]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: Add IB Port SMP access vector
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
828dfe1d
EP		 7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13 * Eric Paris <[email protected]>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <[email protected]>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <[email protected]>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <[email protected]>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
1da177e4
LT		 70#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */
73#include <linux/parser.h>
74#include <linux/nfs_mount.h>
75#include <net/ipv6.h>
76#include <linux/hugetlb.h>
77#include <linux/personality.h>
1da177e4 78#include <linux/audit.h>
6931dfc9 79#include <linux/string.h>
877ce7c1 80#include <linux/selinux.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
1da177e4
LT		 88
89#include "avc.h"
90#include "objsec.h"
91#include "netif.h"
224dfbd8 92#include "netnode.h"
3e112172 93#include "netport.h"
d28d1e08 94#include "xfrm.h"
c60475bf 95#include "netlabel.h"
9d57a7f9 96#include "audit.h"
7b98a585 97#include "avc_ss.h"
1da177e4 98
d621d35e 99/* SECMARK reference count */
56a4ca99 100static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 101
1da177e4 102#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 103int selinux_enforcing;
1da177e4
LT		 104
105static int __init enforcing_setup(char *str)
106{
f5269710 107 unsigned long enforcing;
29707b20 108 if (!kstrtoul(str, 0, &enforcing))
f5269710 109 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 110 return 1;
111}
112__setup("enforcing=", enforcing_setup);
113#endif
114
115#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118static int __init selinux_enabled_setup(char *str)
119{
f5269710 120 unsigned long enabled;
29707b20 121 if (!kstrtoul(str, 0, &enabled))
f5269710 122 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 123 return 1;
124}
125__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 126#else
127int selinux_enabled = 1;
1da177e4
LT		 128#endif
129
e18b890b 130static struct kmem_cache *sel_inode_cache;
63205654 131static struct kmem_cache *file_security_cache;
7cae7e26 132
d621d35e
PM		 133/**
134 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 *
136 * Description:
137 * This function checks the SECMARK reference counter to see if any SECMARK
138 * targets are currently configured, if the reference counter is greater than
139 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 140 * enabled, false (0) if SECMARK is disabled. If the always_check_network
141 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 142 *
143 */
144static int selinux_secmark_enabled(void)
145{
2be4d74f
CP		 146 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
147}
148
149/**
150 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151 *
152 * Description:
153 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
154 * (1) if any are enabled or false (0) if neither are enabled. If the
155 * always_check_network policy capability is enabled, peer labeling
156 * is always considered enabled.
157 *
158 */
159static int selinux_peerlbl_enabled(void)
160{
161 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 162}
163
615e51fd
PM		 164static int selinux_netcache_avc_callback(u32 event)
165{
166 if (event == AVC_CALLBACK_RESET) {
167 sel_netif_flush();
168 sel_netnode_flush();
169 sel_netport_flush();
170 synchronize_net();
171 }
172 return 0;
173}
174
8f408ab6
DJ		 175static int selinux_lsm_notifier_avc_callback(u32 event)
176{
177 if (event == AVC_CALLBACK_RESET)
178 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
179
180 return 0;
181}
182
d84f4f99
DH		 183/*
184 * initialise the security for the init task
185 */
186static void cred_init_security(void)
1da177e4 187{
3b11a1de 188 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 189 struct task_security_struct *tsec;
190
89d155ef 191 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 192 if (!tsec)
d84f4f99 193 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 194
d84f4f99 195 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 196 cred->security = tsec;
1da177e4
LT		 197}
198
88e67f3b
DH		 199/*
200 * get the security ID of a set of credentials
201 */
202static inline u32 cred_sid(const struct cred *cred)
203{
204 const struct task_security_struct *tsec;
205
206 tsec = cred->security;
207 return tsec->sid;
208}
209
275bb41e 210/*
3b11a1de 211 * get the objective security ID of a task
275bb41e
DH		 212 */
213static inline u32 task_sid(const struct task_struct *task)
214{
275bb41e
DH		 215 u32 sid;
216
217 rcu_read_lock();
88e67f3b 218 sid = cred_sid(__task_cred(task));
275bb41e
DH		 219 rcu_read_unlock();
220 return sid;
221}
222
88e67f3b
DH		 223/* Allocate and free functions for each kind of security blob. */
224
1da177e4
LT		 225static int inode_alloc_security(struct inode *inode)
226{
1da177e4 227 struct inode_security_struct *isec;
275bb41e 228 u32 sid = current_sid();
1da177e4 229
a02fe132 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 231 if (!isec)
232 return -ENOMEM;
233
9287aed2 234 spin_lock_init(&isec->lock);
1da177e4 235 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
275bb41e 239 isec->task_sid = sid;
42059112 240 isec->initialized = LABEL_INVALID;
1da177e4
LT		 241 inode->i_security = isec;
242
243 return 0;
244}
245
5d226df4
AG		 246static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
247
248/*
249 * Try reloading inode security labels that have been marked as invalid. The
250 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 251 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 252 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
253 * when no dentry is available, set it to NULL instead.
254 */
255static int __inode_security_revalidate(struct inode *inode,
256 struct dentry *opt_dentry,
257 bool may_sleep)
258{
259 struct inode_security_struct *isec = inode->i_security;
260
261 might_sleep_if(may_sleep);
262
1ac42476 263 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 264 if (!may_sleep)
265 return -ECHILD;
266
267 /*
268 * Try reloading the inode security label. This will fail if
269 * @opt_dentry is NULL and no dentry for this inode can be
270 * found; in that case, continue using the old label.
271 */
272 inode_doinit_with_dentry(inode, opt_dentry);
273 }
274 return 0;
275}
276
5d226df4
AG		 277static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
278{
279 return inode->i_security;
280}
281
282static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
283{
284 int error;
285
286 error = __inode_security_revalidate(inode, NULL, !rcu);
287 if (error)
288 return ERR_PTR(error);
289 return inode->i_security;
290}
291
83da53c5
AG		 292/*
293 * Get the security label of an inode.
294 */
295static struct inode_security_struct *inode_security(struct inode *inode)
296{
5d226df4 297 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 298 return inode->i_security;
299}
300
2c97165b
PM		 301static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
302{
303 struct inode *inode = d_backing_inode(dentry);
304
305 return inode->i_security;
306}
307
83da53c5
AG		 308/*
309 * Get the security label of a dentry's backing inode.
310 */
311static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
312{
313 struct inode *inode = d_backing_inode(dentry);
314
5d226df4 315 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 316 return inode->i_security;
317}
318
3dc91d43
SR		 319static void inode_free_rcu(struct rcu_head *head)
320{
321 struct inode_security_struct *isec;
322
323 isec = container_of(head, struct inode_security_struct, rcu);
324 kmem_cache_free(sel_inode_cache, isec);
325}
326
1da177e4
LT		 327static void inode_free_security(struct inode *inode)
328{
329 struct inode_security_struct *isec = inode->i_security;
330 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
331
9629d04a
WL		 332 /*
333 * As not all inode security structures are in a list, we check for
334 * empty list outside of the lock to make sure that we won't waste
335 * time taking a lock doing nothing.
336 *
337 * The list_del_init() function can be safely called more than once.
338 * It should not be possible for this function to be called with
339 * concurrent list_add(), but for better safety against future changes
340 * in the code, we use list_empty_careful() here.
341 */
342 if (!list_empty_careful(&isec->list)) {
343 spin_lock(&sbsec->isec_lock);
1da177e4 344 list_del_init(&isec->list);
9629d04a
WL		 345 spin_unlock(&sbsec->isec_lock);
346 }
1da177e4 347
3dc91d43
SR		 348 /*
349 * The inode may still be referenced in a path walk and
350 * a call to selinux_inode_permission() can be made
351 * after inode_free_security() is called. Ideally, the VFS
352 * wouldn't do this, but fixing that is a much harder
353 * job. For now, simply free the i_security via RCU, and
354 * leave the current inode->i_security pointer intact.
355 * The inode will be freed after the RCU grace period too.
356 */
357 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 358}
359
360static int file_alloc_security(struct file *file)
361{
1da177e4 362 struct file_security_struct *fsec;
275bb41e 363 u32 sid = current_sid();
1da177e4 364
63205654 365 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 366 if (!fsec)
367 return -ENOMEM;
368
275bb41e
DH		 369 fsec->sid = sid;
370 fsec->fown_sid = sid;
1da177e4
LT		 371 file->f_security = fsec;
372
373 return 0;
374}
375
376static void file_free_security(struct file *file)
377{
378 struct file_security_struct *fsec = file->f_security;
1da177e4 379 file->f_security = NULL;
63205654 380 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 381}
382
383static int superblock_alloc_security(struct super_block *sb)
384{
385 struct superblock_security_struct *sbsec;
386
89d155ef 387 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 388 if (!sbsec)
389 return -ENOMEM;
390
bc7e982b 391 mutex_init(&sbsec->lock);
1da177e4
LT		 392 INIT_LIST_HEAD(&sbsec->isec_head);
393 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 394 sbsec->sb = sb;
395 sbsec->sid = SECINITSID_UNLABELED;
396 sbsec->def_sid = SECINITSID_FILE;
c312feb2 397 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 398 sb->s_security = sbsec;
399
400 return 0;
401}
402
403static void superblock_free_security(struct super_block *sb)
404{
405 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 406 sb->s_security = NULL;
407 kfree(sbsec);
408}
409
1da177e4
LT		 410static inline int inode_doinit(struct inode *inode)
411{
412 return inode_doinit_with_dentry(inode, NULL);
413}
414
415enum {
31e87930 416 Opt_error = -1,
1da177e4
LT		 417 Opt_context = 1,
418 Opt_fscontext = 2,
c9180a57
EP		 419 Opt_defcontext = 3,
420 Opt_rootcontext = 4,
11689d47 421 Opt_labelsupport = 5,
d355987f 422 Opt_nextmntopt = 6,
1da177e4
LT		 423};
424
d355987f
EP		 425#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
426
a447c093 427static const match_table_t tokens = {
832cbd9a
EP		 428 {Opt_context, CONTEXT_STR "%s"},
429 {Opt_fscontext, FSCONTEXT_STR "%s"},
430 {Opt_defcontext, DEFCONTEXT_STR "%s"},
431 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 432 {Opt_labelsupport, LABELSUPP_STR},
31e87930 433 {Opt_error, NULL},
1da177e4
LT		 434};
435
436#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
437
c312feb2
EP		 438static int may_context_mount_sb_relabel(u32 sid,
439 struct superblock_security_struct *sbsec,
275bb41e 440 const struct cred *cred)
c312feb2 441{
275bb41e 442 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 443 int rc;
444
445 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
446 FILESYSTEM__RELABELFROM, NULL);
447 if (rc)
448 return rc;
449
450 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
451 FILESYSTEM__RELABELTO, NULL);
452 return rc;
453}
454
0808925e
EP		 455static int may_context_mount_inode_relabel(u32 sid,
456 struct superblock_security_struct *sbsec,
275bb41e 457 const struct cred *cred)
0808925e 458{
275bb41e 459 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 460 int rc;
461 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
462 FILESYSTEM__RELABELFROM, NULL);
463 if (rc)
464 return rc;
465
466 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
467 FILESYSTEM__ASSOCIATE, NULL);
468 return rc;
469}
470
b43e725d
EP		 471static int selinux_is_sblabel_mnt(struct super_block *sb)
472{
473 struct superblock_security_struct *sbsec = sb->s_security;
474
d5f3a5f6
MS		 475 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
476 sbsec->behavior == SECURITY_FS_USE_TRANS ||
477 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 478 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 479 /* Special handling. Genfs but also in-core setxattr handler */
480 !strcmp(sb->s_type->name, "sysfs") ||
481 !strcmp(sb->s_type->name, "pstore") ||
482 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 483 !strcmp(sb->s_type->name, "tracefs") ||
2651225b
SS		 484 !strcmp(sb->s_type->name, "rootfs") ||
485 (selinux_policycap_cgroupseclabel &&
486 (!strcmp(sb->s_type->name, "cgroup") ||
487 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 488}
489
c9180a57 490static int sb_finish_set_opts(struct super_block *sb)
1da177e4 491{
1da177e4 492 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 493 struct dentry *root = sb->s_root;
c6f493d6 494 struct inode *root_inode = d_backing_inode(root);
c9180a57 495 int rc = 0;
1da177e4 496
c9180a57
EP		 497 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
498 /* Make sure that the xattr handler exists and that no
499 error other than -ENODATA is returned by getxattr on
500 the root directory. -ENODATA is ok, as this may be
501 the first boot of the SELinux kernel before we have
502 assigned xattr values to the filesystem. */
5d6c3191 503 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 504 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
505 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 506 rc = -EOPNOTSUPP;
507 goto out;
508 }
5d6c3191
AG		 509
510 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 511 if (rc < 0 && rc != -ENODATA) {
512 if (rc == -EOPNOTSUPP)
513 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 514 "%s) has no security xattr handler\n",
515 sb->s_id, sb->s_type->name);
c9180a57
EP		 516 else
517 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 518 "%s) getxattr errno %d\n", sb->s_id,
519 sb->s_type->name, -rc);
c9180a57
EP		 520 goto out;
521 }
522 }
1da177e4 523
eadcabc6 524 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 525 if (selinux_is_sblabel_mnt(sb))
12f348b9 526 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 527
c9180a57
EP		 528 /* Initialize the root inode. */
529 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 530
c9180a57
EP		 531 /* Initialize any other inodes associated with the superblock, e.g.
532 inodes created prior to initial policy load or inodes created
533 during get_sb by a pseudo filesystem that directly
534 populates itself. */
535 spin_lock(&sbsec->isec_lock);
536next_inode:
537 if (!list_empty(&sbsec->isec_head)) {
538 struct inode_security_struct *isec =
539 list_entry(sbsec->isec_head.next,
540 struct inode_security_struct, list);
541 struct inode *inode = isec->inode;
923190d3 542 list_del_init(&isec->list);
c9180a57
EP		 543 spin_unlock(&sbsec->isec_lock);
544 inode = igrab(inode);
545 if (inode) {
546 if (!IS_PRIVATE(inode))
547 inode_doinit(inode);
548 iput(inode);
549 }
550 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 551 goto next_inode;
552 }
553 spin_unlock(&sbsec->isec_lock);
554out:
555 return rc;
556}
1da177e4 557
c9180a57
EP		 558/*
559 * This function should allow an FS to ask what it's mount security
560 * options were so it can use those later for submounts, displaying
561 * mount options, or whatever.
