1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 *  Security-Enhanced Linux (SELinux) security module
4
 *
5
 *  This file contains the SELinux hook function implementations.
6
 *
7
 *  Authors:  Stephen Smalley, <[email protected]>
8
 *	      Chris Vance, <[email protected]>
9
 *	      Wayne Salamon, <[email protected]>
10
 *	      James Morris <[email protected]>
11
 *
12
 *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13
 *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
14
 *					   Eric Paris <[email protected]>
15
 *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16
 *			    <[email protected]>
17
 *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18
 *	Paul Moore <[email protected]>
19
 *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20
 *		       Yuichi Nakamura <[email protected]>
21
 *  Copyright (C) 2016 Mellanox Technologies
22
 */
23

24
#include <linux/init.h>
25
#include <linux/kd.h>
26
#include <linux/kernel.h>
27
#include <linux/kernel_read_file.h>
28
#include <linux/errno.h>
29
#include <linux/sched/signal.h>
30
#include <linux/sched/task.h>
31
#include <linux/lsm_hooks.h>
32
#include <linux/xattr.h>
33
#include <linux/capability.h>
34
#include <linux/unistd.h>
35
#include <linux/mm.h>
36
#include <linux/mman.h>
37
#include <linux/slab.h>
38
#include <linux/pagemap.h>
39
#include <linux/proc_fs.h>
40
#include <linux/swap.h>
41
#include <linux/spinlock.h>
42
#include <linux/syscalls.h>
43
#include <linux/dcache.h>
44
#include <linux/file.h>
45
#include <linux/fdtable.h>
46
#include <linux/namei.h>
47
#include <linux/mount.h>
48
#include <linux/fs_context.h>
49
#include <linux/fs_parser.h>
50
#include <linux/netfilter_ipv4.h>
51
#include <linux/netfilter_ipv6.h>
52
#include <linux/tty.h>
53
#include <net/icmp.h>
54
#include <net/ip.h>		/* for local_port_range[] */
55
#include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56
#include <net/inet_connection_sock.h>
57
#include <net/net_namespace.h>
58
#include <net/netlabel.h>
59
#include <linux/uaccess.h>
60
#include <asm/ioctls.h>
61
#include <linux/atomic.h>
62
#include <linux/bitops.h>
63
#include <linux/interrupt.h>
64
#include <linux/netdevice.h>	/* for network interface checks */
65
#include <net/netlink.h>
66
#include <linux/tcp.h>
67
#include <linux/udp.h>
68
#include <linux/sctp.h>
69
#include <net/sctp/structs.h>
70
#include <linux/quota.h>
71
#include <linux/un.h>		/* for Unix socket types */
72
#include <net/af_unix.h>	/* for Unix socket types */
73
#include <linux/parser.h>
74
#include <linux/nfs_mount.h>
75
#include <net/ipv6.h>
76
#include <linux/hugetlb.h>
77
#include <linux/personality.h>
78
#include <linux/audit.h>
79
#include <linux/string.h>
80
#include <linux/mutex.h>
81
#include <linux/posix-timers.h>
82
#include <linux/syslog.h>
83
#include <linux/user_namespace.h>
84
#include <linux/export.h>
85
#include <linux/msg.h>
86
#include <linux/shm.h>
87
#include <uapi/linux/shm.h>
88
#include <linux/bpf.h>
89
#include <linux/kernfs.h>
90
#include <linux/stringhash.h>	/* for hashlen_string() */
91
#include <uapi/linux/mount.h>
92
#include <linux/fsnotify.h>
93
#include <linux/fanotify.h>
94
#include <linux/io_uring/cmd.h>
95
#include <uapi/linux/lsm.h>
96

97
#include "avc.h"
98
#include "objsec.h"
99
#include "netif.h"
100
#include "netnode.h"
101
#include "netport.h"
102
#include "ibpkey.h"
103
#include "xfrm.h"
104
#include "netlabel.h"
105
#include "audit.h"
106
#include "avc_ss.h"
107

108
#define SELINUX_INODE_INIT_XATTRS 1
109

110
struct selinux_state selinux_state;
111

112
/* SECMARK reference count */
113
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
114

115
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
116
static int selinux_enforcing_boot __initdata;
117

118
static int __init enforcing_setup(char *str)
119
{
120
	unsigned long enforcing;
121
	if (!kstrtoul(str, 0, &enforcing))
122
		selinux_enforcing_boot = enforcing ? 1 : 0;
123
	return 1;
124
}
125
__setup("enforcing=", enforcing_setup);
126
#else
127
#define selinux_enforcing_boot 1
128
#endif
129

130
int selinux_enabled_boot __initdata = 1;
131
#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
132
static int __init selinux_enabled_setup(char *str)
133
{
134
	unsigned long enabled;
135
	if (!kstrtoul(str, 0, &enabled))
136
		selinux_enabled_boot = enabled ? 1 : 0;
137
	return 1;
138
}
139
__setup("selinux=", selinux_enabled_setup);
140
#endif
141

142
static int __init checkreqprot_setup(char *str)
143
{
144
	unsigned long checkreqprot;
145

146
	if (!kstrtoul(str, 0, &checkreqprot)) {
147
		if (checkreqprot)
148
			pr_err("SELinux: checkreqprot set to 1 via kernel parameter.  This is no longer supported.\n");
149
	}
150
	return 1;
151
}
152
__setup("checkreqprot=", checkreqprot_setup);
153

154
/**
155
 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156
 *
157
 * Description:
158
 * This function checks the SECMARK reference counter to see if any SECMARK
159
 * targets are currently configured, if the reference counter is greater than
160
 * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
161
 * enabled, false (0) if SECMARK is disabled.  If the always_check_network
162
 * policy capability is enabled, SECMARK is always considered enabled.
163
 *
164
 */
165
static int selinux_secmark_enabled(void)
166
{
167
	return (selinux_policycap_alwaysnetwork() ||
168
		atomic_read(&selinux_secmark_refcount));
169
}
170

171
/**
172
 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173
 *
174
 * Description:
175
 * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
176
 * (1) if any are enabled or false (0) if neither are enabled.  If the
177
 * always_check_network policy capability is enabled, peer labeling
178
 * is always considered enabled.
179
 *
180
 */
181
static int selinux_peerlbl_enabled(void)
182
{
183
	return (selinux_policycap_alwaysnetwork() ||
184
		netlbl_enabled() || selinux_xfrm_enabled());
185
}
186

187
static int selinux_netcache_avc_callback(u32 event)
188
{
189
	if (event == AVC_CALLBACK_RESET) {
190
		sel_netif_flush();
191
		sel_netnode_flush();
192
		sel_netport_flush();
193
		synchronize_net();
194
	}
195
	return 0;
196
}
197

198
static int selinux_lsm_notifier_avc_callback(u32 event)
199
{
200
	if (event == AVC_CALLBACK_RESET) {
201
		sel_ib_pkey_flush();
202
		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203
	}
204

205
	return 0;
206
}
207

208
/*
209
 * initialise the security for the init task
210
 */
211
static void cred_init_security(void)
212
{
213
	struct task_security_struct *tsec;
214

215
	/* NOTE: the lsm framework zeros out the buffer on allocation */
216

217
	tsec = selinux_cred(unrcu_pointer(current->real_cred));
218
	tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL;
219
}
220

221
/*
222
 * get the security ID of a set of credentials
223
 */
224
static inline u32 cred_sid(const struct cred *cred)
225
{
226
	const struct task_security_struct *tsec;
227

228
	tsec = selinux_cred(cred);
229
	return tsec->sid;
230
}
231

232
static void __ad_net_init(struct common_audit_data *ad,
233
			  struct lsm_network_audit *net,
234
			  int ifindex, struct sock *sk, u16 family)
235
{
236
	ad->type = LSM_AUDIT_DATA_NET;
237
	ad->u.net = net;
238
	net->netif = ifindex;
239
	net->sk = sk;
240
	net->family = family;
241
}
242

243
static void ad_net_init_from_sk(struct common_audit_data *ad,
244
				struct lsm_network_audit *net,
245
				struct sock *sk)
246
{
247
	__ad_net_init(ad, net, 0, sk, 0);
248
}
249

250
static void ad_net_init_from_iif(struct common_audit_data *ad,
251
				 struct lsm_network_audit *net,
252
				 int ifindex, u16 family)
253
{
254
	__ad_net_init(ad, net, ifindex, NULL, family);
255
}
256

257
/*
258
 * get the objective security ID of a task
259
 */
260
static inline u32 task_sid_obj(const struct task_struct *task)
261
{
262
	u32 sid;
263

264
	rcu_read_lock();
265
	sid = cred_sid(__task_cred(task));
266
	rcu_read_unlock();
267
	return sid;
268
}
269

270
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
271

272
/*
273
 * Try reloading inode security labels that have been marked as invalid.  The
274
 * @may_sleep parameter indicates when sleeping and thus reloading labels is
275
 * allowed; when set to false, returns -ECHILD when the label is
276
 * invalid.  The @dentry parameter should be set to a dentry of the inode.
277
 */
278
static int __inode_security_revalidate(struct inode *inode,
279
				       struct dentry *dentry,
280
				       bool may_sleep)
281
{
282
	if (!selinux_initialized())
283
		return 0;
284

285
	if (may_sleep)
286
		might_sleep();
287
	else
288
		return -ECHILD;
289

290
	/*
291
	 * Check to ensure that an inode's SELinux state is valid and try
292
	 * reloading the inode security label if necessary.  This will fail if
293
	 * @dentry is NULL and no dentry for this inode can be found; in that
294
	 * case, continue using the old label.
295
	 */
296
	inode_doinit_with_dentry(inode, dentry);
297
	return 0;
298
}
299

300
static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
301
{
302
	return selinux_inode(inode);
303
}
304

305
static inline struct inode_security_struct *inode_security_rcu(struct inode *inode,
306
							       bool rcu)
307
{
308
	int rc;
309
	struct inode_security_struct *isec = selinux_inode(inode);
310

311
	/* check below is racy, but revalidate will recheck with lock held */
312
	if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
313
		return isec;
314
	rc = __inode_security_revalidate(inode, NULL, !rcu);
315
	if (rc)
316
		return ERR_PTR(rc);
317
	return isec;
318
}
319

320
/*
321
 * Get the security label of an inode.
322
 */
323
static inline struct inode_security_struct *inode_security(struct inode *inode)
324
{
325
	struct inode_security_struct *isec = selinux_inode(inode);
326

327
	/* check below is racy, but revalidate will recheck with lock held */
328
	if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
329
		return isec;
330
	__inode_security_revalidate(inode, NULL, true);
331
	return isec;
332
}
333

334
static inline struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
335
{
336
	return selinux_inode(d_backing_inode(dentry));
337
}
338

339
/*
340
 * Get the security label of a dentry's backing inode.
341
 */
342
static inline struct inode_security_struct *backing_inode_security(struct dentry *dentry)
343
{
344
	struct inode *inode = d_backing_inode(dentry);
345
	struct inode_security_struct *isec = selinux_inode(inode);
346

347
	/* check below is racy, but revalidate will recheck with lock held */
348
	if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
349
		return isec;
350
	__inode_security_revalidate(inode, dentry, true);
351
	return isec;
352
}
353

354
static void inode_free_security(struct inode *inode)
355
{
356
	struct inode_security_struct *isec = selinux_inode(inode);
357
	struct superblock_security_struct *sbsec;
358

359
	if (!isec)
360
		return;
361
	sbsec = selinux_superblock(inode->i_sb);
362
	/*
363
	 * As not all inode security structures are in a list, we check for
364
	 * empty list outside of the lock to make sure that we won't waste
365
	 * time taking a lock doing nothing.
366
	 *
367
	 * The list_del_init() function can be safely called more than once.
368
	 * It should not be possible for this function to be called with
369
	 * concurrent list_add(), but for better safety against future changes
370
	 * in the code, we use list_empty_careful() here.
371
	 */
372
	if (!list_empty_careful(&isec->list)) {
373
		spin_lock(&sbsec->isec_lock);
374
		list_del_init(&isec->list);
375
		spin_unlock(&sbsec->isec_lock);
376
	}
377
}
378

379
struct selinux_mnt_opts {
380
	u32 fscontext_sid;
381
	u32 context_sid;
382
	u32 rootcontext_sid;
383
	u32 defcontext_sid;
384
};
385

386
static void selinux_free_mnt_opts(void *mnt_opts)
387
{
388
	kfree(mnt_opts);
389
}
390

391
enum {
392
	Opt_error = -1,
393
	Opt_context = 0,
394
	Opt_defcontext = 1,
395
	Opt_fscontext = 2,
396
	Opt_rootcontext = 3,
397
	Opt_seclabel = 4,
398
};
399

400
#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
401
static const struct {
402
	const char *name;
403
	int len;
404
	int opt;
405
	bool has_arg;
406
} tokens[] = {
407
	A(context, true),
408
	A(fscontext, true),
409
	A(defcontext, true),
410
	A(rootcontext, true),
411
	A(seclabel, false),
412
};
413
#undef A
414

415
static int match_opt_prefix(char *s, int l, char **arg)
416
{
417
	unsigned int i;
418

419
	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
420
		size_t len = tokens[i].len;
421
		if (len > l || memcmp(s, tokens[i].name, len))
422
			continue;
423
		if (tokens[i].has_arg) {
424
			if (len == l || s[len] != '=')
425
				continue;
426
			*arg = s + len + 1;
427
		} else if (len != l)
428
			continue;
429
		return tokens[i].opt;
430
	}
431
	return Opt_error;
432
}
433

434
#define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
435

436
static int may_context_mount_sb_relabel(u32 sid,
437
			struct superblock_security_struct *sbsec,
438
			const struct cred *cred)
439
{
440
	const struct task_security_struct *tsec = selinux_cred(cred);
441
	int rc;
442

443
	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
444
			  FILESYSTEM__RELABELFROM, NULL);
445
	if (rc)
446
		return rc;
447

448
	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
449
			  FILESYSTEM__RELABELTO, NULL);
450
	return rc;
451
}
452

453
static int may_context_mount_inode_relabel(u32 sid,
454
			struct superblock_security_struct *sbsec,
455
			const struct cred *cred)
456
{
457
	const struct task_security_struct *tsec = selinux_cred(cred);
458
	int rc;
459
	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
460
			  FILESYSTEM__RELABELFROM, NULL);
461
	if (rc)
462
		return rc;
463

464
	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
465
			  FILESYSTEM__ASSOCIATE, NULL);
466
	return rc;
467
}
468

469
static int selinux_is_genfs_special_handling(struct super_block *sb)
470
{
471
	/* Special handling. Genfs but also in-core setxattr handler */
472
	return	!strcmp(sb->s_type->name, "sysfs") ||
473
		!strcmp(sb->s_type->name, "pstore") ||
474
		!strcmp(sb->s_type->name, "debugfs") ||
475
		!strcmp(sb->s_type->name, "tracefs") ||
476
		!strcmp(sb->s_type->name, "rootfs") ||
477
		(selinux_policycap_cgroupseclabel() &&
478
		 (!strcmp(sb->s_type->name, "cgroup") ||
479
		  !strcmp(sb->s_type->name, "cgroup2"))) ||
480
		(selinux_policycap_functionfs_seclabel() &&
481
		 !strcmp(sb->s_type->name, "functionfs"));
482
}
483

484
static int selinux_is_sblabel_mnt(struct super_block *sb)
485
{
486
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
487

488
	/*
489
	 * IMPORTANT: Double-check logic in this function when adding a new
490
	 * SECURITY_FS_USE_* definition!
491
	 */
492
	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
493

494
	switch (sbsec->behavior) {
495
	case SECURITY_FS_USE_XATTR:
496
	case SECURITY_FS_USE_TRANS:
497
	case SECURITY_FS_USE_TASK:
498
	case SECURITY_FS_USE_NATIVE:
499
		return 1;
500

501
	case SECURITY_FS_USE_GENFS:
502
		return selinux_is_genfs_special_handling(sb);
503

504
	/* Never allow relabeling on context mounts */
505
	case SECURITY_FS_USE_MNTPOINT:
506
	case SECURITY_FS_USE_NONE:
507
	default:
508
		return 0;
509
	}
510
}
511

512
static int sb_check_xattr_support(struct super_block *sb)
513
{
514
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
515
	struct dentry *root = sb->s_root;
516
	struct inode *root_inode = d_backing_inode(root);
517
	u32 sid;
518
	int rc;
519

520
	/*
521
	 * Make sure that the xattr handler exists and that no
522
	 * error other than -ENODATA is returned by getxattr on
523
	 * the root directory.  -ENODATA is ok, as this may be
524
	 * the first boot of the SELinux kernel before we have
525
	 * assigned xattr values to the filesystem.
526
	 */
527
	if (!(root_inode->i_opflags & IOP_XATTR)) {
528
		pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
529
			sb->s_id, sb->s_type->name);
530
		goto fallback;
531
	}
532

533
	rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
534
	if (rc < 0 && rc != -ENODATA) {
535
		if (rc == -EOPNOTSUPP) {
536
			pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
537
				sb->s_id, sb->s_type->name);
538
			goto fallback;
539
		} else {
540
			pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
541
				sb->s_id, sb->s_type->name, -rc);
542
			return rc;
543
		}
544
	}
545
	return 0;
546

547
fallback:
548
	/* No xattr support - try to fallback to genfs if possible. */
549
	rc = security_genfs_sid(sb->s_type->name, "/",
550
				SECCLASS_DIR, &sid);
551
	if (rc)
552
		return -EOPNOTSUPP;
553

554
	pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
555
		sb->s_id, sb->s_type->name);
556
	sbsec->behavior = SECURITY_FS_USE_GENFS;
557
	sbsec->sid = sid;
558
	return 0;
559
}
560

561
static int sb_finish_set_opts(struct super_block *sb)
562
{
563
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
564
	struct dentry *root = sb->s_root;
565
	struct inode *root_inode = d_backing_inode(root);
566
	int rc = 0;
567

568
	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
569
		rc = sb_check_xattr_support(sb);
570
		if (rc)
571
			return rc;
572
	}
573

574
	sbsec->flags |= SE_SBINITIALIZED;
575

576
	/*
577
	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
578
	 * leave the flag untouched because sb_clone_mnt_opts might be handing
579
	 * us a superblock that needs the flag to be cleared.
580
	 */
581
	if (selinux_is_sblabel_mnt(sb))
582
		sbsec->flags |= SBLABEL_MNT;
583
	else
584
		sbsec->flags &= ~SBLABEL_MNT;
585

586
	/* Initialize the root inode. */
587
	rc = inode_doinit_with_dentry(root_inode, root);
588

589
	/* Initialize any other inodes associated with the superblock, e.g.
590
	   inodes created prior to initial policy load or inodes created
591
	   during get_sb by a pseudo filesystem that directly
592
	   populates itself. */
593
	spin_lock(&sbsec->isec_lock);
594
	while (!list_empty(&sbsec->isec_head)) {
595
		struct inode_security_struct *isec =
596
				list_first_entry(&sbsec->isec_head,
597
					   struct inode_security_struct, list);
598
		struct inode *inode = isec->inode;
599
		list_del_init(&isec->list);
600
		spin_unlock(&sbsec->isec_lock);
601
		inode = igrab(inode);
602
		if (inode) {
603
			if (!IS_PRIVATE(inode))
604
				inode_doinit_with_dentry(inode, NULL);
605
			iput(inode);
606
		}
607
		spin_lock(&sbsec->isec_lock);
608
	}
609
	spin_unlock(&sbsec->isec_lock);
610
	return rc;
611
}
612

613
static int bad_option(struct superblock_security_struct *sbsec, char flag,
614
		      u32 old_sid, u32 new_sid)
615
{
616
	char mnt_flags = sbsec->flags & SE_MNTMASK;
617

618
	/* check if the old mount command had the same options */
619
	if (sbsec->flags & SE_SBINITIALIZED)
620
		if (!(sbsec->flags & flag) ||
621
		    (old_sid != new_sid))
622
			return 1;
623

624
	/* check if we were passed the same options twice,
625
	 * aka someone passed context=a,context=b
626
	 */
627
	if (!(sbsec->flags & SE_SBINITIALIZED))
628
		if (mnt_flags & flag)
629
			return 1;
630
	return 0;
631
}
632

633
/*
634
 * Allow filesystems with binary mount data to explicitly set mount point
635
 * labeling information.
636
 */
637
static int selinux_set_mnt_opts(struct super_block *sb,
638
				void *mnt_opts,
639
				unsigned long kern_flags,
640
				unsigned long *set_kern_flags)
641
{
642
	const struct cred *cred = current_cred();
643
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
644
	struct dentry *root = sb->s_root;
645
	struct selinux_mnt_opts *opts = mnt_opts;
646
	struct inode_security_struct *root_isec;
647
	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
648
	u32 defcontext_sid = 0;
649
	int rc = 0;
650

651
	/*
652
	 * Specifying internal flags without providing a place to
653
	 * place the results is not allowed
654
	 */
655
	if (kern_flags && !set_kern_flags)
656
		return -EINVAL;
657

658
	mutex_lock(&sbsec->lock);
659

660
	if (!selinux_initialized()) {
661
		if (!opts) {
662
			/* Defer initialization until selinux_complete_init,
663
			   after the initial policy is loaded and the security
664
			   server is ready to handle calls. */
665
			if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
666
				sbsec->flags |= SE_SBNATIVE;
667
				*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
668
			}
669
			goto out;
670
		}
671
		rc = -EINVAL;
672
		pr_warn("SELinux: Unable to set superblock options "
673
			"before the security server is initialized\n");
674
		goto out;
675
	}
676

677
	/*
678
	 * Binary mount data FS will come through this function twice.  Once
679
	 * from an explicit call and once from the generic calls from the vfs.
680
	 * Since the generic VFS calls will not contain any security mount data
681
	 * we need to skip the double mount verification.
682
	 *
683
	 * This does open a hole in which we will not notice if the first
684
	 * mount using this sb set explicit options and a second mount using
685
	 * this sb does not set any security options.  (The first options
686
	 * will be used for both mounts)
687
	 */
688
	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
689
	    && !opts)
690
		goto out;
691

692
	root_isec = backing_inode_security_novalidate(root);
693

694
	/*
695
	 * parse the mount options, check if they are valid sids.
696
	 * also check if someone is trying to mount the same sb more
697
	 * than once with different security options.
698
	 */
699
	if (opts) {
700
		if (opts->fscontext_sid) {
701
			fscontext_sid = opts->fscontext_sid;
702
			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
703
					fscontext_sid))
704
				goto out_double_mount;
705
			sbsec->flags |= FSCONTEXT_MNT;
706
		}
707
		if (opts->context_sid) {
708
			context_sid = opts->context_sid;
709
			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
710
					context_sid))
711
				goto out_double_mount;
712
			sbsec->flags |= CONTEXT_MNT;
713
		}
714
		if (opts->rootcontext_sid) {
715
			rootcontext_sid = opts->rootcontext_sid;
716
			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
717
					rootcontext_sid))
718
				goto out_double_mount;
719
			sbsec->flags |= ROOTCONTEXT_MNT;
720
		}
721
		if (opts->defcontext_sid) {
722
			defcontext_sid = opts->defcontext_sid;
723
			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
724
					defcontext_sid))
725
				goto out_double_mount;
726
			sbsec->flags |= DEFCONTEXT_MNT;
727
		}
728
	}
729

730
	if (sbsec->flags & SE_SBINITIALIZED) {
731
		/* previously mounted with options, but not on this attempt? */
732
		if ((sbsec->flags & SE_MNTMASK) && !opts)
733
			goto out_double_mount;
734
		rc = 0;
735
		goto out;
736
	}
737

738
	if (strcmp(sb->s_type->name, "proc") == 0)
739
		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
740

741
	if (!strcmp(sb->s_type->name, "debugfs") ||
742
	    !strcmp(sb->s_type->name, "tracefs") ||
743
	    !strcmp(sb->s_type->name, "binder") ||
744
	    !strcmp(sb->s_type->name, "bpf") ||
745
	    !strcmp(sb->s_type->name, "pstore") ||
746
	    !strcmp(sb->s_type->name, "securityfs") ||
747
	    (selinux_policycap_functionfs_seclabel() &&
748
	     !strcmp(sb->s_type->name, "functionfs")))
749
		sbsec->flags |= SE_SBGENFS;
750

751
	if (!strcmp(sb->s_type->name, "sysfs") ||
752
	    !strcmp(sb->s_type->name, "cgroup") ||
753
	    !strcmp(sb->s_type->name, "cgroup2"))
754
		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
755

756
	if (!sbsec->behavior) {
757
		/*
758
		 * Determine the labeling behavior to use for this
759
		 * filesystem type.
760
		 */
761
		rc = security_fs_use(sb);
762
		if (rc) {
763
			pr_warn("%s: security_fs_use(%s) returned %d\n",
764
					__func__, sb->s_type->name, rc);
765
			goto out;
766
		}
767
	}
768

769
	/*
770
	 * If this is a user namespace mount and the filesystem type is not
771
	 * explicitly whitelisted, then no contexts are allowed on the command
772
	 * line and security labels must be ignored.
773
	 */
774
	if (sb->s_user_ns != &init_user_ns &&
775
	    strcmp(sb->s_type->name, "tmpfs") &&
776
	    strcmp(sb->s_type->name, "ramfs") &&
777
	    strcmp(sb->s_type->name, "devpts") &&
778
	    strcmp(sb->s_type->name, "overlay")) {
779
		if (context_sid || fscontext_sid || rootcontext_sid ||
780
		    defcontext_sid) {
781
			rc = -EACCES;
782
			goto out;
783
		}
784
		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
785
			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
786
			rc = security_transition_sid(current_sid(),
787
						     current_sid(),
788
						     SECCLASS_FILE, NULL,
789
						     &sbsec->mntpoint_sid);
790
			if (rc)
791
				goto out;
792
		}
793
		goto out_set_opts;
794
	}
795

796
	/* sets the context of the superblock for the fs being mounted. */
797
	if (fscontext_sid) {
798
		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
799
		if (rc)
800
			goto out;
801

802
		sbsec->sid = fscontext_sid;
803
	}
804

805
	/*
806
	 * Switch to using mount point labeling behavior.
807
	 * sets the label used on all file below the mountpoint, and will set
808
	 * the superblock context if not already set.
809
	 */
810
	if (sbsec->flags & SE_SBNATIVE) {
811
		/*
812
		 * This means we are initializing a superblock that has been
813
		 * mounted before the SELinux was initialized and the
814
		 * filesystem requested native labeling. We had already
815
		 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
816
		 * in the original mount attempt, so now we just need to set
817
		 * the SECURITY_FS_USE_NATIVE behavior.
818
		 */
819
		sbsec->behavior = SECURITY_FS_USE_NATIVE;
820
	} else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
821
		sbsec->behavior = SECURITY_FS_USE_NATIVE;
822
		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
823
	}
824

825
	if (context_sid) {
826
		if (!fscontext_sid) {
827
			rc = may_context_mount_sb_relabel(context_sid, sbsec,
828
							  cred);
829
			if (rc)
830
				goto out;
831
			sbsec->sid = context_sid;
832
		} else {
833
			rc = may_context_mount_inode_relabel(context_sid, sbsec,
834
							     cred);
835
			if (rc)
836
				goto out;
837
		}
838
		if (!rootcontext_sid)
839
			rootcontext_sid = context_sid;
840

841
		sbsec->mntpoint_sid = context_sid;
842
		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
843
	}
844

845
	if (rootcontext_sid) {
846
		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
847
						     cred);
848
		if (rc)
849
			goto out;
850

851
		root_isec->sid = rootcontext_sid;
852
		root_isec->initialized = LABEL_INITIALIZED;
853
	}
854

855
	if (defcontext_sid) {
856
		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
857
			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
858
			rc = -EINVAL;
859
			pr_warn("SELinux: defcontext option is "
860
			       "invalid for this filesystem type\n");
861
			goto out;
862
		}
863

864
		if (defcontext_sid != sbsec->def_sid) {
865
			rc = may_context_mount_inode_relabel(defcontext_sid,
866
							     sbsec, cred);
867
			if (rc)
868
				goto out;
869
		}
870

871
		sbsec->def_sid = defcontext_sid;
872
	}
873

874
out_set_opts:
875
	rc = sb_finish_set_opts(sb);
876
out:
877
	mutex_unlock(&sbsec->lock);
878
	return rc;
879
out_double_mount:
880
	rc = -EINVAL;
881
	pr_warn("SELinux: mount invalid.  Same superblock, different "
882
	       "security settings for (dev %s, type %s)\n", sb->s_id,
883
	       sb->s_type->name);
884
	goto out;
885
}
886

887
static int selinux_cmp_sb_context(const struct super_block *oldsb,
888
				    const struct super_block *newsb)
889
{
890
	struct superblock_security_struct *old = selinux_superblock(oldsb);
891
	struct superblock_security_struct *new = selinux_superblock(newsb);
892
	char oldflags = old->flags & SE_MNTMASK;
893
	char newflags = new->flags & SE_MNTMASK;
894

895
	if (oldflags != newflags)
896
		goto mismatch;
897
	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
898
		goto mismatch;
899
	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
900
		goto mismatch;
901
	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
902
		goto mismatch;
903
	if (oldflags & ROOTCONTEXT_MNT) {
904
		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
905
		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
906
		if (oldroot->sid != newroot->sid)
907
			goto mismatch;
908
	}
909
	return 0;
910
mismatch:
911
	pr_warn("SELinux: mount invalid.  Same superblock, "
912
			    "different security settings for (dev %s, "
913
			    "type %s)\n", newsb->s_id, newsb->s_type->name);
914
	return -EBUSY;
915
}
916

917
static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
918
					struct super_block *newsb,
919
					unsigned long kern_flags,
920
					unsigned long *set_kern_flags)
921
{
922
	int rc = 0;
923
	const struct superblock_security_struct *oldsbsec =
924
						selinux_superblock(oldsb);
925
	struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
926

927
	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
928
	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
929
	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
930

931
	/*
932
	 * Specifying internal flags without providing a place to
933
	 * place the results is not allowed.
934
	 */
935
	if (kern_flags && !set_kern_flags)
936
		return -EINVAL;
937

938
	mutex_lock(&newsbsec->lock);
939

940
	/*
941
	 * if the parent was able to be mounted it clearly had no special lsm
942
	 * mount options.  thus we can safely deal with this superblock later
943
	 */
944
	if (!selinux_initialized()) {
945
		if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
946
			newsbsec->flags |= SE_SBNATIVE;
947
			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
948
		}
949
		goto out;
950
	}
951

952
	/* how can we clone if the old one wasn't set up?? */
953
	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
954

955
	/* if fs is reusing a sb, make sure that the contexts match */
956
	if (newsbsec->flags & SE_SBINITIALIZED) {
957
		mutex_unlock(&newsbsec->lock);
958
		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
959
			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
960
		return selinux_cmp_sb_context(oldsb, newsb);
961
	}
962

