
4759static bool sock_skip_has_perm(u32 sid)
4760{
4761 if (sid == SECINITSID_KERNEL)
4762 return true;
4763
4764 /*
4765 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that
4766 * inherited the kernel context from early boot used to be skipped
4767 * here, so preserve that behavior unless the capability is set.
4768 *
4769 * By setting the capability the policy signals that it is ready
4770 * for this quirk to be fixed. Note that sockets created by a kernel
4771 * thread or a usermode helper executed without a transition will
4772 * still be skipped in this check regardless of the policycap
4773 * setting.
4774 */
4775 if (!selinux_policycap_userspace_initial_context() &&
4776 sid == SECINITSID_INIT)
4777 return true;
4778 return false;
4779}
4780
4781
4782static int sock_has_perm(struct sock *sk, u32 perms)
4783{
4784 struct sk_security_struct *sksec = sk->sk_security;
4785 struct common_audit_data ad;
4786 struct lsm_network_audit net;
4787
4788 if (sock_skip_has_perm(sid: sksec->sid))
4789 return 0;
4790
4791 ad_net_init_from_sk(ad: &ad, net: &net, sk);
4792
4793 return avc_has_perm(ssid: current_sid(), tsid: sksec->sid, tclass: sksec->sclass, requested: perms,
4794 auditdata: &ad);
4795}
4796
4797static int selinux_socket_create(int family, int type,
4798 int protocol, int kern)
4799{
4800 const struct task_security_struct *tsec = selinux_cred(current_cred());
4801 u32 newsid;
4802 u16 secclass;
4803 int rc;
4804
4805 if (kern)
4806 return 0;
4807
4808 secclass = socket_type_to_security_class(family, type, protocol);
4809 rc = socket_sockcreate_sid(tsec, secclass, socksid: &newsid);
4810 if (rc)
4811 return rc;
4812
4813 return avc_has_perm(ssid: tsec->sid, tsid: newsid, tclass: secclass, SOCKET__CREATE, NULL);
4814}
4815
4816static int selinux_socket_post_create(struct socket *sock, int family,
4817 int type, int protocol, int kern)
4818{
4819 const struct task_security_struct *tsec = selinux_cred(current_cred());
4820 struct inode_security_struct *isec = inode_security_novalidate(inode: SOCK_INODE(socket: sock));
4821 struct sk_security_struct *sksec;
4822 u16 sclass = socket_type_to_security_class(family, type, protocol);
4823 u32 sid = SECINITSID_KERNEL;
4824 int err = 0;
4825
4826 if (!kern) {
4827 err = socket_sockcreate_sid(tsec, secclass: sclass, socksid: &sid);
4828 if (err)
4829 return err;
4830 }
4831
4832 isec->sclass = sclass;
4833 isec->sid = sid;
4834 isec->initialized = LABEL_INITIALIZED;
4835
4836 if (sock->sk) {
4837 sksec = selinux_sock(sock: sock->sk);
4838 sksec->sclass = sclass;
4839 sksec->sid = sid;
4840 /* Allows detection of the first association on this socket */
4841 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4842 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4843
4844 err = selinux_netlbl_socket_post_create(sk: sock->sk, family);
4845 }
4846
4847 return err;
4848}
4849
4850static int selinux_socket_socketpair(struct socket *socka,
4851 struct socket *sockb)
4852{
4853 struct sk_security_struct *sksec_a = selinux_sock(sock: socka->sk);
4854 struct sk_security_struct *sksec_b = selinux_sock(sock: sockb->sk);
4855
4856 sksec_a->peer_sid = sksec_b->sid;
4857 sksec_b->peer_sid = sksec_a->sid;
4858
4859 return 0;
4860}
4861
4862/* Range of port numbers used to automatically bind.
4863 Need to determine whether we should perform a name_bind
4864 permission check between the socket and the port number. */
4865
4866static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4867{
4868 struct sock *sk = sock->sk;
4869 struct sk_security_struct *sksec = selinux_sock(sock: sk);
4870 u16 family;
4871 int err;
4872
4873 err = sock_has_perm(sk, SOCKET__BIND);
4874 if (err)
4875 goto out;
4876
4877 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4878 family = sk->sk_family;
4879 if (family == PF_INET || family == PF_INET6) {
4880 char *addrp;
4881 struct common_audit_data ad;
4882 struct lsm_network_audit net = {0,};
4883 struct sockaddr_in *addr4 = NULL;
4884 struct sockaddr_in6 *addr6 = NULL;
4885 u16 family_sa;
4886 unsigned short snum;
4887 u32 sid, node_perm;
4888
4889 /*
4890 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4891 * that validates multiple binding addresses. Because of this
4892 * need to check address->sa_family as it is possible to have
4893 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4894 */
4895 if (addrlen < offsetofend(struct sockaddr, sa_family))
4896 return -EINVAL;
4897 family_sa = address->sa_family;
4898 switch (family_sa) {
4899 case AF_UNSPEC:
4900 case AF_INET:
4901 if (addrlen < sizeof(struct sockaddr_in))
4902 return -EINVAL;
4903 addr4 = (struct sockaddr_in *)address;
4904 if (family_sa == AF_UNSPEC) {
4905 if (family == PF_INET6) {
4906 /* Length check from inet6_bind_sk() */
4907 if (addrlen < SIN6_LEN_RFC2133)
4908 return -EINVAL;
4909 /* Family check from __inet6_bind() */
4910 goto err_af;
4911 }
4912 /* see __inet_bind(), we only want to allow
4913 * AF_UNSPEC if the address is INADDR_ANY
4914 */
4915 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4916 goto err_af;
4917 family_sa = AF_INET;
4918 }
4919 snum = ntohs(addr4->sin_port);
4920 addrp = (char *)&addr4->sin_addr.s_addr;
4921 break;
4922 case AF_INET6:
4923 if (addrlen < SIN6_LEN_RFC2133)
4924 return -EINVAL;
4925 addr6 = (struct sockaddr_in6 *)address;
4926 snum = ntohs(addr6->sin6_port);
4927 addrp = (char *)&addr6->sin6_addr.s6_addr;
4928 break;
4929 default:
4930 goto err_af;
4931 }
4932
4933 ad.type = LSM_AUDIT_DATA_NET;
4934 ad.u.net = &net;
4935 ad.u.net->sport = htons(snum);
4936 ad.u.net->family = family_sa;
4937
4938 if (snum) {
4939 int low, high;
4940
4941 inet_get_local_port_range(net: sock_net(sk), low: &low, high: &high);
4942
4943 if (inet_port_requires_bind_service(net: sock_net(sk), port: snum) ||
4944 snum < low || snum > high) {
4945 err = sel_netport_sid(protocol: sk->sk_protocol,
4946 pnum: snum, sid: &sid);
4947 if (err)
4948 goto out;
4949 err = avc_has_perm(ssid: sksec->sid, tsid: sid,
4950 tclass: sksec->sclass,
4951 SOCKET__NAME_BIND, auditdata: &ad);
4952 if (err)
4953 goto out;
4954 }
4955 }
4956
4957 switch (sksec->sclass) {
4958 case SECCLASS_TCP_SOCKET:
4959 node_perm = TCP_SOCKET__NODE_BIND;
4960 break;
4961
4962 case SECCLASS_UDP_SOCKET:
4963 node_perm = UDP_SOCKET__NODE_BIND;
4964 break;
4965
4966 case SECCLASS_SCTP_SOCKET:
4967 node_perm = SCTP_SOCKET__NODE_BIND;
4968 break;
4969
4970 default:
4971 node_perm = RAWIP_SOCKET__NODE_BIND;
4972 break;
4973 }
4974
4975 err = sel_netnode_sid(addr: addrp, family: family_sa, sid: &sid);
4976 if (err)
4977 goto out;
4978
4979 if (family_sa == AF_INET)
4980 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4981 else
4982 ad.u.net->v6info.saddr = addr6->sin6_addr;
4983
4984 err = avc_has_perm(ssid: sksec->sid, tsid: sid,
4985 tclass: sksec->sclass, requested: node_perm, auditdata: &ad);
4986 if (err)
4987 goto out;
4988 }
4989out:
4990 return err;
4991err_af:
4992 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4993 if (sk->sk_protocol == IPPROTO_SCTP)
4994 return -EINVAL;
4995 return -EAFNOSUPPORT;
4996}
4997
4998/* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4999 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
5000 */
5001static int selinux_socket_connect_helper(struct socket *sock,
5002 struct sockaddr *address, int addrlen)
5003{
5004 struct sock *sk = sock->sk;
5005 struct sk_security_struct *sksec = selinux_sock(sock: sk);
5006 int err;
5007
5008 err = sock_has_perm(sk, SOCKET__CONNECT);
5009 if (err)
5010 return err;
5011 if (addrlen < offsetofend(struct sockaddr, sa_family))
5012 return -EINVAL;
5013
5014 /* connect(AF_UNSPEC) has special handling, as it is a documented
5015 * way to disconnect the socket
5016 */
5017 if (address->sa_family == AF_UNSPEC)
5018 return 0;
5019
5020 /*
5021 * If a TCP or SCTP socket, check name_connect permission
5022 * for the port.
5023 */
5024 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
5025 sksec->sclass == SECCLASS_SCTP_SOCKET) {
5026 struct common_audit_data ad;
5027 struct lsm_network_audit net = {0,};
5028 struct sockaddr_in *addr4 = NULL;
5029 struct sockaddr_in6 *addr6 = NULL;
5030 unsigned short snum;
5031 u32 sid, perm;
5032
5033 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
5034 * that validates multiple connect addresses. Because of this
5035 * need to check address->sa_family as it is possible to have
5036 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
5037 */
5038 switch (address->sa_family) {
5039 case AF_INET:
5040 addr4 = (struct sockaddr_in *)address;
5041 if (addrlen < sizeof(struct sockaddr_in))
5042 return -EINVAL;
5043 snum = ntohs(addr4->sin_port);
5044 break;
5045 case AF_INET6:
5046 addr6 = (struct sockaddr_in6 *)address;
5047 if (addrlen < SIN6_LEN_RFC2133)
5048 return -EINVAL;
5049 snum = ntohs(addr6->sin6_port);
5050 break;
5051 default:
5052 /* Note that SCTP services expect -EINVAL, whereas
5053 * others expect -EAFNOSUPPORT.
