]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'xtensa-20170612' of git://github.com/jcmvbkbc/linux-xtensa
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
828dfe1d
EP		 7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13 * Eric Paris <[email protected]>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <[email protected]>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <[email protected]>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <[email protected]>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4 30#include <linux/errno.h>
3f07c014 31#include <linux/sched/signal.h>
29930025 32#include <linux/sched/task.h>
3c4ed7bd 33#include <linux/lsm_hooks.h>
1da177e4
LT		 34#include <linux/xattr.h>
35#include <linux/capability.h>
36#include <linux/unistd.h>
37#include <linux/mm.h>
38#include <linux/mman.h>
39#include <linux/slab.h>
40#include <linux/pagemap.h>
0b24dcb7 41#include <linux/proc_fs.h>
1da177e4 42#include <linux/swap.h>
1da177e4
LT		 43#include <linux/spinlock.h>
44#include <linux/syscalls.h>
2a7dba39 45#include <linux/dcache.h>
1da177e4 46#include <linux/file.h>
9f3acc31 47#include <linux/fdtable.h>
1da177e4
LT		 48#include <linux/namei.h>
49#include <linux/mount.h>
1da177e4
LT		 50#include <linux/netfilter_ipv4.h>
51#include <linux/netfilter_ipv6.h>
52#include <linux/tty.h>
53#include <net/icmp.h>
227b60f5 54#include <net/ip.h> /* for local_port_range[] */
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 56#include <net/inet_connection_sock.h>
220deb96 57#include <net/net_namespace.h>
d621d35e 58#include <net/netlabel.h>
f5269710 59#include <linux/uaccess.h>
1da177e4 60#include <asm/ioctls.h>
60063497 61#include <linux/atomic.h>
1da177e4
LT		 62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
77954983 65#include <net/netlink.h>
1da177e4
LT		 66#include <linux/tcp.h>
67#include <linux/udp.h>
2ee92d46 68#include <linux/dccp.h>
1da177e4
LT		 69#include <linux/quota.h>
70#include <linux/un.h> /* for Unix socket types */
71#include <net/af_unix.h> /* for Unix socket types */
72#include <linux/parser.h>
73#include <linux/nfs_mount.h>
74#include <net/ipv6.h>
75#include <linux/hugetlb.h>
76#include <linux/personality.h>
1da177e4 77#include <linux/audit.h>
6931dfc9 78#include <linux/string.h>
877ce7c1 79#include <linux/selinux.h>
23970741 80#include <linux/mutex.h>
f06febc9 81#include <linux/posix-timers.h>
00234592 82#include <linux/syslog.h>
3486740a 83#include <linux/user_namespace.h>
44fc7ea0 84#include <linux/export.h>
40401530
AV		 85#include <linux/msg.h>
86#include <linux/shm.h>
1da177e4
LT		 87
88#include "avc.h"
89#include "objsec.h"
90#include "netif.h"
224dfbd8 91#include "netnode.h"
3e112172 92#include "netport.h"
d28d1e08 93#include "xfrm.h"
c60475bf 94#include "netlabel.h"
9d57a7f9 95#include "audit.h"
7b98a585 96#include "avc_ss.h"
1da177e4 97
d621d35e 98/* SECMARK reference count */
56a4ca99 99static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 100
1da177e4 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 102int selinux_enforcing;
1da177e4
LT		 103
104static int __init enforcing_setup(char *str)
105{
f5269710 106 unsigned long enforcing;
29707b20 107 if (!kstrtoul(str, 0, &enforcing))
f5269710 108 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 109 return 1;
110}
111__setup("enforcing=", enforcing_setup);
112#endif
113
114#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117static int __init selinux_enabled_setup(char *str)
118{
f5269710 119 unsigned long enabled;
29707b20 120 if (!kstrtoul(str, 0, &enabled))
f5269710 121 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 122 return 1;
123}
124__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 125#else
126int selinux_enabled = 1;
1da177e4
LT		 127#endif
128
e18b890b 129static struct kmem_cache *sel_inode_cache;
63205654 130static struct kmem_cache *file_security_cache;
7cae7e26 131
d621d35e
PM		 132/**
133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
134 *
135 * Description:
136 * This function checks the SECMARK reference counter to see if any SECMARK
137 * targets are currently configured, if the reference counter is greater than
138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 139 * enabled, false (0) if SECMARK is disabled. If the always_check_network
140 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 141 *
142 */
143static int selinux_secmark_enabled(void)
144{
2be4d74f
CP		 145 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
146}
147
148/**
149 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
150 *
151 * Description:
152 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
153 * (1) if any are enabled or false (0) if neither are enabled. If the
154 * always_check_network policy capability is enabled, peer labeling
155 * is always considered enabled.
156 *
157 */
158static int selinux_peerlbl_enabled(void)
159{
160 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 161}
162
615e51fd
PM		 163static int selinux_netcache_avc_callback(u32 event)
164{
165 if (event == AVC_CALLBACK_RESET) {
166 sel_netif_flush();
167 sel_netnode_flush();
168 sel_netport_flush();
169 synchronize_net();
170 }
171 return 0;
172}
173
d84f4f99
DH		 174/*
175 * initialise the security for the init task
176 */
177static void cred_init_security(void)
1da177e4 178{
3b11a1de 179 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 180 struct task_security_struct *tsec;
181
89d155ef 182 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 183 if (!tsec)
d84f4f99 184 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 185
d84f4f99 186 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 187 cred->security = tsec;
1da177e4
LT		 188}
189
88e67f3b
DH		 190/*
191 * get the security ID of a set of credentials
192 */
193static inline u32 cred_sid(const struct cred *cred)
194{
195 const struct task_security_struct *tsec;
196
197 tsec = cred->security;
198 return tsec->sid;
199}
200
275bb41e 201/*
3b11a1de 202 * get the objective security ID of a task
275bb41e
DH		 203 */
204static inline u32 task_sid(const struct task_struct *task)
205{
275bb41e
DH		 206 u32 sid;
207
208 rcu_read_lock();
88e67f3b 209 sid = cred_sid(__task_cred(task));
275bb41e
DH		 210 rcu_read_unlock();
211 return sid;
212}
213
88e67f3b
DH		 214/* Allocate and free functions for each kind of security blob. */
215
1da177e4
LT		 216static int inode_alloc_security(struct inode *inode)
217{
1da177e4 218 struct inode_security_struct *isec;
275bb41e 219 u32 sid = current_sid();
1da177e4 220
a02fe132 221 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 222 if (!isec)
223 return -ENOMEM;
224
9287aed2 225 spin_lock_init(&isec->lock);
1da177e4 226 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 227 isec->inode = inode;
228 isec->sid = SECINITSID_UNLABELED;
229 isec->sclass = SECCLASS_FILE;
275bb41e 230 isec->task_sid = sid;
42059112 231 isec->initialized = LABEL_INVALID;
1da177e4
LT		 232 inode->i_security = isec;
233
234 return 0;
235}
236
5d226df4
AG		 237static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
238
239/*
240 * Try reloading inode security labels that have been marked as invalid. The
241 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 242 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 243 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
244 * when no dentry is available, set it to NULL instead.
245 */
246static int __inode_security_revalidate(struct inode *inode,
247 struct dentry *opt_dentry,
248 bool may_sleep)
249{
250 struct inode_security_struct *isec = inode->i_security;
251
252 might_sleep_if(may_sleep);
253
1ac42476 254 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 255 if (!may_sleep)
256 return -ECHILD;
257
258 /*
259 * Try reloading the inode security label. This will fail if
260 * @opt_dentry is NULL and no dentry for this inode can be
261 * found; in that case, continue using the old label.
262 */
263 inode_doinit_with_dentry(inode, opt_dentry);
264 }
265 return 0;
266}
267
5d226df4
AG		 268static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
269{
270 return inode->i_security;
271}
272
273static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
274{
275 int error;
276
277 error = __inode_security_revalidate(inode, NULL, !rcu);
278 if (error)
279 return ERR_PTR(error);
280 return inode->i_security;
281}
282
83da53c5
AG		 283/*
284 * Get the security label of an inode.
285 */
286static struct inode_security_struct *inode_security(struct inode *inode)
287{
5d226df4 288 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 289 return inode->i_security;
290}
291
2c97165b
PM		 292static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
293{
294 struct inode *inode = d_backing_inode(dentry);
295
296 return inode->i_security;
297}
298
83da53c5
AG		 299/*
300 * Get the security label of a dentry's backing inode.
301 */
302static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
303{
304 struct inode *inode = d_backing_inode(dentry);
305
5d226df4 306 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 307 return inode->i_security;
308}
309
3dc91d43
SR		 310static void inode_free_rcu(struct rcu_head *head)
311{
312 struct inode_security_struct *isec;
313
314 isec = container_of(head, struct inode_security_struct, rcu);
315 kmem_cache_free(sel_inode_cache, isec);
316}
317
1da177e4
LT		 318static void inode_free_security(struct inode *inode)
319{
320 struct inode_security_struct *isec = inode->i_security;
321 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
322
9629d04a
WL		 323 /*
324 * As not all inode security structures are in a list, we check for
325 * empty list outside of the lock to make sure that we won't waste
326 * time taking a lock doing nothing.
327 *
328 * The list_del_init() function can be safely called more than once.
329 * It should not be possible for this function to be called with
330 * concurrent list_add(), but for better safety against future changes
331 * in the code, we use list_empty_careful() here.
332 */
333 if (!list_empty_careful(&isec->list)) {
334 spin_lock(&sbsec->isec_lock);
1da177e4 335 list_del_init(&isec->list);
9629d04a
WL		 336 spin_unlock(&sbsec->isec_lock);
337 }
1da177e4 338
3dc91d43
SR		 339 /*
340 * The inode may still be referenced in a path walk and
341 * a call to selinux_inode_permission() can be made
342 * after inode_free_security() is called. Ideally, the VFS
343 * wouldn't do this, but fixing that is a much harder
344 * job. For now, simply free the i_security via RCU, and
345 * leave the current inode->i_security pointer intact.
346 * The inode will be freed after the RCU grace period too.
347 */
348 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 349}
350
351static int file_alloc_security(struct file *file)
352{
1da177e4 353 struct file_security_struct *fsec;
275bb41e 354 u32 sid = current_sid();
1da177e4 355
63205654 356 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 357 if (!fsec)
358 return -ENOMEM;
359
275bb41e
DH		 360 fsec->sid = sid;
361 fsec->fown_sid = sid;
1da177e4
LT		 362 file->f_security = fsec;
363
364 return 0;
365}
366
367static void file_free_security(struct file *file)
368{
369 struct file_security_struct *fsec = file->f_security;
1da177e4 370 file->f_security = NULL;
63205654 371 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 372}
373
374static int superblock_alloc_security(struct super_block *sb)
375{
376 struct superblock_security_struct *sbsec;
377
89d155ef 378 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 379 if (!sbsec)
380 return -ENOMEM;
381
bc7e982b 382 mutex_init(&sbsec->lock);
1da177e4
LT		 383 INIT_LIST_HEAD(&sbsec->isec_head);
384 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 385 sbsec->sb = sb;
386 sbsec->sid = SECINITSID_UNLABELED;
387 sbsec->def_sid = SECINITSID_FILE;
c312feb2 388 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 389 sb->s_security = sbsec;
390
391 return 0;
392}
393
394static void superblock_free_security(struct super_block *sb)
395{
396 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 397 sb->s_security = NULL;
398 kfree(sbsec);
399}
400
1da177e4
LT		 401/* The file system's label must be initialized prior to use. */
402
eb9ae686 403static const char *labeling_behaviors[7] = {
1da177e4
LT		 404 "uses xattr",
405 "uses transition SIDs",
406 "uses task SIDs",
407 "uses genfs_contexts",
408 "not configured for labeling",
409 "uses mountpoint labeling",
eb9ae686 410 "uses native labeling",
1da177e4
LT		 411};
412
1da177e4
LT		 413static inline int inode_doinit(struct inode *inode)
414{
415 return inode_doinit_with_dentry(inode, NULL);
416}
417
418enum {
31e87930 419 Opt_error = -1,
1da177e4
LT		 420 Opt_context = 1,
421 Opt_fscontext = 2,
c9180a57
EP		 422 Opt_defcontext = 3,
423 Opt_rootcontext = 4,
11689d47 424 Opt_labelsupport = 5,
d355987f 425 Opt_nextmntopt = 6,
1da177e4
LT		 426};
427
d355987f
EP		 428#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
429
a447c093 430static const match_table_t tokens = {
832cbd9a
EP		 431 {Opt_context, CONTEXT_STR "%s"},
432 {Opt_fscontext, FSCONTEXT_STR "%s"},
433 {Opt_defcontext, DEFCONTEXT_STR "%s"},
434 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 435 {Opt_labelsupport, LABELSUPP_STR},
31e87930 436 {Opt_error, NULL},
1da177e4
LT		 437};
438
439#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
440
c312feb2
EP		 441static int may_context_mount_sb_relabel(u32 sid,
442 struct superblock_security_struct *sbsec,
275bb41e 443 const struct cred *cred)
c312feb2 444{
275bb41e 445 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 446 int rc;
447
448 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449 FILESYSTEM__RELABELFROM, NULL);
450 if (rc)
451 return rc;
452
453 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454 FILESYSTEM__RELABELTO, NULL);
455 return rc;
456}
457
0808925e
EP		 458static int may_context_mount_inode_relabel(u32 sid,
459 struct superblock_security_struct *sbsec,
275bb41e 460 const struct cred *cred)
0808925e 461{
275bb41e 462 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 463 int rc;
464 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__RELABELFROM, NULL);
466 if (rc)
467 return rc;
468
469 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470 FILESYSTEM__ASSOCIATE, NULL);
471 return rc;
472}
473
b43e725d
EP		 474static int selinux_is_sblabel_mnt(struct super_block *sb)
475{
476 struct superblock_security_struct *sbsec = sb->s_security;
477
d5f3a5f6
MS		 478 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
479 sbsec->behavior == SECURITY_FS_USE_TRANS ||
480 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 481 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 482 /* Special handling. Genfs but also in-core setxattr handler */
483 !strcmp(sb->s_type->name, "sysfs") ||
484 !strcmp(sb->s_type->name, "pstore") ||
485 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 486 !strcmp(sb->s_type->name, "tracefs") ||
2651225b
SS		 487 !strcmp(sb->s_type->name, "rootfs") ||
488 (selinux_policycap_cgroupseclabel &&
489 (!strcmp(sb->s_type->name, "cgroup") ||
490 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 491}
492
c9180a57 493static int sb_finish_set_opts(struct super_block *sb)
1da177e4 494{
1da177e4 495 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 496 struct dentry *root = sb->s_root;
c6f493d6 497 struct inode *root_inode = d_backing_inode(root);
c9180a57 498 int rc = 0;
1da177e4 499
c9180a57
EP		 500 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
501 /* Make sure that the xattr handler exists and that no
502 error other than -ENODATA is returned by getxattr on
503 the root directory. -ENODATA is ok, as this may be
504 the first boot of the SELinux kernel before we have
505 assigned xattr values to the filesystem. */
5d6c3191 506 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 507 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
508 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 509 rc = -EOPNOTSUPP;
510 goto out;
511 }
5d6c3191
AG		 512
513 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 514 if (rc < 0 && rc != -ENODATA) {
515 if (rc == -EOPNOTSUPP)
516 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 517 "%s) has no security xattr handler\n",
518 sb->s_id, sb->s_type->name);
c9180a57
EP		 519 else
520 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 521 "%s) getxattr errno %d\n", sb->s_id,
522 sb->s_type->name, -rc);
c9180a57
EP		 523 goto out;
524 }
525 }
1da177e4 526
c9180a57 527 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 528 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
529 sb->s_id, sb->s_type->name);
1da177e4 530
eadcabc6 531 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 532 if (selinux_is_sblabel_mnt(sb))
12f348b9 533 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 534
c9180a57
EP		 535 /* Initialize the root inode. */
536 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 537
c9180a57
EP		 538 /* Initialize any other inodes associated with the superblock, e.g.
