2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/mutex.h>
83 #include <linux/posix-timers.h>
84 #include <linux/syslog.h>
85 #include <linux/user_namespace.h>
86 #include <linux/export.h>
87 #include <linux/msg.h>
88 #include <linux/shm.h>
89 #include <linux/bpf.h>
90 #include <uapi/linux/mount.h>
103 struct selinux_state selinux_state;
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
111 static int __init enforcing_setup(char *str)
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
118 __setup("enforcing=", enforcing_setup);
120 #define selinux_enforcing_boot 1
123 int selinux_enabled __lsm_ro_after_init = 1;
124 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
125 static int __init selinux_enabled_setup(char *str)
127 unsigned long enabled;
128 if (!kstrtoul(str, 0, &enabled))
129 selinux_enabled = enabled ? 1 : 0;
132 __setup("selinux=", selinux_enabled_setup);
135 static unsigned int selinux_checkreqprot_boot =
136 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
138 static int __init checkreqprot_setup(char *str)
140 unsigned long checkreqprot;
142 if (!kstrtoul(str, 0, &checkreqprot))
143 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
146 __setup("checkreqprot=", checkreqprot_setup);
149 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
152 * This function checks the SECMARK reference counter to see if any SECMARK
153 * targets are currently configured, if the reference counter is greater than
154 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
155 * enabled, false (0) if SECMARK is disabled. If the always_check_network
156 * policy capability is enabled, SECMARK is always considered enabled.
159 static int selinux_secmark_enabled(void)
161 return (selinux_policycap_alwaysnetwork() ||
162 atomic_read(&selinux_secmark_refcount));
166 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
169 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
170 * (1) if any are enabled or false (0) if neither are enabled. If the
171 * always_check_network policy capability is enabled, peer labeling
172 * is always considered enabled.
175 static int selinux_peerlbl_enabled(void)
177 return (selinux_policycap_alwaysnetwork() ||
178 netlbl_enabled() || selinux_xfrm_enabled());
181 static int selinux_netcache_avc_callback(u32 event)
183 if (event == AVC_CALLBACK_RESET) {
192 static int selinux_lsm_notifier_avc_callback(u32 event)
194 if (event == AVC_CALLBACK_RESET) {
196 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 * initialise the security for the init task
205 static void cred_init_security(void)
207 struct cred *cred = (struct cred *) current->real_cred;
208 struct task_security_struct *tsec;
210 tsec = selinux_cred(cred);
211 tsec->osid = tsec->sid = SECINITSID_KERNEL;
215 * get the security ID of a set of credentials
217 static inline u32 cred_sid(const struct cred *cred)
219 const struct task_security_struct *tsec;
221 tsec = selinux_cred(cred);
226 * get the objective security ID of a task
228 static inline u32 task_sid(const struct task_struct *task)
233 sid = cred_sid(__task_cred(task));
238 /* Allocate and free functions for each kind of security blob. */
240 static int inode_alloc_security(struct inode *inode)
242 struct inode_security_struct *isec = selinux_inode(inode);
243 u32 sid = current_sid();
245 spin_lock_init(&isec->lock);
246 INIT_LIST_HEAD(&isec->list);
248 isec->sid = SECINITSID_UNLABELED;
249 isec->sclass = SECCLASS_FILE;
250 isec->task_sid = sid;
251 isec->initialized = LABEL_INVALID;
256 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
259 * Try reloading inode security labels that have been marked as invalid. The
260 * @may_sleep parameter indicates when sleeping and thus reloading labels is
261 * allowed; when set to false, returns -ECHILD when the label is
262 * invalid. The @dentry parameter should be set to a dentry of the inode.
264 static int __inode_security_revalidate(struct inode *inode,
265 struct dentry *dentry,
268 struct inode_security_struct *isec = selinux_inode(inode);
270 might_sleep_if(may_sleep);
272 if (selinux_state.initialized &&
273 isec->initialized != LABEL_INITIALIZED) {
278 * Try reloading the inode security label. This will fail if
279 * @opt_dentry is NULL and no dentry for this inode can be
280 * found; in that case, continue using the old label.
282 inode_doinit_with_dentry(inode, dentry);
287 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
289 return selinux_inode(inode);
292 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
296 error = __inode_security_revalidate(inode, NULL, !rcu);
298 return ERR_PTR(error);
299 return selinux_inode(inode);
303 * Get the security label of an inode.
305 static struct inode_security_struct *inode_security(struct inode *inode)
307 __inode_security_revalidate(inode, NULL, true);
308 return selinux_inode(inode);
311 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
313 struct inode *inode = d_backing_inode(dentry);
315 return selinux_inode(inode);
319 * Get the security label of a dentry's backing inode.
321 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
323 struct inode *inode = d_backing_inode(dentry);
325 __inode_security_revalidate(inode, dentry, true);
326 return selinux_inode(inode);
329 static void inode_free_security(struct inode *inode)
331 struct inode_security_struct *isec = selinux_inode(inode);
332 struct superblock_security_struct *sbsec;
336 sbsec = inode->i_sb->s_security;
338 * As not all inode security structures are in a list, we check for
339 * empty list outside of the lock to make sure that we won't waste
340 * time taking a lock doing nothing.
342 * The list_del_init() function can be safely called more than once.
343 * It should not be possible for this function to be called with
344 * concurrent list_add(), but for better safety against future changes
345 * in the code, we use list_empty_careful() here.
347 if (!list_empty_careful(&isec->list)) {
348 spin_lock(&sbsec->isec_lock);
349 list_del_init(&isec->list);
350 spin_unlock(&sbsec->isec_lock);
354 static int file_alloc_security(struct file *file)
356 struct file_security_struct *fsec = selinux_file(file);
357 u32 sid = current_sid();
360 fsec->fown_sid = sid;
365 static int superblock_alloc_security(struct super_block *sb)
367 struct superblock_security_struct *sbsec;
369 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
373 mutex_init(&sbsec->lock);
374 INIT_LIST_HEAD(&sbsec->isec_head);
375 spin_lock_init(&sbsec->isec_lock);
377 sbsec->sid = SECINITSID_UNLABELED;
378 sbsec->def_sid = SECINITSID_FILE;
379 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
380 sb->s_security = sbsec;
385 static void superblock_free_security(struct super_block *sb)
387 struct superblock_security_struct *sbsec = sb->s_security;
388 sb->s_security = NULL;
392 struct selinux_mnt_opts {
393 const char *fscontext, *context, *rootcontext, *defcontext;
396 static void selinux_free_mnt_opts(void *mnt_opts)
398 struct selinux_mnt_opts *opts = mnt_opts;
399 kfree(opts->fscontext);
400 kfree(opts->context);
401 kfree(opts->rootcontext);
402 kfree(opts->defcontext);
406 static inline int inode_doinit(struct inode *inode)
408 return inode_doinit_with_dentry(inode, NULL);
420 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
430 A(rootcontext, true),
435 static int match_opt_prefix(char *s, int l, char **arg)
439 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
440 size_t len = tokens[i].len;
441 if (len > l || memcmp(s, tokens[i].name, len))
443 if (tokens[i].has_arg) {
444 if (len == l || s[len] != '=')
449 return tokens[i].opt;
454 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
456 static int may_context_mount_sb_relabel(u32 sid,
457 struct superblock_security_struct *sbsec,
458 const struct cred *cred)
460 const struct task_security_struct *tsec = selinux_cred(cred);
463 rc = avc_has_perm(&selinux_state,
464 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__RELABELFROM, NULL);
469 rc = avc_has_perm(&selinux_state,
470 tsec->sid, sid, SECCLASS_FILESYSTEM,
471 FILESYSTEM__RELABELTO, NULL);
475 static int may_context_mount_inode_relabel(u32 sid,
476 struct superblock_security_struct *sbsec,
477 const struct cred *cred)
479 const struct task_security_struct *tsec = selinux_cred(cred);
481 rc = avc_has_perm(&selinux_state,
482 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
483 FILESYSTEM__RELABELFROM, NULL);
487 rc = avc_has_perm(&selinux_state,
488 sid, sbsec->sid, SECCLASS_FILESYSTEM,
489 FILESYSTEM__ASSOCIATE, NULL);
493 static int selinux_is_genfs_special_handling(struct super_block *sb)
495 /* Special handling. Genfs but also in-core setxattr handler */
496 return !strcmp(sb->s_type->name, "sysfs") ||
497 !strcmp(sb->s_type->name, "pstore") ||
498 !strcmp(sb->s_type->name, "debugfs") ||
499 !strcmp(sb->s_type->name, "tracefs") ||
500 !strcmp(sb->s_type->name, "rootfs") ||
501 (selinux_policycap_cgroupseclabel() &&
502 (!strcmp(sb->s_type->name, "cgroup") ||
503 !strcmp(sb->s_type->name, "cgroup2")));
506 static int selinux_is_sblabel_mnt(struct super_block *sb)
508 struct superblock_security_struct *sbsec = sb->s_security;
511 * IMPORTANT: Double-check logic in this function when adding a new
512 * SECURITY_FS_USE_* definition!
514 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
516 switch (sbsec->behavior) {
517 case SECURITY_FS_USE_XATTR:
518 case SECURITY_FS_USE_TRANS:
519 case SECURITY_FS_USE_TASK:
520 case SECURITY_FS_USE_NATIVE:
523 case SECURITY_FS_USE_GENFS:
524 return selinux_is_genfs_special_handling(sb);
526 /* Never allow relabeling on context mounts */
527 case SECURITY_FS_USE_MNTPOINT:
528 case SECURITY_FS_USE_NONE:
534 static int sb_finish_set_opts(struct super_block *sb)
536 struct superblock_security_struct *sbsec = sb->s_security;
537 struct dentry *root = sb->s_root;
538 struct inode *root_inode = d_backing_inode(root);
541 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
542 /* Make sure that the xattr handler exists and that no
543 error other than -ENODATA is returned by getxattr on
544 the root directory. -ENODATA is ok, as this may be
545 the first boot of the SELinux kernel before we have
546 assigned xattr values to the filesystem. */
547 if (!(root_inode->i_opflags & IOP_XATTR)) {
548 pr_warn("SELinux: (dev %s, type %s) has no "
549 "xattr support\n", sb->s_id, sb->s_type->name);
554 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
555 if (rc < 0 && rc != -ENODATA) {
556 if (rc == -EOPNOTSUPP)
557 pr_warn("SELinux: (dev %s, type "
558 "%s) has no security xattr handler\n",
559 sb->s_id, sb->s_type->name);
561 pr_warn("SELinux: (dev %s, type "
562 "%s) getxattr errno %d\n", sb->s_id,
563 sb->s_type->name, -rc);
568 sbsec->flags |= SE_SBINITIALIZED;
571 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
572 * leave the flag untouched because sb_clone_mnt_opts might be handing
573 * us a superblock that needs the flag to be cleared.
575 if (selinux_is_sblabel_mnt(sb))
576 sbsec->flags |= SBLABEL_MNT;
578 sbsec->flags &= ~SBLABEL_MNT;
580 /* Initialize the root inode. */
581 rc = inode_doinit_with_dentry(root_inode, root);
583 /* Initialize any other inodes associated with the superblock, e.g.
584 inodes created prior to initial policy load or inodes created
585 during get_sb by a pseudo filesystem that directly
587 spin_lock(&sbsec->isec_lock);
588 while (!list_empty(&sbsec->isec_head)) {
589 struct inode_security_struct *isec =
590 list_first_entry(&sbsec->isec_head,
591 struct inode_security_struct, list);
592 struct inode *inode = isec->inode;
593 list_del_init(&isec->list);
594 spin_unlock(&sbsec->isec_lock);
595 inode = igrab(inode);
597 if (!IS_PRIVATE(inode))
601 spin_lock(&sbsec->isec_lock);
603 spin_unlock(&sbsec->isec_lock);
608 static int bad_option(struct superblock_security_struct *sbsec, char flag,
609 u32 old_sid, u32 new_sid)
611 char mnt_flags = sbsec->flags & SE_MNTMASK;
613 /* check if the old mount command had the same options */
614 if (sbsec->flags & SE_SBINITIALIZED)
615 if (!(sbsec->flags & flag) ||
616 (old_sid != new_sid))
619 /* check if we were passed the same options twice,
620 * aka someone passed context=a,context=b
622 if (!(sbsec->flags & SE_SBINITIALIZED))
623 if (mnt_flags & flag)
628 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
630 int rc = security_context_str_to_sid(&selinux_state, s,
633 pr_warn("SELinux: security_context_str_to_sid"
634 "(%s) failed for (dev %s, type %s) errno=%d\n",
635 s, sb->s_id, sb->s_type->name, rc);
640 * Allow filesystems with binary mount data to explicitly set mount point
641 * labeling information.
643 static int selinux_set_mnt_opts(struct super_block *sb,
645 unsigned long kern_flags,
646 unsigned long *set_kern_flags)
648 const struct cred *cred = current_cred();
649 struct superblock_security_struct *sbsec = sb->s_security;
650 struct dentry *root = sbsec->sb->s_root;
651 struct selinux_mnt_opts *opts = mnt_opts;
652 struct inode_security_struct *root_isec;
653 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
654 u32 defcontext_sid = 0;
657 mutex_lock(&sbsec->lock);
659 if (!selinux_state.initialized) {
661 /* Defer initialization until selinux_complete_init,
662 after the initial policy is loaded and the security
663 server is ready to handle calls. */
667 pr_warn("SELinux: Unable to set superblock options "
668 "before the security server is initialized\n");
671 if (kern_flags && !set_kern_flags) {
672 /* Specifying internal flags without providing a place to
673 * place the results is not allowed */
679 * Binary mount data FS will come through this function twice. Once
680 * from an explicit call and once from the generic calls from the vfs.
681 * Since the generic VFS calls will not contain any security mount data
682 * we need to skip the double mount verification.
684 * This does open a hole in which we will not notice if the first
685 * mount using this sb set explict options and a second mount using
686 * this sb does not set any security options. (The first options
687 * will be used for both mounts)
689 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
693 root_isec = backing_inode_security_novalidate(root);
696 * parse the mount options, check if they are valid sids.
697 * also check if someone is trying to mount the same sb more
698 * than once with different security options.
701 if (opts->fscontext) {
702 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
705 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
707 goto out_double_mount;
708 sbsec->flags |= FSCONTEXT_MNT;
711 rc = parse_sid(sb, opts->context, &context_sid);
714 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
716 goto out_double_mount;
717 sbsec->flags |= CONTEXT_MNT;
719 if (opts->rootcontext) {
720 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
723 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
725 goto out_double_mount;
726 sbsec->flags |= ROOTCONTEXT_MNT;
728 if (opts->defcontext) {
729 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
732 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
734 goto out_double_mount;
735 sbsec->flags |= DEFCONTEXT_MNT;
739 if (sbsec->flags & SE_SBINITIALIZED) {
740 /* previously mounted with options, but not on this attempt? */
741 if ((sbsec->flags & SE_MNTMASK) && !opts)
742 goto out_double_mount;
747 if (strcmp(sb->s_type->name, "proc") == 0)
748 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
750 if (!strcmp(sb->s_type->name, "debugfs") ||
751 !strcmp(sb->s_type->name, "tracefs") ||
752 !strcmp(sb->s_type->name, "sysfs") ||
753 !strcmp(sb->s_type->name, "pstore") ||
754 !strcmp(sb->s_type->name, "cgroup") ||
755 !strcmp(sb->s_type->name, "cgroup2"))
756 sbsec->flags |= SE_SBGENFS;
758 if (!sbsec->behavior) {
760 * Determine the labeling behavior to use for this
763 rc = security_fs_use(&selinux_state, sb);
765 pr_warn("%s: security_fs_use(%s) returned %d\n",
766 __func__, sb->s_type->name, rc);
772 * If this is a user namespace mount and the filesystem type is not
773 * explicitly whitelisted, then no contexts are allowed on the command
774 * line and security labels must be ignored.
776 if (sb->s_user_ns != &init_user_ns &&
777 strcmp(sb->s_type->name, "tmpfs") &&
778 strcmp(sb->s_type->name, "ramfs") &&
779 strcmp(sb->s_type->name, "devpts")) {
780 if (context_sid || fscontext_sid || rootcontext_sid ||
785 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
786 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
787 rc = security_transition_sid(&selinux_state,
791 &sbsec->mntpoint_sid);
798 /* sets the context of the superblock for the fs being mounted. */
800 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
804 sbsec->sid = fscontext_sid;
808 * Switch to using mount point labeling behavior.
809 * sets the label used on all file below the mountpoint, and will set
810 * the superblock context if not already set.
812 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
813 sbsec->behavior = SECURITY_FS_USE_NATIVE;
814 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
818 if (!fscontext_sid) {
819 rc = may_context_mount_sb_relabel(context_sid, sbsec,
823 sbsec->sid = context_sid;
825 rc = may_context_mount_inode_relabel(context_sid, sbsec,
830 if (!rootcontext_sid)
831 rootcontext_sid = context_sid;
833 sbsec->mntpoint_sid = context_sid;
834 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
837 if (rootcontext_sid) {
838 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
843 root_isec->sid = rootcontext_sid;
844 root_isec->initialized = LABEL_INITIALIZED;
847 if (defcontext_sid) {
848 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
849 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
851 pr_warn("SELinux: defcontext option is "
852 "invalid for this filesystem type\n");
856 if (defcontext_sid != sbsec->def_sid) {
857 rc = may_context_mount_inode_relabel(defcontext_sid,
863 sbsec->def_sid = defcontext_sid;
867 rc = sb_finish_set_opts(sb);
869 mutex_unlock(&sbsec->lock);
873 pr_warn("SELinux: mount invalid. Same superblock, different "
874 "security settings for (dev %s, type %s)\n", sb->s_id,
879 static int selinux_cmp_sb_context(const struct super_block *oldsb,
880 const struct super_block *newsb)
882 struct superblock_security_struct *old = oldsb->s_security;
883 struct superblock_security_struct *new = newsb->s_security;
884 char oldflags = old->flags & SE_MNTMASK;
885 char newflags = new->flags & SE_MNTMASK;
887 if (oldflags != newflags)
889 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
891 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
893 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
895 if (oldflags & ROOTCONTEXT_MNT) {
896 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
897 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
898 if (oldroot->sid != newroot->sid)
903 pr_warn("SELinux: mount invalid. Same superblock, "
904 "different security settings for (dev %s, "
905 "type %s)\n", newsb->s_id, newsb->s_type->name);
909 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
910 struct super_block *newsb,
911 unsigned long kern_flags,
912 unsigned long *set_kern_flags)
915 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
916 struct superblock_security_struct *newsbsec = newsb->s_security;
918 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
919 int set_context = (oldsbsec->flags & CONTEXT_MNT);
920 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
923 * if the parent was able to be mounted it clearly had no special lsm
924 * mount options. thus we can safely deal with this superblock later
926 if (!selinux_state.initialized)
930 * Specifying internal flags without providing a place to
931 * place the results is not allowed.
