2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/mutex.h>
83 #include <linux/posix-timers.h>
84 #include <linux/syslog.h>
85 #include <linux/user_namespace.h>
86 #include <linux/export.h>
87 #include <linux/msg.h>
88 #include <linux/shm.h>
89 #include <linux/bpf.h>
90 #include <uapi/linux/mount.h>
103 struct selinux_state selinux_state;
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
111 static int __init enforcing_setup(char *str)
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
118 __setup("enforcing=", enforcing_setup);
120 #define selinux_enforcing_boot 1
123 int selinux_enabled __lsm_ro_after_init = 1;
124 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
125 static int __init selinux_enabled_setup(char *str)
127 unsigned long enabled;
128 if (!kstrtoul(str, 0, &enabled))
129 selinux_enabled = enabled ? 1 : 0;
132 __setup("selinux=", selinux_enabled_setup);
135 static unsigned int selinux_checkreqprot_boot =
136 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
138 static int __init checkreqprot_setup(char *str)
140 unsigned long checkreqprot;
142 if (!kstrtoul(str, 0, &checkreqprot))
143 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
146 __setup("checkreqprot=", checkreqprot_setup);
149 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
152 * This function checks the SECMARK reference counter to see if any SECMARK
153 * targets are currently configured, if the reference counter is greater than
154 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
155 * enabled, false (0) if SECMARK is disabled. If the always_check_network
156 * policy capability is enabled, SECMARK is always considered enabled.
159 static int selinux_secmark_enabled(void)
161 return (selinux_policycap_alwaysnetwork() ||
162 atomic_read(&selinux_secmark_refcount));
166 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
169 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
170 * (1) if any are enabled or false (0) if neither are enabled. If the
171 * always_check_network policy capability is enabled, peer labeling
172 * is always considered enabled.
175 static int selinux_peerlbl_enabled(void)
177 return (selinux_policycap_alwaysnetwork() ||
178 netlbl_enabled() || selinux_xfrm_enabled());
181 static int selinux_netcache_avc_callback(u32 event)
183 if (event == AVC_CALLBACK_RESET) {
192 static int selinux_lsm_notifier_avc_callback(u32 event)
194 if (event == AVC_CALLBACK_RESET) {
196 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 * initialise the security for the init task
205 static void cred_init_security(void)
207 struct cred *cred = (struct cred *) current->real_cred;
208 struct task_security_struct *tsec;
210 tsec = selinux_cred(cred);
211 tsec->osid = tsec->sid = SECINITSID_KERNEL;
215 * get the security ID of a set of credentials
217 static inline u32 cred_sid(const struct cred *cred)
219 const struct task_security_struct *tsec;
221 tsec = selinux_cred(cred);
226 * get the objective security ID of a task
228 static inline u32 task_sid(const struct task_struct *task)
233 sid = cred_sid(__task_cred(task));
238 /* Allocate and free functions for each kind of security blob. */
240 static int inode_alloc_security(struct inode *inode)
242 struct inode_security_struct *isec = selinux_inode(inode);
243 u32 sid = current_sid();
245 spin_lock_init(&isec->lock);
246 INIT_LIST_HEAD(&isec->list);
248 isec->sid = SECINITSID_UNLABELED;
249 isec->sclass = SECCLASS_FILE;
250 isec->task_sid = sid;
251 isec->initialized = LABEL_INVALID;
256 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
259 * Try reloading inode security labels that have been marked as invalid. The
260 * @may_sleep parameter indicates when sleeping and thus reloading labels is
261 * allowed; when set to false, returns -ECHILD when the label is
262 * invalid. The @dentry parameter should be set to a dentry of the inode.
264 static int __inode_security_revalidate(struct inode *inode,
265 struct dentry *dentry,
268 struct inode_security_struct *isec = selinux_inode(inode);
270 might_sleep_if(may_sleep);
272 if (selinux_state.initialized &&
273 isec->initialized != LABEL_INITIALIZED) {
278 * Try reloading the inode security label. This will fail if
279 * @opt_dentry is NULL and no dentry for this inode can be
280 * found; in that case, continue using the old label.
282 inode_doinit_with_dentry(inode, dentry);
287 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
289 return selinux_inode(inode);
292 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
296 error = __inode_security_revalidate(inode, NULL, !rcu);
298 return ERR_PTR(error);
299 return selinux_inode(inode);
303 * Get the security label of an inode.
305 static struct inode_security_struct *inode_security(struct inode *inode)
307 __inode_security_revalidate(inode, NULL, true);
308 return selinux_inode(inode);
311 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
313 struct inode *inode = d_backing_inode(dentry);
315 return selinux_inode(inode);
319 * Get the security label of a dentry's backing inode.
321 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
323 struct inode *inode = d_backing_inode(dentry);
325 __inode_security_revalidate(inode, dentry, true);
326 return selinux_inode(inode);
329 static void inode_free_security(struct inode *inode)
331 struct inode_security_struct *isec = selinux_inode(inode);
332 struct superblock_security_struct *sbsec;
336 sbsec = inode->i_sb->s_security;
338 * As not all inode security structures are in a list, we check for
339 * empty list outside of the lock to make sure that we won't waste
340 * time taking a lock doing nothing.
342 * The list_del_init() function can be safely called more than once.
343 * It should not be possible for this function to be called with
344 * concurrent list_add(), but for better safety against future changes
345 * in the code, we use list_empty_careful() here.
347 if (!list_empty_careful(&isec->list)) {
348 spin_lock(&sbsec->isec_lock);
349 list_del_init(&isec->list);
350 spin_unlock(&sbsec->isec_lock);
354 static int file_alloc_security(struct file *file)
356 struct file_security_struct *fsec = selinux_file(file);
357 u32 sid = current_sid();
360 fsec->fown_sid = sid;
365 static int superblock_alloc_security(struct super_block *sb)
367 struct superblock_security_struct *sbsec;
369 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
373 mutex_init(&sbsec->lock);
374 INIT_LIST_HEAD(&sbsec->isec_head);
375 spin_lock_init(&sbsec->isec_lock);
377 sbsec->sid = SECINITSID_UNLABELED;
378 sbsec->def_sid = SECINITSID_FILE;
379 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
380 sb->s_security = sbsec;
385 static void superblock_free_security(struct super_block *sb)
387 struct superblock_security_struct *sbsec = sb->s_security;
388 sb->s_security = NULL;
392 struct selinux_mnt_opts {
393 const char *fscontext, *context, *rootcontext, *defcontext;
396 static void selinux_free_mnt_opts(void *mnt_opts)
398 struct selinux_mnt_opts *opts = mnt_opts;
399 kfree(opts->fscontext);
400 kfree(opts->context);
401 kfree(opts->rootcontext);
402 kfree(opts->defcontext);
406 static inline int inode_doinit(struct inode *inode)
408 return inode_doinit_with_dentry(inode, NULL);
420 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
430 A(rootcontext, true),
435 static int match_opt_prefix(char *s, int l, char **arg)
439 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
440 size_t len = tokens[i].len;
441 if (len > l || memcmp(s, tokens[i].name, len))
443 if (tokens[i].has_arg) {
444 if (len == l || s[len] != '=')
449 return tokens[i].opt;
454 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
456 static int may_context_mount_sb_relabel(u32 sid,
457 struct superblock_security_struct *sbsec,
458 const struct cred *cred)
460 const struct task_security_struct *tsec = selinux_cred(cred);
463 rc = avc_has_perm(&selinux_state,
464 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__RELABELFROM, NULL);
469 rc = avc_has_perm(&selinux_state,
470 tsec->sid, sid, SECCLASS_FILESYSTEM,
471 FILESYSTEM__RELABELTO, NULL);
475 static int may_context_mount_inode_relabel(u32 sid,
476 struct superblock_security_struct *sbsec,
477 const struct cred *cred)
479 const struct task_security_struct *tsec = selinux_cred(cred);
481 rc = avc_has_perm(&selinux_state,
482 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
483 FILESYSTEM__RELABELFROM, NULL);
487 rc = avc_has_perm(&selinux_state,
488 sid, sbsec->sid, SECCLASS_FILESYSTEM,
489 FILESYSTEM__ASSOCIATE, NULL);
493 static int selinux_is_genfs_special_handling(struct super_block *sb)
495 /* Special handling. Genfs but also in-core setxattr handler */
496 return !strcmp(sb->s_type->name, "sysfs") ||
497 !strcmp(sb->s_type->name, "pstore") ||
498 !strcmp(sb->s_type->name, "debugfs") ||
499 !strcmp(sb->s_type->name, "tracefs") ||
500 !strcmp(sb->s_type->name, "rootfs") ||
501 (selinux_policycap_cgroupseclabel() &&
502 (!strcmp(sb->s_type->name, "cgroup") ||
503 !strcmp(sb->s_type->name, "cgroup2")));
506 static int selinux_is_sblabel_mnt(struct super_block *sb)
508 struct superblock_security_struct *sbsec = sb->s_security;
511 * IMPORTANT: Double-check logic in this function when adding a new
512 * SECURITY_FS_USE_* definition!
