Lines Matching +full:un +full:- +full:approved
1 // SPDX-License-Identifier: GPL-2.0-only
3 * Security-Enhanced Linux (SELinux) security module
13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Paul Moore <paul@paul-moore.com>
72 #include <linux/un.h> /* for Unix socket types */
82 #include <linux/posix-timers.h>
156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
216 tsec = selinux_cred(unrcu_pointer(current->real_cred)); in cred_init_security()
217 tsec->osid = tsec->sid = SECINITSID_KERNEL; in cred_init_security()
228 return tsec->sid; in cred_sid()
235 ad->type = LSM_AUDIT_DATA_NET; in __ad_net_init()
236 ad->u.net = net; in __ad_net_init()
237 net->netif = ifindex; in __ad_net_init()
238 net->sk = sk; in __ad_net_init()
239 net->family = family; in __ad_net_init()
274 * allowed; when set to false, returns -ECHILD when the label is
286 * The check of isec->initialized below is racy but in __inode_security_revalidate()
288 * isec->lock held. in __inode_security_revalidate()
291 data_race(isec->initialized != LABEL_INITIALIZED)) { in __inode_security_revalidate()
293 return -ECHILD; in __inode_security_revalidate()
354 sbsec = selinux_superblock(inode->i_sb); in inode_free_security()
365 if (!list_empty_careful(&isec->list)) { in inode_free_security()
366 spin_lock(&sbsec->isec_lock); in inode_free_security()
367 list_del_init(&isec->list); in inode_free_security()
368 spin_unlock(&sbsec->isec_lock); in inode_free_security()
385 Opt_error = -1,
393 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
436 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, in may_context_mount_sb_relabel()
441 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, in may_context_mount_sb_relabel()
452 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, in may_context_mount_inode_relabel()
457 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, in may_context_mount_inode_relabel()
464 /* Special handling. Genfs but also in-core setxattr handler */ in selinux_is_genfs_special_handling()
465 return !strcmp(sb->s_type->name, "sysfs") || in selinux_is_genfs_special_handling()
466 !strcmp(sb->s_type->name, "pstore") || in selinux_is_genfs_special_handling()
467 !strcmp(sb->s_type->name, "debugfs") || in selinux_is_genfs_special_handling()
468 !strcmp(sb->s_type->name, "tracefs") || in selinux_is_genfs_special_handling()
469 !strcmp(sb->s_type->name, "rootfs") || in selinux_is_genfs_special_handling()
471 (!strcmp(sb->s_type->name, "cgroup") || in selinux_is_genfs_special_handling()
472 !strcmp(sb->s_type->name, "cgroup2"))); in selinux_is_genfs_special_handling()
480 * IMPORTANT: Double-check logic in this function when adding a new in selinux_is_sblabel_mnt()
485 switch (sbsec->behavior) { in selinux_is_sblabel_mnt()
506 struct dentry *root = sb->s_root; in sb_check_xattr_support()
513 * error other than -ENODATA is returned by getxattr on in sb_check_xattr_support()
514 * the root directory. -ENODATA is ok, as this may be in sb_check_xattr_support()
518 if (!(root_inode->i_opflags & IOP_XATTR)) { in sb_check_xattr_support()
520 sb->s_id, sb->s_type->name); in sb_check_xattr_support()
525 if (rc < 0 && rc != -ENODATA) { in sb_check_xattr_support()
526 if (rc == -EOPNOTSUPP) { in sb_check_xattr_support()
528 sb->s_id, sb->s_type->name); in sb_check_xattr_support()
532 sb->s_id, sb->s_type->name, -rc); in sb_check_xattr_support()
539 /* No xattr support - try to fallback to genfs if possible. */ in sb_check_xattr_support()
540 rc = security_genfs_sid(sb->s_type->name, "/", in sb_check_xattr_support()
543 return -EOPNOTSUPP; in sb_check_xattr_support()
546 sb->s_id, sb->s_type->name); in sb_check_xattr_support()
547 sbsec->behavior = SECURITY_FS_USE_GENFS; in sb_check_xattr_support()
548 sbsec->sid = sid; in sb_check_xattr_support()
555 struct dentry *root = sb->s_root; in sb_finish_set_opts()
559 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { in sb_finish_set_opts()
565 sbsec->flags |= SE_SBINITIALIZED; in sb_finish_set_opts()
573 sbsec->flags |= SBLABEL_MNT; in sb_finish_set_opts()
575 sbsec->flags &= ~SBLABEL_MNT; in sb_finish_set_opts()
584 spin_lock(&sbsec->isec_lock); in sb_finish_set_opts()
585 while (!list_empty(&sbsec->isec_head)) { in sb_finish_set_opts()
587 list_first_entry(&sbsec->isec_head, in sb_finish_set_opts()
589 struct inode *inode = isec->inode; in sb_finish_set_opts()
590 list_del_init(&isec->list); in sb_finish_set_opts()
591 spin_unlock(&sbsec->isec_lock); in sb_finish_set_opts()
598 spin_lock(&sbsec->isec_lock); in sb_finish_set_opts()
600 spin_unlock(&sbsec->isec_lock); in sb_finish_set_opts()
607 char mnt_flags = sbsec->flags & SE_MNTMASK; in bad_option()
610 if (sbsec->flags & SE_SBINITIALIZED) in bad_option()
611 if (!(sbsec->flags & flag) || in bad_option()
618 if (!(sbsec->flags & SE_SBINITIALIZED)) in bad_option()
635 struct dentry *root = sb->s_root; in selinux_set_mnt_opts()
647 return -EINVAL; in selinux_set_mnt_opts()
649 mutex_lock(&sbsec->lock); in selinux_set_mnt_opts()
657 sbsec->flags |= SE_SBNATIVE; in selinux_set_mnt_opts()
662 rc = -EINVAL; in selinux_set_mnt_opts()
679 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) in selinux_set_mnt_opts()
691 if (opts->fscontext_sid) { in selinux_set_mnt_opts()
692 fscontext_sid = opts->fscontext_sid; in selinux_set_mnt_opts()
693 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, in selinux_set_mnt_opts()
696 sbsec->flags |= FSCONTEXT_MNT; in selinux_set_mnt_opts()
698 if (opts->context_sid) { in selinux_set_mnt_opts()
699 context_sid = opts->context_sid; in selinux_set_mnt_opts()
700 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, in selinux_set_mnt_opts()
703 sbsec->flags |= CONTEXT_MNT; in selinux_set_mnt_opts()
705 if (opts->rootcontext_sid) { in selinux_set_mnt_opts()
706 rootcontext_sid = opts->rootcontext_sid; in selinux_set_mnt_opts()
707 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, in selinux_set_mnt_opts()
710 sbsec->flags |= ROOTCONTEXT_MNT; in selinux_set_mnt_opts()
712 if (opts->defcontext_sid) { in selinux_set_mnt_opts()
713 defcontext_sid = opts->defcontext_sid; in selinux_set_mnt_opts()
714 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, in selinux_set_mnt_opts()
717 sbsec->flags |= DEFCONTEXT_MNT; in selinux_set_mnt_opts()
721 if (sbsec->flags & SE_SBINITIALIZED) { in selinux_set_mnt_opts()
723 if ((sbsec->flags & SE_MNTMASK) && !opts) in selinux_set_mnt_opts()
729 if (strcmp(sb->s_type->name, "proc") == 0) in selinux_set_mnt_opts()
730 sbsec->flags |= SE_SBPROC | SE_SBGENFS; in selinux_set_mnt_opts()
732 if (!strcmp(sb->s_type->name, "debugfs") || in selinux_set_mnt_opts()
733 !strcmp(sb->s_type->name, "tracefs") || in selinux_set_mnt_opts()
734 !strcmp(sb->s_type->name, "binder") || in selinux_set_mnt_opts()
735 !strcmp(sb->s_type->name, "bpf") || in selinux_set_mnt_opts()
736 !strcmp(sb->s_type->name, "pstore") || in selinux_set_mnt_opts()
737 !strcmp(sb->s_type->name, "securityfs")) in selinux_set_mnt_opts()
738 sbsec->flags |= SE_SBGENFS; in selinux_set_mnt_opts()
740 if (!strcmp(sb->s_type->name, "sysfs") || in selinux_set_mnt_opts()
741 !strcmp(sb->s_type->name, "cgroup") || in selinux_set_mnt_opts()
742 !strcmp(sb->s_type->name, "cgroup2")) in selinux_set_mnt_opts()
743 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; in selinux_set_mnt_opts()
745 if (!sbsec->behavior) { in selinux_set_mnt_opts()
753 __func__, sb->s_type->name, rc); in selinux_set_mnt_opts()
763 if (sb->s_user_ns != &init_user_ns && in selinux_set_mnt_opts()
764 strcmp(sb->s_type->name, "tmpfs") && in selinux_set_mnt_opts()
765 strcmp(sb->s_type->name, "ramfs") && in selinux_set_mnt_opts()
766 strcmp(sb->s_type->name, "devpts") && in selinux_set_mnt_opts()
767 strcmp(sb->s_type->name, "overlay")) { in selinux_set_mnt_opts()
770 rc = -EACCES; in selinux_set_mnt_opts()
773 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { in selinux_set_mnt_opts()
