1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 *  Security-Enhanced Linux (SELinux) security module
4
 *
5
 *  This file contains the SELinux hook function implementations.
6
 *
7
 *  Authors:  Stephen Smalley, <[email protected]>
8
 *	      Chris Vance, <[email protected]>
9
 *	      Wayne Salamon, <[email protected]>
10
 *	      James Morris <[email protected]>
11
 *
12
 *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13
 *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
14
 *					   Eric Paris <[email protected]>
15
 *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16
 *			    <[email protected]>
17
 *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18
 *	Paul Moore <[email protected]>
19
 *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20
 *		       Yuichi Nakamura <[email protected]>
21
 *  Copyright (C) 2016 Mellanox Technologies
22
 */
23

24
#include <linux/init.h>
25
#include <linux/kd.h>
26
#include <linux/kernel.h>
27
#include <linux/kernel_read_file.h>
28
#include <linux/errno.h>
29
#include <linux/sched/signal.h>
30
#include <linux/sched/task.h>
31
#include <linux/lsm_hooks.h>
32
#include <linux/xattr.h>
33
#include <linux/capability.h>
34
#include <linux/unistd.h>
35
#include <linux/mm.h>
36
#include <linux/mman.h>
37
#include <linux/slab.h>
38
#include <linux/pagemap.h>
39
#include <linux/proc_fs.h>
40
#include <linux/swap.h>
41
#include <linux/spinlock.h>
42
#include <linux/syscalls.h>
43
#include <linux/dcache.h>
44
#include <linux/file.h>
45
#include <linux/fdtable.h>
46
#include <linux/namei.h>
47
#include <linux/mount.h>
48
#include <linux/fs_context.h>
49
#include <linux/fs_parser.h>
50
#include <linux/netfilter_ipv4.h>
51
#include <linux/netfilter_ipv6.h>
52
#include <linux/tty.h>
53
#include <net/icmp.h>
54
#include <net/ip.h>		/* for local_port_range[] */
55
#include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56
#include <net/inet_connection_sock.h>
57
#include <net/net_namespace.h>
58
#include <net/netlabel.h>
59
#include <linux/uaccess.h>
60
#include <asm/ioctls.h>
61
#include <linux/atomic.h>
62
#include <linux/bitops.h>
63
#include <linux/interrupt.h>
64
#include <linux/netdevice.h>	/* for network interface checks */
65
#include <net/netlink.h>
66
#include <linux/tcp.h>
67
#include <linux/udp.h>
68
#include <linux/sctp.h>
69
#include <net/sctp/structs.h>
70
#include <linux/quota.h>
71
#include <linux/un.h>		/* for Unix socket types */
72
#include <net/af_unix.h>	/* for Unix socket types */
73
#include <linux/parser.h>
74
#include <linux/nfs_mount.h>
75
#include <net/ipv6.h>
76
#include <linux/hugetlb.h>
77
#include <linux/personality.h>
78
#include <linux/audit.h>
79
#include <linux/string.h>
80
#include <linux/mutex.h>
81
#include <linux/posix-timers.h>
82
#include <linux/syslog.h>
83
#include <linux/user_namespace.h>
84
#include <linux/export.h>
85
#include <linux/msg.h>
86
#include <linux/shm.h>
87
#include <uapi/linux/shm.h>
88
#include <linux/bpf.h>
89
#include <linux/kernfs.h>
90
#include <linux/stringhash.h>	/* for hashlen_string() */
91
#include <uapi/linux/mount.h>
92
#include <linux/fsnotify.h>
93
#include <linux/fanotify.h>
94
#include <linux/io_uring/cmd.h>
95
#include <uapi/linux/lsm.h>
96

97
#include "avc.h"
98
#include "objsec.h"
99
#include "netif.h"
100
#include "netnode.h"
101
#include "netport.h"
102
#include "ibpkey.h"
103
#include "xfrm.h"
104
#include "netlabel.h"
105
#include "audit.h"
106
#include "avc_ss.h"
107

108
#define SELINUX_INODE_INIT_XATTRS 1
109

110
struct selinux_state selinux_state;
111

112
/* SECMARK reference count */
113
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
114

115
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
116
static int selinux_enforcing_boot __initdata;
117

118
static int __init enforcing_setup(char *str)
119
{
120
	unsigned long enforcing;
121
	if (!kstrtoul(str, 0, &enforcing))
122
		selinux_enforcing_boot = enforcing ? 1 : 0;
123
	return 1;
124
}
125
__setup("enforcing=", enforcing_setup);
126
#else
127
#define selinux_enforcing_boot 1
128
#endif
129

130
int selinux_enabled_boot __initdata = 1;
131
#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
132
static int __init selinux_enabled_setup(char *str)
133
{
134
	unsigned long enabled;
135
	if (!kstrtoul(str, 0, &enabled))
136
		selinux_enabled_boot = enabled ? 1 : 0;
137
	return 1;
138
}
139
__setup("selinux=", selinux_enabled_setup);
140
#endif
141

142
static int __init checkreqprot_setup(char *str)
143
{
144
	unsigned long checkreqprot;
145

146
	if (!kstrtoul(str, 0, &checkreqprot)) {
147
		if (checkreqprot)
148
			pr_err("SELinux: checkreqprot set to 1 via kernel parameter.  This is no longer supported.\n");
149
	}
150
	return 1;
151
}
152
__setup("checkreqprot=", checkreqprot_setup);
153

154
/**
155
 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156
 *
157
 * Description:
158
 * This function checks the SECMARK reference counter to see if any SECMARK
159
 * targets are currently configured, if the reference counter is greater than
160
 * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
161
 * enabled, false (0) if SECMARK is disabled.  If the always_check_network
162
 * policy capability is enabled, SECMARK is always considered enabled.
163
 *
164
 */
165
static int selinux_secmark_enabled(void)
166
{
167
	return (selinux_policycap_alwaysnetwork() ||
168
		atomic_read(&selinux_secmark_refcount));
169
}
170

171
/**
172
 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173
 *
174
 * Description:
175
 * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
176
 * (1) if any are enabled or false (0) if neither are enabled.  If the
177
 * always_check_network policy capability is enabled, peer labeling
178
 * is always considered enabled.
179
 *
180
 */
181
static int selinux_peerlbl_enabled(void)
182
{
183
	return (selinux_policycap_alwaysnetwork() ||
184
		netlbl_enabled() || selinux_xfrm_enabled());
185
}
186

187
static int selinux_netcache_avc_callback(u32 event)
188
{
189
	if (event == AVC_CALLBACK_RESET) {
190
		sel_netif_flush();
191
		sel_netnode_flush();
192
		sel_netport_flush();
193
		synchronize_net();
194
	}
195
	return 0;
196
}
197

198
static int selinux_lsm_notifier_avc_callback(u32 event)
199
{
200
	if (event == AVC_CALLBACK_RESET) {
201
		sel_ib_pkey_flush();
202
		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203
	}
204

205
	return 0;
206
}
207

208
/*
209
 * initialise the security for the init task
210
 */
211
static void cred_init_security(void)
212
{
213
	struct task_security_struct *tsec;
214

215
	/* NOTE: the lsm framework zeros out the buffer on allocation */
216

217
	tsec = selinux_cred(unrcu_pointer(current->real_cred));
218
	tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL;
219
}
220

221
/*
222
 * get the security ID of a set of credentials
223
 */
224
static inline u32 cred_sid(const struct cred *cred)
225
{
226
	const struct task_security_struct *tsec;
227

228
	tsec = selinux_cred(cred);
229
	return tsec->sid;
230
}
231

232
static void __ad_net_init(struct common_audit_data *ad,
233
			  struct lsm_network_audit *net,
234
			  int ifindex, struct sock *sk, u16 family)
235
{
236
	ad->type = LSM_AUDIT_DATA_NET;
237
	ad->u.net = net;
238
	net->netif = ifindex;
239
	net->sk = sk;
240
	net->family = family;
241
}
242

243
static void ad_net_init_from_sk(struct common_audit_data *ad,
244
				struct lsm_network_audit *net,
245
				struct sock *sk)
246
{
247
	__ad_net_init(ad, net, 0, sk, 0);
248
}
249

250
static void ad_net_init_from_iif(struct common_audit_data *ad,
251
				 struct lsm_network_audit *net,
252
				 int ifindex, u16 family)
253
{
254
	__ad_net_init(ad, net, ifindex, NULL, family);
255
}
256

257
/*
258
 * get the objective security ID of a task
259
 */
260
static inline u32 task_sid_obj(const struct task_struct *task)
261
{
262
	u32 sid;
263

264
	rcu_read_lock();
265
	sid = cred_sid(__task_cred(task));
266
	rcu_read_unlock();
267
	return sid;
268
}
269

270
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
271

272
/*
273
 * Try reloading inode security labels that have been marked as invalid.  The
274
 * @may_sleep parameter indicates when sleeping and thus reloading labels is
275
 * allowed; when set to false, returns -ECHILD when the label is
276
 * invalid.  The @dentry parameter should be set to a dentry of the inode.
277
 */
278
static int __inode_security_revalidate(struct inode *inode,
279
				       struct dentry *dentry,
280
				       bool may_sleep)
281
{
282
	if (!selinux_initialized())
283
		return 0;
284

285
	if (may_sleep)
286
		might_sleep();
287
	else
288
		return -ECHILD;
289

290
	/*
291
	 * Check to ensure that an inode's SELinux state is valid and try
292
	 * reloading the inode security label if necessary.  This will fail if
293
	 * @dentry is NULL and no dentry for this inode can be found; in that
294
	 * case, continue using the old label.
295
	 */
296
	inode_doinit_with_dentry(inode, dentry);
297
	return 0;
298
}
299

300
static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
301
{
302
	return selinux_inode(inode);
303
}
304

305
static inline struct inode_security_struct *inode_security_rcu(struct inode *inode,
306
							       bool rcu)
307
{
308
	int rc;
309
	struct inode_security_struct *isec = selinux_inode(inode);
310

311
	/* check below is racy, but revalidate will recheck with lock held */
312
	if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
313
		return isec;
314
	rc = __inode_security_revalidate(inode, NULL, !rcu);
315
	if (rc)
316
		return ERR_PTR(rc);
317
	return isec;
318
}
319

320
/*
321
 * Get the security label of an inode.
322
 */
323
static inline struct inode_security_struct *inode_security(struct inode *inode)
324
{
325
	struct inode_security_struct *isec = selinux_inode(inode);
326

327
	/* check below is racy, but revalidate will recheck with lock held */
328
	if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
329
		return isec;
330
	__inode_security_revalidate(inode, NULL, true);
331
	return isec;
332
}
333

334
static inline struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
335
{
336
	return selinux_inode(d_backing_inode(dentry));
337
}
338

339
/*
340
 * Get the security label of a dentry's backing inode.
341
 */
342
static inline struct inode_security_struct *backing_inode_security(struct dentry *dentry)
343
{
344
	struct inode *inode = d_backing_inode(dentry);
345
	struct inode_security_struct *isec = selinux_inode(inode);
346

347
	/* check below is racy, but revalidate will recheck with lock held */
348
	if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
349
		return isec;
350
	__inode_security_revalidate(inode, dentry, true);
351
	return isec;
352
}
353

354
static void inode_free_security(struct inode *inode)
355
{
356
	struct inode_security_struct *isec = selinux_inode(inode);
357
	struct superblock_security_struct *sbsec;
358

359
	if (!isec)
360
		return;
361
	sbsec = selinux_superblock(inode->i_sb);
362
	/*
363
	 * As not all inode security structures are in a list, we check for
364
	 * empty list outside of the lock to make sure that we won't waste
365
	 * time taking a lock doing nothing.
366
	 *
367
	 * The list_del_init() function can be safely called more than once.
368
	 * It should not be possible for this function to be called with
369
	 * concurrent list_add(), but for better safety against future changes
370
	 * in the code, we use list_empty_careful() here.
371
	 */
372
	if (!list_empty_careful(&isec->list)) {
373
		spin_lock(&sbsec->isec_lock);
374
		list_del_init(&isec->list);
375
		spin_unlock(&sbsec->isec_lock);
376
	}
377
}
378

379
struct selinux_mnt_opts {
380
	u32 fscontext_sid;
381
	u32 context_sid;
382
	u32 rootcontext_sid;
383
	u32 defcontext_sid;
384
};
385

386
static void selinux_free_mnt_opts(void *mnt_opts)
387
{
388
	kfree(mnt_opts);
389
}
390

391
enum {
392
	Opt_error = -1,
393
	Opt_context = 0,
394
	Opt_defcontext = 1,
395
	Opt_fscontext = 2,
396
	Opt_rootcontext = 3,
397
	Opt_seclabel = 4,
398
};
399

400
#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
401
static const struct {
402
	const char *name;
403
	int len;
404
	int opt;
405
	bool has_arg;
406
} tokens[] = {
407
	A(context, true),
408
	A(fscontext, true),
409
	A(defcontext, true),
410
	A(rootcontext, true),
411
	A(seclabel, false),
412
};
413
#undef A
414

415
static int match_opt_prefix(char *s, int l, char **arg)
416
{
417
	unsigned int i;
418

419
	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
420
		size_t len = tokens[i].len;
421
		if (len > l || memcmp(s, tokens[i].name, len))
422
			continue;
423
		if (tokens[i].has_arg) {
424
			if (len == l || s[len] != '=')
425
				continue;
426
			*arg = s + len + 1;
427
		} else if (len != l)
428
			continue;
429
		return tokens[i].opt;
430
	}
431
	return Opt_error;
432
}
433

434
#define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
435

436
static int may_context_mount_sb_relabel(u32 sid,
437
			struct superblock_security_struct *sbsec,
438
			const struct cred *cred)
439
{
440
	const struct task_security_struct *tsec = selinux_cred(cred);
441
	int rc;
442

443
	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
444
			  FILESYSTEM__RELABELFROM, NULL);
445
	if (rc)
446
		return rc;
447

448
	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
449
			  FILESYSTEM__RELABELTO, NULL);
450
	return rc;
451
}
452

453
static int may_context_mount_inode_relabel(u32 sid,
454
			struct superblock_security_struct *sbsec,
455
			const struct cred *cred)
456
{
457
	const struct task_security_struct *tsec = selinux_cred(cred);
458
	int rc;
459
	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
460
			  FILESYSTEM__RELABELFROM, NULL);
461
	if (rc)
462
		return rc;
463

464
	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
465
			  FILESYSTEM__ASSOCIATE, NULL);
466
	return rc;
467
}
468

469
static int selinux_is_genfs_special_handling(struct super_block *sb)
470
{
471
	/* Special handling. Genfs but also in-core setxattr handler */
472
	return	!strcmp(sb->s_type->name, "sysfs") ||
473
		!strcmp(sb->s_type->name, "pstore") ||
474
		!strcmp(sb->s_type->name, "debugfs") ||
475
		!strcmp(sb->s_type->name, "tracefs") ||
476
		!strcmp(sb->s_type->name, "rootfs") ||
477
		(selinux_policycap_cgroupseclabel() &&
478
		 (!strcmp(sb->s_type->name, "cgroup") ||
479
		  !strcmp(sb->s_type->name, "cgroup2")));
480
}
481

482
static int selinux_is_sblabel_mnt(struct super_block *sb)
483
{
484
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
485

486
	/*
487
	 * IMPORTANT: Double-check logic in this function when adding a new
488
	 * SECURITY_FS_USE_* definition!
489
	 */
490
	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
491

492
	switch (sbsec->behavior) {
493
	case SECURITY_FS_USE_XATTR:
494
	case SECURITY_FS_USE_TRANS:
495
	case SECURITY_FS_USE_TASK:
496
	case SECURITY_FS_USE_NATIVE:
497
		return 1;
498

499
	case SECURITY_FS_USE_GENFS:
500
		return selinux_is_genfs_special_handling(sb);
501

502
	/* Never allow relabeling on context mounts */
503
	case SECURITY_FS_USE_MNTPOINT:
504
	case SECURITY_FS_USE_NONE:
505
	default:
506
		return 0;
507
	}
508
}
509

510
static int sb_check_xattr_support(struct super_block *sb)
511
{
512
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
513
	struct dentry *root = sb->s_root;
514
	struct inode *root_inode = d_backing_inode(root);
515
	u32 sid;
516
	int rc;
517

518
	/*
519
	 * Make sure that the xattr handler exists and that no
520
	 * error other than -ENODATA is returned by getxattr on
521
	 * the root directory.  -ENODATA is ok, as this may be
522
	 * the first boot of the SELinux kernel before we have
523
	 * assigned xattr values to the filesystem.
524
	 */
525
	if (!(root_inode->i_opflags & IOP_XATTR)) {
526
		pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
527
			sb->s_id, sb->s_type->name);
528
		goto fallback;
529
	}
530

531
	rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
532
	if (rc < 0 && rc != -ENODATA) {
533
		if (rc == -EOPNOTSUPP) {
534
			pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
535
				sb->s_id, sb->s_type->name);
536
			goto fallback;
537
		} else {
538
			pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
539
				sb->s_id, sb->s_type->name, -rc);
540
			return rc;
541
		}
542
	}
543
	return 0;
544

545
fallback:
546
	/* No xattr support - try to fallback to genfs if possible. */
547
	rc = security_genfs_sid(sb->s_type->name, "/",
548
				SECCLASS_DIR, &sid);
549
	if (rc)
550
		return -EOPNOTSUPP;
551

552
	pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
553
		sb->s_id, sb->s_type->name);
554
	sbsec->behavior = SECURITY_FS_USE_GENFS;
555
	sbsec->sid = sid;
556
	return 0;
557
}
558

559
static int sb_finish_set_opts(struct super_block *sb)
560
{
561
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
562
	struct dentry *root = sb->s_root;
563
	struct inode *root_inode = d_backing_inode(root);
564
	int rc = 0;
565

566
	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
567
		rc = sb_check_xattr_support(sb);
568
		if (rc)
569
			return rc;
570
	}
571

572
	sbsec->flags |= SE_SBINITIALIZED;
573

574
	/*
575
	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
576
	 * leave the flag untouched because sb_clone_mnt_opts might be handing
577
	 * us a superblock that needs the flag to be cleared.
578
	 */
579
	if (selinux_is_sblabel_mnt(sb))
580
		sbsec->flags |= SBLABEL_MNT;
581
	else
582
		sbsec->flags &= ~SBLABEL_MNT;
583

584
	/* Initialize the root inode. */
585
	rc = inode_doinit_with_dentry(root_inode, root);
586

587
	/* Initialize any other inodes associated with the superblock, e.g.
588
	   inodes created prior to initial policy load or inodes created
589
	   during get_sb by a pseudo filesystem that directly
590
	   populates itself. */
591
	spin_lock(&sbsec->isec_lock);
592
	while (!list_empty(&sbsec->isec_head)) {
593
		struct inode_security_struct *isec =
594
				list_first_entry(&sbsec->isec_head,
595
					   struct inode_security_struct, list);
596
		struct inode *inode = isec->inode;
597
		list_del_init(&isec->list);
598
		spin_unlock(&sbsec->isec_lock);
599
		inode = igrab(inode);
600
		if (inode) {
601
			if (!IS_PRIVATE(inode))
602
				inode_doinit_with_dentry(inode, NULL);
603
			iput(inode);
604
		}
605
		spin_lock(&sbsec->isec_lock);
606
	}
607
	spin_unlock(&sbsec->isec_lock);
608
	return rc;
609
}
610

611
static int bad_option(struct superblock_security_struct *sbsec, char flag,
612
		      u32 old_sid, u32 new_sid)
613
{
614
	char mnt_flags = sbsec->flags & SE_MNTMASK;
615

616
	/* check if the old mount command had the same options */
617
	if (sbsec->flags & SE_SBINITIALIZED)
618
		if (!(sbsec->flags & flag) ||
619
		    (old_sid != new_sid))
620
			return 1;
621

622
	/* check if we were passed the same options twice,
623
	 * aka someone passed context=a,context=b
624
	 */
625
	if (!(sbsec->flags & SE_SBINITIALIZED))
626
		if (mnt_flags & flag)
627
			return 1;
628
	return 0;
629
}
630

631
/*
632
 * Allow filesystems with binary mount data to explicitly set mount point
633
 * labeling information.
634
 */
635
static int selinux_set_mnt_opts(struct super_block *sb,
636
				void *mnt_opts,
637
				unsigned long kern_flags,
638
				unsigned long *set_kern_flags)
639
{
640
	const struct cred *cred = current_cred();
641
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
642
	struct dentry *root = sb->s_root;
643
	struct selinux_mnt_opts *opts = mnt_opts;
644
	struct inode_security_struct *root_isec;
645
	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
646
	u32 defcontext_sid = 0;
647
	int rc = 0;
648

649
	/*
650
	 * Specifying internal flags without providing a place to
651
	 * place the results is not allowed
652
	 */
653
	if (kern_flags && !set_kern_flags)
654
		return -EINVAL;
655

656
	mutex_lock(&sbsec->lock);
657

658
	if (!selinux_initialized()) {
659
		if (!opts) {
660
			/* Defer initialization until selinux_complete_init,
661
			   after the initial policy is loaded and the security
662
			   server is ready to handle calls. */
663
			if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
664
				sbsec->flags |= SE_SBNATIVE;
665
				*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
666
			}
667
			goto out;
668
		}
669
		rc = -EINVAL;
670
		pr_warn("SELinux: Unable to set superblock options "
671
			"before the security server is initialized\n");
672
		goto out;
673
	}
674

675
	/*
676
	 * Binary mount data FS will come through this function twice.  Once
677
	 * from an explicit call and once from the generic calls from the vfs.
678
	 * Since the generic VFS calls will not contain any security mount data
679
	 * we need to skip the double mount verification.
680
	 *
681
	 * This does open a hole in which we will not notice if the first
682
	 * mount using this sb set explicit options and a second mount using
683
	 * this sb does not set any security options.  (The first options
684
	 * will be used for both mounts)
685
	 */
686
	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
687
	    && !opts)
688
		goto out;
689

690
	root_isec = backing_inode_security_novalidate(root);
691

692
	/*
693
	 * parse the mount options, check if they are valid sids.
694
	 * also check if someone is trying to mount the same sb more
695
	 * than once with different security options.
696
	 */
697
	if (opts) {
698
		if (opts->fscontext_sid) {
699
			fscontext_sid = opts->fscontext_sid;
700
			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
701
					fscontext_sid))
702
				goto out_double_mount;
703
			sbsec->flags |= FSCONTEXT_MNT;
704
		}
705
		if (opts->context_sid) {
706
			context_sid = opts->context_sid;
707
			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
708
					context_sid))
709
				goto out_double_mount;
710
			sbsec->flags |= CONTEXT_MNT;
711
		}
712
		if (opts->rootcontext_sid) {
713
			rootcontext_sid = opts->rootcontext_sid;
714
			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
715
					rootcontext_sid))
716
				goto out_double_mount;
717
			sbsec->flags |= ROOTCONTEXT_MNT;
718
		}
719
		if (opts->defcontext_sid) {
720
			defcontext_sid = opts->defcontext_sid;
721
			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
722
					defcontext_sid))
723
				goto out_double_mount;
724
			sbsec->flags |= DEFCONTEXT_MNT;
725
		}
726
	}
727

728
	if (sbsec->flags & SE_SBINITIALIZED) {
729
		/* previously mounted with options, but not on this attempt? */
730
		if ((sbsec->flags & SE_MNTMASK) && !opts)
731
			goto out_double_mount;
732
		rc = 0;
733
		goto out;
734
	}
735

736
	if (strcmp(sb->s_type->name, "proc") == 0)
737
		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
738

739
	if (!strcmp(sb->s_type->name, "debugfs") ||
740
	    !strcmp(sb->s_type->name, "tracefs") ||
741
	    !strcmp(sb->s_type->name, "binder") ||
742
	    !strcmp(sb->s_type->name, "bpf") ||
743
	    !strcmp(sb->s_type->name, "pstore") ||
744
	    !strcmp(sb->s_type->name, "securityfs"))
745
		sbsec->flags |= SE_SBGENFS;
746

747
	if (!strcmp(sb->s_type->name, "sysfs") ||
748
	    !strcmp(sb->s_type->name, "cgroup") ||
749
	    !strcmp(sb->s_type->name, "cgroup2"))
750
		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
751

752
	if (!sbsec->behavior) {
753
		/*
754
		 * Determine the labeling behavior to use for this
755
		 * filesystem type.
756
		 */
757
		rc = security_fs_use(sb);
758
		if (rc) {
759
			pr_warn("%s: security_fs_use(%s) returned %d\n",
760
					__func__, sb->s_type->name, rc);
761
			goto out;
762
		}
763
	}
764

765
	/*
766
	 * If this is a user namespace mount and the filesystem type is not
767
	 * explicitly whitelisted, then no contexts are allowed on the command
768
	 * line and security labels must be ignored.
769
	 */
770
	if (sb->s_user_ns != &init_user_ns &&
771
	    strcmp(sb->s_type->name, "tmpfs") &&
772
	    strcmp(sb->s_type->name, "ramfs") &&
773
	    strcmp(sb->s_type->name, "devpts") &&
774
	    strcmp(sb->s_type->name, "overlay")) {
775
		if (context_sid || fscontext_sid || rootcontext_sid ||
776
		    defcontext_sid) {
777
			rc = -EACCES;
778
			goto out;
779
		}
780
		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
781
			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
782
			rc = security_transition_sid(current_sid(),
783
						     current_sid(),
784
						     SECCLASS_FILE, NULL,
785
						     &sbsec->mntpoint_sid);
786
			if (rc)
787
				goto out;
788
		}
789
		goto out_set_opts;
790
	}
791

792
	/* sets the context of the superblock for the fs being mounted. */
793
	if (fscontext_sid) {
794
		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
795
		if (rc)
796
			goto out;
797

798
		sbsec->sid = fscontext_sid;
799
	}
800

801
	/*
802
	 * Switch to using mount point labeling behavior.
803
	 * sets the label used on all file below the mountpoint, and will set
804
	 * the superblock context if not already set.
805
	 */
806
	if (sbsec->flags & SE_SBNATIVE) {
807
		/*
808
		 * This means we are initializing a superblock that has been
809
		 * mounted before the SELinux was initialized and the
810
		 * filesystem requested native labeling. We had already
811
		 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
812
		 * in the original mount attempt, so now we just need to set
813
		 * the SECURITY_FS_USE_NATIVE behavior.
814
		 */
815
		sbsec->behavior = SECURITY_FS_USE_NATIVE;
816
	} else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
817
		sbsec->behavior = SECURITY_FS_USE_NATIVE;
818
		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
819
	}
820

821
	if (context_sid) {
822
		if (!fscontext_sid) {
823
			rc = may_context_mount_sb_relabel(context_sid, sbsec,
824
							  cred);
825
			if (rc)
826
				goto out;
827
			sbsec->sid = context_sid;
828
		} else {
829
			rc = may_context_mount_inode_relabel(context_sid, sbsec,
830
							     cred);
831
			if (rc)
832
				goto out;
833
		}
834
		if (!rootcontext_sid)
835
			rootcontext_sid = context_sid;
836

837
		sbsec->mntpoint_sid = context_sid;
838
		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
839
	}
840

841
	if (rootcontext_sid) {
842
		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
843
						     cred);
844
		if (rc)
845
			goto out;
846

847
		root_isec->sid = rootcontext_sid;
848
		root_isec->initialized = LABEL_INITIALIZED;
849
	}
850

851
	if (defcontext_sid) {
852
		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
853
			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
854
			rc = -EINVAL;
855
			pr_warn("SELinux: defcontext option is "
856
			       "invalid for this filesystem type\n");
857
			goto out;
858
		}
859

860
		if (defcontext_sid != sbsec->def_sid) {
861
			rc = may_context_mount_inode_relabel(defcontext_sid,
862
							     sbsec, cred);
863
			if (rc)
864
				goto out;
865
		}
866

867
		sbsec->def_sid = defcontext_sid;
868
	}
869

870
out_set_opts:
871
	rc = sb_finish_set_opts(sb);
872
out:
873
	mutex_unlock(&sbsec->lock);
874
	return rc;
875
out_double_mount:
876
	rc = -EINVAL;
877
	pr_warn("SELinux: mount invalid.  Same superblock, different "
878
	       "security settings for (dev %s, type %s)\n", sb->s_id,
879
	       sb->s_type->name);
880
	goto out;
881
}
882

883
static int selinux_cmp_sb_context(const struct super_block *oldsb,
884
				    const struct super_block *newsb)
885
{
886
	struct superblock_security_struct *old = selinux_superblock(oldsb);
887
	struct superblock_security_struct *new = selinux_superblock(newsb);
888
	char oldflags = old->flags & SE_MNTMASK;
889
	char newflags = new->flags & SE_MNTMASK;
890

891
	if (oldflags != newflags)
892
		goto mismatch;
893
	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
894
		goto mismatch;
895
	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
896
		goto mismatch;
897
	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
898
		goto mismatch;
899
	if (oldflags & ROOTCONTEXT_MNT) {
900
		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
901
		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
902
		if (oldroot->sid != newroot->sid)
903
			goto mismatch;
904
	}
905
	return 0;
906
mismatch:
907
	pr_warn("SELinux: mount invalid.  Same superblock, "
908
			    "different security settings for (dev %s, "
909
			    "type %s)\n", newsb->s_id, newsb->s_type->name);
910
	return -EBUSY;
911
}
912

913
static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
914
					struct super_block *newsb,
915
					unsigned long kern_flags,
916
					unsigned long *set_kern_flags)
917
{
918
	int rc = 0;
919
	const struct superblock_security_struct *oldsbsec =
920
						selinux_superblock(oldsb);
921
	struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
922

923
	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
924
	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
925
	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
926

927
	/*
928
	 * Specifying internal flags without providing a place to
929
	 * place the results is not allowed.
930
	 */
931
	if (kern_flags && !set_kern_flags)
932
		return -EINVAL;
933

934
	mutex_lock(&newsbsec->lock);
935

936
	/*
937
	 * if the parent was able to be mounted it clearly had no special lsm
938
	 * mount options.  thus we can safely deal with this superblock later
939
	 */
940
	if (!selinux_initialized()) {
941
		if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
942
			newsbsec->flags |= SE_SBNATIVE;
943
			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
944
		}
945
		goto out;
946
	}
947

948
	/* how can we clone if the old one wasn't set up?? */
949
	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
950

951
	/* if fs is reusing a sb, make sure that the contexts match */
952
	if (newsbsec->flags & SE_SBINITIALIZED) {
953
		mutex_unlock(&newsbsec->lock);
954
		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
955
			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
956
		return selinux_cmp_sb_context(oldsb, newsb);
957
	}
958

959
	newsbsec->flags = oldsbsec->flags;
960

961
	newsbsec->sid = oldsbsec->sid;
962
	newsbsec->def_sid = oldsbsec->def_sid;
963
	newsbsec->behavior = oldsbsec->behavior;
964