514 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
516 switch (sbsec->behavior) {
517 case SECURITY_FS_USE_XATTR:
518 case SECURITY_FS_USE_TRANS:
519 case SECURITY_FS_USE_TASK:
520 case SECURITY_FS_USE_NATIVE:
523 case SECURITY_FS_USE_GENFS:
524 return selinux_is_genfs_special_handling(sb);
526 /* Never allow relabeling on context mounts */
527 case SECURITY_FS_USE_MNTPOINT:
528 case SECURITY_FS_USE_NONE:
534 static int sb_finish_set_opts(struct super_block *sb)
536 struct superblock_security_struct *sbsec = sb->s_security;
537 struct dentry *root = sb->s_root;
538 struct inode *root_inode = d_backing_inode(root);
541 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
542 /* Make sure that the xattr handler exists and that no
543 error other than -ENODATA is returned by getxattr on
544 the root directory. -ENODATA is ok, as this may be
545 the first boot of the SELinux kernel before we have
546 assigned xattr values to the filesystem. */
547 if (!(root_inode->i_opflags & IOP_XATTR)) {
548 pr_warn("SELinux: (dev %s, type %s) has no "
549 "xattr support\n", sb->s_id, sb->s_type->name);
554 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
555 if (rc < 0 && rc != -ENODATA) {
556 if (rc == -EOPNOTSUPP)
557 pr_warn("SELinux: (dev %s, type "
558 "%s) has no security xattr handler\n",
559 sb->s_id, sb->s_type->name);
561 pr_warn("SELinux: (dev %s, type "
562 "%s) getxattr errno %d\n", sb->s_id,
563 sb->s_type->name, -rc);
568 sbsec->flags |= SE_SBINITIALIZED;
571 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
572 * leave the flag untouched because sb_clone_mnt_opts might be handing
573 * us a superblock that needs the flag to be cleared.
575 if (selinux_is_sblabel_mnt(sb))
576 sbsec->flags |= SBLABEL_MNT;
578 sbsec->flags &= ~SBLABEL_MNT;
580 /* Initialize the root inode. */
581 rc = inode_doinit_with_dentry(root_inode, root);
583 /* Initialize any other inodes associated with the superblock, e.g.
584 inodes created prior to initial policy load or inodes created
585 during get_sb by a pseudo filesystem that directly
587 spin_lock(&sbsec->isec_lock);
588 while (!list_empty(&sbsec->isec_head)) {
589 struct inode_security_struct *isec =
590 list_first_entry(&sbsec->isec_head,
591 struct inode_security_struct, list);
592 struct inode *inode = isec->inode;
593 list_del_init(&isec->list);
594 spin_unlock(&sbsec->isec_lock);
595 inode = igrab(inode);
597 if (!IS_PRIVATE(inode))
601 spin_lock(&sbsec->isec_lock);
603 spin_unlock(&sbsec->isec_lock);
608 static int bad_option(struct superblock_security_struct *sbsec, char flag,
609 u32 old_sid, u32 new_sid)
611 char mnt_flags = sbsec->flags & SE_MNTMASK;
613 /* check if the old mount command had the same options */
614 if (sbsec->flags & SE_SBINITIALIZED)
615 if (!(sbsec->flags & flag) ||
616 (old_sid != new_sid))
619 /* check if we were passed the same options twice,
620 * aka someone passed context=a,context=b
622 if (!(sbsec->flags & SE_SBINITIALIZED))
623 if (mnt_flags & flag)
628 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
630 int rc = security_context_str_to_sid(&selinux_state, s,
633 pr_warn("SELinux: security_context_str_to_sid"
634 "(%s) failed for (dev %s, type %s) errno=%d\n",
635 s, sb->s_id, sb->s_type->name, rc);
640 * Allow filesystems with binary mount data to explicitly set mount point
641 * labeling information.
643 static int selinux_set_mnt_opts(struct super_block *sb,
645 unsigned long kern_flags,
646 unsigned long *set_kern_flags)
648 const struct cred *cred = current_cred();
649 struct superblock_security_struct *sbsec = sb->s_security;
650 struct dentry *root = sbsec->sb->s_root;
651 struct selinux_mnt_opts *opts = mnt_opts;
652 struct inode_security_struct *root_isec;
653 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
654 u32 defcontext_sid = 0;
657 mutex_lock(&sbsec->lock);
659 if (!selinux_state.initialized) {
661 /* Defer initialization until selinux_complete_init,
662 after the initial policy is loaded and the security
663 server is ready to handle calls. */
667 pr_warn("SELinux: Unable to set superblock options "
668 "before the security server is initialized\n");
671 if (kern_flags && !set_kern_flags) {
672 /* Specifying internal flags without providing a place to
673 * place the results is not allowed */
679 * Binary mount data FS will come through this function twice. Once
680 * from an explicit call and once from the generic calls from the vfs.
681 * Since the generic VFS calls will not contain any security mount data
682 * we need to skip the double mount verification.
684 * This does open a hole in which we will not notice if the first
685 * mount using this sb set explict options and a second mount using
686 * this sb does not set any security options. (The first options
687 * will be used for both mounts)
689 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
693 root_isec = backing_inode_security_novalidate(root);
696 * parse the mount options, check if they are valid sids.
697 * also check if someone is trying to mount the same sb more
698 * than once with different security options.
701 if (opts->fscontext) {
702 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
705 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
707 goto out_double_mount;
708 sbsec->flags |= FSCONTEXT_MNT;
711 rc = parse_sid(sb, opts->context, &context_sid);
714 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
716 goto out_double_mount;
717 sbsec->flags |= CONTEXT_MNT;
719 if (opts->rootcontext) {
720 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
723 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
725 goto out_double_mount;
726 sbsec->flags |= ROOTCONTEXT_MNT;
728 if (opts->defcontext) {
729 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
732 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
734 goto out_double_mount;
735 sbsec->flags |= DEFCONTEXT_MNT;
739 if (sbsec->flags & SE_SBINITIALIZED) {
740 /* previously mounted with options, but not on this attempt? */
741 if ((sbsec->flags & SE_MNTMASK) && !opts)
742 goto out_double_mount;
747 if (strcmp(sb->s_type->name, "proc") == 0)
748 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
750 if (!strcmp(sb->s_type->name, "debugfs") ||
751 !strcmp(sb->s_type->name, "tracefs") ||
752 !strcmp(sb->s_type->name, "sysfs") ||
753 !strcmp(sb->s_type->name, "pstore") ||
754 !strcmp(sb->s_type->name, "cgroup") ||
755 !strcmp(sb->s_type->name, "cgroup2"))
756 sbsec->flags |= SE_SBGENFS;
758 if (!sbsec->behavior) {
760 * Determine the labeling behavior to use for this
763 rc = security_fs_use(&selinux_state, sb);
765 pr_warn("%s: security_fs_use(%s) returned %d\n",
766 __func__, sb->s_type->name, rc);
772 * If this is a user namespace mount and the filesystem type is not
773 * explicitly whitelisted, then no contexts are allowed on the command
774 * line and security labels must be ignored.
776 if (sb->s_user_ns != &init_user_ns &&
777 strcmp(sb->s_type->name, "tmpfs") &&
778 strcmp(sb->s_type->name, "ramfs") &&
779 strcmp(sb->s_type->name, "devpts")) {
780 if (context_sid || fscontext_sid || rootcontext_sid ||
785 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
786 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
787 rc = security_transition_sid(&selinux_state,
791 &sbsec->mntpoint_sid);
798 /* sets the context of the superblock for the fs being mounted. */
800 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
804 sbsec->sid = fscontext_sid;
808 * Switch to using mount point labeling behavior.
809 * sets the label used on all file below the mountpoint, and will set
810 * the superblock context if not already set.