774 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; in selinux_set_mnt_opts()
778 &sbsec->mntpoint_sid); in selinux_set_mnt_opts()
791 sbsec->sid = fscontext_sid; in selinux_set_mnt_opts()
799 if (sbsec->flags & SE_SBNATIVE) { in selinux_set_mnt_opts()
808 sbsec->behavior = SECURITY_FS_USE_NATIVE; in selinux_set_mnt_opts()
810 sbsec->behavior = SECURITY_FS_USE_NATIVE; in selinux_set_mnt_opts()
820 sbsec->sid = context_sid; in selinux_set_mnt_opts()
830 sbsec->mntpoint_sid = context_sid; in selinux_set_mnt_opts()
831 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; in selinux_set_mnt_opts()
840 root_isec->sid = rootcontext_sid; in selinux_set_mnt_opts()
841 root_isec->initialized = LABEL_INITIALIZED; in selinux_set_mnt_opts()
845 if (sbsec->behavior != SECURITY_FS_USE_XATTR && in selinux_set_mnt_opts()
846 sbsec->behavior != SECURITY_FS_USE_NATIVE) { in selinux_set_mnt_opts()
847 rc = -EINVAL; in selinux_set_mnt_opts()
853 if (defcontext_sid != sbsec->def_sid) { in selinux_set_mnt_opts()
860 sbsec->def_sid = defcontext_sid; in selinux_set_mnt_opts()
866 mutex_unlock(&sbsec->lock); in selinux_set_mnt_opts()
869 rc = -EINVAL; in selinux_set_mnt_opts()
871 "security settings for (dev %s, type %s)\n", sb->s_id, in selinux_set_mnt_opts()
872 sb->s_type->name); in selinux_set_mnt_opts()
881 char oldflags = old->flags & SE_MNTMASK; in selinux_cmp_sb_context()
882 char newflags = new->flags & SE_MNTMASK; in selinux_cmp_sb_context()
886 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) in selinux_cmp_sb_context()
888 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) in selinux_cmp_sb_context()
890 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) in selinux_cmp_sb_context()
893 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); in selinux_cmp_sb_context()
894 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); in selinux_cmp_sb_context()
895 if (oldroot->sid != newroot->sid) in selinux_cmp_sb_context()
902 "type %s)\n", newsb->s_id, newsb->s_type->name); in selinux_cmp_sb_context()
903 return -EBUSY; in selinux_cmp_sb_context()
916 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); in selinux_sb_clone_mnt_opts()
917 int set_context = (oldsbsec->flags & CONTEXT_MNT); in selinux_sb_clone_mnt_opts()
918 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); in selinux_sb_clone_mnt_opts()
925 return -EINVAL; in selinux_sb_clone_mnt_opts()
927 mutex_lock(&newsbsec->lock); in selinux_sb_clone_mnt_opts()
935 newsbsec->flags |= SE_SBNATIVE; in selinux_sb_clone_mnt_opts()
942 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); in selinux_sb_clone_mnt_opts()
945 if (newsbsec->flags & SE_SBINITIALIZED) { in selinux_sb_clone_mnt_opts()
946 mutex_unlock(&newsbsec->lock); in selinux_sb_clone_mnt_opts()
952 newsbsec->flags = oldsbsec->flags; in selinux_sb_clone_mnt_opts()
954 newsbsec->sid = oldsbsec->sid; in selinux_sb_clone_mnt_opts()
955 newsbsec->def_sid = oldsbsec->def_sid; in selinux_sb_clone_mnt_opts()
956 newsbsec->behavior = oldsbsec->behavior; in selinux_sb_clone_mnt_opts()
958 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && in selinux_sb_clone_mnt_opts()
966 newsbsec->behavior = SECURITY_FS_USE_NATIVE; in selinux_sb_clone_mnt_opts()
971 u32 sid = oldsbsec->mntpoint_sid; in selinux_sb_clone_mnt_opts()
974 newsbsec->sid = sid; in selinux_sb_clone_mnt_opts()
976 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); in selinux_sb_clone_mnt_opts()
977 newisec->sid = sid; in selinux_sb_clone_mnt_opts()
979 newsbsec->mntpoint_sid = sid; in selinux_sb_clone_mnt_opts()
982 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); in selinux_sb_clone_mnt_opts()
983 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); in selinux_sb_clone_mnt_opts()
985 newisec->sid = oldisec->sid; in selinux_sb_clone_mnt_opts()
990 mutex_unlock(&newsbsec->lock); in selinux_sb_clone_mnt_opts()
1007 return -EINVAL; in selinux_add_opt()
1011 return -EINVAL; in selinux_add_opt()
1017 return -ENOMEM; in selinux_add_opt()
1023 if (opts->context_sid || opts->defcontext_sid) in selinux_add_opt()
1025 dst_sid = &opts->context_sid; in selinux_add_opt()
1028 if (opts->fscontext_sid) in selinux_add_opt()
1030 dst_sid = &opts->fscontext_sid; in selinux_add_opt()
1033 if (opts->rootcontext_sid) in selinux_add_opt()
1035 dst_sid = &opts->rootcontext_sid; in selinux_add_opt()
1038 if (opts->context_sid || opts->defcontext_sid) in selinux_add_opt()
1040 dst_sid = &opts->defcontext_sid; in selinux_add_opt()
1044 return -EINVAL; in selinux_add_opt()
1054 return -EINVAL; in selinux_add_opt()
1083 if (!(sbsec->flags & SE_SBINITIALIZED)) in selinux_sb_show_options()
1089 if (sbsec->flags & FSCONTEXT_MNT) { in selinux_sb_show_options()
1092 rc = show_sid(m, sbsec->sid); in selinux_sb_show_options()
1096 if (sbsec->flags & CONTEXT_MNT) { in selinux_sb_show_options()
1099 rc = show_sid(m, sbsec->mntpoint_sid); in selinux_sb_show_options()
1103 if (sbsec->flags & DEFCONTEXT_MNT) { in selinux_sb_show_options()
1106 rc = show_sid(m, sbsec->def_sid); in selinux_sb_show_options()
1110 if (sbsec->flags & ROOTCONTEXT_MNT) { in selinux_sb_show_options()
1111 struct dentry *root = sb->s_root; in selinux_sb_show_options()
1115 rc = show_sid(m, isec->sid); in selinux_sb_show_options()
1119 if (sbsec->flags & SBLABEL_MNT) { in selinux_sb_show_options()
1320 struct super_block *sb = dentry->d_sb; in selinux_genfs_get_sid()
1325 return -ENOMEM; in selinux_genfs_get_sid()
1334 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ in selinux_genfs_get_sid()
1340 rc = security_genfs_sid(sb->s_type->name, in selinux_genfs_get_sid()
1342 if (rc == -ENOENT) { in selinux_genfs_get_sid()
1363 return -ENOMEM; in inode_doinit_use_xattr()
1367 if (rc == -ERANGE) { in inode_doinit_use_xattr()
1378 return -ENOMEM; in inode_doinit_use_xattr()
1386 if (rc != -ENODATA) { in inode_doinit_use_xattr()
1388 __func__, -rc, inode->i_sb->s_id, inode->i_ino); in inode_doinit_use_xattr()
1398 char *dev = inode->i_sb->s_id; in inode_doinit_use_xattr()
1399 unsigned long ino = inode->i_ino; in inode_doinit_use_xattr()
1401 if (rc == -EINVAL) { in inode_doinit_use_xattr()
1406 __func__, context, -rc, dev, ino); in inode_doinit_use_xattr()
1423 if (isec->initialized == LABEL_INITIALIZED) in inode_doinit_with_dentry()
1426 spin_lock(&isec->lock); in inode_doinit_with_dentry()
1427 if (isec->initialized == LABEL_INITIALIZED) in inode_doinit_with_dentry()
1430 if (isec->sclass == SECCLASS_FILE) in inode_doinit_with_dentry()
1431 isec->sclass = inode_mode_to_security_class(inode->i_mode); in inode_doinit_with_dentry()
1433 sbsec = selinux_superblock(inode->i_sb); in inode_doinit_with_dentry()
1434 if (!(sbsec->flags & SE_SBINITIALIZED)) { in inode_doinit_with_dentry()
1438 spin_lock(&sbsec->isec_lock); in inode_doinit_with_dentry()
1439 if (list_empty(&isec->list)) in inode_doinit_with_dentry()
1440 list_add(&isec->list, &sbsec->isec_head); in inode_doinit_with_dentry()
1441 spin_unlock(&sbsec->isec_lock); in inode_doinit_with_dentry()
1445 sclass = isec->sclass; in inode_doinit_with_dentry()
1446 task_sid = isec->task_sid; in inode_doinit_with_dentry()
1447 sid = isec->sid; in inode_doinit_with_dentry()
1448 isec->initialized = LABEL_PENDING; in inode_doinit_with_dentry()
1449 spin_unlock(&isec->lock); in inode_doinit_with_dentry()
1451 switch (sbsec->behavior) { in inode_doinit_with_dentry()
1453 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels in inode_doinit_with_dentry()
1458 if (!(inode->i_opflags & IOP_XATTR)) { in inode_doinit_with_dentry()
1459 sid = sbsec->def_sid; in inode_doinit_with_dentry()
1483 * sbsec->isec_head list. No reason to complain as these in inode_doinit_with_dentry()
1491 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, in inode_doinit_with_dentry()
1502 sid = sbsec->sid; in inode_doinit_with_dentry()
1511 sid = sbsec->mntpoint_sid; in inode_doinit_with_dentry()
1515 sid = sbsec->sid; in inode_doinit_with_dentry()