965
	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
966
		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
967
		rc = security_fs_use(newsb);
968
		if (rc)
969
			goto out;
970
	}
971

972
	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
973
		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
974
		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
975
	}
976

977
	if (set_context) {
978
		u32 sid = oldsbsec->mntpoint_sid;
979

980
		if (!set_fscontext)
981
			newsbsec->sid = sid;
982
		if (!set_rootcontext) {
983
			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
984
			newisec->sid = sid;
985
		}
986
		newsbsec->mntpoint_sid = sid;
987
	}
988
	if (set_rootcontext) {
989
		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
990
		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
991

992
		newisec->sid = oldisec->sid;
993
	}
994

995
	sb_finish_set_opts(newsb);
996
out:
997
	mutex_unlock(&newsbsec->lock);
998
	return rc;
999
}
1000

1001
/*
1002
 * NOTE: the caller is responsible for freeing the memory even if on error.
1003
 */
1004
static int selinux_add_opt(int token, const char *s, void **mnt_opts)
1005
{
1006
	struct selinux_mnt_opts *opts = *mnt_opts;
1007
	u32 *dst_sid;
1008
	int rc;
1009

1010
	if (token == Opt_seclabel)
1011
		/* eaten and completely ignored */
1012
		return 0;
1013
	if (!s)
1014
		return -EINVAL;
1015

1016
	if (!selinux_initialized()) {
1017
		pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1018
		return -EINVAL;
1019
	}
1020

1021
	if (!opts) {
1022
		opts = kzalloc(sizeof(*opts), GFP_KERNEL);
1023
		if (!opts)
1024
			return -ENOMEM;
1025
		*mnt_opts = opts;
1026
	}
1027

1028
	switch (token) {
1029
	case Opt_context:
1030
		if (opts->context_sid || opts->defcontext_sid)
1031
			goto err;
1032
		dst_sid = &opts->context_sid;
1033
		break;
1034
	case Opt_fscontext:
1035
		if (opts->fscontext_sid)
1036
			goto err;
1037
		dst_sid = &opts->fscontext_sid;
1038
		break;
1039
	case Opt_rootcontext:
1040
		if (opts->rootcontext_sid)
1041
			goto err;
1042
		dst_sid = &opts->rootcontext_sid;
1043
		break;
1044
	case Opt_defcontext:
1045
		if (opts->context_sid || opts->defcontext_sid)
1046
			goto err;
1047
		dst_sid = &opts->defcontext_sid;
1048
		break;
1049
	default:
1050
		WARN_ON(1);
1051
		return -EINVAL;
1052
	}
1053
	rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
1054
	if (rc)
1055
		pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1056
			s, rc);
1057
	return rc;
1058

1059
err:
1060
	pr_warn(SEL_MOUNT_FAIL_MSG);
1061
	return -EINVAL;
1062
}
1063

1064
static int show_sid(struct seq_file *m, u32 sid)
1065
{
1066
	char *context = NULL;
1067
	u32 len;
1068
	int rc;
1069

1070
	rc = security_sid_to_context(sid, &context, &len);
1071
	if (!rc) {
1072
		bool has_comma = strchr(context, ',');
1073

1074
		seq_putc(m, '=');
1075
		if (has_comma)
1076
			seq_putc(m, '\"');
1077
		seq_escape(m, context, "\"\n\\");
1078
		if (has_comma)
1079
			seq_putc(m, '\"');
1080
	}
1081
	kfree(context);
1082
	return rc;
1083
}
1084

1085
static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1086
{
1087
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
1088
	int rc;
1089

1090
	if (!(sbsec->flags & SE_SBINITIALIZED))
1091
		return 0;
1092

1093
	if (!selinux_initialized())
1094
		return 0;
1095

1096
	if (sbsec->flags & FSCONTEXT_MNT) {
1097
		seq_putc(m, ',');
1098
		seq_puts(m, FSCONTEXT_STR);
1099
		rc = show_sid(m, sbsec->sid);
1100
		if (rc)
1101
			return rc;
1102
	}
1103
	if (sbsec->flags & CONTEXT_MNT) {
1104
		seq_putc(m, ',');
1105
		seq_puts(m, CONTEXT_STR);
1106
		rc = show_sid(m, sbsec->mntpoint_sid);
1107
		if (rc)
1108
			return rc;
1109
	}
1110
	if (sbsec->flags & DEFCONTEXT_MNT) {
1111
		seq_putc(m, ',');
1112
		seq_puts(m, DEFCONTEXT_STR);
1113
		rc = show_sid(m, sbsec->def_sid);
1114
		if (rc)
1115
			return rc;
1116
	}
1117
	if (sbsec->flags & ROOTCONTEXT_MNT) {
1118
		struct dentry *root = sb->s_root;
1119
		struct inode_security_struct *isec = backing_inode_security(root);
1120
		seq_putc(m, ',');
1121
		seq_puts(m, ROOTCONTEXT_STR);
1122
		rc = show_sid(m, isec->sid);
1123
		if (rc)
1124
			return rc;
1125
	}
1126
	if (sbsec->flags & SBLABEL_MNT) {
1127
		seq_putc(m, ',');
1128
		seq_puts(m, SECLABEL_STR);
1129
	}
1130
	return 0;
1131
}
1132

1133
static inline u16 inode_mode_to_security_class(umode_t mode)
1134
{
1135
	switch (mode & S_IFMT) {
1136
	case S_IFSOCK:
1137
		return SECCLASS_SOCK_FILE;
1138
	case S_IFLNK:
1139
		return SECCLASS_LNK_FILE;
1140
	case S_IFREG:
1141
		return SECCLASS_FILE;
1142
	case S_IFBLK:
1143
		return SECCLASS_BLK_FILE;
1144
	case S_IFDIR:
1145
		return SECCLASS_DIR;
1146
	case S_IFCHR:
1147
		return SECCLASS_CHR_FILE;
1148
	case S_IFIFO:
1149
		return SECCLASS_FIFO_FILE;
1150

1151
	}
1152

1153
	return SECCLASS_FILE;
1154
}
1155

1156
static inline int default_protocol_stream(int protocol)
1157
{
1158
	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1159
		protocol == IPPROTO_MPTCP);
1160
}
1161

1162
static inline int default_protocol_dgram(int protocol)
1163
{
1164
	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1165
}
1166

1167
static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1168
{
1169
	bool extsockclass = selinux_policycap_extsockclass();
1170

1171
	switch (family) {
1172
	case PF_UNIX:
1173
		switch (type) {
1174
		case SOCK_STREAM:
1175
		case SOCK_SEQPACKET:
1176
			return SECCLASS_UNIX_STREAM_SOCKET;
1177
		case SOCK_DGRAM:
1178
		case SOCK_RAW:
1179
			return SECCLASS_UNIX_DGRAM_SOCKET;
1180
		}
1181
		break;
1182
	case PF_INET:
1183
	case PF_INET6:
1184
		switch (type) {
1185
		case SOCK_STREAM:
1186
		case SOCK_SEQPACKET:
1187
			if (default_protocol_stream(protocol))
1188
				return SECCLASS_TCP_SOCKET;
1189
			else if (extsockclass && protocol == IPPROTO_SCTP)
1190
				return SECCLASS_SCTP_SOCKET;
1191
			else
1192
				return SECCLASS_RAWIP_SOCKET;
1193
		case SOCK_DGRAM:
1194
			if (default_protocol_dgram(protocol))
1195
				return SECCLASS_UDP_SOCKET;
1196
			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1197
						  protocol == IPPROTO_ICMPV6))
1198
				return SECCLASS_ICMP_SOCKET;
1199
			else
1200
				return SECCLASS_RAWIP_SOCKET;
1201
		default:
1202
			return SECCLASS_RAWIP_SOCKET;
1203
		}
1204
		break;
1205
	case PF_NETLINK:
1206
		switch (protocol) {
1207
		case NETLINK_ROUTE:
1208
			return SECCLASS_NETLINK_ROUTE_SOCKET;
1209
		case NETLINK_SOCK_DIAG:
1210
			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1211
		case NETLINK_NFLOG:
1212
			return SECCLASS_NETLINK_NFLOG_SOCKET;
1213
		case NETLINK_XFRM:
1214
			return SECCLASS_NETLINK_XFRM_SOCKET;
1215
		case NETLINK_SELINUX:
1216
			return SECCLASS_NETLINK_SELINUX_SOCKET;
1217
		case NETLINK_ISCSI:
1218
			return SECCLASS_NETLINK_ISCSI_SOCKET;
1219
		case NETLINK_AUDIT:
1220
			return SECCLASS_NETLINK_AUDIT_SOCKET;
1221
		case NETLINK_FIB_LOOKUP:
1222
			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1223
		case NETLINK_CONNECTOR:
1224
			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1225
		case NETLINK_NETFILTER:
1226
			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1227
		case NETLINK_DNRTMSG:
1228
			return SECCLASS_NETLINK_DNRT_SOCKET;
1229
		case NETLINK_KOBJECT_UEVENT:
1230
			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1231
		case NETLINK_GENERIC:
1232
			return SECCLASS_NETLINK_GENERIC_SOCKET;
1233
		case NETLINK_SCSITRANSPORT:
1234
			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1235
		case NETLINK_RDMA:
1236
			return SECCLASS_NETLINK_RDMA_SOCKET;
1237
		case NETLINK_CRYPTO:
1238
			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1239
		default:
1240
			return SECCLASS_NETLINK_SOCKET;
1241
		}
1242
	case PF_PACKET:
1243
		return SECCLASS_PACKET_SOCKET;
1244
	case PF_KEY:
1245
		return SECCLASS_KEY_SOCKET;
1246
	case PF_APPLETALK:
1247
		return SECCLASS_APPLETALK_SOCKET;
1248
	}
1249

1250
	if (extsockclass) {
1251
		switch (family) {
1252
		case PF_AX25:
1253
			return SECCLASS_AX25_SOCKET;
1254
		case PF_IPX:
1255
			return SECCLASS_IPX_SOCKET;
1256
		case PF_NETROM:
1257
			return SECCLASS_NETROM_SOCKET;
1258
		case PF_ATMPVC:
1259
			return SECCLASS_ATMPVC_SOCKET;
1260
		case PF_X25:
1261
			return SECCLASS_X25_SOCKET;
1262
		case PF_ROSE:
1263
			return SECCLASS_ROSE_SOCKET;
1264
		case PF_DECnet:
1265
			return SECCLASS_DECNET_SOCKET;
1266
		case PF_ATMSVC:
1267
			return SECCLASS_ATMSVC_SOCKET;
1268
		case PF_RDS:
1269
			return SECCLASS_RDS_SOCKET;
1270
		case PF_IRDA:
1271
			return SECCLASS_IRDA_SOCKET;
1272
		case PF_PPPOX:
1273
			return SECCLASS_PPPOX_SOCKET;
1274
		case PF_LLC:
1275
			return SECCLASS_LLC_SOCKET;
1276
		case PF_CAN:
1277
			return SECCLASS_CAN_SOCKET;
1278
		case PF_TIPC:
1279
			return SECCLASS_TIPC_SOCKET;
1280
		case PF_BLUETOOTH:
1281
			return SECCLASS_BLUETOOTH_SOCKET;
1282
		case PF_IUCV:
1283
			return SECCLASS_IUCV_SOCKET;
1284
		case PF_RXRPC:
1285
			return SECCLASS_RXRPC_SOCKET;
1286
		case PF_ISDN:
1287
			return SECCLASS_ISDN_SOCKET;
1288
		case PF_PHONET:
1289
			return SECCLASS_PHONET_SOCKET;
1290
		case PF_IEEE802154:
1291
			return SECCLASS_IEEE802154_SOCKET;
1292
		case PF_CAIF:
1293
			return SECCLASS_CAIF_SOCKET;
1294
		case PF_ALG:
1295
			return SECCLASS_ALG_SOCKET;
1296
		case PF_NFC:
1297
			return SECCLASS_NFC_SOCKET;
1298
		case PF_VSOCK:
1299
			return SECCLASS_VSOCK_SOCKET;
1300
		case PF_KCM:
1301
			return SECCLASS_KCM_SOCKET;
1302
		case PF_QIPCRTR:
1303
			return SECCLASS_QIPCRTR_SOCKET;
1304
		case PF_SMC:
1305
			return SECCLASS_SMC_SOCKET;
1306
		case PF_XDP:
1307
			return SECCLASS_XDP_SOCKET;
1308
		case PF_MCTP:
1309
			return SECCLASS_MCTP_SOCKET;
1310
#if PF_MAX > 46
1311
#error New address family defined, please update this function.
1312
#endif
1313
		}
1314
	}
1315

1316
	return SECCLASS_SOCKET;
1317
}
1318

1319
static int selinux_genfs_get_sid(struct dentry *dentry,
1320
				 u16 tclass,
1321
				 u16 flags,
1322
				 u32 *sid)
1323
{
1324
	int rc;
1325
	struct super_block *sb = dentry->d_sb;
1326
	char *buffer, *path;
1327

1328
	buffer = (char *)__get_free_page(GFP_KERNEL);
1329
	if (!buffer)
1330
		return -ENOMEM;
1331

1332
	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1333
	if (IS_ERR(path))
1334
		rc = PTR_ERR(path);
1335
	else {
1336
		if (flags & SE_SBPROC) {
1337
			/* each process gets a /proc/PID/ entry. Strip off the
1338
			 * PID part to get a valid selinux labeling.
1339
			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1340
			while (path[1] >= '0' && path[1] <= '9') {
1341
				path[1] = '/';
1342
				path++;
1343
			}
1344
		}
1345
		rc = security_genfs_sid(sb->s_type->name,
1346
					path, tclass, sid);
1347
		if (rc == -ENOENT) {
1348
			/* No match in policy, mark as unlabeled. */
1349
			*sid = SECINITSID_UNLABELED;
1350
			rc = 0;
1351
		}
1352
	}
1353
	free_page((unsigned long)buffer);
1354
	return rc;
1355
}
1356

1357
static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1358
				  u32 def_sid, u32 *sid)
1359
{
1360
#define INITCONTEXTLEN 255
1361
	char *context;
1362
	unsigned int len;
1363
	int rc;
1364

1365
	len = INITCONTEXTLEN;
1366
	context = kmalloc(len + 1, GFP_NOFS);
1367
	if (!context)
1368
		return -ENOMEM;
1369

1370
	context[len] = '\0';
1371
	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1372
	if (rc == -ERANGE) {
1373
		kfree(context);
1374

1375
		/* Need a larger buffer.  Query for the right size. */
1376
		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1377
		if (rc < 0)
1378
			return rc;
1379

1380
		len = rc;
1381
		context = kmalloc(len + 1, GFP_NOFS);
1382
		if (!context)
1383
			return -ENOMEM;
1384

1385
		context[len] = '\0';
1386
		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1387
				    context, len);
1388
	}
1389
	if (rc < 0) {
1390
		kfree(context);
1391
		if (rc != -ENODATA) {
1392
			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1393
				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1394
			return rc;
1395
		}
1396
		*sid = def_sid;
1397
		return 0;
1398
	}
1399

1400
	rc = security_context_to_sid_default(context, rc, sid,
1401
					     def_sid, GFP_NOFS);
1402
	if (rc) {
1403
		char *dev = inode->i_sb->s_id;
1404
		unsigned long ino = inode->i_ino;
1405

1406
		if (rc == -EINVAL) {
1407
			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1408
					      ino, dev, context);
1409
		} else {
1410
			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1411
				__func__, context, -rc, dev, ino);
1412
		}
1413
	}
1414
	kfree(context);
1415
	return 0;
1416
}
1417

1418
/* The inode's security attributes must be initialized before first use. */
1419
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1420
{
1421
	struct superblock_security_struct *sbsec = NULL;
1422
	struct inode_security_struct *isec = selinux_inode(inode);
1423
	u32 task_sid, sid = 0;
1424
	u16 sclass;
1425
	struct dentry *dentry;
1426
	int rc = 0;
1427

1428
	if (isec->initialized == LABEL_INITIALIZED)
1429
		return 0;
1430

1431
	spin_lock(&isec->lock);
1432
	if (isec->initialized == LABEL_INITIALIZED)
1433
		goto out_unlock;
1434

1435
	if (isec->sclass == SECCLASS_FILE)
1436
		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1437

1438
	sbsec = selinux_superblock(inode->i_sb);
1439
	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1440
		/* Defer initialization until selinux_complete_init,
1441
		   after the initial policy is loaded and the security
1442
		   server is ready to handle calls. */
1443
		spin_lock(&sbsec->isec_lock);
1444
		if (list_empty(&isec->list))
1445
			list_add(&isec->list, &sbsec->isec_head);
1446
		spin_unlock(&sbsec->isec_lock);
1447
		goto out_unlock;
1448
	}
1449

1450
	sclass = isec->sclass;
1451
	task_sid = isec->task_sid;
1452
	sid = isec->sid;
1453
	isec->initialized = LABEL_PENDING;
1454
	spin_unlock(&isec->lock);
1455

1456
	switch (sbsec->behavior) {
1457
	/*
1458
	 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1459
	 * via xattr when called from delayed_superblock_init().
1460
	 */
1461
	case SECURITY_FS_USE_NATIVE:
1462
	case SECURITY_FS_USE_XATTR:
1463
		if (!(inode->i_opflags & IOP_XATTR)) {
1464
			sid = sbsec->def_sid;
1465
			break;
1466
		}
1467
		/* Need a dentry, since the xattr API requires one.
1468
		   Life would be simpler if we could just pass the inode. */
1469
		if (opt_dentry) {
1470
			/* Called from d_instantiate or d_splice_alias. */
1471
			dentry = dget(opt_dentry);
1472
		} else {
1473
			/*
1474
			 * Called from selinux_complete_init, try to find a dentry.
1475
			 * Some filesystems really want a connected one, so try
1476
			 * that first.  We could split SECURITY_FS_USE_XATTR in
1477
			 * two, depending upon that...
1478
			 */
1479
			dentry = d_find_alias(inode);
1480
			if (!dentry)
1481
				dentry = d_find_any_alias(inode);
1482
		}
1483
		if (!dentry) {
1484
			/*
1485
			 * this is can be hit on boot when a file is accessed
1486
			 * before the policy is loaded.  When we load policy we
1487
			 * may find inodes that have no dentry on the
1488
			 * sbsec->isec_head list.  No reason to complain as these
1489
			 * will get fixed up the next time we go through
1490
			 * inode_doinit with a dentry, before these inodes could
1491
			 * be used again by userspace.
1492
			 */
1493
			goto out_invalid;
1494
		}
1495

1496
		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1497
					    &sid);
1498
		dput(dentry);
1499
		if (rc)
1500
			goto out;
1501
		break;
1502
	case SECURITY_FS_USE_TASK:
1503
		sid = task_sid;
1504
		break;
1505
	case SECURITY_FS_USE_TRANS:
1506
		/* Default to the fs SID. */
1507
		sid = sbsec->sid;
1508

1509
		/* Try to obtain a transition SID. */
1510
		rc = security_transition_sid(task_sid, sid,
1511
					     sclass, NULL, &sid);
1512
		if (rc)
1513
			goto out;
1514
		break;
1515
	case SECURITY_FS_USE_MNTPOINT:
1516
		sid = sbsec->mntpoint_sid;
1517
		break;
1518
	default:
1519
		/* Default to the fs superblock SID. */
1520
		sid = sbsec->sid;
1521

1522
		if ((sbsec->flags & SE_SBGENFS) &&
1523
		     (!S_ISLNK(inode->i_mode) ||
1524
		      selinux_policycap_genfs_seclabel_symlinks())) {
1525
			/* We must have a dentry to determine the label on
1526
			 * procfs inodes */
1527
			if (opt_dentry) {
1528
				/* Called from d_instantiate or
1529
				 * d_splice_alias. */
1530
				dentry = dget(opt_dentry);
1531
			} else {
1532
				/* Called from selinux_complete_init, try to
1533
				 * find a dentry.  Some filesystems really want
1534
				 * a connected one, so try that first.
1535
				 */
1536
				dentry = d_find_alias(inode);
1537
				if (!dentry)
1538
					dentry = d_find_any_alias(inode);
1539
			}
1540
			/*
1541
			 * This can be hit on boot when a file is accessed
1542
			 * before the policy is loaded.  When we load policy we
1543
			 * may find inodes that have no dentry on the
1544
			 * sbsec->isec_head list.  No reason to complain as
1545
			 * these will get fixed up the next time we go through
1546
			 * inode_doinit() with a dentry, before these inodes
1547
			 * could be used again by userspace.
1548
			 */
1549
			if (!dentry)
1550
				goto out_invalid;
1551
			rc = selinux_genfs_get_sid(dentry, sclass,
1552
						   sbsec->flags, &sid);
1553
			if (rc) {
1554
				dput(dentry);
1555
				goto out;
1556
			}
1557

1558
			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1559
			    (inode->i_opflags & IOP_XATTR)) {
1560
				rc = inode_doinit_use_xattr(inode, dentry,
1561
							    sid, &sid);
1562
				if (rc) {
1563
					dput(dentry);
1564
					goto out;
1565
				}
1566
			}
1567
			dput(dentry);
1568
		}
1569
		break;
1570
	}
1571

1572
out:
1573
	spin_lock(&isec->lock);
1574
	if (isec->initialized == LABEL_PENDING) {
1575
		if (rc) {
1576
			isec->initialized = LABEL_INVALID;
1577
			goto out_unlock;
1578
		}
1579
		isec->initialized = LABEL_INITIALIZED;
1580
		isec->sid = sid;
1581
	}
1582

1583
out_unlock:
1584
	spin_unlock(&isec->lock);
1585
	return rc;
1586

1587
out_invalid:
1588
	spin_lock(&isec->lock);
1589
	if (isec->initialized == LABEL_PENDING) {
1590
		isec->initialized = LABEL_INVALID;
1591
		isec->sid = sid;
1592
	}
1593
	spin_unlock(&isec->lock);
1594
	return 0;
1595
}
1596

1597
/* Convert a Linux signal to an access vector. */
1598
static inline u32 signal_to_av(int sig)
1599
{
1600
	u32 perm = 0;
1601

1602
	switch (sig) {
1603
	case SIGCHLD:
1604
		/* Commonly granted from child to parent. */
1605
		perm = PROCESS__SIGCHLD;
1606
		break;
1607
	case SIGKILL:
1608
		/* Cannot be caught or ignored */
1609
		perm = PROCESS__SIGKILL;
1610
		break;
1611
	case SIGSTOP:
1612
		/* Cannot be caught or ignored */
1613
		perm = PROCESS__SIGSTOP;
1614
		break;
1615
	default:
1616
		/* All other signals. */
1617
		perm = PROCESS__SIGNAL;
1618
		break;
1619
	}
1620

1621
	return perm;
1622
}
1623

1624
#if CAP_LAST_CAP > 63
1625
#error Fix SELinux to handle capabilities > 63.
1626
#endif
1627

1628
/* Check whether a task is allowed to use a capability. */
1629
static int cred_has_capability(const struct cred *cred,
1630
			       int cap, unsigned int opts, bool initns)
1631
{
1632
	struct common_audit_data ad;
1633
	struct av_decision avd;
1634
	u16 sclass;
1635
	u32 sid = cred_sid(cred);
1636
	u32 av = CAP_TO_MASK(cap);
1637
	int rc;
1638

1639
	ad.type = LSM_AUDIT_DATA_CAP;
1640
	ad.u.cap = cap;
1641

1642
	switch (CAP_TO_INDEX(cap)) {
1643
	case 0:
1644
		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1645
		break;
1646
	case 1:
1647
		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1648
		break;
1649
	default:
1650
		pr_err("SELinux:  out of range capability %d\n", cap);
1651
		BUG();
1652
		return -EINVAL;
1653
	}
1654

1655
	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1656
	if (!(opts & CAP_OPT_NOAUDIT)) {
1657
		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1658
		if (rc2)
1659
			return rc2;
1660
	}
1661
	return rc;
1662
}
1663

1664
/* Check whether a task has a particular permission to an inode.
1665
   The 'adp' parameter is optional and allows other audit
1666
   data to be passed (e.g. the dentry). */
1667
static int inode_has_perm(const struct cred *cred,
1668
			  struct inode *inode,
1669
			  u32 perms,
1670
			  struct common_audit_data *adp)
1671
{
1672
	struct inode_security_struct *isec;
1673
	u32 sid;
1674

1675
	if (unlikely(IS_PRIVATE(inode)))
1676
		return 0;
1677

1678
	sid = cred_sid(cred);
1679
	isec = selinux_inode(inode);
1680

1681
	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1682
}
1683

1684
/* Same as inode_has_perm, but pass explicit audit data containing
1685
   the dentry to help the auditing code to more easily generate the
1686
   pathname if needed. */
1687
static inline int dentry_has_perm(const struct cred *cred,
1688
				  struct dentry *dentry,
1689
				  u32 av)
1690
{
1691
	struct common_audit_data ad;
1692
	struct inode *inode = d_backing_inode(dentry);
1693
	struct inode_security_struct *isec = selinux_inode(inode);
1694

1695
	ad.type = LSM_AUDIT_DATA_DENTRY;
1696
	ad.u.dentry = dentry;
1697
	/* check below is racy, but revalidate will recheck with lock held */
1698
	if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED)))
1699
		__inode_security_revalidate(inode, dentry, true);
1700
	return inode_has_perm(cred, inode, av, &ad);
1701
}
1702

1703
/* Same as inode_has_perm, but pass explicit audit data containing
1704
   the path to help the auditing code to more easily generate the
1705
   pathname if needed. */
1706
static inline int path_has_perm(const struct cred *cred,
1707
				const struct path *path,
1708
				u32 av)
1709
{
1710
	struct common_audit_data ad;
1711
	struct inode *inode = d_backing_inode(path->dentry);
1712
	struct inode_security_struct *isec = selinux_inode(inode);
1713

1714
	ad.type = LSM_AUDIT_DATA_PATH;
1715
	ad.u.path = *path;
1716
	/* check below is racy, but revalidate will recheck with lock held */
1717
	if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED)))
1718
		__inode_security_revalidate(inode, path->dentry, true);
1719
	return inode_has_perm(cred, inode, av, &ad);
1720
}
1721

1722
/* Same as path_has_perm, but uses the inode from the file struct. */
1723
static inline int file_path_has_perm(const struct cred *cred,
1724
				     struct file *file,
1725
				     u32 av)
1726
{
1727
	struct common_audit_data ad;
1728

1729
	ad.type = LSM_AUDIT_DATA_FILE;
1730
	ad.u.file = file;
1731
	return inode_has_perm(cred, file_inode(file), av, &ad);
1732
}
1733

1734
#ifdef CONFIG_BPF_SYSCALL
1735
static int bpf_fd_pass(const struct file *file, u32 sid);
1736
#endif
1737

1738
/* Check whether a task can use an open file descriptor to
1739
   access an inode in a given way.  Check access to the
1740
   descriptor itself, and then use dentry_has_perm to
1741
   check a particular permission to the file.
1742
   Access to the descriptor is implicitly granted if it
1743
   has the same SID as the process.  If av is zero, then
1744
   access to the file is not checked, e.g. for cases
1745
   where only the descriptor is affected like seek. */
1746
static int file_has_perm(const struct cred *cred,
1747
			 struct file *file,
1748
			 u32 av)
1749
{
1750
	struct file_security_struct *fsec = selinux_file(file);
1751
	struct inode *inode = file_inode(file);
1752
	struct common_audit_data ad;
1753
	u32 sid = cred_sid(cred);
1754
	int rc;
1755

1756
	ad.type = LSM_AUDIT_DATA_FILE;
1757
	ad.u.file = file;
1758

1759
	if (sid != fsec->sid) {
1760
		rc = avc_has_perm(sid, fsec->sid,
1761
				  SECCLASS_FD,
1762
				  FD__USE,
1763
				  &ad);
1764
		if (rc)
1765
			goto out;
1766
	}
1767

1768
#ifdef CONFIG_BPF_SYSCALL
1769
	rc = bpf_fd_pass(file, cred_sid(cred));
1770
	if (rc)
1771
		return rc;
1772
#endif
1773

1774
	/* av is zero if only checking access to the descriptor. */
1775
	rc = 0;
1776
	if (av)
1777
		rc = inode_has_perm(cred, inode, av, &ad);
1778

1779
out:
1780
	return rc;
1781
}
1782

1783
/*
1784
 * Determine the label for an inode that might be unioned.
1785
 */
1786
static int
1787
selinux_determine_inode_label(const struct task_security_struct *tsec,
1788
				 struct inode *dir,
1789
				 const struct qstr *name, u16 tclass,
1790
				 u32 *_new_isid)
1791
{
1792
	const struct superblock_security_struct *sbsec =
1793
						selinux_superblock(dir->i_sb);
1794

1795
	if ((sbsec->flags & SE_SBINITIALIZED) &&
1796
	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1797
		*_new_isid = sbsec->mntpoint_sid;
1798
	} else if ((sbsec->flags & SBLABEL_MNT) &&
1799
		   tsec->create_sid) {
1800
		*_new_isid = tsec->create_sid;
1801
	} else {
1802
		const struct inode_security_struct *dsec = inode_security(dir);
1803
		return security_transition_sid(tsec->sid,
1804
					       dsec->sid, tclass,
1805
					       name, _new_isid);
1806
	}
1807

1808
	return 0;
1809
}
1810

1811
/* Check whether a task can create a file. */
1812
static int may_create(struct inode *dir,
1813
		      struct dentry *dentry,
1814
		      u16 tclass)
1815
{
1816
	const struct task_security_struct *tsec = selinux_cred(current_cred());
1817
	struct inode_security_struct *dsec;
1818
	struct superblock_security_struct *sbsec;
1819
	u32 sid, newsid;
1820
	struct common_audit_data ad;
1821
	int rc;
1822

1823
	dsec = inode_security(dir);
1824
	sbsec = selinux_superblock(dir->i_sb);
1825

1826
	sid = tsec->sid;
1827

1828
	ad.type = LSM_AUDIT_DATA_DENTRY;
1829
	ad.u.dentry = dentry;
1830

1831
	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1832
			  DIR__ADD_NAME | DIR__SEARCH,
1833
			  &ad);
1834
	if (rc)
1835
		return rc;
1836

1837
	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1838
					   &newsid);
1839
	if (rc)
1840
		return rc;
1841

1842
	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1843
	if (rc)
1844
		return rc;
1845

1846
	return avc_has_perm(newsid, sbsec->sid,
1847
			    SECCLASS_FILESYSTEM,
1848
			    FILESYSTEM__ASSOCIATE, &ad);
1849
}
1850

1851
#define MAY_LINK	0
1852
#define MAY_UNLINK	1
1853
#define MAY_RMDIR	2
1854

1855
/* Check whether a task can link, unlink, or rmdir a file/directory. */
1856
static int may_link(struct inode *dir,
1857
		    struct dentry *dentry,
1858
		    int kind)
1859