5054 */
5055 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
5056 return -EINVAL;
5057 else
5058 return -EAFNOSUPPORT;
5059 }
5060
5061 err = sel_netport_sid(protocol: sk->sk_protocol, pnum: snum, sid: &sid);
5062 if (err)
5063 return err;
5064
5065 switch (sksec->sclass) {
5066 case SECCLASS_TCP_SOCKET:
5067 perm = TCP_SOCKET__NAME_CONNECT;
5068 break;
5069 case SECCLASS_SCTP_SOCKET:
5070 perm = SCTP_SOCKET__NAME_CONNECT;
5071 break;
5072 }
5073
5074 ad.type = LSM_AUDIT_DATA_NET;
5075 ad.u.net = &net;
5076 ad.u.net->dport = htons(snum);
5077 ad.u.net->family = address->sa_family;
5078 err = avc_has_perm(ssid: sksec->sid, tsid: sid, tclass: sksec->sclass, requested: perm, auditdata: &ad);
5079 if (err)
5080 return err;
5081 }
5082
5083 return 0;
5084}
5085
5086/* Supports connect(2), see comments in selinux_socket_connect_helper() */
5087static int selinux_socket_connect(struct socket *sock,
5088 struct sockaddr *address, int addrlen)
5089{
5090 int err;
5091 struct sock *sk = sock->sk;
5092
5093 err = selinux_socket_connect_helper(sock, address, addrlen);
5094 if (err)
5095 return err;
5096
5097 return selinux_netlbl_socket_connect(sk, addr: address);
5098}
5099
5100static int selinux_socket_listen(struct socket *sock, int backlog)
5101{
5102 return sock_has_perm(sk: sock->sk, SOCKET__LISTEN);
5103}
5104
5105static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
5106{
5107 int err;
5108 struct inode_security_struct *isec;
5109 struct inode_security_struct *newisec;
5110 u16 sclass;
5111 u32 sid;
5112
5113 err = sock_has_perm(sk: sock->sk, SOCKET__ACCEPT);
5114 if (err)
5115 return err;
5116
5117 isec = inode_security_novalidate(inode: SOCK_INODE(socket: sock));
5118 spin_lock(lock: &isec->lock);
5119 sclass = isec->sclass;
5120 sid = isec->sid;
5121 spin_unlock(lock: &isec->lock);
5122
5123 newisec = inode_security_novalidate(inode: SOCK_INODE(socket: newsock));
5124 newisec->sclass = sclass;
5125 newisec->sid = sid;
5126 newisec->initialized = LABEL_INITIALIZED;
5127
5128 return 0;
5129}
5130
5131static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
5132 int size)
5133{
5134 return sock_has_perm(sk: sock->sk, SOCKET__WRITE);
5135}
5136
5137static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
5138 int size, int flags)
5139{
5140 return sock_has_perm(sk: sock->sk, SOCKET__READ);
5141}
5142
5143static int selinux_socket_getsockname(struct socket *sock)
5144{
5145 return sock_has_perm(sk: sock->sk, SOCKET__GETATTR);
5146}
5147
5148static int selinux_socket_getpeername(struct socket *sock)
5149{
5150 return sock_has_perm(sk: sock->sk, SOCKET__GETATTR);
5151}
5152
5153static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
5154{
5155 int err;
5156
5157 err = sock_has_perm(sk: sock->sk, SOCKET__SETOPT);
5158 if (err)
5159 return err;
5160
5161 return selinux_netlbl_socket_setsockopt(sock, level, optname);
5162}
5163
5164static int selinux_socket_getsockopt(struct socket *sock, int level,
5165 int optname)
5166{
5167 return sock_has_perm(sk: sock->sk, SOCKET__GETOPT);
5168}
5169
5170static int selinux_socket_shutdown(struct socket *sock, int how)
5171{
5172 return sock_has_perm(sk: sock->sk, SOCKET__SHUTDOWN);
5173}
5174
5175static int selinux_socket_unix_stream_connect(struct sock *sock,
5176 struct sock *other,
5177 struct sock *newsk)
5178{
5179 struct sk_security_struct *sksec_sock = selinux_sock(sock);
5180 struct sk_security_struct *sksec_other = selinux_sock(sock: other);
5181 struct sk_security_struct *sksec_new = selinux_sock(sock: newsk);
5182 struct common_audit_data ad;
5183 struct lsm_network_audit net;
5184 int err;
5185
5186 ad_net_init_from_sk(ad: &ad, net: &net, sk: other);
5187
5188 err = avc_has_perm(ssid: sksec_sock->sid, tsid: sksec_other->sid,
5189 tclass: sksec_other->sclass,
5190 UNIX_STREAM_SOCKET__CONNECTTO, auditdata: &ad);
5191 if (err)
5192 return err;
5193
5194 /* server child socket */
5195 sksec_new->peer_sid = sksec_sock->sid;
5196 err = security_sid_mls_copy(sid: sksec_other->sid,
5197 mls_sid: sksec_sock->sid, new_sid: &sksec_new->sid);
5198 if (err)
5199 return err;
5200
5201 /* connecting socket */
5202 sksec_sock->peer_sid = sksec_new->sid;
5203
5204 return 0;
5205}
5206
5207static int selinux_socket_unix_may_send(struct socket *sock,
5208 struct socket *other)
5209{
5210 struct sk_security_struct *ssec = selinux_sock(sock: sock->sk);
5211 struct sk_security_struct *osec = selinux_sock(sock: other->sk);
5212 struct common_audit_data ad;
5213 struct lsm_network_audit net;
5214
5215 ad_net_init_from_sk(ad: &ad, net: &net, sk: other->sk);
5216
5217 return avc_has_perm(ssid: ssec->sid, tsid: osec->sid, tclass: osec->sclass, SOCKET__SENDTO,
5218 auditdata: &ad);
5219}
5220
5221static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5222 char *addrp, u16 family, u32 peer_sid,
5223 struct common_audit_data *ad)
5224{
5225 int err;
5226 u32 if_sid;
5227 u32 node_sid;
5228
5229 err = sel_netif_sid(ns, ifindex, sid: &if_sid);
5230 if (err)
5231 return err;
5232 err = avc_has_perm(ssid: peer_sid, tsid: if_sid,
5233 SECCLASS_NETIF, NETIF__INGRESS, auditdata: ad);
5234 if (err)
5235 return err;
5236
5237 err = sel_netnode_sid(addr: addrp, family, sid: &node_sid);
5238 if (err)
5239 return err;
5240 return avc_has_perm(ssid: peer_sid, tsid: node_sid,
5241 SECCLASS_NODE, NODE__RECVFROM, auditdata: ad);
5242}
5243
5244static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5245 u16 family)
5246{
5247 int err = 0;
5248 struct sk_security_struct *sksec = selinux_sock(sock: sk);
5249 u32 sk_sid = sksec->sid;
5250 struct common_audit_data ad;
5251 struct lsm_network_audit net;
5252 char *addrp;
5253
5254 ad_net_init_from_iif(ad: &ad, net: &net, ifindex: skb->skb_iif, family);
5255 err = selinux_parse_skb(skb, ad: &ad, addrp: &addrp, src: 1, NULL);
5256 if (err)
5257 return err;
5258
5259 if (selinux_secmark_enabled()) {
5260 err = avc_has_perm(ssid: sk_sid, tsid: skb->secmark, SECCLASS_PACKET,
5261 PACKET__RECV, auditdata: &ad);
5262 if (err)
5263 return err;
5264 }
5265
5266 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad: &ad);
5267 if (err)
5268 return err;
5269 err = selinux_xfrm_sock_rcv_skb(sk_sid: sksec->sid, skb, ad: &ad);
5270
5271 return err;
5272}
5273
5274static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5275{
5276 int err, peerlbl_active, secmark_active;
5277 struct sk_security_struct *sksec = selinux_sock(sock: sk);
5278 u16 family = sk->sk_family;
5279 u32 sk_sid = sksec->sid;
5280 struct common_audit_data ad;
5281 struct lsm_network_audit net;
5282 char *addrp;
5283
5284 if (family != PF_INET && family != PF_INET6)
5285 return 0;
5286
5287 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5288 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5289 family = PF_INET;
5290
5291 /* If any sort of compatibility mode is enabled then handoff processing
5292 * to the selinux_sock_rcv_skb_compat() function to deal with the
5293 * special handling. We do this in an attempt to keep this function
5294 * as fast and as clean as possible. */
5295 if (!selinux_policycap_netpeer())
5296 return selinux_sock_rcv_skb_compat(sk, skb, family);
5297
5298 secmark_active = selinux_secmark_enabled();
5299 peerlbl_active = selinux_peerlbl_enabled();
5300 if (!secmark_active && !peerlbl_active)
5301 return 0;
5302
5303 ad_net_init_from_iif(ad: &ad, net: &net, ifindex: skb->skb_iif, family);
5304 err = selinux_parse_skb(skb, ad: &ad, addrp: &addrp, src: 1, NULL);
5305 if (err)
5306 return err;
5307
5308 if (peerlbl_active) {
5309 u32 peer_sid;
5310
5311 err = selinux_skb_peerlbl_sid(skb, family, sid: &peer_sid);
5312 if (err)
5313 return err;
5314 err = selinux_inet_sys_rcv_skb(ns: sock_net(sk), ifindex: skb->skb_iif,
5315 addrp, family, peer_sid, ad: &ad);
5316 if (err) {
5317 selinux_netlbl_err(skb, family, error: err, gateway: 0);
5318 return err;
5319 }
5320 err = avc_has_perm(ssid: sk_sid, tsid: peer_sid, SECCLASS_PEER,
5321 PEER__RECV, auditdata: &ad);
5322 if (err) {
5323 selinux_netlbl_err(skb, family, error: err, gateway: 0);
5324 return err;
5325 }
5326 }
5327
5328 if (secmark_active) {
5329 err = avc_has_perm(ssid: sk_sid, tsid: skb->secmark, SECCLASS_PACKET,
5330 PACKET__RECV, auditdata: &ad);
5331 if (err)
5332 return err;
5333 }
5334
5335 return err;
5336}
5337
5338static int selinux_socket_getpeersec_stream(struct socket *sock,
5339 sockptr_t optval, sockptr_t optlen,
5340 unsigned int len)
5341{
5342 int err = 0;
5343 char *scontext = NULL;
5344 u32 scontext_len;
5345 struct sk_security_struct *sksec = selinux_sock(sock: sock->sk);
5346 u32 peer_sid = SECSID_NULL;
5347
5348 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5349 sksec->sclass == SECCLASS_TCP_SOCKET ||
5350 sksec->sclass == SECCLASS_SCTP_SOCKET)
5351 peer_sid = sksec->peer_sid;
5352 if (peer_sid == SECSID_NULL)
5353 return -ENOPROTOOPT;
5354
5355 err = security_sid_to_context(sid: peer_sid, scontext: &scontext,
5356 scontext_len: &scontext_len);
5357 if (err)
5358 return err;
5359 if (scontext_len > len) {
5360 err = -ERANGE;
5361 goto out_len;
5362 }
5363
5364 if (copy_to_sockptr(dst: optval, src: scontext, size: scontext_len))
5365 err = -EFAULT;
5366out_len:
5367 if (copy_to_sockptr(dst: optlen, src: &scontext_len, size: sizeof(scontext_len)))
5368 err = -EFAULT;
5369 kfree(objp: scontext);
5370 return err;
5371}
5372
5373static int selinux_socket_getpeersec_dgram(struct socket *sock,
5374 struct sk_buff *skb, u32 *secid)
5375{
5376 u32 peer_secid = SECSID_NULL;
5377 u16 family;
5378
5379 if (skb && skb->protocol == htons(ETH_P_IP))
5380 family = PF_INET;
5381 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5382 family = PF_INET6;
5383 else if (sock)
5384 family = sock->sk->sk_family;
5385 else {
5386 *secid = SECSID_NULL;
5387 return -EINVAL;
5388 }
5389
5390 if (sock && family == PF_UNIX) {
5391 struct inode_security_struct *isec;
5392 isec = inode_security_novalidate(inode: SOCK_INODE(socket: sock));
5393 peer_secid = isec->sid;
5394 } else if (skb)
5395 selinux_skb_peerlbl_sid(skb, family, sid: &peer_secid);
5396
5397 *secid = peer_secid;
5398 if (peer_secid == SECSID_NULL)
5399 return -ENOPROTOOPT;
5400 return 0;
5401}
5402
5403static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5404{
5405 struct sk_security_struct *sksec = selinux_sock(sock: sk);
5406
5407 sksec->peer_sid = SECINITSID_UNLABELED;
5408 sksec->sid = SECINITSID_UNLABELED;
5409 sksec->sclass = SECCLASS_SOCKET;
5410 selinux_netlbl_sk_security_reset(sksec);
5411
5412 return 0;
5413}
5414
5415static void selinux_sk_free_security(struct sock *sk)
5416{
5417 struct sk_security_struct *sksec = selinux_sock(sock: sk);
5418
5419 selinux_netlbl_sk_security_free(sksec);
5420}
5421
5422static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5423{
5424 struct sk_security_struct *sksec = selinux_sock(sock: sk);
5425 struct sk_security_struct *newsksec = selinux_sock(sock: newsk);
5426
5427 newsksec->sid = sksec->sid;
5428 newsksec->peer_sid = sksec->peer_sid;
5429 newsksec->sclass = sksec->sclass;
5430
5431 selinux_netlbl_sk_security_reset(sksec: newsksec);
5432}
5433
5434static void selinux_sk_getsecid(const struct sock *sk, u32 *secid)
5435{
5436 if (!sk)
5437 *secid = SECINITSID_ANY_SOCKET;
5438 else {
5439 const struct sk_security_struct *sksec = selinux_sock(sock: sk);
5440
5441 *secid = sksec->sid;
5442 }
5443}
5444
5445static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5446{
5447 struct inode_security_struct *isec =
5448 inode_security_novalidate(inode: SOCK_INODE(socket: parent));
5449 struct sk_security_struct *sksec = selinux_sock(sock: sk);
5450
5451 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5452 sk->sk_family == PF_UNIX)
5453 isec->sid = sksec->sid;
5454 sksec->sclass = isec->sclass;
5455}
5456
5457/*
5458 * Determines peer_secid for the asoc and updates socket's peer label
5459 * if it's the first association on the socket.
