// SPDX-License-Identifier: GPL-2.0-only /* * Security-Enhanced Linux (SELinux) security module * * This file contains the SELinux hook function implementations. * * Authors: Stephen Smalley, <[email protected]> * Chris Vance, <[email protected]> * Wayne Salamon, <[email protected]> * James Morris <[email protected]> * * Copyright (C) 2001,2002 Networks Associates Technology, Inc. * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]> * Eric Paris <[email protected]> * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. * <[email protected]> * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. * Paul Moore <[email protected]> * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. * Yuichi Nakamura <[email protected]> * Copyright (C) 2016 Mellanox Technologies */ #include <linux/init.h> #include <linux/kd.h> #include <linux/kernel.h> #include <linux/kernel_read_file.h> #include <linux/errno.h> #include <linux/sched/signal.h> #include <linux/sched/task.h> #include <linux/lsm_hooks.h> #include <linux/xattr.h> #include <linux/capability.h> #include <linux/unistd.h> #include <linux/mm.h> #include <linux/mman.h> #include <linux/slab.h> #include <linux/pagemap.h> #include <linux/proc_fs.h> #include <linux/swap.h> #include <linux/spinlock.h> #include <linux/syscalls.h> #include <linux/dcache.h> #include <linux/file.h> #include <linux/fdtable.h> #include <linux/namei.h> #include <linux/mount.h> #include <linux/fs_context.h> #include <linux/fs_parser.h> #include <linux/netfilter_ipv4.h> #include <linux/netfilter_ipv6.h> #include <linux/tty.h> #include <net/icmp.h> #include <net/ip.h> /* for local_port_range[] */ #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ #include <net/inet_connection_sock.h> #include <net/net_namespace.h> #include <net/netlabel.h> #include <linux/uaccess.h> #include <asm/ioctls.h> #include <linux/atomic.h> #include <linux/bitops.h> #include <linux/interrupt.h> #include <linux/netdevice.h> /* for network interface checks */ #include <net/netlink.h> #include <linux/tcp.h> #include <linux/udp.h> #include <linux/dccp.h> #include <linux/sctp.h> #include <net/sctp/structs.h> #include <linux/quota.h> #include <linux/un.h> /* for Unix socket types */ #include <net/af_unix.h> /* for Unix socket types */ #include <linux/parser.h> #include <linux/nfs_mount.h> #include <net/ipv6.h> #include <linux/hugetlb.h> #include <linux/personality.h> #include <linux/audit.h> #include <linux/string.h> #include <linux/mutex.h> #include <linux/posix-timers.h> #include <linux/syslog.h> #include <linux/user_namespace.h> #include <linux/export.h> #include <linux/msg.h> #include <linux/shm.h> #include <uapi/linux/shm.h> #include <linux/bpf.h> #include <linux/kernfs.h> #include <linux/stringhash.h> /* for hashlen_string() */ #include <uapi/linux/mount.h> #include <linux/fsnotify.h> #include <linux/fanotify.h> #include <linux/io_uring/cmd.h> #include <uapi/linux/lsm.h> #include "avc.h" #include "objsec.h" #include "netif.h" #include "netnode.h" #include "netport.h" #include "ibpkey.h" #include "xfrm.h" #include "netlabel.h" #include "audit.h" #include "avc_ss.h" #define SELINUX_INODE_INIT_XATTRS … struct selinux_state selinux_state; /* SECMARK reference count */ static atomic_t selinux_secmark_refcount = …; #ifdef CONFIG_SECURITY_SELINUX_DEVELOP static int selinux_enforcing_boot __initdata; static int __init enforcing_setup(char *str) { … } __setup(…); #else #define selinux_enforcing_boot … #endif int selinux_enabled_boot __initdata = …; #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM static int __init selinux_enabled_setup(char *str) { … } __setup(…); #endif static int __init checkreqprot_setup(char *str) { … } __setup(…); /** * selinux_secmark_enabled - Check to see if SECMARK is currently enabled * * Description: * This function checks the SECMARK reference counter to see if any SECMARK * targets are currently configured, if the reference counter is greater than * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is * enabled, false (0) if SECMARK is disabled. If the always_check_network * policy capability is enabled, SECMARK is always considered enabled. * */ static int selinux_secmark_enabled(void) { … } /** * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled * * Description: * This function checks if NetLabel or labeled IPSEC is enabled. Returns true * (1) if any are enabled or false (0) if neither are enabled. If the * always_check_network policy capability is enabled, peer labeling * is always considered enabled. * */ static int selinux_peerlbl_enabled(void) { … } static int selinux_netcache_avc_callback(u32 event) { … } static int selinux_lsm_notifier_avc_callback(u32 event) { … } /* * initialise the security