1860
{
1861
	struct inode_security_struct *dsec, *isec;
1862
	struct common_audit_data ad;
1863
	u32 sid = current_sid();
1864
	u32 av;
1865
	int rc;
1866

1867
	dsec = inode_security(dir);
1868
	isec = backing_inode_security(dentry);
1869

1870
	ad.type = LSM_AUDIT_DATA_DENTRY;
1871
	ad.u.dentry = dentry;
1872

1873
	av = DIR__SEARCH;
1874
	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1875
	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1876
	if (rc)
1877
		return rc;
1878

1879
	switch (kind) {
1880
	case MAY_LINK:
1881
		av = FILE__LINK;
1882
		break;
1883
	case MAY_UNLINK:
1884
		av = FILE__UNLINK;
1885
		break;
1886
	case MAY_RMDIR:
1887
		av = DIR__RMDIR;
1888
		break;
1889
	default:
1890
		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1891
			__func__, kind);
1892
		return 0;
1893
	}
1894

1895
	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1896
	return rc;
1897
}
1898

1899
static inline int may_rename(struct inode *old_dir,
1900
			     struct dentry *old_dentry,
1901
			     struct inode *new_dir,
1902
			     struct dentry *new_dentry)
1903
{
1904
	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1905
	struct common_audit_data ad;
1906
	u32 sid = current_sid();
1907
	u32 av;
1908
	int old_is_dir, new_is_dir;
1909
	int rc;
1910

1911
	old_dsec = inode_security(old_dir);
1912
	old_isec = backing_inode_security(old_dentry);
1913
	old_is_dir = d_is_dir(old_dentry);
1914
	new_dsec = inode_security(new_dir);
1915

1916
	ad.type = LSM_AUDIT_DATA_DENTRY;
1917

1918
	ad.u.dentry = old_dentry;
1919
	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1920
			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1921
	if (rc)
1922
		return rc;
1923
	rc = avc_has_perm(sid, old_isec->sid,
1924
			  old_isec->sclass, FILE__RENAME, &ad);
1925
	if (rc)
1926
		return rc;
1927
	if (old_is_dir && new_dir != old_dir) {
1928
		rc = avc_has_perm(sid, old_isec->sid,
1929
				  old_isec->sclass, DIR__REPARENT, &ad);
1930
		if (rc)
1931
			return rc;
1932
	}
1933

1934
	ad.u.dentry = new_dentry;
1935
	av = DIR__ADD_NAME | DIR__SEARCH;
1936
	if (d_is_positive(new_dentry))
1937
		av |= DIR__REMOVE_NAME;
1938
	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1939
	if (rc)
1940
		return rc;
1941
	if (d_is_positive(new_dentry)) {
1942
		new_isec = backing_inode_security(new_dentry);
1943
		new_is_dir = d_is_dir(new_dentry);
1944
		rc = avc_has_perm(sid, new_isec->sid,
1945
				  new_isec->sclass,
1946
				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1947
		if (rc)
1948
			return rc;
1949
	}
1950

1951
	return 0;
1952
}
1953

1954
/* Check whether a task can perform a filesystem operation. */
1955
static int superblock_has_perm(const struct cred *cred,
1956
			       const struct super_block *sb,
1957
			       u32 perms,
1958
			       struct common_audit_data *ad)
1959
{
1960
	struct superblock_security_struct *sbsec;
1961
	u32 sid = cred_sid(cred);
1962

1963
	sbsec = selinux_superblock(sb);
1964
	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1965
}
1966

1967
/* Convert a Linux mode and permission mask to an access vector. */
1968
static inline u32 file_mask_to_av(int mode, int mask)
1969
{
1970
	u32 av = 0;
1971

1972
	if (!S_ISDIR(mode)) {
1973
		if (mask & MAY_EXEC)
1974
			av |= FILE__EXECUTE;
1975
		if (mask & MAY_READ)
1976
			av |= FILE__READ;
1977

1978
		if (mask & MAY_APPEND)
1979
			av |= FILE__APPEND;
1980
		else if (mask & MAY_WRITE)
1981
			av |= FILE__WRITE;
1982

1983
	} else {
1984
		if (mask & MAY_EXEC)
1985
			av |= DIR__SEARCH;
1986
		if (mask & MAY_WRITE)
1987
			av |= DIR__WRITE;
1988
		if (mask & MAY_READ)
1989
			av |= DIR__READ;
1990
	}
1991

1992
	return av;
1993
}
1994

1995
/* Convert a Linux file to an access vector. */
1996
static inline u32 file_to_av(const struct file *file)
1997
{
1998
	u32 av = 0;
1999

2000
	if (file->f_mode & FMODE_READ)
2001
		av |= FILE__READ;
2002
	if (file->f_mode & FMODE_WRITE) {
2003
		if (file->f_flags & O_APPEND)
2004
			av |= FILE__APPEND;
2005
		else
2006
			av |= FILE__WRITE;
2007
	}
2008
	if (!av) {
2009
		/*
2010
		 * Special file opened with flags 3 for ioctl-only use.
2011
		 */
2012
		av = FILE__IOCTL;
2013
	}
2014

2015
	return av;
2016
}
2017

2018
/*
2019
 * Convert a file to an access vector and include the correct
2020
 * open permission.
2021
 */
2022
static inline u32 open_file_to_av(struct file *file)
2023
{
2024
	u32 av = file_to_av(file);
2025
	struct inode *inode = file_inode(file);
2026

2027
	if (selinux_policycap_openperm() &&
2028
	    inode->i_sb->s_magic != SOCKFS_MAGIC)
2029
		av |= FILE__OPEN;
2030

2031
	return av;
2032
}
2033

2034
/* Hook functions begin here. */
2035

2036
static int selinux_binder_set_context_mgr(const struct cred *mgr)
2037
{
2038
	return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2039
			    BINDER__SET_CONTEXT_MGR, NULL);
2040
}
2041

2042
static int selinux_binder_transaction(const struct cred *from,
2043
				      const struct cred *to)
2044
{
2045
	u32 mysid = current_sid();
2046
	u32 fromsid = cred_sid(from);
2047
	u32 tosid = cred_sid(to);
2048
	int rc;
2049

2050
	if (mysid != fromsid) {
2051
		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2052
				  BINDER__IMPERSONATE, NULL);
2053
		if (rc)
2054
			return rc;
2055
	}
2056

2057
	return avc_has_perm(fromsid, tosid,
2058
			    SECCLASS_BINDER, BINDER__CALL, NULL);
2059
}
2060

2061
static int selinux_binder_transfer_binder(const struct cred *from,
2062
					  const struct cred *to)
2063
{
2064
	return avc_has_perm(cred_sid(from), cred_sid(to),
2065
			    SECCLASS_BINDER, BINDER__TRANSFER,
2066
			    NULL);
2067
}
2068

2069
static int selinux_binder_transfer_file(const struct cred *from,
2070
					const struct cred *to,
2071
					const struct file *file)
2072
{
2073
	u32 sid = cred_sid(to);
2074
	struct file_security_struct *fsec = selinux_file(file);
2075
	struct dentry *dentry = file->f_path.dentry;
2076
	struct inode_security_struct *isec;
2077
	struct common_audit_data ad;
2078
	int rc;
2079

2080
	ad.type = LSM_AUDIT_DATA_PATH;
2081
	ad.u.path = file->f_path;
2082

2083
	if (sid != fsec->sid) {
2084
		rc = avc_has_perm(sid, fsec->sid,
2085
				  SECCLASS_FD,
2086
				  FD__USE,
2087
				  &ad);
2088
		if (rc)
2089
			return rc;
2090
	}
2091

2092
#ifdef CONFIG_BPF_SYSCALL
2093
	rc = bpf_fd_pass(file, sid);
2094
	if (rc)
2095
		return rc;
2096
#endif
2097

2098
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2099
		return 0;
2100

2101
	isec = backing_inode_security(dentry);
2102
	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2103
			    &ad);
2104
}
2105

2106
static int selinux_ptrace_access_check(struct task_struct *child,
2107
				       unsigned int mode)
2108
{
2109
	u32 sid = current_sid();
2110
	u32 csid = task_sid_obj(child);
2111

2112
	if (mode & PTRACE_MODE_READ)
2113
		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2114
				NULL);
2115

2116
	return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2117
			NULL);
2118
}
2119

2120
static int selinux_ptrace_traceme(struct task_struct *parent)
2121
{
2122
	return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
2123
			    SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2124
}
2125

2126
static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
2127
			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2128
{
2129
	return avc_has_perm(current_sid(), task_sid_obj(target),
2130
			SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
2131
}
2132

2133
static int selinux_capset(struct cred *new, const struct cred *old,
2134
			  const kernel_cap_t *effective,
2135
			  const kernel_cap_t *inheritable,
2136
			  const kernel_cap_t *permitted)
2137
{
2138
	return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2139
			    PROCESS__SETCAP, NULL);
2140
}
2141

2142
/*
2143
 * (This comment used to live with the selinux_task_setuid hook,
2144
 * which was removed).
2145
 *
2146
 * Since setuid only affects the current process, and since the SELinux
2147
 * controls are not based on the Linux identity attributes, SELinux does not
2148
 * need to control this operation.  However, SELinux does control the use of
2149
 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2150
 */
2151

2152
static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2153
			   int cap, unsigned int opts)
2154
{
2155
	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2156
}
2157

2158
static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb)
2159
{
2160
	const struct cred *cred = current_cred();
2161
	int rc = 0;
2162

2163
	if (!sb)
2164
		return 0;
2165

2166
	switch (cmds) {
2167
	case Q_SYNC:
2168
	case Q_QUOTAON:
2169
	case Q_QUOTAOFF:
2170
	case Q_SETINFO:
2171
	case Q_SETQUOTA:
2172
	case Q_XQUOTAOFF:
2173
	case Q_XQUOTAON:
2174
	case Q_XSETQLIM:
2175
		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2176
		break;
2177
	case Q_GETFMT:
2178
	case Q_GETINFO:
2179
	case Q_GETQUOTA:
2180
	case Q_XGETQUOTA:
2181
	case Q_XGETQSTAT:
2182
	case Q_XGETQSTATV:
2183
	case Q_XGETNEXTQUOTA:
2184
		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2185
		break;
2186
	default:
2187
		rc = 0;  /* let the kernel handle invalid cmds */
2188
		break;
2189
	}
2190
	return rc;
2191
}
2192

2193
static int selinux_quota_on(struct dentry *dentry)
2194
{
2195
	const struct cred *cred = current_cred();
2196

2197
	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2198
}
2199

2200
static int selinux_syslog(int type)
2201
{
2202
	switch (type) {
2203
	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2204
	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2205
		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2206
				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2207
	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2208
	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2209
	/* Set level of messages printed to console */
2210
	case SYSLOG_ACTION_CONSOLE_LEVEL:
2211
		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2212
				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2213
				    NULL);
2214
	}
2215
	/* All other syslog types */
2216
	return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2217
			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2218
}
2219

2220
/*
2221
 * Check permission for allocating a new virtual mapping. Returns
2222
 * 0 if permission is granted, negative error code if not.
2223
 *
2224
 * Do not audit the selinux permission check, as this is applied to all
2225
 * processes that allocate mappings.
2226
 */
2227
static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2228
{
2229
	return cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2230
				   CAP_OPT_NOAUDIT, true);
2231
}
2232

2233
/* binprm security operations */
2234

2235
static u32 ptrace_parent_sid(void)
2236
{
2237
	u32 sid = 0;
2238
	struct task_struct *tracer;
2239

2240
	rcu_read_lock();
2241
	tracer = ptrace_parent(current);
2242
	if (tracer)
2243
		sid = task_sid_obj(tracer);
2244
	rcu_read_unlock();
2245

2246
	return sid;
2247
}
2248

2249
static int check_nnp_nosuid(const struct linux_binprm *bprm,
2250
			    const struct task_security_struct *old_tsec,
2251
			    const struct task_security_struct *new_tsec)
2252
{
2253
	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2254
	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2255
	int rc;
2256
	u32 av;
2257

2258
	if (!nnp && !nosuid)
2259
		return 0; /* neither NNP nor nosuid */
2260

2261
	if (new_tsec->sid == old_tsec->sid)
2262
		return 0; /* No change in credentials */
2263

2264
	/*
2265
	 * If the policy enables the nnp_nosuid_transition policy capability,
2266
	 * then we permit transitions under NNP or nosuid if the
2267
	 * policy allows the corresponding permission between
2268
	 * the old and new contexts.
2269
	 */
2270
	if (selinux_policycap_nnp_nosuid_transition()) {
2271
		av = 0;
2272
		if (nnp)
2273
			av |= PROCESS2__NNP_TRANSITION;
2274
		if (nosuid)
2275
			av |= PROCESS2__NOSUID_TRANSITION;
2276
		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2277
				  SECCLASS_PROCESS2, av, NULL);
2278
		if (!rc)
2279
			return 0;
2280
	}
2281

2282
	/*
2283
	 * We also permit NNP or nosuid transitions to bounded SIDs,
2284
	 * i.e. SIDs that are guaranteed to only be allowed a subset
2285
	 * of the permissions of the current SID.
2286
	 */
2287
	rc = security_bounded_transition(old_tsec->sid,
2288
					 new_tsec->sid);
2289
	if (!rc)
2290
		return 0;
2291

2292
	/*
2293
	 * On failure, preserve the errno values for NNP vs nosuid.
2294
	 * NNP:  Operation not permitted for caller.
2295
	 * nosuid:  Permission denied to file.
2296
	 */
2297
	if (nnp)
2298
		return -EPERM;
2299
	return -EACCES;
2300
}
2301

2302
static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2303
{
2304
	const struct task_security_struct *old_tsec;
2305
	struct task_security_struct *new_tsec;
2306
	struct inode_security_struct *isec;
2307
	struct common_audit_data ad;
2308
	struct inode *inode = file_inode(bprm->file);
2309
	int rc;
2310

2311
	/* SELinux context only depends on initial program or script and not
2312
	 * the script interpreter */
2313

2314
	old_tsec = selinux_cred(current_cred());
2315
	new_tsec = selinux_cred(bprm->cred);
2316
	isec = inode_security(inode);
2317

2318
	/* Default to the current task SID. */
2319
	new_tsec->sid = old_tsec->sid;
2320
	new_tsec->osid = old_tsec->sid;
2321

2322
	/* Reset fs, key, and sock SIDs on execve. */
2323
	new_tsec->create_sid = 0;
2324
	new_tsec->keycreate_sid = 0;
2325
	new_tsec->sockcreate_sid = 0;
2326

2327
	/*
2328
	 * Before policy is loaded, label any task outside kernel space
2329
	 * as SECINITSID_INIT, so that any userspace tasks surviving from
2330
	 * early boot end up with a label different from SECINITSID_KERNEL
2331
	 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).
2332
	 */
2333
	if (!selinux_initialized()) {
2334
		new_tsec->sid = SECINITSID_INIT;
2335
		/* also clear the exec_sid just in case */
2336
		new_tsec->exec_sid = 0;
2337
		return 0;
2338
	}
2339

2340
	if (old_tsec->exec_sid) {
2341
		new_tsec->sid = old_tsec->exec_sid;
2342
		/* Reset exec SID on execve. */
2343
		new_tsec->exec_sid = 0;
2344

2345
		/* Fail on NNP or nosuid if not an allowed transition. */
2346
		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2347
		if (rc)
2348
			return rc;
2349
	} else {
2350
		/* Check for a default transition on this program. */
2351
		rc = security_transition_sid(old_tsec->sid,
2352
					     isec->sid, SECCLASS_PROCESS, NULL,
2353
					     &new_tsec->sid);
2354
		if (rc)
2355
			return rc;
2356

2357
		/*
2358
		 * Fallback to old SID on NNP or nosuid if not an allowed
2359
		 * transition.
2360
		 */
2361
		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2362
		if (rc)
2363
			new_tsec->sid = old_tsec->sid;
2364
	}
2365

2366
	ad.type = LSM_AUDIT_DATA_FILE;
2367
	ad.u.file = bprm->file;
2368

2369
	if (new_tsec->sid == old_tsec->sid) {
2370
		rc = avc_has_perm(old_tsec->sid, isec->sid,
2371
				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2372
		if (rc)
2373
			return rc;
2374
	} else {
2375
		/* Check permissions for the transition. */
2376
		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2377
				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2378
		if (rc)
2379
			return rc;
2380

2381
		rc = avc_has_perm(new_tsec->sid, isec->sid,
2382
				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2383
		if (rc)
2384
			return rc;
2385

2386
		/* Check for shared state */
2387
		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2388
			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2389
					  SECCLASS_PROCESS, PROCESS__SHARE,
2390
					  NULL);
2391
			if (rc)
2392
				return -EPERM;
2393
		}
2394

2395
		/* Make sure that anyone attempting to ptrace over a task that
2396
		 * changes its SID has the appropriate permit */
2397
		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2398
			u32 ptsid = ptrace_parent_sid();
2399
			if (ptsid != 0) {
2400
				rc = avc_has_perm(ptsid, new_tsec->sid,
2401
						  SECCLASS_PROCESS,
2402
						  PROCESS__PTRACE, NULL);
2403
				if (rc)
2404
					return -EPERM;
2405
			}
2406
		}
2407

2408
		/* Clear any possibly unsafe personality bits on exec: */
2409
		bprm->per_clear |= PER_CLEAR_ON_SETID;
2410

2411
		/* Enable secure mode for SIDs transitions unless
2412
		   the noatsecure permission is granted between
2413
		   the two SIDs, i.e. ahp returns 0. */
2414
		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2415
				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2416
				  NULL);
2417
		bprm->secureexec |= !!rc;
2418
	}
2419

2420
	return 0;
2421
}
2422

2423
static int match_file(const void *p, struct file *file, unsigned fd)
2424
{
2425
	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2426
}
2427

2428
/* Derived from fs/exec.c:flush_old_files. */
2429
static inline void flush_unauthorized_files(const struct cred *cred,
2430
					    struct files_struct *files)
2431
{
2432
	struct file *file, *devnull = NULL;
2433
	struct tty_struct *tty;
2434
	int drop_tty = 0;
2435
	unsigned n;
2436

2437
	tty = get_current_tty();
2438
	if (tty) {
2439
		spin_lock(&tty->files_lock);
2440
		if (!list_empty(&tty->tty_files)) {
2441
			struct tty_file_private *file_priv;
2442

2443
			/* Revalidate access to controlling tty.
2444
			   Use file_path_has_perm on the tty path directly
2445
			   rather than using file_has_perm, as this particular
2446
			   open file may belong to another process and we are
2447
			   only interested in the inode-based check here. */
2448
			file_priv = list_first_entry(&tty->tty_files,
2449
						struct tty_file_private, list);
2450
			file = file_priv->file;
2451
			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2452
				drop_tty = 1;
2453
		}
2454
		spin_unlock(&tty->files_lock);
2455
		tty_kref_put(tty);
2456
	}
2457
	/* Reset controlling tty. */
2458
	if (drop_tty)
2459
		no_tty();
2460

2461
	/* Revalidate access to inherited open files. */
2462
	n = iterate_fd(files, 0, match_file, cred);
2463
	if (!n) /* none found? */
2464
		return;
2465

2466
	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2467
	if (IS_ERR(devnull))
2468
		devnull = NULL;
2469
	/* replace all the matching ones with this */
2470
	do {
2471
		replace_fd(n - 1, devnull, 0);
2472
	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2473
	if (devnull)
2474
		fput(devnull);
2475
}
2476

2477
/*
2478
 * Prepare a process for imminent new credential changes due to exec
2479
 */
2480
static void selinux_bprm_committing_creds(const struct linux_binprm *bprm)
2481
{
2482
	struct task_security_struct *new_tsec;
2483
	struct rlimit *rlim, *initrlim;
2484
	int rc, i;
2485

2486
	new_tsec = selinux_cred(bprm->cred);
2487
	if (new_tsec->sid == new_tsec->osid)
2488
		return;
2489

2490
	/* Close files for which the new task SID is not authorized. */
2491
	flush_unauthorized_files(bprm->cred, current->files);
2492

2493
	/* Always clear parent death signal on SID transitions. */
2494
	current->pdeath_signal = 0;
2495

2496
	/* Check whether the new SID can inherit resource limits from the old
2497
	 * SID.  If not, reset all soft limits to the lower of the current
2498
	 * task's hard limit and the init task's soft limit.
2499
	 *
2500
	 * Note that the setting of hard limits (even to lower them) can be
2501
	 * controlled by the setrlimit check.  The inclusion of the init task's
2502
	 * soft limit into the computation is to avoid resetting soft limits
2503
	 * higher than the default soft limit for cases where the default is
2504
	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2505
	 */
2506
	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2507
			  PROCESS__RLIMITINH, NULL);
2508
	if (rc) {
2509
		/* protect against do_prlimit() */
2510
		task_lock(current);
2511
		for (i = 0; i < RLIM_NLIMITS; i++) {
2512
			rlim = current->signal->rlim + i;
2513
			initrlim = init_task.signal->rlim + i;
2514
			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2515
		}
2516
		task_unlock(current);
2517
		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2518
			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2519
	}
2520
}
2521

2522
/*
2523
 * Clean up the process immediately after the installation of new credentials
2524
 * due to exec
2525
 */
2526
static void selinux_bprm_committed_creds(const struct linux_binprm *bprm)
2527
{
2528
	const struct task_security_struct *tsec = selinux_cred(current_cred());
2529
	u32 osid, sid;
2530
	int rc;
2531

2532
	osid = tsec->osid;
2533
	sid = tsec->sid;
2534

2535
	if (sid == osid)
2536
		return;
2537

2538
	/* Check whether the new SID can inherit signal state from the old SID.
2539
	 * If not, clear itimers to avoid subsequent signal generation and
2540
	 * flush and unblock signals.
2541
	 *
2542
	 * This must occur _after_ the task SID has been updated so that any
2543
	 * kill done after the flush will be checked against the new SID.
2544
	 */
2545
	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2546
	if (rc) {
2547
		clear_itimer();
2548

2549
		spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2550
		if (!fatal_signal_pending(current)) {
2551
			flush_sigqueue(&current->pending);
2552
			flush_sigqueue(&current->signal->shared_pending);
2553
			flush_signal_handlers(current, 1);
2554
			sigemptyset(&current->blocked);
2555
			recalc_sigpending();
2556
		}
2557
		spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2558
	}
2559

2560
	/* Wake up the parent if it is waiting so that it can recheck
2561
	 * wait permission to the new task SID. */
2562
	read_lock(&tasklist_lock);
2563
	__wake_up_parent(current, unrcu_pointer(current->real_parent));
2564
	read_unlock(&tasklist_lock);
2565
}
2566

2567
/* superblock security operations */
2568

2569
static int selinux_sb_alloc_security(struct super_block *sb)
2570
{
2571
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2572

2573
	mutex_init(&sbsec->lock);
2574
	INIT_LIST_HEAD(&sbsec->isec_head);
2575
	spin_lock_init(&sbsec->isec_lock);
2576
	sbsec->sid = SECINITSID_UNLABELED;
2577
	sbsec->def_sid = SECINITSID_FILE;
2578
	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2579

2580
	return 0;
2581
}
2582

2583
static inline int opt_len(const char *s)
2584
{
2585
	bool open_quote = false;
2586
	int len;
2587
	char c;
2588

2589
	for (len = 0; (c = s[len]) != '\0'; len++) {
2590
		if (c == '"')
2591
			open_quote = !open_quote;
2592
		if (c == ',' && !open_quote)
2593
			break;
2594
	}
2595
	return len;
2596
}
2597

2598
static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2599
{
2600
	char *from = options;
2601
	char *to = options;
2602
	bool first = true;
2603
	int rc;
2604

2605
	while (1) {
2606
		int len = opt_len(from);
2607
		int token;
2608
		char *arg = NULL;
2609

2610
		token = match_opt_prefix(from, len, &arg);
2611

2612
		if (token != Opt_error) {
2613
			char *p, *q;
2614

2615
			/* strip quotes */
2616
			if (arg) {
2617
				for (p = q = arg; p < from + len; p++) {
2618
					char c = *p;
2619
					if (c != '"')
2620
						*q++ = c;
2621
				}
2622
				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2623
				if (!arg) {
2624
					rc = -ENOMEM;
2625
					goto free_opt;
2626
				}
2627
			}
2628
			rc = selinux_add_opt(token, arg, mnt_opts);
2629
			kfree(arg);
2630
			arg = NULL;
2631
			if (unlikely(rc)) {
2632
				goto free_opt;
2633
			}
2634
		} else {
2635
			if (!first) {	// copy with preceding comma
2636
				from--;
2637
				len++;
2638
			}
2639
			if (to != from)
2640
				memmove(to, from, len);
2641
			to += len;
2642
			first = false;
2643
		}
2644
		if (!from[len])
2645
			break;
2646
		from += len + 1;
2647
	}
2648
	*to = '\0';
2649
	return 0;
2650

2651
free_opt:
2652
	if (*mnt_opts) {
2653
		selinux_free_mnt_opts(*mnt_opts);
2654
		*mnt_opts = NULL;
2655
	}
2656
	return rc;
2657
}
2658

2659
static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2660
{
2661
	struct selinux_mnt_opts *opts = mnt_opts;
2662
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2663

2664
	/*
2665
	 * Superblock not initialized (i.e. no options) - reject if any
2666
	 * options specified, otherwise accept.
2667
	 */
2668
	if (!(sbsec->flags & SE_SBINITIALIZED))
2669
		return opts ? 1 : 0;
2670

2671
	/*
2672
	 * Superblock initialized and no options specified - reject if
2673
	 * superblock has any options set, otherwise accept.
2674
	 */
2675
	if (!opts)
2676
		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2677

2678
	if (opts->fscontext_sid) {
2679
		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2680
			       opts->fscontext_sid))
2681
			return 1;
2682
	}
2683
	if (opts->context_sid) {
2684
		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2685
			       opts->context_sid))
2686
			return 1;
2687
	}
2688
	if (opts->rootcontext_sid) {
2689
		struct inode_security_struct *root_isec;
2690

2691
		root_isec = backing_inode_security(sb->s_root);
2692
		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2693
			       opts->rootcontext_sid))
2694
			return 1;
2695
	}
2696
	if (opts->defcontext_sid) {
2697
		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2698
			       opts->defcontext_sid))
2699
			return 1;
2700
	}
2701
	return 0;
2702
}
2703

2704
static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2705
{
2706
	struct selinux_mnt_opts *opts = mnt_opts;
2707
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2708

2709
	if (!(sbsec->flags & SE_SBINITIALIZED))
2710
		return 0;
2711

2712
	if (!opts)
2713
		return 0;
2714

2715
	if (opts->fscontext_sid) {
2716
		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2717
			       opts->fscontext_sid))
2718
			goto out_bad_option;
2719
	}
2720
	if (opts->context_sid) {
2721
		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2722
			       opts->context_sid))
2723
			goto out_bad_option;
2724
	}
2725
	if (opts->rootcontext_sid) {
2726
		struct inode_security_struct *root_isec;
2727
		root_isec = backing_inode_security(sb->s_root);
2728
		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2729
			       opts->rootcontext_sid))
2730
			goto out_bad_option;
2731
	}
2732
	if (opts->defcontext_sid) {
2733
		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2734
			       opts->defcontext_sid))
2735
			goto out_bad_option;
2736
	}
2737
	return 0;
2738

2739
out_bad_option:
2740
	pr_warn("SELinux: unable to change security options "
2741
	       "during remount (dev %s, type=%s)\n", sb->s_id,
2742
	       sb->s_type->name);
2743
	return -EINVAL;
2744
}
2745

2746
static int selinux_sb_kern_mount(const struct super_block *sb)
2747
{
2748
	const struct cred *cred = current_cred();
2749
	struct common_audit_data ad;
2750

2751
	ad.type = LSM_AUDIT_DATA_DENTRY;
2752
	ad.u.dentry = sb->s_root;
2753
	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2754
}
2755

2756
static int selinux_sb_statfs(struct dentry *dentry)
2757
{
2758
	const struct cred *cred = current_cred();
2759
	struct common_audit_data ad;
2760

2761
	ad.type = LSM_AUDIT_DATA_DENTRY;
2762
	ad.u.dentry = dentry->d_sb->s_root;
2763
	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2764
}
2765

2766
static int selinux_mount(const char *dev_name,
2767
			 const struct path *path,
2768
			 const char *type,
2769
			 unsigned long flags,
2770
			 void *data)
2771
{
2772
	const struct cred *cred = current_cred();
2773

2774
	if (flags & MS_REMOUNT)
2775
		return superblock_has_perm(cred, path->dentry->d_sb,
2776
					   FILESYSTEM__REMOUNT, NULL);
2777
	else
2778
		return path_has_perm(cred, path, FILE__MOUNTON);
2779
}
2780

2781
static int selinux_move_mount(const struct path *from_path,
2782
			      const struct path *to_path)
2783
{
2784
	const struct cred *cred = current_cred();
2785

2786
	return path_has_perm(cred, to_path, FILE__MOUNTON);
2787
}
2788

2789
static int selinux_umount(struct vfsmount *mnt, int flags)
2790
{
2791
	const struct cred *cred = current_cred();
2792

2793
	return superblock_has_perm(cred, mnt->mnt_sb,
2794
				   FILESYSTEM__UNMOUNT, NULL);
2795
}
2796

2797
static int selinux_fs_context_submount(struct fs_context *fc,
2798
				   struct super_block *reference)
2799
{
2800
	const struct superblock_security_struct *sbsec = selinux_superblock(reference);
2801
	struct selinux_mnt_opts *opts;
2802

2803
	/*
2804
	 * Ensure that fc->security remains NULL when no options are set
2805
	 * as expected by selinux_set_mnt_opts().
2806
	 */
2807
	if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2808
		return 0;
2809

2810
	opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2811
	if (!opts)
2812
		return -ENOMEM;
2813

2814
	if (sbsec->flags & FSCONTEXT_MNT)
2815
		opts->fscontext_sid = sbsec->sid;
2816
	if (sbsec->flags & CONTEXT_MNT)
2817
		opts->context_sid = sbsec->mntpoint_sid;
2818
	if (sbsec->flags & DEFCONTEXT_MNT)
2819
		opts->defcontext_sid = sbsec->def_sid;
2820
	fc->security = opts;
2821
	return 0;
2822
}
2823

2824
static int selinux_fs_context_dup(struct fs_context *fc,
2825
				  struct fs_context *src_fc)
2826
{
2827
	const struct selinux_mnt_opts *src = src_fc->security;
2828

2829
	if (!src)
2830
		return 0;
2831

2832
	fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2833
	return fc->security ? 0 : -ENOMEM;
2834
}
2835

2836
static const struct fs_parameter_spec selinux_fs_parameters[] = {
2837
	fsparam_string(CONTEXT_STR,	Opt_context),
2838
	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2839
	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2840
	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2841
	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2842
	{}
2843
};
2844