5460 */
5461static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5462 struct sk_buff *skb)
5463{
5464 struct sock *sk = asoc->base.sk;
5465 u16 family = sk->sk_family;
5466 struct sk_security_struct *sksec = selinux_sock(sock: sk);
5467 struct common_audit_data ad;
5468 struct lsm_network_audit net;
5469 int err;
5470
5471 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5472 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5473 family = PF_INET;
5474
5475 if (selinux_peerlbl_enabled()) {
5476 asoc->peer_secid = SECSID_NULL;
5477
5478 /* This will return peer_sid = SECSID_NULL if there are
5479 * no peer labels, see security_net_peersid_resolve().
5480 */
5481 err = selinux_skb_peerlbl_sid(skb, family, sid: &asoc->peer_secid);
5482 if (err)
5483 return err;
5484
5485 if (asoc->peer_secid == SECSID_NULL)
5486 asoc->peer_secid = SECINITSID_UNLABELED;
5487 } else {
5488 asoc->peer_secid = SECINITSID_UNLABELED;
5489 }
5490
5491 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5492 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5493
5494 /* Here as first association on socket. As the peer SID
5495 * was allowed by peer recv (and the netif/node checks),
5496 * then it is approved by policy and used as the primary
5497 * peer SID for getpeercon(3).
5498 */
5499 sksec->peer_sid = asoc->peer_secid;
5500 } else if (sksec->peer_sid != asoc->peer_secid) {
5501 /* Other association peer SIDs are checked to enforce
5502 * consistency among the peer SIDs.
5503 */
5504 ad_net_init_from_sk(ad: &ad, net: &net, sk: asoc->base.sk);
5505 err = avc_has_perm(ssid: sksec->peer_sid, tsid: asoc->peer_secid,
5506 tclass: sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5507 auditdata: &ad);
5508 if (err)
5509 return err;
5510 }
5511 return 0;
5512}
5513
5514/* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5515 * happens on an incoming connect(2), sctp_connectx(3) or
5516 * sctp_sendmsg(3) (with no association already present).
5517 */
5518static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5519 struct sk_buff *skb)
5520{
5521 struct sk_security_struct *sksec = selinux_sock(sock: asoc->base.sk);
5522 u32 conn_sid;
5523 int err;
5524
5525 if (!selinux_policycap_extsockclass())
5526 return 0;
5527
5528 err = selinux_sctp_process_new_assoc(asoc, skb);
5529 if (err)
5530 return err;
5531
5532 /* Compute the MLS component for the connection and store
5533 * the information in asoc. This will be used by SCTP TCP type
5534 * sockets and peeled off connections as they cause a new
5535 * socket to be generated. selinux_sctp_sk_clone() will then
5536 * plug this into the new socket.
5537 */
5538 err = selinux_conn_sid(sk_sid: sksec->sid, skb_sid: asoc->peer_secid, conn_sid: &conn_sid);
5539 if (err)
5540 return err;
5541
5542 asoc->secid = conn_sid;
5543
5544 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5545 return selinux_netlbl_sctp_assoc_request(asoc, skb);
5546}
5547
5548/* Called when SCTP receives a COOKIE ACK chunk as the final
5549 * response to an association request (initited by us).
5550 */
5551static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5552 struct sk_buff *skb)
5553{
5554 struct sk_security_struct *sksec = selinux_sock(sock: asoc->base.sk);
5555
5556 if (!selinux_policycap_extsockclass())
5557 return 0;
5558
5559 /* Inherit secid from the parent socket - this will be picked up
5560 * by selinux_sctp_sk_clone() if the association gets peeled off
5561 * into a new socket.
5562 */
5563 asoc->secid = sksec->sid;
5564
5565 return selinux_sctp_process_new_assoc(asoc, skb);
5566}
5567
5568/* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5569 * based on their @optname.
5570 */
5571static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5572 struct sockaddr *address,
5573 int addrlen)
5574{
5575 int len, err = 0, walk_size = 0;
5576 void *addr_buf;
5577 struct sockaddr *addr;
5578 struct socket *sock;
5579
5580 if (!selinux_policycap_extsockclass())
5581 return 0;
5582
5583 /* Process one or more addresses that may be IPv4 or IPv6 */
5584 sock = sk->sk_socket;
5585 addr_buf = address;
5586
5587 while (walk_size < addrlen) {
5588 if (walk_size + sizeof(sa_family_t) > addrlen)
5589 return -EINVAL;
5590
5591 addr = addr_buf;
5592 switch (addr->sa_family) {
5593 case AF_UNSPEC:
5594 case AF_INET:
5595 len = sizeof(struct sockaddr_in);
5596 break;
5597 case AF_INET6:
5598 len = sizeof(struct sockaddr_in6);
5599 break;
5600 default:
5601 return -EINVAL;
5602 }
5603
5604 if (walk_size + len > addrlen)
5605 return -EINVAL;
5606
5607 err = -EINVAL;
5608 switch (optname) {
5609 /* Bind checks */
5610 case SCTP_PRIMARY_ADDR:
5611 case SCTP_SET_PEER_PRIMARY_ADDR:
5612 case SCTP_SOCKOPT_BINDX_ADD:
5613 err = selinux_socket_bind(sock, address: addr, addrlen: len);
5614 break;
5615 /* Connect checks */
5616 case SCTP_SOCKOPT_CONNECTX:
5617 case SCTP_PARAM_SET_PRIMARY:
5618 case SCTP_PARAM_ADD_IP:
5619 case SCTP_SENDMSG_CONNECT:
5620 err = selinux_socket_connect_helper(sock, address: addr, addrlen: len);
5621 if (err)
5622 return err;
5623
5624 /* As selinux_sctp_bind_connect() is called by the
5625 * SCTP protocol layer, the socket is already locked,
5626 * therefore selinux_netlbl_socket_connect_locked()
5627 * is called here. The situations handled are:
5628 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5629 * whenever a new IP address is added or when a new
5630 * primary address is selected.
5631 * Note that an SCTP connect(2) call happens before
5632 * the SCTP protocol layer and is handled via
5633 * selinux_socket_connect().
5634 */
5635 err = selinux_netlbl_socket_connect_locked(sk, addr);
5636 break;
5637 }
5638
5639 if (err)
5640 return err;
5641
5642 addr_buf += len;
5643 walk_size += len;
5644 }
5645
5646 return 0;
5647}
5648
5649/* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5650static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5651 struct sock *newsk)
5652{
5653 struct sk_security_struct *sksec = selinux_sock(sock: sk);
5654 struct sk_security_struct *newsksec = selinux_sock(sock: newsk);
5655
5656 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5657 * the non-sctp clone version.
5658 */
5659 if (!selinux_policycap_extsockclass())
5660 return selinux_sk_clone_security(sk, newsk);
5661
5662 newsksec->sid = asoc->secid;
5663 newsksec->peer_sid = asoc->peer_secid;
5664 newsksec->sclass = sksec->sclass;
5665 selinux_netlbl_sctp_sk_clone(sk, newsk);
5666}
5667
5668static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
5669{
5670 struct sk_security_struct *ssksec = selinux_sock(sock: ssk);
5671 struct sk_security_struct *sksec = selinux_sock(sock: sk);
5672
5673 ssksec->sclass = sksec->sclass;
5674 ssksec->sid = sksec->sid;
5675
5676 /* replace the existing subflow label deleting the existing one
5677 * and re-recreating a new label using the updated context
5678 */
5679 selinux_netlbl_sk_security_free(sksec: ssksec);
5680 return selinux_netlbl_socket_post_create(sk: ssk, family: ssk->sk_family);
5681}
5682
5683static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5684 struct request_sock *req)
5685{
5686 struct sk_security_struct *sksec = selinux_sock(sock: sk);
5687 int err;
5688 u16 family = req->rsk_ops->family;
5689 u32 connsid;
5690 u32 peersid;
5691
5692 err = selinux_skb_peerlbl_sid(skb, family, sid: &peersid);
5693 if (err)
5694 return err;
5695 err = selinux_conn_sid(sk_sid: sksec->sid, skb_sid: peersid, conn_sid: &connsid);
5696 if (err)
5697 return err;
5698 req->secid = connsid;
5699 req->peer_secid = peersid;
5700
5701 return selinux_netlbl_inet_conn_request(req, family);
5702}
5703
5704static void selinux_inet_csk_clone(struct sock *newsk,
5705 const struct request_sock *req)
5706{
5707 struct sk_security_struct *newsksec = selinux_sock(sock: newsk);
5708
5709 newsksec->sid = req->secid;
5710 newsksec->peer_sid = req->peer_secid;
5711 /* NOTE: Ideally, we should also get the isec->sid for the
5712 new socket in sync, but we don't have the isec available yet.
5713 So we will wait until sock_graft to do it, by which
5714 time it will have been created and available. */
5715
5716 /* We don't need to take any sort of lock here as we are the only
5717 * thread with access to newsksec */
5718 selinux_netlbl_inet_csk_clone(sk: newsk, family: req->rsk_ops->family);
5719}
5720
5721static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5722{
5723 u16 family = sk->sk_family;
5724 struct sk_security_struct *sksec = selinux_sock(sock: sk);
5725
5726 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5727 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5728 family = PF_INET;
5729
5730 selinux_skb_peerlbl_sid(skb, family, sid: &sksec->peer_sid);
5731}
5732
5733static int selinux_secmark_relabel_packet(u32 sid)
5734{
5735 return avc_has_perm(ssid: current_sid(), tsid: sid, SECCLASS_PACKET, PACKET__RELABELTO,
5736 NULL);
5737}
5738
5739static void selinux_secmark_refcount_inc(void)
5740{
5741 atomic_inc(v: &selinux_secmark_refcount);
5742}
5743
5744static void selinux_secmark_refcount_dec(void)
5745{
5746 atomic_dec(v: &selinux_secmark_refcount);
5747}
5748
5749static void selinux_req_classify_flow(const struct request_sock *req,
5750 struct flowi_common *flic)
5751{
5752 flic->flowic_secid = req->secid;
5753}
5754
5755static int selinux_tun_dev_alloc_security(void *security)
5756{
5757 struct tun_security_struct *tunsec = selinux_tun_dev(security);
5758
5759 tunsec->sid = current_sid();
5760 return 0;
5761}
5762
5763static int selinux_tun_dev_create(void)
5764{
5765 u32 sid = current_sid();
5766
5767 /* we aren't taking into account the "sockcreate" SID since the socket
5768 * that is being created here is not a socket in the traditional sense,
5769 * instead it is a private sock, accessible only to the kernel, and
5770 * representing a wide range of network traffic spanning multiple
5771 * connections unlike traditional sockets - check the TUN driver to
5772 * get a better understanding of why this socket is special */
5773
5774 return avc_has_perm(ssid: sid, tsid: sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5775 NULL);
5776}
5777
5778static int selinux_tun_dev_attach_queue(void *security)
5779{
5780 struct tun_security_struct *tunsec = selinux_tun_dev(security);
5781
5782 return avc_has_perm(ssid: current_sid(), tsid: tunsec->sid, SECCLASS_TUN_SOCKET,
5783 TUN_SOCKET__ATTACH_QUEUE, NULL);
5784}
5785
5786static int selinux_tun_dev_attach(struct sock *sk, void *security)
5787{
5788 struct tun_security_struct *tunsec = selinux_tun_dev(security);
5789 struct sk_security_struct *sksec = selinux_sock(sock: sk);
5790
5791 /* we don't currently perform any NetLabel based labeling here and it
5792 * isn't clear that we would want to do so anyway; while we could apply
5793 * labeling without the support of the TUN user the resulting labeled
5794 * traffic from the other end of the connection would almost certainly
5795 * cause confusion to the TUN user that had no idea network labeling
5796 * protocols were being used */
5797
5798 sksec->sid = tunsec->sid;
5799 sksec->sclass = SECCLASS_TUN_SOCKET;
5800
5801 return 0;
5802}
5803
5804static int selinux_tun_dev_open(void *security)
5805{
5806 struct tun_security_struct *tunsec = selinux_tun_dev(security);
5807 u32 sid = current_sid();
5808 int err;
5809
5810 err = avc_has_perm(ssid: sid, tsid: tunsec->sid, SECCLASS_TUN_SOCKET,
5811 TUN_SOCKET__RELABELFROM, NULL);
5812 if (err)
5813 return err;
5814 err = avc_has_perm(ssid: sid, tsid: sid, SECCLASS_TUN_SOCKET,
5815 TUN_SOCKET__RELABELTO, NULL);
5816 if (err)
5817 return err;
5818 tunsec->sid = sid;
5819
5820 return 0;
5821}
5822
5823#ifdef CONFIG_NETFILTER
5824
5825static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5826 const struct nf_hook_state *state)
5827{
5828 int ifindex;
5829 u16 family;
5830 char *addrp;
5831 u32 peer_sid;
5832 struct common_audit_data ad;
5833 struct lsm_network_audit net;
5834 int secmark_active, peerlbl_active;
5835
5836 if (!selinux_policycap_netpeer())
5837 return NF_ACCEPT;
5838
5839 secmark_active = selinux_secmark_enabled();
5840 peerlbl_active = selinux_peerlbl_enabled();
5841 if (!secmark_active && !peerlbl_active)
5842 return NF_ACCEPT;
5843
5844 family = state->pf;
5845 if (selinux_skb_peerlbl_sid(skb, family, sid: &peer_sid) != 0)
5846 return NF_DROP;
5847
5848 ifindex = state->in->ifindex;
5849 ad_net_init_from_iif(ad: &ad, net: &net, ifindex, family);
5850 if (selinux_parse_skb(skb, ad: &ad, addrp: &addrp, src: 1, NULL) != 0)
5851 return NF_DROP;
5852
5853 if (peerlbl_active) {
5854 int err;
5855
5856 err = selinux_inet_sys_rcv_skb(ns: state->net, ifindex,
5857 addrp, family, peer_sid, ad: &ad);
5858 if (err) {
5859 selinux_netlbl_err(skb, family, error: err, gateway: 1);
5860 return NF_DROP;
5861 }
5862 }
5863
5864 if (secmark_active)
5865 if (avc_has_perm(ssid: peer_sid, tsid: skb->secmark,
5866 SECCLASS_PACKET, PACKET__FORWARD_IN, auditdata: &ad))
5867 return NF_DROP;
5868
5869 if (netlbl_enabled())
5870 /* we do this in the FORWARD path and not the POST_ROUTING
5871 * path because we want to make sure we apply the necessary
5872 * labeling before IPsec is applied so we can leverage AH
5873 * protection */
5874 if (selinux_netlbl_skbuff_setsid(skb, family, sid: peer_sid) != 0)
5875 return NF_DROP;
5876
5877 return NF_ACCEPT;
5878}
5879
5880static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5881 const struct nf_hook_state *state)
5882{
5883 struct sock *sk;
5884 u32 sid;
5885
5886 if (!netlbl_enabled())
5887 return NF_ACCEPT;
5888
5889 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5890 * because we want to make sure we apply the necessary labeling
5891 * before IPsec is applied so we can leverage AH protection */
5892 sk = skb_to_full_sk(skb);
5893 if (sk) {
5894 struct sk_security_struct *sksec;
5895
5896 if (sk_listener(sk))
5897 /* if the socket is the listening state then this
5898 * packet is a SYN-ACK packet which means it needs to
5899 * be labeled based on the connection/request_sock and
5900 * not the parent socket. unfortunately, we can't
5901 * lookup the request_sock yet as it isn't queued on
5902 * the parent socket until after the SYN-ACK is sent.