933 if (kern_flags && !set_kern_flags)
936 /* how can we clone if the old one wasn't set up?? */
937 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
939 /* if fs is reusing a sb, make sure that the contexts match */
940 if (newsbsec->flags & SE_SBINITIALIZED)
941 return selinux_cmp_sb_context(oldsb, newsb);
943 mutex_lock(&newsbsec->lock);
945 newsbsec->flags = oldsbsec->flags;
947 newsbsec->sid = oldsbsec->sid;
948 newsbsec->def_sid = oldsbsec->def_sid;
949 newsbsec->behavior = oldsbsec->behavior;
951 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
952 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
953 rc = security_fs_use(&selinux_state, newsb);
958 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
959 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
960 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
964 u32 sid = oldsbsec->mntpoint_sid;
968 if (!set_rootcontext) {
969 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
972 newsbsec->mntpoint_sid = sid;
974 if (set_rootcontext) {
975 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
976 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
978 newisec->sid = oldisec->sid;
981 sb_finish_set_opts(newsb);
983 mutex_unlock(&newsbsec->lock);
987 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
989 struct selinux_mnt_opts *opts = *mnt_opts;
991 if (token == Opt_seclabel) /* eaten and completely ignored */
995 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1004 if (opts->context || opts->defcontext)
1009 if (opts->fscontext)
1011 opts->fscontext = s;
1013 case Opt_rootcontext:
1014 if (opts->rootcontext)
1016 opts->rootcontext = s;
1018 case Opt_defcontext:
1019 if (opts->context || opts->defcontext)
1021 opts->defcontext = s;
1026 pr_warn(SEL_MOUNT_FAIL_MSG);
1030 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1033 int token = Opt_error;
1036 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1037 if (strcmp(option, tokens[i].name) == 0) {
1038 token = tokens[i].opt;
1043 if (token == Opt_error)
1046 if (token != Opt_seclabel)
1047 val = kmemdup_nul(val, len, GFP_KERNEL);
1048 rc = selinux_add_opt(token, val, mnt_opts);
1052 selinux_free_mnt_opts(*mnt_opts);
1059 static int show_sid(struct seq_file *m, u32 sid)
1061 char *context = NULL;
1065 rc = security_sid_to_context(&selinux_state, sid,
1068 bool has_comma = context && strchr(context, ',');
1072 seq_escape(m, context, "\"\n\\");
1080 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1082 struct superblock_security_struct *sbsec = sb->s_security;
1085 if (!(sbsec->flags & SE_SBINITIALIZED))
1088 if (!selinux_state.initialized)
1091 if (sbsec->flags & FSCONTEXT_MNT) {
1093 seq_puts(m, FSCONTEXT_STR);
1094 rc = show_sid(m, sbsec->sid);
1098 if (sbsec->flags & CONTEXT_MNT) {
1100 seq_puts(m, CONTEXT_STR);
1101 rc = show_sid(m, sbsec->mntpoint_sid);
1105 if (sbsec->flags & DEFCONTEXT_MNT) {
1107 seq_puts(m, DEFCONTEXT_STR);
1108 rc = show_sid(m, sbsec->def_sid);
1112 if (sbsec->flags & ROOTCONTEXT_MNT) {
1113 struct dentry *root = sbsec->sb->s_root;
1114 struct inode_security_struct *isec = backing_inode_security(root);
1116 seq_puts(m, ROOTCONTEXT_STR);
1117 rc = show_sid(m, isec->sid);
1121 if (sbsec->flags & SBLABEL_MNT) {
1123 seq_puts(m, LABELSUPP_STR);
1128 static inline u16 inode_mode_to_security_class(umode_t mode)
1130 switch (mode & S_IFMT) {
1132 return SECCLASS_SOCK_FILE;
1134 return SECCLASS_LNK_FILE;
1136 return SECCLASS_FILE;
1138 return SECCLASS_BLK_FILE;
1140 return SECCLASS_DIR;
1142 return SECCLASS_CHR_FILE;
1144 return SECCLASS_FIFO_FILE;
1148 return SECCLASS_FILE;
1151 static inline int default_protocol_stream(int protocol)
1153 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1156 static inline int default_protocol_dgram(int protocol)
1158 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1161 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1163 int extsockclass = selinux_policycap_extsockclass();
1169 case SOCK_SEQPACKET:
1170 return SECCLASS_UNIX_STREAM_SOCKET;
1173 return SECCLASS_UNIX_DGRAM_SOCKET;
1180 case SOCK_SEQPACKET:
1181 if (default_protocol_stream(protocol))
1182 return SECCLASS_TCP_SOCKET;
1183 else if (extsockclass && protocol == IPPROTO_SCTP)
1184 return SECCLASS_SCTP_SOCKET;
1186 return SECCLASS_RAWIP_SOCKET;
1188 if (default_protocol_dgram(protocol))
1189 return SECCLASS_UDP_SOCKET;
1190 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1191 protocol == IPPROTO_ICMPV6))
1192 return SECCLASS_ICMP_SOCKET;
1194 return SECCLASS_RAWIP_SOCKET;
1196 return SECCLASS_DCCP_SOCKET;
1198 return SECCLASS_RAWIP_SOCKET;
1204 return SECCLASS_NETLINK_ROUTE_SOCKET;
1205 case NETLINK_SOCK_DIAG:
1206 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1208 return SECCLASS_NETLINK_NFLOG_SOCKET;
1210 return SECCLASS_NETLINK_XFRM_SOCKET;
1211 case NETLINK_SELINUX:
1212 return SECCLASS_NETLINK_SELINUX_SOCKET;
1214 return SECCLASS_NETLINK_ISCSI_SOCKET;
1216 return SECCLASS_NETLINK_AUDIT_SOCKET;
1217 case NETLINK_FIB_LOOKUP:
1218 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1219 case NETLINK_CONNECTOR:
1220 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1221 case NETLINK_NETFILTER:
1222 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1223 case NETLINK_DNRTMSG:
1224 return SECCLASS_NETLINK_DNRT_SOCKET;
1225 case NETLINK_KOBJECT_UEVENT:
1226 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1227 case NETLINK_GENERIC:
1228 return SECCLASS_NETLINK_GENERIC_SOCKET;
1229 case NETLINK_SCSITRANSPORT:
1230 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1232 return SECCLASS_NETLINK_RDMA_SOCKET;
1233 case NETLINK_CRYPTO:
1234 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1236 return SECCLASS_NETLINK_SOCKET;
1239 return SECCLASS_PACKET_SOCKET;
1241 return SECCLASS_KEY_SOCKET;
1243 return SECCLASS_APPLETALK_SOCKET;
1249 return SECCLASS_AX25_SOCKET;
1251 return SECCLASS_IPX_SOCKET;
1253 return SECCLASS_NETROM_SOCKET;
1255 return SECCLASS_ATMPVC_SOCKET;
1257 return SECCLASS_X25_SOCKET;
1259 return SECCLASS_ROSE_SOCKET;
1261 return SECCLASS_DECNET_SOCKET;
1263 return SECCLASS_ATMSVC_SOCKET;
1265 return SECCLASS_RDS_SOCKET;
1267 return SECCLASS_IRDA_SOCKET;
1269 return SECCLASS_PPPOX_SOCKET;
1271 return SECCLASS_LLC_SOCKET;
1273 return SECCLASS_CAN_SOCKET;
1275 return SECCLASS_TIPC_SOCKET;
1277 return SECCLASS_BLUETOOTH_SOCKET;
1279 return SECCLASS_IUCV_SOCKET;
1281 return SECCLASS_RXRPC_SOCKET;
1283 return SECCLASS_ISDN_SOCKET;
1285 return SECCLASS_PHONET_SOCKET;
1287 return SECCLASS_IEEE802154_SOCKET;
1289 return SECCLASS_CAIF_SOCKET;
1291 return SECCLASS_ALG_SOCKET;
1293 return SECCLASS_NFC_SOCKET;
1295 return SECCLASS_VSOCK_SOCKET;
1297 return SECCLASS_KCM_SOCKET;
1299 return SECCLASS_QIPCRTR_SOCKET;
1301 return SECCLASS_SMC_SOCKET;
1303 return SECCLASS_XDP_SOCKET;
1305 #error New address family defined, please update this function.
1310 return SECCLASS_SOCKET;
1313 static int selinux_genfs_get_sid(struct dentry *dentry,
1319 struct super_block *sb = dentry->d_sb;
1320 char *buffer, *path;
1322 buffer = (char *)__get_free_page(GFP_KERNEL);
1326 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1330 if (flags & SE_SBPROC) {
1331 /* each process gets a /proc/PID/ entry. Strip off the
1332 * PID part to get a valid selinux labeling.
1333 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1334 while (path[1] >= '0' && path[1] <= '9') {
1339 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1341 if (rc == -ENOENT) {
1342 /* No match in policy, mark as unlabeled. */
1343 *sid = SECINITSID_UNLABELED;
1347 free_page((unsigned long)buffer);
1351 /* The inode's security attributes must be initialized before first use. */
1352 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1354 struct superblock_security_struct *sbsec = NULL;
1355 struct inode_security_struct *isec = selinux_inode(inode);
1356 u32 task_sid, sid = 0;
1358 struct dentry *dentry;
1359 #define INITCONTEXTLEN 255
1360 char *context = NULL;
1364 if (isec->initialized == LABEL_INITIALIZED)
1367 spin_lock(&isec->lock);
1368 if (isec->initialized == LABEL_INITIALIZED)
1371 if (isec->sclass == SECCLASS_FILE)
1372 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1374 sbsec = inode->i_sb->s_security;
1375 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1376 /* Defer initialization until selinux_complete_init,
1377 after the initial policy is loaded and the security
1378 server is ready to handle calls. */
1379 spin_lock(&sbsec->isec_lock);
1380 if (list_empty(&isec->list))
1381 list_add(&isec->list, &sbsec->isec_head);
1382 spin_unlock(&sbsec->isec_lock);
1386 sclass = isec->sclass;
1387 task_sid = isec->task_sid;
1389 isec->initialized = LABEL_PENDING;
1390 spin_unlock(&isec->lock);
1392 switch (sbsec->behavior) {
1393 case SECURITY_FS_USE_NATIVE:
1395 case SECURITY_FS_USE_XATTR:
1396 if (!(inode->i_opflags & IOP_XATTR)) {
1397 sid = sbsec->def_sid;
1400 /* Need a dentry, since the xattr API requires one.
1401 Life would be simpler if we could just pass the inode. */
1403 /* Called from d_instantiate or d_splice_alias. */
1404 dentry = dget(opt_dentry);
1407 * Called from selinux_complete_init, try to find a dentry.
1408 * Some filesystems really want a connected one, so try
1409 * that first. We could split SECURITY_FS_USE_XATTR in
1410 * two, depending upon that...
1412 dentry = d_find_alias(inode);
1414 dentry = d_find_any_alias(inode);
1418 * this is can be hit on boot when a file is accessed
1419 * before the policy is loaded. When we load policy we
1420 * may find inodes that have no dentry on the
1421 * sbsec->isec_head list. No reason to complain as these
1422 * will get fixed up the next time we go through
1423 * inode_doinit with a dentry, before these inodes could
1424 * be used again by userspace.
1429 len = INITCONTEXTLEN;
1430 context = kmalloc(len+1, GFP_NOFS);
1436 context[len] = '\0';
1437 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1438 if (rc == -ERANGE) {
1441 /* Need a larger buffer. Query for the right size. */
1442 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1448 context = kmalloc(len+1, GFP_NOFS);
1454 context[len] = '\0';
1455 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1459 if (rc != -ENODATA) {
1460 pr_warn("SELinux: %s: getxattr returned "
1461 "%d for dev=%s ino=%ld\n", __func__,
1462 -rc, inode->i_sb->s_id, inode->i_ino);
1466 /* Map ENODATA to the default file SID */
1467 sid = sbsec->def_sid;
1470 rc = security_context_to_sid_default(&selinux_state,
1475 char *dev = inode->i_sb->s_id;
1476 unsigned long ino = inode->i_ino;
1478 if (rc == -EINVAL) {
1479 if (printk_ratelimit())
1480 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1481 "context=%s. This indicates you may need to relabel the inode or the "
1482 "filesystem in question.\n", ino, dev, context);
1484 pr_warn("SELinux: %s: context_to_sid(%s) "
1485 "returned %d for dev=%s ino=%ld\n",
1486 __func__, context, -rc, dev, ino);
1489 /* Leave with the unlabeled SID */
1496 case SECURITY_FS_USE_TASK:
1499 case SECURITY_FS_USE_TRANS:
1500 /* Default to the fs SID. */
1503 /* Try to obtain a transition SID. */
1504 rc = security_transition_sid(&selinux_state, task_sid, sid,
1505 sclass, NULL, &sid);
1509 case SECURITY_FS_USE_MNTPOINT:
1510 sid = sbsec->mntpoint_sid;
1513 /* Default to the fs superblock SID. */
1516 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1517 /* We must have a dentry to determine the label on
1520 /* Called from d_instantiate or
1521 * d_splice_alias. */
1522 dentry = dget(opt_dentry);
1524 /* Called from selinux_complete_init, try to
1525 * find a dentry. Some filesystems really want
1526 * a connected one, so try that first.
1528 dentry = d_find_alias(inode);
1530 dentry = d_find_any_alias(inode);
1533 * This can be hit on boot when a file is accessed
1534 * before the policy is loaded. When we load policy we
1535 * may find inodes that have no dentry on the
1536 * sbsec->isec_head list. No reason to complain as
1537 * these will get fixed up the next time we go through
1538 * inode_doinit() with a dentry, before these inodes
1539 * could be used again by userspace.
1543 rc = selinux_genfs_get_sid(dentry, sclass,
1544 sbsec->flags, &sid);
1553 spin_lock(&isec->lock);
1554 if (isec->initialized == LABEL_PENDING) {
1556 isec->initialized = LABEL_INVALID;
1560 isec->initialized = LABEL_INITIALIZED;
1565 spin_unlock(&isec->lock);
1569 /* Convert a Linux signal to an access vector. */
1570 static inline u32 signal_to_av(int sig)
1576 /* Commonly granted from child to parent. */
1577 perm = PROCESS__SIGCHLD;
1580 /* Cannot be caught or ignored */
1581 perm = PROCESS__SIGKILL;
1584 /* Cannot be caught or ignored */
1585 perm = PROCESS__SIGSTOP;
1588 /* All other signals. */
1589 perm = PROCESS__SIGNAL;
1596 #if CAP_LAST_CAP > 63
1597 #error Fix SELinux to handle capabilities > 63.
1600 /* Check whether a task is allowed to use a capability. */
1601 static int cred_has_capability(const struct cred *cred,
1602 int cap, unsigned int opts, bool initns)
1604 struct common_audit_data ad;
1605 struct av_decision avd;
1607 u32 sid = cred_sid(cred);
1608 u32 av = CAP_TO_MASK(cap);
1611 ad.type = LSM_AUDIT_DATA_CAP;
1614 switch (CAP_TO_INDEX(cap)) {
1616 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1619 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1622 pr_err("SELinux: out of range capability %d\n", cap);
1627 rc = avc_has_perm_noaudit(&selinux_state,
1628 sid, sid, sclass, av, 0, &avd);
1629 if (!(opts & CAP_OPT_NOAUDIT)) {
1630 int rc2 = avc_audit(&selinux_state,
1631 sid, sid, sclass, av, &avd, rc, &ad, 0);
1638 /* Check whether a task has a particular permission to an inode.
1639 The 'adp' parameter is optional and allows other audit
1640 data to be passed (e.g. the dentry). */
1641 static int inode_has_perm(const struct cred *cred,
1642 struct inode *inode,
1644 struct common_audit_data *adp)
1646 struct inode_security_struct *isec;
1649 validate_creds(cred);
1651 if (unlikely(IS_PRIVATE(inode)))
1654 sid = cred_sid(cred);
1655 isec = selinux_inode(inode);
1657 return avc_has_perm(&selinux_state,
1658 sid, isec->sid, isec->sclass, perms, adp);
1661 /* Same as inode_has_perm, but pass explicit audit data containing
1662 the dentry to help the auditing code to more easily generate the
1663 pathname if needed. */
1664 static inline int dentry_has_perm(const struct cred *cred,
1665 struct dentry *dentry,
1668 struct inode *inode = d_backing_inode(dentry);
1669 struct common_audit_data ad;
1671 ad.type = LSM_AUDIT_DATA_DENTRY;
1672 ad.u.dentry = dentry;
1673 __inode_security_revalidate(inode, dentry, true);
1674 return inode_has_perm(cred, inode, av, &ad);
1677 /* Same as inode_has_perm, but pass explicit audit data containing
1678 the path to help the auditing code to more easily generate the
1679 pathname if needed. */
1680 static inline int path_has_perm(const struct cred *cred,
1681 const struct path *path,
1684 struct inode *inode = d_backing_inode(path->dentry);
1685 struct common_audit_data ad;
1687 ad.type = LSM_AUDIT_DATA_PATH;
1689 __inode_security_revalidate(inode, path->dentry, true);
1690 return inode_has_perm(cred, inode, av, &ad);
1693 /* Same as path_has_perm, but uses the inode from the file struct. */
1694 static inline int file_path_has_perm(const struct cred *cred,
1698 struct common_audit_data ad;
1700 ad.type = LSM_AUDIT_DATA_FILE;
1702 return inode_has_perm(cred, file_inode(file), av, &ad);
1705 #ifdef CONFIG_BPF_SYSCALL
1706 static int bpf_fd_pass(struct file *file, u32 sid);
1709 /* Check whether a task can use an open file descriptor to
1710 access an inode in a given way. Check access to the
1711 descriptor itself, and then use dentry_has_perm to
1712 check a particular permission to the file.
