]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
7efbb60b 6 * Authors: Stephen Smalley, <[email protected]>
828dfe1d
EP		 7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13 * Eric Paris <[email protected]>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <[email protected]>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <[email protected]>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <[email protected]>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
d452930f
RH		 70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
1da177e4
LT		 72#include <linux/quota.h>
73#include <linux/un.h> /* for Unix socket types */
74#include <net/af_unix.h> /* for Unix socket types */
75#include <linux/parser.h>
76#include <linux/nfs_mount.h>
77#include <net/ipv6.h>
78#include <linux/hugetlb.h>
79#include <linux/personality.h>
1da177e4 80#include <linux/audit.h>
6931dfc9 81#include <linux/string.h>
877ce7c1 82#include <linux/selinux.h>
23970741 83#include <linux/mutex.h>
f06febc9 84#include <linux/posix-timers.h>
00234592 85#include <linux/syslog.h>
3486740a 86#include <linux/user_namespace.h>
44fc7ea0 87#include <linux/export.h>
40401530
AV		 88#include <linux/msg.h>
89#include <linux/shm.h>
ec27c356 90#include <linux/bpf.h>
1da177e4
LT		 91
92#include "avc.h"
93#include "objsec.h"
94#include "netif.h"
224dfbd8 95#include "netnode.h"
3e112172 96#include "netport.h"
409dcf31 97#include "ibpkey.h"
d28d1e08 98#include "xfrm.h"
c60475bf 99#include "netlabel.h"
9d57a7f9 100#include "audit.h"
7b98a585 101#include "avc_ss.h"
1da177e4 102
aa8e712c
SS		 103struct selinux_state selinux_state;
104
d621d35e 105/* SECMARK reference count */
56a4ca99 106static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 107
1da177e4 108#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
aa8e712c 109static int selinux_enforcing_boot;
1da177e4
LT		 110
111static int __init enforcing_setup(char *str)
112{
f5269710 113 unsigned long enforcing;
29707b20 114 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 115 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 116 return 1;
117}
118__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 119#else
120#define selinux_enforcing_boot 1
1da177e4
LT		 121#endif
122
123#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125
126static int __init selinux_enabled_setup(char *str)
127{
f5269710 128 unsigned long enabled;
29707b20 129 if (!kstrtoul(str, 0, &enabled))
f5269710 130 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 131 return 1;
132}
133__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 134#else
135int selinux_enabled = 1;
1da177e4
LT		 136#endif
137
aa8e712c
SS		 138static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141static int __init checkreqprot_setup(char *str)
142{
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148}
149__setup("checkreqprot=", checkreqprot_setup);
150
e18b890b 151static struct kmem_cache *sel_inode_cache;
63205654 152static struct kmem_cache *file_security_cache;
7cae7e26 153
d621d35e
PM		 154/**
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156 *
157 * Description:
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 163 *
164 */
165static int selinux_secmark_enabled(void)
166{
aa8e712c
SS		 167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 169}
170
171/**
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173 *
174 * Description:
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
179 *
180 */
181static int selinux_peerlbl_enabled(void)
182{
aa8e712c
SS		 183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 185}
186
615e51fd
PM		 187static int selinux_netcache_avc_callback(u32 event)
188{
189 if (event == AVC_CALLBACK_RESET) {
190 sel_netif_flush();
191 sel_netnode_flush();
192 sel_netport_flush();
193 synchronize_net();
194 }
195 return 0;
196}
197
8f408ab6
DJ		 198static int selinux_lsm_notifier_avc_callback(u32 event)
199{
409dcf31
DJ		 200 if (event == AVC_CALLBACK_RESET) {
201 sel_ib_pkey_flush();
8f408ab6 202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 203 }
8f408ab6
DJ		 204
205 return 0;
206}
207
d84f4f99
DH		 208/*
209 * initialise the security for the init task
210 */
211static void cred_init_security(void)
1da177e4 212{
3b11a1de 213 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 214 struct task_security_struct *tsec;
215
89d155ef 216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 217 if (!tsec)
d84f4f99 218 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 219
d84f4f99 220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 221 cred->security = tsec;
1da177e4
LT		 222}
223
88e67f3b
DH		 224/*
225 * get the security ID of a set of credentials
226 */
227static inline u32 cred_sid(const struct cred *cred)
228{
229 const struct task_security_struct *tsec;
230
231 tsec = cred->security;
232 return tsec->sid;
233}
234
275bb41e 235/*
3b11a1de 236 * get the objective security ID of a task
275bb41e
DH		 237 */
238static inline u32 task_sid(const struct task_struct *task)
239{
275bb41e
DH		 240 u32 sid;
241
242 rcu_read_lock();
88e67f3b 243 sid = cred_sid(__task_cred(task));
275bb41e
DH		 244 rcu_read_unlock();
245 return sid;
246}
247
88e67f3b
DH		 248/* Allocate and free functions for each kind of security blob. */
249
1da177e4
LT		 250static int inode_alloc_security(struct inode *inode)
251{
1da177e4 252 struct inode_security_struct *isec;
275bb41e 253 u32 sid = current_sid();
1da177e4 254
a02fe132 255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 256 if (!isec)
257 return -ENOMEM;
258
9287aed2 259 spin_lock_init(&isec->lock);
1da177e4 260 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 261 isec->inode = inode;
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
275bb41e 264 isec->task_sid = sid;
42059112 265 isec->initialized = LABEL_INVALID;
1da177e4
LT		 266 inode->i_security = isec;
267
268 return 0;
269}
270
5d226df4
AG		 271static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
272
273/*
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 276 * allowed; when set to false, returns -ECHILD when the label is
e9193288 277 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 278 */
279static int __inode_security_revalidate(struct inode *inode,
e9193288 280 struct dentry *dentry,
5d226df4
AG		 281 bool may_sleep)
282{
283 struct inode_security_struct *isec = inode->i_security;
284
285 might_sleep_if(may_sleep);
286
aa8e712c
SS		 287 if (selinux_state.initialized &&
288 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 289 if (!may_sleep)
290 return -ECHILD;
291
292 /*
293 * Try reloading the inode security label. This will fail if
294 * @opt_dentry is NULL and no dentry for this inode can be
295 * found; in that case, continue using the old label.
296 */
e9193288 297 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 298 }
299 return 0;
300}
301
5d226df4
AG		 302static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
303{
304 return inode->i_security;
305}
306
307static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
308{
309 int error;
310
311 error = __inode_security_revalidate(inode, NULL, !rcu);
312 if (error)
313 return ERR_PTR(error);
314 return inode->i_security;
315}
316
83da53c5
AG		 317/*
318 * Get the security label of an inode.
319 */
320static struct inode_security_struct *inode_security(struct inode *inode)
321{
5d226df4 322 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 323 return inode->i_security;
324}
325
2c97165b
PM		 326static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
327{
328 struct inode *inode = d_backing_inode(dentry);
329
330 return inode->i_security;
331}
332
83da53c5
AG		 333/*
334 * Get the security label of a dentry's backing inode.
335 */
336static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
337{
338 struct inode *inode = d_backing_inode(dentry);
339
5d226df4 340 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 341 return inode->i_security;
342}
343
3dc91d43
SR		 344static void inode_free_rcu(struct rcu_head *head)
345{
346 struct inode_security_struct *isec;
347
348 isec = container_of(head, struct inode_security_struct, rcu);
349 kmem_cache_free(sel_inode_cache, isec);
350}
351
1da177e4
LT		 352static void inode_free_security(struct inode *inode)
353{
354 struct inode_security_struct *isec = inode->i_security;
355 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
356
9629d04a
WL		 357 /*
358 * As not all inode security structures are in a list, we check for
359 * empty list outside of the lock to make sure that we won't waste
360 * time taking a lock doing nothing.
361 *
362 * The list_del_init() function can be safely called more than once.
363 * It should not be possible for this function to be called with
364 * concurrent list_add(), but for better safety against future changes
365 * in the code, we use list_empty_careful() here.
366 */
367 if (!list_empty_careful(&isec->list)) {
368 spin_lock(&sbsec->isec_lock);
1da177e4 369 list_del_init(&isec->list);
9629d04a
WL		 370 spin_unlock(&sbsec->isec_lock);
371 }
1da177e4 372
3dc91d43
SR		 373 /*
374 * The inode may still be referenced in a path walk and
375 * a call to selinux_inode_permission() can be made
376 * after inode_free_security() is called. Ideally, the VFS
377 * wouldn't do this, but fixing that is a much harder
378 * job. For now, simply free the i_security via RCU, and
379 * leave the current inode->i_security pointer intact.
380 * The inode will be freed after the RCU grace period too.
381 */
382 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 383}
384
385static int file_alloc_security(struct file *file)
386{
1da177e4 387 struct file_security_struct *fsec;
275bb41e 388 u32 sid = current_sid();
1da177e4 389
63205654 390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 391 if (!fsec)
392 return -ENOMEM;
393
275bb41e
DH		 394 fsec->sid = sid;
395 fsec->fown_sid = sid;
1da177e4
LT		 396 file->f_security = fsec;
397
398 return 0;
399}
400
401static void file_free_security(struct file *file)
402{
403 struct file_security_struct *fsec = file->f_security;
1da177e4 404 file->f_security = NULL;
63205654 405 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 406}
407
408static int superblock_alloc_security(struct super_block *sb)
409{
410 struct superblock_security_struct *sbsec;
411
89d155ef 412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 413 if (!sbsec)
414 return -ENOMEM;
415
bc7e982b 416 mutex_init(&sbsec->lock);
1da177e4
LT		 417 INIT_LIST_HEAD(&sbsec->isec_head);
418 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 419 sbsec->sb = sb;
420 sbsec->sid = SECINITSID_UNLABELED;
421 sbsec->def_sid = SECINITSID_FILE;
c312feb2 422 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 423 sb->s_security = sbsec;
424
425 return 0;
426}
427
428static void superblock_free_security(struct super_block *sb)
429{
430 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 431 sb->s_security = NULL;
432 kfree(sbsec);
433}
434
1da177e4
LT		 435static inline int inode_doinit(struct inode *inode)
436{
437 return inode_doinit_with_dentry(inode, NULL);
438}
439
440enum {
31e87930 441 Opt_error = -1,
1da177e4
LT		 442 Opt_context = 1,
443 Opt_fscontext = 2,
c9180a57
EP		 444 Opt_defcontext = 3,
445 Opt_rootcontext = 4,
11689d47 446 Opt_labelsupport = 5,
d355987f 447 Opt_nextmntopt = 6,
1da177e4
LT		 448};
449
d355987f
EP		 450#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
451
a447c093 452static const match_table_t tokens = {
832cbd9a
EP		 453 {Opt_context, CONTEXT_STR "%s"},
454 {Opt_fscontext, FSCONTEXT_STR "%s"},
455 {Opt_defcontext, DEFCONTEXT_STR "%s"},
456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 457 {Opt_labelsupport, LABELSUPP_STR},
31e87930 458 {Opt_error, NULL},
1da177e4
LT		 459};
460
461#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
462
c312feb2
EP		 463static int may_context_mount_sb_relabel(u32 sid,
464 struct superblock_security_struct *sbsec,
275bb41e 465 const struct cred *cred)
c312feb2 466{
275bb41e 467 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 468 int rc;
469
6b6bc620
SS		 470 rc = avc_has_perm(&selinux_state,
471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 472 FILESYSTEM__RELABELFROM, NULL);
473 if (rc)
474 return rc;
475
6b6bc620
SS		 476 rc = avc_has_perm(&selinux_state,
477 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 478 FILESYSTEM__RELABELTO, NULL);
479 return rc;
480}
481
0808925e
EP		 482static int may_context_mount_inode_relabel(u32 sid,
483 struct superblock_security_struct *sbsec,
275bb41e 484 const struct cred *cred)
0808925e 485{
275bb41e 486 const struct task_security_struct *tsec = cred->security;
0808925e 487 int rc;
6b6bc620
SS		 488 rc = avc_has_perm(&selinux_state,
489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 490 FILESYSTEM__RELABELFROM, NULL);
491 if (rc)
492 return rc;
493
6b6bc620
SS		 494 rc = avc_has_perm(&selinux_state,
495 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 496 FILESYSTEM__ASSOCIATE, NULL);
497 return rc;
498}
499
b43e725d
EP		 500static int selinux_is_sblabel_mnt(struct super_block *sb)
501{
502 struct superblock_security_struct *sbsec = sb->s_security;
503
d5f3a5f6
MS		 504 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
505 sbsec->behavior == SECURITY_FS_USE_TRANS ||
506 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 507 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 508 /* Special handling. Genfs but also in-core setxattr handler */
509 !strcmp(sb->s_type->name, "sysfs") ||
510 !strcmp(sb->s_type->name, "pstore") ||
511 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 512 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 513 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 514 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 515 (!strcmp(sb->s_type->name, "cgroup") ||
516 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 517}
518
c9180a57 519static int sb_finish_set_opts(struct super_block *sb)
1da177e4 520{
1da177e4 521 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 522 struct dentry *root = sb->s_root;
c6f493d6 523 struct inode *root_inode = d_backing_inode(root);
c9180a57 524 int rc = 0;
1da177e4 525
c9180a57
EP		 526 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
527 /* Make sure that the xattr handler exists and that no
528 error other than -ENODATA is returned by getxattr on
529 the root directory. -ENODATA is ok, as this may be
530 the first boot of the SELinux kernel before we have
531 assigned xattr values to the filesystem. */
5d6c3191 532 if (!(root_inode->i_opflags & IOP_XATTR)) {
c103a91e 533 pr_warn("SELinux: (dev %s, type %s) has no "
29b1deb2 534 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 535 rc = -EOPNOTSUPP;
536 goto out;
537 }
5d6c3191
AG		 538
539 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 540 if (rc < 0 && rc != -ENODATA) {
541 if (rc == -EOPNOTSUPP)
c103a91e 542 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 543 "%s) has no security xattr handler\n",
544 sb->s_id, sb->s_type->name);
c9180a57 545 else
c103a91e 546 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 547 "%s) getxattr errno %d\n", sb->s_id,
548 sb->s_type->name, -rc);
c9180a57
EP		 549 goto out;
550 }
551 }
1da177e4 552
eadcabc6 553 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 554
555 /*
556 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
557 * leave the flag untouched because sb_clone_mnt_opts might be handing
558 * us a superblock that needs the flag to be cleared.
559 */
b43e725d 560 if (selinux_is_sblabel_mnt(sb))
12f348b9 561 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 562 else
563 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 564
c9180a57
EP		 565 /* Initialize the root inode. */
566 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 567
c9180a57
EP		 568 /* Initialize any other inodes associated with the superblock, e.g.
569 inodes created prior to initial policy load or inodes created
570 during get_sb by a pseudo filesystem that directly
571 populates itself. */
572 spin_lock(&sbsec->isec_lock);
573next_inode:
574 if (!list_empty(&sbsec->isec_head)) {
575 struct inode_security_struct *isec =
576 list_entry(sbsec->isec_head.next,
577 struct inode_security_struct, list);
578 struct inode *inode = isec->inode;
923190d3 579 list_del_init(&isec->list);
c9180a57
EP		 580 spin_unlock(&sbsec->isec_lock);
581 inode = igrab(inode);
582 if (inode) {
583 if (!IS_PRIVATE(inode))
584 inode_doinit(inode);
585 iput(inode);
586 }
587 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 588 goto next_inode;
589 }
590 spin_unlock(&sbsec->isec_lock);
591out:
592 return rc;
593}
1da177e4 594
c9180a57
EP		 595/*
596 * This function should allow an FS to ask what it's mount security
597 * options were so it can use those later for submounts, displaying
598 * mount options, or whatever.