963
	newsbsec->flags = oldsbsec->flags;
964

965
	newsbsec->sid = oldsbsec->sid;
966
	newsbsec->def_sid = oldsbsec->def_sid;
967
	newsbsec->behavior = oldsbsec->behavior;
968

969
	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
970
		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
971
		rc = security_fs_use(newsb);
972
		if (rc)
973
			goto out;
974
	}
975

976
	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
977
		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
978
		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
979
	}
980

981
	if (set_context) {
982
		u32 sid = oldsbsec->mntpoint_sid;
983

984
		if (!set_fscontext)
985
			newsbsec->sid = sid;
986
		if (!set_rootcontext) {
987
			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
988
			newisec->sid = sid;
989
		}
990
		newsbsec->mntpoint_sid = sid;
991
	}
992
	if (set_rootcontext) {
993
		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
994
		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
995

996
		newisec->sid = oldisec->sid;
997
	}
998

999
	sb_finish_set_opts(newsb);
1000
out:
1001
	mutex_unlock(&newsbsec->lock);
1002
	return rc;
1003
}
1004

1005
/*
1006
 * NOTE: the caller is responsible for freeing the memory even if on error.
1007
 */
1008
static int selinux_add_opt(int token, const char *s, void **mnt_opts)
1009
{
1010
	struct selinux_mnt_opts *opts = *mnt_opts;
1011
	u32 *dst_sid;
1012
	int rc;
1013

1014
	if (token == Opt_seclabel)
1015
		/* eaten and completely ignored */
1016
		return 0;
1017
	if (!s)
1018
		return -EINVAL;
1019

1020
	if (!selinux_initialized()) {
1021
		pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1022
		return -EINVAL;
1023
	}
1024

1025
	if (!opts) {
1026
		opts = kzalloc(sizeof(*opts), GFP_KERNEL);
1027
		if (!opts)
1028
			return -ENOMEM;
1029
		*mnt_opts = opts;
1030
	}
1031

1032
	switch (token) {
1033
	case Opt_context:
1034
		if (opts->context_sid || opts->defcontext_sid)
1035
			goto err;
1036
		dst_sid = &opts->context_sid;
1037
		break;
1038
	case Opt_fscontext:
1039
		if (opts->fscontext_sid)
1040
			goto err;
1041
		dst_sid = &opts->fscontext_sid;
1042
		break;
1043
	case Opt_rootcontext:
1044
		if (opts->rootcontext_sid)
1045
			goto err;
1046
		dst_sid = &opts->rootcontext_sid;
1047
		break;
1048
	case Opt_defcontext:
1049
		if (opts->context_sid || opts->defcontext_sid)
1050
			goto err;
1051
		dst_sid = &opts->defcontext_sid;
1052
		break;
1053
	default:
1054
		WARN_ON(1);
1055
		return -EINVAL;
1056
	}
1057
	rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
1058
	if (rc)
1059
		pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1060
			s, rc);
1061
	return rc;
1062

1063
err:
1064
	pr_warn(SEL_MOUNT_FAIL_MSG);
1065
	return -EINVAL;
1066
}
1067

1068
static int show_sid(struct seq_file *m, u32 sid)
1069
{
1070
	char *context = NULL;
1071
	u32 len;
1072
	int rc;
1073

1074
	rc = security_sid_to_context(sid, &context, &len);
1075
	if (!rc) {
1076
		bool has_comma = strchr(context, ',');
1077

1078
		seq_putc(m, '=');
1079
		if (has_comma)
1080
			seq_putc(m, '\"');
1081
		seq_escape(m, context, "\"\n\\");
1082
		if (has_comma)
1083
			seq_putc(m, '\"');
1084
	}
1085
	kfree(context);
1086
	return rc;
1087
}
1088

1089
static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1090
{
1091
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
1092
	int rc;
1093

1094
	if (!(sbsec->flags & SE_SBINITIALIZED))
1095
		return 0;
1096

1097
	if (!selinux_initialized())
1098
		return 0;
1099

1100
	if (sbsec->flags & FSCONTEXT_MNT) {
1101
		seq_putc(m, ',');
1102
		seq_puts(m, FSCONTEXT_STR);
1103
		rc = show_sid(m, sbsec->sid);
1104
		if (rc)
1105
			return rc;
1106
	}
1107
	if (sbsec->flags & CONTEXT_MNT) {
1108
		seq_putc(m, ',');
1109
		seq_puts(m, CONTEXT_STR);
1110
		rc = show_sid(m, sbsec->mntpoint_sid);
1111
		if (rc)
1112
			return rc;
1113
	}
1114
	if (sbsec->flags & DEFCONTEXT_MNT) {
1115
		seq_putc(m, ',');
1116
		seq_puts(m, DEFCONTEXT_STR);
1117
		rc = show_sid(m, sbsec->def_sid);
1118
		if (rc)
1119
			return rc;
1120
	}
1121
	if (sbsec->flags & ROOTCONTEXT_MNT) {
1122
		struct dentry *root = sb->s_root;
1123
		struct inode_security_struct *isec = backing_inode_security(root);
1124
		seq_putc(m, ',');
1125
		seq_puts(m, ROOTCONTEXT_STR);
1126
		rc = show_sid(m, isec->sid);
1127
		if (rc)
1128
			return rc;
1129
	}
1130
	if (sbsec->flags & SBLABEL_MNT) {
1131
		seq_putc(m, ',');
1132
		seq_puts(m, SECLABEL_STR);
1133
	}
1134
	return 0;
1135
}
1136

1137
static inline u16 inode_mode_to_security_class(umode_t mode)
1138
{
1139
	switch (mode & S_IFMT) {
1140
	case S_IFSOCK:
1141
		return SECCLASS_SOCK_FILE;
1142
	case S_IFLNK:
1143
		return SECCLASS_LNK_FILE;
1144
	case S_IFREG:
1145
		return SECCLASS_FILE;
1146
	case S_IFBLK:
1147
		return SECCLASS_BLK_FILE;
1148
	case S_IFDIR:
1149
		return SECCLASS_DIR;
1150
	case S_IFCHR:
1151
		return SECCLASS_CHR_FILE;
1152
	case S_IFIFO:
1153
		return SECCLASS_FIFO_FILE;
1154

1155
	}
1156

1157
	return SECCLASS_FILE;
1158
}
1159

1160
static inline int default_protocol_stream(int protocol)
1161
{
1162
	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1163
		protocol == IPPROTO_MPTCP);
1164
}
1165

1166
static inline int default_protocol_dgram(int protocol)
1167
{
1168
	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1169
}
1170

1171
static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1172
{
1173
	bool extsockclass = selinux_policycap_extsockclass();
1174

1175
	switch (family) {
1176
	case PF_UNIX:
1177
		switch (type) {
1178
		case SOCK_STREAM:
1179
		case SOCK_SEQPACKET:
1180
			return SECCLASS_UNIX_STREAM_SOCKET;
1181
		case SOCK_DGRAM:
1182
		case SOCK_RAW:
1183
			return SECCLASS_UNIX_DGRAM_SOCKET;
1184
		}
1185
		break;
1186
	case PF_INET:
1187
	case PF_INET6:
1188
		switch (type) {
1189
		case SOCK_STREAM:
1190
		case SOCK_SEQPACKET:
1191
			if (default_protocol_stream(protocol))
1192
				return SECCLASS_TCP_SOCKET;
1193
			else if (extsockclass && protocol == IPPROTO_SCTP)
1194
				return SECCLASS_SCTP_SOCKET;
1195
			else
1196
				return SECCLASS_RAWIP_SOCKET;
1197
		case SOCK_DGRAM:
1198
			if (default_protocol_dgram(protocol))
1199
				return SECCLASS_UDP_SOCKET;
1200
			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1201
						  protocol == IPPROTO_ICMPV6))
1202
				return SECCLASS_ICMP_SOCKET;
1203
			else
1204
				return SECCLASS_RAWIP_SOCKET;
1205
		default:
1206
			return SECCLASS_RAWIP_SOCKET;
1207
		}
1208
		break;
1209
	case PF_NETLINK:
1210
		switch (protocol) {
1211
		case NETLINK_ROUTE:
1212
			return SECCLASS_NETLINK_ROUTE_SOCKET;
1213
		case NETLINK_SOCK_DIAG:
1214
			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1215
		case NETLINK_NFLOG:
1216
			return SECCLASS_NETLINK_NFLOG_SOCKET;
1217
		case NETLINK_XFRM:
1218
			return SECCLASS_NETLINK_XFRM_SOCKET;
1219
		case NETLINK_SELINUX:
1220
			return SECCLASS_NETLINK_SELINUX_SOCKET;
1221
		case NETLINK_ISCSI:
1222
			return SECCLASS_NETLINK_ISCSI_SOCKET;
1223
		case NETLINK_AUDIT:
1224
			return SECCLASS_NETLINK_AUDIT_SOCKET;
1225
		case NETLINK_FIB_LOOKUP:
1226
			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1227
		case NETLINK_CONNECTOR:
1228
			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1229
		case NETLINK_NETFILTER:
1230
			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1231
		case NETLINK_DNRTMSG:
1232
			return SECCLASS_NETLINK_DNRT_SOCKET;
1233
		case NETLINK_KOBJECT_UEVENT:
1234
			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1235
		case NETLINK_GENERIC:
1236
			return SECCLASS_NETLINK_GENERIC_SOCKET;
1237
		case NETLINK_SCSITRANSPORT:
1238
			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1239
		case NETLINK_RDMA:
1240
			return SECCLASS_NETLINK_RDMA_SOCKET;
1241
		case NETLINK_CRYPTO:
1242
			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1243
		default:
1244
			return SECCLASS_NETLINK_SOCKET;
1245
		}
1246
	case PF_PACKET:
1247
		return SECCLASS_PACKET_SOCKET;
1248
	case PF_KEY:
1249
		return SECCLASS_KEY_SOCKET;
1250
	case PF_APPLETALK:
1251
		return SECCLASS_APPLETALK_SOCKET;
1252
	}
1253

1254
	if (extsockclass) {
1255
		switch (family) {
1256
		case PF_AX25:
1257
			return SECCLASS_AX25_SOCKET;
1258
		case PF_IPX:
1259
			return SECCLASS_IPX_SOCKET;
1260
		case PF_NETROM:
1261
			return SECCLASS_NETROM_SOCKET;
1262
		case PF_ATMPVC:
1263
			return SECCLASS_ATMPVC_SOCKET;
1264
		case PF_X25:
1265
			return SECCLASS_X25_SOCKET;
1266
		case PF_ROSE:
1267
			return SECCLASS_ROSE_SOCKET;
1268
		case PF_DECnet:
1269
			return SECCLASS_DECNET_SOCKET;
1270
		case PF_ATMSVC:
1271
			return SECCLASS_ATMSVC_SOCKET;
1272
		case PF_RDS:
1273
			return SECCLASS_RDS_SOCKET;
1274
		case PF_IRDA:
1275
			return SECCLASS_IRDA_SOCKET;
1276
		case PF_PPPOX:
1277
			return SECCLASS_PPPOX_SOCKET;
1278
		case PF_LLC:
1279
			return SECCLASS_LLC_SOCKET;
1280
		case PF_CAN:
1281
			return SECCLASS_CAN_SOCKET;
1282
		case PF_TIPC:
1283
			return SECCLASS_TIPC_SOCKET;
1284
		case PF_BLUETOOTH:
1285
			return SECCLASS_BLUETOOTH_SOCKET;
1286
		case PF_IUCV:
1287
			return SECCLASS_IUCV_SOCKET;
1288
		case PF_RXRPC:
1289
			return SECCLASS_RXRPC_SOCKET;
1290
		case PF_ISDN:
1291
			return SECCLASS_ISDN_SOCKET;
1292
		case PF_PHONET:
1293
			return SECCLASS_PHONET_SOCKET;
1294
		case PF_IEEE802154:
1295
			return SECCLASS_IEEE802154_SOCKET;
1296
		case PF_CAIF:
1297
			return SECCLASS_CAIF_SOCKET;
1298
		case PF_ALG:
1299
			return SECCLASS_ALG_SOCKET;
1300
		case PF_NFC:
1301
			return SECCLASS_NFC_SOCKET;
1302
		case PF_VSOCK:
1303
			return SECCLASS_VSOCK_SOCKET;
1304
		case PF_KCM:
1305
			return SECCLASS_KCM_SOCKET;
1306
		case PF_QIPCRTR:
1307
			return SECCLASS_QIPCRTR_SOCKET;
1308
		case PF_SMC:
1309
			return SECCLASS_SMC_SOCKET;
1310
		case PF_XDP:
1311
			return SECCLASS_XDP_SOCKET;
1312
		case PF_MCTP:
1313
			return SECCLASS_MCTP_SOCKET;
1314
#if PF_MAX > 46
1315
#error New address family defined, please update this function.
1316
#endif
1317
		}
1318
	}
1319

1320
	return SECCLASS_SOCKET;
1321
}
1322

1323
static int selinux_genfs_get_sid(struct dentry *dentry,
1324
				 u16 tclass,
1325
				 u16 flags,
1326
				 u32 *sid)
1327
{
1328
	int rc;
1329
	struct super_block *sb = dentry->d_sb;
1330
	char *buffer, *path;
1331

1332
	buffer = (char *)__get_free_page(GFP_KERNEL);
1333
	if (!buffer)
1334
		return -ENOMEM;
1335

1336
	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1337
	if (IS_ERR(path))
1338
		rc = PTR_ERR(path);
1339
	else {
1340
		if (flags & SE_SBPROC) {
1341
			/* each process gets a /proc/PID/ entry. Strip off the
1342
			 * PID part to get a valid selinux labeling.
1343
			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1344
			while (path[1] >= '0' && path[1] <= '9') {
1345
				path[1] = '/';
1346
				path++;
1347
			}
1348
		}
1349
		rc = security_genfs_sid(sb->s_type->name,
1350
					path, tclass, sid);
1351
		if (rc == -ENOENT) {
1352
			/* No match in policy, mark as unlabeled. */
1353
			*sid = SECINITSID_UNLABELED;
1354
			rc = 0;
1355
		}
1356
	}
1357
	free_page((unsigned long)buffer);
1358
	return rc;
1359
}
1360

1361
static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1362
				  u32 def_sid, u32 *sid)
1363
{
1364
#define INITCONTEXTLEN 255
1365
	char *context;
1366
	unsigned int len;
1367
	int rc;
1368

1369
	len = INITCONTEXTLEN;
1370
	context = kmalloc(len + 1, GFP_NOFS);
1371
	if (!context)
1372
		return -ENOMEM;
1373

1374
	context[len] = '\0';
1375
	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1376
	if (rc == -ERANGE) {
1377
		kfree(context);
1378

1379
		/* Need a larger buffer.  Query for the right size. */
1380
		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1381
		if (rc < 0)
1382
			return rc;
1383

1384
		len = rc;
1385
		context = kmalloc(len + 1, GFP_NOFS);
1386
		if (!context)
1387
			return -ENOMEM;
1388

1389
		context[len] = '\0';
1390
		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1391
				    context, len);
1392
	}
1393
	if (rc < 0) {
1394
		kfree(context);
1395
		if (rc != -ENODATA) {
1396
			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1397
				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1398
			return rc;
1399
		}
1400
		*sid = def_sid;
1401
		return 0;
1402
	}
1403

1404
	rc = security_context_to_sid_default(context, rc, sid,
1405
					     def_sid, GFP_NOFS);
1406
	if (rc) {
1407
		char *dev = inode->i_sb->s_id;
1408
		unsigned long ino = inode->i_ino;
1409

1410
		if (rc == -EINVAL) {
1411
			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1412
					      ino, dev, context);
1413
		} else {
1414
			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1415
				__func__, context, -rc, dev, ino);
1416
		}
1417
	}
1418
	kfree(context);
1419
	return 0;
1420
}
1421

1422
/* The inode's security attributes must be initialized before first use. */
1423
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1424
{
1425
	struct superblock_security_struct *sbsec = NULL;
1426
	struct inode_security_struct *isec = selinux_inode(inode);
1427
	u32 task_sid, sid = 0;
1428
	u16 sclass;
1429
	struct dentry *dentry;
1430
	int rc = 0;
1431

1432
	if (isec->initialized == LABEL_INITIALIZED)
1433
		return 0;
1434

1435
	spin_lock(&isec->lock);
1436
	if (isec->initialized == LABEL_INITIALIZED)
1437
		goto out_unlock;
1438

1439
	if (isec->sclass == SECCLASS_FILE)
1440
		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1441

1442
	sbsec = selinux_superblock(inode->i_sb);
1443
	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1444
		/* Defer initialization until selinux_complete_init,
1445
		   after the initial policy is loaded and the security
1446
		   server is ready to handle calls. */
1447
		spin_lock(&sbsec->isec_lock);
1448
		if (list_empty(&isec->list))
1449
			list_add(&isec->list, &sbsec->isec_head);
1450
		spin_unlock(&sbsec->isec_lock);
1451
		goto out_unlock;
1452
	}
1453

1454
	sclass = isec->sclass;
1455
	task_sid = isec->task_sid;
1456
	sid = isec->sid;
1457
	isec->initialized = LABEL_PENDING;
1458
	spin_unlock(&isec->lock);
1459

1460
	switch (sbsec->behavior) {
1461
	/*
1462
	 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1463
	 * via xattr when called from delayed_superblock_init().
1464
	 */
1465
	case SECURITY_FS_USE_NATIVE:
1466
	case SECURITY_FS_USE_XATTR:
1467
		if (!(inode->i_opflags & IOP_XATTR)) {
1468
			sid = sbsec->def_sid;
1469
			break;
1470
		}
1471
		/* Need a dentry, since the xattr API requires one.
1472
		   Life would be simpler if we could just pass the inode. */
1473
		if (opt_dentry) {
1474
			/* Called from d_instantiate or d_splice_alias. */
1475
			dentry = dget(opt_dentry);
1476
		} else {
1477
			/*
1478
			 * Called from selinux_complete_init, try to find a dentry.
1479
			 * Some filesystems really want a connected one, so try
1480
			 * that first.  We could split SECURITY_FS_USE_XATTR in
1481
			 * two, depending upon that...
1482
			 */
1483
			dentry = d_find_alias(inode);
1484
			if (!dentry)
1485
				dentry = d_find_any_alias(inode);
1486
		}
1487
		if (!dentry) {
1488
			/*
1489
			 * this is can be hit on boot when a file is accessed
1490
			 * before the policy is loaded.  When we load policy we
1491
			 * may find inodes that have no dentry on the
1492
			 * sbsec->isec_head list.  No reason to complain as these
1493
			 * will get fixed up the next time we go through
1494
			 * inode_doinit with a dentry, before these inodes could
1495
			 * be used again by userspace.
1496
			 */
1497
			goto out_invalid;
1498
		}
1499

1500
		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1501
					    &sid);
1502
		dput(dentry);
1503
		if (rc)
1504
			goto out;
1505
		break;
1506
	case SECURITY_FS_USE_TASK:
1507
		sid = task_sid;
1508
		break;
1509
	case SECURITY_FS_USE_TRANS:
1510
		/* Default to the fs SID. */
1511
		sid = sbsec->sid;
1512

1513
		/* Try to obtain a transition SID. */
1514
		rc = security_transition_sid(task_sid, sid,
1515
					     sclass, NULL, &sid);
1516
		if (rc)
1517
			goto out;
1518
		break;
1519
	case SECURITY_FS_USE_MNTPOINT:
1520
		sid = sbsec->mntpoint_sid;
1521
		break;
1522
	default:
1523
		/* Default to the fs superblock SID. */
1524
		sid = sbsec->sid;
1525

1526
		if ((sbsec->flags & SE_SBGENFS) &&
1527
		     (!S_ISLNK(inode->i_mode) ||
1528
		      selinux_policycap_genfs_seclabel_symlinks())) {
1529
			/* We must have a dentry to determine the label on
1530
			 * procfs inodes */
1531
			if (opt_dentry) {
1532
				/* Called from d_instantiate or
1533
				 * d_splice_alias. */
1534
				dentry = dget(opt_dentry);
1535
			} else {
1536
				/* Called from selinux_complete_init, try to
1537
				 * find a dentry.  Some filesystems really want
1538
				 * a connected one, so try that first.
1539
				 */
1540
				dentry = d_find_alias(inode);
1541
				if (!dentry)
1542
					dentry = d_find_any_alias(inode);
1543
			}
1544
			/*
1545
			 * This can be hit on boot when a file is accessed
1546
			 * before the policy is loaded.  When we load policy we
1547
			 * may find inodes that have no dentry on the
1548
			 * sbsec->isec_head list.  No reason to complain as
1549
			 * these will get fixed up the next time we go through
1550
			 * inode_doinit() with a dentry, before these inodes
1551
			 * could be used again by userspace.
1552
			 */
1553
			if (!dentry)
1554
				goto out_invalid;
1555
			rc = selinux_genfs_get_sid(dentry, sclass,
1556
						   sbsec->flags, &sid);
1557
			if (rc) {
1558
				dput(dentry);
1559
				goto out;
1560
			}
1561

1562
			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1563
			    (inode->i_opflags & IOP_XATTR)) {
1564
				rc = inode_doinit_use_xattr(inode, dentry,
1565
							    sid, &sid);
1566
				if (rc) {
1567
					dput(dentry);
1568
					goto out;
1569
				}
1570
			}
1571
			dput(dentry);
1572
		}
1573
		break;
1574
	}
1575

1576
out:
1577
	spin_lock(&isec->lock);
1578
	if (isec->initialized == LABEL_PENDING) {
1579
		if (rc) {
1580
			isec->initialized = LABEL_INVALID;
1581
			goto out_unlock;
1582
		}
1583
		isec->initialized = LABEL_INITIALIZED;
1584
		isec->sid = sid;
1585
	}
1586

1587
out_unlock:
1588
	spin_unlock(&isec->lock);
1589
	return rc;
1590

1591
out_invalid:
1592
	spin_lock(&isec->lock);
1593
	if (isec->initialized == LABEL_PENDING) {
1594
		isec->initialized = LABEL_INVALID;
1595
		isec->sid = sid;
1596
	}
1597
	spin_unlock(&isec->lock);
1598
	return 0;
1599
}
1600

1601
/* Convert a Linux signal to an access vector. */
1602
static inline u32 signal_to_av(int sig)
1603
{
1604
	u32 perm = 0;
1605

1606
	switch (sig) {
1607
	case SIGCHLD:
1608
		/* Commonly granted from child to parent. */
1609
		perm = PROCESS__SIGCHLD;
1610
		break;
1611
	case SIGKILL:
1612
		/* Cannot be caught or ignored */
1613
		perm = PROCESS__SIGKILL;
1614
		break;
1615
	case SIGSTOP:
1616
		/* Cannot be caught or ignored */
1617
		perm = PROCESS__SIGSTOP;
1618
		break;
1619
	default:
1620
		/* All other signals. */
1621
		perm = PROCESS__SIGNAL;
1622
		break;
1623
	}
1624

1625
	return perm;
1626
}
1627

1628
#if CAP_LAST_CAP > 63
1629
#error Fix SELinux to handle capabilities > 63.
1630
#endif
1631

1632
/* Check whether a task is allowed to use a capability. */
1633
static int cred_has_capability(const struct cred *cred,
1634
			       int cap, unsigned int opts, bool initns)
1635
{
1636
	struct common_audit_data ad;
1637
	struct av_decision avd;
1638
	u16 sclass;
1639
	u32 sid = cred_sid(cred);
1640
	u32 av = CAP_TO_MASK(cap);
1641
	int rc;
1642

1643
	ad.type = LSM_AUDIT_DATA_CAP;
1644
	ad.u.cap = cap;
1645

1646
	switch (CAP_TO_INDEX(cap)) {
1647
	case 0:
1648
		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1649
		break;
1650
	case 1:
1651
		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1652
		break;
1653
	default:
1654
		pr_err("SELinux:  out of range capability %d\n", cap);
1655
		BUG();
1656
		return -EINVAL;
1657
	}
1658

1659
	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1660
	if (!(opts & CAP_OPT_NOAUDIT)) {
1661
		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1662
		if (rc2)
1663
			return rc2;
1664
	}
1665
	return rc;
1666
}
1667

1668
/* Check whether a task has a particular permission to an inode.
1669
   The 'adp' parameter is optional and allows other audit
1670
   data to be passed (e.g. the dentry). */
1671
static int inode_has_perm(const struct cred *cred,
1672
			  struct inode *inode,
1673
			  u32 perms,
1674
			  struct common_audit_data *adp)
1675
{
1676
	struct inode_security_struct *isec;
1677
	u32 sid;
1678

1679
	if (unlikely(IS_PRIVATE(inode)))
1680
		return 0;
1681

1682
	sid = cred_sid(cred);
1683
	isec = selinux_inode(inode);
1684

1685
	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1686
}
1687

1688
/* Same as inode_has_perm, but pass explicit audit data containing
1689
   the dentry to help the auditing code to more easily generate the
1690
   pathname if needed. */
1691
static inline int dentry_has_perm(const struct cred *cred,
1692
				  struct dentry *dentry,
1693
				  u32 av)
1694
{
1695
	struct common_audit_data ad;
1696
	struct inode *inode = d_backing_inode(dentry);
1697
	struct inode_security_struct *isec = selinux_inode(inode);
1698

1699
	ad.type = LSM_AUDIT_DATA_DENTRY;
1700
	ad.u.dentry = dentry;
1701
	/* check below is racy, but revalidate will recheck with lock held */
1702
	if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED)))
1703
		__inode_security_revalidate(inode, dentry, true);
1704
	return inode_has_perm(cred, inode, av, &ad);
1705
}
1706

1707
/* Same as inode_has_perm, but pass explicit audit data containing
1708
   the path to help the auditing code to more easily generate the
1709
   pathname if needed. */
1710
static inline int path_has_perm(const struct cred *cred,
1711
				const struct path *path,
1712
				u32 av)
1713
{
1714
	struct common_audit_data ad;
1715
	struct inode *inode = d_backing_inode(path->dentry);
1716
	struct inode_security_struct *isec = selinux_inode(inode);
1717

1718
	ad.type = LSM_AUDIT_DATA_PATH;
1719
	ad.u.path = *path;
1720
	/* check below is racy, but revalidate will recheck with lock held */
1721
	if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED)))
1722
		__inode_security_revalidate(inode, path->dentry, true);
1723
	return inode_has_perm(cred, inode, av, &ad);
1724
}
1725

1726
/* Same as path_has_perm, but uses the inode from the file struct. */
1727
static inline int file_path_has_perm(const struct cred *cred,
1728
				     struct file *file,
1729
				     u32 av)
1730
{
1731
	struct common_audit_data ad;
1732

1733
	ad.type = LSM_AUDIT_DATA_FILE;
1734
	ad.u.file = file;
1735
	return inode_has_perm(cred, file_inode(file), av, &ad);
1736
}
1737

1738
#ifdef CONFIG_BPF_SYSCALL
1739
static int bpf_fd_pass(const struct file *file, u32 sid);
1740
#endif
1741

1742
/* Check whether a task can use an open file descriptor to
1743
   access an inode in a given way.  Check access to the
1744
   descriptor itself, and then use dentry_has_perm to
1745
   check a particular permission to the file.
1746
   Access to the descriptor is implicitly granted if it
1747
   has the same SID as the process.  If av is zero, then
1748
   access to the file is not checked, e.g. for cases
1749
   where only the descriptor is affected like seek. */
1750
static int file_has_perm(const struct cred *cred,
1751
			 struct file *file,
1752
			 u32 av)
1753
{
1754
	struct file_security_struct *fsec = selinux_file(file);
1755
	struct inode *inode = file_inode(file);
1756
	struct common_audit_data ad;
1757
	u32 sid = cred_sid(cred);
1758
	int rc;
1759

1760
	ad.type = LSM_AUDIT_DATA_FILE;
1761
	ad.u.file = file;
1762

1763
	if (sid != fsec->sid) {
1764
		rc = avc_has_perm(sid, fsec->sid,
1765
				  SECCLASS_FD,
1766
				  FD__USE,
1767
				  &ad);
1768
		if (rc)
1769
			goto out;
1770
	}
1771

1772
#ifdef CONFIG_BPF_SYSCALL
1773
	rc = bpf_fd_pass(file, cred_sid(cred));
1774
	if (rc)
1775
		return rc;
1776
#endif
1777

1778
	/* av is zero if only checking access to the descriptor. */
1779
	rc = 0;
1780
	if (av)
1781
		rc = inode_has_perm(cred, inode, av, &ad);
1782

1783
out:
1784
	return rc;
1785
}
1786

1787
/*
1788
 * Determine the label for an inode that might be unioned.
1789
 */
1790
static int
1791
selinux_determine_inode_label(const struct task_security_struct *tsec,
1792
				 struct inode *dir,
1793
				 const struct qstr *name, u16 tclass,
1794
				 u32 *_new_isid)
1795
{
1796
	const struct superblock_security_struct *sbsec =
1797
						selinux_superblock(dir->i_sb);
1798

1799
	if ((sbsec->flags & SE_SBINITIALIZED) &&
1800
	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1801
		*_new_isid = sbsec->mntpoint_sid;
1802
	} else if ((sbsec->flags & SBLABEL_MNT) &&
1803
		   tsec->create_sid) {
1804
		*_new_isid = tsec->create_sid;
1805
	} else {
1806
		const struct inode_security_struct *dsec = inode_security(dir);
1807
		return security_transition_sid(tsec->sid,
1808
					       dsec->sid, tclass,
1809
					       name, _new_isid);
1810
	}
1811

1812
	return 0;
1813
}
1814

1815
/* Check whether a task can create a file. */
1816
static int may_create(struct inode *dir,
1817
		      struct dentry *dentry,
1818
		      u16 tclass)
1819
{
1820
	const struct task_security_struct *tsec = selinux_cred(current_cred());
1821
	struct inode_security_struct *dsec;
1822
	struct superblock_security_struct *sbsec;
1823
	u32 sid, newsid;
1824
	struct common_audit_data ad;
1825
	int rc;
1826

1827
	dsec = inode_security(dir);
1828
	sbsec = selinux_superblock(dir->i_sb);
1829

1830
	sid = tsec->sid;
1831

1832
	ad.type = LSM_AUDIT_DATA_DENTRY;
1833
	ad.u.dentry = dentry;
1834

1835
	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1836
			  DIR__ADD_NAME | DIR__SEARCH,
1837
			  &ad);
1838
	if (rc)
1839
		return rc;
1840

1841
	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1842
					   &newsid);
1843
	if (rc)
1844
		return rc;
1845

1846
	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1847
	if (rc)
1848
		return rc;
1849

1850
	return avc_has_perm(newsid, sbsec->sid,
1851
			    SECCLASS_FILESYSTEM,
1852
			    FILESYSTEM__ASSOCIATE, &ad);
1853
}
1854

