2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
106 static int __init enforcing_setup(char *str)
108 unsigned long enforcing;
109 if (!kstrtoul(str, 0, &enforcing))
110 selinux_enforcing = enforcing ? 1 : 0;
113 __setup("enforcing=", enforcing_setup);
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119 static int __init selinux_enabled_setup(char *str)
121 unsigned long enabled;
122 if (!kstrtoul(str, 0, &enabled))
123 selinux_enabled = enabled ? 1 : 0;
126 __setup("selinux=", selinux_enabled_setup);
128 int selinux_enabled = 1;
131 static struct kmem_cache *sel_inode_cache;
132 static struct kmem_cache *file_security_cache;
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
141 * enabled, false (0) if SECMARK is disabled. If the always_check_network
142 * policy capability is enabled, SECMARK is always considered enabled.
145 static int selinux_secmark_enabled(void)
147 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
151 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
154 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
155 * (1) if any are enabled or false (0) if neither are enabled. If the
156 * always_check_network policy capability is enabled, peer labeling
157 * is always considered enabled.
160 static int selinux_peerlbl_enabled(void)
162 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
165 static int selinux_netcache_avc_callback(u32 event)
167 if (event == AVC_CALLBACK_RESET) {
176 static int selinux_lsm_notifier_avc_callback(u32 event)
178 if (event == AVC_CALLBACK_RESET) {
180 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
187 * initialise the security for the init task
189 static void cred_init_security(void)
191 struct cred *cred = (struct cred *) current->real_cred;
192 struct task_security_struct *tsec;
194 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
196 panic("SELinux: Failed to initialize initial task.\n");
198 tsec->osid = tsec->sid = SECINITSID_KERNEL;
199 cred->security = tsec;
203 * get the security ID of a set of credentials
205 static inline u32 cred_sid(const struct cred *cred)
207 const struct task_security_struct *tsec;
209 tsec = cred->security;
214 * get the objective security ID of a task
216 static inline u32 task_sid(const struct task_struct *task)
221 sid = cred_sid(__task_cred(task));
226 /* Allocate and free functions for each kind of security blob. */
228 static int inode_alloc_security(struct inode *inode)
230 struct inode_security_struct *isec;
231 u32 sid = current_sid();
233 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
237 spin_lock_init(&isec->lock);
238 INIT_LIST_HEAD(&isec->list);
240 isec->sid = SECINITSID_UNLABELED;
241 isec->sclass = SECCLASS_FILE;
242 isec->task_sid = sid;
243 isec->initialized = LABEL_INVALID;
244 inode->i_security = isec;
249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
252 * Try reloading inode security labels that have been marked as invalid. The
253 * @may_sleep parameter indicates when sleeping and thus reloading labels is
254 * allowed; when set to false, returns -ECHILD when the label is
255 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
256 * when no dentry is available, set it to NULL instead.
258 static int __inode_security_revalidate(struct inode *inode,
259 struct dentry *opt_dentry,
262 struct inode_security_struct *isec = inode->i_security;
264 might_sleep_if(may_sleep);
266 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
271 * Try reloading the inode security label. This will fail if
272 * @opt_dentry is NULL and no dentry for this inode can be
273 * found; in that case, continue using the old label.
275 inode_doinit_with_dentry(inode, opt_dentry);
280 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
282 return inode->i_security;
285 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
289 error = __inode_security_revalidate(inode, NULL, !rcu);
291 return ERR_PTR(error);
292 return inode->i_security;
296 * Get the security label of an inode.
298 static struct inode_security_struct *inode_security(struct inode *inode)
300 __inode_security_revalidate(inode, NULL, true);
301 return inode->i_security;
304 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
306 struct inode *inode = d_backing_inode(dentry);
308 return inode->i_security;
312 * Get the security label of a dentry's backing inode.
314 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
316 struct inode *inode = d_backing_inode(dentry);
318 __inode_security_revalidate(inode, dentry, true);
319 return inode->i_security;
322 static void inode_free_rcu(struct rcu_head *head)
324 struct inode_security_struct *isec;
326 isec = container_of(head, struct inode_security_struct, rcu);
327 kmem_cache_free(sel_inode_cache, isec);
330 static void inode_free_security(struct inode *inode)
332 struct inode_security_struct *isec = inode->i_security;
333 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
336 * As not all inode security structures are in a list, we check for
337 * empty list outside of the lock to make sure that we won't waste
338 * time taking a lock doing nothing.
340 * The list_del_init() function can be safely called more than once.
341 * It should not be possible for this function to be called with
342 * concurrent list_add(), but for better safety against future changes
343 * in the code, we use list_empty_careful() here.
345 if (!list_empty_careful(&isec->list)) {
346 spin_lock(&sbsec->isec_lock);
347 list_del_init(&isec->list);
348 spin_unlock(&sbsec->isec_lock);
352 * The inode may still be referenced in a path walk and
353 * a call to selinux_inode_permission() can be made
354 * after inode_free_security() is called. Ideally, the VFS
355 * wouldn't do this, but fixing that is a much harder
356 * job. For now, simply free the i_security via RCU, and
357 * leave the current inode->i_security pointer intact.
358 * The inode will be freed after the RCU grace period too.
360 call_rcu(&isec->rcu, inode_free_rcu);
363 static int file_alloc_security(struct file *file)
365 struct file_security_struct *fsec;
366 u32 sid = current_sid();
368 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
373 fsec->fown_sid = sid;
374 file->f_security = fsec;
379 static void file_free_security(struct file *file)
381 struct file_security_struct *fsec = file->f_security;
382 file->f_security = NULL;
383 kmem_cache_free(file_security_cache, fsec);
386 static int superblock_alloc_security(struct super_block *sb)
388 struct superblock_security_struct *sbsec;
390 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
394 mutex_init(&sbsec->lock);
395 INIT_LIST_HEAD(&sbsec->isec_head);
396 spin_lock_init(&sbsec->isec_lock);
398 sbsec->sid = SECINITSID_UNLABELED;
399 sbsec->def_sid = SECINITSID_FILE;
400 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
401 sb->s_security = sbsec;
406 static void superblock_free_security(struct super_block *sb)
408 struct superblock_security_struct *sbsec = sb->s_security;
409 sb->s_security = NULL;
413 static inline int inode_doinit(struct inode *inode)
415 return inode_doinit_with_dentry(inode, NULL);
424 Opt_labelsupport = 5,
428 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
430 static const match_table_t tokens = {
431 {Opt_context, CONTEXT_STR "%s"},
432 {Opt_fscontext, FSCONTEXT_STR "%s"},
433 {Opt_defcontext, DEFCONTEXT_STR "%s"},
434 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
435 {Opt_labelsupport, LABELSUPP_STR},
439 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
441 static int may_context_mount_sb_relabel(u32 sid,
442 struct superblock_security_struct *sbsec,
443 const struct cred *cred)
445 const struct task_security_struct *tsec = cred->security;
448 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449 FILESYSTEM__RELABELFROM, NULL);
453 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454 FILESYSTEM__RELABELTO, NULL);
458 static int may_context_mount_inode_relabel(u32 sid,
459 struct superblock_security_struct *sbsec,
460 const struct cred *cred)
462 const struct task_security_struct *tsec = cred->security;
464 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__RELABELFROM, NULL);
469 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470 FILESYSTEM__ASSOCIATE, NULL);
474 static int selinux_is_sblabel_mnt(struct super_block *sb)
476 struct superblock_security_struct *sbsec = sb->s_security;
478 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
479 sbsec->behavior == SECURITY_FS_USE_TRANS ||
480 sbsec->behavior == SECURITY_FS_USE_TASK ||
481 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
482 /* Special handling. Genfs but also in-core setxattr handler */
483 !strcmp(sb->s_type->name, "sysfs") ||
484 !strcmp(sb->s_type->name, "pstore") ||
485 !strcmp(sb->s_type->name, "debugfs") ||
486 !strcmp(sb->s_type->name, "tracefs") ||
487 !strcmp(sb->s_type->name, "rootfs") ||
488 (selinux_policycap_cgroupseclabel &&
489 (!strcmp(sb->s_type->name, "cgroup") ||
490 !strcmp(sb->s_type->name, "cgroup2")));
493 static int sb_finish_set_opts(struct super_block *sb)
495 struct superblock_security_struct *sbsec = sb->s_security;
496 struct dentry *root = sb->s_root;
497 struct inode *root_inode = d_backing_inode(root);
500 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
501 /* Make sure that the xattr handler exists and that no
502 error other than -ENODATA is returned by getxattr on
503 the root directory. -ENODATA is ok, as this may be
504 the first boot of the SELinux kernel before we have
505 assigned xattr values to the filesystem. */
506 if (!(root_inode->i_opflags & IOP_XATTR)) {
507 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
508 "xattr support\n", sb->s_id, sb->s_type->name);
513 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
514 if (rc < 0 && rc != -ENODATA) {
515 if (rc == -EOPNOTSUPP)
516 printk(KERN_WARNING "SELinux: (dev %s, type "
517 "%s) has no security xattr handler\n",
518 sb->s_id, sb->s_type->name);
520 printk(KERN_WARNING "SELinux: (dev %s, type "
521 "%s) getxattr errno %d\n", sb->s_id,
522 sb->s_type->name, -rc);
527 sbsec->flags |= SE_SBINITIALIZED;
530 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
531 * leave the flag untouched because sb_clone_mnt_opts might be handing
532 * us a superblock that needs the flag to be cleared.