599 */
600static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 601 struct security_mnt_opts *opts)
c9180a57
EP		 602{
603 int rc = 0, i;
604 struct superblock_security_struct *sbsec = sb->s_security;
605 char *context = NULL;
606 u32 len;
607 char tmp;
1da177e4 608
e0007529 609 security_init_mnt_opts(opts);
1da177e4 610
0d90a7ec 611 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 612 return -EINVAL;
1da177e4 613
aa8e712c 614 if (!selinux_state.initialized)
c9180a57 615 return -EINVAL;
1da177e4 616
af8e50cc
EP		 617 /* make sure we always check enough bits to cover the mask */
618 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
619
0d90a7ec 620 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 621 /* count the number of mount options for this sb */
af8e50cc 622 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 623 if (tmp & 0x01)
e0007529 624 opts->num_mnt_opts++;
c9180a57
EP		 625 tmp >>= 1;
626 }
11689d47 627 /* Check if the Label support flag is set */
0b4bdb35 628 if (sbsec->flags & SBLABEL_MNT)
11689d47 629 opts->num_mnt_opts++;
1da177e4 630
e0007529
EP		 631 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
632 if (!opts->mnt_opts) {
c9180a57
EP		 633 rc = -ENOMEM;
634 goto out_free;
635 }
1da177e4 636
e0007529
EP		 637 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
638 if (!opts->mnt_opts_flags) {
c9180a57
EP		 639 rc = -ENOMEM;
640 goto out_free;
641 }
1da177e4 642
c9180a57
EP		 643 i = 0;
644 if (sbsec->flags & FSCONTEXT_MNT) {
aa8e712c
SS		 645 rc = security_sid_to_context(&selinux_state, sbsec->sid,
646 &context, &len);
c9180a57
EP		 647 if (rc)
648 goto out_free;
e0007529
EP		 649 opts->mnt_opts[i] = context;
650 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 651 }
652 if (sbsec->flags & CONTEXT_MNT) {
aa8e712c
SS		 653 rc = security_sid_to_context(&selinux_state,
654 sbsec->mntpoint_sid,
655 &context, &len);
c9180a57
EP		 656 if (rc)
657 goto out_free;
e0007529
EP		 658 opts->mnt_opts[i] = context;
659 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 660 }
661 if (sbsec->flags & DEFCONTEXT_MNT) {
aa8e712c
SS		 662 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
663 &context, &len);
c9180a57
EP		 664 if (rc)
665 goto out_free;
e0007529
EP		 666 opts->mnt_opts[i] = context;
667 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 668 }
669 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 670 struct dentry *root = sbsec->sb->s_root;
671 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 672
aa8e712c
SS		 673 rc = security_sid_to_context(&selinux_state, isec->sid,
674 &context, &len);
c9180a57
EP		 675 if (rc)
676 goto out_free;
e0007529
EP		 677 opts->mnt_opts[i] = context;
678 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 679 }
12f348b9 680 if (sbsec->flags & SBLABEL_MNT) {
11689d47 681 opts->mnt_opts[i] = NULL;
12f348b9 682 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 683 }
1da177e4 684
e0007529 685 BUG_ON(i != opts->num_mnt_opts);
1da177e4 686
c9180a57
EP		 687 return 0;
688
689out_free:
e0007529 690 security_free_mnt_opts(opts);
c9180a57
EP		 691 return rc;
692}
1da177e4 693
c9180a57
EP		 694static int bad_option(struct superblock_security_struct *sbsec, char flag,
695 u32 old_sid, u32 new_sid)
696{
0d90a7ec
DQ		 697 char mnt_flags = sbsec->flags & SE_MNTMASK;
698
c9180a57 699 /* check if the old mount command had the same options */
0d90a7ec 700 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 701 if (!(sbsec->flags & flag) ||
702 (old_sid != new_sid))
703 return 1;
704
705 /* check if we were passed the same options twice,
706 * aka someone passed context=a,context=b
707 */
0d90a7ec
DQ		 708 if (!(sbsec->flags & SE_SBINITIALIZED))
709 if (mnt_flags & flag)
c9180a57
EP		 710 return 1;
711 return 0;
712}
e0007529 713
c9180a57
EP		 714/*
715 * Allow filesystems with binary mount data to explicitly set mount point
716 * labeling information.
717 */
e0007529 718static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 719 struct security_mnt_opts *opts,
720 unsigned long kern_flags,
721 unsigned long *set_kern_flags)
c9180a57 722{
275bb41e 723 const struct cred *cred = current_cred();
c9180a57 724 int rc = 0, i;
c9180a57 725 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 726 const char *name = sb->s_type->name;
83da53c5 727 struct dentry *root = sbsec->sb->s_root;
2c97165b 728 struct inode_security_struct *root_isec;
c9180a57
EP		 729 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
730 u32 defcontext_sid = 0;
e0007529
EP		 731 char **mount_options = opts->mnt_opts;
732 int *flags = opts->mnt_opts_flags;
733 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 734
735 mutex_lock(&sbsec->lock);
736
aa8e712c 737 if (!selinux_state.initialized) {
c9180a57
EP		 738 if (!num_opts) {
739 /* Defer initialization until selinux_complete_init,
740 after the initial policy is loaded and the security
741 server is ready to handle calls. */
c9180a57
EP		 742 goto out;
743 }
744 rc = -EINVAL;
c103a91e 745 pr_warn("SELinux: Unable to set superblock options "
744ba35e 746 "before the security server is initialized\n");
1da177e4 747 goto out;
c9180a57 748 }
649f6e77
DQ		 749 if (kern_flags && !set_kern_flags) {
750 /* Specifying internal flags without providing a place to
751 * place the results is not allowed */
752 rc = -EINVAL;
753 goto out;
754 }
1da177e4 755
e0007529
EP		 756 /*
757 * Binary mount data FS will come through this function twice. Once
758 * from an explicit call and once from the generic calls from the vfs.
759 * Since the generic VFS calls will not contain any security mount data
760 * we need to skip the double mount verification.
761 *
762 * This does open a hole in which we will not notice if the first
763 * mount using this sb set explict options and a second mount using
764 * this sb does not set any security options. (The first options
765 * will be used for both mounts)
766 */
0d90a7ec 767 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 768 && (num_opts == 0))
f5269710 769 goto out;
e0007529 770
2c97165b
PM		 771 root_isec = backing_inode_security_novalidate(root);
772
c9180a57
EP		 773 /*
774 * parse the mount options, check if they are valid sids.
775 * also check if someone is trying to mount the same sb more
776 * than once with different security options.
777 */
778 for (i = 0; i < num_opts; i++) {
779 u32 sid;
11689d47 780
12f348b9 781 if (flags[i] == SBLABEL_MNT)
11689d47 782 continue;
aa8e712c
SS		 783 rc = security_context_str_to_sid(&selinux_state,
784 mount_options[i], &sid,
785 GFP_KERNEL);
1da177e4 786 if (rc) {
c103a91e 787 pr_warn("SELinux: security_context_str_to_sid"
29b1deb2
LT		 788 "(%s) failed for (dev %s, type %s) errno=%d\n",
789 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 790 goto out;
791 }
792 switch (flags[i]) {
793 case FSCONTEXT_MNT:
794 fscontext_sid = sid;
795
796 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
797 fscontext_sid))
798 goto out_double_mount;
799
800 sbsec->flags |= FSCONTEXT_MNT;
801 break;
802 case CONTEXT_MNT:
803 context_sid = sid;
804
805 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
806 context_sid))
807 goto out_double_mount;
808
809 sbsec->flags |= CONTEXT_MNT;
810 break;
811 case ROOTCONTEXT_MNT:
812 rootcontext_sid = sid;
813
814 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
815 rootcontext_sid))
816 goto out_double_mount;
817
818 sbsec->flags |= ROOTCONTEXT_MNT;
819
820 break;
821 case DEFCONTEXT_MNT:
822 defcontext_sid = sid;
823
824 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
825 defcontext_sid))
826 goto out_double_mount;
827
828 sbsec->flags |= DEFCONTEXT_MNT;
829
830 break;
831 default:
832 rc = -EINVAL;
833 goto out;
1da177e4 834 }
c9180a57
EP		 835 }
836
0d90a7ec 837 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 838 /* previously mounted with options, but not on this attempt? */
0d90a7ec 839 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 840 goto out_double_mount;
841 rc = 0;
842 goto out;
843 }
844
089be43e 845 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 846 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
847
8e014720 848 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 849 !strcmp(sb->s_type->name, "tracefs") ||
8e014720 850 !strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 851 !strcmp(sb->s_type->name, "pstore") ||
852 !strcmp(sb->s_type->name, "cgroup") ||
853 !strcmp(sb->s_type->name, "cgroup2"))
134509d5 854 sbsec->flags |= SE_SBGENFS;
c9180a57 855
eb9ae686
DQ		 856 if (!sbsec->behavior) {
857 /*
858 * Determine the labeling behavior to use for this
859 * filesystem type.
860 */
aa8e712c 861 rc = security_fs_use(&selinux_state, sb);
eb9ae686 862 if (rc) {
c103a91e 863 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 864 __func__, sb->s_type->name, rc);
865 goto out;
866 }
c9180a57 867 }
aad82892
SF		 868
869 /*
01593d32
SS		 870 * If this is a user namespace mount and the filesystem type is not
871 * explicitly whitelisted, then no contexts are allowed on the command
872 * line and security labels must be ignored.
aad82892 873 */
01593d32
SS		 874 if (sb->s_user_ns != &init_user_ns &&
875 strcmp(sb->s_type->name, "tmpfs") &&
876 strcmp(sb->s_type->name, "ramfs") &&
877 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 878 if (context_sid || fscontext_sid || rootcontext_sid ||
879 defcontext_sid) {
880 rc = -EACCES;
881 goto out;
882 }
883 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
884 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 885 rc = security_transition_sid(&selinux_state,
886 current_sid(),
887 current_sid(),
aad82892
SF		 888 SECCLASS_FILE, NULL,
889 &sbsec->mntpoint_sid);
890 if (rc)
891 goto out;
892 }
893 goto out_set_opts;
894 }
895
c9180a57
EP		 896 /* sets the context of the superblock for the fs being mounted. */
897 if (fscontext_sid) {
275bb41e 898 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 899 if (rc)
c9180a57 900 goto out;
1da177e4 901
c9180a57 902 sbsec->sid = fscontext_sid;
c312feb2
EP		 903 }
904
905 /*
906 * Switch to using mount point labeling behavior.
907 * sets the label used on all file below the mountpoint, and will set
908 * the superblock context if not already set.
909 */
eb9ae686
DQ		 910 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
911 sbsec->behavior = SECURITY_FS_USE_NATIVE;
912 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
913 }
914
c9180a57
EP		 915 if (context_sid) {
916 if (!fscontext_sid) {
275bb41e
DH		 917 rc = may_context_mount_sb_relabel(context_sid, sbsec,
918 cred);
b04ea3ce 919 if (rc)
c9180a57
EP		 920 goto out;
921 sbsec->sid = context_sid;
b04ea3ce 922 } else {
275bb41e
DH		 923 rc = may_context_mount_inode_relabel(context_sid, sbsec,
924 cred);
b04ea3ce 925 if (rc)
c9180a57 926 goto out;
b04ea3ce 927 }
c9180a57
EP		 928 if (!rootcontext_sid)
929 rootcontext_sid = context_sid;
1da177e4 930
c9180a57 931 sbsec->mntpoint_sid = context_sid;
c312feb2 932 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 933 }
934
c9180a57 935 if (rootcontext_sid) {
275bb41e
DH		 936 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
937 cred);
0808925e 938 if (rc)
c9180a57 939 goto out;
0808925e 940
c9180a57 941 root_isec->sid = rootcontext_sid;
6f3be9f5 942 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 943 }
944
c9180a57 945 if (defcontext_sid) {
eb9ae686
DQ		 946 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
947 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 948 rc = -EINVAL;
c103a91e 949 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 950 "invalid for this filesystem type\n");
951 goto out;
1da177e4
LT		 952 }
953
c9180a57
EP		 954 if (defcontext_sid != sbsec->def_sid) {
955 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 956 sbsec, cred);
c9180a57
EP		 957 if (rc)
958 goto out;
959 }
1da177e4 960
c9180a57 961 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 962 }
963
aad82892 964out_set_opts:
c9180a57 965 rc = sb_finish_set_opts(sb);
1da177e4 966out:
c9180a57 967 mutex_unlock(&sbsec->lock);
1da177e4 968 return rc;
c9180a57
EP		 969out_double_mount:
970 rc = -EINVAL;
c103a91e 971 pr_warn("SELinux: mount invalid. Same superblock, different "
29b1deb2 972 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 973 goto out;
1da177e4
LT		 974}
975
094f7b69
JL		 976static int selinux_cmp_sb_context(const struct super_block *oldsb,
977 const struct super_block *newsb)
978{
979 struct superblock_security_struct *old = oldsb->s_security;
980 struct superblock_security_struct *new = newsb->s_security;
981 char oldflags = old->flags & SE_MNTMASK;
982 char newflags = new->flags & SE_MNTMASK;
983
984 if (oldflags != newflags)
985 goto mismatch;
986 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
987 goto mismatch;
988 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
989 goto mismatch;
990 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
991 goto mismatch;
992 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 993 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
994 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 995 if (oldroot->sid != newroot->sid)
996 goto mismatch;
997 }
998 return 0;
999mismatch:
c103a91e 1000 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 1001 "different security settings for (dev %s, "
1002 "type %s)\n", newsb->s_id, newsb->s_type->name);
1003 return -EBUSY;
1004}
1005
1006static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 1007 struct super_block *newsb,
1008 unsigned long kern_flags,
1009 unsigned long *set_kern_flags)
1da177e4 1010{
0b4d3452 1011 int rc = 0;
c9180a57
EP		 1012 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1013 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 1014
c9180a57
EP		 1015 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1016 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1017 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 1018
0f5e6420
EP		 1019 /*
1020 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 1021 * mount options. thus we can safely deal with this superblock later
0f5e6420 1022 */
aa8e712c 1023 if (!selinux_state.initialized)
094f7b69 1024 return 0;
c9180a57 1025
0b4d3452
SM		 1026 /*
1027 * Specifying internal flags without providing a place to
1028 * place the results is not allowed.