1855
#define MAY_LINK	0
1856
#define MAY_UNLINK	1
1857
#define MAY_RMDIR	2
1858

1859
/* Check whether a task can link, unlink, or rmdir a file/directory. */
1860
static int may_link(struct inode *dir,
1861
		    struct dentry *dentry,
1862
		    int kind)
1863

1864
{
1865
	struct inode_security_struct *dsec, *isec;
1866
	struct common_audit_data ad;
1867
	u32 sid = current_sid();
1868
	u32 av;
1869
	int rc;
1870

1871
	dsec = inode_security(dir);
1872
	isec = backing_inode_security(dentry);
1873

1874
	ad.type = LSM_AUDIT_DATA_DENTRY;
1875
	ad.u.dentry = dentry;
1876

1877
	av = DIR__SEARCH;
1878
	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1879
	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1880
	if (rc)
1881
		return rc;
1882

1883
	switch (kind) {
1884
	case MAY_LINK:
1885
		av = FILE__LINK;
1886
		break;
1887
	case MAY_UNLINK:
1888
		av = FILE__UNLINK;
1889
		break;
1890
	case MAY_RMDIR:
1891
		av = DIR__RMDIR;
1892
		break;
1893
	default:
1894
		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1895
			__func__, kind);
1896
		return 0;
1897
	}
1898

1899
	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1900
	return rc;
1901
}
1902

1903
static inline int may_rename(struct inode *old_dir,
1904
			     struct dentry *old_dentry,
1905
			     struct inode *new_dir,
1906
			     struct dentry *new_dentry)
1907
{
1908
	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1909
	struct common_audit_data ad;
1910
	u32 sid = current_sid();
1911
	u32 av;
1912
	int old_is_dir, new_is_dir;
1913
	int rc;
1914

1915
	old_dsec = inode_security(old_dir);
1916
	old_isec = backing_inode_security(old_dentry);
1917
	old_is_dir = d_is_dir(old_dentry);
1918
	new_dsec = inode_security(new_dir);
1919

1920
	ad.type = LSM_AUDIT_DATA_DENTRY;
1921

1922
	ad.u.dentry = old_dentry;
1923
	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1924
			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1925
	if (rc)
1926
		return rc;
1927
	rc = avc_has_perm(sid, old_isec->sid,
1928
			  old_isec->sclass, FILE__RENAME, &ad);
1929
	if (rc)
1930
		return rc;
1931
	if (old_is_dir && new_dir != old_dir) {
1932
		rc = avc_has_perm(sid, old_isec->sid,
1933
				  old_isec->sclass, DIR__REPARENT, &ad);
1934
		if (rc)
1935
			return rc;
1936
	}
1937

1938
	ad.u.dentry = new_dentry;
1939
	av = DIR__ADD_NAME | DIR__SEARCH;
1940
	if (d_is_positive(new_dentry))
1941
		av |= DIR__REMOVE_NAME;
1942
	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1943
	if (rc)
1944
		return rc;
1945
	if (d_is_positive(new_dentry)) {
1946
		new_isec = backing_inode_security(new_dentry);
1947
		new_is_dir = d_is_dir(new_dentry);
1948
		rc = avc_has_perm(sid, new_isec->sid,
1949
				  new_isec->sclass,
1950
				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1951
		if (rc)
1952
			return rc;
1953
	}
1954

1955
	return 0;
1956
}
1957

1958
/* Check whether a task can perform a filesystem operation. */
1959
static int superblock_has_perm(const struct cred *cred,
1960
			       const struct super_block *sb,
1961
			       u32 perms,
1962
			       struct common_audit_data *ad)
1963
{
1964
	struct superblock_security_struct *sbsec;
1965
	u32 sid = cred_sid(cred);
1966

1967
	sbsec = selinux_superblock(sb);
1968
	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1969
}
1970

1971
/* Convert a Linux mode and permission mask to an access vector. */
1972
static inline u32 file_mask_to_av(int mode, int mask)
1973
{
1974
	u32 av = 0;
1975

1976
	if (!S_ISDIR(mode)) {
1977
		if (mask & MAY_EXEC)
1978
			av |= FILE__EXECUTE;
1979
		if (mask & MAY_READ)
1980
			av |= FILE__READ;
1981

1982
		if (mask & MAY_APPEND)
1983
			av |= FILE__APPEND;
1984
		else if (mask & MAY_WRITE)
1985
			av |= FILE__WRITE;
1986

1987
	} else {
1988
		if (mask & MAY_EXEC)
1989
			av |= DIR__SEARCH;
1990
		if (mask & MAY_WRITE)
1991
			av |= DIR__WRITE;
1992
		if (mask & MAY_READ)
1993
			av |= DIR__READ;
1994
	}
1995

1996
	return av;
1997
}
1998

1999
/* Convert a Linux file to an access vector. */
2000
static inline u32 file_to_av(const struct file *file)
2001
{
2002
	u32 av = 0;
2003

2004
	if (file->f_mode & FMODE_READ)
2005
		av |= FILE__READ;
2006
	if (file->f_mode & FMODE_WRITE) {
2007
		if (file->f_flags & O_APPEND)
2008
			av |= FILE__APPEND;
2009
		else
2010
			av |= FILE__WRITE;
2011
	}
2012
	if (!av) {
2013
		/*
2014
		 * Special file opened with flags 3 for ioctl-only use.
2015
		 */
2016
		av = FILE__IOCTL;
2017
	}
2018

2019
	return av;
2020
}
2021

2022
/*
2023
 * Convert a file to an access vector and include the correct
2024
 * open permission.
2025
 */
2026
static inline u32 open_file_to_av(struct file *file)
2027
{
2028
	u32 av = file_to_av(file);
2029
	struct inode *inode = file_inode(file);
2030

2031
	if (selinux_policycap_openperm() &&
2032
	    inode->i_sb->s_magic != SOCKFS_MAGIC)
2033
		av |= FILE__OPEN;
2034

2035
	return av;
2036
}
2037

2038
/* Hook functions begin here. */
2039

2040
static int selinux_binder_set_context_mgr(const struct cred *mgr)
2041
{
2042
	return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2043
			    BINDER__SET_CONTEXT_MGR, NULL);
2044
}
2045

2046
static int selinux_binder_transaction(const struct cred *from,
2047
				      const struct cred *to)
2048
{
2049
	u32 mysid = current_sid();
2050
	u32 fromsid = cred_sid(from);
2051
	u32 tosid = cred_sid(to);
2052
	int rc;
2053

2054
	if (mysid != fromsid) {
2055
		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2056
				  BINDER__IMPERSONATE, NULL);
2057
		if (rc)
2058
			return rc;
2059
	}
2060

2061
	return avc_has_perm(fromsid, tosid,
2062
			    SECCLASS_BINDER, BINDER__CALL, NULL);
2063
}
2064

2065
static int selinux_binder_transfer_binder(const struct cred *from,
2066
					  const struct cred *to)
2067
{
2068
	return avc_has_perm(cred_sid(from), cred_sid(to),
2069
			    SECCLASS_BINDER, BINDER__TRANSFER,
2070
			    NULL);
2071
}
2072

2073
static int selinux_binder_transfer_file(const struct cred *from,
2074
					const struct cred *to,
2075
					const struct file *file)
2076
{
2077
	u32 sid = cred_sid(to);
2078
	struct file_security_struct *fsec = selinux_file(file);
2079
	struct dentry *dentry = file->f_path.dentry;
2080
	struct inode_security_struct *isec;
2081
	struct common_audit_data ad;
2082
	int rc;
2083

2084
	ad.type = LSM_AUDIT_DATA_PATH;
2085
	ad.u.path = file->f_path;
2086

2087
	if (sid != fsec->sid) {
2088
		rc = avc_has_perm(sid, fsec->sid,
2089
				  SECCLASS_FD,
2090
				  FD__USE,
2091
				  &ad);
2092
		if (rc)
2093
			return rc;
2094
	}
2095

2096
#ifdef CONFIG_BPF_SYSCALL
2097
	rc = bpf_fd_pass(file, sid);
2098
	if (rc)
2099
		return rc;
2100
#endif
2101

2102
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2103
		return 0;
2104

2105
	isec = backing_inode_security(dentry);
2106
	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2107
			    &ad);
2108
}
2109

2110
static int selinux_ptrace_access_check(struct task_struct *child,
2111
				       unsigned int mode)
2112
{
2113
	u32 sid = current_sid();
2114
	u32 csid = task_sid_obj(child);
2115

2116
	if (mode & PTRACE_MODE_READ)
2117
		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2118
				NULL);
2119

2120
	return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2121
			NULL);
2122
}
2123

2124
static int selinux_ptrace_traceme(struct task_struct *parent)
2125
{
2126
	return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
2127
			    SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2128
}
2129

2130
static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
2131
			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2132
{
2133
	return avc_has_perm(current_sid(), task_sid_obj(target),
2134
			SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
2135
}
2136

2137
static int selinux_capset(struct cred *new, const struct cred *old,
2138
			  const kernel_cap_t *effective,
2139
			  const kernel_cap_t *inheritable,
2140
			  const kernel_cap_t *permitted)
2141
{
2142
	return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2143
			    PROCESS__SETCAP, NULL);
2144
}
2145

2146
/*
2147
 * (This comment used to live with the selinux_task_setuid hook,
2148
 * which was removed).
2149
 *
2150
 * Since setuid only affects the current process, and since the SELinux
2151
 * controls are not based on the Linux identity attributes, SELinux does not
2152
 * need to control this operation.  However, SELinux does control the use of
2153
 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2154
 */
2155

2156
static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2157
			   int cap, unsigned int opts)
2158
{
2159
	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2160
}
2161

2162
static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb)
2163
{
2164
	const struct cred *cred = current_cred();
2165
	int rc = 0;
2166

2167
	if (!sb)
2168
		return 0;
2169

2170
	switch (cmds) {
2171
	case Q_SYNC:
2172
	case Q_QUOTAON:
2173
	case Q_QUOTAOFF:
2174
	case Q_SETINFO:
2175
	case Q_SETQUOTA:
2176
	case Q_XQUOTAOFF:
2177
	case Q_XQUOTAON:
2178
	case Q_XSETQLIM:
2179
		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2180
		break;
2181
	case Q_GETFMT:
2182
	case Q_GETINFO:
2183
	case Q_GETQUOTA:
2184
	case Q_XGETQUOTA:
2185
	case Q_XGETQSTAT:
2186
	case Q_XGETQSTATV:
2187
	case Q_XGETNEXTQUOTA:
2188
		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2189
		break;
2190
	default:
2191
		rc = 0;  /* let the kernel handle invalid cmds */
2192
		break;
2193
	}
2194
	return rc;
2195
}
2196

2197
static int selinux_quota_on(struct dentry *dentry)
2198
{
2199
	const struct cred *cred = current_cred();
2200

2201
	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2202
}
2203

2204
static int selinux_syslog(int type)
2205
{
2206
	switch (type) {
2207
	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2208
	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2209
		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2210
				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2211
	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2212
	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2213
	/* Set level of messages printed to console */
2214
	case SYSLOG_ACTION_CONSOLE_LEVEL:
2215
		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2216
				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2217
				    NULL);
2218
	}
2219
	/* All other syslog types */
2220
	return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2221
			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2222
}
2223

2224
/*
2225
 * Check permission for allocating a new virtual mapping. Returns
2226
 * 0 if permission is granted, negative error code if not.
2227
 *
2228
 * Do not audit the selinux permission check, as this is applied to all
2229
 * processes that allocate mappings.
2230
 */
2231
static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2232
{
2233
	return cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2234
				   CAP_OPT_NOAUDIT, true);
2235
}
2236

2237
/* binprm security operations */
2238

2239
static u32 ptrace_parent_sid(void)
2240
{
2241
	u32 sid = 0;
2242
	struct task_struct *tracer;
2243

2244
	rcu_read_lock();
2245
	tracer = ptrace_parent(current);
2246
	if (tracer)
2247
		sid = task_sid_obj(tracer);
2248
	rcu_read_unlock();
2249

2250
	return sid;
2251
}
2252

2253
static int check_nnp_nosuid(const struct linux_binprm *bprm,
2254
			    const struct task_security_struct *old_tsec,
2255
			    const struct task_security_struct *new_tsec)
2256
{
2257
	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2258
	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2259
	int rc;
2260
	u32 av;
2261

2262
	if (!nnp && !nosuid)
2263
		return 0; /* neither NNP nor nosuid */
2264

2265
	if (new_tsec->sid == old_tsec->sid)
2266
		return 0; /* No change in credentials */
2267

2268
	/*
2269
	 * If the policy enables the nnp_nosuid_transition policy capability,
2270
	 * then we permit transitions under NNP or nosuid if the
2271
	 * policy allows the corresponding permission between
2272
	 * the old and new contexts.
2273
	 */
2274
	if (selinux_policycap_nnp_nosuid_transition()) {
2275
		av = 0;
2276
		if (nnp)
2277
			av |= PROCESS2__NNP_TRANSITION;
2278
		if (nosuid)
2279
			av |= PROCESS2__NOSUID_TRANSITION;
2280
		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2281
				  SECCLASS_PROCESS2, av, NULL);
2282
		if (!rc)
2283
			return 0;
2284
	}
2285

2286
	/*
2287
	 * We also permit NNP or nosuid transitions to bounded SIDs,
2288
	 * i.e. SIDs that are guaranteed to only be allowed a subset
2289
	 * of the permissions of the current SID.
2290
	 */
2291
	rc = security_bounded_transition(old_tsec->sid,
2292
					 new_tsec->sid);
2293
	if (!rc)
2294
		return 0;
2295

2296
	/*
2297
	 * On failure, preserve the errno values for NNP vs nosuid.
2298
	 * NNP:  Operation not permitted for caller.
2299
	 * nosuid:  Permission denied to file.
2300
	 */
2301
	if (nnp)
2302
		return -EPERM;
2303
	return -EACCES;
2304
}
2305

2306
static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2307
{
2308
	const struct task_security_struct *old_tsec;
2309
	struct task_security_struct *new_tsec;
2310
	struct inode_security_struct *isec;
2311
	struct common_audit_data ad;
2312
	struct inode *inode = file_inode(bprm->file);
2313
	int rc;
2314

2315
	/* SELinux context only depends on initial program or script and not
2316
	 * the script interpreter */
2317

2318
	old_tsec = selinux_cred(current_cred());
2319
	new_tsec = selinux_cred(bprm->cred);
2320
	isec = inode_security(inode);
2321

2322
	/* Default to the current task SID. */
2323
	new_tsec->sid = old_tsec->sid;
2324
	new_tsec->osid = old_tsec->sid;
2325

2326
	/* Reset fs, key, and sock SIDs on execve. */
2327
	new_tsec->create_sid = 0;
2328
	new_tsec->keycreate_sid = 0;
2329
	new_tsec->sockcreate_sid = 0;
2330

2331
	/*
2332
	 * Before policy is loaded, label any task outside kernel space
2333
	 * as SECINITSID_INIT, so that any userspace tasks surviving from
2334
	 * early boot end up with a label different from SECINITSID_KERNEL
2335
	 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).
2336
	 */
2337
	if (!selinux_initialized()) {
2338
		new_tsec->sid = SECINITSID_INIT;
2339
		/* also clear the exec_sid just in case */
2340
		new_tsec->exec_sid = 0;
2341
		return 0;
2342
	}
2343

2344
	if (old_tsec->exec_sid) {
2345
		new_tsec->sid = old_tsec->exec_sid;
2346
		/* Reset exec SID on execve. */
2347
		new_tsec->exec_sid = 0;
2348

2349
		/* Fail on NNP or nosuid if not an allowed transition. */
2350
		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2351
		if (rc)
2352
			return rc;
2353
	} else {
2354
		/* Check for a default transition on this program. */
2355
		rc = security_transition_sid(old_tsec->sid,
2356
					     isec->sid, SECCLASS_PROCESS, NULL,
2357
					     &new_tsec->sid);
2358
		if (rc)
2359
			return rc;
2360

2361
		/*
2362
		 * Fallback to old SID on NNP or nosuid if not an allowed
2363
		 * transition.
2364
		 */
2365
		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2366
		if (rc)
2367
			new_tsec->sid = old_tsec->sid;
2368
	}
2369

2370
	ad.type = LSM_AUDIT_DATA_FILE;
2371
	ad.u.file = bprm->file;
2372

2373
	if (new_tsec->sid == old_tsec->sid) {
2374
		rc = avc_has_perm(old_tsec->sid, isec->sid,
2375
				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2376
		if (rc)
2377
			return rc;
2378
	} else {
2379
		/* Check permissions for the transition. */
2380
		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2381
				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2382
		if (rc)
2383
			return rc;
2384

2385
		rc = avc_has_perm(new_tsec->sid, isec->sid,
2386
				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2387
		if (rc)
2388
			return rc;
2389

2390
		/* Check for shared state */
2391
		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2392
			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2393
					  SECCLASS_PROCESS, PROCESS__SHARE,
2394
					  NULL);
2395
			if (rc)
2396
				return -EPERM;
2397
		}
2398

2399
		/* Make sure that anyone attempting to ptrace over a task that
2400
		 * changes its SID has the appropriate permit */
2401
		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2402
			u32 ptsid = ptrace_parent_sid();
2403
			if (ptsid != 0) {
2404
				rc = avc_has_perm(ptsid, new_tsec->sid,
2405
						  SECCLASS_PROCESS,
2406
						  PROCESS__PTRACE, NULL);
2407
				if (rc)
2408
					return -EPERM;
2409
			}
2410
		}
2411

2412
		/* Clear any possibly unsafe personality bits on exec: */
2413
		bprm->per_clear |= PER_CLEAR_ON_SETID;
2414

2415
		/* Enable secure mode for SIDs transitions unless
2416
		   the noatsecure permission is granted between
2417
		   the two SIDs, i.e. ahp returns 0. */
2418
		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2419
				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2420
				  NULL);
2421
		bprm->secureexec |= !!rc;
2422
	}
2423

2424
	return 0;
2425
}
2426

2427
static int match_file(const void *p, struct file *file, unsigned fd)
2428
{
2429
	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2430
}
2431

2432
/* Derived from fs/exec.c:flush_old_files. */
2433
static inline void flush_unauthorized_files(const struct cred *cred,
2434
					    struct files_struct *files)
2435
{
2436
	struct file *file, *devnull = NULL;
2437
	struct tty_struct *tty;
2438
	int drop_tty = 0;
2439
	unsigned n;
2440

2441
	tty = get_current_tty();
2442
	if (tty) {
2443
		spin_lock(&tty->files_lock);
2444
		if (!list_empty(&tty->tty_files)) {
2445
			struct tty_file_private *file_priv;
2446

2447
			/* Revalidate access to controlling tty.
2448
			   Use file_path_has_perm on the tty path directly
2449
			   rather than using file_has_perm, as this particular
2450
			   open file may belong to another process and we are
2451
			   only interested in the inode-based check here. */
2452
			file_priv = list_first_entry(&tty->tty_files,
2453
						struct tty_file_private, list);
2454
			file = file_priv->file;
2455
			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2456
				drop_tty = 1;
2457
		}
2458
		spin_unlock(&tty->files_lock);
2459
		tty_kref_put(tty);
2460
	}
2461
	/* Reset controlling tty. */
2462
	if (drop_tty)
2463
		no_tty();
2464

2465
	/* Revalidate access to inherited open files. */
2466
	n = iterate_fd(files, 0, match_file, cred);
2467
	if (!n) /* none found? */
2468
		return;
2469

2470
	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2471
	if (IS_ERR(devnull))
2472
		devnull = NULL;
2473
	/* replace all the matching ones with this */
2474
	do {
2475
		replace_fd(n - 1, devnull, 0);
2476
	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2477
	if (devnull)
2478
		fput(devnull);
2479
}
2480

2481
/*
2482
 * Prepare a process for imminent new credential changes due to exec
2483
 */
2484
static void selinux_bprm_committing_creds(const struct linux_binprm *bprm)
2485
{
2486
	struct task_security_struct *new_tsec;
2487
	struct rlimit *rlim, *initrlim;
2488
	int rc, i;
2489

2490
	new_tsec = selinux_cred(bprm->cred);
2491
	if (new_tsec->sid == new_tsec->osid)
2492
		return;
2493

2494
	/* Close files for which the new task SID is not authorized. */
2495
	flush_unauthorized_files(bprm->cred, current->files);
2496

2497
	/* Always clear parent death signal on SID transitions. */
2498
	current->pdeath_signal = 0;
2499

2500
	/* Check whether the new SID can inherit resource limits from the old
2501
	 * SID.  If not, reset all soft limits to the lower of the current
2502
	 * task's hard limit and the init task's soft limit.
2503
	 *
2504
	 * Note that the setting of hard limits (even to lower them) can be
2505
	 * controlled by the setrlimit check.  The inclusion of the init task's
2506
	 * soft limit into the computation is to avoid resetting soft limits
2507
	 * higher than the default soft limit for cases where the default is
2508
	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2509
	 */
2510
	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2511
			  PROCESS__RLIMITINH, NULL);
2512
	if (rc) {
2513
		/* protect against do_prlimit() */
2514
		task_lock(current);
2515
		for (i = 0; i < RLIM_NLIMITS; i++) {
2516
			rlim = current->signal->rlim + i;
2517
			initrlim = init_task.signal->rlim + i;
2518
			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2519
		}
2520
		task_unlock(current);
2521
		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2522
			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2523
	}
2524
}
2525

2526
/*
2527
 * Clean up the process immediately after the installation of new credentials
2528
 * due to exec
2529
 */
2530
static void selinux_bprm_committed_creds(const struct linux_binprm *bprm)
2531
{
2532
	const struct task_security_struct *tsec = selinux_cred(current_cred());
2533
	u32 osid, sid;
2534
	int rc;
2535

2536
	osid = tsec->osid;
2537
	sid = tsec->sid;
2538

2539
	if (sid == osid)
2540
		return;
2541

2542
	/* Check whether the new SID can inherit signal state from the old SID.
2543
	 * If not, clear itimers to avoid subsequent signal generation and
2544
	 * flush and unblock signals.
2545
	 *
2546
	 * This must occur _after_ the task SID has been updated so that any
2547
	 * kill done after the flush will be checked against the new SID.
2548
	 */
2549
	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2550
	if (rc) {
2551
		clear_itimer();
2552

2553
		spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2554
		if (!fatal_signal_pending(current)) {
2555
			flush_sigqueue(&current->pending);
2556
			flush_sigqueue(&current->signal->shared_pending);
2557
			flush_signal_handlers(current, 1);
2558
			sigemptyset(&current->blocked);
2559
			recalc_sigpending();
2560
		}
2561
		spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2562
	}
2563

2564
	/* Wake up the parent if it is waiting so that it can recheck
2565
	 * wait permission to the new task SID. */
2566
	read_lock(&tasklist_lock);
2567
	__wake_up_parent(current, unrcu_pointer(current->real_parent));
2568
	read_unlock(&tasklist_lock);
2569
}
2570

2571
/* superblock security operations */
2572

2573
static int selinux_sb_alloc_security(struct super_block *sb)
2574
{
2575
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2576

2577
	mutex_init(&sbsec->lock);
2578
	INIT_LIST_HEAD(&sbsec->isec_head);
2579
	spin_lock_init(&sbsec->isec_lock);
2580
	sbsec->sid = SECINITSID_UNLABELED;
2581
	sbsec->def_sid = SECINITSID_FILE;
2582
	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2583

2584
	return 0;
2585
}
2586

2587
static inline int opt_len(const char *s)
2588
{
2589
	bool open_quote = false;
2590
	int len;
2591
	char c;
2592

2593
	for (len = 0; (c = s[len]) != '\0'; len++) {
2594
		if (c == '"')
2595
			open_quote = !open_quote;
2596
		if (c == ',' && !open_quote)
2597
			break;
2598
	}
2599
	return len;
2600
}
2601

2602
static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2603
{
2604
	char *from = options;
2605
	char *to = options;
2606
	bool first = true;
2607
	int rc;
2608

2609
	while (1) {
2610
		int len = opt_len(from);
2611
		int token;
2612
		char *arg = NULL;
2613

2614
		token = match_opt_prefix(from, len, &arg);
2615

2616
		if (token != Opt_error) {
2617
			char *p, *q;
2618

2619
			/* strip quotes */
2620
			if (arg) {
2621
				for (p = q = arg; p < from + len; p++) {
2622
					char c = *p;
2623
					if (c != '"')
2624
						*q++ = c;
2625
				}
2626
				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2627
				if (!arg) {
2628
					rc = -ENOMEM;
2629
					goto free_opt;
2630
				}
2631
			}
2632
			rc = selinux_add_opt(token, arg, mnt_opts);
2633
			kfree(arg);
2634
			arg = NULL;
2635
			if (unlikely(rc)) {
2636
				goto free_opt;
2637
			}
2638
		} else {
2639
			if (!first) {	// copy with preceding comma
2640
				from--;
2641
				len++;
2642
			}
2643
			if (to != from)
2644
				memmove(to, from, len);
2645
			to += len;
2646
			first = false;
2647
		}
2648
		if (!from[len])
2649
			break;
2650
		from += len + 1;
2651
	}
2652
	*to = '\0';
2653
	return 0;
2654

2655
free_opt:
2656
	if (*mnt_opts) {
2657
		selinux_free_mnt_opts(*mnt_opts);
2658
		*mnt_opts = NULL;
2659
	}
2660
	return rc;
2661
}
2662

2663
static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2664
{
2665
	struct selinux_mnt_opts *opts = mnt_opts;
2666
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2667

2668
	/*
2669
	 * Superblock not initialized (i.e. no options) - reject if any
2670
	 * options specified, otherwise accept.
2671
	 */
2672
	if (!(sbsec->flags & SE_SBINITIALIZED))
2673
		return opts ? 1 : 0;
2674

2675
	/*
2676
	 * Superblock initialized and no options specified - reject if
2677
	 * superblock has any options set, otherwise accept.
2678
	 */
2679
	if (!opts)
2680
		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2681

2682
	if (opts->fscontext_sid) {
2683
		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2684
			       opts->fscontext_sid))
2685
			return 1;
2686
	}
2687
	if (opts->context_sid) {
2688
		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2689
			       opts->context_sid))
2690
			return 1;
2691
	}
2692
	if (opts->rootcontext_sid) {
2693
		struct inode_security_struct *root_isec;
2694

2695
		root_isec = backing_inode_security(sb->s_root);
2696
		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2697
			       opts->rootcontext_sid))
2698
			return 1;
2699
	}
2700
	if (opts->defcontext_sid) {
2701
		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2702
			       opts->defcontext_sid))
2703
			return 1;
2704
	}
2705
	return 0;
2706
}
2707

2708
static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2709
{
2710
	struct selinux_mnt_opts *opts = mnt_opts;
2711
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2712

2713
	if (!(sbsec->flags & SE_SBINITIALIZED))
2714
		return 0;
2715

2716
	if (!opts)
2717
		return 0;
2718

2719
	if (opts->fscontext_sid) {
2720
		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2721
			       opts->fscontext_sid))
2722
			goto out_bad_option;
2723
	}
2724
	if (opts->context_sid) {
2725
		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2726
			       opts->context_sid))
2727
			goto out_bad_option;
2728
	}
2729
	if (opts->rootcontext_sid) {
2730
		struct inode_security_struct *root_isec;
2731
		root_isec = backing_inode_security(sb->s_root);
2732
		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2733
			       opts->rootcontext_sid))
2734
			goto out_bad_option;
2735
	}
2736
	if (opts->defcontext_sid) {
2737
		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2738
			       opts->defcontext_sid))
2739
			goto out_bad_option;
2740
	}
2741
	return 0;
2742

2743
out_bad_option:
2744
	pr_warn("SELinux: unable to change security options "
2745
	       "during remount (dev %s, type=%s)\n", sb->s_id,
2746
	       sb->s_type->name);
2747
	return -EINVAL;
2748
}
2749

2750
static int selinux_sb_kern_mount(const struct super_block *sb)
2751
{
2752
	const struct cred *cred = current_cred();
2753
	struct common_audit_data ad;
2754

2755
	ad.type = LSM_AUDIT_DATA_DENTRY;
2756
	ad.u.dentry = sb->s_root;
2757
	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2758
}
2759

2760
static int selinux_sb_statfs(struct dentry *dentry)
2761
{
2762
	const struct cred *cred = current_cred();
2763
	struct common_audit_data ad;
2764

2765
	ad.type = LSM_AUDIT_DATA_DENTRY;
2766
	ad.u.dentry = dentry->d_sb->s_root;
2767
	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2768
}
2769

2770
static int selinux_mount(const char *dev_name,
2771
			 const struct path *path,
2772
			 const char *type,
2773
			 unsigned long flags,
2774
			 void *data)
2775
{
2776
	const struct cred *cred = current_cred();
2777

2778
	if (flags & MS_REMOUNT)
2779
		return superblock_has_perm(cred, path->dentry->d_sb,
2780
					   FILESYSTEM__REMOUNT, NULL);
2781
	else
2782
		return path_has_perm(cred, path, FILE__MOUNTON);
2783
}
2784

2785
static int selinux_move_mount(const struct path *from_path,
2786
			      const struct path *to_path)
2787
{
2788
	const struct cred *cred = current_cred();
2789

2790
	return path_has_perm(cred, to_path, FILE__MOUNTON);
2791
}
2792

2793
static int selinux_umount(struct vfsmount *mnt, int flags)
2794
{
2795
	const struct cred *cred = current_cred();
2796

2797
	return superblock_has_perm(cred, mnt->mnt_sb,
2798
				   FILESYSTEM__UNMOUNT, NULL);
2799
}
2800

2801
static int selinux_fs_context_submount(struct fs_context *fc,
2802
				   struct super_block *reference)
2803
{
2804
	const struct superblock_security_struct *sbsec = selinux_superblock(reference);
2805
	struct selinux_mnt_opts *opts;
2806

2807
	/*
2808
	 * Ensure that fc->security remains NULL when no options are set
2809
	 * as expected by selinux_set_mnt_opts().
2810
	 */
2811
	if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2812
		return 0;
2813

2814
	opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2815
	if (!opts)
2816
		return -ENOMEM;
2817

2818
	if (sbsec->flags & FSCONTEXT_MNT)
2819
		opts->fscontext_sid = sbsec->sid;
2820
	if (sbsec->flags & CONTEXT_MNT)
2821
		opts->context_sid = sbsec->mntpoint_sid;
2822
	if (sbsec->flags & DEFCONTEXT_MNT)
2823
		opts->defcontext_sid = sbsec->def_sid;
2824
	fc->security = opts;
2825
	return 0;
2826
}
2827

2828
static int selinux_fs_context_dup(struct fs_context *fc,
2829
				  struct fs_context *src_fc)
2830
{
2831
	const struct selinux_mnt_opts *src = src_fc->security;
2832

2833
	if (!src)
2834
		return 0;
2835

2836
	fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2837
	return fc->security ? 0 : -ENOMEM;
2838
}
2839