534 if (selinux_is_sblabel_mnt(sb))
535 sbsec->flags |= SBLABEL_MNT;
537 sbsec->flags &= ~SBLABEL_MNT;
539 /* Initialize the root inode. */
540 rc = inode_doinit_with_dentry(root_inode, root);
542 /* Initialize any other inodes associated with the superblock, e.g.
543 inodes created prior to initial policy load or inodes created
544 during get_sb by a pseudo filesystem that directly
546 spin_lock(&sbsec->isec_lock);
548 if (!list_empty(&sbsec->isec_head)) {
549 struct inode_security_struct *isec =
550 list_entry(sbsec->isec_head.next,
551 struct inode_security_struct, list);
552 struct inode *inode = isec->inode;
553 list_del_init(&isec->list);
554 spin_unlock(&sbsec->isec_lock);
555 inode = igrab(inode);
557 if (!IS_PRIVATE(inode))
561 spin_lock(&sbsec->isec_lock);
564 spin_unlock(&sbsec->isec_lock);
570 * This function should allow an FS to ask what it's mount security
571 * options were so it can use those later for submounts, displaying
572 * mount options, or whatever.
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575 struct security_mnt_opts *opts)
578 struct superblock_security_struct *sbsec = sb->s_security;
579 char *context = NULL;
583 security_init_mnt_opts(opts);
585 if (!(sbsec->flags & SE_SBINITIALIZED))
591 /* make sure we always check enough bits to cover the mask */
592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
594 tmp = sbsec->flags & SE_MNTMASK;
595 /* count the number of mount options for this sb */
596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
598 opts->num_mnt_opts++;
601 /* Check if the Label support flag is set */
602 if (sbsec->flags & SBLABEL_MNT)
603 opts->num_mnt_opts++;
605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 if (!opts->mnt_opts) {
611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 if (!opts->mnt_opts_flags) {
618 if (sbsec->flags & FSCONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->sid, &context, &len);
622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
625 if (sbsec->flags & CONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
632 if (sbsec->flags & DEFCONTEXT_MNT) {
633 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
636 opts->mnt_opts[i] = context;
637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
639 if (sbsec->flags & ROOTCONTEXT_MNT) {
640 struct dentry *root = sbsec->sb->s_root;
641 struct inode_security_struct *isec = backing_inode_security(root);
643 rc = security_sid_to_context(isec->sid, &context, &len);
646 opts->mnt_opts[i] = context;
647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
649 if (sbsec->flags & SBLABEL_MNT) {
650 opts->mnt_opts[i] = NULL;
651 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
654 BUG_ON(i != opts->num_mnt_opts);
659 security_free_mnt_opts(opts);
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 u32 old_sid, u32 new_sid)
666 char mnt_flags = sbsec->flags & SE_MNTMASK;
668 /* check if the old mount command had the same options */
669 if (sbsec->flags & SE_SBINITIALIZED)
670 if (!(sbsec->flags & flag) ||
671 (old_sid != new_sid))
674 /* check if we were passed the same options twice,
675 * aka someone passed context=a,context=b
677 if (!(sbsec->flags & SE_SBINITIALIZED))
678 if (mnt_flags & flag)
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
687 static int selinux_set_mnt_opts(struct super_block *sb,
688 struct security_mnt_opts *opts,
689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
692 const struct cred *cred = current_cred();
694 struct superblock_security_struct *sbsec = sb->s_security;
695 const char *name = sb->s_type->name;
696 struct dentry *root = sbsec->sb->s_root;
697 struct inode_security_struct *root_isec;
698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 u32 defcontext_sid = 0;
700 char **mount_options = opts->mnt_opts;
701 int *flags = opts->mnt_opts_flags;
702 int num_opts = opts->num_mnt_opts;
704 mutex_lock(&sbsec->lock);
706 if (!ss_initialized) {
708 /* Defer initialization until selinux_complete_init,
709 after the initial policy is loaded and the security
710 server is ready to handle calls. */
714 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 "before the security server is initialized\n");
718 if (kern_flags && !set_kern_flags) {
719 /* Specifying internal flags without providing a place to
720 * place the results is not allowed */
726 * Binary mount data FS will come through this function twice. Once
727 * from an explicit call and once from the generic calls from the vfs.
728 * Since the generic VFS calls will not contain any security mount data
729 * we need to skip the double mount verification.
731 * This does open a hole in which we will not notice if the first
732 * mount using this sb set explict options and a second mount using
733 * this sb does not set any security options. (The first options
734 * will be used for both mounts)
736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
740 root_isec = backing_inode_security_novalidate(root);
743 * parse the mount options, check if they are valid sids.
744 * also check if someone is trying to mount the same sb more
745 * than once with different security options.
747 for (i = 0; i < num_opts; i++) {
750 if (flags[i] == SBLABEL_MNT)
752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
754 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755 "(%s) failed for (dev %s, type %s) errno=%d\n",
756 mount_options[i], sb->s_id, name, rc);
763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
765 goto out_double_mount;
767 sbsec->flags |= FSCONTEXT_MNT;
772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
774 goto out_double_mount;
776 sbsec->flags |= CONTEXT_MNT;
778 case ROOTCONTEXT_MNT:
779 rootcontext_sid = sid;
781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
783 goto out_double_mount;
785 sbsec->flags |= ROOTCONTEXT_MNT;
789 defcontext_sid = sid;
791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
793 goto out_double_mount;
795 sbsec->flags |= DEFCONTEXT_MNT;
804 if (sbsec->flags & SE_SBINITIALIZED) {
805 /* previously mounted with options, but not on this attempt? */
806 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807 goto out_double_mount;
812 if (strcmp(sb->s_type->name, "proc") == 0)
813 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
815 if (!strcmp(sb->s_type->name, "debugfs") ||
816 !strcmp(sb->s_type->name, "tracefs") ||
817 !strcmp(sb->s_type->name, "sysfs") ||
818 !strcmp(sb->s_type->name, "pstore"))
819 sbsec->flags |= SE_SBGENFS;
821 if (!sbsec->behavior) {
823 * Determine the labeling behavior to use for this
826 rc = security_fs_use(sb);
829 "%s: security_fs_use(%s) returned %d\n",
830 __func__, sb->s_type->name, rc);
836 * If this is a user namespace mount and the filesystem type is not
837 * explicitly whitelisted, then no contexts are allowed on the command
838 * line and security labels must be ignored.
840 if (sb->s_user_ns != &init_user_ns &&
841 strcmp(sb->s_type->name, "tmpfs") &&
842 strcmp(sb->s_type->name, "ramfs") &&
843 strcmp(sb->s_type->name, "devpts")) {
844 if (context_sid || fscontext_sid || rootcontext_sid ||
849 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
850 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
851 rc = security_transition_sid(current_sid(), current_sid(),
853 &sbsec->mntpoint_sid);
860 /* sets the context of the superblock for the fs being mounted. */
862 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
866 sbsec->sid = fscontext_sid;
870 * Switch to using mount point labeling behavior.