539 inodes created prior to initial policy load or inodes created
540 during get_sb by a pseudo filesystem that directly
541 populates itself. */
542 spin_lock(&sbsec->isec_lock);
543next_inode:
544 if (!list_empty(&sbsec->isec_head)) {
545 struct inode_security_struct *isec =
546 list_entry(sbsec->isec_head.next,
547 struct inode_security_struct, list);
548 struct inode *inode = isec->inode;
923190d3 549 list_del_init(&isec->list);
c9180a57
EP		 550 spin_unlock(&sbsec->isec_lock);
551 inode = igrab(inode);
552 if (inode) {
553 if (!IS_PRIVATE(inode))
554 inode_doinit(inode);
555 iput(inode);
556 }
557 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 558 goto next_inode;
559 }
560 spin_unlock(&sbsec->isec_lock);
561out:
562 return rc;
563}
1da177e4 564
c9180a57
EP		 565/*
566 * This function should allow an FS to ask what it's mount security
567 * options were so it can use those later for submounts, displaying
568 * mount options, or whatever.
569 */
570static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 571 struct security_mnt_opts *opts)
c9180a57
EP		 572{
573 int rc = 0, i;
574 struct superblock_security_struct *sbsec = sb->s_security;
575 char *context = NULL;
576 u32 len;
577 char tmp;
1da177e4 578
e0007529 579 security_init_mnt_opts(opts);
1da177e4 580
0d90a7ec 581 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 582 return -EINVAL;
1da177e4 583
c9180a57
EP		 584 if (!ss_initialized)
585 return -EINVAL;
1da177e4 586
af8e50cc
EP		 587 /* make sure we always check enough bits to cover the mask */
588 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
589
0d90a7ec 590 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 591 /* count the number of mount options for this sb */
af8e50cc 592 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 593 if (tmp & 0x01)
e0007529 594 opts->num_mnt_opts++;
c9180a57
EP		 595 tmp >>= 1;
596 }
11689d47 597 /* Check if the Label support flag is set */
0b4bdb35 598 if (sbsec->flags & SBLABEL_MNT)
11689d47 599 opts->num_mnt_opts++;
1da177e4 600
e0007529
EP		 601 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
602 if (!opts->mnt_opts) {
c9180a57
EP		 603 rc = -ENOMEM;
604 goto out_free;
605 }
1da177e4 606
e0007529
EP		 607 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
608 if (!opts->mnt_opts_flags) {
c9180a57
EP		 609 rc = -ENOMEM;
610 goto out_free;
611 }
1da177e4 612
c9180a57
EP		 613 i = 0;
614 if (sbsec->flags & FSCONTEXT_MNT) {
615 rc = security_sid_to_context(sbsec->sid, &context, &len);
616 if (rc)
617 goto out_free;
e0007529
EP		 618 opts->mnt_opts[i] = context;
619 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 620 }
621 if (sbsec->flags & CONTEXT_MNT) {
622 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
623 if (rc)
624 goto out_free;
e0007529
EP		 625 opts->mnt_opts[i] = context;
626 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 627 }
628 if (sbsec->flags & DEFCONTEXT_MNT) {
629 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
630 if (rc)
631 goto out_free;
e0007529
EP		 632 opts->mnt_opts[i] = context;
633 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 634 }
635 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 636 struct dentry *root = sbsec->sb->s_root;
637 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 638
c9180a57
EP		 639 rc = security_sid_to_context(isec->sid, &context, &len);
640 if (rc)
641 goto out_free;
e0007529
EP		 642 opts->mnt_opts[i] = context;
643 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 644 }
12f348b9 645 if (sbsec->flags & SBLABEL_MNT) {
11689d47 646 opts->mnt_opts[i] = NULL;
12f348b9 647 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 648 }
1da177e4 649
e0007529 650 BUG_ON(i != opts->num_mnt_opts);
1da177e4 651
c9180a57
EP		 652 return 0;
653
654out_free:
e0007529 655 security_free_mnt_opts(opts);
c9180a57
EP		 656 return rc;
657}
1da177e4 658
c9180a57
EP		 659static int bad_option(struct superblock_security_struct *sbsec, char flag,
660 u32 old_sid, u32 new_sid)
661{
0d90a7ec
DQ		 662 char mnt_flags = sbsec->flags & SE_MNTMASK;
663
c9180a57 664 /* check if the old mount command had the same options */
0d90a7ec 665 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 666 if (!(sbsec->flags & flag) ||
667 (old_sid != new_sid))
668 return 1;
669
670 /* check if we were passed the same options twice,
671 * aka someone passed context=a,context=b
672 */
0d90a7ec
DQ		 673 if (!(sbsec->flags & SE_SBINITIALIZED))
674 if (mnt_flags & flag)
c9180a57
EP		 675 return 1;
676 return 0;
677}
e0007529 678
c9180a57
EP		 679/*
680 * Allow filesystems with binary mount data to explicitly set mount point
681 * labeling information.
682 */
e0007529 683static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 684 struct security_mnt_opts *opts,
685 unsigned long kern_flags,
686 unsigned long *set_kern_flags)
c9180a57 687{
275bb41e 688 const struct cred *cred = current_cred();
c9180a57 689 int rc = 0, i;
c9180a57 690 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 691 const char *name = sb->s_type->name;
83da53c5 692 struct dentry *root = sbsec->sb->s_root;
2c97165b 693 struct inode_security_struct *root_isec;
c9180a57
EP		 694 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
695 u32 defcontext_sid = 0;
e0007529
EP		 696 char **mount_options = opts->mnt_opts;
697 int *flags = opts->mnt_opts_flags;
698 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 699
700 mutex_lock(&sbsec->lock);
701
702 if (!ss_initialized) {
703 if (!num_opts) {
704 /* Defer initialization until selinux_complete_init,
705 after the initial policy is loaded and the security
706 server is ready to handle calls. */
c9180a57
EP		 707 goto out;
708 }
709 rc = -EINVAL;
744ba35e
EP		 710 printk(KERN_WARNING "SELinux: Unable to set superblock options "
711 "before the security server is initialized\n");
1da177e4 712 goto out;
c9180a57 713 }
649f6e77
DQ		 714 if (kern_flags && !set_kern_flags) {
715 /* Specifying internal flags without providing a place to
716 * place the results is not allowed */
717 rc = -EINVAL;
718 goto out;
719 }
1da177e4 720
e0007529
EP		 721 /*
722 * Binary mount data FS will come through this function twice. Once
723 * from an explicit call and once from the generic calls from the vfs.
724 * Since the generic VFS calls will not contain any security mount data
725 * we need to skip the double mount verification.
726 *
727 * This does open a hole in which we will not notice if the first
728 * mount using this sb set explict options and a second mount using
729 * this sb does not set any security options. (The first options
730 * will be used for both mounts)
731 */
0d90a7ec 732 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 733 && (num_opts == 0))
f5269710 734 goto out;
e0007529 735
2c97165b
PM		 736 root_isec = backing_inode_security_novalidate(root);
737
c9180a57
EP		 738 /*
739 * parse the mount options, check if they are valid sids.
740 * also check if someone is trying to mount the same sb more
741 * than once with different security options.
742 */
743 for (i = 0; i < num_opts; i++) {
744 u32 sid;
11689d47 745
12f348b9 746 if (flags[i] == SBLABEL_MNT)
11689d47 747 continue;
44be2f65 748 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 749 if (rc) {
44be2f65 750 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 751 "(%s) failed for (dev %s, type %s) errno=%d\n",
752 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 753 goto out;
754 }
755 switch (flags[i]) {
756 case FSCONTEXT_MNT:
757 fscontext_sid = sid;
758
759 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
760 fscontext_sid))
761 goto out_double_mount;
762
763 sbsec->flags |= FSCONTEXT_MNT;
764 break;
765 case CONTEXT_MNT:
766 context_sid = sid;
767
768 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
769 context_sid))
770 goto out_double_mount;
771
772 sbsec->flags |= CONTEXT_MNT;
773 break;
774 case ROOTCONTEXT_MNT:
775 rootcontext_sid = sid;
776
777 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
778 rootcontext_sid))
779 goto out_double_mount;
780
781 sbsec->flags |= ROOTCONTEXT_MNT;
782
783 break;
784 case DEFCONTEXT_MNT:
785 defcontext_sid = sid;
786
787 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
788 defcontext_sid))
789 goto out_double_mount;
790
791 sbsec->flags |= DEFCONTEXT_MNT;
792
793 break;
794 default:
795 rc = -EINVAL;
796 goto out;
1da177e4 797 }
c9180a57
EP		 798 }
799
0d90a7ec 800 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 801 /* previously mounted with options, but not on this attempt? */
0d90a7ec 802 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 803 goto out_double_mount;
804 rc = 0;
805 goto out;
806 }
807
089be43e 808 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 809 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
810
8e014720
SS		 811 if (!strcmp(sb->s_type->name, "debugfs") ||
812 !strcmp(sb->s_type->name, "sysfs") ||
813 !strcmp(sb->s_type->name, "pstore"))
134509d5 814 sbsec->flags |= SE_SBGENFS;
c9180a57 815
eb9ae686
DQ		 816 if (!sbsec->behavior) {
817 /*
818 * Determine the labeling behavior to use for this
819 * filesystem type.
820 */
98f700f3 821 rc = security_fs_use(sb);
eb9ae686
DQ		 822 if (rc) {
823 printk(KERN_WARNING
824 "%s: security_fs_use(%s) returned %d\n",
825 __func__, sb->s_type->name, rc);
826 goto out;
827 }
c9180a57 828 }
aad82892
SF		 829
830 /*
01593d32
SS		 831 * If this is a user namespace mount and the filesystem type is not
832 * explicitly whitelisted, then no contexts are allowed on the command
833 * line and security labels must be ignored.
aad82892 834 */
01593d32
SS		 835 if (sb->s_user_ns != &init_user_ns &&
836 strcmp(sb->s_type->name, "tmpfs") &&
837 strcmp(sb->s_type->name, "ramfs") &&
838 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 839 if (context_sid || fscontext_sid || rootcontext_sid ||
840 defcontext_sid) {
841 rc = -EACCES;
842 goto out;
843 }
844 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
845 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
846 rc = security_transition_sid(current_sid(), current_sid(),
847 SECCLASS_FILE, NULL,
848 &sbsec->mntpoint_sid);
849 if (rc)
850 goto out;
851 }
852 goto out_set_opts;
853 }
854
c9180a57
EP		 855 /* sets the context of the superblock for the fs being mounted. */
856 if (fscontext_sid) {
275bb41e 857 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 858 if (rc)
c9180a57 859 goto out;
1da177e4 860
c9180a57 861 sbsec->sid = fscontext_sid;
c312feb2
EP		 862 }
863
864 /*
865 * Switch to using mount point labeling behavior.
866 * sets the label used on all file below the mountpoint, and will set
867 * the superblock context if not already set.