1517 if ((sbsec->flags & SE_SBGENFS) && in inode_doinit_with_dentry()
1518 (!S_ISLNK(inode->i_mode) || in inode_doinit_with_dentry()
1539 * sbsec->isec_head list. No reason to complain as in inode_doinit_with_dentry()
1547 sbsec->flags, &sid); in inode_doinit_with_dentry()
1553 if ((sbsec->flags & SE_SBGENFS_XATTR) && in inode_doinit_with_dentry()
1554 (inode->i_opflags & IOP_XATTR)) { in inode_doinit_with_dentry()
1568 spin_lock(&isec->lock); in inode_doinit_with_dentry()
1569 if (isec->initialized == LABEL_PENDING) { in inode_doinit_with_dentry()
1571 isec->initialized = LABEL_INVALID; in inode_doinit_with_dentry()
1574 isec->initialized = LABEL_INITIALIZED; in inode_doinit_with_dentry()
1575 isec->sid = sid; in inode_doinit_with_dentry()
1579 spin_unlock(&isec->lock); in inode_doinit_with_dentry()
1583 spin_lock(&isec->lock); in inode_doinit_with_dentry()
1584 if (isec->initialized == LABEL_PENDING) { in inode_doinit_with_dentry()
1585 isec->initialized = LABEL_INVALID; in inode_doinit_with_dentry()
1586 isec->sid = sid; in inode_doinit_with_dentry()
1588 spin_unlock(&isec->lock); in inode_doinit_with_dentry()
1647 return -EINVAL; in cred_has_capability()
1676 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); in inode_has_perm()
1702 struct inode *inode = d_backing_inode(path->dentry); in path_has_perm()
1707 __inode_security_revalidate(inode, path->dentry, true); in path_has_perm()
1748 if (sid != fsec->sid) { in file_has_perm()
1749 rc = avc_has_perm(sid, fsec->sid, in file_has_perm()
1782 selinux_superblock(dir->i_sb); in selinux_determine_inode_label()
1784 if ((sbsec->flags & SE_SBINITIALIZED) && in selinux_determine_inode_label()
1785 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { in selinux_determine_inode_label()
1786 *_new_isid = sbsec->mntpoint_sid; in selinux_determine_inode_label()
1787 } else if ((sbsec->flags & SBLABEL_MNT) && in selinux_determine_inode_label()
1788 tsec->create_sid) { in selinux_determine_inode_label()
1789 *_new_isid = tsec->create_sid; in selinux_determine_inode_label()
1792 return security_transition_sid(tsec->sid, in selinux_determine_inode_label()
1793 dsec->sid, tclass, in selinux_determine_inode_label()
1813 sbsec = selinux_superblock(dir->i_sb); in may_create()
1815 sid = tsec->sid; in may_create()
1820 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, in may_create()
1826 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass, in may_create()
1835 return avc_has_perm(newsid, sbsec->sid, in may_create()
1864 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); in may_link()
1884 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); in may_link()
1908 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, in may_rename()
1912 rc = avc_has_perm(sid, old_isec->sid, in may_rename()
1913 old_isec->sclass, FILE__RENAME, &ad); in may_rename()
1917 rc = avc_has_perm(sid, old_isec->sid, in may_rename()
1918 old_isec->sclass, DIR__REPARENT, &ad); in may_rename()
1927 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); in may_rename()
1933 rc = avc_has_perm(sid, new_isec->sid, in may_rename()
1934 new_isec->sclass, in may_rename()
1953 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); in superblock_has_perm()
1989 if (file->f_mode & FMODE_READ) in file_to_av()
1991 if (file->f_mode & FMODE_WRITE) { in file_to_av()
1992 if (file->f_flags & O_APPEND) in file_to_av()
1999 * Special file opened with flags 3 for ioctl-only use. in file_to_av()
2017 inode->i_sb->s_magic != SOCKFS_MAGIC) in open_file_to_av()
2064 struct dentry *dentry = file->f_path.dentry; in selinux_binder_transfer_file()
2070 ad.u.path = file->f_path; in selinux_binder_transfer_file()
2072 if (sid != fsec->sid) { in selinux_binder_transfer_file()
2073 rc = avc_has_perm(sid, fsec->sid, in selinux_binder_transfer_file()
2091 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), in selinux_binder_transfer_file()
2242 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); in check_nnp_nosuid()
2243 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); in check_nnp_nosuid()
2250 if (new_tsec->sid == old_tsec->sid) in check_nnp_nosuid()
2265 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, in check_nnp_nosuid()
2276 rc = security_bounded_transition(old_tsec->sid, in check_nnp_nosuid()
2277 new_tsec->sid); in check_nnp_nosuid()
2287 return -EPERM; in check_nnp_nosuid()
2288 return -EACCES; in check_nnp_nosuid()
2297 struct inode *inode = file_inode(bprm->file); in selinux_bprm_creds_for_exec()
2304 new_tsec = selinux_cred(bprm->cred); in selinux_bprm_creds_for_exec()
2308 new_tsec->sid = old_tsec->sid; in selinux_bprm_creds_for_exec()
2309 new_tsec->osid = old_tsec->sid; in selinux_bprm_creds_for_exec()
2312 new_tsec->create_sid = 0; in selinux_bprm_creds_for_exec()
2313 new_tsec->keycreate_sid = 0; in selinux_bprm_creds_for_exec()
2314 new_tsec->sockcreate_sid = 0; in selinux_bprm_creds_for_exec()
2323 new_tsec->sid = SECINITSID_INIT; in selinux_bprm_creds_for_exec()
2325 new_tsec->exec_sid = 0; in selinux_bprm_creds_for_exec()
2329 if (old_tsec->exec_sid) { in selinux_bprm_creds_for_exec()
2330 new_tsec->sid = old_tsec->exec_sid; in selinux_bprm_creds_for_exec()
2332 new_tsec->exec_sid = 0; in selinux_bprm_creds_for_exec()
2340 rc = security_transition_sid(old_tsec->sid, in selinux_bprm_creds_for_exec()
2341 isec->sid, SECCLASS_PROCESS, NULL, in selinux_bprm_creds_for_exec()
2342 &new_tsec->sid); in selinux_bprm_creds_for_exec()
2352 new_tsec->sid = old_tsec->sid; in selinux_bprm_creds_for_exec()
2356 ad.u.file = bprm->file; in selinux_bprm_creds_for_exec()
2358 if (new_tsec->sid == old_tsec->sid) { in selinux_bprm_creds_for_exec()
2359 rc = avc_has_perm(old_tsec->sid, isec->sid, in selinux_bprm_creds_for_exec()
2365 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, in selinux_bprm_creds_for_exec()
2370 rc = avc_has_perm(new_tsec->sid, isec->sid, in selinux_bprm_creds_for_exec()
2376 if (bprm->unsafe & LSM_UNSAFE_SHARE) { in selinux_bprm_creds_for_exec()
2377 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, in selinux_bprm_creds_for_exec()
2381 return -EPERM; in selinux_bprm_creds_for_exec()
2386 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { in selinux_bprm_creds_for_exec()
2389 rc = avc_has_perm(ptsid, new_tsec->sid, in selinux_bprm_creds_for_exec()
2393 return -EPERM; in selinux_bprm_creds_for_exec()
2398 bprm->per_clear |= PER_CLEAR_ON_SETID; in selinux_bprm_creds_for_exec()
2403 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, in selinux_bprm_creds_for_exec()
2406 bprm->secureexec |= !!rc; in selinux_bprm_creds_for_exec()
2428 spin_lock(&tty->files_lock); in flush_unauthorized_files()
2429 if (!list_empty(&tty->tty_files)) { in flush_unauthorized_files()
2436 only interested in the inode-based check here. */ in flush_unauthorized_files()
2437 file_priv = list_first_entry(&tty->tty_files, in flush_unauthorized_files()
2439 file = file_priv->file; in flush_unauthorized_files()
2443 spin_unlock(&tty->files_lock); in flush_unauthorized_files()
2460 replace_fd(n - 1, devnull, 0); in flush_unauthorized_files()
2475 new_tsec = selinux_cred(bprm->cred); in selinux_bprm_committing_creds()
2476 if (new_tsec->sid == new_tsec->osid) in selinux_bprm_committing_creds()
2480 flush_unauthorized_files(bprm->cred, current->files); in selinux_bprm_committing_creds()
2483 current->pdeath_signal = 0; in selinux_bprm_committing_creds()
2495 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, in selinux_bprm_committing_creds()
2501 rlim = current->signal->rlim + i; in selinux_bprm_committing_creds()
2502 initrlim = init_task.signal->rlim + i; in selinux_bprm_committing_creds()
2503 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); in selinux_bprm_committing_creds()
2521 osid = tsec->osid; in selinux_bprm_committed_creds()
2522 sid = tsec->sid; in selinux_bprm_committed_creds()