812 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
813 sbsec->behavior = SECURITY_FS_USE_NATIVE;
814 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
818 if (!fscontext_sid) {
819 rc = may_context_mount_sb_relabel(context_sid, sbsec,
823 sbsec->sid = context_sid;
825 rc = may_context_mount_inode_relabel(context_sid, sbsec,
830 if (!rootcontext_sid)
831 rootcontext_sid = context_sid;
833 sbsec->mntpoint_sid = context_sid;
834 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
837 if (rootcontext_sid) {
838 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
843 root_isec->sid = rootcontext_sid;
844 root_isec->initialized = LABEL_INITIALIZED;
847 if (defcontext_sid) {
848 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
849 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
851 pr_warn("SELinux: defcontext option is "
852 "invalid for this filesystem type\n");
856 if (defcontext_sid != sbsec->def_sid) {
857 rc = may_context_mount_inode_relabel(defcontext_sid,
863 sbsec->def_sid = defcontext_sid;
867 rc = sb_finish_set_opts(sb);
869 mutex_unlock(&sbsec->lock);
873 pr_warn("SELinux: mount invalid. Same superblock, different "
874 "security settings for (dev %s, type %s)\n", sb->s_id,
879 static int selinux_cmp_sb_context(const struct super_block *oldsb,
880 const struct super_block *newsb)
882 struct superblock_security_struct *old = oldsb->s_security;
883 struct superblock_security_struct *new = newsb->s_security;
884 char oldflags = old->flags & SE_MNTMASK;
885 char newflags = new->flags & SE_MNTMASK;
887 if (oldflags != newflags)
889 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
891 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
893 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
895 if (oldflags & ROOTCONTEXT_MNT) {
896 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
897 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
898 if (oldroot->sid != newroot->sid)
903 pr_warn("SELinux: mount invalid. Same superblock, "
904 "different security settings for (dev %s, "
905 "type %s)\n", newsb->s_id, newsb->s_type->name);
909 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
910 struct super_block *newsb,
911 unsigned long kern_flags,
912 unsigned long *set_kern_flags)
915 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
916 struct superblock_security_struct *newsbsec = newsb->s_security;
918 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
919 int set_context = (oldsbsec->flags & CONTEXT_MNT);
920 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
923 * if the parent was able to be mounted it clearly had no special lsm
924 * mount options. thus we can safely deal with this superblock later
926 if (!selinux_state.initialized)
930 * Specifying internal flags without providing a place to
931 * place the results is not allowed.
933 if (kern_flags && !set_kern_flags)
936 /* how can we clone if the old one wasn't set up?? */
937 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
939 /* if fs is reusing a sb, make sure that the contexts match */
940 if (newsbsec->flags & SE_SBINITIALIZED)
941 return selinux_cmp_sb_context(oldsb, newsb);
943 mutex_lock(&newsbsec->lock);
945 newsbsec->flags = oldsbsec->flags;
947 newsbsec->sid = oldsbsec->sid;
948 newsbsec->def_sid = oldsbsec->def_sid;
949 newsbsec->behavior = oldsbsec->behavior;
951 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
952 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
953 rc = security_fs_use(&selinux_state, newsb);
958 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
959 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
960 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
964 u32 sid = oldsbsec->mntpoint_sid;
968 if (!set_rootcontext) {
969 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
972 newsbsec->mntpoint_sid = sid;
974 if (set_rootcontext) {
975 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
976 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
978 newisec->sid = oldisec->sid;
981 sb_finish_set_opts(newsb);
983 mutex_unlock(&newsbsec->lock);
987 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
989 struct selinux_mnt_opts *opts = *mnt_opts;
991 if (token == Opt_seclabel) /* eaten and completely ignored */
995 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1004 if (opts->context || opts->defcontext)
1009 if (opts->fscontext)
1011 opts->fscontext = s;
1013 case Opt_rootcontext:
1014 if (opts->rootcontext)
1016 opts->rootcontext = s;
1018 case Opt_defcontext:
1019 if (opts->context || opts->defcontext)
1021 opts->defcontext = s;
1026 pr_warn(SEL_MOUNT_FAIL_MSG);
1030 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1033 int token = Opt_error;
1036 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1037 if (strcmp(option, tokens[i].name) == 0) {
1038 token = tokens[i].opt;
1043 if (token == Opt_error)
1046 if (token != Opt_seclabel)
1047 val = kmemdup_nul(val, len, GFP_KERNEL);
1048 rc = selinux_add_opt(token, val, mnt_opts);
1052 selinux_free_mnt_opts(*mnt_opts);
1059 static int show_sid(struct seq_file *m, u32 sid)
1061 char *context = NULL;
1065 rc = security_sid_to_context(&selinux_state, sid,
1068 bool has_comma = context && strchr(context, ',');
1072 seq_escape(m, context, "\"\n\\");
1080 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1082 struct superblock_security_struct *sbsec = sb->s_security;
1085 if (!(sbsec->flags & SE_SBINITIALIZED))
1088 if (!selinux_state.initialized)
1091 if (sbsec->flags & FSCONTEXT_MNT) {
1093 seq_puts(m, FSCONTEXT_STR);
1094 rc = show_sid(m, sbsec->sid);
1098 if (sbsec->flags & CONTEXT_MNT) {
1100 seq_puts(m, CONTEXT_STR);
1101 rc = show_sid(m, sbsec->mntpoint_sid);
1105 if (sbsec->flags & DEFCONTEXT_MNT) {
1107 seq_puts(m, DEFCONTEXT_STR);
1108 rc = show_sid(m, sbsec->def_sid);
1112 if (sbsec->flags & ROOTCONTEXT_MNT) {
1113 struct dentry *root = sbsec->sb->s_root;
1114 struct inode_security_struct *isec = backing_inode_security(root);
1116 seq_puts(m, ROOTCONTEXT_STR);
1117 rc = show_sid(m, isec->sid);
1121 if (sbsec->flags & SBLABEL_MNT) {
1123 seq_puts(m, LABELSUPP_STR);
1128 static inline u16 inode_mode_to_security_class(umode_t mode)
1130 switch (mode & S_IFMT) {
1132 return SECCLASS_SOCK_FILE;
1134 return SECCLASS_LNK_FILE;
1136 return SECCLASS_FILE;
1138 return SECCLASS_BLK_FILE;
1140 return SECCLASS_DIR;
1142 return SECCLASS_CHR_FILE;
1144 return SECCLASS_FIFO_FILE;
1148 return SECCLASS_FILE;
1151 static inline int default_protocol_stream(int protocol)
1153 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1156 static inline int default_protocol_dgram(int protocol)
1158 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1161 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1163 int extsockclass = selinux_policycap_extsockclass();
1169 case SOCK_SEQPACKET:
1170 return SECCLASS_UNIX_STREAM_SOCKET;
1173 return SECCLASS_UNIX_DGRAM_SOCKET;
1180 case SOCK_SEQPACKET:
1181 if (default_protocol_stream(protocol))
1182 return SECCLASS_TCP_SOCKET;
1183 else if (extsockclass && protocol == IPPROTO_SCTP)
1184 return SECCLASS_SCTP_SOCKET;
1186 return SECCLASS_RAWIP_SOCKET;
1188 if (default_protocol_dgram(protocol))
1189 return SECCLASS_UDP_SOCKET;
1190 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1191 protocol == IPPROTO_ICMPV6))
1192 return SECCLASS_ICMP_SOCKET;
1194 return SECCLASS_RAWIP_SOCKET;
1196 return SECCLASS_DCCP_SOCKET;
1198 return SECCLASS_RAWIP_SOCKET;
1204 return SECCLASS_NETLINK_ROUTE_SOCKET;
1205 case NETLINK_SOCK_DIAG:
1206 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1208 return SECCLASS_NETLINK_NFLOG_SOCKET;
1210 return SECCLASS_NETLINK_XFRM_SOCKET;
1211 case NETLINK_SELINUX:
1212 return SECCLASS_NETLINK_SELINUX_SOCKET;
1214 return SECCLASS_NETLINK_ISCSI_SOCKET;
1216 return SECCLASS_NETLINK_AUDIT_SOCKET;
1217 case NETLINK_FIB_LOOKUP:
1218 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1219 case NETLINK_CONNECTOR:
1220 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1221 case NETLINK_NETFILTER:
1222 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1223 case NETLINK_DNRTMSG:
1224 return SECCLASS_NETLINK_DNRT_SOCKET;
1225 case NETLINK_KOBJECT_UEVENT:
1226 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1227 case NETLINK_GENERIC:
1228 return SECCLASS_NETLINK_GENERIC_SOCKET;
1229 case NETLINK_SCSITRANSPORT:
1230 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1232 return SECCLASS_NETLINK_RDMA_SOCKET;
1233 case NETLINK_CRYPTO:
1234 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1236 return SECCLASS_NETLINK_SOCKET;
1239 return SECCLASS_PACKET_SOCKET;
1241 return SECCLASS_KEY_SOCKET;
1243 return SECCLASS_APPLETALK_SOCKET;
1249 return SECCLASS_AX25_SOCKET;
1251 return SECCLASS_IPX_SOCKET;
1253 return SECCLASS_NETROM_SOCKET;
1255 return SECCLASS_ATMPVC_SOCKET;
1257 return SECCLASS_X25_SOCKET;
1259 return SECCLASS_ROSE_SOCKET;
1261 return SECCLASS_DECNET_SOCKET;
1263 return SECCLASS_ATMSVC_SOCKET;
1265 return SECCLASS_RDS_SOCKET;
1267 return SECCLASS_IRDA_SOCKET;
1269 return SECCLASS_PPPOX_SOCKET;
1271 return SECCLASS_LLC_SOCKET;
1273 return SECCLASS_CAN_SOCKET;
1275 return SECCLASS_TIPC_SOCKET;
1277 return SECCLASS_BLUETOOTH_SOCKET;
1279 return SECCLASS_IUCV_SOCKET;
1281 return SECCLASS_RXRPC_SOCKET;
1283 return SECCLASS_ISDN_SOCKET;
1285 return SECCLASS_PHONET_SOCKET;
1287 return SECCLASS_IEEE802154_SOCKET;
1289 return SECCLASS_CAIF_SOCKET;
1291 return SECCLASS_ALG_SOCKET;
1293 return SECCLASS_NFC_SOCKET;
1295 return SECCLASS_VSOCK_SOCKET;
1297 return SECCLASS_KCM_SOCKET;
1299 return SECCLASS_QIPCRTR_SOCKET;
1301 return SECCLASS_SMC_SOCKET;
1303 return SECCLASS_XDP_SOCKET;
1305 #error New address family defined, please update this function.