for the init task */ static void cred_init_security(void) { … } /* * get the security ID of a set of credentials */ static inline u32 cred_sid(const struct cred *cred) { … } static void __ad_net_init(struct common_audit_data *ad, struct lsm_network_audit *net, int ifindex, struct sock *sk, u16 family) { … } static void ad_net_init_from_sk(struct common_audit_data *ad, struct lsm_network_audit *net, struct sock *sk) { … } static void ad_net_init_from_iif(struct common_audit_data *ad, struct lsm_network_audit *net, int ifindex, u16 family) { … } /* * get the objective security ID of a task */ static inline u32 task_sid_obj(const struct task_struct *task) { … } static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); /* * Try reloading inode security labels that have been marked as invalid. The * @may_sleep parameter indicates when sleeping and thus reloading labels is * allowed; when set to false, returns -ECHILD when the label is * invalid. The @dentry parameter should be set to a dentry of the inode. */ static int __inode_security_revalidate(struct inode *inode, struct dentry *dentry, bool may_sleep) { … } static struct inode_security_struct *inode_security_novalidate(struct inode *inode) { … } static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) { … } /* * Get the security label of an inode. */ static struct inode_security_struct *inode_security(struct inode *inode) { … } static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) { … } /* * Get the security label of a dentry's backing inode. */ static struct inode_security_struct *backing_inode_security(struct dentry *dentry) { … } static void inode_free_security(struct inode *inode) { … } struct selinux_mnt_opts { … }; static void selinux_free_mnt_opts(void *mnt_opts) { … } enum { … }; #define A … static const struct { … } tokens[] = …; #undef A static int match_opt_prefix(char *s, int l, char **arg) { … } #define SEL_MOUNT_FAIL_MSG … static int may_context_mount_sb_relabel(u32 sid, struct superblock_security_struct *sbsec, const struct cred *cred) { … } static int may_context_mount_inode_relabel(u32 sid, struct superblock_security_struct *sbsec, const struct cred *cred) { … } static int selinux_is_genfs_special_handling(struct super_block *sb) { … } static int selinux_is_sblabel_mnt(struct super_block *sb) { … } static int sb_check_xattr_support(struct super_block *sb) { … } static int sb_finish_set_opts(struct super_block *sb) { … } static int bad_option(struct superblock_security_struct *sbsec, char flag, u32 old_sid, u32 new_sid) { … } /* * Allow filesystems with binary mount data to explicitly set mount point * labeling information. */ static int selinux_set_mnt_opts(struct super_block *sb, void *mnt_opts, unsigned long kern_flags, unsigned long *set_kern_flags) { … } static int selinux_cmp_sb_context(const struct super_block *oldsb, const struct super_block *newsb) { … } static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, struct super_block *newsb, unsigned long kern_flags, unsigned long *set_kern_flags) { … } /* * NOTE: the caller is responsible for freeing the memory even if on error. */ static int selinux_add_opt(int token, const char *s, void **mnt_opts) { … } static int show_sid(struct seq_file *m, u32 sid) { … } static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) { … } static inline u16 inode_mode_to_security_class(umode_t mode) { … } static inline int default_protocol_stream(int protocol) { … } static inline int default_protocol_dgram(int protocol) { … } static inline u16 socket_type_to_security_class(int family, int type, int protocol) { … } static int selinux_genfs_get_sid(struct dentry *dentry, u16 tclass, u16 flags, u32 *sid) { … } static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, u32 def_sid, u32 *sid) { … } /* The inode's security attributes must be initialized before first use. */ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) { … } /* Convert a Linux signal to an access vector. */ static inline u32 signal_to_av(int sig) { … } #if CAP_LAST_CAP > 63 #error Fix SELinux to handle capabilities > 63. #endif /* Check whether a task is allowed to use a capability. */ static int cred_has_capability(const struct cred *cred, int cap, unsigned int opts, bool initns) { … } /* Check whether a task has a particular permission to an inode. The 'adp' parameter is optional and allows other audit data to be passed (e.g. the dentry). */ static int inode_has_perm(const struct cred *cred, struct inode *inode, u32 perms, struct common_audit_data *adp) { … } /* Same as inode_has_perm, but pass explicit audit data containing the dentry to help the auditing code to more easily generate the pathname if needed. */ static inline