1713 Access to the descriptor is implicitly granted if it
1714 has the same SID as the process. If av is zero, then
1715 access to the file is not checked, e.g. for cases
1716 where only the descriptor is affected like seek. */
1717 static int file_has_perm(const struct cred *cred,
1721 struct file_security_struct *fsec = selinux_file(file);
1722 struct inode *inode = file_inode(file);
1723 struct common_audit_data ad;
1724 u32 sid = cred_sid(cred);
1727 ad.type = LSM_AUDIT_DATA_FILE;
1730 if (sid != fsec->sid) {
1731 rc = avc_has_perm(&selinux_state,
1740 #ifdef CONFIG_BPF_SYSCALL
1741 rc = bpf_fd_pass(file, cred_sid(cred));
1746 /* av is zero if only checking access to the descriptor. */
1749 rc = inode_has_perm(cred, inode, av, &ad);
1756 * Determine the label for an inode that might be unioned.
1759 selinux_determine_inode_label(const struct task_security_struct *tsec,
1761 const struct qstr *name, u16 tclass,
1764 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1766 if ((sbsec->flags & SE_SBINITIALIZED) &&
1767 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1768 *_new_isid = sbsec->mntpoint_sid;
1769 } else if ((sbsec->flags & SBLABEL_MNT) &&
1771 *_new_isid = tsec->create_sid;
1773 const struct inode_security_struct *dsec = inode_security(dir);
1774 return security_transition_sid(&selinux_state, tsec->sid,
1782 /* Check whether a task can create a file. */
1783 static int may_create(struct inode *dir,
1784 struct dentry *dentry,
1787 const struct task_security_struct *tsec = selinux_cred(current_cred());
1788 struct inode_security_struct *dsec;
1789 struct superblock_security_struct *sbsec;
1791 struct common_audit_data ad;
1794 dsec = inode_security(dir);
1795 sbsec = dir->i_sb->s_security;
1799 ad.type = LSM_AUDIT_DATA_DENTRY;
1800 ad.u.dentry = dentry;
1802 rc = avc_has_perm(&selinux_state,
1803 sid, dsec->sid, SECCLASS_DIR,
1804 DIR__ADD_NAME | DIR__SEARCH,
1809 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1810 &dentry->d_name, tclass, &newsid);
1814 rc = avc_has_perm(&selinux_state,
1815 sid, newsid, tclass, FILE__CREATE, &ad);
1819 return avc_has_perm(&selinux_state,
1821 SECCLASS_FILESYSTEM,
1822 FILESYSTEM__ASSOCIATE, &ad);
1826 #define MAY_UNLINK 1
1829 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1830 static int may_link(struct inode *dir,
1831 struct dentry *dentry,
1835 struct inode_security_struct *dsec, *isec;
1836 struct common_audit_data ad;
1837 u32 sid = current_sid();
1841 dsec = inode_security(dir);
1842 isec = backing_inode_security(dentry);
1844 ad.type = LSM_AUDIT_DATA_DENTRY;
1845 ad.u.dentry = dentry;
1848 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1849 rc = avc_has_perm(&selinux_state,
1850 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1865 pr_warn("SELinux: %s: unrecognized kind %d\n",
1870 rc = avc_has_perm(&selinux_state,
1871 sid, isec->sid, isec->sclass, av, &ad);
1875 static inline int may_rename(struct inode *old_dir,
1876 struct dentry *old_dentry,
1877 struct inode *new_dir,
1878 struct dentry *new_dentry)
1880 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1881 struct common_audit_data ad;
1882 u32 sid = current_sid();
1884 int old_is_dir, new_is_dir;
1887 old_dsec = inode_security(old_dir);
1888 old_isec = backing_inode_security(old_dentry);
1889 old_is_dir = d_is_dir(old_dentry);
1890 new_dsec = inode_security(new_dir);
1892 ad.type = LSM_AUDIT_DATA_DENTRY;
1894 ad.u.dentry = old_dentry;
1895 rc = avc_has_perm(&selinux_state,
1896 sid, old_dsec->sid, SECCLASS_DIR,
1897 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1900 rc = avc_has_perm(&selinux_state,
1902 old_isec->sclass, FILE__RENAME, &ad);
1905 if (old_is_dir && new_dir != old_dir) {
1906 rc = avc_has_perm(&selinux_state,
1908 old_isec->sclass, DIR__REPARENT, &ad);
1913 ad.u.dentry = new_dentry;
1914 av = DIR__ADD_NAME | DIR__SEARCH;
1915 if (d_is_positive(new_dentry))
1916 av |= DIR__REMOVE_NAME;
1917 rc = avc_has_perm(&selinux_state,
1918 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1921 if (d_is_positive(new_dentry)) {
1922 new_isec = backing_inode_security(new_dentry);
1923 new_is_dir = d_is_dir(new_dentry);
1924 rc = avc_has_perm(&selinux_state,
1927 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1935 /* Check whether a task can perform a filesystem operation. */
1936 static int superblock_has_perm(const struct cred *cred,
1937 struct super_block *sb,
1939 struct common_audit_data *ad)
1941 struct superblock_security_struct *sbsec;
1942 u32 sid = cred_sid(cred);
1944 sbsec = sb->s_security;
1945 return avc_has_perm(&selinux_state,
1946 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1949 /* Convert a Linux mode and permission mask to an access vector. */
1950 static inline u32 file_mask_to_av(int mode, int mask)
1954 if (!S_ISDIR(mode)) {
1955 if (mask & MAY_EXEC)
1956 av |= FILE__EXECUTE;
1957 if (mask & MAY_READ)
1960 if (mask & MAY_APPEND)
1962 else if (mask & MAY_WRITE)
1966 if (mask & MAY_EXEC)
1968 if (mask & MAY_WRITE)
1970 if (mask & MAY_READ)
1977 /* Convert a Linux file to an access vector. */
1978 static inline u32 file_to_av(struct file *file)
1982 if (file->f_mode & FMODE_READ)
1984 if (file->f_mode & FMODE_WRITE) {
1985 if (file->f_flags & O_APPEND)
1992 * Special file opened with flags 3 for ioctl-only use.
2001 * Convert a file to an access vector and include the correct open
2004 static inline u32 open_file_to_av(struct file *file)
2006 u32 av = file_to_av(file);
2007 struct inode *inode = file_inode(file);
2009 if (selinux_policycap_openperm() &&
2010 inode->i_sb->s_magic != SOCKFS_MAGIC)
2016 /* Hook functions begin here. */
2018 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2020 u32 mysid = current_sid();
2021 u32 mgrsid = task_sid(mgr);
2023 return avc_has_perm(&selinux_state,
2024 mysid, mgrsid, SECCLASS_BINDER,
2025 BINDER__SET_CONTEXT_MGR, NULL);
2028 static int selinux_binder_transaction(struct task_struct *from,
2029 struct task_struct *to)
2031 u32 mysid = current_sid();
2032 u32 fromsid = task_sid(from);
2033 u32 tosid = task_sid(to);
2036 if (mysid != fromsid) {
2037 rc = avc_has_perm(&selinux_state,
2038 mysid, fromsid, SECCLASS_BINDER,
2039 BINDER__IMPERSONATE, NULL);
2044 return avc_has_perm(&selinux_state,
2045 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2049 static int selinux_binder_transfer_binder(struct task_struct *from,
2050 struct task_struct *to)
2052 u32 fromsid = task_sid(from);
2053 u32 tosid = task_sid(to);
2055 return avc_has_perm(&selinux_state,
2056 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2060 static int selinux_binder_transfer_file(struct task_struct *from,
2061 struct task_struct *to,
2064 u32 sid = task_sid(to);
2065 struct file_security_struct *fsec = selinux_file(file);
2066 struct dentry *dentry = file->f_path.dentry;
2067 struct inode_security_struct *isec;
2068 struct common_audit_data ad;
2071 ad.type = LSM_AUDIT_DATA_PATH;
2072 ad.u.path = file->f_path;
2074 if (sid != fsec->sid) {
2075 rc = avc_has_perm(&selinux_state,
2084 #ifdef CONFIG_BPF_SYSCALL
2085 rc = bpf_fd_pass(file, sid);
2090 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2093 isec = backing_inode_security(dentry);
2094 return avc_has_perm(&selinux_state,
2095 sid, isec->sid, isec->sclass, file_to_av(file),
2099 static int selinux_ptrace_access_check(struct task_struct *child,
2102 u32 sid = current_sid();
2103 u32 csid = task_sid(child);
2105 if (mode & PTRACE_MODE_READ)
2106 return avc_has_perm(&selinux_state,
2107 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2109 return avc_has_perm(&selinux_state,
2110 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2113 static int selinux_ptrace_traceme(struct task_struct *parent)
2115 return avc_has_perm(&selinux_state,
2116 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2117 PROCESS__PTRACE, NULL);
2120 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2121 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2123 return avc_has_perm(&selinux_state,
2124 current_sid(), task_sid(target), SECCLASS_PROCESS,
2125 PROCESS__GETCAP, NULL);
2128 static int selinux_capset(struct cred *new, const struct cred *old,
2129 const kernel_cap_t *effective,
2130 const kernel_cap_t *inheritable,
2131 const kernel_cap_t *permitted)
2133 return avc_has_perm(&selinux_state,
2134 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2135 PROCESS__SETCAP, NULL);
2139 * (This comment used to live with the selinux_task_setuid hook,
2140 * which was removed).
2142 * Since setuid only affects the current process, and since the SELinux
2143 * controls are not based on the Linux identity attributes, SELinux does not
2144 * need to control this operation. However, SELinux does control the use of
2145 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2148 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2149 int cap, unsigned int opts)
2151 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2154 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2156 const struct cred *cred = current_cred();
2168 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2173 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2176 rc = 0; /* let the kernel handle invalid cmds */
2182 static int selinux_quota_on(struct dentry *dentry)
2184 const struct cred *cred = current_cred();
2186 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2189 static int selinux_syslog(int type)
2192 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2193 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2194 return avc_has_perm(&selinux_state,
2195 current_sid(), SECINITSID_KERNEL,
2196 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2197 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2198 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2199 /* Set level of messages printed to console */
2200 case SYSLOG_ACTION_CONSOLE_LEVEL:
2201 return avc_has_perm(&selinux_state,
2202 current_sid(), SECINITSID_KERNEL,
2203 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2206 /* All other syslog types */
2207 return avc_has_perm(&selinux_state,
2208 current_sid(), SECINITSID_KERNEL,
2209 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2213 * Check that a process has enough memory to allocate a new virtual
2214 * mapping. 0 means there is enough memory for the allocation to
2215 * succeed and -ENOMEM implies there is not.
2217 * Do not audit the selinux permission check, as this is applied to all
2218 * processes that allocate mappings.
2220 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2222 int rc, cap_sys_admin = 0;
2224 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2225 CAP_OPT_NOAUDIT, true);
2229 return cap_sys_admin;
2232 /* binprm security operations */
2234 static u32 ptrace_parent_sid(void)
2237 struct task_struct *tracer;
2240 tracer = ptrace_parent(current);
2242 sid = task_sid(tracer);
2248 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2249 const struct task_security_struct *old_tsec,
2250 const struct task_security_struct *new_tsec)
2252 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2253 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2257 if (!nnp && !nosuid)
2258 return 0; /* neither NNP nor nosuid */
2260 if (new_tsec->sid == old_tsec->sid)
2261 return 0; /* No change in credentials */
2264 * If the policy enables the nnp_nosuid_transition policy capability,
2265 * then we permit transitions under NNP or nosuid if the
2266 * policy allows the corresponding permission between
2267 * the old and new contexts.
2269 if (selinux_policycap_nnp_nosuid_transition()) {
2272 av |= PROCESS2__NNP_TRANSITION;
2274 av |= PROCESS2__NOSUID_TRANSITION;
2275 rc = avc_has_perm(&selinux_state,
2276 old_tsec->sid, new_tsec->sid,
2277 SECCLASS_PROCESS2, av, NULL);
2283 * We also permit NNP or nosuid transitions to bounded SIDs,
2284 * i.e. SIDs that are guaranteed to only be allowed a subset
2285 * of the permissions of the current SID.
2287 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2293 * On failure, preserve the errno values for NNP vs nosuid.
2294 * NNP: Operation not permitted for caller.
2295 * nosuid: Permission denied to file.
2302 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2304 const struct task_security_struct *old_tsec;
2305 struct task_security_struct *new_tsec;
2306 struct inode_security_struct *isec;
2307 struct common_audit_data ad;
2308 struct inode *inode = file_inode(bprm->file);
2311 /* SELinux context only depends on initial program or script and not
2312 * the script interpreter */
2313 if (bprm->called_set_creds)
2316 old_tsec = selinux_cred(current_cred());
2317 new_tsec = selinux_cred(bprm->cred);
2318 isec = inode_security(inode);
2320 /* Default to the current task SID. */
2321 new_tsec->sid = old_tsec->sid;
2322 new_tsec->osid = old_tsec->sid;
2324 /* Reset fs, key, and sock SIDs on execve. */
2325 new_tsec->create_sid = 0;
2326 new_tsec->keycreate_sid = 0;
2327 new_tsec->sockcreate_sid = 0;
2329 if (old_tsec->exec_sid) {
2330 new_tsec->sid = old_tsec->exec_sid;
2331 /* Reset exec SID on execve. */
2332 new_tsec->exec_sid = 0;
2334 /* Fail on NNP or nosuid if not an allowed transition. */
2335 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2339 /* Check for a default transition on this program. */
2340 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2341 isec->sid, SECCLASS_PROCESS, NULL,
2347 * Fallback to old SID on NNP or nosuid if not an allowed
2350 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2352 new_tsec->sid = old_tsec->sid;
2355 ad.type = LSM_AUDIT_DATA_FILE;
2356 ad.u.file = bprm->file;
2358 if (new_tsec->sid == old_tsec->sid) {
2359 rc = avc_has_perm(&selinux_state,
2360 old_tsec->sid, isec->sid,
2361 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2365 /* Check permissions for the transition. */
2366 rc = avc_has_perm(&selinux_state,
2367 old_tsec->sid, new_tsec->sid,
2368 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2372 rc = avc_has_perm(&selinux_state,
2373 new_tsec->sid, isec->sid,
2374 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2378 /* Check for shared state */
2379 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2380 rc = avc_has_perm(&selinux_state,
2381 old_tsec->sid, new_tsec->sid,
2382 SECCLASS_PROCESS, PROCESS__SHARE,
2388 /* Make sure that anyone attempting to ptrace over a task that
2389 * changes its SID has the appropriate permit */
2390 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2391 u32 ptsid = ptrace_parent_sid();
2393 rc = avc_has_perm(&selinux_state,
2394 ptsid, new_tsec->sid,
2396 PROCESS__PTRACE, NULL);
2402 /* Clear any possibly unsafe personality bits on exec: */
2403 bprm->per_clear |= PER_CLEAR_ON_SETID;
2405 /* Enable secure mode for SIDs transitions unless
2406 the noatsecure permission is granted between
2407 the two SIDs, i.e. ahp returns 0. */
2408 rc = avc_has_perm(&selinux_state,
2409 old_tsec->sid, new_tsec->sid,
2410 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2412 bprm->secureexec |= !!rc;
2418 static int match_file(const void *p, struct file *file, unsigned fd)
2420 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2423 /* Derived from fs/exec.c:flush_old_files. */
2424 static inline void flush_unauthorized_files(const struct cred *cred,
2425 struct files_struct *files)
2427 struct file *file, *devnull = NULL;
2428 struct tty_struct *tty;
2432 tty = get_current_tty();
2434 spin_lock(&tty->files_lock);
2435 if (!list_empty(&tty->tty_files)) {
2436 struct tty_file_private *file_priv;
2438 /* Revalidate access to controlling tty.
2439 Use file_path_has_perm on the tty path directly
2440 rather than using file_has_perm, as this particular
2441 open file may belong to another process and we are
2442 only interested in the inode-based check here. */
2443 file_priv = list_first_entry(&tty->tty_files,
2444 struct tty_file_private, list);
2445 file = file_priv->file;
2446 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2449 spin_unlock(&tty->files_lock);
2452 /* Reset controlling tty. */
2456 /* Revalidate access to inherited open files. */
2457 n = iterate_fd(files, 0, match_file, cred);
2458 if (!n) /* none found? */
2461 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2462 if (IS_ERR(devnull))
2464 /* replace all the matching ones with this */
2466 replace_fd(n - 1, devnull, 0);
2467 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2473 * Prepare a process for imminent new credential changes due to exec
2475 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2477 struct task_security_struct *new_tsec;
2478 struct rlimit *rlim, *initrlim;
2481 new_tsec = selinux_cred(bprm->cred);
2482 if (new_tsec->sid == new_tsec->osid)
2485 /* Close files for which the new task SID is not authorized. */
2486 flush_unauthorized_files(bprm->cred, current->files);
2488 /* Always clear parent death signal on SID transitions. */
2489 current->pdeath_signal = 0;
2491 /* Check whether the new SID can inherit resource limits from the old
2492 * SID. If not, reset all soft limits to the lower of the current
2493 * task's hard limit and the init task's soft limit.
2495 * Note that the setting of hard limits (even to lower them) can be
2496 * controlled by the setrlimit check. The inclusion of the init task's
2497 * soft limit into the computation is to avoid resetting soft limits
2498 * higher than the default soft limit for cases where the default is
2499 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2501 rc = avc_has_perm(&selinux_state,
2502 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2503 PROCESS__RLIMITINH, NULL);
2505 /* protect against do_prlimit() */
2507 for (i = 0; i < RLIM_NLIMITS; i++) {
2508 rlim = current->signal->rlim + i;
2509 initrlim = init_task.signal->rlim + i;
2510 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2512 task_unlock(current);
2513 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2514 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2519 * Clean up the process immediately after the installation of new credentials
2522 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2524 const struct task_security_struct *tsec = selinux_cred(current_cred());
2525 struct itimerval itimer;
2535 /* Check whether the new SID can inherit signal state from the old SID.