868 */
eb9ae686
DQ		 869 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
870 sbsec->behavior = SECURITY_FS_USE_NATIVE;
871 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
872 }
873
c9180a57
EP		 874 if (context_sid) {
875 if (!fscontext_sid) {
275bb41e
DH		 876 rc = may_context_mount_sb_relabel(context_sid, sbsec,
877 cred);
b04ea3ce 878 if (rc)
c9180a57
EP		 879 goto out;
880 sbsec->sid = context_sid;
b04ea3ce 881 } else {
275bb41e
DH		 882 rc = may_context_mount_inode_relabel(context_sid, sbsec,
883 cred);
b04ea3ce 884 if (rc)
c9180a57 885 goto out;
b04ea3ce 886 }
c9180a57
EP		 887 if (!rootcontext_sid)
888 rootcontext_sid = context_sid;
1da177e4 889
c9180a57 890 sbsec->mntpoint_sid = context_sid;
c312feb2 891 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 892 }
893
c9180a57 894 if (rootcontext_sid) {
275bb41e
DH		 895 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
896 cred);
0808925e 897 if (rc)
c9180a57 898 goto out;
0808925e 899
c9180a57 900 root_isec->sid = rootcontext_sid;
6f3be9f5 901 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 902 }
903
c9180a57 904 if (defcontext_sid) {
eb9ae686
DQ		 905 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
906 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 907 rc = -EINVAL;
908 printk(KERN_WARNING "SELinux: defcontext option is "
909 "invalid for this filesystem type\n");
910 goto out;
1da177e4
LT		 911 }
912
c9180a57
EP		 913 if (defcontext_sid != sbsec->def_sid) {
914 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 915 sbsec, cred);
c9180a57
EP		 916 if (rc)
917 goto out;
918 }
1da177e4 919
c9180a57 920 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 921 }
922
aad82892 923out_set_opts:
c9180a57 924 rc = sb_finish_set_opts(sb);
1da177e4 925out:
c9180a57 926 mutex_unlock(&sbsec->lock);
1da177e4 927 return rc;
c9180a57
EP		 928out_double_mount:
929 rc = -EINVAL;
930 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 931 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 932 goto out;
1da177e4
LT		 933}
934
094f7b69
JL		 935static int selinux_cmp_sb_context(const struct super_block *oldsb,
936 const struct super_block *newsb)
937{
938 struct superblock_security_struct *old = oldsb->s_security;
939 struct superblock_security_struct *new = newsb->s_security;
940 char oldflags = old->flags & SE_MNTMASK;
941 char newflags = new->flags & SE_MNTMASK;
942
943 if (oldflags != newflags)
944 goto mismatch;
945 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
946 goto mismatch;
947 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
948 goto mismatch;
949 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
950 goto mismatch;
951 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 952 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
953 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 954 if (oldroot->sid != newroot->sid)
955 goto mismatch;
956 }
957 return 0;
958mismatch:
959 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
960 "different security settings for (dev %s, "
961 "type %s)\n", newsb->s_id, newsb->s_type->name);
962 return -EBUSY;
963}
964
965static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 966 struct super_block *newsb)
1da177e4 967{
c9180a57
EP		 968 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
969 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 970
c9180a57
EP		 971 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
972 int set_context = (oldsbsec->flags & CONTEXT_MNT);
973 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 974
0f5e6420
EP		 975 /*
976 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 977 * mount options. thus we can safely deal with this superblock later
0f5e6420 978 */
e8c26255 979 if (!ss_initialized)
094f7b69 980 return 0;
c9180a57 981
c9180a57 982 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 983 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 984
094f7b69 985 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 986 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 987 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 988
c9180a57
EP		 989 mutex_lock(&newsbsec->lock);
990
991 newsbsec->flags = oldsbsec->flags;
992
993 newsbsec->sid = oldsbsec->sid;
994 newsbsec->def_sid = oldsbsec->def_sid;
995 newsbsec->behavior = oldsbsec->behavior;
996
997 if (set_context) {
998 u32 sid = oldsbsec->mntpoint_sid;
999
1000 if (!set_fscontext)
1001 newsbsec->sid = sid;
1002 if (!set_rootcontext) {
83da53c5 1003 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1004 newisec->sid = sid;
1005 }
1006 newsbsec->mntpoint_sid = sid;
1da177e4 1007 }
c9180a57 1008 if (set_rootcontext) {
83da53c5
AG		 1009 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1010 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1011
c9180a57 1012 newisec->sid = oldisec->sid;
1da177e4
LT		 1013 }
1014
c9180a57
EP		 1015 sb_finish_set_opts(newsb);
1016 mutex_unlock(&newsbsec->lock);
094f7b69 1017 return 0;
c9180a57
EP		 1018}
1019
2e1479d9
AB		 1020static int selinux_parse_opts_str(char *options,
1021 struct security_mnt_opts *opts)
c9180a57 1022{
e0007529 1023 char *p;
c9180a57
EP		 1024 char *context = NULL, *defcontext = NULL;
1025 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1026 int rc, num_mnt_opts = 0;
1da177e4 1027
e0007529 1028 opts->num_mnt_opts = 0;
1da177e4 1029
c9180a57
EP		 1030 /* Standard string-based options. */
1031 while ((p = strsep(&options, "|")) != NULL) {
1032 int token;
1033 substring_t args[MAX_OPT_ARGS];
1da177e4 1034
c9180a57
EP		 1035 if (!*p)
1036 continue;
1da177e4 1037
c9180a57 1038 token = match_token(p, tokens, args);
1da177e4 1039
c9180a57
EP		 1040 switch (token) {
1041 case Opt_context:
1042 if (context || defcontext) {
1043 rc = -EINVAL;
1044 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1045 goto out_err;
1046 }
1047 context = match_strdup(&args[0]);
1048 if (!context) {
1049 rc = -ENOMEM;
1050 goto out_err;
1051 }
1052 break;
1053
1054 case Opt_fscontext:
1055 if (fscontext) {
1056 rc = -EINVAL;
1057 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1058 goto out_err;
1059 }
1060 fscontext = match_strdup(&args[0]);
1061 if (!fscontext) {
1062 rc = -ENOMEM;
1063 goto out_err;
1064 }
1065 break;
1066
1067 case Opt_rootcontext:
1068 if (rootcontext) {
1069 rc = -EINVAL;
1070 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1071 goto out_err;
1072 }
1073 rootcontext = match_strdup(&args[0]);
1074 if (!rootcontext) {
1075 rc = -ENOMEM;
1076 goto out_err;
1077 }
1078 break;
1079
1080 case Opt_defcontext:
1081 if (context || defcontext) {
1082 rc = -EINVAL;
1083 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1084 goto out_err;
1085 }
1086 defcontext = match_strdup(&args[0]);
1087 if (!defcontext) {
1088 rc = -ENOMEM;
1089 goto out_err;
1090 }
1091 break;
11689d47
DQ		 1092 case Opt_labelsupport:
1093 break;
c9180a57
EP		 1094 default:
1095 rc = -EINVAL;
1096 printk(KERN_WARNING "SELinux: unknown mount option\n");
1097 goto out_err;
1da177e4 1098
1da177e4 1099 }
1da177e4 1100 }
c9180a57 1101
e0007529 1102 rc = -ENOMEM;
8931c3bd 1103 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1104 if (!opts->mnt_opts)
1105 goto out_err;
1106
8931c3bd
TH		 1107 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1108 GFP_KERNEL);
e0007529
EP		 1109 if (!opts->mnt_opts_flags) {
1110 kfree(opts->mnt_opts);
1111 goto out_err;
1112 }
1113
c9180a57 1114 if (fscontext) {
e0007529
EP		 1115 opts->mnt_opts[num_mnt_opts] = fscontext;
1116 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1117 }
1118 if (context) {
e0007529
EP		 1119 opts->mnt_opts[num_mnt_opts] = context;
1120 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1121 }
1122 if (rootcontext) {
e0007529
EP		 1123 opts->mnt_opts[num_mnt_opts] = rootcontext;
1124 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1125 }
1126 if (defcontext) {
e0007529
EP		 1127 opts->mnt_opts[num_mnt_opts] = defcontext;
1128 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1129 }
1130
e0007529
EP		 1131 opts->num_mnt_opts = num_mnt_opts;
1132 return 0;
1133
c9180a57
EP		 1134out_err:
1135 kfree(context);
1136 kfree(defcontext);
1137 kfree(fscontext);
1138 kfree(rootcontext);
1da177e4
LT		 1139 return rc;
1140}
e0007529
EP		 1141/*
1142 * string mount options parsing and call set the sbsec
1143 */
1144static int superblock_doinit(struct super_block *sb, void *data)
1145{
1146 int rc = 0;
1147 char *options = data;
1148 struct security_mnt_opts opts;
1149
1150 security_init_mnt_opts(&opts);
1151
1152 if (!data)
1153 goto out;
1154
1155 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1156
1157 rc = selinux_parse_opts_str(options, &opts);
1158 if (rc)
1159 goto out_err;
1160
1161out:
649f6e77 1162 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1163
1164out_err:
1165 security_free_mnt_opts(&opts);
1166 return rc;
1167}
1da177e4 1168
3583a711
AB		 1169static void selinux_write_opts(struct seq_file *m,
1170 struct security_mnt_opts *opts)
2069f457
EP		 1171{
1172 int i;
1173 char *prefix;
1174
1175 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1176 char *has_comma;
1177
1178 if (opts->mnt_opts[i])
1179 has_comma = strchr(opts->mnt_opts[i], ',');
1180 else
1181 has_comma = NULL;
2069f457
EP		 1182
1183 switch (opts->mnt_opts_flags[i]) {
1184 case CONTEXT_MNT:
1185 prefix = CONTEXT_STR;
1186 break;
1187 case FSCONTEXT_MNT:
1188 prefix = FSCONTEXT_STR;
1189 break;
1190 case ROOTCONTEXT_MNT:
1191 prefix = ROOTCONTEXT_STR;
1192 break;
1193 case DEFCONTEXT_MNT:
1194 prefix = DEFCONTEXT_STR;
1195 break;
12f348b9 1196 case SBLABEL_MNT:
11689d47
DQ		 1197 seq_putc(m, ',');
1198 seq_puts(m, LABELSUPP_STR);
1199 continue;
2069f457
EP		 1200 default:
1201 BUG();
a35c6c83 1202 return;
2069f457
EP		 1203 };
1204 /* we need a comma before each option */
1205 seq_putc(m, ',');
1206 seq_puts(m, prefix);
1207 if (has_comma)
1208 seq_putc(m, '\"');
a068acf2 1209 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1210 if (has_comma)
1211 seq_putc(m, '\"');
1212 }
1213}
1214
1215static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1216{
1217 struct security_mnt_opts opts;
1218 int rc;
1219
1220 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1221 if (rc) {
1222 /* before policy load we may get EINVAL, don't show anything */
1223 if (rc == -EINVAL)
1224 rc = 0;
2069f457 1225 return rc;
383795c2 1226 }
2069f457
EP		 1227
1228 selinux_write_opts(m, &opts);
1229
1230 security_free_mnt_opts(&opts);
1231
1232 return rc;
1233}
1234
1da177e4
LT		 1235static inline u16 inode_mode_to_security_class(umode_t mode)
1236{
1237 switch (mode & S_IFMT) {
1238 case S_IFSOCK:
1239 return SECCLASS_SOCK_FILE;
1240 case S_IFLNK:
1241 return SECCLASS_LNK_FILE;
1242 case S_IFREG:
1243 return SECCLASS_FILE;
1244 case S_IFBLK:
1245 return SECCLASS_BLK_FILE;
1246 case S_IFDIR:
1247 return SECCLASS_DIR;
1248 case S_IFCHR:
1249 return SECCLASS_CHR_FILE;
1250 case S_IFIFO:
1251 return SECCLASS_FIFO_FILE;
1252
1253 }
1254
1255 return SECCLASS_FILE;
1256}
1257
13402580
JM		 1258static inline int default_protocol_stream(int protocol)
1259{
1260 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1261}
1262
1263static inline int default_protocol_dgram(int protocol)
1264{
1265 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1266}
1267
1da177e4
LT		 1268static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1269{
da69a530
SS		 1270 int extsockclass = selinux_policycap_extsockclass;
1271
1da177e4
LT		 1272 switch (family) {
1273 case PF_UNIX:
1274 switch (type) {
1275 case SOCK_STREAM:
1276 case SOCK_SEQPACKET:
1277 return SECCLASS_UNIX_STREAM_SOCKET;
1278 case SOCK_DGRAM:
1279 return SECCLASS_UNIX_DGRAM_SOCKET;
1280 }
1281 break;
1282 case PF_INET:
1283 case PF_INET6:
1284 switch (type) {
1285 case SOCK_STREAM:
da69a530 1286 case SOCK_SEQPACKET:
13402580
JM		 1287 if (default_protocol_stream(protocol))
1288 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1289 else if (extsockclass && protocol == IPPROTO_SCTP)
1290 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1291 else
1292 return SECCLASS_RAWIP_SOCKET;
1da177e4 1293 case SOCK_DGRAM:
13402580
JM		 1294 if (default_protocol_dgram(protocol))
1295 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1296 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1297 protocol == IPPROTO_ICMPV6))
da69a530 1298 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1299 else
1300 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1301 case SOCK_DCCP:
1302 return SECCLASS_DCCP_SOCKET;
13402580 1303 default:
1da177e4
LT		 1304 return SECCLASS_RAWIP_SOCKET;
1305 }
1306 break;
1307 case PF_NETLINK:
1308 switch (protocol) {
1309 case NETLINK_ROUTE:
1310 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1311 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1312 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1313 case NETLINK_NFLOG:
1314 return SECCLASS_NETLINK_NFLOG_SOCKET;
1315 case NETLINK_XFRM:
1316 return SECCLASS_NETLINK_XFRM_SOCKET;
1317 case NETLINK_SELINUX:
1318 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1319 case NETLINK_ISCSI:
1320 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1321 case NETLINK_AUDIT:
1322 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1323 case NETLINK_FIB_LOOKUP:
1324 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1325 case NETLINK_CONNECTOR:
1326 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1327 case NETLINK_NETFILTER:
1328 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1329 case NETLINK_DNRTMSG:
1330 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1331 case NETLINK_KOBJECT_UEVENT:
1332 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1333 case NETLINK_GENERIC:
1334 return SECCLASS_NETLINK_GENERIC_SOCKET;
1335 case NETLINK_SCSITRANSPORT:
1336 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1337 case NETLINK_RDMA:
1338 return SECCLASS_NETLINK_RDMA_SOCKET;
1339 case NETLINK_CRYPTO:
1340 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1341 default:
1342 return SECCLASS_NETLINK_SOCKET;
1343 }
1344 case PF_PACKET:
1345 return SECCLASS_PACKET_SOCKET;
1346 case PF_KEY:
1347 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1348 case PF_APPLETALK:
1349 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1350 }
1351
da69a530
SS		 1352 if (extsockclass) {
1353 switch (family) {
1354 case PF_AX25:
1355 return SECCLASS_AX25_SOCKET;
1356 case PF_IPX:
1357 return SECCLASS_IPX_SOCKET;
1358 case PF_NETROM:
1359 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1360 case PF_ATMPVC:
1361 return SECCLASS_ATMPVC_SOCKET;
1362 case PF_X25:
1363 return SECCLASS_X25_SOCKET;
1364 case PF_ROSE:
1365 return SECCLASS_ROSE_SOCKET;
1366 case PF_DECnet:
1367 return SECCLASS_DECNET_SOCKET;
1368 case PF_ATMSVC:
1369 return SECCLASS_ATMSVC_SOCKET;
1370 case PF_RDS:
1371 return SECCLASS_RDS_SOCKET;
1372 case PF_IRDA:
1373 return SECCLASS_IRDA_SOCKET;
1374 case PF_PPPOX:
1375 return SECCLASS_PPPOX_SOCKET;
1376 case PF_LLC:
1377 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1378 case PF_CAN:
1379 return SECCLASS_CAN_SOCKET;
1380 case PF_TIPC:
1381 return SECCLASS_TIPC_SOCKET;
1382 case PF_BLUETOOTH:
1383 return SECCLASS_BLUETOOTH_SOCKET;
1384 case PF_IUCV:
1385 return SECCLASS_IUCV_SOCKET;
1386 case PF_RXRPC:
1387 return SECCLASS_RXRPC_SOCKET;
1388 case PF_ISDN:
1389 return SECCLASS_ISDN_SOCKET;
1390 case PF_PHONET:
1391 return SECCLASS_PHONET_SOCKET;
1392 case PF_IEEE802154:
1393 return SECCLASS_IEEE802154_SOCKET;
1394 case PF_CAIF:
1395 return SECCLASS_CAIF_SOCKET;
1396 case PF_ALG:
1397 return SECCLASS_ALG_SOCKET;
1398 case PF_NFC:
1399 return SECCLASS_NFC_SOCKET;
1400 case PF_VSOCK:
1401 return SECCLASS_VSOCK_SOCKET;
1402 case PF_KCM:
1403 return SECCLASS_KCM_SOCKET;
1404 case PF_QIPCRTR:
1405 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1406 case PF_SMC:
1407 return SECCLASS_SMC_SOCKET;
1408#if PF_MAX > 44
da69a530
SS		 1409#error New address family defined, please update this function.