2845
static int selinux_fs_context_parse_param(struct fs_context *fc,
2846
					  struct fs_parameter *param)
2847
{
2848
	struct fs_parse_result result;
2849
	int opt;
2850

2851
	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2852
	if (opt < 0)
2853
		return opt;
2854

2855
	return selinux_add_opt(opt, param->string, &fc->security);
2856
}
2857

2858
/* inode security operations */
2859

2860
static int selinux_inode_alloc_security(struct inode *inode)
2861
{
2862
	struct inode_security_struct *isec = selinux_inode(inode);
2863
	u32 sid = current_sid();
2864

2865
	spin_lock_init(&isec->lock);
2866
	INIT_LIST_HEAD(&isec->list);
2867
	isec->inode = inode;
2868
	isec->sid = SECINITSID_UNLABELED;
2869
	isec->sclass = SECCLASS_FILE;
2870
	isec->task_sid = sid;
2871
	isec->initialized = LABEL_INVALID;
2872

2873
	return 0;
2874
}
2875

2876
static void selinux_inode_free_security(struct inode *inode)
2877
{
2878
	inode_free_security(inode);
2879
}
2880

2881
static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2882
					const struct qstr *name,
2883
					const char **xattr_name,
2884
					struct lsm_context *cp)
2885
{
2886
	u32 newsid;
2887
	int rc;
2888

2889
	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2890
					   d_inode(dentry->d_parent), name,
2891
					   inode_mode_to_security_class(mode),
2892
					   &newsid);
2893
	if (rc)
2894
		return rc;
2895

2896
	if (xattr_name)
2897
		*xattr_name = XATTR_NAME_SELINUX;
2898

2899
	cp->id = LSM_ID_SELINUX;
2900
	return security_sid_to_context(newsid, &cp->context, &cp->len);
2901
}
2902

2903
static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2904
					  struct qstr *name,
2905
					  const struct cred *old,
2906
					  struct cred *new)
2907
{
2908
	u32 newsid;
2909
	int rc;
2910
	struct task_security_struct *tsec;
2911

2912
	rc = selinux_determine_inode_label(selinux_cred(old),
2913
					   d_inode(dentry->d_parent), name,
2914
					   inode_mode_to_security_class(mode),
2915
					   &newsid);
2916
	if (rc)
2917
		return rc;
2918

2919
	tsec = selinux_cred(new);
2920
	tsec->create_sid = newsid;
2921
	return 0;
2922
}
2923

2924
static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2925
				       const struct qstr *qstr,
2926
				       struct xattr *xattrs, int *xattr_count)
2927
{
2928
	const struct task_security_struct *tsec = selinux_cred(current_cred());
2929
	struct superblock_security_struct *sbsec;
2930
	struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
2931
	u32 newsid, clen;
2932
	u16 newsclass;
2933
	int rc;
2934
	char *context;
2935

2936
	sbsec = selinux_superblock(dir->i_sb);
2937

2938
	newsid = tsec->create_sid;
2939
	newsclass = inode_mode_to_security_class(inode->i_mode);
2940
	rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid);
2941
	if (rc)
2942
		return rc;
2943

2944
	/* Possibly defer initialization to selinux_complete_init. */
2945
	if (sbsec->flags & SE_SBINITIALIZED) {
2946
		struct inode_security_struct *isec = selinux_inode(inode);
2947
		isec->sclass = newsclass;
2948
		isec->sid = newsid;
2949
		isec->initialized = LABEL_INITIALIZED;
2950
	}
2951

2952
	if (!selinux_initialized() ||
2953
	    !(sbsec->flags & SBLABEL_MNT))
2954
		return -EOPNOTSUPP;
2955

2956
	if (xattr) {
2957
		rc = security_sid_to_context_force(newsid,
2958
						   &context, &clen);
2959
		if (rc)
2960
			return rc;
2961
		xattr->value = context;
2962
		xattr->value_len = clen;
2963
		xattr->name = XATTR_SELINUX_SUFFIX;
2964
	}
2965

2966
	return 0;
2967
}
2968

2969
static int selinux_inode_init_security_anon(struct inode *inode,
2970
					    const struct qstr *name,
2971
					    const struct inode *context_inode)
2972
{
2973
	u32 sid = current_sid();
2974
	struct common_audit_data ad;
2975
	struct inode_security_struct *isec;
2976
	int rc;
2977

2978
	if (unlikely(!selinux_initialized()))
2979
		return 0;
2980

2981
	isec = selinux_inode(inode);
2982

2983
	/*
2984
	 * We only get here once per ephemeral inode.  The inode has
2985
	 * been initialized via inode_alloc_security but is otherwise
2986
	 * untouched.
2987
	 */
2988

2989
	if (context_inode) {
2990
		struct inode_security_struct *context_isec =
2991
			selinux_inode(context_inode);
2992
		if (context_isec->initialized != LABEL_INITIALIZED) {
2993
			pr_err("SELinux:  context_inode is not initialized\n");
2994
			return -EACCES;
2995
		}
2996

2997
		isec->sclass = context_isec->sclass;
2998
		isec->sid = context_isec->sid;
2999
	} else {
3000
		isec->sclass = SECCLASS_ANON_INODE;
3001
		rc = security_transition_sid(
3002
			sid, sid,
3003
			isec->sclass, name, &isec->sid);
3004
		if (rc)
3005
			return rc;
3006
	}
3007

3008
	isec->initialized = LABEL_INITIALIZED;
3009
	/*
3010
	 * Now that we've initialized security, check whether we're
3011
	 * allowed to actually create this type of anonymous inode.
3012
	 */
3013

3014
	ad.type = LSM_AUDIT_DATA_ANONINODE;
3015
	ad.u.anonclass = name ? (const char *)name->name : "?";
3016

3017
	return avc_has_perm(sid,
3018
			    isec->sid,
3019
			    isec->sclass,
3020
			    FILE__CREATE,
3021
			    &ad);
3022
}
3023

3024
static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3025
{
3026
	return may_create(dir, dentry, SECCLASS_FILE);
3027
}
3028

3029
static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3030
{
3031
	return may_link(dir, old_dentry, MAY_LINK);
3032
}
3033

3034
static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3035
{
3036
	return may_link(dir, dentry, MAY_UNLINK);
3037
}
3038

3039
static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3040
{
3041
	return may_create(dir, dentry, SECCLASS_LNK_FILE);
3042
}
3043

3044
static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3045
{
3046
	return may_create(dir, dentry, SECCLASS_DIR);
3047
}
3048

3049
static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3050
{
3051
	return may_link(dir, dentry, MAY_RMDIR);
3052
}
3053

3054
static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3055
{
3056
	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3057
}
3058

3059
static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3060
				struct inode *new_inode, struct dentry *new_dentry)
3061
{
3062
	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3063
}
3064

3065
static int selinux_inode_readlink(struct dentry *dentry)
3066
{
3067
	const struct cred *cred = current_cred();
3068

3069
	return dentry_has_perm(cred, dentry, FILE__READ);
3070
}
3071

3072
static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3073
				     bool rcu)
3074
{
3075
	struct common_audit_data ad;
3076
	struct inode_security_struct *isec;
3077
	u32 sid = current_sid();
3078

3079
	ad.type = LSM_AUDIT_DATA_DENTRY;
3080
	ad.u.dentry = dentry;
3081
	isec = inode_security_rcu(inode, rcu);
3082
	if (IS_ERR(isec))
3083
		return PTR_ERR(isec);
3084

3085
	return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
3086
}
3087

3088
static noinline int audit_inode_permission(struct inode *inode,
3089
					   u32 perms, u32 audited, u32 denied,
3090
					   int result)
3091
{
3092
	struct common_audit_data ad;
3093
	struct inode_security_struct *isec = selinux_inode(inode);
3094

3095
	ad.type = LSM_AUDIT_DATA_INODE;
3096
	ad.u.inode = inode;
3097

3098
	return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3099
			    audited, denied, result, &ad);
3100
}
3101

3102
/**
3103
 * task_avdcache_reset - Reset the task's AVD cache
3104
 * @tsec: the task's security state
3105
 *
3106
 * Clear the task's AVD cache in @tsec and reset it to the current policy's
3107
 * and task's info.
3108
 */
3109
static inline void task_avdcache_reset(struct task_security_struct *tsec)
3110
{
3111
	memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir));
3112
	tsec->avdcache.sid = tsec->sid;
3113
	tsec->avdcache.seqno = avc_policy_seqno();
3114
	tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1;
3115
}
3116

3117
/**
3118
 * task_avdcache_search - Search the task's AVD cache
3119
 * @tsec: the task's security state
3120
 * @isec: the inode to search for in the cache
3121
 * @avdc: matching avd cache entry returned to the caller
3122
 *
3123
 * Search @tsec for a AVD cache entry that matches @isec and return it to the
3124
 * caller via @avdc.  Returns 0 if a match is found, negative values otherwise.
3125
 */
3126
static inline int task_avdcache_search(struct task_security_struct *tsec,
3127
				       struct inode_security_struct *isec,
3128
				       struct avdc_entry **avdc)
3129
{
3130
	int orig, iter;
3131

3132
	/* focused on path walk optimization, only cache directories */
3133
	if (isec->sclass != SECCLASS_DIR)
3134
		return -ENOENT;
3135

3136
	if (unlikely(tsec->sid != tsec->avdcache.sid ||
3137
		     tsec->avdcache.seqno != avc_policy_seqno())) {
3138
		task_avdcache_reset(tsec);
3139
		return -ENOENT;
3140
	}
3141

3142
	orig = iter = tsec->avdcache.dir_spot;
3143
	do {
3144
		if (tsec->avdcache.dir[iter].isid == isec->sid) {
3145
			/* cache hit */
3146
			tsec->avdcache.dir_spot = iter;
3147
			*avdc = &tsec->avdcache.dir[iter];
3148
			return 0;
3149
		}
3150
		iter = (iter - 1) & (TSEC_AVDC_DIR_SIZE - 1);
3151
	} while (iter != orig);
3152

3153
	return -ENOENT;
3154
}
3155

3156
/**
3157
 * task_avdcache_update - Update the task's AVD cache
3158
 * @tsec: the task's security state
3159
 * @isec: the inode associated with the cache entry
3160
 * @avd: the AVD to cache
3161
 * @audited: the permission audit bitmask to cache
3162
 *
3163
 * Update the AVD cache in @tsec with the @avdc and @audited info associated
3164
 * with @isec.
3165
 */
3166
static inline void task_avdcache_update(struct task_security_struct *tsec,
3167
					struct inode_security_struct *isec,
3168
					struct av_decision *avd,
3169
					u32 audited)
3170
{
3171
	int spot;
3172

3173
	/* focused on path walk optimization, only cache directories */
3174
	if (isec->sclass != SECCLASS_DIR)
3175
		return;
3176

3177
	/* update cache */
3178
	spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1);
3179
	tsec->avdcache.dir_spot = spot;
3180
	tsec->avdcache.dir[spot].isid = isec->sid;
3181
	tsec->avdcache.dir[spot].audited = audited;
3182
	tsec->avdcache.dir[spot].allowed = avd->allowed;
3183
	tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE;
3184
	tsec->avdcache.permissive_neveraudit =
3185
		(avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT));
3186
}
3187

3188
/**
3189
 * selinux_inode_permission - Check if the current task can access an inode
3190
 * @inode: the inode that is being accessed
3191
 * @requested: the accesses being requested
3192
 *
3193
 * Check if the current task is allowed to access @inode according to
3194
 * @requested.  Returns 0 if allowed, negative values otherwise.
3195
 */
3196
static int selinux_inode_permission(struct inode *inode, int requested)
3197
{
3198
	int mask;
3199
	u32 perms;
3200
	struct task_security_struct *tsec;
3201
	struct inode_security_struct *isec;
3202
	struct avdc_entry *avdc;
3203
	int rc, rc2;
3204
	u32 audited, denied;
3205

3206
	mask = requested & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3207

3208
	/* No permission to check.  Existence test. */
3209
	if (!mask)
3210
		return 0;
3211

3212
	tsec = selinux_cred(current_cred());
3213
	if (task_avdcache_permnoaudit(tsec))
3214
		return 0;
3215

3216
	isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK);
3217
	if (IS_ERR(isec))
3218
		return PTR_ERR(isec);
3219
	perms = file_mask_to_av(inode->i_mode, mask);
3220

3221
	rc = task_avdcache_search(tsec, isec, &avdc);
3222
	if (likely(!rc)) {
3223
		/* Cache hit. */
3224
		audited = perms & avdc->audited;
3225
		denied = perms & ~avdc->allowed;
3226
		if (unlikely(denied && enforcing_enabled() &&
3227
			     !avdc->permissive))
3228
			rc = -EACCES;
3229
	} else {
3230
		struct av_decision avd;
3231

3232
		/* Cache miss. */
3233
		rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass,
3234
					  perms, 0, &avd);
3235
		audited = avc_audit_required(perms, &avd, rc,
3236
			(requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0,
3237
			&denied);
3238
		task_avdcache_update(tsec, isec, &avd, audited);
3239
	}
3240

3241
	if (likely(!audited))
3242
		return rc;
3243

3244
	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3245
	if (rc2)
3246
		return rc2;
3247

3248
	return rc;
3249
}
3250

3251
static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
3252
				 struct iattr *iattr)
3253
{
3254
	const struct cred *cred = current_cred();
3255
	struct inode *inode = d_backing_inode(dentry);
3256
	unsigned int ia_valid = iattr->ia_valid;
3257
	u32 av = FILE__WRITE;
3258

3259
	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3260
	if (ia_valid & ATTR_FORCE) {
3261
		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3262
			      ATTR_FORCE);
3263
		if (!ia_valid)
3264
			return 0;
3265
	}
3266

3267
	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3268
			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3269
		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3270

3271
	if (selinux_policycap_openperm() &&
3272
	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3273
	    (ia_valid & ATTR_SIZE) &&
3274
	    !(ia_valid & ATTR_FILE))
3275
		av |= FILE__OPEN;
3276

3277
	return dentry_has_perm(cred, dentry, av);
3278
}
3279

3280
static int selinux_inode_getattr(const struct path *path)
3281
{
3282
	struct task_security_struct *tsec;
3283

3284
	tsec = selinux_cred(current_cred());
3285

3286
	if (task_avdcache_permnoaudit(tsec))
3287
		return 0;
3288

3289
	return path_has_perm(current_cred(), path, FILE__GETATTR);
3290
}
3291

3292
static bool has_cap_mac_admin(bool audit)
3293
{
3294
	const struct cred *cred = current_cred();
3295
	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3296

3297
	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3298
		return false;
3299
	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3300
		return false;
3301
	return true;
3302
}
3303

3304
/**
3305
 * selinux_inode_xattr_skipcap - Skip the xattr capability checks?
3306
 * @name: name of the xattr
3307
 *
3308
 * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs
3309
 * named @name; the LSM layer should avoid enforcing any traditional
3310
 * capability based access controls on this xattr.  Returns 0 to indicate that
3311
 * SELinux does not "own" the access control rights to xattrs named @name and is
3312
 * deferring to the LSM layer for further access controls, including capability
3313
 * based controls.
3314
 */
3315
static int selinux_inode_xattr_skipcap(const char *name)
3316
{
3317
	/* require capability check if not a selinux xattr */
3318
	return !strcmp(name, XATTR_NAME_SELINUX);
3319
}
3320

3321
static int selinux_inode_setxattr(struct mnt_idmap *idmap,
3322
				  struct dentry *dentry, const char *name,
3323
				  const void *value, size_t size, int flags)
3324
{
3325
	struct inode *inode = d_backing_inode(dentry);
3326
	struct inode_security_struct *isec;
3327
	struct superblock_security_struct *sbsec;
3328
	struct common_audit_data ad;
3329
	u32 newsid, sid = current_sid();
3330
	int rc = 0;
3331

3332
	/* if not a selinux xattr, only check the ordinary setattr perm */
3333
	if (strcmp(name, XATTR_NAME_SELINUX))
3334
		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3335

3336
	if (!selinux_initialized())
3337
		return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3338

3339
	sbsec = selinux_superblock(inode->i_sb);
3340
	if (!(sbsec->flags & SBLABEL_MNT))
3341
		return -EOPNOTSUPP;
3342

3343
	if (!inode_owner_or_capable(idmap, inode))
3344
		return -EPERM;
3345

3346
	ad.type = LSM_AUDIT_DATA_DENTRY;
3347
	ad.u.dentry = dentry;
3348

3349
	isec = backing_inode_security(dentry);
3350
	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3351
			  FILE__RELABELFROM, &ad);
3352
	if (rc)
3353
		return rc;
3354

3355
	rc = security_context_to_sid(value, size, &newsid,
3356
				     GFP_KERNEL);
3357
	if (rc == -EINVAL) {
3358
		if (!has_cap_mac_admin(true)) {
3359
			struct audit_buffer *ab;
3360
			size_t audit_size;
3361

3362
			/* We strip a nul only if it is at the end, otherwise the
3363
			 * context contains a nul and we should audit that */
3364
			if (value) {
3365
				const char *str = value;
3366

3367
				if (str[size - 1] == '\0')
3368
					audit_size = size - 1;
3369
				else
3370
					audit_size = size;
3371
			} else {
3372
				audit_size = 0;
3373
			}
3374
			ab = audit_log_start(audit_context(),
3375
					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3376
			if (!ab)
3377
				return rc;
3378
			audit_log_format(ab, "op=setxattr invalid_context=");
3379
			audit_log_n_untrustedstring(ab, value, audit_size);
3380
			audit_log_end(ab);
3381

3382
			return rc;
3383
		}
3384
		rc = security_context_to_sid_force(value,
3385
						   size, &newsid);
3386
	}
3387
	if (rc)
3388
		return rc;
3389

3390
	rc = avc_has_perm(sid, newsid, isec->sclass,
3391
			  FILE__RELABELTO, &ad);
3392
	if (rc)
3393
		return rc;
3394

3395
	rc = security_validate_transition(isec->sid, newsid,
3396
					  sid, isec->sclass);
3397
	if (rc)
3398
		return rc;
3399

3400
	return avc_has_perm(newsid,
3401
			    sbsec->sid,
3402
			    SECCLASS_FILESYSTEM,
3403
			    FILESYSTEM__ASSOCIATE,
3404
			    &ad);
3405
}
3406

3407
static int selinux_inode_set_acl(struct mnt_idmap *idmap,
3408
				 struct dentry *dentry, const char *acl_name,
3409
				 struct posix_acl *kacl)
3410
{
3411
	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3412
}
3413

3414
static int selinux_inode_get_acl(struct mnt_idmap *idmap,
3415
				 struct dentry *dentry, const char *acl_name)
3416
{
3417
	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3418
}
3419

3420
static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
3421
				    struct dentry *dentry, const char *acl_name)
3422
{
3423
	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3424
}
3425

3426
static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3427
					const void *value, size_t size,
3428
					int flags)
3429
{
3430
	struct inode *inode = d_backing_inode(dentry);
3431
	struct inode_security_struct *isec;
3432
	u32 newsid;
3433
	int rc;
3434

3435
	if (strcmp(name, XATTR_NAME_SELINUX)) {
3436
		/* Not an attribute we recognize, so nothing to do. */
3437
		return;
3438
	}
3439

3440
	if (!selinux_initialized()) {
3441
		/* If we haven't even been initialized, then we can't validate
3442
		 * against a policy, so leave the label as invalid. It may
3443
		 * resolve to a valid label on the next revalidation try if
3444
		 * we've since initialized.
3445
		 */
3446
		return;
3447
	}
3448

3449
	rc = security_context_to_sid_force(value, size,
3450
					   &newsid);
3451
	if (rc) {
3452
		pr_err("SELinux:  unable to map context to SID"
3453
		       "for (%s, %lu), rc=%d\n",
3454
		       inode->i_sb->s_id, inode->i_ino, -rc);
3455
		return;
3456
	}
3457

3458
	isec = backing_inode_security(dentry);
3459
	spin_lock(&isec->lock);
3460
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3461
	isec->sid = newsid;
3462
	isec->initialized = LABEL_INITIALIZED;
3463
	spin_unlock(&isec->lock);
3464
}
3465

3466
static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3467
{
3468
	const struct cred *cred = current_cred();
3469

3470
	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3471
}
3472

3473
static int selinux_inode_listxattr(struct dentry *dentry)
3474
{
3475
	const struct cred *cred = current_cred();
3476

3477
	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3478
}
3479

3480
static int selinux_inode_removexattr(struct mnt_idmap *idmap,
3481
				     struct dentry *dentry, const char *name)
3482
{
3483
	/* if not a selinux xattr, only check the ordinary setattr perm */
3484
	if (strcmp(name, XATTR_NAME_SELINUX))
3485
		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3486

3487
	if (!selinux_initialized())
3488
		return 0;
3489

3490
	/* No one is allowed to remove a SELinux security label.
3491
	   You can change the label, but all data must be labeled. */
3492
	return -EACCES;
3493
}
3494

3495
static int selinux_inode_file_setattr(struct dentry *dentry,
3496
				      struct file_kattr *fa)
3497
{
3498
	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3499
}
3500

3501
static int selinux_inode_file_getattr(struct dentry *dentry,
3502
				      struct file_kattr *fa)
3503
{
3504
	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3505
}
3506

3507
static int selinux_path_notify(const struct path *path, u64 mask,
3508
						unsigned int obj_type)
3509
{
3510
	int ret;
3511
	u32 perm;
3512

3513
	struct common_audit_data ad;
3514

3515
	ad.type = LSM_AUDIT_DATA_PATH;
3516
	ad.u.path = *path;
3517

3518
	/*
3519
	 * Set permission needed based on the type of mark being set.
3520
	 * Performs an additional check for sb watches.
3521
	 */
3522
	switch (obj_type) {
3523
	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3524
		perm = FILE__WATCH_MOUNT;
3525
		break;
3526
	case FSNOTIFY_OBJ_TYPE_SB:
3527
		perm = FILE__WATCH_SB;
3528
		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3529
						FILESYSTEM__WATCH, &ad);
3530
		if (ret)
3531
			return ret;
3532
		break;
3533
	case FSNOTIFY_OBJ_TYPE_INODE:
3534
		perm = FILE__WATCH;
3535
		break;
3536
	case FSNOTIFY_OBJ_TYPE_MNTNS:
3537
		perm = FILE__WATCH_MOUNTNS;
3538
		break;
3539
	default:
3540
		return -EINVAL;
3541
	}
3542

3543
	/* blocking watches require the file:watch_with_perm permission */
3544
	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3545
		perm |= FILE__WATCH_WITH_PERM;
3546

3547
	/* watches on read-like events need the file:watch_reads permission */
3548
	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_PRE_ACCESS |
3549
		    FS_CLOSE_NOWRITE))
3550
		perm |= FILE__WATCH_READS;
3551

3552
	return path_has_perm(current_cred(), path, perm);
3553
}
3554

3555
/*
3556
 * Copy the inode security context value to the user.
3557
 *
3558
 * Permission check is handled by selinux_inode_getxattr hook.
3559
 */
3560
static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
3561
				     struct inode *inode, const char *name,
3562
				     void **buffer, bool alloc)
3563
{
3564
	u32 size;
3565
	int error;
3566
	char *context = NULL;
3567
	struct inode_security_struct *isec;
3568

3569
	/*
3570
	 * If we're not initialized yet, then we can't validate contexts, so
3571
	 * just let vfs_getxattr fall back to using the on-disk xattr.
3572
	 */
3573
	if (!selinux_initialized() ||
3574
	    strcmp(name, XATTR_SELINUX_SUFFIX))
3575
		return -EOPNOTSUPP;
3576

3577
	/*
3578
	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3579
	 * value even if it is not defined by current policy; otherwise,
3580
	 * use the in-core value under current policy.
3581
	 * Use the non-auditing forms of the permission checks since
3582
	 * getxattr may be called by unprivileged processes commonly
3583
	 * and lack of permission just means that we fall back to the
3584
	 * in-core context value, not a denial.
3585
	 */
3586
	isec = inode_security(inode);
3587
	if (has_cap_mac_admin(false))
3588
		error = security_sid_to_context_force(isec->sid, &context,
3589
						      &size);
3590
	else
3591
		error = security_sid_to_context(isec->sid,
3592
						&context, &size);
3593
	if (error)
3594
		return error;
3595
	error = size;
3596
	if (alloc) {
3597
		*buffer = context;
3598
		goto out_nofree;
3599
	}
3600
	kfree(context);
3601
out_nofree:
3602
	return error;
3603
}
3604

3605
static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3606
				     const void *value, size_t size, int flags)
3607
{
3608
	struct inode_security_struct *isec = inode_security_novalidate(inode);
3609
	struct superblock_security_struct *sbsec;
3610
	u32 newsid;
3611
	int rc;
3612

3613
	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3614
		return -EOPNOTSUPP;
3615

3616
	sbsec = selinux_superblock(inode->i_sb);
3617
	if (!(sbsec->flags & SBLABEL_MNT))
3618
		return -EOPNOTSUPP;
3619

3620
	if (!value || !size)
3621
		return -EACCES;
3622

3623
	rc = security_context_to_sid(value, size, &newsid,
3624
				     GFP_KERNEL);
3625
	if (rc)
3626
		return rc;
3627

3628
	spin_lock(&isec->lock);
3629
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3630
	isec->sid = newsid;
3631
	isec->initialized = LABEL_INITIALIZED;
3632
	spin_unlock(&isec->lock);
3633
	return 0;
3634
}
3635

3636
static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3637
{
3638
	const int len = sizeof(XATTR_NAME_SELINUX);
3639

3640
	if (!selinux_initialized())
3641
		return 0;
3642

3643
	if (buffer && len <= buffer_size)
3644
		memcpy(buffer, XATTR_NAME_SELINUX, len);
3645
	return len;
3646
}
3647

3648
static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop)
3649
{
3650
	struct inode_security_struct *isec = inode_security_novalidate(inode);
3651

3652
	prop->selinux.secid = isec->sid;
3653
}
3654

3655
static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3656
{
3657
	struct lsm_prop prop;
3658
	struct task_security_struct *tsec;
3659
	struct cred *new_creds = *new;
3660

3661
	if (new_creds == NULL) {
3662
		new_creds = prepare_creds();
3663
		if (!new_creds)
3664
			return -ENOMEM;
3665
	}
3666

3667
	tsec = selinux_cred(new_creds);
3668
	/* Get label from overlay inode and set it in create_sid */
3669
	selinux_inode_getlsmprop(d_inode(src), &prop);
3670
	tsec->create_sid = prop.selinux.secid;
3671
	*new = new_creds;
3672
	return 0;
3673
}
3674

3675
static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name)
3676
{
3677
	/* The copy_up hook above sets the initial context on an inode, but we
3678
	 * don't then want to overwrite it by blindly copying all the lower
3679
	 * xattrs up.  Instead, filter out SELinux-related xattrs following
3680
	 * policy load.
3681
	 */
3682
	if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX))
3683
		return -ECANCELED; /* Discard */
3684
	/*
3685
	 * Any other attribute apart from SELINUX is not claimed, supported
3686
	 * by selinux.
3687
	 */
3688
	return -EOPNOTSUPP;
3689
}
3690

3691
/* kernfs node operations */
3692

3693
static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3694
					struct kernfs_node *kn)
3695
{
3696
	const struct task_security_struct *tsec = selinux_cred(current_cred());
3697
	u32 parent_sid, newsid, clen;
3698
	int rc;
3699
	char *context;
3700

3701
	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3702
	if (rc == -ENODATA)
3703
		return 0;
3704
	else if (rc < 0)
3705
		return rc;
3706

3707
	clen = (u32)rc;
3708
	context = kmalloc(clen, GFP_KERNEL);
3709
	if (!context)
3710
		return -ENOMEM;
3711

3712
	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3713
	if (rc < 0) {
3714
		kfree(context);
3715
		return rc;
3716
	}
3717

3718
	rc = security_context_to_sid(context, clen, &parent_sid,
3719
				     GFP_KERNEL);
3720
	kfree(context);
3721
	if (rc)
3722
		return rc;
3723

3724
	if (tsec->create_sid) {
3725
		newsid = tsec->create_sid;
3726
	} else {
3727
		u16 secclass = inode_mode_to_security_class(kn->mode);
3728
		const char *kn_name;
3729
		struct qstr q;
3730

3731
		/* kn is fresh, can't be renamed, name goes not away */
3732
		kn_name = rcu_dereference_check(kn->name, true);
3733
		q.name = kn_name;
3734
		q.hash_len = hashlen_string(kn_dir, kn_name);
3735

3736
		rc = security_transition_sid(tsec->sid,
3737
					     parent_sid, secclass, &q,
3738
					     &newsid);
3739
		if (rc)
3740
			return rc;
3741
	}
3742

3743
	rc = security_sid_to_context_force(newsid,
3744
					   &context, &clen);
3745
	if (rc)
3746
		return rc;
3747

3748
	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3749
			      XATTR_CREATE);
3750
	kfree(context);
3751
	return rc;
3752
}
3753

3754

3755
/* file security operations */
3756

3757
static int selinux_revalidate_file_permission(struct file *file, int mask)
3758
{
3759
	const struct cred *cred = current_cred();
3760
	struct inode *inode = file_inode(file);
3761

3762
	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3763
	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3764
		mask |= MAY_APPEND;
3765

3766
	return file_has_perm(cred, file,
3767
			     file_mask_to_av(inode->i_mode, mask));
3768
}
3769

3770
static int selinux_file_permission(struct file *file, int mask)
3771
{
3772
	struct inode *inode = file_inode(file);
3773
	struct file_security_struct *fsec = selinux_file(file);
3774
	struct inode_security_struct *isec;
3775
	u32 sid = current_sid();
3776

3777
	if (!mask)
3778
		/* No permission to check.  Existence test. */
3779
		return 0;
3780

3781
	isec = inode_security(inode);
3782
	if (sid == fsec->sid && fsec->isid == isec->sid &&
3783
	    fsec->pseqno == avc_policy_seqno())
3784
		/* No change since file_open check. */
3785
		return 0;
3786

3787
	return selinux_revalidate_file_permission(file, mask);
3788
}
3789

3790
static int selinux_file_alloc_security(struct file *file)
3791
{
3792
	struct file_security_struct *fsec = selinux_file(file);
3793
	u32 sid = current_sid();
3794

3795
	fsec->sid = sid;
3796
	fsec->fown_sid = sid;
3797

3798
	return 0;
3799
}
3800

3801
/*
3802
 * Check whether a task has the ioctl permission and cmd
3803
 * operation to an inode.
3804
 */
3805
static int ioctl_has_perm(const struct cred *cred, struct file *file,
3806
		u32 requested, u16 cmd)
3807
{
3808
	struct common_audit_data ad;
3809
	struct file_security_struct *fsec = selinux_file(file);
3810
	struct inode *inode = file_inode(file);
3811
	struct inode_security_struct *isec;
3812
	struct lsm_ioctlop_audit ioctl;
3813
	u32 ssid = cred_sid(cred);
3814
	int rc;
3815
	u8 driver = cmd >> 8;
3816
	u8 xperm = cmd & 0xff;
3817