562 */
563static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 564 struct security_mnt_opts *opts)
c9180a57
EP		 565{
566 int rc = 0, i;
567 struct superblock_security_struct *sbsec = sb->s_security;
568 char *context = NULL;
569 u32 len;
570 char tmp;
1da177e4 571
e0007529 572 security_init_mnt_opts(opts);
1da177e4 573
0d90a7ec 574 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 575 return -EINVAL;
1da177e4 576
c9180a57
EP		 577 if (!ss_initialized)
578 return -EINVAL;
1da177e4 579
af8e50cc
EP		 580 /* make sure we always check enough bits to cover the mask */
581 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
582
0d90a7ec 583 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 584 /* count the number of mount options for this sb */
af8e50cc 585 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 586 if (tmp & 0x01)
e0007529 587 opts->num_mnt_opts++;
c9180a57
EP		 588 tmp >>= 1;
589 }
11689d47 590 /* Check if the Label support flag is set */
0b4bdb35 591 if (sbsec->flags & SBLABEL_MNT)
11689d47 592 opts->num_mnt_opts++;
1da177e4 593
e0007529
EP		 594 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
595 if (!opts->mnt_opts) {
c9180a57
EP		 596 rc = -ENOMEM;
597 goto out_free;
598 }
1da177e4 599
e0007529
EP		 600 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
601 if (!opts->mnt_opts_flags) {
c9180a57
EP		 602 rc = -ENOMEM;
603 goto out_free;
604 }
1da177e4 605
c9180a57
EP		 606 i = 0;
607 if (sbsec->flags & FSCONTEXT_MNT) {
608 rc = security_sid_to_context(sbsec->sid, &context, &len);
609 if (rc)
610 goto out_free;
e0007529
EP		 611 opts->mnt_opts[i] = context;
612 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 613 }
614 if (sbsec->flags & CONTEXT_MNT) {
615 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
616 if (rc)
617 goto out_free;
e0007529
EP		 618 opts->mnt_opts[i] = context;
619 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 620 }
621 if (sbsec->flags & DEFCONTEXT_MNT) {
622 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
623 if (rc)
624 goto out_free;
e0007529
EP		 625 opts->mnt_opts[i] = context;
626 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 627 }
628 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 629 struct dentry *root = sbsec->sb->s_root;
630 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 631
c9180a57
EP		 632 rc = security_sid_to_context(isec->sid, &context, &len);
633 if (rc)
634 goto out_free;
e0007529
EP		 635 opts->mnt_opts[i] = context;
636 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 637 }
12f348b9 638 if (sbsec->flags & SBLABEL_MNT) {
11689d47 639 opts->mnt_opts[i] = NULL;
12f348b9 640 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 641 }
1da177e4 642
e0007529 643 BUG_ON(i != opts->num_mnt_opts);
1da177e4 644
c9180a57
EP		 645 return 0;
646
647out_free:
e0007529 648 security_free_mnt_opts(opts);
c9180a57
EP		 649 return rc;
650}
1da177e4 651
c9180a57
EP		 652static int bad_option(struct superblock_security_struct *sbsec, char flag,
653 u32 old_sid, u32 new_sid)
654{
0d90a7ec
DQ		 655 char mnt_flags = sbsec->flags & SE_MNTMASK;
656
c9180a57 657 /* check if the old mount command had the same options */
0d90a7ec 658 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 659 if (!(sbsec->flags & flag) ||
660 (old_sid != new_sid))
661 return 1;
662
663 /* check if we were passed the same options twice,
664 * aka someone passed context=a,context=b
665 */
0d90a7ec
DQ		 666 if (!(sbsec->flags & SE_SBINITIALIZED))
667 if (mnt_flags & flag)
c9180a57
EP		 668 return 1;
669 return 0;
670}
e0007529 671
c9180a57
EP		 672/*
673 * Allow filesystems with binary mount data to explicitly set mount point
674 * labeling information.
675 */
e0007529 676static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 677 struct security_mnt_opts *opts,
678 unsigned long kern_flags,
679 unsigned long *set_kern_flags)
c9180a57 680{
275bb41e 681 const struct cred *cred = current_cred();
c9180a57 682 int rc = 0, i;
c9180a57 683 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 684 const char *name = sb->s_type->name;
83da53c5 685 struct dentry *root = sbsec->sb->s_root;
2c97165b 686 struct inode_security_struct *root_isec;
c9180a57
EP		 687 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
688 u32 defcontext_sid = 0;
e0007529
EP		 689 char **mount_options = opts->mnt_opts;
690 int *flags = opts->mnt_opts_flags;
691 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 692
693 mutex_lock(&sbsec->lock);
694
695 if (!ss_initialized) {
696 if (!num_opts) {
697 /* Defer initialization until selinux_complete_init,
698 after the initial policy is loaded and the security
699 server is ready to handle calls. */
c9180a57
EP		 700 goto out;
701 }
702 rc = -EINVAL;
744ba35e
EP		 703 printk(KERN_WARNING "SELinux: Unable to set superblock options "
704 "before the security server is initialized\n");
1da177e4 705 goto out;
c9180a57 706 }
649f6e77
DQ		 707 if (kern_flags && !set_kern_flags) {
708 /* Specifying internal flags without providing a place to
709 * place the results is not allowed */
710 rc = -EINVAL;
711 goto out;
712 }
1da177e4 713
e0007529
EP		 714 /*
715 * Binary mount data FS will come through this function twice. Once
716 * from an explicit call and once from the generic calls from the vfs.
717 * Since the generic VFS calls will not contain any security mount data
718 * we need to skip the double mount verification.
719 *
720 * This does open a hole in which we will not notice if the first
721 * mount using this sb set explict options and a second mount using
722 * this sb does not set any security options. (The first options
723 * will be used for both mounts)
724 */
0d90a7ec 725 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 726 && (num_opts == 0))
f5269710 727 goto out;
e0007529 728
2c97165b
PM		 729 root_isec = backing_inode_security_novalidate(root);
730
c9180a57
EP		 731 /*
732 * parse the mount options, check if they are valid sids.
733 * also check if someone is trying to mount the same sb more
734 * than once with different security options.
735 */
736 for (i = 0; i < num_opts; i++) {
737 u32 sid;
11689d47 738
12f348b9 739 if (flags[i] == SBLABEL_MNT)
11689d47 740 continue;
44be2f65 741 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 742 if (rc) {
44be2f65 743 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 744 "(%s) failed for (dev %s, type %s) errno=%d\n",
745 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 746 goto out;
747 }
748 switch (flags[i]) {
749 case FSCONTEXT_MNT:
750 fscontext_sid = sid;
751
752 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
753 fscontext_sid))
754 goto out_double_mount;
755
756 sbsec->flags |= FSCONTEXT_MNT;
757 break;
758 case CONTEXT_MNT:
759 context_sid = sid;
760
761 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
762 context_sid))
763 goto out_double_mount;
764
765 sbsec->flags |= CONTEXT_MNT;
766 break;
767 case ROOTCONTEXT_MNT:
768 rootcontext_sid = sid;
769
770 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
771 rootcontext_sid))
772 goto out_double_mount;
773
774 sbsec->flags |= ROOTCONTEXT_MNT;
775
776 break;
777 case DEFCONTEXT_MNT:
778 defcontext_sid = sid;
779
780 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
781 defcontext_sid))
782 goto out_double_mount;
783
784 sbsec->flags |= DEFCONTEXT_MNT;
785
786 break;
787 default:
788 rc = -EINVAL;
789 goto out;
1da177e4 790 }
c9180a57
EP		 791 }
792
0d90a7ec 793 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 794 /* previously mounted with options, but not on this attempt? */
0d90a7ec 795 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 796 goto out_double_mount;
797 rc = 0;
798 goto out;
799 }
800
089be43e 801 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 802 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
803
8e014720
SS		 804 if (!strcmp(sb->s_type->name, "debugfs") ||
805 !strcmp(sb->s_type->name, "sysfs") ||
806 !strcmp(sb->s_type->name, "pstore"))
134509d5 807 sbsec->flags |= SE_SBGENFS;
c9180a57 808
eb9ae686
DQ		 809 if (!sbsec->behavior) {
810 /*
811 * Determine the labeling behavior to use for this
812 * filesystem type.
813 */
98f700f3 814 rc = security_fs_use(sb);
eb9ae686
DQ		 815 if (rc) {
816 printk(KERN_WARNING
817 "%s: security_fs_use(%s) returned %d\n",
818 __func__, sb->s_type->name, rc);
819 goto out;
820 }
c9180a57 821 }
aad82892
SF		 822
823 /*
01593d32
SS		 824 * If this is a user namespace mount and the filesystem type is not
825 * explicitly whitelisted, then no contexts are allowed on the command
826 * line and security labels must be ignored.
aad82892 827 */
01593d32
SS		 828 if (sb->s_user_ns != &init_user_ns &&
829 strcmp(sb->s_type->name, "tmpfs") &&
830 strcmp(sb->s_type->name, "ramfs") &&
831 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 832 if (context_sid || fscontext_sid || rootcontext_sid ||
833 defcontext_sid) {
834 rc = -EACCES;
835 goto out;
836 }
837 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
838 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
839 rc = security_transition_sid(current_sid(), current_sid(),
840 SECCLASS_FILE, NULL,
841 &sbsec->mntpoint_sid);
842 if (rc)
843 goto out;
844 }
845 goto out_set_opts;
846 }
847
c9180a57
EP		 848 /* sets the context of the superblock for the fs being mounted. */
849 if (fscontext_sid) {
275bb41e 850 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 851 if (rc)
c9180a57 852 goto out;
1da177e4 853
c9180a57 854 sbsec->sid = fscontext_sid;
c312feb2
EP		 855 }
856
857 /*
858 * Switch to using mount point labeling behavior.
859 * sets the label used on all file below the mountpoint, and will set
860 * the superblock context if not already set.
