]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: genheaders should fail if too many permissions are defined
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
828dfe1d
EP		 7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13 * Eric Paris <[email protected]>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <[email protected]>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <[email protected]>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <[email protected]>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
1da177e4
LT		 70#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */
73#include <linux/parser.h>
74#include <linux/nfs_mount.h>
75#include <net/ipv6.h>
76#include <linux/hugetlb.h>
77#include <linux/personality.h>
1da177e4 78#include <linux/audit.h>
6931dfc9 79#include <linux/string.h>
877ce7c1 80#include <linux/selinux.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
1da177e4
LT		 88
89#include "avc.h"
90#include "objsec.h"
91#include "netif.h"
224dfbd8 92#include "netnode.h"
3e112172 93#include "netport.h"
409dcf31 94#include "ibpkey.h"
d28d1e08 95#include "xfrm.h"
c60475bf 96#include "netlabel.h"
9d57a7f9 97#include "audit.h"
7b98a585 98#include "avc_ss.h"
1da177e4 99
d621d35e 100/* SECMARK reference count */
56a4ca99 101static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 102
1da177e4 103#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 104int selinux_enforcing;
1da177e4
LT		 105
106static int __init enforcing_setup(char *str)
107{
f5269710 108 unsigned long enforcing;
29707b20 109 if (!kstrtoul(str, 0, &enforcing))
f5269710 110 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 111 return 1;
112}
113__setup("enforcing=", enforcing_setup);
114#endif
115
116#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119static int __init selinux_enabled_setup(char *str)
120{
f5269710 121 unsigned long enabled;
29707b20 122 if (!kstrtoul(str, 0, &enabled))
f5269710 123 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 124 return 1;
125}
126__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 127#else
128int selinux_enabled = 1;
1da177e4
LT		 129#endif
130
e18b890b 131static struct kmem_cache *sel_inode_cache;
63205654 132static struct kmem_cache *file_security_cache;
7cae7e26 133
d621d35e
PM		 134/**
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136 *
137 * Description:
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 141 * enabled, false (0) if SECMARK is disabled. If the always_check_network
142 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 143 *
144 */
145static int selinux_secmark_enabled(void)
146{
2be4d74f
CP		 147 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148}
149
150/**
151 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
152 *
153 * Description:
154 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
155 * (1) if any are enabled or false (0) if neither are enabled. If the
156 * always_check_network policy capability is enabled, peer labeling
157 * is always considered enabled.
158 *
159 */
160static int selinux_peerlbl_enabled(void)
161{
162 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 163}
164
615e51fd
PM		 165static int selinux_netcache_avc_callback(u32 event)
166{
167 if (event == AVC_CALLBACK_RESET) {
168 sel_netif_flush();
169 sel_netnode_flush();
170 sel_netport_flush();
171 synchronize_net();
172 }
173 return 0;
174}
175
8f408ab6
DJ		 176static int selinux_lsm_notifier_avc_callback(u32 event)
177{
409dcf31
DJ		 178 if (event == AVC_CALLBACK_RESET) {
179 sel_ib_pkey_flush();
8f408ab6 180 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 181 }
8f408ab6
DJ		 182
183 return 0;
184}
185
d84f4f99
DH		 186/*
187 * initialise the security for the init task
188 */
189static void cred_init_security(void)
1da177e4 190{
3b11a1de 191 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 192 struct task_security_struct *tsec;
193
89d155ef 194 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 195 if (!tsec)
d84f4f99 196 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 197
d84f4f99 198 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 199 cred->security = tsec;
1da177e4
LT		 200}
201
88e67f3b
DH		 202/*
203 * get the security ID of a set of credentials
204 */
205static inline u32 cred_sid(const struct cred *cred)
206{
207 const struct task_security_struct *tsec;
208
209 tsec = cred->security;
210 return tsec->sid;
211}
212
275bb41e 213/*
3b11a1de 214 * get the objective security ID of a task
275bb41e
DH		 215 */
216static inline u32 task_sid(const struct task_struct *task)
217{
275bb41e
DH		 218 u32 sid;
219
220 rcu_read_lock();
88e67f3b 221 sid = cred_sid(__task_cred(task));
275bb41e
DH		 222 rcu_read_unlock();
223 return sid;
224}
225
88e67f3b
DH		 226/* Allocate and free functions for each kind of security blob. */
227
1da177e4
LT		 228static int inode_alloc_security(struct inode *inode)
229{
1da177e4 230 struct inode_security_struct *isec;
275bb41e 231 u32 sid = current_sid();
1da177e4 232
a02fe132 233 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 234 if (!isec)
235 return -ENOMEM;
236
9287aed2 237 spin_lock_init(&isec->lock);
1da177e4 238 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 239 isec->inode = inode;
240 isec->sid = SECINITSID_UNLABELED;
241 isec->sclass = SECCLASS_FILE;
275bb41e 242 isec->task_sid = sid;
42059112 243 isec->initialized = LABEL_INVALID;
1da177e4
LT		 244 inode->i_security = isec;
245
246 return 0;
247}
248
5d226df4
AG		 249static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
250
251/*
252 * Try reloading inode security labels that have been marked as invalid. The
253 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 254 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 255 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
256 * when no dentry is available, set it to NULL instead.
257 */
258static int __inode_security_revalidate(struct inode *inode,
259 struct dentry *opt_dentry,
260 bool may_sleep)
261{
262 struct inode_security_struct *isec = inode->i_security;
263
264 might_sleep_if(may_sleep);
265
1ac42476 266 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 267 if (!may_sleep)
268 return -ECHILD;
269
270 /*
271 * Try reloading the inode security label. This will fail if
272 * @opt_dentry is NULL and no dentry for this inode can be
273 * found; in that case, continue using the old label.
274 */
275 inode_doinit_with_dentry(inode, opt_dentry);
276 }
277 return 0;
278}
279
5d226df4
AG		 280static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
281{
282 return inode->i_security;
283}
284
285static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
286{
287 int error;
288
289 error = __inode_security_revalidate(inode, NULL, !rcu);
290 if (error)
291 return ERR_PTR(error);
292 return inode->i_security;
293}
294
83da53c5
AG		 295/*
296 * Get the security label of an inode.
297 */
298static struct inode_security_struct *inode_security(struct inode *inode)
299{
5d226df4 300 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 301 return inode->i_security;
302}
303
2c97165b
PM		 304static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
305{
306 struct inode *inode = d_backing_inode(dentry);
307
308 return inode->i_security;
309}
310
83da53c5
AG		 311/*
312 * Get the security label of a dentry's backing inode.
313 */
314static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
315{
316 struct inode *inode = d_backing_inode(dentry);
317
5d226df4 318 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 319 return inode->i_security;
320}
321
3dc91d43
SR		 322static void inode_free_rcu(struct rcu_head *head)
323{
324 struct inode_security_struct *isec;
325
326 isec = container_of(head, struct inode_security_struct, rcu);
327 kmem_cache_free(sel_inode_cache, isec);
328}
329
1da177e4
LT		 330static void inode_free_security(struct inode *inode)
331{
332 struct inode_security_struct *isec = inode->i_security;
333 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
334
9629d04a
WL		 335 /*
336 * As not all inode security structures are in a list, we check for
337 * empty list outside of the lock to make sure that we won't waste
338 * time taking a lock doing nothing.
339 *
340 * The list_del_init() function can be safely called more than once.
341 * It should not be possible for this function to be called with
342 * concurrent list_add(), but for better safety against future changes
343 * in the code, we use list_empty_careful() here.
344 */
345 if (!list_empty_careful(&isec->list)) {
346 spin_lock(&sbsec->isec_lock);
1da177e4 347 list_del_init(&isec->list);
9629d04a
WL		 348 spin_unlock(&sbsec->isec_lock);
349 }
1da177e4 350
3dc91d43
SR		 351 /*
352 * The inode may still be referenced in a path walk and
353 * a call to selinux_inode_permission() can be made
354 * after inode_free_security() is called. Ideally, the VFS
355 * wouldn't do this, but fixing that is a much harder
356 * job. For now, simply free the i_security via RCU, and
357 * leave the current inode->i_security pointer intact.
358 * The inode will be freed after the RCU grace period too.
359 */
360 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 361}
362
363static int file_alloc_security(struct file *file)
364{
1da177e4 365 struct file_security_struct *fsec;
275bb41e 366 u32 sid = current_sid();
1da177e4 367
63205654 368 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 369 if (!fsec)
370 return -ENOMEM;
371
275bb41e
DH		 372 fsec->sid = sid;
373 fsec->fown_sid = sid;
1da177e4
LT		 374 file->f_security = fsec;
375
376 return 0;
377}
378
379static void file_free_security(struct file *file)
380{
381 struct file_security_struct *fsec = file->f_security;
1da177e4 382 file->f_security = NULL;
63205654 383 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 384}
385
386static int superblock_alloc_security(struct super_block *sb)
387{
388 struct superblock_security_struct *sbsec;
389
89d155ef 390 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 391 if (!sbsec)
392 return -ENOMEM;
393
bc7e982b 394 mutex_init(&sbsec->lock);
1da177e4
LT		 395 INIT_LIST_HEAD(&sbsec->isec_head);
396 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 397 sbsec->sb = sb;
398 sbsec->sid = SECINITSID_UNLABELED;
399 sbsec->def_sid = SECINITSID_FILE;
c312feb2 400 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 401 sb->s_security = sbsec;
402
403 return 0;
404}
405
406static void superblock_free_security(struct super_block *sb)
407{
408 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 409 sb->s_security = NULL;
410 kfree(sbsec);
411}
412
1da177e4
LT		 413static inline int inode_doinit(struct inode *inode)
414{
415 return inode_doinit_with_dentry(inode, NULL);
416}
417
418enum {
31e87930 419 Opt_error = -1,
1da177e4
LT		 420 Opt_context = 1,
421 Opt_fscontext = 2,
c9180a57
EP		 422 Opt_defcontext = 3,
423 Opt_rootcontext = 4,
11689d47 424 Opt_labelsupport = 5,
d355987f 425 Opt_nextmntopt = 6,
1da177e4
LT		 426};
427
d355987f
EP		 428#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
429
a447c093 430static const match_table_t tokens = {
832cbd9a
EP		 431 {Opt_context, CONTEXT_STR "%s"},
432 {Opt_fscontext, FSCONTEXT_STR "%s"},
433 {Opt_defcontext, DEFCONTEXT_STR "%s"},
434 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 435 {Opt_labelsupport, LABELSUPP_STR},
31e87930 436 {Opt_error, NULL},
1da177e4
LT		 437};
438
439#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
440
c312feb2
EP		 441static int may_context_mount_sb_relabel(u32 sid,
442 struct superblock_security_struct *sbsec,
275bb41e 443 const struct cred *cred)
c312feb2 444{
275bb41e 445 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 446 int rc;
447
448 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449 FILESYSTEM__RELABELFROM, NULL);
450 if (rc)
451 return rc;
452
453 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454 FILESYSTEM__RELABELTO, NULL);
455 return rc;
456}
457
0808925e
EP		 458static int may_context_mount_inode_relabel(u32 sid,
459 struct superblock_security_struct *sbsec,
275bb41e 460 const struct cred *cred)
0808925e 461{
275bb41e 462 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 463 int rc;
464 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__RELABELFROM, NULL);
466 if (rc)
467 return rc;
468
469 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470 FILESYSTEM__ASSOCIATE, NULL);
471 return rc;
472}
473
b43e725d
EP		 474static int selinux_is_sblabel_mnt(struct super_block *sb)
475{
476 struct superblock_security_struct *sbsec = sb->s_security;
477
d5f3a5f6
MS		 478 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
479 sbsec->behavior == SECURITY_FS_USE_TRANS ||
480 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 481 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 482 /* Special handling. Genfs but also in-core setxattr handler */
483 !strcmp(sb->s_type->name, "sysfs") ||
484 !strcmp(sb->s_type->name, "pstore") ||
485 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 486 !strcmp(sb->s_type->name, "tracefs") ||
2651225b
SS		 487 !strcmp(sb->s_type->name, "rootfs") ||
488 (selinux_policycap_cgroupseclabel &&
489 (!strcmp(sb->s_type->name, "cgroup") ||
490 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 491}
492
c9180a57 493static int sb_finish_set_opts(struct super_block *sb)
1da177e4 494{
1da177e4 495 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 496 struct dentry *root = sb->s_root;
c6f493d6 497 struct inode *root_inode = d_backing_inode(root);
c9180a57 498 int rc = 0;
1da177e4 499
c9180a57
EP		 500 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
501 /* Make sure that the xattr handler exists and that no
502 error other than -ENODATA is returned by getxattr on
503 the root directory. -ENODATA is ok, as this may be
504 the first boot of the SELinux kernel before we have
505 assigned xattr values to the filesystem. */
5d6c3191 506 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 507 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
508 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 509 rc = -EOPNOTSUPP;
510 goto out;
511 }
5d6c3191
AG		 512
513 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 514 if (rc < 0 && rc != -ENODATA) {
515 if (rc == -EOPNOTSUPP)
516 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 517 "%s) has no security xattr handler\n",
518 sb->s_id, sb->s_type->name);
c9180a57
EP		 519 else
520 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 521 "%s) getxattr errno %d\n", sb->s_id,
522 sb->s_type->name, -rc);
c9180a57
EP		 523 goto out;
524 }
525 }
1da177e4 526
eadcabc6 527 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 528
529 /*
530 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
531 * leave the flag untouched because sb_clone_mnt_opts might be handing
532 * us a superblock that needs the flag to be cleared.
533 */
b43e725d 534 if (selinux_is_sblabel_mnt(sb))
12f348b9 535 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 536 else
537 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 538
c9180a57
EP		 539 /* Initialize the root inode. */
540 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 541
c9180a57
EP		 542 /* Initialize any other inodes associated with the superblock, e.g.