1410#endif
1411 }
1412 }
1413
1da177e4
LT		 1414 return SECCLASS_SOCKET;
1415}
1416
134509d5
SS		 1417static int selinux_genfs_get_sid(struct dentry *dentry,
1418 u16 tclass,
1419 u16 flags,
1420 u32 *sid)
1da177e4 1421{
8e6c9693 1422 int rc;
fc64005c 1423 struct super_block *sb = dentry->d_sb;
8e6c9693 1424 char *buffer, *path;
1da177e4 1425
828dfe1d 1426 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1427 if (!buffer)
1428 return -ENOMEM;
1429
8e6c9693
LAG		 1430 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1431 if (IS_ERR(path))
1432 rc = PTR_ERR(path);
1433 else {
134509d5
SS		 1434 if (flags & SE_SBPROC) {
1435 /* each process gets a /proc/PID/ entry. Strip off the
1436 * PID part to get a valid selinux labeling.
1437 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1438 while (path[1] >= '0' && path[1] <= '9') {
1439 path[1] = '/';
1440 path++;
1441 }
8e6c9693 1442 }
134509d5 1443 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1444 }
1da177e4
LT		 1445 free_page((unsigned long)buffer);
1446 return rc;
1447}
1da177e4
LT		 1448
1449/* The inode's security attributes must be initialized before first use. */
1450static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1451{
1452 struct superblock_security_struct *sbsec = NULL;
1453 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1454 u32 task_sid, sid = 0;
1455 u16 sclass;
1da177e4
LT		 1456 struct dentry *dentry;
1457#define INITCONTEXTLEN 255
1458 char *context = NULL;
1459 unsigned len = 0;
1460 int rc = 0;
1da177e4 1461
6f3be9f5 1462 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1463 return 0;
1da177e4 1464
9287aed2 1465 spin_lock(&isec->lock);
6f3be9f5 1466 if (isec->initialized == LABEL_INITIALIZED)
23970741 1467 goto out_unlock;
1da177e4 1468
13457d07
AG		 1469 if (isec->sclass == SECCLASS_FILE)
1470 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1471
1da177e4 1472 sbsec = inode->i_sb->s_security;
0d90a7ec 1473 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1474 /* Defer initialization until selinux_complete_init,
1475 after the initial policy is loaded and the security
1476 server is ready to handle calls. */
1477 spin_lock(&sbsec->isec_lock);
1478 if (list_empty(&isec->list))
1479 list_add(&isec->list, &sbsec->isec_head);
1480 spin_unlock(&sbsec->isec_lock);
23970741 1481 goto out_unlock;
1da177e4
LT		 1482 }
1483
9287aed2
AG		 1484 sclass = isec->sclass;
1485 task_sid = isec->task_sid;
1486 sid = isec->sid;
1487 isec->initialized = LABEL_PENDING;
1488 spin_unlock(&isec->lock);
1489
1da177e4 1490 switch (sbsec->behavior) {
eb9ae686
DQ		 1491 case SECURITY_FS_USE_NATIVE:
1492 break;
1da177e4 1493 case SECURITY_FS_USE_XATTR:
5d6c3191 1494 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1495 sid = sbsec->def_sid;
1da177e4
LT		 1496 break;
1497 }
1da177e4
LT		 1498 /* Need a dentry, since the xattr API requires one.
1499 Life would be simpler if we could just pass the inode. */
1500 if (opt_dentry) {
1501 /* Called from d_instantiate or d_splice_alias. */
1502 dentry = dget(opt_dentry);
1503 } else {
1504 /* Called from selinux_complete_init, try to find a dentry. */
1505 dentry = d_find_alias(inode);
1506 }
1507 if (!dentry) {
df7f54c0
EP		 1508 /*
1509 * this is can be hit on boot when a file is accessed
1510 * before the policy is loaded. When we load policy we
1511 * may find inodes that have no dentry on the
1512 * sbsec->isec_head list. No reason to complain as these
1513 * will get fixed up the next time we go through
1514 * inode_doinit with a dentry, before these inodes could
1515 * be used again by userspace.
1516 */
9287aed2 1517 goto out;
1da177e4
LT		 1518 }
1519
1520 len = INITCONTEXTLEN;
4cb912f1 1521 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1522 if (!context) {
1523 rc = -ENOMEM;
1524 dput(dentry);
9287aed2 1525 goto out;
1da177e4 1526 }
4cb912f1 1527 context[len] = '\0';
5d6c3191 1528 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1529 if (rc == -ERANGE) {
314dabb8
JM		 1530 kfree(context);
1531
1da177e4 1532 /* Need a larger buffer. Query for the right size. */
5d6c3191 1533 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1534 if (rc < 0) {
1535 dput(dentry);
9287aed2 1536 goto out;
1da177e4 1537 }
1da177e4 1538 len = rc;
4cb912f1 1539 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1540 if (!context) {
1541 rc = -ENOMEM;
1542 dput(dentry);
9287aed2 1543 goto out;
1da177e4 1544 }
4cb912f1 1545 context[len] = '\0';
5d6c3191 1546 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1547 }
1548 dput(dentry);
1549 if (rc < 0) {
1550 if (rc != -ENODATA) {
744ba35e 1551 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1552 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1553 -rc, inode->i_sb->s_id, inode->i_ino);
1554 kfree(context);
9287aed2 1555 goto out;
1da177e4
LT		 1556 }
1557 /* Map ENODATA to the default file SID */
1558 sid = sbsec->def_sid;
1559 rc = 0;
1560 } else {
f5c1d5b2 1561 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1562 sbsec->def_sid,
1563 GFP_NOFS);
1da177e4 1564 if (rc) {
4ba0a8ad
EP		 1565 char *dev = inode->i_sb->s_id;
1566 unsigned long ino = inode->i_ino;
1567
1568 if (rc == -EINVAL) {
1569 if (printk_ratelimit())
1570 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1571 "context=%s. This indicates you may need to relabel the inode or the "
1572 "filesystem in question.\n", ino, dev, context);
1573 } else {
1574 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1575 "returned %d for dev=%s ino=%ld\n",
1576 __func__, context, -rc, dev, ino);
1577 }
1da177e4
LT		 1578 kfree(context);
1579 /* Leave with the unlabeled SID */
1580 rc = 0;
1581 break;
1582 }
1583 }
1584 kfree(context);
1da177e4
LT		 1585 break;
1586 case SECURITY_FS_USE_TASK:
9287aed2 1587 sid = task_sid;
1da177e4
LT		 1588 break;
1589 case SECURITY_FS_USE_TRANS:
1590 /* Default to the fs SID. */
9287aed2 1591 sid = sbsec->sid;
1da177e4
LT		 1592
1593 /* Try to obtain a transition SID. */
9287aed2 1594 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1da177e4 1595 if (rc)
9287aed2 1596 goto out;
1da177e4 1597 break;
c312feb2 1598 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1599 sid = sbsec->mntpoint_sid;
c312feb2 1600 break;
1da177e4 1601 default:
c312feb2 1602 /* Default to the fs superblock SID. */
9287aed2 1603 sid = sbsec->sid;
1da177e4 1604
134509d5 1605 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1606 /* We must have a dentry to determine the label on
1607 * procfs inodes */
1608 if (opt_dentry)
1609 /* Called from d_instantiate or
1610 * d_splice_alias. */
1611 dentry = dget(opt_dentry);
1612 else
1613 /* Called from selinux_complete_init, try to
1614 * find a dentry. */
1615 dentry = d_find_alias(inode);
1616 /*
1617 * This can be hit on boot when a file is accessed
1618 * before the policy is loaded. When we load policy we
1619 * may find inodes that have no dentry on the
1620 * sbsec->isec_head list. No reason to complain as
1621 * these will get fixed up the next time we go through
1622 * inode_doinit() with a dentry, before these inodes
1623 * could be used again by userspace.
1624 */
1625 if (!dentry)
9287aed2
AG		 1626 goto out;
1627 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1628 sbsec->flags, &sid);
f64410ec
PM		 1629 dput(dentry);
1630 if (rc)
9287aed2 1631 goto out;
1da177e4
LT		 1632 }
1633 break;
1634 }
1635
9287aed2
AG		 1636out:
1637 spin_lock(&isec->lock);
1638 if (isec->initialized == LABEL_PENDING) {
1639 if (!sid || rc) {
1640 isec->initialized = LABEL_INVALID;
1641 goto out_unlock;
1642 }
1643
1644 isec->initialized = LABEL_INITIALIZED;
1645 isec->sid = sid;
1646 }
1da177e4 1647
23970741 1648out_unlock:
9287aed2 1649 spin_unlock(&isec->lock);
1da177e4
LT		 1650 return rc;
1651}
1652
1653/* Convert a Linux signal to an access vector. */
1654static inline u32 signal_to_av(int sig)
1655{
1656 u32 perm = 0;
1657
1658 switch (sig) {
1659 case SIGCHLD:
1660 /* Commonly granted from child to parent. */
1661 perm = PROCESS__SIGCHLD;
1662 break;
1663 case SIGKILL:
1664 /* Cannot be caught or ignored */
1665 perm = PROCESS__SIGKILL;
1666 break;
1667 case SIGSTOP:
1668 /* Cannot be caught or ignored */
1669 perm = PROCESS__SIGSTOP;
1670 break;
1671 default:
1672 /* All other signals. */
1673 perm = PROCESS__SIGNAL;
1674 break;
1675 }
1676
1677 return perm;
1678}
1679
b68e418c
SS		 1680#if CAP_LAST_CAP > 63
1681#error Fix SELinux to handle capabilities > 63.
1682#endif
1683
1da177e4 1684/* Check whether a task is allowed to use a capability. */
6a9de491 1685static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1686 int cap, int audit, bool initns)
1da177e4 1687{
2bf49690 1688 struct common_audit_data ad;
06112163 1689 struct av_decision avd;
b68e418c 1690 u16 sclass;
3699c53c 1691 u32 sid = cred_sid(cred);
b68e418c 1692 u32 av = CAP_TO_MASK(cap);
06112163 1693 int rc;
1da177e4 1694
50c205f5 1695 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1696 ad.u.cap = cap;
1697
b68e418c
SS		 1698 switch (CAP_TO_INDEX(cap)) {
1699 case 0:
8e4ff6f2 1700 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1701 break;
1702 case 1:
8e4ff6f2 1703 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1704 break;
1705 default:
1706 printk(KERN_ERR
1707 "SELinux: out of range capability %d\n", cap);
1708 BUG();
a35c6c83 1709 return -EINVAL;
b68e418c 1710 }
06112163 1711
275bb41e 1712 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1713 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1714 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1715 if (rc2)
1716 return rc2;
1717 }
06112163 1718 return rc;
1da177e4
LT		 1719}
1720
1da177e4
LT		 1721/* Check whether a task has a particular permission to an inode.
1722 The 'adp' parameter is optional and allows other audit
1723 data to be passed (e.g. the dentry). */
88e67f3b 1724static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1725 struct inode *inode,
1726 u32 perms,
19e49834 1727 struct common_audit_data *adp)
1da177e4 1728{
1da177e4 1729 struct inode_security_struct *isec;
275bb41e 1730 u32 sid;
1da177e4 1731
e0e81739
DH		 1732 validate_creds(cred);
1733
828dfe1d 1734 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1735 return 0;
1736
88e67f3b 1737 sid = cred_sid(cred);
1da177e4
LT		 1738 isec = inode->i_security;
1739
19e49834 1740 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1741}
1742
1743/* Same as inode_has_perm, but pass explicit audit data containing
1744 the dentry to help the auditing code to more easily generate the
1745 pathname if needed. */
88e67f3b 1746static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1747 struct dentry *dentry,
1748 u32 av)
1749{
c6f493d6 1750 struct inode *inode = d_backing_inode(dentry);
2bf49690 1751 struct common_audit_data ad;
88e67f3b 1752
50c205f5 1753 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1754 ad.u.dentry = dentry;
5d226df4 1755 __inode_security_revalidate(inode, dentry, true);
19e49834 1756 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1757}
1758
1759/* Same as inode_has_perm, but pass explicit audit data containing
1760 the path to help the auditing code to more easily generate the
1761 pathname if needed. */
1762static inline int path_has_perm(const struct cred *cred,
3f7036a0 1763 const struct path *path,
2875fa00
EP		 1764 u32 av)
1765{
c6f493d6 1766 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1767 struct common_audit_data ad;
1768
50c205f5 1769 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1770 ad.u.path = *path;
5d226df4 1771 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1772 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1773}
1774
13f8e981
DH		 1775/* Same as path_has_perm, but uses the inode from the file struct. */
1776static inline int file_path_has_perm(const struct cred *cred,
1777 struct file *file,
1778 u32 av)
1779{
1780 struct common_audit_data ad;
1781
43af5de7
VG		 1782 ad.type = LSM_AUDIT_DATA_FILE;
1783 ad.u.file = file;
19e49834 1784 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1785}
1786
1da177e4
LT		 1787/* Check whether a task can use an open file descriptor to
1788 access an inode in a given way. Check access to the
1789 descriptor itself, and then use dentry_has_perm to
1790 check a particular permission to the file.