861 */
eb9ae686
DQ		 862 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
863 sbsec->behavior = SECURITY_FS_USE_NATIVE;
864 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
865 }
866
c9180a57
EP		 867 if (context_sid) {
868 if (!fscontext_sid) {
275bb41e
DH		 869 rc = may_context_mount_sb_relabel(context_sid, sbsec,
870 cred);
b04ea3ce 871 if (rc)
c9180a57
EP		 872 goto out;
873 sbsec->sid = context_sid;
b04ea3ce 874 } else {
275bb41e
DH		 875 rc = may_context_mount_inode_relabel(context_sid, sbsec,
876 cred);
b04ea3ce 877 if (rc)
c9180a57 878 goto out;
b04ea3ce 879 }
c9180a57
EP		 880 if (!rootcontext_sid)
881 rootcontext_sid = context_sid;
1da177e4 882
c9180a57 883 sbsec->mntpoint_sid = context_sid;
c312feb2 884 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 885 }
886
c9180a57 887 if (rootcontext_sid) {
275bb41e
DH		 888 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
889 cred);
0808925e 890 if (rc)
c9180a57 891 goto out;
0808925e 892
c9180a57 893 root_isec->sid = rootcontext_sid;
6f3be9f5 894 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 895 }
896
c9180a57 897 if (defcontext_sid) {
eb9ae686
DQ		 898 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
899 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 900 rc = -EINVAL;
901 printk(KERN_WARNING "SELinux: defcontext option is "
902 "invalid for this filesystem type\n");
903 goto out;
1da177e4
LT		 904 }
905
c9180a57
EP		 906 if (defcontext_sid != sbsec->def_sid) {
907 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 908 sbsec, cred);
c9180a57
EP		 909 if (rc)
910 goto out;
911 }
1da177e4 912
c9180a57 913 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 914 }
915
aad82892 916out_set_opts:
c9180a57 917 rc = sb_finish_set_opts(sb);
1da177e4 918out:
c9180a57 919 mutex_unlock(&sbsec->lock);
1da177e4 920 return rc;
c9180a57
EP		 921out_double_mount:
922 rc = -EINVAL;
923 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 924 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 925 goto out;
1da177e4
LT		 926}
927
094f7b69
JL		 928static int selinux_cmp_sb_context(const struct super_block *oldsb,
929 const struct super_block *newsb)
930{
931 struct superblock_security_struct *old = oldsb->s_security;
932 struct superblock_security_struct *new = newsb->s_security;
933 char oldflags = old->flags & SE_MNTMASK;
934 char newflags = new->flags & SE_MNTMASK;
935
936 if (oldflags != newflags)
937 goto mismatch;
938 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
939 goto mismatch;
940 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
941 goto mismatch;
942 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
943 goto mismatch;
944 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 945 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
946 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 947 if (oldroot->sid != newroot->sid)
948 goto mismatch;
949 }
950 return 0;
951mismatch:
952 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
953 "different security settings for (dev %s, "
954 "type %s)\n", newsb->s_id, newsb->s_type->name);
955 return -EBUSY;
956}
957
958static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 959 struct super_block *newsb)
1da177e4 960{
c9180a57
EP		 961 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
962 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 963
c9180a57
EP		 964 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
965 int set_context = (oldsbsec->flags & CONTEXT_MNT);
966 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 967
0f5e6420
EP		 968 /*
969 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 970 * mount options. thus we can safely deal with this superblock later
0f5e6420 971 */
e8c26255 972 if (!ss_initialized)
094f7b69 973 return 0;
c9180a57 974
c9180a57 975 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 976 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 977
094f7b69 978 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 979 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 980 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 981
c9180a57
EP		 982 mutex_lock(&newsbsec->lock);
983
984 newsbsec->flags = oldsbsec->flags;
985
986 newsbsec->sid = oldsbsec->sid;
987 newsbsec->def_sid = oldsbsec->def_sid;
988 newsbsec->behavior = oldsbsec->behavior;
989
990 if (set_context) {
991 u32 sid = oldsbsec->mntpoint_sid;
992
993 if (!set_fscontext)
994 newsbsec->sid = sid;
995 if (!set_rootcontext) {
83da53c5 996 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 997 newisec->sid = sid;
998 }
999 newsbsec->mntpoint_sid = sid;
1da177e4 1000 }
c9180a57 1001 if (set_rootcontext) {
83da53c5
AG		 1002 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1003 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1004
c9180a57 1005 newisec->sid = oldisec->sid;
1da177e4
LT		 1006 }
1007
c9180a57
EP		 1008 sb_finish_set_opts(newsb);
1009 mutex_unlock(&newsbsec->lock);
094f7b69 1010 return 0;
c9180a57
EP		 1011}
1012
2e1479d9
AB		 1013static int selinux_parse_opts_str(char *options,
1014 struct security_mnt_opts *opts)
c9180a57 1015{
e0007529 1016 char *p;
c9180a57
EP		 1017 char *context = NULL, *defcontext = NULL;
1018 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1019 int rc, num_mnt_opts = 0;
1da177e4 1020
e0007529 1021 opts->num_mnt_opts = 0;
1da177e4 1022
c9180a57
EP		 1023 /* Standard string-based options. */
1024 while ((p = strsep(&options, "|")) != NULL) {
1025 int token;
1026 substring_t args[MAX_OPT_ARGS];
1da177e4 1027
c9180a57
EP		 1028 if (!*p)
1029 continue;
1da177e4 1030
c9180a57 1031 token = match_token(p, tokens, args);
1da177e4 1032
c9180a57
EP		 1033 switch (token) {
1034 case Opt_context:
1035 if (context || defcontext) {
1036 rc = -EINVAL;
1037 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1038 goto out_err;
1039 }
1040 context = match_strdup(&args[0]);
1041 if (!context) {
1042 rc = -ENOMEM;
1043 goto out_err;
1044 }
1045 break;
1046
1047 case Opt_fscontext:
1048 if (fscontext) {
1049 rc = -EINVAL;
1050 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1051 goto out_err;
1052 }
1053 fscontext = match_strdup(&args[0]);
1054 if (!fscontext) {
1055 rc = -ENOMEM;
1056 goto out_err;
1057 }
1058 break;
1059
1060 case Opt_rootcontext:
1061 if (rootcontext) {
1062 rc = -EINVAL;
1063 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1064 goto out_err;
1065 }
1066 rootcontext = match_strdup(&args[0]);
1067 if (!rootcontext) {
1068 rc = -ENOMEM;
1069 goto out_err;
1070 }
1071 break;
1072
1073 case Opt_defcontext:
1074 if (context || defcontext) {
1075 rc = -EINVAL;
1076 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1077 goto out_err;
1078 }
1079 defcontext = match_strdup(&args[0]);
1080 if (!defcontext) {
1081 rc = -ENOMEM;
1082 goto out_err;
1083 }
1084 break;
11689d47
DQ		 1085 case Opt_labelsupport:
1086 break;
c9180a57
EP		 1087 default:
1088 rc = -EINVAL;
1089 printk(KERN_WARNING "SELinux: unknown mount option\n");
1090 goto out_err;
1da177e4 1091
1da177e4 1092 }
1da177e4 1093 }
c9180a57 1094
e0007529 1095 rc = -ENOMEM;
8931c3bd 1096 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1097 if (!opts->mnt_opts)
1098 goto out_err;
1099
8931c3bd
TH		 1100 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1101 GFP_KERNEL);
e0007529
EP		 1102 if (!opts->mnt_opts_flags) {
1103 kfree(opts->mnt_opts);
1104 goto out_err;
1105 }
1106
c9180a57 1107 if (fscontext) {
e0007529
EP		 1108 opts->mnt_opts[num_mnt_opts] = fscontext;
1109 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1110 }
1111 if (context) {
e0007529
EP		 1112 opts->mnt_opts[num_mnt_opts] = context;
1113 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1114 }
1115 if (rootcontext) {
e0007529
EP		 1116 opts->mnt_opts[num_mnt_opts] = rootcontext;
1117 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1118 }
1119 if (defcontext) {
e0007529
EP		 1120 opts->mnt_opts[num_mnt_opts] = defcontext;
1121 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1122 }
1123
e0007529
EP		 1124 opts->num_mnt_opts = num_mnt_opts;
1125 return 0;
1126
c9180a57
EP		 1127out_err:
1128 kfree(context);
1129 kfree(defcontext);
1130 kfree(fscontext);
1131 kfree(rootcontext);
1da177e4
LT		 1132 return rc;
1133}
e0007529
EP		 1134/*
1135 * string mount options parsing and call set the sbsec
1136 */
1137static int superblock_doinit(struct super_block *sb, void *data)
1138{
1139 int rc = 0;
1140 char *options = data;
1141 struct security_mnt_opts opts;
1142
1143 security_init_mnt_opts(&opts);
1144
1145 if (!data)
1146 goto out;
1147
1148 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1149
1150 rc = selinux_parse_opts_str(options, &opts);
1151 if (rc)
1152 goto out_err;
1153
1154out:
649f6e77 1155 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1156
1157out_err:
1158 security_free_mnt_opts(&opts);
1159 return rc;
1160}
1da177e4 1161
3583a711
AB		 1162static void selinux_write_opts(struct seq_file *m,
1163 struct security_mnt_opts *opts)
2069f457
EP		 1164{
1165 int i;
1166 char *prefix;
1167
1168 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1169 char *has_comma;
1170
1171 if (opts->mnt_opts[i])
1172 has_comma = strchr(opts->mnt_opts[i], ',');
1173 else
1174 has_comma = NULL;
2069f457
EP		 1175
1176 switch (opts->mnt_opts_flags[i]) {
1177 case CONTEXT_MNT:
1178 prefix = CONTEXT_STR;
1179 break;
1180 case FSCONTEXT_MNT:
1181 prefix = FSCONTEXT_STR;
1182 break;
1183 case ROOTCONTEXT_MNT:
1184 prefix = ROOTCONTEXT_STR;
1185 break;
1186 case DEFCONTEXT_MNT:
1187 prefix = DEFCONTEXT_STR;
1188 break;
12f348b9 1189 case SBLABEL_MNT:
11689d47
DQ		 1190 seq_putc(m, ',');
1191 seq_puts(m, LABELSUPP_STR);
1192 continue;
2069f457
EP		 1193 default:
1194 BUG();
a35c6c83 1195 return;
2069f457
EP		 1196 };
1197 /* we need a comma before each option */
1198 seq_putc(m, ',');
1199 seq_puts(m, prefix);
1200 if (has_comma)
1201 seq_putc(m, '\"');
a068acf2 1202 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1203 if (has_comma)
1204 seq_putc(m, '\"');
1205 }
1206}
1207
1208static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1209{
1210 struct security_mnt_opts opts;
1211 int rc;
1212
1213 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1214 if (rc) {
1215 /* before policy load we may get EINVAL, don't show anything */
1216 if (rc == -EINVAL)
1217 rc = 0;
2069f457 1218 return rc;
383795c2 1219 }
2069f457
EP		 1220
1221 selinux_write_opts(m, &opts);
1222
1223 security_free_mnt_opts(&opts);
1224
1225 return rc;
1226}
1227
1da177e4
LT		 1228static inline u16 inode_mode_to_security_class(umode_t mode)
1229{
1230 switch (mode & S_IFMT) {
1231 case S_IFSOCK:
1232 return SECCLASS_SOCK_FILE;
1233 case S_IFLNK:
1234 return SECCLASS_LNK_FILE;
1235 case S_IFREG:
1236 return SECCLASS_FILE;
1237 case S_IFBLK:
1238 return SECCLASS_BLK_FILE;
1239 case S_IFDIR:
1240 return SECCLASS_DIR;
1241 case S_IFCHR:
1242 return SECCLASS_CHR_FILE;
1243 case S_IFIFO:
1244 return SECCLASS_FIFO_FILE;
1245
1246 }
1247
1248 return SECCLASS_FILE;
1249}
1250
13402580
JM		 1251static inline int default_protocol_stream(int protocol)
1252{
1253 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1254}
1255
1256static inline int default_protocol_dgram(int protocol)
1257{
1258 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1259}
1260
1da177e4
LT		 1261static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1262{
da69a530
SS		 1263 int extsockclass = selinux_policycap_extsockclass;
1264
1da177e4
LT		 1265 switch (family) {
1266 case PF_UNIX:
1267 switch (type) {
1268 case SOCK_STREAM:
1269 case SOCK_SEQPACKET:
1270 return SECCLASS_UNIX_STREAM_SOCKET;
1271 case SOCK_DGRAM:
1272 return SECCLASS_UNIX_DGRAM_SOCKET;
1273 }
1274 break;
1275 case PF_INET:
1276 case PF_INET6:
1277 switch (type) {
1278 case SOCK_STREAM:
da69a530 1279 case SOCK_SEQPACKET:
13402580
JM		 1280 if (default_protocol_stream(protocol))
1281 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1282 else if (extsockclass && protocol == IPPROTO_SCTP)
1283 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1284 else
1285 return SECCLASS_RAWIP_SOCKET;
1da177e4 1286 case SOCK_DGRAM:
13402580
JM		 1287 if (default_protocol_dgram(protocol))
1288 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1289 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1290 protocol == IPPROTO_ICMPV6))
da69a530 1291 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1292 else
1293 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1294 case SOCK_DCCP:
1295 return SECCLASS_DCCP_SOCKET;
13402580 1296 default:
1da177e4
LT		 1297 return SECCLASS_RAWIP_SOCKET;
1298 }
1299 break;
1300 case PF_NETLINK:
1301 switch (protocol) {
1302 case NETLINK_ROUTE:
1303 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1304 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1305 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1306 case NETLINK_NFLOG:
1307 return SECCLASS_NETLINK_NFLOG_SOCKET;
1308 case NETLINK_XFRM:
1309 return SECCLASS_NETLINK_XFRM_SOCKET;
1310 case NETLINK_SELINUX:
1311 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1312 case NETLINK_ISCSI:
1313 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1314 case NETLINK_AUDIT:
1315 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1316 case NETLINK_FIB_LOOKUP:
1317 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1318 case NETLINK_CONNECTOR:
1319 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1320 case NETLINK_NETFILTER:
1321 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1322 case NETLINK_DNRTMSG:
1323 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1324 case NETLINK_KOBJECT_UEVENT:
1325 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1326 case NETLINK_GENERIC:
1327 return SECCLASS_NETLINK_GENERIC_SOCKET;
1328 case NETLINK_SCSITRANSPORT:
1329 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1330 case NETLINK_RDMA:
1331 return SECCLASS_NETLINK_RDMA_SOCKET;
1332 case NETLINK_CRYPTO:
1333 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1334 default:
1335 return SECCLASS_NETLINK_SOCKET;
1336 }
1337 case PF_PACKET:
1338 return SECCLASS_PACKET_SOCKET;
1339 case PF_KEY:
1340 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1341 case PF_APPLETALK:
1342 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1343 }
1344
da69a530
SS		 1345 if (extsockclass) {
1346 switch (family) {
1347 case PF_AX25:
1348 return SECCLASS_AX25_SOCKET;
1349 case PF_IPX:
1350 return SECCLASS_IPX_SOCKET;
1351 case PF_NETROM:
1352 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1353 case PF_ATMPVC:
1354 return SECCLASS_ATMPVC_SOCKET;
1355 case PF_X25:
1356 return SECCLASS_X25_SOCKET;
1357 case PF_ROSE:
1358 return SECCLASS_ROSE_SOCKET;
1359 case PF_DECnet:
1360 return SECCLASS_DECNET_SOCKET;
1361 case PF_ATMSVC:
1362 return SECCLASS_ATMSVC_SOCKET;
1363 case PF_RDS:
1364 return SECCLASS_RDS_SOCKET;
1365 case PF_IRDA:
1366 return SECCLASS_IRDA_SOCKET;
1367 case PF_PPPOX:
1368 return SECCLASS_PPPOX_SOCKET;
1369 case PF_LLC:
1370 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1371 case PF_CAN:
1372 return SECCLASS_CAN_SOCKET;
1373 case PF_TIPC:
1374 return SECCLASS_TIPC_SOCKET;
1375 case PF_BLUETOOTH:
1376 return SECCLASS_BLUETOOTH_SOCKET;
1377 case PF_IUCV:
1378 return SECCLASS_IUCV_SOCKET;
1379 case PF_RXRPC:
1380 return SECCLASS_RXRPC_SOCKET;
1381 case PF_ISDN:
1382 return SECCLASS_ISDN_SOCKET;
1383 case PF_PHONET:
1384 return SECCLASS_PHONET_SOCKET;
1385 case PF_IEEE802154:
1386 return SECCLASS_IEEE802154_SOCKET;
1387 case PF_CAIF:
1388 return SECCLASS_CAIF_SOCKET;
1389 case PF_ALG:
1390 return SECCLASS_ALG_SOCKET;
1391 case PF_NFC:
1392 return SECCLASS_NFC_SOCKET;
1393 case PF_VSOCK:
1394 return SECCLASS_VSOCK_SOCKET;
1395 case PF_KCM:
1396 return SECCLASS_KCM_SOCKET;
1397 case PF_QIPCRTR:
1398 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1399 case PF_SMC:
1400 return SECCLASS_SMC_SOCKET;
1401#if PF_MAX > 44
da69a530
SS		 1402#error New address family defined, please update this function.