2536 * If not, clear itimers to avoid subsequent signal generation and
2537 * flush and unblock signals.
2539 * This must occur _after_ the task SID has been updated so that any
2540 * kill done after the flush will be checked against the new SID.
2542 rc = avc_has_perm(&selinux_state,
2543 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2545 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2546 memset(&itimer, 0, sizeof itimer);
2547 for (i = 0; i < 3; i++)
2548 do_setitimer(i, &itimer, NULL);
2550 spin_lock_irq(¤t->sighand->siglock);
2551 if (!fatal_signal_pending(current)) {
2552 flush_sigqueue(¤t->pending);
2553 flush_sigqueue(¤t->signal->shared_pending);
2554 flush_signal_handlers(current, 1);
2555 sigemptyset(¤t->blocked);
2556 recalc_sigpending();
2558 spin_unlock_irq(¤t->sighand->siglock);
2561 /* Wake up the parent if it is waiting so that it can recheck
2562 * wait permission to the new task SID. */
2563 read_lock(&tasklist_lock);
2564 __wake_up_parent(current, current->real_parent);
2565 read_unlock(&tasklist_lock);
2568 /* superblock security operations */
2570 static int selinux_sb_alloc_security(struct super_block *sb)
2572 return superblock_alloc_security(sb);
2575 static void selinux_sb_free_security(struct super_block *sb)
2577 superblock_free_security(sb);
2580 static inline int opt_len(const char *s)
2582 bool open_quote = false;
2586 for (len = 0; (c = s[len]) != '\0'; len++) {
2588 open_quote = !open_quote;
2589 if (c == ',' && !open_quote)
2595 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2597 char *from = options;
2602 int len = opt_len(from);
2606 token = match_opt_prefix(from, len, &arg);
2608 if (token != Opt_error) {
2613 for (p = q = arg; p < from + len; p++) {
2618 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2620 rc = selinux_add_opt(token, arg, mnt_opts);
2624 selinux_free_mnt_opts(*mnt_opts);
2630 if (!first) { // copy with preceding comma
2635 memmove(to, from, len);
2647 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2649 struct selinux_mnt_opts *opts = mnt_opts;
2650 struct superblock_security_struct *sbsec = sb->s_security;
2654 if (!(sbsec->flags & SE_SBINITIALIZED))
2660 if (opts->fscontext) {
2661 rc = parse_sid(sb, opts->fscontext, &sid);
2664 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2665 goto out_bad_option;
2667 if (opts->context) {
2668 rc = parse_sid(sb, opts->context, &sid);
2671 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2672 goto out_bad_option;
2674 if (opts->rootcontext) {
2675 struct inode_security_struct *root_isec;
2676 root_isec = backing_inode_security(sb->s_root);
2677 rc = parse_sid(sb, opts->rootcontext, &sid);
2680 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2681 goto out_bad_option;
2683 if (opts->defcontext) {
2684 rc = parse_sid(sb, opts->defcontext, &sid);
2687 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2688 goto out_bad_option;
2693 pr_warn("SELinux: unable to change security options "
2694 "during remount (dev %s, type=%s)\n", sb->s_id,
2699 static int selinux_sb_kern_mount(struct super_block *sb)
2701 const struct cred *cred = current_cred();
2702 struct common_audit_data ad;
2704 ad.type = LSM_AUDIT_DATA_DENTRY;
2705 ad.u.dentry = sb->s_root;
2706 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2709 static int selinux_sb_statfs(struct dentry *dentry)
2711 const struct cred *cred = current_cred();
2712 struct common_audit_data ad;
2714 ad.type = LSM_AUDIT_DATA_DENTRY;
2715 ad.u.dentry = dentry->d_sb->s_root;
2716 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2719 static int selinux_mount(const char *dev_name,
2720 const struct path *path,
2722 unsigned long flags,
2725 const struct cred *cred = current_cred();
2727 if (flags & MS_REMOUNT)
2728 return superblock_has_perm(cred, path->dentry->d_sb,
2729 FILESYSTEM__REMOUNT, NULL);
2731 return path_has_perm(cred, path, FILE__MOUNTON);
2734 static int selinux_umount(struct vfsmount *mnt, int flags)
2736 const struct cred *cred = current_cred();
2738 return superblock_has_perm(cred, mnt->mnt_sb,
2739 FILESYSTEM__UNMOUNT, NULL);
2742 /* inode security operations */
2744 static int selinux_inode_alloc_security(struct inode *inode)
2746 return inode_alloc_security(inode);
2749 static void selinux_inode_free_security(struct inode *inode)
2751 inode_free_security(inode);
2754 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2755 const struct qstr *name, void **ctx,
2761 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2762 d_inode(dentry->d_parent), name,
2763 inode_mode_to_security_class(mode),
2768 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2772 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2774 const struct cred *old,
2779 struct task_security_struct *tsec;
2781 rc = selinux_determine_inode_label(selinux_cred(old),
2782 d_inode(dentry->d_parent), name,
2783 inode_mode_to_security_class(mode),
2788 tsec = selinux_cred(new);
2789 tsec->create_sid = newsid;
2793 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2794 const struct qstr *qstr,
2796 void **value, size_t *len)
2798 const struct task_security_struct *tsec = selinux_cred(current_cred());
2799 struct superblock_security_struct *sbsec;
2804 sbsec = dir->i_sb->s_security;
2806 newsid = tsec->create_sid;
2808 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2810 inode_mode_to_security_class(inode->i_mode),
2815 /* Possibly defer initialization to selinux_complete_init. */
2816 if (sbsec->flags & SE_SBINITIALIZED) {
2817 struct inode_security_struct *isec = selinux_inode(inode);
2818 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2820 isec->initialized = LABEL_INITIALIZED;
2823 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2827 *name = XATTR_SELINUX_SUFFIX;
2830 rc = security_sid_to_context_force(&selinux_state, newsid,
2841 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2843 return may_create(dir, dentry, SECCLASS_FILE);
2846 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2848 return may_link(dir, old_dentry, MAY_LINK);
2851 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2853 return may_link(dir, dentry, MAY_UNLINK);
2856 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2858 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2861 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2863 return may_create(dir, dentry, SECCLASS_DIR);
2866 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2868 return may_link(dir, dentry, MAY_RMDIR);
2871 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2873 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2876 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2877 struct inode *new_inode, struct dentry *new_dentry)
2879 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2882 static int selinux_inode_readlink(struct dentry *dentry)
2884 const struct cred *cred = current_cred();
2886 return dentry_has_perm(cred, dentry, FILE__READ);
2889 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2892 const struct cred *cred = current_cred();
2893 struct common_audit_data ad;
2894 struct inode_security_struct *isec;
2897 validate_creds(cred);
2899 ad.type = LSM_AUDIT_DATA_DENTRY;
2900 ad.u.dentry = dentry;
2901 sid = cred_sid(cred);
2902 isec = inode_security_rcu(inode, rcu);
2904 return PTR_ERR(isec);
2906 return avc_has_perm(&selinux_state,
2907 sid, isec->sid, isec->sclass, FILE__READ, &ad);
2910 static noinline int audit_inode_permission(struct inode *inode,
2911 u32 perms, u32 audited, u32 denied,
2915 struct common_audit_data ad;
2916 struct inode_security_struct *isec = selinux_inode(inode);
2919 ad.type = LSM_AUDIT_DATA_INODE;
2922 rc = slow_avc_audit(&selinux_state,
2923 current_sid(), isec->sid, isec->sclass, perms,
2924 audited, denied, result, &ad, flags);
2930 static int selinux_inode_permission(struct inode *inode, int mask)
2932 const struct cred *cred = current_cred();
2935 unsigned flags = mask & MAY_NOT_BLOCK;
2936 struct inode_security_struct *isec;
2938 struct av_decision avd;
2940 u32 audited, denied;
2942 from_access = mask & MAY_ACCESS;
2943 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2945 /* No permission to check. Existence test. */
2949 validate_creds(cred);
2951 if (unlikely(IS_PRIVATE(inode)))
2954 perms = file_mask_to_av(inode->i_mode, mask);
2956 sid = cred_sid(cred);
2957 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2959 return PTR_ERR(isec);
2961 rc = avc_has_perm_noaudit(&selinux_state,
2962 sid, isec->sid, isec->sclass, perms,
2963 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
2965 audited = avc_audit_required(perms, &avd, rc,
2966 from_access ? FILE__AUDIT_ACCESS : 0,
2968 if (likely(!audited))
2971 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2977 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2979 const struct cred *cred = current_cred();
2980 struct inode *inode = d_backing_inode(dentry);
2981 unsigned int ia_valid = iattr->ia_valid;
2982 __u32 av = FILE__WRITE;
2984 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2985 if (ia_valid & ATTR_FORCE) {
2986 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2992 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2993 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2994 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2996 if (selinux_policycap_openperm() &&
2997 inode->i_sb->s_magic != SOCKFS_MAGIC &&
2998 (ia_valid & ATTR_SIZE) &&
2999 !(ia_valid & ATTR_FILE))
3002 return dentry_has_perm(cred, dentry, av);
3005 static int selinux_inode_getattr(const struct path *path)
3007 return path_has_perm(current_cred(), path, FILE__GETATTR);
3010 static bool has_cap_mac_admin(bool audit)
3012 const struct cred *cred = current_cred();
3013 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3015 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3017 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3022 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3023 const void *value, size_t size, int flags)
3025 struct inode *inode = d_backing_inode(dentry);
3026 struct inode_security_struct *isec;
3027 struct superblock_security_struct *sbsec;
3028 struct common_audit_data ad;
3029 u32 newsid, sid = current_sid();
3032 if (strcmp(name, XATTR_NAME_SELINUX)) {
3033 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3037 /* Not an attribute we recognize, so just check the
3038 ordinary setattr permission. */
3039 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3042 sbsec = inode->i_sb->s_security;
3043 if (!(sbsec->flags & SBLABEL_MNT))
3046 if (!inode_owner_or_capable(inode))
3049 ad.type = LSM_AUDIT_DATA_DENTRY;
3050 ad.u.dentry = dentry;
3052 isec = backing_inode_security(dentry);
3053 rc = avc_has_perm(&selinux_state,
3054 sid, isec->sid, isec->sclass,
3055 FILE__RELABELFROM, &ad);
3059 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3061 if (rc == -EINVAL) {
3062 if (!has_cap_mac_admin(true)) {
3063 struct audit_buffer *ab;
3066 /* We strip a nul only if it is at the end, otherwise the
3067 * context contains a nul and we should audit that */
3069 const char *str = value;
3071 if (str[size - 1] == '\0')
3072 audit_size = size - 1;
3078 ab = audit_log_start(audit_context(),
3079 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3080 audit_log_format(ab, "op=setxattr invalid_context=");
3081 audit_log_n_untrustedstring(ab, value, audit_size);
3086 rc = security_context_to_sid_force(&selinux_state, value,
3092 rc = avc_has_perm(&selinux_state,
3093 sid, newsid, isec->sclass,
3094 FILE__RELABELTO, &ad);
3098 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3103 return avc_has_perm(&selinux_state,
3106 SECCLASS_FILESYSTEM,
3107 FILESYSTEM__ASSOCIATE,
3111 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3112 const void *value, size_t size,
3115 struct inode *inode = d_backing_inode(dentry);
3116 struct inode_security_struct *isec;
3120 if (strcmp(name, XATTR_NAME_SELINUX)) {
3121 /* Not an attribute we recognize, so nothing to do. */
3125 rc = security_context_to_sid_force(&selinux_state, value, size,
3128 pr_err("SELinux: unable to map context to SID"
3129 "for (%s, %lu), rc=%d\n",
3130 inode->i_sb->s_id, inode->i_ino, -rc);
3134 isec = backing_inode_security(dentry);
3135 spin_lock(&isec->lock);
3136 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3138 isec->initialized = LABEL_INITIALIZED;
3139 spin_unlock(&isec->lock);
3144 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3146 const struct cred *cred = current_cred();
3148 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3151 static int selinux_inode_listxattr(struct dentry *dentry)
3153 const struct cred *cred = current_cred();
3155 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3158 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3160 if (strcmp(name, XATTR_NAME_SELINUX)) {
3161 int rc = cap_inode_removexattr(dentry, name);
3165 /* Not an attribute we recognize, so just check the
3166 ordinary setattr permission. */
3167 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3170 /* No one is allowed to remove a SELinux security label.
3171 You can change the label, but all data must be labeled. */
3176 * Copy the inode security context value to the user.
3178 * Permission check is handled by selinux_inode_getxattr hook.
3180 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3184 char *context = NULL;
3185 struct inode_security_struct *isec;
3187 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3191 * If the caller has CAP_MAC_ADMIN, then get the raw context
3192 * value even if it is not defined by current policy; otherwise,
3193 * use the in-core value under current policy.
3194 * Use the non-auditing forms of the permission checks since
3195 * getxattr may be called by unprivileged processes commonly
3196 * and lack of permission just means that we fall back to the
3197 * in-core context value, not a denial.
3199 isec = inode_security(inode);
3200 if (has_cap_mac_admin(false))
3201 error = security_sid_to_context_force(&selinux_state,
3202 isec->sid, &context,
3205 error = security_sid_to_context(&selinux_state, isec->sid,
3219 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3220 const void *value, size_t size, int flags)
3222 struct inode_security_struct *isec = inode_security_novalidate(inode);
3223 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3227 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3230 if (!(sbsec->flags & SBLABEL_MNT))
3233 if (!value || !size)
3236 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3241 spin_lock(&isec->lock);
3242 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3244 isec->initialized = LABEL_INITIALIZED;
3245 spin_unlock(&isec->lock);
3249 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3251 const int len = sizeof(XATTR_NAME_SELINUX);
3252 if (buffer && len <= buffer_size)
3253 memcpy(buffer, XATTR_NAME_SELINUX, len);
3257 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3259 struct inode_security_struct *isec = inode_security_novalidate(inode);
3263 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3266 struct task_security_struct *tsec;
3267 struct cred *new_creds = *new;
3269 if (new_creds == NULL) {
3270 new_creds = prepare_creds();
3275 tsec = selinux_cred(new_creds);
3276 /* Get label from overlay inode and set it in create_sid */
3277 selinux_inode_getsecid(d_inode(src), &sid);
3278 tsec->create_sid = sid;
3283 static int selinux_inode_copy_up_xattr(const char *name)
3285 /* The copy_up hook above sets the initial context on an inode, but we
3286 * don't then want to overwrite it by blindly copying all the lower
3287 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3289 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3290 return 1; /* Discard */
3292 * Any other attribute apart from SELINUX is not claimed, supported
3298 /* file security operations */
3300 static int selinux_revalidate_file_permission(struct file *file, int mask)
3302 const struct cred *cred = current_cred();
3303 struct inode *inode = file_inode(file);
3305 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3306 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3309 return file_has_perm(cred, file,
3310 file_mask_to_av(inode->i_mode, mask));
3313 static int selinux_file_permission(struct file *file, int mask)
3315 struct inode *inode = file_inode(file);
3316 struct file_security_struct *fsec = selinux_file(file);
3317 struct inode_security_struct *isec;
3318 u32 sid = current_sid();
3321 /* No permission to check. Existence test. */
3324 isec = inode_security(inode);
3325 if (sid == fsec->sid && fsec->isid == isec->sid &&
3326 fsec->pseqno == avc_policy_seqno(&selinux_state))
3327 /* No change since file_open check. */
3330 return selinux_revalidate_file_permission(file, mask);
3333 static int selinux_file_alloc_security(struct file *file)
3335 return file_alloc_security(file);
3339 * Check whether a task has the ioctl permission and cmd
3340 * operation to an inode.
3342 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3343 u32 requested, u16 cmd)
3345 struct common_audit_data ad;
3346 struct file_security_struct *fsec = selinux_file(file);
3347 struct inode *inode = file_inode(file);
3348 struct inode_security_struct *isec;
3349 struct lsm_ioctlop_audit ioctl;
3350 u32 ssid = cred_sid(cred);
3352 u8 driver = cmd >> 8;
3353 u8 xperm = cmd & 0xff;
3355 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3358 ad.u.op->path = file->f_path;
3360 if (ssid != fsec->sid) {
3361 rc = avc_has_perm(&selinux_state,
3370 if (unlikely(IS_PRIVATE(inode)))
3373 isec = inode_security(inode);
3374 rc = avc_has_extended_perms(&selinux_state,
3375 ssid, isec->sid, isec->sclass,
3376 requested, driver, xperm, &ad);
3381 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3384 const struct cred *cred = current_cred();
3394 case FS_IOC_GETFLAGS:
3396 case FS_IOC_GETVERSION:
3397 error = file_has_perm(cred, file, FILE__GETATTR);
3400 case FS_IOC_SETFLAGS:
3402 case FS_IOC_SETVERSION:
3403 error = file_has_perm(cred, file, FILE__SETATTR);
3406 /* sys_ioctl() checks */
3410 error = file_has_perm(cred, file, 0);
3415 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3416 CAP_OPT_NONE, true);
3419 /* default case assumes that the command will go
3420 * to the file's ioctl() function.
3423 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3428 static int default_noexec;
3430 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3432 const struct cred *cred = current_cred();
3433 u32 sid = cred_sid(cred);
3436 if (default_noexec &&
3437 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3438 (!shared && (prot & PROT_WRITE)))) {
3440 * We are making executable an anonymous mapping or a
3441 * private file mapping that will also be writable.
3442 * This has an additional check.