2840
static const struct fs_parameter_spec selinux_fs_parameters[] = {
2841
	fsparam_string(CONTEXT_STR,	Opt_context),
2842
	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2843
	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2844
	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2845
	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2846
	{}
2847
};
2848

2849
static int selinux_fs_context_parse_param(struct fs_context *fc,
2850
					  struct fs_parameter *param)
2851
{
2852
	struct fs_parse_result result;
2853
	int opt;
2854

2855
	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2856
	if (opt < 0)
2857
		return opt;
2858

2859
	return selinux_add_opt(opt, param->string, &fc->security);
2860
}
2861

2862
/* inode security operations */
2863

2864
static int selinux_inode_alloc_security(struct inode *inode)
2865
{
2866
	struct inode_security_struct *isec = selinux_inode(inode);
2867
	u32 sid = current_sid();
2868

2869
	spin_lock_init(&isec->lock);
2870
	INIT_LIST_HEAD(&isec->list);
2871
	isec->inode = inode;
2872
	isec->sid = SECINITSID_UNLABELED;
2873
	isec->sclass = SECCLASS_FILE;
2874
	isec->task_sid = sid;
2875
	isec->initialized = LABEL_INVALID;
2876

2877
	return 0;
2878
}
2879

2880
static void selinux_inode_free_security(struct inode *inode)
2881
{
2882
	inode_free_security(inode);
2883
}
2884

2885
static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2886
					const struct qstr *name,
2887
					const char **xattr_name,
2888
					struct lsm_context *cp)
2889
{
2890
	u32 newsid;
2891
	int rc;
2892

2893
	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2894
					   d_inode(dentry->d_parent), name,
2895
					   inode_mode_to_security_class(mode),
2896
					   &newsid);
2897
	if (rc)
2898
		return rc;
2899

2900
	if (xattr_name)
2901
		*xattr_name = XATTR_NAME_SELINUX;
2902

2903
	cp->id = LSM_ID_SELINUX;
2904
	return security_sid_to_context(newsid, &cp->context, &cp->len);
2905
}
2906

2907
static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2908
					  const struct qstr *name,
2909
					  const struct cred *old,
2910
					  struct cred *new)
2911
{
2912
	u32 newsid;
2913
	int rc;
2914
	struct task_security_struct *tsec;
2915

2916
	rc = selinux_determine_inode_label(selinux_cred(old),
2917
					   d_inode(dentry->d_parent), name,
2918
					   inode_mode_to_security_class(mode),
2919
					   &newsid);
2920
	if (rc)
2921
		return rc;
2922

2923
	tsec = selinux_cred(new);
2924
	tsec->create_sid = newsid;
2925
	return 0;
2926
}
2927

2928
static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2929
				       const struct qstr *qstr,
2930
				       struct xattr *xattrs, int *xattr_count)
2931
{
2932
	const struct task_security_struct *tsec = selinux_cred(current_cred());
2933
	struct superblock_security_struct *sbsec;
2934
	struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
2935
	u32 newsid, clen;
2936
	u16 newsclass;
2937
	int rc;
2938
	char *context;
2939

2940
	sbsec = selinux_superblock(dir->i_sb);
2941

2942
	newsid = tsec->create_sid;
2943
	newsclass = inode_mode_to_security_class(inode->i_mode);
2944
	rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid);
2945
	if (rc)
2946
		return rc;
2947

2948
	/* Possibly defer initialization to selinux_complete_init. */
2949
	if (sbsec->flags & SE_SBINITIALIZED) {
2950
		struct inode_security_struct *isec = selinux_inode(inode);
2951
		isec->sclass = newsclass;
2952
		isec->sid = newsid;
2953
		isec->initialized = LABEL_INITIALIZED;
2954
	}
2955

2956
	if (!selinux_initialized() ||
2957
	    !(sbsec->flags & SBLABEL_MNT))
2958
		return -EOPNOTSUPP;
2959

2960
	if (xattr) {
2961
		rc = security_sid_to_context_force(newsid,
2962
						   &context, &clen);
2963
		if (rc)
2964
			return rc;
2965
		xattr->value = context;
2966
		xattr->value_len = clen;
2967
		xattr->name = XATTR_SELINUX_SUFFIX;
2968
	}
2969

2970
	return 0;
2971
}
2972

2973
static int selinux_inode_init_security_anon(struct inode *inode,
2974
					    const struct qstr *name,
2975
					    const struct inode *context_inode)
2976
{
2977
	u32 sid = current_sid();
2978
	struct common_audit_data ad;
2979
	struct inode_security_struct *isec;
2980
	int rc;
2981

2982
	if (unlikely(!selinux_initialized()))
2983
		return 0;
2984

2985
	isec = selinux_inode(inode);
2986

2987
	/*
2988
	 * We only get here once per ephemeral inode.  The inode has
2989
	 * been initialized via inode_alloc_security but is otherwise
2990
	 * untouched.
2991
	 */
2992

2993
	if (context_inode) {
2994
		struct inode_security_struct *context_isec =
2995
			selinux_inode(context_inode);
2996
		if (context_isec->initialized != LABEL_INITIALIZED) {
2997
			pr_err("SELinux:  context_inode is not initialized\n");
2998
			return -EACCES;
2999
		}
3000

3001
		isec->sclass = context_isec->sclass;
3002
		isec->sid = context_isec->sid;
3003
	} else {
3004
		isec->sclass = SECCLASS_ANON_INODE;
3005
		rc = security_transition_sid(
3006
			sid, sid,
3007
			isec->sclass, name, &isec->sid);
3008
		if (rc)
3009
			return rc;
3010
	}
3011

3012
	isec->initialized = LABEL_INITIALIZED;
3013
	/*
3014
	 * Now that we've initialized security, check whether we're
3015
	 * allowed to actually create this type of anonymous inode.
3016
	 */
3017

3018
	ad.type = LSM_AUDIT_DATA_ANONINODE;
3019
	ad.u.anonclass = name ? (const char *)name->name : "?";
3020

3021
	return avc_has_perm(sid,
3022
			    isec->sid,
3023
			    isec->sclass,
3024
			    FILE__CREATE,
3025
			    &ad);
3026
}
3027

3028
static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3029
{
3030
	return may_create(dir, dentry, SECCLASS_FILE);
3031
}
3032

3033
static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3034
{
3035
	return may_link(dir, old_dentry, MAY_LINK);
3036
}
3037

3038
static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3039
{
3040
	return may_link(dir, dentry, MAY_UNLINK);
3041
}
3042

3043
static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3044
{
3045
	return may_create(dir, dentry, SECCLASS_LNK_FILE);
3046
}
3047

3048
static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3049
{
3050
	return may_create(dir, dentry, SECCLASS_DIR);
3051
}
3052

3053
static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3054
{
3055
	return may_link(dir, dentry, MAY_RMDIR);
3056
}
3057

3058
static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3059
{
3060
	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3061
}
3062

3063
static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3064
				struct inode *new_inode, struct dentry *new_dentry)
3065
{
3066
	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3067
}
3068

3069
static int selinux_inode_readlink(struct dentry *dentry)
3070
{
3071
	const struct cred *cred = current_cred();
3072

3073
	return dentry_has_perm(cred, dentry, FILE__READ);
3074
}
3075

3076
static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3077
				     bool rcu)
3078
{
3079
	struct common_audit_data ad;
3080
	struct inode_security_struct *isec;
3081
	u32 sid = current_sid();
3082

3083
	ad.type = LSM_AUDIT_DATA_DENTRY;
3084
	ad.u.dentry = dentry;
3085
	isec = inode_security_rcu(inode, rcu);
3086
	if (IS_ERR(isec))
3087
		return PTR_ERR(isec);
3088

3089
	return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
3090
}
3091

3092
static noinline int audit_inode_permission(struct inode *inode,
3093
					   u32 perms, u32 audited, u32 denied,
3094
					   int result)
3095
{
3096
	struct common_audit_data ad;
3097
	struct inode_security_struct *isec = selinux_inode(inode);
3098

3099
	ad.type = LSM_AUDIT_DATA_INODE;
3100
	ad.u.inode = inode;
3101

3102
	return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3103
			    audited, denied, result, &ad);
3104
}
3105

3106
/**
3107
 * task_avdcache_reset - Reset the task's AVD cache
3108
 * @tsec: the task's security state
3109
 *
3110
 * Clear the task's AVD cache in @tsec and reset it to the current policy's
3111
 * and task's info.
3112
 */
3113
static inline void task_avdcache_reset(struct task_security_struct *tsec)
3114
{
3115
	memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir));
3116
	tsec->avdcache.sid = tsec->sid;
3117
	tsec->avdcache.seqno = avc_policy_seqno();
3118
	tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1;
3119
}
3120

3121
/**
3122
 * task_avdcache_search - Search the task's AVD cache
3123
 * @tsec: the task's security state
3124
 * @isec: the inode to search for in the cache
3125
 * @avdc: matching avd cache entry returned to the caller
3126
 *
3127
 * Search @tsec for a AVD cache entry that matches @isec and return it to the
3128
 * caller via @avdc.  Returns 0 if a match is found, negative values otherwise.
3129
 */
3130
static inline int task_avdcache_search(struct task_security_struct *tsec,
3131
				       struct inode_security_struct *isec,
3132
				       struct avdc_entry **avdc)
3133
{
3134
	int orig, iter;
3135

3136
	/* focused on path walk optimization, only cache directories */
3137
	if (isec->sclass != SECCLASS_DIR)
3138
		return -ENOENT;
3139

3140
	if (unlikely(tsec->sid != tsec->avdcache.sid ||
3141
		     tsec->avdcache.seqno != avc_policy_seqno())) {
3142
		task_avdcache_reset(tsec);
3143
		return -ENOENT;
3144
	}
3145

3146
	orig = iter = tsec->avdcache.dir_spot;
3147
	do {
3148
		if (tsec->avdcache.dir[iter].isid == isec->sid) {
3149
			/* cache hit */
3150
			tsec->avdcache.dir_spot = iter;
3151
			*avdc = &tsec->avdcache.dir[iter];
3152
			return 0;
3153
		}
3154
		iter = (iter - 1) & (TSEC_AVDC_DIR_SIZE - 1);
3155
	} while (iter != orig);
3156

3157
	return -ENOENT;
3158
}
3159

3160
/**
3161
 * task_avdcache_update - Update the task's AVD cache
3162
 * @tsec: the task's security state
3163
 * @isec: the inode associated with the cache entry
3164
 * @avd: the AVD to cache
3165
 * @audited: the permission audit bitmask to cache
3166
 *
3167
 * Update the AVD cache in @tsec with the @avdc and @audited info associated
3168
 * with @isec.
3169
 */
3170
static inline void task_avdcache_update(struct task_security_struct *tsec,
3171
					struct inode_security_struct *isec,
3172
					struct av_decision *avd,
3173
					u32 audited)
3174
{
3175
	int spot;
3176

3177
	/* focused on path walk optimization, only cache directories */
3178
	if (isec->sclass != SECCLASS_DIR)
3179
		return;
3180

3181
	/* update cache */
3182
	spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1);
3183
	tsec->avdcache.dir_spot = spot;
3184
	tsec->avdcache.dir[spot].isid = isec->sid;
3185
	tsec->avdcache.dir[spot].audited = audited;
3186
	tsec->avdcache.dir[spot].allowed = avd->allowed;
3187
	tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE;
3188
	tsec->avdcache.permissive_neveraudit =
3189
		(avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT));
3190
}
3191

3192
/**
3193
 * selinux_inode_permission - Check if the current task can access an inode
3194
 * @inode: the inode that is being accessed
3195
 * @requested: the accesses being requested
3196
 *
3197
 * Check if the current task is allowed to access @inode according to
3198
 * @requested.  Returns 0 if allowed, negative values otherwise.
3199
 */
3200
static int selinux_inode_permission(struct inode *inode, int requested)
3201
{
3202
	int mask;
3203
	u32 perms;
3204
	struct task_security_struct *tsec;
3205
	struct inode_security_struct *isec;
3206
	struct avdc_entry *avdc;
3207
	int rc, rc2;
3208
	u32 audited, denied;
3209

3210
	mask = requested & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3211

3212
	/* No permission to check.  Existence test. */
3213
	if (!mask)
3214
		return 0;
3215

3216
	tsec = selinux_cred(current_cred());
3217
	if (task_avdcache_permnoaudit(tsec))
3218
		return 0;
3219

3220
	isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK);
3221
	if (IS_ERR(isec))
3222
		return PTR_ERR(isec);
3223
	perms = file_mask_to_av(inode->i_mode, mask);
3224

3225
	rc = task_avdcache_search(tsec, isec, &avdc);
3226
	if (likely(!rc)) {
3227
		/* Cache hit. */
3228
		audited = perms & avdc->audited;
3229
		denied = perms & ~avdc->allowed;
3230
		if (unlikely(denied && enforcing_enabled() &&
3231
			     !avdc->permissive))
3232
			rc = -EACCES;
3233
	} else {
3234
		struct av_decision avd;
3235

3236
		/* Cache miss. */
3237
		rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass,
3238
					  perms, 0, &avd);
3239
		audited = avc_audit_required(perms, &avd, rc,
3240
			(requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0,
3241
			&denied);
3242
		task_avdcache_update(tsec, isec, &avd, audited);
3243
	}
3244

3245
	if (likely(!audited))
3246
		return rc;
3247

3248
	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3249
	if (rc2)
3250
		return rc2;
3251

3252
	return rc;
3253
}
3254

3255
static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
3256
				 struct iattr *iattr)
3257
{
3258
	const struct cred *cred = current_cred();
3259
	struct inode *inode = d_backing_inode(dentry);
3260
	unsigned int ia_valid = iattr->ia_valid;
3261
	u32 av = FILE__WRITE;
3262

3263
	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3264
	if (ia_valid & ATTR_FORCE) {
3265
		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3266
			      ATTR_FORCE);
3267
		if (!ia_valid)
3268
			return 0;
3269
	}
3270

3271
	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3272
			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3273
		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3274

3275
	if (selinux_policycap_openperm() &&
3276
	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3277
	    (ia_valid & ATTR_SIZE) &&
3278
	    !(ia_valid & ATTR_FILE))
3279
		av |= FILE__OPEN;
3280

3281
	return dentry_has_perm(cred, dentry, av);
3282
}
3283

3284
static int selinux_inode_getattr(const struct path *path)
3285
{
3286
	struct task_security_struct *tsec;
3287

3288
	tsec = selinux_cred(current_cred());
3289

3290
	if (task_avdcache_permnoaudit(tsec))
3291
		return 0;
3292

3293
	return path_has_perm(current_cred(), path, FILE__GETATTR);
3294
}
3295

3296
static bool has_cap_mac_admin(bool audit)
3297
{
3298
	const struct cred *cred = current_cred();
3299
	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3300

3301
	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3302
		return false;
3303
	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3304
		return false;
3305
	return true;
3306
}
3307

3308
/**
3309
 * selinux_inode_xattr_skipcap - Skip the xattr capability checks?
3310
 * @name: name of the xattr
3311
 *
3312
 * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs
3313
 * named @name; the LSM layer should avoid enforcing any traditional
3314
 * capability based access controls on this xattr.  Returns 0 to indicate that
3315
 * SELinux does not "own" the access control rights to xattrs named @name and is
3316
 * deferring to the LSM layer for further access controls, including capability
3317
 * based controls.
3318
 */
3319
static int selinux_inode_xattr_skipcap(const char *name)
3320
{
3321
	/* require capability check if not a selinux xattr */
3322
	return !strcmp(name, XATTR_NAME_SELINUX);
3323
}
3324

3325
static int selinux_inode_setxattr(struct mnt_idmap *idmap,
3326
				  struct dentry *dentry, const char *name,
3327
				  const void *value, size_t size, int flags)
3328
{
3329
	struct inode *inode = d_backing_inode(dentry);
3330
	struct inode_security_struct *isec;
3331
	struct superblock_security_struct *sbsec;
3332
	struct common_audit_data ad;
3333
	u32 newsid, sid = current_sid();
3334
	int rc = 0;
3335

3336
	/* if not a selinux xattr, only check the ordinary setattr perm */
3337
	if (strcmp(name, XATTR_NAME_SELINUX))
3338
		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3339

3340
	if (!selinux_initialized())
3341
		return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3342

3343
	sbsec = selinux_superblock(inode->i_sb);
3344
	if (!(sbsec->flags & SBLABEL_MNT))
3345
		return -EOPNOTSUPP;
3346

3347
	if (!inode_owner_or_capable(idmap, inode))
3348
		return -EPERM;
3349

3350
	ad.type = LSM_AUDIT_DATA_DENTRY;
3351
	ad.u.dentry = dentry;
3352

3353
	isec = backing_inode_security(dentry);
3354
	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3355
			  FILE__RELABELFROM, &ad);
3356
	if (rc)
3357
		return rc;
3358

3359
	rc = security_context_to_sid(value, size, &newsid,
3360
				     GFP_KERNEL);
3361
	if (rc == -EINVAL) {
3362
		if (!has_cap_mac_admin(true)) {
3363
			struct audit_buffer *ab;
3364
			size_t audit_size;
3365

3366
			/* We strip a nul only if it is at the end, otherwise the
3367
			 * context contains a nul and we should audit that */
3368
			if (value) {
3369
				const char *str = value;
3370

3371
				if (str[size - 1] == '\0')
3372
					audit_size = size - 1;
3373
				else
3374
					audit_size = size;
3375
			} else {
3376
				audit_size = 0;
3377
			}
3378
			ab = audit_log_start(audit_context(),
3379
					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3380
			if (!ab)
3381
				return rc;
3382
			audit_log_format(ab, "op=setxattr invalid_context=");
3383
			audit_log_n_untrustedstring(ab, value, audit_size);
3384
			audit_log_end(ab);
3385

3386
			return rc;
3387
		}
3388
		rc = security_context_to_sid_force(value,
3389
						   size, &newsid);
3390
	}
3391
	if (rc)
3392
		return rc;
3393

3394
	rc = avc_has_perm(sid, newsid, isec->sclass,
3395
			  FILE__RELABELTO, &ad);
3396
	if (rc)
3397
		return rc;
3398

3399
	rc = security_validate_transition(isec->sid, newsid,
3400
					  sid, isec->sclass);
3401
	if (rc)
3402
		return rc;
3403

3404
	return avc_has_perm(newsid,
3405
			    sbsec->sid,
3406
			    SECCLASS_FILESYSTEM,
3407
			    FILESYSTEM__ASSOCIATE,
3408
			    &ad);
3409
}
3410

3411
static int selinux_inode_set_acl(struct mnt_idmap *idmap,
3412
				 struct dentry *dentry, const char *acl_name,
3413
				 struct posix_acl *kacl)
3414
{
3415
	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3416
}
3417

3418
static int selinux_inode_get_acl(struct mnt_idmap *idmap,
3419
				 struct dentry *dentry, const char *acl_name)
3420
{
3421
	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3422
}
3423

3424
static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
3425
				    struct dentry *dentry, const char *acl_name)
3426
{
3427
	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3428
}
3429

3430
static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3431
					const void *value, size_t size,
3432
					int flags)
3433
{
3434
	struct inode *inode = d_backing_inode(dentry);
3435
	struct inode_security_struct *isec;
3436
	u32 newsid;
3437
	int rc;
3438

3439
	if (strcmp(name, XATTR_NAME_SELINUX)) {
3440
		/* Not an attribute we recognize, so nothing to do. */
3441
		return;
3442
	}
3443

3444
	if (!selinux_initialized()) {
3445
		/* If we haven't even been initialized, then we can't validate
3446
		 * against a policy, so leave the label as invalid. It may
3447
		 * resolve to a valid label on the next revalidation try if
3448
		 * we've since initialized.
3449
		 */
3450
		return;
3451
	}
3452

3453
	rc = security_context_to_sid_force(value, size,
3454
					   &newsid);
3455
	if (rc) {
3456
		pr_err("SELinux:  unable to map context to SID"
3457
		       "for (%s, %lu), rc=%d\n",
3458
		       inode->i_sb->s_id, inode->i_ino, -rc);
3459
		return;
3460
	}
3461

3462
	isec = backing_inode_security(dentry);
3463
	spin_lock(&isec->lock);
3464
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3465
	isec->sid = newsid;
3466
	isec->initialized = LABEL_INITIALIZED;
3467
	spin_unlock(&isec->lock);
3468
}
3469

3470
static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3471
{
3472
	const struct cred *cred = current_cred();
3473

3474
	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3475
}
3476

3477
static int selinux_inode_listxattr(struct dentry *dentry)
3478
{
3479
	const struct cred *cred = current_cred();
3480

3481
	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3482
}
3483

3484
static int selinux_inode_removexattr(struct mnt_idmap *idmap,
3485
				     struct dentry *dentry, const char *name)
3486
{
3487
	/* if not a selinux xattr, only check the ordinary setattr perm */
3488
	if (strcmp(name, XATTR_NAME_SELINUX))
3489
		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3490

3491
	if (!selinux_initialized())
3492
		return 0;
3493

3494
	/* No one is allowed to remove a SELinux security label.
3495
	   You can change the label, but all data must be labeled. */
3496
	return -EACCES;
3497
}
3498

3499
static int selinux_inode_file_setattr(struct dentry *dentry,
3500
				      struct file_kattr *fa)
3501
{
3502
	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3503
}
3504

3505
static int selinux_inode_file_getattr(struct dentry *dentry,
3506
				      struct file_kattr *fa)
3507
{
3508
	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3509
}
3510

3511
static int selinux_path_notify(const struct path *path, u64 mask,
3512
						unsigned int obj_type)
3513
{
3514
	int ret;
3515
	u32 perm;
3516

3517
	struct common_audit_data ad;
3518

3519
	ad.type = LSM_AUDIT_DATA_PATH;
3520
	ad.u.path = *path;
3521

3522
	/*
3523
	 * Set permission needed based on the type of mark being set.
3524
	 * Performs an additional check for sb watches.
3525
	 */
3526
	switch (obj_type) {
3527
	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3528
		perm = FILE__WATCH_MOUNT;
3529
		break;
3530
	case FSNOTIFY_OBJ_TYPE_SB:
3531
		perm = FILE__WATCH_SB;
3532
		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3533
						FILESYSTEM__WATCH, &ad);
3534
		if (ret)
3535
			return ret;
3536
		break;
3537
	case FSNOTIFY_OBJ_TYPE_INODE:
3538
		perm = FILE__WATCH;
3539
		break;
3540
	case FSNOTIFY_OBJ_TYPE_MNTNS:
3541
		perm = FILE__WATCH_MOUNTNS;
3542
		break;
3543
	default:
3544
		return -EINVAL;
3545
	}
3546

3547
	/* blocking watches require the file:watch_with_perm permission */
3548
	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3549
		perm |= FILE__WATCH_WITH_PERM;
3550

3551
	/* watches on read-like events need the file:watch_reads permission */
3552
	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_PRE_ACCESS |
3553
		    FS_CLOSE_NOWRITE))
3554
		perm |= FILE__WATCH_READS;
3555

3556
	return path_has_perm(current_cred(), path, perm);
3557
}
3558

3559
/*
3560
 * Copy the inode security context value to the user.
3561
 *
3562
 * Permission check is handled by selinux_inode_getxattr hook.
3563
 */
3564
static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
3565
				     struct inode *inode, const char *name,
3566
				     void **buffer, bool alloc)
3567
{
3568
	u32 size;
3569
	int error;
3570
	char *context = NULL;
3571
	struct inode_security_struct *isec;
3572

3573
	/*
3574
	 * If we're not initialized yet, then we can't validate contexts, so
3575
	 * just let vfs_getxattr fall back to using the on-disk xattr.
3576
	 */
3577
	if (!selinux_initialized() ||
3578
	    strcmp(name, XATTR_SELINUX_SUFFIX))
3579
		return -EOPNOTSUPP;
3580

3581
	/*
3582
	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3583
	 * value even if it is not defined by current policy; otherwise,
3584
	 * use the in-core value under current policy.
3585
	 * Use the non-auditing forms of the permission checks since
3586
	 * getxattr may be called by unprivileged processes commonly
3587
	 * and lack of permission just means that we fall back to the
3588
	 * in-core context value, not a denial.
3589
	 */
3590
	isec = inode_security(inode);
3591
	if (has_cap_mac_admin(false))
3592
		error = security_sid_to_context_force(isec->sid, &context,
3593
						      &size);
3594
	else
3595
		error = security_sid_to_context(isec->sid,
3596
						&context, &size);
3597
	if (error)
3598
		return error;
3599
	error = size;
3600
	if (alloc) {
3601
		*buffer = context;
3602
		goto out_nofree;
3603
	}
3604
	kfree(context);
3605
out_nofree:
3606
	return error;
3607
}
3608

3609
static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3610
				     const void *value, size_t size, int flags)
3611
{
3612
	struct inode_security_struct *isec = inode_security_novalidate(inode);
3613
	struct superblock_security_struct *sbsec;
3614
	u32 newsid;
3615
	int rc;
3616

3617
	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3618
		return -EOPNOTSUPP;
3619

3620
	sbsec = selinux_superblock(inode->i_sb);
3621
	if (!(sbsec->flags & SBLABEL_MNT))
3622
		return -EOPNOTSUPP;
3623

3624
	if (!value || !size)
3625
		return -EACCES;
3626

3627
	rc = security_context_to_sid(value, size, &newsid,
3628
				     GFP_KERNEL);
3629
	if (rc)
3630
		return rc;
3631

3632
	spin_lock(&isec->lock);
3633
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3634
	isec->sid = newsid;
3635
	isec->initialized = LABEL_INITIALIZED;
3636
	spin_unlock(&isec->lock);
3637
	return 0;
3638
}
3639

3640
static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3641
{
3642
	const int len = sizeof(XATTR_NAME_SELINUX);
3643

3644
	if (!selinux_initialized())
3645
		return 0;
3646

3647
	if (buffer && len <= buffer_size)
3648
		memcpy(buffer, XATTR_NAME_SELINUX, len);
3649
	return len;
3650
}
3651

3652
static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop)
3653
{
3654
	struct inode_security_struct *isec = inode_security_novalidate(inode);
3655

3656
	prop->selinux.secid = isec->sid;
3657
}
3658

3659
static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3660
{
3661
	struct lsm_prop prop;
3662
	struct task_security_struct *tsec;
3663
	struct cred *new_creds = *new;
3664

3665
	if (new_creds == NULL) {
3666
		new_creds = prepare_creds();
3667
		if (!new_creds)
3668
			return -ENOMEM;
3669
	}
3670

3671
	tsec = selinux_cred(new_creds);
3672
	/* Get label from overlay inode and set it in create_sid */
3673
	selinux_inode_getlsmprop(d_inode(src), &prop);
3674
	tsec->create_sid = prop.selinux.secid;
3675
	*new = new_creds;
3676
	return 0;
3677
}
3678

3679
static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name)
3680
{
3681
	/* The copy_up hook above sets the initial context on an inode, but we
3682
	 * don't then want to overwrite it by blindly copying all the lower
3683
	 * xattrs up.  Instead, filter out SELinux-related xattrs following
3684
	 * policy load.
3685
	 */
3686
	if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX))
3687
		return -ECANCELED; /* Discard */
3688
	/*
3689
	 * Any other attribute apart from SELINUX is not claimed, supported
3690
	 * by selinux.
3691
	 */
3692
	return -EOPNOTSUPP;
3693
}
3694

3695
/* kernfs node operations */
3696

3697
static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3698
					struct kernfs_node *kn)
3699
{
3700
	const struct task_security_struct *tsec = selinux_cred(current_cred());
3701
	u32 parent_sid, newsid, clen;
3702
	int rc;
3703
	char *context;
3704

3705
	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3706
	if (rc == -ENODATA)
3707
		return 0;
3708
	else if (rc < 0)
3709
		return rc;
3710

3711
	clen = (u32)rc;
3712
	context = kmalloc(clen, GFP_KERNEL);
3713
	if (!context)
3714
		return -ENOMEM;
3715

3716
	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3717
	if (rc < 0) {
3718
		kfree(context);
3719
		return rc;
3720
	}
3721

3722
	rc = security_context_to_sid(context, clen, &parent_sid,
3723
				     GFP_KERNEL);
3724
	kfree(context);
3725
	if (rc)
3726
		return rc;
3727

3728
	if (tsec->create_sid) {
3729
		newsid = tsec->create_sid;
3730
	} else {
3731
		u16 secclass = inode_mode_to_security_class(kn->mode);
3732
		const char *kn_name;
3733
		struct qstr q;
3734

3735
		/* kn is fresh, can't be renamed, name goes not away */
3736
		kn_name = rcu_dereference_check(kn->name, true);
3737
		q.name = kn_name;
3738
		q.hash_len = hashlen_string(kn_dir, kn_name);
3739

3740
		rc = security_transition_sid(tsec->sid,
3741
					     parent_sid, secclass, &q,
3742
					     &newsid);
3743
		if (rc)
3744
			return rc;
3745
	}
3746

3747
	rc = security_sid_to_context_force(newsid,
3748
					   &context, &clen);
3749
	if (rc)
3750
		return rc;
3751

3752
	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3753
			      XATTR_CREATE);
3754
	kfree(context);
3755
	return rc;
3756
}
3757

3758

3759
/* file security operations */
3760

3761
static int selinux_revalidate_file_permission(struct file *file, int mask)
3762
{
3763
	const struct cred *cred = current_cred();
3764
	struct inode *inode = file_inode(file);
3765

3766
	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3767
	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3768
		mask |= MAY_APPEND;
3769

3770
	return file_has_perm(cred, file,
3771
			     file_mask_to_av(inode->i_mode, mask));
3772
}
3773

3774
static int selinux_file_permission(struct file *file, int mask)
3775
{
3776
	struct inode *inode = file_inode(file);
3777
	struct file_security_struct *fsec = selinux_file(file);
3778
	struct inode_security_struct *isec;
3779
	u32 sid = current_sid();
3780

3781
	if (!mask)
3782
		/* No permission to check.  Existence test. */
3783
		return 0;
3784

3785
	isec = inode_security(inode);
3786
	if (sid == fsec->sid && fsec->isid == isec->sid &&
3787
	    fsec->pseqno == avc_policy_seqno())
3788
		/* No change since file_open check. */
3789
		return 0;
3790

3791
	return selinux_revalidate_file_permission(file, mask);
3792
}
3793

3794
static int selinux_file_alloc_security(struct file *file)
3795
{
3796
	struct file_security_struct *fsec = selinux_file(file);
3797
	u32 sid = current_sid();
3798