543 inodes created prior to initial policy load or inodes created
544 during get_sb by a pseudo filesystem that directly
545 populates itself. */
546 spin_lock(&sbsec->isec_lock);
547next_inode:
548 if (!list_empty(&sbsec->isec_head)) {
549 struct inode_security_struct *isec =
550 list_entry(sbsec->isec_head.next,
551 struct inode_security_struct, list);
552 struct inode *inode = isec->inode;
923190d3 553 list_del_init(&isec->list);
c9180a57
EP		 554 spin_unlock(&sbsec->isec_lock);
555 inode = igrab(inode);
556 if (inode) {
557 if (!IS_PRIVATE(inode))
558 inode_doinit(inode);
559 iput(inode);
560 }
561 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 562 goto next_inode;
563 }
564 spin_unlock(&sbsec->isec_lock);
565out:
566 return rc;
567}
1da177e4 568
c9180a57
EP		 569/*
570 * This function should allow an FS to ask what it's mount security
571 * options were so it can use those later for submounts, displaying
572 * mount options, or whatever.
573 */
574static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 575 struct security_mnt_opts *opts)
c9180a57
EP		 576{
577 int rc = 0, i;
578 struct superblock_security_struct *sbsec = sb->s_security;
579 char *context = NULL;
580 u32 len;
581 char tmp;
1da177e4 582
e0007529 583 security_init_mnt_opts(opts);
1da177e4 584
0d90a7ec 585 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 586 return -EINVAL;
1da177e4 587
c9180a57
EP		 588 if (!ss_initialized)
589 return -EINVAL;
1da177e4 590
af8e50cc
EP		 591 /* make sure we always check enough bits to cover the mask */
592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593
0d90a7ec 594 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 595 /* count the number of mount options for this sb */
af8e50cc 596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 597 if (tmp & 0x01)
e0007529 598 opts->num_mnt_opts++;
c9180a57
EP		 599 tmp >>= 1;
600 }
11689d47 601 /* Check if the Label support flag is set */
0b4bdb35 602 if (sbsec->flags & SBLABEL_MNT)
11689d47 603 opts->num_mnt_opts++;
1da177e4 604
e0007529
EP		 605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 if (!opts->mnt_opts) {
c9180a57
EP		 607 rc = -ENOMEM;
608 goto out_free;
609 }
1da177e4 610
e0007529
EP		 611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 if (!opts->mnt_opts_flags) {
c9180a57
EP		 613 rc = -ENOMEM;
614 goto out_free;
615 }
1da177e4 616
c9180a57
EP		 617 i = 0;
618 if (sbsec->flags & FSCONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->sid, &context, &len);
620 if (rc)
621 goto out_free;
e0007529
EP		 622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 624 }
625 if (sbsec->flags & CONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627 if (rc)
628 goto out_free;
e0007529
EP		 629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 631 }
632 if (sbsec->flags & DEFCONTEXT_MNT) {
633 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634 if (rc)
635 goto out_free;
e0007529
EP		 636 opts->mnt_opts[i] = context;
637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 638 }
639 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 640 struct dentry *root = sbsec->sb->s_root;
641 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 642
c9180a57
EP		 643 rc = security_sid_to_context(isec->sid, &context, &len);
644 if (rc)
645 goto out_free;
e0007529
EP		 646 opts->mnt_opts[i] = context;
647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 648 }
12f348b9 649 if (sbsec->flags & SBLABEL_MNT) {
11689d47 650 opts->mnt_opts[i] = NULL;
12f348b9 651 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 652 }
1da177e4 653
e0007529 654 BUG_ON(i != opts->num_mnt_opts);
1da177e4 655
c9180a57
EP		 656 return 0;
657
658out_free:
e0007529 659 security_free_mnt_opts(opts);
c9180a57
EP		 660 return rc;
661}
1da177e4 662
c9180a57
EP		 663static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 u32 old_sid, u32 new_sid)
665{
0d90a7ec
DQ		 666 char mnt_flags = sbsec->flags & SE_MNTMASK;
667
c9180a57 668 /* check if the old mount command had the same options */
0d90a7ec 669 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 670 if (!(sbsec->flags & flag) ||
671 (old_sid != new_sid))
672 return 1;
673
674 /* check if we were passed the same options twice,
675 * aka someone passed context=a,context=b
676 */
0d90a7ec
DQ		 677 if (!(sbsec->flags & SE_SBINITIALIZED))
678 if (mnt_flags & flag)
c9180a57
EP		 679 return 1;
680 return 0;
681}
e0007529 682
c9180a57
EP		 683/*
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
686 */
e0007529 687static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 688 struct security_mnt_opts *opts,
689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
c9180a57 691{
275bb41e 692 const struct cred *cred = current_cred();
c9180a57 693 int rc = 0, i;
c9180a57 694 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 695 const char *name = sb->s_type->name;
83da53c5 696 struct dentry *root = sbsec->sb->s_root;
2c97165b 697 struct inode_security_struct *root_isec;
c9180a57
EP		 698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 u32 defcontext_sid = 0;
e0007529
EP		 700 char **mount_options = opts->mnt_opts;
701 int *flags = opts->mnt_opts_flags;
702 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 703
704 mutex_lock(&sbsec->lock);
705
706 if (!ss_initialized) {
707 if (!num_opts) {
708 /* Defer initialization until selinux_complete_init,
709 after the initial policy is loaded and the security
710 server is ready to handle calls. */
c9180a57
EP		 711 goto out;
712 }
713 rc = -EINVAL;
744ba35e
EP		 714 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 "before the security server is initialized\n");
1da177e4 716 goto out;
c9180a57 717 }
649f6e77
DQ		 718 if (kern_flags && !set_kern_flags) {
719 /* Specifying internal flags without providing a place to
720 * place the results is not allowed */
721 rc = -EINVAL;
722 goto out;
723 }
1da177e4 724
e0007529
EP		 725 /*
726 * Binary mount data FS will come through this function twice. Once
727 * from an explicit call and once from the generic calls from the vfs.
728 * Since the generic VFS calls will not contain any security mount data
729 * we need to skip the double mount verification.
730 *
731 * This does open a hole in which we will not notice if the first
732 * mount using this sb set explict options and a second mount using
733 * this sb does not set any security options. (The first options
734 * will be used for both mounts)
735 */
0d90a7ec 736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 737 && (num_opts == 0))
f5269710 738 goto out;
e0007529 739
2c97165b
PM		 740 root_isec = backing_inode_security_novalidate(root);
741
c9180a57
EP		 742 /*
743 * parse the mount options, check if they are valid sids.
744 * also check if someone is trying to mount the same sb more
745 * than once with different security options.
746 */
747 for (i = 0; i < num_opts; i++) {
748 u32 sid;
11689d47 749
12f348b9 750 if (flags[i] == SBLABEL_MNT)
11689d47 751 continue;
44be2f65 752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 753 if (rc) {
44be2f65 754 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 755 "(%s) failed for (dev %s, type %s) errno=%d\n",
756 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 757 goto out;
758 }
759 switch (flags[i]) {
760 case FSCONTEXT_MNT:
761 fscontext_sid = sid;
762
763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764 fscontext_sid))
765 goto out_double_mount;
766
767 sbsec->flags |= FSCONTEXT_MNT;
768 break;
769 case CONTEXT_MNT:
770 context_sid = sid;
771
772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773 context_sid))
774 goto out_double_mount;
775
776 sbsec->flags |= CONTEXT_MNT;
777 break;
778 case ROOTCONTEXT_MNT:
779 rootcontext_sid = sid;
780
781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782 rootcontext_sid))
783 goto out_double_mount;
784
785 sbsec->flags |= ROOTCONTEXT_MNT;
786
787 break;
788 case DEFCONTEXT_MNT:
789 defcontext_sid = sid;
790
791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792 defcontext_sid))
793 goto out_double_mount;
794
795 sbsec->flags |= DEFCONTEXT_MNT;
796
797 break;
798 default:
799 rc = -EINVAL;
800 goto out;
1da177e4 801 }
c9180a57
EP		 802 }
803
0d90a7ec 804 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 805 /* previously mounted with options, but not on this attempt? */
0d90a7ec 806 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 807 goto out_double_mount;
808 rc = 0;
809 goto out;
810 }
811
089be43e 812 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 813 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814
8e014720 815 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 816 !strcmp(sb->s_type->name, "tracefs") ||
8e014720
SS		 817 !strcmp(sb->s_type->name, "sysfs") ||
818 !strcmp(sb->s_type->name, "pstore"))
134509d5 819 sbsec->flags |= SE_SBGENFS;
c9180a57 820
eb9ae686
DQ		 821 if (!sbsec->behavior) {
822 /*
823 * Determine the labeling behavior to use for this
824 * filesystem type.
825 */
98f700f3 826 rc = security_fs_use(sb);
eb9ae686
DQ		 827 if (rc) {
828 printk(KERN_WARNING
829 "%s: security_fs_use(%s) returned %d\n",
830 __func__, sb->s_type->name, rc);
831 goto out;
832 }
c9180a57 833 }
aad82892
SF		 834
835 /*
01593d32
SS		 836 * If this is a user namespace mount and the filesystem type is not
837 * explicitly whitelisted, then no contexts are allowed on the command
838 * line and security labels must be ignored.
aad82892 839 */
01593d32
SS		 840 if (sb->s_user_ns != &init_user_ns &&
841 strcmp(sb->s_type->name, "tmpfs") &&
842 strcmp(sb->s_type->name, "ramfs") &&
843 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 844 if (context_sid || fscontext_sid || rootcontext_sid ||
845 defcontext_sid) {
846 rc = -EACCES;
847 goto out;
848 }
849 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
850 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
851 rc = security_transition_sid(current_sid(), current_sid(),
852 SECCLASS_FILE, NULL,
853 &sbsec->mntpoint_sid);
854 if (rc)
855 goto out;
856 }
857 goto out_set_opts;
858 }
859
c9180a57
EP		 860 /* sets the context of the superblock for the fs being mounted. */
861 if (fscontext_sid) {
275bb41e 862 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 863 if (rc)
c9180a57 864 goto out;
1da177e4 865
c9180a57 866 sbsec->sid = fscontext_sid;
c312feb2
EP		 867 }
868
869 /*
870 * Switch to using mount point labeling behavior.
871 * sets the label used on all file below the mountpoint, and will set
872 * the superblock context if not already set.
873 */
eb9ae686
DQ		 874 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
875 sbsec->behavior = SECURITY_FS_USE_NATIVE;
876 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
877 }
878
c9180a57
EP		 879 if (context_sid) {
880 if (!fscontext_sid) {
275bb41e
DH		 881 rc = may_context_mount_sb_relabel(context_sid, sbsec,
882 cred);
b04ea3ce 883 if (rc)
c9180a57
EP		 884 goto out;
885 sbsec->sid = context_sid;
b04ea3ce 886 } else {
275bb41e
DH		 887 rc = may_context_mount_inode_relabel(context_sid, sbsec,
888 cred);
b04ea3ce 889 if (rc)
c9180a57 890 goto out;
b04ea3ce 891 }
c9180a57
EP		 892 if (!rootcontext_sid)
893 rootcontext_sid = context_sid;
1da177e4 894
c9180a57 895 sbsec->mntpoint_sid = context_sid;
c312feb2 896 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 897 }
898
c9180a57 899 if (rootcontext_sid) {
275bb41e
DH		 900 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
901 cred);
0808925e 902 if (rc)
c9180a57 903 goto out;
0808925e 904
c9180a57 905 root_isec->sid = rootcontext_sid;
6f3be9f5 906 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 907 }
908
c9180a57 909 if (defcontext_sid) {
eb9ae686
DQ		 910 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
911 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 912 rc = -EINVAL;
913 printk(KERN_WARNING "SELinux: defcontext option is "
914 "invalid for this filesystem type\n");
915 goto out;
1da177e4
LT		 916 }
917
c9180a57
EP		 918 if (defcontext_sid != sbsec->def_sid) {
919 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 920 sbsec, cred);
c9180a57
EP		 921 if (rc)
922 goto out;
923 }
1da177e4 924
c9180a57 925 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 926 }
927
aad82892 928out_set_opts:
c9180a57 929 rc = sb_finish_set_opts(sb);
1da177e4 930out:
c9180a57 931 mutex_unlock(&sbsec->lock);
1da177e4 932 return rc;
c9180a57
EP		 933out_double_mount:
934 rc = -EINVAL;
935 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 936 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 937 goto out;
1da177e4
LT		 938}
939
094f7b69
JL		 940static int selinux_cmp_sb_context(const struct super_block *oldsb,
941 const struct super_block *newsb)
942{
943 struct superblock_security_struct *old = oldsb->s_security;
944 struct superblock_security_struct *new = newsb->s_security;
945 char oldflags = old->flags & SE_MNTMASK;
946 char newflags = new->flags & SE_MNTMASK;
947
948 if (oldflags != newflags)
949 goto mismatch;
950 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
951 goto mismatch;
952 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
953 goto mismatch;
954 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
955 goto mismatch;
956 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 957 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
958 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 959 if (oldroot->sid != newroot->sid)
960 goto mismatch;
961 }
962 return 0;
963mismatch:
964 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
965 "different security settings for (dev %s, "
966 "type %s)\n", newsb->s_id, newsb->s_type->name);
967 return -EBUSY;
968}
969
970static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 971 struct super_block *newsb,
972 unsigned long kern_flags,
973 unsigned long *set_kern_flags)
1da177e4 974{
0b4d3452 975 int rc = 0;
c9180a57
EP		 976 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
977 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 978
c9180a57
EP		 979 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
980 int set_context = (oldsbsec->flags & CONTEXT_MNT);
981 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 982
0f5e6420
EP		 983 /*
984 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 985 * mount options. thus we can safely deal with this superblock later
0f5e6420 986 */
e8c26255 987 if (!ss_initialized)
094f7b69 988 return 0;
c9180a57 989
0b4d3452
SM		 990 /*
991 * Specifying internal flags without providing a place to
992 * place the results is not allowed.