2538 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock); in selinux_bprm_committed_creds()
2540 flush_sigqueue(¤t->pending); in selinux_bprm_committed_creds()
2541 flush_sigqueue(¤t->signal->shared_pending); in selinux_bprm_committed_creds()
2543 sigemptyset(¤t->blocked); in selinux_bprm_committed_creds()
2546 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock); in selinux_bprm_committed_creds()
2552 __wake_up_parent(current, unrcu_pointer(current->real_parent)); in selinux_bprm_committed_creds()
2562 mutex_init(&sbsec->lock); in selinux_sb_alloc_security()
2563 INIT_LIST_HEAD(&sbsec->isec_head); in selinux_sb_alloc_security()
2564 spin_lock_init(&sbsec->isec_lock); in selinux_sb_alloc_security()
2565 sbsec->sid = SECINITSID_UNLABELED; in selinux_sb_alloc_security()
2566 sbsec->def_sid = SECINITSID_FILE; in selinux_sb_alloc_security()
2567 sbsec->mntpoint_sid = SECINITSID_UNLABELED; in selinux_sb_alloc_security()
2611 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); in selinux_sb_eat_lsm_opts()
2613 rc = -ENOMEM; in selinux_sb_eat_lsm_opts()
2625 from--; in selinux_sb_eat_lsm_opts()
2654 * Superblock not initialized (i.e. no options) - reject if any in selinux_sb_mnt_opts_compat()
2657 if (!(sbsec->flags & SE_SBINITIALIZED)) in selinux_sb_mnt_opts_compat()
2661 * Superblock initialized and no options specified - reject if in selinux_sb_mnt_opts_compat()
2665 return (sbsec->flags & SE_MNTMASK) ? 1 : 0; in selinux_sb_mnt_opts_compat()
2667 if (opts->fscontext_sid) { in selinux_sb_mnt_opts_compat()
2668 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, in selinux_sb_mnt_opts_compat()
2669 opts->fscontext_sid)) in selinux_sb_mnt_opts_compat()
2672 if (opts->context_sid) { in selinux_sb_mnt_opts_compat()
2673 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, in selinux_sb_mnt_opts_compat()
2674 opts->context_sid)) in selinux_sb_mnt_opts_compat()
2677 if (opts->rootcontext_sid) { in selinux_sb_mnt_opts_compat()
2680 root_isec = backing_inode_security(sb->s_root); in selinux_sb_mnt_opts_compat()
2681 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, in selinux_sb_mnt_opts_compat()
2682 opts->rootcontext_sid)) in selinux_sb_mnt_opts_compat()
2685 if (opts->defcontext_sid) { in selinux_sb_mnt_opts_compat()
2686 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, in selinux_sb_mnt_opts_compat()
2687 opts->defcontext_sid)) in selinux_sb_mnt_opts_compat()
2698 if (!(sbsec->flags & SE_SBINITIALIZED)) in selinux_sb_remount()
2704 if (opts->fscontext_sid) { in selinux_sb_remount()
2705 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, in selinux_sb_remount()
2706 opts->fscontext_sid)) in selinux_sb_remount()
2709 if (opts->context_sid) { in selinux_sb_remount()
2710 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, in selinux_sb_remount()
2711 opts->context_sid)) in selinux_sb_remount()
2714 if (opts->rootcontext_sid) { in selinux_sb_remount()
2716 root_isec = backing_inode_security(sb->s_root); in selinux_sb_remount()
2717 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, in selinux_sb_remount()
2718 opts->rootcontext_sid)) in selinux_sb_remount()
2721 if (opts->defcontext_sid) { in selinux_sb_remount()
2722 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, in selinux_sb_remount()
2723 opts->defcontext_sid)) in selinux_sb_remount()
2730 "during remount (dev %s, type=%s)\n", sb->s_id, in selinux_sb_remount()
2731 sb->s_type->name); in selinux_sb_remount()
2732 return -EINVAL; in selinux_sb_remount()
2741 ad.u.dentry = sb->s_root; in selinux_sb_kern_mount()
2751 ad.u.dentry = dentry->d_sb->s_root; in selinux_sb_statfs()
2752 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); in selinux_sb_statfs()
2764 return superblock_has_perm(cred, path->dentry->d_sb, in selinux_mount()
2782 return superblock_has_perm(cred, mnt->mnt_sb, in selinux_umount()
2793 * Ensure that fc->security remains NULL when no options are set in selinux_fs_context_submount()
2796 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT))) in selinux_fs_context_submount()
2801 return -ENOMEM; in selinux_fs_context_submount()
2803 if (sbsec->flags & FSCONTEXT_MNT) in selinux_fs_context_submount()
2804 opts->fscontext_sid = sbsec->sid; in selinux_fs_context_submount()
2805 if (sbsec->flags & CONTEXT_MNT) in selinux_fs_context_submount()
2806 opts->context_sid = sbsec->mntpoint_sid; in selinux_fs_context_submount()
2807 if (sbsec->flags & DEFCONTEXT_MNT) in selinux_fs_context_submount()
2808 opts->defcontext_sid = sbsec->def_sid; in selinux_fs_context_submount()
2809 fc->security = opts; in selinux_fs_context_submount()
2816 const struct selinux_mnt_opts *src = src_fc->security; in selinux_fs_context_dup()
2821 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL); in selinux_fs_context_dup()
2822 return fc->security ? 0 : -ENOMEM; in selinux_fs_context_dup()
2844 return selinux_add_opt(opt, param->string, &fc->security); in selinux_fs_context_parse_param()
2854 spin_lock_init(&isec->lock); in selinux_inode_alloc_security()
2855 INIT_LIST_HEAD(&isec->list); in selinux_inode_alloc_security()
2856 isec->inode = inode; in selinux_inode_alloc_security()
2857 isec->sid = SECINITSID_UNLABELED; in selinux_inode_alloc_security()
2858 isec->sclass = SECCLASS_FILE; in selinux_inode_alloc_security()
2859 isec->task_sid = sid; in selinux_inode_alloc_security()
2860 isec->initialized = LABEL_INVALID; in selinux_inode_alloc_security()
2879 d_inode(dentry->d_parent), name, in selinux_dentry_init_security()
2888 cp->id = LSM_ID_SELINUX; in selinux_dentry_init_security()
2889 return security_sid_to_context(newsid, &cp->context, &cp->len); in selinux_dentry_init_security()
2902 d_inode(dentry->d_parent), name, in selinux_dentry_create_files_as()
2909 tsec->create_sid = newsid; in selinux_dentry_create_files_as()
2925 sbsec = selinux_superblock(dir->i_sb); in selinux_inode_init_security()
2927 newsid = tsec->create_sid; in selinux_inode_init_security()
2928 newsclass = inode_mode_to_security_class(inode->i_mode); in selinux_inode_init_security()
2934 if (sbsec->flags & SE_SBINITIALIZED) { in selinux_inode_init_security()
2936 isec->sclass = newsclass; in selinux_inode_init_security()
2937 isec->sid = newsid; in selinux_inode_init_security()
2938 isec->initialized = LABEL_INITIALIZED; in selinux_inode_init_security()
2942 !(sbsec->flags & SBLABEL_MNT)) in selinux_inode_init_security()
2943 return -EOPNOTSUPP; in selinux_inode_init_security()
2950 xattr->value = context; in selinux_inode_init_security()
2951 xattr->value_len = clen; in selinux_inode_init_security()
2952 xattr->name = XATTR_SELINUX_SUFFIX; in selinux_inode_init_security()
2981 if (context_isec->initialized != LABEL_INITIALIZED) { in selinux_inode_init_security_anon()
2983 return -EACCES; in selinux_inode_init_security_anon()
2986 isec->sclass = context_isec->sclass; in selinux_inode_init_security_anon()
2987 isec->sid = context_isec->sid; in selinux_inode_init_security_anon()
2989 isec->sclass = SECCLASS_ANON_INODE; in selinux_inode_init_security_anon()
2992 isec->sclass, name, &isec->sid); in selinux_inode_init_security_anon()
2997 isec->initialized = LABEL_INITIALIZED; in selinux_inode_init_security_anon()
3004 ad.u.anonclass = name ? (const char *)name->name : "?"; in selinux_inode_init_security_anon()
3007 isec->sid, in selinux_inode_init_security_anon()
3008 isec->sclass, in selinux_inode_init_security_anon()
3074 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad); in selinux_inode_follow_link()
3087 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, in audit_inode_permission()
3112 perms = file_mask_to_av(inode->i_mode, mask); in selinux_inode_permission()
3118 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, in selinux_inode_permission()
3137 unsigned int ia_valid = iattr->ia_valid; in selinux_inode_setattr()
3153 inode->i_sb->s_magic != SOCKFS_MAGIC && in selinux_inode_setattr()
3179 * selinux_inode_xattr_skipcap - Skip the xattr capability checks?