5903 * the "solution" is to simply pass the packet as-is
5904 * as any IP option based labeling should be copied
5905 * from the initial connection request (in the IP
5906 * layer). it is far from ideal, but until we get a
5907 * security label in the packet itself this is the
5908 * best we can do. */
5909 return NF_ACCEPT;
5910
5911 /* standard practice, label using the parent socket */
5912 sksec = selinux_sock(sock: sk);
5913 sid = sksec->sid;
5914 } else
5915 sid = SECINITSID_KERNEL;
5916 if (selinux_netlbl_skbuff_setsid(skb, family: state->pf, sid) != 0)
5917 return NF_DROP;
5918
5919 return NF_ACCEPT;
5920}
5921
5922
5923static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5924 const struct nf_hook_state *state)
5925{
5926 struct sock *sk;
5927 struct sk_security_struct *sksec;
5928 struct common_audit_data ad;
5929 struct lsm_network_audit net;
5930 u8 proto = 0;
5931
5932 sk = skb_to_full_sk(skb);
5933 if (sk == NULL)
5934 return NF_ACCEPT;
5935 sksec = selinux_sock(sock: sk);
5936
5937 ad_net_init_from_iif(ad: &ad, net: &net, ifindex: state->out->ifindex, family: state->pf);
5938 if (selinux_parse_skb(skb, ad: &ad, NULL, src: 0, proto: &proto))
5939 return NF_DROP;
5940
5941 if (selinux_secmark_enabled())
5942 if (avc_has_perm(ssid: sksec->sid, tsid: skb->secmark,
5943 SECCLASS_PACKET, PACKET__SEND, auditdata: &ad))
5944 return NF_DROP_ERR(-ECONNREFUSED);
5945
5946 if (selinux_xfrm_postroute_last(sk_sid: sksec->sid, skb, ad: &ad, proto))
5947 return NF_DROP_ERR(-ECONNREFUSED);
5948
5949 return NF_ACCEPT;
5950}
5951
5952static unsigned int selinux_ip_postroute(void *priv,
5953 struct sk_buff *skb,
5954 const struct nf_hook_state *state)
5955{
5956 u16 family;
5957 u32 secmark_perm;
5958 u32 peer_sid;
5959 int ifindex;
5960 struct sock *sk;
5961 struct common_audit_data ad;
5962 struct lsm_network_audit net;
5963 char *addrp;
5964 int secmark_active, peerlbl_active;
5965
5966 /* If any sort of compatibility mode is enabled then handoff processing
5967 * to the selinux_ip_postroute_compat() function to deal with the
5968 * special handling. We do this in an attempt to keep this function
5969 * as fast and as clean as possible. */
5970 if (!selinux_policycap_netpeer())
5971 return selinux_ip_postroute_compat(skb, state);
5972
5973 secmark_active = selinux_secmark_enabled();
5974 peerlbl_active = selinux_peerlbl_enabled();
5975 if (!secmark_active && !peerlbl_active)
5976 return NF_ACCEPT;
5977
5978 sk = skb_to_full_sk(skb);
5979
5980#ifdef CONFIG_XFRM
5981 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5982 * packet transformation so allow the packet to pass without any checks
5983 * since we'll have another chance to perform access control checks
5984 * when the packet is on it's final way out.
5985 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5986 * is NULL, in this case go ahead and apply access control.
5987 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5988 * TCP listening state we cannot wait until the XFRM processing
5989 * is done as we will miss out on the SA label if we do;
5990 * unfortunately, this means more work, but it is only once per
5991 * connection. */
5992 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5993 !(sk && sk_listener(sk)))
5994 return NF_ACCEPT;
5995#endif
5996
5997 family = state->pf;
5998 if (sk == NULL) {
5999 /* Without an associated socket the packet is either coming
6000 * from the kernel or it is being forwarded; check the packet
6001 * to determine which and if the packet is being forwarded
6002 * query the packet directly to determine the security label. */
6003 if (skb->skb_iif) {
6004 secmark_perm = PACKET__FORWARD_OUT;
6005 if (selinux_skb_peerlbl_sid(skb, family, sid: &peer_sid))
6006 return NF_DROP;
6007 } else {
6008 secmark_perm = PACKET__SEND;
6009 peer_sid = SECINITSID_KERNEL;
6010 }
6011 } else if (sk_listener(sk)) {
6012 /* Locally generated packet but the associated socket is in the
6013 * listening state which means this is a SYN-ACK packet. In
6014 * this particular case the correct security label is assigned
6015 * to the connection/request_sock but unfortunately we can't
6016 * query the request_sock as it isn't queued on the parent
6017 * socket until after the SYN-ACK packet is sent; the only
6018 * viable choice is to regenerate the label like we do in
6019 * selinux_inet_conn_request(). See also selinux_ip_output()
6020 * for similar problems. */
6021 u32 skb_sid;
6022 struct sk_security_struct *sksec;
6023
6024 sksec = selinux_sock(sock: sk);
6025 if (selinux_skb_peerlbl_sid(skb, family, sid: &skb_sid))
6026 return NF_DROP;
6027 /* At this point, if the returned skb peerlbl is SECSID_NULL
6028 * and the packet has been through at least one XFRM
6029 * transformation then we must be dealing with the "final"
6030 * form of labeled IPsec packet; since we've already applied
6031 * all of our access controls on this packet we can safely
6032 * pass the packet. */
6033 if (skb_sid == SECSID_NULL) {
6034 switch (family) {
6035 case PF_INET:
6036 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
6037 return NF_ACCEPT;
6038 break;
6039 case PF_INET6:
6040 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
6041 return NF_ACCEPT;
6042 break;
6043 default:
6044 return NF_DROP_ERR(-ECONNREFUSED);
6045 }
6046 }
6047 if (selinux_conn_sid(sk_sid: sksec->sid, skb_sid, conn_sid: &peer_sid))
6048 return NF_DROP;
6049 secmark_perm = PACKET__SEND;
6050 } else {
6051 /* Locally generated packet, fetch the security label from the
6052 * associated socket. */
6053 struct sk_security_struct *sksec = selinux_sock(sock: sk);
6054 peer_sid = sksec->sid;
6055 secmark_perm = PACKET__SEND;
6056 }
6057
6058 ifindex = state->out->ifindex;
6059 ad_net_init_from_iif(ad: &ad, net: &net, ifindex, family);
6060 if (selinux_parse_skb(skb, ad: &ad, addrp: &addrp, src: 0, NULL))
6061 return NF_DROP;
6062
6063 if (secmark_active)
6064 if (avc_has_perm(ssid: peer_sid, tsid: skb->secmark,
6065 SECCLASS_PACKET, requested: secmark_perm, auditdata: &ad))
6066 return NF_DROP_ERR(-ECONNREFUSED);
6067
6068 if (peerlbl_active) {
6069 u32 if_sid;
6070 u32 node_sid;
6071
6072 if (sel_netif_sid(ns: state->net, ifindex, sid: &if_sid))
6073 return NF_DROP;
6074 if (avc_has_perm(ssid: peer_sid, tsid: if_sid,
6075 SECCLASS_NETIF, NETIF__EGRESS, auditdata: &ad))
6076 return NF_DROP_ERR(-ECONNREFUSED);
6077
6078 if (sel_netnode_sid(addr: addrp, family, sid: &node_sid))
6079 return NF_DROP;
6080 if (avc_has_perm(ssid: peer_sid, tsid: node_sid,
6081 SECCLASS_NODE, NODE__SENDTO, auditdata: &ad))
6082 return NF_DROP_ERR(-ECONNREFUSED);
6083 }
6084
6085 return NF_ACCEPT;
6086}
6087#endif /* CONFIG_NETFILTER */
6088
6089static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type)
6090{
6091 struct sk_security_struct *sksec = sk->sk_security;
6092 struct common_audit_data ad;
6093 u8 driver;
6094 u8 xperm;
6095
6096 if (sock_skip_has_perm(sid: sksec->sid))
6097 return 0;
6098
6099 ad.type = LSM_AUDIT_DATA_NLMSGTYPE;
6100 ad.u.nlmsg_type = nlmsg_type;
6101
6102 driver = nlmsg_type >> 8;
6103 xperm = nlmsg_type & 0xff;
6104
6105 return avc_has_extended_perms(ssid: current_sid(), tsid: sksec->sid, tclass: sksec->sclass,
6106 requested: perms, driver, AVC_EXT_NLMSG, perm: xperm, ad: &ad);
6107}
6108
6109static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
6110{
6111 int rc = 0;
6112 unsigned int msg_len;
6113 unsigned int data_len = skb->len;
6114 unsigned char *data = skb->data;
6115 struct nlmsghdr *nlh;
6116 struct sk_security_struct *sksec = selinux_sock(sock: sk);
6117 u16 sclass = sksec->sclass;
6118 u32 perm;
6119
6120 while (data_len >= nlmsg_total_size(payload: 0)) {
6121 nlh = (struct nlmsghdr *)data;
6122
6123 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
6124 * users which means we can't reject skb's with bogus
6125 * length fields; our solution is to follow what
6126 * netlink_rcv_skb() does and simply skip processing at
6127 * messages with length fields that are clearly junk
6128 */
6129 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
6130 return 0;
6131
6132 rc = selinux_nlmsg_lookup(sclass, nlmsg_type: nlh->nlmsg_type, perm: &perm);
6133 if (rc == 0) {
6134 if (selinux_policycap_netlink_xperm()) {
6135 rc = nlmsg_sock_has_extended_perms(
6136 sk, perms: perm, nlmsg_type: nlh->nlmsg_type);
6137 } else {
6138 rc = sock_has_perm(sk, perms: perm);
6139 }
6140 if (rc)
6141 return rc;
6142 } else if (rc == -EINVAL) {
6143 /* -EINVAL is a missing msg/perm mapping */
6144 pr_warn_ratelimited("SELinux: unrecognized netlink"
6145 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
6146 " pid=%d comm=%s\n",
6147 sk->sk_protocol, nlh->nlmsg_type,
6148 secclass_map[sclass - 1].name,
6149 task_pid_nr(current), current->comm);
6150 if (enforcing_enabled() &&
6151 !security_get_allow_unknown())
6152 return rc;
6153 rc = 0;
6154 } else if (rc == -ENOENT) {
6155 /* -ENOENT is a missing socket/class mapping, ignore */
6156 rc = 0;
6157 } else {
6158 return rc;
6159 }
6160
6161 /* move to the next message after applying netlink padding */
6162 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
6163 if (msg_len >= data_len)
6164 return 0;
6165 data_len -= msg_len;
6166 data += msg_len;
6167 }
6168
6169 return rc;
6170}
6171
6172static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
6173{
6174 isec->sclass = sclass;
6175 isec->sid = current_sid();
6176}
6177
6178static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
6179 u32 perms)
6180{
6181 struct ipc_security_struct *isec;
6182 struct common_audit_data ad;
6183 u32 sid = current_sid();
6184
6185 isec = selinux_ipc(ipc: ipc_perms);
6186
6187 ad.type = LSM_AUDIT_DATA_IPC;
6188 ad.u.ipc_id = ipc_perms->key;
6189
6190 return avc_has_perm(ssid: sid, tsid: isec->sid, tclass: isec->sclass, requested: perms, auditdata: &ad);
6191}
6192
6193static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6194{
6195 struct msg_security_struct *msec;
6196
6197 msec = selinux_msg_msg(msg_msg: msg);
6198 msec->sid = SECINITSID_UNLABELED;