993 */
994 if (kern_flags && !set_kern_flags)
995 return -EINVAL;
996
c9180a57 997 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 998 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 999
094f7b69 1000 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 1001 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 1002 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 1003
c9180a57
EP		 1004 mutex_lock(&newsbsec->lock);
1005
1006 newsbsec->flags = oldsbsec->flags;
1007
1008 newsbsec->sid = oldsbsec->sid;
1009 newsbsec->def_sid = oldsbsec->def_sid;
1010 newsbsec->behavior = oldsbsec->behavior;
1011
0b4d3452
SM		 1012 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1013 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1014 rc = security_fs_use(newsb);
1015 if (rc)
1016 goto out;
1017 }
1018
1019 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1020 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1021 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1022 }
1023
c9180a57
EP		 1024 if (set_context) {
1025 u32 sid = oldsbsec->mntpoint_sid;
1026
1027 if (!set_fscontext)
1028 newsbsec->sid = sid;
1029 if (!set_rootcontext) {
83da53c5 1030 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1031 newisec->sid = sid;
1032 }
1033 newsbsec->mntpoint_sid = sid;
1da177e4 1034 }
c9180a57 1035 if (set_rootcontext) {
83da53c5
AG		 1036 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1037 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1038
c9180a57 1039 newisec->sid = oldisec->sid;
1da177e4
LT		 1040 }
1041
c9180a57 1042 sb_finish_set_opts(newsb);
0b4d3452 1043out:
c9180a57 1044 mutex_unlock(&newsbsec->lock);
0b4d3452 1045 return rc;
c9180a57
EP		 1046}
1047
2e1479d9
AB		 1048static int selinux_parse_opts_str(char *options,
1049 struct security_mnt_opts *opts)
c9180a57 1050{
e0007529 1051 char *p;
c9180a57
EP		 1052 char *context = NULL, *defcontext = NULL;
1053 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1054 int rc, num_mnt_opts = 0;
1da177e4 1055
e0007529 1056 opts->num_mnt_opts = 0;
1da177e4 1057
c9180a57
EP		 1058 /* Standard string-based options. */
1059 while ((p = strsep(&options, "|")) != NULL) {
1060 int token;
1061 substring_t args[MAX_OPT_ARGS];
1da177e4 1062
c9180a57
EP		 1063 if (!*p)
1064 continue;
1da177e4 1065
c9180a57 1066 token = match_token(p, tokens, args);
1da177e4 1067
c9180a57
EP		 1068 switch (token) {
1069 case Opt_context:
1070 if (context || defcontext) {
1071 rc = -EINVAL;
1072 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1073 goto out_err;
1074 }
1075 context = match_strdup(&args[0]);
1076 if (!context) {
1077 rc = -ENOMEM;
1078 goto out_err;
1079 }
1080 break;
1081
1082 case Opt_fscontext:
1083 if (fscontext) {
1084 rc = -EINVAL;
1085 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1086 goto out_err;
1087 }
1088 fscontext = match_strdup(&args[0]);
1089 if (!fscontext) {
1090 rc = -ENOMEM;
1091 goto out_err;
1092 }
1093 break;
1094
1095 case Opt_rootcontext:
1096 if (rootcontext) {
1097 rc = -EINVAL;
1098 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1099 goto out_err;
1100 }
1101 rootcontext = match_strdup(&args[0]);
1102 if (!rootcontext) {
1103 rc = -ENOMEM;
1104 goto out_err;
1105 }
1106 break;
1107
1108 case Opt_defcontext:
1109 if (context || defcontext) {
1110 rc = -EINVAL;
1111 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1112 goto out_err;
1113 }
1114 defcontext = match_strdup(&args[0]);
1115 if (!defcontext) {
1116 rc = -ENOMEM;
1117 goto out_err;
1118 }
1119 break;
11689d47
DQ		 1120 case Opt_labelsupport:
1121 break;
c9180a57
EP		 1122 default:
1123 rc = -EINVAL;
1124 printk(KERN_WARNING "SELinux: unknown mount option\n");
1125 goto out_err;
1da177e4 1126
1da177e4 1127 }
1da177e4 1128 }
c9180a57 1129
e0007529 1130 rc = -ENOMEM;
8931c3bd 1131 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1132 if (!opts->mnt_opts)
1133 goto out_err;
1134
8931c3bd
TH		 1135 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1136 GFP_KERNEL);
023f108d 1137 if (!opts->mnt_opts_flags)
e0007529 1138 goto out_err;
e0007529 1139
c9180a57 1140 if (fscontext) {
e0007529
EP		 1141 opts->mnt_opts[num_mnt_opts] = fscontext;
1142 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1143 }
1144 if (context) {
e0007529
EP		 1145 opts->mnt_opts[num_mnt_opts] = context;
1146 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1147 }
1148 if (rootcontext) {
e0007529
EP		 1149 opts->mnt_opts[num_mnt_opts] = rootcontext;
1150 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1151 }
1152 if (defcontext) {
e0007529
EP		 1153 opts->mnt_opts[num_mnt_opts] = defcontext;
1154 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1155 }
1156
e0007529
EP		 1157 opts->num_mnt_opts = num_mnt_opts;
1158 return 0;
1159
c9180a57 1160out_err:
023f108d 1161 security_free_mnt_opts(opts);
c9180a57
EP		 1162 kfree(context);
1163 kfree(defcontext);
1164 kfree(fscontext);
1165 kfree(rootcontext);
1da177e4
LT		 1166 return rc;
1167}
e0007529
EP		 1168/*
1169 * string mount options parsing and call set the sbsec
1170 */
1171static int superblock_doinit(struct super_block *sb, void *data)
1172{
1173 int rc = 0;
1174 char *options = data;
1175 struct security_mnt_opts opts;
1176
1177 security_init_mnt_opts(&opts);
1178
1179 if (!data)
1180 goto out;
1181
1182 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1183
1184 rc = selinux_parse_opts_str(options, &opts);
1185 if (rc)
1186 goto out_err;
1187
1188out:
649f6e77 1189 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1190
1191out_err:
1192 security_free_mnt_opts(&opts);
1193 return rc;
1194}
1da177e4 1195
3583a711
AB		 1196static void selinux_write_opts(struct seq_file *m,
1197 struct security_mnt_opts *opts)
2069f457
EP		 1198{
1199 int i;
1200 char *prefix;
1201
1202 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1203 char *has_comma;
1204
1205 if (opts->mnt_opts[i])
1206 has_comma = strchr(opts->mnt_opts[i], ',');
1207 else
1208 has_comma = NULL;
2069f457
EP		 1209
1210 switch (opts->mnt_opts_flags[i]) {
1211 case CONTEXT_MNT:
1212 prefix = CONTEXT_STR;
1213 break;
1214 case FSCONTEXT_MNT:
1215 prefix = FSCONTEXT_STR;
1216 break;
1217 case ROOTCONTEXT_MNT:
1218 prefix = ROOTCONTEXT_STR;
1219 break;
1220 case DEFCONTEXT_MNT:
1221 prefix = DEFCONTEXT_STR;
1222 break;
12f348b9 1223 case SBLABEL_MNT:
11689d47
DQ		 1224 seq_putc(m, ',');
1225 seq_puts(m, LABELSUPP_STR);
1226 continue;
2069f457
EP		 1227 default:
1228 BUG();
a35c6c83 1229 return;
2069f457
EP		 1230 };
1231 /* we need a comma before each option */
1232 seq_putc(m, ',');
1233 seq_puts(m, prefix);
1234 if (has_comma)
1235 seq_putc(m, '\"');
a068acf2 1236 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1237 if (has_comma)
1238 seq_putc(m, '\"');
1239 }
1240}
1241
1242static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1243{
1244 struct security_mnt_opts opts;
1245 int rc;
1246
1247 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1248 if (rc) {
1249 /* before policy load we may get EINVAL, don't show anything */
1250 if (rc == -EINVAL)
1251 rc = 0;
2069f457 1252 return rc;
383795c2 1253 }
2069f457
EP		 1254
1255 selinux_write_opts(m, &opts);
1256
1257 security_free_mnt_opts(&opts);
1258
1259 return rc;
1260}
1261
1da177e4
LT		 1262static inline u16 inode_mode_to_security_class(umode_t mode)
1263{
1264 switch (mode & S_IFMT) {
1265 case S_IFSOCK:
1266 return SECCLASS_SOCK_FILE;
1267 case S_IFLNK:
1268 return SECCLASS_LNK_FILE;
1269 case S_IFREG:
1270 return SECCLASS_FILE;
1271 case S_IFBLK:
1272 return SECCLASS_BLK_FILE;
1273 case S_IFDIR:
1274 return SECCLASS_DIR;
1275 case S_IFCHR:
1276 return SECCLASS_CHR_FILE;
1277 case S_IFIFO:
1278 return SECCLASS_FIFO_FILE;
1279
1280 }
1281
1282 return SECCLASS_FILE;
1283}
1284
13402580
JM		 1285static inline int default_protocol_stream(int protocol)
1286{
1287 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1288}
1289
1290static inline int default_protocol_dgram(int protocol)
1291{
1292 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1293}
1294
1da177e4
LT		 1295static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1296{
da69a530
SS		 1297 int extsockclass = selinux_policycap_extsockclass;
1298
1da177e4
LT		 1299 switch (family) {
1300 case PF_UNIX:
1301 switch (type) {
1302 case SOCK_STREAM:
1303 case SOCK_SEQPACKET:
1304 return SECCLASS_UNIX_STREAM_SOCKET;
1305 case SOCK_DGRAM:
2a764b52 1306 case SOCK_RAW:
1da177e4
LT		 1307 return SECCLASS_UNIX_DGRAM_SOCKET;
1308 }
1309 break;
1310 case PF_INET:
1311 case PF_INET6:
1312 switch (type) {
1313 case SOCK_STREAM:
da69a530 1314 case SOCK_SEQPACKET:
13402580
JM		 1315 if (default_protocol_stream(protocol))
1316 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1317 else if (extsockclass && protocol == IPPROTO_SCTP)
1318 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1319 else
1320 return SECCLASS_RAWIP_SOCKET;
1da177e4 1321 case SOCK_DGRAM:
13402580
JM		 1322 if (default_protocol_dgram(protocol))
1323 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1324 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1325 protocol == IPPROTO_ICMPV6))
da69a530 1326 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1327 else
1328 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1329 case SOCK_DCCP:
1330 return SECCLASS_DCCP_SOCKET;
13402580 1331 default:
1da177e4
LT		 1332 return SECCLASS_RAWIP_SOCKET;
1333 }
1334 break;
1335 case PF_NETLINK:
1336 switch (protocol) {
1337 case NETLINK_ROUTE:
1338 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1339 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1340 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1341 case NETLINK_NFLOG:
1342 return SECCLASS_NETLINK_NFLOG_SOCKET;
1343 case NETLINK_XFRM:
1344 return SECCLASS_NETLINK_XFRM_SOCKET;
1345 case NETLINK_SELINUX:
1346 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1347 case NETLINK_ISCSI:
1348 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1349 case NETLINK_AUDIT:
1350 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1351 case NETLINK_FIB_LOOKUP:
1352 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1353 case NETLINK_CONNECTOR:
1354 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1355 case NETLINK_NETFILTER:
1356 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1357 case NETLINK_DNRTMSG:
1358 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1359 case NETLINK_KOBJECT_UEVENT:
1360 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1361 case NETLINK_GENERIC:
1362 return SECCLASS_NETLINK_GENERIC_SOCKET;
1363 case NETLINK_SCSITRANSPORT:
1364 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1365 case NETLINK_RDMA:
1366 return SECCLASS_NETLINK_RDMA_SOCKET;
1367 case NETLINK_CRYPTO:
1368 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1369 default:
1370 return SECCLASS_NETLINK_SOCKET;
1371 }
1372 case PF_PACKET:
1373 return SECCLASS_PACKET_SOCKET;
1374 case PF_KEY:
1375 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1376 case PF_APPLETALK:
1377 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1378 }
1379
da69a530
SS		 1380 if (extsockclass) {
1381 switch (family) {
1382 case PF_AX25:
1383 return SECCLASS_AX25_SOCKET;
1384 case PF_IPX:
1385 return SECCLASS_IPX_SOCKET;
1386 case PF_NETROM:
1387 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1388 case PF_ATMPVC:
1389 return SECCLASS_ATMPVC_SOCKET;
1390 case PF_X25:
1391 return SECCLASS_X25_SOCKET;
1392 case PF_ROSE:
1393 return SECCLASS_ROSE_SOCKET;
1394 case PF_DECnet:
1395 return SECCLASS_DECNET_SOCKET;
1396 case PF_ATMSVC:
1397 return SECCLASS_ATMSVC_SOCKET;
1398 case PF_RDS:
1399 return SECCLASS_RDS_SOCKET;
1400 case PF_IRDA:
1401 return SECCLASS_IRDA_SOCKET;
1402 case PF_PPPOX:
1403 return SECCLASS_PPPOX_SOCKET;
1404 case PF_LLC:
1405 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1406 case PF_CAN:
1407 return SECCLASS_CAN_SOCKET;
1408 case PF_TIPC:
1409 return SECCLASS_TIPC_SOCKET;
1410 case PF_BLUETOOTH:
1411 return SECCLASS_BLUETOOTH_SOCKET;
1412 case PF_IUCV:
1413 return SECCLASS_IUCV_SOCKET;
1414 case PF_RXRPC:
1415 return SECCLASS_RXRPC_SOCKET;
1416 case PF_ISDN:
1417 return SECCLASS_ISDN_SOCKET;
1418 case PF_PHONET:
1419 return SECCLASS_PHONET_SOCKET;
1420 case PF_IEEE802154:
1421 return SECCLASS_IEEE802154_SOCKET;
1422 case PF_CAIF:
1423 return SECCLASS_CAIF_SOCKET;
1424 case PF_ALG:
1425 return SECCLASS_ALG_SOCKET;
1426 case PF_NFC:
1427 return SECCLASS_NFC_SOCKET;
1428 case PF_VSOCK:
1429 return SECCLASS_VSOCK_SOCKET;
1430 case PF_KCM:
1431 return SECCLASS_KCM_SOCKET;
1432 case PF_QIPCRTR:
1433 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1434 case PF_SMC:
1435 return SECCLASS_SMC_SOCKET;
1436#if PF_MAX > 44
da69a530
SS		 1437#error New address family defined, please update this function.