1403#endif
1404 }
1405 }
1406
1da177e4
LT		 1407 return SECCLASS_SOCKET;
1408}
1409
134509d5
SS		 1410static int selinux_genfs_get_sid(struct dentry *dentry,
1411 u16 tclass,
1412 u16 flags,
1413 u32 *sid)
1da177e4 1414{
8e6c9693 1415 int rc;
fc64005c 1416 struct super_block *sb = dentry->d_sb;
8e6c9693 1417 char *buffer, *path;
1da177e4 1418
828dfe1d 1419 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1420 if (!buffer)
1421 return -ENOMEM;
1422
8e6c9693
LAG		 1423 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1424 if (IS_ERR(path))
1425 rc = PTR_ERR(path);
1426 else {
134509d5
SS		 1427 if (flags & SE_SBPROC) {
1428 /* each process gets a /proc/PID/ entry. Strip off the
1429 * PID part to get a valid selinux labeling.
1430 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1431 while (path[1] >= '0' && path[1] <= '9') {
1432 path[1] = '/';
1433 path++;
1434 }
8e6c9693 1435 }
134509d5 1436 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1437 }
1da177e4
LT		 1438 free_page((unsigned long)buffer);
1439 return rc;
1440}
1da177e4
LT		 1441
1442/* The inode's security attributes must be initialized before first use. */
1443static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1444{
1445 struct superblock_security_struct *sbsec = NULL;
1446 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1447 u32 task_sid, sid = 0;
1448 u16 sclass;
1da177e4
LT		 1449 struct dentry *dentry;
1450#define INITCONTEXTLEN 255
1451 char *context = NULL;
1452 unsigned len = 0;
1453 int rc = 0;
1da177e4 1454
6f3be9f5 1455 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1456 return 0;
1da177e4 1457
9287aed2 1458 spin_lock(&isec->lock);
6f3be9f5 1459 if (isec->initialized == LABEL_INITIALIZED)
23970741 1460 goto out_unlock;
1da177e4 1461
13457d07
AG		 1462 if (isec->sclass == SECCLASS_FILE)
1463 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1464
1da177e4 1465 sbsec = inode->i_sb->s_security;
0d90a7ec 1466 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1467 /* Defer initialization until selinux_complete_init,
1468 after the initial policy is loaded and the security
1469 server is ready to handle calls. */
1470 spin_lock(&sbsec->isec_lock);
1471 if (list_empty(&isec->list))
1472 list_add(&isec->list, &sbsec->isec_head);
1473 spin_unlock(&sbsec->isec_lock);
23970741 1474 goto out_unlock;
1da177e4
LT		 1475 }
1476
9287aed2
AG		 1477 sclass = isec->sclass;
1478 task_sid = isec->task_sid;
1479 sid = isec->sid;
1480 isec->initialized = LABEL_PENDING;
1481 spin_unlock(&isec->lock);
1482
1da177e4 1483 switch (sbsec->behavior) {
eb9ae686
DQ		 1484 case SECURITY_FS_USE_NATIVE:
1485 break;
1da177e4 1486 case SECURITY_FS_USE_XATTR:
5d6c3191 1487 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1488 sid = sbsec->def_sid;
1da177e4
LT		 1489 break;
1490 }
1da177e4
LT		 1491 /* Need a dentry, since the xattr API requires one.
1492 Life would be simpler if we could just pass the inode. */
1493 if (opt_dentry) {
1494 /* Called from d_instantiate or d_splice_alias. */
1495 dentry = dget(opt_dentry);
1496 } else {
1497 /* Called from selinux_complete_init, try to find a dentry. */
1498 dentry = d_find_alias(inode);
1499 }
1500 if (!dentry) {
df7f54c0
EP		 1501 /*
1502 * this is can be hit on boot when a file is accessed
1503 * before the policy is loaded. When we load policy we
1504 * may find inodes that have no dentry on the
1505 * sbsec->isec_head list. No reason to complain as these
1506 * will get fixed up the next time we go through
1507 * inode_doinit with a dentry, before these inodes could
1508 * be used again by userspace.
1509 */
9287aed2 1510 goto out;
1da177e4
LT		 1511 }
1512
1513 len = INITCONTEXTLEN;
4cb912f1 1514 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1515 if (!context) {
1516 rc = -ENOMEM;
1517 dput(dentry);
9287aed2 1518 goto out;
1da177e4 1519 }
4cb912f1 1520 context[len] = '\0';
5d6c3191 1521 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1522 if (rc == -ERANGE) {
314dabb8
JM		 1523 kfree(context);
1524
1da177e4 1525 /* Need a larger buffer. Query for the right size. */
5d6c3191 1526 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1527 if (rc < 0) {
1528 dput(dentry);
9287aed2 1529 goto out;
1da177e4 1530 }
1da177e4 1531 len = rc;
4cb912f1 1532 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1533 if (!context) {
1534 rc = -ENOMEM;
1535 dput(dentry);
9287aed2 1536 goto out;
1da177e4 1537 }
4cb912f1 1538 context[len] = '\0';
5d6c3191 1539 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1540 }
1541 dput(dentry);
1542 if (rc < 0) {
1543 if (rc != -ENODATA) {
744ba35e 1544 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1545 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1546 -rc, inode->i_sb->s_id, inode->i_ino);
1547 kfree(context);
9287aed2 1548 goto out;
1da177e4
LT		 1549 }
1550 /* Map ENODATA to the default file SID */
1551 sid = sbsec->def_sid;
1552 rc = 0;
1553 } else {
f5c1d5b2 1554 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1555 sbsec->def_sid,
1556 GFP_NOFS);
1da177e4 1557 if (rc) {
4ba0a8ad
EP		 1558 char *dev = inode->i_sb->s_id;
1559 unsigned long ino = inode->i_ino;
1560
1561 if (rc == -EINVAL) {
1562 if (printk_ratelimit())
1563 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1564 "context=%s. This indicates you may need to relabel the inode or the "
1565 "filesystem in question.\n", ino, dev, context);
1566 } else {
1567 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1568 "returned %d for dev=%s ino=%ld\n",
1569 __func__, context, -rc, dev, ino);
1570 }
1da177e4
LT		 1571 kfree(context);
1572 /* Leave with the unlabeled SID */
1573 rc = 0;
1574 break;
1575 }
1576 }
1577 kfree(context);
1da177e4
LT		 1578 break;
1579 case SECURITY_FS_USE_TASK:
9287aed2 1580 sid = task_sid;
1da177e4
LT		 1581 break;
1582 case SECURITY_FS_USE_TRANS:
1583 /* Default to the fs SID. */
9287aed2 1584 sid = sbsec->sid;
1da177e4
LT		 1585
1586 /* Try to obtain a transition SID. */
9287aed2 1587 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1da177e4 1588 if (rc)
9287aed2 1589 goto out;
1da177e4 1590 break;
c312feb2 1591 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1592 sid = sbsec->mntpoint_sid;
c312feb2 1593 break;
1da177e4 1594 default:
c312feb2 1595 /* Default to the fs superblock SID. */
9287aed2 1596 sid = sbsec->sid;
1da177e4 1597
134509d5 1598 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1599 /* We must have a dentry to determine the label on
1600 * procfs inodes */
1601 if (opt_dentry)
1602 /* Called from d_instantiate or
1603 * d_splice_alias. */
1604 dentry = dget(opt_dentry);
1605 else
1606 /* Called from selinux_complete_init, try to
1607 * find a dentry. */
1608 dentry = d_find_alias(inode);
1609 /*
1610 * This can be hit on boot when a file is accessed
1611 * before the policy is loaded. When we load policy we
1612 * may find inodes that have no dentry on the
1613 * sbsec->isec_head list. No reason to complain as
1614 * these will get fixed up the next time we go through
1615 * inode_doinit() with a dentry, before these inodes
1616 * could be used again by userspace.
1617 */
1618 if (!dentry)
9287aed2
AG		 1619 goto out;
1620 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1621 sbsec->flags, &sid);
f64410ec
PM		 1622 dput(dentry);
1623 if (rc)
9287aed2 1624 goto out;
1da177e4
LT		 1625 }
1626 break;
1627 }
1628
9287aed2
AG		 1629out:
1630 spin_lock(&isec->lock);
1631 if (isec->initialized == LABEL_PENDING) {
1632 if (!sid || rc) {
1633 isec->initialized = LABEL_INVALID;
1634 goto out_unlock;
1635 }
1636
1637 isec->initialized = LABEL_INITIALIZED;
1638 isec->sid = sid;
1639 }
1da177e4 1640
23970741 1641out_unlock:
9287aed2 1642 spin_unlock(&isec->lock);
1da177e4
LT		 1643 return rc;
1644}
1645
1646/* Convert a Linux signal to an access vector. */
1647static inline u32 signal_to_av(int sig)
1648{
1649 u32 perm = 0;
1650
1651 switch (sig) {
1652 case SIGCHLD:
1653 /* Commonly granted from child to parent. */
1654 perm = PROCESS__SIGCHLD;
1655 break;
1656 case SIGKILL:
1657 /* Cannot be caught or ignored */
1658 perm = PROCESS__SIGKILL;
1659 break;
1660 case SIGSTOP:
1661 /* Cannot be caught or ignored */
1662 perm = PROCESS__SIGSTOP;
1663 break;
1664 default:
1665 /* All other signals. */
1666 perm = PROCESS__SIGNAL;
1667 break;
1668 }
1669
1670 return perm;
1671}
1672
b68e418c
SS		 1673#if CAP_LAST_CAP > 63
1674#error Fix SELinux to handle capabilities > 63.
1675#endif
1676
1da177e4 1677/* Check whether a task is allowed to use a capability. */
6a9de491 1678static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1679 int cap, int audit, bool initns)
1da177e4 1680{
2bf49690 1681 struct common_audit_data ad;
06112163 1682 struct av_decision avd;
b68e418c 1683 u16 sclass;
3699c53c 1684 u32 sid = cred_sid(cred);
b68e418c 1685 u32 av = CAP_TO_MASK(cap);
06112163 1686 int rc;
1da177e4 1687
50c205f5 1688 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1689 ad.u.cap = cap;
1690
b68e418c
SS		 1691 switch (CAP_TO_INDEX(cap)) {
1692 case 0:
8e4ff6f2 1693 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1694 break;
1695 case 1:
8e4ff6f2 1696 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1697 break;
1698 default:
1699 printk(KERN_ERR
1700 "SELinux: out of range capability %d\n", cap);
1701 BUG();
a35c6c83 1702 return -EINVAL;
b68e418c 1703 }
06112163 1704
275bb41e 1705 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1706 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1707 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1708 if (rc2)
1709 return rc2;
1710 }
06112163 1711 return rc;
1da177e4
LT		 1712}
1713
1da177e4
LT		 1714/* Check whether a task has a particular permission to an inode.
1715 The 'adp' parameter is optional and allows other audit
1716 data to be passed (e.g. the dentry). */
88e67f3b 1717static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1718 struct inode *inode,
1719 u32 perms,
19e49834 1720 struct common_audit_data *adp)
1da177e4 1721{
1da177e4 1722 struct inode_security_struct *isec;
275bb41e 1723 u32 sid;
1da177e4 1724
e0e81739
DH		 1725 validate_creds(cred);
1726
828dfe1d 1727 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1728 return 0;
1729
88e67f3b 1730 sid = cred_sid(cred);
1da177e4
LT		 1731 isec = inode->i_security;
1732
19e49834 1733 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1734}
1735
1736/* Same as inode_has_perm, but pass explicit audit data containing
1737 the dentry to help the auditing code to more easily generate the
1738 pathname if needed. */
88e67f3b 1739static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1740 struct dentry *dentry,
1741 u32 av)
1742{
c6f493d6 1743 struct inode *inode = d_backing_inode(dentry);
2bf49690 1744 struct common_audit_data ad;
88e67f3b 1745
50c205f5 1746 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1747 ad.u.dentry = dentry;
5d226df4 1748 __inode_security_revalidate(inode, dentry, true);
19e49834 1749 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1750}
1751
1752/* Same as inode_has_perm, but pass explicit audit data containing
1753 the path to help the auditing code to more easily generate the
1754 pathname if needed. */
1755static inline int path_has_perm(const struct cred *cred,
3f7036a0 1756 const struct path *path,
2875fa00
EP		 1757 u32 av)
1758{
c6f493d6 1759 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1760 struct common_audit_data ad;
1761
50c205f5 1762 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1763 ad.u.path = *path;
5d226df4 1764 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1765 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1766}
1767
13f8e981
DH		 1768/* Same as path_has_perm, but uses the inode from the file struct. */
1769static inline int file_path_has_perm(const struct cred *cred,
1770 struct file *file,
1771 u32 av)
1772{
1773 struct common_audit_data ad;
1774
43af5de7
VG		 1775 ad.type = LSM_AUDIT_DATA_FILE;
1776 ad.u.file = file;
19e49834 1777 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1778}
1779
1da177e4
LT		 1780/* Check whether a task can use an open file descriptor to
1781 access an inode in a given way. Check access to the
1782 descriptor itself, and then use dentry_has_perm to
1783 check a particular permission to the file.
1784 Access to the descriptor is implicitly granted if it
1785 has the same SID as the process. If av is zero, then
1786 access to the file is not checked, e.g. for cases
1787 where only the descriptor is affected like seek. */
88e67f3b
DH		 1788static int file_has_perm(const struct cred *cred,
1789 struct file *file,
1790 u32 av)
1da177e4 1791{
1da177e4 1792 struct file_security_struct *fsec = file->f_security;
496ad9aa 1793 struct inode *inode = file_inode(file);
2bf49690 1794 struct common_audit_data ad;
88e67f3b 1795 u32 sid = cred_sid(cred);
1da177e4
LT		 1796 int rc;
1797
43af5de7
VG		 1798 ad.type = LSM_AUDIT_DATA_FILE;
1799 ad.u.file = file;
1da177e4 1800
275bb41e
DH		 1801 if (sid != fsec->sid) {
1802 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1803 SECCLASS_FD,
1804 FD__USE,
1805 &ad);
1806 if (rc)
88e67f3b 1807 goto out;
1da177e4
LT		 1808 }
1809
1810 /* av is zero if only checking access to the descriptor. */
88e67f3b 1811 rc = 0;
1da177e4 1812 if (av)
19e49834 1813 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1814
88e67f3b
DH		 1815out:
1816 return rc;
1da177e4
LT		 1817}
1818
c3c188b2
DH		 1819/*
1820 * Determine the label for an inode that might be unioned.