1310 return SECCLASS_SOCKET;
1313 static int selinux_genfs_get_sid(struct dentry *dentry,
1319 struct super_block *sb = dentry->d_sb;
1320 char *buffer, *path;
1322 buffer = (char *)__get_free_page(GFP_KERNEL);
1326 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1330 if (flags & SE_SBPROC) {
1331 /* each process gets a /proc/PID/ entry. Strip off the
1332 * PID part to get a valid selinux labeling.
1333 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1334 while (path[1] >= '0' && path[1] <= '9') {
1339 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1341 if (rc == -ENOENT) {
1342 /* No match in policy, mark as unlabeled. */
1343 *sid = SECINITSID_UNLABELED;
1347 free_page((unsigned long)buffer);
1351 /* The inode's security attributes must be initialized before first use. */
1352 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1354 struct superblock_security_struct *sbsec = NULL;
1355 struct inode_security_struct *isec = selinux_inode(inode);
1356 u32 task_sid, sid = 0;
1358 struct dentry *dentry;
1359 #define INITCONTEXTLEN 255
1360 char *context = NULL;
1364 if (isec->initialized == LABEL_INITIALIZED)
1367 spin_lock(&isec->lock);
1368 if (isec->initialized == LABEL_INITIALIZED)
1371 if (isec->sclass == SECCLASS_FILE)
1372 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1374 sbsec = inode->i_sb->s_security;
1375 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1376 /* Defer initialization until selinux_complete_init,
1377 after the initial policy is loaded and the security
1378 server is ready to handle calls. */
1379 spin_lock(&sbsec->isec_lock);
1380 if (list_empty(&isec->list))
1381 list_add(&isec->list, &sbsec->isec_head);
1382 spin_unlock(&sbsec->isec_lock);
1386 sclass = isec->sclass;
1387 task_sid = isec->task_sid;
1389 isec->initialized = LABEL_PENDING;
1390 spin_unlock(&isec->lock);
1392 switch (sbsec->behavior) {
1393 case SECURITY_FS_USE_NATIVE:
1395 case SECURITY_FS_USE_XATTR:
1396 if (!(inode->i_opflags & IOP_XATTR)) {
1397 sid = sbsec->def_sid;
1400 /* Need a dentry, since the xattr API requires one.
1401 Life would be simpler if we could just pass the inode. */
1403 /* Called from d_instantiate or d_splice_alias. */
1404 dentry = dget(opt_dentry);
1407 * Called from selinux_complete_init, try to find a dentry.
1408 * Some filesystems really want a connected one, so try
1409 * that first. We could split SECURITY_FS_USE_XATTR in
1410 * two, depending upon that...
1412 dentry = d_find_alias(inode);
1414 dentry = d_find_any_alias(inode);
1418 * this is can be hit on boot when a file is accessed
1419 * before the policy is loaded. When we load policy we
1420 * may find inodes that have no dentry on the
1421 * sbsec->isec_head list. No reason to complain as these
1422 * will get fixed up the next time we go through
1423 * inode_doinit with a dentry, before these inodes could
1424 * be used again by userspace.
1429 len = INITCONTEXTLEN;
1430 context = kmalloc(len+1, GFP_NOFS);
1436 context[len] = '\0';
1437 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1438 if (rc == -ERANGE) {
1441 /* Need a larger buffer. Query for the right size. */
1442 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1448 context = kmalloc(len+1, GFP_NOFS);
1454 context[len] = '\0';
1455 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1459 if (rc != -ENODATA) {
1460 pr_warn("SELinux: %s: getxattr returned "
1461 "%d for dev=%s ino=%ld\n", __func__,
1462 -rc, inode->i_sb->s_id, inode->i_ino);
1466 /* Map ENODATA to the default file SID */
1467 sid = sbsec->def_sid;
1470 rc = security_context_to_sid_default(&selinux_state,
1475 char *dev = inode->i_sb->s_id;
1476 unsigned long ino = inode->i_ino;
1478 if (rc == -EINVAL) {
1479 if (printk_ratelimit())
1480 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1481 "context=%s. This indicates you may need to relabel the inode or the "
1482 "filesystem in question.\n", ino, dev, context);
1484 pr_warn("SELinux: %s: context_to_sid(%s) "
1485 "returned %d for dev=%s ino=%ld\n",
1486 __func__, context, -rc, dev, ino);
1489 /* Leave with the unlabeled SID */
1496 case SECURITY_FS_USE_TASK:
1499 case SECURITY_FS_USE_TRANS:
1500 /* Default to the fs SID. */
1503 /* Try to obtain a transition SID. */
1504 rc = security_transition_sid(&selinux_state, task_sid, sid,
1505 sclass, NULL, &sid);
1509 case SECURITY_FS_USE_MNTPOINT:
1510 sid = sbsec->mntpoint_sid;
1513 /* Default to the fs superblock SID. */
1516 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1517 /* We must have a dentry to determine the label on
1520 /* Called from d_instantiate or
1521 * d_splice_alias. */
1522 dentry = dget(opt_dentry);
1524 /* Called from selinux_complete_init, try to
1525 * find a dentry. Some filesystems really want
1526 * a connected one, so try that first.
1528 dentry = d_find_alias(inode);
1530 dentry = d_find_any_alias(inode);
1533 * This can be hit on boot when a file is accessed
1534 * before the policy is loaded. When we load policy we
1535 * may find inodes that have no dentry on the
1536 * sbsec->isec_head list. No reason to complain as
1537 * these will get fixed up the next time we go through
1538 * inode_doinit() with a dentry, before these inodes
1539 * could be used again by userspace.
1543 rc = selinux_genfs_get_sid(dentry, sclass,
1544 sbsec->flags, &sid);
1553 spin_lock(&isec->lock);
1554 if (isec->initialized == LABEL_PENDING) {
1556 isec->initialized = LABEL_INVALID;
1560 isec->initialized = LABEL_INITIALIZED;
1565 spin_unlock(&isec->lock);
1569 /* Convert a Linux signal to an access vector. */
1570 static inline u32 signal_to_av(int sig)
1576 /* Commonly granted from child to parent. */
1577 perm = PROCESS__SIGCHLD;
1580 /* Cannot be caught or ignored */
1581 perm = PROCESS__SIGKILL;
1584 /* Cannot be caught or ignored */
1585 perm = PROCESS__SIGSTOP;
1588 /* All other signals. */
1589 perm = PROCESS__SIGNAL;
1596 #if CAP_LAST_CAP > 63
1597 #error Fix SELinux to handle capabilities > 63.
1600 /* Check whether a task is allowed to use a capability. */
1601 static int cred_has_capability(const struct cred *cred,
1602 int cap, unsigned int opts, bool initns)
1604 struct common_audit_data ad;
1605 struct av_decision avd;
1607 u32 sid = cred_sid(cred);
1608 u32 av = CAP_TO_MASK(cap);
1611 ad.type = LSM_AUDIT_DATA_CAP;
1614 switch (CAP_TO_INDEX(cap)) {
1616 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1619 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1622 pr_err("SELinux: out of range capability %d\n", cap);
1627 rc = avc_has_perm_noaudit(&selinux_state,
1628 sid, sid, sclass, av, 0, &avd);
1629 if (!(opts & CAP_OPT_NOAUDIT)) {
1630 int rc2 = avc_audit(&selinux_state,
1631 sid, sid, sclass, av, &avd, rc, &ad, 0);
1638 /* Check whether a task has a particular permission to an inode.