1438#endif
1439 }
1440 }
1441
1da177e4
LT		 1442 return SECCLASS_SOCKET;
1443}
1444
134509d5
SS		 1445static int selinux_genfs_get_sid(struct dentry *dentry,
1446 u16 tclass,
1447 u16 flags,
1448 u32 *sid)
1da177e4 1449{
8e6c9693 1450 int rc;
fc64005c 1451 struct super_block *sb = dentry->d_sb;
8e6c9693 1452 char *buffer, *path;
1da177e4 1453
828dfe1d 1454 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1455 if (!buffer)
1456 return -ENOMEM;
1457
8e6c9693
LAG		 1458 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1459 if (IS_ERR(path))
1460 rc = PTR_ERR(path);
1461 else {
134509d5
SS		 1462 if (flags & SE_SBPROC) {
1463 /* each process gets a /proc/PID/ entry. Strip off the
1464 * PID part to get a valid selinux labeling.
1465 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1466 while (path[1] >= '0' && path[1] <= '9') {
1467 path[1] = '/';
1468 path++;
1469 }
8e6c9693 1470 }
134509d5 1471 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1472 }
1da177e4
LT		 1473 free_page((unsigned long)buffer);
1474 return rc;
1475}
1da177e4
LT		 1476
1477/* The inode's security attributes must be initialized before first use. */
1478static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1479{
1480 struct superblock_security_struct *sbsec = NULL;
1481 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1482 u32 task_sid, sid = 0;
1483 u16 sclass;
1da177e4
LT		 1484 struct dentry *dentry;
1485#define INITCONTEXTLEN 255
1486 char *context = NULL;
1487 unsigned len = 0;
1488 int rc = 0;
1da177e4 1489
6f3be9f5 1490 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1491 return 0;
1da177e4 1492
9287aed2 1493 spin_lock(&isec->lock);
6f3be9f5 1494 if (isec->initialized == LABEL_INITIALIZED)
23970741 1495 goto out_unlock;
1da177e4 1496
13457d07
AG		 1497 if (isec->sclass == SECCLASS_FILE)
1498 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1499
1da177e4 1500 sbsec = inode->i_sb->s_security;
0d90a7ec 1501 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1502 /* Defer initialization until selinux_complete_init,
1503 after the initial policy is loaded and the security
1504 server is ready to handle calls. */
1505 spin_lock(&sbsec->isec_lock);
1506 if (list_empty(&isec->list))
1507 list_add(&isec->list, &sbsec->isec_head);
1508 spin_unlock(&sbsec->isec_lock);
23970741 1509 goto out_unlock;
1da177e4
LT		 1510 }
1511
9287aed2
AG		 1512 sclass = isec->sclass;
1513 task_sid = isec->task_sid;
1514 sid = isec->sid;
1515 isec->initialized = LABEL_PENDING;
1516 spin_unlock(&isec->lock);
1517
1da177e4 1518 switch (sbsec->behavior) {
eb9ae686
DQ		 1519 case SECURITY_FS_USE_NATIVE:
1520 break;
1da177e4 1521 case SECURITY_FS_USE_XATTR:
5d6c3191 1522 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1523 sid = sbsec->def_sid;
1da177e4
LT		 1524 break;
1525 }
1da177e4
LT		 1526 /* Need a dentry, since the xattr API requires one.
1527 Life would be simpler if we could just pass the inode. */
1528 if (opt_dentry) {
1529 /* Called from d_instantiate or d_splice_alias. */
1530 dentry = dget(opt_dentry);
1531 } else {
1532 /* Called from selinux_complete_init, try to find a dentry. */
1533 dentry = d_find_alias(inode);
1534 }
1535 if (!dentry) {
df7f54c0
EP		 1536 /*
1537 * this is can be hit on boot when a file is accessed
1538 * before the policy is loaded. When we load policy we
1539 * may find inodes that have no dentry on the
1540 * sbsec->isec_head list. No reason to complain as these
1541 * will get fixed up the next time we go through
1542 * inode_doinit with a dentry, before these inodes could
1543 * be used again by userspace.
1544 */
9287aed2 1545 goto out;
1da177e4
LT		 1546 }
1547
1548 len = INITCONTEXTLEN;
4cb912f1 1549 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1550 if (!context) {
1551 rc = -ENOMEM;
1552 dput(dentry);
9287aed2 1553 goto out;
1da177e4 1554 }
4cb912f1 1555 context[len] = '\0';
5d6c3191 1556 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1557 if (rc == -ERANGE) {
314dabb8
JM		 1558 kfree(context);
1559
1da177e4 1560 /* Need a larger buffer. Query for the right size. */
5d6c3191 1561 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1562 if (rc < 0) {
1563 dput(dentry);
9287aed2 1564 goto out;
1da177e4 1565 }
1da177e4 1566 len = rc;
4cb912f1 1567 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1568 if (!context) {
1569 rc = -ENOMEM;
1570 dput(dentry);
9287aed2 1571 goto out;
1da177e4 1572 }
4cb912f1 1573 context[len] = '\0';
5d6c3191 1574 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1575 }
1576 dput(dentry);
1577 if (rc < 0) {
1578 if (rc != -ENODATA) {
744ba35e 1579 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1580 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1581 -rc, inode->i_sb->s_id, inode->i_ino);
1582 kfree(context);
9287aed2 1583 goto out;
1da177e4
LT		 1584 }
1585 /* Map ENODATA to the default file SID */
1586 sid = sbsec->def_sid;
1587 rc = 0;
1588 } else {
f5c1d5b2 1589 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1590 sbsec->def_sid,
1591 GFP_NOFS);
1da177e4 1592 if (rc) {
4ba0a8ad
EP		 1593 char *dev = inode->i_sb->s_id;
1594 unsigned long ino = inode->i_ino;
1595
1596 if (rc == -EINVAL) {
1597 if (printk_ratelimit())
1598 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1599 "context=%s. This indicates you may need to relabel the inode or the "
1600 "filesystem in question.\n", ino, dev, context);
1601 } else {
1602 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1603 "returned %d for dev=%s ino=%ld\n",
1604 __func__, context, -rc, dev, ino);
1605 }
1da177e4
LT		 1606 kfree(context);
1607 /* Leave with the unlabeled SID */
1608 rc = 0;
1609 break;
1610 }
1611 }
1612 kfree(context);
1da177e4
LT		 1613 break;
1614 case SECURITY_FS_USE_TASK:
9287aed2 1615 sid = task_sid;
1da177e4
LT		 1616 break;
1617 case SECURITY_FS_USE_TRANS:
1618 /* Default to the fs SID. */
9287aed2 1619 sid = sbsec->sid;
1da177e4
LT		 1620
1621 /* Try to obtain a transition SID. */
9287aed2 1622 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1da177e4 1623 if (rc)
9287aed2 1624 goto out;
1da177e4 1625 break;
c312feb2 1626 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1627 sid = sbsec->mntpoint_sid;
c312feb2 1628 break;
1da177e4 1629 default:
c312feb2 1630 /* Default to the fs superblock SID. */
9287aed2 1631 sid = sbsec->sid;
1da177e4 1632
134509d5 1633 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1634 /* We must have a dentry to determine the label on
1635 * procfs inodes */
1636 if (opt_dentry)
1637 /* Called from d_instantiate or
1638 * d_splice_alias. */
1639 dentry = dget(opt_dentry);
1640 else
1641 /* Called from selinux_complete_init, try to
1642 * find a dentry. */
1643 dentry = d_find_alias(inode);
1644 /*
1645 * This can be hit on boot when a file is accessed
1646 * before the policy is loaded. When we load policy we
1647 * may find inodes that have no dentry on the
1648 * sbsec->isec_head list. No reason to complain as
1649 * these will get fixed up the next time we go through
1650 * inode_doinit() with a dentry, before these inodes
1651 * could be used again by userspace.
1652 */
1653 if (!dentry)
9287aed2
AG		 1654 goto out;
1655 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1656 sbsec->flags, &sid);
f64410ec
PM		 1657 dput(dentry);
1658 if (rc)
9287aed2 1659 goto out;
1da177e4
LT		 1660 }
1661 break;
1662 }
1663
9287aed2
AG		 1664out:
1665 spin_lock(&isec->lock);
1666 if (isec->initialized == LABEL_PENDING) {
1667 if (!sid || rc) {
1668 isec->initialized = LABEL_INVALID;
1669 goto out_unlock;
1670 }
1671
1672 isec->initialized = LABEL_INITIALIZED;
1673 isec->sid = sid;
1674 }
1da177e4 1675
23970741 1676out_unlock:
9287aed2 1677 spin_unlock(&isec->lock);
1da177e4
LT		 1678 return rc;
1679}
1680
1681/* Convert a Linux signal to an access vector. */
1682static inline u32 signal_to_av(int sig)
1683{
1684 u32 perm = 0;
1685
1686 switch (sig) {
1687 case SIGCHLD:
1688 /* Commonly granted from child to parent. */
1689 perm = PROCESS__SIGCHLD;
1690 break;
1691 case SIGKILL:
1692 /* Cannot be caught or ignored */
1693 perm = PROCESS__SIGKILL;
1694 break;
1695 case SIGSTOP:
1696 /* Cannot be caught or ignored */
1697 perm = PROCESS__SIGSTOP;
1698 break;
1699 default:
1700 /* All other signals. */
1701 perm = PROCESS__SIGNAL;
1702 break;
1703 }
1704
1705 return perm;
1706}
1707
b68e418c
SS		 1708#if CAP_LAST_CAP > 63
1709#error Fix SELinux to handle capabilities > 63.
1710#endif
1711
1da177e4 1712/* Check whether a task is allowed to use a capability. */
6a9de491 1713static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1714 int cap, int audit, bool initns)
1da177e4 1715{
2bf49690 1716 struct common_audit_data ad;
06112163 1717 struct av_decision avd;
b68e418c 1718 u16 sclass;
3699c53c 1719 u32 sid = cred_sid(cred);
b68e418c 1720 u32 av = CAP_TO_MASK(cap);
06112163 1721 int rc;
1da177e4 1722
50c205f5 1723 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1724 ad.u.cap = cap;
1725
b68e418c
SS		 1726 switch (CAP_TO_INDEX(cap)) {
1727 case 0:
8e4ff6f2 1728 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1729 break;
1730 case 1:
8e4ff6f2 1731 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1732 break;
1733 default:
1734 printk(KERN_ERR
1735 "SELinux: out of range capability %d\n", cap);
1736 BUG();
a35c6c83 1737 return -EINVAL;
b68e418c 1738 }
06112163 1739
275bb41e 1740 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1741 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1742 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1743 if (rc2)
1744 return rc2;
1745 }
06112163 1746 return rc;
1da177e4
LT		 1747}
1748
1da177e4
LT		 1749/* Check whether a task has a particular permission to an inode.
1750 The 'adp' parameter is optional and allows other audit
1751 data to be passed (e.g. the dentry). */
88e67f3b 1752static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1753 struct inode *inode,
1754 u32 perms,
19e49834 1755 struct common_audit_data *adp)
1da177e4 1756{
1da177e4 1757 struct inode_security_struct *isec;
275bb41e 1758 u32 sid;
1da177e4 1759
e0e81739
DH		 1760 validate_creds(cred);
1761
828dfe1d 1762 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1763 return 0;
1764
88e67f3b 1765 sid = cred_sid(cred);
1da177e4
LT		 1766 isec = inode->i_security;
1767
19e49834 1768 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1769}
1770
1771/* Same as inode_has_perm, but pass explicit audit data containing
1772 the dentry to help the auditing code to more easily generate the
1773 pathname if needed. */
88e67f3b 1774static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1775 struct dentry *dentry,
1776 u32 av)
1777{
c6f493d6 1778 struct inode *inode = d_backing_inode(dentry);
2bf49690 1779 struct common_audit_data ad;
88e67f3b 1780
50c205f5 1781 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1782 ad.u.dentry = dentry;
5d226df4 1783 __inode_security_revalidate(inode, dentry, true);
19e49834 1784 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1785}
1786
1787/* Same as inode_has_perm, but pass explicit audit data containing
1788 the path to help the auditing code to more easily generate the
1789 pathname if needed. */
1790static inline int path_has_perm(const struct cred *cred,
3f7036a0 1791 const struct path *path,
2875fa00
EP		 1792 u32 av)
1793{
c6f493d6 1794 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1795 struct common_audit_data ad;
1796
50c205f5 1797 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1798 ad.u.path = *path;
5d226df4 1799 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1800 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1801}
1802
13f8e981
DH		 1803/* Same as path_has_perm, but uses the inode from the file struct. */
1804static inline int file_path_has_perm(const struct cred *cred,
1805 struct file *file,
1806 u32 av)
1807{
1808 struct common_audit_data ad;
1809
43af5de7
VG		 1810 ad.type = LSM_AUDIT_DATA_FILE;
1811 ad.u.file = file;
19e49834 1812 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1813}
1814
1da177e4
LT		 1815/* Check whether a task can use an open file descriptor to
1816 access an inode in a given way. Check access to the
1817 descriptor itself, and then use dentry_has_perm to
1818 check a particular permission to the file.
1819 Access to the descriptor is implicitly granted if it
1820 has the same SID as the process. If av is zero, then
1821 access to the file is not checked, e.g. for cases
1822 where only the descriptor is affected like seek. */
88e67f3b
DH		 1823static int file_has_perm(const struct cred *cred,
1824 struct file *file,
1825 u32 av)
1da177e4 1826{
1da177e4 1827 struct file_security_struct *fsec = file->f_security;
496ad9aa 1828 struct inode *inode = file_inode(file);
2bf49690 1829 struct common_audit_data ad;
88e67f3b 1830 u32 sid = cred_sid(cred);
1da177e4
LT		 1831 int rc;
1832
43af5de7
VG		 1833 ad.type = LSM_AUDIT_DATA_FILE;
1834 ad.u.file = file;
1da177e4 1835
275bb41e
DH		 1836 if (sid != fsec->sid) {
1837 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1838 SECCLASS_FD,
1839 FD__USE,
1840 &ad);
1841 if (rc)
88e67f3b 1842 goto out;
1da177e4
LT		 1843 }
1844
1845 /* av is zero if only checking access to the descriptor. */
88e67f3b 1846 rc = 0;
1da177e4 1847 if (av)
19e49834 1848 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1849
88e67f3b
DH		 1850out:
1851 return rc;
1da177e4
LT		 1852}
1853
c3c188b2
DH		 1854/*
1855 * Determine the label for an inode that might be unioned.