3818
	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3819
	ad.u.op = &ioctl;
3820
	ad.u.op->cmd = cmd;
3821
	ad.u.op->path = file->f_path;
3822

3823
	if (ssid != fsec->sid) {
3824
		rc = avc_has_perm(ssid, fsec->sid,
3825
				SECCLASS_FD,
3826
				FD__USE,
3827
				&ad);
3828
		if (rc)
3829
			goto out;
3830
	}
3831

3832
	if (unlikely(IS_PRIVATE(inode)))
3833
		return 0;
3834

3835
	isec = inode_security(inode);
3836
	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, requested,
3837
				    driver, AVC_EXT_IOCTL, xperm, &ad);
3838
out:
3839
	return rc;
3840
}
3841

3842
static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3843
			      unsigned long arg)
3844
{
3845
	const struct cred *cred = current_cred();
3846
	int error = 0;
3847

3848
	switch (cmd) {
3849
	case FIONREAD:
3850
	case FIBMAP:
3851
	case FIGETBSZ:
3852
	case FS_IOC_GETFLAGS:
3853
	case FS_IOC_GETVERSION:
3854
		error = file_has_perm(cred, file, FILE__GETATTR);
3855
		break;
3856

3857
	case FS_IOC_SETFLAGS:
3858
	case FS_IOC_SETVERSION:
3859
		error = file_has_perm(cred, file, FILE__SETATTR);
3860
		break;
3861

3862
	/* sys_ioctl() checks */
3863
	case FIONBIO:
3864
	case FIOASYNC:
3865
		error = file_has_perm(cred, file, 0);
3866
		break;
3867

3868
	case KDSKBENT:
3869
	case KDSKBSENT:
3870
		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3871
					    CAP_OPT_NONE, true);
3872
		break;
3873

3874
	case FIOCLEX:
3875
	case FIONCLEX:
3876
		if (!selinux_policycap_ioctl_skip_cloexec())
3877
			error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3878
		break;
3879

3880
	/* default case assumes that the command will go
3881
	 * to the file's ioctl() function.
3882
	 */
3883
	default:
3884
		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3885
	}
3886
	return error;
3887
}
3888

3889
static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3890
			      unsigned long arg)
3891
{
3892
	/*
3893
	 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3894
	 * make sure we don't compare 32-bit flags to 64-bit flags.
3895
	 */
3896
	switch (cmd) {
3897
	case FS_IOC32_GETFLAGS:
3898
		cmd = FS_IOC_GETFLAGS;
3899
		break;
3900
	case FS_IOC32_SETFLAGS:
3901
		cmd = FS_IOC_SETFLAGS;
3902
		break;
3903
	case FS_IOC32_GETVERSION:
3904
		cmd = FS_IOC_GETVERSION;
3905
		break;
3906
	case FS_IOC32_SETVERSION:
3907
		cmd = FS_IOC_SETVERSION;
3908
		break;
3909
	default:
3910
		break;
3911
	}
3912

3913
	return selinux_file_ioctl(file, cmd, arg);
3914
}
3915

3916
static int default_noexec __ro_after_init;
3917

3918
static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3919
{
3920
	const struct cred *cred = current_cred();
3921
	u32 sid = cred_sid(cred);
3922
	int rc = 0;
3923

3924
	if (default_noexec &&
3925
	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3926
				   (!shared && (prot & PROT_WRITE)))) {
3927
		/*
3928
		 * We are making executable an anonymous mapping or a
3929
		 * private file mapping that will also be writable.
3930
		 * This has an additional check.
3931
		 */
3932
		rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3933
				  PROCESS__EXECMEM, NULL);
3934
		if (rc)
3935
			goto error;
3936
	}
3937

3938
	if (file) {
3939
		/* read access is always possible with a mapping */
3940
		u32 av = FILE__READ;
3941

3942
		/* write access only matters if the mapping is shared */
3943
		if (shared && (prot & PROT_WRITE))
3944
			av |= FILE__WRITE;
3945

3946
		if (prot & PROT_EXEC)
3947
			av |= FILE__EXECUTE;
3948

3949
		return file_has_perm(cred, file, av);
3950
	}
3951

3952
error:
3953
	return rc;
3954
}
3955

3956
static int selinux_mmap_addr(unsigned long addr)
3957
{
3958
	int rc = 0;
3959

3960
	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3961
		u32 sid = current_sid();
3962
		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3963
				  MEMPROTECT__MMAP_ZERO, NULL);
3964
	}
3965

3966
	return rc;
3967
}
3968

3969
static int selinux_mmap_file(struct file *file,
3970
			     unsigned long reqprot __always_unused,
3971
			     unsigned long prot, unsigned long flags)
3972
{
3973
	struct common_audit_data ad;
3974
	int rc;
3975

3976
	if (file) {
3977
		ad.type = LSM_AUDIT_DATA_FILE;
3978
		ad.u.file = file;
3979
		rc = inode_has_perm(current_cred(), file_inode(file),
3980
				    FILE__MAP, &ad);
3981
		if (rc)
3982
			return rc;
3983
	}
3984

3985
	return file_map_prot_check(file, prot,
3986
				   (flags & MAP_TYPE) == MAP_SHARED);
3987
}
3988

3989
static int selinux_file_mprotect(struct vm_area_struct *vma,
3990
				 unsigned long reqprot __always_unused,
3991
				 unsigned long prot)
3992
{
3993
	const struct cred *cred = current_cred();
3994
	u32 sid = cred_sid(cred);
3995

3996
	if (default_noexec &&
3997
	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3998
		int rc = 0;
3999
		/*
4000
		 * We don't use the vma_is_initial_heap() helper as it has
4001
		 * a history of problems and is currently broken on systems
4002
		 * where there is no heap, e.g. brk == start_brk.  Before
4003
		 * replacing the conditional below with vma_is_initial_heap(),
4004
		 * or something similar, please ensure that the logic is the
4005
		 * same as what we have below or you have tested every possible
4006
		 * corner case you can think to test.
4007
		 */
4008
		if (vma->vm_start >= vma->vm_mm->start_brk &&
4009
		    vma->vm_end <= vma->vm_mm->brk) {
4010
			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
4011
					  PROCESS__EXECHEAP, NULL);
4012
		} else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
4013
			    vma_is_stack_for_current(vma))) {
4014
			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
4015
					  PROCESS__EXECSTACK, NULL);
4016
		} else if (vma->vm_file && vma->anon_vma) {
4017
			/*
4018
			 * We are making executable a file mapping that has
4019
			 * had some COW done. Since pages might have been
4020
			 * written, check ability to execute the possibly
4021
			 * modified content.  This typically should only
4022
			 * occur for text relocations.
4023
			 */
4024
			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
4025
		}
4026
		if (rc)
4027
			return rc;
4028
	}
4029

4030
	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
4031
}
4032

4033
static int selinux_file_lock(struct file *file, unsigned int cmd)
4034
{
4035
	const struct cred *cred = current_cred();
4036

4037
	return file_has_perm(cred, file, FILE__LOCK);
4038
}
4039

4040
static int selinux_file_fcntl(struct file *file, unsigned int cmd,
4041
			      unsigned long arg)
4042
{
4043
	const struct cred *cred = current_cred();
4044
	int err = 0;
4045

4046
	switch (cmd) {
4047
	case F_SETFL:
4048
		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
4049
			err = file_has_perm(cred, file, FILE__WRITE);
4050
			break;
4051
		}
4052
		fallthrough;
4053
	case F_SETOWN:
4054
	case F_SETSIG:
4055
	case F_GETFL:
4056
	case F_GETOWN:
4057
	case F_GETSIG:
4058
	case F_GETOWNER_UIDS:
4059
		/* Just check FD__USE permission */
4060
		err = file_has_perm(cred, file, 0);
4061
		break;
4062
	case F_GETLK:
4063
	case F_SETLK:
4064
	case F_SETLKW:
4065
	case F_OFD_GETLK:
4066
	case F_OFD_SETLK:
4067
	case F_OFD_SETLKW:
4068
#if BITS_PER_LONG == 32
4069
	case F_GETLK64:
4070
	case F_SETLK64:
4071
	case F_SETLKW64:
4072
#endif
4073
		err = file_has_perm(cred, file, FILE__LOCK);
4074
		break;
4075
	}
4076

4077
	return err;
4078
}
4079

4080
static void selinux_file_set_fowner(struct file *file)
4081
{
4082
	struct file_security_struct *fsec;
4083

4084
	fsec = selinux_file(file);
4085
	fsec->fown_sid = current_sid();
4086
}
4087

4088
static int selinux_file_send_sigiotask(struct task_struct *tsk,
4089
				       struct fown_struct *fown, int signum)
4090
{
4091
	struct file *file;
4092
	u32 sid = task_sid_obj(tsk);
4093
	u32 perm;
4094
	struct file_security_struct *fsec;
4095

4096
	/* struct fown_struct is never outside the context of a struct file */
4097
	file = fown->file;
4098

4099
	fsec = selinux_file(file);
4100

4101
	if (!signum)
4102
		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
4103
	else
4104
		perm = signal_to_av(signum);
4105

4106
	return avc_has_perm(fsec->fown_sid, sid,
4107
			    SECCLASS_PROCESS, perm, NULL);
4108
}
4109

4110
static int selinux_file_receive(struct file *file)
4111
{
4112
	const struct cred *cred = current_cred();
4113

4114
	return file_has_perm(cred, file, file_to_av(file));
4115
}
4116

4117
static int selinux_file_open(struct file *file)
4118
{
4119
	struct file_security_struct *fsec;
4120
	struct inode_security_struct *isec;
4121

4122
	fsec = selinux_file(file);
4123
	isec = inode_security(file_inode(file));
4124
	/*
4125
	 * Save inode label and policy sequence number
4126
	 * at open-time so that selinux_file_permission
4127
	 * can determine whether revalidation is necessary.
4128
	 * Task label is already saved in the file security
4129
	 * struct as its SID.
4130
	 */
4131
	fsec->isid = isec->sid;
4132
	fsec->pseqno = avc_policy_seqno();
4133
	/*
4134
	 * Since the inode label or policy seqno may have changed
4135
	 * between the selinux_inode_permission check and the saving
4136
	 * of state above, recheck that access is still permitted.
4137
	 * Otherwise, access might never be revalidated against the
4138
	 * new inode label or new policy.
4139
	 * This check is not redundant - do not remove.
4140
	 */
4141
	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
4142
}
4143

4144
/* task security operations */
4145

4146
static int selinux_task_alloc(struct task_struct *task,
4147
			      unsigned long clone_flags)
4148
{
4149
	u32 sid = current_sid();
4150

4151
	return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
4152
}
4153

4154
/*
4155
 * prepare a new set of credentials for modification
4156
 */
4157
static int selinux_cred_prepare(struct cred *new, const struct cred *old,
4158
				gfp_t gfp)
4159
{
4160
	const struct task_security_struct *old_tsec = selinux_cred(old);
4161
	struct task_security_struct *tsec = selinux_cred(new);
4162

4163
	*tsec = *old_tsec;
4164
	return 0;
4165
}
4166

4167
/*
4168
 * transfer the SELinux data to a blank set of creds
4169
 */
4170
static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4171
{
4172
	const struct task_security_struct *old_tsec = selinux_cred(old);
4173
	struct task_security_struct *tsec = selinux_cred(new);
4174

4175
	*tsec = *old_tsec;
4176
}
4177

4178
static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4179
{
4180
	*secid = cred_sid(c);
4181
}
4182

4183
static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop)
4184
{
4185
	prop->selinux.secid = cred_sid(c);
4186
}
4187

4188
/*
4189
 * set the security data for a kernel service
4190
 * - all the creation contexts are set to unlabelled
4191
 */
4192
static int selinux_kernel_act_as(struct cred *new, u32 secid)
4193
{
4194
	struct task_security_struct *tsec = selinux_cred(new);
4195
	u32 sid = current_sid();
4196
	int ret;
4197

4198
	ret = avc_has_perm(sid, secid,
4199
			   SECCLASS_KERNEL_SERVICE,
4200
			   KERNEL_SERVICE__USE_AS_OVERRIDE,
4201
			   NULL);
4202
	if (ret == 0) {
4203
		tsec->sid = secid;
4204
		tsec->create_sid = 0;
4205
		tsec->keycreate_sid = 0;
4206
		tsec->sockcreate_sid = 0;
4207
	}
4208
	return ret;
4209
}
4210

4211
/*
4212
 * set the file creation context in a security record to the same as the
4213
 * objective context of the specified inode
4214
 */
4215
static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4216
{
4217
	struct inode_security_struct *isec = inode_security(inode);
4218
	struct task_security_struct *tsec = selinux_cred(new);
4219
	u32 sid = current_sid();
4220
	int ret;
4221

4222
	ret = avc_has_perm(sid, isec->sid,
4223
			   SECCLASS_KERNEL_SERVICE,
4224
			   KERNEL_SERVICE__CREATE_FILES_AS,
4225
			   NULL);
4226

4227
	if (ret == 0)
4228
		tsec->create_sid = isec->sid;
4229
	return ret;
4230
}
4231

4232
static int selinux_kernel_module_request(char *kmod_name)
4233
{
4234
	struct common_audit_data ad;
4235

4236
	ad.type = LSM_AUDIT_DATA_KMOD;
4237
	ad.u.kmod_name = kmod_name;
4238

4239
	return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4240
			    SYSTEM__MODULE_REQUEST, &ad);
4241
}
4242

4243
static int selinux_kernel_load_from_file(struct file *file, u32 requested)
4244
{
4245
	struct common_audit_data ad;
4246
	struct inode_security_struct *isec;
4247
	struct file_security_struct *fsec;
4248
	u32 sid = current_sid();
4249
	int rc;
4250

4251
	if (file == NULL)
4252
		return avc_has_perm(sid, sid, SECCLASS_SYSTEM, requested, NULL);
4253

4254
	ad.type = LSM_AUDIT_DATA_FILE;
4255
	ad.u.file = file;
4256

4257
	fsec = selinux_file(file);
4258
	if (sid != fsec->sid) {
4259
		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4260
		if (rc)
4261
			return rc;
4262
	}
4263

4264
	isec = inode_security(file_inode(file));
4265
	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, requested, &ad);
4266
}
4267

4268
static int selinux_kernel_read_file(struct file *file,
4269
				    enum kernel_read_file_id id,
4270
				    bool contents)
4271
{
4272
	int rc = 0;
4273

4274
	BUILD_BUG_ON_MSG(READING_MAX_ID > 7,
4275
			 "New kernel_read_file_id introduced; update SELinux!");
4276

4277
	switch (id) {
4278
	case READING_FIRMWARE:
4279
		rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD);
4280
		break;
4281
	case READING_MODULE:
4282
		rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD);
4283
		break;
4284
	case READING_KEXEC_IMAGE:
4285
		rc = selinux_kernel_load_from_file(file,
4286
						   SYSTEM__KEXEC_IMAGE_LOAD);
4287
		break;
4288
	case READING_KEXEC_INITRAMFS:
4289
		rc = selinux_kernel_load_from_file(file,
4290
						SYSTEM__KEXEC_INITRAMFS_LOAD);
4291
		break;
4292
	case READING_POLICY:
4293
		rc = selinux_kernel_load_from_file(file, SYSTEM__POLICY_LOAD);
4294
		break;
4295
	case READING_X509_CERTIFICATE:
4296
		rc = selinux_kernel_load_from_file(file,
4297
						SYSTEM__X509_CERTIFICATE_LOAD);
4298
		break;
4299
	default:
4300
		break;
4301
	}
4302

4303
	return rc;
4304
}
4305

4306
static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4307
{
4308
	int rc = 0;
4309

4310
	BUILD_BUG_ON_MSG(LOADING_MAX_ID > 7,
4311
			 "New kernel_load_data_id introduced; update SELinux!");
4312

4313
	switch (id) {
4314
	case LOADING_FIRMWARE:
4315
		rc = selinux_kernel_load_from_file(NULL, SYSTEM__FIRMWARE_LOAD);
4316
		break;
4317
	case LOADING_MODULE:
4318
		rc = selinux_kernel_load_from_file(NULL, SYSTEM__MODULE_LOAD);
4319
		break;
4320
	case LOADING_KEXEC_IMAGE:
4321
		rc = selinux_kernel_load_from_file(NULL,
4322
						   SYSTEM__KEXEC_IMAGE_LOAD);
4323
		break;
4324
	case LOADING_KEXEC_INITRAMFS:
4325
		rc = selinux_kernel_load_from_file(NULL,
4326
						SYSTEM__KEXEC_INITRAMFS_LOAD);
4327
		break;
4328
	case LOADING_POLICY:
4329
		rc = selinux_kernel_load_from_file(NULL,
4330
						   SYSTEM__POLICY_LOAD);
4331
		break;
4332
	case LOADING_X509_CERTIFICATE:
4333
		rc = selinux_kernel_load_from_file(NULL,
4334
						SYSTEM__X509_CERTIFICATE_LOAD);
4335
		break;
4336
	default:
4337
		break;
4338
	}
4339

4340
	return rc;
4341
}
4342

4343
static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4344
{
4345
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4346
			    PROCESS__SETPGID, NULL);
4347
}
4348

4349
static int selinux_task_getpgid(struct task_struct *p)
4350
{
4351
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4352
			    PROCESS__GETPGID, NULL);
4353
}
4354

4355
static int selinux_task_getsid(struct task_struct *p)
4356
{
4357
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4358
			    PROCESS__GETSESSION, NULL);
4359
}
4360

4361
static void selinux_current_getlsmprop_subj(struct lsm_prop *prop)
4362
{
4363
	prop->selinux.secid = current_sid();
4364
}
4365

4366
static void selinux_task_getlsmprop_obj(struct task_struct *p,
4367
					struct lsm_prop *prop)
4368
{
4369
	prop->selinux.secid = task_sid_obj(p);
4370
}
4371

4372
static int selinux_task_setnice(struct task_struct *p, int nice)
4373
{
4374
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4375
			    PROCESS__SETSCHED, NULL);
4376
}
4377

4378
static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4379
{
4380
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4381
			    PROCESS__SETSCHED, NULL);
4382
}
4383

4384
static int selinux_task_getioprio(struct task_struct *p)
4385
{
4386
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4387
			    PROCESS__GETSCHED, NULL);
4388
}
4389

4390
static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4391
				unsigned int flags)
4392
{
4393
	u32 av = 0;
4394

4395
	if (!flags)
4396
		return 0;
4397
	if (flags & LSM_PRLIMIT_WRITE)
4398
		av |= PROCESS__SETRLIMIT;
4399
	if (flags & LSM_PRLIMIT_READ)
4400
		av |= PROCESS__GETRLIMIT;
4401
	return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4402
			    SECCLASS_PROCESS, av, NULL);
4403
}
4404

4405
static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4406
		struct rlimit *new_rlim)
4407
{
4408
	struct rlimit *old_rlim = p->signal->rlim + resource;
4409

4410
	/* Control the ability to change the hard limit (whether
4411
	   lowering or raising it), so that the hard limit can
4412
	   later be used as a safe reset point for the soft limit
4413
	   upon context transitions.  See selinux_bprm_committing_creds. */
4414
	if (old_rlim->rlim_max != new_rlim->rlim_max)
4415
		return avc_has_perm(current_sid(), task_sid_obj(p),
4416
				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4417

4418
	return 0;
4419
}
4420

4421
static int selinux_task_setscheduler(struct task_struct *p)
4422
{
4423
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4424
			    PROCESS__SETSCHED, NULL);
4425
}
4426

4427
static int selinux_task_getscheduler(struct task_struct *p)
4428
{
4429
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4430
			    PROCESS__GETSCHED, NULL);
4431
}
4432

4433
static int selinux_task_movememory(struct task_struct *p)
4434
{
4435
	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4436
			    PROCESS__SETSCHED, NULL);
4437
}
4438

4439
static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4440
				int sig, const struct cred *cred)
4441
{
4442
	u32 secid;
4443
	u32 perm;
4444

4445
	if (!sig)
4446
		perm = PROCESS__SIGNULL; /* null signal; existence test */
4447
	else
4448
		perm = signal_to_av(sig);
4449
	if (!cred)
4450
		secid = current_sid();
4451
	else
4452
		secid = cred_sid(cred);
4453
	return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4454
}
4455

4456
static void selinux_task_to_inode(struct task_struct *p,
4457
				  struct inode *inode)
4458
{
4459
	struct inode_security_struct *isec = selinux_inode(inode);
4460
	u32 sid = task_sid_obj(p);
4461

4462
	spin_lock(&isec->lock);
4463
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4464
	isec->sid = sid;
4465
	isec->initialized = LABEL_INITIALIZED;
4466
	spin_unlock(&isec->lock);
4467
}
4468

4469
static int selinux_userns_create(const struct cred *cred)
4470
{
4471
	u32 sid = current_sid();
4472

4473
	return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE,
4474
			USER_NAMESPACE__CREATE, NULL);
4475
}
4476

4477
/* Returns error only if unable to parse addresses */
4478
static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4479
			struct common_audit_data *ad, u8 *proto)
4480
{
4481
	int offset, ihlen, ret = -EINVAL;
4482
	struct iphdr _iph, *ih;
4483

4484
	offset = skb_network_offset(skb);
4485
	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4486
	if (ih == NULL)
4487
		goto out;
4488

4489
	ihlen = ih->ihl * 4;
4490
	if (ihlen < sizeof(_iph))
4491
		goto out;
4492

4493
	ad->u.net->v4info.saddr = ih->saddr;
4494
	ad->u.net->v4info.daddr = ih->daddr;
4495
	ret = 0;
4496

4497
	if (proto)
4498
		*proto = ih->protocol;
4499

4500
	switch (ih->protocol) {
4501
	case IPPROTO_TCP: {
4502
		struct tcphdr _tcph, *th;
4503

4504
		if (ntohs(ih->frag_off) & IP_OFFSET)
4505
			break;
4506

4507
		offset += ihlen;
4508
		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4509
		if (th == NULL)
4510
			break;
4511

4512
		ad->u.net->sport = th->source;
4513
		ad->u.net->dport = th->dest;
4514
		break;
4515
	}
4516

4517
	case IPPROTO_UDP: {
4518
		struct udphdr _udph, *uh;
4519

4520
		if (ntohs(ih->frag_off) & IP_OFFSET)
4521
			break;
4522

4523
		offset += ihlen;
4524
		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4525
		if (uh == NULL)
4526
			break;
4527

4528
		ad->u.net->sport = uh->source;
4529
		ad->u.net->dport = uh->dest;
4530
		break;
4531
	}
4532

4533
#if IS_ENABLED(CONFIG_IP_SCTP)
4534
	case IPPROTO_SCTP: {
4535
		struct sctphdr _sctph, *sh;
4536

4537
		if (ntohs(ih->frag_off) & IP_OFFSET)
4538
			break;
4539

4540
		offset += ihlen;
4541
		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4542
		if (sh == NULL)
4543
			break;
4544

4545
		ad->u.net->sport = sh->source;
4546
		ad->u.net->dport = sh->dest;
4547
		break;
4548
	}
4549
#endif
4550
	default:
4551
		break;
4552
	}
4553
out:
4554
	return ret;
4555
}
4556

4557
#if IS_ENABLED(CONFIG_IPV6)
4558

4559
/* Returns error only if unable to parse addresses */
4560
static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4561
			struct common_audit_data *ad, u8 *proto)
4562
{
4563
	u8 nexthdr;
4564
	int ret = -EINVAL, offset;
4565
	struct ipv6hdr _ipv6h, *ip6;
4566
	__be16 frag_off;
4567

4568
	offset = skb_network_offset(skb);
4569
	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4570
	if (ip6 == NULL)
4571
		goto out;
4572

4573
	ad->u.net->v6info.saddr = ip6->saddr;
4574
	ad->u.net->v6info.daddr = ip6->daddr;
4575
	ret = 0;
4576

4577
	nexthdr = ip6->nexthdr;
4578
	offset += sizeof(_ipv6h);
4579
	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4580
	if (offset < 0)
4581
		goto out;
4582

4583
	if (proto)
4584
		*proto = nexthdr;
4585

4586
	switch (nexthdr) {
4587
	case IPPROTO_TCP: {
4588
		struct tcphdr _tcph, *th;
4589

4590
		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4591
		if (th == NULL)
4592
			break;
4593

4594
		ad->u.net->sport = th->source;
4595
		ad->u.net->dport = th->dest;
4596
		break;
4597
	}
4598

4599
	case IPPROTO_UDP: {
4600
		struct udphdr _udph, *uh;
4601

4602
		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4603
		if (uh == NULL)
4604
			break;
4605

4606
		ad->u.net->sport = uh->source;
4607
		ad->u.net->dport = uh->dest;
4608
		break;
4609
	}
4610

4611
#if IS_ENABLED(CONFIG_IP_SCTP)
4612
	case IPPROTO_SCTP: {
4613
		struct sctphdr _sctph, *sh;
4614

4615
		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4616
		if (sh == NULL)
4617
			break;
4618

4619
		ad->u.net->sport = sh->source;
4620
		ad->u.net->dport = sh->dest;
4621
		break;
4622
	}
4623
#endif
4624
	/* includes fragments */
4625
	default:
4626
		break;
4627
	}
4628
out:
4629
	return ret;
4630
}
4631

4632
#endif /* IPV6 */
4633

4634
static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4635
			     char **_addrp, int src, u8 *proto)
4636
{
4637
	char *addrp;
4638
	int ret;
4639

4640
	switch (ad->u.net->family) {
4641
	case PF_INET:
4642
		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4643
		if (ret)
4644
			goto parse_error;
4645
		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4646
				       &ad->u.net->v4info.daddr);
4647
		goto okay;
4648

4649
#if IS_ENABLED(CONFIG_IPV6)
4650
	case PF_INET6:
4651
		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4652
		if (ret)
4653
			goto parse_error;
4654
		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4655
				       &ad->u.net->v6info.daddr);
4656
		goto okay;
4657
#endif	/* IPV6 */
4658
	default:
4659
		addrp = NULL;
4660
		goto okay;
4661
	}
4662

4663
parse_error:
4664
	pr_warn(
4665
	       "SELinux: failure in selinux_parse_skb(),"
4666
	       " unable to parse packet\n");
4667
	return ret;
4668

4669
okay:
4670
	if (_addrp)
4671
		*_addrp = addrp;
4672
	return 0;
4673
}
4674

4675
/**
4676
 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4677
 * @skb: the packet
4678
 * @family: protocol family
4679
 * @sid: the packet's peer label SID
4680
 *
4681
 * Description:
4682
 * Check the various different forms of network peer labeling and determine
4683
 * the peer label/SID for the packet; most of the magic actually occurs in
4684
 * the security server function security_net_peersid_cmp().  The function
4685
 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4686
 * or -EACCES if @sid is invalid due to inconsistencies with the different
4687
 * peer labels.
4688
 *
4689
 */
4690
static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4691
{
4692
	int err;
4693
	u32 xfrm_sid;
4694
	u32 nlbl_sid;
4695
	u32 nlbl_type;
4696

4697
	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4698
	if (unlikely(err))
4699
		return -EACCES;
4700
	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4701
	if (unlikely(err))
4702
		return -EACCES;
4703

4704
	err = security_net_peersid_resolve(nlbl_sid,
4705
					   nlbl_type, xfrm_sid, sid);
4706
	if (unlikely(err)) {
4707
		pr_warn(
4708
		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4709
		       " unable to determine packet's peer label\n");
4710
		return -EACCES;
4711
	}
4712

4713
	return 0;
4714
}
4715

4716
/**
4717
 * selinux_conn_sid - Determine the child socket label for a connection
4718
 * @sk_sid: the parent socket's SID
4719
 * @skb_sid: the packet's SID
4720
 * @conn_sid: the resulting connection SID
4721
 *
4722
 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4723
 * combined with the MLS information from @skb_sid in order to create
4724
 * @conn_sid.  If @skb_sid is not valid then @conn_sid is simply a copy
4725
 * of @sk_sid.  Returns zero on success, negative values on failure.
4726
 *
4727
 */
4728
static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4729
{
4730
	int err = 0;
4731

4732
	if (skb_sid != SECSID_NULL)
4733
		err = security_sid_mls_copy(sk_sid, skb_sid,
4734
					    conn_sid);
4735
	else
4736
		*conn_sid = sk_sid;
4737

4738
	return err;
4739
}
4740

4741
/* socket security operations */
4742

4743
static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4744
				 u16 secclass, u32 *socksid)
4745
{
4746
	if (tsec->sockcreate_sid > SECSID_NULL) {
4747
		*socksid = tsec->sockcreate_sid;
4748
		return 0;
4749
	}
4750

4751
	return security_transition_sid(tsec->sid, tsec->sid,
4752
				       secclass, NULL, socksid);
4753
}
4754

4755
static bool sock_skip_has_perm(u32 sid)
4756
{
4757
	if (sid == SECINITSID_KERNEL)
4758
		return true;
4759

4760
	/*
4761
	 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that
4762
	 * inherited the kernel context from early boot used to be skipped
4763
	 * here, so preserve that behavior unless the capability is set.
4764
	 *
4765
	 * By setting the capability the policy signals that it is ready
4766
	 * for this quirk to be fixed. Note that sockets created by a kernel
4767
	 * thread or a usermode helper executed without a transition will
4768
	 * still be skipped in this check regardless of the policycap
4769
	 * setting.
4770
	 */
4771
	if (!selinux_policycap_userspace_initial_context() &&
4772
	    sid == SECINITSID_INIT)
4773
		return true;
4774
	return false;
4775
}
4776

4777

4778
static int sock_has_perm(struct sock *sk, u32 perms)
4779
{
4780
	struct sk_security_struct *sksec = sk->sk_security;
4781
	struct common_audit_data ad;
4782
	struct lsm_network_audit net;
4783

4784
	if (sock_skip_has_perm(sksec->sid))
4785
		return 0;
4786

4787
	ad_net_init_from_sk(&ad, &net, sk);
4788

4789
	return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4790
			    &ad);
4791
}
4792

4793
static int selinux_socket_create(int family, int type,
4794
				 int protocol, int kern)
4795
{
4796
	const struct task_security_struct *tsec = selinux_cred(current_cred());
4797
	u32 newsid;
4798
	u16 secclass;
4799
	int rc;
4800

4801
	if (kern)
4802
		return 0;
4803

4804
	secclass = socket_type_to_security_class(family, type, protocol);
4805
	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4806
	if (rc)
4807
		return rc;
4808

4809
	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4810
}
4811

4812
static int selinux_socket_post_create(struct socket *sock, int family,
4813
				      int type, int protocol, int kern)
4814
{
4815
	const struct task_security_struct *tsec = selinux_cred(current_cred());
4816
	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4817
	struct sk_security_struct *sksec;
4818
	u16 sclass = socket_type_to_security_class(family, type, protocol);
4819
	u32 sid = SECINITSID_KERNEL;
4820
	int err = 0;
4821