3799
	fsec->sid = sid;
3800
	fsec->fown_sid = sid;
3801

3802
	return 0;
3803
}
3804

3805
/*
3806
 * Check whether a task has the ioctl permission and cmd
3807
 * operation to an inode.
3808
 */
3809
static int ioctl_has_perm(const struct cred *cred, struct file *file,
3810
		u32 requested, u16 cmd)
3811
{
3812
	struct common_audit_data ad;
3813
	struct file_security_struct *fsec = selinux_file(file);
3814
	struct inode *inode = file_inode(file);
3815
	struct inode_security_struct *isec;
3816
	struct lsm_ioctlop_audit ioctl;
3817
	u32 ssid = cred_sid(cred);
3818
	int rc;
3819
	u8 driver = cmd >> 8;
3820
	u8 xperm = cmd & 0xff;
3821

3822
	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3823
	ad.u.op = &ioctl;
3824
	ad.u.op->cmd = cmd;
3825
	ad.u.op->path = file->f_path;
3826

3827
	if (ssid != fsec->sid) {
3828
		rc = avc_has_perm(ssid, fsec->sid,
3829
				SECCLASS_FD,
3830
				FD__USE,
3831
				&ad);
3832
		if (rc)
3833
			goto out;
3834
	}
3835

3836
	if (unlikely(IS_PRIVATE(inode)))
3837
		return 0;
3838

3839
	isec = inode_security(inode);
3840
	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, requested,
3841
				    driver, AVC_EXT_IOCTL, xperm, &ad);
3842
out:
3843
	return rc;
3844
}
3845

3846
static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3847
			      unsigned long arg)
3848
{
3849
	const struct cred *cred = current_cred();
3850
	int error = 0;
3851

3852
	switch (cmd) {
3853
	case FIONREAD:
3854
	case FIBMAP:
3855
	case FIGETBSZ:
3856
	case FS_IOC_GETFLAGS:
3857
	case FS_IOC_GETVERSION:
3858
		error = file_has_perm(cred, file, FILE__GETATTR);
3859
		break;
3860

3861
	case FS_IOC_SETFLAGS:
3862
	case FS_IOC_SETVERSION:
3863
		error = file_has_perm(cred, file, FILE__SETATTR);
3864
		break;
3865

3866
	/* sys_ioctl() checks */
3867
	case FIONBIO:
3868
	case FIOASYNC:
3869
		error = file_has_perm(cred, file, 0);
3870
		break;
3871

3872
	case KDSKBENT:
3873
	case KDSKBSENT:
3874
		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3875
					    CAP_OPT_NONE, true);
3876
		break;
3877

3878
	case FIOCLEX:
3879
	case FIONCLEX:
3880
		if (!selinux_policycap_ioctl_skip_cloexec())
3881
			error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3882
		break;
3883

3884
	/* default case assumes that the command will go
3885
	 * to the file's ioctl() function.
3886
	 */
3887
	default:
3888
		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3889
	}
3890
	return error;
3891
}
3892

3893
static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3894
			      unsigned long arg)
3895
{
3896
	/*
3897
	 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3898
	 * make sure we don't compare 32-bit flags to 64-bit flags.
3899
	 */
3900
	switch (cmd) {
3901
	case FS_IOC32_GETFLAGS:
3902
		cmd = FS_IOC_GETFLAGS;
3903
		break;
3904
	case FS_IOC32_SETFLAGS:
3905
		cmd = FS_IOC_SETFLAGS;
3906
		break;
3907
	case FS_IOC32_GETVERSION:
3908
		cmd = FS_IOC_GETVERSION;
3909
		break;
3910
	case FS_IOC32_SETVERSION:
3911
		cmd = FS_IOC_SETVERSION;
3912
		break;
3913
	default:
3914
		break;
3915
	}
3916

3917
	return selinux_file_ioctl(file, cmd, arg);
3918
}
3919

3920
static int default_noexec __ro_after_init;
3921

3922
static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3923
{
3924
	const struct cred *cred = current_cred();
3925
	u32 sid = cred_sid(cred);
3926
	int rc = 0;
3927

3928
	if (default_noexec &&
3929
	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3930
				   (!shared && (prot & PROT_WRITE)))) {
3931
		/*
3932
		 * We are making executable an anonymous mapping or a
3933
		 * private file mapping that will also be writable.
3934
		 * This has an additional check.
3935
		 */
3936
		rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3937
				  PROCESS__EXECMEM, NULL);
3938
		if (rc)
3939
			goto error;
3940
	}
3941

3942
	if (file) {
3943
		/* read access is always possible with a mapping */
3944
		u32 av = FILE__READ;
3945

3946
		/* write access only matters if the mapping is shared */
3947
		if (shared && (prot & PROT_WRITE))
3948
			av |= FILE__WRITE;
3949

3950
		if (prot & PROT_EXEC)
3951
			av |= FILE__EXECUTE;
3952

3953
		return file_has_perm(cred, file, av);
3954
	}
3955

3956
error:
3957
	return rc;
3958
}
3959

3960
static int selinux_mmap_addr(unsigned long addr)
3961
{
3962
	int rc = 0;
3963

3964
	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3965
		u32 sid = current_sid();
3966
		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3967
				  MEMPROTECT__MMAP_ZERO, NULL);
3968
	}
3969

3970
	return rc;
3971
}
3972

3973
static int selinux_mmap_file(struct file *file,
3974
			     unsigned long reqprot __always_unused,
3975
			     unsigned long prot, unsigned long flags)
3976
{
3977
	struct common_audit_data ad;
3978
	int rc;
3979

3980
	if (file) {
3981
		ad.type = LSM_AUDIT_DATA_FILE;
3982
		ad.u.file = file;
3983
		rc = inode_has_perm(current_cred(), file_inode(file),
3984
				    FILE__MAP, &ad);
3985
		if (rc)
3986
			return rc;
3987
	}
3988

3989
	return file_map_prot_check(file, prot,
3990
				   (flags & MAP_TYPE) == MAP_SHARED);
3991
}
3992

3993
static int selinux_file_mprotect(struct vm_area_struct *vma,
3994
				 unsigned long reqprot __always_unused,
3995
				 unsigned long prot)
3996
{
3997
	const struct cred *cred = current_cred();
3998
	u32 sid = cred_sid(cred);
3999

4000
	if (default_noexec &&
4001
	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
4002
		int rc = 0;
4003
		/*
4004
		 * We don't use the vma_is_initial_heap() helper as it has
4005
		 * a history of problems and is currently broken on systems
4006
		 * where there is no heap, e.g. brk == start_brk.  Before
4007
		 * replacing the conditional below with vma_is_initial_heap(),
4008
		 * or something similar, please ensure that the logic is the
4009
		 * same as what we have below or you have tested every possible
4010
		 * corner case you can think to test.
4011
		 */
4012
		if (vma->vm_start >= vma->vm_mm->start_brk &&
4013
		    vma->vm_end <= vma->vm_mm->brk) {
4014
			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
4015
					  PROCESS__EXECHEAP, NULL);
4016
		} else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
4017
			    vma_is_stack_for_current(vma))) {
4018
			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
4019
					  PROCESS__EXECSTACK, NULL);
4020
		} else if (vma->vm_file && vma->anon_vma) {
4021
			/*
4022
			 * We are making executable a file mapping that has
4023
			 * had some COW done. Since pages might have been
4024
			 * written, check ability to execute the possibly
4025
			 * modified content.  This typically should only
4026
			 * occur for text relocations.
4027
			 */
4028
			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
4029
		}
4030
		if (rc)
4031
			return rc;
4032
	}
4033

4034
	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
4035
}
4036

4037
static int selinux_file_lock(struct file *file, unsigned int cmd)
4038
{
4039
	const struct cred *cred = current_cred();
4040

4041
	return file_has_perm(cred, file, FILE__LOCK);
4042
}
4043

4044
static int selinux_file_fcntl(struct file *file, unsigned int cmd,
4045
			      unsigned long arg)
4046
{
4047
	const struct cred *cred = current_cred();
4048
	int err = 0;
4049

4050
	switch (cmd) {
4051
	case F_SETFL:
4052
		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
4053
			err = file_has_perm(cred, file, FILE__WRITE);
4054
			break;
4055
		}
4056
		fallthrough;
4057
	case F_SETOWN:
4058
	case F_SETSIG:
4059
	case F_GETFL:
4060
	case F_GETOWN:
4061
	case F_GETSIG:
4062
	case F_GETOWNER_UIDS:
4063
		/* Just check FD__USE permission */
4064
		err = file_has_perm(cred, file, 0);
4065
		break;
4066
	case F_GETLK:
4067
	case F_SETLK:
4068
	case F_SETLKW:
4069
	case F_OFD_GETLK:
4070
	case F_OFD_SETLK:
4071
	case F_OFD_SETLKW:
4072
#if BITS_PER_LONG == 32
4073
	case F_GETLK64:
4074
	case F_SETLK64:
4075
	case F_SETLKW64:
4076
#endif
4077
		err = file_has_perm(cred, file, FILE__LOCK);
4078
		break;
4079
	}
4080

4081
	return err;
4082
}
4083

4084
static void selinux_file_set_fowner(struct file *file)
4085
{
4086
	struct file_security_struct *fsec;
4087

4088
	fsec = selinux_file(file);
4089
	fsec->fown_sid = current_sid();
4090
}
4091

4092
static int selinux_file_send_sigiotask(struct task_struct *tsk,
4093
				       struct fown_struct *fown, int signum)
4094
{
4095
	struct file *file;
4096
	u32 sid = task_sid_obj(tsk);
4097
	u32 perm;
4098
	struct file_security_struct *fsec;
4099

4100
	/* struct fown_struct is never outside the context of a struct file */
4101
	file = fown->file;
4102

4103
	fsec = selinux_file(file);
4104

4105
	if (!signum)
4106
		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
4107
	else
4108
		perm = signal_to_av(signum);
4109

4110
	return avc_has_perm(fsec->fown_sid, sid,
4111
			    SECCLASS_PROCESS, perm, NULL);
4112
}
4113

4114
static int selinux_file_receive(struct file *file)
4115
{
4116
	const struct cred *cred = current_cred();
4117

4118
	return file_has_perm(cred, file, file_to_av(file));
4119
}
4120

4121
static int selinux_file_open(struct file *file)
4122
{
4123
	struct file_security_struct *fsec;
4124
	struct inode_security_struct *isec;
4125

4126
	fsec = selinux_file(file);
4127
	isec = inode_security(file_inode(file));
4128
	/*
4129
	 * Save inode label and policy sequence number
4130
	 * at open-time so that selinux_file_permission
4131
	 * can determine whether revalidation is necessary.
4132
	 * Task label is already saved in the file security
4133
	 * struct as its SID.
4134
	 */
4135
	fsec->isid = isec->sid;
4136
	fsec->pseqno = avc_policy_seqno();
4137
	/*
4138
	 * Since the inode label or policy seqno may have changed
4139
	 * between the selinux_inode_permission check and the saving
4140
	 * of state above, recheck that access is still permitted.
4141
	 * Otherwise, access might never be revalidated against the
4142
	 * new inode label or new policy.
4143
	 * This check is not redundant - do not remove.
4144
	 */
4145
	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
4146
}
4147

4148
/* task security operations */
4149

4150
static int selinux_task_alloc(struct task_struct *task,
4151
			      u64 clone_flags)
4152
{
4153
	u32 sid = current_sid();
4154

4155
	return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
4156
}
4157

4158
/*
4159
 * prepare a new set of credentials for modification
4160
 */
4161
static int selinux_cred_prepare(struct cred *new, const struct cred *old,
4162
				gfp_t gfp)
4163
{
4164
	const struct task_security_struct *old_tsec = selinux_cred(old);
4165
	struct task_security_struct *tsec = selinux_cred(new);
4166

4167
	*tsec = *old_tsec;
4168
	return 0;
4169
}
4170

4171
/*
4172
 * transfer the SELinux data to a blank set of creds
4173
 */
4174
static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4175
{
4176
	const struct task_security_struct *old_tsec = selinux_cred(old);
4177
	struct task_security_struct *tsec = selinux_cred(new);
4178

4179
	*tsec = *old_tsec;
4180
}
4181

4182
static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4183
{
4184
	*secid = cred_sid(c);
4185
}
4186

4187
static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop)
4188
{
4189
	prop->selinux.secid = cred_sid(c);
4190
}
4191

4192
/*
4193
 * set the security data for a kernel service
4194
 * - all the creation contexts are set to unlabelled
4195
 */
4196
static int selinux_kernel_act_as(struct cred *new, u32 secid)
4197
{
4198
	struct task_security_struct *tsec = selinux_cred(new);
4199
	u32 sid = current_sid();
4200
	int ret;
4201

4202
	ret = avc_has_perm(sid, secid,
4203
			   SECCLASS_KERNEL_SERVICE,
4204
			   KERNEL_SERVICE__USE_AS_OVERRIDE,
4205
			   NULL);
4206
	if (ret == 0) {
4207
		tsec->sid = secid;
4208
		tsec->create_sid = 0;
4209
		tsec->keycreate_sid = 0;
4210
		tsec->sockcreate_sid = 0;
4211
	}
4212
	return ret;
4213
}
4214

4215
/*
4216
 * set the file creation context in a security record to the same as the
4217
 * objective context of the specified inode
4218
 */
4219
static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4220
{
4221
	struct inode_security_struct *isec = inode_security(inode);
4222
	struct task_security_struct *tsec = selinux_cred(new);
4223
	u32 sid = current_sid();
4224
	int ret;
4225

4226
	ret = avc_has_perm(sid, isec->sid,
4227
			   SECCLASS_KERNEL_SERVICE,
4228
			   KERNEL_SERVICE__CREATE_FILES_AS,
4229
			   NULL);
4230

4231
	if (ret == 0)
4232
		tsec->create_sid = isec->sid;
4233
	return ret;
4234
}
4235

4236
static int selinux_kernel_module_request(char *kmod_name)
4237
{
4238
	struct common_audit_data ad;
4239

4240
	ad.type = LSM_AUDIT_DATA_KMOD;
4241
	ad.u.kmod_name = kmod_name;
4242

4243
	return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4244
			    SYSTEM__MODULE_REQUEST, &ad);
4245
}
4246

4247
static int selinux_kernel_load_from_file(struct file *file, u32 requested)
4248
{
4249
	struct common_audit_data ad;
4250
	struct inode_security_struct *isec;
4251
	struct file_security_struct *fsec;
4252
	u32 sid = current_sid();
4253
	int rc;
4254

4255
	if (file == NULL)
4256
		return avc_has_perm(sid, sid, SECCLASS_SYSTEM, requested, NULL);
4257

4258
	ad.type = LSM_AUDIT_DATA_FILE;
4259
	ad.u.file = file;
4260

4261
	fsec = selinux_file(file);
4262
	if (sid != fsec->sid) {
4263
		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4264
		if (rc)
4265
			return rc;
4266
	}
4267

4268
	isec = inode_security(file_inode(file));
4269
	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, requested, &ad);
4270
}
4271

4272
static int selinux_kernel_read_file(struct file *file,
4273
				    enum kernel_read_file_id id,
4274
				    bool contents)
4275
{
4276
	int rc = 0;
4277

4278
	BUILD_BUG_ON_MSG(READING_MAX_ID > 7,
4279
			 "New kernel_read_file_id introduced; update SELinux!");
4280

4281
	switch (id) {
4282
	case READING_FIRMWARE:
4283
		rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD);
4284
		break;
4285
	case READING_MODULE:
4286
		rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD);
4287
		break;
4288
	case READING_KEXEC_IMAGE:
4289
		rc = selinux_kernel_load_from_file(file,
4290
						   SYSTEM__KEXEC_IMAGE_LOAD);
4291
		break;
4292
	case READING_KEXEC_INITRAMFS:
4293
		rc = selinux_kernel_load_from_file(file,
4294
						SYSTEM__KEXEC_INITRAMFS_LOAD);
4295
		break;
4296
	case READING_POLICY:
4297
		rc = selinux_kernel_load_from_file(file, SYSTEM__POLICY_LOAD);
4298
		break;
4299
	case READING_X509_CERTIFICATE:
4300
		rc = selinux_kernel_load_from_file(file,
4301
						SYSTEM__X509_CERTIFICATE_LOAD);
4302
		break;
4303
	default:
4304
		break;
4305
	}
4306

4307
	return rc;
4308
}
4309

4310
static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4311
{
4312
	int rc = 0;
4313

4314
	BUILD_BUG_ON_MSG(LOADING_MAX_ID > 7,
4315
			 "New kernel_load_data_id introduced; update SELinux!");
4316

4317
	switch (id) {
4318
	case LOADING_FIRMWARE:
4319
		rc = selinux_kernel_load_from_file(NULL, SYSTEM__FIRMWARE_LOAD);
4320
		break;
4321
	case LOADING_MODULE:
4322
		rc = selinux_kernel_load_from_file(NULL, SYSTEM__MODULE_LOAD);
4323
		break;
4324
	case LOADING_KEXEC_IMAGE:
4325
		rc = selinux_kernel_load_from_file(NULL,
4326
						   SYSTEM__KEXEC_IMAGE_LOAD);
4327
		break;
4328
	case LOADING_KEXEC_INITRAMFS:
4329
		rc = selinux_kernel_load_from_file(NULL,
4330
						SYSTEM__KEXEC_INITRAMFS_LOAD);
4331
		break;
4332
	case LOADING_POLICY:
4333
		rc = selinux_kernel_load_from_file(NULL,
4334
						   SYSTEM__POLICY_LOAD);
4335
		break;
4336
	case LOADING_X509_CERTIFICATE:
4337
		rc = selinux_kernel_load_from_file(NULL,
4338
						SYSTEM__X509_CERTIFICATE_LOAD);
4339
		break;
4340
	default:
4341
		break;
4342
	}
4343

4344
	return rc;
4345
}
4346

4347
static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4348
{
4349
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4350
			    PROCESS__SETPGID, NULL);
4351
}
4352

4353
static int selinux_task_getpgid(struct task_struct *p)
4354
{
4355
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4356
			    PROCESS__GETPGID, NULL);
4357
}
4358

4359
static int selinux_task_getsid(struct task_struct *p)
4360
{
4361
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4362
			    PROCESS__GETSESSION, NULL);
4363
}
4364

4365
static void selinux_current_getlsmprop_subj(struct lsm_prop *prop)
4366
{
4367
	prop->selinux.secid = current_sid();
4368
}
4369

4370
static void selinux_task_getlsmprop_obj(struct task_struct *p,
4371
					struct lsm_prop *prop)
4372
{
4373
	prop->selinux.secid = task_sid_obj(p);
4374
}
4375

4376
static int selinux_task_setnice(struct task_struct *p, int nice)
4377
{
4378
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4379
			    PROCESS__SETSCHED, NULL);
4380
}
4381

4382
static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4383
{
4384
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4385
			    PROCESS__SETSCHED, NULL);
4386
}
4387

4388
static int selinux_task_getioprio(struct task_struct *p)
4389
{
4390
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4391
			    PROCESS__GETSCHED, NULL);
4392
}
4393

4394
static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4395
				unsigned int flags)
4396
{
4397
	u32 av = 0;
4398

4399
	if (!flags)
4400
		return 0;
4401
	if (flags & LSM_PRLIMIT_WRITE)
4402
		av |= PROCESS__SETRLIMIT;
4403
	if (flags & LSM_PRLIMIT_READ)
4404
		av |= PROCESS__GETRLIMIT;
4405
	return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4406
			    SECCLASS_PROCESS, av, NULL);
4407
}
4408

4409
static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4410
		struct rlimit *new_rlim)
4411
{
4412
	struct rlimit *old_rlim = p->signal->rlim + resource;
4413

4414
	/* Control the ability to change the hard limit (whether
4415
	   lowering or raising it), so that the hard limit can
4416
	   later be used as a safe reset point for the soft limit
4417
	   upon context transitions.  See selinux_bprm_committing_creds. */
4418
	if (old_rlim->rlim_max != new_rlim->rlim_max)
4419
		return avc_has_perm(current_sid(), task_sid_obj(p),
4420
				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4421

4422
	return 0;
4423
}
4424

4425
static int selinux_task_setscheduler(struct task_struct *p)
4426
{
4427
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4428
			    PROCESS__SETSCHED, NULL);
4429
}
4430

4431
static int selinux_task_getscheduler(struct task_struct *p)
4432
{
4433
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4434
			    PROCESS__GETSCHED, NULL);
4435
}
4436

4437
static int selinux_task_movememory(struct task_struct *p)
4438
{
4439
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4440
			    PROCESS__SETSCHED, NULL);
4441
}
4442

4443
static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4444
				int sig, const struct cred *cred)
4445
{
4446
	u32 secid;
4447
	u32 perm;
4448

4449
	if (!sig)
4450
		perm = PROCESS__SIGNULL; /* null signal; existence test */
4451
	else
4452
		perm = signal_to_av(sig);
4453
	if (!cred)
4454
		secid = current_sid();
4455
	else
4456
		secid = cred_sid(cred);
4457
	return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4458
}
4459

4460
static void selinux_task_to_inode(struct task_struct *p,
4461
				  struct inode *inode)
4462
{
4463
	struct inode_security_struct *isec = selinux_inode(inode);
4464
	u32 sid = task_sid_obj(p);
4465

4466
	spin_lock(&isec->lock);
4467
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4468
	isec->sid = sid;
4469
	isec->initialized = LABEL_INITIALIZED;
4470
	spin_unlock(&isec->lock);
4471
}
4472

4473
static int selinux_userns_create(const struct cred *cred)
4474
{
4475
	u32 sid = current_sid();
4476

4477
	return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE,
4478
			USER_NAMESPACE__CREATE, NULL);
4479
}
4480

4481
/* Returns error only if unable to parse addresses */
4482
static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4483
			struct common_audit_data *ad, u8 *proto)
4484
{
4485
	int offset, ihlen, ret = -EINVAL;
4486
	struct iphdr _iph, *ih;
4487

4488
	offset = skb_network_offset(skb);
4489
	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4490
	if (ih == NULL)
4491
		goto out;
4492

4493
	ihlen = ih->ihl * 4;
4494
	if (ihlen < sizeof(_iph))
4495
		goto out;
4496

4497
	ad->u.net->v4info.saddr = ih->saddr;
4498
	ad->u.net->v4info.daddr = ih->daddr;
4499
	ret = 0;
4500

4501
	if (proto)
4502
		*proto = ih->protocol;
4503

4504
	switch (ih->protocol) {
4505
	case IPPROTO_TCP: {
4506
		struct tcphdr _tcph, *th;
4507

4508
		if (ntohs(ih->frag_off) & IP_OFFSET)
4509
			break;
4510

4511
		offset += ihlen;
4512
		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4513
		if (th == NULL)
4514
			break;
4515

4516
		ad->u.net->sport = th->source;
4517
		ad->u.net->dport = th->dest;
4518
		break;
4519
	}
4520

4521
	case IPPROTO_UDP: {
4522
		struct udphdr _udph, *uh;
4523

4524
		if (ntohs(ih->frag_off) & IP_OFFSET)
4525
			break;
4526

4527
		offset += ihlen;
4528
		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4529
		if (uh == NULL)
4530
			break;
4531

4532
		ad->u.net->sport = uh->source;
4533
		ad->u.net->dport = uh->dest;
4534
		break;
4535
	}
4536

4537
#if IS_ENABLED(CONFIG_IP_SCTP)
4538
	case IPPROTO_SCTP: {
4539
		struct sctphdr _sctph, *sh;
4540

4541
		if (ntohs(ih->frag_off) & IP_OFFSET)
4542
			break;
4543

4544
		offset += ihlen;
4545
		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4546
		if (sh == NULL)
4547
			break;
4548

4549
		ad->u.net->sport = sh->source;
4550
		ad->u.net->dport = sh->dest;
4551
		break;
4552
	}
4553
#endif
4554
	default:
4555
		break;
4556
	}
4557
out:
4558
	return ret;
4559
}
4560

4561
#if IS_ENABLED(CONFIG_IPV6)
4562

4563
/* Returns error only if unable to parse addresses */
4564
static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4565
			struct common_audit_data *ad, u8 *proto)
4566
{
4567
	u8 nexthdr;
4568
	int ret = -EINVAL, offset;
4569
	struct ipv6hdr _ipv6h, *ip6;
4570
	__be16 frag_off;
4571

4572
	offset = skb_network_offset(skb);
4573
	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4574
	if (ip6 == NULL)
4575
		goto out;
4576

4577
	ad->u.net->v6info.saddr = ip6->saddr;
4578
	ad->u.net->v6info.daddr = ip6->daddr;
4579
	ret = 0;
4580

4581
	nexthdr = ip6->nexthdr;
4582
	offset += sizeof(_ipv6h);
4583
	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4584
	if (offset < 0)
4585
		goto out;
4586

4587
	if (proto)
4588
		*proto = nexthdr;
4589

4590
	switch (nexthdr) {
4591
	case IPPROTO_TCP: {
4592
		struct tcphdr _tcph, *th;
4593

4594
		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4595
		if (th == NULL)
4596
			break;
4597

4598
		ad->u.net->sport = th->source;
4599
		ad->u.net->dport = th->dest;
4600
		break;
4601
	}
4602

4603
	case IPPROTO_UDP: {
4604
		struct udphdr _udph, *uh;
4605

4606
		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4607
		if (uh == NULL)
4608
			break;
4609

4610
		ad->u.net->sport = uh->source;
4611
		ad->u.net->dport = uh->dest;
4612
		break;
4613
	}
4614

4615
#if IS_ENABLED(CONFIG_IP_SCTP)
4616
	case IPPROTO_SCTP: {
4617
		struct sctphdr _sctph, *sh;
4618

4619
		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4620
		if (sh == NULL)
4621
			break;
4622

4623
		ad->u.net->sport = sh->source;
4624
		ad->u.net->dport = sh->dest;
4625
		break;
4626
	}
4627
#endif
4628
	/* includes fragments */
4629
	default:
4630
		break;
4631
	}
4632
out:
4633
	return ret;
4634
}
4635

4636
#endif /* IPV6 */
4637

4638
static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4639
			     char **_addrp, int src, u8 *proto)
4640
{
4641
	char *addrp;
4642
	int ret;
4643

4644
	switch (ad->u.net->family) {
4645
	case PF_INET:
4646
		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4647
		if (ret)
4648
			goto parse_error;
4649
		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4650
				       &ad->u.net->v4info.daddr);
4651
		goto okay;
4652

4653
#if IS_ENABLED(CONFIG_IPV6)
4654
	case PF_INET6:
4655
		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4656
		if (ret)
4657
			goto parse_error;
4658
		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4659
				       &ad->u.net->v6info.daddr);
4660
		goto okay;
4661
#endif	/* IPV6 */
4662
	default:
4663
		addrp = NULL;
4664
		goto okay;
4665
	}
4666

4667
parse_error:
4668
	pr_warn(
4669
	       "SELinux: failure in selinux_parse_skb(),"
4670
	       " unable to parse packet\n");
4671
	return ret;
4672

4673
okay:
4674
	if (_addrp)
4675
		*_addrp = addrp;
4676
	return 0;
4677
}
4678

4679
/**
4680
 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4681
 * @skb: the packet
4682
 * @family: protocol family
4683
 * @sid: the packet's peer label SID
4684
 *
4685
 * Description:
4686
 * Check the various different forms of network peer labeling and determine
4687
 * the peer label/SID for the packet; most of the magic actually occurs in
4688
 * the security server function security_net_peersid_cmp().  The function
4689
 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4690
 * or -EACCES if @sid is invalid due to inconsistencies with the different
4691
 * peer labels.
4692
 *
4693
 */
4694
static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4695
{
4696
	int err;
4697
	u32 xfrm_sid;
4698
	u32 nlbl_sid;
4699
	u32 nlbl_type;
4700

4701
	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4702
	if (unlikely(err))
4703
		return -EACCES;
4704
	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4705
	if (unlikely(err))
4706
		return -EACCES;
4707

4708
	err = security_net_peersid_resolve(nlbl_sid,
4709
					   nlbl_type, xfrm_sid, sid);
4710
	if (unlikely(err)) {
4711
		pr_warn(
4712
		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4713
		       " unable to determine packet's peer label\n");
4714
		return -EACCES;
4715
	}
4716

4717
	return 0;
4718
}
4719

4720
/**
4721
 * selinux_conn_sid - Determine the child socket label for a connection
4722
 * @sk_sid: the parent socket's SID
4723
 * @skb_sid: the packet's SID
4724
 * @conn_sid: the resulting connection SID
4725
 *
4726
 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4727
 * combined with the MLS information from @skb_sid in order to create
4728
 * @conn_sid.  If @skb_sid is not valid then @conn_sid is simply a copy
4729
 * of @sk_sid.  Returns zero on success, negative values on failure.
4730
 *
4731
 */
4732
static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4733
{
4734
	int err = 0;
4735

4736
	if (skb_sid != SECSID_NULL)
4737
		err = security_sid_mls_copy(sk_sid, skb_sid,
4738
					    conn_sid);
4739
	else
4740
		*conn_sid = sk_sid;
4741

4742
	return err;
4743
}
4744

4745
/* socket security operations */
4746

4747
static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4748
				 u16 secclass, u32 *socksid)
4749
{
4750
	if (tsec->sockcreate_sid > SECSID_NULL) {
4751
		*socksid = tsec->sockcreate_sid;
4752
		return 0;
4753
	}
4754

4755
	return security_transition_sid(tsec->sid, tsec->sid,
4756
				       secclass, NULL, socksid);
4757
}
4758

4759
static bool sock_skip_has_perm(u32 sid)
4760
{
4761
	if (sid == SECINITSID_KERNEL)
4762
		return true;
4763

4764
	/*
4765
	 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that
4766
	 * inherited the kernel context from early boot used to be skipped
4767
	 * here, so preserve that behavior unless the capability is set.
4768
	 *
4769
	 * By setting the capability the policy signals that it is ready
4770
	 * for this quirk to be fixed. Note that sockets created by a kernel
4771
	 * thread or a usermode helper executed without a transition will
4772
	 * still be skipped in this check regardless of the policycap
4773
	 * setting.
4774
	 */
4775
	if (!selinux_policycap_userspace_initial_context() &&
4776
	    sid == SECINITSID_INIT)
4777
		return true;
4778
	return false;
4779
}
4780

4781

4782
static int sock_has_perm(struct sock *sk, u32 perms)
4783
{
4784
	struct sk_security_struct *sksec = sk->sk_security;
4785
	struct common_audit_data ad;
4786
	struct lsm_network_audit net;
4787

4788
	if (sock_skip_has_perm(sksec->sid))
4789
		return 0;
4790

4791
	ad_net_init_from_sk(&ad, &net, sk);
4792

4793
	return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4794
			    &ad);
4795
}
4796

4797
static int selinux_socket_create(int family, int type,
4798
				 int protocol, int kern)
4799
{
4800
	const struct task_security_struct *tsec = selinux_cred(current_cred());
4801
	u32 newsid;
4802
	u16 secclass;
4803
	int rc;
4804

4805
	if (kern)
4806
		return 0;
4807

4808
	secclass = socket_type_to_security_class(family, type, protocol);
4809
	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4810
	if (rc)
4811
		return rc;
4812