1821 */
c957f6df
VG		 1822static int
1823selinux_determine_inode_label(const struct task_security_struct *tsec,
1824 struct inode *dir,
1825 const struct qstr *name, u16 tclass,
1826 u32 *_new_isid)
c3c188b2
DH		 1827{
1828 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1829
1830 if ((sbsec->flags & SE_SBINITIALIZED) &&
1831 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1832 *_new_isid = sbsec->mntpoint_sid;
1833 } else if ((sbsec->flags & SBLABEL_MNT) &&
1834 tsec->create_sid) {
1835 *_new_isid = tsec->create_sid;
1836 } else {
20cdef8d 1837 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1838 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1839 name, _new_isid);
1840 }
1841
1842 return 0;
1843}
1844
1da177e4
LT		 1845/* Check whether a task can create a file. */
1846static int may_create(struct inode *dir,
1847 struct dentry *dentry,
1848 u16 tclass)
1849{
5fb49870 1850 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1851 struct inode_security_struct *dsec;
1852 struct superblock_security_struct *sbsec;
275bb41e 1853 u32 sid, newsid;
2bf49690 1854 struct common_audit_data ad;
1da177e4
LT		 1855 int rc;
1856
83da53c5 1857 dsec = inode_security(dir);
1da177e4
LT		 1858 sbsec = dir->i_sb->s_security;
1859
275bb41e 1860 sid = tsec->sid;
275bb41e 1861
50c205f5 1862 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1863 ad.u.dentry = dentry;
1da177e4 1864
275bb41e 1865 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1866 DIR__ADD_NAME | DIR__SEARCH,
1867 &ad);
1868 if (rc)
1869 return rc;
1870
c957f6df
VG		 1871 rc = selinux_determine_inode_label(current_security(), dir,
1872 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1873 if (rc)
1874 return rc;
1da177e4 1875
275bb41e 1876 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1877 if (rc)
1878 return rc;
1879
1880 return avc_has_perm(newsid, sbsec->sid,
1881 SECCLASS_FILESYSTEM,
1882 FILESYSTEM__ASSOCIATE, &ad);
1883}
1884
828dfe1d
EP		 1885#define MAY_LINK 0
1886#define MAY_UNLINK 1
1887#define MAY_RMDIR 2
1da177e4
LT		 1888
1889/* Check whether a task can link, unlink, or rmdir a file/directory. */
1890static int may_link(struct inode *dir,
1891 struct dentry *dentry,
1892 int kind)
1893
1894{
1da177e4 1895 struct inode_security_struct *dsec, *isec;
2bf49690 1896 struct common_audit_data ad;
275bb41e 1897 u32 sid = current_sid();
1da177e4
LT		 1898 u32 av;
1899 int rc;
1900
83da53c5
AG		 1901 dsec = inode_security(dir);
1902 isec = backing_inode_security(dentry);
1da177e4 1903
50c205f5 1904 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1905 ad.u.dentry = dentry;
1da177e4
LT		 1906
1907 av = DIR__SEARCH;
1908 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1909 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1910 if (rc)
1911 return rc;
1912
1913 switch (kind) {
1914 case MAY_LINK:
1915 av = FILE__LINK;
1916 break;
1917 case MAY_UNLINK:
1918 av = FILE__UNLINK;
1919 break;
1920 case MAY_RMDIR:
1921 av = DIR__RMDIR;
1922 break;
1923 default:
744ba35e
EP		 1924 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1925 __func__, kind);
1da177e4
LT		 1926 return 0;
1927 }
1928
275bb41e 1929 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1930 return rc;
1931}
1932
1933static inline int may_rename(struct inode *old_dir,
1934 struct dentry *old_dentry,
1935 struct inode *new_dir,
1936 struct dentry *new_dentry)
1937{
1da177e4 1938 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1939 struct common_audit_data ad;
275bb41e 1940 u32 sid = current_sid();
1da177e4
LT		 1941 u32 av;
1942 int old_is_dir, new_is_dir;
1943 int rc;
1944
83da53c5
AG		 1945 old_dsec = inode_security(old_dir);
1946 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1947 old_is_dir = d_is_dir(old_dentry);
83da53c5 1948 new_dsec = inode_security(new_dir);
1da177e4 1949
50c205f5 1950 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1951
a269434d 1952 ad.u.dentry = old_dentry;
275bb41e 1953 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1954 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1955 if (rc)
1956 return rc;
275bb41e 1957 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1958 old_isec->sclass, FILE__RENAME, &ad);
1959 if (rc)
1960 return rc;
1961 if (old_is_dir && new_dir != old_dir) {
275bb41e 1962 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1963 old_isec->sclass, DIR__REPARENT, &ad);
1964 if (rc)
1965 return rc;
1966 }
1967
a269434d 1968 ad.u.dentry = new_dentry;
1da177e4 1969 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1970 if (d_is_positive(new_dentry))
1da177e4 1971 av |= DIR__REMOVE_NAME;
275bb41e 1972 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1973 if (rc)
1974 return rc;
2c616d4d 1975 if (d_is_positive(new_dentry)) {
83da53c5 1976 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1977 new_is_dir = d_is_dir(new_dentry);
275bb41e 1978 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1979 new_isec->sclass,
1980 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1981 if (rc)
1982 return rc;
1983 }
1984
1985 return 0;
1986}
1987
1988/* Check whether a task can perform a filesystem operation. */
88e67f3b 1989static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1990 struct super_block *sb,
1991 u32 perms,
2bf49690 1992 struct common_audit_data *ad)
1da177e4 1993{
1da177e4 1994 struct superblock_security_struct *sbsec;
88e67f3b 1995 u32 sid = cred_sid(cred);
1da177e4 1996
1da177e4 1997 sbsec = sb->s_security;
275bb41e 1998 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1999}
2000
2001/* Convert a Linux mode and permission mask to an access vector. */
2002static inline u32 file_mask_to_av(int mode, int mask)
2003{
2004 u32 av = 0;
2005
dba19c60 2006 if (!S_ISDIR(mode)) {
1da177e4
LT		 2007 if (mask & MAY_EXEC)
2008 av |= FILE__EXECUTE;
2009 if (mask & MAY_READ)
2010 av |= FILE__READ;
2011
2012 if (mask & MAY_APPEND)
2013 av |= FILE__APPEND;
2014 else if (mask & MAY_WRITE)
2015 av |= FILE__WRITE;
2016
2017 } else {
2018 if (mask & MAY_EXEC)
2019 av |= DIR__SEARCH;
2020 if (mask & MAY_WRITE)
2021 av |= DIR__WRITE;
2022 if (mask & MAY_READ)
2023 av |= DIR__READ;
2024 }
2025
2026 return av;
2027}
2028
8b6a5a37
EP		 2029/* Convert a Linux file to an access vector. */
2030static inline u32 file_to_av(struct file *file)
2031{
2032 u32 av = 0;
2033
2034 if (file->f_mode & FMODE_READ)
2035 av |= FILE__READ;
2036 if (file->f_mode & FMODE_WRITE) {
2037 if (file->f_flags & O_APPEND)
2038 av |= FILE__APPEND;
2039 else
2040 av |= FILE__WRITE;
2041 }
2042 if (!av) {
2043 /*
2044 * Special file opened with flags 3 for ioctl-only use.
2045 */
2046 av = FILE__IOCTL;
2047 }
2048
2049 return av;
2050}
2051
b0c636b9 2052/*
8b6a5a37 2053 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2054 * open permission.
2055 */
8b6a5a37 2056static inline u32 open_file_to_av(struct file *file)
b0c636b9 2057{
8b6a5a37 2058 u32 av = file_to_av(file);
ccb54478 2059 struct inode *inode = file_inode(file);
b0c636b9 2060
ccb54478 2061 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2062 av |= FILE__OPEN;
2063
b0c636b9
EP		 2064 return av;
2065}
2066
1da177e4
LT		 2067/* Hook functions begin here. */
2068
79af7307
SS		 2069static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2070{
2071 u32 mysid = current_sid();
2072 u32 mgrsid = task_sid(mgr);
2073
2074 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2075 BINDER__SET_CONTEXT_MGR, NULL);
2076}
2077
2078static int selinux_binder_transaction(struct task_struct *from,
2079 struct task_struct *to)
2080{
2081 u32 mysid = current_sid();
2082 u32 fromsid = task_sid(from);
2083 u32 tosid = task_sid(to);
2084 int rc;
2085
2086 if (mysid != fromsid) {
2087 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2088 BINDER__IMPERSONATE, NULL);
2089 if (rc)
2090 return rc;
2091 }
2092
2093 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2094 NULL);
2095}
2096
2097static int selinux_binder_transfer_binder(struct task_struct *from,
2098 struct task_struct *to)
2099{
2100 u32 fromsid = task_sid(from);
2101 u32 tosid = task_sid(to);
2102
2103 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2104 NULL);
2105}
2106
2107static int selinux_binder_transfer_file(struct task_struct *from,
2108 struct task_struct *to,
2109 struct file *file)
2110{
2111 u32 sid = task_sid(to);
2112 struct file_security_struct *fsec = file->f_security;
83da53c5 2113 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2114 struct inode_security_struct *isec;
79af7307
SS		 2115 struct common_audit_data ad;
2116 int rc;
2117
2118 ad.type = LSM_AUDIT_DATA_PATH;
2119 ad.u.path = file->f_path;
2120
2121 if (sid != fsec->sid) {
2122 rc = avc_has_perm(sid, fsec->sid,
2123 SECCLASS_FD,
2124 FD__USE,
2125 &ad);
2126 if (rc)
2127 return rc;
2128 }
2129
83da53c5 2130 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2131 return 0;
2132
20cdef8d 2133 isec = backing_inode_security(dentry);
79af7307
SS		 2134 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2135 &ad);
2136}
2137
9e48858f 2138static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2139 unsigned int mode)
1da177e4 2140{
be0554c9
SS		 2141 u32 sid = current_sid();
2142 u32 csid = task_sid(child);
2143
2144 if (mode & PTRACE_MODE_READ)
275bb41e 2145 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2146
be0554c9 2147 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2148}
2149
2150static int selinux_ptrace_traceme(struct task_struct *parent)
2151{
be0554c9
SS		 2152 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2153 PROCESS__PTRACE, NULL);
1da177e4
LT		 2154}
2155
2156static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2157 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2158{
be0554c9
SS		 2159 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2160 PROCESS__GETCAP, NULL);
1da177e4
LT		 2161}
2162
d84f4f99
DH		 2163static int selinux_capset(struct cred *new, const struct cred *old,
2164 const kernel_cap_t *effective,
2165 const kernel_cap_t *inheritable,
2166 const kernel_cap_t *permitted)
1da177e4 2167{
be0554c9
SS		 2168 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2169 PROCESS__SETCAP, NULL);
1da177e4
LT		 2170}
2171
5626d3e8
JM		 2172/*
2173 * (This comment used to live with the selinux_task_setuid hook,
2174 * which was removed).
2175 *
2176 * Since setuid only affects the current process, and since the SELinux
2177 * controls are not based on the Linux identity attributes, SELinux does not
2178 * need to control this operation. However, SELinux does control the use of
2179 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2180 */
2181
6a9de491
EP		 2182static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2183 int cap, int audit)
1da177e4 2184{
8e4ff6f2 2185 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2186}
2187
1da177e4
LT		 2188static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2189{
88e67f3b 2190 const struct cred *cred = current_cred();
1da177e4
LT		 2191 int rc = 0;
2192
2193 if (!sb)
2194 return 0;
2195
2196 switch (cmds) {
828dfe1d
EP		 2197 case Q_SYNC:
2198 case Q_QUOTAON:
2199 case Q_QUOTAOFF:
2200 case Q_SETINFO:
2201 case Q_SETQUOTA:
88e67f3b 2202 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2203 break;
2204 case Q_GETFMT:
2205 case Q_GETINFO:
2206 case Q_GETQUOTA:
88e67f3b 2207 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2208 break;
2209 default:
2210 rc = 0; /* let the kernel handle invalid cmds */
2211 break;
1da177e4
LT		 2212 }
2213 return rc;
2214}
2215
2216static int selinux_quota_on(struct dentry *dentry)
2217{
88e67f3b
DH		 2218 const struct cred *cred = current_cred();
2219
2875fa00 2220 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2221}
2222
12b3052c 2223static int selinux_syslog(int type)
1da177e4 2224{
1da177e4 2225 switch (type) {
d78ca3cd
KC		 2226 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2227 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
be0554c9
SS		 2228 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2229 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2230 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2231 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2232 /* Set level of messages printed to console */
2233 case SYSLOG_ACTION_CONSOLE_LEVEL:
be0554c9
SS		 2234 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2235 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2236 NULL);
1da177e4 2237 }
be0554c9
SS		 2238 /* All other syslog types */
2239 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2240 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2241}
2242
2243/*
2244 * Check that a process has enough memory to allocate a new virtual
2245 * mapping. 0 means there is enough memory for the allocation to
2246 * succeed and -ENOMEM implies there is not.
2247 *
1da177e4
LT		 2248 * Do not audit the selinux permission check, as this is applied to all
2249 * processes that allocate mappings.
2250 */
34b4e4aa 2251static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2252{
2253 int rc, cap_sys_admin = 0;
1da177e4 2254
b1d9e6b0 2255 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2256 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2257 if (rc == 0)
2258 cap_sys_admin = 1;
2259
b1d9e6b0 2260 return cap_sys_admin;
1da177e4
LT		 2261}
2262
2263/* binprm security operations */
2264
be0554c9 2265static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2266{
2267 u32 sid = 0;
2268 struct task_struct *tracer;
2269
2270 rcu_read_lock();
be0554c9 2271 tracer = ptrace_parent(current);
0c6181cb
PM		 2272 if (tracer)
2273 sid = task_sid(tracer);
2274 rcu_read_unlock();
2275
2276 return sid;
2277}
2278
7b0d0b40
SS		 2279static int check_nnp_nosuid(const struct linux_binprm *bprm,
2280 const struct task_security_struct *old_tsec,
2281 const struct task_security_struct *new_tsec)
2282{
2283 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2284 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40
SS		 2285 int rc;
2286
2287 if (!nnp && !nosuid)
2288 return 0; /* neither NNP nor nosuid */
2289
2290 if (new_tsec->sid == old_tsec->sid)
2291 return 0; /* No change in credentials */
2292
2293 /*
2294 * The only transitions we permit under NNP or nosuid
2295 * are transitions to bounded SIDs, i.e. SIDs that are
2296 * guaranteed to only be allowed a subset of the permissions
2297 * of the current SID.