871 * sets the label used on all file below the mountpoint, and will set
872 * the superblock context if not already set.
874 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
875 sbsec->behavior = SECURITY_FS_USE_NATIVE;
876 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
880 if (!fscontext_sid) {
881 rc = may_context_mount_sb_relabel(context_sid, sbsec,
885 sbsec->sid = context_sid;
887 rc = may_context_mount_inode_relabel(context_sid, sbsec,
892 if (!rootcontext_sid)
893 rootcontext_sid = context_sid;
895 sbsec->mntpoint_sid = context_sid;
896 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
899 if (rootcontext_sid) {
900 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
905 root_isec->sid = rootcontext_sid;
906 root_isec->initialized = LABEL_INITIALIZED;
909 if (defcontext_sid) {
910 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
911 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
913 printk(KERN_WARNING "SELinux: defcontext option is "
914 "invalid for this filesystem type\n");
918 if (defcontext_sid != sbsec->def_sid) {
919 rc = may_context_mount_inode_relabel(defcontext_sid,
925 sbsec->def_sid = defcontext_sid;
929 rc = sb_finish_set_opts(sb);
931 mutex_unlock(&sbsec->lock);
935 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
936 "security settings for (dev %s, type %s)\n", sb->s_id, name);
940 static int selinux_cmp_sb_context(const struct super_block *oldsb,
941 const struct super_block *newsb)
943 struct superblock_security_struct *old = oldsb->s_security;
944 struct superblock_security_struct *new = newsb->s_security;
945 char oldflags = old->flags & SE_MNTMASK;
946 char newflags = new->flags & SE_MNTMASK;
948 if (oldflags != newflags)
950 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
952 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
954 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
956 if (oldflags & ROOTCONTEXT_MNT) {
957 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
958 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
959 if (oldroot->sid != newroot->sid)
964 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
965 "different security settings for (dev %s, "
966 "type %s)\n", newsb->s_id, newsb->s_type->name);
970 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
971 struct super_block *newsb,
972 unsigned long kern_flags,
973 unsigned long *set_kern_flags)
976 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
977 struct superblock_security_struct *newsbsec = newsb->s_security;
979 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
980 int set_context = (oldsbsec->flags & CONTEXT_MNT);
981 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
984 * if the parent was able to be mounted it clearly had no special lsm
985 * mount options. thus we can safely deal with this superblock later
991 * Specifying internal flags without providing a place to
992 * place the results is not allowed.
994 if (kern_flags && !set_kern_flags)
997 /* how can we clone if the old one wasn't set up?? */
998 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1000 /* if fs is reusing a sb, make sure that the contexts match */
1001 if (newsbsec->flags & SE_SBINITIALIZED)
1002 return selinux_cmp_sb_context(oldsb, newsb);
1004 mutex_lock(&newsbsec->lock);
1006 newsbsec->flags = oldsbsec->flags;
1008 newsbsec->sid = oldsbsec->sid;
1009 newsbsec->def_sid = oldsbsec->def_sid;
1010 newsbsec->behavior = oldsbsec->behavior;
1012 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1013 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1014 rc = security_fs_use(newsb);
1019 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1020 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1021 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1025 u32 sid = oldsbsec->mntpoint_sid;
1028 newsbsec->sid = sid;
1029 if (!set_rootcontext) {
1030 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1033 newsbsec->mntpoint_sid = sid;
1035 if (set_rootcontext) {
1036 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1037 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1039 newisec->sid = oldisec->sid;
1042 sb_finish_set_opts(newsb);
1044 mutex_unlock(&newsbsec->lock);
1048 static int selinux_parse_opts_str(char *options,
1049 struct security_mnt_opts *opts)
1052 char *context = NULL, *defcontext = NULL;
1053 char *fscontext = NULL, *rootcontext = NULL;
1054 int rc, num_mnt_opts = 0;
1056 opts->num_mnt_opts = 0;
1058 /* Standard string-based options. */
1059 while ((p = strsep(&options, "|")) != NULL) {
1061 substring_t args[MAX_OPT_ARGS];
1066 token = match_token(p, tokens, args);
1070 if (context || defcontext) {
1072 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1075 context = match_strdup(&args[0]);
1085 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1088 fscontext = match_strdup(&args[0]);
1095 case Opt_rootcontext:
1098 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1101 rootcontext = match_strdup(&args[0]);
1108 case Opt_defcontext:
1109 if (context || defcontext) {
1111 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1114 defcontext = match_strdup(&args[0]);
1120 case Opt_labelsupport:
1124 printk(KERN_WARNING "SELinux: unknown mount option\n");
1131 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1132 if (!opts->mnt_opts)
1135 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1137 if (!opts->mnt_opts_flags)
1141 opts->mnt_opts[num_mnt_opts] = fscontext;
1142 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1145 opts->mnt_opts[num_mnt_opts] = context;
1146 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1149 opts->mnt_opts[num_mnt_opts] = rootcontext;
1150 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1153 opts->mnt_opts[num_mnt_opts] = defcontext;
1154 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1157 opts->num_mnt_opts = num_mnt_opts;
1161 security_free_mnt_opts(opts);
1169 * string mount options parsing and call set the sbsec
1171 static int superblock_doinit(struct super_block *sb, void *data)
1174 char *options = data;
1175 struct security_mnt_opts opts;
1177 security_init_mnt_opts(&opts);
1182 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1184 rc = selinux_parse_opts_str(options, &opts);
1189 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1192 security_free_mnt_opts(&opts);
1196 static void selinux_write_opts(struct seq_file *m,
1197 struct security_mnt_opts *opts)
1202 for (i = 0; i < opts->num_mnt_opts; i++) {
1205 if (opts->mnt_opts[i])
1206 has_comma = strchr(opts->mnt_opts[i], ',');
1210 switch (opts->mnt_opts_flags[i]) {
1212 prefix = CONTEXT_STR;
1215 prefix = FSCONTEXT_STR;
1217 case ROOTCONTEXT_MNT:
1218 prefix = ROOTCONTEXT_STR;
1220 case DEFCONTEXT_MNT:
1221 prefix = DEFCONTEXT_STR;
1225 seq_puts(m, LABELSUPP_STR);
1231 /* we need a comma before each option */
1233 seq_puts(m, prefix);
1236 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1242 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1244 struct security_mnt_opts opts;
1247 rc = selinux_get_mnt_opts(sb, &opts);
1249 /* before policy load we may get EINVAL, don't show anything */
1255 selinux_write_opts(m, &opts);
1257 security_free_mnt_opts(&opts);
1262 static inline u16 inode_mode_to_security_class(umode_t mode)
1264 switch (mode & S_IFMT) {
1266 return SECCLASS_SOCK_FILE;
1268 return SECCLASS_LNK_FILE;
1270 return SECCLASS_FILE;
1272 return SECCLASS_BLK_FILE;
1274 return SECCLASS_DIR;
1276 return SECCLASS_CHR_FILE;
1278 return SECCLASS_FIFO_FILE;
1282 return SECCLASS_FILE;
1285 static inline int default_protocol_stream(int protocol)
1287 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1290 static inline int default_protocol_dgram(int protocol)
1292 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1295 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1297 int extsockclass = selinux_policycap_extsockclass;
1303 case SOCK_SEQPACKET:
1304 return SECCLASS_UNIX_STREAM_SOCKET;
1306 return SECCLASS_UNIX_DGRAM_SOCKET;
1313 case SOCK_SEQPACKET:
1314 if (default_protocol_stream(protocol))
1315 return SECCLASS_TCP_SOCKET;
1316 else if (extsockclass && protocol == IPPROTO_SCTP)