int dentry_has_perm(const struct cred *cred, struct dentry *dentry, u32 av) { … } /* Same as inode_has_perm, but pass explicit audit data containing the path to help the auditing code to more easily generate the pathname if needed. */ static inline int path_has_perm(const struct cred *cred, const struct path *path, u32 av) { … } /* Same as path_has_perm, but uses the inode from the file struct. */ static inline int file_path_has_perm(const struct cred *cred, struct file *file, u32 av) { … } #ifdef CONFIG_BPF_SYSCALL static int bpf_fd_pass(const struct file *file, u32 sid); #endif /* Check whether a task can use an open file descriptor to access an inode in a given way. Check access to the descriptor itself, and then use dentry_has_perm to check a particular permission to the file. Access to the descriptor is implicitly granted if it has the same SID as the process. If av is zero, then access to the file is not checked, e.g. for cases where only the descriptor is affected like seek. */ static int file_has_perm(const struct cred *cred, struct file *file, u32 av) { … } /* * Determine the label for an inode that might be unioned. */ static int selinux_determine_inode_label(const struct task_security_struct *tsec, struct inode *dir, const struct qstr *name, u16 tclass, u32 *_new_isid) { … } /* Check whether a task can create a file. */ static int may_create(struct inode *dir, struct dentry *dentry, u16 tclass) { … } #define MAY_LINK … #define MAY_UNLINK … #define MAY_RMDIR … /* Check whether a task can link, unlink, or rmdir a file/directory. */ static int may_link(struct inode *dir, struct dentry *dentry, int kind) { … } static inline int may_rename(struct inode *old_dir, struct dentry *old_dentry, struct inode *new_dir, struct dentry *new_dentry) { … } /* Check whether a task can perform a filesystem operation. */ static int superblock_has_perm(const struct cred *cred, const struct super_block *sb, u32 perms, struct common_audit_data *ad) { … } /* Convert a Linux mode and permission mask to an access vector. */ static inline u32 file_mask_to_av(int mode, int mask) { … } /* Convert a Linux file to an access vector. */ static inline u32 file_to_av(const struct file *file) { … } /* * Convert a file to an access vector and include the correct * open permission. */ static inline u32 open_file_to_av(struct file *file) { … } /* Hook functions begin here. */ static int selinux_binder_set_context_mgr(const struct cred *mgr) { … } static int selinux_binder_transaction(const struct cred *from, const struct cred *to) { … } static int selinux_binder_transfer_binder(const struct cred *from, const struct cred *to) { … } static int selinux_binder_transfer_file(const struct cred *from, const struct cred *to, const struct file *file) { … } static int selinux_ptrace_access_check(struct task_struct *child, unsigned int mode) { … } static int selinux_ptrace_traceme(struct task_struct *parent) { … } static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted) { … } static int selinux_capset(struct cred *new, const struct cred *old, const kernel_cap_t *effective, const kernel_cap_t *inheritable, const kernel_cap_t *permitted) { … } /* * (This comment used to live with the selinux_task_setuid hook, * which was removed). * * Since setuid only affects the current process, and since the SELinux * controls are not based on the Linux identity attributes, SELinux does not * need to control this operation. However, SELinux does control the use of * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. */ static int selinux_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts) { … } static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb) { … } static int selinux_quota_on(struct dentry *dentry) { … } static int selinux_syslog(int type) { … } /* * Check that a process has enough memory to allocate a new virtual * mapping. 0 means there is enough memory for the allocation to * succeed and -ENOMEM implies there is not. * * Do not audit the selinux permission check, as this is applied to all * processes that allocate mappings. */ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) { … } /* binprm security operations */ static u32 ptrace_parent_sid(void) { … } static int check_nnp_nosuid(const struct linux_binprm *bprm, const struct task_security_struct *old_tsec, const struct task_security_struct *new_tsec) { … } static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) { … } static int match_file(const void *p, struct file *file, unsigned fd) { … } /* Derived from fs/exec.c:flush_old_files. */ static inline void flush_unauthorized_files(const struct cred *cred, struct files_struct *files) { … } /* * Prepare a process for imminent new credential