6199
6200 return 0;
6201}
6202
6203/* message queue security operations */
6204static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6205{
6206 struct ipc_security_struct *isec;
6207 struct common_audit_data ad;
6208 u32 sid = current_sid();
6209
6210 isec = selinux_ipc(ipc: msq);
6211 ipc_init_security(isec, SECCLASS_MSGQ);
6212
6213 ad.type = LSM_AUDIT_DATA_IPC;
6214 ad.u.ipc_id = msq->key;
6215
6216 return avc_has_perm(ssid: sid, tsid: isec->sid, SECCLASS_MSGQ,
6217 MSGQ__CREATE, auditdata: &ad);
6218}
6219
6220static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6221{
6222 struct ipc_security_struct *isec;
6223 struct common_audit_data ad;
6224 u32 sid = current_sid();
6225
6226 isec = selinux_ipc(ipc: msq);
6227
6228 ad.type = LSM_AUDIT_DATA_IPC;
6229 ad.u.ipc_id = msq->key;
6230
6231 return avc_has_perm(ssid: sid, tsid: isec->sid, SECCLASS_MSGQ,
6232 MSGQ__ASSOCIATE, auditdata: &ad);
6233}
6234
6235static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6236{
6237 u32 perms;
6238
6239 switch (cmd) {
6240 case IPC_INFO:
6241 case MSG_INFO:
6242 /* No specific object, just general system-wide information. */
6243 return avc_has_perm(ssid: current_sid(), SECINITSID_KERNEL,
6244 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6245 case IPC_STAT:
6246 case MSG_STAT:
6247 case MSG_STAT_ANY:
6248 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6249 break;
6250 case IPC_SET:
6251 perms = MSGQ__SETATTR;
6252 break;
6253 case IPC_RMID:
6254 perms = MSGQ__DESTROY;
6255 break;
6256 default:
6257 return 0;
6258 }
6259
6260 return ipc_has_perm(ipc_perms: msq, perms);
6261}
6262
6263static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6264{
6265 struct ipc_security_struct *isec;
6266 struct msg_security_struct *msec;
6267 struct common_audit_data ad;
6268 u32 sid = current_sid();
6269 int rc;
6270
6271 isec = selinux_ipc(ipc: msq);
6272 msec = selinux_msg_msg(msg_msg: msg);
6273
6274 /*
6275 * First time through, need to assign label to the message
6276 */
6277 if (msec->sid == SECINITSID_UNLABELED) {
6278 /*
6279 * Compute new sid based on current process and
6280 * message queue this message will be stored in
6281 */
6282 rc = security_transition_sid(ssid: sid, tsid: isec->sid,
6283 SECCLASS_MSG, NULL, out_sid: &msec->sid);
6284 if (rc)
6285 return rc;
6286 }
6287
6288 ad.type = LSM_AUDIT_DATA_IPC;
6289 ad.u.ipc_id = msq->key;
6290
6291 /* Can this process write to the queue? */
6292 rc = avc_has_perm(ssid: sid, tsid: isec->sid, SECCLASS_MSGQ,
6293 MSGQ__WRITE, auditdata: &ad);
6294 if (!rc)
6295 /* Can this process send the message */
6296 rc = avc_has_perm(ssid: sid, tsid: msec->sid, SECCLASS_MSG,
6297 MSG__SEND, auditdata: &ad);
6298 if (!rc)
6299 /* Can the message be put in the queue? */
6300 rc = avc_has_perm(ssid: msec->sid, tsid: isec->sid, SECCLASS_MSGQ,
6301 MSGQ__ENQUEUE, auditdata: &ad);
6302
6303 return rc;
6304}
6305
6306static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6307 struct task_struct *target,
6308 long type, int mode)
6309{
6310 struct ipc_security_struct *isec;
6311 struct msg_security_struct *msec;
6312 struct common_audit_data ad;
6313 u32 sid = task_sid_obj(task: target);
6314 int rc;
6315
6316 isec = selinux_ipc(ipc: msq);
6317 msec = selinux_msg_msg(msg_msg: msg);
6318
6319 ad.type = LSM_AUDIT_DATA_IPC;
6320 ad.u.ipc_id = msq->key;
6321
6322 rc = avc_has_perm(ssid: sid, tsid: isec->sid,
6323 SECCLASS_MSGQ, MSGQ__READ, auditdata: &ad);
6324 if (!rc)
6325 rc = avc_has_perm(ssid: sid, tsid: msec->sid,
6326 SECCLASS_MSG, MSG__RECEIVE, auditdata: &ad);
6327 return rc;
6328}
6329
6330/* Shared Memory security operations */
6331static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6332{
6333 struct ipc_security_struct *isec;
6334 struct common_audit_data ad;
6335 u32 sid = current_sid();
6336
6337 isec = selinux_ipc(ipc: shp);
6338 ipc_init_security(isec, SECCLASS_SHM);
6339
6340 ad.type = LSM_AUDIT_DATA_IPC;
6341 ad.u.ipc_id = shp->key;
6342
6343 return avc_has_perm(ssid: sid, tsid: isec->sid, SECCLASS_SHM,
6344 SHM__CREATE, auditdata: &ad);
6345}
6346
6347static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6348{
6349 struct ipc_security_struct *isec;
6350 struct common_audit_data ad;
6351 u32 sid = current_sid();
6352
6353 isec = selinux_ipc(ipc: shp);
6354
6355 ad.type = LSM_AUDIT_DATA_IPC;
6356 ad.u.ipc_id = shp->key;
6357
6358 return avc_has_perm(ssid: sid, tsid: isec->sid, SECCLASS_SHM,
6359 SHM__ASSOCIATE, auditdata: &ad);
6360}
6361
6362/* Note, at this point, shp is locked down */
6363static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6364{
6365 u32 perms;
6366
6367 switch (cmd) {
6368 case IPC_INFO:
6369 case SHM_INFO:
6370 /* No specific object, just general system-wide information. */
6371 return avc_has_perm(ssid: current_sid(), SECINITSID_KERNEL,
6372 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6373 case IPC_STAT:
6374 case SHM_STAT:
6375 case SHM_STAT_ANY:
6376 perms = SHM__GETATTR | SHM__ASSOCIATE;
6377 break;
6378 case IPC_SET:
6379 perms = SHM__SETATTR;
6380 break;
6381 case SHM_LOCK:
6382 case SHM_UNLOCK:
6383 perms = SHM__LOCK;
6384 break;
6385 case IPC_RMID:
6386 perms = SHM__DESTROY;
6387 break;
6388 default:
6389 return 0;
6390 }
6391
6392 return ipc_has_perm(ipc_perms: shp, perms);
6393}
6394
6395static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6396 char __user *shmaddr, int shmflg)
6397{
6398 u32 perms;
6399
6400 if (shmflg & SHM_RDONLY)
6401 perms = SHM__READ;
6402 else
6403 perms = SHM__READ | SHM__WRITE;
6404
6405 return ipc_has_perm(ipc_perms: shp, perms);
6406}
6407
6408/* Semaphore security operations */
6409static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6410{
6411 struct ipc_security_struct *isec;
6412 struct common_audit_data ad;
6413 u32 sid = current_sid();
6414
6415 isec = selinux_ipc(ipc: sma);
6416 ipc_init_security(isec, SECCLASS_SEM);
6417
6418 ad.type = LSM_AUDIT_DATA_IPC;
6419 ad.u.ipc_id = sma->key;
6420
6421 return avc_has_perm(ssid: sid, tsid: isec->sid, SECCLASS_SEM,
6422 SEM__CREATE, auditdata: &ad);
6423}
6424
6425static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6426{
6427 struct ipc_security_struct *isec;
6428 struct common_audit_data ad;
6429 u32 sid = current_sid();
6430
6431 isec = selinux_ipc(ipc: sma);
6432
6433 ad.type = LSM_AUDIT_DATA_IPC;
6434 ad.u.ipc_id = sma->key;
6435
6436 return avc_has_perm(ssid: sid, tsid: isec->sid, SECCLASS_SEM,
6437 SEM__ASSOCIATE, auditdata: &ad);
6438}
6439
6440/* Note, at this point, sma is locked down */
6441static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6442{
6443 int err;
6444 u32 perms;
6445
6446 switch (cmd) {
6447 case IPC_INFO:
6448 case SEM_INFO:
6449 /* No specific object, just general system-wide information. */
6450 return avc_has_perm(ssid: current_sid(), SECINITSID_KERNEL,
6451 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6452 case GETPID:
6453 case GETNCNT:
6454 case GETZCNT:
6455 perms = SEM__GETATTR;
6456 break;
6457 case GETVAL:
6458 case GETALL:
6459 perms = SEM__READ;
6460 break;
6461 case SETVAL:
6462 case SETALL:
6463 perms = SEM__WRITE;
6464 break;
6465 case IPC_RMID:
6466 perms = SEM__DESTROY;
6467 break;
6468 case IPC_SET:
6469 perms = SEM__SETATTR;
6470 break;
6471 case IPC_STAT:
6472 case SEM_STAT:
6473 case SEM_STAT_ANY:
6474 perms = SEM__GETATTR | SEM__ASSOCIATE;
6475 break;
6476 default:
6477 return 0;
6478 }
6479
6480 err = ipc_has_perm(ipc_perms: sma, perms);
6481 return err;
6482}
6483
6484static int selinux_sem_semop(struct kern_ipc_perm *sma,
6485 struct sembuf *sops, unsigned nsops, int alter)
6486{
6487 u32 perms;
6488
6489 if (alter)
6490 perms = SEM__READ | SEM__WRITE;
6491 else
6492 perms = SEM__READ;
6493
6494 return ipc_has_perm(ipc_perms: sma, perms);
6495}
6496
6497static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6498{
6499 u32 av = 0;
6500
6501 av = 0;
6502 if (flag & S_IRUGO)
6503 av |= IPC__UNIX_READ;
6504 if (flag & S_IWUGO)
6505 av |= IPC__UNIX_WRITE;
6506
6507 if (av == 0)
6508 return 0;
6509
6510 return ipc_has_perm(ipc_perms: ipcp, perms: av);
6511}
6512
6513static void selinux_ipc_getlsmprop(struct kern_ipc_perm *ipcp,
6514 struct lsm_prop *prop)
6515{
6516 struct ipc_security_struct *isec = selinux_ipc(ipc: ipcp);
6517 prop->selinux.secid = isec->sid;
6518}
6519
6520static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6521{
6522 if (inode)
6523 inode_doinit_with_dentry(inode, opt_dentry: dentry);
6524}
6525
6526static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p,
6527 char **value)
6528{
6529 const struct task_security_struct *tsec;
6530 int error;
6531 u32 sid;
6532 u32 len;
6533
6534 rcu_read_lock();
6535 tsec = selinux_cred(__task_cred(p));
6536 if (p != current) {
6537 error = avc_has_perm(ssid: current_sid(), tsid: tsec->sid,
6538 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6539 if (error)
6540 goto err_unlock;
6541 }
6542 switch (attr) {
6543 case LSM_ATTR_CURRENT:
6544 sid = tsec->sid;
6545 break;
6546 case LSM_ATTR_PREV:
6547 sid = tsec->osid;
6548 break;
6549 case LSM_ATTR_EXEC:
6550 sid = tsec->exec_sid;
6551 break;
6552 case LSM_ATTR_FSCREATE:
6553 sid = tsec->create_sid;
6554 break;
6555 case LSM_ATTR_KEYCREATE:
6556 sid = tsec->keycreate_sid;
6557 break;
6558 case LSM_ATTR_SOCKCREATE:
6559 sid = tsec->sockcreate_sid;
6560 break;
6561 default:
6562 error = -EOPNOTSUPP;
6563 goto err_unlock;
6564 }
6565 rcu_read_unlock();
6566
6567 if (sid == SECSID_NULL) {
6568 *value = NULL;
6569 return 0;
6570 }
6571
6572 error = security_sid_to_context(sid, scontext: value, scontext_len: &len);
6573 if (error)
6574 return error;
6575 return len;
6576
6577err_unlock:
6578 rcu_read_unlock();
6579 return error;
6580}
6581
6582static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
6583{
6584 struct task_security_struct *tsec;
6585 struct cred *new;
6586 u32 mysid = current_sid(), sid = 0, ptsid;
6587 int error;
6588 char *str = value;
6589
6590 /*
6591 * Basic control over ability to set these attributes at all.