1317 return SECCLASS_SCTP_SOCKET;
1319 return SECCLASS_RAWIP_SOCKET;
1321 if (default_protocol_dgram(protocol))
1322 return SECCLASS_UDP_SOCKET;
1323 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1324 protocol == IPPROTO_ICMPV6))
1325 return SECCLASS_ICMP_SOCKET;
1327 return SECCLASS_RAWIP_SOCKET;
1329 return SECCLASS_DCCP_SOCKET;
1331 return SECCLASS_RAWIP_SOCKET;
1337 return SECCLASS_NETLINK_ROUTE_SOCKET;
1338 case NETLINK_SOCK_DIAG:
1339 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1341 return SECCLASS_NETLINK_NFLOG_SOCKET;
1343 return SECCLASS_NETLINK_XFRM_SOCKET;
1344 case NETLINK_SELINUX:
1345 return SECCLASS_NETLINK_SELINUX_SOCKET;
1347 return SECCLASS_NETLINK_ISCSI_SOCKET;
1349 return SECCLASS_NETLINK_AUDIT_SOCKET;
1350 case NETLINK_FIB_LOOKUP:
1351 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1352 case NETLINK_CONNECTOR:
1353 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1354 case NETLINK_NETFILTER:
1355 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1356 case NETLINK_DNRTMSG:
1357 return SECCLASS_NETLINK_DNRT_SOCKET;
1358 case NETLINK_KOBJECT_UEVENT:
1359 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1360 case NETLINK_GENERIC:
1361 return SECCLASS_NETLINK_GENERIC_SOCKET;
1362 case NETLINK_SCSITRANSPORT:
1363 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1365 return SECCLASS_NETLINK_RDMA_SOCKET;
1366 case NETLINK_CRYPTO:
1367 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1369 return SECCLASS_NETLINK_SOCKET;
1372 return SECCLASS_PACKET_SOCKET;
1374 return SECCLASS_KEY_SOCKET;
1376 return SECCLASS_APPLETALK_SOCKET;
1382 return SECCLASS_AX25_SOCKET;
1384 return SECCLASS_IPX_SOCKET;
1386 return SECCLASS_NETROM_SOCKET;
1388 return SECCLASS_ATMPVC_SOCKET;
1390 return SECCLASS_X25_SOCKET;
1392 return SECCLASS_ROSE_SOCKET;
1394 return SECCLASS_DECNET_SOCKET;
1396 return SECCLASS_ATMSVC_SOCKET;
1398 return SECCLASS_RDS_SOCKET;
1400 return SECCLASS_IRDA_SOCKET;
1402 return SECCLASS_PPPOX_SOCKET;
1404 return SECCLASS_LLC_SOCKET;
1406 return SECCLASS_CAN_SOCKET;
1408 return SECCLASS_TIPC_SOCKET;
1410 return SECCLASS_BLUETOOTH_SOCKET;
1412 return SECCLASS_IUCV_SOCKET;
1414 return SECCLASS_RXRPC_SOCKET;
1416 return SECCLASS_ISDN_SOCKET;
1418 return SECCLASS_PHONET_SOCKET;
1420 return SECCLASS_IEEE802154_SOCKET;
1422 return SECCLASS_CAIF_SOCKET;
1424 return SECCLASS_ALG_SOCKET;
1426 return SECCLASS_NFC_SOCKET;
1428 return SECCLASS_VSOCK_SOCKET;
1430 return SECCLASS_KCM_SOCKET;
1432 return SECCLASS_QIPCRTR_SOCKET;
1434 return SECCLASS_SMC_SOCKET;
1436 #error New address family defined, please update this function.
1441 return SECCLASS_SOCKET;
1444 static int selinux_genfs_get_sid(struct dentry *dentry,
1450 struct super_block *sb = dentry->d_sb;
1451 char *buffer, *path;
1453 buffer = (char *)__get_free_page(GFP_KERNEL);
1457 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1461 if (flags & SE_SBPROC) {
1462 /* each process gets a /proc/PID/ entry. Strip off the
1463 * PID part to get a valid selinux labeling.
1464 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1465 while (path[1] >= '0' && path[1] <= '9') {
1470 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1472 free_page((unsigned long)buffer);
1476 /* The inode's security attributes must be initialized before first use. */
1477 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1479 struct superblock_security_struct *sbsec = NULL;
1480 struct inode_security_struct *isec = inode->i_security;
1481 u32 task_sid, sid = 0;
1483 struct dentry *dentry;
1484 #define INITCONTEXTLEN 255
1485 char *context = NULL;
1489 if (isec->initialized == LABEL_INITIALIZED)
1492 spin_lock(&isec->lock);
1493 if (isec->initialized == LABEL_INITIALIZED)
1496 if (isec->sclass == SECCLASS_FILE)
1497 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1499 sbsec = inode->i_sb->s_security;
1500 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1501 /* Defer initialization until selinux_complete_init,
1502 after the initial policy is loaded and the security
1503 server is ready to handle calls. */
1504 spin_lock(&sbsec->isec_lock);
1505 if (list_empty(&isec->list))
1506 list_add(&isec->list, &sbsec->isec_head);
1507 spin_unlock(&sbsec->isec_lock);
1511 sclass = isec->sclass;
1512 task_sid = isec->task_sid;
1514 isec->initialized = LABEL_PENDING;
1515 spin_unlock(&isec->lock);
1517 switch (sbsec->behavior) {
1518 case SECURITY_FS_USE_NATIVE:
1520 case SECURITY_FS_USE_XATTR:
1521 if (!(inode->i_opflags & IOP_XATTR)) {
1522 sid = sbsec->def_sid;
1525 /* Need a dentry, since the xattr API requires one.
1526 Life would be simpler if we could just pass the inode. */
1528 /* Called from d_instantiate or d_splice_alias. */
1529 dentry = dget(opt_dentry);
1531 /* Called from selinux_complete_init, try to find a dentry. */
1532 dentry = d_find_alias(inode);
1536 * this is can be hit on boot when a file is accessed
1537 * before the policy is loaded. When we load policy we
1538 * may find inodes that have no dentry on the
1539 * sbsec->isec_head list. No reason to complain as these
1540 * will get fixed up the next time we go through
1541 * inode_doinit with a dentry, before these inodes could
1542 * be used again by userspace.
1547 len = INITCONTEXTLEN;
1548 context = kmalloc(len+1, GFP_NOFS);
1554 context[len] = '\0';
1555 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1556 if (rc == -ERANGE) {
1559 /* Need a larger buffer. Query for the right size. */
1560 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1566 context = kmalloc(len+1, GFP_NOFS);
1572 context[len] = '\0';
1573 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1577 if (rc != -ENODATA) {
1578 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1579 "%d for dev=%s ino=%ld\n", __func__,
1580 -rc, inode->i_sb->s_id, inode->i_ino);
1584 /* Map ENODATA to the default file SID */
1585 sid = sbsec->def_sid;
1588 rc = security_context_to_sid_default(context, rc, &sid,
1592 char *dev = inode->i_sb->s_id;
1593 unsigned long ino = inode->i_ino;
1595 if (rc == -EINVAL) {
1596 if (printk_ratelimit())
1597 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1598 "context=%s. This indicates you may need to relabel the inode or the "
1599 "filesystem in question.\n", ino, dev, context);
1601 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1602 "returned %d for dev=%s ino=%ld\n",
1603 __func__, context, -rc, dev, ino);
1606 /* Leave with the unlabeled SID */
1613 case SECURITY_FS_USE_TASK:
1616 case SECURITY_FS_USE_TRANS:
1617 /* Default to the fs SID. */
1620 /* Try to obtain a transition SID. */
1621 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1625 case SECURITY_FS_USE_MNTPOINT:
1626 sid = sbsec->mntpoint_sid;
1629 /* Default to the fs superblock SID. */
1632 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1633 /* We must have a dentry to determine the label on
1636 /* Called from d_instantiate or
1637 * d_splice_alias. */
1638 dentry = dget(opt_dentry);
1640 /* Called from selinux_complete_init, try to
1642 dentry = d_find_alias(inode);
1644 * This can be hit on boot when a file is accessed
1645 * before the policy is loaded. When we load policy we
1646 * may find inodes that have no dentry on the
1647 * sbsec->isec_head list. No reason to complain as
1648 * these will get fixed up the next time we go through
1649 * inode_doinit() with a dentry, before these inodes
1650 * could be used again by userspace.
1654 rc = selinux_genfs_get_sid(dentry, sclass,
1655 sbsec->flags, &sid);
1664 spin_lock(&isec->lock);
1665 if (isec->initialized == LABEL_PENDING) {
1667 isec->initialized = LABEL_INVALID;
1671 isec->initialized = LABEL_INITIALIZED;
1676 spin_unlock(&isec->lock);
1680 /* Convert a Linux signal to an access vector. */
1681 static inline u32 signal_to_av(int sig)
1687 /* Commonly granted from child to parent. */
1688 perm = PROCESS__SIGCHLD;
1691 /* Cannot be caught or ignored */
1692 perm = PROCESS__SIGKILL;
1695 /* Cannot be caught or ignored */
1696 perm = PROCESS__SIGSTOP;
1699 /* All other signals. */
1700 perm = PROCESS__SIGNAL;
1707 #if CAP_LAST_CAP > 63
1708 #error Fix SELinux to handle capabilities > 63.