3211 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM); in selinux_inode_setxattr()
3213 sbsec = selinux_superblock(inode->i_sb); in selinux_inode_setxattr()
3214 if (!(sbsec->flags & SBLABEL_MNT)) in selinux_inode_setxattr()
3215 return -EOPNOTSUPP; in selinux_inode_setxattr()
3218 return -EPERM; in selinux_inode_setxattr()
3224 rc = avc_has_perm(sid, isec->sid, isec->sclass, in selinux_inode_setxattr()
3231 if (rc == -EINVAL) { in selinux_inode_setxattr()
3241 if (str[size - 1] == '\0') in selinux_inode_setxattr()
3242 audit_size = size - 1; in selinux_inode_setxattr()
3264 rc = avc_has_perm(sid, newsid, isec->sclass, in selinux_inode_setxattr()
3269 rc = security_validate_transition(isec->sid, newsid, in selinux_inode_setxattr()
3270 sid, isec->sclass); in selinux_inode_setxattr()
3275 sbsec->sid, in selinux_inode_setxattr()
3328 inode->i_sb->s_id, inode->i_ino, -rc); in selinux_inode_post_setxattr()
3333 spin_lock(&isec->lock); in selinux_inode_post_setxattr()
3334 isec->sclass = inode_mode_to_security_class(inode->i_mode); in selinux_inode_post_setxattr()
3335 isec->sid = newsid; in selinux_inode_post_setxattr()
3336 isec->initialized = LABEL_INITIALIZED; in selinux_inode_post_setxattr()
3337 spin_unlock(&isec->lock); in selinux_inode_post_setxattr()
3366 return -EACCES; in selinux_inode_removexattr()
3390 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, in selinux_path_notify()
3399 return -EINVAL; in selinux_path_notify()
3406 /* watches on read-like events need the file:watch_reads permission */ in selinux_path_notify()
3430 * just let vfs_getxattr fall back to using the on-disk xattr. in selinux_inode_getsecurity()
3434 return -EOPNOTSUPP; in selinux_inode_getsecurity()
3439 * use the in-core value under current policy. in selinux_inode_getsecurity()
3440 * Use the non-auditing forms of the permission checks since in selinux_inode_getsecurity()
3443 * in-core context value, not a denial. in selinux_inode_getsecurity()
3447 error = security_sid_to_context_force(isec->sid, &context, in selinux_inode_getsecurity()
3450 error = security_sid_to_context(isec->sid, in selinux_inode_getsecurity()
3473 return -EOPNOTSUPP; in selinux_inode_setsecurity()
3475 sbsec = selinux_superblock(inode->i_sb); in selinux_inode_setsecurity()
3476 if (!(sbsec->flags & SBLABEL_MNT)) in selinux_inode_setsecurity()
3477 return -EOPNOTSUPP; in selinux_inode_setsecurity()
3480 return -EACCES; in selinux_inode_setsecurity()
3487 spin_lock(&isec->lock); in selinux_inode_setsecurity()
3488 isec->sclass = inode_mode_to_security_class(inode->i_mode); in selinux_inode_setsecurity()
3489 isec->sid = newsid; in selinux_inode_setsecurity()
3490 isec->initialized = LABEL_INITIALIZED; in selinux_inode_setsecurity()
3491 spin_unlock(&isec->lock); in selinux_inode_setsecurity()
3511 prop->selinux.secid = isec->sid; in selinux_inode_getlsmprop()
3523 return -ENOMEM; in selinux_inode_copy_up()
3529 tsec->create_sid = prop.selinux.secid; in selinux_inode_copy_up()
3538 * xattrs up. Instead, filter out SELinux-related xattrs following in selinux_inode_copy_up_xattr()
3542 return -ECANCELED; /* Discard */ in selinux_inode_copy_up_xattr()
3547 return -EOPNOTSUPP; in selinux_inode_copy_up_xattr()
3561 if (rc == -ENODATA) in selinux_kernfs_init_security()
3569 return -ENOMEM; in selinux_kernfs_init_security()
3583 if (tsec->create_sid) { in selinux_kernfs_init_security()
3584 newsid = tsec->create_sid; in selinux_kernfs_init_security()
3586 u16 secclass = inode_mode_to_security_class(kn->mode); in selinux_kernfs_init_security()
3589 q.name = kn->name; in selinux_kernfs_init_security()
3590 q.hash_len = hashlen_string(kn_dir, kn->name); in selinux_kernfs_init_security()
3592 rc = security_transition_sid(tsec->sid, in selinux_kernfs_init_security()
3619 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) in selinux_revalidate_file_permission()
3623 file_mask_to_av(inode->i_mode, mask)); in selinux_revalidate_file_permission()
3638 if (sid == fsec->sid && fsec->isid == isec->sid && in selinux_file_permission()
3639 fsec->pseqno == avc_policy_seqno()) in selinux_file_permission()
3651 fsec->sid = sid; in selinux_file_alloc_security()
3652 fsec->fown_sid = sid; in selinux_file_alloc_security()
3676 ad.u.op->cmd = cmd; in ioctl_has_perm()
3677 ad.u.op->path = file->f_path; in ioctl_has_perm()
3679 if (ssid != fsec->sid) { in ioctl_has_perm()
3680 rc = avc_has_perm(ssid, fsec->sid, in ioctl_has_perm()
3692 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, requested, in ioctl_has_perm()
3749 * If we are in a 64-bit kernel running 32-bit userspace, we need to in selinux_file_ioctl_compat()
3750 * make sure we don't compare 32-bit flags to 64-bit flags. in selinux_file_ioctl_compat()
3853 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { in selinux_file_mprotect()
3864 if (vma->vm_start >= vma->vm_mm->start_brk && in selinux_file_mprotect()
3865 vma->vm_end <= vma->vm_mm->brk) { in selinux_file_mprotect()
3868 } else if (!vma->vm_file && (vma_is_initial_stack(vma) || in selinux_file_mprotect()
3872 } else if (vma->vm_file && vma->anon_vma) { in selinux_file_mprotect()
3880 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); in selinux_file_mprotect()
3886 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); in selinux_file_mprotect()
3904 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { in selinux_file_fcntl()
3941 fsec->fown_sid = current_sid(); in selinux_file_set_fowner()
3953 file = fown->file; in selinux_file_send_sigiotask()
3962 return avc_has_perm(fsec->fown_sid, sid, in selinux_file_send_sigiotask()
3982 * at open-time so that selinux_file_permission in selinux_file_open()
3987 fsec->isid = isec->sid; in selinux_file_open()
3988 fsec->pseqno = avc_policy_seqno(); in selinux_file_open()
3995 * This check is not redundant - do not remove. in selinux_file_open()
3997 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); in selinux_file_open()
4041 prop->selinux.secid = cred_sid(c); in selinux_cred_getlsmprop()
4046 * - all the creation contexts are set to unlabelled
4059 tsec->sid = secid; in selinux_kernel_act_as()
4060 tsec->create_sid = 0; in selinux_kernel_act_as()
4061 tsec->keycreate_sid = 0; in selinux_kernel_act_as()
4062 tsec->sockcreate_sid = 0; in selinux_kernel_act_as()
4078 ret = avc_has_perm(sid, isec->sid, in selinux_kernel_create_files_as()
4084 tsec->create_sid = isec->sid; in selinux_kernel_create_files_as()
4118 if (sid != fsec->sid) { in selinux_kernel_module_from_file()
4119 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); in selinux_kernel_module_from_file()
4125 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, in selinux_kernel_module_from_file()
4181 prop->selinux.secid = current_sid(); in selinux_current_getlsmprop_subj()
4187 prop->selinux.secid = task_sid_obj(p); in selinux_task_getlsmprop_obj()
4226 struct rlimit *old_rlim = p->signal->rlim + resource; in selinux_task_setrlimit()
4232 if (old_rlim->rlim_max != new_rlim->rlim_max) in selinux_task_setrlimit()
4280 spin_lock(&isec->lock); in selinux_task_to_inode()
4281 isec->sclass = inode_mode_to_security_class(inode->i_mode); in selinux_task_to_inode()
4282 isec->sid = sid; in selinux_task_to_inode()
4283 isec->initialized = LABEL_INITIALIZED; in selinux_task_to_inode()
4284 spin_unlock(&isec->lock); in selinux_task_to_inode()
4299 int offset, ihlen, ret = -EINVAL; in selinux_parse_skb_ipv4()
4307 ihlen = ih->ihl * 4; in selinux_parse_skb_ipv4()
4311 ad->u.net->v4info.saddr = ih->saddr; in selinux_parse_skb_ipv4()
4312 ad->u.net->v4info.daddr = ih->daddr; in selinux_parse_skb_ipv4()
4316 *proto = ih->protocol; in selinux_parse_skb_ipv4()
4318 switch (ih->protocol) { in selinux_parse_skb_ipv4()
4322 if (ntohs(ih->frag_off) & IP_OFFSET) in selinux_parse_skb_ipv4()
4330 ad->u.net->sport = th->source; in selinux_parse_skb_ipv4()
4331 ad->u.net->dport = th->dest; in selinux_parse_skb_ipv4()
4338 if (ntohs(ih->frag_off) & IP_OFFSET) in selinux_parse_skb_ipv4()
4346 ad->u.net->sport = uh->source; in selinux_parse_skb_ipv4()
4347 ad->u.net->dport = uh->dest; in selinux_parse_skb_ipv4()
4354 if (ntohs(ih->frag_off) & IP_OFFSET) in selinux_parse_skb_ipv4()
4362 ad->u.net->sport = dh->dccph_sport; in selinux_parse_skb_ipv4()
4363 ad->u.net->dport = dh->dccph_dport; in selinux_parse_skb_ipv4()
4371 if (ntohs(ih->frag_off) & IP_OFFSET) in selinux_parse_skb_ipv4()
4379 ad->u.net->sport = sh->source; in selinux_parse_skb_ipv4()
4380 ad->u.net->dport = sh->dest; in selinux_parse_skb_ipv4()
4398 int ret = -EINVAL, offset; in selinux_parse_skb_ipv6()
4407 ad->u.net->v6info.saddr = ip6->saddr; in selinux_parse_skb_ipv6()
4408 ad->u.net->v6info.daddr = ip6->daddr; in selinux_parse_skb_ipv6()
4411 nexthdr = ip6->nexthdr; in selinux_parse_skb_ipv6()
4428 ad->u.net->sport = th->source; in selinux_parse_skb_ipv6()
4429 ad->u.net->dport = th->dest; in selinux_parse_skb_ipv6()
4440 ad->u.net->sport = uh->source; in selinux_parse_skb_ipv6()
4441 ad->u.net->dport = uh->dest; in selinux_parse_skb_ipv6()
4452 ad->u.net->sport = dh->dccph_sport; in selinux_parse_skb_ipv6()