2298 */
2299 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2300 if (rc) {
2301 /*
2302 * On failure, preserve the errno values for NNP vs nosuid.
2303 * NNP: Operation not permitted for caller.
2304 * nosuid: Permission denied to file.
2305 */
2306 if (nnp)
2307 return -EPERM;
2308 else
2309 return -EACCES;
2310 }
2311 return 0;
2312}
2313
a6f76f23 2314static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2315{
a6f76f23
DH		 2316 const struct task_security_struct *old_tsec;
2317 struct task_security_struct *new_tsec;
1da177e4 2318 struct inode_security_struct *isec;
2bf49690 2319 struct common_audit_data ad;
496ad9aa 2320 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2321 int rc;
2322
a6f76f23
DH		 2323 /* SELinux context only depends on initial program or script and not
2324 * the script interpreter */
2325 if (bprm->cred_prepared)
1da177e4
LT		 2326 return 0;
2327
a6f76f23
DH		 2328 old_tsec = current_security();
2329 new_tsec = bprm->cred->security;
83da53c5 2330 isec = inode_security(inode);
1da177e4
LT		 2331
2332 /* Default to the current task SID. */
a6f76f23
DH		 2333 new_tsec->sid = old_tsec->sid;
2334 new_tsec->osid = old_tsec->sid;
1da177e4 2335
28eba5bf 2336 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2337 new_tsec->create_sid = 0;
2338 new_tsec->keycreate_sid = 0;
2339 new_tsec->sockcreate_sid = 0;
1da177e4 2340
a6f76f23
DH		 2341 if (old_tsec->exec_sid) {
2342 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2343 /* Reset exec SID on execve. */
a6f76f23 2344 new_tsec->exec_sid = 0;
259e5e6c 2345
7b0d0b40
SS		 2346 /* Fail on NNP or nosuid if not an allowed transition. */
2347 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2348 if (rc)
2349 return rc;
1da177e4
LT		 2350 } else {
2351 /* Check for a default transition on this program. */
a6f76f23 2352 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2353 SECCLASS_PROCESS, NULL,
2354 &new_tsec->sid);
1da177e4
LT		 2355 if (rc)
2356 return rc;
7b0d0b40
SS		 2357
2358 /*
2359 * Fallback to old SID on NNP or nosuid if not an allowed
2360 * transition.
2361 */
2362 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2363 if (rc)
2364 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2365 }
2366
43af5de7
VG		 2367 ad.type = LSM_AUDIT_DATA_FILE;
2368 ad.u.file = bprm->file;
1da177e4 2369
a6f76f23
DH		 2370 if (new_tsec->sid == old_tsec->sid) {
2371 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2372 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2373 if (rc)
2374 return rc;
2375 } else {
2376 /* Check permissions for the transition. */
a6f76f23 2377 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2378 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2379 if (rc)
2380 return rc;
2381
a6f76f23 2382 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2383 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2384 if (rc)
2385 return rc;
2386
a6f76f23
DH		 2387 /* Check for shared state */
2388 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2389 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2390 SECCLASS_PROCESS, PROCESS__SHARE,
2391 NULL);
2392 if (rc)
2393 return -EPERM;
2394 }
2395
2396 /* Make sure that anyone attempting to ptrace over a task that
2397 * changes its SID has the appropriate permit */
9227dd2a 2398 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2399 u32 ptsid = ptrace_parent_sid();
a6f76f23
DH		 2400 if (ptsid != 0) {
2401 rc = avc_has_perm(ptsid, new_tsec->sid,
2402 SECCLASS_PROCESS,
2403 PROCESS__PTRACE, NULL);
2404 if (rc)
2405 return -EPERM;
2406 }
2407 }
1da177e4 2408
a6f76f23
DH		 2409 /* Clear any possibly unsafe personality bits on exec: */
2410 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2411 }
2412
1da177e4
LT		 2413 return 0;
2414}
2415
828dfe1d 2416static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2417{
5fb49870 2418 const struct task_security_struct *tsec = current_security();
275bb41e 2419 u32 sid, osid;
1da177e4
LT		 2420 int atsecure = 0;
2421
275bb41e
DH		 2422 sid = tsec->sid;
2423 osid = tsec->osid;
2424
2425 if (osid != sid) {
1da177e4
LT		 2426 /* Enable secure mode for SIDs transitions unless
2427 the noatsecure permission is granted between
2428 the two SIDs, i.e. ahp returns 0. */
275bb41e 2429 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2430 SECCLASS_PROCESS,
2431 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2432 }
2433
b1d9e6b0 2434 return !!atsecure;
1da177e4
LT		 2435}
2436
c3c073f8
AV		 2437static int match_file(const void *p, struct file *file, unsigned fd)
2438{
2439 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2440}
2441
1da177e4 2442/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2443static inline void flush_unauthorized_files(const struct cred *cred,
2444 struct files_struct *files)
1da177e4 2445{
1da177e4 2446 struct file *file, *devnull = NULL;
b20c8122 2447 struct tty_struct *tty;
24ec839c 2448 int drop_tty = 0;
c3c073f8 2449 unsigned n;
1da177e4 2450
24ec839c 2451 tty = get_current_tty();
1da177e4 2452 if (tty) {
4a510969 2453 spin_lock(&tty->files_lock);
37dd0bd0 2454 if (!list_empty(&tty->tty_files)) {
d996b62a 2455 struct tty_file_private *file_priv;
37dd0bd0 2456
1da177e4 2457 /* Revalidate access to controlling tty.
13f8e981
DH		 2458 Use file_path_has_perm on the tty path directly
2459 rather than using file_has_perm, as this particular
2460 open file may belong to another process and we are
2461 only interested in the inode-based check here. */
d996b62a
NP		 2462 file_priv = list_first_entry(&tty->tty_files,
2463 struct tty_file_private, list);
2464 file = file_priv->file;
13f8e981 2465 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2466 drop_tty = 1;
1da177e4 2467 }
4a510969 2468 spin_unlock(&tty->files_lock);
452a00d2 2469 tty_kref_put(tty);
1da177e4 2470 }
98a27ba4
EB		 2471 /* Reset controlling tty. */
2472 if (drop_tty)
2473 no_tty();
1da177e4
LT		 2474
2475 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2476 n = iterate_fd(files, 0, match_file, cred);
2477 if (!n) /* none found? */
2478 return;
1da177e4 2479
c3c073f8 2480 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2481 if (IS_ERR(devnull))
2482 devnull = NULL;
2483 /* replace all the matching ones with this */
2484 do {
2485 replace_fd(n - 1, devnull, 0);
2486 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2487 if (devnull)
c3c073f8 2488 fput(devnull);
1da177e4
LT		 2489}
2490
a6f76f23
DH		 2491/*
2492 * Prepare a process for imminent new credential changes due to exec
2493 */
2494static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2495{
a6f76f23
DH		 2496 struct task_security_struct *new_tsec;
2497 struct rlimit *rlim, *initrlim;
2498 int rc, i;
d84f4f99 2499
a6f76f23
DH		 2500 new_tsec = bprm->cred->security;
2501 if (new_tsec->sid == new_tsec->osid)
2502 return;
1da177e4 2503
a6f76f23
DH		 2504 /* Close files for which the new task SID is not authorized. */
2505 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2506
a6f76f23
DH		 2507 /* Always clear parent death signal on SID transitions. */
2508 current->pdeath_signal = 0;
0356357c 2509
a6f76f23
DH		 2510 /* Check whether the new SID can inherit resource limits from the old
2511 * SID. If not, reset all soft limits to the lower of the current
2512 * task's hard limit and the init task's soft limit.
2513 *
2514 * Note that the setting of hard limits (even to lower them) can be
2515 * controlled by the setrlimit check. The inclusion of the init task's
2516 * soft limit into the computation is to avoid resetting soft limits
2517 * higher than the default soft limit for cases where the default is
2518 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2519 */
2520 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2521 PROCESS__RLIMITINH, NULL);
2522 if (rc) {
eb2d55a3
ON		 2523 /* protect against do_prlimit() */
2524 task_lock(current);
a6f76f23
DH		 2525 for (i = 0; i < RLIM_NLIMITS; i++) {
2526 rlim = current->signal->rlim + i;
2527 initrlim = init_task.signal->rlim + i;
2528 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2529 }
eb2d55a3 2530 task_unlock(current);
baa73d9e
NP		 2531 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2532 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2533 }
2534}
2535
2536/*
a6f76f23
DH		 2537 * Clean up the process immediately after the installation of new credentials
2538 * due to exec
1da177e4 2539 */
a6f76f23 2540static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2541{
a6f76f23 2542 const struct task_security_struct *tsec = current_security();
1da177e4 2543 struct itimerval itimer;
a6f76f23 2544 u32 osid, sid;
1da177e4
LT		 2545 int rc, i;
2546
a6f76f23
DH		 2547 osid = tsec->osid;
2548 sid = tsec->sid;
2549
2550 if (sid == osid)
1da177e4
LT		 2551 return;
2552
a6f76f23
DH		 2553 /* Check whether the new SID can inherit signal state from the old SID.
2554 * If not, clear itimers to avoid subsequent signal generation and
2555 * flush and unblock signals.
2556 *
2557 * This must occur _after_ the task SID has been updated so that any
2558 * kill done after the flush will be checked against the new SID.