1711 /* Check whether a task is allowed to use a capability. */
1712 static int cred_has_capability(const struct cred *cred,
1713 int cap, int audit, bool initns)
1715 struct common_audit_data ad;
1716 struct av_decision avd;
1718 u32 sid = cred_sid(cred);
1719 u32 av = CAP_TO_MASK(cap);
1722 ad.type = LSM_AUDIT_DATA_CAP;
1725 switch (CAP_TO_INDEX(cap)) {
1727 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1730 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1734 "SELinux: out of range capability %d\n", cap);
1739 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1740 if (audit == SECURITY_CAP_AUDIT) {
1741 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1748 /* Check whether a task has a particular permission to an inode.
1749 The 'adp' parameter is optional and allows other audit
1750 data to be passed (e.g. the dentry). */
1751 static int inode_has_perm(const struct cred *cred,
1752 struct inode *inode,
1754 struct common_audit_data *adp)
1756 struct inode_security_struct *isec;
1759 validate_creds(cred);
1761 if (unlikely(IS_PRIVATE(inode)))
1764 sid = cred_sid(cred);
1765 isec = inode->i_security;
1767 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1770 /* Same as inode_has_perm, but pass explicit audit data containing
1771 the dentry to help the auditing code to more easily generate the
1772 pathname if needed. */
1773 static inline int dentry_has_perm(const struct cred *cred,
1774 struct dentry *dentry,
1777 struct inode *inode = d_backing_inode(dentry);
1778 struct common_audit_data ad;
1780 ad.type = LSM_AUDIT_DATA_DENTRY;
1781 ad.u.dentry = dentry;
1782 __inode_security_revalidate(inode, dentry, true);
1783 return inode_has_perm(cred, inode, av, &ad);
1786 /* Same as inode_has_perm, but pass explicit audit data containing
1787 the path to help the auditing code to more easily generate the
1788 pathname if needed. */
1789 static inline int path_has_perm(const struct cred *cred,
1790 const struct path *path,
1793 struct inode *inode = d_backing_inode(path->dentry);
1794 struct common_audit_data ad;
1796 ad.type = LSM_AUDIT_DATA_PATH;
1798 __inode_security_revalidate(inode, path->dentry, true);
1799 return inode_has_perm(cred, inode, av, &ad);
1802 /* Same as path_has_perm, but uses the inode from the file struct. */
1803 static inline int file_path_has_perm(const struct cred *cred,
1807 struct common_audit_data ad;
1809 ad.type = LSM_AUDIT_DATA_FILE;
1811 return inode_has_perm(cred, file_inode(file), av, &ad);
1814 /* Check whether a task can use an open file descriptor to
1815 access an inode in a given way. Check access to the
1816 descriptor itself, and then use dentry_has_perm to
1817 check a particular permission to the file.
1818 Access to the descriptor is implicitly granted if it
1819 has the same SID as the process. If av is zero, then
1820 access to the file is not checked, e.g. for cases
1821 where only the descriptor is affected like seek. */
1822 static int file_has_perm(const struct cred *cred,
1826 struct file_security_struct *fsec = file->f_security;
1827 struct inode *inode = file_inode(file);
1828 struct common_audit_data ad;
1829 u32 sid = cred_sid(cred);
1832 ad.type = LSM_AUDIT_DATA_FILE;
1835 if (sid != fsec->sid) {
1836 rc = avc_has_perm(sid, fsec->sid,
1844 /* av is zero if only checking access to the descriptor. */
1847 rc = inode_has_perm(cred, inode, av, &ad);
1854 * Determine the label for an inode that might be unioned.
1857 selinux_determine_inode_label(const struct task_security_struct *tsec,
1859 const struct qstr *name, u16 tclass,
1862 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1864 if ((sbsec->flags & SE_SBINITIALIZED) &&
1865 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1866 *_new_isid = sbsec->mntpoint_sid;
1867 } else if ((sbsec->flags & SBLABEL_MNT) &&
1869 *_new_isid = tsec->create_sid;
1871 const struct inode_security_struct *dsec = inode_security(dir);
1872 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1879 /* Check whether a task can create a file. */
1880 static int may_create(struct inode *dir,
1881 struct dentry *dentry,
1884 const struct task_security_struct *tsec = current_security();
1885 struct inode_security_struct *dsec;
1886 struct superblock_security_struct *sbsec;
1888 struct common_audit_data ad;
1891 dsec = inode_security(dir);
1892 sbsec = dir->i_sb->s_security;
1896 ad.type = LSM_AUDIT_DATA_DENTRY;
1897 ad.u.dentry = dentry;
1899 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1900 DIR__ADD_NAME | DIR__SEARCH,
1905 rc = selinux_determine_inode_label(current_security(), dir,
1906 &dentry->d_name, tclass, &newsid);
1910 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1914 return avc_has_perm(newsid, sbsec->sid,
1915 SECCLASS_FILESYSTEM,
1916 FILESYSTEM__ASSOCIATE, &ad);
1920 #define MAY_UNLINK 1
1923 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1924 static int may_link(struct inode *dir,
1925 struct dentry *dentry,
1929 struct inode_security_struct *dsec, *isec;
1930 struct common_audit_data ad;
1931 u32 sid = current_sid();
1935 dsec = inode_security(dir);
1936 isec = backing_inode_security(dentry);
1938 ad.type = LSM_AUDIT_DATA_DENTRY;
1939 ad.u.dentry = dentry;
1942 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1943 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1958 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1963 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1967 static inline int may_rename(struct inode *old_dir,
1968 struct dentry *old_dentry,
1969 struct inode *new_dir,
1970 struct dentry *new_dentry)
1972 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1973 struct common_audit_data ad;
1974 u32 sid = current_sid();
1976 int old_is_dir, new_is_dir;
1979 old_dsec = inode_security(old_dir);
1980 old_isec = backing_inode_security(old_dentry);
1981 old_is_dir = d_is_dir(old_dentry);
1982 new_dsec = inode_security(new_dir);
1984 ad.type = LSM_AUDIT_DATA_DENTRY;
1986 ad.u.dentry = old_dentry;
1987 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1988 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1991 rc = avc_has_perm(sid, old_isec->sid,
1992 old_isec->sclass, FILE__RENAME, &ad);
1995 if (old_is_dir && new_dir != old_dir) {
1996 rc = avc_has_perm(sid, old_isec->sid,
1997 old_isec->sclass, DIR__REPARENT, &ad);
2002 ad.u.dentry = new_dentry;
2003 av = DIR__ADD_NAME | DIR__SEARCH;
2004 if (d_is_positive(new_dentry))
2005 av |= DIR__REMOVE_NAME;
2006 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2009 if (d_is_positive(new_dentry)) {
2010 new_isec = backing_inode_security(new_dentry);
2011 new_is_dir = d_is_dir(new_dentry);
2012 rc = avc_has_perm(sid, new_isec->sid,
2014 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2022 /* Check whether a task can perform a filesystem operation. */
2023 static int superblock_has_perm(const struct cred *cred,
2024 struct super_block *sb,
2026 struct common_audit_data *ad)
2028 struct superblock_security_struct *sbsec;
2029 u32 sid = cred_sid(cred);
2031 sbsec = sb->s_security;
2032 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2035 /* Convert a Linux mode and permission mask to an access vector. */
2036 static inline u32 file_mask_to_av(int mode, int mask)
2040 if (!S_ISDIR(mode)) {
2041 if (mask & MAY_EXEC)
2042 av |= FILE__EXECUTE;
2043 if (mask & MAY_READ)
2046 if (mask & MAY_APPEND)
2048 else if (mask & MAY_WRITE)
2052 if (mask & MAY_EXEC)
2054 if (mask & MAY_WRITE)
2056 if (mask & MAY_READ)
2063 /* Convert a Linux file to an access vector. */
2064 static inline u32 file_to_av(struct file *file)
2068 if (file->f_mode & FMODE_READ)
2070 if (file->f_mode & FMODE_WRITE) {
2071 if (file->f_flags & O_APPEND)
2078 * Special file opened with flags 3 for ioctl-only use.