4453 ad->u.net->dport = dh->dccph_dport; in selinux_parse_skb_ipv6()
4465 ad->u.net->sport = sh->source; in selinux_parse_skb_ipv6()
4466 ad->u.net->dport = sh->dest; in selinux_parse_skb_ipv6()
4486 switch (ad->u.net->family) { in selinux_parse_skb()
4491 addrp = (char *)(src ? &ad->u.net->v4info.saddr : in selinux_parse_skb()
4492 &ad->u.net->v4info.daddr); in selinux_parse_skb()
4500 addrp = (char *)(src ? &ad->u.net->v6info.saddr : in selinux_parse_skb()
4501 &ad->u.net->v6info.daddr); in selinux_parse_skb()
4522 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4532 * or -EACCES if @sid is invalid due to inconsistencies with the different
4545 return -EACCES; in selinux_skb_peerlbl_sid()
4548 return -EACCES; in selinux_skb_peerlbl_sid()
4556 return -EACCES; in selinux_skb_peerlbl_sid()
4563 * selinux_conn_sid - Determine the child socket label for a connection
4592 if (tsec->sockcreate_sid > SECSID_NULL) { in socket_sockcreate_sid()
4593 *socksid = tsec->sockcreate_sid; in socket_sockcreate_sid()
4597 return security_transition_sid(tsec->sid, tsec->sid, in socket_sockcreate_sid()
4626 struct sk_security_struct *sksec = sk->sk_security; in sock_has_perm()
4630 if (sock_skip_has_perm(sksec->sid)) in sock_has_perm()
4635 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, in sock_has_perm()
4655 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); in selinux_socket_create()
4674 isec->sclass = sclass; in selinux_socket_post_create()
4675 isec->sid = sid; in selinux_socket_post_create()
4676 isec->initialized = LABEL_INITIALIZED; in selinux_socket_post_create()
4678 if (sock->sk) { in selinux_socket_post_create()
4679 sksec = selinux_sock(sock->sk); in selinux_socket_post_create()
4680 sksec->sclass = sclass; in selinux_socket_post_create()
4681 sksec->sid = sid; in selinux_socket_post_create()
4683 if (sksec->sclass == SECCLASS_SCTP_SOCKET) in selinux_socket_post_create()
4684 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; in selinux_socket_post_create()
4686 err = selinux_netlbl_socket_post_create(sock->sk, family); in selinux_socket_post_create()
4695 struct sk_security_struct *sksec_a = selinux_sock(socka->sk); in selinux_socket_socketpair()
4696 struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); in selinux_socket_socketpair()
4698 sksec_a->peer_sid = sksec_b->sid; in selinux_socket_socketpair()
4699 sksec_b->peer_sid = sksec_a->sid; in selinux_socket_socketpair()
4710 struct sock *sk = sock->sk; in selinux_socket_bind()
4720 family = sk->sk_family; in selinux_socket_bind()
4734 * need to check address->sa_family as it is possible to have in selinux_socket_bind()
4735 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. in selinux_socket_bind()
4738 return -EINVAL; in selinux_socket_bind()
4739 family_sa = address->sa_family; in selinux_socket_bind()
4744 return -EINVAL; in selinux_socket_bind()
4750 return -EINVAL; in selinux_socket_bind()
4757 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) in selinux_socket_bind()
4761 snum = ntohs(addr4->sin_port); in selinux_socket_bind()
4762 addrp = (char *)&addr4->sin_addr.s_addr; in selinux_socket_bind()
4766 return -EINVAL; in selinux_socket_bind()
4768 snum = ntohs(addr6->sin6_port); in selinux_socket_bind()
4769 addrp = (char *)&addr6->sin6_addr.s6_addr; in selinux_socket_bind()
4777 ad.u.net->sport = htons(snum); in selinux_socket_bind()
4778 ad.u.net->family = family_sa; in selinux_socket_bind()
4787 err = sel_netport_sid(sk->sk_protocol, in selinux_socket_bind()
4791 err = avc_has_perm(sksec->sid, sid, in selinux_socket_bind()
4792 sksec->sclass, in selinux_socket_bind()
4799 switch (sksec->sclass) { in selinux_socket_bind()
4826 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; in selinux_socket_bind()
4828 ad.u.net->v6info.saddr = addr6->sin6_addr; in selinux_socket_bind()
4830 err = avc_has_perm(sksec->sid, sid, in selinux_socket_bind()
4831 sksec->sclass, node_perm, &ad); in selinux_socket_bind()
4838 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ in selinux_socket_bind()
4839 if (sk->sk_protocol == IPPROTO_SCTP) in selinux_socket_bind()
4840 return -EINVAL; in selinux_socket_bind()
4841 return -EAFNOSUPPORT; in selinux_socket_bind()
4850 struct sock *sk = sock->sk; in selinux_socket_connect_helper()
4858 return -EINVAL; in selinux_socket_connect_helper()
4863 if (address->sa_family == AF_UNSPEC) in selinux_socket_connect_helper()
4870 if (sksec->sclass == SECCLASS_TCP_SOCKET || in selinux_socket_connect_helper()
4871 sksec->sclass == SECCLASS_DCCP_SOCKET || in selinux_socket_connect_helper()
4872 sksec->sclass == SECCLASS_SCTP_SOCKET) { in selinux_socket_connect_helper()
4882 * need to check address->sa_family as it is possible to have in selinux_socket_connect_helper()
4883 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. in selinux_socket_connect_helper()
4885 switch (address->sa_family) { in selinux_socket_connect_helper()
4889 return -EINVAL; in selinux_socket_connect_helper()
4890 snum = ntohs(addr4->sin_port); in selinux_socket_connect_helper()
4895 return -EINVAL; in selinux_socket_connect_helper()
4896 snum = ntohs(addr6->sin6_port); in selinux_socket_connect_helper()
4899 /* Note that SCTP services expect -EINVAL, whereas in selinux_socket_connect_helper()
4900 * others expect -EAFNOSUPPORT. in selinux_socket_connect_helper()
4902 if (sksec->sclass == SECCLASS_SCTP_SOCKET) in selinux_socket_connect_helper()
4903 return -EINVAL; in selinux_socket_connect_helper()
4905 return -EAFNOSUPPORT; in selinux_socket_connect_helper()
4908 err = sel_netport_sid(sk->sk_protocol, snum, &sid); in selinux_socket_connect_helper()
4912 switch (sksec->sclass) { in selinux_socket_connect_helper()
4926 ad.u.net->dport = htons(snum); in selinux_socket_connect_helper()
4927 ad.u.net->family = address->sa_family; in selinux_socket_connect_helper()
4928 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); in selinux_socket_connect_helper()
4941 struct sock *sk = sock->sk; in selinux_socket_connect()
4952 return sock_has_perm(sock->sk, SOCKET__LISTEN); in selinux_socket_listen()
4963 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); in selinux_socket_accept()
4968 spin_lock(&isec->lock); in selinux_socket_accept()
4969 sclass = isec->sclass; in selinux_socket_accept()
4970 sid = isec->sid; in selinux_socket_accept()
4971 spin_unlock(&isec->lock); in selinux_socket_accept()
4974 newisec->sclass = sclass; in selinux_socket_accept()
4975 newisec->sid = sid; in selinux_socket_accept()
4976 newisec->initialized = LABEL_INITIALIZED; in selinux_socket_accept()
4984 return sock_has_perm(sock->sk, SOCKET__WRITE); in selinux_socket_sendmsg()
4990 return sock_has_perm(sock->sk, SOCKET__READ); in selinux_socket_recvmsg()
4995 return sock_has_perm(sock->sk, SOCKET__GETATTR); in selinux_socket_getsockname()
5000 return sock_has_perm(sock->sk, SOCKET__GETATTR); in selinux_socket_getpeername()
5007 err = sock_has_perm(sock->sk, SOCKET__SETOPT); in selinux_socket_setsockopt()
5017 return sock_has_perm(sock->sk, SOCKET__GETOPT); in selinux_socket_getsockopt()
5022 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); in selinux_socket_shutdown()
5038 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, in selinux_socket_unix_stream_connect()
5039 sksec_other->sclass, in selinux_socket_unix_stream_connect()
5045 sksec_new->peer_sid = sksec_sock->sid; in selinux_socket_unix_stream_connect()
5046 err = security_sid_mls_copy(sksec_other->sid, in selinux_socket_unix_stream_connect()
5047 sksec_sock->sid, &sksec_new->sid); in selinux_socket_unix_stream_connect()
5052 sksec_sock->peer_sid = sksec_new->sid; in selinux_socket_unix_stream_connect()
5060 struct sk_security_struct *ssec = selinux_sock(sock->sk); in selinux_socket_unix_may_send()
5061 struct sk_security_struct *osec = selinux_sock(other->sk); in selinux_socket_unix_may_send()
5065 ad_net_init_from_sk(&ad, &net, other->sk); in selinux_socket_unix_may_send()
5067 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, in selinux_socket_unix_may_send()
5099 u32 sk_sid = sksec->sid; in selinux_sock_rcv_skb_compat()
5104 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); in selinux_sock_rcv_skb_compat()
5110 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, in selinux_sock_rcv_skb_compat()
5119 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); in selinux_sock_rcv_skb_compat()
5128 u16 family = sk->sk_family; in selinux_socket_sock_rcv_skb()
5129 u32 sk_sid = sksec->sid; in selinux_socket_sock_rcv_skb()
5138 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) in selinux_socket_sock_rcv_skb()
5153 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); in selinux_socket_sock_rcv_skb()
5164 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, in selinux_socket_sock_rcv_skb()
5179 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, in selinux_socket_sock_rcv_skb()
5195 struct sk_security_struct *sksec = selinux_sock(sock->sk); in selinux_socket_getpeersec_stream()
5198 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || in selinux_socket_getpeersec_stream()