changes due to exec */ static void selinux_bprm_committing_creds(const struct linux_binprm *bprm) { … } /* * Clean up the process immediately after the installation of new credentials * due to exec */ static void selinux_bprm_committed_creds(const struct linux_binprm *bprm) { … } /* superblock security operations */ static int selinux_sb_alloc_security(struct super_block *sb) { … } static inline int opt_len(const char *s) { … } static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) { … } static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) { … } static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) { … } static int selinux_sb_kern_mount(const struct super_block *sb) { … } static int selinux_sb_statfs(struct dentry *dentry) { … } static int selinux_mount(const char *dev_name, const struct path *path, const char *type, unsigned long flags, void *data) { … } static int selinux_move_mount(const struct path *from_path, const struct path *to_path) { … } static int selinux_umount(struct vfsmount *mnt, int flags) { … } static int selinux_fs_context_submount(struct fs_context *fc, struct super_block *reference) { … } static int selinux_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc) { … } static const struct fs_parameter_spec selinux_fs_parameters[] = …; static int selinux_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param) { … } /* inode security operations */ static int selinux_inode_alloc_security(struct inode *inode) { … } static void selinux_inode_free_security(struct inode *inode) { … } static int selinux_dentry_init_security(struct dentry *dentry, int mode, const struct qstr *name, const char **xattr_name, void **ctx, u32 *ctxlen) { … } static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, struct qstr *name, const struct cred *old, struct cred *new) { … } static int selinux_inode_init_security(struct inode *inode, struct inode *dir, const struct qstr *qstr, struct xattr *xattrs, int *xattr_count) { … } static int selinux_inode_init_security_anon(struct inode *inode, const struct qstr *name, const struct inode *context_inode) { … } static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) { … } static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) { … } static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) { … } static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) { … } static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) { … } static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) { … } static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { … } static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, struct inode *new_inode, struct dentry *new_dentry) { … } static int selinux_inode_readlink(struct dentry *dentry) { … } static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, bool rcu) { … } static noinline int audit_inode_permission(struct inode *inode, u32 perms, u32 audited, u32 denied, int result) { … } static int selinux_inode_permission(struct inode *inode, int mask) { … } static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, struct iattr *iattr) { … } static int selinux_inode_getattr(const struct path *path) { … } static bool has_cap_mac_admin(bool audit) { … } /** * selinux_inode_xattr_skipcap - Skip the xattr capability checks? * @name: name of the xattr * * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs * named @name; the LSM layer should avoid enforcing any traditional * capability based access controls on this xattr. Returns 0 to indicate that * SELinux does not "own" the access control rights to xattrs named @name and is * deferring to the LSM layer for further access controls, including capability * based controls. */ static int selinux_inode_xattr_skipcap(const char *name) { … } static int selinux_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { … } static int selinux_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, const char *acl_name, struct posix_acl *kacl) { … } static int selinux_inode_get_acl(struct mnt_idmap *idmap, struct dentry *dentry, const char *acl_name) { … } static int selinux_inode_remove_acl(struct mnt_idmap *idmap, struct dentry *dentry, const char *acl_name) { … } static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { … } static int selinux_inode_getxattr(struct dentry *dentry, const char *name) { … } static int selinux_inode_listxattr(struct dentry *dentry) { … } static int selinux_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, const char *name) { … } static int selinux_path_notify(const struct path *path, u64 mask, unsigned int obj_type) { … } /* * Copy the inode security context value to the user. * * Permission check is handled by selinux_inode_getxattr hook. */ static int selinux_inode_getsecurity(struct mnt_idmap *idmap, struct inode *inode, const char *name, void **buffer, bool alloc) { … } static int selinux_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) { … } static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) { … } static void selinux_inode_getsecid(struct inode *inode, u32 *secid) { … } static int selinux_inode_copy_up(struct dentry *src, struct cred **new) { … } static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name) { … } /* kernfs node operations */ static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, struct kernfs_node *kn) { … } /* file security operations */ static int selinux_revalidate_file_permission(struct file *file, int mask) { … } static int selinux_file_permission(struct file *file, int mask) { … } static int selinux_file_alloc_security(struct file *file) { … } /* * Check whether a task has the ioctl permission and cmd * operation to an inode. */ static int ioctl_has_perm(const struct cred *cred, struct file *file, u32 requested, u16 cmd) { … } static int selinux_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { … } static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd, unsigned long arg) { … } static int default_noexec __ro_after_init; static int file_map_prot_check(struct file *file, unsigned long prot, int shared) { … } static int selinux_mmap_addr(unsigned long addr) { … } static int selinux_mmap_file(struct file *file, unsigned long reqprot __always_unused, unsigned long prot, unsigned long flags) { … } static int selinux_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot __always_unused, unsigned long prot) { … } static int selinux_file_lock(struct file *file, unsigned int cmd) { … } static int selinux_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg) { … } static void selinux_file_set_fowner(struct file *file) { … } static int selinux_file_send_sigiotask(struct task_struct *tsk, struct fown_struct *fown, int signum) { … } static int selinux_file_receive(struct file *file) { … } static int selinux_file_open(struct file *file) { … } /* task security operations */ static int selinux_task_alloc(struct task_struct *task, unsigned long clone_flags) { … } /* * prepare a new set of credentials for modification */ static int selinux_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) { … } /* * transfer the SELinux data to a blank set of creds */ static void selinux_cred_transfer(struct cred *new, const struct cred *old) { … } static void selinux_cred_getsecid(const struct cred *c, u32 *secid) { … } /* * set the security data for a kernel service * - all the creation contexts are set to unlabelled */ static int selinux_kernel_act_as(struct cred *new, u32 secid) { … } /* * set the file creation context in a security record to the same as the * objective context of the specified inode */ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) { … } static int selinux_kernel_module_request(char *kmod_name) { … } static int selinux_kernel_module_from_file(struct file *file) { … } static int selinux_kernel_read_file(struct file *file, enum kernel_read_file_id id, bool contents) { … } static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) { … } static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) { … } static int selinux_task_getpgid(struct task_struct *p) { … } static int selinux_task_getsid(struct task_struct *p) { … } static void selinux_current_getsecid_subj(u32 *secid) { … } static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) { … } static int selinux_task_setnice(struct task_struct *p, int nice) { … } static int selinux_task_setioprio(struct task_struct *p, int ioprio) { … } static int selinux_task_getioprio(struct task_struct *p) { … } static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, unsigned int flags) { … } static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, struct rlimit *new_rlim) { … } static int selinux_task_setscheduler(struct task_struct *p) { … } static int selinux_task_getscheduler(struct task_struct *p) { … } static int selinux_task_movememory(struct task_struct *p) { … } static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, int sig, const struct cred *cred) { … } static void selinux_task_to_inode(struct task_struct *p, struct inode *inode) { … } static int selinux_userns_create(const struct cred *cred) { … } /* Returns error only if unable to parse addresses */ static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct common_audit_data *ad, u8 *proto) { … } #if IS_ENABLED(CONFIG_IPV6) /* Returns error only if unable to parse addresses */ static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct common_audit_data *ad, u8 *proto) { … } #endif /* IPV6 */ static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, char **_addrp, int src, u8 *proto) { … } /** * selinux_skb_peerlbl_sid - Determine the peer label of a packet * @skb: the packet * @family: protocol family * @sid: the packet's peer label SID * * Description: * Check the various different forms of network peer labeling and determine * the peer label/SID for the packet; most of the magic actually occurs in * the security server function security_net_peersid_cmp(). The function * returns zero if the value in @sid is valid (although it may be SECSID_NULL) * or -EACCES if @sid is invalid due to inconsistencies with the different * peer labels. * */ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) { … } /** * selinux_conn_sid - Determine the child socket label for a connection * @sk_sid: the parent socket's SID * @skb_sid: the packet's SID * @conn_sid: the resulting connection SID * * If @skb_sid is valid then the user:role:type information from @sk_sid is * combined with the MLS information from @skb_sid in order to create * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy * of @sk_sid. Returns zero on success, negative values on failure. * */ static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) { … } /* socket security operations */ static int socket_sockcreate_sid(const struct task_security_struct *tsec, u16 secclass, u32 *socksid) { … } static int sock_has_perm(struct sock *sk, u32 perms) { … } static int selinux_socket_create(int family, int type, int protocol, int kern) { … } static int selinux_socket_post_create(struct socket *sock, int family, int type, int protocol, int kern) { … } static int selinux_socket_socketpair(struct socket *socka, struct socket *sockb) { … } /* Range of port numbers used to automatically bind. Need to determine whether we should perform a name_bind permission check between the socket and the port number. */ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) { … } /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst */ static int selinux_socket_connect_helper(struct socket *sock, struct sockaddr *address, int addrlen) { … } /* Supports connect(2), see comments in selinux_socket_connect_helper() */ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) { … } static int selinux_socket_listen(struct socket *sock, int backlog) { … } static int selinux_socket_accept(struct socket *sock, struct socket *newsock) { … } static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size) { … } static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, int size, int flags) { … } static int selinux_socket_getsockname(struct socket *sock) { … } static int selinux_socket_getpeername(struct socket *sock) { … } static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) { … } static int selinux_socket_getsockopt(struct socket *sock, int level, int optname) { … } static int selinux_socket_shutdown(struct socket *sock, int how) { … } static int selinux_socket_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk) { … } static int selinux_socket_unix_may_send(struct socket *sock, struct socket *other) { … } static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, char *addrp, u16 family, u32 peer_sid, struct common_audit_data *ad) { … } static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, u16 family) { … } static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { … } static int selinux_socket_getpeersec_stream(struct socket *sock, sockptr_t optval, sockptr_t optlen, unsigned int len) { … } static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) { … } static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) { … } static void selinux_sk_free_security(struct sock *sk) { … } static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) { … } static void selinux_sk_getsecid(const struct sock *sk, u32 *secid) { … } static void selinux_sock_graft(struct sock *sk, struct socket *parent) { … } /* * Determines peer_secid for the asoc and updates socket's peer label * if it's the first association on the socket. */ static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, struct sk_buff *skb) { … } /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This * happens on an incoming connect(2), sctp_connectx(3) or * sctp_sendmsg(3) (with no association already present). */ static int selinux_sctp_assoc_request(struct sctp_association *asoc, struct sk_buff *skb) { … } /* Called when SCTP receives a COOKIE ACK chunk as the final * response to an association request (initited by us). */ static int selinux_sctp_assoc_established(struct sctp_association *asoc, struct sk_buff *skb) { … } /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting * based on