1639 The 'adp' parameter is optional and allows other audit
1640 data to be passed (e.g. the dentry). */
1641 static int inode_has_perm(const struct cred *cred,
1642 struct inode *inode,
1644 struct common_audit_data *adp)
1646 struct inode_security_struct *isec;
1649 validate_creds(cred);
1651 if (unlikely(IS_PRIVATE(inode)))
1654 sid = cred_sid(cred);
1655 isec = selinux_inode(inode);
1657 return avc_has_perm(&selinux_state,
1658 sid, isec->sid, isec->sclass, perms, adp);
1661 /* Same as inode_has_perm, but pass explicit audit data containing
1662 the dentry to help the auditing code to more easily generate the
1663 pathname if needed. */
1664 static inline int dentry_has_perm(const struct cred *cred,
1665 struct dentry *dentry,
1668 struct inode *inode = d_backing_inode(dentry);
1669 struct common_audit_data ad;
1671 ad.type = LSM_AUDIT_DATA_DENTRY;
1672 ad.u.dentry = dentry;
1673 __inode_security_revalidate(inode, dentry, true);
1674 return inode_has_perm(cred, inode, av, &ad);
1677 /* Same as inode_has_perm, but pass explicit audit data containing
1678 the path to help the auditing code to more easily generate the
1679 pathname if needed. */
1680 static inline int path_has_perm(const struct cred *cred,
1681 const struct path *path,
1684 struct inode *inode = d_backing_inode(path->dentry);
1685 struct common_audit_data ad;
1687 ad.type = LSM_AUDIT_DATA_PATH;
1689 __inode_security_revalidate(inode, path->dentry, true);
1690 return inode_has_perm(cred, inode, av, &ad);
1693 /* Same as path_has_perm, but uses the inode from the file struct. */
1694 static inline int file_path_has_perm(const struct cred *cred,
1698 struct common_audit_data ad;
1700 ad.type = LSM_AUDIT_DATA_FILE;
1702 return inode_has_perm(cred, file_inode(file), av, &ad);
1705 #ifdef CONFIG_BPF_SYSCALL
1706 static int bpf_fd_pass(struct file *file, u32 sid);
1709 /* Check whether a task can use an open file descriptor to
1710 access an inode in a given way. Check access to the
1711 descriptor itself, and then use dentry_has_perm to
1712 check a particular permission to the file.
1713 Access to the descriptor is implicitly granted if it
1714 has the same SID as the process. If av is zero, then
1715 access to the file is not checked, e.g. for cases
1716 where only the descriptor is affected like seek. */
1717 static int file_has_perm(const struct cred *cred,
1721 struct file_security_struct *fsec = selinux_file(file);
1722 struct inode *inode = file_inode(file);
1723 struct common_audit_data ad;
1724 u32 sid = cred_sid(cred);
1727 ad.type = LSM_AUDIT_DATA_FILE;
1730 if (sid != fsec->sid) {
1731 rc = avc_has_perm(&selinux_state,
1740 #ifdef CONFIG_BPF_SYSCALL
1741 rc = bpf_fd_pass(file, cred_sid(cred));
1746 /* av is zero if only checking access to the descriptor. */
1749 rc = inode_has_perm(cred, inode, av, &ad);
1756 * Determine the label for an inode that might be unioned.
1759 selinux_determine_inode_label(const struct task_security_struct *tsec,
1761 const struct qstr *name, u16 tclass,
1764 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1766 if ((sbsec->flags & SE_SBINITIALIZED) &&
1767 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1768 *_new_isid = sbsec->mntpoint_sid;
1769 } else if ((sbsec->flags & SBLABEL_MNT) &&
1771 *_new_isid = tsec->create_sid;
1773 const struct inode_security_struct *dsec = inode_security(dir);
1774 return security_transition_sid(&selinux_state, tsec->sid,
1782 /* Check whether a task can create a file. */
1783 static int may_create(struct inode *dir,
1784 struct dentry *dentry,
1787 const struct task_security_struct *tsec = selinux_cred(current_cred());
1788 struct inode_security_struct *dsec;
1789 struct superblock_security_struct *sbsec;
1791 struct common_audit_data ad;
1794 dsec = inode_security(dir);
1795 sbsec = dir->i_sb->s_security;
1799 ad.type = LSM_AUDIT_DATA_DENTRY;
1800 ad.u.dentry = dentry;
1802 rc = avc_has_perm(&selinux_state,
1803 sid, dsec->sid, SECCLASS_DIR,
1804 DIR__ADD_NAME | DIR__SEARCH,
1809 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1810 &dentry->d_name, tclass, &newsid);
1814 rc = avc_has_perm(&selinux_state,
1815 sid, newsid, tclass, FILE__CREATE, &ad);
1819 return avc_has_perm(&selinux_state,
1821 SECCLASS_FILESYSTEM,
1822 FILESYSTEM__ASSOCIATE, &ad);
1826 #define MAY_UNLINK 1
1829 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1830 static int may_link(struct inode *dir,
1831 struct dentry *dentry,
1835 struct inode_security_struct *dsec, *isec;
1836 struct common_audit_data ad;
1837 u32 sid = current_sid();
1841 dsec = inode_security(dir);
1842 isec = backing_inode_security(dentry);
1844 ad.type = LSM_AUDIT_DATA_DENTRY;
1845 ad.u.dentry = dentry;
1848 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1849 rc = avc_has_perm(&selinux_state,
1850 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1865 pr_warn("SELinux: %s: unrecognized kind %d\n",
1870 rc = avc_has_perm(&selinux_state,
1871 sid, isec->sid, isec->sclass, av, &ad);
1875 static inline int may_rename(struct inode *old_dir,
1876 struct dentry *old_dentry,
1877 struct inode *new_dir,
1878 struct dentry *new_dentry)
1880 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1881 struct common_audit_data ad;
1882 u32 sid = current_sid();
1884 int old_is_dir, new_is_dir;
1887 old_dsec = inode_security(old_dir);
1888 old_isec = backing_inode_security(old_dentry);
1889 old_is_dir = d_is_dir(old_dentry);
1890 new_dsec = inode_security(new_dir);
1892 ad.type = LSM_AUDIT_DATA_DENTRY;
1894 ad.u.dentry = old_dentry;
1895 rc = avc_has_perm(&selinux_state,
1896 sid, old_dsec->sid, SECCLASS_DIR,
1897 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1900 rc = avc_has_perm(&selinux_state,
1902 old_isec->sclass, FILE__RENAME, &ad);
1905 if (old_is_dir && new_dir != old_dir) {
1906 rc = avc_has_perm(&selinux_state,
1908 old_isec->sclass, DIR__REPARENT, &ad);
1913 ad.u.dentry = new_dentry;
1914 av = DIR__ADD_NAME | DIR__SEARCH;
1915 if (d_is_positive(new_dentry))
1916 av |= DIR__REMOVE_NAME;
1917 rc = avc_has_perm(&selinux_state,
1918 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1921 if (d_is_positive(new_dentry)) {
1922 new_isec = backing_inode_security(new_dentry);
1923 new_is_dir = d_is_dir(new_dentry);
1924 rc = avc_has_perm(&selinux_state,
1927 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1935 /* Check whether a task can perform a filesystem operation. */
1936 static int superblock_has_perm(const struct cred *cred,
1937 struct super_block *sb,
1939 struct common_audit_data *ad)
1941 struct superblock_security_struct *sbsec;
1942 u32 sid = cred_sid(cred);
1944 sbsec = sb->s_security;
1945 return avc_has_perm(&selinux_state,
1946 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1949 /* Convert a Linux mode and permission mask to an access vector. */
1950 static inline u32 file_mask_to_av(int mode, int mask)
1954 if (!S_ISDIR(mode)) {
1955 if (mask & MAY_EXEC)
1956 av |= FILE__EXECUTE;
1957 if (mask & MAY_READ)
1960 if (mask & MAY_APPEND)
1962 else if (mask & MAY_WRITE)
1966 if (mask & MAY_EXEC)
1968 if (mask & MAY_WRITE)
1970 if (mask & MAY_READ)
1977 /* Convert a Linux file to an access vector. */
1978 static inline u32 file_to_av(struct file *file)
1982 if (file->f_mode & FMODE_READ)
1984 if (file->f_mode & FMODE_WRITE) {
1985 if (file->f_flags & O_APPEND)
1992 * Special file opened with flags 3 for ioctl-only use.