2087 * Convert a file to an access vector and include the correct open
2090 static inline u32 open_file_to_av(struct file *file)
2092 u32 av = file_to_av(file);
2093 struct inode *inode = file_inode(file);
2095 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2101 /* Hook functions begin here. */
2103 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2105 u32 mysid = current_sid();
2106 u32 mgrsid = task_sid(mgr);
2108 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2109 BINDER__SET_CONTEXT_MGR, NULL);
2112 static int selinux_binder_transaction(struct task_struct *from,
2113 struct task_struct *to)
2115 u32 mysid = current_sid();
2116 u32 fromsid = task_sid(from);
2117 u32 tosid = task_sid(to);
2120 if (mysid != fromsid) {
2121 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2122 BINDER__IMPERSONATE, NULL);
2127 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2131 static int selinux_binder_transfer_binder(struct task_struct *from,
2132 struct task_struct *to)
2134 u32 fromsid = task_sid(from);
2135 u32 tosid = task_sid(to);
2137 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2141 static int selinux_binder_transfer_file(struct task_struct *from,
2142 struct task_struct *to,
2145 u32 sid = task_sid(to);
2146 struct file_security_struct *fsec = file->f_security;
2147 struct dentry *dentry = file->f_path.dentry;
2148 struct inode_security_struct *isec;
2149 struct common_audit_data ad;
2152 ad.type = LSM_AUDIT_DATA_PATH;
2153 ad.u.path = file->f_path;
2155 if (sid != fsec->sid) {
2156 rc = avc_has_perm(sid, fsec->sid,
2164 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2167 isec = backing_inode_security(dentry);
2168 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2172 static int selinux_ptrace_access_check(struct task_struct *child,
2175 u32 sid = current_sid();
2176 u32 csid = task_sid(child);
2178 if (mode & PTRACE_MODE_READ)
2179 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2181 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2184 static int selinux_ptrace_traceme(struct task_struct *parent)
2186 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2187 PROCESS__PTRACE, NULL);
2190 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2191 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2193 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2194 PROCESS__GETCAP, NULL);
2197 static int selinux_capset(struct cred *new, const struct cred *old,
2198 const kernel_cap_t *effective,
2199 const kernel_cap_t *inheritable,
2200 const kernel_cap_t *permitted)
2202 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2203 PROCESS__SETCAP, NULL);
2207 * (This comment used to live with the selinux_task_setuid hook,
2208 * which was removed).
2210 * Since setuid only affects the current process, and since the SELinux
2211 * controls are not based on the Linux identity attributes, SELinux does not
2212 * need to control this operation. However, SELinux does control the use of
2213 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2216 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2219 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2222 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2224 const struct cred *cred = current_cred();
2236 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2241 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2244 rc = 0; /* let the kernel handle invalid cmds */
2250 static int selinux_quota_on(struct dentry *dentry)
2252 const struct cred *cred = current_cred();
2254 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2257 static int selinux_syslog(int type)
2260 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2261 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2262 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2263 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2264 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2265 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2266 /* Set level of messages printed to console */
2267 case SYSLOG_ACTION_CONSOLE_LEVEL:
2268 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2269 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2272 /* All other syslog types */
2273 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2274 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2278 * Check that a process has enough memory to allocate a new virtual
2279 * mapping. 0 means there is enough memory for the allocation to
2280 * succeed and -ENOMEM implies there is not.
2282 * Do not audit the selinux permission check, as this is applied to all
2283 * processes that allocate mappings.
2285 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2287 int rc, cap_sys_admin = 0;
2289 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2290 SECURITY_CAP_NOAUDIT, true);
2294 return cap_sys_admin;
2297 /* binprm security operations */
2299 static u32 ptrace_parent_sid(void)
2302 struct task_struct *tracer;
2305 tracer = ptrace_parent(current);
2307 sid = task_sid(tracer);
2313 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2314 const struct task_security_struct *old_tsec,
2315 const struct task_security_struct *new_tsec)
2317 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2318 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2321 if (!nnp && !nosuid)
2322 return 0; /* neither NNP nor nosuid */
2324 if (new_tsec->sid == old_tsec->sid)
2325 return 0; /* No change in credentials */
2328 * The only transitions we permit under NNP or nosuid
2329 * are transitions to bounded SIDs, i.e. SIDs that are
2330 * guaranteed to only be allowed a subset of the permissions
2331 * of the current SID.
2333 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2336 * On failure, preserve the errno values for NNP vs nosuid.
2337 * NNP: Operation not permitted for caller.
2338 * nosuid: Permission denied to file.
2348 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2350 const struct task_security_struct *old_tsec;
2351 struct task_security_struct *new_tsec;
2352 struct inode_security_struct *isec;
2353 struct common_audit_data ad;
2354 struct inode *inode = file_inode(bprm->file);
2357 /* SELinux context only depends on initial program or script and not
2358 * the script interpreter */
2359 if (bprm->called_set_creds)
2362 old_tsec = current_security();
2363 new_tsec = bprm->cred->security;
2364 isec = inode_security(inode);
2366 /* Default to the current task SID. */
2367 new_tsec->sid = old_tsec->sid;
2368 new_tsec->osid = old_tsec->sid;
2370 /* Reset fs, key, and sock SIDs on execve. */
2371 new_tsec->create_sid = 0;
2372 new_tsec->keycreate_sid = 0;
2373 new_tsec->sockcreate_sid = 0;
2375 if (old_tsec->exec_sid) {
2376 new_tsec->sid = old_tsec->exec_sid;
2377 /* Reset exec SID on execve. */
2378 new_tsec->exec_sid = 0;
2380 /* Fail on NNP or nosuid if not an allowed transition. */
2381 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2385 /* Check for a default transition on this program. */
2386 rc = security_transition_sid(old_tsec->sid, isec->sid,
2387 SECCLASS_PROCESS, NULL,
2393 * Fallback to old SID on NNP or nosuid if not an allowed
2396 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2398 new_tsec->sid = old_tsec->sid;
2401 ad.type = LSM_AUDIT_DATA_FILE;
2402 ad.u.file = bprm->file;
2404 if (new_tsec->sid == old_tsec->sid) {
2405 rc = avc_has_perm(old_tsec->sid, isec->sid,
2406 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2410 /* Check permissions for the transition. */
2411 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2412 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2416 rc = avc_has_perm(new_tsec->sid, isec->sid,
2417 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2421 /* Check for shared state */
2422 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2423 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2424 SECCLASS_PROCESS, PROCESS__SHARE,
2430 /* Make sure that anyone attempting to ptrace over a task that
2431 * changes its SID has the appropriate permit */
2432 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2433 u32 ptsid = ptrace_parent_sid();
2435 rc = avc_has_perm(ptsid, new_tsec->sid,
2437 PROCESS__PTRACE, NULL);
2443 /* Clear any possibly unsafe personality bits on exec: */
2444 bprm->per_clear |= PER_CLEAR_ON_SETID;
2446 /* Enable secure mode for SIDs transitions unless
2447 the noatsecure permission is granted between
2448 the two SIDs, i.e. ahp returns 0. */
2449 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2450 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2452 bprm->secureexec |= !!rc;
2458 static int match_file(const void *p, struct file *file, unsigned fd)
2460 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2463 /* Derived from fs/exec.c:flush_old_files. */
2464 static inline void flush_unauthorized_files(const struct cred *cred,
2465 struct files_struct *files)
2467 struct file *file, *devnull = NULL;
2468 struct tty_struct *tty;
2472 tty = get_current_tty();
2474 spin_lock(&tty->files_lock);
2475 if (!list_empty(&tty->tty_files)) {
2476 struct tty_file_private *file_priv;
2478 /* Revalidate access to controlling tty.