4813
	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4814
}
4815

4816
static int selinux_socket_post_create(struct socket *sock, int family,
4817
				      int type, int protocol, int kern)
4818
{
4819
	const struct task_security_struct *tsec = selinux_cred(current_cred());
4820
	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4821
	struct sk_security_struct *sksec;
4822
	u16 sclass = socket_type_to_security_class(family, type, protocol);
4823
	u32 sid = SECINITSID_KERNEL;
4824
	int err = 0;
4825

4826
	if (!kern) {
4827
		err = socket_sockcreate_sid(tsec, sclass, &sid);
4828
		if (err)
4829
			return err;
4830
	}
4831

4832
	isec->sclass = sclass;
4833
	isec->sid = sid;
4834
	isec->initialized = LABEL_INITIALIZED;
4835

4836
	if (sock->sk) {
4837
		sksec = selinux_sock(sock->sk);
4838
		sksec->sclass = sclass;
4839
		sksec->sid = sid;
4840
		/* Allows detection of the first association on this socket */
4841
		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4842
			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4843

4844
		err = selinux_netlbl_socket_post_create(sock->sk, family);
4845
	}
4846

4847
	return err;
4848
}
4849

4850
static int selinux_socket_socketpair(struct socket *socka,
4851
				     struct socket *sockb)
4852
{
4853
	struct sk_security_struct *sksec_a = selinux_sock(socka->sk);
4854
	struct sk_security_struct *sksec_b = selinux_sock(sockb->sk);
4855

4856
	sksec_a->peer_sid = sksec_b->sid;
4857
	sksec_b->peer_sid = sksec_a->sid;
4858

4859
	return 0;
4860
}
4861

4862
/* Range of port numbers used to automatically bind.
4863
   Need to determine whether we should perform a name_bind
4864
   permission check between the socket and the port number. */
4865

4866
static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4867
{
4868
	struct sock *sk = sock->sk;
4869
	struct sk_security_struct *sksec = selinux_sock(sk);
4870
	u16 family;
4871
	int err;
4872

4873
	err = sock_has_perm(sk, SOCKET__BIND);
4874
	if (err)
4875
		goto out;
4876

4877
	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4878
	family = sk->sk_family;
4879
	if (family == PF_INET || family == PF_INET6) {
4880
		char *addrp;
4881
		struct common_audit_data ad;
4882
		struct lsm_network_audit net = {0,};
4883
		struct sockaddr_in *addr4 = NULL;
4884
		struct sockaddr_in6 *addr6 = NULL;
4885
		u16 family_sa;
4886
		unsigned short snum;
4887
		u32 sid, node_perm;
4888

4889
		/*
4890
		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4891
		 * that validates multiple binding addresses. Because of this
4892
		 * need to check address->sa_family as it is possible to have
4893
		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4894
		 */
4895
		if (addrlen < offsetofend(struct sockaddr, sa_family))
4896
			return -EINVAL;
4897
		family_sa = address->sa_family;
4898
		switch (family_sa) {
4899
		case AF_UNSPEC:
4900
		case AF_INET:
4901
			if (addrlen < sizeof(struct sockaddr_in))
4902
				return -EINVAL;
4903
			addr4 = (struct sockaddr_in *)address;
4904
			if (family_sa == AF_UNSPEC) {
4905
				if (family == PF_INET6) {
4906
					/* Length check from inet6_bind_sk() */
4907
					if (addrlen < SIN6_LEN_RFC2133)
4908
						return -EINVAL;
4909
					/* Family check from __inet6_bind() */
4910
					goto err_af;
4911
				}
4912
				/* see __inet_bind(), we only want to allow
4913
				 * AF_UNSPEC if the address is INADDR_ANY
4914
				 */
4915
				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4916
					goto err_af;
4917
				family_sa = AF_INET;
4918
			}
4919
			snum = ntohs(addr4->sin_port);
4920
			addrp = (char *)&addr4->sin_addr.s_addr;
4921
			break;
4922
		case AF_INET6:
4923
			if (addrlen < SIN6_LEN_RFC2133)
4924
				return -EINVAL;
4925
			addr6 = (struct sockaddr_in6 *)address;
4926
			snum = ntohs(addr6->sin6_port);
4927
			addrp = (char *)&addr6->sin6_addr.s6_addr;
4928
			break;
4929
		default:
4930
			goto err_af;
4931
		}
4932

4933
		ad.type = LSM_AUDIT_DATA_NET;
4934
		ad.u.net = &net;
4935
		ad.u.net->sport = htons(snum);
4936
		ad.u.net->family = family_sa;
4937

4938
		if (snum) {
4939
			int low, high;
4940

4941
			inet_get_local_port_range(sock_net(sk), &low, &high);
4942

4943
			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4944
			    snum < low || snum > high) {
4945
				err = sel_netport_sid(sk->sk_protocol,
4946
						      snum, &sid);
4947
				if (err)
4948
					goto out;
4949
				err = avc_has_perm(sksec->sid, sid,
4950
						   sksec->sclass,
4951
						   SOCKET__NAME_BIND, &ad);
4952
				if (err)
4953
					goto out;
4954
			}
4955
		}
4956

4957
		switch (sksec->sclass) {
4958
		case SECCLASS_TCP_SOCKET:
4959
			node_perm = TCP_SOCKET__NODE_BIND;
4960
			break;
4961

4962
		case SECCLASS_UDP_SOCKET:
4963
			node_perm = UDP_SOCKET__NODE_BIND;
4964
			break;
4965

4966
		case SECCLASS_SCTP_SOCKET:
4967
			node_perm = SCTP_SOCKET__NODE_BIND;
4968
			break;
4969

4970
		default:
4971
			node_perm = RAWIP_SOCKET__NODE_BIND;
4972
			break;
4973
		}
4974

4975
		err = sel_netnode_sid(addrp, family_sa, &sid);
4976
		if (err)
4977
			goto out;
4978

4979
		if (family_sa == AF_INET)
4980
			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4981
		else
4982
			ad.u.net->v6info.saddr = addr6->sin6_addr;
4983

4984
		err = avc_has_perm(sksec->sid, sid,
4985
				   sksec->sclass, node_perm, &ad);
4986
		if (err)
4987
			goto out;
4988
	}
4989
out:
4990
	return err;
4991
err_af:
4992
	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4993
	if (sk->sk_protocol == IPPROTO_SCTP)
4994
		return -EINVAL;
4995
	return -EAFNOSUPPORT;
4996
}
4997

4998
/* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4999
 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
5000
 */
5001
static int selinux_socket_connect_helper(struct socket *sock,
5002
					 struct sockaddr *address, int addrlen)
5003
{
5004
	struct sock *sk = sock->sk;
5005
	struct sk_security_struct *sksec = selinux_sock(sk);
5006
	int err;
5007

5008
	err = sock_has_perm(sk, SOCKET__CONNECT);
5009
	if (err)
5010
		return err;
5011
	if (addrlen < offsetofend(struct sockaddr, sa_family))
5012
		return -EINVAL;
5013

5014
	/* connect(AF_UNSPEC) has special handling, as it is a documented
5015
	 * way to disconnect the socket
5016
	 */
5017
	if (address->sa_family == AF_UNSPEC)
5018
		return 0;
5019

5020
	/*
5021
	 * If a TCP or SCTP socket, check name_connect permission
5022
	 * for the port.
5023
	 */
5024
	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
5025
	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
5026
		struct common_audit_data ad;
5027
		struct lsm_network_audit net = {0,};
5028
		struct sockaddr_in *addr4 = NULL;
5029
		struct sockaddr_in6 *addr6 = NULL;
5030
		unsigned short snum;
5031
		u32 sid, perm;
5032

5033
		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
5034
		 * that validates multiple connect addresses. Because of this
5035
		 * need to check address->sa_family as it is possible to have
5036
		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
5037
		 */
5038
		switch (address->sa_family) {
5039
		case AF_INET:
5040
			addr4 = (struct sockaddr_in *)address;
5041
			if (addrlen < sizeof(struct sockaddr_in))
5042
				return -EINVAL;
5043
			snum = ntohs(addr4->sin_port);
5044
			break;
5045
		case AF_INET6:
5046
			addr6 = (struct sockaddr_in6 *)address;
5047
			if (addrlen < SIN6_LEN_RFC2133)
5048
				return -EINVAL;
5049
			snum = ntohs(addr6->sin6_port);
5050
			break;
5051
		default:
5052
			/* Note that SCTP services expect -EINVAL, whereas
5053
			 * others expect -EAFNOSUPPORT.
5054
			 */
5055
			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
5056
				return -EINVAL;
5057
			else
5058
				return -EAFNOSUPPORT;
5059
		}
5060

5061
		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
5062
		if (err)
5063
			return err;
5064

5065
		switch (sksec->sclass) {
5066
		case SECCLASS_TCP_SOCKET:
5067
			perm = TCP_SOCKET__NAME_CONNECT;
5068
			break;
5069
		case SECCLASS_SCTP_SOCKET:
5070
			perm = SCTP_SOCKET__NAME_CONNECT;
5071
			break;
5072
		}
5073

5074
		ad.type = LSM_AUDIT_DATA_NET;
5075
		ad.u.net = &net;
5076
		ad.u.net->dport = htons(snum);
5077
		ad.u.net->family = address->sa_family;
5078
		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
5079
		if (err)
5080
			return err;
5081
	}
5082

5083
	return 0;
5084
}
5085

5086
/* Supports connect(2), see comments in selinux_socket_connect_helper() */
5087
static int selinux_socket_connect(struct socket *sock,
5088
				  struct sockaddr *address, int addrlen)
5089
{
5090
	int err;
5091
	struct sock *sk = sock->sk;
5092

5093
	err = selinux_socket_connect_helper(sock, address, addrlen);
5094
	if (err)
5095
		return err;
5096

5097
	return selinux_netlbl_socket_connect(sk, address);
5098
}
5099

5100
static int selinux_socket_listen(struct socket *sock, int backlog)
5101
{
5102
	return sock_has_perm(sock->sk, SOCKET__LISTEN);
5103
}
5104

5105
static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
5106
{
5107
	int err;
5108
	struct inode_security_struct *isec;
5109
	struct inode_security_struct *newisec;
5110
	u16 sclass;
5111
	u32 sid;
5112

5113
	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
5114
	if (err)
5115
		return err;
5116

5117
	isec = inode_security_novalidate(SOCK_INODE(sock));
5118
	spin_lock(&isec->lock);
5119
	sclass = isec->sclass;
5120
	sid = isec->sid;
5121
	spin_unlock(&isec->lock);
5122

5123
	newisec = inode_security_novalidate(SOCK_INODE(newsock));
5124
	newisec->sclass = sclass;
5125
	newisec->sid = sid;
5126
	newisec->initialized = LABEL_INITIALIZED;
5127

5128
	return 0;
5129
}
5130

5131
static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
5132
				  int size)
5133
{
5134
	return sock_has_perm(sock->sk, SOCKET__WRITE);
5135
}
5136

5137
static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
5138
				  int size, int flags)
5139
{
5140
	return sock_has_perm(sock->sk, SOCKET__READ);
5141
}
5142

5143
static int selinux_socket_getsockname(struct socket *sock)
5144
{
5145
	return sock_has_perm(sock->sk, SOCKET__GETATTR);
5146
}
5147

5148
static int selinux_socket_getpeername(struct socket *sock)
5149
{
5150
	return sock_has_perm(sock->sk, SOCKET__GETATTR);
5151
}
5152

5153
static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
5154
{
5155
	int err;
5156

5157
	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
5158
	if (err)
5159
		return err;
5160

5161
	return selinux_netlbl_socket_setsockopt(sock, level, optname);
5162
}
5163

5164
static int selinux_socket_getsockopt(struct socket *sock, int level,
5165
				     int optname)
5166
{
5167
	return sock_has_perm(sock->sk, SOCKET__GETOPT);
5168
}
5169

5170
static int selinux_socket_shutdown(struct socket *sock, int how)
5171
{
5172
	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
5173
}
5174

5175
static int selinux_socket_unix_stream_connect(struct sock *sock,
5176
					      struct sock *other,
5177
					      struct sock *newsk)
5178
{
5179
	struct sk_security_struct *sksec_sock = selinux_sock(sock);
5180
	struct sk_security_struct *sksec_other = selinux_sock(other);
5181
	struct sk_security_struct *sksec_new = selinux_sock(newsk);
5182
	struct common_audit_data ad;
5183
	struct lsm_network_audit net;
5184
	int err;
5185

5186
	ad_net_init_from_sk(&ad, &net, other);
5187

5188
	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
5189
			   sksec_other->sclass,
5190
			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
5191
	if (err)
5192
		return err;
5193

5194
	/* server child socket */
5195
	sksec_new->peer_sid = sksec_sock->sid;
5196
	err = security_sid_mls_copy(sksec_other->sid,
5197
				    sksec_sock->sid, &sksec_new->sid);
5198
	if (err)
5199
		return err;
5200

5201
	/* connecting socket */
5202
	sksec_sock->peer_sid = sksec_new->sid;
5203

5204
	return 0;
5205
}
5206

5207
static int selinux_socket_unix_may_send(struct socket *sock,
5208
					struct socket *other)
5209
{
5210
	struct sk_security_struct *ssec = selinux_sock(sock->sk);
5211
	struct sk_security_struct *osec = selinux_sock(other->sk);
5212
	struct common_audit_data ad;
5213
	struct lsm_network_audit net;
5214

5215
	ad_net_init_from_sk(&ad, &net, other->sk);
5216

5217
	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5218
			    &ad);
5219
}
5220

5221
static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5222
				    char *addrp, u16 family, u32 peer_sid,
5223
				    struct common_audit_data *ad)
5224
{
5225
	int err;
5226
	u32 if_sid;
5227
	u32 node_sid;
5228

5229
	err = sel_netif_sid(ns, ifindex, &if_sid);
5230
	if (err)
5231
		return err;
5232
	err = avc_has_perm(peer_sid, if_sid,
5233
			   SECCLASS_NETIF, NETIF__INGRESS, ad);
5234
	if (err)
5235
		return err;
5236

5237
	err = sel_netnode_sid(addrp, family, &node_sid);
5238
	if (err)
5239
		return err;
5240
	return avc_has_perm(peer_sid, node_sid,
5241
			    SECCLASS_NODE, NODE__RECVFROM, ad);
5242
}
5243

5244
static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5245
				       u16 family)
5246
{
5247
	int err = 0;
5248
	struct sk_security_struct *sksec = selinux_sock(sk);
5249
	u32 sk_sid = sksec->sid;
5250
	struct common_audit_data ad;
5251
	struct lsm_network_audit net;
5252
	char *addrp;
5253

5254
	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5255
	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5256
	if (err)
5257
		return err;
5258

5259
	if (selinux_secmark_enabled()) {
5260
		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5261
				   PACKET__RECV, &ad);
5262
		if (err)
5263
			return err;
5264
	}
5265

5266
	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5267
	if (err)
5268
		return err;
5269
	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5270

5271
	return err;
5272
}
5273

5274
static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5275
{
5276
	int err, peerlbl_active, secmark_active;
5277
	struct sk_security_struct *sksec = selinux_sock(sk);
5278
	u16 family = sk->sk_family;
5279
	u32 sk_sid = sksec->sid;
5280
	struct common_audit_data ad;
5281
	struct lsm_network_audit net;
5282
	char *addrp;
5283

5284
	if (family != PF_INET && family != PF_INET6)
5285
		return 0;
5286

5287
	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5288
	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5289
		family = PF_INET;
5290

5291
	/* If any sort of compatibility mode is enabled then handoff processing
5292
	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5293
	 * special handling.  We do this in an attempt to keep this function
5294
	 * as fast and as clean as possible. */
5295
	if (!selinux_policycap_netpeer())
5296
		return selinux_sock_rcv_skb_compat(sk, skb, family);
5297

5298
	secmark_active = selinux_secmark_enabled();
5299
	peerlbl_active = selinux_peerlbl_enabled();
5300
	if (!secmark_active && !peerlbl_active)
5301
		return 0;
5302

5303
	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5304
	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5305
	if (err)
5306
		return err;
5307

5308
	if (peerlbl_active) {
5309
		u32 peer_sid;
5310

5311
		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5312
		if (err)
5313
			return err;
5314
		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5315
					       addrp, family, peer_sid, &ad);
5316
		if (err) {
5317
			selinux_netlbl_err(skb, family, err, 0);
5318
			return err;
5319
		}
5320
		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
5321
				   PEER__RECV, &ad);
5322
		if (err) {
5323
			selinux_netlbl_err(skb, family, err, 0);
5324
			return err;
5325
		}
5326
	}
5327

5328
	if (secmark_active) {
5329
		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5330
				   PACKET__RECV, &ad);
5331
		if (err)
5332
			return err;
5333
	}
5334

5335
	return err;
5336
}
5337

5338
static int selinux_socket_getpeersec_stream(struct socket *sock,
5339
					    sockptr_t optval, sockptr_t optlen,
5340
					    unsigned int len)
5341
{
5342
	int err = 0;
5343
	char *scontext = NULL;
5344
	u32 scontext_len;
5345
	struct sk_security_struct *sksec = selinux_sock(sock->sk);
5346
	u32 peer_sid = SECSID_NULL;
5347

5348
	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5349
	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5350
	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5351
		peer_sid = sksec->peer_sid;
5352
	if (peer_sid == SECSID_NULL)
5353
		return -ENOPROTOOPT;
5354

5355
	err = security_sid_to_context(peer_sid, &scontext,
5356
				      &scontext_len);
5357
	if (err)
5358
		return err;
5359
	if (scontext_len > len) {
5360
		err = -ERANGE;
5361
		goto out_len;
5362
	}
5363

5364
	if (copy_to_sockptr(optval, scontext, scontext_len))
5365
		err = -EFAULT;
5366
out_len:
5367
	if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
5368
		err = -EFAULT;
5369
	kfree(scontext);
5370
	return err;
5371
}
5372

5373
static int selinux_socket_getpeersec_dgram(struct socket *sock,
5374
					   struct sk_buff *skb, u32 *secid)
5375
{
5376
	u32 peer_secid = SECSID_NULL;
5377
	u16 family;
5378

5379
	if (skb && skb->protocol == htons(ETH_P_IP))
5380
		family = PF_INET;
5381
	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5382
		family = PF_INET6;
5383
	else if (sock)
5384
		family = sock->sk->sk_family;
5385
	else {
5386
		*secid = SECSID_NULL;
5387
		return -EINVAL;
5388
	}
5389

5390
	if (sock && family == PF_UNIX) {
5391
		struct inode_security_struct *isec;
5392
		isec = inode_security_novalidate(SOCK_INODE(sock));
5393
		peer_secid = isec->sid;
5394
	} else if (skb)
5395
		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5396

5397
	*secid = peer_secid;
5398
	if (peer_secid == SECSID_NULL)
5399
		return -ENOPROTOOPT;
5400
	return 0;
5401
}
5402

5403
static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5404
{
5405
	struct sk_security_struct *sksec = selinux_sock(sk);
5406

5407
	sksec->peer_sid = SECINITSID_UNLABELED;
5408
	sksec->sid = SECINITSID_UNLABELED;
5409
	sksec->sclass = SECCLASS_SOCKET;
5410
	selinux_netlbl_sk_security_reset(sksec);
5411

5412
	return 0;
5413
}
5414

5415
static void selinux_sk_free_security(struct sock *sk)
5416
{
5417
	struct sk_security_struct *sksec = selinux_sock(sk);
5418

5419
	selinux_netlbl_sk_security_free(sksec);
5420
}
5421

5422
static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5423
{
5424
	struct sk_security_struct *sksec = selinux_sock(sk);
5425
	struct sk_security_struct *newsksec = selinux_sock(newsk);
5426

5427
	newsksec->sid = sksec->sid;
5428
	newsksec->peer_sid = sksec->peer_sid;
5429
	newsksec->sclass = sksec->sclass;
5430

5431
	selinux_netlbl_sk_security_reset(newsksec);
5432
}
5433

5434
static void selinux_sk_getsecid(const struct sock *sk, u32 *secid)
5435
{
5436
	if (!sk)
5437
		*secid = SECINITSID_ANY_SOCKET;
5438
	else {
5439
		const struct sk_security_struct *sksec = selinux_sock(sk);
5440

5441
		*secid = sksec->sid;
5442
	}
5443
}
5444

5445
static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5446
{
5447
	struct inode_security_struct *isec =
5448
		inode_security_novalidate(SOCK_INODE(parent));
5449
	struct sk_security_struct *sksec = selinux_sock(sk);
5450

5451
	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5452
	    sk->sk_family == PF_UNIX)
5453
		isec->sid = sksec->sid;
5454
	sksec->sclass = isec->sclass;
5455
}
5456

5457
/*
5458
 * Determines peer_secid for the asoc and updates socket's peer label
5459
 * if it's the first association on the socket.
5460
 */
5461
static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5462
					  struct sk_buff *skb)
5463
{
5464
	struct sock *sk = asoc->base.sk;
5465
	u16 family = sk->sk_family;
5466
	struct sk_security_struct *sksec = selinux_sock(sk);
5467
	struct common_audit_data ad;
5468
	struct lsm_network_audit net;
5469
	int err;
5470

5471
	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5472
	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5473
		family = PF_INET;
5474

5475
	if (selinux_peerlbl_enabled()) {
5476
		asoc->peer_secid = SECSID_NULL;
5477

5478
		/* This will return peer_sid = SECSID_NULL if there are
5479
		 * no peer labels, see security_net_peersid_resolve().
5480
		 */
5481
		err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5482
		if (err)
5483
			return err;
5484

5485
		if (asoc->peer_secid == SECSID_NULL)
5486
			asoc->peer_secid = SECINITSID_UNLABELED;
5487
	} else {
5488
		asoc->peer_secid = SECINITSID_UNLABELED;
5489
	}
5490

5491
	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5492
		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5493

5494
		/* Here as first association on socket. As the peer SID
5495
		 * was allowed by peer recv (and the netif/node checks),
5496
		 * then it is approved by policy and used as the primary
5497
		 * peer SID for getpeercon(3).
5498
		 */
5499
		sksec->peer_sid = asoc->peer_secid;
5500
	} else if (sksec->peer_sid != asoc->peer_secid) {
5501
		/* Other association peer SIDs are checked to enforce
5502
		 * consistency among the peer SIDs.
5503
		 */
5504
		ad_net_init_from_sk(&ad, &net, asoc->base.sk);
5505
		err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
5506
				   sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5507
				   &ad);
5508
		if (err)
5509
			return err;
5510
	}
5511
	return 0;
5512
}
5513

5514
/* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5515
 * happens on an incoming connect(2), sctp_connectx(3) or
5516
 * sctp_sendmsg(3) (with no association already present).
5517
 */
5518
static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5519
				      struct sk_buff *skb)
5520
{
5521
	struct sk_security_struct *sksec = selinux_sock(asoc->base.sk);
5522
	u32 conn_sid;
5523
	int err;
5524

5525
	if (!selinux_policycap_extsockclass())
5526
		return 0;
5527

5528
	err = selinux_sctp_process_new_assoc(asoc, skb);
5529
	if (err)
5530
		return err;
5531

5532
	/* Compute the MLS component for the connection and store
5533
	 * the information in asoc. This will be used by SCTP TCP type
5534
	 * sockets and peeled off connections as they cause a new
5535
	 * socket to be generated. selinux_sctp_sk_clone() will then
5536
	 * plug this into the new socket.
5537
	 */
5538
	err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5539
	if (err)
5540
		return err;
5541

5542
	asoc->secid = conn_sid;
5543

5544
	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5545
	return selinux_netlbl_sctp_assoc_request(asoc, skb);
5546
}
5547

5548
/* Called when SCTP receives a COOKIE ACK chunk as the final
5549
 * response to an association request (initited by us).
5550
 */
5551
static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5552
					  struct sk_buff *skb)
5553
{
5554
	struct sk_security_struct *sksec = selinux_sock(asoc->base.sk);
5555

5556
	if (!selinux_policycap_extsockclass())
5557
		return 0;
5558

5559
	/* Inherit secid from the parent socket - this will be picked up
5560
	 * by selinux_sctp_sk_clone() if the association gets peeled off
5561
	 * into a new socket.
5562
	 */
5563
	asoc->secid = sksec->sid;
5564

5565
	return selinux_sctp_process_new_assoc(asoc, skb);
5566
}
5567

5568
/* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5569
 * based on their @optname.
5570
 */
5571
static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5572
				     struct sockaddr *address,
5573
				     int addrlen)
5574
{
5575
	int len, err = 0, walk_size = 0;
5576
	void *addr_buf;
5577
	struct sockaddr *addr;
5578
	struct socket *sock;
5579

5580
	if (!selinux_policycap_extsockclass())
5581
		return 0;
5582

5583
	/* Process one or more addresses that may be IPv4 or IPv6 */
5584
	sock = sk->sk_socket;
5585
	addr_buf = address;
5586

5587
	while (walk_size < addrlen) {
5588
		if (walk_size + sizeof(sa_family_t) > addrlen)
5589
			return -EINVAL;
5590

5591
		addr = addr_buf;
5592
		switch (addr->sa_family) {
5593
		case AF_UNSPEC:
5594
		case AF_INET:
5595
			len = sizeof(struct sockaddr_in);
5596
			break;
5597
		case AF_INET6:
5598
			len = sizeof(struct sockaddr_in6);
5599
			break;
5600
		default:
5601
			return -EINVAL;
5602
		}
5603

5604
		if (walk_size + len > addrlen)
5605
			return -EINVAL;
5606

5607
		err = -EINVAL;
5608
		switch (optname) {
5609
		/* Bind checks */
5610
		case SCTP_PRIMARY_ADDR:
5611
		case SCTP_SET_PEER_PRIMARY_ADDR:
5612
		case SCTP_SOCKOPT_BINDX_ADD:
5613
			err = selinux_socket_bind(sock, addr, len);
5614
			break;
5615
		/* Connect checks */
5616
		case SCTP_SOCKOPT_CONNECTX:
5617
		case SCTP_PARAM_SET_PRIMARY:
5618
		case SCTP_PARAM_ADD_IP:
5619
		case SCTP_SENDMSG_CONNECT:
5620
			err = selinux_socket_connect_helper(sock, addr, len);
5621
			if (err)
5622
				return err;
5623

5624
			/* As selinux_sctp_bind_connect() is called by the
5625
			 * SCTP protocol layer, the socket is already locked,
5626
			 * therefore selinux_netlbl_socket_connect_locked()
5627
			 * is called here. The situations handled are:
5628
			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5629
			 * whenever a new IP address is added or when a new
5630
			 * primary address is selected.
5631
			 * Note that an SCTP connect(2) call happens before
5632
			 * the SCTP protocol layer and is handled via
5633
			 * selinux_socket_connect().
5634
			 */
5635
			err = selinux_netlbl_socket_connect_locked(sk, addr);
5636
			break;
5637
		}
5638

5639
		if (err)
5640
			return err;
5641

5642
		addr_buf += len;
5643
		walk_size += len;
5644
	}
5645

5646
	return 0;
5647
}
5648

5649
/* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5650
static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5651
				  struct sock *newsk)
5652
{
5653
	struct sk_security_struct *sksec = selinux_sock(sk);
5654
	struct sk_security_struct *newsksec = selinux_sock(newsk);
5655

5656
	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5657
	 * the non-sctp clone version.
5658
	 */
5659
	if (!selinux_policycap_extsockclass())
5660
		return selinux_sk_clone_security(sk, newsk);
5661

5662
	newsksec->sid = asoc->secid;
5663
	newsksec->peer_sid = asoc->peer_secid;
5664
	newsksec->sclass = sksec->sclass;
5665
	selinux_netlbl_sctp_sk_clone(sk, newsk);
5666
}
5667

5668
static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
5669
{
5670
	struct sk_security_struct *ssksec = selinux_sock(ssk);
5671
	struct sk_security_struct *sksec = selinux_sock(sk);
5672

5673
	ssksec->sclass = sksec->sclass;
5674
	ssksec->sid = sksec->sid;
5675

5676
	/* replace the existing subflow label deleting the existing one
5677
	 * and re-recreating a new label using the updated context
5678
	 */
5679
	selinux_netlbl_sk_security_free(ssksec);
5680
	return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
5681
}
5682

5683
static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5684
				     struct request_sock *req)
5685
{
5686
	struct sk_security_struct *sksec = selinux_sock(sk);
5687
	int err;
5688
	u16 family = req->rsk_ops->family;
5689
	u32 connsid;
5690
	u32 peersid;
5691

5692
	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5693
	if (err)
5694
		return err;
5695
	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5696
	if (err)
5697
		return err;
5698
	req->secid = connsid;
5699
	req->peer_secid = peersid;
5700

5701
	return selinux_netlbl_inet_conn_request(req, family);
5702
}
5703

5704
static void selinux_inet_csk_clone(struct sock *newsk,
5705
				   const struct request_sock *req)
5706
{
5707
	struct sk_security_struct *newsksec = selinux_sock(newsk);
5708

5709
	newsksec->sid = req->secid;
5710
	newsksec->peer_sid = req->peer_secid;
5711
	/* NOTE: Ideally, we should also get the isec->sid for the
5712
	   new socket in sync, but we don't have the isec available yet.
5713
	   So we will wait until sock_graft to do it, by which
5714
	   time it will have been created and available. */
5715

5716
	/* We don't need to take any sort of lock here as we are the only
5717
	 * thread with access to newsksec */
5718
	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5719
}
5720

5721
static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5722
{
5723
	u16 family = sk->sk_family;
5724
	struct sk_security_struct *sksec = selinux_sock(sk);
5725

5726
	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5727
	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5728
		family = PF_INET;
5729

5730
	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5731
}
5732

5733
static int selinux_secmark_relabel_packet(u32 sid)
5734
{
5735
	return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO,
5736
			    NULL);
5737
}
5738

5739
static void selinux_secmark_refcount_inc(void)
5740
{
5741
	atomic_inc(&selinux_secmark_refcount);
5742
}
5743

5744
static void selinux_secmark_refcount_dec(void)
5745
{
5746
	atomic_dec(&selinux_secmark_refcount);
5747
}
5748

5749
static void selinux_req_classify_flow(const struct request_sock *req,
5750
				      struct flowi_common *flic)
5751
{
5752
	flic->flowic_secid = req->secid;
5753
}
5754

5755
static int selinux_tun_dev_alloc_security(void *security)
5756
{
5757
	struct tun_security_struct *tunsec = selinux_tun_dev(security);
5758

5759
	tunsec->sid = current_sid();
5760
	return 0;
5761
}
5762

5763
static int selinux_tun_dev_create(void)
5764
{
5765
	u32 sid = current_sid();
5766