2001 * Convert a file to an access vector and include the correct open
2004 static inline u32 open_file_to_av(struct file *file)
2006 u32 av = file_to_av(file);
2007 struct inode *inode = file_inode(file);
2009 if (selinux_policycap_openperm() &&
2010 inode->i_sb->s_magic != SOCKFS_MAGIC)
2016 /* Hook functions begin here. */
2018 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2020 u32 mysid = current_sid();
2021 u32 mgrsid = task_sid(mgr);
2023 return avc_has_perm(&selinux_state,
2024 mysid, mgrsid, SECCLASS_BINDER,
2025 BINDER__SET_CONTEXT_MGR, NULL);
2028 static int selinux_binder_transaction(struct task_struct *from,
2029 struct task_struct *to)
2031 u32 mysid = current_sid();
2032 u32 fromsid = task_sid(from);
2033 u32 tosid = task_sid(to);
2036 if (mysid != fromsid) {
2037 rc = avc_has_perm(&selinux_state,
2038 mysid, fromsid, SECCLASS_BINDER,
2039 BINDER__IMPERSONATE, NULL);
2044 return avc_has_perm(&selinux_state,
2045 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2049 static int selinux_binder_transfer_binder(struct task_struct *from,
2050 struct task_struct *to)
2052 u32 fromsid = task_sid(from);
2053 u32 tosid = task_sid(to);
2055 return avc_has_perm(&selinux_state,
2056 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2060 static int selinux_binder_transfer_file(struct task_struct *from,
2061 struct task_struct *to,
2064 u32 sid = task_sid(to);
2065 struct file_security_struct *fsec = selinux_file(file);
2066 struct dentry *dentry = file->f_path.dentry;
2067 struct inode_security_struct *isec;
2068 struct common_audit_data ad;
2071 ad.type = LSM_AUDIT_DATA_PATH;
2072 ad.u.path = file->f_path;
2074 if (sid != fsec->sid) {
2075 rc = avc_has_perm(&selinux_state,
2084 #ifdef CONFIG_BPF_SYSCALL
2085 rc = bpf_fd_pass(file, sid);
2090 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2093 isec = backing_inode_security(dentry);
2094 return avc_has_perm(&selinux_state,
2095 sid, isec->sid, isec->sclass, file_to_av(file),
2099 static int selinux_ptrace_access_check(struct task_struct *child,
2102 u32 sid = current_sid();
2103 u32 csid = task_sid(child);
2105 if (mode & PTRACE_MODE_READ)
2106 return avc_has_perm(&selinux_state,
2107 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2109 return avc_has_perm(&selinux_state,
2110 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2113 static int selinux_ptrace_traceme(struct task_struct *parent)
2115 return avc_has_perm(&selinux_state,
2116 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2117 PROCESS__PTRACE, NULL);
2120 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2121 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2123 return avc_has_perm(&selinux_state,
2124 current_sid(), task_sid(target), SECCLASS_PROCESS,
2125 PROCESS__GETCAP, NULL);
2128 static int selinux_capset(struct cred *new, const struct cred *old,
2129 const kernel_cap_t *effective,
2130 const kernel_cap_t *inheritable,
2131 const kernel_cap_t *permitted)
2133 return avc_has_perm(&selinux_state,
2134 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2135 PROCESS__SETCAP, NULL);
2139 * (This comment used to live with the selinux_task_setuid hook,
2140 * which was removed).
2142 * Since setuid only affects the current process, and since the SELinux
2143 * controls are not based on the Linux identity attributes, SELinux does not
2144 * need to control this operation. However, SELinux does control the use of
2145 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2148 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2149 int cap, unsigned int opts)
2151 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2154 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2156 const struct cred *cred = current_cred();
2168 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2173 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2176 rc = 0; /* let the kernel handle invalid cmds */
2182 static int selinux_quota_on(struct dentry *dentry)
2184 const struct cred *cred = current_cred();
2186 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2189 static int selinux_syslog(int type)
2192 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2193 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2194 return avc_has_perm(&selinux_state,
2195 current_sid(), SECINITSID_KERNEL,
2196 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2197 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2198 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2199 /* Set level of messages printed to console */
2200 case SYSLOG_ACTION_CONSOLE_LEVEL:
2201 return avc_has_perm(&selinux_state,
2202 current_sid(), SECINITSID_KERNEL,
2203 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2206 /* All other syslog types */
2207 return avc_has_perm(&selinux_state,
2208 current_sid(), SECINITSID_KERNEL,
2209 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2213 * Check that a process has enough memory to allocate a new virtual
2214 * mapping. 0 means there is enough memory for the allocation to
2215 * succeed and -ENOMEM implies there is not.
2217 * Do not audit the selinux permission check, as this is applied to all
2218 * processes that allocate mappings.
2220 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2222 int rc, cap_sys_admin = 0;
2224 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2225 CAP_OPT_NOAUDIT, true);
2229 return cap_sys_admin;
2232 /* binprm security operations */
2234 static u32 ptrace_parent_sid(void)
2237 struct task_struct *tracer;
2240 tracer = ptrace_parent(current);
2242 sid = task_sid(tracer);
2248 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2249 const struct task_security_struct *old_tsec,
2250 const struct task_security_struct *new_tsec)
2252 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2253 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2257 if (!nnp && !nosuid)
2258 return 0; /* neither NNP nor nosuid */
2260 if (new_tsec->sid == old_tsec->sid)
2261 return 0; /* No change in credentials */
2264 * If the policy enables the nnp_nosuid_transition policy capability,
2265 * then we permit transitions under NNP or nosuid if the
2266 * policy allows the corresponding permission between
2267 * the old and new contexts.
2269 if (selinux_policycap_nnp_nosuid_transition()) {
2272 av |= PROCESS2__NNP_TRANSITION;
2274 av |= PROCESS2__NOSUID_TRANSITION;
2275 rc = avc_has_perm(&selinux_state,
2276 old_tsec->sid, new_tsec->sid,
2277 SECCLASS_PROCESS2, av, NULL);
2283 * We also permit NNP or nosuid transitions to bounded SIDs,
2284 * i.e. SIDs that are guaranteed to only be allowed a subset
2285 * of the permissions of the current SID.
2287 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2293 * On failure, preserve the errno values for NNP vs nosuid.
2294 * NNP: Operation not permitted for caller.
2295 * nosuid: Permission denied to file.
2302 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2304 const struct task_security_struct *old_tsec;
2305 struct task_security_struct *new_tsec;
2306 struct inode_security_struct *isec;
2307 struct common_audit_data ad;
2308 struct inode *inode = file_inode(bprm->file);
2311 /* SELinux context only depends on initial program or script and not
2312 * the script interpreter */
2313 if (bprm->called_set_creds)
2316 old_tsec = selinux_cred(current_cred());
2317 new_tsec = selinux_cred(bprm->cred);
2318 isec = inode_security(inode);
2320 /* Default to the current task SID. */
2321 new_tsec->sid = old_tsec->sid;
2322 new_tsec->osid = old_tsec->sid;
2324 /* Reset fs, key, and sock SIDs on execve. */
2325 new_tsec->create_sid = 0;
2326 new_tsec->keycreate_sid = 0;
2327 new_tsec->sockcreate_sid = 0;
2329 if (old_tsec->exec_sid) {
2330 new_tsec->sid = old_tsec->exec_sid;
2331 /* Reset exec SID on execve. */
2332 new_tsec->exec_sid = 0;
2334 /* Fail on NNP or nosuid if not an allowed transition. */
2335 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2339 /* Check for a default transition on this program. */
2340 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2341 isec->sid, SECCLASS_PROCESS, NULL,
2347 * Fallback to old SID on NNP or nosuid if not an allowed
2350 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2352 new_tsec->sid = old_tsec->sid;
2355 ad.type = LSM_AUDIT_DATA_FILE;
2356 ad.u.file = bprm->file;
2358 if (new_tsec->sid == old_tsec->sid) {
2359 rc = avc_has_perm(&selinux_state,
2360 old_tsec->sid, isec->sid,
2361 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2365 /* Check permissions for the transition. */
2366 rc = avc_has_perm(&selinux_state,
2367 old_tsec->sid, new_tsec->sid,
2368 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2372 rc = avc_has_perm(&selinux_state,
2373 new_tsec->sid, isec->sid,
2374 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2378 /* Check for shared state */
2379 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2380 rc = avc_has_perm(&selinux_state,
2381 old_tsec->sid, new_tsec->sid,
2382 SECCLASS_PROCESS, PROCESS__SHARE,
2388 /* Make sure that anyone attempting to ptrace over a task that
2389 * changes its SID has the appropriate permit */
2390 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2391 u32 ptsid = ptrace_parent_sid();
2393 rc = avc_has_perm(&selinux_state,
2394 ptsid, new_tsec->sid,
2396 PROCESS__PTRACE, NULL);
2402 /* Clear any possibly unsafe personality bits on exec: */
2403 bprm->per_clear |= PER_CLEAR_ON_SETID;
2405 /* Enable secure mode for SIDs transitions unless
2406 the noatsecure permission is granted between
2407 the two SIDs, i.e. ahp returns 0. */
2408 rc = avc_has_perm(&selinux_state,
2409 old_tsec->sid, new_tsec->sid,
2410 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2412 bprm->secureexec |= !!rc;
2418 static int match_file(const void *p, struct file *file, unsigned fd)
2420 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2423 /* Derived from fs/exec.c:flush_old_files. */
2424 static inline void flush_unauthorized_files(const struct cred *cred,
2425 struct files_struct *files)
2427 struct file *file, *devnull = NULL;
2428 struct tty_struct *tty;
2432 tty = get_current_tty();
2434 spin_lock(&tty->files_lock);
2435 if (!list_empty(&tty->tty_files)) {
2436 struct tty_file_private *file_priv;
2438 /* Revalidate access to controlling tty.