6592 */
6593 switch (attr) {
6594 case LSM_ATTR_EXEC:
6595 error = avc_has_perm(ssid: mysid, tsid: mysid, SECCLASS_PROCESS,
6596 PROCESS__SETEXEC, NULL);
6597 break;
6598 case LSM_ATTR_FSCREATE:
6599 error = avc_has_perm(ssid: mysid, tsid: mysid, SECCLASS_PROCESS,
6600 PROCESS__SETFSCREATE, NULL);
6601 break;
6602 case LSM_ATTR_KEYCREATE:
6603 error = avc_has_perm(ssid: mysid, tsid: mysid, SECCLASS_PROCESS,
6604 PROCESS__SETKEYCREATE, NULL);
6605 break;
6606 case LSM_ATTR_SOCKCREATE:
6607 error = avc_has_perm(ssid: mysid, tsid: mysid, SECCLASS_PROCESS,
6608 PROCESS__SETSOCKCREATE, NULL);
6609 break;
6610 case LSM_ATTR_CURRENT:
6611 error = avc_has_perm(ssid: mysid, tsid: mysid, SECCLASS_PROCESS,
6612 PROCESS__SETCURRENT, NULL);
6613 break;
6614 default:
6615 error = -EOPNOTSUPP;
6616 break;
6617 }
6618 if (error)
6619 return error;
6620
6621 /* Obtain a SID for the context, if one was specified. */
6622 if (size && str[0] && str[0] != '\n') {
6623 if (str[size-1] == '\n') {
6624 str[size-1] = 0;
6625 size--;
6626 }
6627 error = security_context_to_sid(scontext: value, scontext_len: size,
6628 out_sid: &sid, GFP_KERNEL);
6629 if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) {
6630 if (!has_cap_mac_admin(audit: true)) {
6631 struct audit_buffer *ab;
6632 size_t audit_size;
6633
6634 /* We strip a nul only if it is at the end,
6635 * otherwise the context contains a nul and
6636 * we should audit that */
6637 if (str[size - 1] == '\0')
6638 audit_size = size - 1;
6639 else
6640 audit_size = size;
6641 ab = audit_log_start(ctx: audit_context(),
6642 GFP_ATOMIC,
6643 AUDIT_SELINUX_ERR);
6644 if (!ab)
6645 return error;
6646 audit_log_format(ab, fmt: "op=fscreate invalid_context=");
6647 audit_log_n_untrustedstring(ab, string: value,
6648 n: audit_size);
6649 audit_log_end(ab);
6650
6651 return error;
6652 }
6653 error = security_context_to_sid_force(scontext: value, scontext_len: size,
6654 sid: &sid);
6655 }
6656 if (error)
6657 return error;
6658 }
6659
6660 new = prepare_creds();
6661 if (!new)
6662 return -ENOMEM;
6663
6664 /* Permission checking based on the specified context is
6665 performed during the actual operation (execve,
6666 open/mkdir/...), when we know the full context of the
6667 operation. See selinux_bprm_creds_for_exec for the execve
6668 checks and may_create for the file creation checks. The
6669 operation will then fail if the context is not permitted. */
6670 tsec = selinux_cred(cred: new);
6671 if (attr == LSM_ATTR_EXEC) {
6672 tsec->exec_sid = sid;
6673 } else if (attr == LSM_ATTR_FSCREATE) {
6674 tsec->create_sid = sid;
6675 } else if (attr == LSM_ATTR_KEYCREATE) {
6676 if (sid) {
6677 error = avc_has_perm(ssid: mysid, tsid: sid,
6678 SECCLASS_KEY, KEY__CREATE, NULL);
6679 if (error)
6680 goto abort_change;
6681 }
6682 tsec->keycreate_sid = sid;
6683 } else if (attr == LSM_ATTR_SOCKCREATE) {
6684 tsec->sockcreate_sid = sid;
6685 } else if (attr == LSM_ATTR_CURRENT) {
6686 error = -EINVAL;
6687 if (sid == 0)
6688 goto abort_change;
6689
6690 if (!current_is_single_threaded()) {
6691 error = security_bounded_transition(old_sid: tsec->sid, new_sid: sid);
6692 if (error)
6693 goto abort_change;
6694 }
6695
6696 /* Check permissions for the transition. */
6697 error = avc_has_perm(ssid: tsec->sid, tsid: sid, SECCLASS_PROCESS,
6698 PROCESS__DYNTRANSITION, NULL);
6699 if (error)
6700 goto abort_change;
6701
6702 /* Check for ptracing, and update the task SID if ok.
6703 Otherwise, leave SID unchanged and fail. */
6704 ptsid = ptrace_parent_sid();
6705 if (ptsid != 0) {
6706 error = avc_has_perm(ssid: ptsid, tsid: sid, SECCLASS_PROCESS,
6707 PROCESS__PTRACE, NULL);
6708 if (error)
6709 goto abort_change;
6710 }
6711
6712 tsec->sid = sid;
6713 } else {
6714 error = -EINVAL;
6715 goto abort_change;
6716 }
6717
6718 commit_creds(new);
6719 return size;
6720
6721abort_change:
6722 abort_creds(new);
6723 return error;
6724}
6725
6726/**
6727 * selinux_getselfattr - Get SELinux current task attributes
6728 * @attr: the requested attribute
6729 * @ctx: buffer to receive the result
6730 * @size: buffer size (input), buffer size used (output)
6731 * @flags: unused
6732 *
6733 * Fill the passed user space @ctx with the details of the requested
6734 * attribute.
6735 *
6736 * Returns the number of attributes on success, an error code otherwise.
6737 * There will only ever be one attribute.
6738 */
6739static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx,
6740 u32 *size, u32 flags)
6741{
6742 int rc;
6743 char *val = NULL;
6744 int val_len;
6745
6746 val_len = selinux_lsm_getattr(attr, current, value: &val);
6747 if (val_len < 0)
6748 return val_len;
6749 rc = lsm_fill_user_ctx(uctx: ctx, uctx_len: size, val, val_len, LSM_ID_SELINUX, flags: 0);
6750 kfree(objp: val);
6751 return (!rc ? 1 : rc);
6752}
6753
6754static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx,
6755 u32 size, u32 flags)
6756{
6757 int rc;
6758
6759 rc = selinux_lsm_setattr(attr, value: ctx->ctx, size: ctx->ctx_len);
6760 if (rc > 0)
6761 return 0;
6762 return rc;
6763}
6764
6765static int selinux_getprocattr(struct task_struct *p,
6766 const char *name, char **value)
6767{
6768 unsigned int attr = lsm_name_to_attr(name);
6769 int rc;
6770
6771 if (attr) {
6772 rc = selinux_lsm_getattr(attr, p, value);
6773 if (rc != -EOPNOTSUPP)
6774 return rc;
6775 }
6776
6777 return -EINVAL;
6778}
6779
6780static int selinux_setprocattr(const char *name, void *value, size_t size)
6781{
6782 int attr = lsm_name_to_attr(name);
6783
6784 if (attr)
6785 return selinux_lsm_setattr(attr, value, size);
6786 return -EINVAL;
6787}
6788
6789static int selinux_ismaclabel(const char *name)
6790{
6791 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6792}
6793
6794static int selinux_secid_to_secctx(u32 secid, struct lsm_context *cp)
6795{
6796 u32 seclen;
6797 int ret;
6798
6799 if (cp) {
6800 cp->id = LSM_ID_SELINUX;
6801 ret = security_sid_to_context(sid: secid, scontext: &cp->context, scontext_len: &cp->len);
6802 if (ret < 0)
6803 return ret;
6804 return cp->len;
6805 }
6806 ret = security_sid_to_context(sid: secid, NULL, scontext_len: &seclen);
6807 if (ret < 0)
6808 return ret;
6809 return seclen;
6810}
6811
6812static int selinux_lsmprop_to_secctx(struct lsm_prop *prop,
6813 struct lsm_context *cp)
6814{
6815 return selinux_secid_to_secctx(secid: prop->selinux.secid, cp);
6816}
6817
6818static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6819{
6820 return security_context_to_sid(scontext: secdata, scontext_len: seclen,
6821 out_sid: secid, GFP_KERNEL);
6822}
6823
6824static void selinux_release_secctx(struct lsm_context *cp)
6825{
6826 if (cp->id == LSM_ID_SELINUX) {
6827 kfree(objp: cp->context);
6828 cp->context = NULL;
6829 cp->id = LSM_ID_UNDEF;
6830 }
6831}
6832
6833static void selinux_inode_invalidate_secctx(struct inode *inode)
6834{
6835 struct inode_security_struct *isec = selinux_inode(inode);
6836
6837 spin_lock(lock: &isec->lock);
6838 isec->initialized = LABEL_INVALID;
6839 spin_unlock(lock: &isec->lock);
6840}
6841
6842/*
6843 * called with inode->i_mutex locked
6844 */
6845static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6846{
6847 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6848 value: ctx, size: ctxlen, flags: 0);
6849 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6850 return rc == -EOPNOTSUPP ? 0 : rc;
6851}
6852
6853/*
6854 * called with inode->i_mutex locked
6855 */
6856static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6857{
6858 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
6859 ctx, ctxlen, 0, NULL);
6860}
6861
6862static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp)
6863{
6864 int len;
6865 len = selinux_inode_getsecurity(idmap: &nop_mnt_idmap, inode,
6866 XATTR_SELINUX_SUFFIX,
6867 buffer: (void **)&cp->context, alloc: true);
6868 if (len < 0)
6869 return len;
6870 cp->len = len;
6871 cp->id = LSM_ID_SELINUX;
6872 return 0;
6873}
6874#ifdef CONFIG_KEYS
6875
6876static int selinux_key_alloc(struct key *k, const struct cred *cred,
6877 unsigned long flags)
6878{
6879 const struct task_security_struct *tsec;
6880 struct key_security_struct *ksec = selinux_key(key: k);
6881
6882 tsec = selinux_cred(cred);
6883 if (tsec->keycreate_sid)
6884 ksec->sid = tsec->keycreate_sid;
6885 else
6886 ksec->sid = tsec->sid;
6887
6888 return 0;
6889}
6890
6891static int selinux_key_permission(key_ref_t key_ref,
6892 const struct cred *cred,
6893 enum key_need_perm need_perm)
6894{
6895 struct key *key;
6896 struct key_security_struct *ksec;
6897 u32 perm, sid;
6898
6899 switch (need_perm) {
6900 case KEY_NEED_VIEW:
6901 perm = KEY__VIEW;
6902 break;
6903 case KEY_NEED_READ:
6904 perm = KEY__READ;
6905 break;
6906 case KEY_NEED_WRITE:
6907 perm = KEY__WRITE;
6908 break;
6909 case KEY_NEED_SEARCH:
6910 perm = KEY__SEARCH;
6911 break;
6912 case KEY_NEED_LINK:
6913 perm = KEY__LINK;
6914 break;
6915 case KEY_NEED_SETATTR:
6916 perm = KEY__SETATTR;
6917 break;
6918 case KEY_NEED_UNLINK:
6919 case KEY_SYSADMIN_OVERRIDE:
6920 case KEY_AUTHTOKEN_OVERRIDE:
6921 case KEY_DEFER_PERM_CHECK:
6922 return 0;
6923 default:
6924 WARN_ON(1);
6925 return -EPERM;
6926
6927 }
6928
6929 sid = cred_sid(cred);
6930 key = key_ref_to_ptr(key_ref);
6931 ksec = selinux_key(key);
6932
6933 return avc_has_perm(ssid: sid, tsid: ksec->sid, SECCLASS_KEY, requested: perm, NULL);
6934}
6935
6936static int selinux_key_getsecurity(struct key *key, char **_buffer)
6937{
6938 struct key_security_struct *ksec = selinux_key(key);