1791 Access to the descriptor is implicitly granted if it
1792 has the same SID as the process. If av is zero, then
1793 access to the file is not checked, e.g. for cases
1794 where only the descriptor is affected like seek. */
88e67f3b
DH		 1795static int file_has_perm(const struct cred *cred,
1796 struct file *file,
1797 u32 av)
1da177e4 1798{
1da177e4 1799 struct file_security_struct *fsec = file->f_security;
496ad9aa 1800 struct inode *inode = file_inode(file);
2bf49690 1801 struct common_audit_data ad;
88e67f3b 1802 u32 sid = cred_sid(cred);
1da177e4
LT		 1803 int rc;
1804
43af5de7
VG		 1805 ad.type = LSM_AUDIT_DATA_FILE;
1806 ad.u.file = file;
1da177e4 1807
275bb41e
DH		 1808 if (sid != fsec->sid) {
1809 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1810 SECCLASS_FD,
1811 FD__USE,
1812 &ad);
1813 if (rc)
88e67f3b 1814 goto out;
1da177e4
LT		 1815 }
1816
1817 /* av is zero if only checking access to the descriptor. */
88e67f3b 1818 rc = 0;
1da177e4 1819 if (av)
19e49834 1820 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1821
88e67f3b
DH		 1822out:
1823 return rc;
1da177e4
LT		 1824}
1825
c3c188b2
DH		 1826/*
1827 * Determine the label for an inode that might be unioned.
1828 */
c957f6df
VG		 1829static int
1830selinux_determine_inode_label(const struct task_security_struct *tsec,
1831 struct inode *dir,
1832 const struct qstr *name, u16 tclass,
1833 u32 *_new_isid)
c3c188b2
DH		 1834{
1835 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1836
1837 if ((sbsec->flags & SE_SBINITIALIZED) &&
1838 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1839 *_new_isid = sbsec->mntpoint_sid;
1840 } else if ((sbsec->flags & SBLABEL_MNT) &&
1841 tsec->create_sid) {
1842 *_new_isid = tsec->create_sid;
1843 } else {
20cdef8d 1844 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1845 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1846 name, _new_isid);
1847 }
1848
1849 return 0;
1850}
1851
1da177e4
LT		 1852/* Check whether a task can create a file. */
1853static int may_create(struct inode *dir,
1854 struct dentry *dentry,
1855 u16 tclass)
1856{
5fb49870 1857 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1858 struct inode_security_struct *dsec;
1859 struct superblock_security_struct *sbsec;
275bb41e 1860 u32 sid, newsid;
2bf49690 1861 struct common_audit_data ad;
1da177e4
LT		 1862 int rc;
1863
83da53c5 1864 dsec = inode_security(dir);
1da177e4
LT		 1865 sbsec = dir->i_sb->s_security;
1866
275bb41e 1867 sid = tsec->sid;
275bb41e 1868
50c205f5 1869 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1870 ad.u.dentry = dentry;
1da177e4 1871
275bb41e 1872 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1873 DIR__ADD_NAME | DIR__SEARCH,
1874 &ad);
1875 if (rc)
1876 return rc;
1877
c957f6df
VG		 1878 rc = selinux_determine_inode_label(current_security(), dir,
1879 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1880 if (rc)
1881 return rc;
1da177e4 1882
275bb41e 1883 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1884 if (rc)
1885 return rc;
1886
1887 return avc_has_perm(newsid, sbsec->sid,
1888 SECCLASS_FILESYSTEM,
1889 FILESYSTEM__ASSOCIATE, &ad);
1890}
1891
828dfe1d
EP		 1892#define MAY_LINK 0
1893#define MAY_UNLINK 1
1894#define MAY_RMDIR 2
1da177e4
LT		 1895
1896/* Check whether a task can link, unlink, or rmdir a file/directory. */
1897static int may_link(struct inode *dir,
1898 struct dentry *dentry,
1899 int kind)
1900
1901{
1da177e4 1902 struct inode_security_struct *dsec, *isec;
2bf49690 1903 struct common_audit_data ad;
275bb41e 1904 u32 sid = current_sid();
1da177e4
LT		 1905 u32 av;
1906 int rc;
1907
83da53c5
AG		 1908 dsec = inode_security(dir);
1909 isec = backing_inode_security(dentry);
1da177e4 1910
50c205f5 1911 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1912 ad.u.dentry = dentry;
1da177e4
LT		 1913
1914 av = DIR__SEARCH;
1915 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1916 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1917 if (rc)
1918 return rc;
1919
1920 switch (kind) {
1921 case MAY_LINK:
1922 av = FILE__LINK;
1923 break;
1924 case MAY_UNLINK:
1925 av = FILE__UNLINK;
1926 break;
1927 case MAY_RMDIR:
1928 av = DIR__RMDIR;
1929 break;
1930 default:
744ba35e
EP		 1931 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1932 __func__, kind);
1da177e4
LT		 1933 return 0;
1934 }
1935
275bb41e 1936 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1937 return rc;
1938}
1939
1940static inline int may_rename(struct inode *old_dir,
1941 struct dentry *old_dentry,
1942 struct inode *new_dir,
1943 struct dentry *new_dentry)
1944{
1da177e4 1945 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1946 struct common_audit_data ad;
275bb41e 1947 u32 sid = current_sid();
1da177e4
LT		 1948 u32 av;
1949 int old_is_dir, new_is_dir;
1950 int rc;
1951
83da53c5
AG		 1952 old_dsec = inode_security(old_dir);
1953 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1954 old_is_dir = d_is_dir(old_dentry);
83da53c5 1955 new_dsec = inode_security(new_dir);
1da177e4 1956
50c205f5 1957 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1958
a269434d 1959 ad.u.dentry = old_dentry;
275bb41e 1960 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1961 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1962 if (rc)
1963 return rc;
275bb41e 1964 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1965 old_isec->sclass, FILE__RENAME, &ad);
1966 if (rc)
1967 return rc;
1968 if (old_is_dir && new_dir != old_dir) {
275bb41e 1969 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1970 old_isec->sclass, DIR__REPARENT, &ad);
1971 if (rc)
1972 return rc;
1973 }
1974
a269434d 1975 ad.u.dentry = new_dentry;
1da177e4 1976 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1977 if (d_is_positive(new_dentry))
1da177e4 1978 av |= DIR__REMOVE_NAME;
275bb41e 1979 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1980 if (rc)
1981 return rc;
2c616d4d 1982 if (d_is_positive(new_dentry)) {
83da53c5 1983 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1984 new_is_dir = d_is_dir(new_dentry);
275bb41e 1985 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1986 new_isec->sclass,
1987 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1988 if (rc)
1989 return rc;
1990 }
1991
1992 return 0;
1993}
1994
1995/* Check whether a task can perform a filesystem operation. */
88e67f3b 1996static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1997 struct super_block *sb,
1998 u32 perms,
2bf49690 1999 struct common_audit_data *ad)
1da177e4 2000{
1da177e4 2001 struct superblock_security_struct *sbsec;
88e67f3b 2002 u32 sid = cred_sid(cred);
1da177e4 2003
1da177e4 2004 sbsec = sb->s_security;
275bb41e 2005 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2006}
2007
2008/* Convert a Linux mode and permission mask to an access vector. */
2009static inline u32 file_mask_to_av(int mode, int mask)
2010{
2011 u32 av = 0;
2012
dba19c60 2013 if (!S_ISDIR(mode)) {
1da177e4
LT		 2014 if (mask & MAY_EXEC)
2015 av |= FILE__EXECUTE;
2016 if (mask & MAY_READ)
2017 av |= FILE__READ;
2018
2019 if (mask & MAY_APPEND)
2020 av |= FILE__APPEND;
2021 else if (mask & MAY_WRITE)
2022 av |= FILE__WRITE;
2023
2024 } else {
2025 if (mask & MAY_EXEC)
2026 av |= DIR__SEARCH;
2027 if (mask & MAY_WRITE)
2028 av |= DIR__WRITE;
2029 if (mask & MAY_READ)
2030 av |= DIR__READ;
2031 }
2032
2033 return av;
2034}
2035
8b6a5a37
EP		 2036/* Convert a Linux file to an access vector. */
2037static inline u32 file_to_av(struct file *file)
2038{
2039 u32 av = 0;
2040
2041 if (file->f_mode & FMODE_READ)
2042 av |= FILE__READ;
2043 if (file->f_mode & FMODE_WRITE) {
2044 if (file->f_flags & O_APPEND)
2045 av |= FILE__APPEND;
2046 else
2047 av |= FILE__WRITE;
2048 }
2049 if (!av) {
2050 /*
2051 * Special file opened with flags 3 for ioctl-only use.
2052 */
2053 av = FILE__IOCTL;
2054 }
2055
2056 return av;
2057}
2058
b0c636b9 2059/*
8b6a5a37 2060 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2061 * open permission.
2062 */
8b6a5a37 2063static inline u32 open_file_to_av(struct file *file)
b0c636b9 2064{
8b6a5a37 2065 u32 av = file_to_av(file);
b0c636b9 2066
49b7b8de
EP		 2067 if (selinux_policycap_openperm)
2068 av |= FILE__OPEN;
2069
b0c636b9
EP		 2070 return av;
2071}
2072
1da177e4
LT		 2073/* Hook functions begin here. */
2074
79af7307
SS		 2075static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2076{
2077 u32 mysid = current_sid();
2078 u32 mgrsid = task_sid(mgr);
2079
2080 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2081 BINDER__SET_CONTEXT_MGR, NULL);
2082}
2083
2084static int selinux_binder_transaction(struct task_struct *from,
2085 struct task_struct *to)
2086{
2087 u32 mysid = current_sid();
2088 u32 fromsid = task_sid(from);
2089 u32 tosid = task_sid(to);
2090 int rc;
2091
2092 if (mysid != fromsid) {
2093 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2094 BINDER__IMPERSONATE, NULL);
2095 if (rc)
2096 return rc;
2097 }
2098
2099 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2100 NULL);
2101}
2102
2103static int selinux_binder_transfer_binder(struct task_struct *from,
2104 struct task_struct *to)
2105{
2106 u32 fromsid = task_sid(from);
2107 u32 tosid = task_sid(to);
2108
2109 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2110 NULL);
2111}
2112
2113static int selinux_binder_transfer_file(struct task_struct *from,
2114 struct task_struct *to,
2115 struct file *file)
2116{
2117 u32 sid = task_sid(to);
2118 struct file_security_struct *fsec = file->f_security;
83da53c5 2119 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2120 struct inode_security_struct *isec;
79af7307
SS		 2121 struct common_audit_data ad;
2122 int rc;
2123
2124 ad.type = LSM_AUDIT_DATA_PATH;
2125 ad.u.path = file->f_path;
2126
2127 if (sid != fsec->sid) {
2128 rc = avc_has_perm(sid, fsec->sid,
2129 SECCLASS_FD,
2130 FD__USE,
2131 &ad);
2132 if (rc)
2133 return rc;
2134 }
2135
83da53c5 2136 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2137 return 0;
2138
20cdef8d 2139 isec = backing_inode_security(dentry);
79af7307
SS		 2140 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2141 &ad);
2142}
2143
9e48858f 2144static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2145 unsigned int mode)
1da177e4 2146{
be0554c9
SS		 2147 u32 sid = current_sid();
2148 u32 csid = task_sid(child);
2149
2150 if (mode & PTRACE_MODE_READ)
275bb41e 2151 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2152
be0554c9 2153 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2154}
2155
2156static int selinux_ptrace_traceme(struct task_struct *parent)
2157{
be0554c9
SS		 2158 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2159 PROCESS__PTRACE, NULL);
1da177e4
LT		 2160}
2161
2162static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2163 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2164{
be0554c9
SS		 2165 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2166 PROCESS__GETCAP, NULL);
1da177e4
LT		 2167}
2168
d84f4f99
DH		 2169static int selinux_capset(struct cred *new, const struct cred *old,
2170 const kernel_cap_t *effective,
2171 const kernel_cap_t *inheritable,
2172 const kernel_cap_t *permitted)
1da177e4 2173{
be0554c9
SS		 2174 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2175 PROCESS__SETCAP, NULL);
1da177e4
LT		 2176}
2177
5626d3e8
JM		 2178/*
2179 * (This comment used to live with the selinux_task_setuid hook,
2180 * which was removed).
2181 *
2182 * Since setuid only affects the current process, and since the SELinux
2183 * controls are not based on the Linux identity attributes, SELinux does not
2184 * need to control this operation. However, SELinux does control the use of
2185 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2186 */
2187
6a9de491
EP		 2188static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2189 int cap, int audit)
1da177e4 2190{
8e4ff6f2 2191 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2192}
2193
1da177e4
LT		 2194static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2195{
88e67f3b 2196 const struct cred *cred = current_cred();
1da177e4
LT		 2197 int rc = 0;
2198
2199 if (!sb)
2200 return 0;
2201
2202 switch (cmds) {
828dfe1d
EP		 2203 case Q_SYNC:
2204 case Q_QUOTAON:
2205 case Q_QUOTAOFF:
2206 case Q_SETINFO:
2207 case Q_SETQUOTA:
88e67f3b 2208 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2209 break;
2210 case Q_GETFMT:
2211 case Q_GETINFO:
2212 case Q_GETQUOTA:
88e67f3b 2213 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2214 break;
2215 default:
2216 rc = 0; /* let the kernel handle invalid cmds */
2217 break;
1da177e4
LT		 2218 }
2219 return rc;
2220}
2221
2222static int selinux_quota_on(struct dentry *dentry)
2223{
88e67f3b
DH		 2224 const struct cred *cred = current_cred();
2225
2875fa00 2226 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2227}
2228
12b3052c 2229static int selinux_syslog(int type)
1da177e4 2230{
1da177e4 2231 switch (type) {
d78ca3cd
KC		 2232 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2233 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
be0554c9
SS		 2234 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2235 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2236 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2237 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2238 /* Set level of messages printed to console */
2239 case SYSLOG_ACTION_CONSOLE_LEVEL:
be0554c9
SS		 2240 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2241 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2242 NULL);
1da177e4 2243 }
be0554c9
SS		 2244 /* All other syslog types */
2245 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2246 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2247}
2248
2249/*
2250 * Check that a process has enough memory to allocate a new virtual
2251 * mapping. 0 means there is enough memory for the allocation to
2252 * succeed and -ENOMEM implies there is not.