2439 Use file_path_has_perm on the tty path directly
2440 rather than using file_has_perm, as this particular
2441 open file may belong to another process and we are
2442 only interested in the inode-based check here. */
2443 file_priv = list_first_entry(&tty->tty_files,
2444 struct tty_file_private, list);
2445 file = file_priv->file;
2446 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2449 spin_unlock(&tty->files_lock);
2452 /* Reset controlling tty. */
2456 /* Revalidate access to inherited open files. */
2457 n = iterate_fd(files, 0, match_file, cred);
2458 if (!n) /* none found? */
2461 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2462 if (IS_ERR(devnull))
2464 /* replace all the matching ones with this */
2466 replace_fd(n - 1, devnull, 0);
2467 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2473 * Prepare a process for imminent new credential changes due to exec
2475 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2477 struct task_security_struct *new_tsec;
2478 struct rlimit *rlim, *initrlim;
2481 new_tsec = selinux_cred(bprm->cred);
2482 if (new_tsec->sid == new_tsec->osid)
2485 /* Close files for which the new task SID is not authorized. */
2486 flush_unauthorized_files(bprm->cred, current->files);
2488 /* Always clear parent death signal on SID transitions. */
2489 current->pdeath_signal = 0;
2491 /* Check whether the new SID can inherit resource limits from the old
2492 * SID. If not, reset all soft limits to the lower of the current
2493 * task's hard limit and the init task's soft limit.
2495 * Note that the setting of hard limits (even to lower them) can be
2496 * controlled by the setrlimit check. The inclusion of the init task's
2497 * soft limit into the computation is to avoid resetting soft limits
2498 * higher than the default soft limit for cases where the default is
2499 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2501 rc = avc_has_perm(&selinux_state,
2502 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2503 PROCESS__RLIMITINH, NULL);
2505 /* protect against do_prlimit() */
2507 for (i = 0; i < RLIM_NLIMITS; i++) {
2508 rlim = current->signal->rlim + i;
2509 initrlim = init_task.signal->rlim + i;
2510 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2512 task_unlock(current);
2513 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2514 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2519 * Clean up the process immediately after the installation of new credentials
2522 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2524 const struct task_security_struct *tsec = selinux_cred(current_cred());
2525 struct itimerval itimer;
2535 /* Check whether the new SID can inherit signal state from the old SID.
2536 * If not, clear itimers to avoid subsequent signal generation and
2537 * flush and unblock signals.
2539 * This must occur _after_ the task SID has been updated so that any
2540 * kill done after the flush will be checked against the new SID.
2542 rc = avc_has_perm(&selinux_state,
2543 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2545 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2546 memset(&itimer, 0, sizeof itimer);
2547 for (i = 0; i < 3; i++)
2548 do_setitimer(i, &itimer, NULL);
2550 spin_lock_irq(¤t->sighand->siglock);
2551 if (!fatal_signal_pending(current)) {
2552 flush_sigqueue(¤t->pending);
2553 flush_sigqueue(¤t->signal->shared_pending);
2554 flush_signal_handlers(current, 1);
2555 sigemptyset(¤t->blocked);
2556 recalc_sigpending();
2558 spin_unlock_irq(¤t->sighand->siglock);
2561 /* Wake up the parent if it is waiting so that it can recheck
2562 * wait permission to the new task SID. */
2563 read_lock(&tasklist_lock);
2564 __wake_up_parent(current, current->real_parent);
2565 read_unlock(&tasklist_lock);
2568 /* superblock security operations */
2570 static int selinux_sb_alloc_security(struct super_block *sb)
2572 return superblock_alloc_security(sb);
2575 static void selinux_sb_free_security(struct super_block *sb)
2577 superblock_free_security(sb);
2580 static inline int opt_len(const char *s)
2582 bool open_quote = false;
2586 for (len = 0; (c = s[len]) != '\0'; len++) {
2588 open_quote = !open_quote;
2589 if (c == ',' && !open_quote)
2595 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2597 char *from = options;
2602 int len = opt_len(from);
2606 token = match_opt_prefix(from, len, &arg);
2608 if (token != Opt_error) {
2613 for (p = q = arg; p < from + len; p++) {
2618 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2620 rc = selinux_add_opt(token, arg, mnt_opts);
2624 selinux_free_mnt_opts(*mnt_opts);
2630 if (!first) { // copy with preceding comma
2635 memmove(to, from, len);
2647 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2649 struct selinux_mnt_opts *opts = mnt_opts;
2650 struct superblock_security_struct *sbsec = sb->s_security;
2654 if (!(sbsec->flags & SE_SBINITIALIZED))
2660 if (opts->fscontext) {
2661 rc = parse_sid(sb, opts->fscontext, &sid);
2664 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2665 goto out_bad_option;
2667 if (opts->context) {
2668 rc = parse_sid(sb, opts->context, &sid);
2671 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2672 goto out_bad_option;
2674 if (opts->rootcontext) {
2675 struct inode_security_struct *root_isec;
2676 root_isec = backing_inode_security(sb->s_root);
2677 rc = parse_sid(sb, opts->rootcontext, &sid);
2680 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2681 goto out_bad_option;
2683 if (opts->defcontext) {
2684 rc = parse_sid(sb, opts->defcontext, &sid);
2687 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2688 goto out_bad_option;
2693 pr_warn("SELinux: unable to change security options "
2694 "during remount (dev %s, type=%s)\n", sb->s_id,
2699 static int selinux_sb_kern_mount(struct super_block *sb)
2701 const struct cred *cred = current_cred();
2702 struct common_audit_data ad;
2704 ad.type = LSM_AUDIT_DATA_DENTRY;
2705 ad.u.dentry = sb->s_root;
2706 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2709 static int selinux_sb_statfs(struct dentry *dentry)
2711 const struct cred *cred = current_cred();
2712 struct common_audit_data ad;
2714 ad.type = LSM_AUDIT_DATA_DENTRY;
2715 ad.u.dentry = dentry->d_sb->s_root;
2716 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2719 static int selinux_mount(const char *dev_name,
2720 const struct path *path,
2722 unsigned long flags,
2725 const struct cred *cred = current_cred();
2727 if (flags & MS_REMOUNT)
2728 return superblock_has_perm(cred, path->dentry->d_sb,
2729 FILESYSTEM__REMOUNT, NULL);
2731 return path_has_perm(cred, path, FILE__MOUNTON);
2734 static int selinux_umount(struct vfsmount *mnt, int flags)
2736 const struct cred *cred = current_cred();
2738 return superblock_has_perm(cred, mnt->mnt_sb,
2739 FILESYSTEM__UNMOUNT, NULL);
2742 /* inode security operations */
2744 static int selinux_inode_alloc_security(struct inode *inode)
2746 return inode_alloc_security(inode);
2749 static void selinux_inode_free_security(struct inode *inode)
2751 inode_free_security(inode);
2754 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2755 const struct qstr *name, void **ctx,
2761 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2762 d_inode(dentry->d_parent), name,
2763 inode_mode_to_security_class(mode),
2768 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2772 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2774 const struct cred *old,
2779 struct task_security_struct *tsec;
2781 rc = selinux_determine_inode_label(selinux_cred(old),
2782 d_inode(dentry->d_parent), name,
2783 inode_mode_to_security_class(mode),
2788 tsec = selinux_cred(new);
2789 tsec->create_sid = newsid;
2793 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2794 const struct qstr *qstr,
2796 void **value, size_t *len)
2798 const struct task_security_struct *tsec = selinux_cred(current_cred());
2799 struct superblock_security_struct *sbsec;
2804 sbsec = dir->i_sb->s_security;
2806 newsid = tsec->create_sid;
2808 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2810 inode_mode_to_security_class(inode->i_mode),
2815 /* Possibly defer initialization to selinux_complete_init. */
2816 if (sbsec->flags & SE_SBINITIALIZED) {
2817 struct inode_security_struct *isec = selinux_inode(inode);
2818 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2820 isec->initialized = LABEL_INITIALIZED;
2823 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2827 *name = XATTR_SELINUX_SUFFIX;
2830 rc = security_sid_to_context_force(&selinux_state, newsid,
2841 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2843 return may_create(dir, dentry, SECCLASS_FILE);
2846 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2848 return may_link(dir, old_dentry, MAY_LINK);
2851 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2853 return may_link(dir, dentry, MAY_UNLINK);
2856 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2858 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2861 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2863 return may_create(dir, dentry, SECCLASS_DIR);
2866 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2868 return may_link(dir, dentry, MAY_RMDIR);
2871 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2873 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2876 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2877 struct inode *new_inode, struct dentry *new_dentry)