2559 */
2560 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2561 if (rc) {
baa73d9e
NP		 2562 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2563 memset(&itimer, 0, sizeof itimer);
2564 for (i = 0; i < 3; i++)
2565 do_setitimer(i, &itimer, NULL);
2566 }
1da177e4 2567 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2568 if (!fatal_signal_pending(current)) {
2569 flush_sigqueue(&current->pending);
2570 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2571 flush_signal_handlers(current, 1);
2572 sigemptyset(&current->blocked);
9e7c8f8c 2573 recalc_sigpending();
3bcac026 2574 }
1da177e4
LT		 2575 spin_unlock_irq(&current->sighand->siglock);
2576 }
2577
a6f76f23
DH		 2578 /* Wake up the parent if it is waiting so that it can recheck
2579 * wait permission to the new task SID. */
ecd6de3c 2580 read_lock(&tasklist_lock);
0b7570e7 2581 __wake_up_parent(current, current->real_parent);
ecd6de3c 2582 read_unlock(&tasklist_lock);
1da177e4
LT		 2583}
2584
2585/* superblock security operations */
2586
2587static int selinux_sb_alloc_security(struct super_block *sb)
2588{
2589 return superblock_alloc_security(sb);
2590}
2591
2592static void selinux_sb_free_security(struct super_block *sb)
2593{
2594 superblock_free_security(sb);
2595}
2596
2597static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2598{
2599 if (plen > olen)
2600 return 0;
2601
2602 return !memcmp(prefix, option, plen);
2603}
2604
2605static inline int selinux_option(char *option, int len)
2606{
832cbd9a
EP		 2607 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2608 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2609 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2610 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2611 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2612}
2613
2614static inline void take_option(char **to, char *from, int *first, int len)
2615{
2616 if (!*first) {
2617 **to = ',';
2618 *to += 1;
3528a953 2619 } else
1da177e4
LT		 2620 *first = 0;
2621 memcpy(*to, from, len);
2622 *to += len;
2623}
2624
828dfe1d
EP		 2625static inline void take_selinux_option(char **to, char *from, int *first,
2626 int len)
3528a953
CO		 2627{
2628 int current_size = 0;
2629
2630 if (!*first) {
2631 **to = '|';
2632 *to += 1;
828dfe1d 2633 } else
3528a953
CO		 2634 *first = 0;
2635
2636 while (current_size < len) {
2637 if (*from != '"') {
2638 **to = *from;
2639 *to += 1;
2640 }
2641 from += 1;
2642 current_size += 1;
2643 }
2644}
2645
e0007529 2646static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2647{
2648 int fnosec, fsec, rc = 0;
2649 char *in_save, *in_curr, *in_end;
2650 char *sec_curr, *nosec_save, *nosec;
3528a953 2651 int open_quote = 0;
1da177e4
LT		 2652
2653 in_curr = orig;
2654 sec_curr = copy;
2655
1da177e4
LT		 2656 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2657 if (!nosec) {
2658 rc = -ENOMEM;
2659 goto out;
2660 }
2661
2662 nosec_save = nosec;
2663 fnosec = fsec = 1;
2664 in_save = in_end = orig;
2665
2666 do {
3528a953
CO		 2667 if (*in_end == '"')
2668 open_quote = !open_quote;
2669 if ((*in_end == ',' && open_quote == 0) ||
2670 *in_end == '\0') {
1da177e4
LT		 2671 int len = in_end - in_curr;
2672
2673 if (selinux_option(in_curr, len))
3528a953 2674 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2675 else
2676 take_option(&nosec, in_curr, &fnosec, len);
2677
2678 in_curr = in_end + 1;
2679 }
2680 } while (*in_end++);
2681
6931dfc9 2682 strcpy(in_save, nosec_save);
da3caa20 2683 free_page((unsigned long)nosec_save);
1da177e4
LT		 2684out:
2685 return rc;
2686}
2687
026eb167
EP		 2688static int selinux_sb_remount(struct super_block *sb, void *data)
2689{
2690 int rc, i, *flags;
2691 struct security_mnt_opts opts;
2692 char *secdata, **mount_options;
2693 struct superblock_security_struct *sbsec = sb->s_security;
2694
2695 if (!(sbsec->flags & SE_SBINITIALIZED))
2696 return 0;
2697
2698 if (!data)
2699 return 0;
2700
2701 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2702 return 0;
2703
2704 security_init_mnt_opts(&opts);
2705 secdata = alloc_secdata();
2706 if (!secdata)
2707 return -ENOMEM;
2708 rc = selinux_sb_copy_data(data, secdata);
2709 if (rc)
2710 goto out_free_secdata;
2711
2712 rc = selinux_parse_opts_str(secdata, &opts);
2713 if (rc)
2714 goto out_free_secdata;
2715
2716 mount_options = opts.mnt_opts;
2717 flags = opts.mnt_opts_flags;
2718
2719 for (i = 0; i < opts.num_mnt_opts; i++) {
2720 u32 sid;
026eb167 2721
12f348b9 2722 if (flags[i] == SBLABEL_MNT)
026eb167 2723 continue;
44be2f65 2724 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2725 if (rc) {
44be2f65 2726 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2727 "(%s) failed for (dev %s, type %s) errno=%d\n",
2728 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2729 goto out_free_opts;
2730 }
2731 rc = -EINVAL;
2732 switch (flags[i]) {
2733 case FSCONTEXT_MNT:
2734 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2735 goto out_bad_option;
2736 break;
2737 case CONTEXT_MNT:
2738 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2739 goto out_bad_option;
2740 break;
2741 case ROOTCONTEXT_MNT: {
2742 struct inode_security_struct *root_isec;
83da53c5 2743 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2744
2745 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2746 goto out_bad_option;
2747 break;
2748 }
2749 case DEFCONTEXT_MNT:
2750 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2751 goto out_bad_option;
2752 break;
2753 default:
2754 goto out_free_opts;
2755 }
2756 }
2757
2758 rc = 0;
2759out_free_opts:
2760 security_free_mnt_opts(&opts);
2761out_free_secdata:
2762 free_secdata(secdata);
2763 return rc;
2764out_bad_option:
2765 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2766 "during remount (dev %s, type=%s)\n", sb->s_id,
2767 sb->s_type->name);
026eb167
EP		 2768 goto out_free_opts;
2769}
2770
12204e24 2771static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2772{
88e67f3b 2773 const struct cred *cred = current_cred();
2bf49690 2774 struct common_audit_data ad;
1da177e4
LT		 2775 int rc;
2776
2777 rc = superblock_doinit(sb, data);
2778 if (rc)
2779 return rc;
2780
74192246
JM		 2781 /* Allow all mounts performed by the kernel */
2782 if (flags & MS_KERNMOUNT)
2783 return 0;
2784
50c205f5 2785 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2786 ad.u.dentry = sb->s_root;
88e67f3b 2787 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2788}
2789
726c3342 2790static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2791{
88e67f3b 2792 const struct cred *cred = current_cred();
2bf49690 2793 struct common_audit_data ad;
1da177e4 2794
50c205f5 2795 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2796 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2797 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2798}
2799
808d4e3c 2800static int selinux_mount(const char *dev_name,
8a04c43b 2801 const struct path *path,
808d4e3c 2802 const char *type,
828dfe1d
EP		 2803 unsigned long flags,
2804 void *data)
1da177e4 2805{
88e67f3b 2806 const struct cred *cred = current_cred();
1da177e4
LT		 2807
2808 if (flags & MS_REMOUNT)
d8c9584e 2809 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2810 FILESYSTEM__REMOUNT, NULL);
1da177e4 2811 else
2875fa00 2812 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2813}
2814
2815static int selinux_umount(struct vfsmount *mnt, int flags)
2816{
88e67f3b 2817 const struct cred *cred = current_cred();
1da177e4 2818
88e67f3b 2819 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2820 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2821}
2822
2823/* inode security operations */
2824
2825static int selinux_inode_alloc_security(struct inode *inode)
2826{
2827 return inode_alloc_security(inode);
2828}
2829
2830static void selinux_inode_free_security(struct inode *inode)
2831{
2832 inode_free_security(inode);
2833}
2834
d47be3df 2835static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2836 const struct qstr *name, void **ctx,
d47be3df
DQ		 2837 u32 *ctxlen)
2838{
d47be3df
DQ		 2839 u32 newsid;
2840 int rc;
2841
c957f6df
VG		 2842 rc = selinux_determine_inode_label(current_security(),
2843 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2844 inode_mode_to_security_class(mode),
2845 &newsid);
2846 if (rc)
2847 return rc;
d47be3df
DQ		 2848
2849 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2850}
2851
a518b0a5
VG		 2852static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2853 struct qstr *name,
2854 const struct cred *old,
2855 struct cred *new)
2856{
2857 u32 newsid;
2858 int rc;
2859 struct task_security_struct *tsec;
2860
2861 rc = selinux_determine_inode_label(old->security,
2862 d_inode(dentry->d_parent), name,
2863 inode_mode_to_security_class(mode),
2864 &newsid);
2865 if (rc)
2866 return rc;
2867
2868 tsec = new->security;
2869 tsec->create_sid = newsid;
2870 return 0;
2871}
2872
5e41ff9e 2873static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2874 const struct qstr *qstr,
2875 const char **name,
2a7dba39 2876 void **value, size_t *len)
5e41ff9e 2877{
5fb49870 2878 const struct task_security_struct *tsec = current_security();
5e41ff9e 2879 struct superblock_security_struct *sbsec;
275bb41e 2880 u32 sid, newsid, clen;
5e41ff9e 2881 int rc;
9548906b 2882 char *context;
5e41ff9e 2883
5e41ff9e 2884 sbsec = dir->i_sb->s_security;
5e41ff9e 2885
275bb41e
DH		 2886 sid = tsec->sid;
2887 newsid = tsec->create_sid;
2888
c957f6df 2889 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2890 dir, qstr,
2891 inode_mode_to_security_class(inode->i_mode),
2892 &newsid);
2893 if (rc)
2894 return rc;
5e41ff9e 2895
296fddf7 2896 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2897 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2898 struct inode_security_struct *isec = inode->i_security;
2899 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2900 isec->sid = newsid;
6f3be9f5 2901 isec->initialized = LABEL_INITIALIZED;
296fddf7 2902 }
5e41ff9e 2903
12f348b9 2904 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2905 return -EOPNOTSUPP;
2906
9548906b
TH		 2907 if (name)
2908 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2909
570bc1c2 2910 if (value && len) {
12b29f34 2911 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2912 if (rc)
570bc1c2 2913 return rc;
570bc1c2
SS		 2914 *value = context;
2915 *len = clen;
5e41ff9e 2916 }
5e41ff9e 2917
5e41ff9e
SS		 2918 return 0;
2919}
2920
4acdaf27 2921static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2922{
2923 return may_create(dir, dentry, SECCLASS_FILE);
2924}
2925
1da177e4
LT		 2926static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2927{
1da177e4
LT		 2928 return may_link(dir, old_dentry, MAY_LINK);
2929}
2930
1da177e4
LT		 2931static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2932{
1da177e4
LT		 2933 return may_link(dir, dentry, MAY_UNLINK);
2934}
2935
2936static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2937{
2938 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2939}
2940
18bb1db3 2941static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2942{
2943 return may_create(dir, dentry, SECCLASS_DIR);
2944}
2945
1da177e4
LT		 2946static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2947{
2948 return may_link(dir, dentry, MAY_RMDIR);
2949}
2950
1a67aafb 2951static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2952{
1da177e4
LT		 2953 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2954}
2955
1da177e4 2956static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2957 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2958{
2959 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2960}
2961
1da177e4
LT		 2962static int selinux_inode_readlink(struct dentry *dentry)
2963{
88e67f3b
DH		 2964 const struct cred *cred = current_cred();
2965
2875fa00 2966 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2967}
2968
bda0be7a
N		 2969static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2970 bool rcu)
1da177e4 2971{
88e67f3b 2972 const struct cred *cred = current_cred();
bda0be7a
N		 2973 struct common_audit_data ad;
2974 struct inode_security_struct *isec;
2975 u32 sid;
1da177e4 2976
bda0be7a
N		 2977 validate_creds(cred);
2978
2979 ad.type = LSM_AUDIT_DATA_DENTRY;
2980 ad.u.dentry = dentry;
2981 sid = cred_sid(cred);
5d226df4
AG		 2982 isec = inode_security_rcu(inode, rcu);
2983 if (IS_ERR(isec))
2984 return PTR_ERR(isec);
bda0be7a
N		 2985
2986 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2987 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2988}
2989
d4cf970d
EP		 2990static noinline int audit_inode_permission(struct inode *inode,
2991 u32 perms, u32 audited, u32 denied,
626b9740 2992 int result,
d4cf970d 2993 unsigned flags)
1da177e4 2994{
b782e0a6 2995 struct common_audit_data ad;
d4cf970d
EP		 2996 struct inode_security_struct *isec = inode->i_security;
2997 int rc;
2998
50c205f5 2999 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3000 ad.u.inode = inode;
3001
3002 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 3003 audited, denied, result, &ad, flags);
d4cf970d
EP		 3004 if (rc)
3005 return rc;
3006 return 0;
3007}
3008
e74f71eb 3009static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3010{
88e67f3b 3011 const struct cred *cred = current_cred();
b782e0a6
EP		 3012 u32 perms;
3013 bool from_access;
cf1dd1da 3014 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3015 struct inode_security_struct *isec;
3016 u32 sid;
3017 struct av_decision avd;
3018 int rc, rc2;
3019 u32 audited, denied;
1da177e4 3020
b782e0a6 3021 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3022 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3023
b782e0a6
EP		 3024 /* No permission to check. Existence test. */
3025 if (!mask)
1da177e4 3026 return 0;
1da177e4 3027
2e334057 3028 validate_creds(cred);
b782e0a6 3029
2e334057
EP		 3030 if (unlikely(IS_PRIVATE(inode)))
3031 return 0;
b782e0a6
EP		 3032
3033 perms = file_mask_to_av(inode->i_mode, mask);
3034
2e334057 3035 sid = cred_sid(cred);
5d226df4
AG		 3036 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3037 if (IS_ERR(isec))
3038 return PTR_ERR(isec);
2e334057
EP		 3039
3040 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3041 audited = avc_audit_required(perms, &avd, rc,
3042 from_access ? FILE__AUDIT_ACCESS : 0,
3043 &denied);
3044 if (likely(!audited))
3045 return rc;
3046
626b9740 3047 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3048 if (rc2)
3049 return rc2;
3050 return rc;
1da177e4
LT		 3051}
3052
3053static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3054{
88e67f3b 3055 const struct cred *cred = current_cred();
ccb54478 3056 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3057 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3058 __u32 av = FILE__WRITE;
1da177e4 3059
bc6a6008
AW		 3060 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3061 if (ia_valid & ATTR_FORCE) {
3062 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3063 ATTR_FORCE);
3064 if (!ia_valid)
3065 return 0;
3066 }
1da177e4 3067
bc6a6008
AW		 3068 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3069 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3070 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3071
ccb54478
SS		 3072 if (selinux_policycap_openperm &&
3073 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3074 (ia_valid & ATTR_SIZE) &&
3075 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3076 av |= FILE__OPEN;
3077
3078 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3079}
3080
3f7036a0 3081static int selinux_inode_getattr(const struct path *path)
1da177e4 3082{
3f7036a0 3083 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3084}
3085
8f0cfa52 3086static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3087{
88e67f3b
DH		 3088 const struct cred *cred = current_cred();
3089
b5376771
SH		 3090 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3091 sizeof XATTR_SECURITY_PREFIX - 1)) {
3092 if (!strcmp(name, XATTR_NAME_CAPS)) {
3093 if (!capable(CAP_SETFCAP))
3094 return -EPERM;
3095 } else if (!capable(CAP_SYS_ADMIN)) {
3096 /* A different attribute in the security namespace.