5199 sksec->sclass == SECCLASS_TCP_SOCKET || in selinux_socket_getpeersec_stream()
5200 sksec->sclass == SECCLASS_SCTP_SOCKET) in selinux_socket_getpeersec_stream()
5201 peer_sid = sksec->peer_sid; in selinux_socket_getpeersec_stream()
5203 return -ENOPROTOOPT; in selinux_socket_getpeersec_stream()
5210 err = -ERANGE; in selinux_socket_getpeersec_stream()
5215 err = -EFAULT; in selinux_socket_getpeersec_stream()
5218 err = -EFAULT; in selinux_socket_getpeersec_stream()
5229 if (skb && skb->protocol == htons(ETH_P_IP)) in selinux_socket_getpeersec_dgram()
5231 else if (skb && skb->protocol == htons(ETH_P_IPV6)) in selinux_socket_getpeersec_dgram()
5234 family = sock->sk->sk_family; in selinux_socket_getpeersec_dgram()
5237 return -EINVAL; in selinux_socket_getpeersec_dgram()
5243 peer_secid = isec->sid; in selinux_socket_getpeersec_dgram()
5249 return -ENOPROTOOPT; in selinux_socket_getpeersec_dgram()
5257 sksec->peer_sid = SECINITSID_UNLABELED; in selinux_sk_alloc_security()
5258 sksec->sid = SECINITSID_UNLABELED; in selinux_sk_alloc_security()
5259 sksec->sclass = SECCLASS_SOCKET; in selinux_sk_alloc_security()
5277 newsksec->sid = sksec->sid; in selinux_sk_clone_security()
5278 newsksec->peer_sid = sksec->peer_sid; in selinux_sk_clone_security()
5279 newsksec->sclass = sksec->sclass; in selinux_sk_clone_security()
5291 *secid = sksec->sid; in selinux_sk_getsecid()
5301 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || in selinux_sock_graft()
5302 sk->sk_family == PF_UNIX) in selinux_sock_graft()
5303 isec->sid = sksec->sid; in selinux_sock_graft()
5304 sksec->sclass = isec->sclass; in selinux_sock_graft()
5314 struct sock *sk = asoc->base.sk; in selinux_sctp_process_new_assoc()
5315 u16 family = sk->sk_family; in selinux_sctp_process_new_assoc()
5322 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) in selinux_sctp_process_new_assoc()
5326 asoc->peer_secid = SECSID_NULL; in selinux_sctp_process_new_assoc()
5331 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid); in selinux_sctp_process_new_assoc()
5335 if (asoc->peer_secid == SECSID_NULL) in selinux_sctp_process_new_assoc()
5336 asoc->peer_secid = SECINITSID_UNLABELED; in selinux_sctp_process_new_assoc()
5338 asoc->peer_secid = SECINITSID_UNLABELED; in selinux_sctp_process_new_assoc()
5341 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { in selinux_sctp_process_new_assoc()
5342 sksec->sctp_assoc_state = SCTP_ASSOC_SET; in selinux_sctp_process_new_assoc()
5346 * then it is approved by policy and used as the primary in selinux_sctp_process_new_assoc()
5349 sksec->peer_sid = asoc->peer_secid; in selinux_sctp_process_new_assoc()
5350 } else if (sksec->peer_sid != asoc->peer_secid) { in selinux_sctp_process_new_assoc()
5354 ad_net_init_from_sk(&ad, &net, asoc->base.sk); in selinux_sctp_process_new_assoc()
5355 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid, in selinux_sctp_process_new_assoc()
5356 sksec->sclass, SCTP_SOCKET__ASSOCIATION, in selinux_sctp_process_new_assoc()
5371 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); in selinux_sctp_assoc_request()
5388 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid); in selinux_sctp_assoc_request()
5392 asoc->secid = conn_sid; in selinux_sctp_assoc_request()
5404 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); in selinux_sctp_assoc_established()
5409 /* Inherit secid from the parent socket - this will be picked up in selinux_sctp_assoc_established()
5413 asoc->secid = sksec->sid; in selinux_sctp_assoc_established()
5434 sock = sk->sk_socket; in selinux_sctp_bind_connect()
5439 return -EINVAL; in selinux_sctp_bind_connect()
5442 switch (addr->sa_family) { in selinux_sctp_bind_connect()
5451 return -EINVAL; in selinux_sctp_bind_connect()
5455 return -EINVAL; in selinux_sctp_bind_connect()
5457 err = -EINVAL; in selinux_sctp_bind_connect()
5507 * the non-sctp clone version. in selinux_sctp_sk_clone()
5512 newsksec->sid = asoc->secid; in selinux_sctp_sk_clone()
5513 newsksec->peer_sid = asoc->peer_secid; in selinux_sctp_sk_clone()
5514 newsksec->sclass = sksec->sclass; in selinux_sctp_sk_clone()
5523 ssksec->sclass = sksec->sclass; in selinux_mptcp_add_subflow()
5524 ssksec->sid = sksec->sid; in selinux_mptcp_add_subflow()
5527 * and re-recreating a new label using the updated context in selinux_mptcp_add_subflow()
5530 return selinux_netlbl_socket_post_create(ssk, ssk->sk_family); in selinux_mptcp_add_subflow()
5538 u16 family = req->rsk_ops->family; in selinux_inet_conn_request()
5545 err = selinux_conn_sid(sksec->sid, peersid, &connsid); in selinux_inet_conn_request()
5548 req->secid = connsid; in selinux_inet_conn_request()
5549 req->peer_secid = peersid; in selinux_inet_conn_request()
5559 newsksec->sid = req->secid; in selinux_inet_csk_clone()
5560 newsksec->peer_sid = req->peer_secid; in selinux_inet_csk_clone()
5561 /* NOTE: Ideally, we should also get the isec->sid for the in selinux_inet_csk_clone()
5568 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); in selinux_inet_csk_clone()
5573 u16 family = sk->sk_family; in selinux_inet_conn_established()
5577 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) in selinux_inet_conn_established()
5580 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); in selinux_inet_conn_established()
5602 flic->flowic_secid = req->secid; in selinux_req_classify_flow()
5609 tunsec->sid = current_sid(); in selinux_tun_dev_alloc_security()
5621 * connections unlike traditional sockets - check the TUN driver to in selinux_tun_dev_create()
5632 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, in selinux_tun_dev_attach_queue()
5648 sksec->sid = tunsec->sid; in selinux_tun_dev_attach()
5649 sksec->sclass = SECCLASS_TUN_SOCKET; in selinux_tun_dev_attach()
5660 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, in selinux_tun_dev_open()
5668 tunsec->sid = sid; in selinux_tun_dev_open()
5694 family = state->pf; in selinux_ip_forward()
5698 ifindex = state->in->ifindex; in selinux_ip_forward()
5706 err = selinux_inet_sys_rcv_skb(state->net, ifindex, in selinux_ip_forward()
5715 if (avc_has_perm(peer_sid, skb->secmark, in selinux_ip_forward()
5742 sk = sk_to_full_sk(skb->sk); in selinux_ip_output()
5748 * packet is a SYN-ACK packet which means it needs to in selinux_ip_output()
5752 * the parent socket until after the SYN-ACK is sent. in selinux_ip_output()
5753 * the "solution" is to simply pass the packet as-is in selinux_ip_output()
5763 sid = sksec->sid; in selinux_ip_output()
5766 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0) in selinux_ip_output()
5787 ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf); in selinux_ip_postroute_compat()
5792 if (avc_has_perm(sksec->sid, skb->secmark, in selinux_ip_postroute_compat()
5794 return NF_DROP_ERR(-ECONNREFUSED); in selinux_ip_postroute_compat()
5796 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) in selinux_ip_postroute_compat()
5797 return NF_DROP_ERR(-ECONNREFUSED); in selinux_ip_postroute_compat()
5831 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec in selinux_ip_postroute()
5835 * NOTE: there appear to be some IPv6 multicast cases where skb->dst in selinux_ip_postroute()
5837 * NOTE: if this is a local socket (skb->sk != NULL) that is in the in selinux_ip_postroute()
5842 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && in selinux_ip_postroute()
5847 family = state->pf; in selinux_ip_postroute()
5853 if (skb->skb_iif) { in selinux_ip_postroute()
5863 * listening state which means this is a SYN-ACK packet. In in selinux_ip_postroute()
5867 * socket until after the SYN-ACK packet is sent; the only in selinux_ip_postroute()
5886 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) in selinux_ip_postroute()
5890 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) in selinux_ip_postroute()
5894 return NF_DROP_ERR(-ECONNREFUSED); in selinux_ip_postroute()
5897 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) in selinux_ip_postroute()
5904 peer_sid = sksec->sid; in selinux_ip_postroute()
5908 ifindex = state->out->ifindex; in selinux_ip_postroute()
5914 if (avc_has_perm(peer_sid, skb->secmark, in selinux_ip_postroute()
5916 return NF_DROP_ERR(-ECONNREFUSED); in selinux_ip_postroute()
5922 if (sel_netif_sid(state->net, ifindex, &if_sid)) in selinux_ip_postroute()
5926 return NF_DROP_ERR(-ECONNREFUSED); in selinux_ip_postroute()
5932 return NF_DROP_ERR(-ECONNREFUSED); in selinux_ip_postroute()
5941 struct sk_security_struct *sksec = sk->sk_security; in nlmsg_sock_has_extended_perms()
5946 if (sock_skip_has_perm(sksec->sid)) in nlmsg_sock_has_extended_perms()
5955 return avc_has_extended_perms(current_sid(), sksec->sid, sksec->sclass, in nlmsg_sock_has_extended_perms()
5963 unsigned int data_len = skb->len; in selinux_netlink_send()
5964 unsigned char *data = skb->data; in selinux_netlink_send()
5967 u16 sclass = sksec->sclass; in selinux_netlink_send()
5979 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len) in selinux_netlink_send()
5982 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm); in selinux_netlink_send()