5767
	/* we aren't taking into account the "sockcreate" SID since the socket
5768
	 * that is being created here is not a socket in the traditional sense,
5769
	 * instead it is a private sock, accessible only to the kernel, and
5770
	 * representing a wide range of network traffic spanning multiple
5771
	 * connections unlike traditional sockets - check the TUN driver to
5772
	 * get a better understanding of why this socket is special */
5773

5774
	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5775
			    NULL);
5776
}
5777

5778
static int selinux_tun_dev_attach_queue(void *security)
5779
{
5780
	struct tun_security_struct *tunsec = selinux_tun_dev(security);
5781

5782
	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5783
			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5784
}
5785

5786
static int selinux_tun_dev_attach(struct sock *sk, void *security)
5787
{
5788
	struct tun_security_struct *tunsec = selinux_tun_dev(security);
5789
	struct sk_security_struct *sksec = selinux_sock(sk);
5790

5791
	/* we don't currently perform any NetLabel based labeling here and it
5792
	 * isn't clear that we would want to do so anyway; while we could apply
5793
	 * labeling without the support of the TUN user the resulting labeled
5794
	 * traffic from the other end of the connection would almost certainly
5795
	 * cause confusion to the TUN user that had no idea network labeling
5796
	 * protocols were being used */
5797

5798
	sksec->sid = tunsec->sid;
5799
	sksec->sclass = SECCLASS_TUN_SOCKET;
5800

5801
	return 0;
5802
}
5803

5804
static int selinux_tun_dev_open(void *security)
5805
{
5806
	struct tun_security_struct *tunsec = selinux_tun_dev(security);
5807
	u32 sid = current_sid();
5808
	int err;
5809

5810
	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5811
			   TUN_SOCKET__RELABELFROM, NULL);
5812
	if (err)
5813
		return err;
5814
	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5815
			   TUN_SOCKET__RELABELTO, NULL);
5816
	if (err)
5817
		return err;
5818
	tunsec->sid = sid;
5819

5820
	return 0;
5821
}
5822

5823
#ifdef CONFIG_NETFILTER
5824

5825
static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5826
				       const struct nf_hook_state *state)
5827
{
5828
	int ifindex;
5829
	u16 family;
5830
	char *addrp;
5831
	u32 peer_sid;
5832
	struct common_audit_data ad;
5833
	struct lsm_network_audit net;
5834
	int secmark_active, peerlbl_active;
5835

5836
	if (!selinux_policycap_netpeer())
5837
		return NF_ACCEPT;
5838

5839
	secmark_active = selinux_secmark_enabled();
5840
	peerlbl_active = selinux_peerlbl_enabled();
5841
	if (!secmark_active && !peerlbl_active)
5842
		return NF_ACCEPT;
5843

5844
	family = state->pf;
5845
	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5846
		return NF_DROP;
5847

5848
	ifindex = state->in->ifindex;
5849
	ad_net_init_from_iif(&ad, &net, ifindex, family);
5850
	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5851
		return NF_DROP;
5852

5853
	if (peerlbl_active) {
5854
		int err;
5855

5856
		err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5857
					       addrp, family, peer_sid, &ad);
5858
		if (err) {
5859
			selinux_netlbl_err(skb, family, err, 1);
5860
			return NF_DROP;
5861
		}
5862
	}
5863

5864
	if (secmark_active)
5865
		if (avc_has_perm(peer_sid, skb->secmark,
5866
				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5867
			return NF_DROP;
5868

5869
	if (netlbl_enabled())
5870
		/* we do this in the FORWARD path and not the POST_ROUTING
5871
		 * path because we want to make sure we apply the necessary
5872
		 * labeling before IPsec is applied so we can leverage AH
5873
		 * protection */
5874
		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5875
			return NF_DROP;
5876

5877
	return NF_ACCEPT;
5878
}
5879

5880
static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5881
				      const struct nf_hook_state *state)
5882
{
5883
	struct sock *sk;
5884
	u32 sid;
5885

5886
	if (!netlbl_enabled())
5887
		return NF_ACCEPT;
5888

5889
	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5890
	 * because we want to make sure we apply the necessary labeling
5891
	 * before IPsec is applied so we can leverage AH protection */
5892
	sk = skb_to_full_sk(skb);
5893
	if (sk) {
5894
		struct sk_security_struct *sksec;
5895

5896
		if (sk_listener(sk))
5897
			/* if the socket is the listening state then this
5898
			 * packet is a SYN-ACK packet which means it needs to
5899
			 * be labeled based on the connection/request_sock and
5900
			 * not the parent socket.  unfortunately, we can't
5901
			 * lookup the request_sock yet as it isn't queued on
5902
			 * the parent socket until after the SYN-ACK is sent.
5903
			 * the "solution" is to simply pass the packet as-is
5904
			 * as any IP option based labeling should be copied
5905
			 * from the initial connection request (in the IP
5906
			 * layer).  it is far from ideal, but until we get a
5907
			 * security label in the packet itself this is the
5908
			 * best we can do. */
5909
			return NF_ACCEPT;
5910

5911
		/* standard practice, label using the parent socket */
5912
		sksec = selinux_sock(sk);
5913
		sid = sksec->sid;
5914
	} else
5915
		sid = SECINITSID_KERNEL;
5916
	if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5917
		return NF_DROP;
5918

5919
	return NF_ACCEPT;
5920
}
5921

5922

5923
static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5924
					const struct nf_hook_state *state)
5925
{
5926
	struct sock *sk;
5927
	struct sk_security_struct *sksec;
5928
	struct common_audit_data ad;
5929
	struct lsm_network_audit net;
5930
	u8 proto = 0;
5931

5932
	sk = skb_to_full_sk(skb);
5933
	if (sk == NULL)
5934
		return NF_ACCEPT;
5935
	sksec = selinux_sock(sk);
5936

5937
	ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf);
5938
	if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5939
		return NF_DROP;
5940

5941
	if (selinux_secmark_enabled())
5942
		if (avc_has_perm(sksec->sid, skb->secmark,
5943
				 SECCLASS_PACKET, PACKET__SEND, &ad))
5944
			return NF_DROP_ERR(-ECONNREFUSED);
5945

5946
	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5947
		return NF_DROP_ERR(-ECONNREFUSED);
5948

5949
	return NF_ACCEPT;
5950
}
5951

5952
static unsigned int selinux_ip_postroute(void *priv,
5953
					 struct sk_buff *skb,
5954
					 const struct nf_hook_state *state)
5955
{
5956
	u16 family;
5957
	u32 secmark_perm;
5958
	u32 peer_sid;
5959
	int ifindex;
5960
	struct sock *sk;
5961
	struct common_audit_data ad;
5962
	struct lsm_network_audit net;
5963
	char *addrp;
5964
	int secmark_active, peerlbl_active;
5965

5966
	/* If any sort of compatibility mode is enabled then handoff processing
5967
	 * to the selinux_ip_postroute_compat() function to deal with the
5968
	 * special handling.  We do this in an attempt to keep this function
5969
	 * as fast and as clean as possible. */
5970
	if (!selinux_policycap_netpeer())
5971
		return selinux_ip_postroute_compat(skb, state);
5972

5973
	secmark_active = selinux_secmark_enabled();
5974
	peerlbl_active = selinux_peerlbl_enabled();
5975
	if (!secmark_active && !peerlbl_active)
5976
		return NF_ACCEPT;
5977

5978
	sk = skb_to_full_sk(skb);
5979

5980
#ifdef CONFIG_XFRM
5981
	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5982
	 * packet transformation so allow the packet to pass without any checks
5983
	 * since we'll have another chance to perform access control checks
5984
	 * when the packet is on it's final way out.
5985
	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5986
	 *       is NULL, in this case go ahead and apply access control.
5987
	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5988
	 *       TCP listening state we cannot wait until the XFRM processing
5989
	 *       is done as we will miss out on the SA label if we do;
5990
	 *       unfortunately, this means more work, but it is only once per
5991
	 *       connection. */
5992
	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5993
	    !(sk && sk_listener(sk)))
5994
		return NF_ACCEPT;
5995
#endif
5996

5997
	family = state->pf;
5998
	if (sk == NULL) {
5999
		/* Without an associated socket the packet is either coming
6000
		 * from the kernel or it is being forwarded; check the packet
6001
		 * to determine which and if the packet is being forwarded
6002
		 * query the packet directly to determine the security label. */
6003
		if (skb->skb_iif) {
6004
			secmark_perm = PACKET__FORWARD_OUT;
6005
			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
6006
				return NF_DROP;
6007
		} else {
6008
			secmark_perm = PACKET__SEND;
6009
			peer_sid = SECINITSID_KERNEL;
6010
		}
6011
	} else if (sk_listener(sk)) {
6012
		/* Locally generated packet but the associated socket is in the
6013
		 * listening state which means this is a SYN-ACK packet.  In
6014
		 * this particular case the correct security label is assigned
6015
		 * to the connection/request_sock but unfortunately we can't
6016
		 * query the request_sock as it isn't queued on the parent
6017
		 * socket until after the SYN-ACK packet is sent; the only
6018
		 * viable choice is to regenerate the label like we do in
6019
		 * selinux_inet_conn_request().  See also selinux_ip_output()
6020
		 * for similar problems. */
6021
		u32 skb_sid;
6022
		struct sk_security_struct *sksec;
6023

6024
		sksec = selinux_sock(sk);
6025
		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
6026
			return NF_DROP;
6027
		/* At this point, if the returned skb peerlbl is SECSID_NULL
6028
		 * and the packet has been through at least one XFRM
6029
		 * transformation then we must be dealing with the "final"
6030
		 * form of labeled IPsec packet; since we've already applied
6031
		 * all of our access controls on this packet we can safely
6032
		 * pass the packet. */
6033
		if (skb_sid == SECSID_NULL) {
6034
			switch (family) {
6035
			case PF_INET:
6036
				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
6037
					return NF_ACCEPT;
6038
				break;
6039
			case PF_INET6:
6040
				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
6041
					return NF_ACCEPT;
6042
				break;
6043
			default:
6044
				return NF_DROP_ERR(-ECONNREFUSED);
6045
			}
6046
		}
6047
		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
6048
			return NF_DROP;
6049
		secmark_perm = PACKET__SEND;
6050
	} else {
6051
		/* Locally generated packet, fetch the security label from the
6052
		 * associated socket. */
6053
		struct sk_security_struct *sksec = selinux_sock(sk);
6054
		peer_sid = sksec->sid;
6055
		secmark_perm = PACKET__SEND;
6056
	}
6057

6058
	ifindex = state->out->ifindex;
6059
	ad_net_init_from_iif(&ad, &net, ifindex, family);
6060
	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
6061
		return NF_DROP;
6062

6063
	if (secmark_active)
6064
		if (avc_has_perm(peer_sid, skb->secmark,
6065
				 SECCLASS_PACKET, secmark_perm, &ad))
6066
			return NF_DROP_ERR(-ECONNREFUSED);
6067

6068
	if (peerlbl_active) {
6069
		u32 if_sid;
6070
		u32 node_sid;
6071

6072
		if (sel_netif_sid(state->net, ifindex, &if_sid))
6073
			return NF_DROP;
6074
		if (avc_has_perm(peer_sid, if_sid,
6075
				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
6076
			return NF_DROP_ERR(-ECONNREFUSED);
6077

6078
		if (sel_netnode_sid(addrp, family, &node_sid))
6079
			return NF_DROP;
6080
		if (avc_has_perm(peer_sid, node_sid,
6081
				 SECCLASS_NODE, NODE__SENDTO, &ad))
6082
			return NF_DROP_ERR(-ECONNREFUSED);
6083
	}
6084

6085
	return NF_ACCEPT;
6086
}
6087
#endif	/* CONFIG_NETFILTER */
6088

6089
static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type)
6090
{
6091
	struct sk_security_struct *sksec = sk->sk_security;
6092
	struct common_audit_data ad;
6093
	u8 driver;
6094
	u8 xperm;
6095

6096
	if (sock_skip_has_perm(sksec->sid))
6097
		return 0;
6098

6099
	ad.type = LSM_AUDIT_DATA_NLMSGTYPE;
6100
	ad.u.nlmsg_type = nlmsg_type;
6101

6102
	driver = nlmsg_type >> 8;
6103
	xperm = nlmsg_type & 0xff;
6104

6105
	return avc_has_extended_perms(current_sid(), sksec->sid, sksec->sclass,
6106
				      perms, driver, AVC_EXT_NLMSG, xperm, &ad);
6107
}
6108

6109
static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
6110
{
6111
	int rc = 0;
6112
	unsigned int msg_len;
6113
	unsigned int data_len = skb->len;
6114
	unsigned char *data = skb->data;
6115
	struct nlmsghdr *nlh;
6116
	struct sk_security_struct *sksec = selinux_sock(sk);
6117
	u16 sclass = sksec->sclass;
6118
	u32 perm;
6119

6120
	while (data_len >= nlmsg_total_size(0)) {
6121
		nlh = (struct nlmsghdr *)data;
6122

6123
		/* NOTE: the nlmsg_len field isn't reliably set by some netlink
6124
		 *       users which means we can't reject skb's with bogus
6125
		 *       length fields; our solution is to follow what
6126
		 *       netlink_rcv_skb() does and simply skip processing at
6127
		 *       messages with length fields that are clearly junk
6128
		 */
6129
		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
6130
			return 0;
6131

6132
		rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
6133
		if (rc == 0) {
6134
			if (selinux_policycap_netlink_xperm()) {
6135
				rc = nlmsg_sock_has_extended_perms(
6136
					sk, perm, nlh->nlmsg_type);
6137
			} else {
6138
				rc = sock_has_perm(sk, perm);
6139
			}
6140
			if (rc)
6141
				return rc;
6142
		} else if (rc == -EINVAL) {
6143
			/* -EINVAL is a missing msg/perm mapping */
6144
			pr_warn_ratelimited("SELinux: unrecognized netlink"
6145
				" message: protocol=%hu nlmsg_type=%hu sclass=%s"
6146
				" pid=%d comm=%s\n",
6147
				sk->sk_protocol, nlh->nlmsg_type,
6148
				secclass_map[sclass - 1].name,
6149
				task_pid_nr(current), current->comm);
6150
			if (enforcing_enabled() &&
6151
			    !security_get_allow_unknown())
6152
				return rc;
6153
			rc = 0;
6154
		} else if (rc == -ENOENT) {
6155
			/* -ENOENT is a missing socket/class mapping, ignore */
6156
			rc = 0;
6157
		} else {
6158
			return rc;
6159
		}
6160

6161
		/* move to the next message after applying netlink padding */
6162
		msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
6163
		if (msg_len >= data_len)
6164
			return 0;
6165
		data_len -= msg_len;
6166
		data += msg_len;
6167
	}
6168

6169
	return rc;
6170
}
6171

6172
static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
6173
{
6174
	isec->sclass = sclass;
6175
	isec->sid = current_sid();
6176
}
6177

6178
static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
6179
			u32 perms)
6180
{
6181
	struct ipc_security_struct *isec;
6182
	struct common_audit_data ad;
6183
	u32 sid = current_sid();
6184

6185
	isec = selinux_ipc(ipc_perms);
6186

6187
	ad.type = LSM_AUDIT_DATA_IPC;
6188
	ad.u.ipc_id = ipc_perms->key;
6189

6190
	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
6191
}
6192

6193
static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6194
{
6195
	struct msg_security_struct *msec;
6196

6197
	msec = selinux_msg_msg(msg);
6198
	msec->sid = SECINITSID_UNLABELED;
6199

6200
	return 0;
6201
}
6202

6203
/* message queue security operations */
6204
static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6205
{
6206
	struct ipc_security_struct *isec;
6207
	struct common_audit_data ad;
6208
	u32 sid = current_sid();
6209

6210
	isec = selinux_ipc(msq);
6211
	ipc_init_security(isec, SECCLASS_MSGQ);
6212

6213
	ad.type = LSM_AUDIT_DATA_IPC;
6214
	ad.u.ipc_id = msq->key;
6215

6216
	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6217
			    MSGQ__CREATE, &ad);
6218
}
6219

6220
static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6221
{
6222
	struct ipc_security_struct *isec;
6223
	struct common_audit_data ad;
6224
	u32 sid = current_sid();
6225

6226
	isec = selinux_ipc(msq);
6227

6228
	ad.type = LSM_AUDIT_DATA_IPC;
6229
	ad.u.ipc_id = msq->key;
6230

6231
	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6232
			    MSGQ__ASSOCIATE, &ad);
6233
}
6234

6235
static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6236
{
6237
	u32 perms;
6238

6239
	switch (cmd) {
6240
	case IPC_INFO:
6241
	case MSG_INFO:
6242
		/* No specific object, just general system-wide information. */
6243
		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6244
				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6245
	case IPC_STAT:
6246
	case MSG_STAT:
6247
	case MSG_STAT_ANY:
6248
		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6249
		break;
6250
	case IPC_SET:
6251
		perms = MSGQ__SETATTR;
6252
		break;
6253
	case IPC_RMID:
6254
		perms = MSGQ__DESTROY;
6255
		break;
6256
	default:
6257
		return 0;
6258
	}
6259

6260
	return ipc_has_perm(msq, perms);
6261
}
6262

6263
static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6264
{
6265
	struct ipc_security_struct *isec;
6266
	struct msg_security_struct *msec;
6267
	struct common_audit_data ad;
6268
	u32 sid = current_sid();
6269
	int rc;
6270

6271
	isec = selinux_ipc(msq);
6272
	msec = selinux_msg_msg(msg);
6273

6274
	/*
6275
	 * First time through, need to assign label to the message
6276
	 */
6277
	if (msec->sid == SECINITSID_UNLABELED) {
6278
		/*
6279
		 * Compute new sid based on current process and
6280
		 * message queue this message will be stored in
6281
		 */
6282
		rc = security_transition_sid(sid, isec->sid,
6283
					     SECCLASS_MSG, NULL, &msec->sid);
6284
		if (rc)
6285
			return rc;
6286
	}
6287

6288
	ad.type = LSM_AUDIT_DATA_IPC;
6289
	ad.u.ipc_id = msq->key;
6290

6291
	/* Can this process write to the queue? */
6292
	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6293
			  MSGQ__WRITE, &ad);
6294
	if (!rc)
6295
		/* Can this process send the message */
6296
		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
6297
				  MSG__SEND, &ad);
6298
	if (!rc)
6299
		/* Can the message be put in the queue? */
6300
		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
6301
				  MSGQ__ENQUEUE, &ad);
6302

6303
	return rc;
6304
}
6305

6306
static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6307
				    struct task_struct *target,
6308
				    long type, int mode)
6309
{
6310
	struct ipc_security_struct *isec;
6311
	struct msg_security_struct *msec;
6312
	struct common_audit_data ad;
6313
	u32 sid = task_sid_obj(target);
6314
	int rc;
6315

6316
	isec = selinux_ipc(msq);
6317
	msec = selinux_msg_msg(msg);
6318

6319
	ad.type = LSM_AUDIT_DATA_IPC;
6320
	ad.u.ipc_id = msq->key;
6321

6322
	rc = avc_has_perm(sid, isec->sid,
6323
			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6324
	if (!rc)
6325
		rc = avc_has_perm(sid, msec->sid,
6326
				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6327
	return rc;
6328
}
6329

6330
/* Shared Memory security operations */
6331
static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6332
{
6333
	struct ipc_security_struct *isec;
6334
	struct common_audit_data ad;
6335
	u32 sid = current_sid();
6336

6337
	isec = selinux_ipc(shp);
6338
	ipc_init_security(isec, SECCLASS_SHM);
6339

6340
	ad.type = LSM_AUDIT_DATA_IPC;
6341
	ad.u.ipc_id = shp->key;
6342

6343
	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6344
			    SHM__CREATE, &ad);
6345
}
6346

6347
static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6348
{
6349
	struct ipc_security_struct *isec;
6350
	struct common_audit_data ad;
6351
	u32 sid = current_sid();
6352

6353
	isec = selinux_ipc(shp);
6354

6355
	ad.type = LSM_AUDIT_DATA_IPC;
6356
	ad.u.ipc_id = shp->key;
6357

6358
	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6359
			    SHM__ASSOCIATE, &ad);
6360
}
6361

6362
/* Note, at this point, shp is locked down */
6363
static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6364
{
6365
	u32 perms;
6366

6367
	switch (cmd) {
6368
	case IPC_INFO:
6369
	case SHM_INFO:
6370
		/* No specific object, just general system-wide information. */
6371
		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6372
				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6373
	case IPC_STAT:
6374
	case SHM_STAT:
6375
	case SHM_STAT_ANY:
6376
		perms = SHM__GETATTR | SHM__ASSOCIATE;
6377
		break;
6378
	case IPC_SET:
6379
		perms = SHM__SETATTR;
6380
		break;
6381
	case SHM_LOCK:
6382
	case SHM_UNLOCK:
6383
		perms = SHM__LOCK;
6384
		break;
6385
	case IPC_RMID:
6386
		perms = SHM__DESTROY;
6387
		break;
6388
	default:
6389
		return 0;
6390
	}
6391

6392
	return ipc_has_perm(shp, perms);
6393
}
6394

6395
static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6396
			     char __user *shmaddr, int shmflg)
6397
{
6398
	u32 perms;
6399

6400
	if (shmflg & SHM_RDONLY)
6401
		perms = SHM__READ;
6402
	else
6403
		perms = SHM__READ | SHM__WRITE;
6404

6405
	return ipc_has_perm(shp, perms);
6406
}
6407

6408
/* Semaphore security operations */
6409
static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6410
{
6411
	struct ipc_security_struct *isec;
6412
	struct common_audit_data ad;
6413
	u32 sid = current_sid();
6414

6415
	isec = selinux_ipc(sma);
6416
	ipc_init_security(isec, SECCLASS_SEM);
6417

6418
	ad.type = LSM_AUDIT_DATA_IPC;
6419
	ad.u.ipc_id = sma->key;
6420

6421
	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6422
			    SEM__CREATE, &ad);
6423
}
6424

6425
static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6426
{
6427
	struct ipc_security_struct *isec;
6428
	struct common_audit_data ad;
6429
	u32 sid = current_sid();
6430

6431
	isec = selinux_ipc(sma);
6432

6433
	ad.type = LSM_AUDIT_DATA_IPC;
6434
	ad.u.ipc_id = sma->key;
6435

6436
	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6437
			    SEM__ASSOCIATE, &ad);
6438
}
6439

6440
/* Note, at this point, sma is locked down */
6441
static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6442
{
6443
	int err;
6444
	u32 perms;
6445

6446
	switch (cmd) {
6447
	case IPC_INFO:
6448
	case SEM_INFO:
6449
		/* No specific object, just general system-wide information. */
6450
		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6451
				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6452
	case GETPID:
6453
	case GETNCNT:
6454
	case GETZCNT:
6455
		perms = SEM__GETATTR;
6456
		break;
6457
	case GETVAL:
6458
	case GETALL:
6459
		perms = SEM__READ;
6460
		break;
6461
	case SETVAL:
6462
	case SETALL:
6463
		perms = SEM__WRITE;
6464
		break;
6465
	case IPC_RMID:
6466
		perms = SEM__DESTROY;
6467
		break;
6468
	case IPC_SET:
6469
		perms = SEM__SETATTR;
6470
		break;
6471
	case IPC_STAT:
6472
	case SEM_STAT:
6473
	case SEM_STAT_ANY:
6474
		perms = SEM__GETATTR | SEM__ASSOCIATE;
6475
		break;
6476
	default:
6477
		return 0;
6478
	}
6479

6480
	err = ipc_has_perm(sma, perms);
6481
	return err;
6482
}
6483

6484
static int selinux_sem_semop(struct kern_ipc_perm *sma,
6485
			     struct sembuf *sops, unsigned nsops, int alter)
6486
{
6487
	u32 perms;
6488

6489
	if (alter)
6490
		perms = SEM__READ | SEM__WRITE;
6491
	else
6492
		perms = SEM__READ;
6493

6494
	return ipc_has_perm(sma, perms);
6495
}
6496

6497
static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6498
{
6499
	u32 av = 0;
6500

6501
	av = 0;
6502
	if (flag & S_IRUGO)
6503
		av |= IPC__UNIX_READ;
6504
	if (flag & S_IWUGO)
6505
		av |= IPC__UNIX_WRITE;
6506

6507
	if (av == 0)
6508
		return 0;
6509

6510
	return ipc_has_perm(ipcp, av);
6511
}
6512

6513
static void selinux_ipc_getlsmprop(struct kern_ipc_perm *ipcp,
6514
				   struct lsm_prop *prop)
6515
{
6516
	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6517
	prop->selinux.secid = isec->sid;
6518
}
6519

6520
static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6521
{
6522
	if (inode)
6523
		inode_doinit_with_dentry(inode, dentry);
6524
}
6525

6526
static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p,
6527
			       char **value)
6528
{
6529
	const struct task_security_struct *tsec;
6530
	int error;
6531
	u32 sid;
6532
	u32 len;
6533

6534
	rcu_read_lock();
6535
	tsec = selinux_cred(__task_cred(p));
6536
	if (p != current) {
6537
		error = avc_has_perm(current_sid(), tsec->sid,
6538
				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6539
		if (error)
6540
			goto err_unlock;
6541
	}
6542
	switch (attr) {
6543
	case LSM_ATTR_CURRENT:
6544
		sid = tsec->sid;
6545
		break;
6546
	case LSM_ATTR_PREV:
6547
		sid = tsec->osid;
6548
		break;
6549
	case LSM_ATTR_EXEC:
6550
		sid = tsec->exec_sid;
6551
		break;
6552
	case LSM_ATTR_FSCREATE:
6553
		sid = tsec->create_sid;
6554
		break;
6555
	case LSM_ATTR_KEYCREATE:
6556
		sid = tsec->keycreate_sid;
6557
		break;
6558
	case LSM_ATTR_SOCKCREATE:
6559
		sid = tsec->sockcreate_sid;
6560
		break;
6561
	default:
6562
		error = -EOPNOTSUPP;
6563
		goto err_unlock;
6564
	}
6565
	rcu_read_unlock();
6566

6567
	if (sid == SECSID_NULL) {
6568
		*value = NULL;
6569
		return 0;
6570
	}
6571

6572
	error = security_sid_to_context(sid, value, &len);
6573
	if (error)
6574
		return error;
6575
	return len;
6576

6577
err_unlock:
6578
	rcu_read_unlock();
6579
	return error;
6580
}
6581

6582
static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
6583
{
6584
	struct task_security_struct *tsec;
6585
	struct cred *new;
6586
	u32 mysid = current_sid(), sid = 0, ptsid;
6587
	int error;
6588
	char *str = value;
6589

6590
	/*
6591
	 * Basic control over ability to set these attributes at all.
6592
	 */
6593
	switch (attr) {
6594
	case LSM_ATTR_EXEC:
6595
		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6596
				     PROCESS__SETEXEC, NULL);
6597
		break;
6598
	case LSM_ATTR_FSCREATE:
6599
		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6600
				     PROCESS__SETFSCREATE, NULL);
6601
		break;
6602
	case LSM_ATTR_KEYCREATE:
6603
		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6604
				     PROCESS__SETKEYCREATE, NULL);
6605
		break;
6606
	case LSM_ATTR_SOCKCREATE:
6607
		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6608
				     PROCESS__SETSOCKCREATE, NULL);
6609
		break;
6610
	case LSM_ATTR_CURRENT:
6611
		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6612
				     PROCESS__SETCURRENT, NULL);
6613
		break;
6614
	default:
6615
		error = -EOPNOTSUPP;
6616
		break;
6617
	}
6618
	if (error)
6619
		return error;
6620

6621
	/* Obtain a SID for the context, if one was specified. */
6622
	if (size && str[0] && str[0] != '\n') {
6623
		if (str[size-1] == '\n') {
6624
			str[size-1] = 0;
6625
			size--;
6626
		}
6627
		error = security_context_to_sid(value, size,
6628
						&sid, GFP_KERNEL);
6629
		if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) {
6630
			if (!has_cap_mac_admin(true)) {
6631
				struct audit_buffer *ab;
6632
				size_t audit_size;
6633

6634
				/* We strip a nul only if it is at the end,
6635
				 * otherwise the context contains a nul and
6636
				 * we should audit that */
6637
				if (str[size - 1] == '\0')
6638
					audit_size = size - 1;
6639
				else
6640
					audit_size = size;
6641
				ab = audit_log_start(audit_context(),
6642
						     GFP_ATOMIC,
6643
						     AUDIT_SELINUX_ERR);
6644
				if (!ab)
6645
					return error;
6646
				audit_log_format(ab, "op=fscreate invalid_context=");
6647
				audit_log_n_untrustedstring(ab, value,
6648
							    audit_size);
6649
				audit_log_end(ab);
6650

6651
				return error;
6652
			}
6653
			error = security_context_to_sid_force(value, size,
6654
							&sid);
6655
		}
6656
		if (error)
6657
			return error;
6658
	}
6659

6660
	new = prepare_creds();
6661
	if (!new)
6662
		return -ENOMEM;
6663

6664
	/* Permission checking based on the specified context is
6665
	   performed during the actual operation (execve,
6666
	   open/mkdir/...), when we know the full context of the
6667
	   operation.  See selinux_bprm_creds_for_exec for the execve
6668
	   checks and may_create for the file creation checks. The
6669
	   operation will then fail if the context is not permitted. */
6670
	tsec = selinux_cred(new);
6671
	if (attr == LSM_ATTR_EXEC) {
6672
		tsec->exec_sid = sid;
6673
	} else if (attr == LSM_ATTR_FSCREATE) {
6674
		tsec->create_sid = sid;
6675
	} else if (attr == LSM_ATTR_KEYCREATE) {
6676
		if (sid) {
6677
			error = avc_has_perm(mysid, sid,
6678
					     SECCLASS_KEY, KEY__CREATE, NULL);
6679
			if (error)
6680
				goto abort_change;
6681
		}
6682
		tsec->keycreate_sid = sid;
6683
	} else if (attr == LSM_ATTR_SOCKCREATE) {
6684
		tsec->sockcreate_sid = sid;
6685
	} else if (attr == LSM_ATTR_CURRENT) {
6686
		error = -EINVAL;
6687
		if (sid == 0)
6688
			goto abort_change;
6689

6690
		if (!current_is_single_threaded()) {
6691
			error = security_bounded_transition(tsec->sid, sid);
6692
			if (error)
6693
				goto abort_change;
6694
		}
6695

6696
		/* Check permissions for the transition. */
6697
		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6698
				     PROCESS__DYNTRANSITION, NULL);
6699
		if (error)
6700
			goto abort_change;
6701

6702
		/* Check for ptracing, and update the task SID if ok.
6703
		   Otherwise, leave SID unchanged and fail. */
6704
		ptsid = ptrace_parent_sid();
6705
		if (ptsid != 0) {
6706
			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6707
					     PROCESS__PTRACE, NULL);
6708
			if (error)
6709
				goto abort_change;
6710
		}
6711

6712
		tsec->sid = sid;
6713
	} else {
6714
		error = -EINVAL;
6715
		goto abort_change;
6716
	}
6717