1856 */
c957f6df
VG		 1857static int
1858selinux_determine_inode_label(const struct task_security_struct *tsec,
1859 struct inode *dir,
1860 const struct qstr *name, u16 tclass,
1861 u32 *_new_isid)
c3c188b2
DH		 1862{
1863 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1864
1865 if ((sbsec->flags & SE_SBINITIALIZED) &&
1866 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1867 *_new_isid = sbsec->mntpoint_sid;
1868 } else if ((sbsec->flags & SBLABEL_MNT) &&
1869 tsec->create_sid) {
1870 *_new_isid = tsec->create_sid;
1871 } else {
20cdef8d 1872 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1873 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1874 name, _new_isid);
1875 }
1876
1877 return 0;
1878}
1879
1da177e4
LT		 1880/* Check whether a task can create a file. */
1881static int may_create(struct inode *dir,
1882 struct dentry *dentry,
1883 u16 tclass)
1884{
5fb49870 1885 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1886 struct inode_security_struct *dsec;
1887 struct superblock_security_struct *sbsec;
275bb41e 1888 u32 sid, newsid;
2bf49690 1889 struct common_audit_data ad;
1da177e4
LT		 1890 int rc;
1891
83da53c5 1892 dsec = inode_security(dir);
1da177e4
LT		 1893 sbsec = dir->i_sb->s_security;
1894
275bb41e 1895 sid = tsec->sid;
275bb41e 1896
50c205f5 1897 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1898 ad.u.dentry = dentry;
1da177e4 1899
275bb41e 1900 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1901 DIR__ADD_NAME | DIR__SEARCH,
1902 &ad);
1903 if (rc)
1904 return rc;
1905
c957f6df
VG		 1906 rc = selinux_determine_inode_label(current_security(), dir,
1907 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1908 if (rc)
1909 return rc;
1da177e4 1910
275bb41e 1911 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1912 if (rc)
1913 return rc;
1914
1915 return avc_has_perm(newsid, sbsec->sid,
1916 SECCLASS_FILESYSTEM,
1917 FILESYSTEM__ASSOCIATE, &ad);
1918}
1919
828dfe1d
EP		 1920#define MAY_LINK 0
1921#define MAY_UNLINK 1
1922#define MAY_RMDIR 2
1da177e4
LT		 1923
1924/* Check whether a task can link, unlink, or rmdir a file/directory. */
1925static int may_link(struct inode *dir,
1926 struct dentry *dentry,
1927 int kind)
1928
1929{
1da177e4 1930 struct inode_security_struct *dsec, *isec;
2bf49690 1931 struct common_audit_data ad;
275bb41e 1932 u32 sid = current_sid();
1da177e4
LT		 1933 u32 av;
1934 int rc;
1935
83da53c5
AG		 1936 dsec = inode_security(dir);
1937 isec = backing_inode_security(dentry);
1da177e4 1938
50c205f5 1939 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1940 ad.u.dentry = dentry;
1da177e4
LT		 1941
1942 av = DIR__SEARCH;
1943 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1944 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1945 if (rc)
1946 return rc;
1947
1948 switch (kind) {
1949 case MAY_LINK:
1950 av = FILE__LINK;
1951 break;
1952 case MAY_UNLINK:
1953 av = FILE__UNLINK;
1954 break;
1955 case MAY_RMDIR:
1956 av = DIR__RMDIR;
1957 break;
1958 default:
744ba35e
EP		 1959 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1960 __func__, kind);
1da177e4
LT		 1961 return 0;
1962 }
1963
275bb41e 1964 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1965 return rc;
1966}
1967
1968static inline int may_rename(struct inode *old_dir,
1969 struct dentry *old_dentry,
1970 struct inode *new_dir,
1971 struct dentry *new_dentry)
1972{
1da177e4 1973 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1974 struct common_audit_data ad;
275bb41e 1975 u32 sid = current_sid();
1da177e4
LT		 1976 u32 av;
1977 int old_is_dir, new_is_dir;
1978 int rc;
1979
83da53c5
AG		 1980 old_dsec = inode_security(old_dir);
1981 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1982 old_is_dir = d_is_dir(old_dentry);
83da53c5 1983 new_dsec = inode_security(new_dir);
1da177e4 1984
50c205f5 1985 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1986
a269434d 1987 ad.u.dentry = old_dentry;
275bb41e 1988 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1989 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1990 if (rc)
1991 return rc;
275bb41e 1992 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1993 old_isec->sclass, FILE__RENAME, &ad);
1994 if (rc)
1995 return rc;
1996 if (old_is_dir && new_dir != old_dir) {
275bb41e 1997 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1998 old_isec->sclass, DIR__REPARENT, &ad);
1999 if (rc)
2000 return rc;
2001 }
2002
a269434d 2003 ad.u.dentry = new_dentry;
1da177e4 2004 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 2005 if (d_is_positive(new_dentry))
1da177e4 2006 av |= DIR__REMOVE_NAME;
275bb41e 2007 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 2008 if (rc)
2009 return rc;
2c616d4d 2010 if (d_is_positive(new_dentry)) {
83da53c5 2011 new_isec = backing_inode_security(new_dentry);
e36cb0b8 2012 new_is_dir = d_is_dir(new_dentry);
275bb41e 2013 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 2014 new_isec->sclass,
2015 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2016 if (rc)
2017 return rc;
2018 }
2019
2020 return 0;
2021}
2022
2023/* Check whether a task can perform a filesystem operation. */
88e67f3b 2024static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2025 struct super_block *sb,
2026 u32 perms,
2bf49690 2027 struct common_audit_data *ad)
1da177e4 2028{
1da177e4 2029 struct superblock_security_struct *sbsec;
88e67f3b 2030 u32 sid = cred_sid(cred);
1da177e4 2031
1da177e4 2032 sbsec = sb->s_security;
275bb41e 2033 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2034}
2035
2036/* Convert a Linux mode and permission mask to an access vector. */
2037static inline u32 file_mask_to_av(int mode, int mask)
2038{
2039 u32 av = 0;
2040
dba19c60 2041 if (!S_ISDIR(mode)) {
1da177e4
LT		 2042 if (mask & MAY_EXEC)
2043 av |= FILE__EXECUTE;
2044 if (mask & MAY_READ)
2045 av |= FILE__READ;
2046
2047 if (mask & MAY_APPEND)
2048 av |= FILE__APPEND;
2049 else if (mask & MAY_WRITE)
2050 av |= FILE__WRITE;
2051
2052 } else {
2053 if (mask & MAY_EXEC)
2054 av |= DIR__SEARCH;
2055 if (mask & MAY_WRITE)
2056 av |= DIR__WRITE;
2057 if (mask & MAY_READ)
2058 av |= DIR__READ;
2059 }
2060
2061 return av;
2062}
2063
8b6a5a37
EP		 2064/* Convert a Linux file to an access vector. */
2065static inline u32 file_to_av(struct file *file)
2066{
2067 u32 av = 0;
2068
2069 if (file->f_mode & FMODE_READ)
2070 av |= FILE__READ;
2071 if (file->f_mode & FMODE_WRITE) {
2072 if (file->f_flags & O_APPEND)
2073 av |= FILE__APPEND;
2074 else
2075 av |= FILE__WRITE;
2076 }
2077 if (!av) {
2078 /*
2079 * Special file opened with flags 3 for ioctl-only use.
2080 */
2081 av = FILE__IOCTL;
2082 }
2083
2084 return av;
2085}
2086
b0c636b9 2087/*
8b6a5a37 2088 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2089 * open permission.
2090 */
8b6a5a37 2091static inline u32 open_file_to_av(struct file *file)
b0c636b9 2092{
8b6a5a37 2093 u32 av = file_to_av(file);
ccb54478 2094 struct inode *inode = file_inode(file);
b0c636b9 2095
ccb54478 2096 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2097 av |= FILE__OPEN;
2098
b0c636b9
EP		 2099 return av;
2100}
2101
1da177e4
LT		 2102/* Hook functions begin here. */
2103
79af7307
SS		 2104static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2105{
2106 u32 mysid = current_sid();
2107 u32 mgrsid = task_sid(mgr);
2108
2109 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2110 BINDER__SET_CONTEXT_MGR, NULL);
2111}
2112
2113static int selinux_binder_transaction(struct task_struct *from,
2114 struct task_struct *to)
2115{
2116 u32 mysid = current_sid();
2117 u32 fromsid = task_sid(from);
2118 u32 tosid = task_sid(to);
2119 int rc;
2120
2121 if (mysid != fromsid) {
2122 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2123 BINDER__IMPERSONATE, NULL);
2124 if (rc)
2125 return rc;
2126 }
2127
2128 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2129 NULL);
2130}
2131
2132static int selinux_binder_transfer_binder(struct task_struct *from,
2133 struct task_struct *to)
2134{
2135 u32 fromsid = task_sid(from);
2136 u32 tosid = task_sid(to);
2137
2138 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2139 NULL);
2140}
2141
2142static int selinux_binder_transfer_file(struct task_struct *from,
2143 struct task_struct *to,
2144 struct file *file)
2145{
2146 u32 sid = task_sid(to);
2147 struct file_security_struct *fsec = file->f_security;
83da53c5 2148 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2149 struct inode_security_struct *isec;
79af7307
SS		 2150 struct common_audit_data ad;
2151 int rc;
2152
2153 ad.type = LSM_AUDIT_DATA_PATH;
2154 ad.u.path = file->f_path;
2155
2156 if (sid != fsec->sid) {
2157 rc = avc_has_perm(sid, fsec->sid,
2158 SECCLASS_FD,
2159 FD__USE,
2160 &ad);
2161 if (rc)
2162 return rc;
2163 }
2164
83da53c5 2165 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2166 return 0;
2167
20cdef8d 2168 isec = backing_inode_security(dentry);
79af7307
SS		 2169 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2170 &ad);
2171}
2172
9e48858f 2173static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2174 unsigned int mode)
1da177e4 2175{
be0554c9
SS		 2176 u32 sid = current_sid();
2177 u32 csid = task_sid(child);
2178
2179 if (mode & PTRACE_MODE_READ)
275bb41e 2180 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2181
be0554c9 2182 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2183}
2184
2185static int selinux_ptrace_traceme(struct task_struct *parent)
2186{
be0554c9
SS		 2187 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2188 PROCESS__PTRACE, NULL);
1da177e4
LT		 2189}
2190
2191static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2192 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2193{
be0554c9
SS		 2194 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2195 PROCESS__GETCAP, NULL);
1da177e4
LT		 2196}
2197
d84f4f99
DH		 2198static int selinux_capset(struct cred *new, const struct cred *old,
2199 const kernel_cap_t *effective,
2200 const kernel_cap_t *inheritable,
2201 const kernel_cap_t *permitted)
1da177e4 2202{
be0554c9
SS		 2203 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2204 PROCESS__SETCAP, NULL);
1da177e4
LT		 2205}
2206
5626d3e8
JM		 2207/*
2208 * (This comment used to live with the selinux_task_setuid hook,
2209 * which was removed).
2210 *
2211 * Since setuid only affects the current process, and since the SELinux
2212 * controls are not based on the Linux identity attributes, SELinux does not
2213 * need to control this operation. However, SELinux does control the use of
2214 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2215 */
2216
6a9de491
EP		 2217static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2218 int cap, int audit)
1da177e4 2219{
8e4ff6f2 2220 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2221}
2222
1da177e4
LT		 2223static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2224{
88e67f3b 2225 const struct cred *cred = current_cred();
1da177e4
LT		 2226 int rc = 0;
2227
2228 if (!sb)
2229 return 0;
2230
2231 switch (cmds) {
828dfe1d
EP		 2232 case Q_SYNC:
2233 case Q_QUOTAON:
2234 case Q_QUOTAOFF:
2235 case Q_SETINFO:
2236 case Q_SETQUOTA:
88e67f3b 2237 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2238 break;
2239 case Q_GETFMT:
2240 case Q_GETINFO:
2241 case Q_GETQUOTA:
88e67f3b 2242 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2243 break;
2244 default:
2245 rc = 0; /* let the kernel handle invalid cmds */
2246 break;
1da177e4
LT		 2247 }
2248 return rc;
2249}
2250
2251static int selinux_quota_on(struct dentry *dentry)
2252{
88e67f3b
DH		 2253 const struct cred *cred = current_cred();
2254
2875fa00 2255 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2256}
2257
12b3052c 2258static int selinux_syslog(int type)
1da177e4 2259{
1da177e4 2260 switch (type) {
d78ca3cd
KC		 2261 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2262 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
be0554c9
SS		 2263 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2264 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2265 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2266 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2267 /* Set level of messages printed to console */
2268 case SYSLOG_ACTION_CONSOLE_LEVEL:
be0554c9
SS		 2269 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2270 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2271 NULL);
1da177e4 2272 }
be0554c9
SS		 2273 /* All other syslog types */
2274 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2275 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2276}
2277
2278/*
2279 * Check that a process has enough memory to allocate a new virtual
2280 * mapping. 0 means there is enough memory for the allocation to
2281 * succeed and -ENOMEM implies there is not.
2282 *
1da177e4
LT		 2283 * Do not audit the selinux permission check, as this is applied to all
2284 * processes that allocate mappings.