1029 */
1030 if (kern_flags && !set_kern_flags)
1031 return -EINVAL;
1032
c9180a57 1033 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 1034 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 1035
094f7b69 1036 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 1037 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 1038 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 1039
c9180a57
EP		 1040 mutex_lock(&newsbsec->lock);
1041
1042 newsbsec->flags = oldsbsec->flags;
1043
1044 newsbsec->sid = oldsbsec->sid;
1045 newsbsec->def_sid = oldsbsec->def_sid;
1046 newsbsec->behavior = oldsbsec->behavior;
1047
0b4d3452
SM		 1048 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1049 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 1050 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 1051 if (rc)
1052 goto out;
1053 }
1054
1055 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1056 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1057 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1058 }
1059
c9180a57
EP		 1060 if (set_context) {
1061 u32 sid = oldsbsec->mntpoint_sid;
1062
1063 if (!set_fscontext)
1064 newsbsec->sid = sid;
1065 if (!set_rootcontext) {
83da53c5 1066 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1067 newisec->sid = sid;
1068 }
1069 newsbsec->mntpoint_sid = sid;
1da177e4 1070 }
c9180a57 1071 if (set_rootcontext) {
83da53c5
AG		 1072 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1073 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1074
c9180a57 1075 newisec->sid = oldisec->sid;
1da177e4
LT		 1076 }
1077
c9180a57 1078 sb_finish_set_opts(newsb);
0b4d3452 1079out:
c9180a57 1080 mutex_unlock(&newsbsec->lock);
0b4d3452 1081 return rc;
c9180a57
EP		 1082}
1083
2e1479d9
AB		 1084static int selinux_parse_opts_str(char *options,
1085 struct security_mnt_opts *opts)
c9180a57 1086{
e0007529 1087 char *p;
c9180a57
EP		 1088 char *context = NULL, *defcontext = NULL;
1089 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1090 int rc, num_mnt_opts = 0;
1da177e4 1091
e0007529 1092 opts->num_mnt_opts = 0;
1da177e4 1093
c9180a57
EP		 1094 /* Standard string-based options. */
1095 while ((p = strsep(&options, "|")) != NULL) {
1096 int token;
1097 substring_t args[MAX_OPT_ARGS];
1da177e4 1098
c9180a57
EP		 1099 if (!*p)
1100 continue;
1da177e4 1101
c9180a57 1102 token = match_token(p, tokens, args);
1da177e4 1103
c9180a57
EP		 1104 switch (token) {
1105 case Opt_context:
1106 if (context || defcontext) {
1107 rc = -EINVAL;
c103a91e 1108 pr_warn(SEL_MOUNT_FAIL_MSG);
c9180a57
EP		 1109 goto out_err;
1110 }
1111 context = match_strdup(&args[0]);
1112 if (!context) {
1113 rc = -ENOMEM;
1114 goto out_err;
1115 }
1116 break;
1117
1118 case Opt_fscontext:
1119 if (fscontext) {
1120 rc = -EINVAL;
c103a91e 1121 pr_warn(SEL_MOUNT_FAIL_MSG);
c9180a57
EP		 1122 goto out_err;
1123 }
1124 fscontext = match_strdup(&args[0]);
1125 if (!fscontext) {
1126 rc = -ENOMEM;
1127 goto out_err;
1128 }
1129 break;
1130
1131 case Opt_rootcontext:
1132 if (rootcontext) {
1133 rc = -EINVAL;
c103a91e 1134 pr_warn(SEL_MOUNT_FAIL_MSG);
c9180a57
EP		 1135 goto out_err;
1136 }
1137 rootcontext = match_strdup(&args[0]);
1138 if (!rootcontext) {
1139 rc = -ENOMEM;
1140 goto out_err;
1141 }
1142 break;
1143
1144 case Opt_defcontext:
1145 if (context || defcontext) {
1146 rc = -EINVAL;
c103a91e 1147 pr_warn(SEL_MOUNT_FAIL_MSG);
c9180a57
EP		 1148 goto out_err;
1149 }
1150 defcontext = match_strdup(&args[0]);
1151 if (!defcontext) {
1152 rc = -ENOMEM;
1153 goto out_err;
1154 }
1155 break;
11689d47
DQ		 1156 case Opt_labelsupport:
1157 break;
c9180a57
EP		 1158 default:
1159 rc = -EINVAL;
c103a91e 1160 pr_warn("SELinux: unknown mount option\n");
c9180a57 1161 goto out_err;
1da177e4 1162
1da177e4 1163 }
1da177e4 1164 }
c9180a57 1165
e0007529 1166 rc = -ENOMEM;
8931c3bd 1167 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1168 if (!opts->mnt_opts)
1169 goto out_err;
1170
8931c3bd
TH		 1171 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1172 GFP_KERNEL);
023f108d 1173 if (!opts->mnt_opts_flags)
e0007529 1174 goto out_err;
e0007529 1175
c9180a57 1176 if (fscontext) {
e0007529
EP		 1177 opts->mnt_opts[num_mnt_opts] = fscontext;
1178 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1179 }
1180 if (context) {
e0007529
EP		 1181 opts->mnt_opts[num_mnt_opts] = context;
1182 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1183 }
1184 if (rootcontext) {
e0007529
EP		 1185 opts->mnt_opts[num_mnt_opts] = rootcontext;
1186 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1187 }
1188 if (defcontext) {
e0007529
EP		 1189 opts->mnt_opts[num_mnt_opts] = defcontext;
1190 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1191 }
1192
e0007529
EP		 1193 opts->num_mnt_opts = num_mnt_opts;
1194 return 0;
1195
c9180a57 1196out_err:
023f108d 1197 security_free_mnt_opts(opts);
c9180a57
EP		 1198 kfree(context);
1199 kfree(defcontext);
1200 kfree(fscontext);
1201 kfree(rootcontext);
1da177e4
LT		 1202 return rc;
1203}
e0007529
EP		 1204/*
1205 * string mount options parsing and call set the sbsec
1206 */
1207static int superblock_doinit(struct super_block *sb, void *data)
1208{
1209 int rc = 0;
1210 char *options = data;
1211 struct security_mnt_opts opts;
1212
1213 security_init_mnt_opts(&opts);
1214
1215 if (!data)
1216 goto out;
1217
1218 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1219
1220 rc = selinux_parse_opts_str(options, &opts);
1221 if (rc)
1222 goto out_err;
1223
1224out:
649f6e77 1225 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1226
1227out_err:
1228 security_free_mnt_opts(&opts);
1229 return rc;
1230}
1da177e4 1231
3583a711
AB		 1232static void selinux_write_opts(struct seq_file *m,
1233 struct security_mnt_opts *opts)
2069f457
EP		 1234{
1235 int i;
1236 char *prefix;
1237
1238 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1239 char *has_comma;
1240
1241 if (opts->mnt_opts[i])
1242 has_comma = strchr(opts->mnt_opts[i], ',');
1243 else
1244 has_comma = NULL;
2069f457
EP		 1245
1246 switch (opts->mnt_opts_flags[i]) {
1247 case CONTEXT_MNT:
1248 prefix = CONTEXT_STR;
1249 break;
1250 case FSCONTEXT_MNT:
1251 prefix = FSCONTEXT_STR;
1252 break;
1253 case ROOTCONTEXT_MNT:
1254 prefix = ROOTCONTEXT_STR;
1255 break;
1256 case DEFCONTEXT_MNT:
1257 prefix = DEFCONTEXT_STR;
1258 break;
12f348b9 1259 case SBLABEL_MNT:
11689d47
DQ		 1260 seq_putc(m, ',');
1261 seq_puts(m, LABELSUPP_STR);
1262 continue;
2069f457
EP		 1263 default:
1264 BUG();
a35c6c83 1265 return;
2069f457
EP		 1266 };
1267 /* we need a comma before each option */
1268 seq_putc(m, ',');
1269 seq_puts(m, prefix);
1270 if (has_comma)
1271 seq_putc(m, '\"');
a068acf2 1272 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1273 if (has_comma)
1274 seq_putc(m, '\"');
1275 }
1276}
1277
1278static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1279{
1280 struct security_mnt_opts opts;
1281 int rc;
1282
1283 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1284 if (rc) {
1285 /* before policy load we may get EINVAL, don't show anything */
1286 if (rc == -EINVAL)
1287 rc = 0;
2069f457 1288 return rc;
383795c2 1289 }
2069f457
EP		 1290
1291 selinux_write_opts(m, &opts);
1292
1293 security_free_mnt_opts(&opts);
1294
1295 return rc;
1296}
1297
1da177e4
LT		 1298static inline u16 inode_mode_to_security_class(umode_t mode)
1299{
1300 switch (mode & S_IFMT) {
1301 case S_IFSOCK:
1302 return SECCLASS_SOCK_FILE;
1303 case S_IFLNK:
1304 return SECCLASS_LNK_FILE;
1305 case S_IFREG:
1306 return SECCLASS_FILE;
1307 case S_IFBLK:
1308 return SECCLASS_BLK_FILE;
1309 case S_IFDIR:
1310 return SECCLASS_DIR;
1311 case S_IFCHR:
1312 return SECCLASS_CHR_FILE;
1313 case S_IFIFO:
1314 return SECCLASS_FIFO_FILE;
1315
1316 }
1317
1318 return SECCLASS_FILE;
1319}
1320
13402580
JM		 1321static inline int default_protocol_stream(int protocol)
1322{
1323 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1324}
1325
1326static inline int default_protocol_dgram(int protocol)
1327{
1328 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1329}
1330
1da177e4
LT		 1331static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1332{
aa8e712c 1333 int extsockclass = selinux_policycap_extsockclass();
da69a530 1334
1da177e4
LT		 1335 switch (family) {
1336 case PF_UNIX:
1337 switch (type) {
1338 case SOCK_STREAM:
1339 case SOCK_SEQPACKET:
1340 return SECCLASS_UNIX_STREAM_SOCKET;
1341 case SOCK_DGRAM:
2a764b52 1342 case SOCK_RAW:
1da177e4
LT		 1343 return SECCLASS_UNIX_DGRAM_SOCKET;
1344 }
1345 break;
1346 case PF_INET:
1347 case PF_INET6:
1348 switch (type) {
1349 case SOCK_STREAM:
da69a530 1350 case SOCK_SEQPACKET:
13402580
JM		 1351 if (default_protocol_stream(protocol))
1352 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1353 else if (extsockclass && protocol == IPPROTO_SCTP)
1354 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1355 else
1356 return SECCLASS_RAWIP_SOCKET;
1da177e4 1357 case SOCK_DGRAM:
13402580
JM		 1358 if (default_protocol_dgram(protocol))
1359 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1360 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1361 protocol == IPPROTO_ICMPV6))
da69a530 1362 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1363 else
1364 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1365 case SOCK_DCCP:
1366 return SECCLASS_DCCP_SOCKET;
13402580 1367 default:
1da177e4
LT		 1368 return SECCLASS_RAWIP_SOCKET;
1369 }
1370 break;
1371 case PF_NETLINK:
1372 switch (protocol) {
1373 case NETLINK_ROUTE:
1374 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1375 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1376 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1377 case NETLINK_NFLOG:
1378 return SECCLASS_NETLINK_NFLOG_SOCKET;
1379 case NETLINK_XFRM:
1380 return SECCLASS_NETLINK_XFRM_SOCKET;
1381 case NETLINK_SELINUX:
1382 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1383 case NETLINK_ISCSI:
1384 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1385 case NETLINK_AUDIT:
1386 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1387 case NETLINK_FIB_LOOKUP:
1388 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1389 case NETLINK_CONNECTOR:
1390 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1391 case NETLINK_NETFILTER:
1392 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1393 case NETLINK_DNRTMSG:
1394 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1395 case NETLINK_KOBJECT_UEVENT:
1396 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1397 case NETLINK_GENERIC:
1398 return SECCLASS_NETLINK_GENERIC_SOCKET;
1399 case NETLINK_SCSITRANSPORT:
1400 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1401 case NETLINK_RDMA:
1402 return SECCLASS_NETLINK_RDMA_SOCKET;
1403 case NETLINK_CRYPTO:
1404 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1405 default:
1406 return SECCLASS_NETLINK_SOCKET;
1407 }
1408 case PF_PACKET:
1409 return SECCLASS_PACKET_SOCKET;
1410 case PF_KEY:
1411 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1412 case PF_APPLETALK:
1413 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1414 }
1415
da69a530
SS		 1416 if (extsockclass) {
1417 switch (family) {
1418 case PF_AX25:
1419 return SECCLASS_AX25_SOCKET;
1420 case PF_IPX:
1421 return SECCLASS_IPX_SOCKET;
1422 case PF_NETROM:
1423 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1424 case PF_ATMPVC:
1425 return SECCLASS_ATMPVC_SOCKET;
1426 case PF_X25:
1427 return SECCLASS_X25_SOCKET;
1428 case PF_ROSE:
1429 return SECCLASS_ROSE_SOCKET;
1430 case PF_DECnet:
1431 return SECCLASS_DECNET_SOCKET;
1432 case PF_ATMSVC:
1433 return SECCLASS_ATMSVC_SOCKET;
1434 case PF_RDS:
1435 return SECCLASS_RDS_SOCKET;
1436 case PF_IRDA:
1437 return SECCLASS_IRDA_SOCKET;
1438 case PF_PPPOX:
1439 return SECCLASS_PPPOX_SOCKET;
1440 case PF_LLC:
1441 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1442 case PF_CAN:
1443 return SECCLASS_CAN_SOCKET;
1444 case PF_TIPC:
1445 return SECCLASS_TIPC_SOCKET;
1446 case PF_BLUETOOTH:
1447 return SECCLASS_BLUETOOTH_SOCKET;
1448 case PF_IUCV:
1449 return SECCLASS_IUCV_SOCKET;
1450 case PF_RXRPC:
1451 return SECCLASS_RXRPC_SOCKET;
1452 case PF_ISDN:
1453 return SECCLASS_ISDN_SOCKET;
1454 case PF_PHONET:
1455 return SECCLASS_PHONET_SOCKET;
1456 case PF_IEEE802154:
1457 return SECCLASS_IEEE802154_SOCKET;
1458 case PF_CAIF:
1459 return SECCLASS_CAIF_SOCKET;
1460 case PF_ALG:
1461 return SECCLASS_ALG_SOCKET;
1462 case PF_NFC:
1463 return SECCLASS_NFC_SOCKET;
1464 case PF_VSOCK:
1465 return SECCLASS_VSOCK_SOCKET;
1466 case PF_KCM:
1467 return SECCLASS_KCM_SOCKET;
1468 case PF_QIPCRTR:
1469 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1470 case PF_SMC:
1471 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1472 case PF_XDP:
1473 return SECCLASS_XDP_SOCKET;
1474#if PF_MAX > 45
da69a530
SS		 1475#error New address family defined, please update this function.
1476#endif
1477 }
1478 }
1479
1da177e4
LT		 1480 return SECCLASS_SOCKET;
1481}
1482
134509d5
SS		 1483static int selinux_genfs_get_sid(struct dentry *dentry,
1484 u16 tclass,
1485 u16 flags,
1486 u32 *sid)
1da177e4 1487{
8e6c9693 1488 int rc;
fc64005c 1489 struct super_block *sb = dentry->d_sb;
8e6c9693 1490 char *buffer, *path;
1da177e4 1491
828dfe1d 1492 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1493 if (!buffer)
1494 return -ENOMEM;
1495
8e6c9693
LAG		 1496 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1497 if (IS_ERR(path))
1498 rc = PTR_ERR(path);
1499 else {
134509d5
SS		 1500 if (flags & SE_SBPROC) {
1501 /* each process gets a /proc/PID/ entry. Strip off the
1502 * PID part to get a valid selinux labeling.