3097 Restrict to administrator. */
3098 return -EPERM;
3099 }
3100 }
3101
3102 /* Not an attribute we recognize, so just check the
3103 ordinary setattr permission. */
2875fa00 3104 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3105}
3106
db59000a
SS		 3107static bool has_cap_mac_admin(bool audit)
3108{
3109 const struct cred *cred = current_cred();
3110 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3111
3112 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3113 return false;
3114 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3115 return false;
3116 return true;
3117}
3118
8f0cfa52
DH		 3119static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3120 const void *value, size_t size, int flags)
1da177e4 3121{
c6f493d6 3122 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3123 struct inode_security_struct *isec;
1da177e4 3124 struct superblock_security_struct *sbsec;
2bf49690 3125 struct common_audit_data ad;
275bb41e 3126 u32 newsid, sid = current_sid();
1da177e4
LT		 3127 int rc = 0;
3128
b5376771
SH		 3129 if (strcmp(name, XATTR_NAME_SELINUX))
3130 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3131
3132 sbsec = inode->i_sb->s_security;
12f348b9 3133 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3134 return -EOPNOTSUPP;
3135
2e149670 3136 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3137 return -EPERM;
3138
50c205f5 3139 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3140 ad.u.dentry = dentry;
1da177e4 3141
20cdef8d 3142 isec = backing_inode_security(dentry);
275bb41e 3143 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3144 FILE__RELABELFROM, &ad);
3145 if (rc)
3146 return rc;
3147
52a4c640 3148 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3149 if (rc == -EINVAL) {
db59000a 3150 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3151 struct audit_buffer *ab;
3152 size_t audit_size;
3153 const char *str;
3154
3155 /* We strip a nul only if it is at the end, otherwise the
3156 * context contains a nul and we should audit that */
e3fea3f7
AV		 3157 if (value) {
3158 str = value;
3159 if (str[size - 1] == '\0')
3160 audit_size = size - 1;
3161 else
3162 audit_size = size;
3163 } else {
3164 str = "";
3165 audit_size = 0;
3166 }
d6ea83ec
EP		 3167 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3168 audit_log_format(ab, "op=setxattr invalid_context=");
3169 audit_log_n_untrustedstring(ab, value, audit_size);
3170 audit_log_end(ab);
3171
12b29f34 3172 return rc;
d6ea83ec 3173 }
12b29f34
SS		 3174 rc = security_context_to_sid_force(value, size, &newsid);
3175 }
1da177e4
LT		 3176 if (rc)
3177 return rc;
3178
275bb41e 3179 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3180 FILE__RELABELTO, &ad);
3181 if (rc)
3182 return rc;
3183
275bb41e 3184 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3185 isec->sclass);
1da177e4
LT		 3186 if (rc)
3187 return rc;
3188
3189 return avc_has_perm(newsid,
3190 sbsec->sid,
3191 SECCLASS_FILESYSTEM,
3192 FILESYSTEM__ASSOCIATE,
3193 &ad);
3194}
3195
8f0cfa52 3196static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3197 const void *value, size_t size,
8f0cfa52 3198 int flags)
1da177e4 3199{
c6f493d6 3200 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3201 struct inode_security_struct *isec;
1da177e4
LT		 3202 u32 newsid;
3203 int rc;
3204
3205 if (strcmp(name, XATTR_NAME_SELINUX)) {
3206 /* Not an attribute we recognize, so nothing to do. */
3207 return;
3208 }
3209
12b29f34 3210 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3211 if (rc) {
12b29f34
SS		 3212 printk(KERN_ERR "SELinux: unable to map context to SID"
3213 "for (%s, %lu), rc=%d\n",
3214 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3215 return;
3216 }
3217
20cdef8d 3218 isec = backing_inode_security(dentry);
9287aed2 3219 spin_lock(&isec->lock);
aa9c2669 3220 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3221 isec->sid = newsid;
6f3be9f5 3222 isec->initialized = LABEL_INITIALIZED;
9287aed2 3223 spin_unlock(&isec->lock);
aa9c2669 3224
1da177e4
LT		 3225 return;
3226}
3227
8f0cfa52 3228static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3229{
88e67f3b
DH		 3230 const struct cred *cred = current_cred();
3231
2875fa00 3232 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3233}
3234
828dfe1d 3235static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3236{
88e67f3b
DH		 3237 const struct cred *cred = current_cred();
3238
2875fa00 3239 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3240}
3241
8f0cfa52 3242static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3243{
b5376771
SH		 3244 if (strcmp(name, XATTR_NAME_SELINUX))
3245 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3246
3247 /* No one is allowed to remove a SELinux security label.
3248 You can change the label, but all data must be labeled. */
3249 return -EACCES;
3250}
3251
d381d8a9 3252/*
abc69bb6 3253 * Copy the inode security context value to the user.
d381d8a9
JM		 3254 *
3255 * Permission check is handled by selinux_inode_getxattr hook.
3256 */
ea861dfd 3257static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3258{
42492594
DQ		 3259 u32 size;
3260 int error;
3261 char *context = NULL;
20cdef8d 3262 struct inode_security_struct *isec;
d381d8a9 3263
8c8570fb
DK		 3264 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3265 return -EOPNOTSUPP;
d381d8a9 3266
abc69bb6
SS		 3267 /*
3268 * If the caller has CAP_MAC_ADMIN, then get the raw context
3269 * value even if it is not defined by current policy; otherwise,
3270 * use the in-core value under current policy.
3271 * Use the non-auditing forms of the permission checks since
3272 * getxattr may be called by unprivileged processes commonly
3273 * and lack of permission just means that we fall back to the
3274 * in-core context value, not a denial.
3275 */
20cdef8d 3276 isec = inode_security(inode);
db59000a 3277 if (has_cap_mac_admin(false))
abc69bb6
SS		 3278 error = security_sid_to_context_force(isec->sid, &context,
3279 &size);
3280 else
3281 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3282 if (error)
3283 return error;
3284 error = size;
3285 if (alloc) {
3286 *buffer = context;
3287 goto out_nofree;
3288 }
3289 kfree(context);
3290out_nofree:
3291 return error;
1da177e4
LT		 3292}
3293
3294static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3295 const void *value, size_t size, int flags)
1da177e4 3296{
2c97165b 3297 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3298 u32 newsid;
3299 int rc;
3300
3301 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3302 return -EOPNOTSUPP;
3303
3304 if (!value || !size)
3305 return -EACCES;
3306
20ba96ae 3307 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3308 if (rc)
3309 return rc;
3310
9287aed2 3311 spin_lock(&isec->lock);
aa9c2669 3312 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3313 isec->sid = newsid;
6f3be9f5 3314 isec->initialized = LABEL_INITIALIZED;
9287aed2 3315 spin_unlock(&isec->lock);
1da177e4
LT		 3316 return 0;
3317}
3318
3319static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3320{
3321 const int len = sizeof(XATTR_NAME_SELINUX);
3322 if (buffer && len <= buffer_size)
3323 memcpy(buffer, XATTR_NAME_SELINUX, len);
3324 return len;
3325}
3326
d6335d77 3327static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3328{
e817c2f3 3329 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3330 *secid = isec->sid;
3331}
3332
56909eb3
VG		 3333static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3334{
3335 u32 sid;
3336 struct task_security_struct *tsec;
3337 struct cred *new_creds = *new;
3338
3339 if (new_creds == NULL) {
3340 new_creds = prepare_creds();
3341 if (!new_creds)
3342 return -ENOMEM;
3343 }
3344
3345 tsec = new_creds->security;
3346 /* Get label from overlay inode and set it in create_sid */
3347 selinux_inode_getsecid(d_inode(src), &sid);
3348 tsec->create_sid = sid;
3349 *new = new_creds;
3350 return 0;
3351}
3352
19472b69
VG		 3353static int selinux_inode_copy_up_xattr(const char *name)
3354{
3355 /* The copy_up hook above sets the initial context on an inode, but we
3356 * don't then want to overwrite it by blindly copying all the lower
3357 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3358 */
3359 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3360 return 1; /* Discard */
3361 /*
3362 * Any other attribute apart from SELINUX is not claimed, supported
3363 * by selinux.
3364 */
3365 return -EOPNOTSUPP;
3366}
3367
1da177e4
LT		 3368/* file security operations */
3369
788e7dd4 3370static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3371{
88e67f3b 3372 const struct cred *cred = current_cred();
496ad9aa 3373 struct inode *inode = file_inode(file);
1da177e4 3374
1da177e4
LT		 3375 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3376 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3377 mask |= MAY_APPEND;
3378
389fb800
PM		 3379 return file_has_perm(cred, file,
3380 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3381}
3382
788e7dd4
YN		 3383static int selinux_file_permission(struct file *file, int mask)
3384{
496ad9aa 3385 struct inode *inode = file_inode(file);
20dda18b 3386 struct file_security_struct *fsec = file->f_security;
b197367e 3387 struct inode_security_struct *isec;
20dda18b
SS		 3388 u32 sid = current_sid();
3389
389fb800 3390 if (!mask)
788e7dd4
YN		 3391 /* No permission to check. Existence test. */
3392 return 0;
788e7dd4 3393
b197367e 3394 isec = inode_security(inode);
20dda18b
SS		 3395 if (sid == fsec->sid && fsec->isid == isec->sid &&
3396 fsec->pseqno == avc_policy_seqno())
83d49856 3397 /* No change since file_open check. */
20dda18b
SS		 3398 return 0;
3399
788e7dd4
YN		 3400 return selinux_revalidate_file_permission(file, mask);
3401}
3402
1da177e4
LT		 3403static int selinux_file_alloc_security(struct file *file)
3404{
3405 return file_alloc_security(file);
3406}
3407
3408static void selinux_file_free_security(struct file *file)
3409{
3410 file_free_security(file);
3411}
3412
fa1aa143
JVS		 3413/*
3414 * Check whether a task has the ioctl permission and cmd
3415 * operation to an inode.
3416 */
1d2a168a 3417static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3418 u32 requested, u16 cmd)
3419{
3420 struct common_audit_data ad;
3421 struct file_security_struct *fsec = file->f_security;
3422 struct inode *inode = file_inode(file);
20cdef8d 3423 struct inode_security_struct *isec;
fa1aa143
JVS		 3424 struct lsm_ioctlop_audit ioctl;
3425 u32 ssid = cred_sid(cred);
3426 int rc;
3427 u8 driver = cmd >> 8;
3428 u8 xperm = cmd & 0xff;
3429
3430 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3431 ad.u.op = &ioctl;
3432 ad.u.op->cmd = cmd;
3433 ad.u.op->path = file->f_path;
3434
3435 if (ssid != fsec->sid) {
3436 rc = avc_has_perm(ssid, fsec->sid,
3437 SECCLASS_FD,
3438 FD__USE,
3439 &ad);
3440 if (rc)
3441 goto out;
3442 }
3443
3444 if (unlikely(IS_PRIVATE(inode)))
3445 return 0;
3446
20cdef8d 3447 isec = inode_security(inode);
fa1aa143
JVS		 3448 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3449 requested, driver, xperm, &ad);
3450out:
3451 return rc;
3452}
3453
1da177e4
LT		 3454static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3455 unsigned long arg)
3456{
88e67f3b 3457 const struct cred *cred = current_cred();
0b24dcb7 3458 int error = 0;
1da177e4 3459
0b24dcb7
EP		 3460 switch (cmd) {
3461 case FIONREAD:
3462 /* fall through */
3463 case FIBMAP:
3464 /* fall through */
3465 case FIGETBSZ:
3466 /* fall through */
2f99c369 3467 case FS_IOC_GETFLAGS:
0b24dcb7 3468 /* fall through */
2f99c369 3469 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3470 error = file_has_perm(cred, file, FILE__GETATTR);
3471 break;
1da177e4 3472
2f99c369 3473 case FS_IOC_SETFLAGS:
0b24dcb7 3474 /* fall through */
2f99c369 3475 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3476 error = file_has_perm(cred, file, FILE__SETATTR);
3477 break;
3478
3479 /* sys_ioctl() checks */
3480 case FIONBIO:
3481 /* fall through */
3482 case FIOASYNC:
3483 error = file_has_perm(cred, file, 0);
3484 break;
1da177e4 3485
0b24dcb7
EP		 3486 case KDSKBENT:
3487 case KDSKBSENT:
6a9de491 3488 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3489 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3490 break;
3491
3492 /* default case assumes that the command will go
3493 * to the file's ioctl() function.
3494 */
3495 default:
fa1aa143 3496 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3497 }
3498 return error;
1da177e4
LT		 3499}
3500
fcaaade1
SS		 3501static int default_noexec;
3502
1da177e4
LT		 3503static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3504{
88e67f3b 3505 const struct cred *cred = current_cred();
be0554c9 3506 u32 sid = cred_sid(cred);
d84f4f99 3507 int rc = 0;
88e67f3b 3508
fcaaade1 3509 if (default_noexec &&
892e8cac
SS		 3510 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3511 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3512 /*
3513 * We are making executable an anonymous mapping or a
3514 * private file mapping that will also be writable.
3515 * This has an additional check.
3516 */
be0554c9
SS		 3517 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3518 PROCESS__EXECMEM, NULL);
1da177e4 3519 if (rc)
d84f4f99 3520 goto error;
1da177e4 3521 }
1da177e4
LT		 3522
3523 if (file) {
3524 /* read access is always possible with a mapping */
3525 u32 av = FILE__READ;
3526
3527 /* write access only matters if the mapping is shared */
3528 if (shared && (prot & PROT_WRITE))
3529 av |= FILE__WRITE;
3530
3531 if (prot & PROT_EXEC)
3532 av |= FILE__EXECUTE;
3533
88e67f3b 3534 return file_has_perm(cred, file, av);
1da177e4 3535 }
d84f4f99
DH		 3536
3537error:
3538 return rc;
1da177e4
LT		 3539}
3540
e5467859 3541static int selinux_mmap_addr(unsigned long addr)
1da177e4 3542{
b1d9e6b0 3543 int rc = 0;
1da177e4 3544
a2551df7 3545 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3546 u32 sid = current_sid();
ed032189
EP		 3547 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3548 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3549 }
3550
98883bfd 3551 return rc;
e5467859 3552}
1da177e4 3553
e5467859
AV		 3554static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3555 unsigned long prot, unsigned long flags)
3556{
3ba4bf5f
SS		 3557 struct common_audit_data ad;
3558 int rc;
3559
3560 if (file) {
3561 ad.type = LSM_AUDIT_DATA_FILE;
3562 ad.u.file = file;
3563 rc = inode_has_perm(current_cred(), file_inode(file),
3564 FILE__MAP, &ad);
3565 if (rc)
3566 return rc;
3567 }
3568
1da177e4
LT		 3569 if (selinux_checkreqprot)
3570 prot = reqprot;
3571
3572 return file_map_prot_check(file, prot,
3573 (flags & MAP_TYPE) == MAP_SHARED);
3574}
3575
3576static int selinux_file_mprotect(struct vm_area_struct *vma,
3577 unsigned long reqprot,
3578 unsigned long prot)
3579{
88e67f3b 3580 const struct cred *cred = current_cred();
be0554c9 3581 u32 sid = cred_sid(cred);
1da177e4
LT		 3582
3583 if (selinux_checkreqprot)
3584 prot = reqprot;
3585
fcaaade1
SS		 3586 if (default_noexec &&
3587 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3588 int rc = 0;
db4c9641
SS		 3589 if (vma->vm_start >= vma->vm_mm->start_brk &&
3590 vma->vm_end <= vma->vm_mm->brk) {
be0554c9
SS		 3591 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3592 PROCESS__EXECHEAP, NULL);
db4c9641 3593 } else if (!vma->vm_file &&
c2316dbf
SS		 3594 ((vma->vm_start <= vma->vm_mm->start_stack &&
3595 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3596 vma_is_stack_for_current(vma))) {
be0554c9
SS		 3597 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3598 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3599 } else if (vma->vm_file && vma->anon_vma) {
3600 /*
3601 * We are making executable a file mapping that has
3602 * had some COW done. Since pages might have been
3603 * written, check ability to execute the possibly
3604 * modified content. This typically should only
3605 * occur for text relocations.
3606 */
d84f4f99 3607 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3608 }