2879 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2882 static int selinux_inode_readlink(struct dentry *dentry)
2884 const struct cred *cred = current_cred();
2886 return dentry_has_perm(cred, dentry, FILE__READ);
2889 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2892 const struct cred *cred = current_cred();
2893 struct common_audit_data ad;
2894 struct inode_security_struct *isec;
2897 validate_creds(cred);
2899 ad.type = LSM_AUDIT_DATA_DENTRY;
2900 ad.u.dentry = dentry;
2901 sid = cred_sid(cred);
2902 isec = inode_security_rcu(inode, rcu);
2904 return PTR_ERR(isec);
2906 return avc_has_perm(&selinux_state,
2907 sid, isec->sid, isec->sclass, FILE__READ, &ad);
2910 static noinline int audit_inode_permission(struct inode *inode,
2911 u32 perms, u32 audited, u32 denied,
2915 struct common_audit_data ad;
2916 struct inode_security_struct *isec = selinux_inode(inode);
2919 ad.type = LSM_AUDIT_DATA_INODE;
2922 rc = slow_avc_audit(&selinux_state,
2923 current_sid(), isec->sid, isec->sclass, perms,
2924 audited, denied, result, &ad, flags);
2930 static int selinux_inode_permission(struct inode *inode, int mask)
2932 const struct cred *cred = current_cred();
2935 unsigned flags = mask & MAY_NOT_BLOCK;
2936 struct inode_security_struct *isec;
2938 struct av_decision avd;
2940 u32 audited, denied;
2942 from_access = mask & MAY_ACCESS;
2943 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2945 /* No permission to check. Existence test. */
2949 validate_creds(cred);
2951 if (unlikely(IS_PRIVATE(inode)))
2954 perms = file_mask_to_av(inode->i_mode, mask);
2956 sid = cred_sid(cred);
2957 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2959 return PTR_ERR(isec);
2961 rc = avc_has_perm_noaudit(&selinux_state,
2962 sid, isec->sid, isec->sclass, perms,
2963 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
2965 audited = avc_audit_required(perms, &avd, rc,
2966 from_access ? FILE__AUDIT_ACCESS : 0,
2968 if (likely(!audited))
2971 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2977 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2979 const struct cred *cred = current_cred();
2980 struct inode *inode = d_backing_inode(dentry);
2981 unsigned int ia_valid = iattr->ia_valid;
2982 __u32 av = FILE__WRITE;
2984 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2985 if (ia_valid & ATTR_FORCE) {
2986 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2992 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2993 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2994 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2996 if (selinux_policycap_openperm() &&
2997 inode->i_sb->s_magic != SOCKFS_MAGIC &&
2998 (ia_valid & ATTR_SIZE) &&
2999 !(ia_valid & ATTR_FILE))
3002 return dentry_has_perm(cred, dentry, av);
3005 static int selinux_inode_getattr(const struct path *path)
3007 return path_has_perm(current_cred(), path, FILE__GETATTR);
3010 static bool has_cap_mac_admin(bool audit)
3012 const struct cred *cred = current_cred();
3013 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3015 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3017 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3022 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3023 const void *value, size_t size, int flags)
3025 struct inode *inode = d_backing_inode(dentry);
3026 struct inode_security_struct *isec;
3027 struct superblock_security_struct *sbsec;
3028 struct common_audit_data ad;
3029 u32 newsid, sid = current_sid();
3032 if (strcmp(name, XATTR_NAME_SELINUX)) {
3033 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3037 /* Not an attribute we recognize, so just check the
3038 ordinary setattr permission. */
3039 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3042 sbsec = inode->i_sb->s_security;
3043 if (!(sbsec->flags & SBLABEL_MNT))
3046 if (!inode_owner_or_capable(inode))
3049 ad.type = LSM_AUDIT_DATA_DENTRY;
3050 ad.u.dentry = dentry;
3052 isec = backing_inode_security(dentry);
3053 rc = avc_has_perm(&selinux_state,
3054 sid, isec->sid, isec->sclass,
3055 FILE__RELABELFROM, &ad);
3059 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3061 if (rc == -EINVAL) {
3062 if (!has_cap_mac_admin(true)) {
3063 struct audit_buffer *ab;
3066 /* We strip a nul only if it is at the end, otherwise the
3067 * context contains a nul and we should audit that */
3069 const char *str = value;
3071 if (str[size - 1] == '\0')
3072 audit_size = size - 1;
3078 ab = audit_log_start(audit_context(),
3079 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3080 audit_log_format(ab, "op=setxattr invalid_context=");
3081 audit_log_n_untrustedstring(ab, value, audit_size);
3086 rc = security_context_to_sid_force(&selinux_state, value,
3092 rc = avc_has_perm(&selinux_state,
3093 sid, newsid, isec->sclass,
3094 FILE__RELABELTO, &ad);
3098 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3103 return avc_has_perm(&selinux_state,
3106 SECCLASS_FILESYSTEM,
3107 FILESYSTEM__ASSOCIATE,
3111 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3112 const void *value, size_t size,
3115 struct inode *inode = d_backing_inode(dentry);
3116 struct inode_security_struct *isec;
3120 if (strcmp(name, XATTR_NAME_SELINUX)) {
3121 /* Not an attribute we recognize, so nothing to do. */
3125 rc = security_context_to_sid_force(&selinux_state, value, size,
3128 pr_err("SELinux: unable to map context to SID"
3129 "for (%s, %lu), rc=%d\n",
3130 inode->i_sb->s_id, inode->i_ino, -rc);
3134 isec = backing_inode_security(dentry);
3135 spin_lock(&isec->lock);
3136 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3138 isec->initialized = LABEL_INITIALIZED;
3139 spin_unlock(&isec->lock);
3144 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3146 const struct cred *cred = current_cred();
3148 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3151 static int selinux_inode_listxattr(struct dentry *dentry)
3153 const struct cred *cred = current_cred();
3155 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3158 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3160 if (strcmp(name, XATTR_NAME_SELINUX)) {
3161 int rc = cap_inode_removexattr(dentry, name);
3165 /* Not an attribute we recognize, so just check the
3166 ordinary setattr permission. */
3167 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3170 /* No one is allowed to remove a SELinux security label.
3171 You can change the label, but all data must be labeled. */
3176 * Copy the inode security context value to the user.
3178 * Permission check is handled by selinux_inode_getxattr hook.
3180 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3184 char *context = NULL;
3185 struct inode_security_struct *isec;
3187 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3191 * If the caller has CAP_MAC_ADMIN, then get the raw context
3192 * value even if it is not defined by current policy; otherwise,
3193 * use the in-core value under current policy.
3194 * Use the non-auditing forms of the permission checks since
3195 * getxattr may be called by unprivileged processes commonly
3196 * and lack of permission just means that we fall back to the
3197 * in-core context value, not a denial.
3199 isec = inode_security(inode);
3200 if (has_cap_mac_admin(false))
3201 error = security_sid_to_context_force(&selinux_state,
3202 isec->sid, &context,
3205 error = security_sid_to_context(&selinux_state, isec->sid,
3219 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3220 const void *value, size_t size, int flags)
3222 struct inode_security_struct *isec = inode_security_novalidate(inode);
3223 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3227 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3230 if (!(sbsec->flags & SBLABEL_MNT))
3233 if (!value || !size)
3236 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3241 spin_lock(&isec->lock);
3242 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3244 isec->initialized = LABEL_INITIALIZED;
3245 spin_unlock(&isec->lock);
3249 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3251 const int len = sizeof(XATTR_NAME_SELINUX);
3252 if (buffer && len <= buffer_size)
3253 memcpy(buffer, XATTR_NAME_SELINUX, len);
3257 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3259 struct inode_security_struct *isec = inode_security_novalidate(inode);
3263 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3266 struct task_security_struct *tsec;
3267 struct cred *new_creds = *new;
3269 if (new_creds == NULL) {
3270 new_creds = prepare_creds();
3275 tsec = selinux_cred(new_creds);
3276 /* Get label from overlay inode and set it in create_sid */
3277 selinux_inode_getsecid(d_inode(src), &sid);
3278 tsec->create_sid = sid;
3283 static int selinux_inode_copy_up_xattr(const char *name)
3285 /* The copy_up hook above sets the initial context on an inode, but we
3286 * don't then want to overwrite it by blindly copying all the lower
3287 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3289 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3290 return 1; /* Discard */
3292 * Any other attribute apart from SELINUX is not claimed, supported
3298 /* file security operations */
3300 static int selinux_revalidate_file_permission(struct file *file, int mask)
git.codelabs.ch / muen / linux.git / blob