1503 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1504 while (path[1] >= '0' && path[1] <= '9') {
1505 path[1] = '/';
1506 path++;
1507 }
8e6c9693 1508 }
aa8e712c
SS		 1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510 path, tclass, sid);
7bb185ed
SS		 1511 if (rc == -ENOENT) {
1512 /* No match in policy, mark as unlabeled. */
1513 *sid = SECINITSID_UNLABELED;
1514 rc = 0;
1515 }
1da177e4 1516 }
1da177e4
LT		 1517 free_page((unsigned long)buffer);
1518 return rc;
1519}
1da177e4
LT		 1520
1521/* The inode's security attributes must be initialized before first use. */
1522static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1523{
1524 struct superblock_security_struct *sbsec = NULL;
1525 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1526 u32 task_sid, sid = 0;
1527 u16 sclass;
1da177e4
LT		 1528 struct dentry *dentry;
1529#define INITCONTEXTLEN 255
1530 char *context = NULL;
1531 unsigned len = 0;
1532 int rc = 0;
1da177e4 1533
6f3be9f5 1534 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1535 return 0;
1da177e4 1536
9287aed2 1537 spin_lock(&isec->lock);
6f3be9f5 1538 if (isec->initialized == LABEL_INITIALIZED)
23970741 1539 goto out_unlock;
1da177e4 1540
13457d07
AG		 1541 if (isec->sclass == SECCLASS_FILE)
1542 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1543
1da177e4 1544 sbsec = inode->i_sb->s_security;
0d90a7ec 1545 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1546 /* Defer initialization until selinux_complete_init,
1547 after the initial policy is loaded and the security
1548 server is ready to handle calls. */
1549 spin_lock(&sbsec->isec_lock);
1550 if (list_empty(&isec->list))
1551 list_add(&isec->list, &sbsec->isec_head);
1552 spin_unlock(&sbsec->isec_lock);
23970741 1553 goto out_unlock;
1da177e4
LT		 1554 }
1555
9287aed2
AG		 1556 sclass = isec->sclass;
1557 task_sid = isec->task_sid;
1558 sid = isec->sid;
1559 isec->initialized = LABEL_PENDING;
1560 spin_unlock(&isec->lock);
1561
1da177e4 1562 switch (sbsec->behavior) {
eb9ae686
DQ		 1563 case SECURITY_FS_USE_NATIVE:
1564 break;
1da177e4 1565 case SECURITY_FS_USE_XATTR:
5d6c3191 1566 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1567 sid = sbsec->def_sid;
1da177e4
LT		 1568 break;
1569 }
1da177e4
LT		 1570 /* Need a dentry, since the xattr API requires one.
1571 Life would be simpler if we could just pass the inode. */
1572 if (opt_dentry) {
1573 /* Called from d_instantiate or d_splice_alias. */
1574 dentry = dget(opt_dentry);
1575 } else {
b127125d
AV		 1576 /*
1577 * Called from selinux_complete_init, try to find a dentry.
1578 * Some filesystems really want a connected one, so try
1579 * that first. We could split SECURITY_FS_USE_XATTR in
1580 * two, depending upon that...
1581 */
1da177e4 1582 dentry = d_find_alias(inode);
b127125d
AV		 1583 if (!dentry)
1584 dentry = d_find_any_alias(inode);
1da177e4
LT		 1585 }
1586 if (!dentry) {
df7f54c0
EP		 1587 /*
1588 * this is can be hit on boot when a file is accessed
1589 * before the policy is loaded. When we load policy we
1590 * may find inodes that have no dentry on the
1591 * sbsec->isec_head list. No reason to complain as these
1592 * will get fixed up the next time we go through
1593 * inode_doinit with a dentry, before these inodes could
1594 * be used again by userspace.
1595 */
9287aed2 1596 goto out;
1da177e4
LT		 1597 }
1598
1599 len = INITCONTEXTLEN;
4cb912f1 1600 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1601 if (!context) {
1602 rc = -ENOMEM;
1603 dput(dentry);
9287aed2 1604 goto out;
1da177e4 1605 }
4cb912f1 1606 context[len] = '\0';
5d6c3191 1607 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1608 if (rc == -ERANGE) {
314dabb8
JM		 1609 kfree(context);
1610
1da177e4 1611 /* Need a larger buffer. Query for the right size. */
5d6c3191 1612 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1613 if (rc < 0) {
1614 dput(dentry);
9287aed2 1615 goto out;
1da177e4 1616 }
1da177e4 1617 len = rc;
4cb912f1 1618 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1619 if (!context) {
1620 rc = -ENOMEM;
1621 dput(dentry);
9287aed2 1622 goto out;
1da177e4 1623 }
4cb912f1 1624 context[len] = '\0';
5d6c3191 1625 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1626 }
1627 dput(dentry);
1628 if (rc < 0) {
1629 if (rc != -ENODATA) {
c103a91e 1630 pr_warn("SELinux: %s: getxattr returned "
dd6f953a 1631 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1632 -rc, inode->i_sb->s_id, inode->i_ino);
1633 kfree(context);
9287aed2 1634 goto out;
1da177e4
LT		 1635 }
1636 /* Map ENODATA to the default file SID */
1637 sid = sbsec->def_sid;
1638 rc = 0;
1639 } else {
aa8e712c
SS		 1640 rc = security_context_to_sid_default(&selinux_state,
1641 context, rc, &sid,
869ab514
SS		 1642 sbsec->def_sid,
1643 GFP_NOFS);
1da177e4 1644 if (rc) {
4ba0a8ad
EP		 1645 char *dev = inode->i_sb->s_id;
1646 unsigned long ino = inode->i_ino;
1647
1648 if (rc == -EINVAL) {
1649 if (printk_ratelimit())
c103a91e 1650 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
4ba0a8ad
EP		 1651 "context=%s. This indicates you may need to relabel the inode or the "
1652 "filesystem in question.\n", ino, dev, context);
1653 } else {
c103a91e 1654 pr_warn("SELinux: %s: context_to_sid(%s) "
4ba0a8ad
EP		 1655 "returned %d for dev=%s ino=%ld\n",
1656 __func__, context, -rc, dev, ino);
1657 }
1da177e4
LT		 1658 kfree(context);
1659 /* Leave with the unlabeled SID */
1660 rc = 0;
1661 break;
1662 }
1663 }
1664 kfree(context);
1da177e4
LT		 1665 break;
1666 case SECURITY_FS_USE_TASK:
9287aed2 1667 sid = task_sid;
1da177e4
LT		 1668 break;
1669 case SECURITY_FS_USE_TRANS:
1670 /* Default to the fs SID. */
9287aed2 1671 sid = sbsec->sid;
1da177e4
LT		 1672
1673 /* Try to obtain a transition SID. */
aa8e712c
SS		 1674 rc = security_transition_sid(&selinux_state, task_sid, sid,
1675 sclass, NULL, &sid);
1da177e4 1676 if (rc)
9287aed2 1677 goto out;
1da177e4 1678 break;
c312feb2 1679 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1680 sid = sbsec->mntpoint_sid;
c312feb2 1681 break;
1da177e4 1682 default:
c312feb2 1683 /* Default to the fs superblock SID. */
9287aed2 1684 sid = sbsec->sid;
1da177e4 1685
134509d5 1686 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1687 /* We must have a dentry to determine the label on
1688 * procfs inodes */
b127125d 1689 if (opt_dentry) {
f64410ec
PM		 1690 /* Called from d_instantiate or
1691 * d_splice_alias. */
1692 dentry = dget(opt_dentry);
b127125d 1693 } else {
f64410ec 1694 /* Called from selinux_complete_init, try to
b127125d
AV		 1695 * find a dentry. Some filesystems really want
1696 * a connected one, so try that first.
1697 */
f64410ec 1698 dentry = d_find_alias(inode);
b127125d
AV		 1699 if (!dentry)
1700 dentry = d_find_any_alias(inode);
1701 }
f64410ec
PM		 1702 /*
1703 * This can be hit on boot when a file is accessed
1704 * before the policy is loaded. When we load policy we
1705 * may find inodes that have no dentry on the
1706 * sbsec->isec_head list. No reason to complain as
1707 * these will get fixed up the next time we go through
1708 * inode_doinit() with a dentry, before these inodes
1709 * could be used again by userspace.
1710 */
1711 if (!dentry)
9287aed2
AG		 1712 goto out;
1713 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1714 sbsec->flags, &sid);
f64410ec
PM		 1715 dput(dentry);
1716 if (rc)
9287aed2 1717 goto out;
1da177e4
LT		 1718 }
1719 break;
1720 }
1721
9287aed2
AG		 1722out:
1723 spin_lock(&isec->lock);
1724 if (isec->initialized == LABEL_PENDING) {
1725 if (!sid || rc) {
1726 isec->initialized = LABEL_INVALID;
1727 goto out_unlock;
1728 }
1729
1730 isec->initialized = LABEL_INITIALIZED;
1731 isec->sid = sid;
1732 }
1da177e4 1733
23970741 1734out_unlock:
9287aed2 1735 spin_unlock(&isec->lock);
1da177e4
LT		 1736 return rc;
1737}
1738
1739/* Convert a Linux signal to an access vector. */
1740static inline u32 signal_to_av(int sig)
1741{
1742 u32 perm = 0;
1743
1744 switch (sig) {
1745 case SIGCHLD:
1746 /* Commonly granted from child to parent. */
1747 perm = PROCESS__SIGCHLD;
1748 break;
1749 case SIGKILL:
1750 /* Cannot be caught or ignored */
1751 perm = PROCESS__SIGKILL;
1752 break;
1753 case SIGSTOP:
1754 /* Cannot be caught or ignored */
1755 perm = PROCESS__SIGSTOP;
1756 break;
1757 default:
1758 /* All other signals. */
1759 perm = PROCESS__SIGNAL;
1760 break;
1761 }
1762
1763 return perm;
1764}
1765
b68e418c
SS		 1766#if CAP_LAST_CAP > 63
1767#error Fix SELinux to handle capabilities > 63.
1768#endif
1769
1da177e4 1770/* Check whether a task is allowed to use a capability. */
6a9de491 1771static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1772 int cap, int audit, bool initns)
1da177e4 1773{
2bf49690 1774 struct common_audit_data ad;
06112163 1775 struct av_decision avd;
b68e418c 1776 u16 sclass;
3699c53c 1777 u32 sid = cred_sid(cred);
b68e418c 1778 u32 av = CAP_TO_MASK(cap);
06112163 1779 int rc;
1da177e4 1780
50c205f5 1781 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1782 ad.u.cap = cap;
1783
b68e418c
SS		 1784 switch (CAP_TO_INDEX(cap)) {
1785 case 0:
8e4ff6f2 1786 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1787 break;
1788 case 1:
8e4ff6f2 1789 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1790 break;
1791 default:
c103a91e 1792 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1793 BUG();
a35c6c83 1794 return -EINVAL;
b68e418c 1795 }
06112163 1796
6b6bc620
SS		 1797 rc = avc_has_perm_noaudit(&selinux_state,
1798 sid, sid, sclass, av, 0, &avd);
9ade0cf4 1799 if (audit == SECURITY_CAP_AUDIT) {
6b6bc620
SS		 1800 int rc2 = avc_audit(&selinux_state,
1801 sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1802 if (rc2)
1803 return rc2;
1804 }
06112163 1805 return rc;
1da177e4
LT		 1806}
1807
1da177e4
LT		 1808/* Check whether a task has a particular permission to an inode.
1809 The 'adp' parameter is optional and allows other audit
1810 data to be passed (e.g. the dentry). */
88e67f3b 1811static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1812 struct inode *inode,
1813 u32 perms,
19e49834 1814 struct common_audit_data *adp)
1da177e4 1815{
1da177e4 1816 struct inode_security_struct *isec;
275bb41e 1817 u32 sid;
1da177e4 1818
e0e81739
DH		 1819 validate_creds(cred);
1820
828dfe1d 1821 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1822 return 0;
1823
88e67f3b 1824 sid = cred_sid(cred);
1da177e4
LT		 1825 isec = inode->i_security;
1826
6b6bc620
SS		 1827 return avc_has_perm(&selinux_state,
1828 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1829}
1830
1831/* Same as inode_has_perm, but pass explicit audit data containing
1832 the dentry to help the auditing code to more easily generate the
1833 pathname if needed. */
88e67f3b 1834static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1835 struct dentry *dentry,
1836 u32 av)
1837{
c6f493d6 1838 struct inode *inode = d_backing_inode(dentry);
2bf49690 1839 struct common_audit_data ad;
88e67f3b 1840
50c205f5 1841 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1842 ad.u.dentry = dentry;
5d226df4 1843 __inode_security_revalidate(inode, dentry, true);
19e49834 1844 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1845}
1846
1847/* Same as inode_has_perm, but pass explicit audit data containing
1848 the path to help the auditing code to more easily generate the
1849 pathname if needed. */
1850static inline int path_has_perm(const struct cred *cred,
3f7036a0 1851 const struct path *path,
2875fa00
EP		 1852 u32 av)
1853{
c6f493d6 1854 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1855 struct common_audit_data ad;
1856
50c205f5 1857 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1858 ad.u.path = *path;
5d226df4 1859 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1860 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1861}
1862
13f8e981
DH		 1863/* Same as path_has_perm, but uses the inode from the file struct. */
1864static inline int file_path_has_perm(const struct cred *cred,
1865 struct file *file,
1866 u32 av)
1867{
1868 struct common_audit_data ad;
1869
43af5de7
VG		 1870 ad.type = LSM_AUDIT_DATA_FILE;
1871 ad.u.file = file;
19e49834 1872 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1873}
1874
f66e448c
CF		 1875#ifdef CONFIG_BPF_SYSCALL
1876static int bpf_fd_pass(struct file *file, u32 sid);
1877#endif
1878
1da177e4
LT		 1879/* Check whether a task can use an open file descriptor to
1880 access an inode in a given way. Check access to the
1881 descriptor itself, and then use dentry_has_perm to
1882 check a particular permission to the file.
1883 Access to the descriptor is implicitly granted if it
1884 has the same SID as the process. If av is zero, then
1885 access to the file is not checked, e.g. for cases
1886 where only the descriptor is affected like seek. */
88e67f3b
DH		 1887static int file_has_perm(const struct cred *cred,
1888 struct file *file,
1889 u32 av)
1da177e4 1890{
1da177e4 1891 struct file_security_struct *fsec = file->f_security;
496ad9aa 1892 struct inode *inode = file_inode(file);
2bf49690 1893 struct common_audit_data ad;
88e67f3b 1894 u32 sid = cred_sid(cred);
1da177e4
LT		 1895 int rc;
1896
43af5de7
VG		 1897 ad.type = LSM_AUDIT_DATA_FILE;
1898 ad.u.file = file;
1da177e4 1899
275bb41e 1900 if (sid != fsec->sid) {
6b6bc620
SS		 1901 rc = avc_has_perm(&selinux_state,
1902 sid, fsec->sid,
1da177e4
LT		 1903 SECCLASS_FD,
1904 FD__USE,
1905 &ad);
1906 if (rc)
88e67f3b 1907 goto out;
1da177e4
LT		 1908 }
1909
f66e448c
CF		 1910#ifdef CONFIG_BPF_SYSCALL
1911 rc = bpf_fd_pass(file, cred_sid(cred));
1912 if (rc)
1913 return rc;
1914#endif
1915
1da177e4 1916 /* av is zero if only checking access to the descriptor. */
88e67f3b 1917 rc = 0;
1da177e4 1918 if (av)
19e49834 1919 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1920
88e67f3b
DH		 1921out:
1922 return rc;
1da177e4
LT		 1923}
1924
c3c188b2
DH		 1925/*
1926 * Determine the label for an inode that might be unioned.