their @optname. */ static int selinux_sctp_bind_connect(struct sock *sk, int optname, struct sockaddr *address, int addrlen) { … } /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, struct sock *newsk) { … } static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) { … } static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, struct request_sock *req) { … } static void selinux_inet_csk_clone(struct sock *newsk, const struct request_sock *req) { … } static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) { … } static int selinux_secmark_relabel_packet(u32 sid) { … } static void selinux_secmark_refcount_inc(void) { … } static void selinux_secmark_refcount_dec(void) { … } static void selinux_req_classify_flow(const struct request_sock *req, struct flowi_common *flic) { … } static int selinux_tun_dev_alloc_security(void **security) { … } static void selinux_tun_dev_free_security(void *security) { … } static int selinux_tun_dev_create(void) { … } static int selinux_tun_dev_attach_queue(void *security) { … } static int selinux_tun_dev_attach(struct sock *sk, void *security) { … } static int selinux_tun_dev_open(void *security) { … } #ifdef CONFIG_NETFILTER static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) { … } static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) { … } static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, const struct nf_hook_state *state) { … } static unsigned int selinux_ip_postroute(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) { … } #endif /* CONFIG_NETFILTER */ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) { … } static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) { … } static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, u32 perms) { … } static int selinux_msg_msg_alloc_security(struct msg_msg *msg) { … } /* message queue security operations */ static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) { … } static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) { … } static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) { … } static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) { … } static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, struct task_struct *target, long type, int mode) { … } /* Shared Memory security operations */ static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) { … } static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) { … } /* Note, at this point, shp is locked down */ static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) { … } static int selinux_shm_shmat(struct kern_ipc_perm *shp, char __user *shmaddr, int shmflg) { … } /* Semaphore security operations */ static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) { … } static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) { … } /* Note, at this point, sma is locked down */ static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) { … } static int selinux_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops, unsigned nsops, int alter) { … } static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) { … } static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) { … } static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) { … } static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, char **value) { … } static int selinux_lsm_setattr(u64 attr, void *value, size_t size) { … } /** * selinux_getselfattr - Get SELinux current task attributes * @attr: the requested attribute * @ctx: buffer to receive the result * @size: buffer size (input), buffer size used (output) * @flags: unused * * Fill the passed user space @ctx with the details of the requested * attribute. * * Returns the number of attributes on success, an error code otherwise. * There will only ever be one attribute. */ static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, u32 *size, u32 flags) { … } static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx, u32 size, u32 flags) { … } static int selinux_getprocattr(struct task_struct *p, const char *name, char **value) { … } static int selinux_setprocattr(const char *name, void *value, size_t size) { … } static int selinux_ismaclabel(const char *name) { … } static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) { … } static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { … } static void selinux_release_secctx(char *secdata, u32 seclen) { … } static void selinux_inode_invalidate_secctx(struct inode *inode) { … } /* * called with inode->i_mutex locked */ static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) { … } /* * called with inode->i_mutex locked */ static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) { … } static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) { … } #ifdef