2479 Use file_path_has_perm on the tty path directly
2480 rather than using file_has_perm, as this particular
2481 open file may belong to another process and we are
2482 only interested in the inode-based check here. */
2483 file_priv = list_first_entry(&tty->tty_files,
2484 struct tty_file_private, list);
2485 file = file_priv->file;
2486 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2489 spin_unlock(&tty->files_lock);
2492 /* Reset controlling tty. */
2496 /* Revalidate access to inherited open files. */
2497 n = iterate_fd(files, 0, match_file, cred);
2498 if (!n) /* none found? */
2501 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2502 if (IS_ERR(devnull))
2504 /* replace all the matching ones with this */
2506 replace_fd(n - 1, devnull, 0);
2507 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2513 * Prepare a process for imminent new credential changes due to exec
2515 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2517 struct task_security_struct *new_tsec;
2518 struct rlimit *rlim, *initrlim;
2521 new_tsec = bprm->cred->security;
2522 if (new_tsec->sid == new_tsec->osid)
2525 /* Close files for which the new task SID is not authorized. */
2526 flush_unauthorized_files(bprm->cred, current->files);
2528 /* Always clear parent death signal on SID transitions. */
2529 current->pdeath_signal = 0;
2531 /* Check whether the new SID can inherit resource limits from the old
2532 * SID. If not, reset all soft limits to the lower of the current
2533 * task's hard limit and the init task's soft limit.
2535 * Note that the setting of hard limits (even to lower them) can be
2536 * controlled by the setrlimit check. The inclusion of the init task's
2537 * soft limit into the computation is to avoid resetting soft limits
2538 * higher than the default soft limit for cases where the default is
2539 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2541 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2542 PROCESS__RLIMITINH, NULL);
2544 /* protect against do_prlimit() */
2546 for (i = 0; i < RLIM_NLIMITS; i++) {
2547 rlim = current->signal->rlim + i;
2548 initrlim = init_task.signal->rlim + i;
2549 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2551 task_unlock(current);
2552 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2553 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2558 * Clean up the process immediately after the installation of new credentials
2561 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2563 const struct task_security_struct *tsec = current_security();
2564 struct itimerval itimer;
2574 /* Check whether the new SID can inherit signal state from the old SID.
2575 * If not, clear itimers to avoid subsequent signal generation and
2576 * flush and unblock signals.
2578 * This must occur _after_ the task SID has been updated so that any
2579 * kill done after the flush will be checked against the new SID.
2581 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2583 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2584 memset(&itimer, 0, sizeof itimer);
2585 for (i = 0; i < 3; i++)
2586 do_setitimer(i, &itimer, NULL);
2588 spin_lock_irq(¤t->sighand->siglock);
2589 if (!fatal_signal_pending(current)) {
2590 flush_sigqueue(¤t->pending);
2591 flush_sigqueue(¤t->signal->shared_pending);
2592 flush_signal_handlers(current, 1);
2593 sigemptyset(¤t->blocked);
2594 recalc_sigpending();
2596 spin_unlock_irq(¤t->sighand->siglock);
2599 /* Wake up the parent if it is waiting so that it can recheck
2600 * wait permission to the new task SID. */
2601 read_lock(&tasklist_lock);
2602 __wake_up_parent(current, current->real_parent);
2603 read_unlock(&tasklist_lock);
2606 /* superblock security operations */
2608 static int selinux_sb_alloc_security(struct super_block *sb)
2610 return superblock_alloc_security(sb);
2613 static void selinux_sb_free_security(struct super_block *sb)
2615 superblock_free_security(sb);
2618 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2623 return !memcmp(prefix, option, plen);
2626 static inline int selinux_option(char *option, int len)
2628 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2629 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2630 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2631 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2632 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2635 static inline void take_option(char **to, char *from, int *first, int len)
2642 memcpy(*to, from, len);
2646 static inline void take_selinux_option(char **to, char *from, int *first,
2649 int current_size = 0;
2657 while (current_size < len) {
2667 static int selinux_sb_copy_data(char *orig, char *copy)
2669 int fnosec, fsec, rc = 0;
2670 char *in_save, *in_curr, *in_end;
2671 char *sec_curr, *nosec_save, *nosec;
2677 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2685 in_save = in_end = orig;
2689 open_quote = !open_quote;
2690 if ((*in_end == ',' && open_quote == 0) ||
2692 int len = in_end - in_curr;
2694 if (selinux_option(in_curr, len))
2695 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2697 take_option(&nosec, in_curr, &fnosec, len);
2699 in_curr = in_end + 1;
2701 } while (*in_end++);
2703 strcpy(in_save, nosec_save);
2704 free_page((unsigned long)nosec_save);
2709 static int selinux_sb_remount(struct super_block *sb, void *data)
2712 struct security_mnt_opts opts;
2713 char *secdata, **mount_options;
2714 struct superblock_security_struct *sbsec = sb->s_security;
2716 if (!(sbsec->flags & SE_SBINITIALIZED))
2722 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2725 security_init_mnt_opts(&opts);
2726 secdata = alloc_secdata();
2729 rc = selinux_sb_copy_data(data, secdata);
2731 goto out_free_secdata;
2733 rc = selinux_parse_opts_str(secdata, &opts);
2735 goto out_free_secdata;
2737 mount_options = opts.mnt_opts;
2738 flags = opts.mnt_opts_flags;
2740 for (i = 0; i < opts.num_mnt_opts; i++) {
2743 if (flags[i] == SBLABEL_MNT)
2745 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2747 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2748 "(%s) failed for (dev %s, type %s) errno=%d\n",
2749 mount_options[i], sb->s_id, sb->s_type->name, rc);
2755 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2756 goto out_bad_option;
2759 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2760 goto out_bad_option;
2762 case ROOTCONTEXT_MNT: {
2763 struct inode_security_struct *root_isec;
2764 root_isec = backing_inode_security(sb->s_root);
2766 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2767 goto out_bad_option;
2770 case DEFCONTEXT_MNT:
2771 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2772 goto out_bad_option;
2781 security_free_mnt_opts(&opts);
2783 free_secdata(secdata);
2786 printk(KERN_WARNING "SELinux: unable to change security options "
2787 "during remount (dev %s, type=%s)\n", sb->s_id,
2792 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2794 const struct cred *cred = current_cred();
2795 struct common_audit_data ad;
2798 rc = superblock_doinit(sb, data);
2802 /* Allow all mounts performed by the kernel */
2803 if (flags & MS_KERNMOUNT)
2806 ad.type = LSM_AUDIT_DATA_DENTRY;
2807 ad.u.dentry = sb->s_root;
2808 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2811 static int selinux_sb_statfs(struct dentry *dentry)
2813 const struct cred *cred = current_cred();
2814 struct common_audit_data ad;
2816 ad.type = LSM_AUDIT_DATA_DENTRY;
2817 ad.u.dentry = dentry->d_sb->s_root;
2818 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2821 static int selinux_mount(const char *dev_name,
2822 const struct path *path,
2824 unsigned long flags,
2827 const struct cred *cred = current_cred();
2829 if (flags & MS_REMOUNT)
2830 return superblock_has_perm(cred, path->dentry->d_sb,
2831 FILESYSTEM__REMOUNT, NULL);
2833 return path_has_perm(cred, path, FILE__MOUNTON);
2836 static int selinux_umount(struct vfsmount *mnt, int flags)
2838 const struct cred *cred = current_cred();
2840 return superblock_has_perm(cred, mnt->mnt_sb,
2841 FILESYSTEM__UNMOUNT, NULL);
2844 /* inode security operations */
2846 static int selinux_inode_alloc_security(struct inode *inode)
2848 return inode_alloc_security(inode);
2851 static void selinux_inode_free_security(struct inode *inode)
2853 inode_free_security(inode);
2856 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2857 const struct qstr *name, void **ctx,
2863 rc = selinux_determine_inode_label(current_security(),
2864 d_inode(dentry->d_parent), name,
2865 inode_mode_to_security_class(mode),
2870 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2873 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2875 const struct cred *old,
2880 struct task_security_struct *tsec;
2882 rc = selinux_determine_inode_label(old->security,
2883 d_inode(dentry->d_parent), name,
2884 inode_mode_to_security_class(mode),
2889 tsec = new->security;
2890 tsec->create_sid = newsid;
2894 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2895 const struct qstr *qstr,
2897 void **value, size_t *len)
2899 const struct task_security_struct *tsec = current_security();
2900 struct superblock_security_struct *sbsec;
2901 u32 sid, newsid, clen;