3444 rc = avc_has_perm(&selinux_state,
3445 sid, sid, SECCLASS_PROCESS,
3446 PROCESS__EXECMEM, NULL);
3452 /* read access is always possible with a mapping */
3453 u32 av = FILE__READ;
3455 /* write access only matters if the mapping is shared */
3456 if (shared && (prot & PROT_WRITE))
3459 if (prot & PROT_EXEC)
3460 av |= FILE__EXECUTE;
3462 return file_has_perm(cred, file, av);
3469 static int selinux_mmap_addr(unsigned long addr)
3473 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3474 u32 sid = current_sid();
3475 rc = avc_has_perm(&selinux_state,
3476 sid, sid, SECCLASS_MEMPROTECT,
3477 MEMPROTECT__MMAP_ZERO, NULL);
3483 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3484 unsigned long prot, unsigned long flags)
3486 struct common_audit_data ad;
3490 ad.type = LSM_AUDIT_DATA_FILE;
3492 rc = inode_has_perm(current_cred(), file_inode(file),
3498 if (selinux_state.checkreqprot)
3501 return file_map_prot_check(file, prot,
3502 (flags & MAP_TYPE) == MAP_SHARED);
3505 static int selinux_file_mprotect(struct vm_area_struct *vma,
3506 unsigned long reqprot,
3509 const struct cred *cred = current_cred();
3510 u32 sid = cred_sid(cred);
3512 if (selinux_state.checkreqprot)
3515 if (default_noexec &&
3516 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3518 if (vma->vm_start >= vma->vm_mm->start_brk &&
3519 vma->vm_end <= vma->vm_mm->brk) {
3520 rc = avc_has_perm(&selinux_state,
3521 sid, sid, SECCLASS_PROCESS,
3522 PROCESS__EXECHEAP, NULL);
3523 } else if (!vma->vm_file &&
3524 ((vma->vm_start <= vma->vm_mm->start_stack &&
3525 vma->vm_end >= vma->vm_mm->start_stack) ||
3526 vma_is_stack_for_current(vma))) {
3527 rc = avc_has_perm(&selinux_state,
3528 sid, sid, SECCLASS_PROCESS,
3529 PROCESS__EXECSTACK, NULL);
3530 } else if (vma->vm_file && vma->anon_vma) {
3532 * We are making executable a file mapping that has
3533 * had some COW done. Since pages might have been
3534 * written, check ability to execute the possibly
3535 * modified content. This typically should only
3536 * occur for text relocations.
3538 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3544 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3547 static int selinux_file_lock(struct file *file, unsigned int cmd)
3549 const struct cred *cred = current_cred();
3551 return file_has_perm(cred, file, FILE__LOCK);
3554 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3557 const struct cred *cred = current_cred();
3562 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3563 err = file_has_perm(cred, file, FILE__WRITE);
3572 case F_GETOWNER_UIDS:
3573 /* Just check FD__USE permission */
3574 err = file_has_perm(cred, file, 0);
3582 #if BITS_PER_LONG == 32
3587 err = file_has_perm(cred, file, FILE__LOCK);
3594 static void selinux_file_set_fowner(struct file *file)
3596 struct file_security_struct *fsec;
3598 fsec = selinux_file(file);
3599 fsec->fown_sid = current_sid();
3602 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3603 struct fown_struct *fown, int signum)
3606 u32 sid = task_sid(tsk);
3608 struct file_security_struct *fsec;
3610 /* struct fown_struct is never outside the context of a struct file */
3611 file = container_of(fown, struct file, f_owner);
3613 fsec = selinux_file(file);
3616 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3618 perm = signal_to_av(signum);
3620 return avc_has_perm(&selinux_state,
3621 fsec->fown_sid, sid,
3622 SECCLASS_PROCESS, perm, NULL);
3625 static int selinux_file_receive(struct file *file)
3627 const struct cred *cred = current_cred();
3629 return file_has_perm(cred, file, file_to_av(file));
3632 static int selinux_file_open(struct file *file)
3634 struct file_security_struct *fsec;
3635 struct inode_security_struct *isec;
3637 fsec = selinux_file(file);
3638 isec = inode_security(file_inode(file));
3640 * Save inode label and policy sequence number
3641 * at open-time so that selinux_file_permission
3642 * can determine whether revalidation is necessary.
3643 * Task label is already saved in the file security
3644 * struct as its SID.
3646 fsec->isid = isec->sid;
3647 fsec->pseqno = avc_policy_seqno(&selinux_state);
3649 * Since the inode label or policy seqno may have changed
3650 * between the selinux_inode_permission check and the saving
3651 * of state above, recheck that access is still permitted.
3652 * Otherwise, access might never be revalidated against the
3653 * new inode label or new policy.
3654 * This check is not redundant - do not remove.
3656 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3659 /* task security operations */
3661 static int selinux_task_alloc(struct task_struct *task,
3662 unsigned long clone_flags)
3664 u32 sid = current_sid();
3666 return avc_has_perm(&selinux_state,
3667 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3671 * prepare a new set of credentials for modification
3673 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3676 const struct task_security_struct *old_tsec = selinux_cred(old);
3677 struct task_security_struct *tsec = selinux_cred(new);
3684 * transfer the SELinux data to a blank set of creds
3686 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3688 const struct task_security_struct *old_tsec = selinux_cred(old);
3689 struct task_security_struct *tsec = selinux_cred(new);
3694 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3696 *secid = cred_sid(c);
3700 * set the security data for a kernel service
3701 * - all the creation contexts are set to unlabelled
3703 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3705 struct task_security_struct *tsec = selinux_cred(new);
3706 u32 sid = current_sid();
3709 ret = avc_has_perm(&selinux_state,
3711 SECCLASS_KERNEL_SERVICE,
3712 KERNEL_SERVICE__USE_AS_OVERRIDE,
3716 tsec->create_sid = 0;
3717 tsec->keycreate_sid = 0;
3718 tsec->sockcreate_sid = 0;
3724 * set the file creation context in a security record to the same as the
3725 * objective context of the specified inode
3727 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3729 struct inode_security_struct *isec = inode_security(inode);
3730 struct task_security_struct *tsec = selinux_cred(new);
3731 u32 sid = current_sid();
3734 ret = avc_has_perm(&selinux_state,
3736 SECCLASS_KERNEL_SERVICE,
3737 KERNEL_SERVICE__CREATE_FILES_AS,
3741 tsec->create_sid = isec->sid;
3745 static int selinux_kernel_module_request(char *kmod_name)
3747 struct common_audit_data ad;
3749 ad.type = LSM_AUDIT_DATA_KMOD;
3750 ad.u.kmod_name = kmod_name;
3752 return avc_has_perm(&selinux_state,
3753 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3754 SYSTEM__MODULE_REQUEST, &ad);
3757 static int selinux_kernel_module_from_file(struct file *file)
3759 struct common_audit_data ad;
3760 struct inode_security_struct *isec;
3761 struct file_security_struct *fsec;
3762 u32 sid = current_sid();
3767 return avc_has_perm(&selinux_state,
3768 sid, sid, SECCLASS_SYSTEM,
3769 SYSTEM__MODULE_LOAD, NULL);
3773 ad.type = LSM_AUDIT_DATA_FILE;
3776 fsec = selinux_file(file);
3777 if (sid != fsec->sid) {
3778 rc = avc_has_perm(&selinux_state,
3779 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3784 isec = inode_security(file_inode(file));
3785 return avc_has_perm(&selinux_state,
3786 sid, isec->sid, SECCLASS_SYSTEM,
3787 SYSTEM__MODULE_LOAD, &ad);
3790 static int selinux_kernel_read_file(struct file *file,
3791 enum kernel_read_file_id id)
3796 case READING_MODULE:
3797 rc = selinux_kernel_module_from_file(file);
3806 static int selinux_kernel_load_data(enum kernel_load_data_id id)
3811 case LOADING_MODULE:
3812 rc = selinux_kernel_module_from_file(NULL);
3820 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3822 return avc_has_perm(&selinux_state,
3823 current_sid(), task_sid(p), SECCLASS_PROCESS,
3824 PROCESS__SETPGID, NULL);
3827 static int selinux_task_getpgid(struct task_struct *p)
3829 return avc_has_perm(&selinux_state,
3830 current_sid(), task_sid(p), SECCLASS_PROCESS,
3831 PROCESS__GETPGID, NULL);
3834 static int selinux_task_getsid(struct task_struct *p)
3836 return avc_has_perm(&selinux_state,
3837 current_sid(), task_sid(p), SECCLASS_PROCESS,
3838 PROCESS__GETSESSION, NULL);
3841 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3843 *secid = task_sid(p);
3846 static int selinux_task_setnice(struct task_struct *p, int nice)
3848 return avc_has_perm(&selinux_state,
3849 current_sid(), task_sid(p), SECCLASS_PROCESS,
3850 PROCESS__SETSCHED, NULL);
3853 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3855 return avc_has_perm(&selinux_state,
3856 current_sid(), task_sid(p), SECCLASS_PROCESS,
3857 PROCESS__SETSCHED, NULL);
3860 static int selinux_task_getioprio(struct task_struct *p)
3862 return avc_has_perm(&selinux_state,
3863 current_sid(), task_sid(p), SECCLASS_PROCESS,
3864 PROCESS__GETSCHED, NULL);
3867 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3874 if (flags & LSM_PRLIMIT_WRITE)
3875 av |= PROCESS__SETRLIMIT;
3876 if (flags & LSM_PRLIMIT_READ)
3877 av |= PROCESS__GETRLIMIT;
3878 return avc_has_perm(&selinux_state,
3879 cred_sid(cred), cred_sid(tcred),
3880 SECCLASS_PROCESS, av, NULL);
3883 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3884 struct rlimit *new_rlim)
3886 struct rlimit *old_rlim = p->signal->rlim + resource;
3888 /* Control the ability to change the hard limit (whether
3889 lowering or raising it), so that the hard limit can
3890 later be used as a safe reset point for the soft limit
3891 upon context transitions. See selinux_bprm_committing_creds. */
3892 if (old_rlim->rlim_max != new_rlim->rlim_max)
3893 return avc_has_perm(&selinux_state,
3894 current_sid(), task_sid(p),
3895 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
3900 static int selinux_task_setscheduler(struct task_struct *p)
3902 return avc_has_perm(&selinux_state,
3903 current_sid(), task_sid(p), SECCLASS_PROCESS,
3904 PROCESS__SETSCHED, NULL);
3907 static int selinux_task_getscheduler(struct task_struct *p)
3909 return avc_has_perm(&selinux_state,
3910 current_sid(), task_sid(p), SECCLASS_PROCESS,
3911 PROCESS__GETSCHED, NULL);
3914 static int selinux_task_movememory(struct task_struct *p)
3916 return avc_has_perm(&selinux_state,
3917 current_sid(), task_sid(p), SECCLASS_PROCESS,
3918 PROCESS__SETSCHED, NULL);
3921 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
3922 int sig, const struct cred *cred)
3928 perm = PROCESS__SIGNULL; /* null signal; existence test */
3930 perm = signal_to_av(sig);
3932 secid = current_sid();
3934 secid = cred_sid(cred);
3935 return avc_has_perm(&selinux_state,
3936 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
3939 static void selinux_task_to_inode(struct task_struct *p,
3940 struct inode *inode)
3942 struct inode_security_struct *isec = selinux_inode(inode);
3943 u32 sid = task_sid(p);
3945 spin_lock(&isec->lock);
3946 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3948 isec->initialized = LABEL_INITIALIZED;
3949 spin_unlock(&isec->lock);
3952 /* Returns error only if unable to parse addresses */
3953 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3954 struct common_audit_data *ad, u8 *proto)
3956 int offset, ihlen, ret = -EINVAL;
3957 struct iphdr _iph, *ih;
3959 offset = skb_network_offset(skb);
3960 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3964 ihlen = ih->ihl * 4;
3965 if (ihlen < sizeof(_iph))
3968 ad->u.net->v4info.saddr = ih->saddr;
3969 ad->u.net->v4info.daddr = ih->daddr;
3973 *proto = ih->protocol;
3975 switch (ih->protocol) {
3977 struct tcphdr _tcph, *th;
3979 if (ntohs(ih->frag_off) & IP_OFFSET)
3983 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3987 ad->u.net->sport = th->source;
3988 ad->u.net->dport = th->dest;
3993 struct udphdr _udph, *uh;
3995 if (ntohs(ih->frag_off) & IP_OFFSET)
3999 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4003 ad->u.net->sport = uh->source;
4004 ad->u.net->dport = uh->dest;
4008 case IPPROTO_DCCP: {
4009 struct dccp_hdr _dccph, *dh;
4011 if (ntohs(ih->frag_off) & IP_OFFSET)
4015 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4019 ad->u.net->sport = dh->dccph_sport;
4020 ad->u.net->dport = dh->dccph_dport;
4024 #if IS_ENABLED(CONFIG_IP_SCTP)
4025 case IPPROTO_SCTP: {
4026 struct sctphdr _sctph, *sh;
4028 if (ntohs(ih->frag_off) & IP_OFFSET)
4032 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4036 ad->u.net->sport = sh->source;
4037 ad->u.net->dport = sh->dest;
4048 #if IS_ENABLED(CONFIG_IPV6)
4050 /* Returns error only if unable to parse addresses */
4051 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4052 struct common_audit_data *ad, u8 *proto)
4055 int ret = -EINVAL, offset;
4056 struct ipv6hdr _ipv6h, *ip6;
4059 offset = skb_network_offset(skb);
4060 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4064 ad->u.net->v6info.saddr = ip6->saddr;
4065 ad->u.net->v6info.daddr = ip6->daddr;
4068 nexthdr = ip6->nexthdr;
4069 offset += sizeof(_ipv6h);
4070 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4079 struct tcphdr _tcph, *th;
4081 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4085 ad->u.net->sport = th->source;
4086 ad->u.net->dport = th->dest;
4091 struct udphdr _udph, *uh;
4093 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4097 ad->u.net->sport = uh->source;
4098 ad->u.net->dport = uh->dest;
4102 case IPPROTO_DCCP: {
4103 struct dccp_hdr _dccph, *dh;
4105 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4109 ad->u.net->sport = dh->dccph_sport;
4110 ad->u.net->dport = dh->dccph_dport;
4114 #if IS_ENABLED(CONFIG_IP_SCTP)
4115 case IPPROTO_SCTP: {
4116 struct sctphdr _sctph, *sh;
4118 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4122 ad->u.net->sport = sh->source;
4123 ad->u.net->dport = sh->dest;
4127 /* includes fragments */
4137 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4138 char **_addrp, int src, u8 *proto)
4143 switch (ad->u.net->family) {
4145 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4148 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4149 &ad->u.net->v4info.daddr);
4152 #if IS_ENABLED(CONFIG_IPV6)
4154 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4157 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4158 &ad->u.net->v6info.daddr);
4168 "SELinux: failure in selinux_parse_skb(),"
4169 " unable to parse packet\n");
4179 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4181 * @family: protocol family
4182 * @sid: the packet's peer label SID
4185 * Check the various different forms of network peer labeling and determine
4186 * the peer label/SID for the packet; most of the magic actually occurs in
4187 * the security server function security_net_peersid_cmp(). The function
4188 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4189 * or -EACCES if @sid is invalid due to inconsistencies with the different
4193 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4200 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4203 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4207 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4208 nlbl_type, xfrm_sid, sid);
4209 if (unlikely(err)) {
4211 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4212 " unable to determine packet's peer label\n");
4220 * selinux_conn_sid - Determine the child socket label for a connection
4221 * @sk_sid: the parent socket's SID
4222 * @skb_sid: the packet's SID
4223 * @conn_sid: the resulting connection SID
4225 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4226 * combined with the MLS information from @skb_sid in order to create
4227 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4228 * of @sk_sid. Returns zero on success, negative values on failure.
4231 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4235 if (skb_sid != SECSID_NULL)
4236 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4244 /* socket security operations */
4246 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4247 u16 secclass, u32 *socksid)
4249 if (tsec->sockcreate_sid > SECSID_NULL) {
4250 *socksid = tsec->sockcreate_sid;
4254 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4255 secclass, NULL, socksid);
4258 static int sock_has_perm(struct sock *sk, u32 perms)
4260 struct sk_security_struct *sksec = sk->sk_security;
4261 struct common_audit_data ad;
4262 struct lsm_network_audit net = {0,};
4264 if (sksec->sid == SECINITSID_KERNEL)
4267 ad.type = LSM_AUDIT_DATA_NET;
4271 return avc_has_perm(&selinux_state,
4272 current_sid(), sksec->sid, sksec->sclass, perms,
4276 static int selinux_socket_create(int family, int type,
4277 int protocol, int kern)
4279 const struct task_security_struct *tsec = selinux_cred(current_cred());
4287 secclass = socket_type_to_security_class(family, type, protocol);
4288 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4292 return avc_has_perm(&selinux_state,
4293 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4296 static int selinux_socket_post_create(struct socket *sock, int family,
4297 int type, int protocol, int kern)
4299 const struct task_security_struct *tsec = selinux_cred(current_cred());
4300 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4301 struct sk_security_struct *sksec;
4302 u16 sclass = socket_type_to_security_class(family, type, protocol);
4303 u32 sid = SECINITSID_KERNEL;
4307 err = socket_sockcreate_sid(tsec, sclass, &sid);
4312 isec->sclass = sclass;
4314 isec->initialized = LABEL_INITIALIZED;
4317 sksec = sock->sk->sk_security;
4318 sksec->sclass = sclass;
4320 /* Allows detection of the first association on this socket */
4321 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4322 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4324 err = selinux_netlbl_socket_post_create(sock->sk, family);
4330 static int selinux_socket_socketpair(struct socket *socka,
4331 struct socket *sockb)
4333 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4334 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4336 sksec_a->peer_sid = sksec_b->sid;
4337 sksec_b->peer_sid = sksec_a->sid;
4342 /* Range of port numbers used to automatically bind.