CONFIG_KEYS static int selinux_key_alloc(struct key *k, const struct cred *cred, unsigned long flags) { … } static void selinux_key_free(struct key *k) { … } static int selinux_key_permission(key_ref_t key_ref, const struct cred *cred, enum key_need_perm need_perm) { … } static int selinux_key_getsecurity(struct key *key, char **_buffer) { … } #ifdef CONFIG_KEY_NOTIFICATIONS static int selinux_watch_key(struct key *key) { … } #endif #endif #ifdef CONFIG_SECURITY_INFINIBAND static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) { … } static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, u8 port_num) { … } static int selinux_ib_alloc_security(void **ib_sec) { … } static void selinux_ib_free_security(void *ib_sec) { … } #endif #ifdef CONFIG_BPF_SYSCALL static int selinux_bpf(int cmd, union bpf_attr *attr, unsigned int size) { … } static u32 bpf_map_fmode_to_av(fmode_t fmode) { … } /* This function will check the file pass through unix socket or binder to see * if it is a bpf related object. And apply corresponding checks on the bpf * object based on the type. The bpf maps and programs, not like other files and * socket, are using a shared anonymous inode inside the kernel as their inode. * So checking that inode cannot identify if the process have privilege to * access the bpf object and that's why we have to add this additional check in * selinux_file_receive and selinux_binder_transfer_files. */ static int bpf_fd_pass(const struct file *file, u32 sid) { … } static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) { … } static int selinux_bpf_prog(struct bpf_prog *prog) { … } static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr, struct bpf_token *token) { … } static void selinux_bpf_map_free(struct bpf_map *map) { … } static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr, struct bpf_token *token) { … } static void selinux_bpf_prog_free(struct bpf_prog *prog) { … } static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr, struct path *path) { … } static void selinux_bpf_token_free(struct bpf_token *token) { … } #endif struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = …; #ifdef CONFIG_PERF_EVENTS static int selinux_perf_event_open(struct perf_event_attr *attr, int type) { … } static int selinux_perf_event_alloc(struct perf_event *event) { … } static void selinux_perf_event_free(struct perf_event *event) { … } static int selinux_perf_event_read(struct perf_event *event) { … } static int selinux_perf_event_write(struct perf_event *event) { … } #endif #ifdef CONFIG_IO_URING /** * selinux_uring_override_creds - check the requested cred override * @new: the target creds * * Check to see if the current task is allowed to override it's credentials * to service an io_uring operation. */ static int selinux_uring_override_creds(const struct cred *new) { … } /** * selinux_uring_sqpoll - check if a io_uring polling thread can be created * * Check to see if the current task is allowed to create a new io_uring * kernel polling thread. */ static int selinux_uring_sqpoll(void) { … } /** * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed * @ioucmd: the io_uring command structure * * Check to see if the current domain is allowed to execute an * IORING_OP_URING_CMD against the device/file specified in @ioucmd. * */ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) { … } #endif /* CONFIG_IO_URING */ static const struct lsm_id selinux_lsmid = …; /* * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: * 1. any hooks that don't belong to (2.) or (3.) below, * 2. hooks that both access structures allocated by other hooks, and allocate * structures that can be later accessed by other hooks (mostly "cloning" * hooks), * 3. hooks that only allocate structures that can be later accessed by other * hooks ("allocating" hooks). * * Please follow block comment delimiters in the list to keep this order. */ static struct security_hook_list selinux_hooks[] __ro_after_init = …; static __init int selinux_init(void) { … } static void delayed_superblock_init(struct super_block *sb, void *unused) { … } void selinux_complete_init(void) { … } /* SELinux requires early initialization in order to label all processes and objects when they are created. */ DEFINE_LSM(selinux) = …; #if defined(CONFIG_NETFILTER) static const struct nf_hook_ops selinux_nf_ops[] = …; static int __net_init selinux_nf_register(struct net *net) { … } static void __net_exit selinux_nf_unregister(struct net *net) { … } static struct pernet_operations selinux_net_ops = …; static int __init selinux_nf_ip_init(void) { … } __initcall(selinux_nf_ip_init); #endif /* CONFIG_NETFILTER */
Codebase Browser
linux