2285 */
34b4e4aa 2286static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2287{
2288 int rc, cap_sys_admin = 0;
1da177e4 2289
b1d9e6b0 2290 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2291 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2292 if (rc == 0)
2293 cap_sys_admin = 1;
2294
b1d9e6b0 2295 return cap_sys_admin;
1da177e4
LT		 2296}
2297
2298/* binprm security operations */
2299
be0554c9 2300static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2301{
2302 u32 sid = 0;
2303 struct task_struct *tracer;
2304
2305 rcu_read_lock();
be0554c9 2306 tracer = ptrace_parent(current);
0c6181cb
PM		 2307 if (tracer)
2308 sid = task_sid(tracer);
2309 rcu_read_unlock();
2310
2311 return sid;
2312}
2313
7b0d0b40
SS		 2314static int check_nnp_nosuid(const struct linux_binprm *bprm,
2315 const struct task_security_struct *old_tsec,
2316 const struct task_security_struct *new_tsec)
2317{
2318 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2319 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40
SS		 2320 int rc;
2321
2322 if (!nnp && !nosuid)
2323 return 0; /* neither NNP nor nosuid */
2324
2325 if (new_tsec->sid == old_tsec->sid)
2326 return 0; /* No change in credentials */
2327
2328 /*
2329 * The only transitions we permit under NNP or nosuid
2330 * are transitions to bounded SIDs, i.e. SIDs that are
2331 * guaranteed to only be allowed a subset of the permissions
2332 * of the current SID.
2333 */
2334 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2335 if (rc) {
2336 /*
2337 * On failure, preserve the errno values for NNP vs nosuid.
2338 * NNP: Operation not permitted for caller.
2339 * nosuid: Permission denied to file.
2340 */
2341 if (nnp)
2342 return -EPERM;
2343 else
2344 return -EACCES;
2345 }
2346 return 0;
2347}
2348
a6f76f23 2349static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2350{
a6f76f23
DH		 2351 const struct task_security_struct *old_tsec;
2352 struct task_security_struct *new_tsec;
1da177e4 2353 struct inode_security_struct *isec;
2bf49690 2354 struct common_audit_data ad;
496ad9aa 2355 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2356 int rc;
2357
a6f76f23
DH		 2358 /* SELinux context only depends on initial program or script and not
2359 * the script interpreter */
2360 if (bprm->cred_prepared)
1da177e4
LT		 2361 return 0;
2362
a6f76f23
DH		 2363 old_tsec = current_security();
2364 new_tsec = bprm->cred->security;
83da53c5 2365 isec = inode_security(inode);
1da177e4
LT		 2366
2367 /* Default to the current task SID. */
a6f76f23
DH		 2368 new_tsec->sid = old_tsec->sid;
2369 new_tsec->osid = old_tsec->sid;
1da177e4 2370
28eba5bf 2371 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2372 new_tsec->create_sid = 0;
2373 new_tsec->keycreate_sid = 0;
2374 new_tsec->sockcreate_sid = 0;
1da177e4 2375
a6f76f23
DH		 2376 if (old_tsec->exec_sid) {
2377 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2378 /* Reset exec SID on execve. */
a6f76f23 2379 new_tsec->exec_sid = 0;
259e5e6c 2380
7b0d0b40
SS		 2381 /* Fail on NNP or nosuid if not an allowed transition. */
2382 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2383 if (rc)
2384 return rc;
1da177e4
LT		 2385 } else {
2386 /* Check for a default transition on this program. */
a6f76f23 2387 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2388 SECCLASS_PROCESS, NULL,
2389 &new_tsec->sid);
1da177e4
LT		 2390 if (rc)
2391 return rc;
7b0d0b40
SS		 2392
2393 /*
2394 * Fallback to old SID on NNP or nosuid if not an allowed
2395 * transition.
2396 */
2397 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2398 if (rc)
2399 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2400 }
2401
43af5de7
VG		 2402 ad.type = LSM_AUDIT_DATA_FILE;
2403 ad.u.file = bprm->file;
1da177e4 2404
a6f76f23
DH		 2405 if (new_tsec->sid == old_tsec->sid) {
2406 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2407 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2408 if (rc)
2409 return rc;
2410 } else {
2411 /* Check permissions for the transition. */
a6f76f23 2412 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2413 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2414 if (rc)
2415 return rc;
2416
a6f76f23 2417 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2418 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2419 if (rc)
2420 return rc;
2421
a6f76f23
DH		 2422 /* Check for shared state */
2423 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2424 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2425 SECCLASS_PROCESS, PROCESS__SHARE,
2426 NULL);
2427 if (rc)
2428 return -EPERM;
2429 }
2430
2431 /* Make sure that anyone attempting to ptrace over a task that
2432 * changes its SID has the appropriate permit */
9227dd2a 2433 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2434 u32 ptsid = ptrace_parent_sid();
a6f76f23
DH		 2435 if (ptsid != 0) {
2436 rc = avc_has_perm(ptsid, new_tsec->sid,
2437 SECCLASS_PROCESS,
2438 PROCESS__PTRACE, NULL);
2439 if (rc)
2440 return -EPERM;
2441 }
2442 }
1da177e4 2443
a6f76f23
DH		 2444 /* Clear any possibly unsafe personality bits on exec: */
2445 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2446 }
2447
1da177e4
LT		 2448 return 0;
2449}
2450
828dfe1d 2451static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2452{
5fb49870 2453 const struct task_security_struct *tsec = current_security();
275bb41e 2454 u32 sid, osid;
1da177e4
LT		 2455 int atsecure = 0;
2456
275bb41e
DH		 2457 sid = tsec->sid;
2458 osid = tsec->osid;
2459
2460 if (osid != sid) {
1da177e4
LT		 2461 /* Enable secure mode for SIDs transitions unless
2462 the noatsecure permission is granted between
2463 the two SIDs, i.e. ahp returns 0. */
275bb41e 2464 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2465 SECCLASS_PROCESS,
2466 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2467 }
2468
b1d9e6b0 2469 return !!atsecure;
1da177e4
LT		 2470}
2471
c3c073f8
AV		 2472static int match_file(const void *p, struct file *file, unsigned fd)
2473{
2474 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2475}
2476
1da177e4 2477/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2478static inline void flush_unauthorized_files(const struct cred *cred,
2479 struct files_struct *files)
1da177e4 2480{
1da177e4 2481 struct file *file, *devnull = NULL;
b20c8122 2482 struct tty_struct *tty;
24ec839c 2483 int drop_tty = 0;
c3c073f8 2484 unsigned n;
1da177e4 2485
24ec839c 2486 tty = get_current_tty();
1da177e4 2487 if (tty) {
4a510969 2488 spin_lock(&tty->files_lock);
37dd0bd0 2489 if (!list_empty(&tty->tty_files)) {
d996b62a 2490 struct tty_file_private *file_priv;
37dd0bd0 2491
1da177e4 2492 /* Revalidate access to controlling tty.
13f8e981
DH		 2493 Use file_path_has_perm on the tty path directly
2494 rather than using file_has_perm, as this particular
2495 open file may belong to another process and we are
2496 only interested in the inode-based check here. */
d996b62a
NP		 2497 file_priv = list_first_entry(&tty->tty_files,
2498 struct tty_file_private, list);
2499 file = file_priv->file;
13f8e981 2500 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2501 drop_tty = 1;
1da177e4 2502 }
4a510969 2503 spin_unlock(&tty->files_lock);
452a00d2 2504 tty_kref_put(tty);
1da177e4 2505 }
98a27ba4
EB		 2506 /* Reset controlling tty. */
2507 if (drop_tty)
2508 no_tty();
1da177e4
LT		 2509
2510 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2511 n = iterate_fd(files, 0, match_file, cred);
2512 if (!n) /* none found? */
2513 return;
1da177e4 2514
c3c073f8 2515 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2516 if (IS_ERR(devnull))
2517 devnull = NULL;
2518 /* replace all the matching ones with this */
2519 do {
2520 replace_fd(n - 1, devnull, 0);
2521 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2522 if (devnull)
c3c073f8 2523 fput(devnull);
1da177e4
LT		 2524}
2525
a6f76f23
DH		 2526/*
2527 * Prepare a process for imminent new credential changes due to exec
2528 */
2529static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2530{
a6f76f23
DH		 2531 struct task_security_struct *new_tsec;
2532 struct rlimit *rlim, *initrlim;
2533 int rc, i;
d84f4f99 2534
a6f76f23
DH		 2535 new_tsec = bprm->cred->security;
2536 if (new_tsec->sid == new_tsec->osid)
2537 return;
1da177e4 2538
a6f76f23
DH		 2539 /* Close files for which the new task SID is not authorized. */
2540 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2541
a6f76f23
DH		 2542 /* Always clear parent death signal on SID transitions. */
2543 current->pdeath_signal = 0;
0356357c 2544
a6f76f23
DH		 2545 /* Check whether the new SID can inherit resource limits from the old
2546 * SID. If not, reset all soft limits to the lower of the current
2547 * task's hard limit and the init task's soft limit.
2548 *
2549 * Note that the setting of hard limits (even to lower them) can be
2550 * controlled by the setrlimit check. The inclusion of the init task's
2551 * soft limit into the computation is to avoid resetting soft limits
2552 * higher than the default soft limit for cases where the default is
2553 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2554 */
2555 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2556 PROCESS__RLIMITINH, NULL);
2557 if (rc) {
eb2d55a3
ON		 2558 /* protect against do_prlimit() */
2559 task_lock(current);
a6f76f23
DH		 2560 for (i = 0; i < RLIM_NLIMITS; i++) {
2561 rlim = current->signal->rlim + i;
2562 initrlim = init_task.signal->rlim + i;
2563 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2564 }
eb2d55a3 2565 task_unlock(current);
baa73d9e
NP		 2566 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2567 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2568 }
2569}
2570
2571/*
a6f76f23
DH		 2572 * Clean up the process immediately after the installation of new credentials
2573 * due to exec
1da177e4 2574 */
a6f76f23 2575static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2576{
a6f76f23 2577 const struct task_security_struct *tsec = current_security();
1da177e4 2578 struct itimerval itimer;
a6f76f23 2579 u32 osid, sid;
1da177e4
LT		 2580 int rc, i;
2581
a6f76f23
DH		 2582 osid = tsec->osid;
2583 sid = tsec->sid;
2584
2585 if (sid == osid)
1da177e4
LT		 2586 return;
2587
a6f76f23
DH		 2588 /* Check whether the new SID can inherit signal state from the old SID.
2589 * If not, clear itimers to avoid subsequent signal generation and
2590 * flush and unblock signals.
2591 *
2592 * This must occur _after_ the task SID has been updated so that any
2593 * kill done after the flush will be checked against the new SID.