1927 */
c957f6df
VG		 1928static int
1929selinux_determine_inode_label(const struct task_security_struct *tsec,
1930 struct inode *dir,
1931 const struct qstr *name, u16 tclass,
1932 u32 *_new_isid)
c3c188b2
DH		 1933{
1934 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1935
1936 if ((sbsec->flags & SE_SBINITIALIZED) &&
1937 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1938 *_new_isid = sbsec->mntpoint_sid;
1939 } else if ((sbsec->flags & SBLABEL_MNT) &&
1940 tsec->create_sid) {
1941 *_new_isid = tsec->create_sid;
1942 } else {
20cdef8d 1943 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1944 return security_transition_sid(&selinux_state, tsec->sid,
1945 dsec->sid, tclass,
c3c188b2
DH		 1946 name, _new_isid);
1947 }
1948
1949 return 0;
1950}
1951
1da177e4
LT		 1952/* Check whether a task can create a file. */
1953static int may_create(struct inode *dir,
1954 struct dentry *dentry,
1955 u16 tclass)
1956{
5fb49870 1957 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1958 struct inode_security_struct *dsec;
1959 struct superblock_security_struct *sbsec;
275bb41e 1960 u32 sid, newsid;
2bf49690 1961 struct common_audit_data ad;
1da177e4
LT		 1962 int rc;
1963
83da53c5 1964 dsec = inode_security(dir);
1da177e4
LT		 1965 sbsec = dir->i_sb->s_security;
1966
275bb41e 1967 sid = tsec->sid;
275bb41e 1968
50c205f5 1969 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1970 ad.u.dentry = dentry;
1da177e4 1971
6b6bc620
SS		 1972 rc = avc_has_perm(&selinux_state,
1973 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1974 DIR__ADD_NAME | DIR__SEARCH,
1975 &ad);
1976 if (rc)
1977 return rc;
1978
c957f6df
VG		 1979 rc = selinux_determine_inode_label(current_security(), dir,
1980 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1981 if (rc)
1982 return rc;
1da177e4 1983
6b6bc620
SS		 1984 rc = avc_has_perm(&selinux_state,
1985 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1986 if (rc)
1987 return rc;
1988
6b6bc620
SS		 1989 return avc_has_perm(&selinux_state,
1990 newsid, sbsec->sid,
1da177e4
LT		 1991 SECCLASS_FILESYSTEM,
1992 FILESYSTEM__ASSOCIATE, &ad);
1993}
1994
828dfe1d
EP		 1995#define MAY_LINK 0
1996#define MAY_UNLINK 1
1997#define MAY_RMDIR 2
1da177e4
LT		 1998
1999/* Check whether a task can link, unlink, or rmdir a file/directory. */
2000static int may_link(struct inode *dir,
2001 struct dentry *dentry,
2002 int kind)
2003
2004{
1da177e4 2005 struct inode_security_struct *dsec, *isec;
2bf49690 2006 struct common_audit_data ad;
275bb41e 2007 u32 sid = current_sid();
1da177e4
LT		 2008 u32 av;
2009 int rc;
2010
83da53c5
AG		 2011 dsec = inode_security(dir);
2012 isec = backing_inode_security(dentry);
1da177e4 2013
50c205f5 2014 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2015 ad.u.dentry = dentry;
1da177e4
LT		 2016
2017 av = DIR__SEARCH;
2018 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 2019 rc = avc_has_perm(&selinux_state,
2020 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 2021 if (rc)
2022 return rc;
2023
2024 switch (kind) {
2025 case MAY_LINK:
2026 av = FILE__LINK;
2027 break;
2028 case MAY_UNLINK:
2029 av = FILE__UNLINK;
2030 break;
2031 case MAY_RMDIR:
2032 av = DIR__RMDIR;
2033 break;
2034 default:
c103a91e 2035 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 2036 __func__, kind);
1da177e4
LT		 2037 return 0;
2038 }
2039
6b6bc620
SS		 2040 rc = avc_has_perm(&selinux_state,
2041 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 2042 return rc;
2043}
2044
2045static inline int may_rename(struct inode *old_dir,
2046 struct dentry *old_dentry,
2047 struct inode *new_dir,
2048 struct dentry *new_dentry)
2049{
1da177e4 2050 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 2051 struct common_audit_data ad;
275bb41e 2052 u32 sid = current_sid();
1da177e4
LT		 2053 u32 av;
2054 int old_is_dir, new_is_dir;
2055 int rc;
2056
83da53c5
AG		 2057 old_dsec = inode_security(old_dir);
2058 old_isec = backing_inode_security(old_dentry);
e36cb0b8 2059 old_is_dir = d_is_dir(old_dentry);
83da53c5 2060 new_dsec = inode_security(new_dir);
1da177e4 2061
50c205f5 2062 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 2063
a269434d 2064 ad.u.dentry = old_dentry;
6b6bc620
SS		 2065 rc = avc_has_perm(&selinux_state,
2066 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 2067 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2068 if (rc)
2069 return rc;
6b6bc620
SS		 2070 rc = avc_has_perm(&selinux_state,
2071 sid, old_isec->sid,
1da177e4
LT		 2072 old_isec->sclass, FILE__RENAME, &ad);
2073 if (rc)
2074 return rc;
2075 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 2076 rc = avc_has_perm(&selinux_state,
2077 sid, old_isec->sid,
1da177e4
LT		 2078 old_isec->sclass, DIR__REPARENT, &ad);
2079 if (rc)
2080 return rc;
2081 }
2082
a269434d 2083 ad.u.dentry = new_dentry;
1da177e4 2084 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 2085 if (d_is_positive(new_dentry))
1da177e4 2086 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 2087 rc = avc_has_perm(&selinux_state,
2088 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 2089 if (rc)
2090 return rc;
2c616d4d 2091 if (d_is_positive(new_dentry)) {
83da53c5 2092 new_isec = backing_inode_security(new_dentry);
e36cb0b8 2093 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 2094 rc = avc_has_perm(&selinux_state,
2095 sid, new_isec->sid,
1da177e4
LT		 2096 new_isec->sclass,
2097 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2098 if (rc)
2099 return rc;
2100 }
2101
2102 return 0;
2103}
2104
2105/* Check whether a task can perform a filesystem operation. */
88e67f3b 2106static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2107 struct super_block *sb,
2108 u32 perms,
2bf49690 2109 struct common_audit_data *ad)
1da177e4 2110{
1da177e4 2111 struct superblock_security_struct *sbsec;
88e67f3b 2112 u32 sid = cred_sid(cred);
1da177e4 2113
1da177e4 2114 sbsec = sb->s_security;
6b6bc620
SS		 2115 return avc_has_perm(&selinux_state,
2116 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2117}
2118
2119/* Convert a Linux mode and permission mask to an access vector. */
2120static inline u32 file_mask_to_av(int mode, int mask)
2121{
2122 u32 av = 0;
2123
dba19c60 2124 if (!S_ISDIR(mode)) {
1da177e4
LT		 2125 if (mask & MAY_EXEC)
2126 av |= FILE__EXECUTE;
2127 if (mask & MAY_READ)
2128 av |= FILE__READ;
2129
2130 if (mask & MAY_APPEND)
2131 av |= FILE__APPEND;
2132 else if (mask & MAY_WRITE)
2133 av |= FILE__WRITE;
2134
2135 } else {
2136 if (mask & MAY_EXEC)
2137 av |= DIR__SEARCH;
2138 if (mask & MAY_WRITE)
2139 av |= DIR__WRITE;
2140 if (mask & MAY_READ)
2141 av |= DIR__READ;
2142 }
2143
2144 return av;
2145}
2146
8b6a5a37
EP		 2147/* Convert a Linux file to an access vector. */
2148static inline u32 file_to_av(struct file *file)
2149{
2150 u32 av = 0;
2151
2152 if (file->f_mode & FMODE_READ)
2153 av |= FILE__READ;
2154 if (file->f_mode & FMODE_WRITE) {
2155 if (file->f_flags & O_APPEND)
2156 av |= FILE__APPEND;
2157 else
2158 av |= FILE__WRITE;
2159 }
2160 if (!av) {
2161 /*
2162 * Special file opened with flags 3 for ioctl-only use.
2163 */
2164 av = FILE__IOCTL;
2165 }
2166
2167 return av;
2168}
2169
b0c636b9 2170/*
8b6a5a37 2171 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2172 * open permission.
2173 */
8b6a5a37 2174static inline u32 open_file_to_av(struct file *file)
b0c636b9 2175{
8b6a5a37 2176 u32 av = file_to_av(file);
ccb54478 2177 struct inode *inode = file_inode(file);
b0c636b9 2178
aa8e712c
SS		 2179 if (selinux_policycap_openperm() &&
2180 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2181 av |= FILE__OPEN;
2182
b0c636b9
EP		 2183 return av;
2184}
2185
1da177e4
LT		 2186/* Hook functions begin here. */
2187
79af7307
SS		 2188static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2189{
2190 u32 mysid = current_sid();
2191 u32 mgrsid = task_sid(mgr);
2192
6b6bc620
SS		 2193 return avc_has_perm(&selinux_state,
2194 mysid, mgrsid, SECCLASS_BINDER,
79af7307
SS		 2195 BINDER__SET_CONTEXT_MGR, NULL);
2196}
2197
2198static int selinux_binder_transaction(struct task_struct *from,
2199 struct task_struct *to)
2200{
2201 u32 mysid = current_sid();
2202 u32 fromsid = task_sid(from);
2203 u32 tosid = task_sid(to);
2204 int rc;
2205
2206 if (mysid != fromsid) {
6b6bc620
SS		 2207 rc = avc_has_perm(&selinux_state,
2208 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2209 BINDER__IMPERSONATE, NULL);
2210 if (rc)
2211 return rc;
2212 }
2213
6b6bc620
SS		 2214 return avc_has_perm(&selinux_state,
2215 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
79af7307
SS		 2216 NULL);
2217}
2218
2219static int selinux_binder_transfer_binder(struct task_struct *from,
2220 struct task_struct *to)
2221{
2222 u32 fromsid = task_sid(from);
2223 u32 tosid = task_sid(to);
2224
6b6bc620
SS		 2225 return avc_has_perm(&selinux_state,
2226 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2227 NULL);
2228}
2229
2230static int selinux_binder_transfer_file(struct task_struct *from,
2231 struct task_struct *to,
2232 struct file *file)
2233{
2234 u32 sid = task_sid(to);
2235 struct file_security_struct *fsec = file->f_security;
83da53c5 2236 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2237 struct inode_security_struct *isec;
79af7307
SS		 2238 struct common_audit_data ad;
2239 int rc;
2240
2241 ad.type = LSM_AUDIT_DATA_PATH;
2242 ad.u.path = file->f_path;
2243
2244 if (sid != fsec->sid) {
6b6bc620
SS		 2245 rc = avc_has_perm(&selinux_state,
2246 sid, fsec->sid,
79af7307
SS		 2247 SECCLASS_FD,
2248 FD__USE,
2249 &ad);
2250 if (rc)
2251 return rc;
2252 }
2253
f66e448c
CF		 2254#ifdef CONFIG_BPF_SYSCALL
2255 rc = bpf_fd_pass(file, sid);
2256 if (rc)
2257 return rc;
2258#endif
2259
83da53c5 2260 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2261 return 0;
2262
20cdef8d 2263 isec = backing_inode_security(dentry);
6b6bc620
SS		 2264 return avc_has_perm(&selinux_state,
2265 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2266 &ad);
2267}
2268
9e48858f 2269static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2270 unsigned int mode)
1da177e4 2271{
be0554c9
SS		 2272 u32 sid = current_sid();
2273 u32 csid = task_sid(child);
2274
2275 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2276 return avc_has_perm(&selinux_state,
2277 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2278
6b6bc620
SS		 2279 return avc_has_perm(&selinux_state,
2280 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2281}
2282
2283static int selinux_ptrace_traceme(struct task_struct *parent)
2284{
6b6bc620
SS		 2285 return avc_has_perm(&selinux_state,
2286 task_sid(parent), current_sid(), SECCLASS_PROCESS,
be0554c9 2287 PROCESS__PTRACE, NULL);
1da177e4
LT		 2288}
2289
2290static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2291 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2292{
6b6bc620
SS		 2293 return avc_has_perm(&selinux_state,
2294 current_sid(), task_sid(target), SECCLASS_PROCESS,
be0554c9 2295 PROCESS__GETCAP, NULL);
1da177e4
LT		 2296}
2297
d84f4f99
DH		 2298static int selinux_capset(struct cred *new, const struct cred *old,
2299 const kernel_cap_t *effective,
2300 const kernel_cap_t *inheritable,
2301 const kernel_cap_t *permitted)
1da177e4 2302{
6b6bc620
SS		 2303 return avc_has_perm(&selinux_state,
2304 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2305 PROCESS__SETCAP, NULL);
1da177e4
LT		 2306}
2307
5626d3e8
JM		 2308/*
2309 * (This comment used to live with the selinux_task_setuid hook,
2310 * which was removed).
2311 *
2312 * Since setuid only affects the current process, and since the SELinux
2313 * controls are not based on the Linux identity attributes, SELinux does not
2314 * need to control this operation. However, SELinux does control the use of
2315 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2316 */
2317
6a9de491
EP		 2318static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2319 int cap, int audit)
1da177e4 2320{
8e4ff6f2 2321 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2322}
2323
1da177e4
LT		 2324static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2325{
88e67f3b 2326 const struct cred *cred = current_cred();
1da177e4
LT		 2327 int rc = 0;
2328
2329 if (!sb)
2330 return 0;
2331
2332 switch (cmds) {
828dfe1d
EP		 2333 case Q_SYNC:
2334 case Q_QUOTAON:
2335 case Q_QUOTAOFF:
2336 case Q_SETINFO:
2337 case Q_SETQUOTA:
88e67f3b 2338 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2339 break;
2340 case Q_GETFMT:
2341 case Q_GETINFO:
2342 case Q_GETQUOTA:
88e67f3b 2343 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2344 break;
2345 default:
2346 rc = 0; /* let the kernel handle invalid cmds */
2347 break;
1da177e4
LT		 2348 }
2349 return rc;
2350}
2351
2352static int selinux_quota_on(struct dentry *dentry)
2353{
88e67f3b
DH		 2354 const struct cred *cred = current_cred();
2355
2875fa00 2356 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2357}
2358
12b3052c 2359static int selinux_syslog(int type)
1da177e4 2360{
1da177e4 2361 switch (type) {
d78ca3cd
KC		 2362 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2363 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2364 return avc_has_perm(&selinux_state,
2365 current_sid(), SECINITSID_KERNEL,
be0554c9 2366 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2367 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2368 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2369 /* Set level of messages printed to console */
2370 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2371 return avc_has_perm(&selinux_state,
2372 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2373 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2374 NULL);
1da177e4 2375 }
be0554c9 2376 /* All other syslog types */
6b6bc620
SS		 2377 return avc_has_perm(&selinux_state,
2378 current_sid(), SECINITSID_KERNEL,
be0554c9 2379 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2380}
2381
2382/*
2383 * Check that a process has enough memory to allocate a new virtual
2384 * mapping. 0 means there is enough memory for the allocation to
2385 * succeed and -ENOMEM implies there is not.