2253 *
1da177e4
LT		 2254 * Do not audit the selinux permission check, as this is applied to all
2255 * processes that allocate mappings.
2256 */
34b4e4aa 2257static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2258{
2259 int rc, cap_sys_admin = 0;
1da177e4 2260
b1d9e6b0 2261 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2262 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2263 if (rc == 0)
2264 cap_sys_admin = 1;
2265
b1d9e6b0 2266 return cap_sys_admin;
1da177e4
LT		 2267}
2268
2269/* binprm security operations */
2270
be0554c9 2271static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2272{
2273 u32 sid = 0;
2274 struct task_struct *tracer;
2275
2276 rcu_read_lock();
be0554c9 2277 tracer = ptrace_parent(current);
0c6181cb
PM		 2278 if (tracer)
2279 sid = task_sid(tracer);
2280 rcu_read_unlock();
2281
2282 return sid;
2283}
2284
7b0d0b40
SS		 2285static int check_nnp_nosuid(const struct linux_binprm *bprm,
2286 const struct task_security_struct *old_tsec,
2287 const struct task_security_struct *new_tsec)
2288{
2289 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2290 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40
SS		 2291 int rc;
2292
2293 if (!nnp && !nosuid)
2294 return 0; /* neither NNP nor nosuid */
2295
2296 if (new_tsec->sid == old_tsec->sid)
2297 return 0; /* No change in credentials */
2298
2299 /*
2300 * The only transitions we permit under NNP or nosuid
2301 * are transitions to bounded SIDs, i.e. SIDs that are
2302 * guaranteed to only be allowed a subset of the permissions
2303 * of the current SID.
2304 */
2305 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2306 if (rc) {
2307 /*
2308 * On failure, preserve the errno values for NNP vs nosuid.
2309 * NNP: Operation not permitted for caller.
2310 * nosuid: Permission denied to file.
2311 */
2312 if (nnp)
2313 return -EPERM;
2314 else
2315 return -EACCES;
2316 }
2317 return 0;
2318}
2319
a6f76f23 2320static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2321{
a6f76f23
DH		 2322 const struct task_security_struct *old_tsec;
2323 struct task_security_struct *new_tsec;
1da177e4 2324 struct inode_security_struct *isec;
2bf49690 2325 struct common_audit_data ad;
496ad9aa 2326 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2327 int rc;
2328
a6f76f23
DH		 2329 /* SELinux context only depends on initial program or script and not
2330 * the script interpreter */
2331 if (bprm->cred_prepared)
1da177e4
LT		 2332 return 0;
2333
a6f76f23
DH		 2334 old_tsec = current_security();
2335 new_tsec = bprm->cred->security;
83da53c5 2336 isec = inode_security(inode);
1da177e4
LT		 2337
2338 /* Default to the current task SID. */
a6f76f23
DH		 2339 new_tsec->sid = old_tsec->sid;
2340 new_tsec->osid = old_tsec->sid;
1da177e4 2341
28eba5bf 2342 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2343 new_tsec->create_sid = 0;
2344 new_tsec->keycreate_sid = 0;
2345 new_tsec->sockcreate_sid = 0;
1da177e4 2346
a6f76f23
DH		 2347 if (old_tsec->exec_sid) {
2348 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2349 /* Reset exec SID on execve. */
a6f76f23 2350 new_tsec->exec_sid = 0;
259e5e6c 2351
7b0d0b40
SS		 2352 /* Fail on NNP or nosuid if not an allowed transition. */
2353 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2354 if (rc)
2355 return rc;
1da177e4
LT		 2356 } else {
2357 /* Check for a default transition on this program. */
a6f76f23 2358 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2359 SECCLASS_PROCESS, NULL,
2360 &new_tsec->sid);
1da177e4
LT		 2361 if (rc)
2362 return rc;
7b0d0b40
SS		 2363
2364 /*
2365 * Fallback to old SID on NNP or nosuid if not an allowed
2366 * transition.
2367 */
2368 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2369 if (rc)
2370 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2371 }
2372
43af5de7
VG		 2373 ad.type = LSM_AUDIT_DATA_FILE;
2374 ad.u.file = bprm->file;
1da177e4 2375
a6f76f23
DH		 2376 if (new_tsec->sid == old_tsec->sid) {
2377 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2378 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2379 if (rc)
2380 return rc;
2381 } else {
2382 /* Check permissions for the transition. */
a6f76f23 2383 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2384 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2385 if (rc)
2386 return rc;
2387
a6f76f23 2388 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2389 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2390 if (rc)
2391 return rc;
2392
a6f76f23
DH		 2393 /* Check for shared state */
2394 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2395 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2396 SECCLASS_PROCESS, PROCESS__SHARE,
2397 NULL);
2398 if (rc)
2399 return -EPERM;
2400 }
2401
2402 /* Make sure that anyone attempting to ptrace over a task that
2403 * changes its SID has the appropriate permit */
9227dd2a 2404 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2405 u32 ptsid = ptrace_parent_sid();
a6f76f23
DH		 2406 if (ptsid != 0) {
2407 rc = avc_has_perm(ptsid, new_tsec->sid,
2408 SECCLASS_PROCESS,
2409 PROCESS__PTRACE, NULL);
2410 if (rc)
2411 return -EPERM;
2412 }
2413 }
1da177e4 2414
a6f76f23
DH		 2415 /* Clear any possibly unsafe personality bits on exec: */
2416 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2417 }
2418
1da177e4
LT		 2419 return 0;
2420}
2421
828dfe1d 2422static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2423{
5fb49870 2424 const struct task_security_struct *tsec = current_security();
275bb41e 2425 u32 sid, osid;
1da177e4
LT		 2426 int atsecure = 0;
2427
275bb41e
DH		 2428 sid = tsec->sid;
2429 osid = tsec->osid;
2430
2431 if (osid != sid) {
1da177e4
LT		 2432 /* Enable secure mode for SIDs transitions unless
2433 the noatsecure permission is granted between
2434 the two SIDs, i.e. ahp returns 0. */
275bb41e 2435 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2436 SECCLASS_PROCESS,
2437 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2438 }
2439
b1d9e6b0 2440 return !!atsecure;
1da177e4
LT		 2441}
2442
c3c073f8
AV		 2443static int match_file(const void *p, struct file *file, unsigned fd)
2444{
2445 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2446}
2447
1da177e4 2448/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2449static inline void flush_unauthorized_files(const struct cred *cred,
2450 struct files_struct *files)
1da177e4 2451{
1da177e4 2452 struct file *file, *devnull = NULL;
b20c8122 2453 struct tty_struct *tty;
24ec839c 2454 int drop_tty = 0;
c3c073f8 2455 unsigned n;
1da177e4 2456
24ec839c 2457 tty = get_current_tty();
1da177e4 2458 if (tty) {
4a510969 2459 spin_lock(&tty->files_lock);
37dd0bd0 2460 if (!list_empty(&tty->tty_files)) {
d996b62a 2461 struct tty_file_private *file_priv;
37dd0bd0 2462
1da177e4 2463 /* Revalidate access to controlling tty.
13f8e981
DH		 2464 Use file_path_has_perm on the tty path directly
2465 rather than using file_has_perm, as this particular
2466 open file may belong to another process and we are
2467 only interested in the inode-based check here. */
d996b62a
NP		 2468 file_priv = list_first_entry(&tty->tty_files,
2469 struct tty_file_private, list);
2470 file = file_priv->file;
13f8e981 2471 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2472 drop_tty = 1;
1da177e4 2473 }
4a510969 2474 spin_unlock(&tty->files_lock);
452a00d2 2475 tty_kref_put(tty);
1da177e4 2476 }
98a27ba4
EB		 2477 /* Reset controlling tty. */
2478 if (drop_tty)
2479 no_tty();
1da177e4
LT		 2480
2481 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2482 n = iterate_fd(files, 0, match_file, cred);
2483 if (!n) /* none found? */
2484 return;
1da177e4 2485
c3c073f8 2486 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2487 if (IS_ERR(devnull))
2488 devnull = NULL;
2489 /* replace all the matching ones with this */
2490 do {
2491 replace_fd(n - 1, devnull, 0);
2492 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2493 if (devnull)
c3c073f8 2494 fput(devnull);
1da177e4
LT		 2495}
2496
a6f76f23
DH		 2497/*
2498 * Prepare a process for imminent new credential changes due to exec
2499 */
2500static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2501{
a6f76f23
DH		 2502 struct task_security_struct *new_tsec;
2503 struct rlimit *rlim, *initrlim;
2504 int rc, i;
d84f4f99 2505
a6f76f23
DH		 2506 new_tsec = bprm->cred->security;
2507 if (new_tsec->sid == new_tsec->osid)
2508 return;
1da177e4 2509
a6f76f23
DH		 2510 /* Close files for which the new task SID is not authorized. */
2511 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2512
a6f76f23
DH		 2513 /* Always clear parent death signal on SID transitions. */
2514 current->pdeath_signal = 0;
0356357c 2515
a6f76f23
DH		 2516 /* Check whether the new SID can inherit resource limits from the old
2517 * SID. If not, reset all soft limits to the lower of the current
2518 * task's hard limit and the init task's soft limit.
2519 *
2520 * Note that the setting of hard limits (even to lower them) can be
2521 * controlled by the setrlimit check. The inclusion of the init task's
2522 * soft limit into the computation is to avoid resetting soft limits
2523 * higher than the default soft limit for cases where the default is
2524 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2525 */
2526 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2527 PROCESS__RLIMITINH, NULL);
2528 if (rc) {
eb2d55a3
ON		 2529 /* protect against do_prlimit() */
2530 task_lock(current);
a6f76f23
DH		 2531 for (i = 0; i < RLIM_NLIMITS; i++) {
2532 rlim = current->signal->rlim + i;
2533 initrlim = init_task.signal->rlim + i;
2534 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2535 }
eb2d55a3 2536 task_unlock(current);
baa73d9e
NP		 2537 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2538 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2539 }
2540}
2541
2542/*
a6f76f23
DH		 2543 * Clean up the process immediately after the installation of new credentials
2544 * due to exec
1da177e4 2545 */
a6f76f23 2546static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2547{
a6f76f23 2548 const struct task_security_struct *tsec = current_security();
1da177e4 2549 struct itimerval itimer;
a6f76f23 2550 u32 osid, sid;
1da177e4
LT		 2551 int rc, i;
2552
a6f76f23
DH		 2553 osid = tsec->osid;
2554 sid = tsec->sid;
2555
2556 if (sid == osid)
1da177e4
LT		 2557 return;
2558
a6f76f23
DH		 2559 /* Check whether the new SID can inherit signal state from the old SID.
2560 * If not, clear itimers to avoid subsequent signal generation and
2561 * flush and unblock signals.
2562 *
2563 * This must occur _after_ the task SID has been updated so that any
2564 * kill done after the flush will be checked against the new SID.