4343 Need to determine whether we should perform a name_bind
4344 permission check between the socket and the port number. */
4346 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4348 struct sock *sk = sock->sk;
4349 struct sk_security_struct *sksec = sk->sk_security;
4353 err = sock_has_perm(sk, SOCKET__BIND);
4357 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4358 family = sk->sk_family;
4359 if (family == PF_INET || family == PF_INET6) {
4361 struct common_audit_data ad;
4362 struct lsm_network_audit net = {0,};
4363 struct sockaddr_in *addr4 = NULL;
4364 struct sockaddr_in6 *addr6 = NULL;
4365 u16 family_sa = address->sa_family;
4366 unsigned short snum;
4370 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4371 * that validates multiple binding addresses. Because of this
4372 * need to check address->sa_family as it is possible to have
4373 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4375 switch (family_sa) {
4378 if (addrlen < sizeof(struct sockaddr_in))
4380 addr4 = (struct sockaddr_in *)address;
4381 if (family_sa == AF_UNSPEC) {
4382 /* see __inet_bind(), we only want to allow
4383 * AF_UNSPEC if the address is INADDR_ANY
4385 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4387 family_sa = AF_INET;
4389 snum = ntohs(addr4->sin_port);
4390 addrp = (char *)&addr4->sin_addr.s_addr;
4393 if (addrlen < SIN6_LEN_RFC2133)
4395 addr6 = (struct sockaddr_in6 *)address;
4396 snum = ntohs(addr6->sin6_port);
4397 addrp = (char *)&addr6->sin6_addr.s6_addr;
4403 ad.type = LSM_AUDIT_DATA_NET;
4405 ad.u.net->sport = htons(snum);
4406 ad.u.net->family = family_sa;
4411 inet_get_local_port_range(sock_net(sk), &low, &high);
4413 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4415 err = sel_netport_sid(sk->sk_protocol,
4419 err = avc_has_perm(&selinux_state,
4422 SOCKET__NAME_BIND, &ad);
4428 switch (sksec->sclass) {
4429 case SECCLASS_TCP_SOCKET:
4430 node_perm = TCP_SOCKET__NODE_BIND;
4433 case SECCLASS_UDP_SOCKET:
4434 node_perm = UDP_SOCKET__NODE_BIND;
4437 case SECCLASS_DCCP_SOCKET:
4438 node_perm = DCCP_SOCKET__NODE_BIND;
4441 case SECCLASS_SCTP_SOCKET:
4442 node_perm = SCTP_SOCKET__NODE_BIND;
4446 node_perm = RAWIP_SOCKET__NODE_BIND;
4450 err = sel_netnode_sid(addrp, family_sa, &sid);
4454 if (family_sa == AF_INET)
4455 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4457 ad.u.net->v6info.saddr = addr6->sin6_addr;
4459 err = avc_has_perm(&selinux_state,
4461 sksec->sclass, node_perm, &ad);
4468 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4469 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4471 return -EAFNOSUPPORT;
4474 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4475 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4477 static int selinux_socket_connect_helper(struct socket *sock,
4478 struct sockaddr *address, int addrlen)
4480 struct sock *sk = sock->sk;
4481 struct sk_security_struct *sksec = sk->sk_security;
4484 err = sock_has_perm(sk, SOCKET__CONNECT);
4489 * If a TCP, DCCP or SCTP socket, check name_connect permission
4492 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4493 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4494 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4495 struct common_audit_data ad;
4496 struct lsm_network_audit net = {0,};
4497 struct sockaddr_in *addr4 = NULL;
4498 struct sockaddr_in6 *addr6 = NULL;
4499 unsigned short snum;
4502 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4503 * that validates multiple connect addresses. Because of this
4504 * need to check address->sa_family as it is possible to have
4505 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4507 switch (address->sa_family) {
4509 addr4 = (struct sockaddr_in *)address;
4510 if (addrlen < sizeof(struct sockaddr_in))
4512 snum = ntohs(addr4->sin_port);
4515 addr6 = (struct sockaddr_in6 *)address;
4516 if (addrlen < SIN6_LEN_RFC2133)
4518 snum = ntohs(addr6->sin6_port);
4521 /* Note that SCTP services expect -EINVAL, whereas
4522 * others expect -EAFNOSUPPORT.
4524 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4527 return -EAFNOSUPPORT;
4530 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4534 switch (sksec->sclass) {
4535 case SECCLASS_TCP_SOCKET:
4536 perm = TCP_SOCKET__NAME_CONNECT;
4538 case SECCLASS_DCCP_SOCKET:
4539 perm = DCCP_SOCKET__NAME_CONNECT;
4541 case SECCLASS_SCTP_SOCKET:
4542 perm = SCTP_SOCKET__NAME_CONNECT;
4546 ad.type = LSM_AUDIT_DATA_NET;
4548 ad.u.net->dport = htons(snum);
4549 ad.u.net->family = address->sa_family;
4550 err = avc_has_perm(&selinux_state,
4551 sksec->sid, sid, sksec->sclass, perm, &ad);
4559 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4560 static int selinux_socket_connect(struct socket *sock,
4561 struct sockaddr *address, int addrlen)
4564 struct sock *sk = sock->sk;
4566 err = selinux_socket_connect_helper(sock, address, addrlen);
4570 return selinux_netlbl_socket_connect(sk, address);
4573 static int selinux_socket_listen(struct socket *sock, int backlog)
4575 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4578 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4581 struct inode_security_struct *isec;
4582 struct inode_security_struct *newisec;
4586 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4590 isec = inode_security_novalidate(SOCK_INODE(sock));
4591 spin_lock(&isec->lock);
4592 sclass = isec->sclass;
4594 spin_unlock(&isec->lock);
4596 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4597 newisec->sclass = sclass;
4599 newisec->initialized = LABEL_INITIALIZED;
4604 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4607 return sock_has_perm(sock->sk, SOCKET__WRITE);
4610 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4611 int size, int flags)
4613 return sock_has_perm(sock->sk, SOCKET__READ);
4616 static int selinux_socket_getsockname(struct socket *sock)
4618 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4621 static int selinux_socket_getpeername(struct socket *sock)
4623 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4626 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4630 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4634 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4637 static int selinux_socket_getsockopt(struct socket *sock, int level,
4640 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4643 static int selinux_socket_shutdown(struct socket *sock, int how)
4645 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4648 static int selinux_socket_unix_stream_connect(struct sock *sock,
4652 struct sk_security_struct *sksec_sock = sock->sk_security;
4653 struct sk_security_struct *sksec_other = other->sk_security;
4654 struct sk_security_struct *sksec_new = newsk->sk_security;
4655 struct common_audit_data ad;
4656 struct lsm_network_audit net = {0,};
4659 ad.type = LSM_AUDIT_DATA_NET;
4661 ad.u.net->sk = other;
4663 err = avc_has_perm(&selinux_state,
4664 sksec_sock->sid, sksec_other->sid,
4665 sksec_other->sclass,
4666 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4670 /* server child socket */
4671 sksec_new->peer_sid = sksec_sock->sid;
4672 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4673 sksec_sock->sid, &sksec_new->sid);
4677 /* connecting socket */
4678 sksec_sock->peer_sid = sksec_new->sid;
4683 static int selinux_socket_unix_may_send(struct socket *sock,
4684 struct socket *other)
4686 struct sk_security_struct *ssec = sock->sk->sk_security;
4687 struct sk_security_struct *osec = other->sk->sk_security;
4688 struct common_audit_data ad;
4689 struct lsm_network_audit net = {0,};
4691 ad.type = LSM_AUDIT_DATA_NET;
4693 ad.u.net->sk = other->sk;
4695 return avc_has_perm(&selinux_state,
4696 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4700 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4701 char *addrp, u16 family, u32 peer_sid,
4702 struct common_audit_data *ad)
4708 err = sel_netif_sid(ns, ifindex, &if_sid);
4711 err = avc_has_perm(&selinux_state,
4713 SECCLASS_NETIF, NETIF__INGRESS, ad);
4717 err = sel_netnode_sid(addrp, family, &node_sid);
4720 return avc_has_perm(&selinux_state,
4722 SECCLASS_NODE, NODE__RECVFROM, ad);
4725 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4729 struct sk_security_struct *sksec = sk->sk_security;
4730 u32 sk_sid = sksec->sid;
4731 struct common_audit_data ad;
4732 struct lsm_network_audit net = {0,};
4735 ad.type = LSM_AUDIT_DATA_NET;
4737 ad.u.net->netif = skb->skb_iif;
4738 ad.u.net->family = family;
4739 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4743 if (selinux_secmark_enabled()) {
4744 err = avc_has_perm(&selinux_state,
4745 sk_sid, skb->secmark, SECCLASS_PACKET,
4751 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4754 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4759 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4762 struct sk_security_struct *sksec = sk->sk_security;
4763 u16 family = sk->sk_family;
4764 u32 sk_sid = sksec->sid;
4765 struct common_audit_data ad;
4766 struct lsm_network_audit net = {0,};
4771 if (family != PF_INET && family != PF_INET6)
4774 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4775 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4778 /* If any sort of compatibility mode is enabled then handoff processing
4779 * to the selinux_sock_rcv_skb_compat() function to deal with the
4780 * special handling. We do this in an attempt to keep this function
4781 * as fast and as clean as possible. */
4782 if (!selinux_policycap_netpeer())
4783 return selinux_sock_rcv_skb_compat(sk, skb, family);
4785 secmark_active = selinux_secmark_enabled();
4786 peerlbl_active = selinux_peerlbl_enabled();
4787 if (!secmark_active && !peerlbl_active)
4790 ad.type = LSM_AUDIT_DATA_NET;
4792 ad.u.net->netif = skb->skb_iif;
4793 ad.u.net->family = family;
4794 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4798 if (peerlbl_active) {
4801 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4804 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4805 addrp, family, peer_sid, &ad);
4807 selinux_netlbl_err(skb, family, err, 0);
4810 err = avc_has_perm(&selinux_state,
4811 sk_sid, peer_sid, SECCLASS_PEER,
4814 selinux_netlbl_err(skb, family, err, 0);
4819 if (secmark_active) {
4820 err = avc_has_perm(&selinux_state,
4821 sk_sid, skb->secmark, SECCLASS_PACKET,
4830 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4831 int __user *optlen, unsigned len)
4836 struct sk_security_struct *sksec = sock->sk->sk_security;
4837 u32 peer_sid = SECSID_NULL;
4839 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4840 sksec->sclass == SECCLASS_TCP_SOCKET ||
4841 sksec->sclass == SECCLASS_SCTP_SOCKET)
4842 peer_sid = sksec->peer_sid;
4843 if (peer_sid == SECSID_NULL)
4844 return -ENOPROTOOPT;
4846 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
4851 if (scontext_len > len) {
4856 if (copy_to_user(optval, scontext, scontext_len))
4860 if (put_user(scontext_len, optlen))
4866 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4868 u32 peer_secid = SECSID_NULL;
4870 struct inode_security_struct *isec;
4872 if (skb && skb->protocol == htons(ETH_P_IP))
4874 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4877 family = sock->sk->sk_family;
4881 if (sock && family == PF_UNIX) {
4882 isec = inode_security_novalidate(SOCK_INODE(sock));
4883 peer_secid = isec->sid;
4885 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4888 *secid = peer_secid;
4889 if (peer_secid == SECSID_NULL)
4894 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4896 struct sk_security_struct *sksec;
4898 sksec = kzalloc(sizeof(*sksec), priority);
4902 sksec->peer_sid = SECINITSID_UNLABELED;
4903 sksec->sid = SECINITSID_UNLABELED;
4904 sksec->sclass = SECCLASS_SOCKET;
4905 selinux_netlbl_sk_security_reset(sksec);
4906 sk->sk_security = sksec;
4911 static void selinux_sk_free_security(struct sock *sk)
4913 struct sk_security_struct *sksec = sk->sk_security;
4915 sk->sk_security = NULL;
4916 selinux_netlbl_sk_security_free(sksec);
4920 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4922 struct sk_security_struct *sksec = sk->sk_security;
4923 struct sk_security_struct *newsksec = newsk->sk_security;
4925 newsksec->sid = sksec->sid;
4926 newsksec->peer_sid = sksec->peer_sid;
4927 newsksec->sclass = sksec->sclass;
4929 selinux_netlbl_sk_security_reset(newsksec);
4932 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4935 *secid = SECINITSID_ANY_SOCKET;
4937 struct sk_security_struct *sksec = sk->sk_security;
4939 *secid = sksec->sid;
4943 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4945 struct inode_security_struct *isec =
4946 inode_security_novalidate(SOCK_INODE(parent));
4947 struct sk_security_struct *sksec = sk->sk_security;
4949 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4950 sk->sk_family == PF_UNIX)
4951 isec->sid = sksec->sid;
4952 sksec->sclass = isec->sclass;
4955 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
4956 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
4959 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
4960 struct sk_buff *skb)
4962 struct sk_security_struct *sksec = ep->base.sk->sk_security;
4963 struct common_audit_data ad;
4964 struct lsm_network_audit net = {0,};
4966 u32 peer_sid = SECINITSID_UNLABELED;
4970 if (!selinux_policycap_extsockclass())
4973 peerlbl_active = selinux_peerlbl_enabled();
4975 if (peerlbl_active) {
4976 /* This will return peer_sid = SECSID_NULL if there are
4977 * no peer labels, see security_net_peersid_resolve().
4979 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
4984 if (peer_sid == SECSID_NULL)
4985 peer_sid = SECINITSID_UNLABELED;
4988 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
4989 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
4991 /* Here as first association on socket. As the peer SID
4992 * was allowed by peer recv (and the netif/node checks),
4993 * then it is approved by policy and used as the primary
4994 * peer SID for getpeercon(3).
4996 sksec->peer_sid = peer_sid;
4997 } else if (sksec->peer_sid != peer_sid) {
4998 /* Other association peer SIDs are checked to enforce
4999 * consistency among the peer SIDs.
5001 ad.type = LSM_AUDIT_DATA_NET;
5003 ad.u.net->sk = ep->base.sk;
5004 err = avc_has_perm(&selinux_state,
5005 sksec->peer_sid, peer_sid, sksec->sclass,
5006 SCTP_SOCKET__ASSOCIATION, &ad);
5011 /* Compute the MLS component for the connection and store
5012 * the information in ep. This will be used by SCTP TCP type
5013 * sockets and peeled off connections as they cause a new
5014 * socket to be generated. selinux_sctp_sk_clone() will then
5015 * plug this into the new socket.
5017 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5021 ep->secid = conn_sid;
5022 ep->peer_secid = peer_sid;
5024 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5025 return selinux_netlbl_sctp_assoc_request(ep, skb);
5028 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5029 * based on their @optname.
5031 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5032 struct sockaddr *address,
5035 int len, err = 0, walk_size = 0;
5037 struct sockaddr *addr;
5038 struct socket *sock;
5040 if (!selinux_policycap_extsockclass())
5043 /* Process one or more addresses that may be IPv4 or IPv6 */
5044 sock = sk->sk_socket;
5047 while (walk_size < addrlen) {
5048 if (walk_size + sizeof(sa_family_t) > addrlen)
5052 switch (addr->sa_family) {
5055 len = sizeof(struct sockaddr_in);
5058 len = sizeof(struct sockaddr_in6);
5067 case SCTP_PRIMARY_ADDR:
5068 case SCTP_SET_PEER_PRIMARY_ADDR:
5069 case SCTP_SOCKOPT_BINDX_ADD:
5070 err = selinux_socket_bind(sock, addr, len);
5072 /* Connect checks */
5073 case SCTP_SOCKOPT_CONNECTX:
5074 case SCTP_PARAM_SET_PRIMARY:
5075 case SCTP_PARAM_ADD_IP:
5076 case SCTP_SENDMSG_CONNECT:
5077 err = selinux_socket_connect_helper(sock, addr, len);
5081 /* As selinux_sctp_bind_connect() is called by the
5082 * SCTP protocol layer, the socket is already locked,
5083 * therefore selinux_netlbl_socket_connect_locked() is
5084 * is called here. The situations handled are:
5085 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5086 * whenever a new IP address is added or when a new
5087 * primary address is selected.
5088 * Note that an SCTP connect(2) call happens before
5089 * the SCTP protocol layer and is handled via
5090 * selinux_socket_connect().
5092 err = selinux_netlbl_socket_connect_locked(sk, addr);
5106 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5107 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5110 struct sk_security_struct *sksec = sk->sk_security;
5111 struct sk_security_struct *newsksec = newsk->sk_security;
5113 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5114 * the non-sctp clone version.
5116 if (!selinux_policycap_extsockclass())
5117 return selinux_sk_clone_security(sk, newsk);
5119 newsksec->sid = ep->secid;
5120 newsksec->peer_sid = ep->peer_secid;
5121 newsksec->sclass = sksec->sclass;
5122 selinux_netlbl_sctp_sk_clone(sk, newsk);
5125 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5126 struct request_sock *req)
5128 struct sk_security_struct *sksec = sk->sk_security;
5130 u16 family = req->rsk_ops->family;
5134 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5137 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5140 req->secid = connsid;
5141 req->peer_secid = peersid;
5143 return selinux_netlbl_inet_conn_request(req, family);
5146 static void selinux_inet_csk_clone(struct sock *newsk,
5147 const struct request_sock *req)
5149 struct sk_security_struct *newsksec = newsk->sk_security;
5151 newsksec->sid = req->secid;
5152 newsksec->peer_sid = req->peer_secid;
5153 /* NOTE: Ideally, we should also get the isec->sid for the
5154 new socket in sync, but we don't have the isec available yet.