6939 char *context = NULL;
6940 unsigned len;
6941 int rc;
6942
6943 rc = security_sid_to_context(sid: ksec->sid,
6944 scontext: &context, scontext_len: &len);
6945 if (!rc)
6946 rc = len;
6947 *_buffer = context;
6948 return rc;
6949}
6950
6951#ifdef CONFIG_KEY_NOTIFICATIONS
6952static int selinux_watch_key(struct key *key)
6953{
6954 struct key_security_struct *ksec = selinux_key(key);
6955 u32 sid = current_sid();
6956
6957 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6958}
6959#endif
6960#endif
6961
6962#ifdef CONFIG_SECURITY_INFINIBAND
6963static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6964{
6965 struct common_audit_data ad;
6966 int err;
6967 u32 sid = 0;
6968 struct ib_security_struct *sec = ib_sec;
6969 struct lsm_ibpkey_audit ibpkey;
6970
6971 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6972 if (err)
6973 return err;
6974
6975 ad.type = LSM_AUDIT_DATA_IBPKEY;
6976 ibpkey.subnet_prefix = subnet_prefix;
6977 ibpkey.pkey = pkey_val;
6978 ad.u.ibpkey = &ibpkey;
6979 return avc_has_perm(sec->sid, sid,
6980 SECCLASS_INFINIBAND_PKEY,
6981 INFINIBAND_PKEY__ACCESS, &ad);
6982}
6983
6984static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6985 u8 port_num)
6986{
6987 struct common_audit_data ad;
6988 int err;
6989 u32 sid = 0;
6990 struct ib_security_struct *sec = ib_sec;
6991 struct lsm_ibendport_audit ibendport;
6992
6993 err = security_ib_endport_sid(dev_name, port_num,
6994 &sid);
6995
6996 if (err)
6997 return err;
6998
6999 ad.type = LSM_AUDIT_DATA_IBENDPORT;
7000 ibendport.dev_name = dev_name;
7001 ibendport.port = port_num;
7002 ad.u.ibendport = &ibendport;
7003 return avc_has_perm(sec->sid, sid,
7004 SECCLASS_INFINIBAND_ENDPORT,
7005 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
7006}
7007
7008static int selinux_ib_alloc_security(void *ib_sec)
7009{
7010 struct ib_security_struct *sec = selinux_ib(ib_sec);
7011
7012 sec->sid = current_sid();
7013 return 0;
7014}
7015#endif
7016
7017#ifdef CONFIG_BPF_SYSCALL
7018static int selinux_bpf(int cmd, union bpf_attr *attr,
7019 unsigned int size, bool kernel)
7020{
7021 u32 sid = current_sid();
7022 int ret;
7023
7024 switch (cmd) {
7025 case BPF_MAP_CREATE:
7026 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
7027 NULL);
7028 break;
7029 case BPF_PROG_LOAD:
7030 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
7031 NULL);
7032 break;
7033 default:
7034 ret = 0;
7035 break;
7036 }
7037
7038 return ret;
7039}
7040
7041static u32 bpf_map_fmode_to_av(fmode_t fmode)
7042{
7043 u32 av = 0;
7044
7045 if (fmode & FMODE_READ)
7046 av |= BPF__MAP_READ;
7047 if (fmode & FMODE_WRITE)
7048 av |= BPF__MAP_WRITE;
7049 return av;
7050}
7051
7052/* This function will check the file pass through unix socket or binder to see
7053 * if it is a bpf related object. And apply corresponding checks on the bpf
7054 * object based on the type. The bpf maps and programs, not like other files and
7055 * socket, are using a shared anonymous inode inside the kernel as their inode.
7056 * So checking that inode cannot identify if the process have privilege to
7057 * access the bpf object and that's why we have to add this additional check in
7058 * selinux_file_receive and selinux_binder_transfer_files.
7059 */
7060static int bpf_fd_pass(const struct file *file, u32 sid)
7061{
7062 struct bpf_security_struct *bpfsec;
7063 struct bpf_prog *prog;
7064 struct bpf_map *map;
7065 int ret;
7066
7067 if (file->f_op == &bpf_map_fops) {
7068 map = file->private_data;
7069 bpfsec = selinux_bpf_map_security(map);
7070 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7071 bpf_map_fmode_to_av(file->f_mode), NULL);
7072 if (ret)
7073 return ret;
7074 } else if (file->f_op == &bpf_prog_fops) {
7075 prog = file->private_data;
7076 bpfsec = selinux_bpf_prog_security(prog);
7077 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7078 BPF__PROG_RUN, NULL);
7079 if (ret)
7080 return ret;
7081 }
7082 return 0;
7083}
7084
7085static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
7086{
7087 u32 sid = current_sid();
7088 struct bpf_security_struct *bpfsec;
7089
7090 bpfsec = selinux_bpf_map_security(map);
7091 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7092 bpf_map_fmode_to_av(fmode), NULL);
7093}
7094
7095static int selinux_bpf_prog(struct bpf_prog *prog)
7096{
7097 u32 sid = current_sid();
7098 struct bpf_security_struct *bpfsec;
7099
7100 bpfsec = selinux_bpf_prog_security(prog);
7101 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7102 BPF__PROG_RUN, NULL);
7103}
7104
7105static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
7106 struct bpf_token *token, bool kernel)
7107{
7108 struct bpf_security_struct *bpfsec;
7109
7110 bpfsec = selinux_bpf_map_security(map);
7111 bpfsec->sid = current_sid();
7112
7113 return 0;
7114}
7115
7116static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
7117 struct bpf_token *token, bool kernel)
7118{
7119 struct bpf_security_struct *bpfsec;
7120
7121 bpfsec = selinux_bpf_prog_security(prog);
7122 bpfsec->sid = current_sid();
7123
7124 return 0;
7125}
7126
7127static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
7128 const struct path *path)
7129{
7130 struct bpf_security_struct *bpfsec;
7131
7132 bpfsec = selinux_bpf_token_security(token);
7133 bpfsec->sid = current_sid();
7134
7135 return 0;
7136}
7137#endif
7138
7139struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
7140 .lbs_cred = sizeof(struct task_security_struct),
7141 .lbs_file = sizeof(struct file_security_struct),
7142 .lbs_inode = sizeof(struct inode_security_struct),
7143 .lbs_ipc = sizeof(struct ipc_security_struct),
7144 .lbs_key = sizeof(struct key_security_struct),
7145 .lbs_msg_msg = sizeof(struct msg_security_struct),
7146#ifdef CONFIG_PERF_EVENTS
7147 .lbs_perf_event = sizeof(struct perf_event_security_struct),
7148#endif
7149 .lbs_sock = sizeof(struct sk_security_struct),
7150 .lbs_superblock = sizeof(struct superblock_security_struct),
7151 .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
7152 .lbs_tun_dev = sizeof(struct tun_security_struct),
7153 .lbs_ib = sizeof(struct ib_security_struct),
7154 .lbs_bpf_map = sizeof(struct bpf_security_struct),
7155 .lbs_bpf_prog = sizeof(struct bpf_security_struct),
7156 .lbs_bpf_token = sizeof(struct bpf_security_struct),
7157};
7158
7159#ifdef CONFIG_PERF_EVENTS
7160static int selinux_perf_event_open(int type)
7161{
7162 u32 requested, sid = current_sid();
7163
7164 if (type == PERF_SECURITY_OPEN)
7165 requested = PERF_EVENT__OPEN;
7166 else if (type == PERF_SECURITY_CPU)
7167 requested = PERF_EVENT__CPU;
7168 else if (type == PERF_SECURITY_KERNEL)
7169 requested = PERF_EVENT__KERNEL;
7170 else if (type == PERF_SECURITY_TRACEPOINT)
7171 requested = PERF_EVENT__TRACEPOINT;
7172 else
7173 return -EINVAL;
7174
7175 return avc_has_perm(ssid: sid, tsid: sid, SECCLASS_PERF_EVENT,
7176 requested, NULL);
7177}
7178
7179static int selinux_perf_event_alloc(struct perf_event *event)
7180{
7181 struct perf_event_security_struct *perfsec;
7182
7183 perfsec = selinux_perf_event(perf_event: event->security);
7184 perfsec->sid = current_sid();
7185
7186 return 0;
7187}
7188
7189static int selinux_perf_event_read(struct perf_event *event)
7190{
7191 struct perf_event_security_struct *perfsec = event->security;
7192 u32 sid = current_sid();
7193
7194 return avc_has_perm(ssid: sid, tsid: perfsec->sid,
7195 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
7196}
7197
7198static int selinux_perf_event_write(struct perf_event *event)
7199{
7200 struct perf_event_security_struct *perfsec = event->security;
7201 u32 sid = current_sid();
7202
7203 return avc_has_perm(ssid: sid, tsid: perfsec->sid,
7204 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
7205}
7206#endif
7207
7208#ifdef CONFIG_IO_URING
7209/**
7210 * selinux_uring_override_creds - check the requested cred override
7211 * @new: the target creds
7212 *
7213 * Check to see if the current task is allowed to override it's credentials
7214 * to service an io_uring operation.
7215 */
7216static int selinux_uring_override_creds(const struct cred *new)
7217{
7218 return avc_has_perm(ssid: current_sid(), tsid: cred_sid(cred: new),
7219 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
7220}
7221
7222/**
7223 * selinux_uring_sqpoll - check if a io_uring polling thread can be created
7224 *
7225 * Check to see if the current task is allowed to create a new io_uring
7226 * kernel polling thread.
7227 */
7228static int selinux_uring_sqpoll(void)
7229{
7230 u32 sid = current_sid();
7231
7232 return avc_has_perm(ssid: sid, tsid: sid,
7233 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
7234}
7235
7236/**
7237 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
7238 * @ioucmd: the io_uring command structure
7239 *
7240 * Check to see if the current domain is allowed to execute an
7241 * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
7242 *
7243 */
7244static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
7245{
7246 struct file *file = ioucmd->file;
7247 struct inode *inode = file_inode(f: file);
7248 struct inode_security_struct *isec = selinux_inode(inode);
7249 struct common_audit_data ad;
7250
7251 ad.type = LSM_AUDIT_DATA_FILE;
7252 ad.u.file = file;
7253
7254 return avc_has_perm(ssid: current_sid(), tsid: isec->sid,
7255 SECCLASS_IO_URING, IO_URING__CMD, auditdata: &ad);
7256}
7257
7258/**
7259 * selinux_uring_allowed - check if io_uring_setup() can be called
7260 *
7261 * Check to see if the current task is allowed to call io_uring_setup().