2905 sbsec = dir->i_sb->s_security;
2908 newsid = tsec->create_sid;
2910 rc = selinux_determine_inode_label(current_security(),
2912 inode_mode_to_security_class(inode->i_mode),
2917 /* Possibly defer initialization to selinux_complete_init. */
2918 if (sbsec->flags & SE_SBINITIALIZED) {
2919 struct inode_security_struct *isec = inode->i_security;
2920 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2922 isec->initialized = LABEL_INITIALIZED;
2925 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2929 *name = XATTR_SELINUX_SUFFIX;
2932 rc = security_sid_to_context_force(newsid, &context, &clen);
2942 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2944 return may_create(dir, dentry, SECCLASS_FILE);
2947 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2949 return may_link(dir, old_dentry, MAY_LINK);
2952 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2954 return may_link(dir, dentry, MAY_UNLINK);
2957 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2959 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2962 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2964 return may_create(dir, dentry, SECCLASS_DIR);
2967 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2969 return may_link(dir, dentry, MAY_RMDIR);
2972 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2974 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2977 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2978 struct inode *new_inode, struct dentry *new_dentry)
2980 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2983 static int selinux_inode_readlink(struct dentry *dentry)
2985 const struct cred *cred = current_cred();
2987 return dentry_has_perm(cred, dentry, FILE__READ);
2990 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2993 const struct cred *cred = current_cred();
2994 struct common_audit_data ad;
2995 struct inode_security_struct *isec;
2998 validate_creds(cred);
3000 ad.type = LSM_AUDIT_DATA_DENTRY;
3001 ad.u.dentry = dentry;
3002 sid = cred_sid(cred);
3003 isec = inode_security_rcu(inode, rcu);
3005 return PTR_ERR(isec);
3007 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3008 rcu ? MAY_NOT_BLOCK : 0);
3011 static noinline int audit_inode_permission(struct inode *inode,
3012 u32 perms, u32 audited, u32 denied,
3016 struct common_audit_data ad;
3017 struct inode_security_struct *isec = inode->i_security;
3020 ad.type = LSM_AUDIT_DATA_INODE;
3023 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3024 audited, denied, result, &ad, flags);
3030 static int selinux_inode_permission(struct inode *inode, int mask)
3032 const struct cred *cred = current_cred();
3035 unsigned flags = mask & MAY_NOT_BLOCK;
3036 struct inode_security_struct *isec;
3038 struct av_decision avd;
3040 u32 audited, denied;
3042 from_access = mask & MAY_ACCESS;
3043 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3045 /* No permission to check. Existence test. */
3049 validate_creds(cred);
3051 if (unlikely(IS_PRIVATE(inode)))
3054 perms = file_mask_to_av(inode->i_mode, mask);
3056 sid = cred_sid(cred);
3057 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3059 return PTR_ERR(isec);
3061 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3062 audited = avc_audit_required(perms, &avd, rc,
3063 from_access ? FILE__AUDIT_ACCESS : 0,
3065 if (likely(!audited))
3068 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3074 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3076 const struct cred *cred = current_cred();
3077 struct inode *inode = d_backing_inode(dentry);
3078 unsigned int ia_valid = iattr->ia_valid;
3079 __u32 av = FILE__WRITE;
3081 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3082 if (ia_valid & ATTR_FORCE) {
3083 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3089 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3090 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3091 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3093 if (selinux_policycap_openperm &&
3094 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3095 (ia_valid & ATTR_SIZE) &&
3096 !(ia_valid & ATTR_FILE))
3099 return dentry_has_perm(cred, dentry, av);
3102 static int selinux_inode_getattr(const struct path *path)
3104 return path_has_perm(current_cred(), path, FILE__GETATTR);
3107 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3109 const struct cred *cred = current_cred();
3111 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3112 sizeof XATTR_SECURITY_PREFIX - 1)) {
3113 if (!strcmp(name, XATTR_NAME_CAPS)) {
3114 if (!capable(CAP_SETFCAP))
3116 } else if (!capable(CAP_SYS_ADMIN)) {
3117 /* A different attribute in the security namespace.
3118 Restrict to administrator. */
3123 /* Not an attribute we recognize, so just check the
3124 ordinary setattr permission. */
3125 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3128 static bool has_cap_mac_admin(bool audit)
3130 const struct cred *cred = current_cred();
3131 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3133 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3135 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3140 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3141 const void *value, size_t size, int flags)
3143 struct inode *inode = d_backing_inode(dentry);
3144 struct inode_security_struct *isec;
3145 struct superblock_security_struct *sbsec;
3146 struct common_audit_data ad;
3147 u32 newsid, sid = current_sid();
3150 if (strcmp(name, XATTR_NAME_SELINUX))
3151 return selinux_inode_setotherxattr(dentry, name);
3153 sbsec = inode->i_sb->s_security;
3154 if (!(sbsec->flags & SBLABEL_MNT))
3157 if (!inode_owner_or_capable(inode))
3160 ad.type = LSM_AUDIT_DATA_DENTRY;
3161 ad.u.dentry = dentry;
3163 isec = backing_inode_security(dentry);
3164 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3165 FILE__RELABELFROM, &ad);
3169 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3170 if (rc == -EINVAL) {
3171 if (!has_cap_mac_admin(true)) {
3172 struct audit_buffer *ab;
3176 /* We strip a nul only if it is at the end, otherwise the
3177 * context contains a nul and we should audit that */
3180 if (str[size - 1] == '\0')
3181 audit_size = size - 1;
3188 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3189 audit_log_format(ab, "op=setxattr invalid_context=");
3190 audit_log_n_untrustedstring(ab, value, audit_size);
3195 rc = security_context_to_sid_force(value, size, &newsid);
3200 rc = avc_has_perm(sid, newsid, isec->sclass,
3201 FILE__RELABELTO, &ad);
3205 rc = security_validate_transition(isec->sid, newsid, sid,
3210 return avc_has_perm(newsid,
3212 SECCLASS_FILESYSTEM,
3213 FILESYSTEM__ASSOCIATE,
3217 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3218 const void *value, size_t size,
3221 struct inode *inode = d_backing_inode(dentry);
3222 struct inode_security_struct *isec;
3226 if (strcmp(name, XATTR_NAME_SELINUX)) {
3227 /* Not an attribute we recognize, so nothing to do. */
3231 rc = security_context_to_sid_force(value, size, &newsid);
3233 printk(KERN_ERR "SELinux: unable to map context to SID"
3234 "for (%s, %lu), rc=%d\n",
3235 inode->i_sb->s_id, inode->i_ino, -rc);
3239 isec = backing_inode_security(dentry);
3240 spin_lock(&isec->lock);
3241 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3243 isec->initialized = LABEL_INITIALIZED;
3244 spin_unlock(&isec->lock);
3249 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3251 const struct cred *cred = current_cred();
3253 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3256 static int selinux_inode_listxattr(struct dentry *dentry)
3258 const struct cred *cred = current_cred();
3260 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3263 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3265 if (strcmp(name, XATTR_NAME_SELINUX))
3266 return selinux_inode_setotherxattr(dentry, name);
3268 /* No one is allowed to remove a SELinux security label.
3269 You can change the label, but all data must be labeled. */
3274 * Copy the inode security context value to the user.
3276 * Permission check is handled by selinux_inode_getxattr hook.
3278 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3282 char *context = NULL;
3283 struct inode_security_struct *isec;
3285 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3289 * If the caller has CAP_MAC_ADMIN, then get the raw context
3290 * value even if it is not defined by current policy; otherwise,
3291 * use the in-core value under current policy.
3292 * Use the non-auditing forms of the permission checks since
3293 * getxattr may be called by unprivileged processes commonly
3294 * and lack of permission just means that we fall back to the
3295 * in-core context value, not a denial.
3297 isec = inode_security(inode);
3298 if (has_cap_mac_admin(false))
3299 error = security_sid_to_context_force(isec->sid, &context,
3302 error = security_sid_to_context(isec->sid, &context, &size);
3315 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3316 const void *value, size_t size, int flags)
3318 struct inode_security_struct *isec = inode_security_novalidate(inode);
3322 if (strcmp(name, XATTR_SELINUX_SUFFIX))
git.codelabs.ch / muen / linux.git / blob