5155 So we will wait until sock_graft to do it, by which
5156 time it will have been created and available. */
5158 /* We don't need to take any sort of lock here as we are the only
5159 * thread with access to newsksec */
5160 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5163 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5165 u16 family = sk->sk_family;
5166 struct sk_security_struct *sksec = sk->sk_security;
5168 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5169 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5172 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5175 static int selinux_secmark_relabel_packet(u32 sid)
5177 const struct task_security_struct *__tsec;
5180 __tsec = selinux_cred(current_cred());
5183 return avc_has_perm(&selinux_state,
5184 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5188 static void selinux_secmark_refcount_inc(void)
5190 atomic_inc(&selinux_secmark_refcount);
5193 static void selinux_secmark_refcount_dec(void)
5195 atomic_dec(&selinux_secmark_refcount);
5198 static void selinux_req_classify_flow(const struct request_sock *req,
5201 fl->flowi_secid = req->secid;
5204 static int selinux_tun_dev_alloc_security(void **security)
5206 struct tun_security_struct *tunsec;
5208 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5211 tunsec->sid = current_sid();
5217 static void selinux_tun_dev_free_security(void *security)
5222 static int selinux_tun_dev_create(void)
5224 u32 sid = current_sid();
5226 /* we aren't taking into account the "sockcreate" SID since the socket
5227 * that is being created here is not a socket in the traditional sense,
5228 * instead it is a private sock, accessible only to the kernel, and
5229 * representing a wide range of network traffic spanning multiple
5230 * connections unlike traditional sockets - check the TUN driver to
5231 * get a better understanding of why this socket is special */
5233 return avc_has_perm(&selinux_state,
5234 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5238 static int selinux_tun_dev_attach_queue(void *security)
5240 struct tun_security_struct *tunsec = security;
5242 return avc_has_perm(&selinux_state,
5243 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5244 TUN_SOCKET__ATTACH_QUEUE, NULL);
5247 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5249 struct tun_security_struct *tunsec = security;
5250 struct sk_security_struct *sksec = sk->sk_security;
5252 /* we don't currently perform any NetLabel based labeling here and it
5253 * isn't clear that we would want to do so anyway; while we could apply
5254 * labeling without the support of the TUN user the resulting labeled
5255 * traffic from the other end of the connection would almost certainly
5256 * cause confusion to the TUN user that had no idea network labeling
5257 * protocols were being used */
5259 sksec->sid = tunsec->sid;
5260 sksec->sclass = SECCLASS_TUN_SOCKET;
5265 static int selinux_tun_dev_open(void *security)
5267 struct tun_security_struct *tunsec = security;
5268 u32 sid = current_sid();
5271 err = avc_has_perm(&selinux_state,
5272 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5273 TUN_SOCKET__RELABELFROM, NULL);
5276 err = avc_has_perm(&selinux_state,
5277 sid, sid, SECCLASS_TUN_SOCKET,
5278 TUN_SOCKET__RELABELTO, NULL);
5286 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5290 struct nlmsghdr *nlh;
5291 struct sk_security_struct *sksec = sk->sk_security;
5293 if (skb->len < NLMSG_HDRLEN) {
5297 nlh = nlmsg_hdr(skb);
5299 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5301 if (err == -EINVAL) {
5302 pr_warn_ratelimited("SELinux: unrecognized netlink"
5303 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5304 " pig=%d comm=%s\n",
5305 sk->sk_protocol, nlh->nlmsg_type,
5306 secclass_map[sksec->sclass - 1].name,
5307 task_pid_nr(current), current->comm);
5308 if (!enforcing_enabled(&selinux_state) ||
5309 security_get_allow_unknown(&selinux_state))
5319 err = sock_has_perm(sk, perm);
5324 #ifdef CONFIG_NETFILTER
5326 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5327 const struct net_device *indev,
5333 struct common_audit_data ad;
5334 struct lsm_network_audit net = {0,};
5339 if (!selinux_policycap_netpeer())
5342 secmark_active = selinux_secmark_enabled();
5343 netlbl_active = netlbl_enabled();
5344 peerlbl_active = selinux_peerlbl_enabled();
5345 if (!secmark_active && !peerlbl_active)
5348 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5351 ad.type = LSM_AUDIT_DATA_NET;
5353 ad.u.net->netif = indev->ifindex;
5354 ad.u.net->family = family;
5355 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5358 if (peerlbl_active) {
5359 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5360 addrp, family, peer_sid, &ad);
5362 selinux_netlbl_err(skb, family, err, 1);
5368 if (avc_has_perm(&selinux_state,
5369 peer_sid, skb->secmark,
5370 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5374 /* we do this in the FORWARD path and not the POST_ROUTING
5375 * path because we want to make sure we apply the necessary
5376 * labeling before IPsec is applied so we can leverage AH
5378 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5384 static unsigned int selinux_ipv4_forward(void *priv,
5385 struct sk_buff *skb,
5386 const struct nf_hook_state *state)
5388 return selinux_ip_forward(skb, state->in, PF_INET);
5391 #if IS_ENABLED(CONFIG_IPV6)
5392 static unsigned int selinux_ipv6_forward(void *priv,
5393 struct sk_buff *skb,
5394 const struct nf_hook_state *state)
5396 return selinux_ip_forward(skb, state->in, PF_INET6);
5400 static unsigned int selinux_ip_output(struct sk_buff *skb,
5406 if (!netlbl_enabled())
5409 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5410 * because we want to make sure we apply the necessary labeling
5411 * before IPsec is applied so we can leverage AH protection */
5414 struct sk_security_struct *sksec;
5416 if (sk_listener(sk))
5417 /* if the socket is the listening state then this
5418 * packet is a SYN-ACK packet which means it needs to
5419 * be labeled based on the connection/request_sock and
5420 * not the parent socket. unfortunately, we can't
5421 * lookup the request_sock yet as it isn't queued on
5422 * the parent socket until after the SYN-ACK is sent.
5423 * the "solution" is to simply pass the packet as-is
5424 * as any IP option based labeling should be copied
5425 * from the initial connection request (in the IP
5426 * layer). it is far from ideal, but until we get a
5427 * security label in the packet itself this is the
5428 * best we can do. */
5431 /* standard practice, label using the parent socket */
5432 sksec = sk->sk_security;
5435 sid = SECINITSID_KERNEL;
5436 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5442 static unsigned int selinux_ipv4_output(void *priv,
5443 struct sk_buff *skb,
5444 const struct nf_hook_state *state)
5446 return selinux_ip_output(skb, PF_INET);
5449 #if IS_ENABLED(CONFIG_IPV6)
5450 static unsigned int selinux_ipv6_output(void *priv,
5451 struct sk_buff *skb,
5452 const struct nf_hook_state *state)
5454 return selinux_ip_output(skb, PF_INET6);
5458 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5462 struct sock *sk = skb_to_full_sk(skb);
5463 struct sk_security_struct *sksec;
5464 struct common_audit_data ad;
5465 struct lsm_network_audit net = {0,};
5471 sksec = sk->sk_security;
5473 ad.type = LSM_AUDIT_DATA_NET;
5475 ad.u.net->netif = ifindex;
5476 ad.u.net->family = family;
5477 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5480 if (selinux_secmark_enabled())
5481 if (avc_has_perm(&selinux_state,
5482 sksec->sid, skb->secmark,
5483 SECCLASS_PACKET, PACKET__SEND, &ad))
5484 return NF_DROP_ERR(-ECONNREFUSED);
5486 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5487 return NF_DROP_ERR(-ECONNREFUSED);
5492 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5493 const struct net_device *outdev,
5498 int ifindex = outdev->ifindex;
5500 struct common_audit_data ad;
5501 struct lsm_network_audit net = {0,};
5506 /* If any sort of compatibility mode is enabled then handoff processing
5507 * to the selinux_ip_postroute_compat() function to deal with the
5508 * special handling. We do this in an attempt to keep this function
5509 * as fast and as clean as possible. */
5510 if (!selinux_policycap_netpeer())
5511 return selinux_ip_postroute_compat(skb, ifindex, family);
5513 secmark_active = selinux_secmark_enabled();
5514 peerlbl_active = selinux_peerlbl_enabled();
5515 if (!secmark_active && !peerlbl_active)
5518 sk = skb_to_full_sk(skb);
5521 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5522 * packet transformation so allow the packet to pass without any checks
5523 * since we'll have another chance to perform access control checks
5524 * when the packet is on it's final way out.
5525 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5526 * is NULL, in this case go ahead and apply access control.
5527 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5528 * TCP listening state we cannot wait until the XFRM processing
5529 * is done as we will miss out on the SA label if we do;
5530 * unfortunately, this means more work, but it is only once per
5532 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5533 !(sk && sk_listener(sk)))
5538 /* Without an associated socket the packet is either coming
5539 * from the kernel or it is being forwarded; check the packet
5540 * to determine which and if the packet is being forwarded
5541 * query the packet directly to determine the security label. */
5543 secmark_perm = PACKET__FORWARD_OUT;
5544 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5547 secmark_perm = PACKET__SEND;
5548 peer_sid = SECINITSID_KERNEL;
5550 } else if (sk_listener(sk)) {
5551 /* Locally generated packet but the associated socket is in the
5552 * listening state which means this is a SYN-ACK packet. In
5553 * this particular case the correct security label is assigned
5554 * to the connection/request_sock but unfortunately we can't
5555 * query the request_sock as it isn't queued on the parent
5556 * socket until after the SYN-ACK packet is sent; the only
5557 * viable choice is to regenerate the label like we do in
5558 * selinux_inet_conn_request(). See also selinux_ip_output()
5559 * for similar problems. */
5561 struct sk_security_struct *sksec;
5563 sksec = sk->sk_security;
5564 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5566 /* At this point, if the returned skb peerlbl is SECSID_NULL
5567 * and the packet has been through at least one XFRM
5568 * transformation then we must be dealing with the "final"
5569 * form of labeled IPsec packet; since we've already applied
5570 * all of our access controls on this packet we can safely
5571 * pass the packet. */
5572 if (skb_sid == SECSID_NULL) {
5575 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5579 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5583 return NF_DROP_ERR(-ECONNREFUSED);
5586 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5588 secmark_perm = PACKET__SEND;
5590 /* Locally generated packet, fetch the security label from the
5591 * associated socket. */
5592 struct sk_security_struct *sksec = sk->sk_security;
5593 peer_sid = sksec->sid;
5594 secmark_perm = PACKET__SEND;
5597 ad.type = LSM_AUDIT_DATA_NET;
5599 ad.u.net->netif = ifindex;
5600 ad.u.net->family = family;
5601 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5605 if (avc_has_perm(&selinux_state,
5606 peer_sid, skb->secmark,
5607 SECCLASS_PACKET, secmark_perm, &ad))
5608 return NF_DROP_ERR(-ECONNREFUSED);
5610 if (peerlbl_active) {
5614 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5616 if (avc_has_perm(&selinux_state,
5618 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5619 return NF_DROP_ERR(-ECONNREFUSED);
5621 if (sel_netnode_sid(addrp, family, &node_sid))
5623 if (avc_has_perm(&selinux_state,
5625 SECCLASS_NODE, NODE__SENDTO, &ad))
5626 return NF_DROP_ERR(-ECONNREFUSED);
5632 static unsigned int selinux_ipv4_postroute(void *priv,
5633 struct sk_buff *skb,
5634 const struct nf_hook_state *state)
5636 return selinux_ip_postroute(skb, state->out, PF_INET);
5639 #if IS_ENABLED(CONFIG_IPV6)
5640 static unsigned int selinux_ipv6_postroute(void *priv,
5641 struct sk_buff *skb,
5642 const struct nf_hook_state *state)
5644 return selinux_ip_postroute(skb, state->out, PF_INET6);
5648 #endif /* CONFIG_NETFILTER */
5650 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5652 return selinux_nlmsg_perm(sk, skb);
5655 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5657 isec->sclass = sclass;
5658 isec->sid = current_sid();
5661 static int msg_msg_alloc_security(struct msg_msg *msg)
5663 struct msg_security_struct *msec;
5665 msec = selinux_msg_msg(msg);
5666 msec->sid = SECINITSID_UNLABELED;
5671 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5674 struct ipc_security_struct *isec;
5675 struct common_audit_data ad;
5676 u32 sid = current_sid();
5678 isec = selinux_ipc(ipc_perms);
5680 ad.type = LSM_AUDIT_DATA_IPC;
5681 ad.u.ipc_id = ipc_perms->key;
5683 return avc_has_perm(&selinux_state,
5684 sid, isec->sid, isec->sclass, perms, &ad);
5687 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5689 return msg_msg_alloc_security(msg);
5692 /* message queue security operations */
5693 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5695 struct ipc_security_struct *isec;
5696 struct common_audit_data ad;
5697 u32 sid = current_sid();
5700 isec = selinux_ipc(msq);
5701 ipc_init_security(isec, SECCLASS_MSGQ);
5703 ad.type = LSM_AUDIT_DATA_IPC;
5704 ad.u.ipc_id = msq->key;
5706 rc = avc_has_perm(&selinux_state,
5707 sid, isec->sid, SECCLASS_MSGQ,
5712 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5714 struct ipc_security_struct *isec;
5715 struct common_audit_data ad;
5716 u32 sid = current_sid();
5718 isec = selinux_ipc(msq);
5720 ad.type = LSM_AUDIT_DATA_IPC;
5721 ad.u.ipc_id = msq->key;
5723 return avc_has_perm(&selinux_state,
5724 sid, isec->sid, SECCLASS_MSGQ,
5725 MSGQ__ASSOCIATE, &ad);
5728 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5736 /* No specific object, just general system-wide information. */
5737 return avc_has_perm(&selinux_state,
5738 current_sid(), SECINITSID_KERNEL,
5739 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5743 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5746 perms = MSGQ__SETATTR;
5749 perms = MSGQ__DESTROY;
5755 err = ipc_has_perm(msq, perms);
5759 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
5761 struct ipc_security_struct *isec;
5762 struct msg_security_struct *msec;
5763 struct common_audit_data ad;
5764 u32 sid = current_sid();
5767 isec = selinux_ipc(msq);
5768 msec = selinux_msg_msg(msg);
5771 * First time through, need to assign label to the message
5773 if (msec->sid == SECINITSID_UNLABELED) {
5775 * Compute new sid based on current process and
5776 * message queue this message will be stored in
5778 rc = security_transition_sid(&selinux_state, sid, isec->sid,
5779 SECCLASS_MSG, NULL, &msec->sid);
5784 ad.type = LSM_AUDIT_DATA_IPC;
5785 ad.u.ipc_id = msq->key;
5787 /* Can this process write to the queue? */
5788 rc = avc_has_perm(&selinux_state,
5789 sid, isec->sid, SECCLASS_MSGQ,
5792 /* Can this process send the message */
5793 rc = avc_has_perm(&selinux_state,
5794 sid, msec->sid, SECCLASS_MSG,
5797 /* Can the message be put in the queue? */
5798 rc = avc_has_perm(&selinux_state,
5799 msec->sid, isec->sid, SECCLASS_MSGQ,
5800 MSGQ__ENQUEUE, &ad);
5805 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
5806 struct task_struct *target,
5807 long type, int mode)
5809 struct ipc_security_struct *isec;
5810 struct msg_security_struct *msec;
5811 struct common_audit_data ad;
5812 u32 sid = task_sid(target);
5815 isec = selinux_ipc(msq);
5816 msec = selinux_msg_msg(msg);
5818 ad.type = LSM_AUDIT_DATA_IPC;
5819 ad.u.ipc_id = msq->key;
5821 rc = avc_has_perm(&selinux_state,
5823 SECCLASS_MSGQ, MSGQ__READ, &ad);
5825 rc = avc_has_perm(&selinux_state,
5827 SECCLASS_MSG, MSG__RECEIVE, &ad);
5831 /* Shared Memory security operations */
5832 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
5834 struct ipc_security_struct *isec;
5835 struct common_audit_data ad;
5836 u32 sid = current_sid();
5839 isec = selinux_ipc(shp);
5840 ipc_init_security(isec, SECCLASS_SHM);
5842 ad.type = LSM_AUDIT_DATA_IPC;
5843 ad.u.ipc_id = shp->key;
5845 rc = avc_has_perm(&selinux_state,
5846 sid, isec->sid, SECCLASS_SHM,
5851 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
5853 struct ipc_security_struct *isec;
5854 struct common_audit_data ad;
5855 u32 sid = current_sid();
5857 isec = selinux_ipc(shp);
5859 ad.type = LSM_AUDIT_DATA_IPC;
5860 ad.u.ipc_id = shp->key;
5862 return avc_has_perm(&selinux_state,
5863 sid, isec->sid, SECCLASS_SHM,
5864 SHM__ASSOCIATE, &ad);
5867 /* Note, at this point, shp is locked down */
5868 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
5876 /* No specific object, just general system-wide information. */
5877 return avc_has_perm(&selinux_state,
5878 current_sid(), SECINITSID_KERNEL,
5879 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5883 perms = SHM__GETATTR | SHM__ASSOCIATE;
5886 perms = SHM__SETATTR;
5893 perms = SHM__DESTROY;
5899 err = ipc_has_perm(shp, perms);
5903 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
5904 char __user *shmaddr, int shmflg)
5908 if (shmflg & SHM_RDONLY)
5911 perms = SHM__READ | SHM__WRITE;
5913 return ipc_has_perm(shp, perms);
5916 /* Semaphore security operations */
5917 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
5919 struct ipc_security_struct *isec;
5920 struct common_audit_data ad;
5921 u32 sid = current_sid();
5924 isec = selinux_ipc(sma);
5925 ipc_init_security(isec, SECCLASS_SEM);
5927 ad.type = LSM_AUDIT_DATA_IPC;
5928 ad.u.ipc_id = sma->key;
5930 rc = avc_has_perm(&selinux_state,
5931 sid, isec->sid, SECCLASS_SEM,
5936 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
5938 struct ipc_security_struct *isec;
5939 struct common_audit_data ad;
5940 u32 sid = current_sid();
5942 isec = selinux_ipc(sma);
5944 ad.type = LSM_AUDIT_DATA_IPC;
5945 ad.u.ipc_id = sma->key;
5947 return avc_has_perm(&selinux_state,
5948 sid, isec->sid, SECCLASS_SEM,
5949 SEM__ASSOCIATE, &ad);
5952 /* Note, at this point, sma is locked down */
5953 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
5961 /* No specific object, just general system-wide information. */
5962 return avc_has_perm(&selinux_state,
5963 current_sid(), SECINITSID_KERNEL,
5964 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5968 perms = SEM__GETATTR;
5979 perms = SEM__DESTROY;
5982 perms = SEM__SETATTR;
5987 perms = SEM__GETATTR | SEM__ASSOCIATE;
5993 err = ipc_has_perm(sma, perms);
5997 static int selinux_sem_semop(struct kern_ipc_perm *sma,
5998 struct sembuf *sops, unsigned nsops, int alter)
6003 perms = SEM__READ | SEM__WRITE;
6007 return ipc_has_perm(sma, perms);
6010 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6016 av |= IPC__UNIX_READ;
6018 av |= IPC__UNIX_WRITE;
6023 return ipc_has_perm(ipcp, av);
6026 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6028 struct ipc_security_struct *isec = selinux_ipc(ipcp);
6032 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6035 inode_doinit_with_dentry(inode, dentry);
6038 static int selinux_getprocattr(struct task_struct *p,
6039 char *name, char **value)
6041 const struct task_security_struct *__tsec;
6047 __tsec = selinux_cred(__task_cred(p));
6050 error = avc_has_perm(&selinux_state,
6051 current_sid(), __tsec->sid,
6052 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6057 if (!strcmp(name, "current"))
6059 else if (!strcmp(name, "prev"))
6061 else if (!strcmp(name, "exec"))
6062 sid = __tsec->exec_sid;
6063 else if (!strcmp(name, "fscreate"))
6064 sid = __tsec->create_sid;
6065 else if (!strcmp(name, "keycreate"))
6066 sid = __tsec->keycreate_sid;
6067 else if (!strcmp(name, "sockcreate"))
6068 sid = __tsec->sockcreate_sid;
6078 error = security_sid_to_context(&selinux_state, sid, value, &len);
6088 static int selinux_setprocattr(const char *name, void *value, size_t size)
6090 struct task_security_struct *tsec;
6092 u32 mysid = current_sid(), sid = 0, ptsid;
6097 * Basic control over ability to set these attributes at all.