2594 */
2595 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2596 if (rc) {
baa73d9e
NP		 2597 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2598 memset(&itimer, 0, sizeof itimer);
2599 for (i = 0; i < 3; i++)
2600 do_setitimer(i, &itimer, NULL);
2601 }
1da177e4 2602 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2603 if (!fatal_signal_pending(current)) {
2604 flush_sigqueue(&current->pending);
2605 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2606 flush_signal_handlers(current, 1);
2607 sigemptyset(&current->blocked);
9e7c8f8c 2608 recalc_sigpending();
3bcac026 2609 }
1da177e4
LT		 2610 spin_unlock_irq(&current->sighand->siglock);
2611 }
2612
a6f76f23
DH		 2613 /* Wake up the parent if it is waiting so that it can recheck
2614 * wait permission to the new task SID. */
ecd6de3c 2615 read_lock(&tasklist_lock);
0b7570e7 2616 __wake_up_parent(current, current->real_parent);
ecd6de3c 2617 read_unlock(&tasklist_lock);
1da177e4
LT		 2618}
2619
2620/* superblock security operations */
2621
2622static int selinux_sb_alloc_security(struct super_block *sb)
2623{
2624 return superblock_alloc_security(sb);
2625}
2626
2627static void selinux_sb_free_security(struct super_block *sb)
2628{
2629 superblock_free_security(sb);
2630}
2631
2632static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2633{
2634 if (plen > olen)
2635 return 0;
2636
2637 return !memcmp(prefix, option, plen);
2638}
2639
2640static inline int selinux_option(char *option, int len)
2641{
832cbd9a
EP		 2642 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2643 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2644 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2645 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2646 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2647}
2648
2649static inline void take_option(char **to, char *from, int *first, int len)
2650{
2651 if (!*first) {
2652 **to = ',';
2653 *to += 1;
3528a953 2654 } else
1da177e4
LT		 2655 *first = 0;
2656 memcpy(*to, from, len);
2657 *to += len;
2658}
2659
828dfe1d
EP		 2660static inline void take_selinux_option(char **to, char *from, int *first,
2661 int len)
3528a953
CO		 2662{
2663 int current_size = 0;
2664
2665 if (!*first) {
2666 **to = '|';
2667 *to += 1;
828dfe1d 2668 } else
3528a953
CO		 2669 *first = 0;
2670
2671 while (current_size < len) {
2672 if (*from != '"') {
2673 **to = *from;
2674 *to += 1;
2675 }
2676 from += 1;
2677 current_size += 1;
2678 }
2679}
2680
e0007529 2681static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2682{
2683 int fnosec, fsec, rc = 0;
2684 char *in_save, *in_curr, *in_end;
2685 char *sec_curr, *nosec_save, *nosec;
3528a953 2686 int open_quote = 0;
1da177e4
LT		 2687
2688 in_curr = orig;
2689 sec_curr = copy;
2690
1da177e4
LT		 2691 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2692 if (!nosec) {
2693 rc = -ENOMEM;
2694 goto out;
2695 }
2696
2697 nosec_save = nosec;
2698 fnosec = fsec = 1;
2699 in_save = in_end = orig;
2700
2701 do {
3528a953
CO		 2702 if (*in_end == '"')
2703 open_quote = !open_quote;
2704 if ((*in_end == ',' && open_quote == 0) ||
2705 *in_end == '\0') {
1da177e4
LT		 2706 int len = in_end - in_curr;
2707
2708 if (selinux_option(in_curr, len))
3528a953 2709 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2710 else
2711 take_option(&nosec, in_curr, &fnosec, len);
2712
2713 in_curr = in_end + 1;
2714 }
2715 } while (*in_end++);
2716
6931dfc9 2717 strcpy(in_save, nosec_save);
da3caa20 2718 free_page((unsigned long)nosec_save);
1da177e4
LT		 2719out:
2720 return rc;
2721}
2722
026eb167
EP		 2723static int selinux_sb_remount(struct super_block *sb, void *data)
2724{
2725 int rc, i, *flags;
2726 struct security_mnt_opts opts;
2727 char *secdata, **mount_options;
2728 struct superblock_security_struct *sbsec = sb->s_security;
2729
2730 if (!(sbsec->flags & SE_SBINITIALIZED))
2731 return 0;
2732
2733 if (!data)
2734 return 0;
2735
2736 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2737 return 0;
2738
2739 security_init_mnt_opts(&opts);
2740 secdata = alloc_secdata();
2741 if (!secdata)
2742 return -ENOMEM;
2743 rc = selinux_sb_copy_data(data, secdata);
2744 if (rc)
2745 goto out_free_secdata;
2746
2747 rc = selinux_parse_opts_str(secdata, &opts);
2748 if (rc)
2749 goto out_free_secdata;
2750
2751 mount_options = opts.mnt_opts;
2752 flags = opts.mnt_opts_flags;
2753
2754 for (i = 0; i < opts.num_mnt_opts; i++) {
2755 u32 sid;
026eb167 2756
12f348b9 2757 if (flags[i] == SBLABEL_MNT)
026eb167 2758 continue;
44be2f65 2759 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2760 if (rc) {
44be2f65 2761 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2762 "(%s) failed for (dev %s, type %s) errno=%d\n",
2763 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2764 goto out_free_opts;
2765 }
2766 rc = -EINVAL;
2767 switch (flags[i]) {
2768 case FSCONTEXT_MNT:
2769 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2770 goto out_bad_option;
2771 break;
2772 case CONTEXT_MNT:
2773 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2774 goto out_bad_option;
2775 break;
2776 case ROOTCONTEXT_MNT: {
2777 struct inode_security_struct *root_isec;
83da53c5 2778 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2779
2780 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2781 goto out_bad_option;
2782 break;
2783 }
2784 case DEFCONTEXT_MNT:
2785 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2786 goto out_bad_option;
2787 break;
2788 default:
2789 goto out_free_opts;
2790 }
2791 }
2792
2793 rc = 0;
2794out_free_opts:
2795 security_free_mnt_opts(&opts);
2796out_free_secdata:
2797 free_secdata(secdata);
2798 return rc;
2799out_bad_option:
2800 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2801 "during remount (dev %s, type=%s)\n", sb->s_id,
2802 sb->s_type->name);
026eb167
EP		 2803 goto out_free_opts;
2804}
2805
12204e24 2806static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2807{
88e67f3b 2808 const struct cred *cred = current_cred();
2bf49690 2809 struct common_audit_data ad;
1da177e4
LT		 2810 int rc;
2811
2812 rc = superblock_doinit(sb, data);
2813 if (rc)
2814 return rc;
2815
74192246
JM		 2816 /* Allow all mounts performed by the kernel */
2817 if (flags & MS_KERNMOUNT)
2818 return 0;
2819
50c205f5 2820 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2821 ad.u.dentry = sb->s_root;
88e67f3b 2822 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2823}
2824
726c3342 2825static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2826{
88e67f3b 2827 const struct cred *cred = current_cred();
2bf49690 2828 struct common_audit_data ad;
1da177e4 2829
50c205f5 2830 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2831 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2832 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2833}
2834
808d4e3c 2835static int selinux_mount(const char *dev_name,
8a04c43b 2836 const struct path *path,
808d4e3c 2837 const char *type,
828dfe1d
EP		 2838 unsigned long flags,
2839 void *data)
1da177e4 2840{
88e67f3b 2841 const struct cred *cred = current_cred();
1da177e4
LT		 2842
2843 if (flags & MS_REMOUNT)
d8c9584e 2844 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2845 FILESYSTEM__REMOUNT, NULL);
1da177e4 2846 else
2875fa00 2847 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2848}
2849
2850static int selinux_umount(struct vfsmount *mnt, int flags)
2851{
88e67f3b 2852 const struct cred *cred = current_cred();
1da177e4 2853
88e67f3b 2854 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2855 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2856}
2857
2858/* inode security operations */
2859
2860static int selinux_inode_alloc_security(struct inode *inode)
2861{
2862 return inode_alloc_security(inode);
2863}
2864
2865static void selinux_inode_free_security(struct inode *inode)
2866{
2867 inode_free_security(inode);
2868}
2869
d47be3df 2870static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2871 const struct qstr *name, void **ctx,
d47be3df
DQ		 2872 u32 *ctxlen)
2873{
d47be3df
DQ		 2874 u32 newsid;
2875 int rc;
2876
c957f6df
VG		 2877 rc = selinux_determine_inode_label(current_security(),
2878 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2879 inode_mode_to_security_class(mode),
2880 &newsid);
2881 if (rc)
2882 return rc;
d47be3df
DQ		 2883
2884 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2885}
2886
a518b0a5
VG		 2887static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2888 struct qstr *name,
2889 const struct cred *old,
2890 struct cred *new)
2891{
2892 u32 newsid;
2893 int rc;
2894 struct task_security_struct *tsec;
2895
2896 rc = selinux_determine_inode_label(old->security,
2897 d_inode(dentry->d_parent), name,
2898 inode_mode_to_security_class(mode),
2899 &newsid);
2900 if (rc)
2901 return rc;
2902
2903 tsec = new->security;
2904 tsec->create_sid = newsid;
2905 return 0;
2906}
2907
5e41ff9e 2908static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2909 const struct qstr *qstr,
2910 const char **name,
2a7dba39 2911 void **value, size_t *len)
5e41ff9e 2912{
5fb49870 2913 const struct task_security_struct *tsec = current_security();
5e41ff9e 2914 struct superblock_security_struct *sbsec;
275bb41e 2915 u32 sid, newsid, clen;
5e41ff9e 2916 int rc;
9548906b 2917 char *context;
5e41ff9e 2918
5e41ff9e 2919 sbsec = dir->i_sb->s_security;
5e41ff9e 2920
275bb41e
DH		 2921 sid = tsec->sid;
2922 newsid = tsec->create_sid;
2923
c957f6df 2924 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2925 dir, qstr,
2926 inode_mode_to_security_class(inode->i_mode),
2927 &newsid);
2928 if (rc)
2929 return rc;
5e41ff9e 2930
296fddf7 2931 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2932 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2933 struct inode_security_struct *isec = inode->i_security;
2934 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2935 isec->sid = newsid;
6f3be9f5 2936 isec->initialized = LABEL_INITIALIZED;
296fddf7 2937 }
5e41ff9e 2938
12f348b9 2939 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2940 return -EOPNOTSUPP;
2941
9548906b
TH		 2942 if (name)
2943 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2944
570bc1c2 2945 if (value && len) {
12b29f34 2946 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2947 if (rc)
570bc1c2 2948 return rc;
570bc1c2
SS		 2949 *value = context;
2950 *len = clen;
5e41ff9e 2951 }
5e41ff9e 2952
5e41ff9e
SS		 2953 return 0;
2954}
2955
4acdaf27 2956static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2957{
2958 return may_create(dir, dentry, SECCLASS_FILE);
2959}
2960
1da177e4
LT		 2961static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2962{
1da177e4
LT		 2963 return may_link(dir, old_dentry, MAY_LINK);
2964}
2965
1da177e4
LT		 2966static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2967{
1da177e4
LT		 2968 return may_link(dir, dentry, MAY_UNLINK);
2969}
2970
2971static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2972{
2973 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2974}
2975
18bb1db3 2976static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2977{
2978 return may_create(dir, dentry, SECCLASS_DIR);
2979}
2980
1da177e4
LT		 2981static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2982{
2983 return may_link(dir, dentry, MAY_RMDIR);
2984}
2985
1a67aafb 2986static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2987{
1da177e4
LT		 2988 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2989}
2990
1da177e4 2991static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2992 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2993{
2994 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2995}
2996
1da177e4
LT		 2997static int selinux_inode_readlink(struct dentry *dentry)
2998{
88e67f3b
DH		 2999 const struct cred *cred = current_cred();
3000
2875fa00 3001 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3002}
3003
bda0be7a
N		 3004static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3005 bool rcu)
1da177e4 3006{
88e67f3b 3007 const struct cred *cred = current_cred();
bda0be7a
N		 3008 struct common_audit_data ad;
3009 struct inode_security_struct *isec;
3010 u32 sid;
1da177e4 3011
bda0be7a
N		 3012 validate_creds(cred);
3013
3014 ad.type = LSM_AUDIT_DATA_DENTRY;
3015 ad.u.dentry = dentry;
3016 sid = cred_sid(cred);
5d226df4
AG		 3017 isec = inode_security_rcu(inode, rcu);
3018 if (IS_ERR(isec))
3019 return PTR_ERR(isec);
bda0be7a
N		 3020
3021 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3022 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3023}
3024
d4cf970d
EP		 3025static noinline int audit_inode_permission(struct inode *inode,
3026 u32 perms, u32 audited, u32 denied,
626b9740 3027 int result,
d4cf970d 3028 unsigned flags)
1da177e4 3029{
b782e0a6 3030 struct common_audit_data ad;
d4cf970d
EP		 3031 struct inode_security_struct *isec = inode->i_security;
3032 int rc;
3033
50c205f5 3034 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3035 ad.u.inode = inode;
3036
3037 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 3038 audited, denied, result, &ad, flags);
d4cf970d
EP		 3039 if (rc)
3040 return rc;
3041 return 0;
3042}
3043
e74f71eb 3044static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3045{
88e67f3b 3046 const struct cred *cred = current_cred();
b782e0a6
EP		 3047 u32 perms;
3048 bool from_access;
cf1dd1da 3049 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3050 struct inode_security_struct *isec;
3051 u32 sid;
3052 struct av_decision avd;
3053 int rc, rc2;
3054 u32 audited, denied;
1da177e4 3055
b782e0a6 3056 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3057 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3058
b782e0a6
EP		 3059 /* No permission to check. Existence test. */
3060 if (!mask)
1da177e4 3061 return 0;
1da177e4 3062
2e334057 3063 validate_creds(cred);
b782e0a6 3064
2e334057
EP		 3065 if (unlikely(IS_PRIVATE(inode)))
3066 return 0;
b782e0a6
EP		 3067
3068 perms = file_mask_to_av(inode->i_mode, mask);
3069
2e334057 3070 sid = cred_sid(cred);
5d226df4
AG		 3071 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3072 if (IS_ERR(isec))
3073 return PTR_ERR(isec);
2e334057
EP		 3074
3075 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3076 audited = avc_audit_required(perms, &avd, rc,
3077 from_access ? FILE__AUDIT_ACCESS : 0,
3078 &denied);
3079 if (likely(!audited))
3080 return rc;
3081
626b9740 3082 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3083 if (rc2)
3084 return rc2;
3085 return rc;
1da177e4
LT		 3086}
3087
3088static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3089{
88e67f3b 3090 const struct cred *cred = current_cred();
ccb54478 3091 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3092 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3093 __u32 av = FILE__WRITE;
1da177e4 3094
bc6a6008
AW		 3095 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3096 if (ia_valid & ATTR_FORCE) {
3097 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3098 ATTR_FORCE);
3099 if (!ia_valid)
3100 return 0;
3101 }
1da177e4 3102
bc6a6008
AW		 3103 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3104 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3105 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3106
ccb54478
SS		 3107 if (selinux_policycap_openperm &&
3108 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3109 (ia_valid & ATTR_SIZE) &&
3110 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3111 av |= FILE__OPEN;
3112
3113 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3114}
3115
3f7036a0 3116static int selinux_inode_getattr(const struct path *path)
1da177e4 3117{
3f7036a0 3118 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3119}
3120
8f0cfa52 3121static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3122{
88e67f3b
DH		 3123 const struct cred *cred = current_cred();
3124
b5376771
SH		 3125 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3126 sizeof XATTR_SECURITY_PREFIX - 1)) {
3127 if (!strcmp(name, XATTR_NAME_CAPS)) {
3128 if (!capable(CAP_SETFCAP))
3129 return -EPERM;
3130 } else if (!capable(CAP_SYS_ADMIN)) {
3131 /* A different attribute in the security namespace.