2565 */
2566 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2567 if (rc) {
baa73d9e
NP		 2568 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2569 memset(&itimer, 0, sizeof itimer);
2570 for (i = 0; i < 3; i++)
2571 do_setitimer(i, &itimer, NULL);
2572 }
1da177e4 2573 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2574 if (!fatal_signal_pending(current)) {
2575 flush_sigqueue(&current->pending);
2576 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2577 flush_signal_handlers(current, 1);
2578 sigemptyset(&current->blocked);
9e7c8f8c 2579 recalc_sigpending();
3bcac026 2580 }
1da177e4
LT		 2581 spin_unlock_irq(&current->sighand->siglock);
2582 }
2583
a6f76f23
DH		 2584 /* Wake up the parent if it is waiting so that it can recheck
2585 * wait permission to the new task SID. */
ecd6de3c 2586 read_lock(&tasklist_lock);
0b7570e7 2587 __wake_up_parent(current, current->real_parent);
ecd6de3c 2588 read_unlock(&tasklist_lock);
1da177e4
LT		 2589}
2590
2591/* superblock security operations */
2592
2593static int selinux_sb_alloc_security(struct super_block *sb)
2594{
2595 return superblock_alloc_security(sb);
2596}
2597
2598static void selinux_sb_free_security(struct super_block *sb)
2599{
2600 superblock_free_security(sb);
2601}
2602
2603static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2604{
2605 if (plen > olen)
2606 return 0;
2607
2608 return !memcmp(prefix, option, plen);
2609}
2610
2611static inline int selinux_option(char *option, int len)
2612{
832cbd9a
EP		 2613 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2614 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2615 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2616 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2617 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2618}
2619
2620static inline void take_option(char **to, char *from, int *first, int len)
2621{
2622 if (!*first) {
2623 **to = ',';
2624 *to += 1;
3528a953 2625 } else
1da177e4
LT		 2626 *first = 0;
2627 memcpy(*to, from, len);
2628 *to += len;
2629}
2630
828dfe1d
EP		 2631static inline void take_selinux_option(char **to, char *from, int *first,
2632 int len)
3528a953
CO		 2633{
2634 int current_size = 0;
2635
2636 if (!*first) {
2637 **to = '|';
2638 *to += 1;
828dfe1d 2639 } else
3528a953
CO		 2640 *first = 0;
2641
2642 while (current_size < len) {
2643 if (*from != '"') {
2644 **to = *from;
2645 *to += 1;
2646 }
2647 from += 1;
2648 current_size += 1;
2649 }
2650}
2651
e0007529 2652static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2653{
2654 int fnosec, fsec, rc = 0;
2655 char *in_save, *in_curr, *in_end;
2656 char *sec_curr, *nosec_save, *nosec;
3528a953 2657 int open_quote = 0;
1da177e4
LT		 2658
2659 in_curr = orig;
2660 sec_curr = copy;
2661
1da177e4
LT		 2662 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2663 if (!nosec) {
2664 rc = -ENOMEM;
2665 goto out;
2666 }
2667
2668 nosec_save = nosec;
2669 fnosec = fsec = 1;
2670 in_save = in_end = orig;
2671
2672 do {
3528a953
CO		 2673 if (*in_end == '"')
2674 open_quote = !open_quote;
2675 if ((*in_end == ',' && open_quote == 0) ||
2676 *in_end == '\0') {
1da177e4
LT		 2677 int len = in_end - in_curr;
2678
2679 if (selinux_option(in_curr, len))
3528a953 2680 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2681 else
2682 take_option(&nosec, in_curr, &fnosec, len);
2683
2684 in_curr = in_end + 1;
2685 }
2686 } while (*in_end++);
2687
6931dfc9 2688 strcpy(in_save, nosec_save);
da3caa20 2689 free_page((unsigned long)nosec_save);
1da177e4
LT		 2690out:
2691 return rc;
2692}
2693
026eb167
EP		 2694static int selinux_sb_remount(struct super_block *sb, void *data)
2695{
2696 int rc, i, *flags;
2697 struct security_mnt_opts opts;
2698 char *secdata, **mount_options;
2699 struct superblock_security_struct *sbsec = sb->s_security;
2700
2701 if (!(sbsec->flags & SE_SBINITIALIZED))
2702 return 0;
2703
2704 if (!data)
2705 return 0;
2706
2707 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2708 return 0;
2709
2710 security_init_mnt_opts(&opts);
2711 secdata = alloc_secdata();
2712 if (!secdata)
2713 return -ENOMEM;
2714 rc = selinux_sb_copy_data(data, secdata);
2715 if (rc)
2716 goto out_free_secdata;
2717
2718 rc = selinux_parse_opts_str(secdata, &opts);
2719 if (rc)
2720 goto out_free_secdata;
2721
2722 mount_options = opts.mnt_opts;
2723 flags = opts.mnt_opts_flags;
2724
2725 for (i = 0; i < opts.num_mnt_opts; i++) {
2726 u32 sid;
026eb167 2727
12f348b9 2728 if (flags[i] == SBLABEL_MNT)
026eb167 2729 continue;
44be2f65 2730 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2731 if (rc) {
44be2f65 2732 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2733 "(%s) failed for (dev %s, type %s) errno=%d\n",
2734 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2735 goto out_free_opts;
2736 }
2737 rc = -EINVAL;
2738 switch (flags[i]) {
2739 case FSCONTEXT_MNT:
2740 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2741 goto out_bad_option;
2742 break;
2743 case CONTEXT_MNT:
2744 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2745 goto out_bad_option;
2746 break;
2747 case ROOTCONTEXT_MNT: {
2748 struct inode_security_struct *root_isec;
83da53c5 2749 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2750
2751 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2752 goto out_bad_option;
2753 break;
2754 }
2755 case DEFCONTEXT_MNT:
2756 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2757 goto out_bad_option;
2758 break;
2759 default:
2760 goto out_free_opts;
2761 }
2762 }
2763
2764 rc = 0;
2765out_free_opts:
2766 security_free_mnt_opts(&opts);
2767out_free_secdata:
2768 free_secdata(secdata);
2769 return rc;
2770out_bad_option:
2771 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2772 "during remount (dev %s, type=%s)\n", sb->s_id,
2773 sb->s_type->name);
026eb167
EP		 2774 goto out_free_opts;
2775}
2776
12204e24 2777static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2778{
88e67f3b 2779 const struct cred *cred = current_cred();
2bf49690 2780 struct common_audit_data ad;
1da177e4
LT		 2781 int rc;
2782
2783 rc = superblock_doinit(sb, data);
2784 if (rc)
2785 return rc;
2786
74192246
JM		 2787 /* Allow all mounts performed by the kernel */
2788 if (flags & MS_KERNMOUNT)
2789 return 0;
2790
50c205f5 2791 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2792 ad.u.dentry = sb->s_root;
88e67f3b 2793 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2794}
2795
726c3342 2796static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2797{
88e67f3b 2798 const struct cred *cred = current_cred();
2bf49690 2799 struct common_audit_data ad;
1da177e4 2800
50c205f5 2801 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2802 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2803 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2804}
2805
808d4e3c 2806static int selinux_mount(const char *dev_name,
8a04c43b 2807 const struct path *path,
808d4e3c 2808 const char *type,
828dfe1d
EP		 2809 unsigned long flags,
2810 void *data)
1da177e4 2811{
88e67f3b 2812 const struct cred *cred = current_cred();
1da177e4
LT		 2813
2814 if (flags & MS_REMOUNT)
d8c9584e 2815 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2816 FILESYSTEM__REMOUNT, NULL);
1da177e4 2817 else
2875fa00 2818 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2819}
2820
2821static int selinux_umount(struct vfsmount *mnt, int flags)
2822{
88e67f3b 2823 const struct cred *cred = current_cred();
1da177e4 2824
88e67f3b 2825 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2826 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2827}
2828
2829/* inode security operations */
2830
2831static int selinux_inode_alloc_security(struct inode *inode)
2832{
2833 return inode_alloc_security(inode);
2834}
2835
2836static void selinux_inode_free_security(struct inode *inode)
2837{
2838 inode_free_security(inode);
2839}
2840
d47be3df 2841static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2842 const struct qstr *name, void **ctx,
d47be3df
DQ		 2843 u32 *ctxlen)
2844{
d47be3df
DQ		 2845 u32 newsid;
2846 int rc;
2847
c957f6df
VG		 2848 rc = selinux_determine_inode_label(current_security(),
2849 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2850 inode_mode_to_security_class(mode),
2851 &newsid);
2852 if (rc)
2853 return rc;
d47be3df
DQ		 2854
2855 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2856}
2857
a518b0a5
VG		 2858static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2859 struct qstr *name,
2860 const struct cred *old,
2861 struct cred *new)
2862{
2863 u32 newsid;
2864 int rc;
2865 struct task_security_struct *tsec;
2866
2867 rc = selinux_determine_inode_label(old->security,
2868 d_inode(dentry->d_parent), name,
2869 inode_mode_to_security_class(mode),
2870 &newsid);
2871 if (rc)
2872 return rc;
2873
2874 tsec = new->security;
2875 tsec->create_sid = newsid;
2876 return 0;
2877}
2878
5e41ff9e 2879static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2880 const struct qstr *qstr,
2881 const char **name,
2a7dba39 2882 void **value, size_t *len)
5e41ff9e 2883{
5fb49870 2884 const struct task_security_struct *tsec = current_security();
5e41ff9e 2885 struct superblock_security_struct *sbsec;
275bb41e 2886 u32 sid, newsid, clen;
5e41ff9e 2887 int rc;
9548906b 2888 char *context;
5e41ff9e 2889
5e41ff9e 2890 sbsec = dir->i_sb->s_security;
5e41ff9e 2891
275bb41e
DH		 2892 sid = tsec->sid;
2893 newsid = tsec->create_sid;
2894
c957f6df 2895 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2896 dir, qstr,
2897 inode_mode_to_security_class(inode->i_mode),
2898 &newsid);
2899 if (rc)
2900 return rc;
5e41ff9e 2901
296fddf7 2902 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2903 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2904 struct inode_security_struct *isec = inode->i_security;
2905 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2906 isec->sid = newsid;
6f3be9f5 2907 isec->initialized = LABEL_INITIALIZED;
296fddf7 2908 }
5e41ff9e 2909
12f348b9 2910 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2911 return -EOPNOTSUPP;
2912
9548906b
TH		 2913 if (name)
2914 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2915
570bc1c2 2916 if (value && len) {
12b29f34 2917 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2918 if (rc)
570bc1c2 2919 return rc;
570bc1c2
SS		 2920 *value = context;
2921 *len = clen;
5e41ff9e 2922 }
5e41ff9e 2923
5e41ff9e
SS		 2924 return 0;
2925}
2926
4acdaf27 2927static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2928{
2929 return may_create(dir, dentry, SECCLASS_FILE);
2930}
2931
1da177e4
LT		 2932static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2933{
1da177e4
LT		 2934 return may_link(dir, old_dentry, MAY_LINK);
2935}
2936
1da177e4
LT		 2937static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2938{
1da177e4
LT		 2939 return may_link(dir, dentry, MAY_UNLINK);
2940}
2941
2942static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2943{
2944 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2945}
2946
18bb1db3 2947static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2948{
2949 return may_create(dir, dentry, SECCLASS_DIR);
2950}
2951
1da177e4
LT		 2952static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2953{
2954 return may_link(dir, dentry, MAY_RMDIR);
2955}
2956
1a67aafb 2957static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2958{
1da177e4
LT		 2959 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2960}
2961
1da177e4 2962static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2963 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2964{
2965 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2966}
2967
1da177e4
LT		 2968static int selinux_inode_readlink(struct dentry *dentry)
2969{
88e67f3b
DH		 2970 const struct cred *cred = current_cred();
2971
2875fa00 2972 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2973}
2974
bda0be7a
N		 2975static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2976 bool rcu)
1da177e4 2977{
88e67f3b 2978 const struct cred *cred = current_cred();
bda0be7a
N		 2979 struct common_audit_data ad;
2980 struct inode_security_struct *isec;
2981 u32 sid;
1da177e4 2982
bda0be7a
N		 2983 validate_creds(cred);
2984
2985 ad.type = LSM_AUDIT_DATA_DENTRY;
2986 ad.u.dentry = dentry;
2987 sid = cred_sid(cred);
5d226df4
AG		 2988 isec = inode_security_rcu(inode, rcu);
2989 if (IS_ERR(isec))
2990 return PTR_ERR(isec);
bda0be7a
N		 2991
2992 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2993 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2994}
2995
d4cf970d
EP		 2996static noinline int audit_inode_permission(struct inode *inode,
2997 u32 perms, u32 audited, u32 denied,
626b9740 2998 int result,
d4cf970d 2999 unsigned flags)
1da177e4 3000{
b782e0a6 3001 struct common_audit_data ad;
d4cf970d
EP		 3002 struct inode_security_struct *isec = inode->i_security;
3003 int rc;
3004
50c205f5 3005 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3006 ad.u.inode = inode;
3007
3008 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 3009 audited, denied, result, &ad, flags);
d4cf970d
EP		 3010 if (rc)
3011 return rc;
3012 return 0;
3013}
3014
e74f71eb 3015static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3016{
88e67f3b 3017 const struct cred *cred = current_cred();
b782e0a6
EP		 3018 u32 perms;
3019 bool from_access;
cf1dd1da 3020 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3021 struct inode_security_struct *isec;
3022 u32 sid;
3023 struct av_decision avd;
3024 int rc, rc2;
3025 u32 audited, denied;
1da177e4 3026
b782e0a6 3027 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3028 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3029
b782e0a6
EP		 3030 /* No permission to check. Existence test. */
3031 if (!mask)
1da177e4 3032 return 0;
1da177e4 3033
2e334057 3034 validate_creds(cred);
b782e0a6 3035
2e334057
EP		 3036 if (unlikely(IS_PRIVATE(inode)))
3037 return 0;
b782e0a6
EP		 3038
3039 perms = file_mask_to_av(inode->i_mode, mask);
3040
2e334057 3041 sid = cred_sid(cred);
5d226df4
AG		 3042 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3043 if (IS_ERR(isec))
3044 return PTR_ERR(isec);
2e334057
EP		 3045
3046 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3047 audited = avc_audit_required(perms, &avd, rc,
3048 from_access ? FILE__AUDIT_ACCESS : 0,
3049 &denied);
3050 if (likely(!audited))
3051 return rc;
3052
626b9740 3053 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3054 if (rc2)
3055 return rc2;
3056 return rc;
1da177e4
LT		 3057}
3058
3059static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3060{
88e67f3b 3061 const struct cred *cred = current_cred();
bc6a6008 3062 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3063 __u32 av = FILE__WRITE;
1da177e4 3064
bc6a6008
AW		 3065 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3066 if (ia_valid & ATTR_FORCE) {
3067 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3068 ATTR_FORCE);
3069 if (!ia_valid)
3070 return 0;
3071 }
1da177e4 3072
bc6a6008
AW		 3073 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3074 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3075 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3076
44d37ad3
JVS		 3077 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3078 && !(ia_valid & ATTR_FILE))
95dbf739
EP		 3079 av |= FILE__OPEN;
3080
3081 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3082}
3083
3f7036a0 3084static int selinux_inode_getattr(const struct path *path)
1da177e4 3085{
3f7036a0 3086 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3087}
3088
8f0cfa52 3089static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3090{
88e67f3b
DH		 3091 const struct cred *cred = current_cred();
3092
b5376771
SH		 3093 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3094 sizeof XATTR_SECURITY_PREFIX - 1)) {
3095 if (!strcmp(name, XATTR_NAME_CAPS)) {
3096 if (!capable(CAP_SETFCAP))
3097 return -EPERM;
3098 } else if (!capable(CAP_SYS_ADMIN)) {
3099 /* A different attribute in the security namespace.