4822
	if (!kern) {
4823
		err = socket_sockcreate_sid(tsec, sclass, &sid);
4824
		if (err)
4825
			return err;
4826
	}
4827

4828
	isec->sclass = sclass;
4829
	isec->sid = sid;
4830
	isec->initialized = LABEL_INITIALIZED;
4831

4832
	if (sock->sk) {
4833
		sksec = selinux_sock(sock->sk);
4834
		sksec->sclass = sclass;
4835
		sksec->sid = sid;
4836
		/* Allows detection of the first association on this socket */
4837
		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4838
			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4839

4840
		err = selinux_netlbl_socket_post_create(sock->sk, family);
4841
	}
4842

4843
	return err;
4844
}
4845

4846
static int selinux_socket_socketpair(struct socket *socka,
4847
				     struct socket *sockb)
4848
{
4849
	struct sk_security_struct *sksec_a = selinux_sock(socka->sk);
4850
	struct sk_security_struct *sksec_b = selinux_sock(sockb->sk);
4851

4852
	sksec_a->peer_sid = sksec_b->sid;
4853
	sksec_b->peer_sid = sksec_a->sid;
4854

4855
	return 0;
4856
}
4857

4858
/* Range of port numbers used to automatically bind.
4859
   Need to determine whether we should perform a name_bind
4860
   permission check between the socket and the port number. */
4861

4862
static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4863
{
4864
	struct sock *sk = sock->sk;
4865
	struct sk_security_struct *sksec = selinux_sock(sk);
4866
	u16 family;
4867
	int err;
4868

4869
	err = sock_has_perm(sk, SOCKET__BIND);
4870
	if (err)
4871
		goto out;
4872

4873
	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4874
	family = sk->sk_family;
4875
	if (family == PF_INET || family == PF_INET6) {
4876
		char *addrp;
4877
		struct common_audit_data ad;
4878
		struct lsm_network_audit net = {0,};
4879
		struct sockaddr_in *addr4 = NULL;
4880
		struct sockaddr_in6 *addr6 = NULL;
4881
		u16 family_sa;
4882
		unsigned short snum;
4883
		u32 sid, node_perm;
4884

4885
		/*
4886
		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4887
		 * that validates multiple binding addresses. Because of this
4888
		 * need to check address->sa_family as it is possible to have
4889
		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4890
		 */
4891
		if (addrlen < offsetofend(struct sockaddr, sa_family))
4892
			return -EINVAL;
4893
		family_sa = address->sa_family;
4894
		switch (family_sa) {
4895
		case AF_UNSPEC:
4896
		case AF_INET:
4897
			if (addrlen < sizeof(struct sockaddr_in))
4898
				return -EINVAL;
4899
			addr4 = (struct sockaddr_in *)address;
4900
			if (family_sa == AF_UNSPEC) {
4901
				if (family == PF_INET6) {
4902
					/* Length check from inet6_bind_sk() */
4903
					if (addrlen < SIN6_LEN_RFC2133)
4904
						return -EINVAL;
4905
					/* Family check from __inet6_bind() */
4906
					goto err_af;
4907
				}
4908
				/* see __inet_bind(), we only want to allow
4909
				 * AF_UNSPEC if the address is INADDR_ANY
4910
				 */
4911
				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4912
					goto err_af;
4913
				family_sa = AF_INET;
4914
			}
4915
			snum = ntohs(addr4->sin_port);
4916
			addrp = (char *)&addr4->sin_addr.s_addr;
4917
			break;
4918
		case AF_INET6:
4919
			if (addrlen < SIN6_LEN_RFC2133)
4920
				return -EINVAL;
4921
			addr6 = (struct sockaddr_in6 *)address;
4922
			snum = ntohs(addr6->sin6_port);
4923
			addrp = (char *)&addr6->sin6_addr.s6_addr;
4924
			break;
4925
		default:
4926
			goto err_af;
4927
		}
4928

4929
		ad.type = LSM_AUDIT_DATA_NET;
4930
		ad.u.net = &net;
4931
		ad.u.net->sport = htons(snum);
4932
		ad.u.net->family = family_sa;
4933

4934
		if (snum) {
4935
			int low, high;
4936

4937
			inet_get_local_port_range(sock_net(sk), &low, &high);
4938

4939
			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4940
			    snum < low || snum > high) {
4941
				err = sel_netport_sid(sk->sk_protocol,
4942
						      snum, &sid);
4943
				if (err)
4944
					goto out;
4945
				err = avc_has_perm(sksec->sid, sid,
4946
						   sksec->sclass,
4947
						   SOCKET__NAME_BIND, &ad);
4948
				if (err)
4949
					goto out;
4950
			}
4951
		}
4952

4953
		switch (sksec->sclass) {
4954
		case SECCLASS_TCP_SOCKET:
4955
			node_perm = TCP_SOCKET__NODE_BIND;
4956
			break;
4957

4958
		case SECCLASS_UDP_SOCKET:
4959
			node_perm = UDP_SOCKET__NODE_BIND;
4960
			break;
4961

4962
		case SECCLASS_SCTP_SOCKET:
4963
			node_perm = SCTP_SOCKET__NODE_BIND;
4964
			break;
4965

4966
		default:
4967
			node_perm = RAWIP_SOCKET__NODE_BIND;
4968
			break;
4969
		}
4970

4971
		err = sel_netnode_sid(addrp, family_sa, &sid);
4972
		if (err)
4973
			goto out;
4974

4975
		if (family_sa == AF_INET)
4976
			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4977
		else
4978
			ad.u.net->v6info.saddr = addr6->sin6_addr;
4979

4980
		err = avc_has_perm(sksec->sid, sid,
4981
				   sksec->sclass, node_perm, &ad);
4982
		if (err)
4983
			goto out;
4984
	}
4985
out:
4986
	return err;
4987
err_af:
4988
	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4989
	if (sk->sk_protocol == IPPROTO_SCTP)
4990
		return -EINVAL;
4991
	return -EAFNOSUPPORT;
4992
}
4993

4994
/* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4995
 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4996
 */
4997
static int selinux_socket_connect_helper(struct socket *sock,
4998
					 struct sockaddr *address, int addrlen)
4999
{
5000
	struct sock *sk = sock->sk;
5001
	struct sk_security_struct *sksec = selinux_sock(sk);
5002
	int err;
5003

5004
	err = sock_has_perm(sk, SOCKET__CONNECT);
5005
	if (err)
5006
		return err;
5007
	if (addrlen < offsetofend(struct sockaddr, sa_family))
5008
		return -EINVAL;
5009

5010
	/* connect(AF_UNSPEC) has special handling, as it is a documented
5011
	 * way to disconnect the socket
5012
	 */
5013
	if (address->sa_family == AF_UNSPEC)
5014
		return 0;
5015

5016
	/*
5017
	 * If a TCP or SCTP socket, check name_connect permission
5018
	 * for the port.
5019
	 */
5020
	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
5021
	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
5022
		struct common_audit_data ad;
5023
		struct lsm_network_audit net = {0,};
5024
		struct sockaddr_in *addr4 = NULL;
5025
		struct sockaddr_in6 *addr6 = NULL;
5026
		unsigned short snum;
5027
		u32 sid, perm;
5028

5029
		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
5030
		 * that validates multiple connect addresses. Because of this
5031
		 * need to check address->sa_family as it is possible to have
5032
		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
5033
		 */
5034
		switch (address->sa_family) {
5035
		case AF_INET:
5036
			addr4 = (struct sockaddr_in *)address;
5037
			if (addrlen < sizeof(struct sockaddr_in))
5038
				return -EINVAL;
5039
			snum = ntohs(addr4->sin_port);
5040
			break;
5041
		case AF_INET6:
5042
			addr6 = (struct sockaddr_in6 *)address;
5043
			if (addrlen < SIN6_LEN_RFC2133)
5044
				return -EINVAL;
5045
			snum = ntohs(addr6->sin6_port);
5046
			break;
5047
		default:
5048
			/* Note that SCTP services expect -EINVAL, whereas
5049
			 * others expect -EAFNOSUPPORT.
5050
			 */
5051
			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
5052
				return -EINVAL;
5053
			else
5054
				return -EAFNOSUPPORT;
5055
		}
5056

5057
		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
5058
		if (err)
5059
			return err;
5060

5061
		switch (sksec->sclass) {
5062
		case SECCLASS_TCP_SOCKET:
5063
			perm = TCP_SOCKET__NAME_CONNECT;
5064
			break;
5065
		case SECCLASS_SCTP_SOCKET:
5066
			perm = SCTP_SOCKET__NAME_CONNECT;
5067
			break;
5068
		}
5069

5070
		ad.type = LSM_AUDIT_DATA_NET;
5071
		ad.u.net = &net;
5072
		ad.u.net->dport = htons(snum);
5073
		ad.u.net->family = address->sa_family;
5074
		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
5075
		if (err)
5076
			return err;
5077
	}
5078

5079
	return 0;
5080
}
5081

5082
/* Supports connect(2), see comments in selinux_socket_connect_helper() */
5083
static int selinux_socket_connect(struct socket *sock,
5084
				  struct sockaddr *address, int addrlen)
5085
{
5086
	int err;
5087
	struct sock *sk = sock->sk;
5088

5089
	err = selinux_socket_connect_helper(sock, address, addrlen);
5090
	if (err)
5091
		return err;
5092

5093
	return selinux_netlbl_socket_connect(sk, address);
5094
}
5095

5096
static int selinux_socket_listen(struct socket *sock, int backlog)
5097
{
5098
	return sock_has_perm(sock->sk, SOCKET__LISTEN);
5099
}
5100

5101
static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
5102
{
5103
	int err;
5104
	struct inode_security_struct *isec;
5105
	struct inode_security_struct *newisec;
5106
	u16 sclass;
5107
	u32 sid;
5108

5109
	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
5110
	if (err)
5111
		return err;
5112

5113
	isec = inode_security_novalidate(SOCK_INODE(sock));
5114
	spin_lock(&isec->lock);
5115
	sclass = isec->sclass;
5116
	sid = isec->sid;
5117
	spin_unlock(&isec->lock);
5118

5119
	newisec = inode_security_novalidate(SOCK_INODE(newsock));
5120
	newisec->sclass = sclass;
5121
	newisec->sid = sid;
5122
	newisec->initialized = LABEL_INITIALIZED;
5123

5124
	return 0;
5125
}
5126

5127
static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
5128
				  int size)
5129
{
5130
	return sock_has_perm(sock->sk, SOCKET__WRITE);
5131
}
5132

5133
static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
5134
				  int size, int flags)
5135
{
5136
	return sock_has_perm(sock->sk, SOCKET__READ);
5137
}
5138

5139
static int selinux_socket_getsockname(struct socket *sock)
5140
{
5141
	return sock_has_perm(sock->sk, SOCKET__GETATTR);
5142
}
5143

5144
static int selinux_socket_getpeername(struct socket *sock)
5145
{
5146
	return sock_has_perm(sock->sk, SOCKET__GETATTR);
5147
}
5148

5149
static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
5150
{
5151
	int err;
5152

5153
	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
5154
	if (err)
5155
		return err;
5156

5157
	return selinux_netlbl_socket_setsockopt(sock, level, optname);
5158
}
5159

5160
static int selinux_socket_getsockopt(struct socket *sock, int level,
5161
				     int optname)
5162
{
5163
	return sock_has_perm(sock->sk, SOCKET__GETOPT);
5164
}
5165

5166
static int selinux_socket_shutdown(struct socket *sock, int how)
5167
{
5168
	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
5169
}
5170

5171
static int selinux_socket_unix_stream_connect(struct sock *sock,
5172
					      struct sock *other,
5173
					      struct sock *newsk)
5174
{
5175
	struct sk_security_struct *sksec_sock = selinux_sock(sock);
5176
	struct sk_security_struct *sksec_other = selinux_sock(other);
5177
	struct sk_security_struct *sksec_new = selinux_sock(newsk);
5178
	struct common_audit_data ad;
5179
	struct lsm_network_audit net;
5180
	int err;
5181

5182
	ad_net_init_from_sk(&ad, &net, other);
5183

5184
	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
5185
			   sksec_other->sclass,
5186
			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
5187
	if (err)
5188
		return err;
5189

5190
	/* server child socket */
5191
	sksec_new->peer_sid = sksec_sock->sid;
5192
	err = security_sid_mls_copy(sksec_other->sid,
5193
				    sksec_sock->sid, &sksec_new->sid);
5194
	if (err)
5195
		return err;
5196

5197
	/* connecting socket */
5198
	sksec_sock->peer_sid = sksec_new->sid;
5199

5200
	return 0;
5201
}
5202

5203
static int selinux_socket_unix_may_send(struct socket *sock,
5204
					struct socket *other)
5205
{
5206
	struct sk_security_struct *ssec = selinux_sock(sock->sk);
5207
	struct sk_security_struct *osec = selinux_sock(other->sk);
5208
	struct common_audit_data ad;
5209
	struct lsm_network_audit net;
5210

5211
	ad_net_init_from_sk(&ad, &net, other->sk);
5212

5213
	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5214
			    &ad);
5215
}
5216

5217
static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5218
				    char *addrp, u16 family, u32 peer_sid,
5219
				    struct common_audit_data *ad)
5220
{
5221
	int err;
5222
	u32 if_sid;
5223
	u32 node_sid;
5224

5225
	err = sel_netif_sid(ns, ifindex, &if_sid);
5226
	if (err)
5227
		return err;
5228
	err = avc_has_perm(peer_sid, if_sid,
5229
			   SECCLASS_NETIF, NETIF__INGRESS, ad);
5230
	if (err)
5231
		return err;
5232

5233
	err = sel_netnode_sid(addrp, family, &node_sid);
5234
	if (err)
5235
		return err;
5236
	return avc_has_perm(peer_sid, node_sid,
5237
			    SECCLASS_NODE, NODE__RECVFROM, ad);
5238
}
5239

5240
static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5241
				       u16 family)
5242
{
5243
	int err = 0;
5244
	struct sk_security_struct *sksec = selinux_sock(sk);
5245
	u32 sk_sid = sksec->sid;
5246
	struct common_audit_data ad;
5247
	struct lsm_network_audit net;
5248
	char *addrp;
5249

5250
	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5251
	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5252
	if (err)
5253
		return err;
5254

5255
	if (selinux_secmark_enabled()) {
5256
		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5257
				   PACKET__RECV, &ad);
5258
		if (err)
5259
			return err;
5260
	}
5261

5262
	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5263
	if (err)
5264
		return err;
5265
	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5266

5267
	return err;
5268
}
5269

5270
static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5271
{
5272
	int err, peerlbl_active, secmark_active;
5273
	struct sk_security_struct *sksec = selinux_sock(sk);
5274
	u16 family = sk->sk_family;
5275
	u32 sk_sid = sksec->sid;
5276
	struct common_audit_data ad;
5277
	struct lsm_network_audit net;
5278
	char *addrp;
5279

5280
	if (family != PF_INET && family != PF_INET6)
5281
		return 0;
5282

5283
	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5284
	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5285
		family = PF_INET;
5286

5287
	/* If any sort of compatibility mode is enabled then handoff processing
5288
	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5289
	 * special handling.  We do this in an attempt to keep this function
5290
	 * as fast and as clean as possible. */
5291
	if (!selinux_policycap_netpeer())
5292
		return selinux_sock_rcv_skb_compat(sk, skb, family);
5293

5294
	secmark_active = selinux_secmark_enabled();
5295
	peerlbl_active = selinux_peerlbl_enabled();
5296
	if (!secmark_active && !peerlbl_active)
5297
		return 0;
5298

5299
	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5300
	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5301
	if (err)
5302
		return err;
5303

5304
	if (peerlbl_active) {
5305
		u32 peer_sid;
5306

5307
		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5308
		if (err)
5309
			return err;
5310
		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5311
					       addrp, family, peer_sid, &ad);
5312
		if (err) {
5313
			selinux_netlbl_err(skb, family, err, 0);
5314
			return err;
5315
		}
5316
		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
5317
				   PEER__RECV, &ad);
5318
		if (err) {
5319
			selinux_netlbl_err(skb, family, err, 0);
5320
			return err;
5321
		}
5322
	}
5323

5324
	if (secmark_active) {
5325
		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5326
				   PACKET__RECV, &ad);
5327
		if (err)
5328
			return err;
5329
	}
5330

5331
	return err;
5332
}
5333

5334
static int selinux_socket_getpeersec_stream(struct socket *sock,
5335
					    sockptr_t optval, sockptr_t optlen,
5336
					    unsigned int len)
5337
{
5338
	int err = 0;
5339
	char *scontext = NULL;
5340
	u32 scontext_len;
5341
	struct sk_security_struct *sksec = selinux_sock(sock->sk);
5342
	u32 peer_sid = SECSID_NULL;
5343

5344
	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5345
	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5346
	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5347
		peer_sid = sksec->peer_sid;
5348
	if (peer_sid == SECSID_NULL)
5349
		return -ENOPROTOOPT;
5350

5351
	err = security_sid_to_context(peer_sid, &scontext,
5352
				      &scontext_len);
5353
	if (err)
5354
		return err;
5355
	if (scontext_len > len) {
5356
		err = -ERANGE;
5357
		goto out_len;
5358
	}
5359

5360
	if (copy_to_sockptr(optval, scontext, scontext_len))
5361
		err = -EFAULT;
5362
out_len:
5363
	if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
5364
		err = -EFAULT;
5365
	kfree(scontext);
5366
	return err;
5367
}
5368

5369
static int selinux_socket_getpeersec_dgram(struct socket *sock,
5370
					   struct sk_buff *skb, u32 *secid)
5371
{
5372
	u32 peer_secid = SECSID_NULL;
5373
	u16 family;
5374

5375
	if (skb && skb->protocol == htons(ETH_P_IP))
5376
		family = PF_INET;
5377
	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5378
		family = PF_INET6;
5379
	else if (sock)
5380
		family = sock->sk->sk_family;
5381
	else {
5382
		*secid = SECSID_NULL;
5383
		return -EINVAL;
5384
	}
5385

5386
	if (sock && family == PF_UNIX) {
5387
		struct inode_security_struct *isec;
5388
		isec = inode_security_novalidate(SOCK_INODE(sock));
5389
		peer_secid = isec->sid;
5390
	} else if (skb)
5391
		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5392

5393
	*secid = peer_secid;
5394
	if (peer_secid == SECSID_NULL)
5395
		return -ENOPROTOOPT;
5396
	return 0;
5397
}
5398

5399
static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5400
{
5401
	struct sk_security_struct *sksec = selinux_sock(sk);
5402

5403
	sksec->peer_sid = SECINITSID_UNLABELED;
5404
	sksec->sid = SECINITSID_UNLABELED;
5405
	sksec->sclass = SECCLASS_SOCKET;
5406
	selinux_netlbl_sk_security_reset(sksec);
5407

5408
	return 0;
5409
}
5410

5411
static void selinux_sk_free_security(struct sock *sk)
5412
{
5413
	struct sk_security_struct *sksec = selinux_sock(sk);
5414

5415
	selinux_netlbl_sk_security_free(sksec);
5416
}
5417

5418
static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5419
{
5420
	struct sk_security_struct *sksec = selinux_sock(sk);
5421
	struct sk_security_struct *newsksec = selinux_sock(newsk);
5422

5423
	newsksec->sid = sksec->sid;
5424
	newsksec->peer_sid = sksec->peer_sid;
5425
	newsksec->sclass = sksec->sclass;
5426

5427
	selinux_netlbl_sk_security_reset(newsksec);
5428
}
5429

5430
static void selinux_sk_getsecid(const struct sock *sk, u32 *secid)
5431
{
5432
	if (!sk)
5433
		*secid = SECINITSID_ANY_SOCKET;
5434
	else {
5435
		const struct sk_security_struct *sksec = selinux_sock(sk);
5436

5437
		*secid = sksec->sid;
5438
	}
5439
}
5440

5441
static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5442
{
5443
	struct inode_security_struct *isec =
5444
		inode_security_novalidate(SOCK_INODE(parent));
5445
	struct sk_security_struct *sksec = selinux_sock(sk);
5446

5447
	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5448
	    sk->sk_family == PF_UNIX)
5449
		isec->sid = sksec->sid;
5450
	sksec->sclass = isec->sclass;
5451
}
5452

5453
/*
5454
 * Determines peer_secid for the asoc and updates socket's peer label
5455
 * if it's the first association on the socket.
5456
 */
5457
static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5458
					  struct sk_buff *skb)
5459
{
5460
	struct sock *sk = asoc->base.sk;
5461
	u16 family = sk->sk_family;
5462
	struct sk_security_struct *sksec = selinux_sock(sk);
5463
	struct common_audit_data ad;
5464
	struct lsm_network_audit net;
5465
	int err;
5466

5467
	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5468
	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5469
		family = PF_INET;
5470

5471
	if (selinux_peerlbl_enabled()) {
5472
		asoc->peer_secid = SECSID_NULL;
5473

5474
		/* This will return peer_sid = SECSID_NULL if there are
5475
		 * no peer labels, see security_net_peersid_resolve().
5476
		 */
5477
		err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5478
		if (err)
5479
			return err;
5480

5481
		if (asoc->peer_secid == SECSID_NULL)
5482
			asoc->peer_secid = SECINITSID_UNLABELED;
5483
	} else {
5484
		asoc->peer_secid = SECINITSID_UNLABELED;
5485
	}
5486

5487
	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5488
		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5489

5490
		/* Here as first association on socket. As the peer SID
5491
		 * was allowed by peer recv (and the netif/node checks),
5492
		 * then it is approved by policy and used as the primary
5493
		 * peer SID for getpeercon(3).
5494
		 */
5495
		sksec->peer_sid = asoc->peer_secid;
5496
	} else if (sksec->peer_sid != asoc->peer_secid) {
5497
		/* Other association peer SIDs are checked to enforce
5498
		 * consistency among the peer SIDs.
5499
		 */
5500
		ad_net_init_from_sk(&ad, &net, asoc->base.sk);
5501
		err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
5502
				   sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5503
				   &ad);
5504
		if (err)
5505
			return err;
5506
	}
5507
	return 0;
5508
}
5509

5510
/* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5511
 * happens on an incoming connect(2), sctp_connectx(3) or
5512
 * sctp_sendmsg(3) (with no association already present).
5513
 */
5514
static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5515
				      struct sk_buff *skb)
5516
{
5517
	struct sk_security_struct *sksec = selinux_sock(asoc->base.sk);
5518
	u32 conn_sid;
5519
	int err;
5520

5521
	if (!selinux_policycap_extsockclass())
5522
		return 0;
5523

5524
	err = selinux_sctp_process_new_assoc(asoc, skb);
5525
	if (err)
5526
		return err;
5527

5528
	/* Compute the MLS component for the connection and store
5529
	 * the information in asoc. This will be used by SCTP TCP type
5530
	 * sockets and peeled off connections as they cause a new
5531
	 * socket to be generated. selinux_sctp_sk_clone() will then
5532
	 * plug this into the new socket.
5533
	 */
5534
	err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5535
	if (err)
5536
		return err;
5537

5538
	asoc->secid = conn_sid;
5539

5540
	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5541
	return selinux_netlbl_sctp_assoc_request(asoc, skb);
5542
}
5543

5544
/* Called when SCTP receives a COOKIE ACK chunk as the final
5545
 * response to an association request (initited by us).
5546
 */
5547
static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5548
					  struct sk_buff *skb)
5549
{
5550
	struct sk_security_struct *sksec = selinux_sock(asoc->base.sk);
5551

5552
	if (!selinux_policycap_extsockclass())
5553
		return 0;
5554

5555
	/* Inherit secid from the parent socket - this will be picked up
5556
	 * by selinux_sctp_sk_clone() if the association gets peeled off
5557
	 * into a new socket.
5558
	 */
5559
	asoc->secid = sksec->sid;
5560

5561
	return selinux_sctp_process_new_assoc(asoc, skb);
5562
}
5563

5564
/* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5565
 * based on their @optname.
5566
 */
5567
static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5568
				     struct sockaddr *address,
5569
				     int addrlen)
5570
{
5571
	int len, err = 0, walk_size = 0;
5572
	void *addr_buf;
5573
	struct sockaddr *addr;
5574
	struct socket *sock;
5575

5576
	if (!selinux_policycap_extsockclass())
5577
		return 0;
5578

5579
	/* Process one or more addresses that may be IPv4 or IPv6 */
5580
	sock = sk->sk_socket;
5581
	addr_buf = address;
5582

5583
	while (walk_size < addrlen) {
5584
		if (walk_size + sizeof(sa_family_t) > addrlen)
5585
			return -EINVAL;
5586

5587
		addr = addr_buf;
5588
		switch (addr->sa_family) {
5589
		case AF_UNSPEC:
5590
		case AF_INET:
5591
			len = sizeof(struct sockaddr_in);
5592
			break;
5593
		case AF_INET6:
5594
			len = sizeof(struct sockaddr_in6);
5595
			break;
5596
		default:
5597
			return -EINVAL;
5598
		}
5599

5600
		if (walk_size + len > addrlen)
5601
			return -EINVAL;
5602

5603
		err = -EINVAL;
5604
		switch (optname) {
5605
		/* Bind checks */
5606
		case SCTP_PRIMARY_ADDR:
5607
		case SCTP_SET_PEER_PRIMARY_ADDR:
5608
		case SCTP_SOCKOPT_BINDX_ADD:
5609
			err = selinux_socket_bind(sock, addr, len);
5610
			break;
5611
		/* Connect checks */
5612
		case SCTP_SOCKOPT_CONNECTX:
5613
		case SCTP_PARAM_SET_PRIMARY:
5614
		case SCTP_PARAM_ADD_IP:
5615
		case SCTP_SENDMSG_CONNECT:
5616
			err = selinux_socket_connect_helper(sock, addr, len);
5617
			if (err)
5618
				return err;
5619

5620
			/* As selinux_sctp_bind_connect() is called by the
5621
			 * SCTP protocol layer, the socket is already locked,
5622
			 * therefore selinux_netlbl_socket_connect_locked()
5623
			 * is called here. The situations handled are:
5624
			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5625
			 * whenever a new IP address is added or when a new
5626
			 * primary address is selected.
5627
			 * Note that an SCTP connect(2) call happens before
5628
			 * the SCTP protocol layer and is handled via
5629
			 * selinux_socket_connect().
5630
			 */
5631
			err = selinux_netlbl_socket_connect_locked(sk, addr);
5632
			break;
5633
		}
5634

5635
		if (err)
5636
			return err;
5637

5638
		addr_buf += len;
5639
		walk_size += len;
5640
	}
5641

5642
	return 0;
5643
}
5644

5645
/* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5646
static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5647
				  struct sock *newsk)
5648
{
5649
	struct sk_security_struct *sksec = selinux_sock(sk);
5650
	struct sk_security_struct *newsksec = selinux_sock(newsk);
5651

5652
	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5653
	 * the non-sctp clone version.
5654
	 */
5655
	if (!selinux_policycap_extsockclass())
5656
		return selinux_sk_clone_security(sk, newsk);
5657

5658
	newsksec->sid = asoc->secid;
5659
	newsksec->peer_sid = asoc->peer_secid;
5660
	newsksec->sclass = sksec->sclass;
5661
	selinux_netlbl_sctp_sk_clone(sk, newsk);
5662
}
5663

5664
static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
5665
{
5666
	struct sk_security_struct *ssksec = selinux_sock(ssk);
5667
	struct sk_security_struct *sksec = selinux_sock(sk);
5668

5669
	ssksec->sclass = sksec->sclass;
5670
	ssksec->sid = sksec->sid;
5671

5672
	/* replace the existing subflow label deleting the existing one
5673
	 * and re-recreating a new label using the updated context
5674
	 */
5675
	selinux_netlbl_sk_security_free(ssksec);
5676
	return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
5677
}
5678

5679
static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5680
				     struct request_sock *req)
5681
{
5682
	struct sk_security_struct *sksec = selinux_sock(sk);
5683
	int err;
5684
	u16 family = req->rsk_ops->family;
5685
	u32 connsid;
5686
	u32 peersid;
5687

5688
	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5689
	if (err)
5690
		return err;
5691
	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5692
	if (err)
5693
		return err;
5694
	req->secid = connsid;
5695
	req->peer_secid = peersid;
5696

5697
	return selinux_netlbl_inet_conn_request(req, family);
5698
}
5699

5700
static void selinux_inet_csk_clone(struct sock *newsk,
5701
				   const struct request_sock *req)
5702
{
5703
	struct sk_security_struct *newsksec = selinux_sock(newsk);
5704

5705
	newsksec->sid = req->secid;
5706
	newsksec->peer_sid = req->peer_secid;
5707
	/* NOTE: Ideally, we should also get the isec->sid for the
5708
	   new socket in sync, but we don't have the isec available yet.
5709
	   So we will wait until sock_graft to do it, by which
5710
	   time it will have been created and available. */
5711

5712
	/* We don't need to take any sort of lock here as we are the only
5713
	 * thread with access to newsksec */
5714
	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5715
}
5716

5717
static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5718
{
5719
	u16 family = sk->sk_family;
5720
	struct sk_security_struct *sksec = selinux_sock(sk);
5721

5722
	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5723
	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5724
		family = PF_INET;
5725

5726
	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5727
}
5728

5729
static int selinux_secmark_relabel_packet(u32 sid)
5730
{
5731
	return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO,
5732
			    NULL);
5733
}
5734

5735
static void selinux_secmark_refcount_inc(void)
5736
{
5737
	atomic_inc(&selinux_secmark_refcount);
5738
}
5739

5740
static void selinux_secmark_refcount_dec(void)
5741
{
5742
	atomic_dec(&selinux_secmark_refcount);
5743
}
5744

5745
static void selinux_req_classify_flow(const struct request_sock *req,
5746
				      struct flowi_common *flic)
5747
{
5748
	flic->flowic_secid = req->secid;
5749
}
5750

5751
static int selinux_tun_dev_alloc_security(void *security)
5752
{
5753
	struct tun_security_struct *tunsec = selinux_tun_dev(security);
5754

5755
	tunsec->sid = current_sid();
5756
	return 0;
5757
}
5758

5759
static int selinux_tun_dev_create(void)
5760
{
5761
	u32 sid = current_sid();
5762

5763
	/* we aren't taking into account the "sockcreate" SID since the socket
5764
	 * that is being created here is not a socket in the traditional sense,
5765
	 * instead it is a private sock, accessible only to the kernel, and
5766
	 * representing a wide range of network traffic spanning multiple
5767
	 * connections unlike traditional sockets - check the TUN driver to
5768
	 * get a better understanding of why this socket is special */
5769

5770
	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5771
			    NULL);
5772
}
5773