2386 *
1da177e4
LT		 2387 * Do not audit the selinux permission check, as this is applied to all
2388 * processes that allocate mappings.
2389 */
34b4e4aa 2390static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2391{
2392 int rc, cap_sys_admin = 0;
1da177e4 2393
b1d9e6b0 2394 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2395 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2396 if (rc == 0)
2397 cap_sys_admin = 1;
2398
b1d9e6b0 2399 return cap_sys_admin;
1da177e4
LT		 2400}
2401
2402/* binprm security operations */
2403
be0554c9 2404static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2405{
2406 u32 sid = 0;
2407 struct task_struct *tracer;
2408
2409 rcu_read_lock();
be0554c9 2410 tracer = ptrace_parent(current);
0c6181cb
PM		 2411 if (tracer)
2412 sid = task_sid(tracer);
2413 rcu_read_unlock();
2414
2415 return sid;
2416}
2417
7b0d0b40
SS		 2418static int check_nnp_nosuid(const struct linux_binprm *bprm,
2419 const struct task_security_struct *old_tsec,
2420 const struct task_security_struct *new_tsec)
2421{
2422 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2423 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2424 int rc;
af63f419 2425 u32 av;
7b0d0b40
SS		 2426
2427 if (!nnp && !nosuid)
2428 return 0; /* neither NNP nor nosuid */
2429
2430 if (new_tsec->sid == old_tsec->sid)
2431 return 0; /* No change in credentials */
2432
2433 /*
af63f419
SS		 2434 * If the policy enables the nnp_nosuid_transition policy capability,
2435 * then we permit transitions under NNP or nosuid if the
2436 * policy allows the corresponding permission between
2437 * the old and new contexts.
7b0d0b40 2438 */
aa8e712c 2439 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2440 av = 0;
7b0d0b40 2441 if (nnp)
af63f419
SS		 2442 av |= PROCESS2__NNP_TRANSITION;
2443 if (nosuid)
2444 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2445 rc = avc_has_perm(&selinux_state,
2446 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2447 SECCLASS_PROCESS2, av, NULL);
2448 if (!rc)
2449 return 0;
7b0d0b40 2450 }
af63f419
SS		 2451
2452 /*
2453 * We also permit NNP or nosuid transitions to bounded SIDs,
2454 * i.e. SIDs that are guaranteed to only be allowed a subset
2455 * of the permissions of the current SID.
2456 */
aa8e712c
SS		 2457 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2458 new_tsec->sid);
af63f419
SS		 2459 if (!rc)
2460 return 0;
2461
2462 /*
2463 * On failure, preserve the errno values for NNP vs nosuid.
2464 * NNP: Operation not permitted for caller.
2465 * nosuid: Permission denied to file.
2466 */
2467 if (nnp)
2468 return -EPERM;
2469 return -EACCES;
7b0d0b40
SS		 2470}
2471
a6f76f23 2472static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2473{
a6f76f23
DH		 2474 const struct task_security_struct *old_tsec;
2475 struct task_security_struct *new_tsec;
1da177e4 2476 struct inode_security_struct *isec;
2bf49690 2477 struct common_audit_data ad;
496ad9aa 2478 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2479 int rc;
2480
a6f76f23
DH		 2481 /* SELinux context only depends on initial program or script and not
2482 * the script interpreter */
ddb4a144 2483 if (bprm->called_set_creds)
1da177e4
LT		 2484 return 0;
2485
a6f76f23
DH		 2486 old_tsec = current_security();
2487 new_tsec = bprm->cred->security;
83da53c5 2488 isec = inode_security(inode);
1da177e4
LT		 2489
2490 /* Default to the current task SID. */
a6f76f23
DH		 2491 new_tsec->sid = old_tsec->sid;
2492 new_tsec->osid = old_tsec->sid;
1da177e4 2493
28eba5bf 2494 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2495 new_tsec->create_sid = 0;
2496 new_tsec->keycreate_sid = 0;
2497 new_tsec->sockcreate_sid = 0;
1da177e4 2498
a6f76f23
DH		 2499 if (old_tsec->exec_sid) {
2500 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2501 /* Reset exec SID on execve. */
a6f76f23 2502 new_tsec->exec_sid = 0;
259e5e6c 2503
7b0d0b40
SS		 2504 /* Fail on NNP or nosuid if not an allowed transition. */
2505 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2506 if (rc)
2507 return rc;
1da177e4
LT		 2508 } else {
2509 /* Check for a default transition on this program. */
aa8e712c
SS		 2510 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2511 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2512 &new_tsec->sid);
1da177e4
LT		 2513 if (rc)
2514 return rc;
7b0d0b40
SS		 2515
2516 /*
2517 * Fallback to old SID on NNP or nosuid if not an allowed
2518 * transition.
2519 */
2520 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2521 if (rc)
2522 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2523 }
2524
43af5de7
VG		 2525 ad.type = LSM_AUDIT_DATA_FILE;
2526 ad.u.file = bprm->file;
1da177e4 2527
a6f76f23 2528 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2529 rc = avc_has_perm(&selinux_state,
2530 old_tsec->sid, isec->sid,
1da177e4
LT		 2531 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2532 if (rc)
2533 return rc;
2534 } else {
2535 /* Check permissions for the transition. */
6b6bc620
SS		 2536 rc = avc_has_perm(&selinux_state,
2537 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2538 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2539 if (rc)
2540 return rc;
2541
6b6bc620
SS		 2542 rc = avc_has_perm(&selinux_state,
2543 new_tsec->sid, isec->sid,
1da177e4
LT		 2544 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2545 if (rc)
2546 return rc;
2547
a6f76f23
DH		 2548 /* Check for shared state */
2549 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2550 rc = avc_has_perm(&selinux_state,
2551 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2552 SECCLASS_PROCESS, PROCESS__SHARE,
2553 NULL);
2554 if (rc)
2555 return -EPERM;
2556 }
2557
2558 /* Make sure that anyone attempting to ptrace over a task that
2559 * changes its SID has the appropriate permit */
9227dd2a 2560 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2561 u32 ptsid = ptrace_parent_sid();
a6f76f23 2562 if (ptsid != 0) {
6b6bc620
SS		 2563 rc = avc_has_perm(&selinux_state,
2564 ptsid, new_tsec->sid,
a6f76f23
DH		 2565 SECCLASS_PROCESS,
2566 PROCESS__PTRACE, NULL);
2567 if (rc)
2568 return -EPERM;
2569 }
2570 }
1da177e4 2571
a6f76f23
DH		 2572 /* Clear any possibly unsafe personality bits on exec: */
2573 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2574
1da177e4
LT		 2575 /* Enable secure mode for SIDs transitions unless
2576 the noatsecure permission is granted between
2577 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2578 rc = avc_has_perm(&selinux_state,
2579 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2580 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2581 NULL);
2582 bprm->secureexec |= !!rc;
1da177e4
LT		 2583 }
2584
62874c3a 2585 return 0;
1da177e4
LT		 2586}
2587
c3c073f8
AV		 2588static int match_file(const void *p, struct file *file, unsigned fd)
2589{
2590 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2591}
2592
1da177e4 2593/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2594static inline void flush_unauthorized_files(const struct cred *cred,
2595 struct files_struct *files)
1da177e4 2596{
1da177e4 2597 struct file *file, *devnull = NULL;
b20c8122 2598 struct tty_struct *tty;
24ec839c 2599 int drop_tty = 0;
c3c073f8 2600 unsigned n;
1da177e4 2601
24ec839c 2602 tty = get_current_tty();
1da177e4 2603 if (tty) {
4a510969 2604 spin_lock(&tty->files_lock);
37dd0bd0 2605 if (!list_empty(&tty->tty_files)) {
d996b62a 2606 struct tty_file_private *file_priv;
37dd0bd0 2607
1da177e4 2608 /* Revalidate access to controlling tty.
13f8e981
DH		 2609 Use file_path_has_perm on the tty path directly
2610 rather than using file_has_perm, as this particular
2611 open file may belong to another process and we are
2612 only interested in the inode-based check here. */
d996b62a
NP		 2613 file_priv = list_first_entry(&tty->tty_files,
2614 struct tty_file_private, list);
2615 file = file_priv->file;
13f8e981 2616 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2617 drop_tty = 1;
1da177e4 2618 }
4a510969 2619 spin_unlock(&tty->files_lock);
452a00d2 2620 tty_kref_put(tty);
1da177e4 2621 }
98a27ba4
EB		 2622 /* Reset controlling tty. */
2623 if (drop_tty)
2624 no_tty();
1da177e4
LT		 2625
2626 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2627 n = iterate_fd(files, 0, match_file, cred);
2628 if (!n) /* none found? */
2629 return;
1da177e4 2630
c3c073f8 2631 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2632 if (IS_ERR(devnull))
2633 devnull = NULL;
2634 /* replace all the matching ones with this */
2635 do {
2636 replace_fd(n - 1, devnull, 0);
2637 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2638 if (devnull)
c3c073f8 2639 fput(devnull);
1da177e4
LT		 2640}
2641
a6f76f23
DH		 2642/*
2643 * Prepare a process for imminent new credential changes due to exec
2644 */
2645static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2646{
a6f76f23
DH		 2647 struct task_security_struct *new_tsec;
2648 struct rlimit *rlim, *initrlim;
2649 int rc, i;
d84f4f99 2650
a6f76f23
DH		 2651 new_tsec = bprm->cred->security;
2652 if (new_tsec->sid == new_tsec->osid)
2653 return;
1da177e4 2654
a6f76f23
DH		 2655 /* Close files for which the new task SID is not authorized. */
2656 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2657
a6f76f23
DH		 2658 /* Always clear parent death signal on SID transitions. */
2659 current->pdeath_signal = 0;
0356357c 2660
a6f76f23
DH		 2661 /* Check whether the new SID can inherit resource limits from the old
2662 * SID. If not, reset all soft limits to the lower of the current
2663 * task's hard limit and the init task's soft limit.
2664 *
2665 * Note that the setting of hard limits (even to lower them) can be
2666 * controlled by the setrlimit check. The inclusion of the init task's
2667 * soft limit into the computation is to avoid resetting soft limits
2668 * higher than the default soft limit for cases where the default is
2669 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2670 */
6b6bc620
SS		 2671 rc = avc_has_perm(&selinux_state,
2672 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2673 PROCESS__RLIMITINH, NULL);
2674 if (rc) {
eb2d55a3
ON		 2675 /* protect against do_prlimit() */
2676 task_lock(current);
a6f76f23
DH		 2677 for (i = 0; i < RLIM_NLIMITS; i++) {
2678 rlim = current->signal->rlim + i;
2679 initrlim = init_task.signal->rlim + i;
2680 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2681 }
eb2d55a3 2682 task_unlock(current);
baa73d9e
NP		 2683 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2684 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2685 }
2686}
2687
2688/*
a6f76f23
DH		 2689 * Clean up the process immediately after the installation of new credentials
2690 * due to exec
1da177e4 2691 */
a6f76f23 2692static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2693{
a6f76f23 2694 const struct task_security_struct *tsec = current_security();
1da177e4 2695 struct itimerval itimer;
a6f76f23 2696 u32 osid, sid;
1da177e4
LT		 2697 int rc, i;
2698
a6f76f23
DH		 2699 osid = tsec->osid;
2700 sid = tsec->sid;
2701
2702 if (sid == osid)
1da177e4
LT		 2703 return;
2704
a6f76f23
DH		 2705 /* Check whether the new SID can inherit signal state from the old SID.
2706 * If not, clear itimers to avoid subsequent signal generation and
2707 * flush and unblock signals.
2708 *
2709 * This must occur _after_ the task SID has been updated so that any
2710 * kill done after the flush will be checked against the new SID.