3132 Restrict to administrator. */
3133 return -EPERM;
3134 }
3135 }
3136
3137 /* Not an attribute we recognize, so just check the
3138 ordinary setattr permission. */
2875fa00 3139 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3140}
3141
db59000a
SS		 3142static bool has_cap_mac_admin(bool audit)
3143{
3144 const struct cred *cred = current_cred();
3145 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3146
3147 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3148 return false;
3149 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3150 return false;
3151 return true;
3152}
3153
8f0cfa52
DH		 3154static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3155 const void *value, size_t size, int flags)
1da177e4 3156{
c6f493d6 3157 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3158 struct inode_security_struct *isec;
1da177e4 3159 struct superblock_security_struct *sbsec;
2bf49690 3160 struct common_audit_data ad;
275bb41e 3161 u32 newsid, sid = current_sid();
1da177e4
LT		 3162 int rc = 0;
3163
b5376771
SH		 3164 if (strcmp(name, XATTR_NAME_SELINUX))
3165 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3166
3167 sbsec = inode->i_sb->s_security;
12f348b9 3168 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3169 return -EOPNOTSUPP;
3170
2e149670 3171 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3172 return -EPERM;
3173
50c205f5 3174 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3175 ad.u.dentry = dentry;
1da177e4 3176
20cdef8d 3177 isec = backing_inode_security(dentry);
275bb41e 3178 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3179 FILE__RELABELFROM, &ad);
3180 if (rc)
3181 return rc;
3182
52a4c640 3183 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3184 if (rc == -EINVAL) {
db59000a 3185 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3186 struct audit_buffer *ab;
3187 size_t audit_size;
3188 const char *str;
3189
3190 /* We strip a nul only if it is at the end, otherwise the
3191 * context contains a nul and we should audit that */
e3fea3f7
AV		 3192 if (value) {
3193 str = value;
3194 if (str[size - 1] == '\0')
3195 audit_size = size - 1;
3196 else
3197 audit_size = size;
3198 } else {
3199 str = "";
3200 audit_size = 0;
3201 }
d6ea83ec
EP		 3202 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3203 audit_log_format(ab, "op=setxattr invalid_context=");
3204 audit_log_n_untrustedstring(ab, value, audit_size);
3205 audit_log_end(ab);
3206
12b29f34 3207 return rc;
d6ea83ec 3208 }
12b29f34
SS		 3209 rc = security_context_to_sid_force(value, size, &newsid);
3210 }
1da177e4
LT		 3211 if (rc)
3212 return rc;
3213
275bb41e 3214 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3215 FILE__RELABELTO, &ad);
3216 if (rc)
3217 return rc;
3218
275bb41e 3219 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3220 isec->sclass);
1da177e4
LT		 3221 if (rc)
3222 return rc;
3223
3224 return avc_has_perm(newsid,
3225 sbsec->sid,
3226 SECCLASS_FILESYSTEM,
3227 FILESYSTEM__ASSOCIATE,
3228 &ad);
3229}
3230
8f0cfa52 3231static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3232 const void *value, size_t size,
8f0cfa52 3233 int flags)
1da177e4 3234{
c6f493d6 3235 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3236 struct inode_security_struct *isec;
1da177e4
LT		 3237 u32 newsid;
3238 int rc;
3239
3240 if (strcmp(name, XATTR_NAME_SELINUX)) {
3241 /* Not an attribute we recognize, so nothing to do. */
3242 return;
3243 }
3244
12b29f34 3245 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3246 if (rc) {
12b29f34
SS		 3247 printk(KERN_ERR "SELinux: unable to map context to SID"
3248 "for (%s, %lu), rc=%d\n",
3249 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3250 return;
3251 }
3252
20cdef8d 3253 isec = backing_inode_security(dentry);
9287aed2 3254 spin_lock(&isec->lock);
aa9c2669 3255 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3256 isec->sid = newsid;
6f3be9f5 3257 isec->initialized = LABEL_INITIALIZED;
9287aed2 3258 spin_unlock(&isec->lock);
aa9c2669 3259
1da177e4
LT		 3260 return;
3261}
3262
8f0cfa52 3263static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3264{
88e67f3b
DH		 3265 const struct cred *cred = current_cred();
3266
2875fa00 3267 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3268}
3269
828dfe1d 3270static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3271{
88e67f3b
DH		 3272 const struct cred *cred = current_cred();
3273
2875fa00 3274 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3275}
3276
8f0cfa52 3277static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3278{
b5376771
SH		 3279 if (strcmp(name, XATTR_NAME_SELINUX))
3280 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3281
3282 /* No one is allowed to remove a SELinux security label.
3283 You can change the label, but all data must be labeled. */
3284 return -EACCES;
3285}
3286
d381d8a9 3287/*
abc69bb6 3288 * Copy the inode security context value to the user.
d381d8a9
JM		 3289 *
3290 * Permission check is handled by selinux_inode_getxattr hook.
3291 */
ea861dfd 3292static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3293{
42492594
DQ		 3294 u32 size;
3295 int error;
3296 char *context = NULL;
20cdef8d 3297 struct inode_security_struct *isec;
d381d8a9 3298
8c8570fb
DK		 3299 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3300 return -EOPNOTSUPP;
d381d8a9 3301
abc69bb6
SS		 3302 /*
3303 * If the caller has CAP_MAC_ADMIN, then get the raw context
3304 * value even if it is not defined by current policy; otherwise,
3305 * use the in-core value under current policy.
3306 * Use the non-auditing forms of the permission checks since
3307 * getxattr may be called by unprivileged processes commonly
3308 * and lack of permission just means that we fall back to the
3309 * in-core context value, not a denial.
3310 */
20cdef8d 3311 isec = inode_security(inode);
db59000a 3312 if (has_cap_mac_admin(false))
abc69bb6
SS		 3313 error = security_sid_to_context_force(isec->sid, &context,
3314 &size);
3315 else
3316 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3317 if (error)
3318 return error;
3319 error = size;
3320 if (alloc) {
3321 *buffer = context;
3322 goto out_nofree;
3323 }
3324 kfree(context);
3325out_nofree:
3326 return error;
1da177e4
LT		 3327}
3328
3329static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3330 const void *value, size_t size, int flags)
1da177e4 3331{
2c97165b 3332 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3333 u32 newsid;
3334 int rc;
3335
3336 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3337 return -EOPNOTSUPP;
3338
3339 if (!value || !size)
3340 return -EACCES;
3341
20ba96ae 3342 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3343 if (rc)
3344 return rc;
3345
9287aed2 3346 spin_lock(&isec->lock);
aa9c2669 3347 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3348 isec->sid = newsid;
6f3be9f5 3349 isec->initialized = LABEL_INITIALIZED;
9287aed2 3350 spin_unlock(&isec->lock);
1da177e4
LT		 3351 return 0;
3352}
3353
3354static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3355{
3356 const int len = sizeof(XATTR_NAME_SELINUX);
3357 if (buffer && len <= buffer_size)
3358 memcpy(buffer, XATTR_NAME_SELINUX, len);
3359 return len;
3360}
3361
d6335d77 3362static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3363{
e817c2f3 3364 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3365 *secid = isec->sid;
3366}
3367
56909eb3
VG		 3368static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3369{
3370 u32 sid;
3371 struct task_security_struct *tsec;
3372 struct cred *new_creds = *new;
3373
3374 if (new_creds == NULL) {
3375 new_creds = prepare_creds();
3376 if (!new_creds)
3377 return -ENOMEM;
3378 }
3379
3380 tsec = new_creds->security;
3381 /* Get label from overlay inode and set it in create_sid */
3382 selinux_inode_getsecid(d_inode(src), &sid);
3383 tsec->create_sid = sid;
3384 *new = new_creds;
3385 return 0;
3386}
3387
19472b69
VG		 3388static int selinux_inode_copy_up_xattr(const char *name)
3389{
3390 /* The copy_up hook above sets the initial context on an inode, but we
3391 * don't then want to overwrite it by blindly copying all the lower
3392 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3393 */
3394 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3395 return 1; /* Discard */
3396 /*
3397 * Any other attribute apart from SELINUX is not claimed, supported
3398 * by selinux.
3399 */
3400 return -EOPNOTSUPP;
3401}
3402
1da177e4
LT		 3403/* file security operations */
3404
788e7dd4 3405static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3406{
88e67f3b 3407 const struct cred *cred = current_cred();
496ad9aa 3408 struct inode *inode = file_inode(file);
1da177e4 3409
1da177e4
LT		 3410 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3411 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3412 mask |= MAY_APPEND;
3413
389fb800
PM		 3414 return file_has_perm(cred, file,
3415 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3416}
3417
788e7dd4
YN		 3418static int selinux_file_permission(struct file *file, int mask)
3419{
496ad9aa 3420 struct inode *inode = file_inode(file);
20dda18b 3421 struct file_security_struct *fsec = file->f_security;
b197367e 3422 struct inode_security_struct *isec;
20dda18b
SS		 3423 u32 sid = current_sid();
3424
389fb800 3425 if (!mask)
788e7dd4
YN		 3426 /* No permission to check. Existence test. */
3427 return 0;
788e7dd4 3428
b197367e 3429 isec = inode_security(inode);
20dda18b
SS		 3430 if (sid == fsec->sid && fsec->isid == isec->sid &&
3431 fsec->pseqno == avc_policy_seqno())
83d49856 3432 /* No change since file_open check. */
20dda18b
SS		 3433 return 0;
3434
788e7dd4
YN		 3435 return selinux_revalidate_file_permission(file, mask);
3436}
3437
1da177e4
LT		 3438static int selinux_file_alloc_security(struct file *file)
3439{
3440 return file_alloc_security(file);
3441}
3442
3443static void selinux_file_free_security(struct file *file)
3444{
3445 file_free_security(file);
3446}
3447
fa1aa143
JVS		 3448/*
3449 * Check whether a task has the ioctl permission and cmd
3450 * operation to an inode.
3451 */
1d2a168a 3452static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3453 u32 requested, u16 cmd)
3454{
3455 struct common_audit_data ad;
3456 struct file_security_struct *fsec = file->f_security;
3457 struct inode *inode = file_inode(file);
20cdef8d 3458 struct inode_security_struct *isec;
fa1aa143
JVS		 3459 struct lsm_ioctlop_audit ioctl;
3460 u32 ssid = cred_sid(cred);
3461 int rc;
3462 u8 driver = cmd >> 8;
3463 u8 xperm = cmd & 0xff;
3464
3465 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3466 ad.u.op = &ioctl;
3467 ad.u.op->cmd = cmd;
3468 ad.u.op->path = file->f_path;
3469
3470 if (ssid != fsec->sid) {
3471 rc = avc_has_perm(ssid, fsec->sid,
3472 SECCLASS_FD,
3473 FD__USE,
3474 &ad);
3475 if (rc)
3476 goto out;
3477 }
3478
3479 if (unlikely(IS_PRIVATE(inode)))
3480 return 0;
3481
20cdef8d 3482 isec = inode_security(inode);
fa1aa143
JVS		 3483 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3484 requested, driver, xperm, &ad);
3485out:
3486 return rc;
3487}
3488
1da177e4
LT		 3489static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3490 unsigned long arg)
3491{
88e67f3b 3492 const struct cred *cred = current_cred();
0b24dcb7 3493 int error = 0;
1da177e4 3494
0b24dcb7
EP		 3495 switch (cmd) {
3496 case FIONREAD:
3497 /* fall through */
3498 case FIBMAP:
3499 /* fall through */
3500 case FIGETBSZ:
3501 /* fall through */
2f99c369 3502 case FS_IOC_GETFLAGS:
0b24dcb7 3503 /* fall through */
2f99c369 3504 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3505 error = file_has_perm(cred, file, FILE__GETATTR);
3506 break;
1da177e4 3507
2f99c369 3508 case FS_IOC_SETFLAGS:
0b24dcb7 3509 /* fall through */
2f99c369 3510 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3511 error = file_has_perm(cred, file, FILE__SETATTR);
3512 break;
3513
3514 /* sys_ioctl() checks */
3515 case FIONBIO:
3516 /* fall through */
3517 case FIOASYNC:
3518 error = file_has_perm(cred, file, 0);
3519 break;
1da177e4 3520
0b24dcb7
EP		 3521 case KDSKBENT:
3522 case KDSKBSENT:
6a9de491 3523 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3524 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3525 break;
3526
3527 /* default case assumes that the command will go
3528 * to the file's ioctl() function.
3529 */
3530 default:
fa1aa143 3531 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3532 }
3533 return error;
1da177e4
LT		 3534}
3535
fcaaade1
SS		 3536static int default_noexec;
3537
1da177e4
LT		 3538static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3539{
88e67f3b 3540 const struct cred *cred = current_cred();
be0554c9 3541 u32 sid = cred_sid(cred);
d84f4f99 3542 int rc = 0;
88e67f3b 3543
fcaaade1 3544 if (default_noexec &&
892e8cac
SS		 3545 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3546 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3547 /*
3548 * We are making executable an anonymous mapping or a
3549 * private file mapping that will also be writable.
3550 * This has an additional check.
3551 */
be0554c9
SS		 3552 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3553 PROCESS__EXECMEM, NULL);
1da177e4 3554 if (rc)
d84f4f99 3555 goto error;
1da177e4 3556 }
1da177e4
LT		 3557
3558 if (file) {
3559 /* read access is always possible with a mapping */
3560 u32 av = FILE__READ;
3561
3562 /* write access only matters if the mapping is shared */
3563 if (shared && (prot & PROT_WRITE))
3564 av |= FILE__WRITE;
3565
3566 if (prot & PROT_EXEC)
3567 av |= FILE__EXECUTE;
3568
88e67f3b 3569 return file_has_perm(cred, file, av);
1da177e4 3570 }
d84f4f99
DH		 3571
3572error:
3573 return rc;
1da177e4
LT		 3574}
3575
e5467859 3576static int selinux_mmap_addr(unsigned long addr)
1da177e4 3577{
b1d9e6b0 3578 int rc = 0;
1da177e4 3579
a2551df7 3580 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3581 u32 sid = current_sid();
ed032189
EP		 3582 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3583 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3584 }
3585
98883bfd 3586 return rc;
e5467859 3587}
1da177e4 3588
e5467859
AV		 3589static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3590 unsigned long prot, unsigned long flags)
3591{
3ba4bf5f
SS		 3592 struct common_audit_data ad;
3593 int rc;
3594
3595 if (file) {
3596 ad.type = LSM_AUDIT_DATA_FILE;
3597 ad.u.file = file;
3598 rc = inode_has_perm(current_cred(), file_inode(file),
3599 FILE__MAP, &ad);
3600 if (rc)
3601 return rc;
3602 }
3603
1da177e4
LT		 3604 if (selinux_checkreqprot)
3605 prot = reqprot;
3606
3607 return file_map_prot_check(file, prot,
3608 (flags & MAP_TYPE) == MAP_SHARED);
3609}
3610
3611static int selinux_file_mprotect(struct vm_area_struct *vma,
3612 unsigned long reqprot,
3613 unsigned long prot)
3614{
88e67f3b 3615 const struct cred *cred = current_cred();
be0554c9 3616 u32 sid = cred_sid(cred);
1da177e4
LT		 3617
3618 if (selinux_checkreqprot)
3619 prot = reqprot;
3620
fcaaade1
SS		 3621 if (default_noexec &&
3622 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3623 int rc = 0;
db4c9641
SS		 3624 if (vma->vm_start >= vma->vm_mm->start_brk &&
3625 vma->vm_end <= vma->vm_mm->brk) {
be0554c9
SS		 3626 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3627 PROCESS__EXECHEAP, NULL);
db4c9641 3628 } else if (!vma->vm_file &&
c2316dbf
SS		 3629 ((vma->vm_start <= vma->vm_mm->start_stack &&
3630 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3631 vma_is_stack_for_current(vma))) {
be0554c9
SS		 3632 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3633 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3634 } else if (vma->vm_file && vma->anon_vma) {
3635 /*
3636 * We are making executable a file mapping that has
3637 * had some COW done. Since pages might have been
3638 * written, check ability to execute the possibly
3639 * modified content. This typically should only
3640 * occur for text relocations.
3641 */
d84f4f99 3642 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3643 }