5774
static int selinux_tun_dev_attach_queue(void *security)
5775
{
5776
	struct tun_security_struct *tunsec = selinux_tun_dev(security);
5777

5778
	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5779
			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5780
}
5781

5782
static int selinux_tun_dev_attach(struct sock *sk, void *security)
5783
{
5784
	struct tun_security_struct *tunsec = selinux_tun_dev(security);
5785
	struct sk_security_struct *sksec = selinux_sock(sk);
5786

5787
	/* we don't currently perform any NetLabel based labeling here and it
5788
	 * isn't clear that we would want to do so anyway; while we could apply
5789
	 * labeling without the support of the TUN user the resulting labeled
5790
	 * traffic from the other end of the connection would almost certainly
5791
	 * cause confusion to the TUN user that had no idea network labeling
5792
	 * protocols were being used */
5793

5794
	sksec->sid = tunsec->sid;
5795
	sksec->sclass = SECCLASS_TUN_SOCKET;
5796

5797
	return 0;
5798
}
5799

5800
static int selinux_tun_dev_open(void *security)
5801
{
5802
	struct tun_security_struct *tunsec = selinux_tun_dev(security);
5803
	u32 sid = current_sid();
5804
	int err;
5805

5806
	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5807
			   TUN_SOCKET__RELABELFROM, NULL);
5808
	if (err)
5809
		return err;
5810
	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5811
			   TUN_SOCKET__RELABELTO, NULL);
5812
	if (err)
5813
		return err;
5814
	tunsec->sid = sid;
5815

5816
	return 0;
5817
}
5818

5819
#ifdef CONFIG_NETFILTER
5820

5821
static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5822
				       const struct nf_hook_state *state)
5823
{
5824
	int ifindex;
5825
	u16 family;
5826
	char *addrp;
5827
	u32 peer_sid;
5828
	struct common_audit_data ad;
5829
	struct lsm_network_audit net;
5830
	int secmark_active, peerlbl_active;
5831

5832
	if (!selinux_policycap_netpeer())
5833
		return NF_ACCEPT;
5834

5835
	secmark_active = selinux_secmark_enabled();
5836
	peerlbl_active = selinux_peerlbl_enabled();
5837
	if (!secmark_active && !peerlbl_active)
5838
		return NF_ACCEPT;
5839

5840
	family = state->pf;
5841
	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5842
		return NF_DROP;
5843

5844
	ifindex = state->in->ifindex;
5845
	ad_net_init_from_iif(&ad, &net, ifindex, family);
5846
	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5847
		return NF_DROP;
5848

5849
	if (peerlbl_active) {
5850
		int err;
5851

5852
		err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5853
					       addrp, family, peer_sid, &ad);
5854
		if (err) {
5855
			selinux_netlbl_err(skb, family, err, 1);
5856
			return NF_DROP;
5857
		}
5858
	}
5859

5860
	if (secmark_active)
5861
		if (avc_has_perm(peer_sid, skb->secmark,
5862
				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5863
			return NF_DROP;
5864

5865
	if (netlbl_enabled())
5866
		/* we do this in the FORWARD path and not the POST_ROUTING
5867
		 * path because we want to make sure we apply the necessary
5868
		 * labeling before IPsec is applied so we can leverage AH
5869
		 * protection */
5870
		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5871
			return NF_DROP;
5872

5873
	return NF_ACCEPT;
5874
}
5875

5876
static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5877
				      const struct nf_hook_state *state)
5878
{
5879
	struct sock *sk;
5880
	u32 sid;
5881

5882
	if (!netlbl_enabled())
5883
		return NF_ACCEPT;
5884

5885
	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5886
	 * because we want to make sure we apply the necessary labeling
5887
	 * before IPsec is applied so we can leverage AH protection */
5888
	sk = sk_to_full_sk(skb->sk);
5889
	if (sk) {
5890
		struct sk_security_struct *sksec;
5891

5892
		if (sk_listener(sk))
5893
			/* if the socket is the listening state then this
5894
			 * packet is a SYN-ACK packet which means it needs to
5895
			 * be labeled based on the connection/request_sock and
5896
			 * not the parent socket.  unfortunately, we can't
5897
			 * lookup the request_sock yet as it isn't queued on
5898
			 * the parent socket until after the SYN-ACK is sent.
5899
			 * the "solution" is to simply pass the packet as-is
5900
			 * as any IP option based labeling should be copied
5901
			 * from the initial connection request (in the IP
5902
			 * layer).  it is far from ideal, but until we get a
5903
			 * security label in the packet itself this is the
5904
			 * best we can do. */
5905
			return NF_ACCEPT;
5906

5907
		/* standard practice, label using the parent socket */
5908
		sksec = selinux_sock(sk);
5909
		sid = sksec->sid;
5910
	} else
5911
		sid = SECINITSID_KERNEL;
5912
	if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5913
		return NF_DROP;
5914

5915
	return NF_ACCEPT;
5916
}
5917

5918

5919
static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5920
					const struct nf_hook_state *state)
5921
{
5922
	struct sock *sk;
5923
	struct sk_security_struct *sksec;
5924
	struct common_audit_data ad;
5925
	struct lsm_network_audit net;
5926
	u8 proto = 0;
5927

5928
	sk = skb_to_full_sk(skb);
5929
	if (sk == NULL)
5930
		return NF_ACCEPT;
5931
	sksec = selinux_sock(sk);
5932

5933
	ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf);
5934
	if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5935
		return NF_DROP;
5936

5937
	if (selinux_secmark_enabled())
5938
		if (avc_has_perm(sksec->sid, skb->secmark,
5939
				 SECCLASS_PACKET, PACKET__SEND, &ad))
5940
			return NF_DROP_ERR(-ECONNREFUSED);
5941

5942
	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5943
		return NF_DROP_ERR(-ECONNREFUSED);
5944

5945
	return NF_ACCEPT;
5946
}
5947

5948
static unsigned int selinux_ip_postroute(void *priv,
5949
					 struct sk_buff *skb,
5950
					 const struct nf_hook_state *state)
5951
{
5952
	u16 family;
5953
	u32 secmark_perm;
5954
	u32 peer_sid;
5955
	int ifindex;
5956
	struct sock *sk;
5957
	struct common_audit_data ad;
5958
	struct lsm_network_audit net;
5959
	char *addrp;
5960
	int secmark_active, peerlbl_active;
5961

5962
	/* If any sort of compatibility mode is enabled then handoff processing
5963
	 * to the selinux_ip_postroute_compat() function to deal with the
5964
	 * special handling.  We do this in an attempt to keep this function
5965
	 * as fast and as clean as possible. */
5966
	if (!selinux_policycap_netpeer())
5967
		return selinux_ip_postroute_compat(skb, state);
5968

5969
	secmark_active = selinux_secmark_enabled();
5970
	peerlbl_active = selinux_peerlbl_enabled();
5971
	if (!secmark_active && !peerlbl_active)
5972
		return NF_ACCEPT;
5973

5974
	sk = skb_to_full_sk(skb);
5975

5976
#ifdef CONFIG_XFRM
5977
	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5978
	 * packet transformation so allow the packet to pass without any checks
5979
	 * since we'll have another chance to perform access control checks
5980
	 * when the packet is on it's final way out.
5981
	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5982
	 *       is NULL, in this case go ahead and apply access control.
5983
	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5984
	 *       TCP listening state we cannot wait until the XFRM processing
5985
	 *       is done as we will miss out on the SA label if we do;
5986
	 *       unfortunately, this means more work, but it is only once per
5987
	 *       connection. */
5988
	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5989
	    !(sk && sk_listener(sk)))
5990
		return NF_ACCEPT;
5991
#endif
5992

5993
	family = state->pf;
5994
	if (sk == NULL) {
5995
		/* Without an associated socket the packet is either coming
5996
		 * from the kernel or it is being forwarded; check the packet
5997
		 * to determine which and if the packet is being forwarded
5998
		 * query the packet directly to determine the security label. */
5999
		if (skb->skb_iif) {
6000
			secmark_perm = PACKET__FORWARD_OUT;
6001
			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
6002
				return NF_DROP;
6003
		} else {
6004
			secmark_perm = PACKET__SEND;
6005
			peer_sid = SECINITSID_KERNEL;
6006
		}
6007
	} else if (sk_listener(sk)) {
6008
		/* Locally generated packet but the associated socket is in the
6009
		 * listening state which means this is a SYN-ACK packet.  In
6010
		 * this particular case the correct security label is assigned
6011
		 * to the connection/request_sock but unfortunately we can't
6012
		 * query the request_sock as it isn't queued on the parent
6013
		 * socket until after the SYN-ACK packet is sent; the only
6014
		 * viable choice is to regenerate the label like we do in
6015
		 * selinux_inet_conn_request().  See also selinux_ip_output()
6016
		 * for similar problems. */
6017
		u32 skb_sid;
6018
		struct sk_security_struct *sksec;
6019

6020
		sksec = selinux_sock(sk);
6021
		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
6022
			return NF_DROP;
6023
		/* At this point, if the returned skb peerlbl is SECSID_NULL
6024
		 * and the packet has been through at least one XFRM
6025
		 * transformation then we must be dealing with the "final"
6026
		 * form of labeled IPsec packet; since we've already applied
6027
		 * all of our access controls on this packet we can safely
6028
		 * pass the packet. */
6029
		if (skb_sid == SECSID_NULL) {
6030
			switch (family) {
6031
			case PF_INET:
6032
				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
6033
					return NF_ACCEPT;
6034
				break;
6035
			case PF_INET6:
6036
				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
6037
					return NF_ACCEPT;
6038
				break;
6039
			default:
6040
				return NF_DROP_ERR(-ECONNREFUSED);
6041
			}
6042
		}
6043
		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
6044
			return NF_DROP;
6045
		secmark_perm = PACKET__SEND;
6046
	} else {
6047
		/* Locally generated packet, fetch the security label from the
6048
		 * associated socket. */
6049
		struct sk_security_struct *sksec = selinux_sock(sk);
6050
		peer_sid = sksec->sid;
6051
		secmark_perm = PACKET__SEND;
6052
	}
6053

6054
	ifindex = state->out->ifindex;
6055
	ad_net_init_from_iif(&ad, &net, ifindex, family);
6056
	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
6057
		return NF_DROP;
6058

6059
	if (secmark_active)
6060
		if (avc_has_perm(peer_sid, skb->secmark,
6061
				 SECCLASS_PACKET, secmark_perm, &ad))
6062
			return NF_DROP_ERR(-ECONNREFUSED);
6063

6064
	if (peerlbl_active) {
6065
		u32 if_sid;
6066
		u32 node_sid;
6067

6068
		if (sel_netif_sid(state->net, ifindex, &if_sid))
6069
			return NF_DROP;
6070
		if (avc_has_perm(peer_sid, if_sid,
6071
				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
6072
			return NF_DROP_ERR(-ECONNREFUSED);
6073

6074
		if (sel_netnode_sid(addrp, family, &node_sid))
6075
			return NF_DROP;
6076
		if (avc_has_perm(peer_sid, node_sid,
6077
				 SECCLASS_NODE, NODE__SENDTO, &ad))
6078
			return NF_DROP_ERR(-ECONNREFUSED);
6079
	}
6080

6081
	return NF_ACCEPT;
6082
}
6083
#endif	/* CONFIG_NETFILTER */
6084

6085
static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type)
6086
{
6087
	struct sk_security_struct *sksec = sk->sk_security;
6088
	struct common_audit_data ad;
6089
	u8 driver;
6090
	u8 xperm;
6091

6092
	if (sock_skip_has_perm(sksec->sid))
6093
		return 0;
6094

6095
	ad.type = LSM_AUDIT_DATA_NLMSGTYPE;
6096
	ad.u.nlmsg_type = nlmsg_type;
6097

6098
	driver = nlmsg_type >> 8;
6099
	xperm = nlmsg_type & 0xff;
6100

6101
	return avc_has_extended_perms(current_sid(), sksec->sid, sksec->sclass,
6102
				      perms, driver, AVC_EXT_NLMSG, xperm, &ad);
6103
}
6104

6105
static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
6106
{
6107
	int rc = 0;
6108
	unsigned int msg_len;
6109
	unsigned int data_len = skb->len;
6110
	unsigned char *data = skb->data;
6111
	struct nlmsghdr *nlh;
6112
	struct sk_security_struct *sksec = selinux_sock(sk);
6113
	u16 sclass = sksec->sclass;
6114
	u32 perm;
6115

6116
	while (data_len >= nlmsg_total_size(0)) {
6117
		nlh = (struct nlmsghdr *)data;
6118

6119
		/* NOTE: the nlmsg_len field isn't reliably set by some netlink
6120
		 *       users which means we can't reject skb's with bogus
6121
		 *       length fields; our solution is to follow what
6122
		 *       netlink_rcv_skb() does and simply skip processing at
6123
		 *       messages with length fields that are clearly junk
6124
		 */
6125
		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
6126
			return 0;
6127

6128
		rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
6129
		if (rc == 0) {
6130
			if (selinux_policycap_netlink_xperm()) {
6131
				rc = nlmsg_sock_has_extended_perms(
6132
					sk, perm, nlh->nlmsg_type);
6133
			} else {
6134
				rc = sock_has_perm(sk, perm);
6135
			}
6136
			if (rc)
6137
				return rc;
6138
		} else if (rc == -EINVAL) {
6139
			/* -EINVAL is a missing msg/perm mapping */
6140
			pr_warn_ratelimited("SELinux: unrecognized netlink"
6141
				" message: protocol=%hu nlmsg_type=%hu sclass=%s"
6142
				" pid=%d comm=%s\n",
6143
				sk->sk_protocol, nlh->nlmsg_type,
6144
				secclass_map[sclass - 1].name,
6145
				task_pid_nr(current), current->comm);
6146
			if (enforcing_enabled() &&
6147
			    !security_get_allow_unknown())
6148
				return rc;
6149
			rc = 0;
6150
		} else if (rc == -ENOENT) {
6151
			/* -ENOENT is a missing socket/class mapping, ignore */
6152
			rc = 0;
6153
		} else {
6154
			return rc;
6155
		}
6156

6157
		/* move to the next message after applying netlink padding */
6158
		msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
6159
		if (msg_len >= data_len)
6160
			return 0;
6161
		data_len -= msg_len;
6162
		data += msg_len;
6163
	}
6164

6165
	return rc;
6166
}
6167

6168
static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
6169
{
6170
	isec->sclass = sclass;
6171
	isec->sid = current_sid();
6172
}
6173

6174
static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
6175
			u32 perms)
6176
{
6177
	struct ipc_security_struct *isec;
6178
	struct common_audit_data ad;
6179
	u32 sid = current_sid();
6180

6181
	isec = selinux_ipc(ipc_perms);
6182

6183
	ad.type = LSM_AUDIT_DATA_IPC;
6184
	ad.u.ipc_id = ipc_perms->key;
6185

6186
	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
6187
}
6188

6189
static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6190
{
6191
	struct msg_security_struct *msec;
6192

6193
	msec = selinux_msg_msg(msg);
6194
	msec->sid = SECINITSID_UNLABELED;
6195

6196
	return 0;
6197
}
6198

6199
/* message queue security operations */
6200
static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6201
{
6202
	struct ipc_security_struct *isec;
6203
	struct common_audit_data ad;
6204
	u32 sid = current_sid();
6205

6206
	isec = selinux_ipc(msq);
6207
	ipc_init_security(isec, SECCLASS_MSGQ);
6208

6209
	ad.type = LSM_AUDIT_DATA_IPC;
6210
	ad.u.ipc_id = msq->key;
6211

6212
	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6213
			    MSGQ__CREATE, &ad);
6214
}
6215

6216
static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6217
{
6218
	struct ipc_security_struct *isec;
6219
	struct common_audit_data ad;
6220
	u32 sid = current_sid();
6221

6222
	isec = selinux_ipc(msq);
6223

6224
	ad.type = LSM_AUDIT_DATA_IPC;
6225
	ad.u.ipc_id = msq->key;
6226

6227
	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6228
			    MSGQ__ASSOCIATE, &ad);
6229
}
6230

6231
static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6232
{
6233
	u32 perms;
6234

6235
	switch (cmd) {
6236
	case IPC_INFO:
6237
	case MSG_INFO:
6238
		/* No specific object, just general system-wide information. */
6239
		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6240
				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6241
	case IPC_STAT:
6242
	case MSG_STAT:
6243
	case MSG_STAT_ANY:
6244
		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6245
		break;
6246
	case IPC_SET:
6247
		perms = MSGQ__SETATTR;
6248
		break;
6249
	case IPC_RMID:
6250
		perms = MSGQ__DESTROY;
6251
		break;
6252
	default:
6253
		return 0;
6254
	}
6255

6256
	return ipc_has_perm(msq, perms);
6257
}
6258

6259
static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6260
{
6261
	struct ipc_security_struct *isec;
6262
	struct msg_security_struct *msec;
6263
	struct common_audit_data ad;
6264
	u32 sid = current_sid();
6265
	int rc;
6266

6267
	isec = selinux_ipc(msq);
6268
	msec = selinux_msg_msg(msg);
6269

6270
	/*
6271
	 * First time through, need to assign label to the message
6272
	 */
6273
	if (msec->sid == SECINITSID_UNLABELED) {
6274
		/*
6275
		 * Compute new sid based on current process and
6276
		 * message queue this message will be stored in
6277
		 */
6278
		rc = security_transition_sid(sid, isec->sid,
6279
					     SECCLASS_MSG, NULL, &msec->sid);
6280
		if (rc)
6281
			return rc;
6282
	}
6283

6284
	ad.type = LSM_AUDIT_DATA_IPC;
6285
	ad.u.ipc_id = msq->key;
6286

6287
	/* Can this process write to the queue? */
6288
	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6289
			  MSGQ__WRITE, &ad);
6290
	if (!rc)
6291
		/* Can this process send the message */
6292
		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
6293
				  MSG__SEND, &ad);
6294
	if (!rc)
6295
		/* Can the message be put in the queue? */
6296
		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
6297
				  MSGQ__ENQUEUE, &ad);
6298

6299
	return rc;
6300
}
6301

6302
static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6303
				    struct task_struct *target,
6304
				    long type, int mode)
6305
{
6306
	struct ipc_security_struct *isec;
6307
	struct msg_security_struct *msec;
6308
	struct common_audit_data ad;
6309
	u32 sid = task_sid_obj(target);
6310
	int rc;
6311

6312
	isec = selinux_ipc(msq);
6313
	msec = selinux_msg_msg(msg);
6314

6315
	ad.type = LSM_AUDIT_DATA_IPC;
6316
	ad.u.ipc_id = msq->key;
6317

6318
	rc = avc_has_perm(sid, isec->sid,
6319
			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6320
	if (!rc)
6321
		rc = avc_has_perm(sid, msec->sid,
6322
				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6323
	return rc;
6324
}
6325

6326
/* Shared Memory security operations */
6327
static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6328
{
6329
	struct ipc_security_struct *isec;
6330
	struct common_audit_data ad;
6331
	u32 sid = current_sid();
6332

6333
	isec = selinux_ipc(shp);
6334
	ipc_init_security(isec, SECCLASS_SHM);
6335

6336
	ad.type = LSM_AUDIT_DATA_IPC;
6337
	ad.u.ipc_id = shp->key;
6338

6339
	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6340
			    SHM__CREATE, &ad);
6341
}
6342

6343
static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6344
{
6345
	struct ipc_security_struct *isec;
6346
	struct common_audit_data ad;
6347
	u32 sid = current_sid();
6348

6349
	isec = selinux_ipc(shp);
6350

6351
	ad.type = LSM_AUDIT_DATA_IPC;
6352
	ad.u.ipc_id = shp->key;
6353

6354
	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6355
			    SHM__ASSOCIATE, &ad);
6356
}
6357

6358
/* Note, at this point, shp is locked down */
6359
static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6360
{
6361
	u32 perms;
6362

6363
	switch (cmd) {
6364
	case IPC_INFO:
6365
	case SHM_INFO:
6366
		/* No specific object, just general system-wide information. */
6367
		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6368
				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6369
	case IPC_STAT:
6370
	case SHM_STAT:
6371
	case SHM_STAT_ANY:
6372
		perms = SHM__GETATTR | SHM__ASSOCIATE;
6373
		break;
6374
	case IPC_SET:
6375
		perms = SHM__SETATTR;
6376
		break;
6377
	case SHM_LOCK:
6378
	case SHM_UNLOCK:
6379
		perms = SHM__LOCK;
6380
		break;
6381
	case IPC_RMID:
6382
		perms = SHM__DESTROY;
6383
		break;
6384
	default:
6385
		return 0;
6386
	}
6387

6388
	return ipc_has_perm(shp, perms);
6389
}
6390

6391
static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6392
			     char __user *shmaddr, int shmflg)
6393
{
6394
	u32 perms;
6395

6396
	if (shmflg & SHM_RDONLY)
6397
		perms = SHM__READ;
6398
	else
6399
		perms = SHM__READ | SHM__WRITE;
6400

6401
	return ipc_has_perm(shp, perms);
6402
}
6403

6404
/* Semaphore security operations */
6405
static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6406
{
6407
	struct ipc_security_struct *isec;
6408
	struct common_audit_data ad;
6409
	u32 sid = current_sid();
6410

6411
	isec = selinux_ipc(sma);
6412
	ipc_init_security(isec, SECCLASS_SEM);
6413

6414
	ad.type = LSM_AUDIT_DATA_IPC;
6415
	ad.u.ipc_id = sma->key;
6416

6417
	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6418
			    SEM__CREATE, &ad);
6419
}
6420

6421
static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6422
{
6423
	struct ipc_security_struct *isec;
6424
	struct common_audit_data ad;
6425
	u32 sid = current_sid();
6426

6427
	isec = selinux_ipc(sma);
6428

6429
	ad.type = LSM_AUDIT_DATA_IPC;
6430
	ad.u.ipc_id = sma->key;
6431

6432
	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6433
			    SEM__ASSOCIATE, &ad);
6434
}
6435

6436
/* Note, at this point, sma is locked down */
6437
static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6438
{
6439
	int err;
6440
	u32 perms;
6441

6442
	switch (cmd) {
6443
	case IPC_INFO:
6444
	case SEM_INFO:
6445
		/* No specific object, just general system-wide information. */
6446
		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6447
				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6448
	case GETPID:
6449
	case GETNCNT:
6450
	case GETZCNT:
6451
		perms = SEM__GETATTR;
6452
		break;
6453
	case GETVAL:
6454
	case GETALL:
6455
		perms = SEM__READ;
6456
		break;
6457
	case SETVAL:
6458
	case SETALL:
6459
		perms = SEM__WRITE;
6460
		break;
6461
	case IPC_RMID:
6462
		perms = SEM__DESTROY;
6463
		break;
6464
	case IPC_SET:
6465
		perms = SEM__SETATTR;
6466
		break;
6467
	case IPC_STAT:
6468
	case SEM_STAT:
6469
	case SEM_STAT_ANY:
6470
		perms = SEM__GETATTR | SEM__ASSOCIATE;
6471
		break;
6472
	default:
6473
		return 0;
6474
	}
6475

6476
	err = ipc_has_perm(sma, perms);
6477
	return err;
6478
}
6479

6480
static int selinux_sem_semop(struct kern_ipc_perm *sma,
6481
			     struct sembuf *sops, unsigned nsops, int alter)
6482
{
6483
	u32 perms;
6484

6485
	if (alter)
6486
		perms = SEM__READ | SEM__WRITE;
6487
	else
6488
		perms = SEM__READ;
6489

6490
	return ipc_has_perm(sma, perms);
6491
}
6492

6493
static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6494
{
6495
	u32 av = 0;
6496

6497
	av = 0;
6498
	if (flag & S_IRUGO)
6499
		av |= IPC__UNIX_READ;
6500
	if (flag & S_IWUGO)
6501
		av |= IPC__UNIX_WRITE;
6502

6503
	if (av == 0)
6504
		return 0;
6505

6506
	return ipc_has_perm(ipcp, av);
6507
}
6508

6509
static void selinux_ipc_getlsmprop(struct kern_ipc_perm *ipcp,
6510
				   struct lsm_prop *prop)
6511
{
6512
	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6513
	prop->selinux.secid = isec->sid;
6514
}
6515

6516
static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6517
{
6518
	if (inode)
6519
		inode_doinit_with_dentry(inode, dentry);
6520
}
6521

6522
static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p,
6523
			       char **value)
6524
{
6525
	const struct task_security_struct *tsec;
6526
	int error;
6527
	u32 sid;
6528
	u32 len;
6529

6530
	rcu_read_lock();
6531
	tsec = selinux_cred(__task_cred(p));
6532
	if (p != current) {
6533
		error = avc_has_perm(current_sid(), tsec->sid,
6534
				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6535
		if (error)
6536
			goto err_unlock;
6537
	}
6538
	switch (attr) {
6539
	case LSM_ATTR_CURRENT:
6540
		sid = tsec->sid;
6541
		break;
6542
	case LSM_ATTR_PREV:
6543
		sid = tsec->osid;
6544
		break;
6545
	case LSM_ATTR_EXEC:
6546
		sid = tsec->exec_sid;
6547
		break;
6548
	case LSM_ATTR_FSCREATE:
6549
		sid = tsec->create_sid;
6550
		break;
6551
	case LSM_ATTR_KEYCREATE:
6552
		sid = tsec->keycreate_sid;
6553
		break;
6554
	case LSM_ATTR_SOCKCREATE:
6555
		sid = tsec->sockcreate_sid;
6556
		break;
6557
	default:
6558
		error = -EOPNOTSUPP;
6559
		goto err_unlock;
6560
	}
6561
	rcu_read_unlock();
6562

6563
	if (sid == SECSID_NULL) {
6564
		*value = NULL;
6565
		return 0;
6566
	}
6567

6568
	error = security_sid_to_context(sid, value, &len);
6569
	if (error)
6570
		return error;
6571
	return len;
6572

6573
err_unlock:
6574
	rcu_read_unlock();
6575
	return error;
6576
}
6577

6578
static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
6579
{
6580
	struct task_security_struct *tsec;
6581
	struct cred *new;
6582
	u32 mysid = current_sid(), sid = 0, ptsid;
6583
	int error;
6584
	char *str = value;
6585

6586
	/*
6587
	 * Basic control over ability to set these attributes at all.
6588
	 */
6589
	switch (attr) {
6590
	case LSM_ATTR_EXEC:
6591
		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6592
				     PROCESS__SETEXEC, NULL);
6593
		break;
6594
	case LSM_ATTR_FSCREATE:
6595
		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6596
				     PROCESS__SETFSCREATE, NULL);
6597
		break;
6598
	case LSM_ATTR_KEYCREATE:
6599
		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6600
				     PROCESS__SETKEYCREATE, NULL);
6601
		break;
6602
	case LSM_ATTR_SOCKCREATE:
6603
		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6604
				     PROCESS__SETSOCKCREATE, NULL);
6605
		break;
6606
	case LSM_ATTR_CURRENT:
6607
		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6608
				     PROCESS__SETCURRENT, NULL);
6609
		break;
6610
	default:
6611
		error = -EOPNOTSUPP;
6612
		break;
6613
	}
6614
	if (error)
6615
		return error;
6616

6617
	/* Obtain a SID for the context, if one was specified. */
6618
	if (size && str[0] && str[0] != '\n') {
6619
		if (str[size-1] == '\n') {
6620
			str[size-1] = 0;
6621
			size--;
6622
		}
6623
		error = security_context_to_sid(value, size,
6624
						&sid, GFP_KERNEL);
6625
		if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) {
6626
			if (!has_cap_mac_admin(true)) {
6627
				struct audit_buffer *ab;
6628
				size_t audit_size;
6629

6630
				/* We strip a nul only if it is at the end,
6631
				 * otherwise the context contains a nul and
6632
				 * we should audit that */
6633
				if (str[size - 1] == '\0')
6634
					audit_size = size - 1;
6635
				else
6636
					audit_size = size;
6637
				ab = audit_log_start(audit_context(),
6638
						     GFP_ATOMIC,
6639
						     AUDIT_SELINUX_ERR);
6640
				if (!ab)
6641
					return error;
6642
				audit_log_format(ab, "op=fscreate invalid_context=");
6643
				audit_log_n_untrustedstring(ab, value,
6644
							    audit_size);
6645
				audit_log_end(ab);
6646

6647
				return error;
6648
			}
6649
			error = security_context_to_sid_force(value, size,
6650
							&sid);
6651
		}
6652
		if (error)
6653
			return error;
6654
	}
6655

6656
	new = prepare_creds();
6657
	if (!new)
6658
		return -ENOMEM;
6659

6660
	/* Permission checking based on the specified context is
6661
	   performed during the actual operation (execve,
6662
	   open/mkdir/...), when we know the full context of the
6663
	   operation.  See selinux_bprm_creds_for_exec for the execve
6664
	   checks and may_create for the file creation checks. The
6665
	   operation will then fail if the context is not permitted. */
6666
	tsec = selinux_cred(new);
6667
	if (attr == LSM_ATTR_EXEC) {
6668
		tsec->exec_sid = sid;
6669
	} else if (attr == LSM_ATTR_FSCREATE) {
6670
		tsec->create_sid = sid;
6671
	} else if (attr == LSM_ATTR_KEYCREATE) {
6672
		if (sid) {
6673
			error = avc_has_perm(mysid, sid,
6674
					     SECCLASS_KEY, KEY__CREATE, NULL);
6675
			if (error)
6676
				goto abort_change;
6677
		}
6678
		tsec->keycreate_sid = sid;
6679
	} else if (attr == LSM_ATTR_SOCKCREATE) {
6680
		tsec->sockcreate_sid = sid;
6681
	} else if (attr == LSM_ATTR_CURRENT) {
6682
		error = -EINVAL;
6683
		if (sid == 0)
6684
			goto abort_change;
6685

6686
		if (!current_is_single_threaded()) {
6687
			error = security_bounded_transition(tsec->sid, sid);
6688
			if (error)
6689
				goto abort_change;
6690
		}
6691

6692
		/* Check permissions for the transition. */
6693
		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6694
				     PROCESS__DYNTRANSITION, NULL);
6695
		if (error)
6696
			goto abort_change;
6697

6698
		/* Check for ptracing, and update the task SID if ok.
6699
		   Otherwise, leave SID unchanged and fail. */
6700
		ptsid = ptrace_parent_sid();
6701
		if (ptsid != 0) {
6702
			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6703
					     PROCESS__PTRACE, NULL);
6704
			if (error)
6705
				goto abort_change;
6706
		}
6707

6708
		tsec->sid = sid;
6709
	} else {
6710
		error = -EINVAL;
6711
		goto abort_change;
6712
	}
6713