3100 Restrict to administrator. */
3101 return -EPERM;
3102 }
3103 }
3104
3105 /* Not an attribute we recognize, so just check the
3106 ordinary setattr permission. */
2875fa00 3107 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3108}
3109
8f0cfa52
DH		 3110static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3111 const void *value, size_t size, int flags)
1da177e4 3112{
c6f493d6 3113 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3114 struct inode_security_struct *isec;
1da177e4 3115 struct superblock_security_struct *sbsec;
2bf49690 3116 struct common_audit_data ad;
275bb41e 3117 u32 newsid, sid = current_sid();
1da177e4
LT		 3118 int rc = 0;
3119
b5376771
SH		 3120 if (strcmp(name, XATTR_NAME_SELINUX))
3121 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3122
3123 sbsec = inode->i_sb->s_security;
12f348b9 3124 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3125 return -EOPNOTSUPP;
3126
2e149670 3127 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3128 return -EPERM;
3129
50c205f5 3130 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3131 ad.u.dentry = dentry;
1da177e4 3132
20cdef8d 3133 isec = backing_inode_security(dentry);
275bb41e 3134 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3135 FILE__RELABELFROM, &ad);
3136 if (rc)
3137 return rc;
3138
52a4c640 3139 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3140 if (rc == -EINVAL) {
d6ea83ec
EP		 3141 if (!capable(CAP_MAC_ADMIN)) {
3142 struct audit_buffer *ab;
3143 size_t audit_size;
3144 const char *str;
3145
3146 /* We strip a nul only if it is at the end, otherwise the
3147 * context contains a nul and we should audit that */
e3fea3f7
AV		 3148 if (value) {
3149 str = value;
3150 if (str[size - 1] == '\0')
3151 audit_size = size - 1;
3152 else
3153 audit_size = size;
3154 } else {
3155 str = "";
3156 audit_size = 0;
3157 }
d6ea83ec
EP		 3158 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3159 audit_log_format(ab, "op=setxattr invalid_context=");
3160 audit_log_n_untrustedstring(ab, value, audit_size);
3161 audit_log_end(ab);
3162
12b29f34 3163 return rc;
d6ea83ec 3164 }
12b29f34
SS		 3165 rc = security_context_to_sid_force(value, size, &newsid);
3166 }
1da177e4
LT		 3167 if (rc)
3168 return rc;
3169
275bb41e 3170 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3171 FILE__RELABELTO, &ad);
3172 if (rc)
3173 return rc;
3174
275bb41e 3175 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3176 isec->sclass);
1da177e4
LT		 3177 if (rc)
3178 return rc;
3179
3180 return avc_has_perm(newsid,
3181 sbsec->sid,
3182 SECCLASS_FILESYSTEM,
3183 FILESYSTEM__ASSOCIATE,
3184 &ad);
3185}
3186
8f0cfa52 3187static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3188 const void *value, size_t size,
8f0cfa52 3189 int flags)
1da177e4 3190{
c6f493d6 3191 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3192 struct inode_security_struct *isec;
1da177e4
LT		 3193 u32 newsid;
3194 int rc;
3195
3196 if (strcmp(name, XATTR_NAME_SELINUX)) {
3197 /* Not an attribute we recognize, so nothing to do. */
3198 return;
3199 }
3200
12b29f34 3201 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3202 if (rc) {
12b29f34
SS		 3203 printk(KERN_ERR "SELinux: unable to map context to SID"
3204 "for (%s, %lu), rc=%d\n",
3205 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3206 return;
3207 }
3208
20cdef8d 3209 isec = backing_inode_security(dentry);
9287aed2 3210 spin_lock(&isec->lock);
aa9c2669 3211 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3212 isec->sid = newsid;
6f3be9f5 3213 isec->initialized = LABEL_INITIALIZED;
9287aed2 3214 spin_unlock(&isec->lock);
aa9c2669 3215
1da177e4
LT		 3216 return;
3217}
3218
8f0cfa52 3219static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3220{
88e67f3b
DH		 3221 const struct cred *cred = current_cred();
3222
2875fa00 3223 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3224}
3225
828dfe1d 3226static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3227{
88e67f3b
DH		 3228 const struct cred *cred = current_cred();
3229
2875fa00 3230 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3231}
3232
8f0cfa52 3233static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3234{
b5376771
SH		 3235 if (strcmp(name, XATTR_NAME_SELINUX))
3236 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3237
3238 /* No one is allowed to remove a SELinux security label.
3239 You can change the label, but all data must be labeled. */
3240 return -EACCES;
3241}
3242
d381d8a9 3243/*
abc69bb6 3244 * Copy the inode security context value to the user.
d381d8a9
JM		 3245 *
3246 * Permission check is handled by selinux_inode_getxattr hook.
3247 */
ea861dfd 3248static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3249{
42492594
DQ		 3250 u32 size;
3251 int error;
3252 char *context = NULL;
20cdef8d 3253 struct inode_security_struct *isec;
d381d8a9 3254
8c8570fb
DK		 3255 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3256 return -EOPNOTSUPP;
d381d8a9 3257
abc69bb6
SS		 3258 /*
3259 * If the caller has CAP_MAC_ADMIN, then get the raw context
3260 * value even if it is not defined by current policy; otherwise,
3261 * use the in-core value under current policy.
3262 * Use the non-auditing forms of the permission checks since
3263 * getxattr may be called by unprivileged processes commonly
3264 * and lack of permission just means that we fall back to the
3265 * in-core context value, not a denial.
3266 */
b1d9e6b0
CS		 3267 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3268 SECURITY_CAP_NOAUDIT);
3269 if (!error)
3270 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
8e4ff6f2 3271 SECURITY_CAP_NOAUDIT, true);
20cdef8d 3272 isec = inode_security(inode);
abc69bb6
SS		 3273 if (!error)
3274 error = security_sid_to_context_force(isec->sid, &context,
3275 &size);
3276 else
3277 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3278 if (error)
3279 return error;
3280 error = size;
3281 if (alloc) {
3282 *buffer = context;
3283 goto out_nofree;
3284 }
3285 kfree(context);
3286out_nofree:
3287 return error;
1da177e4
LT		 3288}
3289
3290static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3291 const void *value, size_t size, int flags)
1da177e4 3292{
2c97165b 3293 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3294 u32 newsid;
3295 int rc;
3296
3297 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3298 return -EOPNOTSUPP;
3299
3300 if (!value || !size)
3301 return -EACCES;
3302
20ba96ae 3303 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3304 if (rc)
3305 return rc;
3306
9287aed2 3307 spin_lock(&isec->lock);
aa9c2669 3308 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3309 isec->sid = newsid;
6f3be9f5 3310 isec->initialized = LABEL_INITIALIZED;
9287aed2 3311 spin_unlock(&isec->lock);
1da177e4
LT		 3312 return 0;
3313}
3314
3315static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3316{
3317 const int len = sizeof(XATTR_NAME_SELINUX);
3318 if (buffer && len <= buffer_size)
3319 memcpy(buffer, XATTR_NAME_SELINUX, len);
3320 return len;
3321}
3322
d6335d77 3323static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3324{
e817c2f3 3325 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3326 *secid = isec->sid;
3327}
3328
56909eb3
VG		 3329static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3330{
3331 u32 sid;
3332 struct task_security_struct *tsec;
3333 struct cred *new_creds = *new;
3334
3335 if (new_creds == NULL) {
3336 new_creds = prepare_creds();
3337 if (!new_creds)
3338 return -ENOMEM;
3339 }
3340
3341 tsec = new_creds->security;
3342 /* Get label from overlay inode and set it in create_sid */
3343 selinux_inode_getsecid(d_inode(src), &sid);
3344 tsec->create_sid = sid;
3345 *new = new_creds;
3346 return 0;
3347}
3348
19472b69
VG		 3349static int selinux_inode_copy_up_xattr(const char *name)
3350{
3351 /* The copy_up hook above sets the initial context on an inode, but we
3352 * don't then want to overwrite it by blindly copying all the lower
3353 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3354 */
3355 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3356 return 1; /* Discard */
3357 /*
3358 * Any other attribute apart from SELINUX is not claimed, supported
3359 * by selinux.
3360 */
3361 return -EOPNOTSUPP;
3362}
3363
1da177e4
LT		 3364/* file security operations */
3365
788e7dd4 3366static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3367{
88e67f3b 3368 const struct cred *cred = current_cred();
496ad9aa 3369 struct inode *inode = file_inode(file);
1da177e4 3370
1da177e4
LT		 3371 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3372 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3373 mask |= MAY_APPEND;
3374
389fb800
PM		 3375 return file_has_perm(cred, file,
3376 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3377}
3378
788e7dd4
YN		 3379static int selinux_file_permission(struct file *file, int mask)
3380{
496ad9aa 3381 struct inode *inode = file_inode(file);
20dda18b 3382 struct file_security_struct *fsec = file->f_security;
b197367e 3383 struct inode_security_struct *isec;
20dda18b
SS		 3384 u32 sid = current_sid();
3385
389fb800 3386 if (!mask)
788e7dd4
YN		 3387 /* No permission to check. Existence test. */
3388 return 0;
788e7dd4 3389
b197367e 3390 isec = inode_security(inode);
20dda18b
SS		 3391 if (sid == fsec->sid && fsec->isid == isec->sid &&
3392 fsec->pseqno == avc_policy_seqno())
83d49856 3393 /* No change since file_open check. */
20dda18b
SS		 3394 return 0;
3395
788e7dd4
YN		 3396 return selinux_revalidate_file_permission(file, mask);
3397}
3398
1da177e4
LT		 3399static int selinux_file_alloc_security(struct file *file)
3400{
3401 return file_alloc_security(file);
3402}
3403
3404static void selinux_file_free_security(struct file *file)
3405{
3406 file_free_security(file);
3407}
3408
fa1aa143
JVS		 3409/*
3410 * Check whether a task has the ioctl permission and cmd
3411 * operation to an inode.
3412 */
1d2a168a 3413static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3414 u32 requested, u16 cmd)
3415{
3416 struct common_audit_data ad;
3417 struct file_security_struct *fsec = file->f_security;
3418 struct inode *inode = file_inode(file);
20cdef8d 3419 struct inode_security_struct *isec;
fa1aa143
JVS		 3420 struct lsm_ioctlop_audit ioctl;
3421 u32 ssid = cred_sid(cred);
3422 int rc;
3423 u8 driver = cmd >> 8;
3424 u8 xperm = cmd & 0xff;
3425
3426 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3427 ad.u.op = &ioctl;
3428 ad.u.op->cmd = cmd;
3429 ad.u.op->path = file->f_path;
3430
3431 if (ssid != fsec->sid) {
3432 rc = avc_has_perm(ssid, fsec->sid,
3433 SECCLASS_FD,
3434 FD__USE,
3435 &ad);
3436 if (rc)
3437 goto out;
3438 }
3439
3440 if (unlikely(IS_PRIVATE(inode)))
3441 return 0;
3442
20cdef8d 3443 isec = inode_security(inode);
fa1aa143
JVS		 3444 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3445 requested, driver, xperm, &ad);
3446out:
3447 return rc;
3448}
3449
1da177e4
LT		 3450static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3451 unsigned long arg)
3452{
88e67f3b 3453 const struct cred *cred = current_cred();
0b24dcb7 3454 int error = 0;
1da177e4 3455
0b24dcb7
EP		 3456 switch (cmd) {
3457 case FIONREAD:
3458 /* fall through */
3459 case FIBMAP:
3460 /* fall through */
3461 case FIGETBSZ:
3462 /* fall through */
2f99c369 3463 case FS_IOC_GETFLAGS:
0b24dcb7 3464 /* fall through */
2f99c369 3465 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3466 error = file_has_perm(cred, file, FILE__GETATTR);
3467 break;
1da177e4 3468
2f99c369 3469 case FS_IOC_SETFLAGS:
0b24dcb7 3470 /* fall through */
2f99c369 3471 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3472 error = file_has_perm(cred, file, FILE__SETATTR);
3473 break;
3474
3475 /* sys_ioctl() checks */
3476 case FIONBIO:
3477 /* fall through */
3478 case FIOASYNC:
3479 error = file_has_perm(cred, file, 0);
3480 break;
1da177e4 3481
0b24dcb7
EP		 3482 case KDSKBENT:
3483 case KDSKBSENT:
6a9de491 3484 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3485 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3486 break;
3487
3488 /* default case assumes that the command will go
3489 * to the file's ioctl() function.
3490 */
3491 default:
fa1aa143 3492 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3493 }
3494 return error;
1da177e4
LT		 3495}
3496
fcaaade1
SS		 3497static int default_noexec;
3498
1da177e4
LT		 3499static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3500{
88e67f3b 3501 const struct cred *cred = current_cred();
be0554c9 3502 u32 sid = cred_sid(cred);
d84f4f99 3503 int rc = 0;
88e67f3b 3504
fcaaade1 3505 if (default_noexec &&
892e8cac
SS		 3506 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3507 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3508 /*
3509 * We are making executable an anonymous mapping or a
3510 * private file mapping that will also be writable.
3511 * This has an additional check.
3512 */
be0554c9
SS		 3513 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3514 PROCESS__EXECMEM, NULL);
1da177e4 3515 if (rc)
d84f4f99 3516 goto error;
1da177e4 3517 }
1da177e4
LT		 3518
3519 if (file) {
3520 /* read access is always possible with a mapping */
3521 u32 av = FILE__READ;
3522
3523 /* write access only matters if the mapping is shared */
3524 if (shared && (prot & PROT_WRITE))
3525 av |= FILE__WRITE;
3526
3527 if (prot & PROT_EXEC)
3528 av |= FILE__EXECUTE;
3529
88e67f3b 3530 return file_has_perm(cred, file, av);
1da177e4 3531 }
d84f4f99
DH		 3532
3533error:
3534 return rc;
1da177e4
LT		 3535}
3536
e5467859 3537static int selinux_mmap_addr(unsigned long addr)
1da177e4 3538{
b1d9e6b0 3539 int rc = 0;
1da177e4 3540
a2551df7 3541 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3542 u32 sid = current_sid();
ed032189
EP		 3543 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3544 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3545 }
3546
98883bfd 3547 return rc;
e5467859 3548}
1da177e4 3549
e5467859
AV		 3550static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3551 unsigned long prot, unsigned long flags)
3552{
1da177e4
LT		 3553 if (selinux_checkreqprot)
3554 prot = reqprot;
3555
3556 return file_map_prot_check(file, prot,
3557 (flags & MAP_TYPE) == MAP_SHARED);
3558}
3559
3560static int selinux_file_mprotect(struct vm_area_struct *vma,
3561 unsigned long reqprot,
3562 unsigned long prot)
3563{
88e67f3b 3564 const struct cred *cred = current_cred();
be0554c9 3565 u32 sid = cred_sid(cred);
1da177e4
LT		 3566
3567 if (selinux_checkreqprot)
3568 prot = reqprot;
3569
fcaaade1
SS		 3570 if (default_noexec &&
3571 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3572 int rc = 0;
db4c9641
SS		 3573 if (vma->vm_start >= vma->vm_mm->start_brk &&
3574 vma->vm_end <= vma->vm_mm->brk) {
be0554c9
SS		 3575 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3576 PROCESS__EXECHEAP, NULL);
db4c9641 3577 } else if (!vma->vm_file &&
c2316dbf
SS		 3578 ((vma->vm_start <= vma->vm_mm->start_stack &&
3579 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3580 vma_is_stack_for_current(vma))) {
be0554c9
SS		 3581 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3582 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3583 } else if (vma->vm_file && vma->anon_vma) {
3584 /*
3585 * We are making executable a file mapping that has
3586 * had some COW done. Since pages might have been
3587 * written, check ability to execute the possibly
3588 * modified content. This typically should only
3589 * occur for text relocations.
3590 */
d84f4f99 3591 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3592 }