6099 if (!strcmp(name, "exec"))
6100 error = avc_has_perm(&selinux_state,
6101 mysid, mysid, SECCLASS_PROCESS,
6102 PROCESS__SETEXEC, NULL);
6103 else if (!strcmp(name, "fscreate"))
6104 error = avc_has_perm(&selinux_state,
6105 mysid, mysid, SECCLASS_PROCESS,
6106 PROCESS__SETFSCREATE, NULL);
6107 else if (!strcmp(name, "keycreate"))
6108 error = avc_has_perm(&selinux_state,
6109 mysid, mysid, SECCLASS_PROCESS,
6110 PROCESS__SETKEYCREATE, NULL);
6111 else if (!strcmp(name, "sockcreate"))
6112 error = avc_has_perm(&selinux_state,
6113 mysid, mysid, SECCLASS_PROCESS,
6114 PROCESS__SETSOCKCREATE, NULL);
6115 else if (!strcmp(name, "current"))
6116 error = avc_has_perm(&selinux_state,
6117 mysid, mysid, SECCLASS_PROCESS,
6118 PROCESS__SETCURRENT, NULL);
6124 /* Obtain a SID for the context, if one was specified. */
6125 if (size && str[0] && str[0] != '\n') {
6126 if (str[size-1] == '\n') {
6130 error = security_context_to_sid(&selinux_state, value, size,
6132 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6133 if (!has_cap_mac_admin(true)) {
6134 struct audit_buffer *ab;
6137 /* We strip a nul only if it is at the end, otherwise the
6138 * context contains a nul and we should audit that */
6139 if (str[size - 1] == '\0')
6140 audit_size = size - 1;
6143 ab = audit_log_start(audit_context(),
6146 audit_log_format(ab, "op=fscreate invalid_context=");
6147 audit_log_n_untrustedstring(ab, value, audit_size);
6152 error = security_context_to_sid_force(
6160 new = prepare_creds();
6164 /* Permission checking based on the specified context is
6165 performed during the actual operation (execve,
6166 open/mkdir/...), when we know the full context of the
6167 operation. See selinux_bprm_set_creds for the execve
6168 checks and may_create for the file creation checks. The
6169 operation will then fail if the context is not permitted. */
6170 tsec = selinux_cred(new);
6171 if (!strcmp(name, "exec")) {
6172 tsec->exec_sid = sid;
6173 } else if (!strcmp(name, "fscreate")) {
6174 tsec->create_sid = sid;
6175 } else if (!strcmp(name, "keycreate")) {
6176 error = avc_has_perm(&selinux_state,
6177 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6181 tsec->keycreate_sid = sid;
6182 } else if (!strcmp(name, "sockcreate")) {
6183 tsec->sockcreate_sid = sid;
6184 } else if (!strcmp(name, "current")) {
6189 /* Only allow single threaded processes to change context */
6191 if (!current_is_single_threaded()) {
6192 error = security_bounded_transition(&selinux_state,
6198 /* Check permissions for the transition. */
6199 error = avc_has_perm(&selinux_state,
6200 tsec->sid, sid, SECCLASS_PROCESS,
6201 PROCESS__DYNTRANSITION, NULL);
6205 /* Check for ptracing, and update the task SID if ok.
6206 Otherwise, leave SID unchanged and fail. */
6207 ptsid = ptrace_parent_sid();
6209 error = avc_has_perm(&selinux_state,
6210 ptsid, sid, SECCLASS_PROCESS,
6211 PROCESS__PTRACE, NULL);
6230 static int selinux_ismaclabel(const char *name)
6232 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6235 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6237 return security_sid_to_context(&selinux_state, secid,
6241 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6243 return security_context_to_sid(&selinux_state, secdata, seclen,
6247 static void selinux_release_secctx(char *secdata, u32 seclen)
6252 static void selinux_inode_invalidate_secctx(struct inode *inode)
6254 struct inode_security_struct *isec = selinux_inode(inode);
6256 spin_lock(&isec->lock);
6257 isec->initialized = LABEL_INVALID;
6258 spin_unlock(&isec->lock);
6262 * called with inode->i_mutex locked
6264 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6266 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6268 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6269 return rc == -EOPNOTSUPP ? 0 : rc;
6273 * called with inode->i_mutex locked
6275 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6277 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6280 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6283 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6292 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6293 unsigned long flags)
6295 const struct task_security_struct *tsec;
6296 struct key_security_struct *ksec;
6298 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6302 tsec = selinux_cred(cred);
6303 if (tsec->keycreate_sid)
6304 ksec->sid = tsec->keycreate_sid;
6306 ksec->sid = tsec->sid;
6312 static void selinux_key_free(struct key *k)
6314 struct key_security_struct *ksec = k->security;
6320 static int selinux_key_permission(key_ref_t key_ref,
6321 const struct cred *cred,
6325 struct key_security_struct *ksec;
6328 /* if no specific permissions are requested, we skip the
6329 permission check. No serious, additional covert channels
6330 appear to be created. */
6334 sid = cred_sid(cred);
6336 key = key_ref_to_ptr(key_ref);
6337 ksec = key->security;
6339 return avc_has_perm(&selinux_state,
6340 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6343 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6345 struct key_security_struct *ksec = key->security;
6346 char *context = NULL;
6350 rc = security_sid_to_context(&selinux_state, ksec->sid,
6359 #ifdef CONFIG_SECURITY_INFINIBAND
6360 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6362 struct common_audit_data ad;
6365 struct ib_security_struct *sec = ib_sec;
6366 struct lsm_ibpkey_audit ibpkey;
6368 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6372 ad.type = LSM_AUDIT_DATA_IBPKEY;
6373 ibpkey.subnet_prefix = subnet_prefix;
6374 ibpkey.pkey = pkey_val;
6375 ad.u.ibpkey = &ibpkey;
6376 return avc_has_perm(&selinux_state,
6378 SECCLASS_INFINIBAND_PKEY,
6379 INFINIBAND_PKEY__ACCESS, &ad);
6382 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6385 struct common_audit_data ad;
6388 struct ib_security_struct *sec = ib_sec;
6389 struct lsm_ibendport_audit ibendport;
6391 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6397 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6398 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6399 ibendport.port = port_num;
6400 ad.u.ibendport = &ibendport;
6401 return avc_has_perm(&selinux_state,
6403 SECCLASS_INFINIBAND_ENDPORT,
6404 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6407 static int selinux_ib_alloc_security(void **ib_sec)
6409 struct ib_security_struct *sec;
6411 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6414 sec->sid = current_sid();
6420 static void selinux_ib_free_security(void *ib_sec)
6426 #ifdef CONFIG_BPF_SYSCALL
6427 static int selinux_bpf(int cmd, union bpf_attr *attr,
6430 u32 sid = current_sid();
6434 case BPF_MAP_CREATE:
6435 ret = avc_has_perm(&selinux_state,
6436 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6440 ret = avc_has_perm(&selinux_state,
6441 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6452 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6456 if (fmode & FMODE_READ)
6457 av |= BPF__MAP_READ;
6458 if (fmode & FMODE_WRITE)
6459 av |= BPF__MAP_WRITE;
6463 /* This function will check the file pass through unix socket or binder to see
6464 * if it is a bpf related object. And apply correspinding checks on the bpf
6465 * object based on the type. The bpf maps and programs, not like other files and
6466 * socket, are using a shared anonymous inode inside the kernel as their inode.
6467 * So checking that inode cannot identify if the process have privilege to
6468 * access the bpf object and that's why we have to add this additional check in
6469 * selinux_file_receive and selinux_binder_transfer_files.
6471 static int bpf_fd_pass(struct file *file, u32 sid)
6473 struct bpf_security_struct *bpfsec;
6474 struct bpf_prog *prog;
6475 struct bpf_map *map;
6478 if (file->f_op == &bpf_map_fops) {
6479 map = file->private_data;
6480 bpfsec = map->security;
6481 ret = avc_has_perm(&selinux_state,
6482 sid, bpfsec->sid, SECCLASS_BPF,
6483 bpf_map_fmode_to_av(file->f_mode), NULL);
6486 } else if (file->f_op == &bpf_prog_fops) {
6487 prog = file->private_data;
6488 bpfsec = prog->aux->security;
6489 ret = avc_has_perm(&selinux_state,
6490 sid, bpfsec->sid, SECCLASS_BPF,
6491 BPF__PROG_RUN, NULL);
6498 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6500 u32 sid = current_sid();
6501 struct bpf_security_struct *bpfsec;
6503 bpfsec = map->security;
6504 return avc_has_perm(&selinux_state,
6505 sid, bpfsec->sid, SECCLASS_BPF,
6506 bpf_map_fmode_to_av(fmode), NULL);
6509 static int selinux_bpf_prog(struct bpf_prog *prog)
6511 u32 sid = current_sid();
6512 struct bpf_security_struct *bpfsec;
6514 bpfsec = prog->aux->security;
6515 return avc_has_perm(&selinux_state,
6516 sid, bpfsec->sid, SECCLASS_BPF,
6517 BPF__PROG_RUN, NULL);
6520 static int selinux_bpf_map_alloc(struct bpf_map *map)
6522 struct bpf_security_struct *bpfsec;
6524 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6528 bpfsec->sid = current_sid();
6529 map->security = bpfsec;
6534 static void selinux_bpf_map_free(struct bpf_map *map)
6536 struct bpf_security_struct *bpfsec = map->security;
6538 map->security = NULL;
6542 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6544 struct bpf_security_struct *bpfsec;
6546 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6550 bpfsec->sid = current_sid();
6551 aux->security = bpfsec;
6556 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6558 struct bpf_security_struct *bpfsec = aux->security;
6560 aux->security = NULL;
6565 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6566 .lbs_cred = sizeof(struct task_security_struct),
6567 .lbs_file = sizeof(struct file_security_struct),
6568 .lbs_inode = sizeof(struct inode_security_struct),
6569 .lbs_ipc = sizeof(struct ipc_security_struct),
6570 .lbs_msg_msg = sizeof(struct msg_security_struct),
6573 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6574 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6575 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6576 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6577 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6579 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6580 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6581 LSM_HOOK_INIT(capget, selinux_capget),
6582 LSM_HOOK_INIT(capset, selinux_capset),
6583 LSM_HOOK_INIT(capable, selinux_capable),
6584 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6585 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6586 LSM_HOOK_INIT(syslog, selinux_syslog),
6587 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6589 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6591 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6592 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6593 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6595 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6596 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6597 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
6598 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6599 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6600 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6601 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6602 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6603 LSM_HOOK_INIT(sb_mount, selinux_mount),
6604 LSM_HOOK_INIT(sb_umount, selinux_umount),
6605 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6606 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6607 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
6609 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6610 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6612 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6613 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6614 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6615 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6616 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6617 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6618 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6619 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6620 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6621 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6622 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6623 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6624 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6625 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6626 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6627 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6628 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6629 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6630 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6631 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6632 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6633 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6634 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6635 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6636 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6637 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6638 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6640 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6641 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6642 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6643 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6644 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6645 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6646 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6647 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6648 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6649 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6650 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6652 LSM_HOOK_INIT(file_open, selinux_file_open),
6654 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6655 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6656 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6657 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6658 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6659 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6660 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6661 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6662 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6663 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6664 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6665 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6666 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6667 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6668 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6669 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6670 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6671 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6672 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6673 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6674 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6675 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6676 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6678 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6679 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6681 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6683 LSM_HOOK_INIT(msg_queue_alloc_security,
6684 selinux_msg_queue_alloc_security),
6685 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6686 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6687 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6688 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6690 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6691 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6692 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6693 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6695 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6696 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6697 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6698 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6700 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6702 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6703 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6705 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6706 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6707 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6708 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6709 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6710 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6711 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6712 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6714 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6715 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6717 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6718 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6719 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
6720 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6721 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6722 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6723 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6724 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6725 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6726 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6727 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6728 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6729 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6730 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6731 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6732 LSM_HOOK_INIT(socket_getpeersec_stream,
6733 selinux_socket_getpeersec_stream),
6734 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6735 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6736 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6737 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6738 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6739 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6740 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
6741 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
6742 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
6743 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6744 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6745 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6746 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6747 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6748 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6749 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6750 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6751 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6752 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6753 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6754 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6755 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6756 #ifdef CONFIG_SECURITY_INFINIBAND
6757 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6758 LSM_HOOK_INIT(ib_endport_manage_subnet,
6759 selinux_ib_endport_manage_subnet),
6760 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6761 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6763 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6764 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6765 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6766 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6767 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6768 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6769 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6770 selinux_xfrm_state_alloc_acquire),
6771 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6772 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6773 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6774 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6775 selinux_xfrm_state_pol_flow_match),
6776 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6780 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6781 LSM_HOOK_INIT(key_free, selinux_key_free),
6782 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6783 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6787 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6788 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6789 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6790 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6793 #ifdef CONFIG_BPF_SYSCALL
6794 LSM_HOOK_INIT(bpf, selinux_bpf),
6795 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
6796 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
6797 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
6798 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
6799 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
6800 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
6804 static __init int selinux_init(void)
6806 pr_info("SELinux: Initializing.\n");
6808 memset(&selinux_state, 0, sizeof(selinux_state));
6809 enforcing_set(&selinux_state, selinux_enforcing_boot);
6810 selinux_state.checkreqprot = selinux_checkreqprot_boot;
6811 selinux_ss_init(&selinux_state.ss);
6812 selinux_avc_init(&selinux_state.avc);
6814 /* Set the security state for the initial task. */
6815 cred_init_security();
6817 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6823 ebitmap_cache_init();
6825 hashtab_cache_init();
6827 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6829 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6830 panic("SELinux: Unable to register AVC netcache callback\n");
6832 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6833 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6835 if (selinux_enforcing_boot)
6836 pr_debug("SELinux: Starting in enforcing mode\n");
6838 pr_debug("SELinux: Starting in permissive mode\n");
6843 static void delayed_superblock_init(struct super_block *sb, void *unused)
6845 selinux_set_mnt_opts(sb, NULL, 0, NULL);
6848 void selinux_complete_init(void)
6850 pr_debug("SELinux: Completing initialization.\n");
6852 /* Set up any superblocks initialized prior to the policy load. */
6853 pr_debug("SELinux: Setting up existing superblocks.\n");
6854 iterate_supers(delayed_superblock_init, NULL);
6857 /* SELinux requires early initialization in order to label
6858 all processes and objects when they are created. */
6859 DEFINE_LSM(selinux) = {
6861 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
6862 .enabled = &selinux_enabled,
6863 .blobs = &selinux_blob_sizes,
6864 .init = selinux_init,
6867 #if defined(CONFIG_NETFILTER)
6869 static const struct nf_hook_ops selinux_nf_ops[] = {
6871 .hook = selinux_ipv4_postroute,
6873 .hooknum = NF_INET_POST_ROUTING,
6874 .priority = NF_IP_PRI_SELINUX_LAST,
6877 .hook = selinux_ipv4_forward,
6879 .hooknum = NF_INET_FORWARD,
6880 .priority = NF_IP_PRI_SELINUX_FIRST,
6883 .hook = selinux_ipv4_output,
6885 .hooknum = NF_INET_LOCAL_OUT,
6886 .priority = NF_IP_PRI_SELINUX_FIRST,
6888 #if IS_ENABLED(CONFIG_IPV6)
6890 .hook = selinux_ipv6_postroute,
6892 .hooknum = NF_INET_POST_ROUTING,
6893 .priority = NF_IP6_PRI_SELINUX_LAST,
6896 .hook = selinux_ipv6_forward,
6898 .hooknum = NF_INET_FORWARD,
6899 .priority = NF_IP6_PRI_SELINUX_FIRST,
6902 .hook = selinux_ipv6_output,
6904 .hooknum = NF_INET_LOCAL_OUT,
6905 .priority = NF_IP6_PRI_SELINUX_FIRST,
6910 static int __net_init selinux_nf_register(struct net *net)
6912 return nf_register_net_hooks(net, selinux_nf_ops,
6913 ARRAY_SIZE(selinux_nf_ops));
6916 static void __net_exit selinux_nf_unregister(struct net *net)
6918 nf_unregister_net_hooks(net, selinux_nf_ops,
6919 ARRAY_SIZE(selinux_nf_ops));
6922 static struct pernet_operations selinux_net_ops = {
6923 .init = selinux_nf_register,
6924 .exit = selinux_nf_unregister,
6927 static int __init selinux_nf_ip_init(void)
6931 if (!selinux_enabled)
6934 pr_debug("SELinux: Registering netfilter hooks\n");
6936 err = register_pernet_subsys(&selinux_net_ops);
6938 panic("SELinux: register_pernet_subsys: error %d\n", err);
6942 __initcall(selinux_nf_ip_init);
6944 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6945 static void selinux_nf_ip_exit(void)
6947 pr_debug("SELinux: Unregistering netfilter hooks\n");
6949 unregister_pernet_subsys(&selinux_net_ops);
6953 #else /* CONFIG_NETFILTER */
6955 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6956 #define selinux_nf_ip_exit()
6959 #endif /* CONFIG_NETFILTER */
6961 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6962 int selinux_disable(struct selinux_state *state)
6964 if (state->initialized) {
6965 /* Not permitted after initial policy load. */
6969 if (state->disabled) {
6970 /* Only do this once. */
6974 state->disabled = 1;
6976 pr_info("SELinux: Disabled at runtime.\n");
6978 selinux_enabled = 0;
6980 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6982 /* Try to destroy the avc node cache */
6985 /* Unregister netfilter hooks. */
6986 selinux_nf_ip_exit();
6988 /* Unregister selinuxfs. */