6718
	commit_creds(new);
6719
	return size;
6720

6721
abort_change:
6722
	abort_creds(new);
6723
	return error;
6724
}
6725

6726
/**
6727
 * selinux_getselfattr - Get SELinux current task attributes
6728
 * @attr: the requested attribute
6729
 * @ctx: buffer to receive the result
6730
 * @size: buffer size (input), buffer size used (output)
6731
 * @flags: unused
6732
 *
6733
 * Fill the passed user space @ctx with the details of the requested
6734
 * attribute.
6735
 *
6736
 * Returns the number of attributes on success, an error code otherwise.
6737
 * There will only ever be one attribute.
6738
 */
6739
static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx,
6740
			       u32 *size, u32 flags)
6741
{
6742
	int rc;
6743
	char *val = NULL;
6744
	int val_len;
6745

6746
	val_len = selinux_lsm_getattr(attr, current, &val);
6747
	if (val_len < 0)
6748
		return val_len;
6749
	rc = lsm_fill_user_ctx(ctx, size, val, val_len, LSM_ID_SELINUX, 0);
6750
	kfree(val);
6751
	return (!rc ? 1 : rc);
6752
}
6753

6754
static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx,
6755
			       u32 size, u32 flags)
6756
{
6757
	int rc;
6758

6759
	rc = selinux_lsm_setattr(attr, ctx->ctx, ctx->ctx_len);
6760
	if (rc > 0)
6761
		return 0;
6762
	return rc;
6763
}
6764

6765
static int selinux_getprocattr(struct task_struct *p,
6766
			       const char *name, char **value)
6767
{
6768
	unsigned int attr = lsm_name_to_attr(name);
6769
	int rc;
6770

6771
	if (attr) {
6772
		rc = selinux_lsm_getattr(attr, p, value);
6773
		if (rc != -EOPNOTSUPP)
6774
			return rc;
6775
	}
6776

6777
	return -EINVAL;
6778
}
6779

6780
static int selinux_setprocattr(const char *name, void *value, size_t size)
6781
{
6782
	int attr = lsm_name_to_attr(name);
6783

6784
	if (attr)
6785
		return selinux_lsm_setattr(attr, value, size);
6786
	return -EINVAL;
6787
}
6788

6789
static int selinux_ismaclabel(const char *name)
6790
{
6791
	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6792
}
6793

6794
static int selinux_secid_to_secctx(u32 secid, struct lsm_context *cp)
6795
{
6796
	u32 seclen;
6797
	int ret;
6798

6799
	if (cp) {
6800
		cp->id = LSM_ID_SELINUX;
6801
		ret = security_sid_to_context(secid, &cp->context, &cp->len);
6802
		if (ret < 0)
6803
			return ret;
6804
		return cp->len;
6805
	}
6806
	ret = security_sid_to_context(secid, NULL, &seclen);
6807
	if (ret < 0)
6808
		return ret;
6809
	return seclen;
6810
}
6811

6812
static int selinux_lsmprop_to_secctx(struct lsm_prop *prop,
6813
				     struct lsm_context *cp)
6814
{
6815
	return selinux_secid_to_secctx(prop->selinux.secid, cp);
6816
}
6817

6818
static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6819
{
6820
	return security_context_to_sid(secdata, seclen,
6821
				       secid, GFP_KERNEL);
6822
}
6823

6824
static void selinux_release_secctx(struct lsm_context *cp)
6825
{
6826
	if (cp->id == LSM_ID_SELINUX) {
6827
		kfree(cp->context);
6828
		cp->context = NULL;
6829
		cp->id = LSM_ID_UNDEF;
6830
	}
6831
}
6832

6833
static void selinux_inode_invalidate_secctx(struct inode *inode)
6834
{
6835
	struct inode_security_struct *isec = selinux_inode(inode);
6836

6837
	spin_lock(&isec->lock);
6838
	isec->initialized = LABEL_INVALID;
6839
	spin_unlock(&isec->lock);
6840
}
6841

6842
/*
6843
 *	called with inode->i_mutex locked
6844
 */
6845
static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6846
{
6847
	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6848
					   ctx, ctxlen, 0);
6849
	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6850
	return rc == -EOPNOTSUPP ? 0 : rc;
6851
}
6852

6853
/*
6854
 *	called with inode->i_mutex locked
6855
 */
6856
static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6857
{
6858
	return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
6859
				     ctx, ctxlen, 0, NULL);
6860
}
6861

6862
static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp)
6863
{
6864
	int len;
6865
	len = selinux_inode_getsecurity(&nop_mnt_idmap, inode,
6866
					XATTR_SELINUX_SUFFIX,
6867
					(void **)&cp->context, true);
6868
	if (len < 0)
6869
		return len;
6870
	cp->len = len;
6871
	cp->id = LSM_ID_SELINUX;
6872
	return 0;
6873
}
6874
#ifdef CONFIG_KEYS
6875

6876
static int selinux_key_alloc(struct key *k, const struct cred *cred,
6877
			     unsigned long flags)
6878
{
6879
	const struct task_security_struct *tsec;
6880
	struct key_security_struct *ksec = selinux_key(k);
6881

6882
	tsec = selinux_cred(cred);
6883
	if (tsec->keycreate_sid)
6884
		ksec->sid = tsec->keycreate_sid;
6885
	else
6886
		ksec->sid = tsec->sid;
6887

6888
	return 0;
6889
}
6890

6891
static int selinux_key_permission(key_ref_t key_ref,
6892
				  const struct cred *cred,
6893
				  enum key_need_perm need_perm)
6894
{
6895
	struct key *key;
6896
	struct key_security_struct *ksec;
6897
	u32 perm, sid;
6898

6899
	switch (need_perm) {
6900
	case KEY_NEED_VIEW:
6901
		perm = KEY__VIEW;
6902
		break;
6903
	case KEY_NEED_READ:
6904
		perm = KEY__READ;
6905
		break;
6906
	case KEY_NEED_WRITE:
6907
		perm = KEY__WRITE;
6908
		break;
6909
	case KEY_NEED_SEARCH:
6910
		perm = KEY__SEARCH;
6911
		break;
6912
	case KEY_NEED_LINK:
6913
		perm = KEY__LINK;
6914
		break;
6915
	case KEY_NEED_SETATTR:
6916
		perm = KEY__SETATTR;
6917
		break;
6918
	case KEY_NEED_UNLINK:
6919
	case KEY_SYSADMIN_OVERRIDE:
6920
	case KEY_AUTHTOKEN_OVERRIDE:
6921
	case KEY_DEFER_PERM_CHECK:
6922
		return 0;
6923
	default:
6924
		WARN_ON(1);
6925
		return -EPERM;
6926

6927
	}
6928

6929
	sid = cred_sid(cred);
6930
	key = key_ref_to_ptr(key_ref);
6931
	ksec = selinux_key(key);
6932

6933
	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6934
}
6935

6936
static int selinux_key_getsecurity(struct key *key, char **_buffer)
6937
{
6938
	struct key_security_struct *ksec = selinux_key(key);
6939
	char *context = NULL;
6940
	unsigned len;
6941
	int rc;
6942

6943
	rc = security_sid_to_context(ksec->sid,
6944
				     &context, &len);
6945
	if (!rc)
6946
		rc = len;
6947
	*_buffer = context;
6948
	return rc;
6949
}
6950

6951
#ifdef CONFIG_KEY_NOTIFICATIONS
6952
static int selinux_watch_key(struct key *key)
6953
{
6954
	struct key_security_struct *ksec = selinux_key(key);
6955
	u32 sid = current_sid();
6956

6957
	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6958
}
6959
#endif
6960
#endif
6961

6962
#ifdef CONFIG_SECURITY_INFINIBAND
6963
static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6964
{
6965
	struct common_audit_data ad;
6966
	int err;
6967
	u32 sid = 0;
6968
	struct ib_security_struct *sec = ib_sec;
6969
	struct lsm_ibpkey_audit ibpkey;
6970

6971
	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6972
	if (err)
6973
		return err;
6974

6975
	ad.type = LSM_AUDIT_DATA_IBPKEY;
6976
	ibpkey.subnet_prefix = subnet_prefix;
6977
	ibpkey.pkey = pkey_val;
6978
	ad.u.ibpkey = &ibpkey;
6979
	return avc_has_perm(sec->sid, sid,
6980
			    SECCLASS_INFINIBAND_PKEY,
6981
			    INFINIBAND_PKEY__ACCESS, &ad);
6982
}
6983

6984
static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6985
					    u8 port_num)
6986
{
6987
	struct common_audit_data ad;
6988
	int err;
6989
	u32 sid = 0;
6990
	struct ib_security_struct *sec = ib_sec;
6991
	struct lsm_ibendport_audit ibendport;
6992

6993
	err = security_ib_endport_sid(dev_name, port_num,
6994
				      &sid);
6995

6996
	if (err)
6997
		return err;
6998

6999
	ad.type = LSM_AUDIT_DATA_IBENDPORT;
7000
	ibendport.dev_name = dev_name;
7001
	ibendport.port = port_num;
7002
	ad.u.ibendport = &ibendport;
7003
	return avc_has_perm(sec->sid, sid,
7004
			    SECCLASS_INFINIBAND_ENDPORT,
7005
			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
7006
}
7007

7008
static int selinux_ib_alloc_security(void *ib_sec)
7009
{
7010
	struct ib_security_struct *sec = selinux_ib(ib_sec);
7011

7012
	sec->sid = current_sid();
7013
	return 0;
7014
}
7015
#endif
7016

7017
#ifdef CONFIG_BPF_SYSCALL
7018
static int selinux_bpf(int cmd, union bpf_attr *attr,
7019
		       unsigned int size, bool kernel)
7020
{
7021
	u32 sid = current_sid();
7022
	int ret;
7023

7024
	switch (cmd) {
7025
	case BPF_MAP_CREATE:
7026
		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
7027
				   NULL);
7028
		break;
7029
	case BPF_PROG_LOAD:
7030
		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
7031
				   NULL);
7032
		break;
7033
	default:
7034
		ret = 0;
7035
		break;
7036
	}
7037

7038
	return ret;
7039
}
7040

7041
static u32 bpf_map_fmode_to_av(fmode_t fmode)
7042
{
7043
	u32 av = 0;
7044

7045
	if (fmode & FMODE_READ)
7046
		av |= BPF__MAP_READ;
7047
	if (fmode & FMODE_WRITE)
7048
		av |= BPF__MAP_WRITE;
7049
	return av;
7050
}
7051

7052
/* This function will check the file pass through unix socket or binder to see
7053
 * if it is a bpf related object. And apply corresponding checks on the bpf
7054
 * object based on the type. The bpf maps and programs, not like other files and
7055
 * socket, are using a shared anonymous inode inside the kernel as their inode.
7056
 * So checking that inode cannot identify if the process have privilege to
7057
 * access the bpf object and that's why we have to add this additional check in
7058
 * selinux_file_receive and selinux_binder_transfer_files.
7059
 */
7060
static int bpf_fd_pass(const struct file *file, u32 sid)
7061
{
7062
	struct bpf_security_struct *bpfsec;
7063
	struct bpf_prog *prog;
7064
	struct bpf_map *map;
7065
	int ret;
7066

7067
	if (file->f_op == &bpf_map_fops) {
7068
		map = file->private_data;
7069
		bpfsec = selinux_bpf_map_security(map);
7070
		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7071
				   bpf_map_fmode_to_av(file->f_mode), NULL);
7072
		if (ret)
7073
			return ret;
7074
	} else if (file->f_op == &bpf_prog_fops) {
7075
		prog = file->private_data;
7076
		bpfsec = selinux_bpf_prog_security(prog);
7077
		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7078
				   BPF__PROG_RUN, NULL);
7079
		if (ret)
7080
			return ret;
7081
	}
7082
	return 0;
7083
}
7084

7085
static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
7086
{
7087
	u32 sid = current_sid();
7088
	struct bpf_security_struct *bpfsec;
7089

7090
	bpfsec = selinux_bpf_map_security(map);
7091
	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7092
			    bpf_map_fmode_to_av(fmode), NULL);
7093
}
7094

7095
static int selinux_bpf_prog(struct bpf_prog *prog)
7096
{
7097
	u32 sid = current_sid();
7098
	struct bpf_security_struct *bpfsec;
7099

7100
	bpfsec = selinux_bpf_prog_security(prog);
7101
	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7102
			    BPF__PROG_RUN, NULL);
7103
}
7104

7105
static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
7106
				  struct bpf_token *token, bool kernel)
7107
{
7108
	struct bpf_security_struct *bpfsec;
7109

7110
	bpfsec = selinux_bpf_map_security(map);
7111
	bpfsec->sid = current_sid();
7112

7113
	return 0;
7114
}
7115

7116
static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
7117
				 struct bpf_token *token, bool kernel)
7118
{
7119
	struct bpf_security_struct *bpfsec;
7120

7121
	bpfsec = selinux_bpf_prog_security(prog);
7122
	bpfsec->sid = current_sid();
7123

7124
	return 0;
7125
}
7126

7127
static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
7128
				    const struct path *path)
7129
{
7130
	struct bpf_security_struct *bpfsec;
7131

7132
	bpfsec = selinux_bpf_token_security(token);
7133
	bpfsec->sid = current_sid();
7134

7135
	return 0;
7136
}
7137
#endif
7138

7139
struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
7140
	.lbs_cred = sizeof(struct task_security_struct),
7141
	.lbs_file = sizeof(struct file_security_struct),
7142
	.lbs_inode = sizeof(struct inode_security_struct),
7143
	.lbs_ipc = sizeof(struct ipc_security_struct),
7144
	.lbs_key = sizeof(struct key_security_struct),
7145
	.lbs_msg_msg = sizeof(struct msg_security_struct),
7146
#ifdef CONFIG_PERF_EVENTS
7147
	.lbs_perf_event = sizeof(struct perf_event_security_struct),
7148
#endif
7149
	.lbs_sock = sizeof(struct sk_security_struct),
7150
	.lbs_superblock = sizeof(struct superblock_security_struct),
7151
	.lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
7152
	.lbs_tun_dev = sizeof(struct tun_security_struct),
7153
	.lbs_ib = sizeof(struct ib_security_struct),
7154
	.lbs_bpf_map = sizeof(struct bpf_security_struct),
7155
	.lbs_bpf_prog = sizeof(struct bpf_security_struct),
7156
	.lbs_bpf_token = sizeof(struct bpf_security_struct),
7157
};
7158

7159
#ifdef CONFIG_PERF_EVENTS
7160
static int selinux_perf_event_open(int type)
7161
{
7162
	u32 requested, sid = current_sid();
7163

7164
	if (type == PERF_SECURITY_OPEN)
7165
		requested = PERF_EVENT__OPEN;
7166
	else if (type == PERF_SECURITY_CPU)
7167
		requested = PERF_EVENT__CPU;
7168
	else if (type == PERF_SECURITY_KERNEL)
7169
		requested = PERF_EVENT__KERNEL;
7170
	else if (type == PERF_SECURITY_TRACEPOINT)
7171
		requested = PERF_EVENT__TRACEPOINT;
7172
	else
7173
		return -EINVAL;
7174

7175
	return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT,
7176
			    requested, NULL);
7177
}
7178

7179
static int selinux_perf_event_alloc(struct perf_event *event)
7180
{
7181
	struct perf_event_security_struct *perfsec;
7182

7183
	perfsec = selinux_perf_event(event->security);
7184
	perfsec->sid = current_sid();
7185

7186
	return 0;
7187
}
7188

7189
static int selinux_perf_event_read(struct perf_event *event)
7190
{
7191
	struct perf_event_security_struct *perfsec = event->security;
7192
	u32 sid = current_sid();
7193

7194
	return avc_has_perm(sid, perfsec->sid,
7195
			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
7196
}
7197

7198
static int selinux_perf_event_write(struct perf_event *event)
7199
{
7200
	struct perf_event_security_struct *perfsec = event->security;
7201
	u32 sid = current_sid();
7202

7203
	return avc_has_perm(sid, perfsec->sid,
7204
			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
7205
}
7206
#endif
7207

7208
#ifdef CONFIG_IO_URING
7209
/**
7210
 * selinux_uring_override_creds - check the requested cred override
7211
 * @new: the target creds
7212
 *
7213
 * Check to see if the current task is allowed to override it's credentials
7214
 * to service an io_uring operation.
7215
 */
7216
static int selinux_uring_override_creds(const struct cred *new)
7217
{
7218
	return avc_has_perm(current_sid(), cred_sid(new),
7219
			    SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
7220
}
7221

7222
/**
7223
 * selinux_uring_sqpoll - check if a io_uring polling thread can be created
7224
 *
7225
 * Check to see if the current task is allowed to create a new io_uring
7226
 * kernel polling thread.
7227
 */
7228
static int selinux_uring_sqpoll(void)
7229
{
7230
	u32 sid = current_sid();
7231

7232
	return avc_has_perm(sid, sid,
7233
			    SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
7234
}
7235

7236
/**
7237
 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
7238
 * @ioucmd: the io_uring command structure
7239
 *
7240
 * Check to see if the current domain is allowed to execute an
7241
 * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
7242
 *
7243
 */
7244
static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
7245
{
7246
	struct file *file = ioucmd->file;
7247
	struct inode *inode = file_inode(file);
7248
	struct inode_security_struct *isec = selinux_inode(inode);
7249
	struct common_audit_data ad;
7250

7251
	ad.type = LSM_AUDIT_DATA_FILE;
7252
	ad.u.file = file;
7253

7254
	return avc_has_perm(current_sid(), isec->sid,
7255
			    SECCLASS_IO_URING, IO_URING__CMD, &ad);
7256
}
7257

7258
/**
7259
 * selinux_uring_allowed - check if io_uring_setup() can be called
7260
 *
7261
 * Check to see if the current task is allowed to call io_uring_setup().
7262
 */
7263
static int selinux_uring_allowed(void)
7264
{
7265
	u32 sid = current_sid();
7266

7267
	return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED,
7268
			    NULL);
7269
}
7270
#endif /* CONFIG_IO_URING */
7271

7272
static const struct lsm_id selinux_lsmid = {
7273
	.name = "selinux",
7274
	.id = LSM_ID_SELINUX,
7275
};
7276

7277
/*
7278
 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
7279
 * 1. any hooks that don't belong to (2.) or (3.) below,
7280
 * 2. hooks that both access structures allocated by other hooks, and allocate
7281
 *    structures that can be later accessed by other hooks (mostly "cloning"
7282
 *    hooks),
7283
 * 3. hooks that only allocate structures that can be later accessed by other
7284
 *    hooks ("allocating" hooks).
7285
 *
7286
 * Please follow block comment delimiters in the list to keep this order.
7287
 */
7288
static struct security_hook_list selinux_hooks[] __ro_after_init = {
7289
	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7290
	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7291
	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7292
	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7293

7294
	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7295
	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7296
	LSM_HOOK_INIT(capget, selinux_capget),
7297
	LSM_HOOK_INIT(capset, selinux_capset),
7298
	LSM_HOOK_INIT(capable, selinux_capable),
7299
	LSM_HOOK_INIT(quotactl, selinux_quotactl),
7300
	LSM_HOOK_INIT(quota_on, selinux_quota_on),
7301
	LSM_HOOK_INIT(syslog, selinux_syslog),
7302
	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7303

7304
	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7305

7306
	LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7307
	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7308
	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7309

7310
	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7311
	LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7312
	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7313
	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7314
	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7315
	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7316
	LSM_HOOK_INIT(sb_mount, selinux_mount),
7317
	LSM_HOOK_INIT(sb_umount, selinux_umount),
7318
	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7319
	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7320

7321
	LSM_HOOK_INIT(move_mount, selinux_move_mount),
7322

7323
	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7324
	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7325

7326
	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7327
	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7328
	LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7329
	LSM_HOOK_INIT(inode_create, selinux_inode_create),
7330
	LSM_HOOK_INIT(inode_link, selinux_inode_link),
7331
	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7332
	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7333
	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7334
	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7335
	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7336
	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7337
	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7338
	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7339
	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7340
	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7341
	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7342
	LSM_HOOK_INIT(inode_xattr_skipcap, selinux_inode_xattr_skipcap),
7343
	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7344
	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7345
	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7346
	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7347
	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7348
	LSM_HOOK_INIT(inode_file_getattr, selinux_inode_file_getattr),
7349
	LSM_HOOK_INIT(inode_file_setattr, selinux_inode_file_setattr),
7350
	LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
7351
	LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
7352
	LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
7353
	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7354
	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7355
	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7356
	LSM_HOOK_INIT(inode_getlsmprop, selinux_inode_getlsmprop),
7357
	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7358
	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7359
	LSM_HOOK_INIT(path_notify, selinux_path_notify),
7360

7361
	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7362

7363
	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7364
	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7365
	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7366
	LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
7367
	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7368
	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7369
	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7370
	LSM_HOOK_INIT(file_lock, selinux_file_lock),
7371
	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7372
	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7373
	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7374
	LSM_HOOK_INIT(file_receive, selinux_file_receive),
7375

7376
	LSM_HOOK_INIT(file_open, selinux_file_open),
7377

7378
	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7379
	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7380
	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7381
	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7382
	LSM_HOOK_INIT(cred_getlsmprop, selinux_cred_getlsmprop),
7383
	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7384
	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7385
	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7386
	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7387
	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7388
	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7389
	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7390
	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7391
	LSM_HOOK_INIT(current_getlsmprop_subj, selinux_current_getlsmprop_subj),
7392
	LSM_HOOK_INIT(task_getlsmprop_obj, selinux_task_getlsmprop_obj),
7393
	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7394
	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7395
	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7396
	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7397
	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7398
	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7399
	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7400
	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7401
	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7402
	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7403
	LSM_HOOK_INIT(userns_create, selinux_userns_create),
7404

7405
	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7406
	LSM_HOOK_INIT(ipc_getlsmprop, selinux_ipc_getlsmprop),
7407

7408
	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7409
	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7410
	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7411
	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7412

7413
	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7414
	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7415
	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7416

7417
	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7418
	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7419
	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7420

7421
	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7422

7423
	LSM_HOOK_INIT(getselfattr, selinux_getselfattr),
7424
	LSM_HOOK_INIT(setselfattr, selinux_setselfattr),
7425
	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7426
	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7427

7428
	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7429
	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7430
	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7431
	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7432
	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7433
	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7434

7435
	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7436
	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7437

7438
	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7439
	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7440
	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7441
	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7442
	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7443
	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7444
	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7445
	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7446
	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7447
	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7448
	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7449
	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7450
	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7451
	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7452
	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7453
	LSM_HOOK_INIT(socket_getpeersec_stream,
7454
			selinux_socket_getpeersec_stream),
7455
	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7456
	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7457
	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7458
	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7459
	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7460
	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7461
	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7462
	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7463
	LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7464
	LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
7465
	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7466
	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7467
	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7468
	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7469
	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7470
	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7471
	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7472
	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7473
	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7474
	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7475
	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7476
#ifdef CONFIG_SECURITY_INFINIBAND
7477
	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7478
	LSM_HOOK_INIT(ib_endport_manage_subnet,
7479
		      selinux_ib_endport_manage_subnet),
7480
#endif
7481
#ifdef CONFIG_SECURITY_NETWORK_XFRM
7482
	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7483
	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7484
	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7485
	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7486
	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7487
	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7488
			selinux_xfrm_state_pol_flow_match),
7489
	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7490
#endif
7491

7492
#ifdef CONFIG_KEYS
7493
	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7494
	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7495
#ifdef CONFIG_KEY_NOTIFICATIONS
7496
	LSM_HOOK_INIT(watch_key, selinux_watch_key),
7497
#endif
7498
#endif
7499

7500
#ifdef CONFIG_AUDIT
7501
	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7502
	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7503
	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7504
#endif
7505

7506
#ifdef CONFIG_BPF_SYSCALL
7507
	LSM_HOOK_INIT(bpf, selinux_bpf),
7508
	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7509
	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7510
#endif
7511

7512
#ifdef CONFIG_PERF_EVENTS
7513
	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7514
	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7515
	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7516
#endif
7517

7518
#ifdef CONFIG_IO_URING
7519
	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7520
	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7521
	LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7522
	LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed),
7523
#endif
7524

7525
	/*
7526
	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7527
	 */
7528
	LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount),
7529
	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7530
	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7531
	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7532
#ifdef CONFIG_SECURITY_NETWORK_XFRM
7533
	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7534
#endif
7535

7536
	/*
7537
	 * PUT "ALLOCATING" HOOKS HERE
7538
	 */
7539
	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7540
	LSM_HOOK_INIT(msg_queue_alloc_security,
7541
		      selinux_msg_queue_alloc_security),
7542
	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7543
	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7544
	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7545
	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7546
	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7547
	LSM_HOOK_INIT(lsmprop_to_secctx, selinux_lsmprop_to_secctx),
7548
	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7549
	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7550
	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7551
#ifdef CONFIG_SECURITY_INFINIBAND
7552
	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7553
#endif
7554
#ifdef CONFIG_SECURITY_NETWORK_XFRM
7555
	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7556
	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7557
	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7558
		      selinux_xfrm_state_alloc_acquire),
7559
#endif
7560
#ifdef CONFIG_KEYS
7561
	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7562
#endif
7563
#ifdef CONFIG_AUDIT
7564
	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7565
#endif
7566
#ifdef CONFIG_BPF_SYSCALL
7567
	LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create),
7568
	LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load),
7569
	LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create),
7570
#endif
7571
#ifdef CONFIG_PERF_EVENTS
7572
	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7573
#endif
7574
};
7575

7576
static __init int selinux_init(void)
7577
{
7578
	pr_info("SELinux:  Initializing.\n");
7579

7580
	memset(&selinux_state, 0, sizeof(selinux_state));
7581
	enforcing_set(selinux_enforcing_boot);
7582
	selinux_avc_init();
7583
	mutex_init(&selinux_state.status_lock);
7584
	mutex_init(&selinux_state.policy_mutex);
7585

7586
	/* Set the security state for the initial task. */
7587
	cred_init_security();
7588

7589
	/* Inform the audit system that secctx is used */
7590
	audit_cfg_lsm(&selinux_lsmid,
7591
		      AUDIT_CFG_LSM_SECCTX_SUBJECT |
7592
		      AUDIT_CFG_LSM_SECCTX_OBJECT);
7593

7594
	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7595
	if (!default_noexec)
7596
		pr_notice("SELinux:  virtual memory is executable by default\n");
7597

7598
	avc_init();
7599

7600
	avtab_cache_init();
7601

7602
	ebitmap_cache_init();
7603

7604
	hashtab_cache_init();
7605

7606
	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks),
7607
			   &selinux_lsmid);
7608

7609
	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7610
		panic("SELinux: Unable to register AVC netcache callback\n");
7611

7612
	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7613
		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7614

7615
	if (selinux_enforcing_boot)
7616
		pr_debug("SELinux:  Starting in enforcing mode\n");
7617
	else
7618
		pr_debug("SELinux:  Starting in permissive mode\n");
7619

7620
	fs_validate_description("selinux", selinux_fs_parameters);
7621

7622
	return 0;
7623
}
7624

7625
static void delayed_superblock_init(struct super_block *sb, void *unused)
7626
{
7627
	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7628
}
7629

7630
void selinux_complete_init(void)
7631
{
7632
	pr_debug("SELinux:  Completing initialization.\n");
7633

7634
	/* Set up any superblocks initialized prior to the policy load. */
7635
	pr_debug("SELinux:  Setting up existing superblocks.\n");
7636
	iterate_supers(delayed_superblock_init, NULL);
7637
}
7638

7639
/* SELinux requires early initialization in order to label
7640
   all processes and objects when they are created. */
7641
DEFINE_LSM(selinux) = {
7642
	.name = "selinux",
7643
	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7644
	.enabled = &selinux_enabled_boot,
7645
	.blobs = &selinux_blob_sizes,
7646
	.init = selinux_init,
7647
};
7648

7649
#if defined(CONFIG_NETFILTER)
7650
static const struct nf_hook_ops selinux_nf_ops[] = {
7651
	{
7652
		.hook =		selinux_ip_postroute,
7653
		.pf =		NFPROTO_IPV4,
7654
		.hooknum =	NF_INET_POST_ROUTING,
7655
		.priority =	NF_IP_PRI_SELINUX_LAST,
7656
	},
7657
	{
7658
		.hook =		selinux_ip_forward,
7659
		.pf =		NFPROTO_IPV4,
7660
		.hooknum =	NF_INET_FORWARD,
7661
		.priority =	NF_IP_PRI_SELINUX_FIRST,
7662
	},
7663
	{
7664
		.hook =		selinux_ip_output,
7665
		.pf =		NFPROTO_IPV4,
7666
		.hooknum =	NF_INET_LOCAL_OUT,
7667
		.priority =	NF_IP_PRI_SELINUX_FIRST,
7668
	},
7669
#if IS_ENABLED(CONFIG_IPV6)
7670
	{
7671
		.hook =		selinux_ip_postroute,
7672
		.pf =		NFPROTO_IPV6,
7673
		.hooknum =	NF_INET_POST_ROUTING,
7674
		.priority =	NF_IP6_PRI_SELINUX_LAST,
7675
	},
7676
	{
7677
		.hook =		selinux_ip_forward,
7678
		.pf =		NFPROTO_IPV6,
7679
		.hooknum =	NF_INET_FORWARD,
7680
		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7681
	},
7682
	{
7683
		.hook =		selinux_ip_output,
7684
		.pf =		NFPROTO_IPV6,
7685
		.hooknum =	NF_INET_LOCAL_OUT,
7686
		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7687
	},
7688
#endif	/* IPV6 */
7689
};
7690

7691
static int __net_init selinux_nf_register(struct net *net)
7692
{
7693
	return nf_register_net_hooks(net, selinux_nf_ops,
7694
				     ARRAY_SIZE(selinux_nf_ops));
7695
}
7696

7697
static void __net_exit selinux_nf_unregister(struct net *net)
7698
{
7699
	nf_unregister_net_hooks(net, selinux_nf_ops,
7700
				ARRAY_SIZE(selinux_nf_ops));
7701
}
7702

7703
static struct pernet_operations selinux_net_ops = {
7704
	.init = selinux_nf_register,
7705
	.exit = selinux_nf_unregister,
7706
};
7707

7708
static int __init selinux_nf_ip_init(void)
7709
{
7710
	int err;
7711

7712
	if (!selinux_enabled_boot)
7713
		return 0;
7714

7715
	pr_debug("SELinux:  Registering netfilter hooks\n");
7716

7717
	err = register_pernet_subsys(&selinux_net_ops);
7718
	if (err)
7719
		panic("SELinux: register_pernet_subsys: error %d\n", err);
7720

7721
	return 0;
7722
}
7723
__initcall(selinux_nf_ip_init);
7724
#endif /* CONFIG_NETFILTER */
7725

7726