6714
	commit_creds(new);
6715
	return size;
6716

6717
abort_change:
6718
	abort_creds(new);
6719
	return error;
6720
}
6721

6722
/**
6723
 * selinux_getselfattr - Get SELinux current task attributes
6724
 * @attr: the requested attribute
6725
 * @ctx: buffer to receive the result
6726
 * @size: buffer size (input), buffer size used (output)
6727
 * @flags: unused
6728
 *
6729
 * Fill the passed user space @ctx with the details of the requested
6730
 * attribute.
6731
 *
6732
 * Returns the number of attributes on success, an error code otherwise.
6733
 * There will only ever be one attribute.
6734
 */
6735
static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx,
6736
			       u32 *size, u32 flags)
6737
{
6738
	int rc;
6739
	char *val = NULL;
6740
	int val_len;
6741

6742
	val_len = selinux_lsm_getattr(attr, current, &val);
6743
	if (val_len < 0)
6744
		return val_len;
6745
	rc = lsm_fill_user_ctx(ctx, size, val, val_len, LSM_ID_SELINUX, 0);
6746
	kfree(val);
6747
	return (!rc ? 1 : rc);
6748
}
6749

6750
static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx,
6751
			       u32 size, u32 flags)
6752
{
6753
	int rc;
6754

6755
	rc = selinux_lsm_setattr(attr, ctx->ctx, ctx->ctx_len);
6756
	if (rc > 0)
6757
		return 0;
6758
	return rc;
6759
}
6760

6761
static int selinux_getprocattr(struct task_struct *p,
6762
			       const char *name, char **value)
6763
{
6764
	unsigned int attr = lsm_name_to_attr(name);
6765
	int rc;
6766

6767
	if (attr) {
6768
		rc = selinux_lsm_getattr(attr, p, value);
6769
		if (rc != -EOPNOTSUPP)
6770
			return rc;
6771
	}
6772

6773
	return -EINVAL;
6774
}
6775

6776
static int selinux_setprocattr(const char *name, void *value, size_t size)
6777
{
6778
	int attr = lsm_name_to_attr(name);
6779

6780
	if (attr)
6781
		return selinux_lsm_setattr(attr, value, size);
6782
	return -EINVAL;
6783
}
6784

6785
static int selinux_ismaclabel(const char *name)
6786
{
6787
	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6788
}
6789

6790
static int selinux_secid_to_secctx(u32 secid, struct lsm_context *cp)
6791
{
6792
	u32 seclen;
6793
	int ret;
6794

6795
	if (cp) {
6796
		cp->id = LSM_ID_SELINUX;
6797
		ret = security_sid_to_context(secid, &cp->context, &cp->len);
6798
		if (ret < 0)
6799
			return ret;
6800
		return cp->len;
6801
	}
6802
	ret = security_sid_to_context(secid, NULL, &seclen);
6803
	if (ret < 0)
6804
		return ret;
6805
	return seclen;
6806
}
6807

6808
static int selinux_lsmprop_to_secctx(struct lsm_prop *prop,
6809
				     struct lsm_context *cp)
6810
{
6811
	return selinux_secid_to_secctx(prop->selinux.secid, cp);
6812
}
6813

6814
static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6815
{
6816
	return security_context_to_sid(secdata, seclen,
6817
				       secid, GFP_KERNEL);
6818
}
6819

6820
static void selinux_release_secctx(struct lsm_context *cp)
6821
{
6822
	if (cp->id == LSM_ID_SELINUX) {
6823
		kfree(cp->context);
6824
		cp->context = NULL;
6825
		cp->id = LSM_ID_UNDEF;
6826
	}
6827
}
6828

6829
static void selinux_inode_invalidate_secctx(struct inode *inode)
6830
{
6831
	struct inode_security_struct *isec = selinux_inode(inode);
6832

6833
	spin_lock(&isec->lock);
6834
	isec->initialized = LABEL_INVALID;
6835
	spin_unlock(&isec->lock);
6836
}
6837

6838
/*
6839
 *	called with inode->i_mutex locked
6840
 */
6841
static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6842
{
6843
	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6844
					   ctx, ctxlen, 0);
6845
	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6846
	return rc == -EOPNOTSUPP ? 0 : rc;
6847
}
6848

6849
/*
6850
 *	called with inode->i_mutex locked
6851
 */
6852
static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6853
{
6854
	return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
6855
				     ctx, ctxlen, 0, NULL);
6856
}
6857

6858
static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp)
6859
{
6860
	int len;
6861
	len = selinux_inode_getsecurity(&nop_mnt_idmap, inode,
6862
					XATTR_SELINUX_SUFFIX,
6863
					(void **)&cp->context, true);
6864
	if (len < 0)
6865
		return len;
6866
	cp->len = len;
6867
	cp->id = LSM_ID_SELINUX;
6868
	return 0;
6869
}
6870
#ifdef CONFIG_KEYS
6871

6872
static int selinux_key_alloc(struct key *k, const struct cred *cred,
6873
			     unsigned long flags)
6874
{
6875
	const struct task_security_struct *tsec;
6876
	struct key_security_struct *ksec = selinux_key(k);
6877

6878
	tsec = selinux_cred(cred);
6879
	if (tsec->keycreate_sid)
6880
		ksec->sid = tsec->keycreate_sid;
6881
	else
6882
		ksec->sid = tsec->sid;
6883

6884
	return 0;
6885
}
6886

6887
static int selinux_key_permission(key_ref_t key_ref,
6888
				  const struct cred *cred,
6889
				  enum key_need_perm need_perm)
6890
{
6891
	struct key *key;
6892
	struct key_security_struct *ksec;
6893
	u32 perm, sid;
6894

6895
	switch (need_perm) {
6896
	case KEY_NEED_VIEW:
6897
		perm = KEY__VIEW;
6898
		break;
6899
	case KEY_NEED_READ:
6900
		perm = KEY__READ;
6901
		break;
6902
	case KEY_NEED_WRITE:
6903
		perm = KEY__WRITE;
6904
		break;
6905
	case KEY_NEED_SEARCH:
6906
		perm = KEY__SEARCH;
6907
		break;
6908
	case KEY_NEED_LINK:
6909
		perm = KEY__LINK;
6910
		break;
6911
	case KEY_NEED_SETATTR:
6912
		perm = KEY__SETATTR;
6913
		break;
6914
	case KEY_NEED_UNLINK:
6915
	case KEY_SYSADMIN_OVERRIDE:
6916
	case KEY_AUTHTOKEN_OVERRIDE:
6917
	case KEY_DEFER_PERM_CHECK:
6918
		return 0;
6919
	default:
6920
		WARN_ON(1);
6921
		return -EPERM;
6922

6923
	}
6924

6925
	sid = cred_sid(cred);
6926
	key = key_ref_to_ptr(key_ref);
6927
	ksec = selinux_key(key);
6928

6929
	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6930
}
6931

6932
static int selinux_key_getsecurity(struct key *key, char **_buffer)
6933
{
6934
	struct key_security_struct *ksec = selinux_key(key);
6935
	char *context = NULL;
6936
	unsigned len;
6937
	int rc;
6938

6939
	rc = security_sid_to_context(ksec->sid,
6940
				     &context, &len);
6941
	if (!rc)
6942
		rc = len;
6943
	*_buffer = context;
6944
	return rc;
6945
}
6946

6947
#ifdef CONFIG_KEY_NOTIFICATIONS
6948
static int selinux_watch_key(struct key *key)
6949
{
6950
	struct key_security_struct *ksec = selinux_key(key);
6951
	u32 sid = current_sid();
6952

6953
	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6954
}
6955
#endif
6956
#endif
6957

6958
#ifdef CONFIG_SECURITY_INFINIBAND
6959
static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6960
{
6961
	struct common_audit_data ad;
6962
	int err;
6963
	u32 sid = 0;
6964
	struct ib_security_struct *sec = ib_sec;
6965
	struct lsm_ibpkey_audit ibpkey;
6966

6967
	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6968
	if (err)
6969
		return err;
6970

6971
	ad.type = LSM_AUDIT_DATA_IBPKEY;
6972
	ibpkey.subnet_prefix = subnet_prefix;
6973
	ibpkey.pkey = pkey_val;
6974
	ad.u.ibpkey = &ibpkey;
6975
	return avc_has_perm(sec->sid, sid,
6976
			    SECCLASS_INFINIBAND_PKEY,
6977
			    INFINIBAND_PKEY__ACCESS, &ad);
6978
}
6979

6980
static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6981
					    u8 port_num)
6982
{
6983
	struct common_audit_data ad;
6984
	int err;
6985
	u32 sid = 0;
6986
	struct ib_security_struct *sec = ib_sec;
6987
	struct lsm_ibendport_audit ibendport;
6988

6989
	err = security_ib_endport_sid(dev_name, port_num,
6990
				      &sid);
6991

6992
	if (err)
6993
		return err;
6994

6995
	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6996
	ibendport.dev_name = dev_name;
6997
	ibendport.port = port_num;
6998
	ad.u.ibendport = &ibendport;
6999
	return avc_has_perm(sec->sid, sid,
7000
			    SECCLASS_INFINIBAND_ENDPORT,
7001
			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
7002
}
7003

7004
static int selinux_ib_alloc_security(void *ib_sec)
7005
{
7006
	struct ib_security_struct *sec = selinux_ib(ib_sec);
7007

7008
	sec->sid = current_sid();
7009
	return 0;
7010
}
7011
#endif
7012

7013
#ifdef CONFIG_BPF_SYSCALL
7014
static int selinux_bpf(int cmd, union bpf_attr *attr,
7015
		       unsigned int size, bool kernel)
7016
{
7017
	u32 sid = current_sid();
7018
	int ret;
7019

7020
	switch (cmd) {
7021
	case BPF_MAP_CREATE:
7022
		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
7023
				   NULL);
7024
		break;
7025
	case BPF_PROG_LOAD:
7026
		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
7027
				   NULL);
7028
		break;
7029
	default:
7030
		ret = 0;
7031
		break;
7032
	}
7033

7034
	return ret;
7035
}
7036

7037
static u32 bpf_map_fmode_to_av(fmode_t fmode)
7038
{
7039
	u32 av = 0;
7040

7041
	if (fmode & FMODE_READ)
7042
		av |= BPF__MAP_READ;
7043
	if (fmode & FMODE_WRITE)
7044
		av |= BPF__MAP_WRITE;
7045
	return av;
7046
}
7047

7048
/* This function will check the file pass through unix socket or binder to see
7049
 * if it is a bpf related object. And apply corresponding checks on the bpf
7050
 * object based on the type. The bpf maps and programs, not like other files and
7051
 * socket, are using a shared anonymous inode inside the kernel as their inode.
7052
 * So checking that inode cannot identify if the process have privilege to
7053
 * access the bpf object and that's why we have to add this additional check in
7054
 * selinux_file_receive and selinux_binder_transfer_files.
7055
 */
7056
static int bpf_fd_pass(const struct file *file, u32 sid)
7057
{
7058
	struct bpf_security_struct *bpfsec;
7059
	struct bpf_prog *prog;
7060
	struct bpf_map *map;
7061
	int ret;
7062

7063
	if (file->f_op == &bpf_map_fops) {
7064
		map = file->private_data;
7065
		bpfsec = map->security;
7066
		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7067
				   bpf_map_fmode_to_av(file->f_mode), NULL);
7068
		if (ret)
7069
			return ret;
7070
	} else if (file->f_op == &bpf_prog_fops) {
7071
		prog = file->private_data;
7072
		bpfsec = prog->aux->security;
7073
		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7074
				   BPF__PROG_RUN, NULL);
7075
		if (ret)
7076
			return ret;
7077
	}
7078
	return 0;
7079
}
7080

7081
static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
7082
{
7083
	u32 sid = current_sid();
7084
	struct bpf_security_struct *bpfsec;
7085

7086
	bpfsec = map->security;
7087
	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7088
			    bpf_map_fmode_to_av(fmode), NULL);
7089
}
7090

7091
static int selinux_bpf_prog(struct bpf_prog *prog)
7092
{
7093
	u32 sid = current_sid();
7094
	struct bpf_security_struct *bpfsec;
7095

7096
	bpfsec = prog->aux->security;
7097
	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7098
			    BPF__PROG_RUN, NULL);
7099
}
7100

7101
static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
7102
				  struct bpf_token *token, bool kernel)
7103
{
7104
	struct bpf_security_struct *bpfsec;
7105

7106
	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
7107
	if (!bpfsec)
7108
		return -ENOMEM;
7109

7110
	bpfsec->sid = current_sid();
7111
	map->security = bpfsec;
7112

7113
	return 0;
7114
}
7115

7116
static void selinux_bpf_map_free(struct bpf_map *map)
7117
{
7118
	struct bpf_security_struct *bpfsec = map->security;
7119

7120
	map->security = NULL;
7121
	kfree(bpfsec);
7122
}
7123

7124
static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
7125
				 struct bpf_token *token, bool kernel)
7126
{
7127
	struct bpf_security_struct *bpfsec;
7128

7129
	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
7130
	if (!bpfsec)
7131
		return -ENOMEM;
7132

7133
	bpfsec->sid = current_sid();
7134
	prog->aux->security = bpfsec;
7135

7136
	return 0;
7137
}
7138

7139
static void selinux_bpf_prog_free(struct bpf_prog *prog)
7140
{
7141
	struct bpf_security_struct *bpfsec = prog->aux->security;
7142

7143
	prog->aux->security = NULL;
7144
	kfree(bpfsec);
7145
}
7146

7147
static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
7148
				    const struct path *path)
7149
{
7150
	struct bpf_security_struct *bpfsec;
7151

7152
	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
7153
	if (!bpfsec)
7154
		return -ENOMEM;
7155

7156
	bpfsec->sid = current_sid();
7157
	token->security = bpfsec;
7158

7159
	return 0;
7160
}
7161

7162
static void selinux_bpf_token_free(struct bpf_token *token)
7163
{
7164
	struct bpf_security_struct *bpfsec = token->security;
7165

7166
	token->security = NULL;
7167
	kfree(bpfsec);
7168
}
7169
#endif
7170

7171
struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
7172
	.lbs_cred = sizeof(struct task_security_struct),
7173
	.lbs_file = sizeof(struct file_security_struct),
7174
	.lbs_inode = sizeof(struct inode_security_struct),
7175
	.lbs_ipc = sizeof(struct ipc_security_struct),
7176
	.lbs_key = sizeof(struct key_security_struct),
7177
	.lbs_msg_msg = sizeof(struct msg_security_struct),
7178
#ifdef CONFIG_PERF_EVENTS
7179
	.lbs_perf_event = sizeof(struct perf_event_security_struct),
7180
#endif
7181
	.lbs_sock = sizeof(struct sk_security_struct),
7182
	.lbs_superblock = sizeof(struct superblock_security_struct),
7183
	.lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
7184
	.lbs_tun_dev = sizeof(struct tun_security_struct),
7185
	.lbs_ib = sizeof(struct ib_security_struct),
7186
};
7187

7188
#ifdef CONFIG_PERF_EVENTS
7189
static int selinux_perf_event_open(int type)
7190
{
7191
	u32 requested, sid = current_sid();
7192

7193
	if (type == PERF_SECURITY_OPEN)
7194
		requested = PERF_EVENT__OPEN;
7195
	else if (type == PERF_SECURITY_CPU)
7196
		requested = PERF_EVENT__CPU;
7197
	else if (type == PERF_SECURITY_KERNEL)
7198
		requested = PERF_EVENT__KERNEL;
7199
	else if (type == PERF_SECURITY_TRACEPOINT)
7200
		requested = PERF_EVENT__TRACEPOINT;
7201
	else
7202
		return -EINVAL;
7203

7204
	return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT,
7205
			    requested, NULL);
7206
}
7207

7208
static int selinux_perf_event_alloc(struct perf_event *event)
7209
{
7210
	struct perf_event_security_struct *perfsec;
7211

7212
	perfsec = selinux_perf_event(event->security);
7213
	perfsec->sid = current_sid();
7214

7215
	return 0;
7216
}
7217

7218
static int selinux_perf_event_read(struct perf_event *event)
7219
{
7220
	struct perf_event_security_struct *perfsec = event->security;
7221
	u32 sid = current_sid();
7222

7223
	return avc_has_perm(sid, perfsec->sid,
7224
			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
7225
}
7226

7227
static int selinux_perf_event_write(struct perf_event *event)
7228
{
7229
	struct perf_event_security_struct *perfsec = event->security;
7230
	u32 sid = current_sid();
7231

7232
	return avc_has_perm(sid, perfsec->sid,
7233
			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
7234
}
7235
#endif
7236

7237
#ifdef CONFIG_IO_URING
7238
/**
7239
 * selinux_uring_override_creds - check the requested cred override
7240
 * @new: the target creds
7241
 *
7242
 * Check to see if the current task is allowed to override it's credentials
7243
 * to service an io_uring operation.
7244
 */
7245
static int selinux_uring_override_creds(const struct cred *new)
7246
{
7247
	return avc_has_perm(current_sid(), cred_sid(new),
7248
			    SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
7249
}
7250

7251
/**
7252
 * selinux_uring_sqpoll - check if a io_uring polling thread can be created
7253
 *
7254
 * Check to see if the current task is allowed to create a new io_uring
7255
 * kernel polling thread.
7256
 */
7257
static int selinux_uring_sqpoll(void)
7258
{
7259
	u32 sid = current_sid();
7260

7261
	return avc_has_perm(sid, sid,
7262
			    SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
7263
}
7264

7265
/**
7266
 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
7267
 * @ioucmd: the io_uring command structure
7268
 *
7269
 * Check to see if the current domain is allowed to execute an
7270
 * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
7271
 *
7272
 */
7273
static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
7274
{
7275
	struct file *file = ioucmd->file;
7276
	struct inode *inode = file_inode(file);
7277
	struct inode_security_struct *isec = selinux_inode(inode);
7278
	struct common_audit_data ad;
7279

7280
	ad.type = LSM_AUDIT_DATA_FILE;
7281
	ad.u.file = file;
7282

7283
	return avc_has_perm(current_sid(), isec->sid,
7284
			    SECCLASS_IO_URING, IO_URING__CMD, &ad);
7285
}
7286

7287
/**
7288
 * selinux_uring_allowed - check if io_uring_setup() can be called
7289
 *
7290
 * Check to see if the current task is allowed to call io_uring_setup().
7291
 */
7292
static int selinux_uring_allowed(void)
7293
{
7294
	u32 sid = current_sid();
7295

7296
	return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED,
7297
			    NULL);
7298
}
7299
#endif /* CONFIG_IO_URING */
7300

7301
static const struct lsm_id selinux_lsmid = {
7302
	.name = "selinux",
7303
	.id = LSM_ID_SELINUX,
7304
};
7305

7306
/*
7307
 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
7308
 * 1. any hooks that don't belong to (2.) or (3.) below,
7309
 * 2. hooks that both access structures allocated by other hooks, and allocate
7310
 *    structures that can be later accessed by other hooks (mostly "cloning"
7311
 *    hooks),
7312
 * 3. hooks that only allocate structures that can be later accessed by other
7313
 *    hooks ("allocating" hooks).
7314
 *
7315
 * Please follow block comment delimiters in the list to keep this order.
7316
 */
7317
static struct security_hook_list selinux_hooks[] __ro_after_init = {
7318
	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7319
	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7320
	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7321
	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7322

7323
	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7324
	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7325
	LSM_HOOK_INIT(capget, selinux_capget),
7326
	LSM_HOOK_INIT(capset, selinux_capset),
7327
	LSM_HOOK_INIT(capable, selinux_capable),
7328
	LSM_HOOK_INIT(quotactl, selinux_quotactl),
7329
	LSM_HOOK_INIT(quota_on, selinux_quota_on),
7330
	LSM_HOOK_INIT(syslog, selinux_syslog),
7331
	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7332

7333
	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7334

7335
	LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7336
	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7337
	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7338

7339
	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7340
	LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7341
	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7342
	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7343
	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7344
	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7345
	LSM_HOOK_INIT(sb_mount, selinux_mount),
7346
	LSM_HOOK_INIT(sb_umount, selinux_umount),
7347
	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7348
	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7349

7350
	LSM_HOOK_INIT(move_mount, selinux_move_mount),
7351

7352
	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7353
	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7354

7355
	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7356
	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7357
	LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7358
	LSM_HOOK_INIT(inode_create, selinux_inode_create),
7359
	LSM_HOOK_INIT(inode_link, selinux_inode_link),
7360
	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7361
	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7362
	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7363
	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7364
	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7365
	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7366
	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7367
	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7368
	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7369
	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7370
	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7371
	LSM_HOOK_INIT(inode_xattr_skipcap, selinux_inode_xattr_skipcap),
7372
	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7373
	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7374
	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7375
	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7376
	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7377
	LSM_HOOK_INIT(inode_file_getattr, selinux_inode_file_getattr),
7378
	LSM_HOOK_INIT(inode_file_setattr, selinux_inode_file_setattr),
7379
	LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
7380
	LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
7381
	LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
7382
	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7383
	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7384
	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7385
	LSM_HOOK_INIT(inode_getlsmprop, selinux_inode_getlsmprop),
7386
	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7387
	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7388
	LSM_HOOK_INIT(path_notify, selinux_path_notify),
7389

7390
	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7391

7392
	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7393
	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7394
	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7395
	LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
7396
	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7397
	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7398
	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7399
	LSM_HOOK_INIT(file_lock, selinux_file_lock),
7400
	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7401
	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7402
	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7403
	LSM_HOOK_INIT(file_receive, selinux_file_receive),
7404

7405
	LSM_HOOK_INIT(file_open, selinux_file_open),
7406

7407
	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7408
	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7409
	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7410
	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7411
	LSM_HOOK_INIT(cred_getlsmprop, selinux_cred_getlsmprop),
7412
	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7413
	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7414
	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7415
	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7416
	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7417
	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7418
	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7419
	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7420
	LSM_HOOK_INIT(current_getlsmprop_subj, selinux_current_getlsmprop_subj),
7421
	LSM_HOOK_INIT(task_getlsmprop_obj, selinux_task_getlsmprop_obj),
7422
	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7423
	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7424
	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7425
	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7426
	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7427
	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7428
	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7429
	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7430
	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7431
	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7432
	LSM_HOOK_INIT(userns_create, selinux_userns_create),
7433

7434
	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7435
	LSM_HOOK_INIT(ipc_getlsmprop, selinux_ipc_getlsmprop),
7436

7437
	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7438
	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7439
	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7440
	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7441

7442
	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7443
	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7444
	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7445

7446
	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7447
	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7448
	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7449

7450
	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7451

7452
	LSM_HOOK_INIT(getselfattr, selinux_getselfattr),
7453
	LSM_HOOK_INIT(setselfattr, selinux_setselfattr),
7454
	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7455
	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7456

7457
	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7458
	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7459
	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7460
	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7461
	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7462
	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7463

7464
	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7465
	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7466

7467
	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7468
	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7469
	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7470
	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7471
	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7472
	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7473
	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7474
	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7475
	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7476
	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7477
	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7478
	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7479
	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7480
	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7481
	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7482
	LSM_HOOK_INIT(socket_getpeersec_stream,
7483
			selinux_socket_getpeersec_stream),
7484
	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7485
	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7486
	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7487
	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7488
	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7489
	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7490
	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7491
	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7492
	LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7493
	LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
7494
	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7495
	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7496
	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7497
	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7498
	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7499
	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7500
	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7501
	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7502
	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7503
	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7504
	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7505
#ifdef CONFIG_SECURITY_INFINIBAND
7506
	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7507
	LSM_HOOK_INIT(ib_endport_manage_subnet,
7508
		      selinux_ib_endport_manage_subnet),
7509
#endif
7510
#ifdef CONFIG_SECURITY_NETWORK_XFRM
7511
	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7512
	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7513
	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7514
	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7515
	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7516
	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7517
			selinux_xfrm_state_pol_flow_match),
7518
	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7519
#endif
7520

7521
#ifdef CONFIG_KEYS
7522
	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7523
	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7524
#ifdef CONFIG_KEY_NOTIFICATIONS
7525
	LSM_HOOK_INIT(watch_key, selinux_watch_key),
7526
#endif
7527
#endif
7528

7529
#ifdef CONFIG_AUDIT
7530
	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7531
	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7532
	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7533
#endif
7534

7535
#ifdef CONFIG_BPF_SYSCALL
7536
	LSM_HOOK_INIT(bpf, selinux_bpf),
7537
	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7538
	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7539
	LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free),
7540
	LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free),
7541
	LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),
7542
#endif
7543

7544
#ifdef CONFIG_PERF_EVENTS
7545
	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7546
	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7547
	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7548
#endif
7549

7550
#ifdef CONFIG_IO_URING
7551
	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7552
	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7553
	LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7554
	LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed),
7555
#endif
7556

7557
	/*
7558
	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7559
	 */
7560
	LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount),
7561
	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7562
	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7563
	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7564
#ifdef CONFIG_SECURITY_NETWORK_XFRM
7565
	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7566
#endif
7567

7568
	/*
7569
	 * PUT "ALLOCATING" HOOKS HERE
7570
	 */
7571
	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7572
	LSM_HOOK_INIT(msg_queue_alloc_security,
7573
		      selinux_msg_queue_alloc_security),
7574
	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7575
	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7576
	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7577
	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7578
	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7579
	LSM_HOOK_INIT(lsmprop_to_secctx, selinux_lsmprop_to_secctx),
7580
	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7581
	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7582
	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7583
#ifdef CONFIG_SECURITY_INFINIBAND
7584
	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7585
#endif
7586
#ifdef CONFIG_SECURITY_NETWORK_XFRM
7587
	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7588
	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7589
	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7590
		      selinux_xfrm_state_alloc_acquire),
7591
#endif
7592
#ifdef CONFIG_KEYS
7593
	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7594
#endif
7595
#ifdef CONFIG_AUDIT
7596
	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7597
#endif
7598
#ifdef CONFIG_BPF_SYSCALL
7599
	LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create),
7600
	LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load),
7601
	LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create),
7602
#endif
7603
#ifdef CONFIG_PERF_EVENTS
7604
	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7605
#endif
7606
};
7607

7608
static __init int selinux_init(void)
7609
{
7610
	pr_info("SELinux:  Initializing.\n");
7611

7612
	memset(&selinux_state, 0, sizeof(selinux_state));
7613
	enforcing_set(selinux_enforcing_boot);
7614
	selinux_avc_init();
7615
	mutex_init(&selinux_state.status_lock);
7616
	mutex_init(&selinux_state.policy_mutex);
7617

7618
	/* Set the security state for the initial task. */
7619
	cred_init_security();
7620

7621
	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7622
	if (!default_noexec)
7623
		pr_notice("SELinux:  virtual memory is executable by default\n");
7624

7625
	avc_init();
7626

7627
	avtab_cache_init();
7628

7629
	ebitmap_cache_init();
7630

7631
	hashtab_cache_init();
7632

7633
	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks),
7634
			   &selinux_lsmid);
7635

7636
	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7637
		panic("SELinux: Unable to register AVC netcache callback\n");
7638

7639
	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7640
		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7641

7642
	if (selinux_enforcing_boot)
7643
		pr_debug("SELinux:  Starting in enforcing mode\n");
7644
	else
7645
		pr_debug("SELinux:  Starting in permissive mode\n");
7646

7647
	fs_validate_description("selinux", selinux_fs_parameters);
7648

7649
	return 0;
7650
}
7651

7652
static void delayed_superblock_init(struct super_block *sb, void *unused)
7653
{
7654
	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7655
}
7656

7657
void selinux_complete_init(void)
7658
{
7659
	pr_debug("SELinux:  Completing initialization.\n");
7660

7661
	/* Set up any superblocks initialized prior to the policy load. */
7662
	pr_debug("SELinux:  Setting up existing superblocks.\n");
7663
	iterate_supers(delayed_superblock_init, NULL);
7664
}
7665

7666
/* SELinux requires early initialization in order to label
7667
   all processes and objects when they are created. */
7668
DEFINE_LSM(selinux) = {
7669
	.name = "selinux",
7670
	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7671
	.enabled = &selinux_enabled_boot,
7672
	.blobs = &selinux_blob_sizes,
7673
	.init = selinux_init,
7674
};
7675

7676
#if defined(CONFIG_NETFILTER)
7677
static const struct nf_hook_ops selinux_nf_ops[] = {
7678
	{
7679
		.hook =		selinux_ip_postroute,
7680
		.pf =		NFPROTO_IPV4,
7681
		.hooknum =	NF_INET_POST_ROUTING,
7682
		.priority =	NF_IP_PRI_SELINUX_LAST,
7683
	},
7684
	{
7685
		.hook =		selinux_ip_forward,
7686
		.pf =		NFPROTO_IPV4,
7687
		.hooknum =	NF_INET_FORWARD,
7688
		.priority =	NF_IP_PRI_SELINUX_FIRST,
7689
	},
7690
	{
7691
		.hook =		selinux_ip_output,
7692
		.pf =		NFPROTO_IPV4,
7693
		.hooknum =	NF_INET_LOCAL_OUT,
7694
		.priority =	NF_IP_PRI_SELINUX_FIRST,
7695
	},
7696
#if IS_ENABLED(CONFIG_IPV6)
7697
	{
7698
		.hook =		selinux_ip_postroute,
7699
		.pf =		NFPROTO_IPV6,
7700
		.hooknum =	NF_INET_POST_ROUTING,
7701
		.priority =	NF_IP6_PRI_SELINUX_LAST,
7702
	},
7703
	{
7704
		.hook =		selinux_ip_forward,
7705
		.pf =		NFPROTO_IPV6,
7706
		.hooknum =	NF_INET_FORWARD,
7707
		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7708
	},
7709
	{
7710
		.hook =		selinux_ip_output,
7711
		.pf =		NFPROTO_IPV6,
7712
		.hooknum =	NF_INET_LOCAL_OUT,
7713
		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7714
	},
7715
#endif	/* IPV6 */
7716
};
7717

7718
static int __net_init selinux_nf_register(struct net *net)
7719
{
7720
	return nf_register_net_hooks(net, selinux_nf_ops,
7721
				     ARRAY_SIZE(selinux_nf_ops));
7722
}
7723

7724
static void __net_exit selinux_nf_unregister(struct net *net)
7725
{
7726
	nf_unregister_net_hooks(net, selinux_nf_ops,
7727
				ARRAY_SIZE(selinux_nf_ops));
7728
}
7729

7730
static struct pernet_operations selinux_net_ops = {
7731
	.init = selinux_nf_register,
7732
	.exit = selinux_nf_unregister,
7733
};
7734

7735
static int __init selinux_nf_ip_init(void)
7736
{
7737
	int err;
7738

7739
	if (!selinux_enabled_boot)
7740
		return 0;
7741

7742
	pr_debug("SELinux:  Registering netfilter hooks\n");
7743

7744
	err = register_pernet_subsys(&selinux_net_ops);
7745
	if (err)
7746
		panic("SELinux: register_pernet_subsys: error %d\n", err);
7747

7748
	return 0;
7749
}
7750
__initcall(selinux_nf_ip_init);
7751
#endif /* CONFIG_NETFILTER */
7752

7753