2711 */
6b6bc620
SS		 2712 rc = avc_has_perm(&selinux_state,
2713 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2714 if (rc) {
baa73d9e
NP		 2715 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2716 memset(&itimer, 0, sizeof itimer);
2717 for (i = 0; i < 3; i++)
2718 do_setitimer(i, &itimer, NULL);
2719 }
1da177e4 2720 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2721 if (!fatal_signal_pending(current)) {
2722 flush_sigqueue(&current->pending);
2723 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2724 flush_signal_handlers(current, 1);
2725 sigemptyset(&current->blocked);
9e7c8f8c 2726 recalc_sigpending();
3bcac026 2727 }
1da177e4
LT		 2728 spin_unlock_irq(&current->sighand->siglock);
2729 }
2730
a6f76f23
DH		 2731 /* Wake up the parent if it is waiting so that it can recheck
2732 * wait permission to the new task SID. */
ecd6de3c 2733 read_lock(&tasklist_lock);
0b7570e7 2734 __wake_up_parent(current, current->real_parent);
ecd6de3c 2735 read_unlock(&tasklist_lock);
1da177e4
LT		 2736}
2737
2738/* superblock security operations */
2739
2740static int selinux_sb_alloc_security(struct super_block *sb)
2741{
2742 return superblock_alloc_security(sb);
2743}
2744
2745static void selinux_sb_free_security(struct super_block *sb)
2746{
2747 superblock_free_security(sb);
2748}
2749
2750static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2751{
2752 if (plen > olen)
2753 return 0;
2754
2755 return !memcmp(prefix, option, plen);
2756}
2757
2758static inline int selinux_option(char *option, int len)
2759{
832cbd9a
EP		 2760 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2761 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2762 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2763 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2764 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2765}
2766
2767static inline void take_option(char **to, char *from, int *first, int len)
2768{
2769 if (!*first) {
2770 **to = ',';
2771 *to += 1;
3528a953 2772 } else
1da177e4
LT		 2773 *first = 0;
2774 memcpy(*to, from, len);
2775 *to += len;
2776}
2777
828dfe1d
EP		 2778static inline void take_selinux_option(char **to, char *from, int *first,
2779 int len)
3528a953
CO		 2780{
2781 int current_size = 0;
2782
2783 if (!*first) {
2784 **to = '|';
2785 *to += 1;
828dfe1d 2786 } else
3528a953
CO		 2787 *first = 0;
2788
2789 while (current_size < len) {
2790 if (*from != '"') {
2791 **to = *from;
2792 *to += 1;
2793 }
2794 from += 1;
2795 current_size += 1;
2796 }
2797}
2798
e0007529 2799static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2800{
2801 int fnosec, fsec, rc = 0;
2802 char *in_save, *in_curr, *in_end;
2803 char *sec_curr, *nosec_save, *nosec;
3528a953 2804 int open_quote = 0;
1da177e4
LT		 2805
2806 in_curr = orig;
2807 sec_curr = copy;
2808
1da177e4
LT		 2809 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2810 if (!nosec) {
2811 rc = -ENOMEM;
2812 goto out;
2813 }
2814
2815 nosec_save = nosec;
2816 fnosec = fsec = 1;
2817 in_save = in_end = orig;
2818
2819 do {
3528a953
CO		 2820 if (*in_end == '"')
2821 open_quote = !open_quote;
2822 if ((*in_end == ',' && open_quote == 0) ||
2823 *in_end == '\0') {
1da177e4
LT		 2824 int len = in_end - in_curr;
2825
2826 if (selinux_option(in_curr, len))
3528a953 2827 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2828 else
2829 take_option(&nosec, in_curr, &fnosec, len);
2830
2831 in_curr = in_end + 1;
2832 }
2833 } while (*in_end++);
2834
6931dfc9 2835 strcpy(in_save, nosec_save);
da3caa20 2836 free_page((unsigned long)nosec_save);
1da177e4
LT		 2837out:
2838 return rc;
2839}
2840
026eb167
EP		 2841static int selinux_sb_remount(struct super_block *sb, void *data)
2842{
2843 int rc, i, *flags;
2844 struct security_mnt_opts opts;
2845 char *secdata, **mount_options;
2846 struct superblock_security_struct *sbsec = sb->s_security;
2847
2848 if (!(sbsec->flags & SE_SBINITIALIZED))
2849 return 0;
2850
2851 if (!data)
2852 return 0;
2853
2854 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2855 return 0;
2856
2857 security_init_mnt_opts(&opts);
2858 secdata = alloc_secdata();
2859 if (!secdata)
2860 return -ENOMEM;
2861 rc = selinux_sb_copy_data(data, secdata);
2862 if (rc)
2863 goto out_free_secdata;
2864
2865 rc = selinux_parse_opts_str(secdata, &opts);
2866 if (rc)
2867 goto out_free_secdata;
2868
2869 mount_options = opts.mnt_opts;
2870 flags = opts.mnt_opts_flags;
2871
2872 for (i = 0; i < opts.num_mnt_opts; i++) {
2873 u32 sid;
026eb167 2874
12f348b9 2875 if (flags[i] == SBLABEL_MNT)
026eb167 2876 continue;
aa8e712c
SS		 2877 rc = security_context_str_to_sid(&selinux_state,
2878 mount_options[i], &sid,
2879 GFP_KERNEL);
026eb167 2880 if (rc) {
c103a91e 2881 pr_warn("SELinux: security_context_str_to_sid"
29b1deb2
LT		 2882 "(%s) failed for (dev %s, type %s) errno=%d\n",
2883 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2884 goto out_free_opts;
2885 }
2886 rc = -EINVAL;
2887 switch (flags[i]) {
2888 case FSCONTEXT_MNT:
2889 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2890 goto out_bad_option;
2891 break;
2892 case CONTEXT_MNT:
2893 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2894 goto out_bad_option;
2895 break;
2896 case ROOTCONTEXT_MNT: {
2897 struct inode_security_struct *root_isec;
83da53c5 2898 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2899
2900 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2901 goto out_bad_option;
2902 break;
2903 }
2904 case DEFCONTEXT_MNT:
2905 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2906 goto out_bad_option;
2907 break;
2908 default:
2909 goto out_free_opts;
2910 }
2911 }
2912
2913 rc = 0;
2914out_free_opts:
2915 security_free_mnt_opts(&opts);
2916out_free_secdata:
2917 free_secdata(secdata);
2918 return rc;
2919out_bad_option:
c103a91e 2920 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2921 "during remount (dev %s, type=%s)\n", sb->s_id,
2922 sb->s_type->name);
026eb167
EP		 2923 goto out_free_opts;
2924}
2925
12204e24 2926static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2927{
88e67f3b 2928 const struct cred *cred = current_cred();
2bf49690 2929 struct common_audit_data ad;
1da177e4
LT		 2930 int rc;
2931
2932 rc = superblock_doinit(sb, data);
2933 if (rc)
2934 return rc;
2935
74192246
JM		 2936 /* Allow all mounts performed by the kernel */
2937 if (flags & MS_KERNMOUNT)
2938 return 0;
2939
50c205f5 2940 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2941 ad.u.dentry = sb->s_root;
88e67f3b 2942 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2943}
2944
726c3342 2945static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2946{
88e67f3b 2947 const struct cred *cred = current_cred();
2bf49690 2948 struct common_audit_data ad;
1da177e4 2949
50c205f5 2950 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2951 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2952 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2953}
2954
808d4e3c 2955static int selinux_mount(const char *dev_name,
8a04c43b 2956 const struct path *path,
808d4e3c 2957 const char *type,
828dfe1d
EP		 2958 unsigned long flags,
2959 void *data)
1da177e4 2960{
88e67f3b 2961 const struct cred *cred = current_cred();
1da177e4
LT		 2962
2963 if (flags & MS_REMOUNT)
d8c9584e 2964 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2965 FILESYSTEM__REMOUNT, NULL);
1da177e4 2966 else
2875fa00 2967 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2968}
2969
2970static int selinux_umount(struct vfsmount *mnt, int flags)
2971{
88e67f3b 2972 const struct cred *cred = current_cred();
1da177e4 2973
88e67f3b 2974 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2975 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2976}
2977
2978/* inode security operations */
2979
2980static int selinux_inode_alloc_security(struct inode *inode)
2981{
2982 return inode_alloc_security(inode);
2983}
2984
2985static void selinux_inode_free_security(struct inode *inode)
2986{
2987 inode_free_security(inode);
2988}
2989
d47be3df 2990static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2991 const struct qstr *name, void **ctx,
d47be3df
DQ		 2992 u32 *ctxlen)
2993{
d47be3df
DQ		 2994 u32 newsid;
2995 int rc;
2996
c957f6df
VG		 2997 rc = selinux_determine_inode_label(current_security(),
2998 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2999 inode_mode_to_security_class(mode),
3000 &newsid);
3001 if (rc)
3002 return rc;
d47be3df 3003
aa8e712c
SS		 3004 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3005 ctxlen);
d47be3df
DQ		 3006}
3007
a518b0a5
VG		 3008static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3009 struct qstr *name,
3010 const struct cred *old,
3011 struct cred *new)
3012{
3013 u32 newsid;
3014 int rc;
3015 struct task_security_struct *tsec;
3016
3017 rc = selinux_determine_inode_label(old->security,
3018 d_inode(dentry->d_parent), name,
3019 inode_mode_to_security_class(mode),
3020 &newsid);
3021 if (rc)
3022 return rc;
3023
3024 tsec = new->security;
3025 tsec->create_sid = newsid;
3026 return 0;
3027}
3028
5e41ff9e 3029static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 3030 const struct qstr *qstr,
3031 const char **name,
2a7dba39 3032 void **value, size_t *len)
5e41ff9e 3033{
5fb49870 3034 const struct task_security_struct *tsec = current_security();
5e41ff9e 3035 struct superblock_security_struct *sbsec;
c0d4f464 3036 u32 newsid, clen;
5e41ff9e 3037 int rc;
9548906b 3038 char *context;
5e41ff9e 3039
5e41ff9e 3040 sbsec = dir->i_sb->s_security;
5e41ff9e 3041
275bb41e
DH		 3042 newsid = tsec->create_sid;
3043
c957f6df 3044 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 3045 dir, qstr,
3046 inode_mode_to_security_class(inode->i_mode),
3047 &newsid);
3048 if (rc)
3049 return rc;
5e41ff9e 3050
296fddf7 3051 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 3052 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 3053 struct inode_security_struct *isec = inode->i_security;
3054 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3055 isec->sid = newsid;
6f3be9f5 3056 isec->initialized = LABEL_INITIALIZED;
296fddf7 3057 }
5e41ff9e 3058
aa8e712c 3059 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 3060 return -EOPNOTSUPP;
3061
9548906b
TH		 3062 if (name)
3063 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 3064
570bc1c2 3065 if (value && len) {
aa8e712c
SS		 3066 rc = security_sid_to_context_force(&selinux_state, newsid,
3067 &context, &clen);
9548906b 3068 if (rc)
570bc1c2 3069 return rc;
570bc1c2
SS		 3070 *value = context;
3071 *len = clen;
5e41ff9e 3072 }
5e41ff9e 3073
5e41ff9e
SS		 3074 return 0;
3075}
3076
4acdaf27 3077static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 3078{
3079 return may_create(dir, dentry, SECCLASS_FILE);
3080}
3081
1da177e4
LT		 3082static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3083{
1da177e4
LT		 3084 return may_link(dir, old_dentry, MAY_LINK);
3085}
3086
1da177e4
LT		 3087static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3088{
1da177e4
LT		 3089 return may_link(dir, dentry, MAY_UNLINK);
3090}
3091
3092static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3093{
3094 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3095}
3096
18bb1db3 3097static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 3098{
3099 return may_create(dir, dentry, SECCLASS_DIR);
3100}
3101
1da177e4
LT		 3102static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3103{
3104 return may_link(dir, dentry, MAY_RMDIR);
3105}
3106
1a67aafb 3107static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 3108{
1da177e4
LT		 3109 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3110}
3111
1da177e4 3112static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 3113 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 3114{
3115 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3116}
3117
1da177e4
LT		 3118static int selinux_inode_readlink(struct dentry *dentry)
3119{
88e67f3b
DH		 3120 const struct cred *cred = current_cred();
3121
2875fa00 3122 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3123}
3124
bda0be7a
N		 3125static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3126 bool rcu)
1da177e4 3127{
88e67f3b 3128 const struct cred *cred = current_cred();
bda0be7a
N		 3129 struct common_audit_data ad;
3130 struct inode_security_struct *isec;
3131 u32 sid;
1da177e4 3132
bda0be7a
N		 3133 validate_creds(cred);
3134
3135 ad.type = LSM_AUDIT_DATA_DENTRY;
3136 ad.u.dentry = dentry;
3137 sid = cred_sid(cred);
5d226df4
AG		 3138 isec = inode_security_rcu(inode, rcu);
3139 if (IS_ERR(isec))
3140 return PTR_ERR(isec);
bda0be7a 3141
6b6bc620
SS		 3142 return avc_has_perm_flags(&selinux_state,
3143 sid, isec->sid, isec->sclass, FILE__READ, &ad,
bda0be7a 3144 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3145}
3146
d4cf970d
EP		 3147static noinline int audit_inode_permission(struct inode *inode,
3148 u32 perms, u32 audited, u32 denied,
626b9740 3149 int result,
d4cf970d 3150 unsigned flags)
1da177e4 3151{
b782e0a6 3152 struct common_audit_data ad;
d4cf970d
EP		 3153 struct inode_security_struct *isec = inode->i_security;
3154 int rc;
3155
50c205f5 3156 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3157 ad.u.inode = inode;
3158
6b6bc620
SS		 3159 rc = slow_avc_audit(&selinux_state,
3160 current_sid(), isec->sid, isec->sclass, perms,
626b9740 3161 audited, denied, result, &ad, flags);
d4cf970d
EP		 3162 if (rc)
3163 return rc;
3164 return 0;
3165}
3166
e74f71eb 3167static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3168{
88e67f3b 3169 const struct cred *cred = current_cred();
b782e0a6
EP		 3170 u32 perms;
3171 bool from_access;
cf1dd1da 3172 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3173 struct inode_security_struct *isec;
3174 u32 sid;
3175 struct av_decision avd;
3176 int rc, rc2;
3177 u32 audited, denied;
1da177e4 3178
b782e0a6 3179 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3180 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3181
b782e0a6
EP		 3182 /* No permission to check. Existence test. */
3183 if (!mask)
1da177e4 3184 return 0;
1da177e4 3185
2e334057 3186 validate_creds(cred);
b782e0a6 3187
2e334057
EP		 3188 if (unlikely(IS_PRIVATE(inode)))
3189 return 0;
b782e0a6
EP		 3190
3191 perms = file_mask_to_av(inode->i_mode, mask);
3192
2e334057 3193 sid = cred_sid(cred);
5d226df4
AG		 3194 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3195 if (IS_ERR(isec))
3196 return PTR_ERR(isec);
2e334057 3197
6b6bc620
SS		 3198 rc = avc_has_perm_noaudit(&selinux_state,
3199 sid, isec->sid, isec->sclass, perms, 0, &avd);
2e334057
EP		 3200 audited = avc_audit_required(perms, &avd, rc,
3201 from_access ? FILE__AUDIT_ACCESS : 0,
3202 &denied);
3203 if (likely(!audited))
3204 return rc;
3205
626b9740 3206 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3207 if (rc2)
3208 return rc2;
3209 return rc;
1da177e4
LT		 3210}
3211
3212static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3213{
88e67f3b 3214 const struct cred *cred = current_cred();
ccb54478 3215 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3216 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3217 __u32 av = FILE__WRITE;
1da177e4 3218
bc6a6008
AW		 3219 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3220 if (ia_valid & ATTR_FORCE) {
3221 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3222 ATTR_FORCE);
3223 if (!ia_valid)
3224 return 0;
3225 }
1da177e4 3226
bc6a6008
AW		 3227 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3228 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3229 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3230
aa8e712c 3231 if (selinux_policycap_openperm() &&
ccb54478
SS		 3232 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3233 (ia_valid & ATTR_SIZE) &&
3234 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3235 av |= FILE__OPEN;
3236
3237 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3238}
3239
3f7036a0 3240static int selinux_inode_getattr(const struct path *path)
1da177e4 3241{
3f7036a0 3242 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3243}
3244
db59000a
SS		 3245static bool has_cap_mac_admin(bool audit)
3246{
3247 const struct cred *cred = current_cred();
3248 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3249
3250 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3251 return false;
3252 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3253 return false;
3254 return true;
3255}
3256
8f0cfa52
DH		 3257static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3258 const void *value, size_t size, int flags)
1da177e4 3259{
c6f493d6 3260 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3261 struct inode_security_struct *isec;
1da177e4 3262 struct superblock_security_struct *sbsec;
2bf49690 3263 struct common_audit_data ad;
275bb41e 3264 u32 newsid, sid = current_sid();
1da177e4
LT		 3265 int rc = 0;
3266
6b240306
EB		 3267 if (strcmp(name, XATTR_NAME_SELINUX)) {
3268 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3269 if (rc)
3270 return rc;
3271
3272 /* Not an attribute we recognize, so just check the
3273 ordinary setattr permission. */
3274 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3275 }
1da177e4
LT		 3276
3277 sbsec = inode->i_sb->s_security;
12f348b9 3278 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3279 return -EOPNOTSUPP;
3280
2e149670 3281 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3282 return -EPERM;
3283
50c205f5 3284 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3285 ad.u.dentry = dentry;
1da177e4 3286
20cdef8d 3287 isec = backing_inode_security(dentry);
6b6bc620
SS		 3288 rc = avc_has_perm(&selinux_state,
3289 sid, isec->sid, isec->sclass,
1da177e4
LT		 3290 FILE__RELABELFROM, &ad);
3291 if (rc)
3292 return rc;
3293
aa8e712c
SS		 3294 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3295 GFP_KERNEL);
12b29f34 3296 if (rc == -EINVAL) {
db59000a 3297 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3298 struct audit_buffer *ab;
3299 size_t audit_size;
d6ea83ec
EP		 3300
3301 /* We strip a nul only if it is at the end, otherwise the
3302 * context contains a nul and we should audit that */
e3fea3f7 3303 if (value) {
add24372
CIK		 3304 const char *str = value;
3305
e3fea3f7
AV		 3306 if (str[size - 1] == '\0')
3307 audit_size = size - 1;
3308 else
3309 audit_size = size;
3310 } else {
e3fea3f7
AV		 3311 audit_size = 0;
3312 }
cdfb6b34
RGB		 3313 ab = audit_log_start(audit_context(),
3314 GFP_ATOMIC, AUDIT_SELINUX_ERR);
d6ea83ec
EP		 3315 audit_log_format(ab, "op=setxattr invalid_context=");
3316 audit_log_n_untrustedstring(ab, value, audit_size);
3317 audit_log_end(ab);
3318
12b29f34 3319 return rc;
d6ea83ec 3320 }
aa8e712c
SS		 3321 rc = security_context_to_sid_force(&selinux_state, value,
3322 size, &newsid);
12b29f34 3323 }
1da177e4
LT		 3324 if (rc)
3325 return rc;
3326
6b6bc620
SS		 3327 rc = avc_has_perm(&selinux_state,
3328 sid, newsid, isec->sclass,
1da177e4
LT		 3329 FILE__RELABELTO, &ad);
3330 if (rc)
3331 return rc;
3332
aa8e712c
SS		 3333 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3334 sid, isec->sclass);
1da177e4
LT		 3335 if (rc)
3336 return rc;
3337
6b6bc620
SS		 3338 return avc_has_perm(&selinux_state,
3339 newsid,
1da177e4
LT		 3340 sbsec->sid,
3341 SECCLASS_FILESYSTEM,
3342 FILESYSTEM__ASSOCIATE,
3343 &ad);
3344}
3345
8f0cfa52 3346static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3347 const void *value, size_t size,
8f0cfa52 3348 int flags)
1da177e4 3349{
c6f493d6 3350 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3351 struct inode_security_struct *isec;
1da177e4
LT		 3352 u32 newsid;
3353 int rc;
3354
3355 if (strcmp(name, XATTR_NAME_SELINUX)) {
3356 /* Not an attribute we recognize, so nothing to do. */
3357 return;
3358 }
3359
aa8e712c
SS		 3360 rc = security_context_to_sid_force(&selinux_state, value, size,
3361 &newsid);
1da177e4 3362 if (rc) {
c103a91e 3363 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3364 "for (%s, %lu), rc=%d\n",
3365 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3366 return;
3367 }
3368
20cdef8d 3369 isec = backing_inode_security(dentry);
9287aed2 3370 spin_lock(&isec->lock);
aa9c2669 3371 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3372 isec->sid = newsid;
6f3be9f5 3373 isec->initialized = LABEL_INITIALIZED;
9287aed2 3374 spin_unlock(&isec->lock);
aa9c2669 3375
1da177e4
LT		 3376 return;
3377}
3378
8f0cfa52 3379static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3380{
88e67f3b
DH		 3381 const struct cred *cred = current_cred();
3382
2875fa00 3383 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3384}
3385
828dfe1d 3386static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3387{
88e67f3b
DH		 3388 const struct cred *cred = current_cred();
3389
2875fa00 3390 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3391}
3392
8f0cfa52 3393static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3394{
6b240306
EB		 3395 if (strcmp(name, XATTR_NAME_SELINUX)) {
3396 int rc = cap_inode_removexattr(dentry, name);
3397 if (rc)
3398 return rc;
3399
3400 /* Not an attribute we recognize, so just check the
3401 ordinary setattr permission. */
3402 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3403 }
1da177e4
LT		 3404
3405 /* No one is allowed to remove a SELinux security label.