7262 */
7263static int selinux_uring_allowed(void)
7264{
7265 u32 sid = current_sid();
7266
7267 return avc_has_perm(ssid: sid, tsid: sid, SECCLASS_IO_URING, IO_URING__ALLOWED,
7268 NULL);
7269}
7270#endif /* CONFIG_IO_URING */
7271
7272static const struct lsm_id selinux_lsmid = {
7273 .name = "selinux",
7274 .id = LSM_ID_SELINUX,
7275};
7276
7277/*
7278 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
7279 * 1. any hooks that don't belong to (2.) or (3.) below,
7280 * 2. hooks that both access structures allocated by other hooks, and allocate
7281 * structures that can be later accessed by other hooks (mostly "cloning"
7282 * hooks),
7283 * 3. hooks that only allocate structures that can be later accessed by other
7284 * hooks ("allocating" hooks).
7285 *
7286 * Please follow block comment delimiters in the list to keep this order.
7287 */
7288static struct security_hook_list selinux_hooks[] __ro_after_init = {
7289 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7290 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7291 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7292 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7293
7294 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7295 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7296 LSM_HOOK_INIT(capget, selinux_capget),
7297 LSM_HOOK_INIT(capset, selinux_capset),
7298 LSM_HOOK_INIT(capable, selinux_capable),
7299 LSM_HOOK_INIT(quotactl, selinux_quotactl),
7300 LSM_HOOK_INIT(quota_on, selinux_quota_on),
7301 LSM_HOOK_INIT(syslog, selinux_syslog),
7302 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7303
7304 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7305
7306 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7307 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7308 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7309
7310 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7311 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7312 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7313 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7314 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7315 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7316 LSM_HOOK_INIT(sb_mount, selinux_mount),
7317 LSM_HOOK_INIT(sb_umount, selinux_umount),
7318 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7319 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7320
7321 LSM_HOOK_INIT(move_mount, selinux_move_mount),
7322
7323 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7324 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7325
7326 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7327 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7328 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7329 LSM_HOOK_INIT(inode_create, selinux_inode_create),
7330 LSM_HOOK_INIT(inode_link, selinux_inode_link),
7331 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7332 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7333 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7334 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7335 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7336 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7337 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7338 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7339 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7340 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7341 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7342 LSM_HOOK_INIT(inode_xattr_skipcap, selinux_inode_xattr_skipcap),
7343 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7344 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7345 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7346 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7347 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7348 LSM_HOOK_INIT(inode_file_getattr, selinux_inode_file_getattr),
7349 LSM_HOOK_INIT(inode_file_setattr, selinux_inode_file_setattr),
7350 LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
7351 LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
7352 LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
7353 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7354 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7355 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7356 LSM_HOOK_INIT(inode_getlsmprop, selinux_inode_getlsmprop),
7357 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7358 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7359 LSM_HOOK_INIT(path_notify, selinux_path_notify),
7360
7361 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7362
7363 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7364 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7365 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7366 LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
7367 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7368 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7369 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7370 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7371 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7372 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7373 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7374 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7375
7376 LSM_HOOK_INIT(file_open, selinux_file_open),
7377
7378 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7379 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7380 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7381 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7382 LSM_HOOK_INIT(cred_getlsmprop, selinux_cred_getlsmprop),
7383 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7384 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7385 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7386 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7387 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7388 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7389 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7390 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7391 LSM_HOOK_INIT(current_getlsmprop_subj, selinux_current_getlsmprop_subj),
7392 LSM_HOOK_INIT(task_getlsmprop_obj, selinux_task_getlsmprop_obj),
7393 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7394 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7395 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7396 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7397 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7398 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7399 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7400 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7401 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7402 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7403 LSM_HOOK_INIT(userns_create, selinux_userns_create),
7404
7405 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7406 LSM_HOOK_INIT(ipc_getlsmprop, selinux_ipc_getlsmprop),
7407
7408 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7409 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7410 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7411 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7412
7413 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7414 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7415 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7416
7417 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7418 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7419 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7420
7421 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7422
7423 LSM_HOOK_INIT(getselfattr, selinux_getselfattr),
7424 LSM_HOOK_INIT(setselfattr, selinux_setselfattr),
7425 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7426 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7427
7428 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7429 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7430 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7431 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7432 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7433 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7434
7435 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7436 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7437
7438 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7439 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7440 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7441 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7442 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7443 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7444 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7445 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7446 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7447 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7448 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7449 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7450 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7451 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7452 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7453 LSM_HOOK_INIT(socket_getpeersec_stream,
7454 selinux_socket_getpeersec_stream),
7455 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7456 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7457 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7458 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7459 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7460 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7461 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7462 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7463 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7464 LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
7465 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7466 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7467 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7468 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7469 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7470 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7471 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7472 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7473 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7474 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7475 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7476#ifdef CONFIG_SECURITY_INFINIBAND
7477 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7478 LSM_HOOK_INIT(ib_endport_manage_subnet,
7479 selinux_ib_endport_manage_subnet),
7480#endif
7481#ifdef CONFIG_SECURITY_NETWORK_XFRM
7482 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7483 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7484 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7485 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7486 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7487 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7488 selinux_xfrm_state_pol_flow_match),
7489 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7490#endif
7491
7492#ifdef CONFIG_KEYS
7493 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7494 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7495#ifdef CONFIG_KEY_NOTIFICATIONS
7496 LSM_HOOK_INIT(watch_key, selinux_watch_key),
7497#endif
7498#endif
7499
7500#ifdef CONFIG_AUDIT
7501 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7502 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7503 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7504#endif
7505
7506#ifdef CONFIG_BPF_SYSCALL
7507 LSM_HOOK_INIT(bpf, selinux_bpf),
7508 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7509 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7510#endif
7511
7512#ifdef CONFIG_PERF_EVENTS
7513 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7514 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7515 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7516#endif
7517
7518#ifdef CONFIG_IO_URING
7519 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7520 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7521 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7522 LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed),
7523#endif
7524
7525 /*
7526 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7527 */
7528 LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount),
7529 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7530 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7531 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7532#ifdef CONFIG_SECURITY_NETWORK_XFRM
7533 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7534#endif
7535
7536 /*
7537 * PUT "ALLOCATING" HOOKS HERE
7538 */
7539 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7540 LSM_HOOK_INIT(msg_queue_alloc_security,
7541 selinux_msg_queue_alloc_security),
7542 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7543 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7544 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7545 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7546 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7547 LSM_HOOK_INIT(lsmprop_to_secctx, selinux_lsmprop_to_secctx),
7548 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7549 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7550 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7551#ifdef CONFIG_SECURITY_INFINIBAND
7552 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7553#endif
7554#ifdef CONFIG_SECURITY_NETWORK_XFRM
7555 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7556 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7557 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7558 selinux_xfrm_state_alloc_acquire),
7559#endif
7560#ifdef CONFIG_KEYS
7561 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7562#endif
7563#ifdef CONFIG_AUDIT
7564 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7565#endif
7566#ifdef CONFIG_BPF_SYSCALL
7567 LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create),
7568 LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load),
7569 LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create),
7570#endif
7571#ifdef CONFIG_PERF_EVENTS
7572 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7573#endif
7574};
7575
7576static __init int selinux_init(void)
7577{
7578 pr_info("SELinux: Initializing.\n");
7579
7580 memset(s: &selinux_state, c: 0, n: sizeof(selinux_state));
7581 enforcing_set(value: selinux_enforcing_boot);
7582 selinux_avc_init();
7583 mutex_init(&selinux_state.status_lock);
7584 mutex_init(&selinux_state.policy_mutex);
7585
7586 /* Set the security state for the initial task. */
7587 cred_init_security();
7588
7589 /* Inform the audit system that secctx is used */
7590 audit_cfg_lsm(lsmid: &selinux_lsmid,
7591 AUDIT_CFG_LSM_SECCTX_SUBJECT |
7592 AUDIT_CFG_LSM_SECCTX_OBJECT);
7593
7594 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7595 if (!default_noexec)
7596 pr_notice("SELinux: virtual memory is executable by default\n");
7597
7598 avc_init();
7599
7600 avtab_cache_init();
7601
7602 ebitmap_cache_init();
7603
7604 hashtab_cache_init();
7605
7606 security_add_hooks(hooks: selinux_hooks, ARRAY_SIZE(selinux_hooks),
7607 lsmid: &selinux_lsmid);
7608
7609 if (avc_add_callback(callback: selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7610 panic(fmt: "SELinux: Unable to register AVC netcache callback\n");
7611
7612 if (avc_add_callback(callback: selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7613 panic(fmt: "SELinux: Unable to register AVC LSM notifier callback\n");
7614
7615 if (selinux_enforcing_boot)
7616 pr_debug("SELinux: Starting in enforcing mode\n");
7617 else
7618 pr_debug("SELinux: Starting in permissive mode\n");
7619
7620 fs_validate_description(name: "selinux", desc: selinux_fs_parameters);
7621
7622 return 0;
7623}
7624
7625static void delayed_superblock_init(struct super_block *sb, void *unused)
7626{
7627 selinux_set_mnt_opts(sb, NULL, kern_flags: 0, NULL);
7628}
7629
7630void selinux_complete_init(void)
7631{
7632 pr_debug("SELinux: Completing initialization.\n");
7633
7634 /* Set up any superblocks initialized prior to the policy load. */
7635 pr_debug("SELinux: Setting up existing superblocks.\n");
7636 iterate_supers(f: delayed_superblock_init, NULL);
7637}
7638
7639/* SELinux requires early initialization in order to label
7640 all processes and objects when they are created. */
7641DEFINE_LSM(selinux) = {
7642 .name = "selinux",
7643 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7644 .enabled = &selinux_enabled_boot,
7645 .blobs = &selinux_blob_sizes,
7646 .init = selinux_init,
7647};
7648
7649#if defined(CONFIG_NETFILTER)
7650static const struct nf_hook_ops selinux_nf_ops[] = {
7651 {
7652 .hook = selinux_ip_postroute,
7653 .pf = NFPROTO_IPV4,
7654 .hooknum = NF_INET_POST_ROUTING,
7655 .priority = NF_IP_PRI_SELINUX_LAST,
7656 },
7657 {
7658 .hook = selinux_ip_forward,
7659 .pf = NFPROTO_IPV4,
7660 .hooknum = NF_INET_FORWARD,
7661 .priority = NF_IP_PRI_SELINUX_FIRST,
7662 },
7663 {
7664 .hook = selinux_ip_output,
7665 .pf = NFPROTO_IPV4,
7666 .hooknum = NF_INET_LOCAL_OUT,
7667 .priority = NF_IP_PRI_SELINUX_FIRST,
7668 },
7669#if IS_ENABLED(CONFIG_IPV6)
7670 {
7671 .hook = selinux_ip_postroute,
7672 .pf = NFPROTO_IPV6,
7673 .hooknum = NF_INET_POST_ROUTING,
7674 .priority = NF_IP6_PRI_SELINUX_LAST,
7675 },
7676 {
7677 .hook = selinux_ip_forward,
7678 .pf = NFPROTO_IPV6,
7679 .hooknum = NF_INET_FORWARD,
7680 .priority = NF_IP6_PRI_SELINUX_FIRST,
7681 },
7682 {
7683 .hook = selinux_ip_output,
7684 .pf = NFPROTO_IPV6,
7685 .hooknum = NF_INET_LOCAL_OUT,
7686 .priority = NF_IP6_PRI_SELINUX_FIRST,
7687 },
7688#endif /* IPV6 */
7689};
7690
7691static int __net_init selinux_nf_register(struct net *net)
7692{
7693 return nf_register_net_hooks(net, reg: selinux_nf_ops,
7694 ARRAY_SIZE(selinux_nf_ops));
7695}
7696
7697static void __net_exit selinux_nf_unregister(struct net *net)
7698{
7699 nf_unregister_net_hooks(net, reg: selinux_nf_ops,
7700 ARRAY_SIZE(selinux_nf_ops));
7701}
7702
7703static struct pernet_operations selinux_net_ops = {
7704 .init = selinux_nf_register,
7705 .exit = selinux_nf_unregister,
7706};
7707
7708static int __init selinux_nf_ip_init(void)
7709{
7710 int err;
7711
7712 if (!selinux_enabled_boot)
7713 return 0;
7714
7715 pr_debug("SELinux: Registering netfilter hooks\n");
7716
7717 err = register_pernet_subsys(&selinux_net_ops);
7718 if (err)
7719 panic(fmt: "SELinux: register_pernet_subsys: error %d\n", err);
7720
7721 return 0;
7722}
7723__initcall(selinux_nf_ip_init);
7724#endif /* CONFIG_NETFILTER */
7725