5986 sk, perm, nlh->nlmsg_type); in selinux_netlink_send()
5992 } else if (rc == -EINVAL) { in selinux_netlink_send()
5993 /* -EINVAL is a missing msg/perm mapping */ in selinux_netlink_send()
5997 sk->sk_protocol, nlh->nlmsg_type, in selinux_netlink_send()
5998 secclass_map[sclass - 1].name, in selinux_netlink_send()
5999 task_pid_nr(current), current->comm); in selinux_netlink_send()
6004 } else if (rc == -ENOENT) { in selinux_netlink_send()
6005 /* -ENOENT is a missing socket/class mapping, ignore */ in selinux_netlink_send()
6012 msg_len = NLMSG_ALIGN(nlh->nlmsg_len); in selinux_netlink_send()
6015 data_len -= msg_len; in selinux_netlink_send()
6024 isec->sclass = sclass; in ipc_init_security()
6025 isec->sid = current_sid(); in ipc_init_security()
6038 ad.u.ipc_id = ipc_perms->key; in ipc_has_perm()
6040 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); in ipc_has_perm()
6048 msec->sid = SECINITSID_UNLABELED; in selinux_msg_msg_alloc_security()
6064 ad.u.ipc_id = msq->key; in selinux_msg_queue_alloc_security()
6066 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, in selinux_msg_queue_alloc_security()
6079 ad.u.ipc_id = msq->key; in selinux_msg_queue_associate()
6081 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, in selinux_msg_queue_associate()
6092 /* No specific object, just general system-wide information. */ in selinux_msg_queue_msgctl()
6127 if (msec->sid == SECINITSID_UNLABELED) { in selinux_msg_queue_msgsnd()
6132 rc = security_transition_sid(sid, isec->sid, in selinux_msg_queue_msgsnd()
6133 SECCLASS_MSG, NULL, &msec->sid); in selinux_msg_queue_msgsnd()
6139 ad.u.ipc_id = msq->key; in selinux_msg_queue_msgsnd()
6142 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, in selinux_msg_queue_msgsnd()
6146 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, in selinux_msg_queue_msgsnd()
6150 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, in selinux_msg_queue_msgsnd()
6170 ad.u.ipc_id = msq->key; in selinux_msg_queue_msgrcv()
6172 rc = avc_has_perm(sid, isec->sid, in selinux_msg_queue_msgrcv()
6175 rc = avc_has_perm(sid, msec->sid, in selinux_msg_queue_msgrcv()
6191 ad.u.ipc_id = shp->key; in selinux_shm_alloc_security()
6193 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, in selinux_shm_alloc_security()
6206 ad.u.ipc_id = shp->key; in selinux_shm_associate()
6208 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, in selinux_shm_associate()
6220 /* No specific object, just general system-wide information. */ in selinux_shm_shmctl()
6269 ad.u.ipc_id = sma->key; in selinux_sem_alloc_security()
6271 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, in selinux_sem_alloc_security()
6284 ad.u.ipc_id = sma->key; in selinux_sem_associate()
6286 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, in selinux_sem_associate()
6299 /* No specific object, just general system-wide information. */ in selinux_sem_semctl()
6367 prop->selinux.secid = isec->sid; in selinux_ipc_getlsmprop()
6387 error = avc_has_perm(current_sid(), tsec->sid, in selinux_lsm_getattr()
6394 sid = tsec->sid; in selinux_lsm_getattr()
6397 sid = tsec->osid; in selinux_lsm_getattr()
6400 sid = tsec->exec_sid; in selinux_lsm_getattr()
6403 sid = tsec->create_sid; in selinux_lsm_getattr()
6406 sid = tsec->keycreate_sid; in selinux_lsm_getattr()
6409 sid = tsec->sockcreate_sid; in selinux_lsm_getattr()
6412 error = -EOPNOTSUPP; in selinux_lsm_getattr()
6465 error = -EOPNOTSUPP; in selinux_lsm_setattr()
6473 if (str[size-1] == '\n') { in selinux_lsm_setattr()
6474 str[size-1] = 0; in selinux_lsm_setattr()
6475 size--; in selinux_lsm_setattr()
6479 if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) { in selinux_lsm_setattr()
6487 if (str[size - 1] == '\0') in selinux_lsm_setattr()
6488 audit_size = size - 1; in selinux_lsm_setattr()
6512 return -ENOMEM; in selinux_lsm_setattr()
6522 tsec->exec_sid = sid; in selinux_lsm_setattr()
6524 tsec->create_sid = sid; in selinux_lsm_setattr()
6532 tsec->keycreate_sid = sid; in selinux_lsm_setattr()
6534 tsec->sockcreate_sid = sid; in selinux_lsm_setattr()
6536 error = -EINVAL; in selinux_lsm_setattr()
6541 error = security_bounded_transition(tsec->sid, sid); in selinux_lsm_setattr()
6547 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, in selinux_lsm_setattr()
6562 tsec->sid = sid; in selinux_lsm_setattr()
6564 error = -EINVAL; in selinux_lsm_setattr()
6577 * selinux_getselfattr - Get SELinux current task attributes
6609 rc = selinux_lsm_setattr(attr, ctx->ctx, ctx->ctx_len); in selinux_setselfattr()
6623 if (rc != -EOPNOTSUPP) in selinux_getprocattr()
6627 return -EINVAL; in selinux_getprocattr()
6636 return -EINVAL; in selinux_setprocattr()
6650 cp->id = LSM_ID_SELINUX; in selinux_secid_to_secctx()
6651 ret = security_sid_to_context(secid, &cp->context, &cp->len); in selinux_secid_to_secctx()
6654 return cp->len; in selinux_secid_to_secctx()
6665 return selinux_secid_to_secctx(prop->selinux.secid, cp); in selinux_lsmprop_to_secctx()
6676 if (cp->id == LSM_ID_SELINUX) { in selinux_release_secctx()
6677 kfree(cp->context); in selinux_release_secctx()
6678 cp->context = NULL; in selinux_release_secctx()
6679 cp->id = LSM_ID_UNDEF; in selinux_release_secctx()
6687 spin_lock(&isec->lock); in selinux_inode_invalidate_secctx()
6688 isec->initialized = LABEL_INVALID; in selinux_inode_invalidate_secctx()
6689 spin_unlock(&isec->lock); in selinux_inode_invalidate_secctx()
6693 * called with inode->i_mutex locked
6700 return rc == -EOPNOTSUPP ? 0 : rc; in selinux_inode_notifysecctx()
6704 * called with inode->i_mutex locked
6717 (void **)&cp->context, true); in selinux_inode_getsecctx()
6720 cp->len = len; in selinux_inode_getsecctx()
6721 cp->id = LSM_ID_SELINUX; in selinux_inode_getsecctx()
6733 if (tsec->keycreate_sid) in selinux_key_alloc()
6734 ksec->sid = tsec->keycreate_sid; in selinux_key_alloc()
6736 ksec->sid = tsec->sid; in selinux_key_alloc()
6775 return -EPERM; in selinux_key_permission()
6783 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); in selinux_key_permission()
6793 rc = security_sid_to_context(ksec->sid, in selinux_key_getsecurity()
6807 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL); in selinux_watch_key()
6829 return avc_has_perm(sec->sid, sid, in selinux_ib_pkey_access()
6853 return avc_has_perm(sec->sid, sid, in selinux_ib_endport_manage_subnet()
6862 sec->sid = current_sid(); in selinux_ib_alloc_security()
6917 if (file->f_op == &bpf_map_fops) { in bpf_fd_pass()
6918 map = file->private_data; in bpf_fd_pass()
6919 bpfsec = map->security; in bpf_fd_pass()
6920 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, in bpf_fd_pass()
6921 bpf_map_fmode_to_av(file->f_mode), NULL); in bpf_fd_pass()
6924 } else if (file->f_op == &bpf_prog_fops) { in bpf_fd_pass()
6925 prog = file->private_data; in bpf_fd_pass()
6926 bpfsec = prog->aux->security; in bpf_fd_pass()
6927 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, in bpf_fd_pass()
6940 bpfsec = map->security; in selinux_bpf_map()
6941 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, in selinux_bpf_map()
6950 bpfsec = prog->aux->security; in selinux_bpf_prog()
6951 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, in selinux_bpf_prog()
6962 return -ENOMEM; in selinux_bpf_map_create()
6964 bpfsec->sid = current_sid(); in selinux_bpf_map_create()
6965 map->security = bpfsec; in selinux_bpf_map_create()
6972 struct bpf_security_struct *bpfsec = map->security; in selinux_bpf_map_free()
6974 map->security = NULL; in selinux_bpf_map_free()
6985 return -ENOMEM; in selinux_bpf_prog_load()
6987 bpfsec->sid = current_sid(); in selinux_bpf_prog_load()
6988 prog->aux->security = bpfsec; in selinux_bpf_prog_load()
6995 struct bpf_security_struct *bpfsec = prog->aux->security; in selinux_bpf_prog_free()
6997 prog->aux->security = NULL; in selinux_bpf_prog_free()
7008 return -ENOMEM; in selinux_bpf_token_create()
7010 bpfsec->sid = current_sid(); in selinux_bpf_token_create()
7011 token->security = bpfsec; in selinux_bpf_token_create()
7018 struct bpf_security_struct *bpfsec = token->security; in selinux_bpf_token_free()
7020 token->security = NULL; in selinux_bpf_token_free()
7056 return -EINVAL; in selinux_perf_event_open()
7066 perfsec = selinux_perf_event(event->security); in selinux_perf_event_alloc()
7067 perfsec->sid = current_sid(); in selinux_perf_event_alloc()
7074 struct perf_event_security_struct *perfsec = event->security; in selinux_perf_event_read()
7077 return avc_has_perm(sid, perfsec->sid, in selinux_perf_event_read()
7083 struct perf_event_security_struct *perfsec = event->security; in selinux_perf_event_write()
7086 return avc_has_perm(sid, perfsec->sid, in selinux_perf_event_write()
7093 * selinux_uring_override_creds - check the requested cred override
7106 * selinux_uring_sqpoll - check if a io_uring polling thread can be created
7120 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
7129 struct file *file = ioucmd->file; in selinux_uring_cmd()
7137 return avc_has_perm(current_sid(), isec->sid, in selinux_uring_cmd()