3406 You can change the label, but all data must be labeled. */
3407 return -EACCES;
3408}
3409
d381d8a9 3410/*
abc69bb6 3411 * Copy the inode security context value to the user.
d381d8a9
JM		 3412 *
3413 * Permission check is handled by selinux_inode_getxattr hook.
3414 */
ea861dfd 3415static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3416{
42492594
DQ		 3417 u32 size;
3418 int error;
3419 char *context = NULL;
20cdef8d 3420 struct inode_security_struct *isec;
d381d8a9 3421
8c8570fb
DK		 3422 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3423 return -EOPNOTSUPP;
d381d8a9 3424
abc69bb6
SS		 3425 /*
3426 * If the caller has CAP_MAC_ADMIN, then get the raw context
3427 * value even if it is not defined by current policy; otherwise,
3428 * use the in-core value under current policy.
3429 * Use the non-auditing forms of the permission checks since
3430 * getxattr may be called by unprivileged processes commonly
3431 * and lack of permission just means that we fall back to the
3432 * in-core context value, not a denial.
3433 */
20cdef8d 3434 isec = inode_security(inode);
db59000a 3435 if (has_cap_mac_admin(false))
aa8e712c
SS		 3436 error = security_sid_to_context_force(&selinux_state,
3437 isec->sid, &context,
abc69bb6
SS		 3438 &size);
3439 else
aa8e712c
SS		 3440 error = security_sid_to_context(&selinux_state, isec->sid,
3441 &context, &size);
42492594
DQ		 3442 if (error)
3443 return error;
3444 error = size;
3445 if (alloc) {
3446 *buffer = context;
3447 goto out_nofree;
3448 }
3449 kfree(context);
3450out_nofree:
3451 return error;
1da177e4
LT		 3452}
3453
3454static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3455 const void *value, size_t size, int flags)
1da177e4 3456{
2c97165b 3457 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3458 u32 newsid;
3459 int rc;
3460
3461 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3462 return -EOPNOTSUPP;
3463
3464 if (!value || !size)
3465 return -EACCES;
3466
aa8e712c
SS		 3467 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3468 GFP_KERNEL);
1da177e4
LT		 3469 if (rc)
3470 return rc;
3471
9287aed2 3472 spin_lock(&isec->lock);
aa9c2669 3473 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3474 isec->sid = newsid;
6f3be9f5 3475 isec->initialized = LABEL_INITIALIZED;
9287aed2 3476 spin_unlock(&isec->lock);
1da177e4
LT		 3477 return 0;
3478}
3479
3480static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3481{
3482 const int len = sizeof(XATTR_NAME_SELINUX);
3483 if (buffer && len <= buffer_size)
3484 memcpy(buffer, XATTR_NAME_SELINUX, len);
3485 return len;
3486}
3487
d6335d77 3488static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3489{
e817c2f3 3490 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3491 *secid = isec->sid;
3492}
3493
56909eb3
VG		 3494static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3495{
3496 u32 sid;
3497 struct task_security_struct *tsec;
3498 struct cred *new_creds = *new;
3499
3500 if (new_creds == NULL) {
3501 new_creds = prepare_creds();
3502 if (!new_creds)
3503 return -ENOMEM;
3504 }
3505
3506 tsec = new_creds->security;
3507 /* Get label from overlay inode and set it in create_sid */
3508 selinux_inode_getsecid(d_inode(src), &sid);
3509 tsec->create_sid = sid;
3510 *new = new_creds;
3511 return 0;
3512}
3513
19472b69
VG		 3514static int selinux_inode_copy_up_xattr(const char *name)
3515{
3516 /* The copy_up hook above sets the initial context on an inode, but we
3517 * don't then want to overwrite it by blindly copying all the lower
3518 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3519 */
3520 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3521 return 1; /* Discard */
3522 /*
3523 * Any other attribute apart from SELINUX is not claimed, supported
3524 * by selinux.
3525 */
3526 return -EOPNOTSUPP;
3527}
3528
1da177e4
LT		 3529/* file security operations */
3530
788e7dd4 3531static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3532{
88e67f3b 3533 const struct cred *cred = current_cred();
496ad9aa 3534 struct inode *inode = file_inode(file);
1da177e4 3535
1da177e4
LT		 3536 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3537 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3538 mask |= MAY_APPEND;
3539
389fb800
PM		 3540 return file_has_perm(cred, file,
3541 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3542}
3543
788e7dd4
YN		 3544static int selinux_file_permission(struct file *file, int mask)
3545{
496ad9aa 3546 struct inode *inode = file_inode(file);
20dda18b 3547 struct file_security_struct *fsec = file->f_security;
b197367e 3548 struct inode_security_struct *isec;
20dda18b
SS		 3549 u32 sid = current_sid();
3550
389fb800 3551 if (!mask)
788e7dd4
YN		 3552 /* No permission to check. Existence test. */
3553 return 0;
788e7dd4 3554
b197367e 3555 isec = inode_security(inode);
20dda18b 3556 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3557 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3558 /* No change since file_open check. */
20dda18b
SS		 3559 return 0;
3560
788e7dd4
YN		 3561 return selinux_revalidate_file_permission(file, mask);
3562}
3563
1da177e4
LT		 3564static int selinux_file_alloc_security(struct file *file)
3565{
3566 return file_alloc_security(file);
3567}
3568
3569static void selinux_file_free_security(struct file *file)
3570{
3571 file_free_security(file);
3572}
3573
fa1aa143
JVS		 3574/*
3575 * Check whether a task has the ioctl permission and cmd
3576 * operation to an inode.
3577 */
1d2a168a 3578static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3579 u32 requested, u16 cmd)
3580{
3581 struct common_audit_data ad;
3582 struct file_security_struct *fsec = file->f_security;
3583 struct inode *inode = file_inode(file);
20cdef8d 3584 struct inode_security_struct *isec;
fa1aa143
JVS		 3585 struct lsm_ioctlop_audit ioctl;
3586 u32 ssid = cred_sid(cred);
3587 int rc;
3588 u8 driver = cmd >> 8;
3589 u8 xperm = cmd & 0xff;
3590
3591 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3592 ad.u.op = &ioctl;
3593 ad.u.op->cmd = cmd;
3594 ad.u.op->path = file->f_path;
3595
3596 if (ssid != fsec->sid) {
6b6bc620
SS		 3597 rc = avc_has_perm(&selinux_state,
3598 ssid, fsec->sid,
fa1aa143
JVS		 3599 SECCLASS_FD,
3600 FD__USE,
3601 &ad);
3602 if (rc)
3603 goto out;
3604 }
3605
3606 if (unlikely(IS_PRIVATE(inode)))
3607 return 0;
3608
20cdef8d 3609 isec = inode_security(inode);
6b6bc620
SS		 3610 rc = avc_has_extended_perms(&selinux_state,
3611 ssid, isec->sid, isec->sclass,
3612 requested, driver, xperm, &ad);
fa1aa143
JVS		 3613out:
3614 return rc;
3615}
3616
1da177e4
LT		 3617static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3618 unsigned long arg)
3619{
88e67f3b 3620 const struct cred *cred = current_cred();
0b24dcb7 3621 int error = 0;
1da177e4 3622
0b24dcb7
EP		 3623 switch (cmd) {
3624 case FIONREAD:
3625 /* fall through */
3626 case FIBMAP:
3627 /* fall through */
3628 case FIGETBSZ:
3629 /* fall through */
2f99c369 3630 case FS_IOC_GETFLAGS:
0b24dcb7 3631 /* fall through */
2f99c369 3632 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3633 error = file_has_perm(cred, file, FILE__GETATTR);
3634 break;
1da177e4 3635
2f99c369 3636 case FS_IOC_SETFLAGS:
0b24dcb7 3637 /* fall through */
2f99c369 3638 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3639 error = file_has_perm(cred, file, FILE__SETATTR);
3640 break;
3641
3642 /* sys_ioctl() checks */
3643 case FIONBIO:
3644 /* fall through */
3645 case FIOASYNC:
3646 error = file_has_perm(cred, file, 0);
3647 break;
1da177e4 3648
0b24dcb7
EP		 3649 case KDSKBENT:
3650 case KDSKBSENT:
6a9de491 3651 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3652 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3653 break;
3654
3655 /* default case assumes that the command will go
3656 * to the file's ioctl() function.
3657 */
3658 default:
fa1aa143 3659 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3660 }
3661 return error;
1da177e4
LT		 3662}
3663
fcaaade1
SS		 3664static int default_noexec;
3665
1da177e4
LT		 3666static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3667{
88e67f3b 3668 const struct cred *cred = current_cred();
be0554c9 3669 u32 sid = cred_sid(cred);
d84f4f99 3670 int rc = 0;
88e67f3b 3671
fcaaade1 3672 if (default_noexec &&
892e8cac
SS		 3673 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3674 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3675 /*
3676 * We are making executable an anonymous mapping or a
3677 * private file mapping that will also be writable.
3678 * This has an additional check.
3679 */
6b6bc620
SS		 3680 rc = avc_has_perm(&selinux_state,
3681 sid, sid, SECCLASS_PROCESS,
be0554c9 3682 PROCESS__EXECMEM, NULL);
1da177e4 3683 if (rc)
d84f4f99 3684 goto error;
1da177e4 3685 }
1da177e4
LT		 3686
3687 if (file) {
3688 /* read access is always possible with a mapping */
3689 u32 av = FILE__READ;
3690
3691 /* write access only matters if the mapping is shared */
3692 if (shared && (prot & PROT_WRITE))
3693 av |= FILE__WRITE;
3694
3695 if (prot & PROT_EXEC)
3696 av |= FILE__EXECUTE;
3697
88e67f3b 3698 return file_has_perm(cred, file, av);
1da177e4 3699 }
d84f4f99
DH		 3700
3701error:
3702 return rc;
1da177e4
LT		 3703}
3704
e5467859 3705static int selinux_mmap_addr(unsigned long addr)
1da177e4 3706{
b1d9e6b0 3707 int rc = 0;
1da177e4 3708
a2551df7 3709 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3710 u32 sid = current_sid();
6b6bc620
SS		 3711 rc = avc_has_perm(&selinux_state,
3712 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3713 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3714 }
3715
98883bfd 3716 return rc;
e5467859 3717}
1da177e4 3718
e5467859
AV		 3719static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3720 unsigned long prot, unsigned long flags)
3721{
3ba4bf5f
SS		 3722 struct common_audit_data ad;
3723 int rc;
3724
3725 if (file) {
3726 ad.type = LSM_AUDIT_DATA_FILE;
3727 ad.u.file = file;
3728 rc = inode_has_perm(current_cred(), file_inode(file),
3729 FILE__MAP, &ad);
3730 if (rc)
3731 return rc;
3732 }
3733
aa8e712c 3734 if (selinux_state.checkreqprot)
1da177e4
LT		 3735 prot = reqprot;
3736
3737 return file_map_prot_check(file, prot,
3738 (flags & MAP_TYPE) == MAP_SHARED);
3739}
3740
3741static int selinux_file_mprotect(struct vm_area_struct *vma,
3742 unsigned long reqprot,
3743 unsigned long prot)
3744{
88e67f3b 3745 const struct cred *cred = current_cred();
be0554c9 3746 u32 sid = cred_sid(cred);
1da177e4 3747
aa8e712c 3748 if (selinux_state.checkreqprot)
1da177e4
LT		 3749 prot = reqprot;
3750
fcaaade1
SS		 3751 if (default_noexec &&
3752 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3753 int rc = 0;
db4c9641
SS		 3754 if (vma->vm_start >= vma->vm_mm->start_brk &&
3755 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3756 rc = avc_has_perm(&selinux_state,
3757 sid, sid, SECCLASS_PROCESS,
be0554c9 3758 PROCESS__EXECHEAP, NULL);
db4c9641 3759 } else if (!vma->vm_file &&
c2316dbf
SS		 3760 ((vma->vm_start <= vma->vm_mm->start_stack &&
3761 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3762 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3763 rc = avc_has_perm(&selinux_state,
3764 sid, sid, SECCLASS_PROCESS,
be0554c9 3765 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3766 } else if (vma->vm_file && vma->anon_vma) {
3767 /*
3768 * We are making executable a file mapping that has
3769 * had some COW done. Since pages might have been
3770 * written, check ability to execute the possibly
3771 * modified content. This typically should only
3772 * occur for text relocations.
3773 */
d84f4f99 3774 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3775 }